Re: Can't SSH into CARP'd system from the outside
On Tue, Nov 11, 2008 at 03:53:54PM -0800, Vivek Ayer wrote:
[...]
# macros
[...]
carpdevs = { carp0 , carp1 }
[...]
# pass rules
[...]
pass in on $carpdevs inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state # Allow SSH Access from Outside

just from a quick glance: pf(4) never filters on carp interfaces, but on carp's physical interface (aka carpdev).
Re: pf.conf
On Wed, Nov 12, 2008 at 7:47 AM, disintx [EMAIL PROTECTED] wrote:
For all the ports you are looking for, you need to check /etc/services and you should read the man pages for whatever daemons you want to know about.

May I also recommend the excellent Building Firewalls with OpenBSD and PF (http://openbsd.org/books.html#book1), it helped me loads at the time I built a bridging firewall.

Cheers,
Steph
Re: 4.4: crash in uvm_aiodone_daemon
On 2008-11-12, jul [EMAIL PROTECTED] wrote:
Pedro Martelletto wrote on 11/11/08 18:56:
What was the actual panic message?

sorry but the serial console was connected after the crash, so i don't have the initial message. Is this information not in the trace? Is there a command to recover it?

show panic
Re: Using a separate boot partition
On Wed, Nov 12, 2008 at 5:31 AM, Joseph Alten [EMAIL PROTECTED] wrote:
So there isn't really an option like I was describing? I was going to just create my / partition on my boot hard drive like you mentioned, but I seemed so close when I ran boot hd0a:/bsd -a at the boot prompt that I thought I was missing something in the documentation... Thanks anyway.

On Tue, 11 Nov 2008 20:08:08 -0800, Ben Calvert [EMAIL PROTECTED] wrote:
on Linux, too much crap tends to end up in /, so they created /boot so you could have a small separate partition. on more traditional unix systems, you don't put much in /, instead you have a separate /usr /tmp /home /var, etc. why not put / where you wanted to put /boot and then mount the rest on the second disk

On Nov 11, 2008, at 7:52 PM, Joseph Alten wrote:
Due to technical constraints, my setup requires that I have a separate boot partition (basically the kernel and anything else critical for booting), and then of course my root partition and other data partitions on a separate disk. I'm kind of new to OpenBSD, and so far what I've managed to do is copy /bsd to a separate partition, then at the boot prompt I run boot hd0a -a, then specify my root partition when prompted by the kernel. While this has the desired effect, I'd rather not run this every time I want to boot OpenBSD. Is there a kernel parameter I can pass that lets the kernel know ahead of time the root device I wish to mount? Basically I'm looking for the OpenBSD equivalent of the root=/dev/xxx Linux kernel parameter. I think I managed to get FreeBSD working similarly with the vfs.root.mountfrom= parameter, but this doesn't appear to exist in OpenBSD. Thanks for looking into this.

I'm backing Ben here: OpenBSD / should be small enough to fit it entirely into a boot partition.
12:10 [EMAIL PROTECTED]; df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a      130M   35.1M   88.4M    28%    /
/dev/wd0m      9.9G    3.6G    5.9G    38%    /home
/dev/wd0h      130M   10.0K    124M     0%    /tmp
/dev/wd0j     1014M    417M    547M    43%    /usr
/dev/wd0k      253M    143M   97.5M    59%    /usr/X11R6
/dev/wd0l      4.0G    746M    3.0G    19%    /usr/local
/dev/wd0d      2.0G    2.0K    1.9G     0%    /usr/obj
/dev/wd0g      4.0G    1.1G    2.7G    28%    /usr/ports
/dev/wd0e      1.5G    632M    817M    44%    /usr/src
/dev/wd0f     1014M    513M    451M    53%    /usr/xenocara
/dev/wd0i      130M   11.6M    112M     9%    /var

all but bsd.mp is installed on this rig.

--
Vincent Gross
So, the essence of XML is this: the problem it solves is not hard, and it does not solve the problem well. -- Jerome Simeon & Phil Wadler
Re: symux/rrdtool problem on 4.4-snap
On 2008-11-12, Ryan Flannery [EMAIL PROTECTED] wrote: I'm having some strange problems with the symon (mon+mux) and rrdtool packages after recently upgrading to a 4.4 snapshot (fresh install). Seems like your Perl packages are not in-sync with the base perl. Make sure they are all up-to-date and you fetch from a mirror which isn't lagging.
Re: VLC/MPlayer/ffmpeg audio/video sync issues introduced in 4.4..
On Mon, Nov 10, 2008 at 09:19:18PM -0800, J.C. Roberts wrote:
On Tue, 11 Nov 2008 04:26:22 +0000 Jacob Meuser [EMAIL PROTECTED] wrote:
On Mon, Nov 10, 2008 at 08:08:59PM -0800, J.C. Roberts wrote:
general mplayer configuration suggestions

nah, it's probably an B-frame or trellis or quantization issue.

Then again, it might be the flux capacitor. (:

heh :) just keep it under 88.

--
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org
Re: IPSec to Checkpoint
On Wed, Nov 12, 2008 at 02:35:35PM +0100, Claer wrote: Hey there, I don't know if your isakmpd.conf is good or not. The general part seems good. But I'm wondering why you are not using the new configuration file (/etc/ipsec.conf) It's much easier to use and to maintain over time. For your part, you'll have to keep default lifetime in isakmpd.conf as it's not supported in ipsec.conf. Aah, I somehow missed that change. I'll look into that. Thanks -- joe. George Lucas was born a nerd and will die a nerd.
Applying patch 004 to OpenBSD 4.4 and Apache/OpenSSL (problem with PEM_F_DEF_CALLBACK)
Hello

At work here I have a PC which was loaded with OpenBSD 4.3. I have updated it to OpenBSD 4.4. After having installed it I downloaded from OpenBSD's ftp the files sys.tar.gz and src.tar.gz which I did tar zxpf in /usr/src. I then downloaded the latest 4.4.tar.gz patch file and applied every patch. Everything went fine except the 004 patch. I was having this error when doing the make:

--start of copy
[root][153] # make -f Makefile.bsd-wrapper
[...]
cc -c -I../../os/unix -I../../include -O2 -pipe -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len -DHAVE_SOCKADDR_LEN -DMOD_SSL=208116 -DEAPI `../../apaci` -DSSL_COMPAT -DSSL_ENGINE -DMOD_SSL_VERSION=\"2.8.16\" ssl_engine_pphrase.c
ssl_engine_pphrase.c: In function `ssl_pphrase_Handle_CB':
ssl_engine_pphrase.c:492: error: `PEM_F_DEF_CALLBACK' undeclared (first use in this function)
ssl_engine_pphrase.c:492: error: (Each undeclared identifier is reported only once
ssl_engine_pphrase.c:492: error: for each function it appears in.)
*** Error code 1
--end of copy

So I did a rm -rf of the /usr/src and from the following CVSROOT: [EMAIL PROTECTED]:/cvs/openbsd I did a cvs up -dP of OPENBSD_44. But I must have done something wrong or so I guess, since I could not compile httpd. So I searched with Google and found that in OpenSSL 0.9.8 they did a change, which is explained here: https://issues.apache.org/bugzilla/show_bug.cgi?id=35889

So I did modify my own OpenBSD 4.4 /usr/src/usr.sbin/httpd/src/modules/ssl/ssl_engine_pphrase.c. I replaced the PEM_F_DEF_CALLBACK by PEM_F_PEM_DEF_CALLBACK at:

[...]
    prompt = "Enter pass phrase:";
    for (;;) {
        if ((i = EVP_read_pw_string(buf, bufsize, prompt, FALSE)) != 0) {
            PEMerr(PEM_F_PEM_DEF_CALLBACK,PEM_R_PROBLEMS_GETTING_PASSWORD);
            memset(buf, 0, (unsigned int)bufsize);
            return (-1);
[...]

Now, the commands listed in the beginning of the 004 patch file do apply properly:

--start of copy
cc -O2 -pipe -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len -DHAVE_SOCKADDR_LEN -DMOD_SSL=208116 -DEAPI -DHTTPD_USER=\"www\" -DUID_MIN=1000 -DGID_MIN=1000 -DUSERDIR_SUFFIX=\"public_html\" -DLOG_EXEC=\"/var/log/suexec_log\" -DDOC_ROOT=\"/var/www/htdocs\" -DSAFE_PATH=\"/usr/bin:/bin:/usr/local/bin\" -DUSE_SETUSERCONTEXT -o suexec -L/usr/lib -L../os/unix -L../ap suexec.o -lm -lap -los -lkeynote -lm -lssl -lcrypto
=== src/support
=== src
-- /usr/src/usr.sbin/httpd
[root][162] #
--end of copy

I guess that, at some time, I must have done or broken something on this machine because the patch could not have broken this. Can someone please confirm to me that there is nothing wrong in the 004 patch and that for some reason I don't have a clean copy of the OPENBSD_44 sources?

Best regards,
--
_\(_)/_ Gilbert Fernandes Laga
 /(O)\  Systems/network administrator
Re: IPSec to Checkpoint
On Wed, Nov 12, 2008 at 02:35:35PM +0100, Claer wrote:
Hey there,

OK, so I've switched to ipsec.conf and it is a lot easier! However, I'm still struggling to use aes 256. I have the following:

ike esp from 195.24.xxx.x/25 to 62.232.yyy.y/27 \
    local 195.24.aaa.aa peer 62.232.bbb.bbb \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes psk sudomakemeagoat

This uses aes128. Is there any way to get aes256 working? Note: I'm on 4.2, was 256 support added later? If not, is there any way I could enable 256 on 4.2?

-- joe.
I can't believe Alan Davies would do that. I absolutely love him!
useradd /etc/security
After a few upgrades, I noticed that new users added with useradd(8) (using the commands in upgradeXX.htm) are created with 13 asterisks in the passwd field. During a new install only one asterisk is placed in this field for system users. I was curious about this difference and, feeling a bit adventurous, I changed them all from 13 to 1 (including some created for packages). The next day there is a message in the daily insecurity output:

Checking the /etc/master.passwd file:
Login _pgsql is off but still has a valid shell and alternate access files in home directory are still readable.

When I need to log in (rarely) as _pgsql, I use sudo su - _pgsql. Since I don't need to have a password on this user, I changed _pgsql back to 13 asterisks. I looked at /etc/security: at about line 40 and following there is a statement that bypasses the test for shell and home directory if the password is 13 characters.

Finally, the point... I was thinking that new users added in upgradeXX should have only one asterisk instead of 13, so that /etc/security will produce a warning if these users somehow have shells in the future?

Frank
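The check Frank describes, re-created here as an added example (not code from the thread or from /etc/security itself) so the effect of one asterisk versus thirteen can be seen on constructed master.passwd lines; the 13-character rule is taken from his reading of /etc/security, and the function names and sample entries are mine:

```sh
#!/bin/sh
# Added example: reproduce the master.passwd test Frank describes.
# Assumption (from Frank's description of /etc/security, not verified
# against the script): a 13-character password field is skipped, a lone
# "*" means the account is "off", and an "off" account is reported when
# it still has a login shell other than /sbin/nologin.

# audit_off_accounts < master.passwd
# Prints "login shell" for every account that would be flagged.
audit_off_accounts() {
    awk -F: '
        # master.passwd fields:
        # name:passwd:uid:gid:class:change:expire:gecos:home:shell
        NF >= 10 {
            pw = $2; shell = $10
            if (length(pw) == 13) next          # 13 "*" (or an old DES hash): not checked
            if (pw != "*") next                 # anything else is a real password, not "off"
            if (shell == "" || shell == "/sbin/nologin") next
            print $1, shell
        }'
}

# Constructed sample (not a real system file): one entry per case.
# Hash values are placeholders, not real bcrypt output.
sample_master_passwd() {
    cat <<'EOF'
root:$2b$08$ConstructedHashNotARealOne:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
_pgsql:*************:503:503:daemon:0:0:PostgreSQL Manager:/var/postgresql:/bin/sh
_mysql:*:502:502:daemon:0:0:MySQL Account:/var/mysql:/bin/sh
_syslogd:*:73:73::0:0:Syslog Daemon:/var/empty:/sbin/nologin
frank:$2b$08$AnotherConstructedHash:1000:1000:staff:0:0:Frank:/home/frank:/bin/ksh
EOF
}

# Only _mysql is reported: _pgsql's thirteen asterisks take it out of the
# test entirely, _syslogd has no real shell, root and frank have passwords.
flagged_sample_accounts() {
    sample_master_passwd | audit_off_accounts
}

flagged_sample_accounts
```

Run against a copy of the real file with `audit_off_accounts < /etc/master.passwd` (as root) to list the accounts the daily report would mention.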
Re: Experiences running named and rndc on 4.4 vs 4.3
On Tue, 11 Nov 2008, Don Jackson wrote:
Today I began testing named on a freshly installed OpenBSD 4.4 amd64 machine, using my old named.conf file from 4.3 (which was still running named version 9.4.2). When the machine first boots after the install, /etc/rc determines there is no rndc.key, and generates one:

rndc-confgen: generating new shared secret... done.
starting named

Here are the owner, group, and file modes of the two different copies of rndc.key that are generated:

# ls -lAF /etc/rndc.key /var/named/etc/rndc.key
-rw-------  1 root  wheel  77 Nov 11 12:24 /etc/rndc.key
-rw-r-----  1 root  wheel  77 Nov 11 12:24 /var/named/etc/rndc.key

named only cares about the rndc.key in /var/named/etc

Right. But later, rndc will use the /etc version. So you need both, and the permissions you show are sane ones.

Looking at the logs: /var/log/daemon, one can see:

Nov 11 12:24:10 svn01 named[142]: none:0: open: /etc/rndc.key: permission denied
Nov 11 12:24:10 svn01 named[142]: couldn't add command channel 127.0.0.1#953: permission denied

Here is my workaround:

# chown root:named /var/named/etc/rndc.key
# ls -lAF /var/named/etc/rndc.key
-rw-r-----  1 root  named  77 Nov 11 12:24 /var/named/etc/rndc.key

Should /etc/rc set the group ownership of /var/named/etc/rndc.key? Comments?

I think rndc.key should pick up the named group from the ownerships and permissions on /var/named/etc. /var/named/etc should be owned by root.named and have permissions 750. I bet your /var/named/etc is owned by root.wheel.

Dave
relayd: backups when using relay?
Hi list I'm looking at the relay (not redirect) feature of relayd (4.4), but cannot figure out how to use backups/fallbacks when doing relaying? With redirect I just add another forward directive, but this doesn't seem to work for relays? Cannot find anything in docs mentioning this (with regards to relays). Any pointers? Thanks Johan
Re: relayd exits when disabling and enabling hosts
Yes, sorry it is a typo, I used 4.4-snapshot (10/08), got the same error, I'll try to test it on the release as soon as it gets out. If it keeps crashing I'll file a bug report. Thanks for the info.

2008/11/11 Stuart Henderson [EMAIL PROTECTED]
On 2008-11-11, Johan Ström [EMAIL PROTECTED] wrote:
Note that he was using 4.3. I was about to reply and suggest this was fixed in 4.4 (I think this problem has disappeared since I changed to 4.4), but I wasn't sure.

On Mon, Nov 10, 2008 at 05:11:56PM +0100, David Caro wrote:
Same behaviour using fresh 3.4-snapshot (10/08) installs

presumably a typo since 3.4 didn't have hostated let alone relayd. :)
Re: How to NAT a site-site VPN tunnel
I found another thread in french (I think, I am not good with french) with a link that looks promising... http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html I will check out that solution and let you know if I still have problems.
Re: IPSec to Checkpoint
On Wed, Nov 12 2008 at 18:13, Joe Warren-Meeks wrote:
Hey guys,

Hi,

I'm struggling to get isakpmd to talk to a checkpoint firewall. I need the following parameters:

General IKE Properties = AES-256 with SHA1
IKE Phase 1 SA = Group2 (1024 bit)
IKE Phase 1 SA renegotiation = 1440
IKE Phase 2 SA renegotiation = 3600

The network layout looks as follows:

OurNet             OurFirewall      Internet   TheirFW          TheirNet
195.24.xxx.xxx/25  195.24.xxx.yyy              62.232.xxx.xxx   62.232.xxx.yyy

I currently have the following in my isakpmd.policy:

Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

And my isakmpd.conf is at the end. Any pointers guys?

I don't know if your isakmpd.conf is good or not. The general part seems good. But I'm wondering why you are not using the new configuration file (/etc/ipsec.conf). It's much easier to use and to maintain over time. For your part, you'll have to keep the default lifetime in isakmpd.conf as it's not supported in ipsec.conf.

From experience I can assure you it works also with Check Point (R60 to R65), you just have to carefully ensure that all ipsec variables are the same (as always with ipsec). Please review the parameters with the other end. If you can, also ask them for their error message when establishing the tunnel. I found the CheckPoint messages more useful than the isakmpd ones.

[General]
Retransmits=                5
Exchange-max-time=          120
Listen-on=                  195.24.xxx.yyy
Default-phase-1-lifetime=   1440,60:86400
Default-phase-2-lifetime=   3600,60:86400

[Phase 1]
62.232.xxx.xxx=             local-remote

[local-remote]
Phase=                      1
Transport=                  udp
Local-address=              195.24.xxx.yyy
Address=                    62.232.xxx.xxx
Configuration=              Default-main-mode
Authentication=             makemeagoatorsomething

[Phase 2]
Connections=                VPN-local-remote-62.232.xx.yy/255.255.255.224

[VPN-local-remote-62.232.xx.yy/255.255.255.224]
Phase=                      2
ISAKMP-peer=                local-remote
Configuration=              Default-quick-mode
Local-ID=                   network-195.24.xxx.xxx/255.255.255.128
Remote-ID=                  network-62.232.xxx.yyy/255.255.255.224

[network-195.24.xxx.xxx/255.255.255.128]
ID-type=                    IPV4_ADDR_SUBNET
Network=                    195.24.xxx.xx
Netmask=                    255.255.255.128

[network-62.232.xxx.yyy/255.255.255.0]
ID-type=                    IPV4_ADDR_SUBNET
Network=                    62.232.xxx.yyy
Netmask=                    255.255.255.0

[Default-main-mode]
DOI=                        IPSEC
EXCHANGE_TYPE=              ID_PROT
Life=                       ANY
Transforms=                 AES-256-SHA

[Default-quick-mode]
DOI=                        IPSEC
EXCHANGE_TYPE=              QUICK_MODE
Suites=                     QM-ESP-AES-256-SHA-SUITE

[AES-256-SHA]
ENCRYPTION_ALGORITHM=       AES_CBC
KEY_LENGTH=                 256,256:256
HASH_ALGORITHM=             SHA
AUTHENTICATION_METHOD=      PRE_SHARED
GROUP_DESCRIPTION=          MODP_1024
Life=                       LIFE_MAIN_MODE

[QM-ESP-AES-256-SHA-SUITE]
Protocols=                  QM-ESP-AES-256-SHA

-- joe.
Re: 4.4 recently installed
On Tue, Nov 11, 2008 at 01:21:09PM -0800, T D wrote:
I'm not sure...I didn't think it had more than one, I will have to look into this. There are no extra cards on the system (only a rj45) - the motherboard wouldn't have more than one music built in would it?

unlikely

Think I better check what board it is and look up the specs. CDs play well.

then you can probably just 'disable clcs' in UKC without issue. but depending how you played the CD, it could just be using the mixer and the DAC is not working.

--- On Mon, 10/11/08, Jacob Meuser [EMAIL PROTECTED] wrote:
From: Jacob Meuser [EMAIL PROTECTED]
Subject: Re: 4.4 recently installed
To: misc@openbsd.org
Received: Monday, 10 November, 2008, 4:27 PM

On Sun, Nov 09, 2008 at 10:39:17PM -0500, Nick Holland wrote:
T D wrote:
Hi all, I have installed 4.4 on a machine (ibm aptiva) with the below dmesg output. As I am somewhat new to this os, I would like some suggestions as to what I could/should do with this box and no I will not rm -rf / Any ideas/suggestions greatly appreciated.

I presume, your question is, not "what can I do with this now that I have it installed", but rather, "how can I fix this problem":

...
clcs0 at pci0 dev 17 function 0 Cirrus Logic CS4610 SoundFusion rev 0x01: irq 3
clear_fifo: fist timeout cnt=0
clear_fifo: fist timeout cnt=1
,,, (and so on annoyingly)

Correct? If so, the easy way out is probably to use ukc to disable the clcs0 device (see faq5.html). You will lose the ability to play audio on this thing.

there is also a wss(4) attaching later. this thing really has two audio devices?

http://www.openbsd.org/faq/faq13.html#audioprob

--
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org
IPSec to Checkpoint
Hey guys,

I'm struggling to get isakpmd to talk to a checkpoint firewall. I need the following parameters:

General IKE Properties = AES-256 with SHA1
IKE Phase 1 SA = Group2 (1024 bit)
IKE Phase 1 SA renegotiation = 1440
IKE Phase 2 SA renegotiation = 3600

The network layout looks as follows:

OurNet             OurFirewall      Internet   TheirFW          TheirNet
195.24.xxx.xxx/25  195.24.xxx.yyy              62.232.xxx.xxx   62.232.xxx.yyy

I currently have the following in my isakpmd.policy:

Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";

And my isakmpd.conf is at the end. Any pointers guys?

[General]
Retransmits=                5
Exchange-max-time=          120
Listen-on=                  195.24.xxx.yyy
Default-phase-1-lifetime=   1440,60:86400
Default-phase-2-lifetime=   3600,60:86400

[Phase 1]
62.232.xxx.xxx=             local-remote

[local-remote]
Phase=                      1
Transport=                  udp
Local-address=              195.24.xxx.yyy
Address=                    62.232.xxx.xxx
Configuration=              Default-main-mode
Authentication=             makemeagoatorsomething

[Phase 2]
Connections=                VPN-local-remote-62.232.xx.yy/255.255.255.224

[VPN-local-remote-62.232.xx.yy/255.255.255.224]
Phase=                      2
ISAKMP-peer=                local-remote
Configuration=              Default-quick-mode
Local-ID=                   network-195.24.xxx.xxx/255.255.255.128
Remote-ID=                  network-62.232.xxx.yyy/255.255.255.224

[network-195.24.xxx.xxx/255.255.255.128]
ID-type=                    IPV4_ADDR_SUBNET
Network=                    195.24.xxx.xx
Netmask=                    255.255.255.128

[network-62.232.xxx.yyy/255.255.255.0]
ID-type=                    IPV4_ADDR_SUBNET
Network=                    62.232.xxx.yyy
Netmask=                    255.255.255.0

[Default-main-mode]
DOI=                        IPSEC
EXCHANGE_TYPE=              ID_PROT
Life=                       ANY
Transforms=                 AES-256-SHA

[Default-quick-mode]
DOI=                        IPSEC
EXCHANGE_TYPE=              QUICK_MODE
Suites=                     QM-ESP-AES-256-SHA-SUITE

[AES-256-SHA]
ENCRYPTION_ALGORITHM=       AES_CBC
KEY_LENGTH=                 256,256:256
HASH_ALGORITHM=             SHA
AUTHENTICATION_METHOD=      PRE_SHARED
GROUP_DESCRIPTION=          MODP_1024
Life=                       LIFE_MAIN_MODE

[QM-ESP-AES-256-SHA-SUITE]
Protocols=                  QM-ESP-AES-256-SHA

-- joe.
How to reply read -s from bash (linux) in ksh (OpenBSD)
I need to migrate a script to an OpenBSD server. This works ok, but in the script some input parameters must be entered without echo in the terminal. I did not find this in ksh.

Thanks in advance!

--
# /dev/hdc - OpenBSDeros.org
hdc [at] openbsderos [dot] org
Re: How to reply read -s from bash (linux) in ksh (OpenBSD)
Something like

stty -echo
read variable
stty echo

Regards,
Andreas

2008/11/12 HDC [EMAIL PROTECTED]:
I need to migrate a script to an OpenBSD server. This works ok, but in the script some input parameters must be entered without echo in the terminal. I did not find this in ksh.

Thanks in advance!

--
# /dev/hdc - OpenBSDeros.org
hdc [at] openbsderos [dot] org

--
Andreas Kahari
Somewhere in the general Cambridge area, UK
Re: How to reply read -s from bash (linux) in ksh (OpenBSD)
On Wed, Nov 12, 2008 at 6:40 PM, HDC [EMAIL PROTECTED] wrote:
I need to migrate a script to an OpenBSD server. This works ok, but in the script some input parameters must be entered without echo in the terminal. I did not find this in ksh.

a couple of ideas

1) do
   stty -echo
   read foo bar
   stty echo
though in case you hit ^c in that read, that may lead to a tty with no echo. perhaps may be solved with trap.

2) write a tiny program read-s, which will do that
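Idea 1) with the ^C caveat handled, as an added example that is not code from the thread: a read_secret function for ksh/sh that saves the whole tty state with stty -g and restores it from an INT/TERM trap, and that falls back to a plain read when stdin is not a terminal. The function name and the prompt are mine.

```sh
#!/bin/sh
# Added example: a ksh/sh stand-in for bash's "read -s", built on the
# stty -echo idea from the replies, with the interrupt problem covered.

# read_secret [PROMPT]
# Reads one line from stdin without echoing it when stdin is a terminal
# and prints the line on stdout, so callers capture it with $(...).
# When stdin is a pipe or here-document it just reads, which keeps
# scripts using it testable. Returns read's status (1 on EOF).
read_secret() {
    _rs_prompt=${1:-"Password: "}
    _rs_line=''
    _rs_rc=0
    if [ -t 0 ]; then
        _rs_saved=$(stty -g)             # complete tty state, restored verbatim
        # ^C or SIGTERM during the read would otherwise leave echo off;
        # the trap puts the tty back before the script dies.
        trap 'stty "$_rs_saved"; printf "\n" >&2; exit 130' INT TERM
        printf '%s' "$_rs_prompt" >&2    # prompt on stderr, not in the captured value
        stty -echo
        IFS= read -r _rs_line || _rs_rc=$?
        stty "$_rs_saved"
        trap - INT TERM
        printf '\n' >&2                  # the newline the user typed was not echoed
    else
        IFS= read -r _rs_line || _rs_rc=$?
    fi
    printf '%s\n' "$_rs_line"
    return $_rs_rc
}

# Example use: the passphrase is neither shown on the terminal nor printed.
# pw=$(read_secret 'Enter passphrase: ') || exit 1
```

IFS= and -r keep leading blanks and backslashes in the secret intact; stty -g rather than a bare "stty echo" means any other settings the user had are restored too.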
Re: NAT + IPsec problem
Hello,

I succeeded in doing what I wanted using this: http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

Many thanks for the help!

--
Regards,
Pierre BARDOU

-----Original message-----
From: Claer [mailto:[EMAIL PROTECTED]]
Sent: Sunday 9 November 2008 12:39
To: BARDOU Pierre
Subject: Re: NAT + IPsec problem

On Thursday 06 November 2008 at 15:30, BARDOU Pierre wrote:
Hello,

Hello,

I am trying to set up an IPsec connection. Here is the ipsec.conf:

ike esp from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 \
    main auth hmac-sha1 enc aes-256 \
    quick auth hmac-sha1 enc aes-256 group modp1024 psk

Tunnels go up well:

flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type use
flow esp out from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type require
esp tunnel from 193.164.151.35 to 212.99.28.26 spi 0x1fd5f292 auth hmac-sha1 enc aes
esp tunnel from 212.99.28.26 to 193.164.151.35 spi 0xa0b3fc57 auth hmac-sha1 enc aes

As my LAN is addressed using 10.31.0.0/16, I need to nat to 10.63.61.xxx before the tunnel. So I put this in my pf.conf:

nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2

The problem is that packets going from 10.31.30.1 to 193.164.151.1 don't go through the tunnel, they are going to the internet. Here is the pflog:

Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 > 193.164.151.1: icmp: echo request
Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 > 193.164.151.1: icmp: echo request

-> Packets are going out through em0 (my inet interface) instead of enc0

As the pf doc says translation occurs before filtering, I don't understand why pf can see my real address (10.31.30.1). And the most important: why do outgoing packets -with good addresses- not go through the tunnel? Have I misconfigured something?

Yes and no. This config cannot work.

The NAT action is done on the outgoing interface, after filtering.
The RDR action is done on the incoming interface, before filtering.

When a packet arrives on the OpenBSD box, roughly this happens:
- the packet is examined by pf (in)
- does the packet have to be translated (rdr)
- is the packet allowed (new session or existing session)
- does the packet have to be redirected to a particular interface (route-to)
- routing is handled by the kernel
- does the packet have to be encapsulated in an ipsec flow?
- the packet is checked against the corresponding routing table
- the packet is examined on the outgoing interface (out)
- is the packet allowed (new session or existing session)
- does the packet have to be redirected to a particular interface (route-to)
- does the packet have to be translated (nat)

Since the packet is encapsulated before NAT, the NAT cannot apply. As mentioned in a reply to this thread, the solution is to go through a loopback so that NAT is applied before routing. That way the packet goes through the routing table twice.

Beyond that I can't afford to give more configs, it would be helping a competitor ;-) (NextiraOne)

Good luck!

Regards,
Claer
Re: relayd exits when disabling and enabling hosts
On 2008/11/12 10:56, David Caro wrote: Yes, sorry it is a typo, I used 4.4-snapshot (10/08), got the same error, I'll try to test it on the release as soon as it gets out. If it keeps crushing i'll fill a bug report. a snapshot from October '08 is way past 4.4 release, which was built in August. (takes a little while to produce CDs, build packages for the slower architectures, etc).
openvpn error PKI on obsd 4.4
hi,

i followed the tutorial from this site http://blog.innerewut.de/2005/7/4/openvpn-2-0-on-openbsd
i tried to make the PKI following the automatic script from openvpn, not working, below is the detailed log

# uname -a
OpenBSD log.mydomain.com 4.4 GENERIC#1021 i386
#
# mkdir /etc/openvpn
# cp -R /usr/local/share/examples/openvpn/easy-rsa /etc/openvpn/
# init-config
ksh: init-config: not found
# ./vars
/etc/openvpn/easy-rsa/2.0/openssl.cnf[10]: HOME: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[11]: RANDFILE: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[12]: openssl_conf: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[17]: oid_section: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[18]: engines: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[37]: default_ca: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[42]: dir: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[43]: certs: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[44]: crl_dir: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[45]: database: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[46]: new_certs_dir: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[48]: certificate: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[49]: serial: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[50]: crl: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[51]: private_key: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[52]: RANDFILE: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[54]: x509_extensions: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[60]: default_days: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[61]: 30: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[62]: default_md: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[63]: preserve: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[68]: policy: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[72]: countryName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[73]: stateOrProvinceName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[74]: organizationName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[75]: organizationalUnitName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[76]: commonName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[77]: emailAddress: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[83]: countryName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[84]: stateOrProvinceName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[85]: localityName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[86]: organizationName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[87]: organizationalUnitName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[88]: commonName: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[89]: emailAddress: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[93]: default_bits: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[94]: default_keyfile: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[95]: distinguished_name: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[96]: attributes: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[97]: x509_extensions: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[111]: string_mask: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[116]: syntax error: `(' unexpected
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
#

then i tried using the openssl.cnf in /etc/ssl/

# cp /etc/ssl/openssl.cnf /etc/openvpn/easy-rsa/2.0/
# chmod 755 openssl.cnf
# ./vars
/etc/openvpn/easy-rsa/2.0/openssl.cnf[6]: RANDFILE: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[10]: default_bits: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[11]: default_keyfile: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[12]: distinguished_name: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[13]: attributes: not found
/etc/openvpn/easy-rsa/2.0/openssl.cnf[16]: syntax error: `(' unexpected
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
#

still an error, maybe openssl.cnf is misconfigured. here is my openssl.cnf (from the example)

# For use with easy-rsa version 2.0
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd
openssl_conf		= openssl_init

[ openssl_init ]
# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::HOME/.oid
oid_section		= new_oids
engines			= engine_section

# To use this configuration file with the -extfile option of the
# openssl x509 utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		=
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
Re: symux/rrdtool problem on 4.4-snap
On Wed, Nov 12, 2008 at 6:54 AM, Stuart Henderson [EMAIL PROTECTED] wrote: In gmane.os.openbsd.misc, you wrote: On 2008-11-12, Ryan Flannery [EMAIL PROTECTED] wrote: I'm having some strange problems with the symon (mon+mux) and rrdtool packages after recently upgrading to a 4.4 snapshot (fresh install). Seems like your Perl packages are not in-sync with the base perl. Make sure they are all up-to-date and you fetch from a mirror which isn't lagging. s/are not/may not be/, but that is the first thing to check anyway.. Ah, I missed that. Many thanks for the clue-stick. After upgrading and re-building the rrd's, everything works fine. Thanks again, -ryan
Missing security announcements
Hi!

I subscribed to security-announce a long time ago and thought I would receive information about security announcements, but contrary to what is stated on http://openbsd.org/mail.html:

security-announce - Security announcements. This low volume list receives OpenBSD security advisories and pointers to security patches as they become available.

as is easily verifiable here: http://www.sigmasoft.com/~openbsd/archives/html/openbsd-security-announce/ together with: http://openbsd.org/errata44.html, the patches are not announced.

If the stated announcement process via mailing list is unreliable or untimely, I'd think it's useless, and with it that mailing list.

Regards
Peer
Re: How to reply read -s from bash (linux) in ksh (OpenBSD)
1) do
   stty -echo
   read foo bar
   stty echo
though in case you hit ^c in that read, that may lead to a tty with no echo. perhaps may be solved with trap.

This works fine with stty traps! Thanks!

--
# /dev/hdc - OpenBSDeros.org
hdc [at] openbsderos [dot] org
Re: dhcpd problem on OpenBSD 4.4 with release / renew
Kenneth R Westerback wrote:
On Tue, Nov 11, 2008 at 03:03:19PM -0800, Brian Keefer wrote:
On Nov 11, 2008, at 2:01 PM, Administrator wrote:
Brian Keefer wrote:
On Nov 11, 2008, at 12:42 PM, Administrator wrote:
Nope, didn't help. There must be some other mystery. Now it stops at the DHCPOFFER part.

DHCPDISCOVER from 00:50:18:48:cb:3d via vlan51
DHCPOFFER on 192.168.51.3 to 00:50:18:48:cb:3d via vlan51
DHCPDISCOVER from 00:50:18:48:cb:3d via vlan51
DHCPOFFER on 192.168.51.3 to 00:50:18:48:cb:3d via vlan51

Any ideas?

Do you have the ability to test on -current? You might try that. Also definitely post a follow-up to Misc@ and Cc: [EMAIL PROTECTED] to see if he has any ideas. I'm not a DHCP guru, unfortunately. He's probably going to need some tcpdump samples to see what options are getting passed. This is what was requested last time:

please include tcpdump -eni<interface> -Xvvs port 67 or port 68

Ok, I will try -current tomorrow. Do I have to recompile world or just dhcpd? Will this be enough?

# cd /usr/src/usr.sbin/dhcpd
# make obj
# make
# make install

For -current you should install a snapshot and go from there. I believe you can't just update dhcpd because there have been library changes. Hopefully you have a box you can test on. I tend to use VMs for this kind of thing.
-- bk

You should be able to just get -current /usr/src/usr.sbin/dhcpd/options.c and recompile on your system. The library problem was with my compiling on a -current system and someone trying to run that executable on a -release system.
Ken

Recompiled /usr/src/usr.sbin/dhcpd with the -current source tree, but this didn't solve my problem anyway.
# ls -la /usr/sbin/dhcpd -r-xr-xr-x 1 root bin 89956 Nov 12 15:48 /usr/sbin/dhcpd # tcpdump -enivlan51 -Xvvs port 67 or port 68 tcpdump: listening on vlan51, link-type EN10MB 15:49:13.301041 00:50:18:48:cb:3d ff:ff:ff:ff:ff:ff 0800 342: 192.168.51.3.68 > 255.255.255.255.67: [udp sum ok] xid:0x5e8ed704 C:192.168.51.3 vend-rfc1048 DHCP:RELEASE SID:192.168.51.254 CID:1.0.80.24.72.203.61 (ttl 64, id 57884, len 328) [hex dump omitted] 15:49:17.371880 00:50:18:48:cb:3d ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] xid:0x73d08ba secs:55475 vend-rfc1048 DHCP:DISCOVER CID:1.0.80.24.72.203.61 RQ:192.168.51.3 HN:Suezou^@ VC:77.83.70.84.32.57.56 PR:SM+DN+DG+NS+WNS+WNT+WSC+VO+77 (ttl 64, id 64284, len 328) [hex dump omitted]
Re: IPSec to Checkpoint
Support for specifying aes key sizes was added February 2008, thus 4.2 does not provide this. On Wed, Nov 12, 2008 at 03:17:17PM +, Joe Warren-Meeks wrote: On Wed, Nov 12, 2008 at 02:35:35PM +0100, Claer wrote: Hey there, OK, so I've switched to ipsec.conf and it is a lot easier! However, I'm still struggling to use aes 256. I have the following: ike esp from 195.24.xxx.x/25 to 62.232.yyy.y/27 \ local 195.24.aaa.aa peer 62.232.bbb.bbb \ main auth hmac-sha1 enc aes group modp1024 \ quick auth hmac-sha1 enc aes psk sudomakemeagoat This uses aes128. Is there any way to get aes256 working? Note: I'm on 4.2, was 256 support added later? If not, is there any way I could enable 256 on 4.2? -- joe. I can't believe Alan Davies would do that. I absolutely love him!
Re: Can't SSH into CARP'd system from the outside
i don't think I understand. Clarify. you mean carpdev is like your physical interface..eth0, re0, etc.? On Wed, Nov 12, 2008 at 12:40 AM, Marco Pfatschbacher [EMAIL PROTECTED] wrote: On Tue, Nov 11, 2008 at 03:53:54PM -0800, Vivek Ayer wrote: [...] # macros [...] carpdevs = { carp0 , carp1 } [...] # pass rules [...] pass in on $carpdevs inet proto tcp from any to ($ext_if) \ port $tcp_services flags S/SA keep state # Allow SSH Access from Outside just from a quick glance: pf(4) never filters on carp interfaces, but on carp's physical interface (aka carpdev).
PCC developer looking for funding through BSD Fund
I know there has been some interest on this list related to having a BSD licensed C compiler used for OpenBSD. Anders Magnusson (Ragge,) is the maintainer of PCC and is looking for some funding through BSD Fund (tax deductible in the US) to get a V1.0 release out. This is also on Undeadly, if you have not seen it already: http://undeadly.org/cgi?action=article&sid=20081108135831&mode=expanded A post to pcc-list by Anders Magnusson: http://marc.info/?l=pcc-list&m=122633955912667&w=2 BSD fund has decided to get into the business of trying to get donations for further PCC development, so that there can be faster progress in development. I have been discussing pcc with BSD fund for a while, and I think they are doing a great job! More info on http://www.bsdfund.org/projects/pcc/ , if you want to contribute to PCC development or have a company that might be interested in giving money for PCC. -Mark C.
Re: Experiences running named and rndc on 4.4 vs 4.3 - Solved/Explained
Yes, you are exactly right. My OS install script renames the existing /var/named/etc directory, and creates a new one pulled from version control, and in so doing, does not restore the correct ownership of the etc directory. So later on, during the execution of /etc/rc, the rndc.key file gets created with the wrong ownership, which led to the problem I reported. Because the rndc.key was generated later in this process, I did not think I had an ownership issue with it, but clearly the problem is the ownership of the parent directory. Thank you for your insight into my problem, I will make sure my install scripts do a better job of maintaining the ownership/permissions... Don On Wed, Nov 12, 2008 at 6:17 AM, Woodchuck [EMAIL PROTECTED] wrote: On Tue, 11 Nov 2008, Don Jackson wrote: Today I began testing named on a freshly installed OpenBSD 4.4 amd64 machine, using my old named.conf file from 4.3 (which was still running named version 9.4.2) When the machine first boots after the install, /etc/rc determines there is no rndc.key, and generates one: rndc-confgen: generating new shared secret... done. starting named Here are the owner, group, and file modes of the two different copies of rndc.key that are generated: # ls -lAF /etc/rndc.key /var/named/etc/rndc.key -rw------- 1 root wheel 77 Nov 11 12:24 /etc/rndc.key -rw-r----- 1 root wheel 77 Nov 11 12:24 /var/named/etc/rndc.key named only cares about the rndc.key in /var/named/etc Right. But later, rndc will use the /etc version. So you need both, and the permissions you show are sane ones.
Looking at the logs: /var/log/daemon, one can see: Nov 11 12:24:10 svn01 named[142]: none:0: open: /etc/rndc.key: permission denied Nov 11 12:24:10 svn01 named[142]: couldn't add command channel 127.0.0.1#953: permission denied Here is my workaround: # chown root:named /var/named/etc/rndc.key # ls -lAF /var/named/etc/rndc.key -rw-r----- 1 root named 77 Nov 11 12:24 /var/named/etc/rndc.key Should /etc/rc set the group ownership of /var/named/etc/rndc.key? Comments? I think rndc.key should pick up the named group from the ownerships and permissions on /var/named/etc. /var/named/etc should be owned by root.named and have permissions 750. I bet your /var/named/etc is owned by root.wheel. Dave
Re: Problem with relayctl - OBSD 4.4
Hello, Here is the log for relayd -dv. When I try to relayctl reload I got a command failed and nothing in relayd output. # relayd -dv warning: macro 'squid_adh' not used warning: macro 'dns_adh' not used warning: macro 'dns1_ext' not used warning: macro 'dns2_ext' not used warning: macro 'mx1_ext' not used warning: macro 'mx2_ext' not used warning: macro 'mx_int' not used warning: macro 'mx_adh' not used startup relay_privinit: adding relay squid protocol 1: name http_proxy flags: 0x0004 type: http relay_privinit: adding relay dns protocol 2: name dnsfilter flags: 0x0004 type: hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful) host 10.60.0.102, check tcp (1ms), state unknown - up, availability 100.00% hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful) host 10.60.0.102, check tcp (1ms), state unknown - up, availability 100.00% hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful) host 10.60.0.101, check tcp (1ms), state unknown - up, availability 100.00% hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful) host 10.60.0.101, check tcp (1ms), state unknown - up, availability 100.00% dns relay_init: max open files 1024 adding 2 hosts from table squid:3128 adding 2 hosts from table DNS:53 relay_init: max open files 1024 relay_init: max open files 1024 relay_init: max open files 1024 relay_init: max open files 1024 relay_init: max open files 1024 relay_init: max open files 1024 relay_init: max open files 1024 relay_init: max open files 1024 init_filter: filter init done relay_launch: running relay squid adding 2 hosts from table squid:3128 adding 2 hosts from table squid:3128 adding 2 hosts from table squid:3128 adding 2 hosts from table squid:3128 adding 2 hosts from table squid:3128 adding 2 hosts from table squid:3128 adding 2 hosts from table squid:3128 adding 2 hosts from table squid:3128 relay_init: max open files 1024 init_tables: created 0 tables adding 2 hosts from table DNS:53 adding 2 hosts from table DNS:53 adding 2 
hosts from table DNS:53 adding 2 hosts from table DNS:53 adding 2 hosts from table DNS:53 adding 2 hosts from table DNS:53 adding 2 hosts from table DNS:53 adding 2 hosts from table DNS:53 adding 2 hosts from table DNS:53 adding 2 hosts from table squid:3128 pfe_dispatch_imsg: state 1 for host 2 10.60.0.102 relay_launch: running relay squid adding 2 hosts from table DNS:53 relay_launch: running relay squid relay_launch: running relay squid relay_launch: running relay squid relay_launch: running relay squid relay_launch: running relay dns relay_launch: running relay dns pfe_dispatch_imsg: state 1 for host 4 10.60.0.102 relay_launch: running relay squid relay_launch: running relay dns relay_launch: running relay squid relay_launch: running relay squid relay_launch: running relay dns relay_launch: running relay dns relay_launch: running relay dns pfe_dispatch_imsg: state 1 for host 1 10.60.0.101 relay_launch: running relay dns relay_launch: running relay dns relay_launch: running relay dns relay_launch: running relay squid pfe_dispatch_imsg: state 1 for host 3 10.60.0.101 relay_launch: running relay dns hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful) hce_notify_done: 10.60.0.101 (tcp_host_up: connect successful) hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful) hce_notify_done: 10.60.0.102 (tcp_host_up: connect successful) -- Regards, Pierre BARDOU -Original message- From: Stuart Henderson [mailto:[EMAIL PROTECTED] Sent: Tuesday 11 November 2008 13:20 To: misc@openbsd.org Subject: Re: Problem with relayctl - OBSD 4.4 On 2008-11-11, James Records [EMAIL PROTECTED] wrote: Pierre, I'm seeing the same exact thing, I'm not able to reload the config without killing and restarting relayd. I haven't looked at the source yet, but I may get to that in the next couple days, restarting is an ok work around for me at this point, but won't be when it gets into production. Jim Run relayd -dv, try and reload the config, check the output and paste it in mail.
Re: relayd exits when disabling and enabling hosts
In that case I'll make the bug report as soon as I get one machine idle enough time to install openbsd 4.4 again. 2008/11/12 Stuart Henderson [EMAIL PROTECTED] On 2008/11/12 10:56, David Caro wrote: Yes, sorry it is a typo, I used 4.4-snapshot (10/08), got the same error, I'll try to test it on the release as soon as it gets out. If it keeps crashing I'll file a bug report. a snapshot from October '08 is way past 4.4 release, which was built in August. (takes a little while to produce CDs, build packages for the slower architectures, etc).
Re: Can't SSH into CARP'd system from the outside
On 2008-11-12, Vivek Ayer [EMAIL PROTECTED] wrote: i don't think I understand. Clarify. you mean carpdev is like your physical interface..eth0, re0, etc.? yes On Wed, Nov 12, 2008 at 12:40 AM, Marco Pfatschbacher [EMAIL PROTECTED] wrote: On Tue, Nov 11, 2008 at 03:53:54PM -0800, Vivek Ayer wrote: [...] # macros [...] carpdevs = { carp0 , carp1 } [...] # pass rules [...] pass in on $carpdevs inet proto tcp from any to ($ext_if) \ port $tcp_services flags S/SA keep state # Allow SSH Access from Outside just from a quick glance: pf(4) never filters on carp interfaces, but on carp's physical interface (aka carpdev).
symux/rrdtool problem on 4.4-snap
Hello misc@, I'm having some strange problems with the symon (mon+mux) and rrdtool packages after recently upgrading to a 4.4 snapshot (fresh install). Previously I was running 4.3 with symon symux installed, and would cron a script that created rrdtool graphs from some of the symux rrd files, similar to what syweb does (only from cron). After the upgrade, any attempt to fetch info from some of the rrd files (even via a rrdtool fetch rrdname CF) created updated by symux results in either a segfault or the following error from rrdtool: ERROR: fetching cdp from rra Same if I try to graph any of those files. The only rrds that I can fetch info from, and graph, are the mbuf, mem, and pf rrds. I've re-created the rrds a dozen times, always from the provided c_smrrds.sh script. Symux reports no errors while running, and seems to be updating all of the rrds. On all of them, I can run rrdtool last rrdname without error, and see that it was updated within the last 5 seconds. I've been trying to track down the error, but so far have had no luck. Any ideas or a clue-stick-smacks would be greatly appreciated. Many Thanks, -ryan OpenBSD 4.4-current (GENERIC.MP) #1959: Mon Nov 3 12:17:11 MST 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP [remainder of dmesg omitted]
Re: Using a separate boot partition
Seems to me we are not looking in the right direction. I seem to understand that the problem is multi-booting, with OSes possibly on multiple physical devices. It also seems that the starting point is a Lunixish advocating of having a /boot partition handling *all* parameters for all OSes, which is presumptuous or a misplaced ego at least. Each new installation of an OS needs the controlling /boot/grub/menu.lst to be mounted and sudo edited (or worse, GRUB re-installed) before being able to boot that new OS. Very likely, GNU GRUB Legacy is used and installed in the /boot volume. So why not use it? With GRUB you can: map drives (tell from which to really boot from); hide/unhide partitions (i.e.: have two OpenBSD installs on the same drive); make partitions active; chainload partitions; have many instances of grub, each in its own volume, handling all specific OSes; automatically write their specific kernel parameters. Key is to install the OSes to boot from their own partition and to never re-write the MBR. Only one OS should be allowed to write one mbr, be it NTLDR, GAG, GRUB. With Lilo and GRUB, you may choose to install the boot record in the (mis-named) partition boot record (PBR) which is more like a volume boot record. grub setup (hd,x) grub install (hd,x) Then, chainload. Title whatever root (hd,y) chainloader +1 boot And leave it to the OS specific boot processes to have it their specific way with their specific boot.conf or menu.lst or init. More on GRUB, check this (Ubuntuish but extensive) http://users.bigpond.net.au/hermanzone/ Don't miss the MBR description http://users.bigpond.net.au/hermanzone/p6.htm which tells you that you should rewrite only the first 446 bytes of the MBR, leaving the rest (the four DOS/Intel partition table entries) unchanged unless you know what you are doing. Douglas A. Tutty wrote: On Wed, Nov 12, 2008 at 12:05:47AM -0500, Douglas A. Tutty wrote: On Tue, Nov 11, 2008 at 08:31:42PM -0800, Joseph Alten wrote: So there isn't really an option like I was describing? I was going to just create my / partition on my boot hard drive like you mentioned, but I seemed so close when I ran boot hd0a:/bsd -a at the boot prompt that I thought I was missing something in the documentation... The boot prompt is the boot loader not the kernel. With your command, you're telling the boot loader to load the kernel on hd0a:/ called bsd. That's not the same as booting a kernel on one drive and using a different drive for the root partition, which is what you asked for. Yes, I know the -a flag tells the kernel to ask for root device. I just don't see a way of telling the kernel up-front what root device to use. In Linux parlance, this is having grub on /dev/hda but linux on /dev/hdc1, which works without needing a separate /boot partition.
Re: relayd: does timeout-directive limits time for SSL-handshake?
Hi! (ok not really a Re: since I don't have the original message, but I copy-pasted somewhat from archives to get some context, hope no one minds :) http://www.nabble.com/relayd:-does-timeout-directive-limits-time-for-SSL-handshake--td19698613.html) Just want to bring this back up, since I just had this problem as well. And I had to bring it up more than 2s (running at 15s now) due to slow (mobile among others) clients. Didn't see anything in CVS, any chances of changes? A SSL handshake could very well take a few seconds on slow clients (as shown), but if my service is taking 2-3s to respond, something is wrong and I'd want to throw it out of rotation earlier than that. A separate connection_setup_timeout directive or something might be in order? Btw, would there be any problems running CURRENT relayd/relayctl on a 4.4 kernel/system? Thanks Johan On Monday, September 29, 2008 - 5:49 pm, Reyk Floeter wrote: Hi! On Sat, Sep 27, 2008 at 02:01:09AM +0200, Till Neudecker wrote: I have a pretty normal loadbalancing setup (2 relayd- loadbalancer, 2 backend hosts). The loadbalancer accepts ssl-encrypted sessions and forwards them unencrypted to the backend-hosts. Because all the hosts are on the same LAN I set the global timeout-directive to 200ms. 200ms is a really brave timeout even for host checks in a LAN. I almost always increase it in my configurations, but I think pyr@ liked the really short timeout ;). But we should probably bump up the default to prevent failures in common configurations. When now connecting from a slow internet-connection to my service, I often receive a SSL accept timeout. After changing the global timeout to 2000ms the problem disappears. The man-pages only says timeout limits the time for the checks of the backend-hosts but nothing about the SSL- handshake from clients Can someone agree or disagree to my guess that timeout also limits the time for the SSL-handshake? Yes, this is right.
The global timeout is a connection timeout which is used by the health checks but also by the initial connect/accept of the relays in TCP and SSL mode. This means that this timeout will be used for the time to establish the stateful TCP or SSL connection. The established connection will switch to the per-relay session timeout which defaults to 600s (10min) for idle TCP/SSL sessions. Thanks for your hint, I will think about adding another timeout and/or improving the manpage here. Reyk
Re: Using a separate boot partition
On Tue, Nov 11, 2008 at 07:52:30PM -0800, Joseph Alten wrote: Due to technical constraints, my setup requires that I have a separate boot partition (basically the kernel and anything else critical for booting), and then of course my root partition and other data partitions on a separate disk. Can you say more about the technical constraints. If it is just size constraints there should not be much of a problem since the root partition is supposed to be small in OpenBSD. I'm kind of new to OpenBSD, and so far what I've managed to do is copy /bsd to a separate partition, then at the boot prompt I run boot hd0a -a, then specify my root partition when prompted by the kernel. While this has the desired effect, I'd rather not run this every time I want to boot OpenBSD. Is there a kernel parameter I can pass that lets the kernel know ahead of time the root device I wish to mount? Basically I'm looking for the OpenBSD equivalent of root=/dev/xxx Linux kernel parameter. I think I managed to get FreeBSD working similarly with the vfs.root.mountfrom= parameter, but this doesn't appear to exist in OpenBSD. Thanks for looking into this. -- Joseph Alten -- / Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: Using a separate boot partition
On 2008-11-12, dermiste [EMAIL PROTECTED] wrote: I'm backing ben here : OpenBSD / should be small enough to fit it entirely into a boot partition. /etc/{master.,}passwd and /etc/{s,}pwd.db can grow pretty large on some systems...
Re: How to NAT a site-site VPN tunnel
2008/11/12 Mitja Muženič [EMAIL PROTECTED]: If you control the target box, the simplest solution by far is to assign a deconflicting alias address to it and then establish the VPN tunnel between the 3rd party site and this alias address of yours. Everybody will be accessing through the original address except for the problematic site, they will use the alias. There are tricks with nat on ipsec but they are very hard to configure right. I have full control over the local OBSD server and the internal network, however the address assigned to the box in question is pretty entrenched and so it isn't really possible to change its address. :( I am not completely without clue, and am willing to get deeper into the configs in question. I should probably point out that I am still using the older style isakmpd.[conf,policy] files at this time, but I believe that my problem lies within the pf.conf file. I think I need to do something like nat on rl2 from 172.20.20.123/32 to $client_network -> enc0 but that doesn't seem to work for me
Re: Can't SSH into CARP'd system from the outside
then, what about this: pass on $carpdev proto carp keep state Looks like it's filtering on the $carpdev, which is carp0 and carp1 in this case. It's just what I read in the pf book. I'd like to resolve this soon so I can go ahead and launch my website. I feel like there's a lot of carp in the pf files. I need to lean it down a little. That might be causing all these problems. Help appreciated, Vivek On Wed, Nov 12, 2008 at 2:19 PM, Stuart Henderson [EMAIL PROTECTED] wrote: On 2008-11-12, Vivek Ayer [EMAIL PROTECTED] wrote: i don't think I understand. Clarify. you mean carpdev is like your physical interface..eth0, re0, etc.? yes On Wed, Nov 12, 2008 at 12:40 AM, Marco Pfatschbacher [EMAIL PROTECTED] wrote: On Tue, Nov 11, 2008 at 03:53:54PM -0800, Vivek Ayer wrote: [...] # macros [...] carpdevs = { carp0 , carp1 } [...] # pass rules [...] pass in on $carpdevs inet proto tcp from any to ($ext_if) \ port $tcp_services flags S/SA keep state # Allow SSH Access from Outside just from a quick glance: pf(4) never filters on carp interfaces, but on carp's physical interface (aka carpdev).
Re: Can't SSH into CARP'd system from the outside
On 2008/11/12 14:35, Vivek Ayer wrote: then, what about this: pass on $carpdev proto carp keep state the proto carp packets are all strictly on the parent interfaces, that is the only place you need to pass them. Looks like it's filtering on the $carpdev, which is carp0 and carp1 in this case. $carpdev would be a pf.conf macro and could be anything, I don't have a copy of the book and http://home.nuug.no/~peter/pf/en/ doesn't talk about carp in pf.conf so I can't check how it's used there. I think most people using the term carpdev would use it in the sense it's described in carp(4), i.e. the interface the carp device attaches to. It's just what I read in the pf book. I'd like to resolve this soon so I can go ahead an launch my website. I feel like there's a lot of carp in the pf files. I need to lean it down a little. That might be causing all these problems. the only time I use the carp interface in pf.conf is for address specification, pass to (carp80) etc.
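The pf.conf fragment below is an added illustration of the point made in this thread, not a configuration posted by any participant. It assumes em0 is the parent (carpdev) interface and carp0 carries the shared address; tcp_services is the macro from the original post.

```pf
# Added example, not from the thread. pf(4) sees packets on the carp
# parent (physical) interface only; carpN itself is never a filtering
# interface. Assumed names: em0 as carpdev, carp0 as the shared address.
ext_if = "em0"
tcp_services = "{ ssh, www }"

# WRONG (what the original ruleset did): rules on the carp interface
# never match anything, so SSH from outside is dropped by the default
# block or by other rules.
# carpdevs = "{ carp0 }"
# pass in on $carpdevs inet proto tcp from any to ($ext_if) \
#     port $tcp_services flags S/SA keep state

# CARP advertisements (IP protocol carp) travel strictly on the parent
# interface, so that is the only place they need to be passed.
pass on $ext_if proto carp keep state

# Inbound services: filter on the parent interface, but address them via
# the carp interface so the rule follows the shared IP across failover.
pass in on $ext_if inet proto tcp from any to (carp0) \
    port $tcp_services flags S/SA keep state
```

Check the loaded ruleset with pfctl -sr to confirm the rules reference the parent interface and not carp0.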
Re: Missing security announcements
On 12 Nov 2008, at 17:57, Peer Janssen wrote: Hi! I subscribed to security-announce a long time ago and thought I would receive information about security announcements, but contrary to what is stated on http://openbsd.org/mail.html: security-announce - Security announcements. This low volume list receives OpenBSD security advisories and pointers to security patches as they become available., as is easily verifiable here: http://www.sigmasoft.com/~openbsd/archives/html/openbsd-security-announce/ together with: http://openbsd.org/errata44.html, the patches are not announced. If the stated announcement process via mailing list is unreliable or untimely, I'd think it's useless, and with it that mailing list. Regards Peer Four of those 4.4 patches are listed as reliability patches and not security patches. So I can see why they were not posted to the security list. There is only one security patch there and that is patch 001. I'm sure one of the developers will correct me if I am wrong but that is my assumption. Simon.
Re: PCC developer looking for funding through BSD Fund
On 12 Nov 2008, at 20:25, Mark Carlson wrote: I know there has been some interest on this list related to having a BSD licensed C compiler used for OpenBSD. Anders Magnusson (Ragge,) is the maintainer of PCC and is looking for some funding through BSD Fund (tax deductible in the US) to get a V1.0 release out. This is also on Undeadly, if you have not seen it already: http://undeadly.org/cgi?action=article&sid=20081108135831&mode=expanded A post to pcc-list by Anders Magnusson: http://marc.info/?l=pcc-list&m=122633955912667&w=2 BSD fund has decided to get into the business of trying to get donations for further PCC development, so that there can be faster progress in development. I have been discussing pcc with BSD fund for a while, and I think they are doing a great job! More info on http://www.bsdfund.org/projects/pcc/ , if you want to contribute to PCC development or have a company that might be interested in giving money for PCC. -Mark C. Looks interesting. It would be great to have a 100% C99 compatible compiler and C standard library. Not sure if that is what is the eventual goal for the project or not but there seems a real lack on that front. I should probably do some more reading into PCC. Simon.
Re: Missing security announcements
On Thu, 13 Nov 2008, Simon Connah wrote: On 12 Nov 2008, at 17:57, Peer Janssen wrote: Hi! I subscribed to security-announce a long time ago and thought I would receive information about security announcements, but contrary to what is stated on http://openbsd.org/mail.html: security-announce - Security announcements. This low volume list receives OpenBSD security advisories and pointers to security patches as they become available., as is easily verifiable here: http://www.sigmasoft.com/~openbsd/archives/html/openbsd-security-announce/ together with: http://openbsd.org/errata44.html, the patches are not announced. If the stated announcement process via mailing list is unreliable or untimely, I'd think it's useless, and with it that mailing list. Regards Peer Four of those 4.4 patches are listed as reliability patches and not security patches. So I can see why they were not posted to the security list. There is only one security patch there and that is patch 001. I'm sure one of the developers will correct me if I am wrong but that is my assumption. Simon. For what it's worth (probably not much), there is also the errata rss feed from undeadly, which clearly marks SECURITY vs RELIABILITY patches. I'm sure everyone knows about this by now, but it does make a nice addition to an rss reader of choice. http://www.undeadly.org/cgi?action=errata
Re: Missing security announcements
On Wed, Nov 12, 2008 at 06:57:19PM +0100, Peer Janssen wrote: I subscribed to security-announce a long time ago and thought I would receive information about security announcements, but contrary to what is stated on http://openbsd.org/mail.html: security-announce - Security announcements. This low volume list receives OpenBSD security advisories and pointers to security patches as they become available., FWIW, I received the Welcome to the security-announce mailing list! message on 9/4/2002 and nothing since. I don't think it's a big deal since there are other ways of getting the information.
Re: Missing security announcements
On Wed, 12 Nov 2008 21:32:57 -0600 Emilio Perea [EMAIL PROTECTED] wrote: I don't think it's a big deal since there are other ways of getting the information. Given that we usually sign up to a security-announce mailing list for good reason, if the list isn't working as intended, or there is some misunderstanding as to why the list exists, then I'd like to know explicitly, if only so that I do not rely on the list too much. -- Aaron W. Hsu [EMAIL PROTECTED] | http://www.sacrideo.us Government is the great fiction, through which everybody endeavors to live at the expense of everybody else. -- Frederic Bastiat +++ ((lambda (x) (x x)) (lambda (x) (x x))) ++
Re: Missing security announcements
I don't think it's a big deal since there are other ways of getting the information. Given that we usually sign up to a security-announce mailing list for good reason, if the list isn't working as intended, or there is some misunderstanding as to why the list exists, then I'd like to know explicitly, if only so that I do not rely on the list too much. It does not work because no one who works on OpenBSD runs -stable. Then every few months some of you come and yell at us. Honestly, I think we should get rid of the list. But then, it was created because people like you asked for it. So, if we got rid of it, people like you would yell at us. So how about if we leave the list in existence, and instead ignore your requests? I think that would work better. I am not here saying this because I have answers. I don't. I think that people running old software quite frankly cannot rely on a mailing list run by people who don't run -stable. So how can any of you hope we will solve your problems? People who can't, won't.
Re: Missing security announcements
On Wed, 12 Nov 2008 21:32:57 -0600, Emilio Perea wrote:

>> On Wed, Nov 12, 2008 at 06:57:19PM +0100, Peer Janssen wrote:
>>
>> I subscribed to security-announce a long time ago and thought I would receive information about security announcements, but contrary to what is stated on http://openbsd.org/mail.html:
>>
>> security-announce - Security announcements. This low volume list receives OpenBSD security advisories and pointers to security patches as they become available.
>
> FWIW, I received the "Welcome to the security-announce mailing list!" message on 9/4/2002 and nothing since. I don't think it's a big deal since there are other ways of getting the information.

Maybe your email address got lost somewhere. I have 75 entries from 12 April 2002 (in case your date format was not the screwed up yank format) or a few less counting from Sep '02.

*** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device
Re: Missing security announcements
On Wed, Nov 12, 2008 at 10:32 PM, Emilio Perea [EMAIL PROTECTED] wrote:

> FWIW, I received the "Welcome to the security-announce mailing list!" message on 9/4/2002 and nothing since. I don't think it's a big deal since there are other ways of getting the information.

Maybe you mean 2008, because I personally sent several messages to the list in the years since. If there was an errata that wasn't announced, remind the developer to send such notice. That's the only way they'll start sending such messages. I certainly can't remind them because I'm not subscribed so I don't even know what's missing.
Re: Missing security announcements
On Wed, Nov 12, 2008 at 11:36:10PM -0500, Ted Unangst wrote:

> On Wed, Nov 12, 2008 at 10:32 PM, Emilio Perea [EMAIL PROTECTED] wrote:
>
>> FWIW, I received the "Welcome to the security-announce mailing list!" message on 9/4/2002 and nothing since. I don't think it's a big deal since there are other ways of getting the information.
>
> Maybe you mean 2008, because I personally sent several messages to the list in the years since.

No, I meant 2002. But as Rod suggested, it's quite possible I got unsubscribed accidentally. I see there are quite a few messages in the mailing list archives... In any case, I've seen announcements of all errata on misc or source-changes, so it's no big deal.
Re: Missing security announcements
On Wed, 12 Nov 2008 21:17:46 -0700 Theo de Raadt [EMAIL PROTECTED] wrote:

> It does not work because no one who works on OpenBSD runs -stable. Then every few months some of you come and yell at us.

Not yelling, honest; I was just curious. So, basically, no one has the time or motivation to send out updates?

--
Aaron W. Hsu [EMAIL PROTECTED] | http://www.sacrideo.us
Government is the great fiction, through which everybody endeavors to live at the expense of everybody else. -- Frederic Bastiat
+++ ((lambda (x) (x x)) (lambda (x) (x x))) ++
Re: Missing security announcements
>> It does not work because no one who works on OpenBSD runs -stable. Then every few months some of you come and yell at us.
>
> Not yelling, honest; I was just curious. So, basically, no one has the time or motivation to send out updates?

None of the developers are on the list. Heck! More than half the developers don't even read misc because of who posts to it.
chaplIn...
. . . out of all the lies said to mE i love you was my favouriTe . . . [EMAIL PROTECTED] . . .
Re: Using a separate boot partition
On Wed, Nov 12, 2008 at 2:21 PM, Raimo Niskanen [EMAIL PROTECTED] wrote:

> On Tue, Nov 11, 2008 at 07:52:30PM -0800, Joseph Alten wrote:
>
>> Due to technical constraints, my setup requires that I have a separate boot partition (basically the kernel and anything else critical for booting), and then of course my root partition other data partitions on a separate disk.
>
> Can you say more about the technical constraints. If it is just size constraints there should not be much of a problem since the root partition is supposed to be small in OpenBSD.

Yes, it's just size constraints. Generally I prefer /usr, /var, /opt, and so on, to be on the same partition because that allows for a more flexible storage mechanism. However, most of my hard drive storage is non-bootable, which means that I usually place kernels and ramdisks on my bootable hard drive.

>> I'm kind of new to OpenBSD, and so far what I've managed to do is copy /bsd to a separate partition, then at the boot prompt I run boot hd0a -a, then specify my root partition when prompted by the kernel. While this has the desired effect, I'd rather not run this every time I want to boot OpenBSD. Is there a kernel parameter I can pass that lets the kernel know ahead of time the root device I wish to mount? Basically I'm looking for the OpenBSD equivalent of root=/dev/xxx Linux kernel parameter. I think I managed to get FreeBSD working similarly with the vfs.root.mountfrom= parameter, but this doesn't appear to exist in OpenBSD. Thanks for looking into this.
>>
>> --
>> Joseph Alten
>
> --
> / Raimo Niskanen, Erlang/OTP, Ericsson AB