re0 device not receiving
Hello misc@,

I have a new computer with an re(4) NIC onboard, running 5.7, GENERIC.MP#881 amd64. When I run dmesg | grep re0 I get the following:

re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x11: RTL8168G/8111G (0x4c00), msi, address d0:50:99:26:2d:e7
rgephy0 at re0 phy7: RTL8251 PHY, rev. 0

This chip doesn't work in a way I have not seen before. It can send packets, but doesn't receive. If I run tcpdump on re0, I can see DHCPDISCOVER packets going out, but I don't see any network traffic other than that. It doesn't even see the packets my other computers on that subnet see. I know that the first chip is sending those DHCPDISCOVER packets because my OpenBSD gateway sees them, and responds with the correct IP address for the MAC address.

I've manually copied down the output of ifconfig re0:

re0: flags=8843 mtu 1500
        lladdr d0:50:99:26:2d:e7
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active

I have tried setting static addresses, booting into GENERIC.SP#825, and twiddling with the options on the interface, but it still doesn't work. Any input on how to resolve this would be wonderful.
Re: mail server on rental server , cannot send gmail.com
Thanks for your advice. I should study Postfix SASL, reading the following per your teaching:

http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from etc.

I looked up Thunderbird's automatic setting:

port 587
connection security: none
authentication method: password, transmitted insecurely

Is it possible to fake an IPv4 address? If so the internet address system has collapsed.

regards
Re: httpd stops accepting connections after a few hours on current
In my very limited test I could only hang up a server on 443 not 80.
Re: SOHO IPv6 router problems
On 13-07-2015 17:42, Daniel Melameth wrote:
> I’d love it if someone would be open to spending the time to do a
> “PHD” write up on getting OpenBSD base usable as a stateless IPv6
> router/firewall with Comcast. While I agree that write ups like these
> should be unnecessary, and man pages should have all the relevant
> information needed for someone to do this without hand holding, IPv6
> is still “new,” has a lot of moving parts and still isn’t widely used.
> For one, I didn’t know all of this could be done without DHCPv6 so I’m
> very interested in doing this at home.

Well, I prepared myself studying IPv6 years ago using tunnel brokers like SixXS. You can find a lot of relevant information on the man pages, but, since a man page is better kept simple and clean, some things need RFC digging and/or source code. I will take some time in the near future to try to port an NDP proxy to OpenBSD.

I'm currently using a bridge firewall between my CPE and the client machines. While this works, the machines get the DNS servers from the CPE, and not from my firewall, which is far from optimal. But I can at least filter the packets as they pass through my bridge. Better to have the clients talk directly to the CPE, which, by the way, comes from the factory with no firewall enabled. Any connection from outside gets routed to the clients.

Better enable the firewall on your clients too. You never know when you will connect to an IPv6 enabled network that routes every incoming connection. I know, I know, end to end connectivity, etc. But people aren't prepared for this. The CPE routers today do not allow incoming connections, because we have to use NAT. So it would never know where to forward the packets to, unless you tell it to. But, with IPv6 end to end, there will be a lot of people that will be caught off guard, especially because almost every OS (except OpenBSD) will automatically configure IPv6 if present.

Cheers,
Giancarlo Razzolini
Re: SOHO IPv6 router problems
On Mon, Jul 13, 2015 at 2:42 PM, Daniel Melameth wrote:
> I’d love it if someone would be open to spending the time to do a
> “PHD” write up on getting OpenBSD base usable as a stateless IPv6
> router/firewall with Comcast. While I agree that write ups like these
> should be unnecessary, and man pages should have all the relevant
> information needed for someone to do this without hand holding, IPv6
> is still “new,” has a lot of moving parts and still isn’t widely used.
> For one, I didn’t know all of this could be done without DHCPv6 so I’m
> very interested in doing this at home.
>
> Thanks.

I meant to say PHD as in “Push Here Dummy.”

Cheers.
Re: SOHO IPv6 router problems
On Mon, Jul 13, 2015 at 1:17 PM, Michael McConville wrote:
> On Mon, Jul 13, 2015 at 03:12:50PM -0300, Giancarlo Razzolini wrote:
>> The client doesn't need inbound UDP ports to be open. The OpenBSD
>> firewall does, if you're using DHCPv6 to configure it. If using SLAAC,
>> only RS and RA icmp messages are needed. Since stateless configuration
>> is done using multicast (ff02) and link-local (fe80) addresses, no
>> need to worry. You can even make a rule allowing only your CPE
>> link-local, if you want.
>
> I stand corrected.
>
> I just disabled all of my IPv6-related pf exceptions and it still works.
> I must have inadvertently fixed something else when I added them.
>
>> You don't need DHCPv6. I use stateless both for my firewall getting
>> its IPv6 address from the CPE and for it advertising the prefix on
>> the internal network. Most modern systems can configure the dns using
>> stateless configuration. So only a subset of ICMPv6 messages need to
>> be allowed both on the router and clients.
>
> Also correct. I just checked, and Comcast home routers let you choose
> between stateless and stateful IPv6 config in their control panel.
>
> Sorry for the noise,
> Michael

I’d love it if someone would be open to spending the time to do a “PHD” write up on getting OpenBSD base usable as a stateless IPv6 router/firewall with Comcast. While I agree that write ups like these should be unnecessary, and man pages should have all the relevant information needed for someone to do this without hand holding, IPv6 is still “new,” has a lot of moving parts and still isn’t widely used. For one, I didn’t know all of this could be done without DHCPv6 so I’m very interested in doing this at home.

Thanks.
Re: how to add squid access log in /etc/newsyslog.conf
On 2015-07-13, Indunil Jayasooriya wrote:
> I deleted 30 from that line. Now it looks like this.
>
> /var/squid/logs/access.log _squid:_squid 640 14 * @T00 Z /var/squid/logs/squid.pid
>
> Now it seems to work

But now it sends the default signal which is HUP. In Squid, this drains existing connections and reloads the configuration, blocking new connections while that occurs. You probably want USR1.
Re: Thinkpad Batteries
It is reasonable to expect reduced lifetime on refurbished systems for their batteries, fans, and keyboards, cabling, plastic casing, hinges, light sources for display and indication etc. The value of using pre-owned laptops is questionable unless specifically addressing the favourite brand/models, though for technical people it's a good source of savings, tinkering options and overall fun times.

https://en.wikipedia.org/wiki/Lithium-ion_battery#Battery_life

All batteries use chemical elements that wear off depending on:
- charge/recharge pattern
- number of cycles
- temperature
- usage pattern (drain current/speed/depth of depletion)
- storage pattern
- general longevity of the chemical system

The laptop manufacturer has calculated a typical usage pattern and expiration date. Much can be done to address this, yet not much can be done to escape the physical and chemical processes. In the end, all batteries age and need replacement, always sooner than desired.

What may be worth mentioning is that many unnamed sellers online ship unoriginal, unofficial, knock-off, replacements, or merely lower quality items, some of which may have been binned at the factory and/or exported without quality control. Or simply not as good as the original. There are also better than original parts, when the capacity of the battery may be larger in the same casing.

It is reasonable to order a battery when you need it, and not years ahead, though see above: storage affects the performance. As much as official (branded etc) sales chains bring problems with pricing and availability, it may be worth using them for batteries and recycle responsibly. You can get lucky replacing the elements in the battery pack, though not recommended for people without electrical engineering knowledge.

The so called original parts are overpriced, so you can invest the same money in several knock-off batteries and not worry much, or use an external battery + inverter, or better direct feed the DC stabilised as in place of the AC charger. If monstrous battery time is required, one can always use more than one battery, internal and/or external (jump-start packs), car adaptor plug + inverter with the stock AC adaptor etc. Use your imagination what you can stick in a tough rucksack, example can be followed by searching online what amateur radio techs do for their field / mobile stations. For general use though, the internal battery is just as good, and depending on your enthusiasm this can get you far.

Much of the above is general knowledge, and personal opinion only. Your mileage may vary greatly, and there are a ton of places for bad practices or bad luck. Some batteries though can last 5-6 years of moderate usage quite well.

Please add more interesting suggestions or correct blunt edges.
Re: SOHO IPv6 router problems
On Mon, Jul 13, 2015 at 03:12:50PM -0300, Giancarlo Razzolini wrote:
> The client doesn't need inbound UDP ports to be open. The OpenBSD
> firewall does, if you're using DHCPv6 to configure it. If using SLAAC,
> only RS and RA icmp messages are needed. Since stateless configuration
> is done using multicast (ff02) and link-local (fe80) addresses, no
> need to worry. You can even make a rule allowing only your CPE
> link-local, if you want.

I stand corrected.

I just disabled all of my IPv6-related pf exceptions and it still works. I must have inadvertently fixed something else when I added them.

> You don't need DHCPv6. I use stateless both for my firewall getting
> its IPv6 address from the CPE and for it advertising the prefix on
> the internal network. Most modern systems can configure the dns using
> stateless configuration. So only a subset of ICMPv6 messages need to
> be allowed both on the router and clients.

Also correct. I just checked, and Comcast home routers let you choose between stateless and stateful IPv6 config in their control panel.

Sorry for the noise,
Michael
Re: SOHO IPv6 router problems
On 13-07-2015 14:42, Michael McConville wrote:
> Part of it was that you need inbound IPv6 ICMP and UDP ports open. This
> seems like a fundamentally bad idea because it prevents client machines
> from just blocking all incoming connections (something I've done since
> starting with OpenBSD).

The client doesn't need inbound UDP ports to be open. The OpenBSD firewall does, if you're using DHCPv6 to configure it. If using SLAAC, only RS and RA icmp messages are needed. Since stateless configuration is done using multicast (ff02) and link-local (fe80) addresses, no need to worry. You can even make a rule allowing only your CPE link-local, if you want.

> Also, DHCPv4 seems to do fine without incoming connections. Maybe
> there's a good reason for them, though.

DHCPv4 needs port 68 udp to be open. The difference is that many firewall implementations (not pf) have this allowed in their default configuration.

> Here's the guide that solved my pf woes:
>
> http://pivotallabs.com/configuring-freebsd-9-1-as-an-ipv6-dhcp-client/
>
> I was considering trying to develop a tool to make it a smoother
> process. However, it increasingly seems like a consequence of DHCPv6
> being unnecessarily complex.

You don't need DHCPv6. I use stateless both for my firewall getting its IPv6 address from the CPE and for it advertising the prefix on the internal network. Most modern systems can configure the dns using stateless configuration. So only a subset of ICMPv6 messages need to be allowed both on the router and clients.

Cheers,
Giancarlo Razzolini
Re: Thinkpad Batteries
> This doesn't directly apply to OpenBSD, but it gives you an idea of
> the complexity:
>
> https://wiki.freebsd.org/TuningPowerConsumption

Good info.

Thanks,
Walter
Re: SOHO IPv6 router problems
On Mon, Jul 13, 2015 at 04:39:39PM +, Christian Weisgerber wrote:
> On 2015-07-02, Patrik Lundin wrote:
>
>> In summary, using the following commands (together with ip6
>> forwarding enabled) allows us to have a working setup without any
>> other manual intervention:
>> ===
>> # ifconfig em0 inet6 autoconf
>> # ifconfig em1 inet6 autoconf
>> # dhcp6c -Df -c /etc/dhcp6c.conf em0
>> # rtadvd em1
>> ===
>>
>> But like stated initially, we do not really like the idea of
>> enabling autoconf on em1.
>
> Once you get that far, you might notice that dynamic addresses for
> your network are rather inconvenient. You'll need to update all
> references to your internal hosts in
> * pf.conf
> * DNS zones
> * ... any other daemons that might refer to them ...
>
> You'll also need to distribute the addresses to your hosts. If you
> don't like SLAAC-style addresses, you'll need DHCPv6. Which you might
> also need for the nameserver, NTP server, etc.
>
> Out of the box, OpenBSD is poorly equipped for all of this.

I found setting up IPv6 on a Comcast home network to be very painful. Part of it was that you need inbound IPv6 ICMP and UDP ports open. This seems like a fundamentally bad idea because it prevents client machines from just blocking all incoming connections (something I've done since starting with OpenBSD).

Also, DHCPv4 seems to do fine without incoming connections. Maybe there's a good reason for them, though.

Here's the guide that solved my pf woes:

http://pivotallabs.com/configuring-freebsd-9-1-as-an-ipv6-dhcp-client/

I was considering trying to develop a tool to make it a smoother process. However, it increasingly seems like a consequence of DHCPv6 being unnecessarily complex.
Re: SOHO IPv6 router problems
On 13-07-2015 13:39, Christian Weisgerber wrote:
> Once you get that far, you might notice that dynamic addresses for
> your network are rather inconvenient. You'll need to update all
> references to your internal hosts in
> * pf.conf
> * DNS zones
> * ... any other daemons that might refer to them ...

And you need to reload your pf rules when any of them changes (especially privacy addresses).

> You'll also need to distribute the addresses to your hosts. If you
> don't like SLAAC-style addresses, you'll need DHCPv6. Which you might
> also need for the nameserver, NTP server, etc.

This is for an IPv6-only network. My approach is to keep the RFC 1918 internal IPv4 net for these.

> Out of the box, OpenBSD is poorly equipped for all of this.

Agreed. On the other hand it's quite well equipped for the routing and firewalling of IPv6 networks. Even NAT64 is simple to do with pf.

> I recently switched ISPs and the new one offers native IPv6 the TR-187
> way, but given that level of pain I'll stay with my SixXS tunnel and
> my static /48 for the time being.

I'm doing the exact same thing. My tunnel has an acceptable latency and, since I'm using it only for a site to site VPN, I'll stay with it for a while. But my ISP is implementing native IPv6 and sooner or later I'll have to deal with this. So will you.

Cheers,
Giancarlo Razzolini
Re: Thinkpad Batteries
On 2015-07-13, Walter Alejandro Iglesias wrote:

> About Thinkpad's batteries.

I think very little can be said. Too much depends on the model, the condition of the batteries, and your usage pattern. There's a big difference whether you run make -j4 build or stare at vi in an xterm. Apart from CPU load, display brightness is probably the single biggest factor.

The battery sensors may be useful:

hw.sensors.acpibat0.volt0=11.10 VDC (voltage)
hw.sensors.acpibat0.volt1=12.55 VDC (current voltage)
hw.sensors.acpibat0.power0=8.86 W (rate)
hw.sensors.acpibat0.watthour0=46.54 Wh (last full capacity)
hw.sensors.acpibat0.watthour1=2.33 Wh (warning capacity)
hw.sensors.acpibat0.watthour2=0.20 Wh (low capacity)
hw.sensors.acpibat0.watthour3=46.18 Wh (remaining capacity), OK
hw.sensors.acpibat0.watthour4=62.16 Wh (design capacity)
hw.sensors.acpibat0.raw0=1 (battery discharging), OK

This tells us that this, IIRC, approximately three-year-old battery in my X230 is now reduced to ~75% of its design capacity.

> As I told you my experience with these laptops (and laptops in general)
> is short so I don't know if I wasn't lucky or those in forums that
> assure these batteries can give *15 hours* did the test in suspended to
> RAM state :-).

Maximizing laptop runtime can't be accomplished by one big button, but involves many small optimizations. Apparently the MS Windows installs shipped with most laptops are quite effective in this regard.

Somebody wrote up possible power-saving measures for FreeBSD on a laptop. This doesn't directly apply to OpenBSD, but it gives you an idea of the complexity:

https://wiki.freebsd.org/TuningPowerConsumption

-- 
Christian "naddy" Weisgerber na...@mips.inka.de
Re: Thinkpad Batteries
FYI: I have a T500, bought a 9 cell battery 2 years ago? or was it 3 years? hw.sensors tells me that "design capacity" is 84.24Wh and that current capacity is 57.01Wh.

Note that the battery as it is was barely used since I don't use this computer that much in recent years. I'm just using it more the last 2-3 weeks going out and hence the battery is used (finally). I remember it was 57.7Wh current when I started experimenting with OpenBSD on it (2-3 weeks ago), now it's 57.01Wh; this is after about 13-17 recharge (not full!) cycles.

So well, batteries are expensive and do not last that long in the end.

Cheers,
Karel

On Mon, Jul 13, 2015 at 5:44 PM, Walter Alejandro Iglesias wrote:
> On Mon, Jul 13, 2015 at 04:56:33PM +0200, Walter Alejandro Iglesias wrote:
>> I bought a refurbished x201 in Jan 2014 and a T420...
>
> Sorry, I'm getting old and idiot. The laptop isn't a T420, it's a "T410".
>
>
> Walter
Re: SOHO IPv6 router problems
On 2015-07-02, Patrik Lundin wrote:

> In summary, using the following commands (together with ip6 forwarding
> enabled)
> allows us to have a working setup without any other manual intervention:
> ===
> # ifconfig em0 inet6 autoconf
> # ifconfig em1 inet6 autoconf
> # dhcp6c -Df -c /etc/dhcp6c.conf em0
> # rtadvd em1
> ===
>
> But like stated initially, we do not really like the idea of enabling autoconf
> on em1.

Once you get that far, you might notice that dynamic addresses for your network are rather inconvenient. You'll need to update all references to your internal hosts in
* pf.conf
* DNS zones
* ... any other daemons that might refer to them ...

You'll also need to distribute the addresses to your hosts. If you don't like SLAAC-style addresses, you'll need DHCPv6. Which you might also need for the nameserver, NTP server, etc.

Out of the box, OpenBSD is poorly equipped for all of this.

I recently switched ISPs and the new one offers native IPv6 the TR-187 way, but given that level of pain I'll stay with my SixXS tunnel and my static /48 for the time being.

-- 
Christian "naddy" Weisgerber na...@mips.inka.de
Re: Thinkpad Batteries
On Mon, Jul 13, 2015 at 04:56:33PM +0200, Walter Alejandro Iglesias wrote:
> I bought a refurbished x201 in Jan 2014 and a T420...

Sorry, I'm getting old and idiot. The laptop isn't a T420, it's a "T410".

Walter
Thinkpad Batteries
About Thinkpad's batteries.

A bit off-topic being a hardware specific question, but taking into account that several people here say to use Thinkpads (and the cost of their batteries) I think it'll be useful for everyone to share our experience.

My experience with these laptops is short: I bought a refurbished x201 in Jan 2014 and a T420, second hand too, in Sep 2014. The first came with a *new* 9-cell lenovo original battery that lasts almost 6 hours long, as the seller had promised me. I received the T420 with a used 6-cell lenovo original battery that gave me barely 2 hours. I presumed it'd give me 6 like the x201 with a 9-cell one, so I bought through ebay a *supposed* "lenovo original" new 9-cell battery that suddenly *died* after 15 days of use :-). The vendor refunded me the money, so the second time I bought some of those *trade-less* 9-cell ones you find on ebay. That's the one I have had in use since Dec 2014. Initially it lasted ~4.5 hours, but now, after 7 months of use, it lasts no longer than 2 hours.

As I told you my experience with these laptops (and laptops in general) is short so I don't know if I wasn't lucky or those in forums that assure these batteries can give *15 hours* did the test in suspended to RAM state :-).

Did some of you get 15 hours from some of these batteries? If that's true, what tech specs should I take into account when buying a new one?

Walter

-- 
PLEASE, LET'S PRESERVE GOOD EMAIL PRACTICES
- Use plain text (no HTML please).
- Separate paragraphs with empty lines.
- Use hard wrapped lines at no more than 72 columns.
- Avoid top-posting.
- You'll find the above easy to accomplish by using a decent email client (i.e. Thunderbird, Claws mail, Mutt).
Re: httpd stops accepting connections after a few hours on current
Hi,

maybe this problem is related to this one?

http://marc.info/?l=openbsd-misc&m=143091663725238&w=2

thanks,
Alex
Re: httpd stops accepting connections after a few hours on current
On Mon, Jul 13, 2015 at 10:52:46PM +0930, Jack Burton wrote:
>>
>> I don't pretend to know httpd (at all), but I'm wondering, what should
>> fstat(1) say, over time, for the httpd processes?
>
> Thanks Tor -- that was exactly the clue I needed to isolate the
> problem.
>
> [snip]
>
> admin talks to a custom FastCGI daemon, which is most likely the culprit
> -- I'll debug it tomorrow.
>
> "portal" (the other HTTPS server) also talks to a (different) custom
> FastCGI daemon, but carries orders of magnitude more traffic and didn't
> have any stale sockets -- so clearly our problem is at the other end of
> admin's FastCGI socket (not with httpd itself). Sorry for the noise.
>
> Ted -- similarly, you may want to look into whatever is at the other end
> of your "server1"'s FastCGI socket. If your issue is the same as ours,
> that's likely where you'll find the cause.
>

I am not sure you should conclude yet. I don't use FastCGI. ;-}

Now, as I write, I have 218 open fd's, compared to the 206 or whatever I had in my previous post.

I've got a few "dangling" :443 streams (the :80 ones seem to disappear like they should), and then a bunch of these:

www httpd 17244 213* internet stream tcp 0x0 *:0

While I have been writing this, the recent (since this morning) fd's have looked like this ('$' denotes end of list):

www httpd 17244 206* internet stream tcp 0x0 193.214.208.180:443 <-- 193.214.208.185:57311
www httpd 17244 207* internet stream tcp 0x0 *:0
www httpd 17244 208* internet stream tcp 0x0 *:0
www httpd 17244 209* internet stream tcp 0x0 *:0
www httpd 17244 210* internet stream tcp 0x0 *:0
www httpd 17244 211* internet stream tcp 0x0 *:0
www httpd 17244 212* internet stream tcp 0x0 *:0
www httpd 17244 213* internet stream tcp 0x0 *:0
www httpd 17244 214* internet stream tcp 0x0 193.214.208.180:80 <-- 66.249.78.231:59307
$
www httpd 17244 206* internet stream tcp 0x0 193.214.208.180:443 <-- 193.214.208.185:57311
www httpd 17244 207* internet stream tcp 0x0 *:0
www httpd 17244 208* internet stream tcp 0x0 *:0
www httpd 17244 209* internet stream tcp 0x0 *:0
www httpd 17244 210* internet stream tcp 0x0 *:0
www httpd 17244 211* internet stream tcp 0x0 *:0
www httpd 17244 212* internet stream tcp 0x0 *:0
www httpd 17244 213* internet stream tcp 0x0 *:0
$

Notice how 214 (:80) closed and went away.

A few minutes later, I have these:

www httpd 17244 206* internet stream tcp 0x0 193.214.208.180:443 <-- 193.214.208.185:57311
www httpd 17244 207* internet stream tcp 0x0 *:0
www httpd 17244 208* internet stream tcp 0x0 *:0
www httpd 17244 209* internet stream tcp 0x0 *:0
www httpd 17244 210* internet stream tcp 0x0 *:0
www httpd 17244 211* internet stream tcp 0x0 *:0
www httpd 17244 212* internet stream tcp 0x0 *:0
www httpd 17244 213* internet stream tcp 0x0 *:0
www httpd 17244 214* internet stream tcp 0x0 193.214.208.180:443 <-- 86.129.139.178:60804
$
www httpd 17244 206* internet stream tcp 0x0 193.214.208.180:443 <-- 193.214.208.185:57311
www httpd 17244 207* internet stream tcp 0x0 *:0
www httpd 17244 208* internet stream tcp 0x0 *:0
www httpd 17244 209* internet stream tcp 0x0 *:0
www httpd 17244 210* internet stream tcp 0x0 *:0
www httpd 17244 211* internet stream tcp 0x0 *:0
www httpd 17244 212* internet stream tcp 0x0 *:0
www httpd 17244 213* internet stream tcp 0x0 *:0
www httpd 17244 214* internet stream tcp 0x0 *:0
www httpd 17244 215* internet stream tcp 0x0 *:0
www httpd 17244 216* internet stream tcp 0x0 193.214.208.180:443 <-- 86.129.139.178:61345
$

FWIW, the following is a dump from some earlier connections from the same client (they look too short):

07:23:48.292311 193.214.208.180.443 > 86.129.139.178.51968: S 4293888040:4293888040(0) ack 147006770 win 16384 (DF)
    : 4500 0034 2113 4000 4006 a4f2 c1d6 d0b4 E..4!.@.@...
    0010: 5681 8bb2 01bb cb00 ffef 8828 08c3 2532 V..(..%2
    0020: 8012 4000 377d 0204 05b4 0101 0402 ..@.7}..
    0030: 0103 0303
07:23:48.345674 86.129.139.178.51968 > 193.214.208.180.443: . ack 1 win 16698 (DF)
    : 4500 0028 5a8a 4000 7206 3987 5681 8bb2 E..(Z.@.r.9.V...
    0010: c1d6 d0b4 cb00 01bb 08c3 2532 ffef 8829 ..%2...)
    0020: 5010 413a 7711 dd2d P.A:w-
07:23:48.346721 86.129.139.178.51968 > 193.214.208.180.443: P 1:116(115) ack 1 win 16698 (DF)
    : 4500 009b 5a8b 4000 7206 3913 5681 8bb2 E...Z.@.r.9.V...
    0010: c1d6 d0b4 cb00 01bb 08c3 2532 ffef 8829 ..%2...)
    0020: 5018 413a 0813 1603 0100 6e01 P.A:..
Re: httpd stops accepting connections after a few hours on current
On Mon, 2015-07-13 at 11:02 +0200, Tor Houghton wrote:
> On Sun, Jul 12, 2015 at 07:56:37PM +0930, Jack Burton wrote:
>>
>> It is possible I simply failed to provision sufficient capacity --
>> which could easily be fixed by adding a login class for www with a
>> higher limit on open fds -- but I fear that might just be hiding the
>> problem rather than addressing it: exhausting a 512 fd limit with
>> peak load of only 48 req/sec (and average load of 2 req/sec) just
>> doesn't feel right (especially when that peak load is all 303s
>> generated internally by httpd, which each take only a tiny fraction of
>> a second to process).
>
> I don't pretend to know httpd (at all), but I'm wondering, what should
> fstat(1) say, over time, for the httpd processes?

Thanks Tor -- that was exactly the clue I needed to isolate the problem.

Wrote a short script to parse the output of running fstat -p for each running httpd (we're running with prefork 8, so I didn't fancy doing it by hand), and report the timestamp of the last request in the relevant access log of each client IP with an open socket (or 'missing' if no entry in the current access log).

Ran it roughly 4 hours after the last log rotation and found only 34 matches out of 73 open sockets. We don't run anything here that would take anywhere near 4 hours to return a response, so the 39 that didn't match entries in any of the current access logs were clearly where I needed to look.

All 39 related to "admin" -- the one HTTPS server that I hadn't spent any time looking into (since it accounts for only 0.02% of httpd's load here, it didn't occur to me that that tiny little thing could be bringing httpd to its knees ... famous last words).

admin talks to a custom FastCGI daemon, which is most likely the culprit -- I'll debug it tomorrow.

"portal" (the other HTTPS server) also talks to a (different) custom FastCGI daemon, but carries orders of magnitude more traffic and didn't have any stale sockets -- so clearly our problem is at the other end of admin's FastCGI socket (not with httpd itself). Sorry for the noise.

Ted -- similarly, you may want to look into whatever is at the other end of your "server1"'s FastCGI socket. If your issue is the same as ours, that's likely where you'll find the cause.
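Jack's correlation script was not posted. What follows is an added example of the same idea, written for this page and not taken from the thread or from httpd: it reads fstat(1) output in the line layout Tor pasted above, extracts the peer address of every established socket, looks up the last request from that address in an access log in httpd's common log format, and reports "missing" for peers that never appear, which is exactly the set worth investigating after a log rotation. It also counts the unbound "*:0" sockets Tor noticed. The fstat lines and the access log are constructed sample data; the `pgrep`/`fstat -p` loop at the end is the assumed live invocation and is left commented out.

```shell
#!/bin/sh
# Added example, not the script Jack describes (which was not posted).
# Assumptions: the fstat(1) socket line layout is the one shown in this
# thread, and the access log is in httpd's common log format with the client
# IP in the first field and the timestamp in the fourth.

# Constructed sample of "fstat -p <httpd pid>" output: one established :443
# connection, one unbound "*:0" socket, one :80 and a second :443 connection.
FSTAT_SAMPLE='www httpd 17244 206* internet stream tcp 0x0 193.214.208.180:443 <-- 193.214.208.185:57311
www httpd 17244 207* internet stream tcp 0x0 *:0
www httpd 17244 214* internet stream tcp 0x0 193.214.208.180:80 <-- 66.249.78.231:59307
www httpd 17244 216* internet stream tcp 0x0 193.214.208.180:443 <-- 86.129.139.178:61345'

# Constructed access log: two of the three peers have requests logged,
# the third (86.129.139.178) has none, so its socket is the stale one.
ACCESS_LOG_SAMPLE='193.214.208.185 - - [13/Jul/2015:07:20:11 +0200] "GET /index.html HTTP/1.1" 200 512
66.249.78.231 - - [13/Jul/2015:07:23:48 +0200] "GET /robots.txt HTTP/1.1" 200 64
193.214.208.185 - - [13/Jul/2015:07:25:02 +0200] "GET /style.css HTTP/1.1" 200 2048'

# Peer IPs of established sockets: the 11th field of a line whose 10th field
# is the "<--" arrow, with the port stripped. Reads fstat output on stdin.
peer_ips() {
    awk '$10 == "<--" { sub(/:[0-9]+$/, "", $11); print $11 }' | sort -u
}

# Number of sockets bound to nothing ("*:0"), the "dangling" entries Tor sees.
unbound_sockets() {
    awk '$9 == "*:0" { n++ } END { print n + 0 }'
}

# One line per peer: "<ip> <timestamp of its last logged request>" or
# "<ip> missing" when the peer never appears in the current access log.
# $1: fstat output, $2: access log contents.
stale_report() {
    printf '%s\n' "$1" | peer_ips | while read -r ip; do
        last=$(printf '%s\n' "$2" |
            awk -v ip="$ip" '$1 == ip { ts = $4 }
                             END { if (ts != "") { sub(/^\[/, "", ts); print ts } }')
        printf '%s %s\n' "$ip" "${last:-missing}"
    done
}

# How many open sockets have no matching access-log entry at all.
count_missing() {
    stale_report "$1" "$2" | awk '/ missing$/ { n++ } END { print n + 0 }'
}

# Live use (assumed paths): for every httpd process, compare its sockets with
# the current access log. Commented out so the example runs offline.
# for pid in $(pgrep -x httpd); do
#     stale_report "$(fstat -p "$pid")" "$(cat /var/www/logs/access.log)"
# done

stale_report "$FSTAT_SAMPLE" "$ACCESS_LOG_SAMPLE"
```

Run it once per prefork child and diff the "missing" set against the virtual servers each peer was talking to; as in Jack's case, the stale sockets tend to cluster on one backend.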
Re: OpenBSD 5.5 won't initiate VPN (Ipsec site-to-site)connection to Cisco device
On 2015-07-10, Motty Cruz wrote:
> Hello,
>
> I have a gateway machine OpenBSD 5.5 that won't initiate connection
> to peer. The one way to establish VPN tunnel is if peer ping IP in my
> subnet.

isakmpd usually tries to bring up the connection as soon as it's configured, but perhaps this negotiation is failing, maybe due to a firewall rule somewhere on/near the cisco side? Last time I set up a VPN with a cisco device, it only brought up the tunnel from their side on-demand, so if the initiation from isakmpd side fails, it might rely on network traffic from the peer's side to bring it up.
Re: how to add squid access log in /etc/newsyslog.conf
On 2015/07/13 16:20, Indunil Jayasooriya wrote:
> Hmm, thanks for your reply. this is the error.
>
> # newsyslog -v -F
> newsyslog: /etc/newsyslog.conf:18: unrecognized field: 30
>
> here's my full file
>
> # cat /etc/newsyslog.conf
>
> # $OpenBSD: newsyslog.conf,v 1.29 2011/04/14 20:32:34 sthen Exp $
> #
> # configuration file for newsyslog
> #
> # logfile_name owner:group mode count size when flags
> /var/cron/log root:wheel 600 3 10 * Z
> /var/log/aculog uucp:dialer 660 7 * 24 Z
> /var/log/authlog root:wheel 640 7 * 168 Z
> /var/log/daemon 640 5 30 * Z
> /var/log/lpd-errs 640 7 10 * Z
> /var/log/maillog 600 4 * $M1D0 Z
> /var/log/messages 644 4 * $M1D0 Z
> /var/log/secure 600 7 * 168 Z
> /var/log/wtmp 644 7 * $W6D4 B
> /var/log/xferlog 640 7 250 * Z
> /var/log/ppp.log 640 7 250 * Z
> /var/log/pflog 600 3 250 * ZB "pkill -HUP -u root -U root -t - -x pflogd"
> /var/squid/logs/access.log _squid:_squid 640 14 * @T00 Z /var/squid/logs/squid.pid 30
>
> any help to correct it.

"man syslog.conf" says this:

signal  Specify the signal to send to the process instead of SIGHUP. Signal names must start with “SIG” and be the signal name, not the number, e.g., SIGUSR1.

So it looks like you need to use a name, not the number 30.
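The two rules this thread turns up for the trailing fields of a newsyslog.conf entry (the signal must be a name such as SIGUSR1, not a number, and an entry that names a pid file but no signal falls back to SIGHUP, which for Squid means a full configuration reload rather than a log rotation) can be checked mechanically before the file is installed. The script below is an added example, not part of newsyslog(8) or squid; it assumes the field layout `logfile [owner:group] mode count size when flags [pidfile|"command"] [signal]` and runs over a constructed sample that includes the failing line from this thread, the "fixed" line that silently sends SIGHUP, and the line with SIGUSR1 spelled out.

```shell
#!/bin/sh
# Added example, not part of newsyslog(8). It checks the optional trailing
# pid-file and signal fields of newsyslog.conf entries against the rules in
# the replies above: the signal must be a name such as SIGUSR1, not a number,
# and an entry with a pid file but no signal sends SIGHUP, which for Squid
# means a full configuration reload.
# Assumed field layout: logfile [owner:group] mode count size when flags
# [pidfile|"command"] [signal].

# Constructed sample: a few stock entries, the pflog entry that runs a
# command, the failing squid line from the thread, the "fixed" line that
# silently falls back to SIGHUP, and a line naming SIGUSR1 explicitly.
NEWSYSLOG_SAMPLE='# logfile_name owner:group mode count size when flags
/var/cron/log root:wheel 600 3 10 * Z
/var/log/daemon 640 5 30 * Z
/var/log/pflog 600 3 250 * ZB "pkill -HUP -u root -U root -t - -x pflogd"
/var/squid/logs/access.log _squid:_squid 640 14 * @T00 Z /var/squid/logs/squid.pid 30
/var/squid/logs/access.log _squid:_squid 640 14 * @T00 Z /var/squid/logs/squid.pid
/var/squid/logs/access.log _squid:_squid 640 14 * @T00 Z /var/squid/logs/squid.pid SIGUSR1'

# One verdict per entry, newsyslog.conf on stdin.
lint_newsyslog() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
    {
        i = 2
        if ($i ~ /:/) i++                   # optional owner:group
        i += 5                              # skip mode count size when flags
        pidfile = $i
        signal = $(i + 1)
        if (pidfile == "") {
            printf "%s: ok, no process signalled\n", $1
        } else if (pidfile ~ /^"/) {
            printf "%s: ok, runs a command\n", $1
        } else if (pidfile !~ /^\//) {
            printf "%s: ERROR pid file must be an absolute path, not \"%s\"\n", $1, pidfile
        } else if (signal == "") {
            printf "%s: WARN default SIGHUP will be sent via %s\n", $1, pidfile
        } else if (signal !~ /^SIG/) {
            printf "%s: ERROR signal must be a name such as SIGUSR1, not \"%s\"\n", $1, signal
        } else {
            printf "%s: ok, %s via %s\n", $1, signal, pidfile
        }
    }'
}

# Number of ERROR verdicts, usable as an exit status in a pre-install check.
lint_errors() {
    lint_newsyslog | awk '/: ERROR / { n++ } END { print n + 0 }'
}

printf '%s\n' "$NEWSYSLOG_SAMPLE" | lint_newsyslog
```

Against the real file, `lint_newsyslog < /etc/newsyslog.conf` lists one verdict per entry; the WARN line is the one to act on for Squid, since a HUP on every rotation is the behaviour the later reply in this thread warns about.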
Re: how to add squid access log in /etc/newsyslog.conf
I deleted 30 from that line. Now it looks like this.

/var/squid/logs/access.log _squid:_squid 640 14 * @T00 Z /var/squid/logs/squid.pid

Now it seems to work

# newsyslog -v -F
/var/cron/log <3Z>: size (KB): 664.08 [10] --> trimming log
/var/log/authlog <7Z>: age (hr): 435 [168] --> trimming log
/var/log/daemon <5Z>: size (KB): 26.76 [30] --> trimming log
/var/log/lpd-errs <7Z>: size (KB): 0.00 [10] --> trimming log
/var/log/maillog <4Z>: --> trimming log
/var/log/messages <4Z>: --> trimming log
/var/log/secure <7Z>: age (hr): 461 [168] --> trimming log
/var/log/wtmp <7B>: --> trimming log
/var/log/xferlog <7Z>: size (KB): 0.00 [250] --> trimming log
/var/log/pflog <3ZB>: size (KB): 1557278.09 [250] --> trimming log
/var/squid/logs/access.log <14Z>: --> trimming log

Now I have 2 files in this way.

-rw-r-----  1 _squid  _squid     28668 Jul 13 16:27 access.log
-rw-r-----  1 _squid  _squid  56380324 Jul 13 16:24 access.log.0.gz

Let's see tomorrow morning,

On Mon, Jul 13, 2015 at 4:24 PM, Craig Skinner wrote:
> On 2015-07-13 Mon 13:25 PM |, Indunil Jayasooriya wrote:
>> Hi misc,
>>
>> I want /etc/newsyslog.conf to generate /var/squid/logs/access.log daily.
>> This is the entry I have added to /etc/newsyslog.conf file. But it does NOT
>> work.
>>
>> */var/squid/logs/access.log _squid:_squid 640 14 * @T00 Z /var/squid/logs/squid.pid 30*
>>
>> any comments ?
>
> Squid can rotate its own logs.
>
> Search for 'rotate' in squid(8) and 'logfile_rotate' in
> /usr/local/share/examples/squid/squid.conf.documented
> Which says: "It is best to get in the habit of using
> 'squid -k rotate' instead of 'kill -USR1 '"
>
> I use a monthly _squid cron job like this:
>
> # -- 8< --
> # crontab(5) ENVIRONMENT
> # PATH (& umask) defined in /etc/login.conf
> MAILTO=webmaster
> # ENVIRONMENT debug:
> # * * * * * logname; umask; pwd; printenv | sort
> @monthly nice -n 20 squid -k rotate || print $?
> # -- 8< --
>
> Edit _squid's crontab with:
>
> $ sudo su -l -s /bin/sh _squid -c 'crontab -e'
>
> Cheers.
> --
> Drugs may be the road to nowhere, but at least they're the scenic route!

-- 
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html - Download Sinhala Fonts
Re: odd behaviour of spamdb
On Mon, 13 Jul 2015 09:14:37 +0200, Markus Rosjat wrote:

> hi there,
>
> I have the following script to delete spam mx ip from the spamd
> whitelist and write them in my own blacklist. After that I reload the
> blacklist with spamd-setup. This seems to work but I noticed when the
> same ip has another mail in the greylist the ip becomes whitelisted if
> the delivery attempt is successful (which it shouldn't in the first place
> because I trapped the ip and put it in my blacklist). This seems like an
> odd behaviour to me, it's not the end of the world but it feels kinda
> wrong :)
>
> here is the script:
>
> ip_range=$1
>
> for i in `spamdb | grep $ip_range | grep WHITE | awk -F "|" '{print $2}'`;
> do
>     echo $i
>     /usr/sbin/spamdb -d $i
>     /usr/sbin/spamdb -a -t $i
>     echo $i >> /etc/mail/blacksheep.txt
> done
>
> /usr/libexec/spamd-setup
>
> maybe someone give me some hints for improvement

The explicit deletion (-d) is unnecessary and may have race condition
problems. An IP that is both trapped and grey will not be re-added to
the whitelist, unless spamlogd interferes.

--
(Remove the obvious prefix to reply privately.)
Created with Opera's e-mail program: http://www.opera.com/mail/
Re: how to add squid access log in /etc/newsyslog.conf
On 2015-07-13 Mon 13:25 PM |, Indunil Jayasooriya wrote:
> Hi misc,
>
> I want /etc/newsyslog.conf to generate /var/squid/logs/access.log daily.
> This is the entry I have added to /etc/newsyslog.conf file. But it does NOT
> work.
>
> /var/squid/logs/access.log _squid:_squid 640 14 * @T00Z /var/squid/logs/squid.pid 30
>
> any comments ?

Squid can rotate its own logs.

Search for 'rotate' in squid(8) and 'logfile_rotate' in
/usr/local/share/examples/squid/squid.conf.documented
Which says: "It is best to get in the habit of using
'squid -k rotate' instead of 'kill -USR1 '"

I use a monthly _squid cron job like this:

# -- 8< --

# crontab(5) ENVIRONMENT
# PATH (& umask) defined in /etc/login.conf
MAILTO=webmaster
# ENVIRONMENT debug:
# * * * * * logname; umask; pwd; printenv | sort
@monthly nice -n 20 squid -k rotate || print $?

# -- 8< --

Edit _squid's crontab with:

$ sudo su -l -s /bin/sh _squid -c 'crontab -e'

Cheers.
--
Drugs may be the road to nowhere, but at least they're the scenic route!
Re: Libreoffice i386 crash on 5.8 snapshot
On 2015-07-12, Alexis Parseghian wrote:
> On Sun, Jul 12, 2015 at 5:23 PM, Edgar Pettijohn wrote:
> > > Attempting to run libreoffice (be it writer, calc or the 'soffice'
> > > chooser component) fails with the error listed below.
> > >
> > > terminate called after throwing an instance of
> > > 'com::sun::star::uno::DeploymentException'
> > > (more snipping : double-checking sysmerge and pkg_add -u)
> >
> > I would recommend removing it and reinstalling. My mirror shows 4.4.3.2 to
> > be the latest. You're showing to have 4.3.5.2 installed which is probably
> > what the problem is. If you installed from ports did you update your tree
> > first if not is PKG_PATH set correctly.
>
> I set installpath in pkg.conf, and I try to stick to packages whenever
> possible (99% of the time :) ).
>
> The old installed version was indeed the problem, 'pkg_delete
> libreoffice' followed by 'pkg_add libreoffice' bumped me to 4.4.3.2
> which works as expected. First time I see a package failing to upgrade
> this way, though. Maybe I missed something with the jump to snapshots
> itself ?
>
> Anyway, case solved.
>
> Thank you.

If you update to snapshots, you should run "pkg_add -u", did you do that?
Re: Dell FX2 or Huawei E9000 dmesg(s), anyone?
> Would anyone care to share amd64 dmesg(s) from Dell FX2 or Huawei E9000?

If this question is not a joke, the guesstimate is you'd be posting a
dmesg when/if you come to spin these in production use, no?
Re: how to add squid access log in /etc/newsyslog.conf
On 2015-07-13, Indunil Jayasooriya wrote:
> Hi misc,
>
> I want /etc/newsyslog.conf to generate /var/squid/logs/access.log daily.
> This is the entry I have added to /etc/newsyslog.conf file. But it does NOT
> work.
>
> /var/squid/logs/access.log _squid:_squid 640 14 * @T00Z /var/squid/logs/squid.pid 30
>
> any comments ?
>
> I referred to below urls
>
> http://jamesoff.net/site/reference/squid-log-rotation-with-newsyslog/
> http://lists.freebsd.org/pipermail/freebsd-questions/2007-July/154219.html
> http://lists.freebsd.org/pipermail/freebsd-questions/2003-October/021765.html

In what way does it "not work"? What does "newsyslog -v -F" say?
Re: mail server on rental server , cannot send gmail.com
Hi Tuyosi

On 2015-07-13 Mon 16:41 PM |, Tuyosi Takesima wrote:
>
> perhaps i solved the quiz to send and receive email .
>
> openbsd mail server (this has main cf)
>          |
>      internet
>          |
>       1.2.3.4
>       router
>          |
>        dhcp
> linux(thunderbird)
>
> in /etc/postfix/main.cf
> mynetworks = 127.0.0.0/8, 1.2.3.4/32

This works because the default smtp daemon relay restrictions permit
$mynetworks, and authenticated connections:

$ postconf -dh smtpd_relay_restrictions
permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

Users either need to authenticate, or have an IP address in $mynetworks.

When your WiFi router changes IP address, this won't work anymore.

If someone else gets DHCP allocated your WiFi router's address, they can
relay spam through your server. The server rental company could evict you.

When you connect from a cafe, train, airport, hotel, it won't work.

$mynetworks is usually for NAT & ISP customer address blocks.

See:
/usr/local/share/doc/postfix/html/BASIC_CONFIGURATION_README.html#relay_from
mynetworks and smtpd_relay_restrictions in postconf(5)

Web:
http://www.postfix.org/BASIC_CONFIGURATION_README.html#relay_from
http://www.postfix.org/postconf.5.html#mynetworks
http://www.postfix.org/postconf.5.html#smtpd_relay_restrictions

The solution is for remote users to authenticate on the submission port.
Re: httpd stops accepting connections after a few hours on current
On Sun, Jul 12, 2015 at 07:56:37PM +0930, Jack Burton wrote:
>
> It is possible I simply failed to provision sufficient capacity --
> which could easily be fixed by adding a login class for www with a
> higher limit on open fds -- but I fear that might just be hiding the
> problem rather than addressing it: exhausting a 512 fd limit with
> peak load of only 48 req/sec (and average load of 2 req/sec) just
> doesn't feel right (especially when that peak load is all 303s
> generated internally by httpd, which each take only a tiny fraction of
> a second to process).
>

I don't pretend to know httpd (at all), but I'm wondering, what should
fstat(1) say, over time, for the httpd processes?

Of the (2) processes that have streams related to remote hosts, there are
several IP addresses that are never logged to the SSL access log. For
example, this one from umich.edu, which is more than 2 days old*:

$ fstat -p 29431 | grep 141.212.122.50
www      httpd      29431    5* internet stream tcp 0x0 193.214.208.180:443 <-- 141.212.122.50:29801
$ fstat -p 17244 | grep 141.212.122.50
$
$ grep 141.212.122.50 /local/www/logs/ssl-access.log
$

Is this normal behaviour?

Tor

* This one, from shadowserver.org, which does exist in the ssl-access.log,
was opened on 10 July, same day the server was rebooted:

www      httpd      29431   12* internet stream tcp 0x0 193.214.208.180:443 <-- 184.105.247.196:35517

www.bogus.net 184.105.247.196 - - [10/Jul/2015:03:41:05 +0200] "GET / HTTP/1.1" 200 67 "" ""
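The check Tor does by hand above (an open TCP stream in fstat with no matching line in the access log) is worth automating before deciding whether to raise the www login class fd limit: connections that sit open for days without ever producing a request are exactly what eats a 512-fd budget at 2 req/sec. The following is an added example written for this thread, not code from OpenBSD httpd or from anyone in the discussion. It assumes fstat's "local <-- remote" notation for TCP sockets as shown in the post, httpd's default log format with the virtual host in field 1 and the client address in field 2, and IPv4 peers; the helper names httpd_unlogged_peers and httpd_sample_dir are mine, and the sample data is constructed from the two fstat lines and the one log line in the post plus one made-up peer in the 198.51.100.0/24 documentation range.

```shell
#!/bin/sh
# httpd_unlogged_peers: list remote addresses that hold an open TCP stream to
# httpd (as seen by fstat(1)) but never appear in the access log.
# Hypothetical helper written for this thread, not part of OpenBSD httpd.
# Usage: httpd_unlogged_peers FSTAT_OUTPUT ACCESS_LOG
httpd_unlogged_peers() {
    awk '
    # First argument: saved fstat output. Collect the remote end of each
    # "internet stream tcp" line, written by fstat as "local <-- remote".
    FILENAME == ARGV[1] {
        if ($0 ~ /internet stream tcp/ && match($0, /<-- [0-9.]+:[0-9]+/)) {
            peer = substr($0, RSTART + 4, RLENGTH - 4)   # strip the "<-- " prefix
            sub(/:[0-9]+$/, "", peer)                     # drop the remote port
            open[peer] = 1
        }
        next
    }
    # Second argument: access log. In httpd default format field 1 is the
    # virtual host and field 2 the client address.
    { logged[$2] = 1 }
    END { for (p in open) if (!(p in logged)) print p }
    ' "$1" "$2" | sort
}

# httpd_sample_dir: write constructed fstat output and access log into a
# temporary directory and print its path. Two peers come from the post; the
# third (198.51.100.7) is made up for the example.
httpd_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/fstat.txt" <<'EOF'
www      httpd      29431    5* internet stream tcp 0x0 193.214.208.180:443 <-- 141.212.122.50:29801
www      httpd      29431   12* internet stream tcp 0x0 193.214.208.180:443 <-- 184.105.247.196:35517
www      httpd      29431   13* internet stream tcp 0x0 193.214.208.180:443 <-- 198.51.100.7:40001
www      httpd      29431    3* unix stream 0x0
EOF
    cat > "$d/access.log" <<'EOF'
www.bogus.net 184.105.247.196 - - [10/Jul/2015:03:41:05 +0200] "GET / HTTP/1.1" 200 67 "" ""
EOF
    printf '%s\n' "$d"
}

# Demo: on a live box you would use
#   fstat -u www > /tmp/fstat.txt && httpd_unlogged_peers /tmp/fstat.txt /local/www/logs/ssl-access.log
sample=$(httpd_sample_dir)
httpd_unlogged_peers "$sample/fstat.txt" "$sample/access.log"
rm -rf "$sample"
```

Run it periodically and count the output lines: a steadily growing number of unlogged peers while request volume stays flat points at idle connections being held rather than at genuine capacity, and is the number to quote when deciding whether a higher fd limit fixes or merely postpones the hang.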
Re: odd behaviour of spamdb
On 13.07.2015 at 10:07, patrick keshishian wrote:
> On 7/13/15, Markus Rosjat wrote:
> > hi there,
> >
> > I have the following script to delete spam mx ip from the spamd
> > whitelist and write them in my own blacklist. After that I reload the
> > blacklist with spamd-setup. This seems to work but I noticed when the
> > same ip has another mail in the greylist the ip becomes whitelisted if
> > the delivery attempt is successful (which it shouldn't in the first place
> > because I trapped the ip and put it in my blacklist). This seems like an
> > odd behaviour to me, it's not the end of the world but it feels kinda
> > wrong :)
>
> If i understand your message correctly, after removal of the ip from
> the WHITE list, it still remains in the GREY, which will be WHITE-listed
> again, on the next spamd scan (60 second interval), thus, allowing for
> the successful delivery.

well after the first run of the script the ip should be trapped and in my
opinion the grey mail shouldn't white list the ip again. I just saw this
behaviour 2 times with the same ip because they sent the mail to 3
different mail addresses.

> To see this with an IP that has been WHITE-listed, but still in the
> GREY, do:
>
> $ spamdb | grep $ip
> WHITE|$ip|...
> GREY|$ip|...
> $ spamdb -d $ip
> $ spamdb | grep $ip
> GREY|$ip|...
> $ sleep 60
> $ spamdb | grep $ip
> WHITE|$ip|...
> GREY|$ip|...
>
> As a side note, your awk bit can be replaced by a `cut -d \| -f 2'.

thanks for the hint :)

> --patrick
>
> > here is the script:
> >
> > ip_range=$1
> >
> > for i in `spamdb | grep $ip_range | grep WHITE | awk -F "|" '{print $2}'`;
> > do
> >     echo $i
> >     /usr/sbin/spamdb -d $i
> >     /usr/sbin/spamdb -a -t $i
> >     echo $i >> /etc/mail/blacksheep.txt
> > done
> >
> > /usr/libexec/spamd-setup
> >
> > maybe someone give me some hints for improvement
> >
> > regards
> >
> > --
> > Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
> >
> > G+H Webservice GbR Gorzolla, Herrmann
> > Königsbrücker Str. 70, 01099 Dresden
> >
> > http://www.ghweb.de
> > fon: +49 351 8107220 fax: +49 351 8107227
> >
> > Please check whether this mail really needs to be printed! Before you
> > print it, think about your responsibility and commitment to the ENVIRONMENT

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you
print it, think about your responsibility and commitment to the ENVIRONMENT
Re: odd behaviour of spamdb
On 7/13/15, Markus Rosjat wrote:
> hi there,
>
> I have the following script to delete spam mx ip from the spamd
> whitelist and write them in my own blacklist. After that I reload the
> blacklist with spamd-setup. This seems to work but I noticed when the
> same ip has another mail in the greylist the ip becomes whitelisted if
> the delivery attempt is successful (which it shouldn't in the first place
> because I trapped the ip and put it in my blacklist). This seems like an
> odd behaviour to me, it's not the end of the world but it feels kinda
> wrong :)

If i understand your message correctly, after removal of the ip from the
WHITE list, it still remains in the GREY, which will be WHITE-listed again,
on the next spamd scan (60 second interval), thus, allowing for the
successful delivery.

To see this with an IP that has been WHITE-listed, but still in the GREY, do:

$ spamdb | grep $ip
WHITE|$ip|...
GREY|$ip|...
$ spamdb -d $ip
$ spamdb | grep $ip
GREY|$ip|...
$ sleep 60
$ spamdb | grep $ip
WHITE|$ip|...
GREY|$ip|...

As a side note, your awk bit can be replaced by a `cut -d \| -f 2'.

--patrick

> here is the script:
>
> ip_range=$1
>
> for i in `spamdb | grep $ip_range | grep WHITE | awk -F "|" '{print $2}'`;
> do
>     echo $i
>     /usr/sbin/spamdb -d $i
>     /usr/sbin/spamdb -a -t $i
>     echo $i >> /etc/mail/blacksheep.txt
> done
>
> /usr/libexec/spamd-setup
>
> maybe someone give me some hints for improvement
>
> regards
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220 fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before you
> print it, think about your responsibility and commitment to the ENVIRONMENT
how to add squid access log in /etc/newsyslog.conf
Hi misc,

I want /etc/newsyslog.conf to generate /var/squid/logs/access.log daily.
This is the entry I have added to /etc/newsyslog.conf file. But it does NOT
work.

/var/squid/logs/access.log _squid:_squid 640 14 * @T00Z /var/squid/logs/squid.pid 30

any comments ?

I referred to below urls

http://jamesoff.net/site/reference/squid-log-rotation-with-newsyslog/
http://lists.freebsd.org/pipermail/freebsd-questions/2007-July/154219.html
http://lists.freebsd.org/pipermail/freebsd-questions/2003-October/021765.html

--
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html - Download Sinhala Fonts
Re: mail server on rental server , cannot send gmail.com
Hi,all.

perhaps i solved the quiz to send and receive email .

openbsd mail server (this has main cf)
         |
     internet
         |
      1.2.3.4
      router
         |
       dhcp
linux(thunderbird)

in /etc/postfix/main.cf
mynetworks = 127.0.0.0/8, 1.2.3.4/32

1.2.3.4 is obtained with curl ifconfig.me on linux, or by viewing ifconfig.me in firefox.

details are on http://aoiyuma.mydns.jp/mail-server.html

---
regards
odd behaviour of spamdb
hi there,

I have the following script to delete spam mx ip from the spamd
whitelist and write them in my own blacklist. After that I reload the
blacklist with spamd-setup. This seems to work but I noticed when the
same ip has another mail in the greylist the ip becomes whitelisted if
the delivery attempt is successful (which it shouldn't in the first place
because I trapped the ip and put it in my blacklist). This seems like an
odd behaviour to me, it's not the end of the world but it feels kinda
wrong :)

here is the script:

ip_range=$1

for i in `spamdb | grep $ip_range | grep WHITE | awk -F "|" '{print $2}'`;
do
    echo $i
    /usr/sbin/spamdb -d $i
    /usr/sbin/spamdb -a -t $i
    echo $i >> /etc/mail/blacksheep.txt
done

/usr/libexec/spamd-setup

maybe someone give me some hints for improvement

regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you
print it, think about your responsibility and commitment to the ENVIRONMENT
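Two things in this thread are worth turning into reusable pieces: the selection step, where `grep $ip_range` matches the range anywhere on the spamdb line (so "10.1." also selects 110.1.x.x and 10.10.x.x, and matches inside the sender or recipient fields of GREY records), and the diagnosis from the replies, that an address which is WHITE and still GREY comes back on the next scan after a plain `spamdb -d`, while a trapped address does not. The helpers below are an added example written for this thread, not Markus's script and not part of OpenBSD's spamd; they read spamdb(8) output on stdin so they can be exercised on a captured or constructed listing, and assume the record layout spamdb prints (fields separated by `|`, the first being WHITE, GREY or TRAPPED and the second the address). The function names, the blacklist path default taken from the thread, and the sample listing built from documentation addresses are mine.

```shell
#!/bin/sh
# Helpers for working with spamdb(8) output, written for this thread; they are
# not part of OpenBSD spamd. Each reads a spamdb listing on stdin.

# Print addresses of WHITE entries whose address starts with the given prefix.
# Anchored at the start of the address field, unlike 'grep $prefix', so a
# prefix such as 10.1. cannot match 110.1.x.x, 10.10.x.x or a sender address.
spamdb_white_in_range() {
    awk -F'|' -v p="$1" '$1 == "WHITE" && index($2, p) == 1 { print $2 }'
}

# Print addresses that are WHITE and still have GREY entries: the situation
# patrick describes, where the next spamd scan re-whitelists the address
# after a plain 'spamdb -d'.
spamdb_white_and_grey() {
    awk -F'|' '
        $1 == "WHITE" { white[$2] = 1 }
        $1 == "GREY"  { grey[$2] = 1 }
        END { for (a in white) if (a in grey) print a }' | sort
}

# Trap every address read on stdin and record it in a local blacklist file for
# spamd-setup. Following the advice in the thread there is no 'spamdb -d': a
# trapped address is not re-whitelisted from its grey entries. Only dotted
# IPv4 addresses are accepted, so a stray field cannot reach spamdb.
spamdb_trap_addresses() {
    blacklist=${1:-/etc/mail/blacksheep.txt}    # default path from the thread
    while IFS= read -r addr; do
        case $addr in
            ""|*[!0-9.]*) continue ;;
        esac
        printf '%s\n' "$addr" >> "$blacklist"
        /usr/sbin/spamdb -a -t "$addr"
    done
}

# Constructed sample listing using documentation address ranges; the field
# counts follow spamdb's WHITE, GREY and TRAPPED records.
spamdb_sample() {
    cat <<'EOF'
WHITE|192.0.2.10|1436780000|1436800000|1439800000
WHITE|192.0.2.11|1436780000|1436800000|1439800000
WHITE|198.51.100.5|1436780000|1436800000|1439800000
GREY|192.0.2.10|<sender@example.net>|<user@example.org>|1436780000|1436800000|1436800000|1|0
TRAPPED|203.0.113.9|1437000000
EOF
}

# Demo: whitelisted addresses in 192.0.2., then the ones that are still grey.
spamdb_sample | spamdb_white_in_range 192.0.2.
spamdb_sample | spamdb_white_and_grey
# On a live box the pipeline would be:
#   spamdb | spamdb_white_in_range 192.0.2. | spamdb_trap_addresses && /usr/libexec/spamd-setup
```

Keeping selection, diagnosis and action in separate functions means the first two can be run read-only against `spamdb` output to see exactly which addresses would be trapped before anything is written to the database or to the blacklist file.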