Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Claudio Jeker
On Mon, Apr 27, 2009 at 11:20:07PM +0200, Felipe Alfaro Solana wrote:
> On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst  wrote:
> 
> > On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
> >  wrote:
> > > Again, not a single or valid technical argument on why a bridging
> > firewall
> > > is a bad idea. Just a moot and offensive responsive, and a very
> > > strong assessment from someone that doesn't know me at all. It's also
> > very
> > > sad to see so many impolite answers in this list. Perhaps saying "are
> > > apparently black magic" would be more appropriate.
> >
> > http://marc.info/?l=openbsd-misc&m=124082008204226&w=2
> >
> > You can either read the code or listen to somebody who has.  I don't
> > know you either, but I know Henning and I know the bridge code, and
> > the short version is he's right.
> >
> 
> And again, I think you mean that running a bridge under OpenBSD is perhaps
> not the fastest or brightest solution. And I trust you, But again, I have
> yet to hear a single technical argument on why running, for example, Snort
> inline on other platforms is a bad idea and makes one stupid.
> 

Did you ever check the security record of snort? It is at least as bad as
wireshark's but it is sitting in the middle of your network passing
packets. I couldn't sleep with such a system in my core.
It is also a lot easier to bypass unnoticed a bridging FW/IDS than a box
that does actual routing.

Go ahead, use it and get burned, I think you need pain to realize that it is
bad.

-- 
:wq Claudio



Re: Internet access over Bluetooth; a summary.

2009-04-27 Thread Denis Doroshenko
On Mon, Apr 27, 2009 at 11:18 PM, Thomas Pfaff  wrote:
> On Mon, 27 Apr 2009 21:04:01 +0200 Otto Moerbeek  wrote:
>> On Mon, Apr 27, 2009 at 08:43:16PM +0200, Thomas Pfaff wrote:
>> > $ sudo echo "00:1d:e9:e5:ad:01 phone" >> /etc/bluetooth/hosts
>>
>> I don't think you tested the above command. Hint: the redirect is not
>> done as root.
>
> Quite right, sorry about that. Just to make the archives happy:
>
> # echo "00:1d:e9:e5:ad:01 phone" >> /etc/bluetooth/hosts

since everything is done with sudo, this might be something like

$ sudo sh -c 'echo "00:1d:e9:e5:ad:01 phone" >> /etc/bluetooth/hosts'
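As an added example (written for this digest, not part of Denis's or anyone else's post), the script below shows why `sudo echo "..." >> /etc/bluetooth/hosts` appends nothing: the invoking, unprivileged shell opens the `>>` target before sudo runs, so only `echo` is executed as root. It then gives two shapes that do work, `sudo tee -a` fed from a pipe and the `sudo sh -c` form quoted above with the values passed as positional parameters rather than pasted into the command string, each guarded by a format check on the address and alias. The function names, the validation regexes and the `PRIV` parameter (which lets the functions be exercised against a file you already own) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not taken from the thread: appending to a root-owned file
# under sudo without the redirect pitfall discussed above.
#
#   $ sudo echo "00:1d:e9:e5:ad:01 phone" >> /etc/bluetooth/hosts
#
# fails because the invoking (unprivileged) shell opens the `>>` target
# before sudo runs; only `echo` is executed as root. Below, the privileged
# program is the one that does the write, and the data never gets pasted
# into a shell command string, so a malformed address cannot become code.

# Bluetooth device address: six colon-separated hex octets (assumed format).
is_bdaddr() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Alias for /etc/bluetooth/hosts: letters, digits, '-' and '_' only (assumed).
is_alias() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# append_bt_host ADDR NAME [FILE] [PRIV]
# Pattern 1: pipe the line into `tee -a`, run through the privilege wrapper.
# FILE defaults to /etc/bluetooth/hosts; PRIV defaults to "sudo" and may be
# set to "" to exercise the function against a file you already own.
append_bt_host() {
    addr=$1 name=$2 file=${3:-/etc/bluetooth/hosts} priv=${4-sudo}
    is_bdaddr "$addr" || { echo "rejected address: $addr" >&2; return 1; }
    is_alias "$name"  || { echo "rejected alias: $name" >&2; return 1; }
    printf '%s %s\n' "$addr" "$name" | $priv tee -a "$file" >/dev/null
}

# append_bt_host_shc ADDR NAME [FILE] [PRIV]
# Pattern 2: the `sudo sh -c` form from the thread, but with the values passed
# as positional parameters ($1 $2 $3) to the inner shell instead of being
# interpolated into the single-quoted command string.
append_bt_host_shc() {
    addr=$1 name=$2 file=${3:-/etc/bluetooth/hosts} priv=${4-sudo}
    is_bdaddr "$addr" || { echo "rejected address: $addr" >&2; return 1; }
    is_alias "$name"  || { echo "rejected alias: $name" >&2; return 1; }
    $priv sh -c 'printf "%s %s\n" "$1" "$2" >> "$3"' sh "$addr" "$name" "$file"
}
```

Either function is called as `append_bt_host 00:1d:e9:e5:ad:01 phone`; the defaults then write to /etc/bluetooth/hosts through sudo, and a value that fails the format check is rejected before any privileged command runs.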



Re: Internet access over Bluetooth; a summary.

2009-04-27 Thread Otto Moerbeek
On Mon, Apr 27, 2009 at 10:18:19PM +0200, Thomas Pfaff wrote:

> > > I've no idea what the name servers are supposed to be, so I
> > > just started a local one and pointed /etc/resolv.conf at it;
> > 
> > not very nice, better find out what the actual nameservers are. I
> > believe ppp has some way to tell the client, see the ppp man page.
> 
> I'm probably missing something obvious here, but can someone
> enlighten me as to why running a local (recursive) name server
> is "not very nice"?

Caching only reduces load on the DNS system if the caches get used a
lot. Lots of caches that are virtually unused increase the load. 

Imagine every laptop owner would do this, and the resulting load of
root and other authorative namerservers.


-Otto



Re: vmware esxi 3.5u4: amd64 4.4 generic bsd.mp kernel panic

2009-04-27 Thread Erwin van Maanen
I've tried to include the panic and trace with the screenshots I
attached; I'm afraid I don't know another way to get the info across.
I can appreciate the devs not being able to look at the/each virtualization
issue; I was just hoping someone knew what was going on.

Before reading on: the system seems to work fine with the bsd.mp of the 4.5
snapshot of 26/4/2009 as Stuart Henderson suggested.

Now, to be of some use at least:

"tricked network card to flexible"
By default, VMware ESXi only makes the E1000 network card available to the
"Other 64-bit" guest OS (which is also recommended by VMware).
If you set it to Linux 32-bit or something along those lines, you can add a
"flexible" network card, which OpenBSD picks up on as a pcn/AMD PCnet-PCI
device.
After that, you can switch back to "Other 64-bit" and the network card will
stay as flexible.
With a bit of performance testing, I found this "network card" to perform
much better than the e1000 over a virtual switch in VMware with no actual
network card attached to it. (This was OpenBSD 4.4 unpatched.) I'd be happy
to test this out with 4.5-current as well.

The actual (relevant?) hardware in the server:
proc: AMD Phenom 9350e Quad-Core processor 4x2Ghz
mobo: Supermicro H8SMI-2 rev 2 (MCP55 Pro chipset, incl dual lan)
mem: 8GB ECC bank interleaving set
(still waiting on the raid card and the ipmi device)

That is not actually 2 physical sockets/processors on the board, but the
hardware chosen is in the supported list on the vmware site.
I will look into this a bit further, cheers!
 
Thanks for taking the time to answer :)

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
J.C. Roberts
Sent: maandag 27 april 2009 17:48
To: Erwin van Maanen
Cc: misc@openbsd.org
Subject: Re: vmware esxi 3.5u4: amd64 4.4 generic bsd.mp kernel panic

On Mon, 27 Apr 2009 16:16:57 +0200 "Erwin van Maanen"
 wrote:

> Running OpenBSD on a vmware esxi server, whenever i boot the amd64
> bsd.mp version i get stuck with kernel panic.
> 
> panic: fp_save ipi didn't
> 
>  
> 
> I've tried several things:
> 
> - amd64 bsd.mp, without network card(s): boots normal
> 
> - amd64 bsd.mp, with tricked network card to flexible (pcn device):
> same panic just right after the httpd loads
> 
> - i386 bsd.mp: no problems so far
> 
> - amd64 without mp: no problems
> 
>  
> 
> dmesg (of the normal bsd boot, not mp):
> 
> http://www.hutmeel.nl/panic/dmesg.txt
> 
>  
> 
> I've made a few screenshots of the panic message, trace, ps and show
> registers.
> 
> http://www.hutmeel.nl/panic/panic0-2.gif
> 
> http://www.hutmeel.nl/panic/panic0.gif
> 
> http://www.hutmeel.nl/panic/panic1.gif
> 
> http://www.hutmeel.nl/panic/panic2.gif
> 
> http://www.hutmeel.nl/panic/panic3.gif
> 
> http://www.hutmeel.nl/panic/panic4.gif
> 
>  
> 
> As you can see on the first screenshot, it looks like it happens as
> soon as ntpd starts.
> 
> Any help in the right direction would be greatly appreciated. (was
> searching the archives, but couldn't find a similar problem)
> 
>  
> 
> -- Erwin
> 


First of all, running OpenBSD on anything other than real hardware is
not supported. --The developers have better things to do than fight
with imaginary bugs on imaginary hardware (i.e. "virtualization"). If
you hit a bug running under virtualization, then the problem is the
responsibility of the vendor of said virtualization because they are
obviously failing to emulate hardware exactly.

Secondly, what part of the following message did you fail to understand?

"RUN AT LEAST 'trace' AND 'ps' AND INCLUDE THE OUTPUT WHEN
REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THIS
INFORMATION"


O.K. Now with stating the obvious above out of the way, I did get an ESX
license last week for the lab, but I'm still waiting on Dell to deliver
the T610 hardware. If you can explain what you mean by, "tricked network
card to flexible," it would help.

Also, even though we are off topic for m...@openbsd, it might help to
state the exact, *real* hardware you're using to run ESX. As I found
out the hard way, ESX is *very* picky and doesn't play well with most
real hardware.

Did you realize you are *supposed* to have two (2) populated processor
sockets (2 physical processors) in order to run *any* 64-bit operating
system as a guest on top of ESX? --I found this limitation buried deep
in the ESX docs, and hence the question about the real hardware you're
using to run ESX.

--
J.C. Roberts
 

__ Information from ESET NOD32 Antivirus, version of virus signature
database 4036 (20090427) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com
 
 




Dell D531 : Mem conflict + pcmcia not responding

2009-04-27 Thread Joel Snyder
Just finished an install on my Dell D531 laptop, and when I insert
cards (ral, wi) there is no effect; neither LEDs light up nor a change
in dmesg occurs.  According to dmesg, it at least appears that the
pcmcia adapter is detected without a nasty `not configured.'  Same
outcome when booted with a card already in.  At first I thought it
might be because of the two pci* memory address conflicts,
however I have been told this probably is not the cause of my
problem and directed toward -misc.  Below is my dmesg and the output
of pcidump -v.

Thank you,

Joel

/* Begin dmesg */
OpenBSD 4.5-current (GENERIC.MP) #76: Sat Apr 25 00:44:57 MDT 2009
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 3621478400 (3453MB)
avail mem = 3502350336 (3340MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf6de0 (58 entries)
bios0: vendor Dell Inc. version "A04" date 02/28/2008
bios0: Dell Inc. Latitude D531
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP HPET APIC ASF! MCFG TCPA SSDT SLIC
acpi0: wakeup devices PCI0(S5) PCIE(S4) USB1(S0) USB2(S0) USB3(S0)
USB4(S0) USB5(S0) EHCI(S0) AZAL(S3) RP01(S3) RP02(S3) RP03(S5)
RP04(S3) RP0 (S3) LID_(S3) PBTN(S4)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpihpet0 at acpi0: 14318180 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Turion(tm) 64 X2 Mobile Technology TL-64, 2194.88 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,
PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,
LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully
associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully
associative
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Turion(tm) 64 X2 Mobile Technology TL-64, 2194.50 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,
PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,
LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully
associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully
associative
ioapic0 at mainbus0 apid 2 pa 0xfec0, version 21, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
acpiprt0 at acpi0: bus 3 (PCIE)
acpiprt1 at acpi0: bus 1 (AGP_)
acpiprt2 at acpi0: bus -1 (RP01)
acpiprt3 at acpi0: bus 11 (RP02)
acpiprt4 at acpi0: bus 9 (RP03)
acpiprt5 at acpi0: bus -1 (RP04)
acpiprt6 at acpi0: bus -1 (RP05)
acpiprt7 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpitz0 at acpi0: critical temperature 95 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: PBTN
acpibtn2 at acpi0: SBTN
acpiac0 at acpi0: AC unit online
acpibat0 at acpi0: BAT0 model "DELL YD6238" serial 1378 type LION oem
"SMP"
acpibat1 at acpi0: BAT1 not present
acpidock at acpi0 not configured
acpivideo at acpi0 not configured
acpivideo at acpi0 not configured
cpu0: PowerNow! K8 2194 MHz: speeds: 2200 2000 1800 1600 800 MHz
pci0 at mainbus0 bus 0
mem address conflict 0xfec01000/0x400
extent `pciio' (0x0 - 0x), flags=0
 0x1f0 - 0x1f7
 0x3f4 - 0x3f7
 0x10c0 - 0x10cf
 0x6eb0 - 0x6ebb
 0x6ec0 - 0x6ecb
 0x6ee0 - 0x6eef
 0xbfa0 - 0xbfaf
 0xe000 - 0xefff
extent `pcimem' (0x0 - 0x), flags=0
 0x0 - 0x9
 0x10 - 0xefff
 0xf800 - 0xfbff
 0xfe60 - 0xfeaf
 0xfebfc000 - 0xfec0
 0xfee0 - 0xfee0
 0xffa8 - 0xffa800ff
 0xffb0 - 0xffb04fff
 0xfff0 - 0x
pchb0 at pci0 dev 0 function 0 "ATI RS690 Host" rev 0x00
ppb0 at pci0 dev 1 function 0 "ATI RS690 PCIE" rev 0x00
pci1 at ppb0 bus 1
mem address conflict 0xe000/0x1000
extent `ppb0 pciio' (0x0 - 0x), flags=0
 0x0 - 0xdfff
 0xee00 - 0xeeff
 0xf000 - 0x
extent `ppb0 pcimem' (0x0 - 0x), flags=0
 0x0 - 0xfe8f
 0xfe9f - 0x
vga1 at pci1 dev 5 function 0 vendor "ATI", unknown product 0x791f rev
0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 5 function 0 "ATI RS690 PCIE" rev 0x00
pci2 at ppb1 bus 11
extent `ppb1 pcimem' (0x0 - 0x), flags=0
 0x0 - 0xfe7f
 0xfe8fc000 - 0x
"Broadcom BCM4315" rev 0x01 at pci2 dev 0 function 0 not configured
ppb2 at pci0 dev 6 function 0 "ATI RS690 PCIE" rev 0x00
pci3 at ppb2 bus 9
extent `ppb2 pcimem' (0x0 - 0x), flags=0
 0x0 - 0xfe6f
 0xfe7f - 0x
bge0 at pci3 dev 0 function 0 "Broadcom BCM5755M" rev 0x02, BCM5755 A2
(0xa002): apic 2 int 18 (irq 9), address 00:

Re: OpenBSD on Sun Netra X1

2009-04-27 Thread Jussi Peltola
Many (probably 50%) of RJ11 4-wire telephone cables were crimped wrong
by the factory and are in fact  roll over cables (RJ11 fits in RJ45,
but you need 4 wires, 2 won't work).

Saved me from some hair loss one Sunday far away from everything.

-- 
Jussi Peltola



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Daniel Ouellet

Henning Brauer wrote:
> * Daniel Ouellet  [2009-04-28 02:49]:
>> shut up! All are real and I even learn from Henning about the loss of
>> queue here as well, which I haven't thought of then. So, loss of queue
>> means also loss of AltQ too.
>
> no, this is not related to altq at all.


Thanks for the correction here Henning. I was wrong.

I assumed AltQ was working with the queue, so no queue would mean
losing AltQ capability. Hmm. Looks like something I misunderstood
and I will go back looking at it.


Thanks for the tip.

Daniel



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Henning Brauer
* Daniel Ouellet  [2009-04-28 02:49]:
> shut up! All are real and I even learn from Henning about the loss of
> queue here as well, which I haven't thought of then. So, loss of queue
> means also loss of AltQ too.

no, this is not related to altq at all.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Daniel Ouellet

Felipe Alfaro Solana wrote:
> On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst  wrote:
>
>> On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
>>  wrote:
>>
>>> Again, not a single or valid technical argument on why a bridging
>>> firewall is a bad idea. Just a moot and offensive responsive, and a very
>>> strong assessment from someone that doesn't know me at all. It's also
>>> very sad to see so many impolite answers in this list. Perhaps saying "are
>>> apparently black magic" would be more appropriate.
>>
>> http://marc.info/?l=openbsd-misc&m=124082008204226&w=2
>>
>> You can either read the code or listen to somebody who has.  I don't
>> know you either, but I know Henning and I know the bridge code, and
>> the short version is he's right.
>
> And again, I think you mean that running a bridge under OpenBSD is perhaps
> not the fastest or brightest solution. And I trust you, But again, I have
> yet to hear a single technical argument on why running, for example, Snort
> inline on other platforms is a bad idea and makes one stupid.


In some previous comments, you said no hard facts were provided. Just do
your own tests instead of asking others to do it for you. Plenty of
reasons were provided. You refuse them, or to see it for yourself, then
shut up! All are real and I even learned from Henning about the loss of
queue here as well, which I hadn't thought of then. So, loss of queue
means also loss of AltQ too. Many benefits are lost; you refuse to see the
writing on the wall in front of your nose. Shame on you to even argue
and not test to your own satisfaction, but hide behind others' writing
and URLs.


Also, you want reasons for a tap as opposed to an inline IDS as an example, then
maybe you can listen to this nice talk that was done just a few weeks ago:


http://www.youtube.com/watch?v=UM4ZrsOjmNQ&feature=channel_page

It's somewhere in there, where it has no impact on the normal traffic
and allows you to keep your job. It's very obvious that putting an IDS
inline for him would have been a way to be shown the door by some of his
superiors. And by the way, the Lego references he has in there are about
Henning's talk just before his, and he liked it as well! Maybe listening
to that as well might show you that he has a pretty good idea of how
that part of the system might work! (;>


And for your "Just a moot and offensive responsive...", maybe, just
maybe, could it be that people are getting frustrated explaining to you the
obvious after some more details were provided? Just maybe.


You just reminded me of the guy behind the counter at your neighborhood
grocery store that takes pleasure in making a little kid feel stupid each
time his mom sends him there to buy things for her. Every time he is
there, the BIG man always asked the kid to justify why he needs that
with lots of questions, making him feel stupid.


Then, one day that same little guy (Puffy) got fed up and went to the
store with a brown bag in his hand. He looked at the BIG man behind the
counter and simply asked him, very politely.


Sure, could you put your hand in the bag please?

The BIG guy, surprised, asked why and tried to play his game again, but
little Puffy just said, "put your hand in the bag please?"


The BIG man did; then his face changed, his hand felt warm and smooth.

Then, the little guy asked with a BIG smile on his face... (:]. Now,
sure, can I get toilet paper please?


Except that in your case it looks like you get pleasure rubbing your hand
in the brown bag.


So, stop trying to paint yourself as the big guy and all of us as the
little kid. You never know when that little kid will take you at your
own words! (;>


All this to say, if you don't understand the technical reasons provided
to you and you don't want to do your own tests after the explanations
were provided to get the hard figures you keep asking for, then stop
playing with the brown bag.


It stinks really, and that's all you are doing, moving that fecal content
all over the place, again and again.


If all that was said doesn't give you pause and things to think about, nothing
anyone would or could put here, say, provide or add will do.


So, drop it and let's move on.

Best regards to you.

Daniel



Re: installing i386 filesets with a amd64 cd.... possible?

2009-04-27 Thread Henning Brauer
* Mike Swanson  [2009-04-27 23:34]:
> unix3 wrote:
>> Hi, I want to know if there would be any incompatibility if I use the amd64
>> install cd to call a http server with the i386 filesets and install them..
>> is this safe?
> No, you should use the same architecture's CD rather than a completely
> different one.  Even if you managed to get this to work somehow, you
> wouldn't be able to use the amd64 installer without the processor
> supporting amd64 instructions; at that point, why are you bothering to
> install i386 when you clearly have the option to use the superior arch?

hah. I install i386 code on amd64 hardware all the time. it is
considerably faster for much of the stuff I am doing (larger data
structures -> memory pressure. at least, that's the theory. unlikely to
matter for webbrowsing or your generic mailserver)

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Henning Brauer
* Felipe Alfaro Solana  [2009-04-28 02:08]:
> > > And again, I think you mean that running a bridge under OpenBSD is
> > perhaps
> > > not the fastest or brightest solution. And I trust you, But again, I have
> > > yet to hear a single technical argument on why running, for example,
> > Snort
> > > inline on other platforms is a bad idea and makes one stupid.
> >
> > You are free to read:
> >
> > http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c
> 
> 
> Is it something in the "on other platforms" sentence that you don't
> understand? The link you provide is for OpenBSD code. And it's now clear to
> me that bridging in OpenBSD consumes a lot of resources and developers
> dislike it. So I don't get your point.

"you don't get the point" seems to be the key issue here.
i told you before it is not an OpenBSD problem.
it is implemented the way it is because you kind of have to do it this
way, or similar.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: filesystem compatibility with FreeBSD

2009-04-27 Thread Ted Unangst
On Mon, Apr 27, 2009 at 7:55 PM, Chuck Robey  wrote:
> Repeating, OpenBSD is getting put on the 80 EIDE drive, 500G is already up and
> running for FreeBSD, and the remaining 100G on the Raid1 will be formatted just
> as soon as I figure out what filesystem type to use if the ONLY goal is maximum
> portability with FreeBSD.  Please, don't bother telling me that such and such
> filesystem is more efficient, that won't affect things here.

FFS should work.  It used to, but things tend to drift apart.  They
may drift back too, especially with FFS2.



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Ted Unangst
On Mon, Apr 27, 2009 at 5:20 PM, Felipe Alfaro Solana
 wrote:
> And again, I think you mean that running a bridge under OpenBSD is perhaps
> not the fastest or brightest solution. And I trust you, But again, I have
> yet to hear a single technical argument on why running, for example, Snort
> inline on other platforms is a bad idea and makes one stupid.

I don't know, I don't care.  This is an openbsd list used to discuss
running software on openbsd.



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Felipe Alfaro Solana
On Tue, Apr 28, 2009 at 1:29 AM, Fred Crowson
wrote:

> On 4/27/09, Felipe Alfaro Solana  wrote:
> > On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst 
> wrote:
> >
> >> On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
> >>  wrote:
> >> > Again, not a single or valid technical argument on why a bridging
> >> firewall
> >> > is a bad idea. Just a moot and offensive responsive, and a very
> >> > strong assessment from someone that doesn't know me at all. It's also
> >> very
> >> > sad to see so many impolite answers in this list. Perhaps saying "are
> >> > apparently black magic" would be more appropriate.
> >>
> >> http://marc.info/?l=openbsd-misc&m=124082008204226&w=2
> >>
> >> You can either read the code or listen to somebody who has.  I don't
> >> know you either, but I know Henning and I know the bridge code, and
> >> the short version is he's right.
> >>
> >
> > And again, I think you mean that running a bridge under OpenBSD is
> perhaps
> > not the fastest or brightest solution. And I trust you, But again, I have
> > yet to hear a single technical argument on why running, for example,
> Snort
> > inline on other platforms is a bad idea and makes one stupid.
>
> You are free to read:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c


Is it something in the "on other platforms" sentence that you don't
understand? The link you provide is for OpenBSD code. And it's now clear to
me that bridging in OpenBSD consumes a lot of resources and developers
dislike it. So I don't get your point.



-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Felipe Alfaro Solana
On Tue, Apr 28, 2009 at 1:16 AM, Robert  wrote:

> On Mon, 27 Apr 2009 23:20:07 +0200
> Felipe Alfaro Solana  wrote:
>
> > And again, I think you mean that running a bridge under OpenBSD is
> > perhaps not the fastest or brightest solution. And I trust you, But
> > again, I have yet to hear a single technical argument on why running,
> > for example, Snort inline on other platforms is a bad idea and makes
> > one stupid.
>
> (Looks like we aren't out of trollfood, yet. ;)


Are you calling me a troll? :)


> You want an example why it is bad to put sensors inline?
> One word: Downtime.


The same holds true for a firewall. If you have a firewall between your DMZ
and your internal network and it goes down, unless you are using a HA
solution (like one using CARP), then you are screwed anyways.


> If your bridge breaks the network, you can be happy if the insurance
> covers it the first time it happens.
> Contracts and lawyers will get involved and that isn't fun.
> And even if you don't end up having to pay anything, the hair and years
> of life expectancy lost isn't worth it.
>
> Why risk it, when a tap is so much better?


A tap is not a firewall. You can't use the tap to filter traffic you don't
want.


>
> (Exeptions proof the rule of sumthin :)
>
> - Robert
>



-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: OpenBSD on Sun Netra X1

2009-04-27 Thread Daniel Ouellet

Christopher Intemann wrote:
> Thank you very much, your guide will be very helpful to me.

You're welcome.

> Maybe you should blog it somewhere?

The archive is there for that, plus to be a decent blog, I believe it should
be written in better English! (;>

So, I think it will stay where it is.

Unless you make it nicer, update it better when you do the final setup,
then maybe I might put it at openbsdsupport.org, maybe.

> I'm just only getting a bit confused about the serial ports of the Netra
> box.
> Where do I get the appropriate cables to either connect this port to an
> ordinary RS/232 port, or to another Netra X1?

Get a plug converter from 9 pins to RJ-45. If you don't have one, you
must have a friend that may well have plenty of Cisco adapters or cables
lying around unused. Or just make one.


Example for one:

http://www.diablocable.com/cisco-compatible-console-cable-db9-female-to-rj45-male-baby-blue-6-ft-72-3383-01-p29944.html

But really, don't even buy one. I am sure you can make one or that you 
already have all you need around and you may not know it.


As for connecting two Sun together, it's called a roll over cable, also 
very simple.


See here for an example of what it looks like:

http://www.alliancedatacom.com/manufacturers/cisco-systems/connector_cables/cable_pinouts.asp

Look for "Figure C-1: Identifying a Roll-Over Cable". Couldn't be 
simpler could it? (;>


Really, cables are the least of your problems. (;>

Best,

Daniel



filesystem compatibility with FreeBSD

2009-04-27 Thread Chuck Robey

I'm installing OpenBSD on this machine, on an 80 EIDE disk that's there
specifically to run OpenBSD development.  I already have a 600G 3Ware hardware
raid on the disk, 500G of which has FreeBSD, using the TW driver (this raid
isn't supported by FreeBSD on boot, and I *think* this is true of OpenBSD also).

I can investigate a bit more, and figure out the name of the OpenBSD driver for
this 3Ware 9650 Raid controller, but I have (as I said above) 500 G of this 600G
raid devoted to FreeBSD.  The extra 100G, I want to use to shuttle things
between OpenBSD and FreeBSD.  My only problem is that I don't know what
filesystem I should use for the easiest portability between the 2 OSes.

Repeating, OpenBSD is getting put on the 80 EIDE drive, 500G is already up and
running for FreeBSD, and the remaining 100G on the Raid1 will be formatted just
as soon as I figure out what filesystem type to use if the ONLY goal is maximum
portability with FreeBSD.  Please, don't bother telling me that such and such
filesystem is more efficient, that won't affect things here.

Please, could you comment on this?



Re: installing i386 filesets with a amd64 cd.... possible?

2009-04-27 Thread Nick Holland
Kenneth R Westerback wrote:
> On Mon, Apr 27, 2009 at 12:16:55PM -0400, unix3 wrote:
>> Hi, I want to know if there would be any incompatibility if I use the amd64
>> install cd to call a http server with the i386 filesets and install them..
>> is this safe?
>> 
>> Thanks
> 
> Since the install process involves running some of the code that is 
> installed, the amd64 install media will encounter problems running the
> i386 executables that you ask it to install.
> 
>  Ken

HOWEVER...it can be used as a step in the process:
* Do a minimal install OpenBSD/amd64
* boot OpenBSD/amd64
* ftp down the desired (i386) bsd.rd, place in root directory
* At the boot> prompt, specify your i386 bsd.rd (the amd64 and
i386 boot loaders will boot each other's kernel)
* complete your install.

that's all assuming you have an amd64 compatible system.  If
you don't...you won't get amd64 booted.

OpenBSD/i386 and OpenBSD/amd64 are two different platforms.
HOWEVER, their boot loaders are compatible (which can be
handy)

There are lots of questions, though...how'd you end up with an
amd64 disk and no i386 disk...considering how fast it is to do
an install, why didn't you just TRY it and find out...etc. I've
spent longer answering than it would take to test your question...

Nick.



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Fred Crowson
On 4/27/09, Felipe Alfaro Solana  wrote:
> On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst  wrote:
>
>> On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
>>  wrote:
>> > Again, not a single or valid technical argument on why a bridging
>> firewall
>> > is a bad idea. Just a moot and offensive responsive, and a very
>> > strong assessment from someone that doesn't know me at all. It's also
>> very
>> > sad to see so many impolite answers in this list. Perhaps saying "are
>> > apparently black magic" would be more appropriate.
>>
>> http://marc.info/?l=openbsd-misc&m=124082008204226&w=2
>>
>> You can either read the code or listen to somebody who has.  I don't
>> know you either, but I know Henning and I know the bridge code, and
>> the short version is he's right.
>>
>
> And again, I think you mean that running a bridge under OpenBSD is perhaps
> not the fastest or brightest solution. And I trust you, But again, I have
> yet to hear a single technical argument on why running, for example, Snort
> inline on other platforms is a bad idea and makes one stupid.

You are free to read:

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_bridge.c



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Robert
On Mon, 27 Apr 2009 23:20:07 +0200
Felipe Alfaro Solana  wrote:

> And again, I think you mean that running a bridge under OpenBSD is
> perhaps not the fastest or brightest solution. And I trust you, But
> again, I have yet to hear a single technical argument on why running,
> for example, Snort inline on other platforms is a bad idea and makes
> one stupid.

(Looks like we aren't out of trollfood, yet. ;)

You want an example why it is bad to put sensors inline?
One word: Downtime.

If your bridge breaks the network, you can be happy if the insurance
covers it the first time it happens.
Contracts and lawyers will get involved and that isn't fun.
And even if you don't end up having to pay anything, the hair and years
of life expectancy lost isn't worth it.

Why risk it, when a tap is so much better?
(Exeptions proof the rule of sumthin :)

- Robert



Howl - ZeroConf

2009-04-27 Thread Michael R. Littlejohn
Has anyone been successful in implementing Howl?
If so please point me to any reference material that
will help.  I currently am running OpenBSD 4.4 on
a Sony Vaio PCV-RS220(UC).

My current dmesg:
OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.53GHz ("GenuineIntel" 686-class) 2.55 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem  = 1064898560 (1015MB)
avail mem = 1021267968 (973MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/08/03, BIOS32 rev. 0 @ 0xf1040, 
SMBIOS rev. 2.3 @ 0xf2fb0 (41 entries)
bios0: vendor Award Software, Inc. version "ACPI BIOS Revision 1001" date 
01/08/2003
bios0: Sony Corporation PCV-RS220(UC)
apm0 at bios0: Power Management spec V1.2 (BIOS management disabled)
apm0: APM power management enable: unrecognized device ID (9)
apm0: APM engage (device 1): power management disabled (1)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0x1692
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf15e0/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xb200!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82845G Host" rev 0x01
vga1 at pci0 dev 2 function 0 "Intel 82845G Video" rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: aperture at 0xf000, size 0x800
drm at vga1 unsupported
uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" rev 0x01: irq 11
uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" rev 0x01: irq 5
uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x01: irq 3
ehci0 at pci0 dev 29 function 7 "Intel 82801DB USB" rev 0x01: irq 9
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x81
pci1 at ppb0 bus 1
rl0 at pci1 dev 13 function 0 "Realtek 8139" rev 0x10: irq 9, address 
00:0c:6e:27:2d:ad
rlphy0 at rl0 phy 0: RTL internal PHY
"NEC Firewire" rev 0x01 at pci1 dev 14 function 0 not configured
ichpcib0 at pci0 dev 31 function 0 "Intel 82801DB LPC" rev 0x01: 24-bit timer 
at 3579545Hz
pciide0 at pci0 dev 31 function 1 "Intel 82801DB IDE" rev 0x01: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA, 114473MB, 234441648 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0:  ATAPI 5/cdrom 
removable
atapiscsi1 at pciide0 channel 1 drive 1
scsibus1 at atapiscsi1: 2 targets, initiator 7
cd1 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
cd1(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
auich0 at pci0 dev 31 function 5 "Intel 82801DB AC97" rev 0x01: irq 10, ICH4 
AC97
ac97: codec id 0x414c4720 (Avance Logic ALC650)
ac97: codec features 20 bit DAC, 18 bit ADC, Realtek 3D
audio0 at auich0
"Intel 82801DB Modem" rev 0x01 at pci0 dev 31 function 6 not configured
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: 
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask eb6d netmask eb6d ttymask fbff
mtrr: Pentium Pro MTRR support
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
auich0: measured ac97 link rate at 48003 Hz, will use 48000 Hz
uhub4 at uhub0 port 3 "Genesys Logic USB2.0 Hub" rev 2.00/7.02 addr 2
umass0 at uhub4 port 1 configuration 1 interface 0 "SanDisk ImageMate 14 in 1 
Reader/Writer" rev 2.00/93.21 addr 3
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd0 at scsibus2 targ 1 lun 0:  SCSI0 0/direct 
removable
sd0: drive offline
sd1 at scsibus2 targ 1 lun 1:  SCSI0 0/direct 
removable
sd1: drive offline
sd2 at scsibus2 targ 1 lun 2:  SCSI0 0/direct 
removable
sd2: 968MB, 123 cyl, 255 head, 63 sec, 512 bytes/sec, 1984000 sec to

Re: Recipient Validation & Design Opinions

2009-04-27 Thread Bob Beck
> If you are able to weed out illegitimate recipients, this may go a long
> way to reduce spam, or at least it did for us. Looking the email
> address up in LDAP is *much* cheaper than doing a call-out to the
> backend server(s). Greylisting helps us, too, but seems to "cost" mail
> from broken servers (there are imho more than enough of these out
> there).
> 

We do exactly this, on our spamd machines. It helps
immensely. Basically we check every recipient in the greylist. If they
don't pass this routine below the sending address gets trapped for
24 hours.  This is very very very effective if you have userbase churn.
spammers use dirty lists, so one bogus user can stop a lot of spam
if you trap the source of it for a little while. 

---
use strict;
use warnings;
use Sys::Syslog qw(:standard);
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Script-wide state shared with the rest of the greylist checker
# (assumed to be filled in elsewhere in the script): result caches,
# bad-recipient patterns, optional external checker and the LDAP handle.
our (%BADDEST, %GOODDEST, @BADRERCPT, $EXTERNAL_ADDRESS_CHECKER, $ldap);

# This routine tells us if a single destination rcpt is bogus
sub badrcpt {
    my $rcpt = shift;

    if ($BADDEST{"$rcpt"}) {
        return(1);
    }
    if ($GOODDEST{"$rcpt"}) {
        return(0);
    }
    # 1) check against the BADRERCPT...
    foreach my $re (@BADRERCPT) {
        if ($rcpt =~ /$re/i) {
            # match. trap the host.
            $BADDEST{"$rcpt"} = 1;
            return(1);
        }
    }

    if (defined $EXTERNAL_ADDRESS_CHECKER && -x $EXTERNAL_ADDRESS_CHECKER) {
        if (system("$EXTERNAL_ADDRESS_CHECKER", "$rcpt") != 0) {
            # address checker says $rcpt is bad - trap the host
            $BADDEST{"$rcpt"} = 1;
            return(1);
        }
    }

    my $server = 'ldap2.srv.ualberta.ca';
    my $port = 389;
    my $msg;

    my @email = split('@', $rcpt);

    #   Does the email address make sense?

    if ($#email != 1) {
        syslog('info', join('@', @email) . ": invalid email address\n");
        $BADDEST{"$rcpt"} = 1;
        return(1);
    }
    # check validity of domain part - it must be as follows
    # (dots are escaped so that the patterns match only the literal domains)

    if ($email[1] =~ /^mailman\.srv\.ualberta\.ca$/) {
        return(0); #mailman is always valid for now
    }

    if  (($email[1] !~ /^ualberta\.ca$/i)
      && ($email[1] !~ /^gpu\.srv\.ualberta\.ca$/i)
      && ($email[1] !~ /^smtp\.srv\.ualberta\.ca$/i)
      && ($email[1] !~ /^mailhub\.srv\.ualberta\.ca$/i)
      && ($email[1] !~ /^maildrop\.srv\.ualberta\.ca$/i)) {
        syslog('info', join('@', @email) . ": invalid domain part of address");
        $BADDEST{"$rcpt"} = 1;
        return(1);
    }

    #   Establish a connection to the LDAP server.

    if (!$ldap) {
        if (! ($ldap = Net::LDAP->new($server, port => $port))) {
            syslog('info', "can't connect to LDAP server");
            return(0);
        }
        #   Anonymous bind ...

        $msg = $ldap->bind;
        if ($msg->code) {
            syslog('info', 'bind: ' . $msg->error);
            $ldap->unbind; $ldap->disconnect;
            $ldap = undef;
            return(0);
        }
    }
    #   See if email address exists in LDAP.
    # Escape the recipient before splicing it into the filter so that
    # '*', '(' or ')' in a local part cannot change the query's meaning.
    # (The "maillocaladdress=local@domain" term was garbled by the list
    # archive's address obfuscation and is reconstructed here.)
    my $local  = escape_filter_value($email[0]);
    my $domain = escape_filter_value($email[1]);

    $msg = $ldap->search(base => 'ou=people,dc=ualberta,dc=ca', scope => 'one',
        filter => "(|(maillocaladdress=$local\@$domain)(uid=$local))",
        attrs => [ 'uid' ]);

    if ($msg->code) {
        syslog('info', 'search: ' . $msg->error);
        $ldap->unbind; $ldap->disconnect;
        $ldap = undef;
        return(0);
    }

    #   Process result.

    if (scalar($msg->entries) == 1) {
        # we found an entry. print it out and return success.
        #foreach my $e ($msg->entries) {
        #    $e->dump;
        #}
        #syslog('debug', "Valid email address: $rcpt");
        $GOODDEST{"$rcpt"} = 1;
        return(0);
    }
    # Otherwise, we did NOT find one, so we exit indicating failure.
    syslog('debug', "No such email address: $rcpt\n");
    $BADDEST{"$rcpt"} = 1;
    return(1);
}
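The same recipient check, as an added Python example rather than Bob's spamd code: deny/allow caches, bad-recipient patterns, a domain allowlist, then a directory lookup. The "directory" is a constructed in-memory stand-in for the LDAP server that evaluates the filter string the way a server would (a raw `*` is a substring wildcard), which is what makes RFC 4515 escaping of the local part necessary before it is spliced into the filter; the names and sample users are invented.

```python
"""Recipient validation in the shape of the spamd badrcpt routine.
Added example; DIRECTORY, ALLOWED_DOMAINS and the patterns are constructed."""
import re

# Constructed sample data: two users and the domains the relay accepts.
DIRECTORY = [
    {"uid": "alice", "maillocaladdress": "alice@example.edu"},
    {"uid": "bob", "maillocaladdress": "robert.b@example.edu"},
]
ALLOWED_DOMAINS = {"example.edu", "smtp.example.edu"}
BAD_RCPT_PATTERNS = [re.compile(p, re.I) for p in (r"^root@", r"^webmaster\d+@")]


def ldap_escape(value):
    """RFC 4515 filter-value escaping: '*', '(', ')', '\\' and NUL become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _value_matches(assertion, actual):
    # A raw '*' is a wildcard; an escaped one (\2a) is a literal asterisk.
    parts = [re.escape(_unescape(p)) for p in assertion.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.I) is not None


def _parse(filt, i):
    """Tiny parser for the subset used here: (attr=value) and (|(...)(...))."""
    if filt[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if filt[i] == "|":
        i += 1
        parts = []
        while filt[i] == "(":
            node, i = _parse(filt, i)
            parts.append(node)
        if filt[i] != ")":
            raise ValueError("unbalanced filter")
        return ("or", parts), i + 1
    eq = filt.index("=", i)
    close = filt.index(")", eq)
    return ("eq", filt[i:eq], filt[eq + 1:close]), close + 1


def _eval(node, entry):
    if node[0] == "or":
        return any(_eval(n, entry) for n in node[1])
    _, attr, assertion = node
    return attr in entry and _value_matches(assertion, entry[attr])


def ldap_search(filt):
    """Return the directory entries matching an LDAP filter string."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing data in filter")
    return [e for e in DIRECTORY if _eval(node, e)]


class RecipientValidator:
    def __init__(self, escape=True):
        self.escape = escape          # False only to show why escaping matters
        self.good, self.bad = set(), set()
        self.lookups = 0              # directory round trips actually made

    def bad_rcpt(self, rcpt):
        """True if rcpt is bogus; the greylister then traps the sender."""
        if rcpt in self.bad:
            return True
        if rcpt in self.good:
            return False
        if any(p.search(rcpt) for p in BAD_RCPT_PATTERNS):
            self.bad.add(rcpt)
            return True
        parts = rcpt.split("@")
        if len(parts) != 2 or parts[1].lower() not in ALLOWED_DOMAINS:
            self.bad.add(rcpt)
            return True
        local = ldap_escape(parts[0]) if self.escape else parts[0]
        domain = ldap_escape(parts[1]) if self.escape else parts[1]
        self.lookups += 1
        hits = ldap_search("(|(maillocaladdress=%s@%s)(uid=%s))"
                           % (local, domain, local))
        if len(hits) == 1:            # exactly one entry, as in the original
            self.good.add(rcpt)
            return False
        self.bad.add(rcpt)
        return True
```

With `escape=False` a local part such as `ali*` matches the user `alice` and is accepted as valid; with escaping it is rejected as unknown.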



Re: soekris 5501, ral(4) and 4.5-current

2009-04-27 Thread Alexander Hall
I'll second this; from a gw of mine:

$ sudo crontab -l | grep ral0
# Down and up ral0 on failure
*   *   *   *   *   ifconfig ral0 | grep -q OACTIVE && { ifconfig ral0; echo "\n *\n"; ifconfig ral0 down; sleep 1; ifconfig ral0 up; ifconfig ral0; }

/Alexander

Stuart Henderson wrote:
> try ifconfig ral0 down; ifconfig ral0 up.
> 
> that's a different thing and I suspect is a problem either in the driver
> or net80211. I have seen this on ral occasionally and have now seen something
> similar or the same on an acx which used to be stable; the only change at
> all with the acx was moving it to an environment with more other wireless
> devices around.
> 
> unfortunately the places where I can actually get any diagnostic output
> are not places where this problem occurs...
> 
> 
> On 2009/04/27 11:46, Chris Jones wrote:
>>
>> Stuart Henderson wrote:
>>> On 2009-04-26, Tom  wrote:
 On 2009-04-26. Stuart Henderson wrote:
 On 2009-04-25, Tom wrote:
>>I have a ral(4) acting as a hostap. The problems began since
>> ugrading from Feb 28th snapshot to April 10th (and higher). I have a
>> Soekris 5501. I bought 2 different ral(4) PCI cards, one is a RT2661
>> and the other is a RT2860 (Planex GW-DS3300N). The RT2661 actually
>> lasts longer than the RT2860. When I have the RT2860 in the box, it
>> doesn't matter whether I use no encryption, WEP, WPA1 or WPA2. The box
>> locks up without any kind of drop into ddb. When the RT2661 is in the
>> machine, it will stay up a day, maybe two tops before it locks solid.
> try a different psu, especially if you have the lower-power of the ones
> that soekris sell.
 Hi,

   I got the higher psu of the ones soekris sell. It's 12V, 3A. That
 should be enough
 for the 2.5" laptop disk plus the PCI card I run, right?
>>> usually, yes, but there have been so many reported strange problems
>>> with soekris boxes that went away after switching PSU, it's a good thing
>>> to check early on.
>>>
>>> I'll try moving my alix with RT2860 to -current to see if I can
>>> replicate though..
>>>
>> I picked up a 12V, 3A PSU for my net4501 and it didn't fix the issue I
>> am having running my ral(4) card in hostap mode on 4.4-stable.
>>
>> ral0 at pci0 dev 17 function 0 "Ralink RT2860" rev 0x00: irq 11, address
>> 00:0e:8e:20:84:94
>> ral0: MAC/BBP RT2860 (rev 0x0102), RF RT2850 (2T3R)
>>
>> I'm having a different issue where the clients are connecting
>> momentarily and then disconnecting.
>>
>> When I have a moment I'm going to throw this card in a spare desktop I
>> have to rule out an issue with the hardware or driver under 4.4-stable.
>> I'll update the list when I test this.
>>
>> Cheers,
>> -C



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread bofh
On Mon, Apr 27, 2009 at 3:02 PM, openbsd misc  wrote:
>> You can either read the code or listen to somebody who has.  I don't
>> know you either, but I know Henning and I know the bridge code, and
>> the short version is he's right.
>>
>>
> Has anyone noticed
>
>  That if you substitute BIble for code , in the section quoted above-
> its like listening to someone who believes in a technical
> high-priesthood - all blessed with the doctrine of technical
> infallibility
> which is great if you like dogma and blind faith. For  Me the
> occasional rational explanation for why not to do something with a
> little concrete technical backup to support the assertion, is usually
> more useful.

Explanations have been given.  By the people writing the code.  What
more do you need?  In your analogy, it would be like Jesus telling you
something, and you disagree.  Feel free to disagree with Jesus or the
Bible, but keep in mind, the Bible != Jesus in this analogy.  If
Jesus|coders did exist, and I can see the results of his/her work
(water into wine, design into code), then I would be inclined to
believe in Jesus|coder.

The Bible on the other hand...


--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Felipe Alfaro Solana
On Mon, Apr 27, 2009 at 8:11 PM, Ted Unangst  wrote:

> On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
>  wrote:
> > Again, not a single or valid technical argument on why a bridging
> firewall
> > is a bad idea. Just a moot and offensive responsive, and a very
> > strong assessment from someone that doesn't know me at all. It's also
> very
> > sad to see so many impolite answers in this list. Perhaps saying "are
> > apparently black magic" would be more appropriate.
>
> http://marc.info/?l=openbsd-misc&m=124082008204226&w=2
>
> You can either read the code or listen to somebody who has.  I don't
> know you either, but I know Henning and I know the bridge code, and
> the short version is he's right.
>

And again, I think you mean that running a bridge under OpenBSD is perhaps
not the fastest or brightest solution. And I trust you, but again, I have
yet to hear a single technical argument on why running, for example, Snort
inline on other platforms is a bad idea and makes one stupid.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: problem with some graphical apps in 4.5 on some machines

2009-04-27 Thread jmc
--- Rene Maroufi [Mon, Apr 27, 2009 at 10:51:43PM +0200]: --- 
> Hi,
> 
> I updated 3 machines from 4.4 to 4.5. On 2 of these machines I have a
> very strange problem: Some graphical apps can't display graphical icons
> or any image. For example:
> 
> Pidgin: Shows no icons (red cross instead of the icons).
> Audacious: Unusable, shows no application window
> GQview: Unusable as an image viewer, shows no images
> xpad: missing icons (red cross instead of the icons)
> 
> Other apps work with all icons:
> Abiword, Inkscape, OpenOffice.org and Gimp (but image preview doesn't
> work).
> 
> I use icewm as window manager.
> 
> I reinstalled the apps and some dependencies (with pkg_add -r -F update
> -F installed) like gtk+2, glitz, cairo, png and jpeg, but nothing
> changes.

not sure if this is directly related, but did you clean out
/usr/X11R6/lib/modules as per http://www.openbsd.org/faq/upgrade45.html

?



Re: RIT's mirror

2009-04-27 Thread Bob Beck
* Stuart Henderson  [2009-04-26 05:05]:
> On 2009-04-25,   wrote:
> > The RIT mirror is providing 4.2 sets from it's snapshots directory.
> > Should they still be listed?
> 
> snapshots aren't compulsory for a mirror, and they are providing
> the required last two releases. that said, given that there is
> another mirror at the same site I probably would normally consider
> removing it, but in this case I think there's a good reason to
> keep it: it's reachable by AFS.

No, but providing old shit as snapshots is bad. 

remove it until they either remove the snapshots directory, 
or fix it to be current. 

-Bob



problem with some graphical apps in 4.5 on some machines

2009-04-27 Thread Rene Maroufi
Hi,

I updated 3 machines from 4.4 to 4.5. On 2 of these machines I have a
very strange problem: Some graphical apps can't display graphical icons
or any image. For example:

Pidgin: Shows no icons (red cross instead of the icons).
Audacious: Unusable, shows no application window
GQview: Unusable as an image viewer, shows no images
xpad: missing icons (red cross instead of the icons)

Other apps work with all icons:
Abiword, Inkscape, OpenOffice.org and Gimp (but image preview doesn't
work).

I use icewm as window manager.

I reinstalled the apps and some dependencies (with pkg_add -r -F update
-F installed) like gtk+2, glitz, cairo, png and jpeg, but nothing
changes.

One of my machines has the same applications installed but they work
normally! The 2 not working machines have Intel graphic cards, the other an
Ati Radeon. I tried the vesa driver for x11 on one of the Intel machines
but nothing changed (however one of the Intel machines needs the Option
"AccelMethod" "XAA" workaround in xorg.conf).

If I start audacious from an xterm I have many messages like this:
(audacious:12838): GdkPixbuf-CRITICAL **: gdk_pixbuf_get_width:
assertion `GDK_IS_PIXBUF (pixbuf)' failed

(audacious:12838): GdkPixbuf-CRITICAL **: gdk_pixbuf_get_height:
assertion `GDK_IS_PIXBUF (pixbuf)' failed

The application package itself can't be damaged, because the same
packages work on the third machine.

dmesg of one of the two machines (the other is a Asus Eee PC 701):

OpenBSD 4.5 (GENERIC) #1: Mon Apr 20 20:24:12 CEST 2009
r...@freya.maroufi:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.00GHz ("GenuineIntel" 686-class) 2 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM
real mem  = 1063809024 (1014MB)
avail mem = 1020354560 (973MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/24/02, BIOS32 rev. 0 @ 0xfd760, SMBIOS 
rev. 2.31 @ 0xf0420 (76 entries)
bios0: vendor FUJITSU SIEMENS // Phoenix Technologies Ltd. version "4.06  Rev. 
1.04.1387" date 09/24/2002
bios0: FUJITSU SIEMENS SCENIC L
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC BOOT
acpi0: wakeup devices PCI0(S4) AGPB(S4) PCIH(S4) USB1(S4) USB2(S4) USB3(S4) 
USB4(S4) AC97(S4) MC97(S4) KEYB(S4) PS2M(S4) COM1(S1) COM2(S1)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 99MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (AGPB)
acpiprt2 at acpi0: bus 2 (PCIH)
acpicpu0 at acpi0
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xb000! 0xcb000/0x1800 0xdc000/0x4000!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82845G Host" rev 0x01
vga1 at pci0 dev 2 function 0 "Intel 82845G Video" rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xd800, size 0x800
inteldrm0 at vga1: apic 1 int 16 (irq 9)
drm0 at inteldrm0
uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" rev 0x01: apic 1 int 16 
(irq 9)
uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" rev 0x01: apic 1 int 19 
(irq 11)
uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x01: apic 1 int 18 
(irq 10)
ehci0 at pci0 dev 29 function 7 "Intel 82801DB USB" rev 0x01: apic 1 int 23 
(irq 9)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x81
pci1 at ppb0 bus 2
ohci0 at pci1 dev 5 function 0 "NEC USB" rev 0x43: apic 1 int 17 (irq 5), 
version 1.0
ohci1 at pci1 dev 5 function 1 "NEC USB" rev 0x43: apic 1 int 18 (irq 10), 
version 1.0
ehci1 at pci1 dev 5 function 2 "NEC USB" rev 0x04: apic 1 int 19 (irq 11)
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "NEC EHCI root hub" rev 2.00/1.00 addr 1
fxp0 at pci1 dev 8 function 0 "Intel PRO/100 VM" rev 0x81, i82562: apic 1 int 
20 (irq 11), address 00:30:05:32:9a:0a
inphy0 at fxp0 phy 1: i82562EM 10/100 PHY, rev. 0
puc0 at pci1 dev 9 function 0 "Sunix 40XX" rev 0x01: ports: 2 com
com3 at puc0 port 0 apic 1 int 19 (irq 11): ti16750, 64 byte fifo
com3: probed fifo depth: 32 bytes
com4 at puc0 port 1 apic 1 int 19 (irq 11): ti16750, 64 byte fifo
com4: probed fifo depth: 32 bytes
usb2 at ohci0: USB revision 1.0
uhub2 at usb2 "NEC OHCI root hub" rev 1.00/1.00 addr 1
usb3 at ohci1: USB revision 1.0
uhub3 at usb3 "NEC OHCI root hub" rev 1.00/1.00 addr 1
ichpcib0 at pci0 dev 31 function 0 "Intel 82801DB LPC" rev 0x01
pciide0 at pci0 dev 31 function 1 "Intel 82801DB IDE" rev 0x01: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1

Re: installing i386 filesets with a amd64 cd.... possible?

2009-04-27 Thread Mike Swanson

unix3 wrote:

Hi, I want to know if there would be any incompatibility if I use the amd64
install cd to call a http server with the i386 filesets and install them..
is this safe?

Thanks

  

No, you should use the same architecture's CD rather than a completely
different one.  Even if you managed to get this to work somehow, you
wouldn't be able to use the amd64 installer without the processor
supporting amd64 instructions; at that point, why are you bothering to
install i386 when you clearly have the option to use the superior arch?



Re: installing i386 filesets with a amd64 cd.... possible?

2009-04-27 Thread Kenneth R Westerback
On Mon, Apr 27, 2009 at 12:16:55PM -0400, unix3 wrote:
> Hi, I want to know if there would be any incompatibility if I use the amd64
> install cd to call a http server with the i386 filesets and install them..
> is this safe?
> 
> Thanks

Since the install process involves running some of the code that is 
installed, the amd64 install media will encounter problems running the
i386 executables that you ask it to install.

 Ken



Re: soekris 5501, ral(4) and 4.5-current

2009-04-27 Thread Tom
Well, my 4.5-release CD came. Kernel is dated Feb. 28th 2009. So, I
installed and I still get a ral(4) lockup, but now it takes hours to
happen.
Some of the symptoms that show at first are clients disconnecting.
Then finally, the machine gives up and locks itself up. (no response on
the serial console.)

I can make the lockup happen faster by transferring a lot of data at a
time through ral0. I'm going to take my RT2860 into work, and put
it on a 4.5-current machine I have and see if it makes the machine
crash as well, to rule out the Soekris being an issue.

Tom



Re: problem with some graphical apps in 4.5 on some machines

2009-04-27 Thread Rene Maroufi
Sorry, sorry for this mail, forgot it.

On Mon, Apr 27, 2009 at 10:51:43PM +0200, Rene Maroufi wrote:
> 
> The application package itself can't be damaged, because the same
> packages work on the third machine.

I was wrong. I installed the working machine from a cd, the others from
my internal ftp server. The gtk+2 package from the ftp server have a
different md5 sum then the package on the cd!

I reinstalled gtk+2 from the cd and all apps works well!

Cheers
Reni
-- 
Reni Maroufi
i...@maroufi.net



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Tony Abernethy
openbsd misc wrote:
> 
> > You can either read the code or listen to somebody who has.  I don't
> > know you either, but I know Henning and I know the bridge code, and
> > the short version is he's right.
> >
> >
> Has anyone noticed
> 
>  That if you substitute BIble for code , in the section quoted above-
> its like listening to someone who believes in a technical
> high-priesthood - all blessed with the doctrine of technical
> infallibility
Yep, I've noticed.
This blessed with the doctrine of technical infallibility you speak of
seems to be the proponents of sticking all sorts of wacko stuff into a
transparent bridge and giving it blessing of many web links.
Me, I'd rather trust the voice from the wilderness proclaiming truth.



Re: build fails on 4.5

2009-04-27 Thread Maurice Janssen

Ted Unangst wrote:

On Mon, Apr 27, 2009 at 1:54 PM, Maurice Janssen  wrote:

===> libexec/ld.so
/bin/sh: cd: /usr/src/libexec/ld.so - No such file or directory
*** Error code 1


The mirror is broken because rsync, in its infinite wisdom, doesn't
copy directories named *.so.  And since the mirror doesn't have that
directory, you don't have it either.  Get it from somewhere else.


Thanks, that's exactly what was wrong, make build runs fine now.

Maurice



Re: Recipient Validation & Design Opinions

2009-04-27 Thread Toni Mueller
Hi,

On Fri, 24.04.2009 at 08:47:00 -0400, Mario Vega  wrote:
> The two internal servers use several different domains and accept a  
> variety of different name formats.  In addition, some users have one or  
> more aliases.  Furthermore, only the primary address is published in  
> LDAP.  One server serves approximately 1k users and the other  
> approximately 20.

would it be possible to list all users in LDAP? Then you can "easily"
verify against that list.

> day, 115k of which are rejected as invalid.  Does anyone have experience  
> with scam-backscatter or are there other solutions we should be  
> investigating?

If you are able to weed out illegitimate recipients, this may go a long
way to reduce spam, or at least it did for us. Looking the email
address up in LDAP is *much* cheaper than doing a call-out to the
backend server(s). Greylisting helps us, too, but seems to "cost" mail
from broken servers (there are imho more than enough of these out
there).

> running Postfix, amavis, clamav and spamassassin.  Due to the nature of  
> the store and scan system, we've noticed a tendency for the system to  
> become swamped under heavy load and take several hours to clear out.  

Imho, the bulk of the load should be consumed by spamassassin which
could esp. lead to thrashing if you can't restrict the parallelism of
spamassassin runs. FWIW, I think that Postfix should generally be
preferable to sendmail, and you also seem to have more Postfix
experience already.

> Furthermore, we're quarantining viruses and and obvious spam in the  
> neighborhood of 89k a day, which I would rather leave at the door.

This you can only do if you don't accept the email, then scan and/or
quarantine it. To do this, there are several possibilities, but I
suggest taking a look at this program: http://smtpd.develooper.com/ You
need to keep the connection with your clients open until you have
decided on the fate of any given message, then you can emit a 5xx code
at any time, thus leaving part of the burden at the sender's side.

> The OpenBSD system would be running spamd, the base sendmail,  
> smtp-vilter, clamav and spamassassin.

Imho, both clamav and spamassassin are very heavyweight. If you can
devise heuristics to weed out messages early, using these before
feeding these two programs should reduce your load.


Kind regards,
--Toni++



Re: build fails on 4.5

2009-04-27 Thread Ted Unangst
On Mon, Apr 27, 2009 at 3:32 PM,   wrote:
> Ted Unangst wrote:
>
>> On Mon, Apr 27, 2009 at 1:54 PM, Maurice Janssen  wrote:
>>>
>>> ===> libexec/ld.so
>>> /bin/sh: cd: /usr/src/libexec/ld.so - No such file or directory
>>> *** Error code 1
>>
>> The mirror is broken because rsync, in its infinite wisdom, doesn't
>> copy directories named *.so.  And since the mirror doesn't have that
>> directory, you don't have it either.  Get it from somewhere else.
>
> Erm? rsync doesn't arbitrarily decide to ignore directories named *.so.
> Perhaps you mean that someone's configuration is excluding it
> inappropriately?

That's what I remembered from the last time it happened, but I just
double checked.  It seems rsync only does this when -C cvs-exclude is
passed.  The problem is that it ignores directories, not just files.



Re: T1 card compatible with 4.4

2009-04-27 Thread Toni Mueller
On Fri, 24.04.2009 at 11:26:42 -0400, (private) HKS  
wrote:
> I'm looking for a T1 card compatible with 4.4.

;)

> There were a fair number of recommendations for Sangoma's a101 a few
> years ago, followed by threads describing major problems and Sangoma
> yanking support for OpenBSD. What alternatives work decently under
> OpenBSD?

A while back Accoom cards were very fine, and if you can get them, do
it.

I'm very much interested in getting two or three more, although they
should be available only used by now. Please send me your offers
off-list. Thank you!


Kind regards,
--Toni++



Re: Cannot load Zend/IonCube "File not an ELF object"

2009-04-27 Thread Brynet
OpenBSD/i386 and OpenBSD/amd64 are 2 entirely different
architectures.. you cannot run i386 binaries under the amd64 port, it
is not supported.

-Brynet



Re: Internet access over Bluetooth; a summary.

2009-04-27 Thread Thomas Pfaff
On Mon, 27 Apr 2009 21:04:01 +0200
Otto Moerbeek  wrote:
> On Mon, Apr 27, 2009 at 08:43:16PM +0200, Thomas Pfaff wrote:
> > Bring the Bluetooth interface up and verify that you're able
> > to detect your phone:
> > 
> >$ sudo btconfig ubt0 up

This probably requires a few more parameters that I forgot about:

  $ sudo btconfig ubt0 up switch auth encrypt class 0x02010c

Not sure I need all of them yet, but this at least worked for me
(0x02010c is a "laptop computer", 0x20104 is a desktop).

> >$ sudo echo "00:1d:e9:e5:ad:01 phone" >> /etc/bluetooth/hosts
> 
> I don't think you tested the above command. Hint: the redirect is not
> done as root.

Quite right, sorry about that.  Just to make the archives happy:

  # echo "00:1d:e9:e5:ad:01 phone" >> /etc/bluetooth/hosts

> > I've no idea what the name servers are supposed to be, so I
> > just started a local one and pointed /etc/resolv.conf at it;
> 
> not very nice, better find out what the actual nameservers are. I
> believe ppp has some way to tell the client, see the ppp man page.

I'm probably missing something obvious here, but can someone
enlighten me as to why running a local (recursive) name server
is "not very nice"?



Re: Internet access over Bluetooth; a summary.

2009-04-27 Thread Thomas Pfaff
On Mon, 27 Apr 2009 23:22:03 +0400
Vadim Zhukov  wrote:
> On 27 April 2009 c. 22:43:16 Thomas Pfaff wrote:
> > So, I finally got Internet access over Bluetooth to my Nokia 6233
> > working.  Here's a short summary of the steps taken (this assumes
> > a properly configured phone).
[...]
> Enough good howto. I think it's even worth to be included in FAQ (after
> some developer magic, of course).

Well, that would require some more work.  This is just a quick summary
of what I did, what worked for me, so it can be found in the archives.



Re: build fails on 4.5

2009-04-27 Thread Toni Mueller
On Mon, 27.04.2009 at 14:14:07 -0400, Ted Unangst  wrote:
> The mirror is broken because rsync, in its infinite wisdom, doesn't
> copy directories named *.so.  And since the mirror doesn't have that
> directory, you don't have it either.  Get it from somewhere else.

dtalk has given the right answer already, but you can easily verify
this for yourself:

$ mkdir -p a/some.so b
$ rsync -a a b
$ find a b
a
a/some.so
b
b/a
b/a/some.so
$ 


Kind regards,
--Toni++



Re: Internet access over Bluetooth; a summary.

2009-04-27 Thread rivo nurges
Hi!

I have taken a bit different route.

sudo btconfig ubt0 up
sudo sdpd
sudo bthcid
btpin -d ubt0 -a  -p 

; cat /etc/ppp/ppp.conf
gprs:
  set device !"rfcomm_sppd -a  -s DUN"
  set dial "ABORT ERROR ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" ATZ OK-ATZ-OK AT+CGDCONT=1,\\\"IP\\\",\\\"internet\\\" OK \\dATD\\T TIMEOUT 40 CONNECT"
  set phone "*99#"
  set speed 115200
  set login
  set timeout 0
  set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
  add default HISADDR
  enable dns

; sudo ppp
ppp> call gprs


To be able to use with ppp(8) I had to patch rfcomm_sppd.

--- rfcomm_sppd/rfcomm_sppd.c.orig  Sat Nov 22 05:03:03 2008
+++ rfcomm_sppd/rfcomm_sppd.c   Sun Dec 21 10:54:54 2008
@@ -228,16 +228,16 @@
 * be used directly with stdio
 */
if (tty == NULL) {
-   if (tcgetattr(tty_in, &t) < 0)
-   err(EXIT_FAILURE, "tcgetattr");
 
memcpy(&tio, &t, sizeof(tio));
t.c_lflag &= ~(ECHO | ICANON);
t.c_iflag &= ~(ICRNL);
 
if (memcmp(&tio, &t, sizeof(tio))) {
-   if (tcsetattr(tty_in, TCSANOW, &t) < 0)
-   err(EXIT_FAILURE, "tcsetattr");
 
atexit(reset_tio);
}
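Review bot: the hunk only deletes the tcgetattr()/tcsetattr() calls together with their error handling, which leaves `t` uninitialised when `memcpy(&tio, &t, sizeof(tio))` runs and means the modified settings are never applied even when stdin really is a terminal; the header `@@ -228,16 +228,16 @@` also does not match a body with four removals and no additions, so replacement lines may have been lost in the mail. Suggest guarding the block instead, e.g. `if (tty == NULL && isatty(tty_in))`, or treating `errno == ENOTTY` from tcgetattr as "nothing to do", so the non-tty case that ppp(8)'s `set device !"..."` creates is skipped without dropping the checks for the interactive case.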

-- 
rix
http://www.ripe.net/perl/whois?...@estpak.ee



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Ted Unangst
On Mon, Apr 27, 2009 at 3:02 PM, openbsd misc  wrote:
>> You can either read the code or listen to somebody who has.  I don't
>> know you either, but I know Henning and I know the bridge code, and
>> the short version is he's right.
>>
>>
> Has anyone noticed
>
>  That if you substitute Bible for code, in the section quoted above,
> it's like listening to someone who believes in a technical
> high-priesthood - all blessed with the doctrine of technical
> infallibility
> which is great if you like dogma and blind faith. For  Me the
> occasional rational explanation for why not to do something with a
> little concrete technical backup to support the assertion, is usually
> more useful.

stupid analogy.  I said to read the code.  OpenBSD's behavior is
defined by the code.  My "faith" has no impact on that behavior.



Re: build fails on 4.5

2009-04-27 Thread dtalk

Ted Unangst wrote:

> On Mon, Apr 27, 2009 at 1:54 PM, Maurice Janssen  wrote:
>> ===> libexec/ld.so
>> /bin/sh: cd: /usr/src/libexec/ld.so - No such file or directory
>> *** Error code 1
>
> The mirror is broken because rsync, in its infinite wisdom, doesn't
> copy directories named *.so.  And since the mirror doesn't have that
> directory, you don't have it either.  Get it from somewhere else.


Erm? rsync doesn't arbitrarily decide to ignore directories named *.so. 
Perhaps you mean that someone's configuration is excluding it 
inappropriately?


-d

--
David Talkington
dt...@drizzle.com
--
PGP key: http://www.flyingjoke.org/keys/801E3976.asc
(What's this?  http://en.wikipedia.org/wiki/Digital_signature)



Re: Internet access over Bluetooth; a summary.

2009-04-27 Thread Vadim Zhukov
On 27 April 2009 c. 22:43:16 Thomas Pfaff wrote:
> So, I finally got Internet access over Bluetooth to my Nokia 6233
> working.  Here's a short summary of the steps taken (this assumes
> a properly configured phone).
>
> Make sure your Bluetooth device is recognized by OpenBSD:
>
>$ dmesg | grep ubt
>ubt0 at uhub4 port 1 "Micro Star International Bluetooth" \
>rev 2.00/32.64 addr 2
>
> Install the bluetooth-tools package.  This provides, among
> other things, btconfig, btpin and rfcomm_sppd.
>
> Bring the Bluetooth interface up and verify that you're able
> to detect your phone:
>
>$ sudo btconfig ubt0 up
>bthub0 at ubt0 00:21:85:b2:51:41
>$ btconfig ubt0 inquiry
>Device Discovery from device: ubt0  1 response
>  1: bdaddr 00:1d:e9:e5:ad:01 (phone)
>
>   : name "Nokia 6233"
>   : class: [0x5a0204] Cellular Phone
>   : page scan rep mode 0x01
>   : clock offset 27997
>
> Add the bdaddr to /etc/bluetooth/hosts so you don't have to
> type in the address each time you want to refer to your phone:
>
>$ sudo echo "00:1d:e9:e5:ad:01 phone" >> /etc/bluetooth/hosts
>
> Start bthcid(8), generate a pin using btpin(1) and connect to
> your phones' Dial Up Networking (DUN) service using rfcomm_sppd(1).
>
>$ sudo /usr/local/sbin/bthcid
>$ btpin -a phone -r -l 4
>PIN: 2701
>$ rfcomm_sppd -d ubt0 -a phone -s DUN
>
> You should receive a question on your phone if you want to accept
> the connection and then type in the PIN generated above.  You
> should now be able to communicate with your phone:
>
>rfcomm_sppd[16519]: Starting on stdio...
>AT
>OK
>ATI3
>Nokia 6233
>
>OK
>
> Now that we know this works, we can attach this to a pty:
>
>$ rfcomm_sppd -d ubt0 -a phone -s DUN -t /dev/ttyp0
>$

In my experience, some phones want DUN and some want SP. Maybe some more
phones want something else.


> Create a ppp interface and connect using pppd(8) [1]
>
>$ sudo ifconfig ppp0 create
>$ pppd call netcom
>$ ifconfig ppp0
>ppp0: flags=8051 mtu 1500
>priority: 0
>groups: ppp
>inet 89.8.5.99 --> 10.6.6.6 netmask 0xff00
>
> (fancy IP address ;-)).  Now check the routing table:
>
>$ netstat -rnf inet | grep default
>    default            10.6.6.6           UG         0        0     -    56 ppp0
>
> I've no idea what the name servers are supposed to be, so I
> just started a local one and pointed /etc/resolv.conf at it;
>
>$ sudo /usr/sbin/named
>$ sudo echo "nameserver 127.0.0.1" >> /etc/resolv.conf
>
> We're on!
>
>$ ping -c 4 www.google.com
>PING www.l.google.com (209.85.137.104): 56 data bytes
>64 bytes from 209.85.137.104: icmp_seq=0 ttl=237 time=640.756 ms
>64 bytes from 209.85.137.104: icmp_seq=1 ttl=237 time=595.876 ms
>64 bytes from 209.85.137.104: icmp_seq=2 ttl=237 time=619.887 ms
>64 bytes from 209.85.137.104: icmp_seq=3 ttl=237 time=645.883 ms
>--- www.l.google.com ping statistics ---
>4 packets transmitted, 4 packets received, 0.0% packet loss
>round-trip min/avg/max/std-dev = 595.876/625.600/645.883/19.746 ms
>
>
> [1] My option file and chat script is as follows (you probably have
> to modify this):
>
> $ cat /etc/ppp/peers/netcom  # probably don't need all this poop
> /dev/ttypz
> 115200
> local
> debug
> #crtscts
> nodetach
> noipdefault
> defaultroute
> lock
> novj
> nobsdcomp
> novjccomp
> nopcomp
> noaccomp
> noauth
> connect '/usr/sbin/chat -f /etc/ppp/peers/chat/umts.netcom'
>
> $ cat /etc/ppp/peers/chat/umts.netcom
> TIMEOUT   5
> ECHO  ON
> ABORT '\nBUSY\r'
> ABORT '\nERROR\r'
> ABORT '\nNO ANSWER\r'
> ABORT '\nNO DIAL TONE\r'
> ABORT '\nNO DIALTONE\r'
> ABORT '\nRINGING\r\n\r\nRINGING\r'
> ''        \rAT
> TIMEOUT   30
> OK        ATD*99#
> TIMEOUT   10
> CONNECT   ""

Good enough howto. I think it's even worth including in the FAQ (after
some developer magic, of course).

--
  Best wishes,
Vadim Zhukov

A: Because it messes up the way people read text.
Q: Why is a top-posting such a bad thing?



Re: OpenBSD on Sun Netra X1

2009-04-27 Thread Fred Crowson
On 4/27/09, Christopher Intemann  wrote:
> Thank you very much, your guide will be very helpful to me.
> Maybe you should blog it somewhere?


That's what mailing list archives are for:

http://marc.info/?l=openbsd-misc&w=2&r=1&s=Netra+X1&q=b

hth

Fred



Re: Internet access over Bluetooth; a summary.

2009-04-27 Thread Otto Moerbeek
On Mon, Apr 27, 2009 at 08:43:16PM +0200, Thomas Pfaff wrote:

> So, I finally got Internet access over Bluetooth to my Nokia 6233
> working.  Here's a short summary of the steps taken (this assumes
> a properly configured phone).

Cool, this might indeed help other people struggling with this. I have
a few comments inline.

> 
> Make sure your Bluetooth device is recognized by OpenBSD:
> 
>$ dmesg | grep ubt
>ubt0 at uhub4 port 1 "Micro Star International Bluetooth" \
>rev 2.00/32.64 addr 2
> 
> Install the bluetooth-tools package.  This provides, among
> other things, btconfig, btpin and rfcomm_sppd.
> 
> Bring the Bluetooth interface up and verify that you're able
> to detect your phone:
> 
>$ sudo btconfig ubt0 up
>bthub0 at ubt0 00:21:85:b2:51:41
>$ btconfig ubt0 inquiry
>Device Discovery from device: ubt0  1 response
>  1: bdaddr 00:1d:e9:e5:ad:01 (phone)
>   : name "Nokia 6233"
>   : class: [0x5a0204] Cellular Phone
>   : page scan rep mode 0x01
>   : clock offset 27997
> 
> Add the bdaddr to /etc/bluetooth/hosts so you don't have to
> type in the address each time you want to refer to your phone:
> 
>$ sudo echo "00:1d:e9:e5:ad:01 phone" >> /etc/bluetooth/hosts

I don't think you tested the above command. Hint: the redirect is not
done as root. 

> 
> Start bthcid(8), generate a pin using btpin(1) and connect to
> your phones' Dial Up Networking (DUN) service using rfcomm_sppd(1).
> 
>$ sudo /usr/local/sbin/bthcid
>$ btpin -a phone -r -l 4
>PIN: 2701
>$ rfcomm_sppd -d ubt0 -a phone -s DUN
> 
> You should receive a question on your phone if you want to accept
> the connection and then type in the PIN generated above.  You
> should now be able to communicate with your phone:
> 
>rfcomm_sppd[16519]: Starting on stdio...
>AT
>OK
>ATI3
>Nokia 6233
> 
>OK
> 
> Now that we know this works, we can attach this to a pty:
> 
>$ rfcomm_sppd -d ubt0 -a phone -s DUN -t /dev/ttyp0
>$
> 
> Create a ppp interface and connect using pppd(8) [1]
> 
>$ sudo ifconfig ppp0 create
>$ pppd call netcom
>$ ifconfig ppp0
>ppp0: flags=8051 mtu 1500
>priority: 0
>groups: ppp
>inet 89.8.5.99 --> 10.6.6.6 netmask 0xff00
> 
> (fancy IP address ;-)).  Now check the routing table:
> 
>$ netstat -rnf inet | grep default
>    default            10.6.6.6           UG         0        0     -    56 ppp0
> 
> I've no idea what the name servers are supposed to be, so I
> just started a local one and pointed /etc/resolv.conf at it;

not very nice, better find out what the actual nameservers are. I
believe ppp has some way to tell the client, see the ppp man page.

> 
>$ sudo /usr/sbin/named
>$ sudo echo "nameserver 127.0.0.1" >> /etc/resolv.conf
> 
> We're on!
> 
>$ ping -c 4 www.google.com
>PING www.l.google.com (209.85.137.104): 56 data bytes
>64 bytes from 209.85.137.104: icmp_seq=0 ttl=237 time=640.756 ms
>64 bytes from 209.85.137.104: icmp_seq=1 ttl=237 time=595.876 ms
>64 bytes from 209.85.137.104: icmp_seq=2 ttl=237 time=619.887 ms
>64 bytes from 209.85.137.104: icmp_seq=3 ttl=237 time=645.883 ms
>--- www.l.google.com ping statistics ---
>4 packets transmitted, 4 packets received, 0.0% packet loss
>round-trip min/avg/max/std-dev = 595.876/625.600/645.883/19.746 ms
> 
> 
> [1] My option file and chat script is as follows (you probably have
> to modify this):
> 
> $ cat /etc/ppp/peers/netcom  # probably don't need all this poop
> /dev/ttypz
> 115200
> local
> debug
> #crtscts
> nodetach
> noipdefault
> defaultroute
> lock
> novj
> nobsdcomp
> novjccomp
> nopcomp
> noaccomp
> noauth
> connect '/usr/sbin/chat -f /etc/ppp/peers/chat/umts.netcom'
> 
> $ cat /etc/ppp/peers/chat/umts.netcom
> TIMEOUT   5
> ECHO  ON
> ABORT '\nBUSY\r'
> ABORT '\nERROR\r'
> ABORT '\nNO ANSWER\r'
> ABORT '\nNO DIAL TONE\r'
> ABORT '\nNO DIALTONE\r'
> ABORT '\nRINGING\r\n\r\nRINGING\r'
> ''        \rAT
> TIMEOUT   30
> OK        ATD*99#
> TIMEOUT   10
> CONNECT   ""

-Otto



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread openbsd misc
> You can either read the code or listen to somebody who has.  I don't
> know you either, but I know Henning and I know the bridge code, and
> the short version is he's right.
>
>
Has anyone noticed

 That if you substitute Bible for code, in the section quoted above,
it's like listening to someone who believes in a technical
high-priesthood - all blessed with the doctrine of technical
infallibility
which is great if you like dogma and blind faith. For  Me the
occasional rational explanation for why not to do something with a
little concrete technical backup to support the assertion, is usually
more useful.

;)



Re: soekris 5501, ral(4) and 4.5-current

2009-04-27 Thread Stuart Henderson
try ifconfig ral0 down; ifconfig ral0 up.

that's a different thing and I suspect is a problem either in the driver
or net80211. I have seen this on ral occasionally and have now seen something
similar or the same on an acx which used to be stable; the only change at
all with the acx was moving it to an environment with more other wireless
devices around.

unfortunately the places where I can actually get any diagnostic output
are not places where this problem occurs...


On 2009/04/27 11:46, Chris Jones wrote:
> 
> 
> Stuart Henderson wrote:
> > On 2009-04-26, Tom  wrote:
> >> On 2009-04-26. Stuart Henderson wrote:
> >> On 2009-04-25, Tom wrote:
> I have a ral(4) acting as a hostap. The problems began since
>  upgrading from Feb 28th snapshot to April 10th (and higher). I have a
>  Soekris 5501. I bought 2 different ral(4) PCI cards, one is a RT2661
>  and the other is a RT2860 (Planex GW-DS3300N). The RT2661 actually
>  lasts longer than the RT2860. When I have the RT2860 in the box, it
>  doesn't matter whether I use no encryption, WEP, WPA1 or WPA2. The box
>  locks up without any kind of drop into ddb. When the RT2661 is in the
>  machine, it will stay up a day, maybe two tops before it locks solid.
> >>> try a different psu, especially if you have the lower-power of the ones
> >>> that soekris sell.
> >> Hi,
> >>
> >>   I got the higher psu of the ones soekris sell. It's 12V, 3A. That
> >> should be enough
> >> for the 2.5" laptop disk plus the PCI card I run, right?
> > 
> > usually, yes, but there have been so many reported strange problems
> > with soekris boxes that went away after switching PSU, it's a good thing
> > to check early on.
> > 
> > I'll try moving my alix with RT2860 to -current to see if I can
> > replicate though..
> > 
> I picked up a 12V, 3A PSU for my net4501 and it didn't fix the issue I
> am having running my ral(4) card in hostap mode on 4.4-stable.
> 
> ral0 at pci0 dev 17 function 0 "Ralink RT2860" rev 0x00: irq 11, address
> 00:0e:8e:20:84:94
> ral0: MAC/BBP RT2860 (rev 0x0102), RF RT2850 (2T3R)
> 
> I'm having a different issue where the clients are connecting
> momentarily and then disconnecting.
> 
> When I have a moment I'm going to throw this card in a spare desktop I
> have to rule out an issue with the hardware or driver under 4.4-stable.
> I'll update the list when I test this.
> 
> Cheers,
> -C



Re: soekris 5501, ral(4) and 4.5-current

2009-04-27 Thread Chris Jones
Stuart Henderson wrote:
> On 2009-04-26, Tom  wrote:
>> On 2009-04-26. Stuart Henderson wrote:
>> On 2009-04-25, Tom wrote:
I have a ral(4) acting as a hostap. The problems began since
 upgrading from Feb 28th snapshot to April 10th (and higher). I have a
 Soekris 5501. I bought 2 different ral(4) PCI cards, one is a RT2661
 and the other is a RT2860 (Planex GW-DS3300N). The RT2661 actually
 lasts longer than the RT2860. When I have the RT2860 in the box, it
 doesn't matter whether I use no encryption, WEP, WPA1 or WPA2. The box
 locks up without any kind of drop into ddb. When the RT2661 is in the
 machine, it will stay up a day, maybe two tops before it locks solid.
>>> try a different psu, especially if you have the lower-power of the ones
>>> that soekris sell.
>> Hi,
>>
>>   I got the higher psu of the ones soekris sell. It's 12V, 3A. That
>> should be enough
>> for the 2.5" laptop disk plus the PCI card I run, right?
> 
> usually, yes, but there have been so many reported strange problems
> with soekris boxes that went away after switching PSU, it's a good thing
> to check early on.
> 
> I'll try moving my alix with RT2860 to -current to see if I can
> replicate though..
> 
I picked up a 12V, 3A PSU for my net4501 and it didn't fix the issue I
am having running my ral(4) card in hostap mode on 4.4-stable.

ral0 at pci0 dev 17 function 0 "Ralink RT2860" rev 0x00: irq 11, address
00:0e:8e:20:84:94
ral0: MAC/BBP RT2860 (rev 0x0102), RF RT2850 (2T3R)

I'm having a different issue where the clients are connecting
momentarily and then disconnecting.

When I have a moment I'm going to throw this card in a spare desktop I
have to rule out an issue with the hardware or driver under 4.4-stable.
I'll update the list when I test this.

Cheers,
-C



Internet access over Bluetooth; a summary.

2009-04-27 Thread Thomas Pfaff
So, I finally got Internet access over Bluetooth to my Nokia 6233
working.  Here's a short summary of the steps taken (this assumes
a properly configured phone).

Make sure your Bluetooth device is recognized by OpenBSD:

   $ dmesg | grep ubt
   ubt0 at uhub4 port 1 "Micro Star International Bluetooth" \
   rev 2.00/32.64 addr 2

Install the bluetooth-tools package.  This provides, among
other things, btconfig, btpin and rfcomm_sppd.

Bring the Bluetooth interface up and verify that you're able
to detect your phone:

   $ sudo btconfig ubt0 up
   bthub0 at ubt0 00:21:85:b2:51:41
   $ btconfig ubt0 inquiry
   Device Discovery from device: ubt0  1 response
 1: bdaddr 00:1d:e9:e5:ad:01 (phone)
  : name "Nokia 6233"
  : class: [0x5a0204] Cellular Phone
  : page scan rep mode 0x01
  : clock offset 27997

Add the bdaddr to /etc/bluetooth/hosts so you don't have to
type in the address each time you want to refer to your phone:

   $ sudo echo "00:1d:e9:e5:ad:01 phone" >> /etc/bluetooth/hosts

Start bthcid(8), generate a pin using btpin(1) and connect to
your phones' Dial Up Networking (DUN) service using rfcomm_sppd(1).

   $ sudo /usr/local/sbin/bthcid
   $ btpin -a phone -r -l 4
   PIN: 2701
   $ rfcomm_sppd -d ubt0 -a phone -s DUN

You should receive a question on your phone if you want to accept
the connection and then type in the PIN generated above.  You
should now be able to communicate with your phone:

   rfcomm_sppd[16519]: Starting on stdio...
   AT
   OK
   ATI3
   Nokia 6233

   OK

Now that we know this works, we can attach this to a pty:

   $ rfcomm_sppd -d ubt0 -a phone -s DUN -t /dev/ttyp0
   $

Create a ppp interface and connect using pppd(8) [1]

   $ sudo ifconfig ppp0 create
   $ pppd call netcom
   $ ifconfig ppp0
   ppp0: flags=8051 mtu 1500
   priority: 0
   groups: ppp
   inet 89.8.5.99 --> 10.6.6.6 netmask 0xff00

(fancy IP address ;-)).  Now check the routing table:

   $ netstat -rnf inet | grep default
   default            10.6.6.6           UG         0        0     -    56 ppp0

I've no idea what the name servers are supposed to be, so I
just started a local one and pointed /etc/resolv.conf at it;

   $ sudo /usr/sbin/named
   $ sudo echo "nameserver 127.0.0.1" >> /etc/resolv.conf

We're on!

   $ ping -c 4 www.google.com
   PING www.l.google.com (209.85.137.104): 56 data bytes
   64 bytes from 209.85.137.104: icmp_seq=0 ttl=237 time=640.756 ms
   64 bytes from 209.85.137.104: icmp_seq=1 ttl=237 time=595.876 ms
   64 bytes from 209.85.137.104: icmp_seq=2 ttl=237 time=619.887 ms
   64 bytes from 209.85.137.104: icmp_seq=3 ttl=237 time=645.883 ms
   --- www.l.google.com ping statistics ---
   4 packets transmitted, 4 packets received, 0.0% packet loss
   round-trip min/avg/max/std-dev = 595.876/625.600/645.883/19.746 ms


[1] My option file and chat script is as follows (you probably have
to modify this):

$ cat /etc/ppp/peers/netcom  # probably don't need all this poop
/dev/ttypz
115200
local
debug
#crtscts
nodetach
noipdefault
defaultroute
lock
novj
nobsdcomp
novjccomp
nopcomp
noaccomp
noauth
connect '/usr/sbin/chat -f /etc/ppp/peers/chat/umts.netcom'

$ cat /etc/ppp/peers/chat/umts.netcom
TIMEOUT 5
ECHO    ON
ABORT   '\nBUSY\r'
ABORT   '\nERROR\r'
ABORT   '\nNO ANSWER\r'
ABORT   '\nNO DIAL TONE\r'
ABORT   '\nNO DIALTONE\r'
ABORT   '\nRINGING\r\n\r\nRINGING\r'
''  \rAT
TIMEOUT 30
OK  ATD*99#
TIMEOUT 10
CONNECT ""
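The umts.netcom file in [1] is a chat(8) script: a flat list of expect-send pairs with TIMEOUT and ABORT keywords that chat runs against the phone before handing the tty to pppd. The interpreter below is an added example (not from the post, and not chat(8) itself) that replays that exact script against a constructed table of AT-command replies, so you can see how the ABORT list short-circuits a failed dial, and that a NO CARRIER answer, which the script does not list, runs into the 10 s TIMEOUT instead. The phone replies and the default ERROR reply are constructed, not captured from a Nokia 6233.

```python
"""Toy chat(8) interpreter replaying the umts.netcom script above.
Added example, not from the post. It models only what that script uses
(TIMEOUT, ECHO, ABORT, expect-send pairs) and a table-driven fake phone."""
from collections import namedtuple

UMTS_NETCOM = r"""
TIMEOUT 5
ECHO    ON
ABORT   '\nBUSY\r'
ABORT   '\nERROR\r'
ABORT   '\nNO ANSWER\r'
ABORT   '\nNO DIAL TONE\r'
ABORT   '\nNO DIALTONE\r'
ABORT   '\nRINGING\r\n\r\nRINGING\r'
''      \rAT
TIMEOUT 30
OK      ATD*99#
TIMEOUT 10
CONNECT ""
"""

KEYWORDS = ("TIMEOUT", "ABORT", "ECHO")
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\"}
ChatResult = namedtuple("ChatResult", "status detail sent")


def tokenize(line):
    """Split a line into words, honouring '...' and "..." quoting; an empty
    quoted word is a real token. Escapes are resolved later by unescape()."""
    toks, cur, quote = [], None, None
    for ch in line:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur += ch
        elif ch in "'\"":
            quote, cur = ch, (cur or "")
        elif ch.isspace():
            if cur is not None:
                toks.append(cur)
            cur = None
        else:
            cur = (cur or "") + ch
    return toks + ([cur] if cur is not None else [])


def unescape(s):
    """Translate the \\n \\r \\t \\\\ sequences chat(8) accepts in strings."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_ESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_chat(text):
    """Flatten the script into (keyword, arg) and ('EXPECT', expect, send)
    steps; keywords count only in the expect position, as in chat(8)."""
    toks = [t for line in text.splitlines() for t in tokenize(line)]
    steps = []
    for i in range(0, len(toks), 2):
        arg = unescape(toks[i + 1]) if i + 1 < len(toks) else ""
        if toks[i] in KEYWORDS:
            steps.append((toks[i], arg))
        else:
            steps.append(("EXPECT", unescape(toks[i]), arg))
    return steps


def run_chat(steps, phone, default_reply="\r\nERROR\r\n"):
    """Drive the script against `phone`, a dict AT-command -> reply bytes.
    There is no clock: an expect string absent from the pending output is
    reported as the timeout chat(8) would hit once TIMEOUT expires."""
    aborts, rx, sent = [], "", []
    for step in steps:
        if step[0] == "ABORT":
            aborts.append(step[1])
            continue
        if step[0] in KEYWORDS:        # TIMEOUT / ECHO: nothing to model here
            continue
        _, expect, send = step
        if expect:
            # chat(8) acts on whichever abort string or expect string the
            # incoming bytes complete first.
            ends = [(rx.find(s) + len(s), s) for s in aborts + [expect] if s in rx]
            if not ends:
                return ChatResult("timeout", expect, sent)
            end, hit = min(ends)
            if hit != expect:
                return ChatResult("abort", hit.strip(), sent)
            rx = rx[end:]
        sent.append(send + "\r")       # chat(8) appends CR unless the string ends in \c
        cmd = send.strip("\r")
        if cmd:
            rx += phone.get(cmd, default_reply)
    return ChatResult("connected", "", sent)


# Constructed phone behaviours (not captured from a real handset).
PHONE_OK = {"AT": "\r\nOK\r\n", "ATD*99#": "\r\nCONNECT 115200\r\n"}
PHONE_BUSY = {"AT": "\r\nOK\r\n", "ATD*99#": "\r\nBUSY\r\n"}
# No ABORT for NO CARRIER in the script, so this one waits out the last TIMEOUT.
PHONE_NO_CARRIER = {"AT": "\r\nOK\r\n", "ATD*99#": "\r\nNO CARRIER\r\n"}


def dial(phone):
    return run_chat(parse_chat(UMTS_NETCOM), phone)
```

Run `dial(PHONE_BUSY)` and `dial(PHONE_NO_CARRIER)` side by side: the first fails immediately with the matched abort string, the second only after the TIMEOUT, which is the practical cost of a short ABORT list.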



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Ted Unangst
On Mon, Apr 27, 2009 at 10:25 AM, Felipe Alfaro Solana
 wrote:
> Again, not a single or valid technical argument on why a bridging firewall
> is a bad idea. Just a moot and offensive responsive, and a very
> strong assessment from someone that doesn't know me at all. It's also very
> sad to see so many impolite answers in this list. Perhaps saying "are
> apparently black magic" would be more appropriate.

http://marc.info/?l=openbsd-misc&m=124082008204226&w=2

You can either read the code or listen to somebody who has.  I don't
know you either, but I know Henning and I know the bridge code, and
the short version is he's right.



Re: build fails on 4.5

2009-04-27 Thread Ted Unangst
On Mon, Apr 27, 2009 at 1:54 PM, Maurice Janssen  wrote:
> ===> libexec/ld.so
> /bin/sh: cd: /usr/src/libexec/ld.so - No such file or directory
> *** Error code 1

The mirror is broken because rsync, in its infinite wisdom, doesn't
copy directories named *.so.  And since the mirror doesn't have that
directory, you don't have it either.  Get it from somewhere else.



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Diana Eichert

On Sun, 26 Apr 2009, bofh wrote:

> Anyone who puts in an inline IDS is a damned idiot.  D stands for
> detection, so you should always use a tap or something else.  Only IPS
> should be inline.


I know of inline IDS systems that work, but they're custom hardware
solutions running on FPGA based cards, Virtex IV for example.

diana



build fails on 4.5

2009-04-27 Thread Maurice Janssen

Hi,

I'm trying to build a release (to be able to publish file sets for the 
stable tree for a number of architectures on May 1st), but I'm having 
some troubles.


Creating the links for the obj directories during 'make obj' fails like 
this:

===> libexec/login_token
/usr/src/libexec/login_token/obj -> /usr/obj/libexec/login_token
===> libexec/login_radius
/usr/src/libexec/login_radius/obj -> /usr/obj/libexec/login_radius
===> libexec/login_tis
/usr/src/libexec/login_tis/obj -> /usr/obj/libexec/login_tis
===> libexec/rpc.yppasswdd
/usr/src/libexec/rpc.yppasswdd/obj -> /usr/obj/libexec/rpc.yppasswdd
===> libexec/ld.so
/bin/sh: cd: /usr/src/libexec/ld.so - No such file or directory
*** Error code 1

Stop in /usr/src/libexec (line 48 of /usr/share/mk/bsd.subdir.mk).
*** Error code 1

Stop in /usr/src (line 48 of /usr/share/mk/bsd.subdir.mk).


This happens on amd64, i386, macppc and sparc64.
Is there something wrong with the source tree (my tree is in sync with 
the anoncvs mirror (tag: OPENBSD_4_5) or am I doing something wrong?


Maurice



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Diana Eichert

On Sun, 26 Apr 2009, Felipe Alfaro Solana wrote:
SNIP

> Really? What's wrong with transparent bridging? What's wrong with a
> transparent, in-line IDS? What's wrong with a software tap? All of these
> technologies use some sort of transparent bridging and are not being used
> exclusively by idiots, but also smart people [1] [2]


Lessee, running the bridge interfaces in promiscous mode is not the
fastest thing in the world.

I'll leave it to other people to chime in for other reasons.

diana



Re: Cannot load Zend/IonCube "File not an ELF object"

2009-04-27 Thread unix3
Now with my i386 install everything seems to work fine, but again I couldn't
get it to work on amd64. Much less Zend, which only has 32-bit modules for
OBSD.

 Thank you.

On Mon, 27 Apr 2009 12:11:44 -0400, unix3  wrote:
> I had an error... I was trying to use the 32bit.. and not the 64bit for
> AMD.
> 
> However... The 64bit is titled: ioncube_loaders_ope_3.9_x86-64.tar.gz ..
> seems older because of the 3.9 .. ?
> 
> In any case, I tried it and it generated a php core dump that prevents me
> from running any php scripts.
> 
> I am formatting now and installing i386 OBSD 4.4 to see ..
> 
> 
> 
> 
> 
> 
> On Mon, 27 Apr 2009 19:13:36 +1200, Richard Toohey
>  wrote:
>> On 27/04/2009, at 11:22 AM, unix3 wrote:
>> 
>>> Hi, I tried installing separately Zend Optimizer, or IonCube ...
>>> but the error that I get is
>>>
>>> Failed loading /var/www/usr/lib/php/ZendExtensionManager.so:  File  
>>> not an ELF object
>>> Failed loading /var/www/usr/lib/php/ZendOptimizer.so:  File not an  
>>> ELF object
>>>
>>> The error is the same for IonCube just that the path changes  
>>> obviously.
>>>
>>> Please note I am running inside the chroot. I am running on an amd64
>>> GENERIC kernel.
>>>
>>> Could it be because I am using amd64 (4.4) instead of the i386?
>>>
>>>
>>> Thanks.
>> 
>> So, where did you get the files from?  What URL?
>> 
>> http://marc.info/?l=openbsd-misc&m=119790234006529&w=2
>> (different problem, but same sort of question.)
>> 
>> Thanks.



installing i386 filesets with a amd64 cd.... possible?

2009-04-27 Thread unix3
Hi, I want to know if there would be any incompatibility if I use the amd64
install cd to call a http server with the i386 filesets and install them..
is this safe?

Thanks



Re: Cannot load Zend/IonCube "File not an ELF object"

2009-04-27 Thread unix3
I had an error... I was trying to use the 32bit.. and not the 64bit for
AMD.

However... The 64bit is titled: ioncube_loaders_ope_3.9_x86-64.tar.gz ..
seems older because of the 3.9 .. ?

In any case, I tried it and it generated a php core dump that prevents me
from running any php scripts.

I am formatting now and installing i386 OBSD 4.4 to see ..






On Mon, 27 Apr 2009 19:13:36 +1200, Richard Toohey
 wrote:
> On 27/04/2009, at 11:22 AM, unix3 wrote:
> 
>> Hi, I tried installing separately Zend Optimizer, or IonCube ...
>> but the error that I get is
>>
>> Failed loading /var/www/usr/lib/php/ZendExtensionManager.so:  File  
>> not an ELF object
>> Failed loading /var/www/usr/lib/php/ZendOptimizer.so:  File not an  
>> ELF object
>>
>> The error is the same for IonCube just that the path changes  
>> obviously.
>>
>> Please note I am running inside the chroot. I am running on an amd64
>> GENERIC kernel.
>>
>> Could it be because I am using amd64 (4.4) instead of the i386?
>>
>>
>> Thanks.
> 
> So, where did you get the files from?  What URL?
> 
> http://marc.info/?l=openbsd-misc&m=119790234006529&w=2
> (different problem, but same sort of question.)
> 
> Thanks.



Re: vmware esxi 3.5u4: amd64 4.4 generic bsd.mp kernel panic

2009-04-27 Thread J.C. Roberts
On Mon, 27 Apr 2009 16:16:57 +0200 "Erwin van Maanen"
 wrote:

> Running OpenBSD on a vmware esxi server, whenever i boot the amd64
> bsd.mp version i get stuck with kernel panic.
> 
> panic: fp_save ipi didn't
> 
>  
> 
> I've tried several things:
> 
> - amd64 bsd.mp, without network card(s): boots normal
> 
> - amd64 bsd.mp, with tricked network card to flexible (pcn device):
> same panic just right after the httpd loads
> 
> - i386 bsd.mp: no problems so far
> 
> - amd64 without mp: no problems
> 
>  
> 
> dmesg (of the normal bsd boot, not mp):
> 
> http://www.hutmeel.nl/panic/dmesg.txt
> 
>  
> 
> I've made a few screenshots of the panic message, trace, ps and show
> registers.
> 
> http://www.hutmeel.nl/panic/panic0-2.gif
> 
> http://www.hutmeel.nl/panic/panic0.gif
> 
> http://www.hutmeel.nl/panic/panic1.gif
> 
> http://www.hutmeel.nl/panic/panic2.gif
> 
> http://www.hutmeel.nl/panic/panic3.gif
> 
> http://www.hutmeel.nl/panic/panic4.gif
> 
>  
> 
> As you can see on the first screenshot, it looks like it happens as
> soon as ntpd starts.
> 
> Any help in the right direction would be greatly appreciated. (was
> searching the archives, but couldn't find a similar problem)
> 
>  
> 
> -- Erwin
> 


First of all, running OpenBSD on anything other than real hardware is
not supported. --The developers have better things to do than fight
with imaginary bugs on imaginary hardware (i.e. "virtualization"). If
you hit a bug running under virtualization, then the problem is the
responsibility of the vendor of said virtualization because they are
obviously failing to emulate hardware exactly.

Secondly, what part of the following message did you fail to understand?

"RUN AT LEAST 'trace' AND 'ps' AND INCLUDE THE OUTPUT WHEN
REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THIS
INFORMATION"


O.K. Now with stating the obvious above out of the way, I did get an ESX
license last week for the lab, but I'm still waiting on Dell to deliver
the T610 hardware. If you can explain what you mean by, "tricked network
card to flexible," it would help.

Also, even though we are off topic for m...@openbsd, it might help to
state the exact, *real* hardware you're using to run ESX. As I found
out the hard way, ESX is *very* picky and doesn't play well with most
real hardware.

Did you realize you are *supposed* to have two (2) populated processor
sockets (2 physical processors) in order to run *any* 64-bit operating
system as a guest on top of ESX? --I found this limitation buried deep
in the ESX docs, and hence the question about the real hardware you're
using to run ESX.

--
J.C. Roberts



Re: OpenBSD on Sun Netra X1

2009-04-27 Thread Christopher Intemann
Thank you very much, your guide will be very helpful to me.
Maybe you should blog it somewhere?
I'm just only getting a bit confused about the serial ports of the Netra
box.
Where do I get the appropriate cables to either connect this port to an
ordinary RS/232 port, or to another Netra X1?
By the way, I just learned from the OBSD 4.5 changelog that the 4.5 release
will be able to scale down the CPU frequency of UltraSPARC IIe CPUs to save
power, that's great!
Regards,
 Chris

On Mon, Apr 27, 2009 at 4:15 AM, Daniel Ouellet  wrote:

> OK,
>
> Here I put a little bit of details on how to set up that box from scratch. I
> guess I spent a little bit of time putting it together because I also
> remember my first one, years ago, where I did plenty of Google before I
> could set one up.
>
> It wasn't a 5 minutes process then, but it is sure not hard either. So, to
> save you time and may be for the next guys as well to make life easier for
> them here it is.
>
> First question you may have is.. Where do I plug my keyboard, or monitor.
> Or if you are an MCSE, where do I plug my mouse. (;> OK, just a joke, but
> surprisingly many can't do much without GUI.
>
> Anyway, joke aside.
>
> You do everything from a console access on these boxes. T1-105, AC200, X1,
> V100, V120, etc, etc. There isn't a monitor port, or keyboard, or mouse ports
> there. (;> Nor is there a need for it either.
>
> On the back you have the serial A that is also used for LOM. That's what you
> need to use to have console access to that box. Use any software you want,
> doesn't matter as long as you set it up VT100 emulation and use 9600-8-N-1
> for the setting communications. Plain old serial cable, like any Cisco
> console cable do just fine, or what ever you have available as long as the
> connector is RJ-45 to go to the Sun box.
>
> Now, one command that is very useful and that I had to dig on Google is how
> to switch to LOM and the console from that terminal. Well, it's very simple,
> but I had to dig it up.
>
> To access the LOM:
> #.
>
> To go back to the console:
> console
>
> To get out of the console:
> ~.
>
> Simple command, but when you don't know them, well, you can search a long
> time. (;>
>
> Next, to stop the booting process, as who knows the stage in which you will
> get the box.
>
> It may try to boot from the network all the time, or what not.
>
> So, when the box is plugged in the AC, but actually off, the console will give
> you the LOM access by default.
>
> The following steps may or may not be needed, depending on what stage the
> box was shipped to you, but as a rule of thumb, I like to reset everything to
> defaults, just to know where I am, so:
>
> From there, make sure the box will not try to boot, but give you the #
> prompt so that you can access the box hardware.
>
> So, first is to stop the auto boot:
>
> lom>bootmode help
> Usage: bootmode [[-u] forth|reset_nvram|diag|skipdiag|normal]
>
> So, just do bootmode forth
>
> This will simply stop the normal boot process and when the box goes to the
> usual hardware check, it will then give you the OK prompt.
>
> And a side note, in case you haven't seen that before, or use Sun before,
> you can turn on/off the box from the console, reset it and all, which can be
> useful at time specially if you have two of these boxes connected together
> via a simple flat cable between the console port and the serial port of the
> other box, but will get back to that later.
>
> So, turn on the box:
>
> lom>poweron
>
> Then when you get the # prompt may be one minute later or so.
>
> init 0
> ok setenv auto-boot? false (This is so that it doesn't try to reboot all
> the time yet)
>
> #depending on which Hardware and OBP Version you are running it is
> either or ( I do both in order to be sure on my SunFire)
>
> ok reset
>
> ok reset-all
>
> Each step above, like the reset and the reset-all will, well like it said
> reset the box.
>
> Then, when the OBP is back you can run eg
> ok probe-scsi-all (for the SCSI type server, T1, AC200, V120, etc)
>
> or
>
> ok probe-ide-all for the IDE servers type, like the V100, X1, etc.
>
> I do both anyway on all boxes, it doesn't create any problem and even on
> systems without any SCSI drives, the probe-scsi-all will actually find the
> drives opposed to the probe-ide-all one. (;< It may be related with the LOM
> version, I can't say really and I am sure better minds than me would know.
>
> I never find a way to upgrade the LOM anyway without having Solaris running
> on these boxes. I would love to know how, or even if possible, but really, I
> haven't got a clue on that!
>
> If anyone actually know how, I would really, really love to know how!
>
> Anyway, lets move one.
>
> It detect the hardware you have in case hardware was changed between the
> real last run and what was ship to you. (;> Not always needed, but good
> practice anyway. In some cases it will save you lots of time specially wen
> you get the "processor miss align errors" I can't recall exactly 

8,526 Holiday homes, Holiday apartments, Hotels

2009-04-27 Thread Maik Schmidt
Holiday accommodation
vacation rentals worldwide

  * secondcasa.com

  * vacation rentals worldwide

  * Reuchlinstrasse 23

  * 72800 Eningen unter Achalm

  * Germany

  * Telephone/Fax +49 (0)7123 2846889/2846892

  * E-Mail i...@secondcasa.com

Greece

Dear ladies and gentlemen,

It is with pleasure that we present secondcasa to you personally, the
one-of-a-kind holiday portal, and it is with equal pleasure that we would be
glad to give you a warm welcome as a new advertiser. secondcasa is a
multilingual platform acting as an intermediary for holiday accommodation.

If you have further questions, our support service is at your complete
disposal to answer them.

  * Automatic translation of your listing into 20 languages

  * Secure processing and easy management of holiday rentals

  * Secure handling of booking requests

  * Online management of your customer records

  * In addition you will have an updatable website complete with a
guest book

  * Statistics and newsletter

  * Detailed presentation of your properties including the booking
calendar and the photo gallery

  * Over 8,500 holiday accommodations in 92 countries

  * 949,000 guests per month

Take advantage of this opportunity and register today:
More information / secondcasa.com ;

Best regards,

Maik Schmidt

Mallorca
Tuscany
New York



If you wish to unsubscribe from the Publisher Email Notifications, simply
click on this unsubscribe-link.



Re: vmware esxi 3.5u4: amd64 4.4 generic bsd.mp kernel panic

2009-04-27 Thread Stuart Henderson
On 2009-04-27, Erwin van Maanen  wrote:
> Running OpenBSD on a vmware esxi server, whenever I boot the amd64 bsd.mp
> version I get stuck with kernel panic.

please try 4.5 or -current; esxi amd64 MP works fine in -current for sure.



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Felipe Alfaro Solana
On Mon, Apr 27, 2009 at 2:52 PM, Marcello Cruz wrote:

> Hey guys,
>
> There are some articles that may bring some light to the discussion:
> * http://en.wikipedia.org/wiki/Network_bridge (best bet)
> * http://en.wikipedia.org/wiki/Bridging_(networking)
> * http://en.wikipedia.org/wiki/Transparent_bridge
> *
> http://www.cisco.com/en/US/docs/internetworking/technology/handbook/Bridging-Basics.html
>

I was talking about something like:

http://www.snort.org/docs/snort_manual/node16.html
http://snort-inline.sourceforge.net/
http://en.hakin9.org/attachments/hakin9_6-2006_str22-33_snort_EN.pdf

and not a pure bridge, as described in the links you sent.

>
> Best,
> Marcello
>
> - Original Message - From: "Daniel Ouellet" 
> To: "Openbsd-Misc" 
> Sent: Monday, April 27, 2009 12:10 AM
> Subject: Re: Transparent firewall (bridge) with DMZ + LAN
>
>
>
>> patrick keshishian wrote:
>>
>>> On Sun, Apr 26, 2009 at 4:10 PM, bofh  wrote:
>>>
>>>> It's called going off on a related tangent - whenever I hear people
>>>> talking about using something because someone has published a paper
>>>> and here's all these smart people using it (transparent bridging, etc,
>>>> or in my case natting externally accessible/routable hosts), it pisses
>>>> me off.
>>>>
>>>> People use it because they have a need to do something. When you're
>>>> told there's a better way to do things, pay attention, instead of
>>>> telling the experts here (and I'm talking about the openbsd developers
>>>> in this thread - not me, I'm in management now, no brain cells left)
>>>> they're wrong because you have all these great URLs - if you want to
>>>> listen to those people, then you should be using the OS they use too.
>>>
>>> so you prefer to take someone's word blindly without any backing
>>> evidence or facts, so long as you believe they are a credible source?
>>
>> Well, let's say that if they spent years developing the system, including PF
>> and the bridge capability, and the same people tell me that it's bad to
>> do so. Well, HELL yes I would listen to them. They are better minds than me
>> and they have the code to back it up as well as their saying too.
>>
>> So, to that answer yes. They are a credible source, they designed it for
>> crying wolf.
>>
>>> Maybe management is a good place for you, but I'd hate to be a
>>> shareholder in a company people like you may have any sort of
>>> influential role in steering its goals and/or direction.
>>
>> Not relevant at all. But even if that was, contrary to the majority of
>> managers that only listen to marketing vapor ware, as opposed to digging it
>> up themselves, this might, maybe, be very good: to listen to the source of
>> reason, and not to say as well the origin of the product as opposed to
>> marketing people, then yes. I would. Most managers wouldn't even understand
>> it anyway and there are exceptions, but by all means not the norm, so your
>> analogy is pointless and off topic.
>>
>>> "Perhaps as one of the older generation, I should preach a
>>> little sermon to you, but I do not propose to do so. I shall,
>>> instead, give you a word of advice about how to behave
>>> toward your elders. When an old and distinguished person
>>> speaks to you, listen to him carefully and with respect -- but
>>> do not believe him. Never put your trust in anything but your
>>> own intellect. Your elder, no matter whether he has gray hair
>>> or lost his hair, no matter whether he is a Nobel Laureate,
>>> may be wrong... So you must always be skeptical -- always
>>> think for yourself."
>>
>> I am so glad for you that you were born with the knowledge you need already
>> and do not need to listen to anyone that might speak from years of
>> experience. I envy you, really I do! I can't claim that gift from birth
>> itself.
>>
>> Some might become senile at old age, yes, by the simple fact of getting
>> older. Still the natural path of life as we know it. May you be blessed as
>> to never suffer that sad outcome.
>>
>> But, many are still very sound and a few of them, as opposed to the "young
>> padawan" with the hope of maybe becoming a Jedi one day, don't need to prove
>> anything to anyone anymore, and actually provide valuable information from
>> experience without asking anything in return and without alternate
>> motivations other than helping whoever is willing to listen. Many are not
>> withholding knowledge in the hopes of getting ahead and screwing you over in
>> the process to get an edge over you. Yes, it's rare, but there are still many
>> people like that. I guess it comes with self confidence and actual real
>> knowledge. I actually welcome their input. But do as you wish, no one is
>> stopping you really. (;>
>>
>> As for why not to do a bridge setup. Maybe something as simple as one
>> example that comes to mind. Your bridge needs to work in promiscuous mode
>> and will see, receive and process all kinds of crap that it wouldn't need to
>> do otherwise.
>>
>> More resources will be used on the 

Re: svnd is incredible slow... somebody else notice that?

2009-04-27 Thread Ariane van der Steldt
On Mon, Apr 27, 2009 at 12:26:13AM +0200, Sebastian Rother wrote:
> > If the way you do something takes too long.
> > Seems like that is a bug.
> > Most likely in the way you are doing it.
> > A lot of things, you can do them wrong and get away with it for a while.
> > Getting away with doing something wrong is far from proof that you were
> > doing it right.
> 
> That's for sure right but I somehow think I know how to use vnconfig.
> And 'course the devs LOVE ME they'd have flamed more than they did if I
> would have done something wrong.

Your tone of voice in the whole thread suggests you rather like the
flames. You start out with the assumption that you are right, then
continue on a tone that suggests the developers are wrong, don't have a
clue and should fix your problem right now.

Your tone of voice is unacceptable to a person doing you a favour. Your
tone of voice is even not acceptable if you had a million dollar support
contract/SLA; those often get terminated at the earliest convenience for
customers like you.

> vnconfig -cK 52527 -S saltfile /dev/sd0k /dev/svnd1c
> 
> Creates: a svnd, why svnd1 and not 0? 'course of make build and make
> release.

And if your problem was indeed confined to vnconfig, you would stop
there and not build a filesystem on top. Instead, you'd be copying
directly to svnd1c and show it is indeed slow, as opposed to the
copy-operation on top of the filesystem on top of the disklabel on top
of vnconfig. (Yeah, a developer analysing your case despite your
rudeness...)

> disklabel -E svnd1
> -> a a
> -> r
> -> w
> -> q
> 
> You can use svnd1c directly but then be sure you get flamed by the
> developers so I chose to validate it even with a partition (which I
> normally never do use nor used in the past, it won't matter for the
> result).
> 
> newfs /dev/rsvnd1a *wait some time.. for me it was a 220G partition*

FFS2 may help you: man newfs.
Actually, newfs contains many options and you may want to see if
changing some of those helps your case.

> mount -o noatime,softdep /dev/svnd1a /home
> cd /home
> 
> Benchmark it like you want.. with whatever makes you horny.. dd,
> bonnie++

If benchmarks are your thing, knock yourself out. But they can't tell
you why things behave a certain way and without understanding the
benchmark, they won't tell you anything.
Smart people would try to find a cause, because it goes a long way to
fixing a problem, instead of bitching about it.

That's the very short summary of why benchmarks are useless, not taking
into account of the usual work-around way of speeding them up.

> I get awful slow results with:
> i386, AMD64, different {CPUs,Motherboards,RAM,HDDs,NICs},
> oBSD-stable/current

So you changed 8 variables at the same time? Wonderful isolation of
the problem, please wait for a few minutes while each of us rushes to
the shop to buy your specific hardware layouts and further isolates the
problem.

> It's all the same: writing speed about 2-4MB/s

man bonnie++:
   There are two sections to the  program's  operations.  The
   first  is  to  test the IO throughput in a fashion that is
   designed to simulate some types of database  applications.
   The second is to test creation, reading, and deleting many
   small files in a fashion similar to the usage patterns  of
   programs such as Squid or INN.

So it is a bad idea to run a database server, squid or inn on your
svnd. Now explain why this is relevant to your problem?

> I was already asked by people how to encrypt a partition and all I can
> tell them for now is: Sorry, that won't make you happy with OpenBSD
> because of a speed issue nobody admits (or you get a 2nd HDD because
> softraid works perfectly).
> 
> So why do devs just listen if it goes security critical like the stuff
> with PF..

I think the pf stuff that you're referring to was handled fine. I don't
see what your problem is with that. Nor do I see the relevance to
vnconfig.

> > I reserve the right to be as annoying on this list as you are. 
> 
> Good argument, and a valid one.
> At least you're no retard who starts to talk in a way making you believe
> you entered a digital gh3tt0 :-D

Even a ghetto is a cozy place compared to your posts. And even my boss
doesn't get to use the tone of voice you used in this thread. So what
are you trying to achieve? Getting on every developers blacklist?
Getting hated by every developer? Or maybe you aim to be ignored
forever..?
If that's your goal, just tell us. Otherwise, being civil will get you
places, especially if you are the one asking the favour.
-- 
Ariane



Re: USB->PS2 converter with KVM?

2009-04-27 Thread Peter Kay - Syllopsium

From: "J.C. Roberts" 
Subject: USB->PS2 converter with KVM?




I'm attempting to use a USB-to-PS2 converter and running the PS2
through a Belkin KVM. The converts I bought seem to be old USB 1.1
stuff, and they don't play very well with any OS.

[..snip..]

Can anyone suggest a brand (and model) for a good quality USB->PS2
converter that plays well with Belkin KVM's?

Newlink USB->PS/2 convertors are quite good.

However, I suspect your problem is the Belkin - not the convertor. My SGI O2
boxes *really* don't like the Belkin Omnicube I still have somewhere, and my
Pentium OS/2/DOS box won't see the mouse unless the KVM is switched to that
box on bootup..


Solution: eBay! I got a very nice Compaq (rebadged Avocent, IIRC) eight way
KVM for about thirty quid


PK



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Felipe Alfaro Solana
On Mon, Apr 27, 2009 at 1:00 PM, Henning Brauer wrote:

> * Felipe Alfaro Solana  [2009-04-27 11:56]:
> > For a two-interface router/firewall, most of the traffic that reaches it
> > will probably have to traverse it anyway, so I don't see how a
> > two-interface bridge or a two-interface router will have different
> > workloads.
>
> it has been pointed out, but if you don't read it the first time there
> is no point in repeating...


I saw some pretty good arguments from Daniel, but no data backing them up. I
will need to search a bit around to understand why a two-interface bridging
firewall will see more interrupts and data traffic than a two-interface
routing firewall.

> > But, fortunately, someone on this thread pointed out good technical
> > arguments on why bridging in OpenBSD is perhaps not a good idea.
>
> .
>
> > But, to me,
> > it doesn't mean that bridging firewalls are a bad idea in other
> > platforms.
>
> That is because, to you, networking and operating system internals are
> apparently black magic. It is not an OpenBSD problem.


Again, not a single or valid technical argument on why a bridging firewall
is a bad idea. Just a moot and offensive response, and a very
strong assessment from someone that doesn't know me at all. It's also very
sad to see so many impolite answers in this list. Perhaps saying "are
apparently black magic" would be more appropriate.

--
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
>
>


-- 
http://www.felipe-alfaro.org/blog/disclaimer/



USB->PS2 converter with KVM?

2009-04-27 Thread J.C. Roberts
I'm attempting to use a USB-to-PS2 converter and running the PS2
through a Belkin KVM. The converters I bought seem to be old USB 1.1
stuff, and they don't play very well with any OS.

uhidev1 at uhub1 port 5 configuration 1 interface 1 "CHESEN PS2 to USB Converter" rev 1.10/0.10 addr 2
uhidev1: iclass 3/1, 3 report ids

On switching, the mouse has a personality conflict and goes on a
drunken right-clicking binge.

The problem is not OpenBSD specific, but someone here might know the
joys of dealing with PS2-less systems combined with a KVM.

Can anyone suggest a brand (and model) for a good quality USB->PS2
converter that plays well with Belkin KVMs?

Thanks!
jcr


OpenBSD 4.5-current (GENERIC.MP) #0: Fri Apr 24 17:27:23 PDT 2009
j...@cvs.foo.bar:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2078081024 (1981MB)
avail mem = 2005647360 (1912MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf (71 entries)
bios0: vendor Dell Inc. version "2.1.8" date 07/03/2008
bios0: Dell Inc. OptiPlex 740 Enhanced
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP BOOT SSDT ASF! HPET MCFG SLIC APIC
acpi0: wakeup devices HUB0(S5) XVRA(S5) XVRB(S5) XVRC(S5) USB0(S3) USB2(S3) AZAD(S5) MMAC(S5) MMCI(S5) UAR1(S5) PS2M(S4) PS2K(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 2500 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+, 2706.00 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+, 2705.65 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
ioapic0 at mainbus0 apid 4 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 4
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (HUB0)
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpibtn0 at acpi0: PWRB
cpu0: PowerNow! K8 2705 MHz: speeds: 2700 2600 2400 2200 2000 1800 1000 MHz
pci0 at mainbus0 bus 0
"NVIDIA C51 Host" rev 0xa2 at pci0 dev 0 function 0 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 1 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 2 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 3 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 4 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 5 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 6 not configured
"NVIDIA C51 Memory" rev 0xa2 at pci0 dev 0 function 7 not configured
ppb0 at pci0 dev 2 function 0 "NVIDIA C51 PCIE" rev 0xa1
pci1 at ppb0 bus 1
ppb1 at pci0 dev 3 function 0 "NVIDIA C51 PCIE" rev 0xa1
pci2 at ppb1 bus 2
bge0 at pci2 dev 0 function 0 "Broadcom BCM5754" rev 0x02, BCM5754/5787 A2 (0xb002): apic 4 int 14 (irq 14), address 00:22:19:26:b4:a7
brgphy0 at bge0 phy 1: BCM5787 10/100/1000baseT PHY, rev. 0
ppb2 at pci0 dev 4 function 0 "NVIDIA C51 PCIE" rev 0xa1
pci3 at ppb2 bus 3
vga1 at pci0 dev 5 function 0 "NVIDIA GeForce 6150 LE" rev 0xa2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"NVIDIA MCP51 Host" rev 0xa2 at pci0 dev 9 function 0 not configured
pcib0 at pci0 dev 10 function 0 "NVIDIA MCP51 ISA" rev 0xa3
nviic0 at pci0 dev 10 function 1 "NVIDIA MCP51 SMBus" rev 0xa3
iic0 at nviic0
spdmem0 at iic0 addr 0x52: 1GB DDR2 SDRAM non-parity PC2-6400CL5
spdmem1 at iic0 addr 0x53: 1GB DDR2 SDRAM non-parity PC2-6400CL5
iic1 at nviic0
"NVIDIA MCP51 Memory" rev 0xa3 at pci0 dev 10 function 2 not configured
ohci0 at pci0 dev 11 function 0 "NVIDIA MCP51 USB" rev 0xa3: apic 4 int 15 (irq 15), version 1.0, legacy support
ehci0 at pci0 dev 11 function 1 "NVIDIA MCP51 USB" rev 0xa3: apic 4 int 5 (irq 5)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "NVIDIA EHCI root hub" rev 2.00/1.00 addr 1
pciide0 at pci0 dev 14 function 0 "NVIDIA MCP51 SATA" rev 0xa1: DMA
pciide0: using apic 4 int 10 (irq 10) for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 152587MB, 31250 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 t

vmware esxi 3.5u4: amd64 4.4 generic bsd.mp kernel panic

2009-04-27 Thread Erwin van Maanen
Running OpenBSD on a vmware esxi server, whenever I boot the amd64 bsd.mp
version I get stuck with kernel panic.

panic: fp_save ipi didn't

I've tried several things:

- amd64 bsd.mp, without network card(s): boots normally

- amd64 bsd.mp, with tricked network card to flexible (pcn device): same
panic just right after the httpd loads

- i386 bsd.mp: no problems so far

- amd64 without mp: no problems

dmesg (of the normal bsd boot, not mp):

http://www.hutmeel.nl/panic/dmesg.txt

I've made a few screenshots of the panic message, trace, ps and show
registers.

http://www.hutmeel.nl/panic/panic0-2.gif

http://www.hutmeel.nl/panic/panic0.gif

http://www.hutmeel.nl/panic/panic1.gif

http://www.hutmeel.nl/panic/panic2.gif

http://www.hutmeel.nl/panic/panic3.gif

http://www.hutmeel.nl/panic/panic4.gif

As you can see on the first screenshot, it looks like it happens as soon as
ntpd starts.

Any help in the right direction would be greatly appreciated. (was searching
the archives, but couldn't find a similar problem)

-- Erwin



Re: ipsec.conf + RoadWarrior

2009-04-27 Thread Stuart Henderson
On 2009-04-27, Edvard Fagerholm  wrote:
> 1. Clients are either OS X or Windows connecting from arbitrary IPs  
> and hostnames and sometimes behind NAT connections.
>
> 2. OpenBSD 4.4 server.
>
> I have certificates created and signed by our CA with the e-mail  
> address used as the UFQDN in the subjectAltName field. Similarly I  
> have a certificate for the firewall with its IP address in the  
> subjectAltName.
>
> The internal network is the subnet 192.168.0/24 and I would like to  
> have addresses in the 192.168.1/24 range assigned to the VPN  
> connections. I was wondering how this would be done with ipsec.conf? I  
> have previously configured a similar setup using isakmpd.conf, but the  
> examples for ipsec.conf only seem to address cases where both ends  
> have hostnames or IP addresses that are known. In this case I don't  
> have any idea of the client (except the cert).

you can use "to any" to do this, but you also need a keynote policy
to restrict the addresses users are allowed to ask for (otherwise you
can be in for a whole bunch of fun if somebody enters a bad address).
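The check Stuart is describing, as an added illustration (this is not isakmpd or ipsec.conf code, and not something posted in the thread): once ipsec.conf says "to any", the gateway accepts whatever flow a client proposes in phase 2, so the policy layer (keynote on OpenBSD) has to decide which remote address a given client identity may claim. The Python below models that decision, using the networks from the question (LAN 192.168.0/24, VPN pool 192.168.1/24); the client identities, their assigned addresses and the sample requests are constructed.

```python
"""Address check a road-warrior IPsec gateway must enforce (added example).

Not isakmpd code.  It models what the keynote policy has to express when
ipsec.conf uses "to any": which remote address each client identity
(the UFQDN from the certificate's subjectAltName) may negotiate.
"""
import ipaddress

# Constructed values matching the post's networks.
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")   # protected LAN
VPN_POOL = ipaddress.ip_network("192.168.1.0/24")       # client addresses

# Hypothetical mapping from client identity to the one VPN address that
# client is allowed to use.
ASSIGNED = {
    "alice@example.com": ipaddress.ip_address("192.168.1.10"),
    "bob@example.com": ipaddress.ip_address("192.168.1.11"),
}


def check_proposed_flow(client_id, proposed):
    """Decide whether `client_id` may negotiate a flow for `proposed`.

    `proposed` is the remote network the client asks for, in CIDR form.
    Returns (True, "ok") or (False, reason).  Checks are ordered so the
    most dangerous requests are named explicitly in the reason.
    """
    assigned = ASSIGNED.get(client_id)
    if assigned is None:
        return False, "unknown client id"

    net = ipaddress.ip_network(proposed, strict=False)

    # A client claiming a LAN address (or 0.0.0.0/0, which contains the
    # LAN) would have the gateway route LAN traffic into its tunnel.
    if net.overlaps(INTERNAL_NET):
        return False, "address overlaps protected network"

    # Road warriors get a single host address, never a whole subnet.
    if net.num_addresses != 1:
        return False, "client may only claim a single host address"

    host = net.network_address
    if host not in VPN_POOL:
        return False, "address outside VPN pool"

    # Bind the address to the identity so one client cannot take over the
    # address, and therefore the traffic, of another.
    if host != assigned:
        return False, "not the address assigned to this client"

    return True, "ok"


if __name__ == "__main__":
    # Constructed requests; only the first should be accepted.
    for client, flow in [
        ("alice@example.com", "192.168.1.10/32"),
        ("alice@example.com", "192.168.0.5/32"),
        ("alice@example.com", "0.0.0.0/0"),
        ("alice@example.com", "192.168.1.0/24"),
        ("alice@example.com", "192.168.1.11/32"),
        ("mallory@example.com", "192.168.1.10/32"),
    ]:
        print(client, flow, check_proposed_flow(client, flow))
```

The same decision, expressed in keynote, would compare the flow's remote address against the pool and against the client's identity rather than using a dictionary; the dictionary is only the simplest stand-in for that lookup.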



Re: Auto allocations in 4.6 with big drives and bios limitations

2009-04-27 Thread Stuart Henderson
On 2009-04-27, Daniel Ouellet  wrote:
> pciide0 at pci0 dev 13 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc3: 
> DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
> pciide0: using ivec 0x7cc for native-PCI interrupt
> wd0 at pciide0 channel 0 drive 0: 
> wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> wd1 at pciide0 channel 1 drive 0: 
> wd1: 16-sector PIO, LBA48, 152627MB, 312581808 sectors
> wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
>
>> (and I'm not entirely sure I remember what the big disk issue is
>> with sparc64 systems...guess I need to find out, and put it in
>> the FAQ so I can look it up next time I forget. :)

The M5229 only supports 24-bit LBA. I don't think this is something
the installer should address. Possibly pciide could cap the drive size
on this chip though, I'm not sure...



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Marcello Cruz

Hey guys,

There are some articles that may bring some light to the discussion:
* http://en.wikipedia.org/wiki/Network_bridge (best bet)
* http://en.wikipedia.org/wiki/Bridging_(networking)
* http://en.wikipedia.org/wiki/Transparent_bridge
* 
http://www.cisco.com/en/US/docs/internetworking/technology/handbook/Bridging-Basics.html


Best,
Marcello

- Original Message - 
From: "Daniel Ouellet" 

To: "Openbsd-Misc" 
Sent: Monday, April 27, 2009 12:10 AM
Subject: Re: Transparent firewall (bridge) with DMZ + LAN



patrick keshishian wrote:

> On Sun, Apr 26, 2009 at 4:10 PM, bofh  wrote:
>
>> It's called going off on a related tangent - whenever I hear people
>> talking about using something because someone has published a paper
>> and here's all these smart people using it (transparent bridging, etc,
>> or in my case natting externally accessible/routable hosts), it pisses
>> me off.
>>
>> People use it because they have a need to do something. When you're
>> told there's a better way to do things, pay attention, instead of
>> telling the experts here (and I'm talking about the openbsd developers
>> in this thread - not me, I'm in management now, no brain cells left)
>> they're wrong because you have all these great URLs - if you want to
>> listen to those people, then you should be using the OS they use too.
>
> so you prefer to take someone's word blindly without any backing
> evidence or facts, so long as you believe they are a credible source?

Well, let's say that if they spent years developing the system, including PF
and the bridge capability, and the same people tell me that it's bad to
do so. Well, HELL yes I would listen to them. They are better minds than me
and they have the code to back it up as well as their saying too.

So, to that answer yes. They are a credible source, they designed it for
crying wolf.

> Maybe management is a good place for you, but I'd hate to be a
> shareholder in a company people like you may have any sort of
> influential role in steering its goals and/or direction.

Not relevant at all. But even if that was, contrary to the majority of
managers that only listen to marketing vapor ware, as opposed to digging it
up themselves, this might, maybe, be very good: to listen to the source of
reason, and not to say as well the origin of the product as opposed to
marketing people, then yes. I would. Most managers wouldn't even understand
it anyway and there are exceptions, but by all means not the norm, so your
analogy is pointless and off topic.

> "Perhaps as one of the older generation, I should preach a
> little sermon to you, but I do not propose to do so. I shall,
> instead, give you a word of advice about how to behave
> toward your elders. When an old and distinguished person
> speaks to you, listen to him carefully and with respect -- but
> do not believe him. Never put your trust in anything but your
> own intellect. Your elder, no matter whether he has gray hair
> or lost his hair, no matter whether he is a Nobel Laureate,
> may be wrong... So you must always be skeptical -- always
> think for yourself."

I am so glad for you that you were born with the knowledge you need already
and do not need to listen to anyone that might speak from years of
experience. I envy you, really I do! I can't claim that gift from birth
itself.

Some might become senile at old age, yes, by the simple fact of getting
older. Still the natural path of life as we know it. May you be blessed as
to never suffer that sad outcome.

But, many are still very sound and a few of them, as opposed to the "young
padawan" with the hope of maybe becoming a Jedi one day, don't need to prove
anything to anyone anymore, and actually provide valuable information
from experience without asking anything in return and without alternate
motivations other than helping whoever is willing to listen. Many are
not withholding knowledge in the hopes of getting ahead and screwing you
over in the process to get an edge over you. Yes, it's rare, but there is
still many people like that. I guess it comes with self confidence and
actual real knowledge. I actually welcome their input. But do as you wish,
no one is stopping you really. (;>

As for why not to do a bridge setup. Maybe something as simple as one
example that comes to mind. Your bridge needs to work in promiscuous mode
and will see, receive and process all kinds of crap that it wouldn't need
to do otherwise.

More resources will be used on the bridge that could be better used
elsewhere. Should I also add that a misconfiguration of a bridge can stay
undetected for years, as opposed to a misconfiguration of a decent firewall
not in bridge mode, which would become more obvious sooner in most cases
anyway. Call that security by default setup if you like. (;>

Don't forget that the simple action of putting a box in bridge mode has the
effect of passing all traffic across it. You may think your bridge is working
as the traffic is passing, but in reality, maybe someone affected it
adversely and you can't see it.

Bridg
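To make Daniel's last two points concrete, here is an added configuration example for an OpenBSD bridge firewall of this era; it is mine, not something posted in the thread. A bridge on its own forwards everything, so the ruleset has to start from a logged default deny and list what is allowed, otherwise a broken ruleset and a working one look the same from the outside. The interface names em0/em1, the DMZ range 192.0.2.0/24 (the RFC 5737 documentation range) and the allowed services are assumptions.

```conf
# /etc/hostname.em0 and /etc/hostname.em1 (assumed member interfaces):
# bring the members up without addresses.
up

# /etc/hostname.bridge0: the two members form the bridge.  blocknonip keeps
# non-IP frames, which pf does not filter, from being forwarded either.
add em0
add em1
blocknonip em0
blocknonip em1
up

# /etc/pf.conf
ext_if  = "em0"            # assumed: faces the upstream router
dmz_if  = "em1"            # assumed: faces the DMZ switch
dmz_net = "192.0.2.0/24"   # assumed: documentation range standing in for the DMZ

set skip on lo

# Weak form: a bridge that "works because traffic passes".  With only this
# rule the box is indistinguishable from a cable, and any mistake in the
# rest of the configuration stays invisible.
# pass all

# Default deny, logged: anything the bridge would forward that is not
# explicitly allowed shows up on pflog0 instead of silently passing.
block log all

# Filtering happens on the member interfaces.  States are floating by
# default, so a packet admitted "in" on one member also passes "out" on
# the other member without a separate rule.
pass in on $ext_if proto tcp from any to $dmz_net port { 80 443 }
pass in on $dmz_if proto { tcp udp } from $dmz_net to any port 53
pass in on $dmz_if proto tcp from $dmz_net to any port 25
```

Two checks belong next to this: `pfctl -sr` shows the rules actually loaded (an empty or "pass all" output after a failed reload is exactly the silent failure described above), and `tcpdump -n -e -ttt -i pflog0` shows what the default deny is catching, which is the only signal a transparent box gives that it is filtering at all.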

Re: mount_mfs partition size (sparc64)

2009-04-27 Thread Michael
Hi,

Otto Moerbeek wrote:
> You missed some context. Look at the #if 0 a few lines higher.

Just to clarify... because of some weird thing (bug?) it can only use 32
bit even though the arch is actually 64 bit?

From the 32-bit part of: /usr/src/sys/arch/sparc64/include/vmparam.h

 * This is silly.  Apparently if we go above these numbers
 * integer overflows in other parts of the kernel cause hangs.


Michael



Re: Someone has running Ekiga?

2009-04-27 Thread Stuart Henderson
On 2009-04-27, Toma? Bod?ar  wrote:
> I made it,but it doesn't help.That's why I'm asking.

did you follow the "You have to restart..." section here?


$ pkg_info ekiga
Information for 
ftp://obsd.cec.mtu.edu//pub/OpenBSD/snapshots/packages/i386/ekiga-2.0.12p14.tgz

Comment:
SIP and H.323 compatible conferencing application

Description:
Ekiga (formely known as GnomeMeeting) is an open source VoIP and video
conferencing application for GNOME.  Ekiga uses both the H.323 and SIP
protocols. It supports many audio and video codecs, and is interoperable
with other SIP compliant software and also with Microsoft NetMeeting.

Maintainer: Jasper Lievisse Adriaanse ,  Antoine Jacoutot 


WWW: http://www.ekiga.org/

Install notice:
You have to restart the GConf daemon by killing it before running Ekiga
for the first time.  As a regular user:
  gconftool-2 --shutdown && ekiga



Re: soekris 5501, ral(4) and 4.5-current

2009-04-27 Thread Stuart Henderson
On 2009-04-26, Tom  wrote:
> On 2009-04-26. Stuart Henderson wrote:
> On 2009-04-25, Tom wrote:
>>>I have a ral(4) acting as a hostap. The problems began since
>>> ugrading from Feb 28th snapshot to April 10th (and higher). I have a
>>> Soekris 5501. I bought 2 different ral(4) PCI cards, one is a RT2661
>>> and the other is a RT2860 (Planex GW-DS3300N). The RT2661 actually
>>> lasts longer than the RT2860. When I have the RT2860 in the box, it
>>> doesn't matter whether I use no encryption, WEP, WPA1 or WPA2. The box
>>> locks up without any kind of drop into ddb. When the RT2661 is in the
>>> machine, it will stay up a day, maybe two tops before it locks solid.
>
>>try a different psu, especially if you have the lower-power of the ones
>>that soekris sell.
>
> Hi,
>
>   I got the higher psu of the ones soekris sell. It's 12V, 3A. That
> should be enough
> for the 2.5" laptop disk plus the PCI card I run, right?

usually, yes, but there have been so many reported strange problems
with soekris boxes that went away after switching PSU, it's a good thing
to check early on.

I'll try moving my alix with RT2860 to -current to see if I can
replicate though..



Re: RadiusClient

2009-04-27 Thread Bruno Galindro da Costa
Can anyone help me with the following problem?


I need to authenticate the users of my network that use pptpd on an
Active Directory base. On Linux (Ubuntu / Debian) it's easy to do, using
pptpd + radiusclient. The pptpd doesn't use ppp(8) for authentication.
It only uses the libraries (radius.so and radattr.so) to communicate with
the radiusclient package. But these libraries come from the ppp(8) package for
Linux (www.samba.org/ppp) that is not supported on OpenBSD.

CLIENT - PPTPD - INTERNET
           |
          AD


2009/4/26 Bruno Galindro da Costa 

> Stuart / Claudio,
>
>   Thanks very much for answering my questions. I have read about ppp(8) on
> OpenBSD and it has Radius support, but I don't know how I can use them
> with pptpd.
>
>   I need to authenticate the users of my network that use pptpd on an
> Active Directory base. On Linux (Ubuntu / Debian) it's easy to do, using
> pptpd + radiusclient. The pptpd doesn't use ppp(8) for authentication.
> It only uses the libraries (radius.so and radattr.so) to communicate with
> the radiusclient package. But these libraries come from the ppp(8) package
> for Linux (www.samba.org/ppp) that is not supported on OpenBSD.
>
> CLIENT - PPTPD - INTERNET
>            |
>           AD
>
> Any suggestions to do the above authentication on OpenBSD?
>
>
> 2009/4/25 Stuart Henderson 
>
> On 2009-04-25, Bruno Galindro da Costa  wrote:
>> >I have downloaded and compiled radiusclient on OpenBSD:
>> > ftp://ftp.freeradius.org/pub/freeradius/freeradius-client-1.1.6.tar.bz2
>>
>> its local-ip-address detection is somewhat broken on OpenBSD, btw.
>> my WIP port sort-of works, but you have to specify the address manually.
>>
>> > But, on OpenBSD, the ppp package is installed by default, and does not have
>> > these following libraries needed for poptop radius authentication:
>>
>> oh, poptop uses an external ppp daemon? if it can use ppp(8) ("user-ppp"),
>> your battle is won, as it already supports radius...
>>
>> > These libraries come in the ppp package for Ubuntu / Debian. Does anyone
>> > know how I can get their source code?
>>
>> www.samba.org/ppp; we are somewhat behind the cutting edge.
>>
>>
>
>
> --
> Att.
> Bruno Galindro da Costa
> bruno.galin...@gmail.com
> Florianópolis - SC
>



--
Att.
Bruno Galindro da Costa
bruno.galin...@gmail.com
Florianópolis - SC



ipsec.conf + RoadWarrior

2009-04-27 Thread Edvard Fagerholm

Hi,

I'm trying to set up the following IPsec scenario.

1. Clients are either OS X or Windows connecting from arbitrary IPs  
and hostnames and sometimes behind NAT connections.


2. OpenBSD 4.4 server.

I have certificates created and signed by our CA with the e-mail  
address used as the UFQDN in the subjectAltName field. Similarly I  
have a certificate for the firewall with its IP address in the  
subjectAltName.


The internal network is the subnet 192.168.0/24 and I would like to  
have addresses in the 192.168.1/24 range assigned to the VPN  
connections. I was wondering how this would be done with ipsec.conf? I  
have previously configured a similar setup using isakmpd.conf, but the  
examples for ipsec.conf only seem to address cases where both ends  
have hostnames or IP addresses that are known. In this case I don't  
have any idea of the client (except the cert).


Anyone know how to do this? I was also wondering if it's somehow
possible to assign IP addresses dynamically in the 192.168.1/24 net
for the clients? Previously I had a hardcoded IP for each client.


Best regards,
Edvard Fagerholm



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Henning Brauer
* Felipe Alfaro Solana  [2009-04-27 11:56]:
> For a two-interface router/firewall, most of the traffic that reaches it
> will probably have to traverse it anyways, so I don't see how a
> two-interface bridge or a two-interface router will have different
> workloads.

it has been pointed out, but if you don't read it the first time there
is no point in repeating...

> But, fortunately, someone on this thread pointed out good technical
> arguments on why bridging in OpenBSD is perhaps not a good idea.

.

> But, to me,
> it doesn't mean that bridging firewalls are a bad idea on other platforms.

That is because, to you, networking and operating system internals are
apparently black magic. It is not an OpenBSD problem.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Felipe Alfaro Solana
On Mon, Apr 27, 2009 at 5:10 AM, Daniel Ouellet  wrote:

> patrick keshishian wrote:
>
>> On Sun, Apr 26, 2009 at 4:10 PM, bofh  wrote:
>>
>>> It's called going off on a related tangent - whenever I hear people
>>> talking about using something because someone has published a paper
>>> and here's all these smart people using it (transparent bridging, etc,
>>> or in my case natting externally accessible/routable hosts), it pisses
>>> me off.
>>>
>>> People use it because they have a need to do something.  When you're
>>> told there's a better way to do things, pay attention, instead of
>>> telling the experts here (and I'm talking about the openbsd developers
>>> in this thread - not me, I'm in management now, no brain cells left)
>>> they're wrong because you have all these great URLs - if you want to
>>> listen to those people, then you should be using the OS they use too.
>>>
>>
>> so you prefer to take someone's word blindly without any backing
>> evidence or facts, so long as you believe they are a credible source?
>>
>
> Well, let's say that if they spent years developing the system, including PF
> and the bridge capability, and the same people tell me that it's bad to
> do so, well, HELL yes I would listen to them. They are better minds than me
> and they have the code to back up what they say as well.
>
> So, to answer that: yes. They are a credible source; they designed it, for
> crying wolf.
>
>  Maybe management is a good place for you, but I'd hate to be a
>> shareholder in a company people like you may have any sort of
>> influential role in steering its goals and/or direction.
>>
>
> Not relevant at all. But even if it was, contrary to the majority of
> managers that only listen to marketing vaporware, or as opposed to digging it
> up themselves, it might be very good to listen to the source of reason,
> not to say the origin of the product, as opposed to marketing people;
> then yes, I would. Most managers wouldn't even understand it anyway, and there
> are exceptions, but by all means not the norm, so your analogy is pointless
> and off topic.
>
>  "Perhaps as one of the older generation, I should preach a
>> little sermon to you, but I do not propose to do so. I shall,
>> instead, give you a word of advice about how to behave
>> toward your elders. When an old and distinguished person
>> speaks to you, listen to him carefully and with respect -- but
>> do not believe him. Never put your trust in anything but your
>> own intellect. Your elder, no matter whether he has gray hair
>> or lost his hair, no matter whether he is a Nobel Laureate,
>> may be wrong... So you must always be skeptical -- always
>> think for yourself."
>>
>
> I am so glad for you that you were born with the knowledge you need already
> and do not need to listen to anyone that might speak from years of
> experience. I envy you, really I do! I can't claim that gift from birth
> itself.
>
> Some might become senile at old age, yes, by the simple fact of getting
> older. Still the natural path of life as we know it. May you be blessed so as
> to never suffer that sad outcome.
>
> But, many are still very sound and a few of them, as opposed to the "young
> padawan" hoping to maybe become a Jedi one day, don't need to prove
> anything to anyone anymore, and actually provide valuable information from
> experience without asking anything in return and without alternate
> motivations other than helping whoever is willing to listen. Many are not
> withholding knowledge in the hope of getting ahead and screwing you over in
> the process to get an edge over you. Yes, it's rare, but there are still many
> people like that. I guess it comes with self-confidence and actual real
> knowledge. I actually welcome their input. But do as you wish, no one is
> stopping you really. (;>
>
> As for why not to do a bridge setup, maybe something as simple as one
> example that comes to mind: your bridge needs to work in promiscuous mode
> and will see, receive and process all kinds of crap that it wouldn't need to
> do otherwise.


For a two-interface router/firewall, most of the traffic that reaches it
will probably have to traverse it anyways, so I don't see how a
two-interface bridge or a two-interface router will have different
workloads.

But, fortunately, someone on this thread pointed out good technical
arguments on why bridging in OpenBSD is perhaps not a good idea. But, to me,
it doesn't mean that bridging firewalls are a bad idea on other platforms.


>
> More resources will be used on the bridge that could be better used
> elsewhere. Should I also add that a misconfiguration of a bridge can stay
> undetected for years, whereas a misconfiguration of a decent firewall
> not in bridge mode would become more obvious sooner in most cases anyway.
> Call that security by default setup if you like. (;>
>
> Don't forget that the simple action of putting a box in bridge mode has the
> effect of passing all traffic across it. You may think 

Re: mount_mfs partition size (sparc64)

2009-04-27 Thread Otto Moerbeek
On Mon, Apr 27, 2009 at 10:30:45AM +0200, Michael wrote:

> Hi,
> 
> when trying to create a mfs file system I can never get it larger than 1
> GB even though I actually got >6 GB of free RAM.
> 
> Depending on how close I get to the 1 GB barrier I see the following
> error messages. The last attempt was successful, but that doesn't mean
> that, even though it was successful now, it will be again... the limit
> seems to be varying.
> 
> # mount_mfs -s 2097000 swap /mnt && umount /mnt
> mount_mfs: mmap: Cannot allocate memory
> 
> # mount_mfs -s 2096900 swap /mnt && umount /mnt
> mount_mfs: calloc failed
> 
> # mount_mfs -s 2096833 swap /mnt && umount /mnt
> mount_mfs: cannot allocate I/O buffer
> 
> # mount_mfs -s 2096832 swap /mnt && umount /mnt
> 
> ... wait some time ...
> 
> # mount_mfs -s 3096832 swap /mnt && umount /mnt
> mount_mfs: mmap: Cannot allocate memory
> 
> 
> The manpage of mfs says the following:
> 
> Note however that for mount_mfs the practical limit is based on datasize
> in login.conf(5), and ultimately depends on the per-arch MAXDSIZ limit.
> 
> Well, the datasize is set to infinity for root (daemon) so it must be
> MAXDSIZ that is set in /usr/src/sys/arch/sparc64/include/vmparam.h and
> described as values in bytes.
> 
> for 64 bit
> #define MAXDSIZ (512L*1024*1024*1024)   /* max data size */
> 
> for 32 bit
> #define MAXDSIZ (1*1024*1024*1024)  /* max data size */
> 
> What does that 512L for 64 bit mean? However, if I read that correctly,
> I should be able to allocate way more than just ~1 GB of memory for each
> MFS partition?
> 
> Is anyone here able to enlighten me? Is ~1 GB the limit or do I miss
> something?

You missed some context. Look at the #if 0 a few lines higher.

-Otto



enc and IPSec question

2009-04-27 Thread Jean-Yves Boisiaud

Hello,

I configured an IPsec tunnel with ipsecctl and ipsec.conf.

The default interface of the gateway is 219.17.10.1.
The other gateway runs Checkpoint.

Here is part of my ipsec.conf:

ike active esp from 192.168.36.0/24 to 10.128.203.0/24 \
peer 161.144.27.32 \
main auth hmac-md5 enc 3des group grp2 \
quick auth hmac-md5 enc 3des group none \
psk x

Last Friday, I ran a ping every 5 seconds, from 192.168.36.254 to
10.128.203.1.


Ping was not replying, but tcpdump on enc0 was ok.

This morning, I looked at the enc0 interface:
# tcpdump -envps 1500 -i enc0 -l
10:35:15.920320 (authentic,confidential): SPI 0xa63e5fd1: 219.10.10.1 > 
161.144.27.32: 219.10.10.1 > 10.128.203.1: icmp: echo request (id:b4e2 
seq:47649) (ttl 63, id 34775, len 84) (ttl 64, id 30353, len 104, bad 
cksum 0!)


Why has the source address of the ping become the Internet address
of the gateway?


Part of my pf.conf:

int_if = "sis0"
ext_if = "sis2"
ext_addr = "219.10.10.1"
maint_net = "192.168.36.0/24"
ipsec_vpn_addr="161.144.27.32"
ipsec_remote_lan_net="10.128.203.0/24"

block in all

# Some other traffic than the IPsec one can reach the internet.
nat on $ext_if from $maint_net to any -> $ext_addr

# Traffic from the internal network to the internet
pass in  on $int_if inet from $maint_net to any keep state

# IPsec traffic from the other VPN gateway
pass in  on $ext_if proto udp from $ipsec_vpn_addr port = isakmp \
to $ext_addr port {isakmp, ipsec-nat-t}

pass in  on $int_if inet from $maint_net to $ipsec_remote_lan_net keep state
pass in  on enc0 from $ipsec_remote_lan_net to $maint_net keep state (if-bound)
pass out on enc0 from $maint_net to $ipsec_remote_lan_net keep state (if-bound)



Thanks for your help.
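The following Python, added here as an illustration and not code from the thread, models pf's first-match translation-rule semantics (pf.conf(5)) on the macro-expanded ruleset above: the `nat ... to any` rule matches the ping to 10.128.203.1, so if pf translates the packet before it is IPsec-encapsulated (an assumption of this example; the thread does not confirm the cause), the inner packet leaves with the gateway address, which is what the enc0 capture shows. The `no nat` exemption in the second ruleset is constructed to demonstrate rule ordering and is not a recommendation from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NatRule:
    """One macro-expanded pf translation rule; translate_to is None for 'no nat'."""
    iface: str
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]      # None stands for 'any'
    translate_to: Optional[ipaddress.IPv4Address]


def parse_nat_rule(line: str) -> NatRule:
    """Parse 'nat on IF from SRC to DST -> ADDR' or 'no nat on IF from SRC to DST'.

    Only the macro-free subset of the pf.conf(5) nat syntax used in the thread
    is handled (assumption of this example: macros are already expanded).
    """
    tok = line.split()
    exempt = tok[0] == "no"
    if exempt:
        tok = tok[1:]
    if (len(tok) < 7 or tok[0] != "nat" or tok[1] != "on"
            or tok[3] != "from" or tok[5] != "to"):
        raise ValueError(f"unsupported rule: {line!r}")
    src = ipaddress.ip_network(tok[4], strict=False)
    dst = None if tok[6] == "any" else ipaddress.ip_network(tok[6], strict=False)
    target = None
    if not exempt:
        if len(tok) != 9 or tok[7] != "->":
            raise ValueError(f"nat rule needs '-> address': {line!r}")
        target = ipaddress.ip_address(tok[8])
    return NatRule(tok[2], src, dst, target)


def first_match(rules: List[NatRule], iface: str, src: str, dst: str) -> Optional[NatRule]:
    """pf.conf(5): the first matching translation rule is applied and the search
    stops, so a matching 'no nat' rule exempts the packet from later 'nat' rules."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface == iface and s in r.src and (r.dst is None or d in r.dst):
            return r
    return None


def outbound_source(rules: List[NatRule], iface: str, src: str, dst: str) -> str:
    """Source address the packet carries once the translation engine is done."""
    r = first_match(rules, iface, src, dst)
    return src if r is None or r.translate_to is None else str(r.translate_to)


# The thread's nat rule with its macros expanded ($ext_if = sis2,
# $maint_net = 192.168.36.0/24, $ext_addr = 219.10.10.1).
THREAD_RULES = [
    parse_nat_rule("nat on sis2 from 192.168.36.0/24 to any -> 219.10.10.1"),
]

# Constructed ruleset (not from the thread): an exemption for the IPsec-bound
# traffic placed *before* the catch-all rule, so the first match is the 'no nat'.
EXEMPT_RULES = [
    parse_nat_rule("no nat on sis2 from 192.168.36.0/24 to 10.128.203.0/24"),
    parse_nat_rule("nat on sis2 from 192.168.36.0/24 to any -> 219.10.10.1"),
]

if __name__ == "__main__":
    ping = ("sis2", "192.168.36.254", "10.128.203.1")   # the ping from the thread
    print("thread ruleset  :", outbound_source(THREAD_RULES, *ping))        # 219.10.10.1
    print("exemption first :", outbound_source(EXEMPT_RULES, *ping))        # 192.168.36.254
    print("exemption last  :", outbound_source(EXEMPT_RULES[::-1], *ping))  # 219.10.10.1
```

Reversing EXEMPT_RULES shows why order matters: once the catch-all `nat` rule comes first, the `no nat` rule is never reached.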



Re: svnd is incredible slow... somebody else notice that?

2009-04-27 Thread Pau
PS: I made a mistake today in the morning (I wrote the e-mail in the
small hours and I was feeling like dead).

I wrote:

"I have an old usb drive encrypted with /dev/arandom (much slower than
zero) which I mount without softdep

I just finished a full backup of 43.98G

It took 1h33min"

That's wrong. It took 2h33min

Still, that's far away from the claimed 10h+ hours for 16G

Cheers,

Pau


2009/4/27 Henning Brauer :
> * sebastian.rot...@jpberlin.de  [2009-04-25 
> 23:48]:
>> I wrote Marco personally, provided all information and asked if he needs
>> further benchmarks or what-so-ever.
>
> did you find the commit between 4.1 and 4.2 or whatever your claim was
> where it got slower?
> I am sure what the answer is. You did no work, as usual, just whining.
>
>> It's like the PF bug you know? You write a developer.. you receive no
>> answer and the patch which gets released does not even fix the affected
>> codebase but adds a "workaround".
>
> I don't reply to your mail because it could lead to another reply from
> you. banging my head against a wall is a more useful use of time and
> energy than talking to you.
>
> and now for the pf bug. as usual, you did nothing. you accidentally
> found some way to crash a box in a specific setup. you did no work at
> all looking where the bug could be or what could trigger it. nothing.
> I ran the command you claimed crashes pf. my box stayed up just fine.
> if I hadn't mentioned it on icb and sthen trying against his box the
> bug hadn't been found until now. You don't understand the bug yet
> obviously. There is no workaround committed, there is the perfect fix
> committed. I could go on explaining to you that it was the NAT code
> misbehaving on an ICMPv6 header in an IPv4 packet, but you wouldn't get
> that anyway.
>
>> I'm gonna do a bonnie++ benchmark again and again I will post my DMESG and
>> again that will solve nothing.
>
> right. because that is useless. you have been told what would be
> useful, but that'd be work.
>
> don't bother replying, I won't read it. and don't mail me personally
> ever again.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
>
>



-- 
Let there be peace on earth. And let it begin with misc



Re: svnd is incredible slow... somebody else notice that?

2009-04-27 Thread Henning Brauer
* Henning Brauer  [2009-04-27 10:33]:
> and now for the pf bug. as usual, you did nothing. you accidentally
> found some way to crash a box in a specific setup. you did no work at
> all looking where the bug could be or what could trigger it. nothing.
> I ran the command you claimed crashes pf. my box stayed up just fine.
> if I hadn't mentioned it on icb and sthen trying against his box the
> bug hadn't been found until now. You don't understand the bug yet
> obviously. There is no workaround committed, there is the perfect fix
> committed. I could go on explaining to you that it was the NAT code
> misbehaving on an ICMPv6 header in an IPv4 packet, but you wouldn't get
> that anyway.

I forgot credit where credit is due.
it was jsing@ who did the work you should have done, finding out what
actually causes the crash. a null pointer deref in case of an ICMPv6
header in an IPv4 packet.
it was jsing@ who went further and found the spot in the code
misbehaving in that case. And it was him who fixed it. With a little
input from me, but he did all the work. The work you should have done,
at least partially. You did nothing but whining, as usual.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Someone has running Ekiga?

2009-04-27 Thread Tomáš Bodžár
I made it, but it doesn't help. That's why I'm asking.

On 27 April 2009 10:29, Antoine Jacoutot wrote:
> On Mon, 27 Apr 2009, Tomáš Bodžár wrote:
>
>> Hi all,
>>
>> I installed ekiga through ports (pkg_add wasn't successful) and I'm
>> maybe missing some info.
>>
>> $ pkg_info -M gnome-keyring
>> Information for inst:gnome-keyring-2.24.1p3
>
> ???
> You should use
> $ pkg_info -M ekiga
>
> And surprise, you'll have everything needed to make this work. By the
> way, this is an ekiga FAQ on their website.
>
> --
> Antoine
>



--
http://www.openbsd.org/lyrics.html



mount_mfs partition size (sparc64)

2009-04-27 Thread Michael
Hi,

when trying to create a mfs file system I can never get it larger than 1
GB even though I actually got >6 GB of free RAM.

Depending on how close I get to the 1 GB barrier I see the following
error messages. The last attempt was successful, but that doesn't mean
that, even though it was successful now, it will be again... the limit
seems to be varying.

# mount_mfs -s 2097000 swap /mnt && umount /mnt
mount_mfs: mmap: Cannot allocate memory

# mount_mfs -s 2096900 swap /mnt && umount /mnt
mount_mfs: calloc failed

# mount_mfs -s 2096833 swap /mnt && umount /mnt
mount_mfs: cannot allocate I/O buffer

# mount_mfs -s 2096832 swap /mnt && umount /mnt

... wait some time ...

# mount_mfs -s 3096832 swap /mnt && umount /mnt
mount_mfs: mmap: Cannot allocate memory


The manpage of mfs says the following:

Note however that for mount_mfs the practical limit is based on datasize
in login.conf(5), and ultimately depends on the per-arch MAXDSIZ limit.

Well, the datasize is set to infinity for root (daemon) so it must be
MAXDSIZ that is set in /usr/src/sys/arch/sparc64/include/vmparam.h and
described as values in bytes.

for 64 bit
#define MAXDSIZ (512L*1024*1024*1024)   /* max data size */

for 32 bit
#define MAXDSIZ (1*1024*1024*1024)  /* max data size */

What does that 512L for 64 bit mean? However, if I read that correctly,
I should be able to allocate way more than just ~1 GB of memory for each
MFS partition?

Is anyone here able to enlighten me? Is ~1 GB the limit or do I miss
something?

Thanks in advance,

Michael


OpenBSD 4.4-current (GENERIC.MP) #585: Fri Jan  9 11:36:04 MST 2009
t...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC.MP

Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Janne Johansson

Felipe Alfaro Solana wrote:

On Mon, Apr 27, 2009 at 1:10 AM, bofh  wrote:

People use it because they have a need to do something.  When you're
told there's a better way to do things, pay attention,


Still no arguments on why idiots use transparent firewalls. Good to know.


Just read up on.. for instance OpenVPN maillists. People get stuck, they
figure they must go to layer-2 solutions because they can't be arsed to
figure out how this weird routing thing works, and they switch to
bridging since "now I can see the WINS server on the other end!" and
they figure everything is nice and good, whereas they now send every
broadcast over everyone's VPNs. And lots more.


Same thing with Layer-2 firewalls. People see how it must be good, since
now I don't have to figure out this routing thing, nor design my network,
so it must be a good thing to run L2 fws. Then they start using it, and
sooner or later they want to add something to the FW, like VPN endpoints,
proxies, relays, remote-manageability or whatever, and then this ip-less
bridge FW isn't so smart after all, but since you have wedged yourself
into the L2 solution, redesigning is still off the map, so adding even
more nonstandard shit to the L2 and cursing how sucky PF is or how weird
OBSD is becomes the only way out for the admin without a clue.


Have we seen this before? Sure. Been there, tried that.

Now, you can do all the 15 steps required to paint yourself and your 
network in a corner, OR, you can listen to advice.


I don't even claim to be one of those gurus, I just know that the advice
is sound. I did bridging FWs when OBSD had IPF and it was stupid then. 
It hasn't become less stupid since, for most setups.


Yes, there are corner cases, but mine wasn't at the time. Chances are
most people's cases aren't either.




Re: Someone has running Ekiga?

2009-04-27 Thread Antoine Jacoutot
On Mon, 27 Apr 2009, Tomáš Bodžár wrote:

> Hi all,
> 
> I installed ekiga through ports (pkg_add wasn't successful) and I'm
> maybe missing some info.
> 
> $ pkg_info -M gnome-keyring
> Information for inst:gnome-keyring-2.24.1p3

???
You should use
$ pkg_info -M ekiga 

And surprise, you'll have everything needed to make this work. By the 
way, this is an ekiga FAQ on their website.

-- 
Antoine



Re: svnd is incredible slow... somebody else notice that?

2009-04-27 Thread Henning Brauer
* sebastian.rot...@jpberlin.de  [2009-04-25 
23:48]:
> I wrote Marco personally, provided all information and asked if he needs
> further benchmarks or what-so-ever.

did you find the commit between 4.1 and 4.2 or whatever your claim was
where it got slower?
I am sure what the answer is. You did no work, as usual, just whining.

> It's like the PF bug you know? You write a developer.. you receive no
> answer and the patch which gets released does not even fix the affected
> codebase but adds a "workaround".

I don't reply to your mail because it could lead to another reply from
you. banging my head against a wall is a more useful use of time and
energy than talking to you.

and now for the pf bug. as usual, you did nothing. you accidentally
found some way to crash a box in a specific setup. you did no work at
all looking where the bug could be or what could trigger it. nothing.
I ran the command you claimed crashes pf. my box stayed up just fine.
if I hadn't mentioned it on icb and sthen trying against his box the
bug hadn't been found until now. You don't understand the bug yet
obviously. There is no workaround committed, there is the perfect fix
committed. I could go on explaining to you that it was the NAT code
misbehaving on an ICMPv6 header in an IPv4 packet, but you wouldn't get
that anyway.

> I'm gonna do a bonnie++ benchmark again and again I will post my DMESG and
> again that will solve nothing.

right. because that is useless. you have been told what would be
useful, but that'd be work.

don't bother replying, I won't read it. and don't mail me personally
ever again.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Henning Brauer
* Henning Brauer  [2009-04-27 10:00]:
> "transparent" firewalls are beyond stupid.

and, btw, I love that idiotic term.
what is a transparent firewall?
is it transparent? then it cannot be a firewall.
is it a firewall? then it cannot be transparent.

how is dropping packets (or even sending sth back) transparent?
how is not doing so firewalling?

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Henning Brauer
* FRLinux  [2009-04-27 09:05]:
> On Mon, Apr 27, 2009 at 4:10 AM, Daniel Ouellet  wrote:
> > The bright people that did the code said it wasn't good to do so. The normal
> > operations of such a setup need more resources from the same box to do the
> > same things, showing in practice that it's not the most efficient way to do
> > so, with hard numbers to prove it. Just look at top for the same box, doing
> > the same thing, one in bridge mode and one in routing mode. Look at your
> > interrupt level, the interrupt processing, the traffic it needs to process,
> > the useless additional data that it needs to also process from the promiscuous
> > mode alone and the additional easy way to have a misconfigured box that
> > will pass the traffic because of the bridge mode enabled where you might
> > think it's running as it should. If all that and more that I haven't put
> > here doesn't convince you, then please by all means do so and run bridge mode
> > on your firewall.
> 
> Very good explanation, thanks for that.

and he didn't even start on debuggability.
or the lack of a queue in the bridge codepath. and, related, the
lack of overload mitigation (ok, some drivers do something there now;
but it is only part of the game. we can do much more in routing mode,
and if it is only for freakin' ipintrq's existence)
or the fact that most bridge processing is at splnet and blocks too
much.
i could go on for hours, but I'll do something more useful with my
time.

love livelocks? undebuggable setups? go run bridges. make sure to have
a glass of methanol with it for the full experience.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Someone has running Ekiga?

2009-04-27 Thread Tomáš Bodžár
Hi all,

I installed ekiga through ports (pkg_add wasn't successful) and I'm
maybe missing some info.

$ pkg_info -M gnome-keyring
Information for inst:gnome-keyring-2.24.1p3

Install notice:
The gnome-keyring SSH agent is disabled by default. If needed, there are
two ways to enable it.

System-wide:
  sudo gconftool-2 --direct --config-source=`gconftool-2 --get-default-source` \
--type bool --set /apps/gnome-keyring/daemon-components/ssh true

Per user:
  gconftool-2 --set --type bool /apps/gnome-keyring/daemon-components/ssh true


$

I don't have an /apps directory on the system. This directory is only in my
home folder under ~/.gconf and
I can't set a path with '.' after '/'.

Ekiga is not able to start then.

Gconf key error

Ekiga got an invalid value for the GConf key
"/apps/ekiga/general/gconf_test_age".

It probably means that your GConf schemas have not been correctly
installed or the that permissions are not correct.

Please check the FAQ (http://www.ekiga.org/), the troubleshooting
section of the GConf site (http://www.gnome.org/projects/gconf/) or
the mailing list archives for more information (http://mail.gnome.org)
about this problem.

I'm googling but still no point :-(

-- 
http://www.openbsd.org/lyrics.html



Re: svnd is incredible slow... somebody else notice that?

2009-04-27 Thread Henning Brauer
* sebastian.rot...@jpberlin.de  [2009-04-26 
15:28]:
> You could test the svnd on your own BTW because I doubt it's HW related...

.oO how come you don't receive replies from developers? I have no idea.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread Henning Brauer
* Felipe Alfaro Solana  [2009-04-26 20:37]:
> On Sat, Apr 25, 2009 at 3:57 PM, Henning Brauer wrote:
> 
> > * openbsder  [2009-04-24 12:19]:
> > > Recently, it has been suggested that a transparent firewall
> > implementation
> > > is ideal where possible. But as far as I understand, transparency is only
> > > available when the firewall acts as a bridge between TWO networks. How
> > would
> > > I keep my DMZ and LAN both while using a bridging firewall. Is it even
> > > possible?
> >
> > yes. lots of idiots do it.
> 
> 
> Really? What's wrong with transparent bridging? What's wrong with a
> transparent, in-line IDS? What's wrong with a software tap? All of these
> technologies use some sort of transparent bridging and are not being used
> exclusively by idiots, but also smart people [1] [2]

you call them smart, I say they are idiots.

bridging just makes your life harder.

> > bridging is stupid. don't. there are cases where you can't avoid it,
> > but deliberately? about as clever as knowingly drinking methanol.
> Bridging, in the ample sense, is not stupid. Your switch is doing that.
> Bridging, in the sense of firewalls, is also not stupid. There are reasons
> why you want to use a transparent bridging-mode firewall.

we are not talking about switches.
"transparent" firewalls are beyond stupid.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Cannot load Zend/IonCube "File not an ELF object"

2009-04-27 Thread Richard Toohey

On 27/04/2009, at 11:22 AM, unix3 wrote:

Hi, I tried installing separately Zend Optimizer, or IonCube ...
but the error that I get is


Failed loading /var/www/usr/lib/php/ZendExtensionManager.so:  File  
not an ELF object
Failed loading /var/www/usr/lib/php/ZendOptimizer.so:  File not an  
ELF object


The error is the same for IonCube just that the path changes  
obviously.


Please note I am running inside the chroot. I am running on an amd64
GENERIC kernel.


Could it be because I am using amd64 (4.4) instead of the i386?


Thanks.


So, where did you get the files from?  What URL?

http://marc.info/?l=openbsd-misc&m=119790234006529&w=2
(different problem, but same sort of question.)

Thanks.



Re: Transparent firewall (bridge) with DMZ + LAN

2009-04-27 Thread FRLinux
On Mon, Apr 27, 2009 at 4:10 AM, Daniel Ouellet  wrote:
> The bright people that did the code said it wasn't good to do so. The normal
> operations of such a setup need more resources from the same box to do the
> same things, showing in practice that it's not the most efficient way to do
> so, with hard numbers to prove it. Just look at top for the same box, doing
> the same thing, one in bridge mode and one in routing mode. Look at your
> interrupt level, the interrupt processing, the traffic it needs to process,
> the useless additional data that it needs to also process from the promiscuous
> mode alone and the additional easy way to have a misconfigured box that
> will pass the traffic because of the bridge mode enabled where you might
> think it's running as it should. If all that and more that I haven't put
> here doesn't convince you, then please by all means do so and run bridge mode
> on your firewall.

Very good explanation, thanks for that.
Steph