Re: Lemote Leeyong 8101B pr0n

2011-05-20 Thread Wolf Stettler

Hello
The Lemote Netbook is great, got mine some months ago. And the progress 
of OpenBSD development for it is impressive (as usual). The only 
disadvantage is the graphical browsers, which keep crashing. But links -g 
works for most stuff.


Greetings and thanks to the developers
Wolf

On 05/19/11 12:44, Gilbert Fernandes wrote:

Hello

Just received a Lemote Leeyong 8101B (the 10 inches display model).
I took pictures of the machine from all sides + a few with a
centimeters/inches ruler for people interested in this machine.

OpenBSD support page for the platform :
http://www.openbsd.org/loongson.html

If you do not know anything about it, it's a netbook that is powered by
a Loongson (Chinese) MIPS-III chip (it has some MIPS-IV operands I
think, from a PDF I downloaded that covers its chip available operands).
The machine is fully open about its hardware : no binary blob is used
for anything and the BIOS is PMON, a C-written BIOS (Miod says it's crap
so it probably is).

Weak point of the machine would be autonomy : battery is light and
small, is rated for 23 W/h of power (fully charged I get 25 W/h from
it). SD model uses 12 W/h and hard-disk model uses 15 W/h so it gives
you 1.5 hour of autonomy under load (might get near 2h if not loaded too
much but don't hope too much for it).

The machine is loaded with a Linux (I did not power it yet).

Here are the pictures :
https://picasaweb.google.com/gilb/LemoteLeeyong8101_B#

If you want some specific pictures, close ups of some parts, please
email me.

I am going to install OpenBSD using Miod's doc and document each part of
it with pictures so the whole process for total noobs can be used.

I think this machine is the only machine currently used by Richard
Stallman because of its open hardware approach. While Theo is loading
his shotgun with salt to take care of me for saying that, please check
the pictures and consider it. It's MIPS, it runs OpenBSD, and it works
without any binary blob (it also has two stereo speakers on front if you
like to listen to music while coding ! Very nice !)

Greetings to Miod for his work on the platform, but also Jasper Lievisse
Adriaanse for allowing us to be able to use this very nice platform
on OpenBSD. Your beers are waiting for you, all expenses covered by me.




IBM xServer 336/346 - OpenBSD 4.9

2011-05-20 Thread LEVAI Daniel
Hi!


(Just for the record)
Regarding PR#6523, OpenBSD 4.9 works with pci.c 1.88 (from OPENBSD_4_9),
patched with kettenis@'s pci.c patch 1.72 [1].
I was afraid it won't apply, or there will be incompatibilities with
other parts, but so far so good.
(It's unfortunate it broke other systems :( )


Anyway, thanks!


[1]:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/pci.c.diff?r1=1.71;r2=1.72



Daniel

-- 
LÉVAI Daniel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



TODOS FRACASOS - Dr. HORACIO SEREBRINSKY

2011-05-20 Thread difusion-esa
Psicolibro Ediciones and the

  Escuela Sistémica Argentina

invite you to the launch of the book

TODOS FRACASOS

Therapeutic Experiences. For Psychologists,

Patients and the impatient.

By HORACIO SEREBRINSKY

SHORT STORIES COLLECTION

Tuesday, May 24 at 19.30 hs.

at Dolce Vita

Nicaragua 4849  City of Bs. As.

You will meet the characters from the stories who

escaped from the book. We will share some of them over wine and
empanadas.

Berta Kucher will sign copies.

I am not a lover of conversation, of having to say things to one another,
however strong they may be. There is no doubt that it is liberating for
humans and that, I fear to admit, it makes relationships grow. But reading
each page that precedes this prologue makes me feel somewhat eager to be
part of what is told. And there I find someone who has always lived, as he
will say at the beginning, telling stories. Telling and being part of
stories. Some funny, such as coming to show that Soul and Ass can turn out
to be the same thing, and others a little sadder, such as being a Racing fan
(I needed to say it)

From the prologue by Mario Pergolini.

The proceeds from sales will be donated to the Comedor La Buena Voluntad in
Ciudad Oculta. Bs As.



Maximum bandwidth per IP

2011-05-20 Thread Leonardo Lombardo
I see... I have to define a separate queue for each IP. But as far as I know
I'd have to recompile the kernel in order to have as many queues as I need
(more than 200).

Don't you think it'd be nice to have something that helps in defining such 
things? Maybe I'm approaching this problem the wrong way?

Thanks for any suggestion

Regards,
Leonardo



Re: Odd CARP behavior

2011-05-20 Thread MAROUNI Abbass

Hello,

We had the same problem a few weeks ago, where one interface on the 
backup machine decides to become master.
This will create an ARP conflict as both machines will respond to the 
ARP request, and that will make it very slow.


The first thing to check is whether the two interfaces see each other: 
are they receiving the CARP messages? Do a tcpdump and find out if the 
CARP packets are received
(they will be marked as VRRP in Wireshark).
Next, check your firewall rules (pf.conf if you are using it) and make sure 
that you pass CARP packets (add these rules after the global block rule).


After resolving this issue, use ifstated, which comes with OpenBSD, to force 
MASTER/MASTER interfaces on the machine that becomes MASTER.



On 20/05/11 00:57, Gary Thornock wrote:

My previous company has a pair of firewalls running OpenBSD 4.4 with
CARP.  They've been running with no problem since just after the 4.4
release, until the last couple of days.

Now, the firewall that should be in BACKUP state has somehow decided
that it needs to be MASTER for some, but not all, of the CARP interfaces,
even though the master machine is running fine.  Something like this:


if  machine 1   machine 2
carp0   MASTER  BACKUP
carp1   MASTER  BACKUP
carp2   MASTER  MASTER
carp3   MASTER  BACKUP
carp4   MASTER  MASTER


The interfaces where both machines try to be MASTER at the same time
become unreliable or unreachable.

I looked around Google but couldn't turn up any reports of similar
issues.  Admittedly I might have been searching for the wrong terms,
though.

Any ideas as to what could be causing this problem?  They're likely
to rebuild both machines in the next week or so, either with 4.6 (so
they can keep their existing pf.conf) or with 4.9 so as to be current,
but they'd like some assurance that a rebuild will actually solve the
problem.  (If it were, say, a failing NIC, updating the software
wouldn't help.)

For whatever it's worth, the machines in question are Poweredge R200s,
with the two on-board Broadcom gigabit ports and an additional Intel
gigabit card for pfsync.  They're running the i386 rather than the
amd64 version of OpenBSD.

Thanks in advance for any suggestions.




--
Abbass MAROUNI
Internet Memory Foundation
internetmemory.org
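
An added example (not part of the original thread, and not the posters' own
code): a POSIX shell check for the dual-MASTER condition discussed above. It
compares the "carp:" state lines in ifconfig output saved from each firewall.
The function names and the sample output, built to match the table in the
quoted report, are constructed for illustration; the "carp: STATE carpdev ..."
line layout is an assumption about ifconfig output on OpenBSD of that era.

```sh
#!/bin/sh
# Added example: flag CARP interfaces whose state is inconsistent between
# two firewalls, given saved `ifconfig` output from each one.

# sample_ifconfig STATE...
# Emit CONSTRUCTED ifconfig-style output: one carpN interface per state given.
# The line layout is assumed; device names and addresses are made up.
sample_ifconfig() {
    n=0
    for st in "$@"; do
        printf 'carp%d: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n' "$n"
        printf '\tlladdr 00:00:5e:00:01:%02x\n' "$((n + 1))"
        printf '\tcarp: %s carpdev em%d vhid %d advbase 1 advskew 0\n' "$st" "$n" "$((n + 1))"
        printf '\tgroups: carp\n'
        n=$((n + 1))
    done
}

# carp_conflicts FILE1 FILE2
# Print one line per problem interface: "<if> <verdict> <state1>/<state2>".
#   DUAL-MASTER  both hosts claim MASTER (the ARP conflict described above)
#   NO-MASTER    neither host is MASTER (for example BACKUP/BACKUP or INIT)
#   MISSING      the interface appears in only one of the two files
# Returns 0 when every interface has exactly one MASTER, 1 otherwise.
carp_conflicts() {
    report=$(awk '
        { host = (FILENAME == ARGV[1]) ? 1 : 2 }
        FNR == 1 { ifname = "" }
        # Interface header line, e.g. "carp2: flags=..."
        /^carp[0-9]+:/ { ifname = $1; sub(/:$/, "", ifname); next }
        # Indented state line, e.g. "carp: MASTER carpdev em2 vhid 3 ..."
        $1 == "carp:" && ifname != "" {
            state[host, ifname] = $2
            seen[ifname] = 1
            ifname = ""
        }
        END {
            for (i in seen) {
                a = ((1, i) in state) ? state[1, i] : "absent"
                b = ((2, i) in state) ? state[2, i] : "absent"
                if (a == "absent" || b == "absent") verdict = "MISSING"
                else if (a == "MASTER" && b == "MASTER") verdict = "DUAL-MASTER"
                else if (a != "MASTER" && b != "MASTER") verdict = "NO-MASTER"
                else continue
                print i, verdict, a "/" b
            }
        }
    ' "$1" "$2" | sort)
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Demo on constructed data mirroring the table in the report:
# machine 1 is MASTER everywhere, machine 2 is also MASTER on carp2 and carp4.
tmp=$(mktemp -d)
sample_ifconfig MASTER MASTER MASTER MASTER MASTER > "$tmp/fw1.txt"
sample_ifconfig BACKUP BACKUP MASTER BACKUP MASTER > "$tmp/fw2.txt"
carp_conflicts "$tmp/fw1.txt" "$tmp/fw2.txt" ||
    echo "CARP state conflict between the two firewalls"
rm -rf "$tmp"
```

In practice the two input files would be ifconfig output captured on each
firewall at about the same moment, since CARP states can change between
captures.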



merge 2 internet connection

2011-05-20 Thread Wesley MOUEDINE ASSABY
Hi, 

I have a client who has 2 locations : A, B 

On side A : he has a RDS Server (TSE), with a router provided by ISP
(there's no internet, it's a 2M connection) 

On side B : he has 2 IP VPN Connection to Side A (2 x routers, there's no
internet, but the link is 1M, so 2 x 1M). Users in B work on RDS Server
thanks to VPN.

(A) router A ---IP VPN--1MrouterB1 (B) 

(A) router A---IP VPN --1MrouterB2 (B) 

I want to put an OpenBSD Gateway at B Location, with 3 network cards. 

Rl0 : router B1 

Rl1 : router B2 

RL2 : LAN B

Is it possible to have thanks to PF , the 2 bandwidths (router B1 and
routerB2) cumulated, and so have a 2M connection instead of 2x 1M ? 

Thank you very much for your replies. 

Best Regards, 

Wesley MOUEDINE ASSABY



Re: sparc64 v120 needed in the Netherlands

2011-05-20 Thread Theo de Raadt
 On Wed, May 18, 2011 at 6:48 PM, Ariane van der Steldt ari...@stack.nl 
 wrote:
  Hi,
 
  For development on OpenBSD, I need a sun v120 machine in Eindhoven,
  the Netherlands.
  It turns out, I don't have a 64-bit big-endian machine (and suns are
  just awesome).
 
  Please contact me if you have one.
  Thanks,
 
 I assume this is for legacy compatibility work?

No.

We do not consider any machines like that 'legacy'.

Running the same kernel code, different machine architectures can
expose bugs differently.

Besides the i386/amd64 differences, the sparc64 and hppa architectures
are very important.  They are relatively fast and pretty weird in some
ways, so bugs are spotted fast.

 While Sun made good
 hardware, my friends in Boston universities, such as MIT and Harvard,
 with Sun hardware have been extremely unhappy with Oracle's
 support. The Oracle presented upgrade paths for such hardware has been
 basically replace the hardware and install a more supported OS such
 as the Oracle rebundled RHEL called Unbreakable Linux.

I am still hoping someone will get me a Sun/Fujitsu M3000.



Invitation to Expert Course on Google and Web Positioning

2011-05-20 Thread Pilar
Invitation to the Expert Course on Google and Web Positioning, course held
at:
Google Positioning Courses.
May 11 in Santiago de Chile.
May 13 in Temuco, Chile.
May 21 in Monterrey
June 02 in Cancún
June 7 Online, from the comfort of your home or office.
June 10 in México D.F.
June 17 in Guadalajara.
Aimed at companies that wish to improve their natural positioning in
search engines.
Google Adwords users interested in optimizing their campaigns and
pay-per-click system.

Social Networks for Business.
Santiago de Chile, May 12
Monterrey, May 19
Cancún, June 03
Guadalajara, June 16
Mexico D.F, June 24
Participants will finish the course with sufficient knowledge to
develop and execute a Social Media Marketing strategy that
lets them promote their website using advertising tools,
whether paid or free.

For more information visit our website seminariosenmexico.com

http://www.seminariosenmexico.com/

Telephones
+52 (55) 5523 0796 (México)
+56- 2 8977537 (Chile)
Contact via e-mail conta...@seminariosenmexico.com
 Messenger seminariosenmex...@hotmail.com

According to the new legislation on E m a i l, per section 301, under the
decree approved by the 105th congress, the basis of the international
regulations on S P A M, an E m a i l cannot be considered S P
A M as long as it includes a way to be removed. If you wish to be
removed from our database permanently, please reply
to this e m a i l indicating Remover in the subject field. Thank you for
your support.

To be removed from our contact list please click here and
send us a mail saying so. unsuscribir.seminarios enmex...@gmail.com



Re: merge 2 connections

2011-05-20 Thread Wesley MOUEDINE ASSABY
Sorry for the subject, but there's no Internet in the 2 connections. It is
IP VPN, to connect 2 sites.
But I have 2 connections RouterB1 and RouterB2 connected to router A.
I want to accumulate the 2 x 1M with OpenBSD (if it is possible) and so
have a big connection 2M.

(B)---LANOpenBSD(routerB1,routerB2)---VPN-NO-INTERNET--LAN---RDS(TSE)--(A)

Possible to do it with PF or trunk ? roundrobin ? 
Thank you for replies.

Wesley.

On Fri, 20 May 2011 15:33:46 +0200 (CEST), Francois Pussault
fpussa...@contactoffice.fr wrote:
 hi,
 
 I guess so, because some hardware routers have bandwidth with 2 input.
 At my last work, we used one from 2 distinct DSL connections, the router

 after it the network.
 
 So as you want to use RouterB1  RouterB2, using an unique one with 2
 inputs should be a good solution, it costs about 100$
 or you may use a software solution (but I don't know how to).
 
 
 From: Wesley MOUEDINE ASSABY open...@e-solutions.re
 Sent: Fri May 20 15:07:31 CEST 2011
 To: misc@openbsd.org
 Subject: merge 2 internet connection
 
 
 Hi, 
 
 I have a client who has 2 locations : A, B 
 
 On side A : he has a RDS Server (TSE), with a router provided by ISP
 (there's no internet, it's a 2M connection) 
 
 On side B : he has 2 IP VPN Connection to Side A (2 x routers, there's no
 internet, but the link is 1M, so 2 x 1M). Users in B work on RDS Server
 thanks to VPN.
 
 (A) router A ---IP VPN--1MrouterB1 (B) 
 
 (A) router A---IP VPN --1MrouterB2 (B) 
 
 I want to put an OpenBSD Gateway at B Location, with 3 network cards. 
 
 Rl0 : router B1 
 
 Rl1 : router B2 
 
 RL2 : LAN B
 
 Is it possible to have thanks to PF , the 2 bandwidths (router B1 and
 routerB2) cumulated, and so have a 2M connection instead of 2x 1M ? 
 
 Thank you very much for your replies. 
 
 Best Regards, 
 
 Wesley MOUEDINE ASSABY
 
 
 
 Cordialement
 Francois Pussault
 3701 - 8 rue Marcel Pagnol
 31100 Toulouse
 France
 +33 6 17 230 820   +33 5 34 365 269 
 fpussa...@contactoffice.fr



Re: Odd CARP behavior

2011-05-20 Thread Bryan Irvine
On Thu, May 19, 2011 at 3:57 PM, Gary Thornock gthorn...@yahoo.com wrote:
 My previous company has a pair of firewalls running OpenBSD 4.4 with
 CARP.  They've been running with no problem since just after the 4.4
 release, until the last couple of days.

 Now, the firewall that should be in BACKUP state has somehow decided
 that it needs to be MASTER for some, but not all, of the CARP interfaces,
 even though the master machine is running fine.  Something like this:


 if  machine 1   machine 2
 carp0   MASTER  BACKUP
 carp1   MASTER  BACKUP
 carp2   MASTER  MASTER
 carp3   MASTER  BACKUP
 carp4   MASTER  MASTER


 The interfaces where both machines try to be MASTER at the same time
 become unreliable or unreachable.

 I looked around Google but couldn't turn up any reports of similar
 issues.  Admittedly I might have been searching for the wrong terms,
 though.

 Any ideas as to what could be causing this problem?  They're likely
 to rebuild both machines in the next week or so, either with 4.6 (so
 they can keep their existing pf.conf) or with 4.9 so as to be current,
 but they'd like some assurance that a rebuild will actually solve the
 problem.  (If it were, say, a failing NIC, updating the software
 wouldn't help.)

 For whatever it's worth, the machines in question are Poweredge R200s,
 with the two on-board Broadcom gigabit ports and an additional Intel
 gigabit card for pfsync.  They're running the i386 rather than the
 amd64 version of OpenBSD.



What does netstat -s -p carp show?

Run that on each firewall.

Also, can you paste the contents of hostname.carp2 and hostname.carp4
from each firewall?

-Bryan



We Provide and Monetise Bank Instruments

2011-05-20 Thread John Pitts
Lease/Monetize Bank Instrument

We can arrange an instrument in your name/company name from Major Banks and
Institutions which include: Barclays, HSBC, Bank of America and others (Top 25)
with a time period available from 1 to 5 years.

- SBLC/BG/MTN in U.S.D. or Euros
- Available with swift MT-760

SBLC/BG                         % Rate
$10 Million to $1Billion plus   Annual Fee of 7% to 16% per year

Re: IPSEC/SSL accelerator

2011-05-20 Thread Maxim Bourmistrov
Yes,
it would be interesting to hear some devs on this topic.

Especially about drivers on board:
1. What can be done and what is missing.
2. What hw is worth to spend money on and what kind of hw devs need to make it
worth to spend money on.


I'd like to see this kind of acceleration perform best in OpenBSD.

Regards
Maxim

On May 19, 2011, at 9:08 PM, Oeschger Patrick wrote:

 hi all
 still thinking about the diff between 2gbit in the specs and about 400mbit in
 real world on a pretty new processor
 that's a *big* difference
 so we can say that every accelerator board - regardless if pci-e 16x or
 miniPCI - will not be able to perform at lets say 1gbit because of the need of
 copying packets forth and back
 can anybody confirm that most of the speed is lost by copying the packets first
 TO the accelerator board and then BACK to process it further after
 decryption?
 just read some manuals (parts of) regarding the new tilera and cavium octeon
 architecture
 ...part of their secret seems to be a kind of 'copyfree' processing of packets
 (accelerators modify the packet 'in place')
 has anybody done some research on this?
 thanks
 /pat

 On May 18, 2011, at 21:03, Joosep wrote:

 Hi!

 ubsec0 at pci5 dev 0 function 0 Broadcom 5862 rev 0x01: 3DES MD5 SHA1 AES PK, apic 9 int 0 (irq 10)

 Joosep

 On Wed, May 18, 2011 at 8:56 PM, Maxim Bourmistrov
 m...@alumni.chalmers.se wrote:

 How does it look in dmesg for this card?

 Sent from my iPhone

 On May 18, 2011, at 10:42, Joosep joos...@gmail.com wrote:

 On Wed, May 18, 2011 at 10:06 AM, Patrick Oeschger 
 patrick.oesch...@bluewin.ch wrote:

 thank you for your input
 why 'only' 400mbit?
 the specs say 2gbit for BCM5862 in a pci-e 4x slot...
 sounds like quite some overhead writing/ getting packets to/from the card -
 i would have expected it higher but i do not want to question your tests
 *hmmm*

 Sent from Pat's iPhone


 Hi!

 There is of course a possibility, that the test doesn't simulate reality in
 the best way.
 The specs say 2gbit, but when doing 400mbps there isn't much power left on
 machines main cpu (10% idle).
 So i guess the limiting factor here is main cpu not the CA card.
 I have done the same tests with 1,8 GHz opteron and in that case the result
 was around 270mbps.

 Joosep



PF - Computer bridging the network it is in itself

2011-05-20 Thread Julian Fagir
Hi,

we're struggling with that for quite a while, and I didn't find any hints in
4.8 or 4.9 about it being fixed.

The setup (simplified, there's also another firewall with pfsync, but that
does not matter):
One firewall with three interfaces. em0 is the local interface with an IP,
em1 an interface in the same segment (call it segment1) and em2 connected to
another segment (segment2). em1 and em2 are bonded to a bridge0.

The firewall now filters the traffic between those two segments. All the
filtering is usually done with the IP.
The problem arises when I want to access segment2 from em0: No matter how I
setup pf, I cannot make the outside access em0. No matter how the rules look
like (or even both of them are active), it does not work.

pass quick on em0 proto tcp from $computer1 to $computer2 port ssh keep state
pass quick on em1 proto tcp from $computer1 to $computer2 port ssh keep state
(em2 is not considered as it is pass quick)


When looking at computers in segment2, I see they receive a SYN, but there's
no SYN coming in on em0. The traffic is not filtered as you can see on the
pflog-interface.

When looking with tcpdump at computer1, I see that he receives several ICMP
Redirects from the IP of em0 to the IP of em0 again until the packet is TTLed
(this also happens to pings).


I assume the problem is connected to the bridge, as the second firewall does
not have these problems as long as its bridge is offline (the switch
deactivates that port).


So: Is this setup even possible or are there some OpenBSD-networking-interna
that make this setup impossible? Or am I just missing some important point?


Regards, Julian

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]



Re: Maximum bandwidth per IP

2011-05-20 Thread Christiano F. Haesbaert
On 20 May 2011 09:37, Leonardo Lombardo l.lomba...@jwizard.it wrote:
 I see... I have to define a separate queue for each IP. But as far as I know
 I'd have to recompile the kernel in order to have as many queues as I need
 (more than 200).

 Don't you think it'd be nice to have something that helps in defining such
 things? Maybe I'm approaching this problem the wrong way?

 Thanks for any suggestion

 Regards,
 Leonardo



I was studying a way to have dynamic queues by address, unfortunately
I got real busy and couldn't go on.
But yes, this seems to be a wanted feature.



Better security? Haha

2011-05-20 Thread Rod Whitworth
Better than iptables?
http://www.esecurityplanet.com/news/article.php/3934151/Fedora-15-Boosts-Linux-Security.htm
maybe...

But apps opening pinholes?

Oh dear.

Those of us running pf for years know that being able to do rule
changes on the fly is a Good Thing(tm).

And I think that we'd all laugh at unprivileged apps messing with the
rules.

I just thought I'd share my amusement at this announcement.


*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thankyou.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.



Re: Better security? Haha

2011-05-20 Thread John Jackson
On Sat, May 21, 2011 at 08:26:50AM +1000, Rod Whitworth wrote:
 Better than iptables?
 http://www.esecurityplanet.com/news/article.php/3934151/Fedora-15-Boosts-Linux-Security.htm
 maybe...
 
 But apps opening pinholes?

That's just asking for trouble!

 
 Oh dear.
 
 Those of us running pf for years know that being able to do rule
 changes on the fly is a Good Thing(tm).

It's actually quite easy to make on the fly changes with iptables.  The
author may have misquoted.


John


 
 And I think that we'd all laugh at unprivileged apps messing with the
 rules.
 
 I just thought I'd share my amusement at this announcement.
 
 
 *** NOTE *** Please DO NOT CC me. I am subscribed to the list.
 Mail to the sender address that does not originate at the list server is 
 tarpitted. The reply-to: address is provided for those who feel compelled to 
 reply off list. Thankyou.
 
 Rod/
 ---
 This life is not the real thing.
 It is not even in Beta.
 If it was, then OpenBSD would already have a man page for it.



Re: Better security? Haha

2011-05-20 Thread Alexander Schrijver
On Sat, May 21, 2011 at 08:26:50AM +1000, Rod Whitworth wrote:
 Better than iptables?
 http://www.esecurityplanet.com/news/article.php/3934151/Fedora-15-Boosts-Linux-Security.htm
 maybe...

Imagine the dynamic firewall technology in the cloud!



Re: Better security? Haha

2011-05-20 Thread Rod Whitworth
On Fri, 20 May 2011 17:49:22 -0500, John Jackson wrote:

On Sat, May 21, 2011 at 08:26:50AM +1000, Rod Whitworth wrote:
 Better than iptables?
 http://www.esecurityplanet.com/news/article.php/3934151/Fedora-15-Boosts-Linux-Security.htm
 maybe...
 
 But apps opening pinholes?

That's just asking for trouble!

 
 Oh dear.
 
 Those of us running pf for years know that being able to do rule
 changes on the fly is a Good Thing(tm).

It's actually quite easy to make on the fly changes with iptables.  The
author may have misquoted.

Hardly. It is the entire rationale for having the new firewall.


*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thankyou.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.



Re: Better security? Haha

2011-05-20 Thread Amit Kulkarni
 Better than iptables?
 http://www.esecurityplanet.com/news/article.php/3934151/Fedora-15-Boosts-Linux-Security.htm
 maybe...

 But apps opening pinholes?

 That's just asking for trouble!

<sarcasm>
You fuddy duddy guys don't know anything. Did you check wikipedia, the
authoritative source of everything?
http://en.wikipedia.org/wiki/Firewall_pinhole

Static firewalls are a thing of the past, the pace of Linux kernel
development is so hectic, that pretty soon only dynamically loaded
firewalls will exist.
</sarcasm>

Awww... I hope it's not serious as some tech journos have a horrible
time understanding simple things.

In India during childhood, we were told of a story of a guy called
Shekhchilli. A poor fool who was a woodcutter by profession. One day
he climbed a tall tree with thick branches and started cutting a
branch using his axe on it, while he was sitting on the same branch!
Passersby warned him but he wouldn't listen, he wanted that branch so
bad.

Fedora would be doing a shekhchilli to itself if true.



Re: Better security? Haha

2011-05-20 Thread Sunnz
Nope. Was changing an iptable rule on the fly on an Ubuntu server at
work yesterday. This is nothing new. The new shit is allowing programs
to talk to the firewall. This may or may not be a good thing depending on
how much control over which program may talk to it and what it can
change. I certainly won't make any conclusion till I used and tested
it.



Re: Better security? Haha

2011-05-20 Thread Corey

On 05/20/2011 05:26 PM, Rod Whitworth wrote:

Better than iptables?
http://www.esecurityplanet.com/news/article.php/3934151/Fedora-15-Boosts-Linux-Security.htm
maybe...

But apps opening pinholes?

Oh dear.

Those of us running pf for years know that being able to do rule
changes on the fly is a Good Thing(tm).

And I think that we'd all laugh at unprivileged apps messing with the
rules.

I just thought I'd share my amusement at this announcement.


*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thankyou.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.


Wonder if it's related to this, in recent Linux kernel release 2.6.39:

http://www.h-online.com/open/features/Kernel-Log-Coming-in-2-6-39-Part-1-Network-drivers-and-infrastructure-1227053.html

Basically, iptables (which didn't really have user-visible tables at 
all, from what I can tell) finally gets something akin to pf's 
tables.  But damn, using _dbus_ to update them?


Not knocking Linux; I use it, too (hell, iz in ur TV).  But not for 
firewalls.




Re: dmesg for notebooks useful?

2011-05-20 Thread Paul M

On 20/05/2011, at 12:27 PM, Dave Anderson wrote:


FWIW I've encountered several ASUS notebooks which panic during boot
(in aml_parse or parse_aml, I can't remember which is correct); since


aml_xparse


these are store demo machines I don't have any good way to capture the
detailed information (I'm booting from a USB stick and saving the dmesg
to the stick.)  If there's some small amount of information that can be
gotten without any additional hardware, etc, and would help diagnose
these problems, I'll write it down and report it if someone tells me
exactly how to get it.  The panic info is long enough that some of it
scrolls off the screen.

Dave


I've tried such a laptop, booting from usb stick does indeed fail as
you describe, however booting from the install cd (4.9 release) works
just fine.

Disabling acpi will allow the system to boot from the usb stick.


paulm



You Have Received a Free Wind Phone Top-Up

2011-05-20 Thread Appena selezionato
Dear Customer 

We are pleased to inform you that our computer system 
has selected your account for a one-of-a-kind gift; read the
instructions for receiving your gift by clicking on the attachment! 


  Wind 
International Spa

[demime 1.01d removed an attachment of type APPLICATION/DEFANGED which had a 
name of Ricarica_Gratuita_Wind.2437DEFANGED-html]



You Have Received a Free Wind Phone Top-Up

2011-05-20 Thread Ti abbiamo appena inviato un regalo!
Dear Customer 

We are pleased to inform you that our computer system 
has selected your account for a one-of-a-kind gift; read the
instructions for receiving your gift by clicking on the attachment! 


  Wind 
International Spa

[demime 1.01d removed an attachment of type APPLICATION/DEFANGED which had a 
name of Ricarica_Gratuita_Wind.385DEFANGED-html]



Re: dmesg for notebooks useful?

2011-05-20 Thread Dave Anderson
On Sat, 21 May 2011, Paul M wrote:

On 20/05/2011, at 12:27 PM, Dave Anderson wrote:

 FWIW I've encountered several ASUS notebooks which panic during boot
 (in aml_parse or parse_aml, I can't remember which is correct); since

aml_xparse

 these are store demo machines I don't have any good way to capture the
 detailed information (I'm booting from a USB stick and saving the dmesg
 to the stick.)  If there's some small amount of information that can be
 gotten without any additional hardware, etc, and would help diagnose
 these problems, I'll write it down and report it if someone tells me
 exactly how to get it.  The panic info is long enough that some of it
 scrolls off the screen.

I've tried such a laptop, booting from usb stick does indeed fail as
you describe, however booting from the install cd (4.9 release) works
just fine.

Disabling acpi will allow the system to boot from the usb stick.

Thanks for the info.  I'll try disabling ACPI the next time I encounter
one of these.

Dave

-- 
Dave Anderson
d...@daveanderson.com



Re: Theo's Birthday, have you done anything?

2011-05-20 Thread Marco Peereboom
I know Theo wants this:
http://cgi.ebay.com/Arcteryx-Naos-55-backpack-size-tall-Arcteryx-/300559016308?pt=LH_DefaultDomain_0hash=item45fab6a174

I am bidding on it so contact me off list if you want to contribute.

Remember hiking == code.