Re: Large (3TB) HDD support
Otto Moerbeek o...@drijf.net wrote:
>> I just fsck'ed a 2.7TB filesystem in 1 minute, 43 seconds.
>> 61% full, 447166 files.
> What CPU and how much RAM? SATA2 or 3?
> Even more important: block size, fragment size, # of inodes?

Default values all the way. 64k/8k.

Filesystem   Size  Used  Avail  Capacity  iused   ifree     %iused  Mounted on
/dev/sd1d    2.7T  1.6T  1.0T   61%       447167  91273535  0%      /export

Watching this with top, I see fsck_ffs grow to a measly ~44 MB resident size.

-- 
Christian "naddy" Weisgerber na...@mips.inka.de
amd unmounting
Can anyone help with a little amd problem?

I have some partitions on SSD and some on HD and would like to use amd(8) so that the HD filesystems are only mounted on-demand, reducing fsck time in a crash. I've got them mounting OK...

$ cat /etc/amd/master
-c 60 -x all -l syslog
/a bamboo.map

$ cat /etc/amd/bamboo.map
cvs   host==bamboo;type:=ufs;dev:=/dev/sd0d
dist  host==bamboo;type:=ufs;dev:=/dev/sd0e
more  host==bamboo;type:=ufs;dev:=/dev/sd0f

$ grep amd /etc/rc.conf.local
amd_flags=

My understanding was that they should time out after -c seconds (default 5 mins, I reduced it for testing) and then attempt to dismount them every -w seconds (default 2 mins). But I don't see this. If I ls -l /cvs it gets mounted:

Jun  2 12:21:03 bamboo amd[29958]: /dev/sd0d mounted fstype ufs on /tmp_mnt/bamboo/a/cvs

but leave the machine idle and it doesn't unmount. Any suggestions?

Thanks.
Re: IPSEC newbie looking to replace vpnc with Openbsd built-in IPSEC vpn
On 2012-06-01, Sarah Caswell s.casw...@protocol6.com wrote:
> Hi all,
>
> I am currently using vpnc to connect to a client site (which has a CISCO ASA firewall/vpn endpoint). This setup works, but every time I use vpnc from my server it breaks other networking, especially the openvpn tunnels I maintain to other sites.
>
> I'd prefer to use the built-in IPSEC software in OpenBSD to establish the tunnel instead (and terminate it locally on a tun or tap interface). All my attempts so far have failed and I must admit I'm an IPSEC newbie, at least with the OpenBSD tools.
>
> My vpnc.conf file is very simple:
> ---
> IPSec gateway ww.xx.yy.zz
> IPSec ID somevpn
> IPSec secret somesecretString
> IKE Authmode psk
> ---
>
> Is there an equivalent config for ipsecctl (and/or isakmpd) that is known to work with remote ASA firewalls?
>
> Any help or suggestions would be greatly appreciated.
>
> Thanks in advance. :-)
> Sarah

Presumably some default settings are different between vpnc and isakmpd. Typical possibilities are the authentication and encryption parameters and one which people often forget, lifetime values. Usually you would get these settings from the people operating the other side (or tell them what you are using and have them adjust theirs). If they are not forthcoming then tcpdump can help (on the physical interface and also on isakmpd packet capture files, see the isakmpd manual about -L).

Note that lifetimes are set in /etc/isakmpd/isakmpd.conf even if you use ipsec.conf; here's an example of a file I'm using:

[General]
Default-phase-1-lifetime=86400,60:86400
Default-phase-2-lifetime=86400,60:86400

The biggest problem I had running IPsec to an ASA with isakmpd was when the ASA was behind NAT; cisco didn't bother to follow the RFC document they helped write and still use encapsulation-type values from the internet-draft... But if NAT is not involved then that's not your problem.
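As an added illustration, not taken from either mail in this thread, here is an ipsec.conf and isakmpd.conf pairing that writes out the settings the reply says have to agree with the ASA (phase-1 and phase-2 proposals plus lifetimes). All addresses, networks and the key are placeholders, and it assumes a plain main-mode pre-shared-key exchange; vpnc's group-ID style of authentication is not shown.

```conf
# /etc/ipsec.conf  (constructed example; addresses and the key are placeholders)
# Every phase-1 (main) and phase-2 (quick) parameter is spelled out instead of
# relying on isakmpd defaults, so each value can be compared with the ASA side.
local_gw   = "192.0.2.1"          # this OpenBSD box's public address
remote_gw  = "203.0.113.1"        # the ASA, ww.xx.yy.zz in the question
local_net  = "192.0.2.0/24"
remote_net = "198.51.100.0/24"

ike esp from $local_net to $remote_net \
    local $local_gw peer $remote_gw \
    main  auth hmac-sha1 enc aes-128 group modp1024 \
    quick auth hmac-sha1 enc aes-128 group modp1024 \
    psk "somesecretString"

# /etc/isakmpd/isakmpd.conf  (lifetimes cannot be set from ipsec.conf)
# 86400 s proposed, 60..86400 s accepted, the values from the reply above.
[General]
Default-phase-1-lifetime=86400,60:86400
Default-phase-2-lifetime=86400,60:86400

# Start isakmpd with keynote policy checking disabled (the usual pairing
# with ipsec.conf), then load the rules and inspect the result:
#   # isakmpd -K
#   # ipsecctl -f /etc/ipsec.conf
#   # ipsecctl -sa
# If phase 1 never completes, compare proposals and lifetimes with the
# other side, and capture the IKE exchange with tcpdump on the external
# interface (or with isakmpd -L, which writes a capture file itself).
```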
How-To VPN IKEv2
Hi,

I've just done this tutorial, if it can help someone ;-)

http://www.mouedine.net

Advice is welcome.

Thank you very much.

Regards,
Wesley MOUEDINE ASSABY
wesley [at] mouedine[dot] net
Re: How-To VPN IKEv2
Wesley open...@e-solutions.re writes:

> Hi,

'lo,

> I've just done this tutorial, if it can help someone ;-)
>
> http://www.mouedine.net

Woo hoo, an entire home page dedicated to *one* howto about *one* OpenBSD version and *one* Windows version? Hope you'll keep it updated. ;)

> Advice is welcome.

I'm no iked expert, but:

1. does the configuration related to OpenBSD and iked really add something to the manpages? Documentation duplication leads to documentation deprecation.

2. I suggest changing "What we want to achieve ?" to something that would sound better. Considering point 1., perhaps it could be: "Windows Seven as an (OpenBSD) IKE client: some useful tips"

3. I wouldn't put that on the home page of a web server.

> Thank you very much.

Thank you for sharing your experience.

-- 
Jérémie Courrèges-Anglas
GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
OpenBSD mailing lists demime in an ascii world
As you'll see in my signature above, 8 bit characters are mangled on OpenBSD mailing lists. Not that I care much, but passing the demime perl script a ''-8'' argument would be enough to solve that (if that is desired).

-- 
Jérémie Courrèges-Anglas
GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
Re: How-To VPN IKEv2
On 2012-06-02 20:37, jca+o...@wxcvbn.org wrote:
> Wesley open...@e-solutions.re writes:
>
> 3. I wouldn't put that on the home page of a web server.
>
>> Thank you very much.
>
> Thank you for sharing your experience.

It is a first draft, just to know if people are interested. ASAP, I will put up a full website, or perhaps I will send some tutorials to openbsdsupport.org.

Thank you very much for your reply.

Cheers,
Wesley MOUEDINE ASSABY
wesley[at] mouedine [dot] net
Re: IKEv2 HowTo
On 2012-06-02 19:56, Sebastian Rother wrote:

> 2. You installed zip but I see no step where it is used. So why did you install zip? Please provide the steps as well to make the HowTo more complete.

Without the zip package, when you export the certificates, you will get a .tar.gz file, not a zip. And inside, there are several sorts of certificate. On Windows 7 using .pfx is enough.

> 3. Configuration files like the pf.conf are incomplete. This might be beneficial for new users of OpenBSD. Please complete the examples because I think that is something new users will find very beneficial.

For new users, it is enough; workstations located on the 'lan' side can use the INTERNET (all are opened in out). On the web, we can access the box using ssh or vpn. SSH can be filtered using the file sshd.conf (with Match keywords).

> 4. The PF rules do not look good to me.
>
> pass in on egress proto {ah,esp}
> pass in on egress proto udp from any to any port {500,4500}
> pass in on egress proto tcp from any to any port 22
>
> If I understand PF correctly you allow ah/esp packets to any port. Furthermore you allow any source address to contact port 500 and 4500. I ain't totally sure right now but I would use:
>
> pass in on egress proto {udp,ah,esp} from any to any port {500,4500}

It is just to understand how things work. It is not a tutorial on PF. Effectively, we can put:

admin=ff.gg.hh.ii
set block-policy drop
set skip on {lo enc0}
match out on egress from lan:network to any nat-to egress
block log all
pass in on egress proto tcp from $admin to any port 22
pass in on egress proto udp from any to any port {500,4500}
pass in on egress proto {ah,esp}

> 5. I would assume it would be handy to provide screenshots for the Windows7 part.

Import certificates:
Use mmc / Certificates snap-in / import ca.pfx in Trusted Root Certification Authorities
Use mmc / Certificates snap-in / import win7.pfx in Personal

> 6. Maybe a DHCP-example would also be nice.

Of course.

> 7. Maybe you like to enhance the example to a site-to-site VPN example including road warriors at one branch office. I am sure that is a very common scenario. I am not right sure if iked accepts hostnames as well so home users with a dyndns client could use your setup as well. But I ain't sure if OpenBSD allows this.

Site-to-site, why not use isakmpd -K with the conf file /etc/ipsec.conf?

> Except this it is a nice and short HowTo. You might consider http://www.openbsdsupport.org/ because I assume several people will appreciate your HowTo. I like to thank you for your time which was needed to figure out each step and providing a HowTo for everybody even it might be uncommon that a CEO is tech-aware nowadays. :-)

Thank you very much. ;-)

-- 
Wesley MOUEDINE ASSABY
wesley[at] mouedine [dot] net
Re: How-To VPN IKEv2
On 2012-06-02, Wesley open...@e-solutions.re wrote:
> Hi,
>
> I've just done this tutorial, if it can help someone ;-)
>
> http://www.mouedine.net
>
> Advice is welcome.
>
> Thank you very much.
>
> Regards,
> Wesley MOUEDINE ASSABY
> wesley [at] mouedine[dot] net

You do refer to the manual which is good, but it is probably worth drawing a bit more attention to the CAVEATS section of iked(8).
Re: Tuning for pppoe over fibre 30M/1M link
On 2012-05-29, David Diggles da...@elven.com.au wrote:
> I would love to get 3MB/s, but maybe 1.8MB/s is the limit of the realtek NIC.

There are various different realtek-based nics. rl(4) are generally quite poor and need a fair bit of CPU power to drive. re(4) should be a bit better. But Geode is slow anyway especially for I/O, and 300MHz is not a particularly fast Geode. 1.8MB/s (~14Mb/s) seems a bit slow but not out of the realms of possibility especially if it's rl not re.

> I have just ordered an Atom 1.8GHz with Gigabit Intel NICs, should be more than good enough as an upgrade? I may upgrade my link from 30Mbit to 100Mbit in future, I would expect the Atom to handle this.

Should be a fair bit better.
Re: How-To VPN IKEv2
Right, not to put in production... Small oversight ;-)

On 2012-06-02 23:02, Stuart Henderson wrote:
> On 2012-06-02, Wesley open...@e-solutions.re wrote:
>> Hi,
>>
>> I've just done this tutorial, if it can help someone ;-)
>>
>> http://www.mouedine.net
>>
>> Advice is welcome.
>>
>> Thank you very much.
>>
>> Regards,
>> Wesley MOUEDINE ASSABY
>> wesley [at] mouedine[dot] net
>
> You do refer to the manual which is good, but it is probably worth drawing a bit more attention to the CAVEATS section of iked(8).
Re: pfctl - show port numbers
From: Henning Brauer (lists-openbsdbsws.de)
Date: Sun Dec 02 2007 - 14:45:37 CST

* MikeM the.listsmgm51.com [2007-12-02 15:35]:
> When I run the command pfctl -sr a list of the rules is displayed, a sample line is below.
>
> pass in log quick on fxp0 inet proto tcp from 226.174.167.164 to (fxp0) port = smtp flags S/FSRA keep state
>
> Is there a way for me to tell pfctl that I want to see port = 25 instead of port = smtp ?

short of hacking pfctl source, no.

-- 
Henning Brauer, hbbsws.de, henningopenbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam

Thank you! I see the change was made in 5.1. Yea. No more hacking print_ports()!
Re: xidle(1) not working well
I have made progress, but I still have weirdness:

$ cat /home/ashes/bin/xlock.sh
#!/bin/sh
exec /usr/X11R6/bin/xlock -mode blank -lockdelay 60 -dpmsoff 90 -startCmd 'apm -C' -endCmd 'apm -H' +description

$ cat /home/ashes/.kde/Autostart/startup
#!/bin/sh
xset m 10,1 1
xidle -area 1 -timeout 900 -program /home/ashes/bin/xlock.sh

$ ls -l /home/ashes/bin/xlock.sh /home/ashes/.kde/Autostart/startup
-rwxr-xr-x  1 ashes  ashes   89 Jun  2 18:45 /home/ashes/.kde/Autostart/startup
-rwxr-xr-x  1 ashes  ashes  124 Jun  2 18:37 /home/ashes/bin/xlock.sh

I used .kde/Autostart because KDM seems to ignore .xinitrc. xidle(1) is running after I reboot. If I let the system idle for 990 seconds, the blank screen comes up and the monitor turns off, but there is no password lock, and this is the problem. If I run /home/ashes/bin/xlock.sh manually, or if I 'pkill -30 -x xidle', then I do get a password prompt after waiting 60 seconds. xlock seems to ignore the -lockdelay option when it is run from xidle, but the rest of the options are working.

Also, when I check /var/log/messages, I see entries for apm -C/H, but apm -C is being run when I tap the keyboard after 990 seconds... apm -C is not being run when xlock starts from xidle. apm -C is starting immediately when xlock is run from pkill or manually.

Help please.
Re: Acer 5552-7858 notebook dmesg
Update: There is a BIOS upgrade for this notebook. I downloaded a 31MB FreeDOS USB image, and wrote it to a 32GB USB stick. The FreeDOS image is almost completely free space, so after unzipping the Acer BIOS upgrade and copying the DOS directory files to the mounted FreeDOS image, it booted, ran the .bat file (as per readme.txt), and the upgrade went smoothly. My point is that the BIOS upgrade for this notebook is very easy without Windows.
ospf broken on trunk interfaces?
I'm trying to set up ospf on a trunk interface. I've had it configured and working fine on a regular interface for quite some time, and now am trying to add another neighbor on a trunk interface, and it just shows the interface as down:

# ospfctl show i
Interface   Address         State  HelloTimer  Linkstate  Uptime     nc  ac
trunk0      10.128.0.9/30   DOWN   -           active     00:00:00   0   0
lo1         10.128.0.4/32   LOOP   -           unknown    17w5d04h   0   0
re0         10.128.0.1/30   BCKUP  00:00:05    active     17w5d08h   1   1

The trunk is definitely up:

# ifconfig trunk0
trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:18:a8:7c:cc
        priority: 0
        trunk: trunkproto lacp
        trunk id: [(8000,00:30:18:a8:7c:cc,4094,,),
                   (8000,f0:25:72:53:82:00,0001,,)]
                trunkport re1 active,collecting,distributing
        groups: trunk
        media: Ethernet autoselect
        status: active
        inet 10.128.0.9 netmask 0xfffffffc broadcast 10.128.0.11
        inet6 fe80::230:18ff:fea8:7ccc%trunk0 prefixlen 64 scopeid 0x12

I currently only have one physical port in the trunk (planning to add a second later once it's all working):

# ifconfig re1
re1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:18:a8:7c:cc
        priority: 0
        trunk: trunkdev trunk0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::230:18ff:feac:b83a%re1 prefixlen 64 scopeid 0x2

Traffic is definitely passing, I can ping the other side (which is a cisco layer3 switch):

# ping 10.128.0.10
PING 10.128.0.10 (10.128.0.10): 56 data bytes
64 bytes from 10.128.0.10: icmp_seq=0 ttl=255 time=4.427 ms

tcpdump on trunk0 shows ospf hello packets from the cisco gear:

22:26:09.862595 cisco-bart.pbhware.com > ospf-all.mcast.net: OSPFv2-hello 44[80]: rtrid cisco.nms.pbhware.com backbone dr cisco-bart.pbhware.com [tos 0xc0] [ttl 1]

I found this mailing list posting with exactly the same problem it would seem:

http://old.nabble.com/trunk-and-ospf-on-openbsd-4.8-td31833059.html

But there were no responses.

I'm running OpenBSD 5.0, and in case I'm doing something stupid here's the ospf config:

router-id 10.128.0.4
redistribute default
redistribute connected

area 0.0.0.0 {
        interface lo1:10.128.0.4 {
                passive
        }
        interface re0 {
                auth-type crypt
                auth-md 1 X
                auth-md-keyid 1
        }
        interface trunk0 {
                auth-type crypt
                auth-md 1 X
                auth-md-keyid 1
        }
}

Any suggestions? Is ospf not supported on trunk interfaces as surmised by the other mailing list posting?

Thanks much for any assistance...