Re: Broadcom BCM5709 and BCM57711 driver features
On 24 Jul 2014, at 19:37, def d...@fromru.com wrote:

> Hi! Currently using 5.5-stable and it seems (as per hwfeatures) that driver for BCM 5709 (1GE dual port adapter) doesn't support jumbo frames at all which is critical for activation mpls on bnx. The card supports jumbo itself. Return invalid argument when trying to setup jumbo via ifconfig. is there a way to reach the high mtu values?

yes. from memory it just required the use of vi and make.

> Also, simple question - is the driver for Broadcom 10GE dual port adapter BCM 57711 available? Can't see detected card in dmesg, but googled that someone seen that.

i started working on that and got distracted.

i'll see if i can dig the bnx jumbo diff out. it won't make 5.6 but you can try it out if you want.
Re: pfctl: DIOCADDQUEUE: No such process
Hello,

after the reboot the problem persists...

pfctl: DIOCADDQUEUE: No such process

The default ruleset has been loaded:

block drop all
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass out inet6 proto udp from any port = 546 to any port = 547
pass out inet proto icmp all icmp-type echoreq
pass out inet proto udp from any port = 68 to any port = 67
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto udp from any to any port = 53
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in inet6 proto udp from any port = 547 to any port = 546
pass in proto tcp from any to any port = 22 flags S/SA
pass in inet proto udp from any port = 67 to any port = 68
pass on lo0 all flags S/SA
pass proto carp all keep state (no-sync)

--
Best regards,
Loïc BLOT, Engineering UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr

On Thursday 24 July 2014 at 17:44 +0200, Loïc Blot wrote:
> Hi David,
> in fact no, now the ruleset is empty and everything is allowed, erf.
>
> Now i have no choice, i need to reboot this critical router :(. I think there is a bug somewhere, i'll try to find why this is happening before rebooting (maybe a patch if i can)
Re: pfctl: DIOCADDQUEUE: No such process
Erf... i found the error. An admin has configured a queue on a nonexistent interface... Maybe pfctl could tell us the interface doesn't exist?

Sorry for the inconvenience

--
Best regards,
Loïc BLOT, Engineering UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr

On Friday 25 July 2014 at 09:25 +0200, Loïc Blot wrote:
> Hello,
>
> after the reboot the problem persists...
>
> pfctl: DIOCADDQUEUE: No such process
>
> The default ruleset has been loaded:
>
> block drop all
> pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
> pass out inet6 proto ipv6-icmp all icmp6-type routersol
> pass out inet6 proto udp from any port = 546 to any port = 547
> pass out inet proto icmp all icmp-type echoreq
> pass out inet proto udp from any port = 68 to any port = 67
> pass out proto tcp from any to any port = 53 flags S/SA
> pass out proto udp from any to any port = 53
> pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
> pass in inet6 proto ipv6-icmp all icmp6-type routeradv
> pass in inet6 proto udp from any port = 547 to any port = 546
> pass in proto tcp from any to any port = 22 flags S/SA
> pass in inet proto udp from any port = 67 to any port = 68
> pass on lo0 all flags S/SA
> pass proto carp all keep state (no-sync)
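The failure found in this thread, a queue bound to an interface that does not exist and reported by pfctl only as "DIOCADDQUEUE: No such process", can be caught before the ruleset is loaded. The script below is an added example, not code from the thread or from OpenBSD; it assumes the 5.5 "queue NAME on IFACE" syntax, its function names are hypothetical, and the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: find pf.conf queue definitions that
# name an interface the system does not have, before the ruleset is loaded.
# Assumes the OpenBSD 5.5 form "queue NAME on IFACE ..." and one-line macros
# (name = "value"). All function names here are hypothetical.

# queue_ifaces FILE: print "LINE IFACE" for each queue bound to an interface.
queue_ifaces() {
    awk '
        { sub(/#.*/, "") }    # strip comments
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {    # macro definition
            name = $0; sub(/[ \t]*=.*/, "", name); gsub(/[ \t]/, "", name)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); gsub(/[" \t]/, "", val)
            macro[name] = val
            next
        }
        $1 == "queue" {
            for (i = 2; i < NF; i++) {
                if ($i != "on") continue
                ifn = $(i + 1)
                if (substr(ifn, 1, 1) == "$") {    # expand $macro
                    key = substr(ifn, 2)
                    ifn = (key in macro) ? macro[key] : "undefined-macro:" key
                }
                print NR, ifn
                break
            }
        }
    ' "$1"
}

# missing_queue_ifaces FILE "IF1 IF2 ...": report queues whose interface is
# not in the list; returns 1 if any were found, 0 otherwise.
missing_queue_ifaces() {
    mq_known=" $2 "
    mq_out=$(queue_ifaces "$1" | while read -r mq_line mq_if; do
        case $mq_known in
            (*" $mq_if "*) ;;
            (*) echo "line $mq_line: queue on nonexistent interface $mq_if" ;;
        esac
    done)
    [ -z "$mq_out" ] && return 0
    printf '%s\n' "$mq_out"
    return 1
}

# write_sample_conf FILE: write a constructed ruleset fragment for the demo.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample ruleset fragment
ext_if = "em0"
queue rootq on $ext_if bandwidth 100M
queue std parent rootq bandwidth 80M default
queue voip on vlan7 bandwidth 10M
pass out on $ext_if set queue std
EOF
}

# Demo: em0, em1 and lo0 stand in for the interfaces the router really has.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
missing_queue_ifaces "$demo_conf" "em0 em1 lo0" || echo "ruleset not loaded"
rm -f "$demo_conf"
```

On a router, the second argument would be the interface names the system reports, and the check would run before the ruleset is handed to pfctl.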
Patch: porters guide chapter 2.2, item no. 23
Hi,

The original wording doesn't seem to flow too well:

Create pkg/PLIST. After the install is complete use the developer's command, make plist which makes the file PLIST in the pkg directory. This file is a candidate packing list.

I would like to suggest changing to the following:

Create pkg/PLIST. After the installation is done, use the developer's command make plist, which creates the file PLIST in pkg sub-directory. It will be a template for this port.

The patch to my suggestion is at the bottom of this mail, ok?

Regards,
Edward.

Index: guide.html === RCS file: /cvs/www/faq/ports/guide.html,v retrieving revision 1.29 diff -u -p -r1.29 guide.html --- guide.html 21 Jun 2014 12:17:47 - 1.29 +++ guide.html 25 Jul 2014 08:08:35 - @@ -498,10 +498,9 @@ generated packing-lists). Remember that For automatic updating of tt/etc/tt, sysmerge(8) may help. brbrli Create ttpkg/PLIST/tt. -After the install is complete use the developer's command, -ttbmake plist/b/tt which makes the file ttPLIST/tt in the -ttpkg/tt directory. -This file is a candidate packing list. +After the installation is done, use the developer's command +ttbmake plist/b/tt, which creates the file ttPLIST/tt in +ttpkg/tt sub-directory. It will be a template for this port. p Peruse ttPLIST/tt and verify that everything was installed and that it was installed in the proper locations.
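Review bot: The last added line, "+ttpkg/tt sub-directory. It will be a template for this port.", drops the term "packing list", which the surrounding guide text uses (the hunk header context reads "generated packing-lists"), so the reader is no longer told what PLIST is. Consider keeping the removed sentence "This file is a candidate packing list." and limiting the change to the comma placement in the first sentence.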
Re: carp setup firewall
Hello Waldemar,

On 24.07.2014 17:44, Waldemar Brodkorb wrote:
> Hi Peter,
> Peter Hessler wrote,
>> if the addresses on the carp interface are out of sync, then the hashes won't mash, and the firewalls *WILL* conflict with each other.
>>
>> I recommend one IP per carp interface. Far nicer in case you screw that bit up, and much easier to balance IPs to one system or the other.
>
> Thanks for the hints. The previous firewall is managed via fwbuilder, which does manage all the ip aliases for the wan interface for us. It seems fwbuilder has some support for carp, but I am not sure it will work with ip aliases.
>
> Thanks so far
> Waldemar

we have a similar setup here, with only a /29 range of external addresses. Until now, we have had no problems so far running this using only one external carp IF (using a private IP) and adding all external addresses as aliases. But we do not use bi-nat for our DMZ Servers.

As for fwbuilder, we did use it for some years with iptables, but during our switch to OpenBSD found writing pf.conf by hand gave a cleaner and faster fw. The file is under version control and distributed and enabled by Puppet on both our FW-CARP nodes.

Cheers,
Kim
Patch: porters guide chapter 2.2, item no. 23 (again)
Hi, I thought pkg_create(1) is worth mentioning in the porting checklist so that a new porter would know where to find more information on PLIST variables annotations that's useful to the PLIST file. The below patch appended the sentence PLIST variables/annotations can be found in pkg_create(1). to the second paragraph of item 23, chapter 2.2 of Porting guide[1]. Regards, Edward. [1]http://www.openbsd.org/faq/ports/guide.html Index: guide.html === RCS file: /cvs/www/faq/ports/guide.html,v retrieving revision 1.29 diff -u -p -r1.29 guide.html --- guide.html 21 Jun 2014 12:17:47 - 1.29 +++ guide.html 25 Jul 2014 09:17:40 - @@ -506,7 +506,9 @@ This file is a candidate packing list. Peruse ttPLIST/tt and verify that everything was installed and that it was installed in the proper locations. Anything not installed can be added to a port ttMakefile/tt -ttpost-install/tt rule. +ttpost-install/tt rule. ttPLIST/tt variables/annotations can be found in +a href=http://www.openbsd.org/cgi-bin/man.cgi?sektion=1amp;query=pkg_create; +pkg_create(1)/a. p Ports that install shared libraries will have another file called ttPFRAG.shared/tt.
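Review bot: The "ttpost-install/tt rule." line is removed and re-added only to append the new sentence; starting "PLIST variables/annotations ..." on its own added line would leave the existing line untouched and keep the hunk to pure additions. The wording "can be found in pkg_create(1)" would also read more precisely as "are documented in pkg_create(1)".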
[Cannot allocate memory][Qemu][x86 i386] limits ? login.conf ?
Hi, had same problem. the only (poor) workaround i found is running qemu as root.
LDAPD attribute and ACL'S
Hi

Is it possible to give write access only for userPassword field?

sth like:

allow write access to attr=userPassword by self

Regards
Bambero
Re: LDAPD attribute and ACL'S
On 07/25/2014 05:48 AM, Bambero wrote:
> Hi
>
> Is it possible to give write access only for userPassword field?
>
> sth like:
>
> allow write access to attr=userPassword by self

There are no per-attribute permissions in the base ldapd(8). I think the 'normal' way to accomplish this is to create a user who does have write permission to users' entries, and then write a program that will authenticate as that DN to modify passwords on users' behalf.

--
Matthew Weigel hacker unique idempot . ent
Re: reload isakmpd
Try ipsecctl -f /etc/ipsec.conf

On Fri 25 Jul 2014 16:17:15 BST, motty cruz wrote:
> Hello,
> how to reload configuration without restarting isakmpd?
>
> Thanks,
Re: reload isakmpd
On Fri, Jul 25, 2014 at 08:17:15AM -0700, motty cruz wrote:
> Hello,
> how to reload configuration without restarting isakmpd?
>
> Thanks,

Have a look at THE FIFO USER INTERFACE in isakmpd(8):

NOTE: Sending isakmpd a SIGHUP or an R through the FIFO will void any updates done to the configuration.

You can also try to SIGHUP and re-run ipsecctl afterwards.

Good luck!
Reyk
reload isakmpd
Hello, how to reload configuration without restarting isakmpd? Thanks,
openbsd and chromebooks
has anyone tried any of the existing chromebooks?
any dmesgs?

http://en.wikipedia.org/wiki/Chromebook#Chromebook_models

-f
--
tap here with hammer for a new monitor.
Re: openbsd and chromebooks
I tried putting it on an SD card on my acer c270. I don't have a dmesg at the moment. Wireless and the trackpad didn't work, but a cheapy USB wireless device did. The biggest problem was putting it on the SD card made disk IO really, really slow. The lack of 802.11n was also kinda a bummer.

J. Stuart McMurray

On Fri, Jul 25, 2014 at 11:40 AM, frantisek holop min...@obiit.org wrote:
> has anyone tried any of the existing chromebooks?
> any dmesgs?
>
> http://en.wikipedia.org/wiki/Chromebook#Chromebook_models
>
> -f
> --
> tap here with hammer for a new monitor.
Re: openbsd and chromebooks
hmm, on Fri, Jul 25, 2014 at 11:45:32AM -0400, Stuart McMurray said that
> I tried putting it on an SD card on my acer c270. I don't have a dmesg at the moment. Wireless and the trackpad didn't work, but a cheapy USB wireless device did. The biggest problem was putting it on the SD card made disk IO really, really slow. The lack of 802.11n was also kinda a bummer.

well, there is no 802.11n in openbsd :)
but i understand what you mean. the wifi is not supported on my current notebook either, so i am used to usb helpers.

i am interested in the newest samsung chromebook. looks quite nice.

-f
--
in the country of the blind, the one-eyed man is king.
Re: openbsd and chromebooks
The other thing that kept me from putting OpenBSD on here is that dual-booting is kinda kooky and has security implications for the ChromeOS side.

A better question: Anybody know of any small laptops (not necessarily chromebooks) that run OpenBSD well?

J. Stuart McMurray

On Fri, Jul 25, 2014 at 11:56 AM, frantisek holop min...@obiit.org wrote:
> hmm, on Fri, Jul 25, 2014 at 11:45:32AM -0400, Stuart McMurray said that
>> I tried putting it on an SD card on my acer c270. I don't have a dmesg at the moment. Wireless and the trackpad didn't work, but a cheapy USB wireless device did. The biggest problem was putting it on the SD card made disk IO really, really slow. The lack of 802.11n was also kinda a bummer.
>
> well, there is no 802.11n in openbsd :)
> but i understand what you mean. the wifi is not supported on my current notebook either, so i am used to usb helpers.
>
> i am interested in the newest samsung chromebook. looks quite nice.
>
> -f
> --
> in the country of the blind, the one-eyed man is king.
Re: openbsd and chromebooks
the keyboard and trackpad are horrendous. I hate typing on it.

no wifi, which is also really annoying.

On 2014 Jul 25 (Fri) at 17:40:24 +0200 (+0200), frantisek holop wrote:
:has anyone tried any of the existing chromebooks?
:any dmesgs?
:
:http://en.wikipedia.org/wiki/Chromebook#Chromebook_models
:
:-f
:--
:tap here with hammer for a new monitor.
:

--
In 1750 Isaac Newton became discouraged when he fell up a flight of stairs.
Re: reload isakmpd
Thank you all, I used this command.

ps aux
kill 29309
kill 7908
ps aux
isakmpd -S
sasyncd

Thanks,

On Fri, Jul 25, 2014 at 8:29 AM, Reyk Floeter r...@openbsd.org wrote:
> On Fri, Jul 25, 2014 at 08:17:15AM -0700, motty cruz wrote:
>> Hello,
>> how to reload configuration without restarting isakmpd?
>>
>> Thanks,
>
> Have a look at THE FIFO USER INTERFACE in isakmpd(8):
>
> NOTE: Sending isakmpd a SIGHUP or an R through the FIFO will void any updates done to the configuration.
>
> You can also try to SIGHUP and re-run ipsecctl afterwards.
>
> Good luck!
> Reyk
Re: reload isakmpd
On 2014-07-25, Andy a...@brandwatch.com wrote:
> Try ipsecctl -f /etc/ipsec.conf

Sometimes this works ok, but I do have some occasions when I need to shutdown isakmpd, ipsecctl -F and restart.

Note that this doesn't clear old config, so you can't use it to tear down sessions that you no longer want - you can paste the relevant config lines to ipsecctl -df - to delete them though.
Re: reload isakmpd
> Note that this doesn't clear old config, so you can't use it to tear down sessions that you no longer want - you can paste the relevant config lines to ipsecctl -df - to delete them though.

As an added note for ipsecctl -df, you can break all your peers into their own files and include them from the main ipsec.conf. Then you can ipsecctl -df /etc/ipsec/peer.conf... When you have several dozen peers, it makes troubleshooting individual ones a bit easier.

--
James Shupe
Re: reload isakmpd
On 25.07.2014 19:42, James Shupe wrote:
>> Note that this doesn't clear old config, so you can't use it to tear down sessions that you no longer want - you can paste the relevant config lines to ipsecctl -df - to delete them though.
>
> As an added note for ipsecctl -df, you can break all your peers into their own files and include them from the main ipsec.conf. Then you can ipsecctl -df /etc/ipsec/peer.conf... When you have several dozen peers, it makes troubleshooting individual ones a bit easier.

There is a good article about isakmpd/ipsec on undeadly:
http://undeadly.org/cgi?action=articlesid=20131125041429
Re: [Bulk] Re: openbsd and chromebooks
previously on this list Stuart McMurray contributed:

> The other thing that kept me from putting OpenBSD on here is that dual-booting is kinda kooky and has security implications for the ChromeOS side. A better question:

Is that because you have to unlock the bootloader or root it?

> Anybody know of any small laptops (not necessarily chromebooks) that run OpenBSD well?

I believe I've seen at least one dev with a lenovo x201 which I have used briefly with OpenBSD and the T's seem to run well enough. I rarely use wifi though and so can't vouch there.

--
___
'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy)
In Other Words - Don't design like polkit or systemd
___
___
MinnowBoard MAX
new toy for OpenBSD? ;) - http://www.minnowboard.org/meet-minnowboard-max/
Re: openbsd and chromebooks
On 2014-07-25 11.59.33 -0400, Stuart McMurray wrote:
> Anybody know of any small laptops (not necessarily chromebooks) that run OpenBSD well?

Thinkpad X1 Carbon.

-current works well: wifi, keyboard, mouse, touchscreen, suspend, resume, USB, headphones. See my recent thread zzz + /dev/wsmouse if you run into suspend/resume issues, or if you want to see a dmesg.

Have not yet tried: camera, fingerprint reader, mini-DisplayPort, BlueTooth.

If you buy one, double-check the keyboard layout first. You may have to buy from a reseller.

-Mike
Re: Patch: porters guide chapter 2.2, item no. 23
On 7/25/14, Edward edw...@rdtan.net wrote:
> Hi,
>
> The original wording doesn't seem to flow too well:
>
> Create pkg/PLIST. After the install is complete use the developer's command, make plist which makes the file PLIST in the pkg directory. This file is a candidate packing list.
>
> I would like to suggest changing to the following:
>
> Create pkg/PLIST. After the installation is done, use the developer's command make plist, which creates the file PLIST in pkg sub-directory. It will be a template for this port.

I don't think definition of the word template fits this use-case.

What issue do you have with the original wording?

--patrick

> The patch to my suggestion is at the bottom of this mail, ok?
>
> Regards,
> Edward.
>
> Index: guide.html === RCS file: /cvs/www/faq/ports/guide.html,v retrieving revision 1.29 diff -u -p -r1.29 guide.html --- guide.html21 Jun 2014 12:17:47 - 1.29 +++ guide.html25 Jul 2014 08:08:35 - @@ -498,10 +498,9 @@ generated packing-lists). Remember that For automatic updating of tt/etc/tt, sysmerge(8) may help. brbrli Create ttpkg/PLIST/tt. -After the install is complete use the developer's command, -ttbmake plist/b/tt which makes the file ttPLIST/tt in the -ttpkg/tt directory. -This file is a candidate packing list. +After the installation is done, use the developer's command +ttbmake plist/b/tt, which creates the file ttPLIST/tt in +ttpkg/tt sub-directory. It will be a template for this port. p Peruse ttPLIST/tt and verify that everything was installed and that it was installed in the proper locations.
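Review bot: In the added line "+ttpkg/tt sub-directory." the article is lost: the removed lines read "in the ... directory", the added ones read "in ... sub-directory". Suggest "in the pkg directory", which also keeps the original term "directory" instead of introducing "sub-directory".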
Re: carp setup firewall
On 2014-07-24, Waldemar Brodkorb m...@waldemar-brodkorb.de wrote:
> Hi OpenBSD hackers,
>
> we like to use OpenBSD for our corporate firewall. We have two appliances and want to setup carp and pfsync.
>
> In the past I used this for a simple firewall connected to a provider via dsl without a DMZ. This worked fine and I know how to configure it.
>
> Now our firewall is used for outgoing connections into the internet and for incoming connections to our DMZ servers. (We use binat, the ip addresses of the network (/26) are bound on the wan interface of the firewall.)
>
> According to http://collaboration.cmc.ec.gc.ca/science/rpn/biblio/ddj/Website/articles/SA/v14/i05/a6.htm I could use aliases with ifconfig.
>
> Do you think there would be any issues in using 60 aliases for the wan interface?
>
> best regards
> Waldemar

Is your upstream router within the /26, or do you have a separate link network for that? If it's in the /26 I think you'll have to do it that way, but if you have (or if you can get) a separate link net (e.g. /29 with your+their router and carp/vrrp addresses), you can just nat them, there's no need to place the addresses on an interface.
Re: l2tp / ipsec issue
Probably, but you can play with ipsec-config and send your results over here.

On 24 jul 2014, at 13:23, Stefan Krueger stadtki...@gmx.de wrote:
> In mailing.openbsd.misc, you wrote:
>> the public_ip in your ipsec.conf should be the external ip of your router, not the openbsd box.
>>
>> other setup checks can be referred to the following article.
>> http://undeadly.org/cgi?action=articlesid=20120427125048
>
> Say I'm using PPPoE and my IP address changes every night, do I have to restart isakmpd + change the $public_ip in /etc/ipsec.conf every night, too?
Re: carp setup firewall
On 2014-07-24, Peter Hessler phess...@theapt.org wrote:
> if the addresses on the carp interface are out of sync, then the hashes won't mash, and the firewalls *WILL* conflict with each other.
>
> I recommend one IP per carp interface. Far nicer in case you screw that bit up, and much easier to balance IPs to one system or the other.

That's going to involve a fair bit of multicast chatter for 60 addresses, if binding addresses to carp interfaces is unavoidable I'd usually try to go for the don't screw up option :)
Re: add a new partition in USB ( clone )
Hi, all.

this is a method to make clone USB larger size than original.

1) use linux (because openbsd fdisk is hard to use)
   by fdisk, make /dev/sdb4 Id:a6

2) then use 'openbsd5.5 install CD disk' for installboot
   on installing OpenBSD
   use OpenBSD area - 1)
   mount point / (because original USB has a and b only)
   install bsd, bsd.rd, base55 only

3) then openbsd running machine,
   # mkdir /mnt0
   # mkdir /mnt1
   # mount /dev/sd0a /mnt0   - / partition
   # mount /dev/sd1a /mnt1   - / partition
   # (cd /mnt0; tar cvpf - .)|(cd /mnt1 ; tar xpf -)
   # umount /mnt0 = cannot
   # umount /mnt1 = cannot
   so halt openbsd machine,

4) then goto linux machine
   fdisk /dev/sdb
   make bootable flag on sdb4
   (if 1) has this procedure, this may be needless)

---
this method is perhaps effective to smaller USB clone, or USB to Hard disk clone and so so.
---
tuyosi
Re: Patch: porters guide chapter 2.2, item no. 23
On Fri, Jul 25, 2014 at 11:22:44AM -0700, patrick keshishian wrote:
> On 7/25/14, Edward edw...@rdtan.net wrote:
>> Hi,
>>
>> The original wording doesn't seem to flow too well:
>>
>> Create pkg/PLIST. After the install is complete use the developer's command, make plist which makes the file PLIST in the pkg directory. This file is a candidate packing list.
>>
>> I would like to suggest changing to the following:
>>
>> Create pkg/PLIST. After the installation is done, use the developer's command make plist, which creates the file PLIST in pkg sub-directory. It will be a template for this port.
>
> I don't think definition of the word template fits this use-case.
>
> What issue do you have with the original wording?
>
> --patrick

Hi Patrick,

Referring to this sentence:

After the install is complete use the developer's command, make plist which makes the file PLIST in the pkg directory.

There's 3 points to make in this original sentence:
1. After the install is complete
2. use the developer's command, make plist
3. which makes the file PLIST in the pkg directory.

Which I think should be broken up with commas so that it appears clearer. And thus my suggestion to change it to:

After the installation is done, use the developer's command make plist, which creates the file PLIST in pkg sub-directory.

As for the last sentences, This file is a candidate packing list., I think the word candidate usually refers to a person than an object. But I do agree, template might not be as good.

Regards,
Edward.