Boot hang on 4.7/sparc64

[Nathan Sandver]

I've been trying to set up a sparc64 machine this evening with two
drives: a 512MB CF card on an IDE adapter, and a 4GB IDE drive. The
boot disk is the CF card at wd0. I decided to put a small swap
partition on the 4GB drive, which is wd1. FAQ 14.5.2 said 'If you do
not wish to use swap on the boot disk, do not define a b partition.'
so I didn't:
-
# disklabel wd0
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: LEXAR ATA FLASH
flags: vendor
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 994
total sectors: 1001952
rpm: 3600
interleave: 1
boundstart: 0
boundend: 1001952
drivedata: 0

16 partitions:
#size   offset  fstype [fsize bsize  cpg]
  a:  10019520  4.2BSD   2048 163841
  c:  10019520  unused

# disklabel wd1
# /dev/rwd1c:
type: ESDI
disk: ESDI/IDE disk
label: ST34313A
flags: vendor
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 15
sectors/cylinder: 945
cylinders: 8912
total sectors: 8421840
rpm: 3600
interleave: 1
boundstart: 0
boundend: 8421840
drivedata: 0

16 partitions:
#size   offset  fstype [fsize bsize  cpg]
  a:  78983100  4.2BSD   2048 163841
  b:   523530  7898310swap
  c:  84218400  unused

-

The swap partition I created at wd1b is correctly listed in /etc/fstab:
# cat /mnt/etc/fstab
/dev/wd1b none swap sw 0 0
/dev/wd0a / ffs rw 1 1
/dev/wd1a /usr ffs rw,nodev 1 2


But when I reboot the machine, the system hangs and the last line
printed in the output says the system is trying to use wd0b for swap.
Am I missing something, or have I stumbled onto a bug?

dmesg from the boot hang:
--
Rebooting with command: boot
Boot device: disk  File and args:
OpenBSD IEEE 1275 Bootblock 1.3
.. OpenBSD BOOT 1.3
Trying bsd...
Booting /p...@1f,0/p...@1,1/i...@3/d...@0,0:a/bsd
6372...@0x100+616@0x1613d98+190...@0x180+4004176@0x182e6b0
symbols @ 0xfef642c0 81+390912+244649 start=0x100
[ using 636360 bytes of bsd ELF symbol table ]
console is /p...@1f,0/p...@1,1/e...@1/s...@14,40:b
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2010 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.7 (GENERIC) #258: Wed Mar 17 23:40:34 MDT 2010
dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
real mem = 134217728 (128MB)
avail mem = 115802112 (110MB)
mainbus0 at root: Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 360MHz)
cpu0 at mainbus0: SUNW,UltraSPARC-IIi (rev 9.1) @ 360 MHz
cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K
external (64 b/l)
psycho0 at mainbus0 addr 0xfffc4000: SUNW,sabre, impl 0, version 0, ign 7c0
psycho0: bus range 0-2, PCI bus 0
psycho0: dvma map c000-dfff
pci0 at psycho0
ppb0 at pci0 dev 1 function 1 Sun Simba PCI-PCI rev 0x13
pci1 at ppb0 bus 1
ebus0 at pci1 dev 1 function 0 Sun PCIO EBus2 rev 0x01
auxio0 at ebus0 addr 726000-726003, 728000-728003, 72a000-72a003,
72c000-72c003, 72f000-72f003
power0 at ebus0 addr 724000-724003 ivec 0x25
SUNW,pll at ebus0 addr 504000-504002 not configured
sab0 at ebus0 addr 40-40007f ivec 0x2b: rev 3.2
sabtty0 at sab0 port 0
sabtty1 at sab0 port 1: console
comkbd0 at ebus0 addr 3083f8-3083ff ivec 0x29: no keyboard
comms0 at ebus0 addr 3062f8-3062ff ivec 0x2a
wsmouse0 at comms0 mux 0
lpt0 at ebus0 addr 3043bc-3043cb, 30015c-30015d, 70-7f ivec 0x22: polled
clock1 at ebus0 addr 0-1fff: mk48t59
flashprom at ebus0 addr 0-f not configured
audioce0 at ebus0 addr 20-2000ff, 702000-70200f, 704000-70400f,
722000-722003 ivec 0x23 ivec 0x24: nvaddrs 0
audio0 at audioce0
hme0 at pci1 dev 1 function 1 Sun HME rev 0x01: ivec 0x7e1, address
08:00:20:d1:7e:f8
nsphy0 at hme0 phy 1: DP83840 10/100 PHY, rev. 1
machfb0 at pci1 dev 2 function 0 ATI Mach64 rev 0x5c
machfb0: ATY,GT-C, 1152x900
wsdisplay0 at machfb0 mux 1
wsdisplay0: screen 0 added (std, sun emulation)
pciide0 at pci1 dev 3 function 0 CMD Technology PCI0646 rev 0x03:
DMA, channel 0 configured to native-PCI, channel 1 configured to
native-PCI
pciide0: using ivec 0x7e0 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: LEXAR ATA FLASH
wd0: 4-sector PIO, LBA, 489MB, 1001952 sectors
wd1 at pciide0 channel 0 drive 1: ST34313A
wd1: 32-sector PIO, LBA, 4112MB, 8421840 sectors
wd0(pciide0:0:0): using PIO mode 4
wd1(pciide0:0:1): using PIO mode 4, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LG, CD-ROM CRD-8322B, 1.05 ATAPI
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
ppb1 at pci0 dev 1 function 0 Sun Simba PCI-PCI rev 0x13
pci2 at ppb1 bus 2
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
bootpath: /p...@1f,0/p...@1,1/i...@3,0/d...@0,0
root on wd0a swap on wd0b dump on wd0b
-

Re: Thinkpad SL510 woes

[Tomas Vavrys]

Small update. Theo has suggested to try i386 without apm support.

@@ -1,4 +1,4 @@
-OpenBSD 4.7-current (RAMDISK_CD) #6: Thu Jul 22 20:21:46 EDT 2010
+OpenBSD 4.8-beta (RAMDISK_CD) #1: Thu Jul 27 20:29:08 EDT 2010
 r...@acer.westerback.sa:/usr/src/sys/arch/i386/compile/RAMDISK_CD
 cpu0: Intel(R) Core(TM)2 Duo CPU T6570 @ 2.10GHz (GenuineIntel
686-class) 2.10 Ghz
 cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE
@@ -14,18 +14,17 @@
 pcibios0 at bios0: rev 3.0 @ 0xfdbf0/0x410
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdeb0/304 (17 entries)
 pcibios0: bad IRQ table checksum
-uvm_fault(0xd07e834c, 0x0, 0, 1) - e
+uvm_fault(0xd07e6210, 0xe000, 0, 1) - e
 kernel: page fault trap, code=0
-Stopped at 0xfde5d: uvm_fault(0xd07e834c, 0xfd000, 0, 1) - e
+Stopped at 0xfde5d: uvm_fault(0xd07e6210, 0xfd000, 0, 1) - e
 kernel: page fault trap, code=0
 Stopped at db_read_bytes+0xf: movb 0x(%ebx),%al
-db_read_bytes(fde5d,1,d0900a8c,d02df9f4,2) at db_read_bytes+0xf
-db_get_value(fde5d, 1, 0, d0900b1b, 78) at db_get_value+0x18
-db_disasm(fde5d, 0, d030404f, 0) at db_disasm+0x16
-db_print_loc_and_inst(fde5d, d0900b60, d0900b60, d048fcc3, d048fcc3)
-at db_print_loc_and_inst+0x2d
-db_trap(6, 0, 58, f0, d0900b94) at db_trap+0xaf
-kdb_trap(6, 0, d0900bf4, d07e8444) at kdb_trap+0xae
+db_read_bytes(fde5d,1,d08fea9c,d02df9fc,2) at db_read_bytes+0xf
+db_get_value(fde5d, 1, 0, d08feb2b, 78) at db_get_value+0x18
+db_disasm(fde5d, 0, d030406f, 0) at db_disasm+0x16
+db_print_loc_and_inst(fde5d, d08feb70, d048fa57, d048fa57) at
db_print_loc_and_inst+0x2d
+db_trap(6, 0, 58, f0, d08feba4) at db_trap+0xaf
+kdb_trap(6, 0, d08fec04, d07e6308) at kdb_trap+0xae
 trap() at trap+0x178
 --- trap (number 14) ---
 0:

Re: Boot hang on 4.7/sparc64

[Fred Crowson]

On 28 July 2010 06:57, Nathan Sandver nsand...@gmail.com wrote:

 The swap partition I created at wd1b is correctly listed in /etc/fstab:
 # cat /mnt/etc/fstab
 /dev/wd1b none swap sw 0 0
 /dev/wd0a / ffs rw 1 1
 /dev/wd1a /usr ffs rw,nodev 1 2


What happens when you remove the wd1b line from fstab?

OpenBSD Training

[openbsd]

Hi,

I have th following aim : Master OpenBSD, pass BSDP(OpenBSD)exam when this
one will be available.
I have good knowledege on TCP/IP;PF use
Is there a good training center in French or English language?
(I will be ready to buy a plane ticket.)
With these covered topics :
INSTALLATION
UNIX BASIC COMMAND LINE
NETWORK CONFIGURATION
ADMINISTRATION(Web Hosting, Mailserver, Proxy Cache, DNS, LDAP,SSH)
VPN(Site to Site, Nomade use (Home with mac/PC))
BACKUP AND RESTORE
HARDENNING THE BOX
VIRTUALISATION with QEMU
PF with CARP

Thank's

Re: zyd fails to associate with a network

[Dmitrij D. Czarkoff]

Maybe anyone knows how can I get any debugging information about my device?
I could try to solve it on my own if I understood where the error is...

Dmitrij D. Czarkoff czark...@gmail.com wrote:

 Hello!

 I'm trying to connect a wireless network on my ASUS R2Hv. Both the built-in
 and usb dongle wireless adapters are zyd-based:

 Asus WL-159g (built-in):
  $ usbdevs -vdf /dev/usb0 -a 3
  Controller /dev/usb0:
  addr 3: high speed, power 500 mA, config 1, USB2.0 WLAN(0x171b), 
 ASUS(0x0b05),
  rev 48.02
zyd0

 3COM 3CRUSB10075 (usb dongle):
  $ usbdevs -vdf /dev/usb0 -a 7 
  Controller /dev/usb0:
  addr 7: high speed, power 500 mA, config 1, USB2.0 WLAN(0x1215),
  ZyDAS(0x0ace), rev 48.10
zyd1

 zyd(4) mensions both as supported. They both attach as zyd0 and zyd1
 respectively. Scanning on them succeeds with my network being found, but
 connecting to it gives troubles:

 $ sudo ifconfig zyd0 scan  
 zyd0: flags=8802BROADCAST,SIMPLEX,MULTICAST mtu 1500
 lladdr 00:1d:60:62:59:ef
 priority: 4
 groups: wlan
 media: IEEE802.11 autoselect (DS1 mode 11g)
 status: no network
 ieee80211: nwid  100dBm
 nwid bedova chan 11 bssid 00:23:54:71:50:71 26dB 54M
 short_preamble,short_slottime 
 $ sudo ifconfig zyd0 nwid bedova 
 $ sudo ifconfig zyd0 
 zyd0: flags=8802BROADCAST,SIMPLEX,MULTICAST mtu 1500
 lladdr 00:1d:60:62:59:ef
 priority: 4
 groups: wlan
 media: IEEE802.11 autoselect (DS1 mode 11g)
 status: no network
 ieee80211: nwid bedova 100dBm
 inet6 fe80::21d:60ff:fe62:59ef%zyd0 prefixlen 64 scopeid 0x4
 $ sudo dhclient zyd0
 zyd0: no link . sleeping

 What can I do to further investigate the problem?

Re: X default screen resolution on sparc64

[Pete Vickers]

On 27. juli 2010, at 15.09, Pete Vickers wrote:

 Hi,

 From dmesg, the graphics card in my Sun blade100 is:

 machfb0 at pci0 dev 19 function 0 ATI Rage XL rev 0x27
 machfb0: ATY,RageXL, 1280x1024

 which is connected via DVI cable to a Sun monitor #365-1429. This monitor
 supports 1280x1...@60hz. However starting X without a config file only run
it
 at 800x600. These line appears relevant in the Xorg log file:


 (II) MACH64(0): default monitor: Using default hsync range of 31.50-37.90
 kHz
 (II) MACH64(0): default monitor: Using default vrefresh range of
50.00-70.00
 Hz
 ...
 (II) MACH64(0): Not using default mode 1280x1024 (hsync out of range)


 I thought that one of the big advantages of DVI was that the card could
query
 the monitor to discover the supported modes automatically ? Is there any
 commands I can use to enable such probing ? or do I can to create an entire
 cfg file to manually enable a higher resolution ? Is there any way to
 automatically generate a basic config file to subsequently edit ?



To answer my own question for the sake of the archive, you can ofcourse just
write a partial /etc/X11/xorg.conf, and let the defaults provide the rest.
This was all that was necessary for me:


Section Device
 Identifier  ATI Rage XL
 Driver  ati
 BusID   PCI:0:19:0
 Option  composite_sync True
 Option  reference_clock 29.5MHz
EndSection

Section Monitor
 Identifier Sun L9ZF
 # 31.5 kHz to 81.1 kHz Horizantal
 # 56.0 Hz to 76.0 Hz Vertical
 HorizSync 32-81
 VertRefresh 56-76
EndSection

Section Screen
 Identifier Default Screen
 Device ATI Rage XL
 Monitor Sun L9ZF
 DefaultDepth 16
  SubSection Display
  Depth 16
  Modes 1280x1024
  EndSubSection
EndSection
===

Re: OpenBSD Training

[Chris Bennett]

On 07/28/10 04:44, open...@e-solutions.re wrote:

Hi,

I have th following aim : Master OpenBSD, pass BSDP(OpenBSD)exam when this
one will be available.
I have good knowledege on TCP/IP;PF use
Is there a good training center in French or English language?
(I will be ready to buy a plane ticket.)
With these covered topics :
INSTALLATION
UNIX BASIC COMMAND LINE
NETWORK CONFIGURATION
ADMINISTRATION(Web Hosting, Mailserver, Proxy Cache, DNS, LDAP,SSH)
VPN(Site to Site, Nomade use (Home with mac/PC))
BACKUP AND RESTORE
HARDENNING THE BOX



Concrete with re-bar works well for hardening the box.
As far as the software, OpenBSD comes pre-hardened.
Nothing really needs to be changed for security.
Use good passwords and long passwords is about all you have to do.


VIRTUALISATION with QEMU
PF with CARP

Thank's




My advice is to setup a server with some websites (doesn't matter if the 
are real or bogus) and learn to deal with the problems that pop-up. Be 
sure to get an ISP with remote IP-KVM so you can fix any mistakes that 
lock you out.


Throw on a mail server, make some different types of connections with 
your home box, etc.


Training is good to get, but getting down in the trenches seems to be 
essential.



I learned to use OpenBSD by setting up a server for my websites, then I 
added to my home computers.

Re: PF synproxy - never worked?

[Tom Murphy]

Synproxy only appears to work on the interface with the default gateway
(egress). I could never make it work on a firewall with more than 1
external interface properly.

I don't know if this is a bug or by design.

Tom

Re: OpenBSD Training

[Robert]

On Wed, 28 Jul 2010 05:50:19 -0600
Chris Bennett ch...@bennettconstruction.biz wrote:
 My advice is to setup a server with some websites (doesn't matter if the 
 are real or bogus) and learn to deal with the problems that pop-up. Be 
 sure to get an ISP with remote IP-KVM so you can fix any mistakes that 
 lock you out.

I think it's too risky for a newcomer to go straight for a real server.

Get a dual/quad core machine with 8GB (used ones are pretty cheap) and
install the free (no licence cost) vmWare ESXi server. Use this to
host a whole network (dns, file server, email, etc.). Put another low
cost machine with 2 NICs in front of it; this will be your firewall.
Now you can simulate locally the daily business, e.g. remote
administration, remote upgrades, road warrior setups etc.
But you don't have the risk that someone roots your box because you
made a mistake. Instead you can (should!) try out to attack it ;)

When you're very confident in working with your network, yes, then you
need to go out on The Hostile Internet to learn more.

regards,
Robert

Bandwidth Queue'ing

[Liam]

Hi,

I'm trying to get my head round Queue'ing / Atlq and have read 
(http://www.openbsd.org/faq/pf/queueing.html).

We are getting a Gigabit connection to the local internet peering exchange, and 
I would like to offer other tenants in our building internet access to help 
offset our costs.

What I plan to do is offer 4 users the following, 2Mb International with burst 
to 10Mb, 5Mb National with burst to 20Mb, and 25Mb Local IX burst to 100Mb.

Can I do this with the following rules, (assuming similar rules for inbound 
traffic (outbound on the internal NIC))?

altq on ext0 cbq bandwidth 1Gb queue { intl_ext, nat_ext, ix_ext }

queue intl_ext bandwidth 10Mb { intl_ext_pool1 }
queue int_ext_pool1 10Mb { intl_ext_pool1_usr1, intl_ext_pool1_usr2, 
intl_ext_pool1_usr3, intl_ext_pool1_usr4 }
intl_ext_pool1_usr1 2Mb cbq(borrow)
intl_ext_pool1_usr2 2Mb cbq(borrow)
intl_ext_pool1_usr3 2Mb cbq(borrow)
intl_ext_pool1_usr4 2Mb cbq(borrow)

queue nat_ext bandwidth 20Mb { nat_ext_pool1 }
queue nat_ext_pool1 20Mb { nat_ext_pool1_usr1, nat_ext_pool1_usr2, 
nat_ext_pool1_usr3, nat_ext_pool1_usr4 }
nat_ext_pool1_usr1 5Mb cbq(borrow)
nat_ext_pool1_usr2 5Mb cbq(borrow)
nat_ext_pool1_usr3 5Mb cbq(borrow)
nat_ext_pool1_usr4 5Mb cbq(borrow)

que ix_ext 100Mb { ix_ext_pool1 }
ix_ext_pool1 100Mb { ix_ext_pool1_usr1, ix_ext_pool1_usr2, 
ix_ext_pool1_usr3, ix_ext_pool1_usr4 }
ix_ext_pool1_usr1 25Mb cbq(borrow)
ix_ext_pool1_usr2 25Mb cbq(borrow)
ix_ext_pool1_usr3 25Mb cbq(borrow)
ix_ext_pool1_usr4 25Mb cbq(borrow)

Assuming the queue's are matched by using some BGP route magic (to determine if 
connection is Local IX, National, or International), and the user's local 
subnet, (assuming a /29 for each local user).

Does this make sense? Am I approaching things the right way? Is there any 
particular material I should be reading up on?



Cheers

Liam

Re: X default screen resolution on sparc64

[Christian Weisgerber]

Pete Vickers p...@systemnet.no wrote:

 From dmesg, the graphics card in my Sun blade100 is:
 
 machfb0 at pci0 dev 19 function 0 ATI Rage XL rev 0x27
 machfb0: ATY,RageXL, 1280x1024
 
 which is connected via DVI cable to a Sun monitor #365-1429.

DVI?  On a Blade 100?

 I thought that one of the big advantages of DVI was that the card could query
 the monitor to discover the supported modes automatically ?

DDC was already available on VGA connectors.

-- 
Christian naddy Weisgerber  na...@mips.inka.de

Re: OpenBSD Training

[Chris Bennett]

On 07/28/10 07:49, Robert wrote:

On Wed, 28 Jul 2010 05:50:19 -0600
Chris Bennettch...@bennettconstruction.biz  wrote:

My advice is to setup a server with some websites (doesn't matter if the
are real or bogus) and learn to deal with the problems that pop-up. Be
sure to get an ISP with remote IP-KVM so you can fix any mistakes that
lock you out.


I think it's too risky for a newcomer to go straight for a real server.

Get a dual/quad core machine with 8GB (used ones are pretty cheap) and
install the free (no licence cost) vmWare ESXi server. Use this to
host a whole network (dns, file server, email, etc.). Put another low
cost machine with 2 NICs in front of it; this will be your firewall.
Now you can simulate locally the daily business, e.g. remote
administration, remote upgrades, road warrior setups etc.
But you don't have the risk that someone roots your box because you
made a mistake. Instead you can (should!) try out to attack it ;)

When you're very confident in working with your network, yes, then you
need to go out on The Hostile Internet to learn more.

regards,
Robert




You're probably right about that. I am just cursed/blessed with one of 
those high-risk loving personalities.


Its more fun to live that way! :)

There are a great many good tricks you can do with your own stuff, which 
are good teachers. And you can get Google and some other search engines 
to index a site without a domain name if you set up a sitemap.xml and 
ping it to them.

UTF-8 (was: Re: CVS: cvs.openbsd.org: src)

[Christian Weisgerber]

Stefan Sperling s...@cvs.openbsd.org wrote:

 Log message:

 Install the en_US.UTF-8 ctype locale support file, and allow the UTF-8
 ctype locale to be enabled via setlocale(3) (export LC_CTYPE='en_US.UTF-8').
 
 A lot of programs, especially from ports, will now start using UTF-8 if the
 UTF-8 locale is enabled. Use at your own risk, and please report any breakage.
 Note that ncurses-based programs cannot display UTF-8 right now, this is being
 worked on.

Some stuff that works:

== xterm ==

If you start xterm with LC_CTYPE=en_US.UTF-8 set, it will come up
in UTF-8 mode.  Apart from displaying UTF-8 encoded text, it will
also allow you to enter such text.  Keysyms are translated, e.g.
if you use a German, Swedish, etc. keymap with adiaeresis, that
key will produce the byte sequence 0xC4 0xA4 in xterm.

If you have a compose key (Multi_key in X11 terms), you can enter
_a lot_ of characters with compose sequences.  For instance, you
can use
$ setxkbmap -option compose:ralt
to configure the right Alt key as compose.

Compose sequences work by pressing (and releasing) the compose key
and then two or three other keys that get combined into a single
character, e.g.:
  'e  e with acute (French etc.)
  cr  r with caron (Czech)
  /l  l with stroke (Polish)
Some combinations are fairly intuitive, some are not.  The complete
list of supported sequences is here:
/usr/X11R6/share/X11/locale/en_US.UTF-8/Compose

If you have been using a compose key for ISO 8859-X input all along,
note that the UTF-8 sequences can be different, and in particular
the order is important, e.g. it is always 'e now and e'
is not accepted.

== GTK2 ==

The default GTK2 input method provides its own compose key processing,
which already worked without UTF-8 locale.  However, GTK2's compose
sequences diverge from the X11 ones, and if you find that as confusing
as I do, you can disable GTK2's own compose handling and use the
X11 one by setting GTK_IM_MODULE=xim in the environment.  That
didn't work before, but now does.

-- 
Christian naddy Weisgerber  na...@mips.inka.de

Re: OpenBSD Training

[Michal]

On 28/07/10 14:49, Robert wrote:

On Wed, 28 Jul 2010 05:50:19 -0600
Chris Bennettch...@bennettconstruction.biz  wrote:
   

My advice is to setup a server with some websites (doesn't matter if the
are real or bogus) and learn to deal with the problems that pop-up. Be
sure to get an ISP with remote IP-KVM so you can fix any mistakes that
lock you out.
 

I think it's too risky for a newcomer to go straight for a real server.

Get a dual/quad core machine with 8GB (used ones are pretty cheap) and
install the free (no licence cost) vmWare ESXi server. Use this to
host a whole network (dns, file server, email, etc.). Put another low
cost machine with 2 NICs in front of it; this will be your firewall.
Now you can simulate locally the daily business, e.g. remote
administration, remote upgrades, road warrior setups etc.
But you don't have the risk that someone roots your box because you
made a mistake. Instead you can (should!) try out to attack it ;)

When you're very confident in working with your network, yes, then you
need to go out on The Hostile Internet to learn more.

regards,
Robert

   


Apart from ESXi is free but the management isn't...you need vSphere to 
manage the thing. This seams like a very expensive way to learn an 
OS...you can install a free virtual piece of software on your computer, 
virtual box, vmware server etc and get going, or even get some very 
cheap PC's off ebay. And to be honest I wouldn't worry about a cert that 
much, just get some real experience under your belp. Certs help but they 
are not the be all and end all that some people like to make out

Crema de Concha Nacar Venus Veracruz de Mexico

[Concha Nacar Venus]

Buenos Dias/Tardes  Sr/a:

La crema de Concha Nacar, borra manchas generadas por el paso de los
aqos, por el sol y aquellas producidas por el embarazo. Atenza todo tipo
de cicatrices, elimina el acni, los barritos y espinillas en forma rapida
y efectiva. Alivia las picaduras de insectos y elimina su marca, humecta
la piel seca sin dejarla grasosa, alivia la irritacisn despuis de la
afeitada.

Concha de Nacar Venus Veracruz de Mexico

Este producto maravilloso es elaborado por el prestigioso Laboratorio
Venus Veracruz de Mixico. Su principal ingrediente es el fantastico polvo
de CONCHA NACAR.

El polvo de nacar se obtiene de las conchas marinas, formada en el Tondo
de los mares, demostrando tener propiedades insuperables para el
tratamiento en el cuidado de la piel. Es conocido que desde hace
muchmsimos aqos, los indmgenas de Amirica del Sur mezclaban este polvo de
nacar con jugo de Limsn; con la finalidad de obtener una crema pastosa
para ser usada en la piel, que ha sido deteriorada, daqada con
cicatrices, manchas y otras imperfecciones.

La crema Concha Nacar penetra profundamente en las capas de la piel
actuando sobre las bacterias y los depssitos de grasa en la estructura de
la dermis y epidermis, evitando asm la acumulacisn de bacterias y grasa
que pueden producir infecciones, como en el caso del acni.

La Original Crema de Concha Nacar, es la del Envase rosado, Producida en
los prestigiosos laboratorios VENUS VERACRUZ DE MEXICO y distribuida
unica y exclusivamente por Prestige Universal Corp USA NO SE DEJE ENGAQAR
POR FALSAS IMITACIONES! Para pedidos contactenos en el DF PBX: +52 55
8525-9069

Re: zyd fails to associate with a network

[damien . bergamini]

| Maybe anyone knows how can I get any debugging information about my device?
| I could try to solve it on my own if I understood where the error is...

ifconfig zyd0 debug is usually a good start.

Damien

Re: HP laptops again

[Marco Peereboom]

Little status update.  We got one laptop ordered (thanks everyone!) and
are a few hundred short of the next.  So if you care about these bugs
please pony up ;-)

/marco

On Mon, Jul 26, 2010 at 12:52:35PM -0500, Marco Peereboom wrote:
 I have got a few pledges for hp laptops.  I have gotten good (as in bad)
 test reports of the following models that fail one way or another:
 * HP eb8730w
 * HP nw9440
 * HP Mini 5102
 * HP 530
 
 I think we have 2 major acpi issues with these.  One of them looks like
 an aml bug where we don't dereference an object deep enough and some
 thermal zone issues.  Unfortunately it seems that these are 2 distinct
 issues and therefore potentially require 2 laptops to figure them out.
 The laptops in question are relatively cheap on ebay so I think we can
 make do with about $800USD worth for 2 machines.
 
 One of these machines fails to boot; different class of bug but very
 interesting nonetheless to fix.
 
 I am 25% there with pledges.  So if you are interested in getting these
 2 bugs fixed send me an email with the pledge amount. I won't accept
 cash until we have enough to actually order machines.
 
 Oh and so that you know once these bugs are fixed we'll try to make
 these laptops suspend and resume (an entire different beast!).  And
 after that the laptops will go to a developer who needs a laptop to work
 on.
 
 Please contact me at ma...@openbsd.org and not on the list.

Re: OpenBSD Training

[Robert]

On Wed, 28 Jul 2010 15:59:33 +0100
Michal mic...@sharescope.co.uk wrote:
 Apart from ESXi is free but the management isn't...you need vSphere to 
 manage the thing. This seams like a very expensive way to learn an 

Just a note:
You don't need vSphere for this setup; only if you have to manage a
couple of vmware servers (= real hardware) you would need it.
In the free version you have to manage each vmware host (not virtual
machine) manually through a web interface, which unfortunately only
runs under Windows...
So, yes, you can run this at without any vmWare licence cost.

regards,
Robert

Re: HP laptops again

[Jan Stary]

 On Mon, Jul 26, 2010 at 12:52:35PM -0500, Marco Peereboom wrote:
  I have got a few pledges for hp laptops.  I have gotten good (as in bad)
  test reports of the following models that fail one way or another:
  * HP eb8730w
  * HP nw9440
  * HP Mini 5102
  * HP 530

While I cannot donate my HP eb8530w (NB: 8530, not 8730),
I would at least like to provide a good (=bad) test report.

  I think we have 2 major acpi issues with these.  One of them looks like
  an aml bug where we don't dereference an object deep enough and some
  thermal zone issues.

I have had issues with acpitz shuting down on boot because
of critical temperature, as described also by others on
this list some time ago.

What else do I need to provide besides dmesg, sysctl hw,
and an acpidump (which I did)?

Thank you for your time

Jan

Re: HP laptops again

[Marco Peereboom]

On Wed, Jul 28, 2010 at 05:45:14PM +0200, Jan Stary wrote:
  On Mon, Jul 26, 2010 at 12:52:35PM -0500, Marco Peereboom wrote:
   I have got a few pledges for hp laptops.  I have gotten good (as in bad)
   test reports of the following models that fail one way or another:
   * HP eb8730w
   * HP nw9440
   * HP Mini 5102
   * HP 530
 
 While I cannot donate my HP eb8530w (NB: 8530, not 8730),
 I would at least like to provide a good (=bad) test report.

Actually a test with up to the second -current would be helpful to get a
baseline where we are at with this machine.

Then mail me acpidump -o hp8350 results + dmesg + pcidump -v

 
   I think we have 2 major acpi issues with these.  One of them looks like
   an aml bug where we don't dereference an object deep enough and some
   thermal zone issues.
 
 I have had issues with acpitz shuting down on boot because
 of critical temperature, as described also by others on
 this list some time ago.
 
 What else do I need to provide besides dmesg, sysctl hw,
 and an acpidump (which I did)?
 
   Thank you for your time
 
   Jan

Re: HP laptops again

[matteo filippetto]

 Then mail me acpidump -o hp8350 results + dmesg + pcidump -v


Hi,

I have an hp ProBook 4520s that has problem with acpi (boot only with
acpi disable).

Do you need my results for those commands?

Best regards.

-- 
Matteo Filippetto

Re: OpenBSD Training

[Internet Retard]

 Date: Wed, 28 Jul 2010 05:50:19 -0600
 From: ch...@bennettconstruction.biz

 Concrete with re-bar works well for hardening the box.
 As far as the software, OpenBSD comes pre-hardened.
 Nothing really needs to be changed for security.
 Use good passwords and long passwords is about all you have to do.

Good point, all the salting, encrypting, and multiple encryption rounds in the
world won't save the Internet from the idiots that set root passwords to
password. The irony of it all is that these 0wned idiots will complain that
their system was insecure (that's why they got hacked). Unfortunately, we
in OpenBSD-land live in a vacum of common sense that does not exist out in the
real world. People actually use password for their password, or the ones who
believe themselves clever set it to secret or letmein. Don't believe me,
look at the logs on your bastion OpenBSD servers. The reason there are so many
ssh bruteforce attempts is because... wait for it..  it works.

While we thank the gods for OpenBSD and all of the common sense it comes with,
let's not forget that humans can break anything and overcome any amount of
logic and careful design.

Sincerely,

IR

_
Hotmail: Free, trusted and rich email service.
https://signup.live.com/signup.aspx?id=60969

Re: OpenBSD Training

[Peter N. M. Hansteen]

open...@e-solutions.re writes:

 I have th following aim : Master OpenBSD, pass BSDP(OpenBSD)exam when this
 one will be available.
 I have good knowledege on TCP/IP;PF use
 Is there a good training center in French or English language?
 (I will be ready to buy a plane ticket.)

Assuming the EuroBSDCon programme turns out roughly like the earlier
conferences, there's a distinct possibility that there will be useful
tutorials in Karlsruhe in October (http://2010.eurobsdcon.org/).  The
schedule isn't done yet it appears, but there as far as I can tell
from the bsdcertification.org web, the BSDA exam will be offered
during the conference.

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: HP laptops again

[Matthew Dempsky]

On Wed, Jul 28, 2010 at 9:21 AM, matteo filippetto
matteo.filippe...@gmail.com wrote:
 Then mail me acpidump -o hp8350 results + dmesg + pcidump -v


 Hi,

 I have an hp ProBook 4520s that has problem with acpi (boot only with
 acpi disable).

 Do you need my results for those commands?

Only if you want it fixed. :)

Lenovo ThinkPad Edge 14 i330

[fqui nonez]

Hello

I have a Compaq Presario 3019US working correctly with OBSD-4.7, and i
have recived a ThinkPad Edge 14 i330 (4 processors) as a present; it
has Windows 7.
The parttions do not finish at the end of cilinders by defaults. My
question is if you recomend keeping Windows 7 beside to OBSD working
well?

I installed OBSD-4.7 resulting that TTYs do not work correctly, but
this Laptop has an extra key (fn) which i could not find how to use it
to jump to TTYs. Another question is related to use ix86 or amd64? i
could observed that temperature was higher than with Windows using
amd64.

Thanks

--
   Agr. francisco Quinonez.
  Our mission, feed the World
   notre mission, nourrir au monde
 Nuestra mision, alimentar al mundo

Re: PF synproxy - never worked?

[Justin]

  Well, only one interface is set to be a default gateway out, the 
other has an IP with no gateway, but a manual route entry for how to 
reach the client machine. I've also tried applying the synproxy rules on 
the interface facing the client heading outbound to no avail.



On 7/28/2010 5:26 AM, Tom Murphy wrote:

Synproxy only appears to work on the interface with the default gateway
(egress). I could never make it work on a firewall with more than 1
external interface properly.

I don't know if this is a bug or by design.

Tom

Re: Lenovo ThinkPad Edge 14 i330

[Dmitrij D. Czarkoff]

fqui nonez fquinon...@gmail.com wrote:
 this Laptop has an extra key (fn) which i could not find how to use it
 to jump to TTYs.

As I understand, Fn key doesn't send a separate keypress event and therefor
can't be remapped.

Another question is related to use ix86 or amd64?

i386 is much better tested, but amd64 should be fine. Actually, my experience
shows that there's no big difference on a home user laptop untill You want to
have more then 4Gb of RAM and Your laptops supports that.

--
Dmitrij D. Czarkoff

Re: zyd fails to associate with a network

[Dmitrij D. Czarkoff]

damien.bergam...@free.fr wrote:
 ifconfig zyd0 debug is usually a good start.

Thanks.

Actually, I didn't get anything I believe to be helpful.

So, my steps were:

# ifconfig zyd0 debug
# ifconfig zyd0 up
# ifconfig zyd0 scan
zyd0: flags=8847UP,BROADCAST,DEBUG,RUNNING,SIMPLEX,MULTICAST mtu 1500
lladdr 00:18:6e:35:fd:7f
priority: 4
groups: wlan
media: IEEE802.11 autoselect
status: no network
ieee80211: nwid  100dBm
nwid STREAM-15 chan 6 bssid 00:13:33:8a:03:bf 142dB 54M 
privacy,short_slottime 
nwid TheTail chan 6 bssid 00:14:d1:59:16:d3 143dB 54M 
privacy,short_preamble,short_slottime 
nwid TP-LINK chan 6 bssid 00:1d:0f:f3:1e:5b 156dB 54M 
privacy,short_preamble,short_slottime 
nwid kusso chan 6 bssid 00:1e:58:b8:99:2b 20dB 54M 
privacy,short_preamble,short_slottime 
nwid bedova chan 11 bssid 00:23:54:71:50:71 24dB 54M 
short_preamble,short_slottime 
# ifconfig zyd0 nwid bedova
# dhclient zyd0
zyd0: no link . sleeping
# ifconfig zyd0 down

The corresponding dmesg says:

zyd0 at uhub0 port 2 configuration 1 interface 0 ZyDAS USB2.0 WLAN rev 
2.00/48.10 addr 3
zyd0: HMAC ZD1211B, FW 47.25, RF AL2230, PA 0, address 00:18:6e:35:fd:7f
zyd0: begin active scan
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 2 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 3 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 4 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 5 mode 11g
zyd0: received beacon from 00:1e:58:b8:99:2b rssi 20 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 6 mode 11g
zyd0: received beacon from 00:14:d1:59:16:d3 rssi 143 mode 11g
zyd0: received beacon from 00:13:33:8a:03:bf rssi 140 mode 11g
zyd0: received beacon from 00:13:33:8a:03:bf rssi 142 mode 11g
zyd0: received beacon from 00:1d:0f:f3:1e:5b rssi 156 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 7 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 8 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 9 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 10 mode 11g
zyd0: received beacon from 00:23:54:71:50:71 rssi 172 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 11 mode 11g
zyd0: received probe_resp from 00:23:54:71:50:71 rssi 161 mode 11g
zyd0: received beacon from 00:23:54:71:50:71 rssi 24 mode 11g
zyd0: received beacon from 00:23:54:71:50:71 rssi 24 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 12 mode 11g
zyd0: received beacon from 00:23:54:71:50:71 rssi 156 mode 11g
zyd0: received beacon from 00:23:54:71:50:71 rssi 162 mode 11g
zyd0: received beacon from 00:23:54:71:50:71 rssi 161 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 13 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 14 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 1 mode 11g
zyd0: end active scan
zyd0: begin active scan
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 2 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 3 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 4 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 5 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 6 mode 11g
zyd0: received beacon from 00:13:33:8a:03:bf rssi 138 mode 11g
zyd0: received beacon from 00:14:d1:59:16:d3 rssi 119 mode 11g
zyd0: received beacon from 00:13:33:8a:03:bf rssi 137 mode 11g
zyd0: received beacon from 00:14:d1:59:16:d3 rssi 137 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 7 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 8 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 9 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 10 mode 11g
zyd0: received beacon from 00:23:54:71:50:71 rssi 56 mode 11g
zyd0: received beacon from 00:23:54:71:50:71 rssi 159 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 11 mode 11g
zyd0: received probe_resp from 00:23:54:71:50:71 rssi 160 mode 11g
zyd0: received beacon from 00:23:54:71:50:71 rssi 30 mode 11g
zyd0: received beacon from 00:16:e3:f3:a3:ce rssi 147 mode 11g
zyd0: received beacon from 00:23:54:71:50:71 rssi 147 mode 11g
zyd0: received beacon from 00:16:e3:f3:a3:ce rssi 25 mode 11g
zyd0: received beacon from 00:23:54:71:50:71 rssi 20 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 12 mode 11g
zyd0: received beacon from 00:23:54:71:50:71 rssi 165 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 13 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 14 mode 11g
zyd0: sending probe_req to ff:ff:ff:ff:ff:ff on channel 1 mode 11g
zyd0: end active scan
zyd0: sending auth to 00:23:54:71:50:71 on channel 11 mode 11g
zyd0: received auth from 00:23:54:71:50:71 rssi 27 mode 11g
zyd0: sending assoc_req to 

Re: UTF-8 (was: Re: CVS: cvs.openbsd.org: src)

[Christian Weisgerber]

Christian Weisgerber na...@mips.inka.de wrote:

 == xterm ==

What doesn't work: UTF-8 mode is incompatible with 8-bit control
sequences.  If that doesn't ring a bell for you, then you don't
need to worry about it. ;-)

I only noticed because the RMC on my AlphaServer 800 inserts 8-bit
controls to set bold and blink attributes in its status output.

-- 
Christian naddy Weisgerber  na...@mips.inka.de

Re: zyd fails to associate with a network

[damien . bergamini]

| So now I know that that:
| 
| 1. the association fails with status 25;
| 2. the drivers actively sends free-roaming requests during
| asssociation
| process while is requested to connect an exact network.
| 
| Where can I read what is association failed (status 25) and
| deauthenticate (reason 3)? Does anyone know what the problem is?

Status 25 is IEEE80211_STATUS_SHORTSLOT_REQUIRED.
It means that the access point refuses association from
clients that do not support short slot time.
zyd(4) does not have the IEEE80211_C_SHSLOT capability.
I'll try to see what is required to support that functionnality.
I suggest you submit a PR with sendbug so it does not get lost.

Damien

misc@openbsd.org a project worth $22.7M for you. Contact me for information

[ZHANG LIU]

Contact me for information

Re: HP laptops again

[Jan Stary]

On Jul 28 11:07:08, Marco Peereboom wrote:
 On Wed, Jul 28, 2010 at 05:45:14PM +0200, Jan Stary wrote:
   On Mon, Jul 26, 2010 at 12:52:35PM -0500, Marco Peereboom wrote:
I have got a few pledges for hp laptops.  I have gotten good (as in bad)
test reports of the following models that fail one way or another:
* HP eb8730w
* HP nw9440
* HP Mini 5102
* HP 530
  
  While I cannot donate my HP eb8530w (NB: 8530, not 8730),
  I would at least like to provide a good (=bad) test report.
 
 Actually a test with up to the second -current would be helpful to get a
 baseline where we are at with this machine.

What is the second -current?

I have just seen the very current bsd.rd (from ftp.openbsd.org)
segfault on me during the fdisk stage of an install. (This has
happened sooner today on another machine, too.)

So I have used the 4.7/i386/bsd.rd to install -current,
ignoring the checksum missmatches.

 Then mail me acpidump -o hp8350 results + dmesg + pcidump -v

The acpidump is at http://stare.cz/~hans/.tmp/hp8530w.tar
and the dmesg and pcidump -v is below.


(1)
Right after the first (re)boot, the system gets
shut down because of critical temperature:

acpitz2: Critical temperature 4989C (52624K), shutting down

A workaround that works for me is to simply
'disable acpitz' in UKC.

(2)
'apmd -C' works OK: the CPU scales appropriately based on load;
the battery status is reported correctly; the monitor dims/brightens
when AC is plugged out/in.

(3)
'apm -S' puts the machine to standby; everything goes black,
just the power button's led starts blinking. After
pressing the power button everything comes back up,
including the network connections (of em0; don't know
about iwn0, I am not in a reach of a wifi network
right now; will test tomorrow).

One exception is the monitor: it is still dark;
I can log in remotely though, bring my
tmux sessions back up etc. The tmux sessions come back
up with the windows reduced (as happens in a larger
xterm when the same session is still open with smaller
80x25 windows elsewhere).

I was at the console when I issued 'apm -S', X was not running.
If it makes any difference, I issued the 'apm -S' from within
root's tmux session.

According to my cheap wattmeter, the power consumption
drops from about 30W to 0 during the standby mode, and 
comes back up to 23W (the difference being the monitor
not comming back up?).
 
(4)
'apm -z' suspends the machine. On the outside the behaviour
is just like (3), incluing the monitor not comming back up.
(not that I really understand the exact differences of what
apm -S / apm -z is supposed to do).


(5)
Both (3) and (4) behave the same on AC and on battery.


(6)
apm -S worked with both closed and open lid.


(7)
apm -z worked with the lid open; with the lid closed,
it worked more then once and failed more then once.

Actually, it *sometimes* happens that the machine
does not boot - the LEDs turn on, but the monitor
does not, and nothing else happens. I have seen this
even before trying suspend, just on normal boots in the
last months. Now this seems to be the same state into which
the machine gets after an unsuccesfull suspend/resume
- it almost reboots, but not really. I have not
been able to detect any pattern of when this happens.


(8)
*Sometimes* the machine boots fully, but then
I cannot type my login; when this happens, then also
the sound and wifi hardware icons do not work.
As if the whole keyboard was not there. I haven't
detected any pattern in this either.


Please let me knoe of what more I should test.

Thank you very much for you efforts!

Jan



dmesg of a boot that ends with a shutdown
due to critical temperature:

Jul 28 21:07:34 hp syslogd: start
Jul 28 21:07:34 hp /bsd: OpenBSD 4.8-beta (GENERIC.MP) #282: Tue Jul 27 
14:43:59 MDT 2010
Jul 28 21:07:34 hp /bsd: 
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
Jul 28 21:07:34 hp /bsd: RTC BIOS diagnostic error 
bbclock_battery,config_unit,memory_size,fixed_disk
Jul 28 21:07:34 hp /bsd: cpu0: Intel(R) Core(TM)2 Duo CPU T9400 @ 2.53GHz 
(GenuineIntel 686-class) 2.53 GHz
Jul 28 21:07:34 hp /bsd: cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1
Jul 28 21:07:34 hp /bsd: real mem  = 2125561856 (2027MB)
Jul 28 21:07:34 hp /bsd: avail mem = 2080784384 (1984MB)
Jul 28 21:07:34 hp /bsd: mainbus0 at root
Jul 28 21:07:34 hp /bsd: bios0 at mainbus0: AT/286+ BIOS, date 11/10/08, SMBIOS 
rev. 2.4 @ 0x7edc4000 (21 entries)
Jul 28 21:07:34 hp /bsd: bios0: vendor Hewlett-Packard version 68PDV Ver. 
F.06 date 12/15/2008
Jul 28 21:07:34 hp /bsd: bios0: Hewlett-Packard HP EliteBook 8530w
Jul 28 21:07:34 hp /bsd: acpi0 at bios0: rev 2
Jul 28 21:07:34 hp /bsd: acpi0: tables DSDT FACP HPET APIC MCFG TCPA SSDT SLIC 
SSDT DMAR ASF! SSDT SSDT SSDT
Jul 28 21:07:34 hp /bsd: acpi0: wakeup devices 

Re: HP laptops again

[Peter N. M. Hansteen]

Jan Stary h...@stare.cz writes:

 Actually a test with up to the second -current would be helpful to get a
 baseline where we are at with this machine.

 What is the second -current?

up to the second -- as fresh as physically possible

- p
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: HP laptops again

[Ted Unangst]

On Wed, Jul 28, 2010 at 4:36 PM, Jan Stary h...@stare.cz wrote:
 Actually a test with up to the second -current would be helpful to get a
 baseline where we are at with this machine.

 What is the second -current?

-current that is current as of this second.

Re: HP laptops again

[Jan Stary]

On Jul 28 23:06:48, Peter N. M. Hansteen wrote:
 Jan Stary h...@stare.cz writes:
 
  Actually a test with up to the second -current would be helpful to get a
  baseline where we are at with this machine.
 
  What is the second -current?
 
 up to the second -- as fresh as physically possible

aaargh, sorri me not gut english.

Re: zyd fails to associate with a network

[Dmitrij D. Czarkoff]

damien.bergam...@free.fr wrote:
 Status 25 is IEEE80211_STATUS_SHORTSLOT_REQUIRED.
 It means that the access point refuses association from
 clients that do not support short slot time.

Thanks!

While it's not a valid workaround, I've set my router up to long slot, so my
issue is resolved.

Still, could You please tell me where can I find that info without disturbing
developpers and mailing list memebers?

--
Dmitrij D. Czarkoff

Re: zyd fails to associate with a network

[damien . bergamini]

| Thanks!
| 
| While it's not a valid workaround, I've set my router up to long slot,
| so my issue is resolved.
| 
| Still, could You please tell me where can I find that info without
| disturbing developpers and mailing list memebers?

In the IEEE 802.11 standard or in /usr/src/sys/net80211/ieee80211.h
or /usr/include/net80211/ieee80211.h

Damien

Re: HP laptops again

[richardtoohey]

Quoting Peter N. M. Hansteen pe...@bsdly.net:

 Jan Stary h...@stare.cz writes:
 
  Actually a test with up to the second -current would be helpful to
 get a
  baseline where we are at with this machine.
 
  What is the second -current?
 
 up to the second -- as fresh as physically possible

That's what hyphens are for - so up-to-the-second would show that the words
are related.

 
 - p
 -- 
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 Remember to set the evil bit on all malicious network traffic
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Re: HP laptops again

[Jiri B.]

On Mon, 26 Jul 2010 12:52:35 -0500
Marco Peereboom sl...@peereboom.us wrote:

 I am 25% there with pledges.  So if you are interested in getting
 these 2 bugs fixed send me an email with the pledge amount. I won't
 accept cash until we have enough to actually order machines.

150 USD sent. Thank you very much for you time to help us solving this
issues.

jirib

Re: PF synproxy - never worked?

[Justin]

  I got a reply on the FreeBSD lists suggesting the firewall itself 
-had- to be the default gateway for the client;


  Ahh. That explains it then. I was operating under the assumption that 
the machine doing the synproxy would forge the reply such that the 
TARGET host would reply to the synproxy box, not its default gateway.


As in 1.2.3.4 request to client 5.5.5.5 via - 2.3.4.5, forged 2.3.4.5 
request to 5.5.5.5, 5.5.5.5 replies to 2.3.4.5, 2.3.4.5 no long proxies 
state and allows 1.2.3.4 and 5.5.5.5 to talk to each other directly.


The topology is as such:

internet - switch - em0 | pf | em1 - switch - client
\--/

  So the clients default gateway out is the switch, which doesn't send 
all traffic back over the PF machine.  From what you've described, the 
PF synproxy box would literally have to be inline and the default gateway.


internet - em0 | pf | em1 - client

  Is this the case?  Would it not be possible to add this functionality 
in some way?




On 7/28/2010 11:42 AM, Justin wrote:
  Well, only one interface is set to be a default gateway out, the 
other has an IP with no gateway, but a manual route entry for how to 
reach the client machine. I've also tried applying the synproxy rules 
on the interface facing the client heading outbound to no avail.



On 7/28/2010 5:26 AM, Tom Murphy wrote:

Synproxy only appears to work on the interface with the default gateway
(egress). I could never make it work on a firewall with more than 1
external interface properly.

I don't know if this is a bug or by design.

Tom

Re: PF synproxy - never worked?

[Denis Doroshenko]

On 7/29/10, Justin jus...@sk1llz.net wrote:
   I got a reply on the FreeBSD lists suggesting the firewall itself -had- to
 be the default gateway for the client;

   Ahh. That explains it then. I was operating under the assumption that the
 machine doing the synproxy would forge the reply such that the TARGET host
 would reply to the synproxy box, not its default gateway.

  As in 1.2.3.4 request to client 5.5.5.5 via - 2.3.4.5, forged 2.3.4.5
 request to 5.5.5.5, 5.5.5.5 replies to 2.3.4.5, 2.3.4.5 no long proxies
 state and allows 1.2.3.4 and 5.5.5.5 to talk to each other directly.

how could it be done within the same TCP connection? a TCP connection
is identified with two addresses and two ports. if the handshake is
done off 2.3.4.5, how can the connection go on aftewards off 1.2.3.4?
the connection should be proxied then till the end, and 5.5.5.5 will
never know who was the real originator of the connection. obviously,
for 5.5.5.5 to be able to answer to 1.2.3.4, the firewall doing the
synproxying should be the gateway. sounds logical.

macppc: firefox 3.6.8 crashing (same as 3.6.7)

[patrick keshishian]

FF 3.6.7 was crashing as reported by Dawe and me[1] same as X (from
snapshots and built from source). Rebuilding xenocara from source with
debug got X working (don't know why).

I tried building FF 3.6.8 and it too is crashing with signal 11. I
built FF 3.6.8 with DEBUG=-g -O0 hoping to at least get a backtrace
out of the core, but evidently the resulting binary is stripped[2]
(brilliant!).

Question: I'm about to rebuild this monster again on my slow ibook.
how do I prevent it from being stripped?

Google finds me --disable-install-strip, but does our port
infrastructure provide a more uniform way of handling this across all
(or most) ports?

Also, what's the idea behind 'make repackage' deleting every
dependency package from /usr/ports/packages/ directory? This seems
quite insane, especially when those packages aren't rebuilt (although,
the latter is besides the point)? I don't know how to express my
frustration over this, when the dependency packages (python, gtk+,
etc. etc.) took 6+ hours to build and now they are fucking gone.

--patrick


[1] http://marc.info/?l=openbsd-miscm=128002243807124w=2
[2] $ gdb /usr/local/mozilla-firefox/firefox-bin firefox-bin.core
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as powerpc-unknown-openbsd4.7...
(no debugging symbols found)

Core was generated by `firefox-bin'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/local/mozilla-firefox/libxul.so.22.0...done.
Loaded symbols for /usr/local/mozilla-firefox/libxul.so.22.0
Reading symbols from /usr/local/mozilla-firefox/libmozjs.so.22.0...done.
Loaded symbols for /usr/local/mozilla-firefox/libmozjs.so.22.0
Reading symbols from /usr/local/mozilla-firefox/libxpcom.so.22.0...done.
Loaded symbols for /usr/local/mozilla-firefox/libxpcom.so.22.0
Reading symbols from /usr/local/lib/libplds4.so.21.0...done.
Loaded symbols for /usr/local/lib/libplds4.so.21.0
Reading symbols from /usr/local/lib/libplc4.so.21.0...done.
Loaded symbols for /usr/local/lib/libplc4.so.21.0
Reading symbols from /usr/local/lib/libnspr4.so.21.0...done.
Loaded symbols for /usr/local/lib/libnspr4.so.21.0
Reading symbols from /usr/local/lib/libgtk-x11-2.0.so.1403.0...done.
Loaded symbols for /usr/local/lib/libgtk-x11-2.0.so.1403.0
Reading symbols from /usr/local/lib/libatk-1.0.so.2800.0...done.
Loaded symbols for /usr/local/lib/libatk-1.0.so.2800.0
Reading symbols from /usr/local/lib/libgdk-x11-2.0.so.1403.0...done.
Loaded symbols for /usr/local/lib/libgdk-x11-2.0.so.1403.0
Reading symbols from /usr/local/lib/libgdk_pixbuf-2.0.so.1403.0...done.
Loaded symbols for /usr/local/lib/libgdk_pixbuf-2.0.so.1403.0
Reading symbols from /usr/local/lib/libpangocairo-1.0.so.1802.0...done.
Loaded symbols for /usr/local/lib/libpangocairo-1.0.so.1802.0
Reading symbols from /usr/local/lib/libpangoft2-1.0.so.1802.0...done.
Loaded symbols for /usr/local/lib/libpangoft2-1.0.so.1802.0
Reading symbols from /usr/local/lib/libpango-1.0.so.1802.0...done.
Loaded symbols for /usr/local/lib/libpango-1.0.so.1802.0
Reading symbols from /usr/local/lib/libgio-2.0.so.1803.0...done.
Loaded symbols for /usr/local/lib/libgio-2.0.so.1803.0
Reading symbols from /usr/local/lib/libgobject-2.0.so.1803.0...done.
Loaded symbols for /usr/local/lib/libgobject-2.0.so.1803.0
Reading symbols from /usr/local/lib/libgthread-2.0.so.1803.0...done.
Loaded symbols for /usr/local/lib/libgthread-2.0.so.1803.0
Reading symbols from /usr/local/lib/libgmodule-2.0.so.1803.0...done.
Loaded symbols for /usr/local/lib/libgmodule-2.0.so.1803.0
Reading symbols from /usr/local/lib/libglib-2.0.so.1803.0...done.
Loaded symbols for /usr/local/lib/libglib-2.0.so.1803.0
Reading symbols from /usr/local/lib/libintl.so.5.0...done.
Loaded symbols for /usr/local/lib/libintl.so.5.0
Reading symbols from /usr/local/lib/libiconv.so.6.0...done.
Loaded symbols for /usr/local/lib/libiconv.so.6.0
Reading symbols from /usr/X11R6/lib/libXinerama.so.5.0...done.
Loaded symbols for /usr/X11R6/lib/libXinerama.so.5.0
Reading symbols from /usr/X11R6/lib/libXi.so.11.0...done.
Loaded symbols for /usr/X11R6/lib/libXi.so.11.0
Reading symbols from /usr/X11R6/lib/libXrandr.so.6.1...done.
Loaded symbols for /usr/X11R6/lib/libXrandr.so.6.1
Reading symbols from /usr/X11R6/lib/libXcursor.so.4.0...done.
Loaded symbols for /usr/X11R6/lib/libXcursor.so.4.0
Reading symbols from /usr/X11R6/lib/libXcomposite.so.3.0...done.
Loaded symbols for /usr/X11R6/lib/libXcomposite.so.3.0
Reading symbols from /usr/X11R6/lib/libXext.so.11.0...done.
Loaded symbols for /usr/X11R6/lib/libXext.so.11.0
Reading symbols from /usr/X11R6/lib/libXdamage.so.3.1...done.
Loaded symbols for /usr/X11R6/lib/libXdamage.so.3.1
Reading symbols from 

Re: Boot hang on 4.7/sparc64

[Nathan Sandver]

On Wed, Jul 28, 2010 at 2:43 AM, Fred Crowson fred.crow...@gmail.com wrote:
 On 28 July 2010 06:57, Nathan Sandver nsand...@gmail.com wrote:

 The swap partition I created at wd1b is correctly listed in /etc/fstab:
 # cat /mnt/etc/fstab
 /dev/wd1b none swap sw 0 0
 /dev/wd0a / ffs rw 1 1
 /dev/wd1a /usr ffs rw,nodev 1 2


 What happens when you remove the wd1b line from fstab?

Exactly the same thing. The system hangs at the same point, with the
same message (dmesg output below).

Rebooting with command: boot
Boot device: disk  File and args:
OpenBSD IEEE 1275 Bootblock 1.3
.. OpenBSD BOOT 1.3
Trying bsd...
Booting /p...@1f,0/p...@1,1/i...@3/d...@0,0:a/bsd
6372...@0x100+616@0x1613d98+190...@0x180+4004176@0x182e6b0
symbols @ 0xfef642c0 81+390912+244649 start=0x100
[ using 636360 bytes of bsd ELF symbol table ]
console is /p...@1f,0/p...@1,1/e...@1/s...@14,40:b
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2010 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.7 (GENERIC) #258: Wed Mar 17 23:40:34 MDT 2010
dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
real mem = 134217728 (128MB)
avail mem = 115802112 (110MB)
mainbus0 at root: Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 360MHz)
cpu0 at mainbus0: SUNW,UltraSPARC-IIi (rev 9.1) @ 360 MHz
cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K
external (64 b/l)
psycho0 at mainbus0 addr 0xfffc4000: SUNW,sabre, impl 0, version 0, ign 7c0
psycho0: bus range 0-2, PCI bus 0
psycho0: dvma map c000-dfff
pci0 at psycho0
ppb0 at pci0 dev 1 function 1 Sun Simba PCI-PCI rev 0x13
pci1 at ppb0 bus 1
ebus0 at pci1 dev 1 function 0 Sun PCIO EBus2 rev 0x01
auxio0 at ebus0 addr 726000-726003, 728000-728003, 72a000-72a003,
72c000-72c003, 72f000-72f003
power0 at ebus0 addr 724000-724003 ivec 0x25
SUNW,pll at ebus0 addr 504000-504002 not configured
sab0 at ebus0 addr 40-40007f ivec 0x2b: rev 3.2
sabtty0 at sab0 port 0
sabtty1 at sab0 port 1: console
comkbd0 at ebus0 addr 3083f8-3083ff ivec 0x29: no keyboard
comms0 at ebus0 addr 3062f8-3062ff ivec 0x2a
wsmouse0 at comms0 mux 0
lpt0 at ebus0 addr 3043bc-3043cb, 30015c-30015d, 70-7f ivec 0x22: polled
clock1 at ebus0 addr 0-1fff: mk48t59
flashprom at ebus0 addr 0-f not configured
audioce0 at ebus0 addr 20-2000ff, 702000-70200f, 704000-70400f,
722000-722003 ivec 0x23 ivec 0x24: nvaddrs 0
audio0 at audioce0
hme0 at pci1 dev 1 function 1 Sun HME rev 0x01: ivec 0x7e1, address
08:00:20:d1:7e:f8
nsphy0 at hme0 phy 1: DP83840 10/100 PHY, rev. 1
machfb0 at pci1 dev 2 function 0 ATI Mach64 rev 0x5c
machfb0: ATY,GT-C, 1152x900
wsdisplay0 at machfb0 mux 1
wsdisplay0: screen 0 added (std, sun emulation)
pciide0 at pci1 dev 3 function 0 CMD Technology PCI0646 rev 0x03:
DMA, channel 0 configured to native-PCI, channel 1 configured to
native-PCI
pciide0: using ivec 0x7e0 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: LEXAR ATA FLASH
wd0: 4-sector PIO, LBA, 489MB, 1001952 sectors
wd1 at pciide0 channel 0 drive 1: ST34313A
wd1: 32-sector PIO, LBA, 4112MB, 8421840 sectors
wd0(pciide0:0:0): using PIO mode 4
wd1(pciide0:0:1): using PIO mode 4, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LG, CD-ROM CRD-8322B, 1.05 ATAPI
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
ppb1 at pci0 dev 1 function 0 Sun Simba PCI-PCI rev 0x13
pci2 at ppb1 bus 2
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
bootpath: /p...@1f,0/p...@1,1/i...@3,0/d...@0,0
root on wd0a swap on wd0b dump on wd0b



-- 
Nathan Sandver nsand...@gmail.com

Re: PF synproxy - never worked?

[Justin]

   This removes any chance of scalability or the ability to separate 
out single targeted IP addresses. I suppose the synproxy machine would 
have to in some way act as NAT - translating between the two - or 
alternately, act as a NAT to establish an initial session, then insert a 
state to pass all traffic between both ends without additional 
inspection or proxying... perhaps some sort of validation then push 
back... I just can't see how to impliment it with existing stuff...




On 7/28/2010 6:24 PM, Denis Doroshenko wrote:

On 7/29/10, Justinjus...@sk1llz.net  wrote:
   

   I got a reply on the FreeBSD lists suggesting the firewall itself -had- to
be the default gateway for the client;

   Ahh. That explains it then. I was operating under the assumption that the
machine doing the synproxy would forge the reply such that the TARGET host
would reply to the synproxy box, not its default gateway.

  As in 1.2.3.4 request to client 5.5.5.5 via -  2.3.4.5, forged 2.3.4.5
request to 5.5.5.5, 5.5.5.5 replies to 2.3.4.5, 2.3.4.5 no long proxies
state and allows 1.2.3.4 and 5.5.5.5 to talk to each other directly.
 

how could it be done within the same TCP connection? a TCP connection
is identified with two addresses and two ports. if the handshake is
done off 2.3.4.5, how can the connection go on aftewards off 1.2.3.4?
the connection should be proxied then till the end, and 5.5.5.5 will
never know who was the real originator of the connection. obviously,
for 5.5.5.5 to be able to answer to 1.2.3.4, the firewall doing the
synproxying should be the gateway. sounds logical.

Re: pf synproxy

[Justin]

   Confirmed - synproxy works great if the synproxy machine is the 
default gateway for the end host. Sadly this means scalability (adding 
multiple synproxy boxes) is not possible, nor is it possible to filter a 
specific IP out of the end machines ranges.


   Perhaps I'm shooting for the moon here - but shouldn't it be 
possible to have a machine validate a remote host to be real and then 
create a state to simply permit all traffic from it to pass without 
additional filtering? Thus no breaking of packets and allowing the 
remote host to respond directly?




On 7/28/2010 2:01 PM, Justin wrote:



  Ahh. That explains it then. I was operating under the assumption 
that the machine doing the synproxy would forge the reply such that 
the TARGET host would reply to the synproxy box, not its default gateway.


As in 1.2.3.4 request to client 5.5.5.5 via - 2.3.4.5, forged 2.3.4.5 
request to 5.5.5.5, 5.5.5.5 replies to 2.3.4.5, 2.3.4.5 no long 
proxies state and allows 1.2.3.4 and 5.5.5.5 to talk to each other 
directly.


The topology is as such:

internet - switch - em0 | pf | em1 - switch - client
\--/

  So the clients default gateway out is the switch, which doesn't send 
all traffic back over the PF machine.  From what you've described, the 
PF synproxy box would literally have to be inline and the default 
gateway.


internet - em0 | pf | em1 - client

  Is this the case?

El Planeador Maestro de Produccion Altamente Competitivo

[Erendira Martin]

El Planeador Maestro de ProducciC3n Altamente Competitivo - TC)cnicas,
Habilidades y Herramientas de Excelencia

ConviC)rtase en un verdadero Mariscal de Campo organizando, integrando
y coordinando de manera inteligente los esfuerzos de las C!reas que
forman parte del negocio manufacturero (ventas, producciC3n, control de
inventarios, almacenes, compras, control de calidad, ingenierCa, etc.) y
diseC1e el modelo de PlaneaciC3n Maestra que se ajuste perfectamente a su
organizaciC3n, considerando la estructura de su producto, el tipo de
proceso, las polCticas de servicio a clientes, su estrategia de
manufactura, polCticas de inventarios, de  utilizaciC3n de  gente  y 
equipos,  logrando  asC:

- Asegurar la satisfacciC3n de sus clientes con embarques en tiempo y
forma, sin el estrC)s, la presiC3n y los costos extra que implica una
programaciC3n deficiente - B!Planear el futuro y no padecer el presente!
-Aprovechar de la manera mC!s C3ptima sus recursos productivos (gente,
mC!quinas, equipos, materiales) sin que le afecten los cambios abruptos
que haya en la demanda de sus productos.
-Controlar los niveles de inventario en proceso, alimentando los
materiales a la planta de acuerdo al plan de fabricaciC3n y a los pedidos
y pronC3sticos de demanda de sus productos.
-El diseC1o de estrategias que le permitan disminuir los pedidos
atrasados (backorder) hasta ponerse al corriente.
-Eliminar las quejas constantes de las C!reas financieras por altos
costos de operaciC3n (mantenimiento de inventarios, gastos por fletes
urgentes, tiempo extra desmedido, pago de penalizaciones a clientes
insatisfechos, costos de calidad, etc.).
-La C3ptima utilizaciC3n de la capacidad de planta, considerando el
tamaC1o de la demanda, perCodos estacionales, paros por mantenimiento,
inventarios de anticipaciC3n, utilizaciC3n de maquiladores, rotaciC3n de
personal, entre otros.
-CC3mo sacar el mC!ximo provecho del costoso ERP de su empresa,
utilizando las bondades del mC3dulo de PlaneaciC3n Maestra (Master
Scheduling).

Programado en:
Guadalajara 11 de agosto
Monterrey 18 de agosto
MC)xico, D.F. 20 de agosto

Si desea recibir un folleto GRATUITO sobre este seminario,

Responda este correo con los siguientes datos:
Empresa:
Nombre:
Puesto:
Tel: (  )
E-mail:  misc@openbsd.org
Fecha de interC)s: ( ) Guadalajara  - ( ) Monterrey  b ( ) MC)xico,
D.F. 

o Llame a nuestra lada sin costo: 01 800 250 10 20

Q U A L I T Y  T R A I N I N G  D E  M E X I C O

Para cancelar su suscripciC3n haga reply  con el asunto omitir08

Re: macppc: firefox 3.6.8 crashing (same as 3.6.7)

[David Coppa]

On Thu, Jul 29, 2010 at 3:42 AM, patrick keshishian pkesh...@gmail.com wrote:
 FF 3.6.7 was crashing as reported by Dawe and me[1] same as X (from
 snapshots and built from source). Rebuilding xenocara from source with
 debug got X working (don't know why).

 I tried building FF 3.6.8 and it too is crashing with signal 11. I
 built FF 3.6.8 with DEBUG=-g -O0 hoping to at least get a backtrace
 out of the core, but evidently the resulting binary is stripped[2]
 (brilliant!).

 Question: I'm about to rebuild this monster again on my slow ibook.
 how do I prevent it from being stripped?

 Google finds me --disable-install-strip, but does our port
 infrastructure provide a more uniform way of handling this across all
 (or most) ports?

DEBUG=-g -O0 INSTALL_STRIP= make clean repackage reinstall

Ciao,
David

Re: pf synproxy

[Ryan McBride]

On Wed, Jul 28, 2010 at 07:59:20PM -0700, Justin wrote:
Confirmed - synproxy works great if the synproxy machine is the
 default gateway for the end host.

Yes, PF has to handle every packet of a synproxy'd connection.


  Sadly this means scalability (adding multiple synproxy boxes) is not
  possible, nor is it possible to filter a specific IP out of the end
  machines ranges.

It's not clear what you mean by either of these statements.


Perhaps I'm shooting for the moon here - but shouldn't it be
 possible to have a machine validate a remote host to be real and
 then create a state to simply permit all traffic from it to pass
 without additional filtering? Thus no breaking of packets and
 allowing the remote host to respond directly?

I don't think it is possible to do what you want.  Once you have
completed the 3-way handshake and negotiated a set of sequence numbers
to use for the connection, there is no way to simply dump the
established connection on another box that knows nothing about it.

synproxy works by completing the 3-way handshake with the source first,
then negotiating a separate 3-way handshake with the client. Because the
negotiations are separate and the two endpoints have no direct knowlege
of each other, there sequence numbers negotiated are different. PF
handles translation between the different sets of sequence numbers, and
has to be man-in-the middle for every packet on the connection in order
to do this translation.