Re: Large (3TB) HDD support

2012-06-02 Thread Christian Weisgerber
Otto Moerbeek o...@drijf.net wrote:

  I just fsck'ed a 2.7TB filesystem in 1 minute, 43 seconds.
  61% full, 447166 files.
  
  What CPU and how much RAM?  SATA2 or 3?
 
 Even more important: block size, fragment size, # of inodes?

Default values all the way.  64k/8k.

Filesystem     Size    Used   Avail Capacity   iused     ifree  %iused  Mounted on
/dev/sd1d      2.7T    1.6T    1.0T    61%    447167  91273535     0%   /export

Watching this with top, I see fsck_ffs grow to a measly ~44 MB
resident size.

-- 
Christian naddy Weisgerber  na...@mips.inka.de



amd unmounting

2012-06-02 Thread Stuart Henderson
Can anyone help with a little amd problem?

I have some partitions on SSD and some on HD and would like to use
amd(8) so that the HD filesystems are only mounted on-demand, reducing
fsck time in a crash.

I've got them mounting OK...

$ cat /etc/amd/master
-c 60 -x all -l syslog /a bamboo.map
$ cat /etc/amd/bamboo.map
cvs host==bamboo;type:=ufs;dev:=/dev/sd0d
disthost==bamboo;type:=ufs;dev:=/dev/sd0e
morehost==bamboo;type:=ufs;dev:=/dev/sd0f
$ grep amd /etc/rc.conf.local
amd_flags=

My understanding was that they should timeout after -c seconds
(default 5 mins, I reduced it for testing) and then attempt to dismount
them every -w seconds (default 2 mins). But I don't see this. If I
ls -l /cvs it gets mounted:

Jun  2 12:21:03 bamboo amd[29958]: /dev/sd0d mounted fstype ufs on 
/tmp_mnt/bamboo/a/cvs

but leave the machine idle and it doesn't unmount.

Any suggestions? Thanks.



Re: IPSEC newbie looking to replace vpnc with Openbsd built-in IPSEC vpn

2012-06-02 Thread Stuart Henderson
On 2012-06-01, Sarah Caswell s.casw...@protocol6.com wrote:
 Hi all,

 I am currently using vpnc to connect to a client site (which has an CISCO ASA 
 firewall/vpn endpoint)
 This setup works, but everytime I use vpnc from my server it breaks other 
 networking, especially the openvpn tunnels I maintain to other sites.

 I'd prefer to use the built-in IPSEC software in OpenBSD to establish the 
 tunnel instead (and terminate it locally on a tun or tap interface)

 All my attempts so far have failed and I must admit I'm an IPSEC newbie, at 
 least with the OpenBSD tools.

 My vpc.conf file is very simple:

 ---
 IPSec gateway ww.xx.yy.zz
 IPSec ID somevpn
 IPSec secret somesecretString
 IKE Authmode psk
 ---

 Is there an equivalent config for ipsecctl (and/or isakmpd) that is known to 
 work with remote ASA firewalls?

 Any help or suggestions would be greatly appreciated.

 Thanks in advance.

 :-)

 Sarah



Presumably some default settings are different between vpnc and isakmpd.
Typical possibilities are the authentication and encryption parameters
and one which people often forget, lifetime values.

Usually you would get these settings from the people operating the
other side (or tell them what you are using and have them adjust theirs).
If they are not forthcoming then tcpdump can help (on the physical
interface and also on isakmpd packet capture files, see isakmpd manual
about -L).

Note that lifetimes are set in /etc/isakmpd/isakmpd.conf even if you
use ipsec.conf; here's an example of a file I'm using:

[General]
Default-phase-1-lifetime=86400,60:86400
Default-phase-2-lifetime=86400,60:86400

The biggest problem I had running IPsec to an ASA with isakmpd was when the
ASA was behind NAT; cisco didn't bother to follow the RFC document they helped
write and still use encapsulation-type values from the internet-draft...
But if NAT is not involved then that's not your problem.
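As an added example, not part of the thread, here is how the two halves fit together: the SA lifetimes in /etc/isakmpd/isakmpd.conf and a pre-shared-key tunnel rule in /etc/ipsec.conf that ipsecctl loads into isakmpd. The networks, the peer address, the proposal (phase 1 mode, cipher, hash, DH group) and the use of srcid for vpnc's "IPSec ID" value are all assumptions; every one of them has to agree with what the ASA administrator runs, and nothing here is claimed to be a known-working ASA configuration.

```conf
# Added example, not from the thread. Two files: isakmpd.conf carries the
# SA lifetimes, ipsec.conf carries the tunnel definition that ipsecctl loads.

# ----- /etc/isakmpd/isakmpd.conf -----
# Lifetimes live here even when the rules come from ipsec.conf.
# Format: seconds,min:max (the values from the message above: one day for both phases).
[General]
Default-phase-1-lifetime=86400,60:86400
Default-phase-2-lifetime=86400,60:86400

# ----- /etc/ipsec.conf -----
# Constructed values; replace with the networks and peer the ASA expects.
local_net  = "192.168.10.0/24"    # LAN behind this OpenBSD box (assumed)
remote_net = "10.20.0.0/16"       # network behind the ASA (assumed)
asa        = "203.0.113.1"        # the ASA's public address ("ww.xx.yy.zz" in vpnc.conf)

# Phase 1 (main) and phase 2 (quick) proposals: cipher, hash and DH group
# are assumptions and must match the ASA's crypto settings exactly; a
# mismatch here, or in the lifetimes above, is the usual reason a tunnel
# never comes up.  srcid is the local IKE identity and is the nearest
# ipsec.conf counterpart to vpnc's "IPSec ID"; confirm with the peer that
# the identity type isakmpd sends for it is what the ASA expects.
ike esp from $local_net to $remote_net peer $asa \
    main  auth hmac-sha1 enc aes-256 group modp1024 \
    quick auth hmac-sha1 enc aes-256 group modp1024 \
    srcid somevpn \
    psk "somesecretString"
```

`ipsecctl -n -f /etc/ipsec.conf` parses the file without loading it; once isakmpd is running with -K (no keynote policy) the rules are loaded with `ipsecctl -f /etc/ipsec.conf`, and the isakmpd -L packet capture mentioned above is the place to look when the proposals do not match.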



How-To VPN IKEv2

2012-06-02 Thread Wesley

Hi,

I just did this tutorial, if it can help someone ;-)
http://www.mouedine.net

Advices are welcome.
Thank you very much.

Regards,

Wesley MOUEDINE ASSABY
wesley [at] mouedine[dot] net



Re: How-To VPN IKEv2

2012-06-02 Thread Jérémie Courrèges-Anglas
Wesley open...@e-solutions.re writes:

 Hi,

'lo,

 I just did this tutorial, if it can help someone ;-)
 http://www.mouedine.net

Woo hoo, an entire home page dedicated to *one* howto about *one*
OpenBSD version and *one* Windows version? Hope you'll keep it
updated. ;)

 Advices are welcome.

I'm no iked expert, but:
1. does the configuration related to OpenBSD and iked really add
   something to the manpages?  Documentation duplication leads to
   documentation deprecation.
2. I suggest changing "What we want to achieve ?" to something that
   would sound better.  Considering point 1., perhaps it could be:
   "Windows Seven as an (OpenBSD) IKE client: some useful tips"
3. I wouldn't put that on the home page of a web server.

 Thank you very much.

Thank you for sharing your experience.

-- 
JC)rC)mie CourrC(ges-Anglas
GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494



OpenBSD mailing lists demime in an ascii world

2012-06-02 Thread Jérémie Courrèges-Anglas
As you'll see in my signature above, 8 bit characters are mangled on
OpenBSD mailing lists. Not that I care much, but passing the demime perl
script a ''-8'' argument would be enough to solve that (if that is
desired).

-- 
JC)rC)mie CourrC(ges-Anglas
GPG fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494



Re: How-To VPN IKEv2

2012-06-02 Thread Wesley

On 2012-06-02 20:37, jca+o...@wxcvbn.org wrote:

Wesley open...@e-solutions.re writes:



3. I wouldn't put that on the home page of a web server.


Thank you very much.


Thank you for sharing your experience.


It is a first draft, just to know if people are interested.
ASAP, I will put up a full website, or perhaps I will send some
tutorials to openbsdsupport.org


Thank you very much for your reply.

Cheers,

Wesley MOUEDINE ASSABY
wesley[at] mouedine [dot] net



Re: IKEv2 HowTo

2012-06-02 Thread Wesley

On 2012-06-02 19:56, Sebastian Rother wrote:
2. You installed zip but I see no step where it is used. So why did
   you install zip? Please provide the steps as well to make the HowTo
   more complete


Without the zip package, when you export the certificates, you will get
a .tar.gz file, not a zip.

And inside, there are several sorts of certificate.
On Windows 7 using .pfx is enough.



3. Configuration files like the pf.conf are incomplete. This might be
   beneficial for new users of OpenBSD. Please complete the examples
   because I think that is something new users will find very
   beneficial.


For new users, it is enough:
workstations located on the 'lan' side can use the INTERNET (all are open,
in and out).

On the web, we can access the box using ssh or vpn.
SSH can be filtered using the file sshd.conf (with Match keywords).


4. The PF rules do not look good to me.

   pass in on egress proto {ah,esp}
   pass in on egress proto udp from any to any port {500,4500}
   pass in on egress proto tcp from any to any port 22

   If I understand PF correctly you allow ah/esp packets to any port.
   Furthermore you allow any source address to contact port 500 and 4500.

   I ain't totally sure right now but I would use:

   pass in on egress proto {udp,ah,esp} from any to any port {500,4500}




It is just to understand how things work. It is not a tutorial on PF.
Indeed, we can put:

admin=ff.gg.hh.ii
set block-policy drop
set skip on {lo enc0}
match out on egress from lan:network to any nat-to egress
block log all
pass in on egress proto tcp from $admin to any port 22
pass in on egress proto udp from any to any port {500,4500}
pass in on egress proto {ah,esp}


5. I would assume it would be handy to provide screenshots for the
   Windows7 part.


Import certificates

Use mmc / Certificates snap / import ca.pfx in trusted root 
certification authorities

Use mmc / Certificates snap / import win7.pfx in Personal


6. Maybe a DHCP-example would also be nice.


Of course.

7. Maybe you like to enhance the example to a site-to-site VPN example
   including road warriors at one branch office. I am sure that is a
   very common scenario. I am not right sure if iked accepts hostnames
   as well so home users with a dyndns client could use your setup as
   well. But I ain't sure if OpenBSD allows this.


Site-to-site, why not use isakmpd -K with the conf file: /etc/ipsec.conf



Except this it is a nice and short HowTo. You might consider
http://www.openbsdsupport.org/ because I assume several people will
appreciate your HowTo.

I like to thank you for your time which was needed to figure out each
step and providing a HowTo for everybody even if it might be uncommon that
a CEO is tech-aware nowadays. :-)



Thank you very much. ;-)

--
Wesley MOUEDINE ASSABY
wesley[at] mouedine [dot] net
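An added example, not from the HowTo or from anyone in the thread, that keeps the rule set discussed under point 4 and spells out the two things a reviewer would want next to it: why the ah/esp rule carries no port list, and where a site-to-site peer with a fixed address would be pinned instead of "any". The $admin address is a constructed value, and "lan" as the name of the inside interface (or interface group) is an assumption.

```conf
# Added example, not from the HowTo. Assumed values: $admin is a constructed
# management address, "lan" is the inside interface (or interface group), and
# the outside interface is a member of the egress group.
admin     = "192.0.2.10"
ike_ports = "{ 500, 4500 }"   # 500: IKE; 4500: NAT-T (UDP-encapsulated ESP)

set block-policy drop
set skip on { lo, enc0 }      # enc0 carries the decrypted traffic; skip = not filtered there

match out on egress from lan:network to any nat-to egress

block log all

# Management: only the admin host reaches sshd; the sshd Match block
# mentioned above is a second, independent layer.
pass in on egress proto tcp from $admin to any port 22

# Road warriors connect from anywhere, so IKE and NAT-T stay open to "any".
# For a fixed site-to-site peer, replace "any" with that peer's address.
pass in on egress proto udp from any to any port $ike_ports

# AH and ESP have no port field: in pf.conf "port" only applies to tcp and
# udp, so this rule takes no port list at all.
pass in on egress proto { ah, esp }

# Outbound: the gateway itself and the LAN would otherwise be caught by
# "block log all".
pass out on egress
pass in on lan from lan:network
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which is the quickest way to see whether a rule like the `{udp,ah,esp} ... port {500,4500}` variant is accepted before putting it on a gateway.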



Re: How-To VPN IKEv2

2012-06-02 Thread Stuart Henderson
On 2012-06-02, Wesley open...@e-solutions.re wrote:
 Hi,

 I just did this tutorial, if it can help someone ;-)
 http://www.mouedine.net

 Advices are welcome.
 Thank you very much.

 Regards,

 Wesley MOUEDINE ASSABY
 wesley [at] mouedine[dot] net



You do refer to the manual which is good, but it is probably worth
drawing a bit more attention to the CAVEATS section of iked(8).



Re: Tuning for pppoe over fibre 30M/1M link

2012-06-02 Thread Stuart Henderson
On 2012-05-29, David Diggles da...@elven.com.au wrote:
 I would love to get 3MB/s, but maybe 1.8MB/s is the limit of the
 realtek NIC.

There are various different realtek-based nics. rl(4) are generally quite
poor and need a fair bit of CPU power to drive. re(4) should be a bit
better. But Geode is slow anyway especially for I/O, and 300MHz is not
a particularly fast Geode. 1.8MB/s (~14Mb/s) seems a bit slow but not
out of the realms of possibility especially if it's rl not re.

 I have just ordered an Atom 1.8GHz with Gigabit Intel NICs, should
 be more than good enough as an upgrade?  I may upgrade my link from
 30Mbit to 100Mbit in future, I would expect the Atom to handle this.

Should be a fair bit better.



Re: How-To VPN IKEv2

2012-06-02 Thread Wesley

Right, not to put in production...  Small oversight ;-)


On 2012-06-02 23:02, Stuart Henderson wrote:

On 2012-06-02, Wesley open...@e-solutions.re wrote:

Hi,

I just did this tutorial, if it can help someone ;-)
http://www.mouedine.net

Advices are welcome.
Thank you very much.

Regards,

Wesley MOUEDINE ASSABY
wesley [at] mouedine[dot] net




You do refer to the manual which is good, but it is probably worth
drawing a bit more attention to the CAVEATS section of iked(8).




Re: pfctl - show port numbers

2012-06-02 Thread Mike.
 From: Henning Brauer (lists-openbsdbsws.de)
 Date: Sun Dec 02 2007 - 14:45:37 CST
 
 * MikeM the.listsmgm51.com [2007-12-02 15:35]:
 
  When I run the command
 
  pfctl -sr
 
  a list of the rules is displayed, a sample line is below.
 
  pass in log quick on fxp0 inet proto tcp from 226.174.167.164 to
  (fxp0) port = smtp flags S/FSRA keep state
 
 
  Is there a way for me to tell pfctl that I want to see
 
  port = 25
 
  instead of
 
  port = smtp
 
  ?
 
 short of hacking pfctl source, no.
 
 -- 
 Henning Brauer, hbbsws.de, henningopenbsd.org
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam



Thank-you!   I see the change was made in 5.1.  Yea.   No more hacking
print_ports()!



Re: xidle(1) not working well

2012-06-02 Thread Robert Connolly
I have made progress, but I still have weirdness:

$ cat /home/ashes/bin/xlock.sh
#!/bin/sh
exec /usr/X11R6/bin/xlock -mode blank -lockdelay 60 -dpmsoff 90 -startCmd 'apm -C' -endCmd 'apm -H' +description

$ cat /home/ashes/.kde/Autostart/startup
#!/bin/sh

xset m 10,1 1
xidle -area 1 -timeout 900 -program /home/ashes/bin/xlock.sh 

$ ls -l /home/ashes/bin/xlock.sh /home/ashes/.kde/Autostart/startup
-rwxr-xr-x  1 ashes  ashes   89 Jun  2 18:45 /home/ashes/.kde/Autostart/startup
-rwxr-xr-x  1 ashes  ashes  124 Jun  2 18:37 /home/ashes/bin/xlock.sh

I used .kde/Autostart because KDM seems to ignore .xinitrc. xidle(1) is
running after I reboot.

If I let the system idle for 990 seconds, the blank screen comes up and the
monitor turns off, but there is no password lock, and this is the problem.

If I run /home/ashes/bin/xlock.sh manually, or if I 'pkill -30 -x xidle',
then I do get a password prompt after waiting 60 seconds.

xlock seems to ignore the -lockdelay option when it is run from xidle, but
the rest of the options are working.

Also, when I check /var/log/messages, I see entries for apm -C/H, but apm
-C is being run when I tap the keyboard after 990 seconds... apm -C is not
being run when xlock starts from xidle. apm -C is starting immediately when
xlock is run from pkill or manually.

Help please.



Re: Acer 5552-7858 notebook dmesg

2012-06-02 Thread Robert Connolly
Update:

There is a BIOS upgrade for this notebook. I downloaded a 31MB FreeDOS USB
image, and wrote it to a 32GB USB stick. The FreeDOS image is almost
completely free space, so after unzipping the Acer BIOS upgrade and copying
the DOS directory files to the mounted FreeDOS image, it booted, ran the
.bat file (as per readme.txt), and the upgrade went smoothly.

My point is that the BIOS upgrade for this notebook is very easy without
Windows.



ospf broken on trunk interfaces?

2012-06-02 Thread Paul B. Henson
I'm trying to setup ospf on a trunk interface. I've had it configured
and working fine on a regular interface for quite some time, and now am
trying to add another neighbor on a trunk interface, and it just shows
the interface as down:

# ospfctl show i
Interface   Address         State  HelloTimer Linkstate  Uptime     nc ac
trunk0      10.128.0.9/30   DOWN   -          active     00:00:00   0  0
lo1         10.128.0.4/32   LOOP   -          unknown    17w5d04h   0  0
re0         10.128.0.1/30   BCKUP  00:00:05   active     17w5d08h   1  1

The trunk is definitely up:

# ifconfig trunk0
trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:18:a8:7c:cc
        priority: 0
        trunk: trunkproto lacp
        trunk id: [(8000,00:30:18:a8:7c:cc,4094,,),
                   (8000,f0:25:72:53:82:00,0001,,)]
                trunkport re1 active,collecting,distributing
        groups: trunk
        media: Ethernet autoselect
        status: active
        inet 10.128.0.9 netmask 0xfffffffc broadcast 10.128.0.11
        inet6 fe80::230:18ff:fea8:7ccc%trunk0 prefixlen 64 scopeid 0x12

I currently only have one physical port in the trunk (planning to add a second
later once it's all working):

# ifconfig re1
re1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:18:a8:7c:cc
        priority: 0
        trunk: trunkdev trunk0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::230:18ff:feac:b83a%re1 prefixlen 64 scopeid 0x2

Traffic is definitely passing, I can ping the other side (which is a cisco
layer3 switch):

# ping 10.128.0.10
PING 10.128.0.10 (10.128.0.10): 56 data bytes
64 bytes from 10.128.0.10: icmp_seq=0 ttl=255 time=4.427 ms

tcpdump on trunk0 shows ospf hello packets from the cisco gear:

22:26:09.862595 cisco-bart.pbhware.com > ospf-all.mcast.net: OSPFv2-hello 44[80]: rtrid cisco.nms.pbhware.com backbone dr cisco-bart.pbhware.com [tos 0xc0] [ttl 1]

I found this mailing list posting with exactly the same problem it would seem:

http://old.nabble.com/trunk-and-ospf-on-openbsd-4.8-td31833059.html

But there were no responses. I'm running OpenBSD 5.0, and in case I'm doing
something stupid here's the ospf config:

router-id 10.128.0.4
redistribute default
redistribute connected

area 0.0.0.0 {

	interface lo1:10.128.0.4 { passive }

	interface re0 {
		auth-type crypt
		auth-md 1 X
		auth-md-keyid 1
	}
	interface trunk0 {
		auth-type crypt
		auth-md 1 X
		auth-md-keyid 1
	}
}


Any suggestions? Is ospf not supported on trunk interfaces as surmised by the
other mailing list posting?

Thanks much for any assistance...