Re: pf question: multiple multihomed machines

2011-01-06 Thread lilit-aibolit
gwes wrote:

> What is the recommended pf.conf to get symmetrical routing
> for incoming and outgoing connections using a dual-homed
> gateway and internal hosts with static IPs on both WANs?
>
> I'm assuming "route-to" and "reply-to" are the correct
> tools to use.
>
> I've looked at the FAQ, googled for dual & multihomed machines,
> and haven't found a clear answer yet.
>
> I know there's a multihome section in the FAQ, but
> it only handles pools of nat-ed machines, and the last couple
> of lines are not obvious.

Hi, I use policy-based routing with PF. I have one local_if and three
external_if. Two of them have their own gateway, and one doesn't.
Here is my pf.conf. It has no comments, but if you read it carefully
it is all there.
Have a nice day with PF =)

#$OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if_a = "xl0"
ext_gw_a = "195.26.xxx.xxx"

ext_if_b = "fxp1"
ext_gw_b = "188.230.xxx.xxx"

ext_if_c = "fxp2"
ext_gw_c = "172.20.252.33"

int_if   = "fxp0"

table  const { self }
table   { 192.168.16.0/24 }
table   { 192.168.16.1, 192.168.16.4, 192.168.16.6, 192.168.16.100 }
table { 192.168.16.2 }
table <1c> { 192.168.16.3 }
table { 192.168.16.4 }
table { 192.168.16.5 }
table  { 192.168.16.7 }
table   { 192.168.16.188 }
table   { 192.168.16.200 }
#table {  }
table { 194.44.xxx.xxx, 217.12.xxx.xxx }
table { 192.168.16.184, 192.168.16.185, 192.168.16.201, \
	192.168.16.207, 192.168.16.210, 192.168.16.218, \
	192.168.16.221, 192.168.16.241 }
table   { 192.168.15.0/24 }
table { 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, \
	127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, \
	172.16.0.0/12, 191.255.0.0/16, 192.0.2.0/24, \
	192.168.0.0/16, 240.0.0.0/4, 255.255.255.0/24 }
table  persist
table  file "/etc/advertisement"

set skip on { lo0, enc0 }
set loginterface $ext_if_b
set timeout { frag 20, tcp.established 3600 }
set block-policy drop

antispoof quick for { fxp1, fxp2, xl0 }

match in all scrub (no-df)

#anchor "ftp-proxy/*"

#queueing
#altq on fxp0 cbq bandwidth 400Kb queue { q_std_a, q_mail_a, q_www_a }
#queue q_std_a  bandwidth 10% priority 1 cbq (default)
#queue q_mail_a bandwidth 70% priority 5 cbq (borrow)
#queue q_www_a  bandwidth 20% priority 3 cbq (borrow)
#altq on fxp1 cbq bandwidth 4Mb queue { q_std_b, q_admin, q_kl-bank, q_www_b }
#queue q_std_b   bandwidth 5% priority 1 cbq(default)
#queue q_admin   bandwidth 40% priority 4 cbq(borrow)
#queue q_kl-bank bandwidth 15% priority 7 cbq(borrow)
#queue q_www_b   bandwidth 40% priority 2 cbq(borrow)

#nat
match out on $ext_if_a inet proto tcp from  to ! nat-to $ext_if_a
match out on $ext_if_b inet from  to ! nat-to $ext_if_b
match out on $ext_if_b inet from  to ! nat-to $ext_if_b
match out on $ext_if_c inet proto { tcp, udp } from  to any nat-to $ext_if_c
#rdr
match in on $ext_if_a inet proto tcp from any to $ext_if_a port { smtp, smtps, 444, 5 } tag MAIL_A rdr-to 
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 444 tag EXT_B rdr-to 
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 666 tag EXT_B rdr-to <1c> port rdp
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 50666 tag EXT_B rdr-to  port rdp
#match in on $ext_if_b inet proto udp from any to $ext_if_b port 27015 tag EXT_B rdr-to 
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55111 tag EXT_B rdr-to 
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 1 tag EXT_B rdr-to  port rdp
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55222 tag EXT_B rdr-to 192.168.16.26 port ssh
match in on $ext_if_b inet proto tcp from any to $ext_if_b port 55333 tag EXT_B rdr-to 192.168.16.26 port 80
#match in on $int_if inet proto tcp from <1c> to any port www rdr-to 127.0.0.1 port 3128
#match in on $ext_if_b inet proto tcp from any to $ext_if_b port 8080 tag EXT_B rdr-to 192.168.16.100 port 80
#match in on $ext_if_b inet proto tcp from any to $ext_if_b port { 6001, 6002 } tag EXT_B rdr-to 192.168.16.100
#block
block in quick on $ext_if_a from 
block in quick on $int_if from any to 
block quick proto tcp flags /S
block quick proto tcp flags A/A
block in quick on { $ext_if_a, $ext_if_b } from  to any
block out quick on { $ext_if_a, $ext_if_b } from any to 
block log all
#in
pass in on $ext_if_a inet proto tcp from any to $ext_if_a port 5522 reply-to ($ext_if_a $ext_gw_a)
pass in on $ext_if_b inet proto udp from any to $ext_if_b port domain reply-to ($ext_if_b $ext_gw_b)
pass in on $ext_if_a inet proto udp from any to $ext_if_a port domain reply-to ($ext_if_a $ext_gw_a)
pass in on $ext_if_b inet proto tcp from any to $ext_if_b port { ftp, smtp,
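A minimal pf.conf for the dual-homed setup gwes asks about, added here as an illustration and not taken from lilit-aibolit's configuration above; the interface names, next-hop addresses (RFC 5737 documentation ranges) and the two host tables are assumed. It pairs reply-to on connections arriving at each WAN with route-to for the internal hosts pinned to a given uplink, and ends with the kind of pass out route-to rules the FAQ's multihome example closes with.

```pf
# Constructed example: fxp0 is the LAN, xl0 and fxp1 are the two uplinks,
# each with its own next hop (addresses assumed, not from the thread).
int_if   = "fxp0"
lan_net  = "192.168.16.0/24"
ext_if_a = "xl0"
ext_gw_a = "192.0.2.1"
ext_if_b = "fxp1"
ext_gw_b = "198.51.100.1"

# Internal hosts with static addresses that must always leave via A or via B.
table <via_a> { 192.168.16.4, 192.168.16.6 }
table <via_b> { 192.168.16.2 }

set skip on lo0
set block-policy drop
match in all scrub (no-df)

# NAT: a packet leaving on an uplink is sourced from that uplink's address,
# so the far end answers to the interface the packet actually left on.
match out on $ext_if_a inet from $lan_net nat-to ($ext_if_a)
match out on $ext_if_b inet from $lan_net nat-to ($ext_if_b)

block log all
antispoof quick for { $ext_if_a, $ext_if_b, $int_if }

# Inbound to a WAN address: reply-to pins the return traffic of that state
# to the interface and gateway it arrived on, whatever the default route says.
pass in on $ext_if_a inet proto tcp from any to ($ext_if_a) port ssh \
    reply-to ($ext_if_a $ext_gw_a)
pass in on $ext_if_b inet proto tcp from any to ($ext_if_b) port ssh \
    reply-to ($ext_if_b $ext_gw_b)

# LAN traffic for the gateway itself or for the LAN must never be pushed
# out an uplink, so it is passed quick before any route-to rule can match.
pass in quick on $int_if inet from $lan_net to ($int_if)
pass in quick on $int_if inet from $lan_net to $lan_net

# Outbound from the LAN. pf keeps the last matching rule, so the general
# pass comes first and the per-host route-to rules below override it.
pass in on $int_if inet from $lan_net to any
pass in on $int_if inet from <via_a> to any route-to ($ext_if_a $ext_gw_a)
pass in on $int_if inet from <via_b> to any route-to ($ext_if_b $ext_gw_b)

pass out on $int_if inet from any to $lan_net
pass out on { $ext_if_a, $ext_if_b } inet

# Locally generated packets carrying the other uplink's address would follow
# the default route; send them out the uplink that owns that address instead.
pass out on $ext_if_a inet from ($ext_if_b) route-to ($ext_if_b $ext_gw_b)
pass out on $ext_if_b inet from ($ext_if_a) route-to ($ext_if_a $ext_gw_a)
```

Check the ruleset with pfctl -nf before loading it, and verify the symmetric path with tcpdump on both uplinks while connecting in from each WAN address.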

multicore processors gain

2011-01-06 Thread Mihai Popescu B.S.
Hello,

I got the idea from FAQ that OpenBSD is not using more than one core
from multicore processors.
Pretending I got it right, what's the benefit to buy an Intel Core 2
Duo? Just the bigger cache and some extra instructions?

Is there a difference in how OpenBSD handles let's say a multicore
processor or an architecture with blade processors?

Thanks.



Re: OpenBSD 4.8 modify rts values

2011-01-06 Thread Fred Crowson
On 6 January 2011 10:58, Sam Fourman Jr.  wrote:
> Hello list
>
> I have a OpenBSD wifi AP and it has a ral 2860 device
>
> I need to modify the rts values like in this link
>
> http://supremetechs.com/2009/07/24/slow-wifi-iphone-3gs/
>
>
> does ifconfig have this ability?

mtu setting might be what you're after, but I guess this would be better
solved in pf using fragment handling.

hth

Fred



Re: OpenBSD 4.8 modify rts values

2011-01-06 Thread Sam Fourman Jr.
On Thu, Jan 6, 2011 at 5:47 AM, Fred Crowson  wrote:
> On 6 January 2011 10:58, Sam Fourman Jr.  wrote:
>> Hello list
>>
>> I have a OpenBSD wifi AP and it has a ral 2860 device
>>
>> I need to modify the rts values like in this link
>>
>> http://supremetechs.com/2009/07/24/slow-wifi-iphone-3gs/
>>
>>
>> does ifconfig have this ability?
>
> mtu setting might be what your after, but I guess this would be better
> solved in pf using fragment handling.
>
> hth
>
> Fred
>

I tried messing with this line in pf.conf

match on ral0 all scrub (random-id min-ttl 254 set-tos lowdelay reassemble tcp max-mss 1472)

doesn't seem to help, even if I lower the max-mss setting as low as
1280, the iphone 3gs still is pretty dismal


-- 

Sam Fourman Jr.
Fourman Networks
http://www.fourmannetworks.com



Re: multicore processors gain

2011-01-06 Thread Robert
On Thu, 6 Jan 2011 13:45:05 +0200
"Mihai Popescu B.S."  wrote:
> I got the idea from FAQ that OpenBSD is not using more than one core
> from multicore processors.

http://www.openbsd.org/faq/faq8.html#SMP

As soon as you run more than just the kernel on your system (...), the
other CPUs/cores will be used as well.

regards,
Robert



Re: VPNC - anyone still using it?

2011-01-06 Thread Pierre-Emmanuel André
On Wed, Jan 05, 2011 at 10:20:03PM +0100, Christian Kildau wrote:
> Hi all,
> 
> I'm having a hard time getting vpnc (0.5.3) from packages to work on 4.8.
> I have it running on Mac OS X (and Linux also), but it just doesn't work(tm)
> on OpenBSD.
> 
> Everything gets set up properly (in my eyes). The tun device is created, the
> IP Address is assigned, the routes are set. But it looks like vpnc just
> doesn't forward anything.
> 
> net.inet.esp.enable and net.inet.ah.enable are set to 0, as mentioned by the
> vpnc installation script.
> 
> # ping sipgate.de
> PING sipgate.de (217.10.79.9): 56 data bytes
> ping: sendto: No buffer space available
> ping: wrote sipgate.de 64 chars, ret=-1
> 
> Has anyone got this working on a recent OpenBSD?
> 
> 
> 
> 
> 
> 
> IPSec gateway secureconnect.sipgate.net
> IPSec ID secureconnect.sipgate.net
> IPSec secret sipgate-key
> #IPSec target network 217.10.64.0/255.255.240.0
> IKE Authmode psk
> Xauth username user
> Xauth password pass
> #NAT Traversal Mode force-natt
> Script /etc/vpnc/vpnc-sipgate-script
> 
> (Custom script is the default one, minus the resolv.conf handling and sets
> 217.10.64.0/255.255.240.0 instead of default route)
> 
> tun0: flags=51 mtu 1412
> priority: 0
> groups: tun
> status: active
> inet 212.9.32.144 --> 212.9.32.144 netmask 0x
> 
> # netstat -nrf inet
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
> default            10.1.16.1          UGS        4       32     -     8 em0
> 10.1.16/24         link#1             UC         2        0     -     4 em0
> 10.1.16.1          00:50:8b:95:a4:d2  UHLc       1        5     -     4 em0
> 10.1.16.128        00:23:df:a7:8d:9e  UHLc       1      154     -     4 em0
> 10.1.16.222        127.0.0.1          UGHS       0        0 33160     8 lo0
> 127/8              127.0.0.1          UGRS       0        0 33160     8 lo0
> 127.0.0.1          127.0.0.1          UH         2        0 33160     4 lo0
> 212.9.32.151       212.9.32.151       UH         1        0     -     4 tun0
> 217.10.64/20       212.9.32.151       UGS        0        0     -     8 tun0
> 224/4              127.0.0.1          URS        0        0 33160     8 lo0
> 

I use it everyday at work with OpenBSD -current.
Do you have a rule in your pf.conf to allow traffic on tunX ?


-- 
Pierre-Emmanuel André 
GPG key: 0x7AE329DC



Re: VPNC - anyone still using it?

2011-01-06 Thread Christian Kildau
(Sorry Piere, that was meant to go to the list in the first place...)

I have pf disabled on the vpnc machine. But I indeed have pf running
on my gateway (doing nat). But as I said, it does work with other
machines.

Or do I really have to open anything up on the gateway?

2011/1/6 Pierre-Emmanuel André :
> On Wed, Jan 05, 2011 at 10:20:03PM +0100, Christian Kildau wrote:
>> Hi all,
>>
>> I'm having a hard time getting vpnc (0.5.3) from packages to work on 4.8.
>> I have it running on Mac OS X (and Linux also), but it just doesn't work(tm)
>> on OpenBSD.
>>
>> Everything gets set up properly (in my eyes). The tun device is created, the
>> IP Address is assigned, the routes are set. But it looks like vpnc just
>> doesn't forward anything.
>>
>> net.inet.esp.enable and net.inet.ah.enable are set to 0, as mentioned by the
>> vpnc installation script.
>>
>> # ping sipgate.de
>> PING sipgate.de (217.10.79.9): 56 data bytes
>> ping: sendto: No buffer space available
>> ping: wrote sipgate.de 64 chars, ret=-1
>>
>> Has anyone got this working on a recent OpenBSD?
>>
>>
>>
>>
>>
>>
>> IPSec gateway secureconnect.sipgate.net
>> IPSec ID secureconnect.sipgate.net
>> IPSec secret sipgate-key
>> #IPSec target network 217.10.64.0/255.255.240.0
>> IKE Authmode psk
>> Xauth username user
>> Xauth password pass
>> #NAT Traversal Mode force-natt
>> Script /etc/vpnc/vpnc-sipgate-script
>>
>> (Custom script is the default one, minus the resolv.conf handling and sets
>> 217.10.64.0/255.255.240.0 instead of default route)
>>
>> tun0: flags=51 mtu 1412
>> priority: 0
>> groups: tun
>> status: active
>> inet 212.9.32.144 --> 212.9.32.144 netmask 0x
>>
>> # netstat -nrf inet
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
>> default            10.1.16.1          UGS        4       32     -     8 em0
>> 10.1.16/24         link#1             UC         2        0     -     4 em0
>> 10.1.16.1          00:50:8b:95:a4:d2  UHLc       1        5     -     4 em0
>> 10.1.16.128        00:23:df:a7:8d:9e  UHLc       1      154     -     4 em0
>> 10.1.16.222        127.0.0.1          UGHS       0        0 33160     8 lo0
>> 127/8              127.0.0.1          UGRS       0        0 33160     8 lo0
>> 127.0.0.1          127.0.0.1          UH         2        0 33160     4 lo0
>> 212.9.32.151       212.9.32.151       UH         1        0     -     4 tun0
>> 217.10.64/20       212.9.32.151       UGS        0        0     -     8 tun0
>> 224/4              127.0.0.1          URS        0        0 33160     8 lo0
>>
>
> I use it everyday at work with OpenBSD -current.
> Do you have a rule in your pf.conf to allow traffic on tunX ?
>
>
> --
> Pierre-Emmanuel André 
> GPG key: 0x7AE329DC
>



--
http://www.chrisk.de/



Re: Newbie Network/PF Question

2011-01-06 Thread David Walker
While we're piling on ...

I have three interfaces, vr0 is my internet (pppoe), vr1 and vr2 are
my internal networks.
This gives me a good mental picture ...

# packet filtering

block all

# pppoe0:network

pass out on pppoe0 inet from (pppoe0) to any
pass out on pppoe0 inet from vr1:network nat-to (pppoe0)
pass out on pppoe0 inet from vr2:network nat-to (pppoe0)

# vr1:network

pass in on vr1 inet from vr1:network to any
pass out on vr1 inet from vr1 to vr1:network
pass out on vr1 inet from vr2:network to vr1:network

# vr2:network

pass in on vr2 inet from vr2:network to any
pass out on vr2 inet from vr2 to vr2:network
pass out on vr2 inet from vr1:network to vr2:network

... add echo, port rules, etcetera as necessary.
I think that does pretty much what you want - my setup is ziggactly the same.

Best wishes.



Re: Newbie Network/PF Question

2011-01-06 Thread Mike.
On 1/5/2011 at 2:56 PM Axton wrote:

|On Wed, Jan 5, 2011 at 10:14 AM, Mike.  wrote:
|
|> On 1/4/2011 at 10:57 PM Josh Smith wrote:
|>
|> |
|> |pass in on $int_if0 # pass all incoming traffic on our internal
|> interface
|> |pass in on $int_if1 # pass all incoming traffic on our internal
|> interface from the test network
|>
|>
|>
|>
|>
|> I have two internal subnetworks, one for standard frames and one for
|> jumbo frames.
|>
|> Instead of the two rules you cite, I use the following:
|>
|>
|>
|>
|> # macros
|> std_if = "em1"
|> jum_if = "em0"
|> loc_if = "lo0"
|>
|>
|> # let internal traffic flow unimpeded
|> pass  quick on $loc_if
|> pass  quick on $std_if
|> pass  quick on $jum_if
|>
|>
|"set skip" is probably more efficient.


It's a very light-duty firewall, but I'll read up on your suggestion
anyway.

Thanks.



Top up your mobile phone for free!

2011-01-06 Thread Saldo Mobile



OpenBSD with PHP and MySQL

2011-01-06 Thread Ben Adams
I know OpenBSD is built for security.
Using OpenBSD with bigmem on Mysql and PHP (No need for apache) machine.
How much of a performance difference is there from FreeBSD??
Looking for % or TBS or QBS.

Machines will be mini 1U.
one Quad core and 8GB of ram.

Thanks and yes OpenBSD is built for security. Just looking for performance 
difference.


Ben Adams
SpryMed -- http://www.SpryMed.com



Re: OpenBSD with PHP and MySQL

2011-01-06 Thread Otto Moerbeek
On Thu, Jan 06, 2011 at 10:43:51AM -0500, Ben Adams wrote:

> I know OpenBSD is built for security.
> Using OpenBSD with bigmem on Mysql and PHP (No need for apache) machine.
> How much of a performance difference is there from FreeBSD??
> Looking for % or TBS or QBS.
> 
> Machines will be mini 1U.
> one Quad core and 8GB of ram.
> 
> Thanks and yes OpenBSD is built for security. Just looking for performance 
> difference.

The only way to answer this is to do the measurements yourself, using
*your* hardware and *your* application.

-Otto



Re: multicore processors gain

2011-01-06 Thread Jeremy Chase
This is my not-so-technical understanding.

OpenBSD's current SMP status:
- The kernel uses a single lock for shared data. My understanding is
that this means that the kernel itself doesn't benefit from SMP as
much as it could otherwise, but it does use multiple cores. (I
believe, but would like confirmation from someone who knows)
- Userland processes can run on as many cores as are supported. So if
you have multiple processes that are using a lot of CPU time, they
will be split across all cores.
- However all threads in a multi-threaded process will run on one
core. For example Mysql will only use a single core, even though it is
multi-threaded.

Bottom line, SMP is very well supported. People blow the BKL thing out
of proportion.

--
Jeremy Chase
http://twitter.com/jeremychase



On Thu, Jan 6, 2011 at 6:45 AM, Mihai Popescu B.S.  wrote:
>
> Hello,
>
> I got the idea from FAQ that OpenBSD is not using more than one core
> from multicore processors.
> Pretending I got it right, what's the benefit to buy an Intel Core 2
> Duo? Just the bigger cache and some extra instructions?
>
> Is there a difference in how OpenBSD handles let's say a multicore
> processor or an architecture with blade processors?
>
> Thanks.



no to mbox from smtpd

2011-01-06 Thread levitch

If I send mail to this_user then delivery is okay.  If I send mail
to root:

$ mail
No mail for this_user

# mail
No mail for root

- this is smtpd.conf:
that_if= "re0"
listen on lo0
listen on $that_if
#listen on $wan_if tls enable auth
map aliases { source db "/etc/mail/aliases.db" }
accept for local alias aliases deliver to mbox
#accept for local deliver to mda "procmail -f -"
#accept from all for domain levitch.org deliver to mda "procmail \
-f -"
accept for all relay

- entry in /etc/mail/aliases:
root: this_u...@mail

#mailq
MTA|1294327504.PzDyhzcCkSSMYqdZ.527354188|PROCESSING| \
levi...@mail.levitch.org|levi...@mail|1294327505|345600|0

- then after a while '# mailq' and '# ls /var/spool/smtpd/queue'
have no output

- using current from a couple of days ago on amd64

Darrel



Re: softraid metadata change 4.7 -> 4.8

2011-01-06 Thread Nick Holland
On 01/05/11 18:17, Rodolfo Gouveia wrote:
> On 01/04/2011 08:02 PM, Joachim Schipper wrote:
>> On Tue, Jan 04, 2011 at 02:34:08PM +, Rodolfo Gouveia wrote:
>>> I have a machine with 4.7 softraid CRYPTO.
>>> On the upgrade48.html it's recommended to rebuild the softraid volume
>> I believe "rebuild" means "dump and restore" here.
> 
> Hmm ... you mean on a softraid CRYPTO only or would this apply to a
> softraid volume with RAID 1?

What new feature are you after?
Does that feature apply to crypto softraid?
There's the answer. :)

(i.e., don't sweat it)

Nick.



Re: multicore processors gain

2011-01-06 Thread Nick Holland
On 01/06/11 06:44, Mihai Popescu B.S. wrote:
> Hello,
> 
> I got the idea from FAQ that OpenBSD is not using more than one core
> from multicore processors.

please indicate where you got that from...
I can't do much about crap you "...read on the 'net...", but if there is
something in the FAQ that implies that, I can correct or clarify...

Multi-core is basically just cheap multiprocessor.  It works.  May not
be the fastest system in the world, but probably does more than what you
need...

Nick.



Re: OpenBSD with PHP and MySQL

2011-01-06 Thread Henning Brauer
* Otto Moerbeek  [2011-01-06 18:04]:
> On Thu, Jan 06, 2011 at 10:43:51AM -0500, Ben Adams wrote:
> > I know OpenBSD is built for security.
> > Using OpenBSD with bigmem on Mysql and PHP (No need for apache) machine.
> > How much of a performance difference is there from FreeBSD??
> > Looking for % or TBS or QBS.
> > 
> > Machines will be mini 1U.
> > one Quad core and 8GB of ram.
> > 
> > Thanks and yes OpenBSD is built for security. Just looking for performance 
> > difference.
> 
> The only way to answer this is to do the measurements yourself, using
> *your* hardware and *your* application.

absolutely.

in most cases there isn't much of a difference.
in a few cases - that tend to be picked to support an argument, whether
they matter in reality or not - there is a substantial difference. in
both directions.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting



Re: OpenBSD 4.8 modify rts values

2011-01-06 Thread Chris Cappuccio
That link (and this thread) read like the blind leading the blind.

Enabling RTS/CTS with packet sizes above 1500 is probably not what is fixing 
his problem

And changing the mtu has nothing to do with any of this.

If enabling RTS fixes problems, then using a cleaner frequency should do the 
same

Unfortunately I don't think you can activate RTS under OpenBSD yet

Sam Fourman Jr. [sfour...@gmail.com] wrote:
> Hello list
> 
> I have a OpenBSD wifi AP and it has a ral 2860 device
> 
> I need to modify the rts values like in this link
> 
> http://supremetechs.com/2009/07/24/slow-wifi-iphone-3gs/
> 
> 
> does ifconfig have this ability?
> -- 
> 
> Sam Fourman Jr.
> Fourman Networks
> http://www.fourmannetworks.com

-- 
Let food be thy medicine and medicine be thy food - Hippocrates



Re: multicore processors gain

2011-01-06 Thread Chris Cappuccio
Jeremy Chase [jeremych...@gmail.com] wrote:
> This is my not-so-technical understanding.
> 
> OpenBSD's current SMP status:
> - The kernel uses a single lock for shared data. My understanding is
> that this means that the kernel itself doesn't benefit from SMP as
> much as it could otherwise, but it does use multiple cores. (I
> believe, but would like confirmation from someone who knows)

Which isn't "symmetric" at all.  Having said that, I suspect most people don't 
get much benefit today from SMP outside of heavy server applications

> - Userland processes can run on as many cores as are supported. So if
> you have multiple processes that are using a lot of CPU time, they
> will be split across all cores.
> - However all threads in a multi-threaded process will run on one
> core. For example Mysql will only use a single core, even though it is
> multi-threaded.
> 

The threaded issue is actively being worked on with the development of the 
rthreads library and related kernel changes to accommodate rthreads.  It turned 
out to be a deep hole, but it is likely to be working long before the kernel 
itself can use multiple processors

> Bottom line, SMP is very well supported. People blow the BKL thing out
> of proportion.

I think people have looked at using multiple cores for offloading crypto, pf, 
various parts of the kernel, but make no mistake, the kernel is totally limited 
to one core.

But, yeah, if you want to maximize your 48 core AMD box in a data center and 
you don't see make -j48 as a practical application, OpenBSD may not be "there" 
yet for you.  I don't have anything with more than 4 cores, so it was never 
really a concern for me :)



Re: OpenBSD with PHP and MySQL

2011-01-06 Thread rancor
Please keep in mind that bigmem is unsupported and it may not work as
expected.


The support part can be a big issue and it's important if you are using
OpenBSD within your business to calculate the risk that you can't buy
support directly from OpenBSD. There are consultants in most countries but
it's not the same thing.


// rancor

2011/1/6 Henning Brauer 

> * Otto Moerbeek  [2011-01-06 18:04]:
> > On Thu, Jan 06, 2011 at 10:43:51AM -0500, Ben Adams wrote:
> > > I know OpenBSD is built for security.
> > > Using OpenBSD with bigmem on Mysql and PHP (No need for apache)
> machine.
> > > How much of a performance difference is there from FreeBSD??
> > > Looking for % or TBS or QBS.
> > >
> > > Machines will be mini 1U.
> > > one Quad core and 8GB of ram.
> > >
> > > Thanks and yes OpenBSD is built for security. Just looking for
> performance difference.
> >
> > The only way to answer this is to do the measurements yourself, using
> > *your* hardware and *your* application.
>
> absolutely.
>
> in most cases there isn't much of a difference.
> in a few cases - that tend to be picked to support an argument, whether
> they matter in reality or not - there is a substantial difference. in
> both directions.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting



Re: OpenBSD with PHP and MySQL

2011-01-06 Thread Christopher Dukes
On Thu, 2011-01-06 at 10:43 -0500, Ben Adams wrote:
> I know OpenBSD is built for security.
> Using OpenBSD with bigmem on Mysql and PHP (No need for apache) machine.
> How much of a performance difference is there from FreeBSD??
> Looking for % or TBS or QBS.
> 
> Machines will be mini 1U.
> one Quad core and 8GB of ram.
> 
> Thanks and yes OpenBSD is built for security. Just looking for performance 
> difference.

In all my years of dealing with bad apps I've found that 99 times out of
100 when an application is spinning enough that the hardware isn't
mostly idle that the root cause is the crap code in the app and not the
OS or the hardware.

If in doubt as to how to run the app to get the most bang for the buck,
record a representative flow of transactions to the app and play back
that recording as an app specific benchmark on your own hardware (Or if
your hardware vendor is really nice on some evaluation hardware from
them).

That you don't realize that you need to develop and run your own
benchmarks tells me that putting OpenBSD into the mix won't do a damn
thing to address the security and logic issues within your own app, so
you may as well go with whatever OS can bring you the cheapest pool of
minions.

You're welcome.

Chris Dukes

P.S. I look forward to reading about SpryMed data leaks in a future
issue of Risks Digest. 



'\$' or '#' must appear in PS1 in order to be properly exported as root?

2011-01-06 Thread Ezequiel Garzón
Greetings. This is my first post to the OpenBSD community, so please
let me know if I'm in the wrong list, this is just too basic or any
other faux pas.

Under the default ksh, the default /root/.profile and indeed a
completely fresh 4.8 install, adding the following line to
/root/.profile does not work as expected:

export PS1='$PWD '

The login shell is '/root ', which makes sense to me, but all child
shells get the default '# ', despite PS1 being exported. Even more
strange, this doesn't happen when PS1 contains '\$' or '#'; it looks
like the hash must be in the root prompt. Non-root users are not
affected by the equivalent restriction (PS1 may not contain '\$' or
'$').

Could anyone point out why this happens? Can this behavior be
modified? Coming from a fresh install, there is no /etc/profile or
/root/.kshrc.

Thank you in advance for your help.

Cheers,

Ezequiel



Re: '\$' or '#' must appear in PS1 in order to be properly exported as root?

2011-01-06 Thread Ezequiel Garzón
Thank you for your reply, Roberth

> The default prompt is `$ ' for non-root users, `# ' for root.
> If ksh is invoked by root and PS1 does not contain a `#'
> character, the default value will be used even if PS1 already
> exists in the environment.

But isn't PS1 supposed to alter the (default) prompt? It does so for
non-root users (even if the new PS1 doesn't contain '$'), and also in
other POSIX-compliant shells.



Re: '\$' or '#' must appear in PS1 in order to be properly exported as root?

2011-01-06 Thread Ezequiel Garzón
On Thu, Jan 6, 2011 at 11:18 PM, xSAPPYx  wrote:
> I think ksh(1) man page has the info, or maybe it is intro(8)
>
> Try this:
>  echo "export ENV=$HOME/.kshrc" >> ~/.profile
>  echo ". /etc/ksh.kshrc" >> ~/.kshrc

Yes, in that case the new PS1 value is set by ~/.kshrc, which
overrides whatever I did in .profile, but that still leaves me
wondering as to why this happens: what other file or setting is being
read that changes PS1 back to its default setting?



Re: '\$' or '#' must appear in PS1 in order to be properly exported as root?

2011-01-06 Thread roberth
On Thu, 6 Jan 2011 23:35:32 +0100
Ezequiel Garzón  wrote:

> On Thu, Jan 6, 2011 at 11:18 PM, xSAPPYx  wrote:
> > I think ksh(1) man page has the info, or maybe it is intro(8)
> >
> > Try this:
> >  echo "export ENV=$HOME/.kshrc" >> ~/.profile
> >  echo ". /etc/ksh.kshrc" >> ~/.kshrc
>
> Yes, in that case the new PS1 value is set by ~/.kshrc, which
> overrides whatever I did in .profile, but that still leaves me
> wondering as to why this happens: what other file or setting is being
> read that changes PS1 back to its default setting?
>

bin/ksh/main.c:
	safe_prompt = ksheuid ? "$ " : "# ";
	{
		struct tbl *vp = global("PS1");

		/* Set PS1 if it isn't set, or we are root and prompt doesn't
		 * contain a # or \$ (only in ksh mode).
		 */
		if (!(vp->flag & ISSET) ||
		    (!ksheuid && !strchr(str_val(vp), '#') &&
		    (Flag(FSH) || !strstr(str_val(vp), "\\$"))))
			/* setstr can't fail here */
			setstr(vp, safe_prompt, KSH_RETURN_ERROR);
	}



Re: softraid metadata change 4.7 -> 4.8

2011-01-06 Thread Rodolfo Gouveia
On 01/06/2011 05:43 PM, Nick Holland wrote:
[snip]
> What new feature are you after?
> Does that feature apply to crypto softraid?
> There's the answer. :)

None actually. :-)
I was just being cautious not to run into problems with an "old" softraid
volume and newer systems, but the upgrade guide clearly states that at
least for this release, 4.8, backwards compatibility was achieved.

Thanks Joachim and Nick.

Cheers,
--rodolfo



Re: '\$' or '#' must appear in PS1 in order to be properly exported as root?

2011-01-06 Thread Ezequiel Garzón
Wow, that's what I call deep knowledge! Thank you for explaining it, Roberth.

Best,

Ezequiel

On Thu, Jan 6, 2011 at 11:58 PM, roberth  wrote:
> On Thu, 6 Jan 2011 23:35:32 +0100
> Ezequiel Garzón  wrote:
>
>> On Thu, Jan 6, 2011 at 11:18 PM, xSAPPYx  wrote:
>> > I think ksh(1) man page has the info, or maybe it is intro(8)
>> >
>> > Try this:
>> >  echo "export ENV=$HOME/.kshrc" >> ~/.profile
>> >  echo ". /etc/ksh.kshrc" >> ~/.kshrc
>>
>> Yes, in that case the new PS1 value is set by ~/.kshrc, which
>> overrides whatever I did in .profile, but that still leaves me
>> wondering as to why this happens: what other file or setting is being
>> read that changes PS1 back to its default setting?
>>
>
> bin/ksh/main.c:
> 	safe_prompt = ksheuid ? "$ " : "# ";
> 	{
> 		struct tbl *vp = global("PS1");
>
> 		/* Set PS1 if it isn't set, or we are root and prompt doesn't
> 		 * contain a # or \$ (only in ksh mode).
> 		 */
> 		if (!(vp->flag & ISSET) ||
> 		    (!ksheuid && !strchr(str_val(vp), '#') &&
> 		    (Flag(FSH) || !strstr(str_val(vp), "\\$"))))
> 			/* setstr can't fail here */
> 			setstr(vp, safe_prompt, KSH_RETURN_ERROR);
> 	}



pf and DNS

2011-01-06 Thread Girish Venkatachalam
I try to use OpenBSD wherever I can, and in the firewall I have
installed in a big jewel store here I have the following problem.

Many websites these days "Akamaize" or do whatever gives them a
different IP address every time you access it.

And consequently pf, which does not know a thing about domains, does not help us.

I want a solution which can address this.

What I currently do is add an entry manually to /etc/hosts and ask
everyone in the network to use my DNS.

It is crappy and bereft with 100s of problems.

First thing is that it does not allow us to use "Akamaizer" and load
balancing feature offered by them.

And it is not a good idea to change on every computer...

Is there a better idea?

-Girish

-- 
Gayatri Hitech

http://gayatri-hitech.com
gir...@gayatri-hitech.com



Re: no to mbox from smtpd

2011-01-06 Thread levitch

Well, I changed /etc/mail/aliases:

root:  this_us...@mail.levitch.org

Mail arrives now.  Also, with smtpd.conf modified:

- comment out loopback:
# listen on lo0

effect is the same.

Anyhow, this was the first time I needed fqdn in aliases file on
localhost.

Darrel

On Thu, 6 Jan 2011 levi...@iglou.com wrote:


> If I send mail to this_user then delivery is okay.  If I send mail
> to root:
>
> $ mail
> No mail for this_user
>
> # mail
> No mail for root
>
> - this is smtpd.conf:
> that_if= "re0"
> listen on lo0
> listen on $that_if
> #listen on $wan_if tls enable auth
> map aliases { source db "/etc/mail/aliases.db" }
> accept for local alias aliases deliver to mbox
> #accept for local deliver to mda "procmail -f -"
> #accept from all for domain levitch.org deliver to mda "procmail \
> -f -"
> accept for all relay
>
> - entry in /etc/mail/aliases:
> root: this_u...@mail
>
> #mailq
> MTA|1294327504.PzDyhzcCkSSMYqdZ.527354188|PROCESSING| \
>
> - then after a while '# mailq' and '# ls /var/spool/smtpd/queue'
> have no output




Panic caused by nVidia MPC61 Ethernet adapter.

2011-01-06 Thread Travis King
I installed 4.8-release for i386 via install48.iso found on the FTPs.

However, to finish the install I had to disable my onboard ethernet LAN
in BIOS to get past the network setup phase - otherwise the machine
would completely lock up.

This is the first time I've installed OpenBSD on this machine. I know
nVidia isn't that great of company.

After re-enabling it in BIOS it boots normally and the machine functions
until I issue 'ifconfig' with no arguments - it locks up completely
just like during the install.

When booting it 'enables' networking but does not freeze and I'm able
to do other things like start X and format disks/etc. I don't have any
ethernet cables attached during any of this.

When invoking reboot while the LAN via BIOS was enabled the machine
panicked:

# reboot
panic: rlphy_service: attempt to isolate phy
Stopped at  Debugger+0x4:   popl%ebp
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS
PANIC! DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT
INFORMATION!
ddb>

Noticing the all caps, I followed orders.

ddb> trace
Debugger(d08bb89c,de256cd8,d08c0128,de256cd8,0) at Debugger+0x4
panic(d08c0128,d2f34f00,de256d0c,d05170a5,d09be940) at panic+0x5d
rlphy_service(d2eba400,d2da52b0,3,d06c39ec,d2da5000) at rlphy_service+0x13d
mii_pollstat(d2da52b0,de256e8c,de256e8c,d8a86c60,100) at nfe_ifmedia_sts+0x22
ifmedia_ioctl(d2da5030,de256e8c,d2da52b0,c0286936,d2da5060) at ifmedia_ioctl+0x87
nfe_ioctl(d2da5030,c0286936,de256e8c,d2da5030,d2da5030) at nfe_ioctl+0xad
ifioctl(d8aa2358,c0286936,de256e8c,d8a873c0,28) at ifioctl+0x3b7
sys_ioctl(d8a873c0,de256f64,de256f84,de256fa8,d8a873c0) at sys_ioctl+0x1b8
syscall() at syscall+0x2f0
--- syscall (number 11) ---
0x2:
ddb> ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
 31868   2375   2375      0  2           0             sh
*29447   2375   2375      0  7      0x4000             ifconfig
  2375  15715   2375      0  3      0x4080  pause      sh
 15715   7650  15715      0  3      0x4080  wait       reboot
 15117  16997  15117   1000  3      0x4080  ttyin      ksh
  6158  30378   9637   1000  3      0x4080  select     FvwmPager
 30378   9637   9637   1000  3      0x4080  select     fvwm
 16997   9637   9637   1000  3     0x44180  select     xterm
  9637  12228   9637   1000  3      0x4080  pause      sh
  4513      1  14772     35  3       0x180  poll       xconsole
 24126      1  14772      0  3        0x80  netio      xconsole
 12228  23925  12228      0  3        0x80  wait       xdm
 14863  18634  18634      0  3     0x40180  netio      Xorg
 18634  23925  18634     35  3     0x44180  select     Xorg
 25565      1  25565      0  3      0x4080  ttyin      getty
 18390      1  18390      0  3      0x4080  ttyin      getty
 19425      1  19425      0  3      0x4080  ttyin      getty
 11911      1  11911      0  3      0x4080  ttyin      getty
  7650      1   7650      0  3      0x4080  pause      ksh
 23925      1  23925      0  3        0x80  pause      xdm
 27132      1  27132      0  3     0x40180  select     sendmail
 16474      1  16474      0  3        0x80  select     cron
 13751      1  13751      0  3       0x180  select     inetd
 12754  25203  25203     74  3       0x180  bpf        pflogd
 26203      1  26203      0  3        0x80  netio      pflogd
 23062  12058  12058     73  3       0x180  poll       syslogd
 12058      1  12058      0  3        0x88  netio      syslogd
    14      0      0      0  3    0x100200  bored      crypto
    13      0      0      0  3    0x100200  aiodoned   aiodoned
    12      0      0      0  3    0x100200  syncer     update
    11      0      0      0  3    0x100200  cleaner    cleaner
    10      0      0      0  3    0x100200  reaper     reaper
     9      0      0      0  3    0x100200  pgdaemon   pagedaemon
     8      0      0      0  3    0x100200  pftm       pfpurge
     7      0      0      0  3    0x100200  usbevt     usb1
     6      0      0      0  3    0x100200  usbtsk     usbtask
     5      0      0      0  3    0x100200  usbevt     usb0
     4      0      0      0  3    0x100200  bored      syswq
     3      0      0      0  3  0x40100200             idle0
     2      0      0      0  3    0x100200  kmalloc    kmthread
     1      0      1      0  3      0x4080  wait       init
     0     -1      0      0  3     0x80200  scheduler  swapper

Here is a dmesg; what stood out to me is that it repeats rlphy{0..31} at
nfe0 phy {0..31}: RTL8201L 10/100 PHY, rev. 1:

OpenBSD 4.8 (GENERIC) #136: Mon Aug 16 09:06:23 MDT 2010
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Sempron(tm) 145 Processor ("AuthenticAMD" 686-class, 1024KB L2 cache) 2.82 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,MWAIT,CX16,POPCNT
real mem  = 2113433600 (2015MB)
avail mem = 2068897792 (1973MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/10/09, BIOS32 rev. 0 @ 0x