Re: OBSD 4.1 drops to ddb with cdd0: error 22 on component 0 (and 1 (mirror))
This is the expected behavior for a failure on a CCD component. Try cutting the SATA cable on a live system some time; watch the kernel panic there as well. Suddenly it can't stat() / or read/write from swap. You're playing with fire with CCD anyway: RAID0. The stuff in 4.1 wasn't touched for months... 6, 10, 11, 11, look at the time between commits. There's some new recent activity. Try RAIDFrame w/ raid0 for a little-more-active development.

~BAS

On Thu, 2007-06-14 at 15:56 +0200, Marius Hooge wrote:
> Hi, I don't know how to handle this:
>
> My OpenBSD 4.1 Generic i386 box "occasionally" freezes completely, without any warning.
> No Ctrl+Mod1+F1 or any other key-combination, no ssh or ping works.

IMPORTANT: This message contains confidential information and is intended only for the individual named. If the reader of this message is not an intended recipient (or the individual responsible for the delivery of this message to an intended recipient), please be advised that any re-use, dissemination, distribution or copying of this message is prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
Re: max number of connections through the firewall
From previous discussions (search the archives) this has nothing to do with userland memory available but with kernel data structures. Also read the pf.conf(5) man page:

OPTIONS
     pf(4) may be tuned for various situations using the set command.

     interval   Interval between purging expired states and
     [...snip...]

     set limit states 1

~BAS

On Wed, 20 Jun 2007, Florin Andrei wrote:

I am trying to approximate the maximum number of open TCP connections that an OpenBSD firewall can support at any given time. The scenario here is a firewall with 2 interfaces, a bunch of Web servers behind it on private IP addresses, a fairly simple set of rules (NAT each server on a public IP address on the external interface, allow HTTP in, deny the rest).

How much memory is used by every new TCP connection that the firewall needs to keep track of? Will the firewall run into other problems before it runs out of memory? Will NAT use memory in the scenario described above?

-- Florin Andrei http://florin.myip.org/

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/ "Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail?" ~Maynard James Keenan
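The reply above points at `set limit states` in pf.conf(5); the thing a practitioner then wants is a way to watch how close the state table is getting to that kernel limit before new connections start being refused. The script below is an added example written for this edit, not code from the thread or from the OpenBSD tree. It is shaped like a Nagios-style check: the two SAMPLE_* strings are constructed to look like `pfctl -si` and `pfctl -sm` output from a 4.1-era box, and on a live firewall you would pass the real command output instead.

```shell
#!/bin/sh
# Editor's added example (not from the thread): report how full the pf state
# table is relative to `set limit states`, from the text of `pfctl -si` and
# `pfctl -sm`. Both SAMPLE_* strings are constructed to mimic 4.1-era output;
# on a real firewall call: pf_state_check "$(pfctl -si)" "$(pfctl -sm)" 90

SAMPLE_SI='Status: Enabled for 3 days 04:11:07              Debug: Urgent

State Table                          Total             Rate
  current entries                     9123
  searches                       731204321         2771.2/s
  inserts                          2033117            7.7/s
  removals                         2023994            7.7/s'

SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit      500'

# pf_state_usage SI_TEXT SM_TEXT
# Prints "<current> <hard-limit> <percent>"; exit 2 if either value is missing
# (e.g. pf disabled, or output from a pfctl that formats things differently).
pf_state_usage() {
    cur=$(printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" { print $NF; exit }')
    [ -n "$cur" ] && [ -n "$lim" ] || return 2
    printf '%s %s %s\n' "$cur" "$lim" $(( cur * 100 / lim ))
}

# pf_state_check SI_TEXT SM_TEXT [THRESHOLD_PERCENT]
# Exit 0 while usage is below the threshold (default 90), 1 when at or above
# it, 2 when the input could not be parsed. Usable as a monitoring check body.
pf_state_check() {
    thr=${3:-90}
    usage=$(pf_state_usage "$1" "$2") || return 2
    set -- $usage
    [ "$3" -lt "$thr" ]
}

# Stand-alone run over the constructed sample.
usage=$(pf_state_usage "$SAMPLE_SI" "$SAMPLE_SM")
echo "pf states: $usage  (current hard-limit percent)"
if ! pf_state_check "$SAMPLE_SI" "$SAMPLE_SM" 90; then
    echo "WARNING: state table at or above 90% of 'set limit states'; at 100% pf refuses new states"
fi
```

Once the check fires, the fix is on the pf.conf side (`set limit states N`, bounded by the kernel pool), not in userland memory, which is the point the reply makes.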
Re: [Nagiosplug-devel] nagios check_carp for OpenBSD carp(4)
Just to follow up: I have written a plugin that uses the somewhat complete PHP Net-SNMP bindings (no getsnmptable() ?!) and the new PF-MIB::CARP Agent Extensions to Net-SNMP snmpd(8). I'll post it on NagiosExchange for review if/when I can deploy a production 4.1-stable system.

~BAS

On Fri, 2006-12-15 at 19:15 -0500, Brian A. Seklecki wrote:
> Thoughts? Strategies? Ideas?
> ---
CARP interface state change logging patch
The OpenBSD PF-MIB stuff is incredibly useful -- especially the PF-MIB:CarpIFTable objects. Thanks to all involved with that. I've also had success with Net-SNMP 5.4 (opti@'s version) with those patches; will try to port them to other PF-enabled OSs soon.

In the meantime, I want to keep going with additional debugging and monitoring functionality in CARP. Here is a small patch that is incredibly useful for troubleshooting and debugging cumbersome issues. Silence is killer, especially when you turn on "logging" and receive nothing. This adds functionality similar to "debug standby" in Cisco-land:

*Mar 1 02:56:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0, changed state to up
*Mar 1 02:56:14: SB0: FastEthernet3/0 state Listen -> Init
*Mar 1 02:56:20: SB0: FastEthernet3/0 state Init -> Listen
*Mar 1 02:56:30: SB0: FastEthernet3/0 state Listen -> Speak
*Mar 1 02:56:40: SB0: FastEthernet3/0 state Speak -> Standby
*Mar 1 02:56:41: SB0: FastEthernet3/0 state Standby -> Active

With this patch:

# ifconfig carp40 vhid 40 carpdev pcn0 pass foo up
Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: MASTER -> to: INIT
Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: INIT -> to: BACKUP
Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: BACKUP -> to: INIT
Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: INIT -> to: BACKUP
Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: BACKUP -> to: INIT
Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: INIT -> to: BACKUP
Jun 20 03:05:49 vmware-openbsd-lab /bsd: carp40: state transition from: BACKUP -> to: MASTER

I think there are probably ~20 other CARP_LOG() calls that could improve the experience, but this is a good place to start and we'll move on from there.
Against the OPENBSD_4_1 tree (rev 1.132.2.1): # cvs diff -u ip_carp.c Index: ip_carp.c === RCS file: /cvs/src/sys/netinet/ip_carp.c,v retrieving revision 1.132.2.1 diff -u -r1.132.2.1 ip_carp.c --- ip_carp.c 2007/04/30 20:39:44 1.132.2.1 +++ ip_carp.c 2007/06/20 07:03:15 @@ -2111,6 +2111,8 @@ void carp_set_state(struct carp_softc *sc, int state) { + static const char *carp_states[] = { CARP_STATES }; + CARP_LOG(sc, ("state transition from: %s -> to: %s", carp_states[sc->sc_state], carp_states[state])); if (sc->sc_state == state) return;
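Review bot: the added CARP_LOG() in carp_set_state() sits above the existing `if (sc->sc_state == state) return;`, so a call that sets the state the interface already has will still log a "transition" such as "BACKUP -> to: BACKUP" and add noise to exactly the trace this patch is meant to make readable. Move the CARP_LOG() line below that early return so only real transitions are recorded, or give the no-op case its own wording if you want to see it. A smaller point: the new `static const char *carp_states[] = { CARP_STATES };` is declared inside the function; a file-scope static would let the other CARP_LOG() sites the message mentions adding later reuse the same table instead of each declaring its own.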
Re: pf in 4.0 not honoring nat rule with table for vlan tagged interface
Very bizarre. The only advice I can offer is that maybe it's getting confused on "-> $nat_if" instead of the more-pragmatic "-> ($nat_if)". Perhaps the parse code is trying too hard to resolve $nat_if in the former, and thus finding the underlying interface instead of the logical upper-layer vlan interface? Give it a shot. If not, we'll turn up debugging and log.

~BAS

On Tue, 19 Jun 2007, Albert Chin wrote:

I have a perfectly-working 4.0 firewall and decided to move one of the physical interfaces to a new vlan tagged interface. I changed the interface name in pf.conf and noticed that NAT wasn't working. The NAT rule is:

nat_if = "vlan109"
table const { 192.168.1.0/24, 192.168.4.0/24, 10.191.57.0/24 }
nat pass log on $nat_if from to any -> $nat_if

If nat_if is a physical interface, like fxp0, the above nat rule works. I can get the nat rule to work if I omit the use of the table:

nat pass log on $nat_if from { 192.168.1.0/24, \
    192.168.4.0/24, \
    10.191.57.0/24 } to any -> $nat_if

So:
1. If the only change I make to pf.conf is a global search/replace from "fxp0" to "vlan109", why doesn't pf behave as if using a physical interface?
2. Why the workaround above to get pf working with the vlan tagged interface? Bug in pf?

-- albert chin ([EMAIL PROTECTED])
Re: Random crash
This is part of the strong pseudo-random number generator:

$ grep -ir enqueue_randomness /usr/src/sys/*
/usr/src/sys/dev/rnd.c:enqueue_randomness(state, val)
/usr/src/sys/dev/rndvar.h:#define add_true_randomness(d) enqueue_randomness(RND_SRC_TRUE, (int)(d))
/usr/src/sys/dev/rndvar.h:#define add_timer_randomness(d) enqueue_randomness(RND_SRC_TIMER, (int)(d))
/usr/src/sys/dev/rndvar.h:#define add_mouse_randomness(d) enqueue_randomness(RND_SRC_MOUSE, (int)(d))
/usr/src/sys/dev/rndvar.h:#define add_tty_randomness(d) enqueue_randomness(RND_SRC_TTY, (int)(d))
/usr/src/sys/dev/rndvar.h:#define add_disk_randomness(d) enqueue_randomness(RND_SRC_DISK, (int)(d))
/usr/src/sys/dev/rndvar.h:#define add_net_randomness(d) enqueue_randomness(RND_SRC_NET, (int)(d))
/usr/src/sys/dev/rndvar.h:#define add_audio_randomness(d) enqueue_randomness(RND_SRC_AUDIO, (int)(d))
/usr/src/sys/dev/rndvar.h:#define add_video_randomness(d) enqueue_randomness(RND_SRC_VIDEO, (int)(d))
/usr/src/sys/dev/rndvar.h:void enqueue_randomness(int, int);

Are you doing something strong with Cryptography?

~~BAS

On Tue, 19 Jun 2007, Jacob Yocom-Piatt wrote:

Luca Losio wrote:
Hi all, I'm having a lot of crashes with my 4.1 since I updated from 4.0 ...the console output is:

page fault trap code=0
Stopped at enqueue_randomness+0xc5: addb %al,0(%eax)
ddb>

I tried checking the RAM (Memtest ran 20 hours without any error and I used this box with another RAM stick) and I get the same result... a crash every 10-15 hours. Any suggestion?

read http://openbsd.org/report.html . it contains the following wisdom "*This is essential whenever possible. Panic reports without panic message, traceback and ps output are useless."*

cheers, jake
Re: PF overload table
see the "-x" argument to pfctl(8); try turning up the debugging level to various settings and watch syslog

~BAS

On Mon, 2007-06-18 at 13:46 +0200, Alberich de megres wrote:
> I'm wondering if there is some way to log when an ip is inserted in a
> table?

-- Brian A. Seklecki <[EMAIL PROTECTED]> Collaborative Fusion, Inc.
Re: Strange error after upgrade 4.0->4.1
When your pfctl(8) or related binaries are 4.0 and are out of date for the 4.1 kernel data structures, you get this error. Rebuild pfstat against the new headers?

~BAS

On Thu, 14 Jun 2007, Tim Kuhlman wrote:

On Thu June 14 2007 10:02:29 am Uwe Dippel wrote:
I am getting this into my mailbox; as a result of /usr/local/bin/pfstat -q:
ioctl: DIOCGETALTQS: Permission denied
pf_query: query_queues() failed

You are getting that in your mailbox? Are you running it via cron and if so what user is it running as? It is a permissions error; you should be running the command as root.

-- Tim Kuhlman Network Administrator ColoradoVnet.com
Re: Load balancing with DSR
No argument there on the pragmatics. But it does work, and a lot of places use it.

~BAS

FYI I wasn't advocating implementing it; just providing background. If you want it, shell out the $500k for the hardware L.B.

On Thu, 2007-06-14 at 00:07 +0200, Reyk Floeter wrote:
> On Wed, Jun 13, 2007 at 12:36:33PM -0400, Brian A. Seklecki wrote:
> > Such as Distributed computing environments where you have your HAL4
> > service VIP on the same segment/subnet as your distributed server farm.
> >
> so they should redesign their network instead of inventing crazy
> features. this DSR sounds like a hack, an evil workaround which can be
> sold as a $ feature by the named companies.
>
> i still do not believe in it, because it bypasses the main benefit of
> OpenBSD-based loadbalancing: running a good firewall and "network
> optimizer" in front of the loadbalanced servers. and it does some very
> strange tricks with the network stacks.
>
> > Or HA databases
> >
> and there is no better way to connect them?
>
> > ~BAS
> >
> > On Wed, 2007-06-13 at 17:49 +0200, Pierre-Yves Ritschard wrote:
> > > best pf network stack cannot solve.
Re: A question about OpenBSD
md5.exe and md5sum.exe can also be found for windows.

~BAS

On Tue, 2007-06-12 at 23:10 +0100, Stuart Henderson wrote:
> On 2007/06/13 07:48, John Tate wrote:
> > I am downloading OpenBSD 4.2
>
> 4.2, that's impressive (-:
>
> > I know how to use everything in that but being
> > young I am not too sure about the checksum format, md5 tends to rule the
> > world these days.
> >
> > What is it called exactly?
>
> You mean, in CKSUM? Cyclic redundancy check. See cksum(1).
Re: Load balancing with DSR
Such as Distributed computing environments where you have your HAL4 service VIP on the same segment/subnet as your distributed server farm. Or HA databases.

~BAS

On Wed, 2007-06-13 at 17:49 +0200, Pierre-Yves Ritschard wrote:
> best pf network stack cannot solve.
Re: Load balancing with DSR
This is like "Local Triangulation" in Radware-speak? (Don't know what F5 calls it.) Basically you bring up an alias on lo0 or lo1 primary as the inet4 of your HAL4 address and as long as everything is in the same subnet...

~BAS

On Wed, 2007-06-13 at 12:25 +1000, Linden Varley wrote:
> Hi,
>
> Anyone know of any load balancing software for OpenBSD that can do
> direct-server return? (our load balancers (openbsd boxes) are co-located
> and we pay for all data bandwidth).
>
> Something like BalanceNG (which unfortunately doesn't run on OpenBSD)
> would be ideal.
>
> It is generally for http layer requests but I don't think apache
> re-directs will suffice.
>
> Cheers,
> Linden.
Re: syslog disabling question
modify /etc/rc (this looks questionable anyway -- looks like someone snuck the named stuff in there because it needs a private log device in the chroot):

echo 'starting system logger'
rm -f /dev/log
if [ X"${named_flags}" != X"NO" ]; then
        rm -f /var/named/dev/log
        syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
fi
if [ -d /var/empty ]; then
        rm -f /var/empty/dev/log
        mkdir -p -m 0555 /var/empty/dev
        syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
fi
syslogd ${syslogd_flags}

--

echo 'starting system logger'
if [ X"${syslogd_flags}" != X"NO" ]; then
        rm -f /var/named/dev/log
        rm -f /dev/log
        mkdir -p -m 0555 /var/empty/dev
        syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
        syslogd ${syslogd_flags}
fi

then syslogd_flags=NO in rc.conf(5).

~BAS

On Wed, 2007-06-13 at 10:19 +0100, Stuart Henderson wrote:
> On 2007/06/13 02:00, Kian Mohageri wrote:
> > Is my best option to kill syslogd from rc.local or manually edit /etc/rc?
>
> How about leaving them both running, and binding syslog-ng to just
> the relevant IP address?
Re: Sometime NAT, sometimes NOT?
Good catch on this, guys. We should remember that most modern NAT is PAT, or hybrid NAT+PAT. You should ask your ISP for more space to NAT to (a NAT+PAT hybrid pool). Cisco calls it overloading. Reminds me of a Soundgarden song.

~BAS

On Wed, 2007-06-13 at 12:03 +0100, Stuart Henderson wrote:
> On 2007/06/13 12:01, Geraerts Andy wrote:
> > >> Jun 13 11:05:01 spock /bsd: pf: NAT proxy port allocation (50001-65535)
> > >> failed
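The advice above (get more address space and NAT to a pool) in pf.conf(5) terms, as an added illustration written for this edit rather than anything posted in the thread. The interface name, the inside prefix and the 192.0.2.16/29 pool are placeholders; a real pool has to be routed to the firewall by the ISP, and the numbers in the comments come from pf.conf(5)'s default proxy port range.

```conf
# Added pf.conf fragment (editor's example, not from the thread).
# Assumed names: em0 is the outside interface, 10.0.0.0/8 the inside prefix,
# 192.0.2.16/29 a block routed to this firewall (documentation prefix as placeholder).
ext_if   = "em0"
int_net  = "10.0.0.0/8"
nat_pool = "192.0.2.16/29"

# Weak form, the one that produces the logged error: a single outside address
# and pf's default proxy port range 50001:65535, i.e. about 15,000 ports.
# When no free port is left, pf logs "NAT proxy port allocation (50001-65535)
# failed" and the packet is not translated.
# nat on $ext_if from $int_net to any -> ($ext_if)

# Better form: a pool of outside addresses, a wider proxy port range, and
# sticky-address so one inside host keeps the same outside address while it
# has a src-node entry (so remote services do not see it hopping addresses).
nat on $ext_if from $int_net to any -> $nat_pool port 1024:65535 round-robin sticky-address

# Inside hosts that must keep their original source port (some VPN and
# DNS setups) get their own rule with static-port instead.
# nat on $ext_if proto udp from 10.0.0.5 to any port 500 -> $nat_pool static-port
```

pf needs a proxy port that is unique for the translated source address and the remote address and port it is talking to, so a single busy remote destination exhausts the range first; widening the port range buys a few times more headroom, the extra pool addresses buy a multiple of that, and `pfctl -ss | wc -l` against `pfctl -sm` tells you whether the state limit is the next wall.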
Re: pkg_add on macppc stall at end of ftp
Maybe the FTP control connection is timing out before the data connection, so fetch(1)/ftp(1) can't gracefully send a disconnect command? Try HTTP instead? I think that you can set FETCH_COMMAND or FTP_COMMAND or FETCH_CMD ?= /usr/bin/ftp -V -m to enable debugging. Use tcpdump(8) if things get back.

~BAS

On Tue, 12 Jun 2007, Daniel Ouellet wrote:

Hi, Not sure if this is a new problem, or specific to 4.1 on powerpc, or all architectures. But I set up a few times an old iMac for my son who really wanted to try an OpenBSD desktop setup and so far loved it! (;>

In the process of installing packages on it, I always have the same issue recurring at various places, but always constant however. I can do

pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/`machine -a`/enlightenment-0.16.7.2p2.tgz

or many other packages, like the kdebase-3.5.6.tgz, etc. All goes well, but some dependency will stop and freeze the download when all is finished and the screen displays 100%, or sometimes 96%, and nothing happens after that. Looking at top, etc. I see that the download process is really finished and the only thing I do is kill the ftp process, nothing else, and then the pkg_add process continues as normal and all is installed properly, etc.

This happens on many packages, sometimes twice in the same process out of 50 for example. I never had to do this before and I haven't tested, or had problems on, i386 or AMD64 yet. I am not saying there is an issue on them, or that there isn't either. I haven't tested that yet as I install a much more limited number of packages on my servers and never did I experience this problem yet. I don't know if that's following the many changes to pkg_add that were done for 4.1 and definitely continue heavily now on source-changes@, but I thought to pass that along and if you need more details, I could provide some.

Didn't try current yet as the kid spent a lot of time reading the FAQ to get this going and I had to help out because of the issue on the powerpc install not creating the MSDOS partition properly for the i one. I had to follow step by step the process here: http://marc.info/?l=openbsd-ppc&m=117871289207004&w=2 Meaning trick the disklabel to get it going.

Best, Daniel
Re: dhcp server with 2 interfaces and 2 different subnets
The following:

$ sudo tcpdump -i vr0 "port bootpc || port bootps" &
$ sudo tcpdump -i sk0 "port bootpc || port bootps" &
$ sudo dhcpd -vf
$ sudo netstat -tan | egrep -i "67|68"

~BAS

On Tue, 12 Jun 2007, Jeff Santos wrote:

Hi, I am trying to set up a DHCP server on a multi-homed firewall. One of the interfaces is vr0 and should supply addresses 172.16.255.x/24. The other is sk0 and should supply 200.232.140.x/24.

My /etc/dhcpd.interfaces looks like

sk0 vr0

My /etc/dhcpd.conf looks like

shared-network LOCAL-NET {
        option domain-name-servers 200.232.140.1;
        subnet 200.232.140.0 netmask 255.255.255.0 {
                option routers 200.232.140.1;
                range 200.232.140.20 200.232.140.200;
        }
        subnet 172.16.255.0 netmask 255.255.255.0 {
                option routers 172.16.255.1;
                range 172.16.255.20 172.16.255.200;
        }
}

Now how can I tell the dhcp server to only allocate 172.16.255 addresses to vr0 and 200.232.140.0 to sk0? Thank you very much.

Jeff

-- Get a Free E-mail Account at Mail.com! Choose From 100+ Personalized Domains Visit http://www.mail.com today
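The reply above is the diagnostic side (watch both interfaces, run dhcpd(8) in the foreground). The configuration side, as an added example written for this edit and not something from the thread, is below. It keeps the poster's two ranges but drops the shared-network wrapper: in dhcpd.conf(5) a shared-network declares subnets that sit on one physical segment, and on such a segment any of its subnets' addresses may be offered to a client, which is exactly the mixing the poster wants to avoid. With two top-level subnet declarations, each interface listed in /etc/dhcpd.interfaces serves only the subnet matching the address configured on that interface.

```conf
# Added /etc/dhcpd.conf (editor's example, not the poster's file): the same
# two ranges as two independent subnets, one per interface. Addresses are the
# poster's; the server must have an address in each subnet on vr0 and sk0.

option domain-name-servers 200.232.140.1;

# Served on sk0 (the interface holding a 200.232.140.0/24 address).
subnet 200.232.140.0 netmask 255.255.255.0 {
        option routers 200.232.140.1;
        range 200.232.140.20 200.232.140.200;
}

# Served on vr0 (the interface holding a 172.16.255.0/24 address).
subnet 172.16.255.0 netmask 255.255.255.0 {
        option routers 172.16.255.1;
        range 172.16.255.20 172.16.255.200;
}
```

After editing, `dhcpd -n` checks the file, and the two tcpdump sessions from the reply should then show DHCPOFFERs on each interface carrying only that interface's range. Keep shared-network only for the case it is meant for: several subnets that really do sit on one wire.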
Re: Sometime NAT, sometimes NOT?
pfctl -x loud && tail -f /var/log/messages

~BAS

On Mon, 11 Jun 2007, Geraerts Andy wrote:

We have an OpenBSD firewall running for a while now. Since a few days we encounter some sort of selective natting. I try to ping a host, I get a reply, and 2 minutes later I try to ping the same host and I don't get replies.

So despite the state being created in both instances, you see a packet egress your external interface with the source address of the internal host instead of the external interface of the NAT box?

We indeed see the state being created. The packet egresses on the external interface without NAT. So the IP packet contains the source IP address of my laptop and therefore further on the path gets blocked because it isn't natted. A few seconds/minutes later I try again and everything works again. Is there a way to see why it isn't doing the NAT? (There are around 80 interfaces (vlan + carp) on the box.)

Regards, Andy.

No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.472 / Virus Database: 269.8.13/843 - Release Date: 10/06/2007 13:39 __ This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager at : [EMAIL PROTECTED] or call +32-(0)11-240234. This footnote also confirms that this email message has been swept by Sophos for the presence of computer viruses. __
Re: openbsd 3.9, openbsd 4.0 install errors, most likely hardware
I've seen this before. On old HP gear. Is yours HP? Only FreeBSD would run on the system. NetBSD/OpenBSD dead in the water. Some obscure bug when the I/O went up (Symbios SCSI). One of many reasons why I want nothing to do with HP (H-PHUX) ever again. Anyway, how about underclocking your Duron some? Reset the BIOS timings and power levels to failsafe? The old K7+VIA chipset boards were a rough crowd.

~BAS

On Tue, 12 Jun 2007, John Mendenhall wrote:

openbsd gurus,

As my saga continues... I have a newly built server on which I am attempting to install openbsd 4.0. Problems occurred on install of sets, where the comp set keeps throwing errors. A suggestion was made that it was probably a bad CD. Try a previous CD of an earlier version. I had 3.9 available. The logs of the attempts are posted at: http://www.surfutopia.net/openbsd/ The logs are separated by the boot log, an install log not including the install of the sets, and two passes of the install of the sets, all dying in the comp set install.

I have two drives in the server. I only installed on one (wd0). I have had the same types of errors when only installing on the second (wd1). So, it is most likely not a problem with the specific drive. However, the probability could exist. So, based on these logs, from different openbsd cd versions, my hypothesis is there is some weird sort of hardware problem.

My question is, what tools do you all use to determine where the hardware problem could be? I have already run the memory through the memtests. There is not a problem there. I am willing to try (almost) anything to play around with this. I would like to get the server up and running so I can move on to the next one. No time pressure, though.

Thank you in advance for any pointers you can provide. Thanks! JohnM

-- john mendenhall [EMAIL PROTECTED] surf utopia internet services
Re: multiple ldap servers with mod_auth_ldap
You can make a single service host address highly available (active-standby, load-balancing) using a number of mechanisms (hardware, network devices, pf(4) w/ NAT) as opposed to trying to do it for every protocol in software. Check out Bob Beck's talk(s) on pf(4).

~BAS

On Tue, 12 Jun 2007, Thierry Lacoste wrote:

Hello, I'm using mod_auth_ldap-1.6.0p3 on OpenBSD 4.1 and I'd like to make it authenticate on 2 ldap servers in case one is down. I fought with the AuthLDAPURL directive but with no success. Any help would be appreciated.

Regards, Thierry.
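One concrete form of the pf(4)-with-NAT option mentioned above, as an added example written for this edit, not something from the thread or from mod_auth_ldap: the web server authenticates against one virtual address and the firewall spreads the connections over the real directory servers. All interface names and addresses are placeholders; the VIP is assumed to be an address on, or routed to, the firewall's inside interface, and the web server's AuthLDAPURL then names only that address.

```conf
# Added pf.conf fragment (editor's example, not from the thread).
# Assumed: em1 faces the web servers, 10.1.1.10 is the virtual LDAP address
# they are configured to use, 10.1.2.11/.12 are the real LDAP servers.
int_if   = "em1"
ldap_vip = "10.1.1.10"
table <ldap_servers> persist { 10.1.2.11, 10.1.2.12 }

# Each new connection to the VIP is sent to the next server in the table.
rdr on $int_if proto tcp from any to $ldap_vip port { 389, 636 } \
        -> <ldap_servers> round-robin

# Translation happens before filtering, so the pass rule matches the real
# server addresses, not the VIP.
pass in on $int_if proto tcp from any to <ldap_servers> port { 389, 636 } keep state
```

The caveat a practitioner wants here: pf's round-robin does no health checking, so a dead server still receives every second new connection until it is removed from the table (`pfctl -t ldap_servers -T delete 10.1.2.12`). For automatic failover, have the table managed by something that probes the servers; in 4.1 that is hoststated(8), which checks the backends and adds or removes them from a pf table (it became relayd(8) in later releases).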
Re: RAIDFrame root autoconfig fails in -current
On Mon, 11 Jun 2007, Otto Moerbeek wrote: Please contact krw@, he has been searching testers for RAIDframe root autoconfig on [EMAIL PROTECTED] There's even a diff posted there, iirc. I'm your point-man there. A while back I wrote 3 pages of technical detritus on making it work in 3.9/4.0. ISOs w/ install.sh patches, too. So we're changing the software raid subsystems eh? ~BAS -Otto The disklabel is correct, and if I use a non-RAID boot drive, raid0a can
Re: MINIROOTSIZE query
There was a thread discussing this and proposing the solution less than 72 hours before you sent this. The list archives tell all!

http://marc.info/?l=openbsd-misc&w=2&r=1&s=MINIROOTSIZE&q=b

On Mon, 11 Jun 2007, mgb wrote:

List, I have a question regarding the value given to MINIROOTSIZE in a kernel configuration file. I have a working ramdisk build (4.1) which has a MINIROOTSIZE of 23000. However, if I try a MINIROOTSIZE of 32768, the boot stalls at the "entry point" part. Please see below:

PC Engines WRAP.2B/2C v1.11
640 KB Base Memory
130048 KB Extended Memory
01F0 - no drive found !
ROM segment 0xe000 length 0x8000 reloc 0x
Etherboot 5.4.3 (GPL) http://etherboot.org
Drivers: NATSEMI Images: NBI ELF Multiboot a.out PXE Exports: PXE Protocols: DHCP TFTP
Relocating _text from: [0008bb80,0009fd90) to [07eebdf0,07f0)
Boot from (N)etwork (D)isk or (Q)uit?
Probing pci nic...
[dp83815] natsemi_probe: MAC addr 00:0D:B9:04:47:F8 at ioaddr 0X1000
natsemi_probe: Vendor:0X100B Device:0X0020
dp83815: Transceiver default autoneg. enabled, advertise 100 full duplex.
dp83815: Transceiver status 7869 advertising 05E1
dp83815: Setting half-duplex based on negotiated link capability.
Searching for server (DHCP).
Me: 192.168.1.201, DHCP: 192.168.1.1, TFTP: 192.168.1.1, Gateway 192.168.1.1
Loading 192.168.1.1:pxeboot ...(PXE)done
probing: pc0 com0 pci pxe![2.1] mem[640K 125M a20=on]
disk:
net: mac 00:0d:b9:04:47:f8, ip 192.168.1.201, server 192.168.1.1
OpenBSD/i386 PXEBOOT 1.11
switching console to com0
OpenBSD/i386 PXEBOOT 1.11
com0: changing speed to 38400 baud in 5 seconds, change your terminal to match!
com0: 38400 baud
booting tftp:bsd.rd: 18742548+237116 [52+117504+107223]=0x1250ad0
dp83815: Setting half-duplex based on negotiated link capability.
entry point at 0x200120

Any ideas why this is and what needs to be done to stop the stalling? My board has the following memory, if that helps.
real mem = 132657152 (129548K)
avail mem = 106545152 (104048K)

Thanks for your time
Re: Sometime NAT, sometimes NOT?
On Fri, 8 Jun 2007, Geraerts Andy wrote: We have an OpenBSD firewall running for a while now. Since a few days we encounter some sort of selective natting. I try to ping a host, I get reply, and 2 minutes later I try to ping the same host and I dont get replies. So despite the state being created in both instances, you see a packet egress your external interface with the source address of the internal host instead of the external interface of the NAT box? ~BAS
Re: Kernel MINIROOTSIZE > 8192 = No Boot
It works; free beer on me for all... (Columbia maybe)

Thanks again,
~BAS

On Thu, 7 Jun 2007, mickey wrote:

On Thu, Jun 07, 2007 at 11:52:24AM -0400, Brian A. Seklecki wrote:
Just recompiled with:
#define NKPTP_MIN 8
#define NKPTP_MAX 191
Same result. Thank you though. We'll revisit it in the future when the money is available?

i said NKPTP. if 8 is not enough -- try 16

cu

On Thu, 7 Jun 2007, mickey wrote:

On Wed, Jun 06, 2007 at 01:39:47PM -0400, Brian A. Seklecki wrote:
The 1st stage loader just resets the prom before the kernel load. Can anyone else confirm this? You don't even need to elfrdsetroot(8) to test. Just compile bsd.rd with MINIROOTSIZE=16384. I've been using 32768 on my 4.0 systems for the bsd-appliance project. I've tested it on an AMD Athlon, an AMD Geode, and a VMWare machine.

you need to raise NKPTP also to say 8...

cu
-- paranoic mickey (my employers have changed but, the name has remained)
Re: Problem installing 4.1/sparc64 on Sun Blade 100
> Could it be memory? hard disk? Box has a 256mb + 512mb, and i don't know a way to test this memory without os on the box. Smth like memconf

There should be a memtest_obp_sparc whatever -- there's already one for the OBP platform on the Apple PowerPC platform. Most Sun shops have everything deployed HA and have a $4000/month support contract, though, so I've never actually had to test for bad ram on a Sparc.

Memoryx.net says the Blade100/150 uses PC133 ECC, so you should be able to test it in an i386 machine w/ memtest.

~BAS

> http://myweb.cableone.net/4schmidts/memconf.html or memtest for sparc
Re: Kernel MINIROOTSIZE > 8192 = No Boot
Just recompiled with:

#define NKPTP_MIN 8
#define NKPTP_MAX 191

Same result. Thank you though. We'll revisit it in the future when the money is available?

~BAS

On Thu, 7 Jun 2007, mickey wrote:
> On Wed, Jun 06, 2007 at 01:39:47PM -0400, Brian A. Seklecki wrote:
> > The 1st stage loader just resets the prom before the kernel load. Can anyone else confirm this? You don't even need to elfrdsetroot(8) to test. Just compile bsd.rd with MINIROOTSIZE=16384. I've been using 32768 on my 4.0 systems for the bsd-appliance project. I've tested it on an AMD Athlon, an AMD Geode, and a VMWare machine.
>
> you need to raise NKPTP also to say 8...
>
> cu
Re: AMD64 raid setup SATA - dmesg error/warning
e0:81:59:6d:eb
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb4 at pci0 dev 14 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
pci5 at ppb4 bus 5
pchb0 at pci0 dev 24 function 0 "AMD AMD64 HyperTransport" rev 0x00
pchb1 at pci0 dev 24 function 1 "AMD AMD64 Address Map" rev 0x00
pchb2 at pci0 dev 24 function 2 "AMD AMD64 DRAM Cfg" rev 0x00
pchb3 at pci0 dev 24 function 3 "AMD AMD64 Misc Cfg" rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
Kernelized RAIDframe activated
raid0 (root): (RAID Level 1) total number of sectors is 232338816 (113446 MB) as root
umass0 at uhub1 port 1 configuration 1 interface 0
umass0: PHILIPS SPD3000CC, rev 2.00/2.40, addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets
cd0 at scsibus0 targ 1 lun 0: SCSI0 5/cdrom removable
uhidev0 at uhub0 port 5 configuration 1 interface 0
uhidev0: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 2, iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub0 port 5 configuration 1 interface 1
uhidev1: Logitech Logitech USB Keyboard, rev 1.10/15.00, addr 2, iclass 3/0
uhidev1: 3 report ids
uhid0 at uhidev1 reportid 1: input=2, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=1, output=0, feature=0
ums0 at uhidev1 reportid 3: 0 buttons and Z dir.
wsmouse0 at ums0 mux 0
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
swapmount: no device
raid0: Device already configured!
Re: Kernel MINIROOTSIZE > 8192 = No Boot
I'm hoping to actually go smaller once FreeBSD has a functional pivot_root() in the VFS layer (we can steal it from them). Then I can do a 512k RD/MD image (init, tar, gzip, mount_mfs(8), sh, etc.), then transition to a 64 to 96 meg MFS root.

I'm talking to a consultant tomorrow about some kernel work. If the pivot_root() discussion goes nowhere, I'll bounty it here.

On another system, I can have a full userland (/bin, /sbin) with as little as an 8 MB RD/MD (with dynamic linking + crunchgen + some pruning). It's tougher on OpenBSD, but I want it to work with my bsd-appliance framework.

~BAS

On Wed, 6 Jun 2007, Theo de Raadt wrote:
> It can't be that big. And in our tree, it isn't that big. You're doing things on your own, hitting constraints that exist in the code. You get to fix those things, since you've gone outside OpenBSD parameters. Not everything can work, you know.
>
> > The 1st stage loader just resets the prom before the kernel load. Can anyone else confirm this? You don't even need to elfrdsetroot(8) to test. Just compile bsd.rd with MINIROOTSIZE=16384. I've been using 32768 on my 4.0 systems for the bsd-appliance project. I've tested it on an AMD Athlon, an AMD Geode, and a VMWare machine.
> >
> > PS: Also, am I imagining this:
> >
> > .if !${IDENT:M-DI386_CPU}
> > CMACHFLAGS= -march=i486
> > .else
> > CMACHFLAGS=
> > .endif
> >
> > Somewhere this logic must be getting short-circuited in my config. I'm seeing "-march=i486".
Kernel MINIROOTSIZE > 8192 = No Boot
The 1st stage loader just resets the prom before the kernel load. Can anyone else confirm this? You don't even need to elfrdsetroot(8) to test. Just compile bsd.rd with MINIROOTSIZE=16384. I've been using 32768 on my 4.0 systems for the bsd-appliance project. I've tested it on an AMD Athlon, an AMD Geode, and a VMWare machine.

PS: Also, am I imagining this:

.if !${IDENT:M-DI386_CPU}
CMACHFLAGS= -march=i486
.else
CMACHFLAGS=
.endif

Somewhere this logic must be getting short-circuited in my config. I'm seeing "-march=i486".
Re: OpenBSD router playing up
"pfctl -x loud" when the SHTF pfctl -s and netstat -s Net-SNMP + MRTG on your interfaces? Any errors on "netstat -i" ? ~BAS On Tue, 5 Jun 2007, Open Phugu wrote: On 6/5/07, Karl Kopp <[EMAIL PROTECTED]> wrote: Hi All, I have a strange issue. We are using a OpenBSD 3.9 box running on an AMD64 CPU. Its doing BGP with our upstream provider and has some basic pf rules. Occasionally, the network slows to a crawl. I setup some external monitoring, and while a few simple HTTP checks of boxes on our network normally take a second or 2 (from 2 separate locations outside our network), this just went up to over 100 seconds and was only resolved by restarting the box. I'm learning this stuff, so am super keen if a) this is normal behavior (I'm guessing not) and b) how can I work out what is causing the problems? I've checked messages, and there is nothing strange in there (just some ftp-proxy 'client reset connection' and 'server refused connection' messages) and daemon (a few BGP updates not many). On restart, I get a flood of BGP updates. Where should I be looking? Should I just restart bgpd next time or does this seem like something else?? Any advice would be greatly appreciated! Post your dmesg, the contents of /etc/pf.conf and your BGP configuration file. Doing so will not solve your issue but it will give other members of the list more information about your setup. l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/ "Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail?" ~James Maynard Keenan
Re: Media Proxy In OpenBSD
Do you mean this: http://en.wikipedia.org/wiki/Media_Transfer_Protocol ?

~BAS

On Fri, 2007-05-18 at 14:16 +0100, [EMAIL PROTECTED] wrote:
> Hi,
>
> Just a thought. If there is proxying of FTP, is there any in existence what they called MEDIA proxying in OpenBSD?
>
> Regards,
> Demuel

--
Brian A. Seklecki <[EMAIL PROTECTED]>
Collaborative Fusion, Inc.
Re: keep state in pf
That seems logical. A little bit of "pfctl -s state | egrep [regex]" should be revealing. Also pfctl -x loud if you can test during a low-volume timeframe.

~BAS

On Wed, 9 Jun 2004, Lawren Quigley-Jones wrote:
> I recently tracked down the cause of a problem we have been having in our building with file transfers that travel out of our OpenBSD firewall and then back in. The tcp transfer would time out if and only if the transfer went cross subnet, and therefore had to pass the firewall twice as it went to the building's router and then back in to the receiving machine. This occurred on both our old 3.3 system and our replacement 3.5 system with the same pf rules and net configuration.
>
> It didn't seem to drop all transfers. SMTP transfers with mail attachments would fail every time. Transfers of certain files via FTP and SCP would fail every time and yet most files had no problems. Because most of our traffic isn't cross-subnet, we didn't see enough of the errors to track down exactly what the variables were.
>
> In the pf rules, our default action was to pass everything, "pass all keep state". The solution was to remove the keep state from this rule. Once removed it read "pass all" and the time outs stopped occurring. Not surprisingly, the following rules produced the timeouts as well:
>
> pass out on $ext_if all keep state
> pass in on $ext_if all keep state
> pass out on $int_if all
> pass in on $int_if all
>
> A hypothesis is that because the "keep state" rules are seeing two transfers with the same session IDs (the transfer as it exits and then the identical transfer as it enters again), at some point during the transfer PF balks at the sequence as if there was an intruding packet trying to hijack the transfer. This is not substantiated at all though.
>
> Has anyone else experienced this problem or seen documentation on it? If there is no documentation, I'm going to submit it as a bug.
>
> Thanks...
> -Lawren
Re: PF set state-policy
On Sun, 16 May 2004, Tim Kornau wrote:
> On Fri, 14 May 2004 at 14:50 -0400, Roy Morris wrote:
> > I am working with a simple two interface route/pf and block in and out packets on all interfaces. It makes sense that you would have to have a rule to allow the packet in on if-a, but I would have thought the state would carry across to if-b, without having to place another rule that said let the packet out. I have tried the 'set state-policy', although floating is the default and should be passing this along??
>
> Hello Roy,
>
> Without your pf.conf this Mail cannot be completely answered but maybe there is a hint that i can give you that might resolve the situation. The "state" is kept with the default setting of floating

Presumably because, with a default block in/out, the traffic ingresses one interface, the state is created, but when it egresses another interface it is "re-evaluated"?

This is where I always get confused: If the OpenBSD pf(4) stateful firewall is acting as an intermediary forwarding device for a 3-way TCP handshake, shouldn't the re-evaluation of the initial packet (S/SA) matching a "pass in" rule on an ingress interface punch a hole "back out of" the original ingress interface, _as well as_ punch a hole *in* and *out* of the egress interface?

Come to think of it, that sounds pretty aggressive for "keep state", maybe that's my nasty assumption?

~BAS

> but if your ruleset explicitly denies outgoing packets on the interface then in my understanding these will be dropped.
>
> Tim
> --
> Darksun rising over blood red sea
Re: About pf states
I just ran into this same problem. Trying to accomplish Cisco ASA style reflexive stateful rules(r):

- Default block in
- Trust no subnets / interface
- Pass in rules which ingress/egress an interface pair
- Inbound tcp syn on any interface should create reflexive outbound equivalent on the egress interface

~~BAS

On Wed, 17 Jan 2007, Brian Candler wrote:
> On Tue, Jan 16, 2007 at 08:03:52PM +0100, Samuel Mo?ux wrote:
> > With this config, I can't access "dmz hosts" from lan or internet. The state gets created:
> >
> > all tcp $dmz_ip:25 <- 192.168.1.161:19399 CLOSED:SYN_SENT
> >
> > but the response is blocked:
> >
> > Jan 16 19:32:59.627083 rule 0/(match) block in on xl2: $dmz_ip.25 > 192.168.1.161.19399: [|tcp] (DF)
> >
> > So, there's something I don't understand from pf.conf man page
> >
> > " If a packet matches a pass ... keep state rule, the filter creates a state for this connection and automatically lets pass all subsequent packets of that connection. "
> >
> > If just someone could show me what's wrong here, and why
>
> Someone please correct me if I'm wrong, but I believe that the 'keep state' only applies to the opposite packets through the same interface. For example:
>
>        pkt1                           pkt1'
>       --->  |  ext_if       int_if  |  --->
>       <---  |                       |  <---
>        pkt2                           pkt2'
>
> A rule which matches pkt1 inbound on ext_if with "keep state" will also match pkt2 outbound on ext_if. But I believe you will need another rule to permit pkt1' outbound via int_if. If that rule has "keep state" then it will also match pkt2' inbound via int_if.
>
> If you look at the example at http://www.openbsd.org/faq/pf/example1.html you will see that they deal with this by a global "pass out keep state" rule. Try adding this to your ruleset after your "block in log all"
>
> If you were to argue that pf.conf(5) is unclear on this point, especially where it says
>
> By default, packets coming in and out of any interface can match a state
>
> then I would not disagree with you :-)
>
> HTH,
>
> Brian.
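To make the two-interface behaviour Brian Candler describes concrete (the same question behind the "PF set state-policy" and "keep state" threads above), here is a minimal pf.conf for the xl1/xl2 case. It is an added example, not taken from any of the posts; the interface names, the $int_if:network and the $dmz_ip value are assumed placeholders.

```pf
# Added example, not from the thread. Interface names and addresses are placeholders.
int_if = "xl1"            # LAN side: the client's SYN arrives IN here
dmz_if = "xl2"            # DMZ side: the forwarded SYN leaves OUT here
dmz_ip = "192.0.2.25"     # placeholder for the DMZ mail server

block in log all

# This rule creates the state quoted in the post:
#   all tcp $dmz_ip:25 <- 192.168.1.161:19399  CLOSED:SYN_SENT
# The state matches the SYN coming IN on $int_if and the server's reply going
# OUT on $int_if. It does not match the SYN going OUT on $dmz_if, and it does
# not match the SYN/ACK coming IN on $dmz_if.
pass in on $int_if proto tcp from $int_if:network to $dmz_ip port 25 keep state

# With only the rule above, the forwarded SYN still leaves $dmz_if (there is
# no "block out"), but the SYN/ACK arriving IN on $dmz_if matches no state,
# falls through to "block in log all", and is logged exactly as in the post:
#   rule 0/(match) block in on xl2: $dmz_ip.25 > 192.168.1.161.19399
#
# Fix, as in the pf FAQ example referred to above: let outbound traffic create
# its own state on the egress interface, so the reply on $dmz_if matches it.
pass out keep state
```

"pfctl -nf /etc/pf.conf" parses the ruleset without loading it; once loaded, "pfctl -s state" should show two entries per SMTP connection, one created on each interface.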
Re: PF keep state doesn't like Mandriva2007
Could be sliding windows, selective ack (SACK), MTU/MTU Disc/MSS issues, any of the RFC extensions. Check sysctl on linux v.s. scrub on OpenBSD.

~BAS

On Mon, 29 Jan 2007, Marco Peereboom wrote:
> Nobody likes Mandriva.
>
> On Sun, Jan 28, 2007 at 07:56:04PM -0800, Reza Muhammad wrote:
> > Dear Lists.
> >
> > I have one bridge PF machine for packet queue and prio, and a few newly installed Mandriva2007 (linux kernel) hosts that could not browse the web (the other protocols work OK) if the keep state rules in the PF machine are activated. But the other hosts (WinXP, BSD, Mac, other Linux) work fine.
> >
> > Why doesn't PF (OpenBSD-3.9) like Mandriva2007? Please help.
> >
> > regards
> > Reza
Re: pf state limits
Wild guess: The limitation is the max value that the variable size of the counter can contain, followed secondly by physical memory.

~BAS

On Mon, 5 Mar 2007, Bill Marquette wrote:
> I know this has come up in the past but I haven't been able to track down a definitive answer (I'm sure there's a reason why), so I'll ask the question again. Given an i386 kernel, assume I can toss as much RAM at the box as needed (I know this isn't the limitation, it's a kernel memory issue), what's the maximum I can set the state table size to?
>
> I have a couple boxes that are running around 200K states with the limit set at 256K. I expect that I will see a growth in that state table size as the traffic to the servers behind these machines increases during our peak season. I can tune the tcp.closed parameter a bit on the external rules as 75% of these states are fin_wait_2:fin_wait_2, but before I start messing with that I'd rather increase the state limit some more. I can also try adaptive timeouts on those rules, but I'm more than a little paranoid about having the system dynamically change timeout values.
>
> Any suggestions on what the max might be and how I can monitor the system to see where I'm at in relationship to the max (if there's no hard number, I'm guessing the number depends on hardware and other system options that affect kernel memory).
>
> --Bill
Re: dual g4 needed for hackathon
How about a dual G5? PowerMac Dual G5 7,3 2.2 Open Firmware 4. I don't follow Apple hardware, so I don't know what the difference between a G4 and a G5 is architecture-wise; but I do know that OS/X has to come off of this thing with a quickness.

~BAS

On Fri, 2007-05-11 at 20:31 +0200, Mark Kettenis wrote:
> the Calgary or Edmonton area that can loan us a dual g4 machine end
Re: 4 port router card
http://xorg.freedesktop.org/archive/X11R6.8.0/doc/scanpci.1.html

On Mon, 2007-04-30 at 14:14 -0400, Bret Lambert wrote:
> On Mon, 2007-04-30 at 14:03 -0400, Brian A. Seklecki wrote:
> > Full lspci(8) / pciconf(8) and dmesg(8) output would help us answer the question.
> >
> > ~~BAS
>
> From www.openbsd.org/cgi-bin/man.cgi:
>
> No manual entry for lspci.
> No manual entry for pciconf.
Re: 4 port router card
Full lspci(8) / pciconf(8) and dmesg(8) output would help us answer the question.

~~BAS

On Mon, 2007-04-30 at 13:30 -0400, Steve Glaus wrote:
> nterface. Is it possible this is just a 'switching' card and I can't route traffic across the ports?
>
> It has a realtek RTL8305SC controller chip on it - which according to what I've read has 5 MAC's - Maybe I'm not understanding what this card is supposed to do correctly.
>
> Shouldn't OpenBSD provide four ral interfaces when you boot with this card? Is there something I need to change to get openbsd to recognize the additional ports.
>
> I've read that there may be problems with 'older' computers. I have this in a PIII - perhaps that would qualify as 'older'?
Re: lsi logic sparc64 config?
megarc(8) has been ported to some non-Linux platforms. MegaCli runs in emulation mode in others (dirty dirty hack). The best bet is a bio(4) interface or a hardware raid that has a non-BIOS/proprietary CLI management interface.

~BAS

On Sat, 2007-03-31 at 14:37 +1000, David Gwynne wrote:
> On 31/03/2007, at 8:16 AM, Bryan Irvine wrote:
> > This might be a little off-topic, but I can't find the answer anywhere.
> >
> > Since the LSI logic sata 150-4 cards need to be configured via the cards bios (at bootup on i386) I can't figure out if there is a way to configure a RAID when using a sparc64 platform.
> >
> > Is this possible?
>
> the ami(4) driver isn't enabled on sparc64, so aside from not being able to configure the card in the machine, we're not sure you'll be able to use it either. we have taken care to make it as portable as possible, but i doubt it will work too well.
>
> dlg
Re: Ralink pci on sparc64?
It would help to see the dmesg(8) output of the card on a supported platform. Do you mean ral(4)? Many PCI drivers will just-work.

~BAS

On Sat, 2007-03-31 at 16:12 +0200, Maxim Belooussov wrote:
> Hi,
>
> I plan to turn my Sun Ultra 10 into a firewall/access point using a supported Ralink PCI card. But I see on this page http://www.openbsd.org/sparc64.html#hardware that Ralink PCI is not supported by the port.
>
> ral man page says that some cards are fuzzy about PCI 2.2, and my Sun Ultra with psycho bus probably doesn't have PCI 2.2. Is this the reason?
>
> Maxim
Re: Widescreen flat panel
DDC/EDID can be a killjoy. I want to say that there was an Option "NoEDID" "true"

~~BAS

On Sat, 2007-03-31 at 21:09 +0200, Eric Dillenseger wrote:
> (II) NV(0): Supported VESA Video Modes:
Re: Widescreen flat panel
xinit -- -logverbose 9 -verbose 9 && send the EDID info?

Try a liveCD that has the 'nvidia' binary driver and see if they have support yet, it may be a simple hack.

~BAS

On Sat, 2007-03-31 at 18:46 +0200, Eric Dillenseger wrote:
> Hi,
>
> I just bought a 22 inch 16/10 flat panel. Sadly, I can't get in the native resolution (1680x1050).
>
> I was wondering if a recent (4.1 snapshot of March 23rd) nv driver of X is already able to handle such mode, as I found out it may be the bottleneck.
>
> I tried different ModeLine generators from the net, and tried to do it myself using Xorg's logfile. Not helping me out.
Re: GRE over IPsec
I ran into some kernel panics (watchdog reset) with GRE + ESP/Transport (or ESP+GRE) back in the day. It was related to MTU assumptions etc. There was a sendbug(8) related to it. Google "seklecki gre ipsec openbsd"

http://archives.neohapsis.com/archives/openbsd/2006-01/0623.html

etc...

On Sun, 2007-03-25 at 09:55 -0700, Chris Jones wrote:
> Hey all,
>
> I know that it's possible to run GRE over an IPsec tunnel but I am wondering if anyone here has seen some good documentation (besides the man pages) or a howto on setting this up. I'm trying to config my OpenBSD 4.0 firewall to interop with a route-based VPN network with a mix of Fortigate and Netscreen firewalls. Fortigates and Netscreens both use GRE interfaces as "tunnel interfaces" when creating route-based VPN tunnels. Right now all endpoints are using un-numbered (0.0.0.0/0) GRE interfaces and so I would like to use a similar configuration on the OpenBSD side but I am just wondering how to accomplish this as I am uncertain how to bind the GRE interface to a tunnel.
>
> Right now I have a hub-and-spoke VPN network using static routes to route traffic across the VPN. Each spoke endpoint has a static destination route of 10.1.0.0/16 which is sent over GRE interface. The only exception to the hub-and-spoke VPN is my OpenBSD firewall which I have to create VPN tunnels to every spoke network I need access to (quite painful). On my OpenBSD box I would like to be able to use a single static destination route of 10.1.0.0/16 to send this traffic over a GRE interface to get to the rest of the VPN network. Here's a snippet of the hub-and-spoke VPN network:
>
>      1.1.1.1
>      OpenBSD
>      10.1.1.0/24
>         |
>         |
>         |
>         |
>      2.2.2.2
>      Fortigate (Hub)
>      10.1.2.0/24
>         |
>         |
>         |
>         |
>      3.3.3.3
>      Juniper
>      10.1.3.0/24
>
> Thanks in advance for your help.
>
> Cheers,
> -Chris
Re: OpenBGPD MIB
The proper method is to use AgentX; have bgpd(8) populate the data directly. I'm thinking about writing one for pf(4). I also need one for Slony and PostgreSQL. Gotta fix these 4.0 segfaults in snmpd(8) first. No time no time.

~BAS

On Sat, 2007-03-24 at 18:41 -0700, Aaron Glenn wrote:
> On 3/24/07, Sylwester S. Biernacki <[EMAIL PROTECTED]> wrote:
> > Hi guys,
> >
> > I've looked over for importing bgpd status to snmp to use with 'sophisticated' monitoring system. Hope somebody has similar problem. Can you give me some links or tell the way you do such things?
> >
> > ps. yeah, I know I can write my own, but I hope not to be Christopher Columbus :)
>
> dirty hack would be net-snmpd and lots of 'exec' OIDS
[EMAIL PROTECTED] list archives in file format?
Does anyone have a personal archive that they can export via MUA and share? Is there a way to ask Majordomo for it (playing with the 'get' command now)?

I'm doing some number crunching and analysis and I'd like a few year-long data sample.

TIA,
Re: sshd configure howto
From an architecture standpoint, it wouldn't be within the mandate of sshd(8) anyway. You'd accomplish this using some userland resource quota enforcement policy (max number of processes, max instances of a shell). Hell, you could do it in /etc/profile or ~/.cshrc. I don't know of one OTTMH, but I'm sure that one probably exists out there.

PS this sounds like a perfectly good idea for embedded platforms.

~BAS

On Sun, 2007-03-18 at 13:49 +0800, Jay Jesus Amorin wrote:
> I'm using this set-up for pf/authpf authentication gateway, all I'm concerned about is I don't want my users to use other users' accounts.
Re: Mbufs tunning
On Fri, 2007-03-16 at 18:30 -0300, Gustavo Rios wrote:
> Dear gentleman,
>
> when I execute some command on my server box, I got a complaint about not enough buffer available. For instance.
>
> $ rusers
> rusers: can't send broadcast packet: No buffer space available
> $

netstat(8) -m gives some variety of historical data from which to base your decision making.

~BAS

> I don't know how to perform tuning on mbufs. Rather than simply raising its limits I wonder which parameters should I choose to guide a tuning effort on this regard.
>
> Thank you for your time and cooperation.
>
> Best regards.
Master ${SKIPDIR} manifest (fwd)
Here's an initial attempt:

http://people.collaborativefusion.com/~seklecki/bsd-appliance/obsd_mkconf_subsys_prune_skipdir.txt

And w/o comments:

http://people.collaborativefusion.com/~seklecki/bsd-appliance/obsd_mkconf_subsys_prune_skipdir_nc.txt

This initial (and far from comprehensive) attempt reduces build sizes:

# du -hs /usr/obj/ /usr/destdir /usr/releasedir/
475M    /usr/obj/
243M    /usr/destdir
104M    /usr/releasedir/

(Down from the usual 850m+ obj/, etc.)

~BAS

-- Forwarded message --
Date: Mon, 5 Feb 2007 01:06:07 -0500 (EST)
From: Brian A. Seklecki <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: Master ${SKIPDIR} manifest

Is anyone maintaining a ${SKIPDIR} manifest? A master list of source directories, organized logically by subsystem? Something to match the variety of make.conf(5)/mk.conf(5) knobs in other systems?
Re: SSH client (putty) hangs after name/password login
On Tue, 6 Feb 2007, forums wrote:
> Hello,
>
> That was my first guess as well...For that reason I set the option UseDNS NO

Yea. When DNS timeouts occur, the login process never completes. In fact, before the prompt appears the timeout occurs.

AS
Re: SSH client (putty) hangs after name/password login
> Hello Brian,
>
> Not quite sure what you mean with pstree...don't know the command and no 'man pstree' on my 3.8 system..?

It's in the psmisc/ package

> Note that I have no problems logging into the system while on the local network (doing this via a PC that I remotely manage). When I do a SSH session (via the VPN tunnel) on the INSIDE of the OBSD box, I get the same problem (using the same account).

Okay I must be asleep again. I thought we eliminated pf(4) as the problem. Technically if you can negotiate a 3-way handshake and establish the TCP socket, MTU should be a non-issue.

What about "netstat -s". Anything suspicious (grep -i drop) for sections esp: tcp: ip: icmp: etherip:

If you have access via the LAN, what about tcpdump(8) on the tun(4) interface?

> is not the case locally
>
> Problem here is that this system is 900Km away...if I would stop the SSHD (so i could

Normally I'd say to you "Oh you're fine with pkill -HUP sshd"; but that's because I'm accustomed to out-of-band management like DRAC and mgetty >:}

~BAS

> restart it with debug options) I will not be able to reach it anymore :-(
Re: SSH client (putty) hangs after name/password login
> I tried the above (see link) but still it won't work...

Does the privsep sshd(8) process spawn on the server? Does that spawn a login shell of the associated user? pstree(8) will show.

Also, fire up debugging levels?

#LogLevel INFO -> DEBUG, DEBUG1, DEBUG3 etc.

~BAS

> help !
>
> regards
> Willem
mk.conf(5) note about ${SKIPDIR}
This entry should probably reflect/note that the "space-separated paths should be relative to ${BSDSRCDIR}, e.g.: SKIPDIR+=lib/libossaudio usr.sbin/httpd games"

But I'm a realist, and I know examples aren't normal practice, so I'll settle for the note w/o. >:}

I'll sendbug(1)
Re: Speedtouch modem and PPPoA
On Mon, 5 Feb 2007, Luca wrote:
> Hi all,
>
> I installed for the first time the Speedtouch 330, compiled the source code (http://speedtouch.sourceforge.net/index.php?/index.en.html), installed the firmware...launched the script...it takes about 10 minutes to bring up the tun0 interface and get a valid ip but it's connected. After 20 minutes I got this error into the "messages" log

Ask this guy what it means. He seems to have written it?

http://www.mail-archive.com/speedtouch@ml.free.fr/msg03593.html

Also, try "pppoa3" instead since it's a 330? I dunno.

~BAS

> Feb 4 22:01:00 Typhoon pppoa2[9969]: pusb_set_interface
> Feb 4 22:01:03 Typhoon pppoa2[24786]: pusb_set_interface
> Feb 4 22:01:06 Typhoon pppoa2[23598]: pusb_set_interface
> Feb 4 22:01:09 Typhoon pppoa2[24414]: pusb_set_interface
> Feb 4 22:01:12 Typhoon pppoa2[238]: pusb_set_interface
> Feb 4 22:01:15 Typhoon pppoa2[29868]: pusb_set_interface
> Feb 4 22:01:18 Typhoon pppoa2[1043]: pusb_set_interface
> Feb 4 22:01:21 Typhoon pppoa2[2254]: pusb_set_interface
> Feb 4 22:01:24 Typhoon pppoa2[22178]: pusb_set_interface
> Feb 4 22:01:27 Typhoon pppoa2[8043]: pusb_set_interface
> Feb 4 22:01:30 Typhoon pppoa2[10104]: pusb_set_interface
> Feb 4 22:01:33 Typhoon pppoa2[20981]: pusb_set_interface
> Feb 4 22:01:36 Typhoon pppoa2[23161]: pusb_set_interface
>
> The log file is filled with this and the connection is gone... I made a reboot. Connected again (10 minutes waiting) and now it has been connected for about 6 hours but the speed is very very low, about 1K using ftp or http. PF is disabled for now. Protocol is PPPoA
Re: External 250Gb USB Disk with three FAT32 partitions, device not configured
> dmesg output of the disk that runs correctly:
>
> umass0 at uhub2 port 2 configuration 1 interface 0
> umass0: Cypress Semiconductor USB2.0 Storage Device, rev 2.00/0.01, addr 2
> umass0: using SCSI over Bulk-Only
> sd0 at scsibus1 targ 1 lun 0: SCSI0 0/direct fixed
> sd0: 14652MB, 14652 cyl, 64 head, 32 sec, 512 bytes/sec, 30008475 sec total

Are you running GENERIC? So, uhub* -> umass* -> scsibus* -> sd*, but scsibus* isn't attaching. Do you have "scsibus* at umass?" or just a static "scsibus1 at umass0"?

~BAS

> dmesg output of other disk:
>
> umass1 at uhub2 port 3 configuration 1 interface 0
> umass1: Iomega External HD, rev 2.00/0.00, addr 3
> umass1: using SCSI over Bulk-Only
>
> As you can see, the system doesn't link it with any device (sdX, etc.); can I link it manually? Obviously, with no device linked to it, the output of fdisk and disklabel with any sdX device (except sd0, which is the device of the external USB box that runs OK) is "Device not configured". A lot of thanks
>
> -- Angel Sancho Alvarez

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/ "...from back in the heady days when "helpdesk" meant nothing, "diskquota" meant everything, and lives could be bought and sold for a couple of pages of laser printout - and frequently were."
Re: searching a good MRTG/SNMP configuration
You still need a list of valid SNMP OIDs that the agent is capable of mapping from real-world values into vendor-independent MIBs. Good speed you my son.

~BAS

On Mon, 5 Feb 2007, AstraSerg wrote:
> What about cacti (http://cacti.net/)?
>
> On Sunday 04 February 2007 15:06, Andreas Bihlmaier wrote:
> > Hello misc@,
> >
> > hosting a lan party yesterday I started to play around with MRTG and SNMP, but I didn't quite get where I wanted. I guess somebody using OpenBSD already has a nice MRTG configuration showing:
> >
> > IN/OUT traffic
> > [CPU] load
> > memory usage
> > some stuff about pf (states, blocks/pass) (using this patch: http://www.packetmischief.ca/openbsd/snmp/)
> >
> > Something similar to this: http://www.erde.co.jp/mrtg/index.html would be what I'm looking for. But with a better "traffic report". Would this person be willing to share the configuration files (mrtg/snmp[/rrdtool]) with me and the rest of the OpenBSD community?
> >
> > While we are at it, how do you make the MRTG output accessible? My idea was to let every host create its own statistics and upload those to my central webserver, using pub-key scp/sftp with an unprivileged user account. The webserver would move all those reports to its www-chroot.
> >
> > If I need to I'll create one myself, but after fiddling around with it for a couple of hours I thought about the "reinvention of the wheel" and its waste of time.
> >
> > Regards,
> > ahb
>
> --
> Monday, 5 February 2007 10:45:05 (MSK)
Master ${SKIPDIR} manifest
Is anyone maintaining a ${SKIPDIR} manifest? A master list of source directories, organized logically by subsystem? Something to match the variety of make.conf(5)/mk.conf(5) knobs in other systems?
nagios check_carp for OpenBSD carp(4)
Thoughts? Strategies? Ideas?

---

Ask the machine directly? Ask an adjacent machine?

Adjacent machine strat: If the monitoring machine is directly connected to the same ethernet segment, one could use pcap(3) to examine multicast packets. There are no utils I know of that do this, so a few lines of C probably. If the monitoring machine is more than one layer-3 device away or in a separate broadcast domain, an agent would have to be installed directly on the device or on a device on the same segment.

Machine directly:

Agent options:
- Net-SNMP via PF-MIB (possibly via AgentX) - use check_snmp
- Net-SNMP via pass-through MIB and script - use check_snmp (maybe return an Integer as a boolean w/: -c "0:0" -w "0:0")
- NRPE2 w/ SSL - use check_nrpe (NRPE2 isn't in OpenBSD Ports)
- SSH (via check_ssh and passphrase-less RSA/DSA keys)

Options for on-system:
- Shell/Perl script to parse ifconfig(8)
- C utility to ask /dev/pf pf(4)
- Examine klog(9) for net.inet.carp.log=

Other thoughts:

Preempt: Unlike "HSRP Groups", where preempt can apply to a select group of interfaces, it is safe to assume that if preempt is enabled and one interface is in a SLAVE state, all others are in that state. Perhaps 4.0 features such as interface groups and multiple routing tables will change that.

Other ideas?

-- Brian A. Seklecki <[EMAIL PROTECTED]> Collaborative Fusion, Inc.
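As an added example (not from the post), here is the "shell script to parse ifconfig(8)" agent option as a small Nagios-style check: it reads carp interface states out of ifconfig output and returns OK only when every carp interface is in the expected state, treating a split MASTER/BACKUP host as a fault, per the preempt note above. The ifconfig excerpt is constructed, the `carp: STATE carpdev ...` line format is assumed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the post: the "Shell script to parse ifconfig(8)"
# agent option as a Nagios-style check. Function names are mine; the ifconfig
# excerpt is constructed and assumes carp(4) interfaces print a line of the
# form "carp: STATE carpdev IFACE vhid N ..." under the interface header.

# Constructed ifconfig output for a host that owns both carp groups.
SAMPLE_MASTER='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        groups: carp
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255'

# Constructed output for the split case the post calls out: with preempt, all
# carp interfaces on one box should share a state, so this is a fault.
SAMPLE_SPLIT='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 100'

# carp_states: ifconfig output on stdin -> one "ifname STATE" line per carp
# interface. The header line names the interface; the indented "carp:" line
# that follows it carries the state.
carp_states() {
    awk '
        /^carp[0-9]+:/        { ifn = $1; sub(":", "", ifn); next }
        /^[[:space:]]+carp: / { if (ifn != "") print ifn, $2; ifn = "" }
    '
}

# carp_check WANT: "ifname STATE" lines on stdin -> Nagios exit status.
# 0 (OK) when every carp interface is in state WANT; 2 (CRITICAL) when any
# interface is in another state or no carp interface was found at all, so a
# failed-over or misconfigured router is not silently reported as healthy.
carp_check() {
    awk -v want="$1" '
        { n++; if ($2 != want) bad = bad " " $1 "=" $2 }
        END {
            if (n == 0)    { print "CARP CRITICAL - no carp interfaces"; exit 2 }
            if (bad != "") { print "CARP CRITICAL -" bad; exit 2 }
            print "CARP OK - " n " interface(s) " want; exit 0
        }
    '
}

# On a live host: ifconfig -a | carp_states | carp_check MASTER
printf '%s\n' "$SAMPLE_MASTER" | carp_states | carp_check MASTER
```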
Re: OpenBSD 4.0/i386 w/ raid(4) ISO (-stable w/ RAIDFrame)
On Wed, 13 Dec 2006, Brian A. Seklecki wrote:
> All:

BTW, it is far from optimal, but the following BRE works:

    DKDEVS=$(scan_dmesg "${MDDKDEVS:-/^\(rai\)*[sw]*d[0-9][0-9]* /s/ .*//p}")

...because saying "may contain one \(rai\)* or more, but not either, and (or?)..." "may contain one of either [sw]* or more, but not either..." is sort of like "(rai|[sd])".

Strange days. Full src patches on my site.

~BAS

Subject: If you please: OpenBSD 4.0/i386 ISO (-stable w/ RAIDFrame)
From: "Brian A. Seklecki" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Organization: Collaborative Fusion, Inc.
Date: Sat, 11 Nov 2006 05:28:53 -0500

SHA1 (public_html/obsdcd_4.0_updateWRAID.iso) = 36c5fe6cb3cd0af6ded8e25a24e2f70f4faaa6cf
36c5fe6cb3cd0af6ded8e25a24e2f70f4faaa6cf obsdcd_4.0_updateWRAID.iso
-rw-r--r-- 1 lavalamp lavalamp 175319040 Nov 11 05:25 public_html/obsdcd_4.0_updateWRAID.iso
Re: openbsd 4.0 snmpd core dumps with vlan interface number higher as 9
That's awesome! BTW, I submitted a PR on this yesterday but haven't gotten the automated response. Will forward to you if I do.

~BAS

On Wed, 13 Dec 2006, [EMAIL PROTECTED] wrote:
> Hi List,
>
> openbsd 4.0
> i've vlan interfaces from vlan1 to vlan9
> i can start snmpd -x localhost without any problems
> if i create vlan10 snmpd core dumps
>
>     Bus error (core dumped)
>
> the last lines from the debug are
>
>     trace: netsnmp_send_traps(): agent_trap.c, 603: trap: send_trap 0 0 NET-SNMP-MIB::netSnmpAgentOIDs.255
>     trace: netsnmp_send_traps(): agent_trap.c, 605: trap: Bus error (core dumped)
>
> if i destroy vlan10 it works again. the core dump is here http://www.tbits.org/snmpd.core.gz
> Does anyone have an idea?
>
> Thx Thomas
OpenBSD 4.0/i386 w/ raid(4) ISO (-stable w/ RAIDFrame)
All: I just wanted to take a moment to thank the OpenBSD community and dev team. Great tools such as pf(4), pfsync(4), etc. enabled me to perform a zero-downtime upgrade of a very large core router last week.

Per my original patch set to enable this raid(4) RAIDFrame enabled upgrade, there are a few notes to share regarding actual usage:

1) When booting from the CD, it is important to interrupt the 2nd stage boot loader sequence and:

    boot bsd -a

This will prompt you for the root device, which should be "rd0a"; otherwise RAID_AUTOCONFIG will take it as raid0a.

Or: just before your last shutdown before upgrading, use raidctl(8) to modify the raidset to "-A yes dev" instead of "-A root dev".

2) There is one more additional patch that needs to occur in install.sub. I ran into a small bug in src/distrib/miniroot/install.sub
http://www.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub?rev=1.406&content-type=text/x-cvsweb-markup

    DKDEVS=$(scan_dmesg "${MDDKDEVS:-/^[sw]d[0-9][0-9]* /s/ .*//p}")

This can be overridden (I'm only realizing now) by EXPORT'ing MDDKDEVS="" at run time. However, the long term fix (if/when raid(4) is updated) is to fix the regex. Unfortunately, I'm having some trouble updating this BRE REGEX. re_format(7) hackers feel free to pitch in. OpenBSD sed(1) doesn't support ERE (Extended Regular Expressions), but egrep(1) of course does. Normally I would switch this to:

    /^(rai|[sw])d[0-9][0-9]* /s/ .*//p

And with "E" grep I would get:

    $ egrep '^(rai|[sw])d[0-9][0-9]* ' /var/run/dmesg.boot
    wd0 at pciide1 channel 0 drive 0:
    wd1 at pciide1 channel 1 drive 0:
    raid0 (root): (RAID Level 1) total number of sectors is...
    raid1 (root): (RAID Level 1) total number of sectors is

But apparently the "start(thisString|[thatCharActerClass])rest" syntax doesn't work in non-ERE mode. Maybe someone can help out there.
Also, updating the kernel (/bsd) and the 2nd stage boot (/boot) is tricky and a manual process when using this CD to upgrade:

3) To make bsd.mp+raidframe an "Install Set" option, declare / export:

    MDSETS="bsd.mp+raidframe"

to have install.sub suck it into the $THESETS append list. According to upgrade.sh, this will install it into your root dir (raid0a?) "/" path, which is wrong (I use a symlink for my kernel), but at least you'll be able to copy it to wd0a:/antiraid/bsd and wd0b:/antiraid/bsd ... or: wait for upgrade.sh to finish up and remount /dev/cd0a manually again against /mnt2.

I have updated this image to the latest OpenBSD 4.0-stable sources. Tags: -r "OPENBSD_4_0", -D "11/06/06 10:58:26 EST".

http://people.collaborativefusion.com/~seklecki/openbsd_4.0_stableUpdate_wRAIDFrame.iso
SHA1: b7e33764ab96e1a2db0d125d07e9628367680858
Size: 175331328
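As an added example (not from the thread), the install.sub device scan can be written in a BRE without alternation: instead of `(rai|[sw])`, give sed two address/substitute commands, one per prefix, and compare the result against the grep -E form from the post and the looser `\(rai\)*[sw]*d` form from the reply. The dmesg excerpt is constructed and the function names are mine; install.sub's own `scan_dmesg` is not used.

```shell
#!/bin/sh
# Added example, not from the thread: portable BRE alternative to the
# "(rai|[sw])d" ERE for picking disk device names out of dmesg. POSIX sed(1)
# BREs have no alternation, so two address/substitute commands are used.
# Function names and the dmesg excerpt below are constructed for this example.

# Constructed dmesg excerpt: two wd disks, two raid sets, plus cd0 and fd0
# which must NOT be reported, and a trailing line that mentions raid0a
# mid-line and must be ignored too.
SAMPLE_DMESG='wd0 at pciide1 channel 0 drive 0: <ST380013AS>
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd1 at pciide1 channel 1 drive 0: <ST380013AS>
cd0 at atapiscsi0: <TOSHIBA, DVD-ROM SD-R1002, 1A07> ATAPI 5/cdrom removable
fd0 at fdc0 drive 0: density unknown
raid0 (root): (RAID Level 1) total number of sectors is 156301312 (76319 MB)
raid1 (root): (RAID Level 1) total number of sectors is 156301312 (76319 MB)
root on raid0a swap on raid0b dump on raid0b'

# dmesg_devs_bre: BRE version. Each -e reads "if the line starts with
# <prefix><unit><space>, delete the rest of the line and print it". Only
# the attach line "wd0 at ..." has a space right after the unit number, so
# "wd0: 16-sector ..." is skipped and each disk is listed once.
dmesg_devs_bre() {
    sed -n \
        -e '/^[sw]d[0-9][0-9]* /s/ .*//p' \
        -e '/^raid[0-9][0-9]* /s/ .*//p'
}

# dmesg_devs_loose: the reply's workaround. It is a valid BRE, but "\(rai\)*"
# and "[sw]*" are independent, so it also admits lines beginning with a bare
# "d0 " or with "raisd0 "; on real dmesg output that is harmless, which is
# why it "works".
dmesg_devs_loose() {
    sed -n '/^\(rai\)*[sw]*d[0-9][0-9]* /s/ .*//p'
}

# dmesg_devs_ere: the ERE the post wanted, via grep -E (egrep); kept here
# only to confirm the BRE forms agree with it.
dmesg_devs_ere() {
    grep -E '^(rai|[sw])d[0-9][0-9]* ' | sed 's/ .*//'
}

# dmesg_devs FUNC: run FUNC over the sample and return the device names as
# one sorted, space-separated line for easy comparison.
dmesg_devs() {
    printf '%s\n' "$SAMPLE_DMESG" | "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# On a live system: dmesg_devs_bre < /var/run/dmesg.boot
dmesg_devs dmesg_devs_bre
```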
Re: ports question
PKG_INFO(1)                    OpenBSD Reference Manual

NAME
     pkg_info - a utility for displaying information on software packages
[...]
     -D      Show the install-message file (if any) for each package (deprecated option).
     -M      Show the install-message file (if any) for each package.

On Wed, 11 Oct 2006, Bryan Irvine wrote:
> Sometimes ports have helpful messages that tell you the proper way to start it from rc.local or some other set of instructions that should be your next step etc... Sometimes these get installed as a dependency of another app though and so the screen just keeps right on trucking and you don't have time to read it. Is there some command or somewhere you can go to see what the message was?
>
> --Bryan
Re: carp(4) debugging
Exciting stuff; totally missed the log sysctl. The netstat(8) reveals some interesting info about a persistent failover condition:

    $ netstat -sp carp
    carp:
            7731906 packets received (IPv4)
            0 packets received (IPv6)
            0 packets discarded for bad interface
            0 packets discarded for wrong TTL
            0 packets shorter than header
            0 discarded for bad checksums
            0 discarded packets with a bad version
            0 discarded because packet too short
            0 discarded for bad authentication
            0 discarded for bad vhid
            0 discarded because of a bad address list
            118961 packets sent (IPv4)
            0 packets sent (IPv6)
    **      152 send failed due to mbuf memory error

But yet:

    $ netstat -m
    [...snip...]
    290/558/6144 mbuf clusters in use (current/peak/max)
    1224 Kbytes allocated to network (53% in use)
    0 requests for memory denied
    0 requests for memory delayed
    0 calls to protocol drain routines

Which is interesting, because an identical backup unit does not exhibit these errors at all, even when running as MASTER for weeks on end. Mbufs aren't getting exhausted; MRTG doesn't show interfaces getting saturated either. The machine has an absurd amount of RAM for a router, too.

Also interesting is how it is printed out, as if it is under the IPv6 statistics; however these systems have a userland and kernel compiled without IPv6 support.

But since this is 3.7-era code, it's hard to imagine troubleshooting this further. Certainly a 4.x upgrade is in order before I go chasing down an mbuf exhaustion problem. This is most likely related somehow to the absurdly high number of max states (set limit states 20, etc.)

~BAS

On Wed, 11 Oct 2006, Ryan McBride wrote:
> On Tue, Oct 10, 2006 at 05:50:50PM -0400, Brian A. Seklecki wrote:
> > Certainly a way to log events (interfaces, etc.) and the resulting actions taken by the code would be useful in mission critical environments. Anything beats "tcpdump 'proto carp'" and making guesses from there.
> Nothing new to 4.0, but a few of the things you can do besides using tcpdump are:
>
> route monitor - see interface link state change
> sysctl net.inet.carp.log=1 - generates primarily protocol error messages
> netstat -sp carp - display a number of relevant counters
>
> If you want to do more complicated things, like run commands when carp interfaces change state, you can have a look at ifstated.
>
> -Ryan
carp(4) debugging
I'm building -current right now. I'm looking forward to improvements between vlan(4) and carp(4) post 3.7. I'm curious: are there any new debugging mechanisms for carp(4) in -current/4.x? I was looking at the ip_carp.{c,h} changelog. It doesn't seem obvious if there are. I.e., does ifconfig(8)'ing the DEBUG flag onto the interface generate any helpful output to log(9)? Something along the lines of what you would get from "debug standby error", "debug standby event", "debug standby terse" in an IOS environment? Anything to help debug the decision making algorithm used in the master/standby/backup election process. Certainly a way to log events (interfaces, etc.) and the resulting actions taken by the code would be useful in mission critical environments. Anything beats "tcpdump 'proto carp'" and making guesses from there.

TIA, -lava
Re: Building bsd.rd in cdrom39.fs with RAIDFrame
Proper src/etc/etc.i386/Makefile.inc patch: -- $ diff -u Makefile.inc Makefile.inc-patched --- Makefile.incSun Sep 10 15:46:33 2006 +++ Makefile.inc-patchedSun Sep 10 15:46:06 2006 @@ -2,11 +2,13 @@ # etc.i386/Makefile.inc -- i386-specific etc Makefile targets .ifdef DESTDIR -snap_md: bsd bsd.mp notes bootblocks distrib +snap_md: bsd bsd.mp bsd.mp+raidframe notes bootblocks distrib cp ${.CURDIR}/../sys/arch/i386/compile/GENERIC/bsd \ ${DESTDIR}/snapshot/bsd cp ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP/bsd \ ${DESTDIR}/snapshot/bsd.mp + cp ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP+RAIDFRAME/bsd \ + ${DESTDIR}/snapshot/bsd.mp+raidframe bsd: cd ${.CURDIR}/../sys/arch/i386/conf && config GENERIC 
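Review bot: the `+snap_md: bsd bsd.mp bsd.mp+raidframe ...` dependency and the `+ cp .../compile/GENERIC.MP+RAIDFRAME/bsd` line both assume a sys/arch/i386/conf/GENERIC.MP+RAIDFRAME kernel config that this patch does not add, so on an unmodified tree `make snap_md` fails at the config step before the copy ever runs; either ship that config with the patch or state in the patch description that it must be created first (the thread below describes the RAMDISK_CD variant, but no GENERIC.MP variant is shown anywhere).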
@@ -16,6 +18,11 @@ bsd.mp: cd ${.CURDIR}/../sys/arch/i386/conf && config GENERIC.MP cd ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP && \ + ${MAKE} clean && ${MAKE} depend && exec ${MAKE} + +bsd.mp+raidframe: + cd ${.CURDIR}/../sys/arch/i386/conf && config GENERIC.MP+RAIDFRAME + cd ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP+RAIDFRAME && \ ${MAKE} clean && ${MAKE} depend && exec ${MAKE} notes: -- On Fri, 8 Sep 2006, Brian A. Seklecki wrote: One of the big problems with RAIDFrame support absence in GENERIC is that it's also lacking in RAMDISK and RAMDISK_CD. This prevents RAIDFrame users from doing binary updates off boot media. This can be fixed with a few tweaks in src/distrib/i386/: First, create a bsd.rd within cdrom39.fs (note, NOT cd39.iso!) with RAIDFrame support: Because src/distrib/i386/ramdisk_cd/Makefile simply includes ${.CURDIR}/../common/Makefile.inc, appends "list.local" with a couple hundred extra-Kb or utilities, sets the floppy imagage to 2.8mb size, then declares $RAMDISK. (Which is a *very* ambiguous name, mind you, a better name would be something like $KERNERLCONF, etc.), one can simply adjust RAMDISK= to point to a src/sys/arch/i386/conf/$foo kernel conf file which will get automatically build on 'make release' in src/etc/ as 'bsd.rd'. Simply copy src/sys/arch/i386/conf/RAMDISK_CD to conf/RAMDISK_CD+RAIDFrame append the following: pseudo-device raid 4 # RAIDframe disk driver options RAID_AUTOCONFIG Then set the following in distrib/i386/ramdisk_cd/Makefile: RAMDISK=RAMDISK_CD+RAIDFrame Next, make another kernel package available to the install script (GENERIC+RAIDFrame) as an option. Follow the same instructions for RAMDISK_CD for GENERIC. 
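Review bot: the `+bsd.mp+raidframe:` recipe duplicates the bsd.mp recipe verbatim except for the config name (the diff even reuses bsd.mp's trailing `${MAKE} clean && ${MAKE} depend && exec ${MAKE}` line as context), so the two will drift apart on the next edit; a loop over the two config names, or a shared variable, would keep them in step. The new target is also undocumented within this patch; the src/distrib/notes/m4.common entry described later in this thread should accompany it.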
Add the following to src/etc/etc.i386/Makefile.inc:

bsd.mp+raidframe:
	cd ${.CURDIR}/../sys/arch/i386/conf && config GENERIC.MP+RAIDFRAME
	cd ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP+RAIDFRAME && \
	    ${MAKE} clean && ${MAKE} depend && exec ${MAKE}

Then add the following to src/distrib/notes/m4.common:

define({:-OpenBSDbsdmp+raidframe-:},
{:-	bsd.mp+raidframe	A stock GENERIC.MP MACHINE kernel, with support for multiprocessor machines, which can be used instead of the GENERIC kernel after the install. Also features CMU RAIDFrame support for upgrading existing RAIDFrames.-:})dnl
dnl

Then clean out your obj and src and rebuild. Your $RELEASEDIR/cdrom39.fs (2.88mb floppy image for use with mkisofs(1)) will contain a gzip(1)'d bsd.rd with RAIDFrame support. Run mkisofs(8) on your $DESTDIR with cdrom39.fs as your '-B'. You may now safely burn a CD-R for binary upgrades of existing RAIDFrame enabled OpenBSD systems, or use your .ISO with your DRAC card via remote media.
Building bsd.rd in cdrom39.fs with RAIDFrame
One of the big problems with RAIDFrame support's absence in GENERIC is that it's also lacking in RAMDISK and RAMDISK_CD. This prevents RAIDFrame users from doing binary updates off boot media. This can be fixed with a few tweaks in src/distrib/i386/:

First, create a bsd.rd within cdrom39.fs (note, NOT cd39.iso!) with RAIDFrame support:

Because src/distrib/i386/ramdisk_cd/Makefile simply includes ${.CURDIR}/../common/Makefile.inc, appends "list.local" with a couple hundred extra KB of utilities, sets the floppy image to 2.8mb size, then declares $RAMDISK (which is a *very* ambiguous name, mind you; a better name would be something like $KERNELCONF, etc.), one can simply adjust RAMDISK= to point to a src/sys/arch/i386/conf/$foo kernel conf file which will get automatically built on 'make release' in src/etc/ as 'bsd.rd'.

Simply copy src/sys/arch/i386/conf/RAMDISK_CD to conf/RAMDISK_CD+RAIDFrame and append the following:

pseudo-device	raid	4	# RAIDframe disk driver
options		RAID_AUTOCONFIG

Then set the following in distrib/i386/ramdisk_cd/Makefile:

RAMDISK=RAMDISK_CD+RAIDFrame

Next, make another kernel package available to the install script (GENERIC+RAIDFrame) as an option. Follow the same instructions for RAMDISK_CD for GENERIC.

Add the following to src/etc/etc.i386/Makefile.inc:

bsd.mp+raidframe:
	cd ${.CURDIR}/../sys/arch/i386/conf && config GENERIC.MP+RAIDFRAME
	cd ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP+RAIDFRAME && \
	    ${MAKE} clean && ${MAKE} depend && exec ${MAKE}

Then add the following to src/distrib/notes/m4.common:

define({:-OpenBSDbsdmp+raidframe-:},
{:-	bsd.mp+raidframe	A stock GENERIC.MP MACHINE kernel, with support for multiprocessor machines, which can be used instead of the GENERIC kernel after the install. Also features CMU RAIDFrame support for upgrading existing RAIDFrames.-:})dnl
dnl

Then clean out your obj and src and rebuild.
Your $RELEASEDIR/cdrom39.fs (2.88mb floppy image for use with mkisofs(1)) will contain a gzip(1)'d bsd.rd with RAIDFrame support. Run mkisofs(8) on your $DESTDIR with cdrom39.fs as your '-B'. You may now safely burn a CD-R for binary upgrades of existing RAIDFrame enabled OpenBSD systems, or use your .ISO with your DRAC card via remote media.
Re: Alter root FS device after boot?
> you can't ever unmount the first / mount after init starts, because
> that would mean revoking init's vnode.

Yes, after disabling the kernel checks I've tried to do this and it seems to cause a complete halt of the system. If only I could bypass the check that disallows a device from becoming mounted twice. When an RD kernel boots, /dev/rd0a is not explicitly mounted as /; instead "root_device" is. However, if I try to mount(2) /dev/rd0a under a fresh MFS /, I get errno 16 Device busy. So somewhere in the kernel outside of the fstab(5) the device is being flagged as in-use. I'm half-tempted to find that code and disable it.

~BAS
Alter root FS device after boot?
All: Would it be hypothetically possible to change the device mounted as (/) after the system has booted (possibly during the bootstrapping phase)? This of course overriding the checks in src/sys/kern/sys_vfs*.

~BAS
Re: 3.7: weird IP address problem
On Mon, 24 Apr 2006, Toni Mueller wrote:
> Hello,
>
> I have a box that once had two IP addresses on one interface. I deconfigured one of them using ifconfig -alias. Now, when I want to use any (?) program on that box to go over this interface, it wants to use the address which is no longer present. I double-checked to ensure that there is no NAT in the way, and also used

Also, is it still ARP'ing for the old address? (tcpdump(8) will show.)

~BAS
Re: Tape drive DLT VS160
On Mon, 24 Apr 2006, Planck wrote:
> Hello. I have tape drive Quantum DLT VS160 (part of dmesg below) connected to Adaptec AHA-2940. Everything works fine, but I don't know how to enable hardware compression on that drive. There aren't any jumpers on the enclosure, and mt(1) or st(4) don't say anything about that.

Yea, it would normally be "mt comp on" or "mt compress on".

~BAS
Re: isakmpd - DPD stops working
On Fri, 21 Apr 2006, Mitja Muženič wrote:
> I'm debugging something weird here. Before I put together a full and sanitized error report, just a quick question: is anybody else seeing DPD just stop working after a couple of hours, or is it just me & my setup? I have some pre-3.9 -current (mid March or so) machines running some IPsec tunnels, and from the IKE dump it appears that after two hours both ends suddenly stop sending DPD R_U_THERE requests, even if the tunnel is totally idle (for example, if I down the interface connecting the hosts). The

The lack of responses suggests you'll need to post verbose tcpdump(8) output and up the debugging greatly on isakmpd(8). Have you tested basic IP connectivity for problems?

~BAS
Re: 3.7: weird IP address problem
On Mon, 24 Apr 2006, Toni Mueller wrote:
> Hello,
>
> I have a box that once had two IP addresses on one interface. I deconfigured one of them using ifconfig -alias.
> I'd rather not reboot only to make a change in IP numbers effective...

Check "netstat -rn" and "arp -an" for hangers-on lingering about.

~BAS

> Best,
> --Toni++

l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Override errno EBUSY on rd(4) device after boot in mount(2)?
Is there any way to override the flag on a device that prevents it from being mounted twice? MNT_FORCE isn't it. I've got an embedded environment I'm setting up where I want to transfer the root (/) file system from an rd(4) to an MFS. To do this, I have to add some customizations to copy() in sbin/newfs/newfs.c. This is because as soon as I call mount_mfs(8) from my RD's /etc/rc, all of / goes away, so I have to accomplish things in C functions until I can get the previous (/) re-mounted as /rescue. I can call mount(2) manually from newfs::copy(), but /dev/rd0a refuses to unmount from its previous ubiquitous "root_device". Even if I explicitly mount /dev/rd0a as /, it refuses to dismount after I mount a new memfs at /, even with MNT_FORCE to unmount(2). Is it possible that rd(4)s simply can't be unmounted? I'm assuming they can be, and that unlike their MFS counterpart, their contents do not reset (well, they would reset to whatever the contents of the RD image in the kernel is, assuming changes had been made). This is truly a chicken-and-egg scenario. Any thoughts would be appreciated.

~BAS
Re: Panic: biodone already
On Thu, 20 Apr 2006, Pedro Martelletto wrote:
> The raid(4) codebase is old, unmaintained, and known to have issues. That's one of the reasons it's not in the stock kernel.

Oh, I thought the OpenBSD team was silently discouraging people from the practice of using software RAID. >:} That sounds like the service of a friend. Focusing efforts on better universal hardware RAID management interface support.

~BAS
Re: Microsoft SP1 RPC traffic (Active Directory issues)
On Thu, 20 Apr 2006, James Mackinnon wrote:
> Good day everyone
>
> Recently, I installed SP1 on some domain controllers and ran into an issue where Microsoft changed RPC data with SP1 and firewalls such as Microsoft's own ISA server as well as Checkpoint have started to randomly block this data.

...look at the pflog(4), correlate hits with the source address of servers having problems with the blocks, generate a pf.conf(5) rule to match, and move on.

~BAS
Re: Wireless NIC for soekris 4801
On Thu, 20 Apr 2006, Lasse Bach wrote:
> Hi all,
>
> Does anyone have any HW recommendations on that, and should it be PCI or MiniPCI? Moreover, can anyone recommend a PCI NIC with dual antennas?

The Cisco theoretically supports it since it's a glorified cardbus->PCI expander on a stick.

~BAS
Re: Panic: biodone already
> 2) is there a command where I can entirely erase my drives so I can start from scratch? This is a sparc64 build and I can't use fdisk - is newfs

Use dd(1) to blow away any trace of raidframe from your disks:

    dd if=/dev/zero of=/dev/rsd0{a,c} bs=1024k count=1

That will write a meg of nulls to the front of the disk and erase the MBR, disklabel, boot blocks, whatever crud.

~BAS
Re: Sendmail security problem
On Fri, 24 Mar 2006, Joachim Schipper wrote:
On Fri, Mar 24, 2006 at 02:14:50PM +, Stuart Henderson wrote:
On 2006/03/24 14:12, Alexander Bochmann wrote:
...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:

    P gnu/usr.sbin/sendmail/libsm/refill.c
    P gnu/usr.sbin/sendmail/sendmail/collect.c
    P gnu/usr.sbin/sendmail/sendmail/conf.c
    P gnu/usr.sbin/sendmail/sendmail/deliver.c
    P gnu/usr.sbin/sendmail/sendmail/headers.c
    P gnu/usr.sbin/sendmail/sendmail/mime.c
    P gnu/usr.sbin/sendmail/sendmail/parseaddr.c
    P gnu/usr.sbin/sendmail/sendmail/savemail.c
    P gnu/usr.sbin/sendmail/sendmail/sendmail.h
    P gnu/usr.sbin/sendmail/sendmail/sfsasl.c
    P gnu/usr.sbin/sendmail/sendmail/sfsasl.h
    P gnu/usr.sbin/sendmail/sendmail/srvrsmtp.c
    P gnu/usr.sbin/sendmail/sendmail/usersmtp.c
    P gnu/usr.sbin/sendmail/sendmail/util.c

I am pretty certain a fix was imported for 3.7-stable, too.

Yep.

Why was there no Security Advisory or entry in the Daily Changelog for this? There's an errata entry, but no announcement =/

~BAS

Joachim
Re: IPMI / SNMP / MRTG (WAS: RE: ipmi(4) (IPMI MIB?))
On Fri, 3 Feb 2006, Marco Peereboom wrote:
> What's wrong with?
>
>     # sysctl hw | grep ipmi
>     hw.sensors.0=ipmi0, Temp, OK, temp, 43.00 degC / 109.40 degF
>     hw.sensors.1=ipmi0, Planar Temp, OK, temp, 30.00 degC / 86.00 degF
>     hw.sensors.2=ipmi0, CMOS Battery, OK, volts_dc, 3.12 V
>     hw.sensors.3=ipmi0, Front Fan, OK, fanrpm, 1258 RPM
>     hw.sensors.4=ipmi0, Back Fan, OK, fanrpm, 2052 RPM
>     hw.sensors.5=ipmi0, Intrusion, OK, indicator, Off

Like I said, that's preferable. Other *BSD platforms should import the OpenBSD code, and we should endeavor to map those sysctl()s into an IPMI MIB. I think Linux has its own IPMI kernel layer.

~lava

> How is this any harder to parse? And it does not take 35 seconds either.
IPMI / SNMP / MRTG (WAS: RE: ipmi(4) (IPMI MIB?))
On Thu, 26 Jan 2006, Bruce Shaw wrote:
> We've actually got several different problems here.
>
> > Specifically, the OpenBSD implementation we're seeing here seems to provide sysctl style access to Sensor data, watchdog info, etc., but what about other IPMI functions?
>
> I've been working on better sensor information for openBSD but lack reliable access to a platform to develop on (a friend has been doing what he can).

On any number of occasions, I've offered personally to donate VMWare licenses to Net-SNMP developers to help bring *BSD support back into the mainstream >:} ... That's a standing offer and I'm sure there are plenty of corporations that wouldn't mind contributing either.

I will say this, though. It takes about 35 seconds to do an "ipmitool sdr list full". Thus, for every two values you would like to graph in MRTG, you can add 35 seconds to the job's run time. The time it takes to do an "ipmi sensor get 'blah'" is marginally different than a list.

    $ time ipmitool -U netadmin -E -H sys-lom.priv -c sdr list full
    Temp,43,degrees C,ok
    Temp,40,degrees C,ok
    [...]
    real    0m34.618s
    user    0m0.017s
    sys     0m0.017s

Thus an in-kernel IPMI<-->SNMP gateway interface (such as OpenBSD's) would be optimal compared to relying on the hardware/LOM/BMC functionality, at least for the sensor related data. The hardware interface on the BMC/NIC is infinitely useful. You can VLAN it off into a management/out-of-band subnet and do hard power resets, etc., from there.

Regarding MRTG, there are 8 sets of values to graph out from the sensor results on Dell PE 1850s/2850s that I have access to:

    Set 1: CPU0 Temp, CPU1 Temp
    Set 2: MB Ambient, MB Planar Temp
    Set 3: Riser Temp && [Riser Temp]
    Set 4: PS#0 Temp, PS#1 Temp
    Set 5: CMOS Battery Volt && [CMOS Battery Volts]
    Set 6: Fan 1A, Fan 1B
    Set 7: Fan 2A, Fan 2B
    Set 8: Fan 3A, Fan 3B
    Set 9: Fan 4A, Fan 4B

A modified version of Chris Wilson's NAGIOS IPMI plugin can be used to poll the data into MRTG in a very... VERY suboptimal, but functional, manner.
http://digitalfreaks.org/~lavalamp/ipmi_mrtg.pl (this script lacks any kind of sanity checking)

MRTG configs might look something like:

Target[SYSNAME.fan3]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com f3`
PageTop[SYSNAME.fan3]: Fan Set 3 RPMs
Title[SYSNAME.fan3]: Fan Set 3 RPMs
Options[SYSNAME.fan3]: nopercent,gauge,growright
#Legend3[SYSNAME.fan3]: Fan Set 3, Fan A RPMs
#Legend2[SYSNAME.fan3]: Fan Set 3, Fan B RPMs
YLegend[SYSNAME.fan3]: RPMs
ShortLegend[SYSNAME.fan3]: RPMs
LegendI[SYSNAME.fan3]: Fan Set 3, Fan A RPMs:
LegendO[SYSNAME.fan3]: Fan Set 3, Fan B RPMs:
MaxBytes[SYSNAME.fan3]: 1

Target[SYSNAME.risertemp]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com ri`
PageTop[SYSNAME.risertemp]: Motherboard Riser(s)
Title[SYSNAME.risertemp]: Motherboard Riser(s)
Options[SYSNAME.risertemp]: nopercent,gauge,growright
#Legend1[SYSNAME.risertemp]: Motherboard Riser
#Legend2[SYSNAME.risertemp]: Motherboard Riser
YLegend[SYSNAME.risertemp]: Degrees Celsius
ShortLegend[SYSNAME.risertemp]: Degrees C
LegendI[SYSNAME.risertemp]: Degrees C Motherboard Riser:
#LegendO[SYSNAME.risertemp]: Degrees C Motherboard Riser:
MaxBytes[SYSNAME.risertemp]: 100

Target[SYSNAME.pstemp]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com ps`
PageTop[SYSNAME.pstemp]: Power Supply Temperature(s)
Title[SYSNAME.pstemp]: Power Supply Temperature(s)
Options[SYSNAME.pstemp]: nopercent,gauge,growright
#Legend1[SYSNAME.pstemp]: Temperature Power Supply #0
#Legend2[SYSNAME.pstemp]: Temperature Power Supply #1
YLegend[SYSNAME.pstemp]: Degrees Celsius
ShortLegend[SYSNAME.pstemp]: Degrees C
LegendI[SYSNAME.pstemp]: Degrees C PS#0:
LegendO[SYSNAME.pstemp]: Degrees C PS#1:
MaxBytes[SYSNAME.pstemp]: 100

Target[SYSNAME.batvolt]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com cb`
PageTop[SYSNAME.batvolt]: CMOS Battery Voltage
Title[SYSNAME.batvolt]: CMOS Battery Voltage
Options[SYSNAME.batvolt]: nopercent,gauge,growright
#Legend1[SYSNAME.batvolt]: Temperature CPU#0
#Legend2[SYSNAME.batvolt]: Temperature CPU#1
YLegend[SYSNAME.batvolt]: Volts DC
ShortLegend[SYSNAME.batvolt]: Volts DC
LegendI[SYSNAME.batvolt]: Volts CMOS Battery:
#LegendO[SYSNAME.batvolt]: Degrees C CPU#1:
MaxBytes[SYSNAME.batvolt]: 6

Target[SYSNAME.cputemp]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativefusion.com cpu`
PageTop[SYSNAME.cputemp]: CPU Temperature(s)
Title[SYSNAME.cputemp]: CPU Temperature(s)
Options[SYSNAME.cputemp]: nopercent,gauge,growright
#Legend1[SYSNAME.cputemp]: Temperature CPU#0
#Legend2[SYSNAME.cputemp]: Temperature CPU#1
YLegend[SYSNAME.cputemp]: Degrees Celsius
ShortLegend[SYSNAME.cputemp]: Degrees C
LegendI[SYSNAME.cputemp]: Degrees C CPU#0:
LegendO[SYSNAME.cputemp]: Degrees C CPU#1:
MaxBytes[SYSNAME.cputemp]: 100

Target[SYSNAME.mbtemp]: `/usr/local/cf/ipmi_mrtg.pl SYSNAME-lom.pgh.priv.collaborativ
Re: ipmi(4) (IPMI MIB?)
All:

Regarding the future of IPMI and SNMP, where do they intersect in the evolution of enterprise free software (aka, BSD)?

Specifically, the OpenBSD implementation we're seeing here seems to provide sysctl style access to Sensor data, watchdog info, etc., but what about other IPMI functions? For those, you still need the ipmitool(8) from Sourceforge. A kernel interface is nice, but "ipmitool -H 1.2.3.4 chassis reset" or "off" are obviously beyond the scope of this implementation.

The problem is that the data is useless unless you can collect it using something like SNMP. From there you can feed it to MRTG for simple graphing, SNMP traps from the agent for events (case intrusion detection, etc.), Perl modules for data archiving, etc.

What about more practical examples of IPMI -> Net-SNMP integration? Two come to mind: platform-independent environmental sensor data and chassis information. The latter isn't available via the kernel on any OS that I know of, and the former isn't unified (various ways of talking to W83781D, W83782D, W83783S, LM78, LM79 and the AS99127F chips). But IPMI could standardize that.
For example, the ipmitool(8) values of "chassis status" or "sensor":

$ ipmitool -E sensor
[temperature, fans, voltages omitted]

Then 4 or 5 values that you simply cannot get from ISA based environmental ICs are available:

OS Watchdog|0x0|discrete|0x0080|na|na|na|na|na|na
SEL
Intrusion
PSRedundancy
FanRedundancy

Also, these aren't showing up in my hardware, but:

Error reading sensor PCI Parity Err (#04)
Error reading sensor PCI System Err (#05)
Error reading sensor SCSI Connector A (#02)
Error reading sensor Drive (#01)
Error reading sensor ECC Corr Err (#01)
Error reading sensor ECC Uncorr Err (#02)
Error reading sensor Memory Mirrored (#12)
Error reading sensor Memory RAID (#13)
Error reading sensor Memory Added (#14)
Error reading sensor Memory Removed (#15)

If that information was populated, that would be very exciting (for example, drive failure notification via IPMI? Perhaps in RAID?)

Also:

$ ipmitool -E chassis status
System Power         : on
Power Overload       : false
Power Interlock      : inactive
Main Power Fault     : false
Power Control Fault  : false
Power Restore Policy : always-off
Last Power Event     :
Chassis Intrusion    : inactive
Front-Panel Lockout  : inactive
Drive Fault          : false
Cooling/Fan Fault    : false
Sleep Button Disable : allowed
Diag Button Disable  : allowed
Reset Button Disable : allowed
Power Button Disable : allowed
Sleep Button Disabled: true
Diag Button Disabled : true
Reset Button Disabled: true
Power Button Disabled: true

It would be extremely useful to be able to map these values directly into a Net-SNMP MIB's values as booleans, then use "defaultMonitor" / DISMAN-EVENT-MIB for the event-style bits and other integers for the traditional sensor data (fan RPMs, thermometer).
In the mean time, it may be possible to use Net-SNMP's built in Perl support to read sysctl(2) data from OpenBSD and parse the output of ipmitool(8) (ipmitool(8) has a "-c" flag for CSV output, but it doesn't seem to work in combination with the 'sensor' command -- sucks) on other BSDs, but I'm not sure how that process would begin (an OID tree would need to be assigned to IPMI?)

~BAS
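An added example, not from this thread and not the ipmi_mrtg.pl script linked in the reply above: a POSIX sh wrapper that runs the slow `ipmitool -c sdr list full` once, caches it, and serves both the two-value MRTG targets the reply describes and a Net-SNMP pass handler (snmpd.conf `pass OID /path/to/script`) for the chassis booleans this post wants in a MIB. The LOM host name, user, cache path, the OID base and the two embedded ipmitool outputs are assumptions constructed for the demo; real BMC output varies (the Dell boxes in the thread, for instance, report two rows both named `Temp`, which is why a sensor is addressed by name plus occurrence).

```shell
#!/bin/sh
# Added example (not code from the posts): poll a BMC once, cache the CSV,
# and answer MRTG and snmpd "pass" requests from the cache.  Host, user,
# cache path, OID base and the two sample outputs are assumptions/constructed.

IPMI_HOST=${IPMI_HOST:-sys-lom.priv}        # assumed LOM hostname
IPMI_USER=${IPMI_USER:-netadmin}            # password comes from $IPMI_PASSWORD (-E)
CACHE=${CACHE:-/tmp/ipmi_sdr.cache}
MAX_AGE=${MAX_AGE:-300}                     # seconds: one ~35 s poll per 5 min
BASE_OID=${BASE_OID:-.1.3.6.1.4.1.99999.1}  # placeholder private subtree

# Constructed sample of `ipmitool -c sdr list full` (name,value,unit,status).
SDR_SAMPLE='Temp,43,degrees C,ok
Temp,40,degrees C,ok
Ambient Temp,22,degrees C,ok
FAN 1A RPM,6450,RPM,ok
FAN 1B RPM,6300,RPM,ok
CMOS Battery,3.09,Volts,ok'

# Constructed sample of `ipmitool chassis status`.
CHASSIS_SAMPLE='System Power         : on
Power Overload       : false
Main Power Fault     : false
Chassis Intrusion    : active
Drive Fault          : false
Cooling/Fan Fault    : true'

# The slow call.  Redefine these two functions to test without a BMC.
ipmi_sdr_raw() { ipmitool -U "$IPMI_USER" -E -H "$IPMI_HOST" -c sdr list full; }
chassis_raw()  { ipmitool -U "$IPMI_USER" -E -H "$IPMI_HOST" chassis status; }

# Cached SDR CSV.  Line 1 of the cache is the epoch of the poll, so staleness
# is checked without stat(1) flags that differ between BSD and GNU.
sdr_cached() {
    now=$(date +%s)
    if [ -r "$CACHE" ]; then
        stamp=$(head -n 1 "$CACHE")
        case "$stamp" in *[!0-9]*|'') stamp=0 ;; esac
        if [ $((now - stamp)) -lt "$MAX_AGE" ]; then
            tail -n +2 "$CACHE"; return 0
        fi
    fi
    { echo "$now"; ipmi_sdr_raw; } > "$CACHE.$$" && mv "$CACHE.$$" "$CACHE"
    tail -n +2 "$CACHE"
}

# Value of the N-th sensor row with this exact name (default: first).
sdr_value() {   # sdr_value NAME [INDEX]
    sdr_cached | awk -F, -v n="$1" -v want="${2:-1}" \
        '$1 == n { if (++seen == want) { print $2; exit } }'
}

# MRTG external-script protocol: in, out, uptime (blank), target name.
mrtg_pair() {   # mrtg_pair NAME_A IDX_A NAME_B IDX_B
    printf '%s\n%s\n\n%s\n' "$(sdr_value "$1" "$2")" "$(sdr_value "$3" "$4")" "$IPMI_HOST"
}

# Chassis boolean: 1 for on/true/active, 0 for anything else.
chassis_flag() {    # chassis_flag "Chassis Intrusion"
    chassis_raw | awk -F: -v k="$1" '
        { sub(/[ \t]+$/, "", $1); v = $2; gsub(/[ \t]/, "", v) }
        $1 == k { print (v == "true" || v == "active" || v == "on") ? 1 : 0; exit }'
}

# snmpd pass protocol: -g OID (get), -n OID (getnext), -s OID TYPE VALUE (set).
# Leaves: .1 intrusion, .2 drive fault, .3 cooling/fan fault, all INTEGER 0/1.
snmp_pass() {
    case "$1" in -s) echo not-writable; return 0 ;; esac
    leaf=${2#"$BASE_OID".}
    if [ "$leaf" = "$2" ]; then leaf=0; fi   # the base OID itself
    leaf=${leaf%%.*}                          # drop any instance suffix
    case "$leaf" in *[!0-9]*|'') leaf=0 ;; esac
    if [ "$1" = -n ]; then leaf=$((leaf + 1)); fi
    case "$leaf" in
        1) key="Chassis Intrusion" ;;
        2) key="Drive Fault" ;;
        3) key="Cooling/Fan Fault" ;;
        *) return 0 ;;   # print nothing: snmpd answers noSuchObject / end of subtree
    esac
    printf '%s.%s\ninteger\n%s\n' "$BASE_OID" "$leaf" "$(chassis_flag "$key")"
}

case "${1:-}" in
    mrtg) shift; mrtg_pair "$@" ;;      # Target[x]: `/path/ipmi_poll.sh mrtg Temp 1 Temp 2`
    -g|-n|-s) snmp_pass "$@" ;;         # snmpd.conf: pass $BASE_OID /path/ipmi_poll.sh
    demo)                               # no BMC: seed the cache with the sample
        { date +%s; printf '%s\n' "$SDR_SAMPLE"; } > "$CACHE"
        chassis_raw() { printf '%s\n' "$CHASSIS_SAMPLE"; }
        mrtg_pair Temp 1 Temp 2; snmp_pass -n "$BASE_OID" ;;
esac
```

Run it as `sh ipmi_poll.sh demo` to see the MRTG quadruple and the first pass reply without touching hardware. With a 5-minute MRTG interval and MAX_AGE=300, the first target of each run pays the 35 seconds and every other target on the same host reads the cache; the chassis status is fetched live because the thread says nothing about its cost.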
Re: Annoying echoes in console DRAC III/XT on DELL Poweredge
On Fri, 13 Jan 2006, Xavier Milliès-Lacroix wrote:
> Sorry for the delay.
>
> In the BIOS I have found, 'USB Controller' with 3 options :
> Sets the USB controller to On with BIOS Support, On Without BIOS
> Support, or Off. If you have a PS/2 keyboard attached, On Without BIOS
> Support disables BIOS USB support. If you do not have a PS/2 keyboard
> attached and select On Without BIOS Support, USB mouse and keyboard devices
> function only during the boot process. When set to On With BIOS Support, USB
> mouse and keyboard devices are controlled by the BIOS until an operating
> system driver is loaded.
>
> But none are working.
>
> Any other ideas ?

Wscons may not be available during the initial install if that's what you're trying to do; otherwise all new USB keyboards connected while the system is running should get MUX'd in. Compile a kernel w/o wscons or wskbd? I dunno. I'd really have to play with it.

All that I can personally attest to is: it works fine with Drac/4 on FreeBSD 5.x =/

~BAS

> -Message d'origine-
> De : Brian A. Seklecki [mailto:[EMAIL PROTECTED]
> Envoyé : lundi 5 décembre 2005 02:11
> À : Xavier Milliès-Lacroix
> Cc : misc@openbsd.org
> Objet : Re: Annoying echoes in console DRAC III/XT on DELL Poweredge
>
> The thing emulates a USB keyboard. Try toggling legacy emulation mode in
> the BIOS.
>
> ~BAS
>
> On Thu, 2005-12-01 at 03:55, Xavier Milliès-Lacroix wrote:
>> Hello,
>>
>> I'm trying to install OBSD 3.8 on a Dell Poweredge 750 server using
>> the Card DRAC III/XT (provides remote console/screen).
>> But each time a key is pushed I have the letter repeated on the console.
>> I have put the last firmware for the DRAC Card.
>>
>> I have searched but didn't find any answer
>>
>> I can't install remotely OBSD !
>>
>> Do you have already met this issue ?
>>
>> Is it a java problem (the remote access is done via http and a java
>> virtual machine) ?
>>
>> Xavier.

l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: isakmpd + gre crashing on OpenBSD 3.8
But as soon as I start an scp from Perspex to Soekris, Perspex reboots after a few hundred kb. Unfortunately, Perspex is in a datacenter and I do not have console access to it to see what the heck is happening at that exact moment.

I don't recall. But for the record (IPSEC inside GRE): if the transport IPSEC connection is negotiated between two hosts inside the GRE tunnel private subnet and the IPSEC connection goes down, the data flows in cleartext. *bad*

The opposite would be (GRE inside IPSEC transport): if the transport IPSEC tunnel is built between the two hosts' public interfaces and the GRE tunnel is built normally and thus encrypted, things should work. Of course, we run into the crash.

The trick was I tried it on OpenBSD/Sparc where there is no such thing as "flash back to the BIOS" and it turns out a Sun "watchdog timer" is getting hit. Watchdog timers on i386 must cause the BIOS to reset. So the problem is in-kernel and the config is probably too obscure for developers to spend time on.

My solution was to re-IP my network properly, and use IP supernets / summarization / subnet aggregation, thus consolidating the need for so many spokes on a hub-and-spoke VPN config.

~BAS

I noticed that there were no responses to your thread, but I was wondering if you had worked out your problem or if you decided to go the ipsec encapsulated in gre.

Cheers,

/Jason
--
Jason Taylor
e: [EMAIL PROTECTED]
m: 514-815-8204

l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: OpenBSD beep
PC speaker beep (some action on the console?) Or possibly a hardware alarm?

~BAS

On Sat, 2005-12-17 at 09:12, dimaz wrote:
> I've installed OpenBSD on my small server, before on server was linux,
> and 2-3 times a day my server beeps (3 times)...
> What does it mean? And how I can control this beeps?
Re: RAIDframe issues on 3.8
> started filing PR's for RAIDframe stuff in OpenBSD -- there have been
> a lot of changes/fixes to RAIDframe in the last 5 years that aren't

I have $100 via Paypal for the person who commits RAID enabled boot blocks for Sparc[64] and i386/amd64 on OpenBSD.

I have an additional $100 via Paypal for the person who makes an initial effort to re-sync the RAIDFrame codebase.

~BAS

> reflected in the code in OpenBSD, and I wouldn't know where to begin
> :)
>
> Later...
>
> Greg Oster
Re: UltraSparc documentation
> There is the (expensive) Real Weasel for x86 kit, Dell's crappy lights

DRAC/4 isn't that bad >:}

You can always use serial console redirection on the 1850s/2850s; it works well until OS boot (BIOS menus work, RAID, IPMI menus), when you have to set up serial console redirection on the boot loader/kernel, and then start a getty on the com. Plus you have hardware level IPMI (cold boots, etc.) which you can tag with a VLAN. It's not Sun, though.

~BAS

> out card isn't a reliable option.
>
> Any thoughts welcome.
Re: *STUPID* IPSEC Routing Bug - No Default Gateway?!
> no, you just need a route to the destination, this is a known

a route to the destination of the tunnel...(that overlaps with the encap route...)...

> but and there's no simple fix. however, just create a network
> route for the peer that points back to the sender. this way

...or a route to the isakmpd peer? because technically one gets added to the route table by ARP:

192.168.1.50    0:11:43:e8:2b:c6    UHLc    0    679672    -    vlan30

...this of course would differ if there were multiple hops between the isakmpd peers.

~BAS

> you avoid sending out unencrypted traffic if the ipsec tunnels
> are down.
>
> -m
*STUPID* IPSEC Routing Bug - No Default Gateway?!
All:

I'm CC'ing everyone who has previously posted the "destination host unreachable" behavior when setting up a generic 4-host IPSec VPN tunnel config per the template in vpn(8) / isakmpd.conf(5).

NOTE: This is not the "I can't ping the other side of the tunnel from the remote gateway because I forgot to specify the source IP flag to ping(8)" bug.

In the template, gateway A and B share a "WAN" circuit, normally an ethernet segment (a /30 for example). Each has a CIDR of RFC1918 space on a second interface (a /24 for example). The tunnel(s) comes up, netstat -rn -f encap shows the ipsec routes, ipsecadm(8) shows the flows.

However: if gateway A sends an ICMP packet using ping(8)'s "-I" with a source address of the private subnet on its second interface to the IP on the private/second interface on gateway B, the packet gets properly encapsulated and transmitted per pflog0.

However, if the destination of the ICMP ping is an IP in the subnet assigned to the Ethernet segment on gateway B's private/second interface, the packet:

- crosses the tunnel
- leaves the private interface, hits host X
- host X returns the packet to gateway B
- gateway B drops the packet, and returns host X an ICMP "host unreachable" for gateway A

As crazy as that sounds, it happens? And after hours of troubleshooting, the problem turns out to be??!?! [*drumroll*]

OpenBSD requires that gateway A and gateway B have a default route declared *EVEN THOUGH ONE IS NOT REQUIRED IN THE LAB CONFIGURATION*

1) If gateway A and gateway B have "WAN" interfaces on an ethernet segment such as a /30, they know the route to their respective WAN networks via "directly connected route".
2) isakmpd/ipsec traffic can flow across that WAN network with no additional routing assistance.
3) Once the phase 2 negotiation is complete, both boxes know a new special "ipsec route" for a /24 "via the ipsec peer".
4) TRAFFIC EGRESSING THE TUNNEL MUST HAVE A SOURCE ADDRESS THAT MATCHES THE ACL.
So why in the world would a default gateway be required? A default gateway is only required to reach subnets for which routes do not exist. Try it. >:}

This is the second time I've been bitten by these "pseudo" routes. See PR 4314/system.

~BAS
Re: OpenBSD 3.8 and Dell 1850 with PERC4/DC controller
I've only had the priv. to run OpenBSD on the 750 and 850 1Us from Dell. However I have a number of FreeBSD 5.3x hosts on single and dual-proc 1850 models, some with RAID and some with standard SCSI.

The standard SCSI config (on which I run software RAID) probes as:

NAME
     mpt(4) -- LSI Fusion-MPT SCSI/Fibre Channel driver

mpt0: port 0xec00-0xecff mem 0xdfde-0xdfde,0xdfdf-0xdfdf irq 34 at device 5.0 on pci2
mpt0: [GIANT-LOCKED]
ses0 at mpt0 bus 0 target 6 lun 0
da0 at mpt0 bus 0 target 0 lun 0
da1 at mpt0 bus 0 target 1 lun 0

The hardware RAID (with cache and battery and all) probes as:

NAME
     amr(4) -- AMI MegaRAID PCI-SCSI RAID driver

amr0: mem 0xdfde-0xdfdf,0xd80f-0xd80f irq 46 at device 14.0 on pci2
amr0: [GIANT-LOCKED]
amr0: Firmware 521S, BIOS H430, 256MB RAM
amrd0: on amr0
amrd0: 69880MB (143114240 sectors) RAID 1 (optimal)

Maybe check your invoice?

~BAS

On Mon, 5 Dec 2005, shane mullins wrote:

We have a Dell 1850 with a PERC4/DC controller. When I try installing OpenBSD 3.8, I am having some troubles. 3.8 sees the card with the mpt0 driver, which will not recognize my RAID1 config. The hardware compatibility guide tells me mpt0 is the driver for a standard SCSI card. According to the hardware guide, the correct driver for RAID support is ami. When I boot with boot -cs and add the ami driver support, I get no disk drive support. To check the drive config I installed and booted another OS.

Any help/comments would be greatly appreciated.

Thanks
Shane

l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
PF NAT Address Pool Source Interface
All:

It may seem rudimentary, but nowhere in the FAQ or man pages is it explicitly stated that the source address or address pool of a NAT translation must be assigned to an interface. Obviously it can either be a primary address (such as 99.9% of the PAT configurations on the Internet) or a series of IP aliases assigned.

Furthermore, it doesn't actually state or recommend which interface the translated addresses should be assigned to. Technically, it's irrelevant. In practice, it depends greatly on the overall network configuration (specifically, routing), as long as other hosts in the network know a discrete route to the subnet of the translated hosts via any interface on the device doing the translation.

The translation occurs to the packet's source address as it leaves the outbound interface (the one explicitly defined to the right of the "->" in the pf.conf(5) rule), so one might casually assume to assign the pool/address there; however in my tests, I've found that it can be assigned to the same interface as the subnet being translated.

However, if a translation rule in pf.conf(5) exists but the destination address/pool (the address to be translated to, not the optional destination CIDR mask) is not assigned to an interface, OpenBSD will still happily transmit a translated packet out an interface with a source address foreign to that segment / whatever media. Even if other hosts receive a packet and reply to it, they won't be able to ARP for it, and if they could, the original OpenBSD box will drop the reply with destination host/network unreachable (obviously).

Wouldn't a better behavior be to prevent the transmission of the packet in the same way a socket cannot bind to a source port/IP if it is not assigned to an interface?

Thoughts?

TIA,
BAS
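An added example, not from the post, of the pre-flight check the post is asking pf for: a POSIX sh script that reads a pf.conf(5) and the output of `ifconfig -a` and prints every literal translation address on a nat rule (the `-> address`, `-> block/N` or `-> { a, b }` form) that is not configured on any interface, exiting non-zero if any is missing. Macros, `($if)` forms and tables are left alone because pf resolves those itself. The rule set and the interface listing embedded below are constructed samples using documentation addresses; a /N pool is checked address by address, which is the conservative reading of the post's point that every address pf may translate to has to exist somewhere.

```shell
#!/bin/sh
# Added example (not code from the post): report nat translation addresses
# that no interface carries.  Usage: natpool_check.sh pf.conf ifconfig.out
# Without arguments it runs on the constructed samples below.

PF_SAMPLE='ext_if = "fxp0"
nat on $ext_if from 192.168.1.0/24 to any -> 203.0.113.10
nat on $ext_if from 192.168.2.0/24 to any -> 203.0.113.16/30 round-robin
nat on $ext_if from 192.168.3.0/24 to any -> { 203.0.113.20, 203.0.113.21 }
nat on $ext_if from 192.168.4.0/24 to any -> ($ext_if)'

# Constructed `ifconfig -a` excerpt: .18, .19 and .21 are deliberately absent.
IFCONFIG_SAMPLE='fxp0: flags=8843 mtu 1500
        inet 203.0.113.2 netmask 0xfffffffc broadcast 203.0.113.3
        inet 203.0.113.10 netmask 0xffffffff broadcast 203.0.113.10
        inet 203.0.113.16 netmask 0xffffffff broadcast 203.0.113.16
        inet 203.0.113.17 netmask 0xffffffff broadcast 203.0.113.17
        inet 203.0.113.20 netmask 0xffffffff broadcast 203.0.113.20
fxp1: flags=8843 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255'

# check_nat_pool PFCONF IFCONFIG_OUT: prints missing addresses, exit 1 if any.
check_nat_pool() {
    awk '
    function ip2n(a,   o) { split(a, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    function n2ip(n) { return int(n / 16777216) "." int(n / 65536) % 256 "." int(n / 256) % 256 "." n % 256 }
    # Expand one translation target; print each address not seen on an interface.
    function check(t,   p, base, bits, size, k, a) {
        if (t !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) return   # macro, ($if) or table: pf resolves it
        bits = (split(t, p, "/") == 2) ? p[2] : 32
        size = 2 ^ (32 - bits); base = ip2n(p[1]); base -= base % size   # align to the block
        for (k = 0; k < size; k++) { a = n2ip(base + k); if (!(a in have)) { print a; missing++ } }
    }
    NR == FNR { if ($1 == "inet") have[$2] = 1; next }   # first file: ifconfig -a, keyed by dotted quad
    /^[ \t]*nat[ \t]/ {                                    # second file: nat rules in pf.conf
        for (i = 1; i <= NF; i++) if ($i == "->") break
        if (i > NF) next
        if ($(i + 1) == "{") {
            for (j = i + 2; j <= NF && $j != "}"; j++) { t = $j; sub(/,$/, "", t); check(t) }
        } else check($(i + 1))
    }
    END { exit missing ? 1 : 0 }
    ' "$2" "$1"
}

# Run the check on the embedded samples (expected: 203.0.113.18, .19, .21).
run_sample() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/natck.XXXXXX") || return 2
    printf '%s\n' "$PF_SAMPLE" > "$d/pf.conf"
    printf '%s\n' "$IFCONFIG_SAMPLE" > "$d/ifconfig.out"
    rc=0
    check_nat_pool "$d/pf.conf" "$d/ifconfig.out" || rc=$?
    rm -rf "$d"
    return $rc
}

if [ $# -eq 2 ]; then check_nat_pool "$1" "$2"; else run_sample || :; fi
```

Wire it in before `pfctl -f /etc/pf.conf` (`ifconfig -a > /tmp/ifc && natpool_check.sh /etc/pf.conf /tmp/ifc || exit 1`) and the foreign-source-address case the post describes is caught before the rule set loads.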
Re: multiple Local-IDs for isakmpd
I opened a PR on this earlier this year. Search my last name in query-pr. The Cisco 3000 supports SA proposals with multiple discontiguous subnets.

~BAS

On Tue, 2005-06-07 at 20:54, Tamas TEVESZ wrote:
> hi,
>
> i have a situation where a branch office with multiple,
> non-overlapping, non-aggregatable local networks need to connect to
> the head office, via an ipsec tunnel. "of course", the security
> gateway is also acting as a gateway to the internet (nat and the usual
> collateral stuff), and, as a matter of fact, some of the "local"
> networks are connected to it via openvpn (that is, it itself is a vpn
> concentrator of sorts, for openvpn tunnels).
>
> rough sketch:
>
> -- branch office -- | | -- head office --
> | |
> 172.16.187.0/24 - | |
> 172.19.47.0/24 \ +---+ | | +---+
> +- |security gw| - (ipsec tun) - |security gw| - ...
> 192.168.114.0/24 / ++--+ | | +---+
> 192.168.2.0/24 - |
> \
> (internet etc..)
>
> it may also be the case that at the head office end, there will be
> more than one hosts/networks to be accessed, this is not clarified
> yet. i am not in control of the head office's concentrator, but i know
> that they are using a cisco 3060.
>
> how is this realized within isakmpd's configuration? i already have
> tried putting more than one ipv4_addr_subnets into the ipsec-id
> section, and even more than one ipsec-id section, but isakmpd throw
> them out (no surprise).
>
> if this cannot be realized within isakmpd, what other options do i
> have? pf route-tos/reply-tos are about the only thing i can think
> of... anything else?
>
> tia,
Re: Annoying echoes in console DRAC III/XT on DELL Poweredge
The thing emulates a USB keyboard. Try toggling legacy emulation mode in the BIOS.

~BAS

On Thu, 2005-12-01 at 03:55, Xavier Milliès-Lacroix wrote:
> Hello,
>
> I'm trying to install OBSD 3.8 on a Dell Poweredge 750 server using the Card
> DRAC III/XT (provides remote console/screen).
> But each time a key is pushed I have the letter repeated on the console.
> I have put the last firmware for the DRAC Card.
>
> I have searched but didn't find any answer
>
> I can't install remotely OBSD !
>
> Do you have already met this issue ?
>
> Is it a java problem (the remote access is done via http and a java virtual
> machine) ?
>
> Xavier.
Re: Tyan Thunder LE SMP issues
> As far as I know, this is UP, and does not use SMP. Chances are you have
> some sort of SMP issue... maybe with the 2nd CPU.

He indicated that he swapped them up.

> --Toby.

l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: OpenBSD 3.8 X.org on Sun Blade 100
On Thu, 17 Nov 2005, Simon Morgan wrote:
On 17/11/05, Brian A. Seklecki <[EMAIL PROTECTED]> wrote:

I had a U5 270? 330? Mhz for a year or two; the only way to get into 1280x1024 (the max res of the monitor that it shipped with) was to drop into 8bpp. At 16/24 bpp, with the 8mb integrated ATI Rage 64 something something garbage, you had to use m64config(8) and put the framebuffer in ...1152x1024? 1152x768? Something like that. Your X.log shows those available...try them. I just don't see 8mb video cards making it to 1280x1024 at 24/16bpp
Re: OpenBSD 3.8 X.org on Sun Blade 100
On Thu, 17 Nov 2005, Simon Morgan wrote:
On 17/11/05, Brian A. Seklecki <[EMAIL PROTECTED]> wrote:

I just don't see 8mb video cards making it to 1280x1024 at 24/16bpp

I've now managed to get a display up. Many thanks to you and everyone else who offered advice. Unfortunately the mouse is still completely

Errr jumped the gun...was it the resolution at 1152 something...or was it something else?
Re: OpenBSD 3.8 X.org on Sun Blade 100
I had a U5 270? 330? Mhz for a year or two; the only way to get into 1280x1024 (the max res of the monitor that it shipped with) was to drop into 8bpp. At 16/24 bpp, with the 8mb integrated ATI Rage 64 something something garbage, you had to use m64config(8) and put the framebuffer in ...1152x1024? 1152x768? Something like that. Your X.log shows those available...try them. I just don't see 8mb video cards making it to 1280x1024 at 24/16bpp

Also, does the log really stop at:

(EE) xf86OpenSerial: Cannot open device /dev/mouse
Operation not permitted.
(EE) Mouse0: cannot open input device
(EE) PreInit failed for input device "Mouse0"

...is it possible X is crashing/core'ing at this state? Normally it will passively fail to open the mouse device, but who knows. Try:

-allowNonLocalModInDev   allow changes to keyboard and mouse settings
-allowMouseOpenFail      start server even if the mouse can't be initialized

Also 2:

(--) Using wscons driver
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
_XSERVTransSocketUNIXCreateListener: mkdir(/tmp/.X11-unix) failed, errno = 2
_XSERVTransMakeAllCOTSServerListeners: failed to create listener for local

Is /tmp mounted MFS or so? Is it mode 777?

~BAS

On Thu, 17 Nov 2005, Simon Morgan wrote:
On 17/11/05, Brian A. Seklecki <[EMAIL PROTECTED]> wrote:

Wait...1280x1024 or 1600x1200 w/ 8MB of RAM? Is that right? Onboard video only occupies 8MB?

Sorry, yes. AFAIK the onboard video is 8MB.

l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: Problem with ISAKMPD
Are you expiring lifetime on bandwidth or time? Probably the defaults of whatever transforms suite you're using. Try manually defining it?

If you expire on time, say...10 minutes, you can tcpdump for udp 500 on either side at the expected time and watch the renegotiation. Maybe UDP packets are getting lost at renegotiation time. I had that problem once with pf where I was exhausting the max default states at 10,000 and new states were being refused with ICMP.

~BAS

On Sun, 2005-11-13 at 20:45, James Mackinnon wrote:
> Hey everyone
>
> I am hoping I am posting this to the correct list
>
> I am running an AMD 2200+ w/ 512mb of ram and all intel pro cards in my main
> location.
>
> I have 14 other locations connecting back to this 1 location and each location
> creates 3 tunnels to this system as I have
> 3 internal network segments I want available via VPN
>
> Platforms are:
>
> Main system: OpenBSD 3.7 Stable
> Remote locations: OpenBSD 3.5 and some OpenBSD 3.7
>
> at first, all locations come up fine, but then in approx 1 hour, 3 units stop
> communicating to the main firewall.
>
> They all have the same config (minor changes based on location and assigned
> ips of course).
>
> I was planning to finally get rid of my main checkpoint box and complete my
> migration to BSD but I had to revert back due to lack of time i had left to go
> back in case of an issue.
>
>
> My Main location is on Fiber
> All branches on DSL (pretty much same provider)
>
> My main location has approx 50 VPN connection entries in it.
> My branches connect to 3 VPNs.
>
> Example branch isakmpd.conf file
>
> [Phase 1]
> 12.12.12.12= peer-loc1
> 13.13.13.13= peer-loc2
> 14.14.14.14= peer-loc3
>
>
> [Phase 2]
> Connections=LOC1-SEG1, LOC1-SEG2, LOC1-SEG3, LOC2-SEG1, LOC3-SEG1
>
> [peer-loc1]
> Phase= 1
> Transport= udp
> Address=12.12.12.12
> Configuration= Default-main-mode
> Authentication= MYSUPERPASS
>
> [peer-loc2]
> Phase= 1
> Transport= udp
> Address=13.13.13.13
> Configuration= Default-main-mode
> Authentication= MYSUPERPASS
>
> [peer-loc3]
> Phase= 1
> Transport= udp
> Address=14.14.14.14
> Configuration= Default-main-mode
> Authentication= MYSUPERPASS
>
> [LOC1-SEG1]
> Phase= 2
> ISAKMP-peer=peer-loc1
> Configuration= Default-quick-mode
> Local-ID= Loc-Network
> Remote-ID= loc1-seg1-Network
>
> [LOC1-SEG2]
> Phase= 2
> ISAKMP-peer=peer-loc1
> Configuration= Default-quick-mode
> Local-ID= Loc-Network
> Remote-ID= loc1-seg2-Network
>
> [LOC1-SEG3]
> Phase= 2
> ISAKMP-peer=peer-loc1
> Configuration= Default-quick-mode
> Local-ID= Loc-Network
> Remote-ID= loc1-seg3-Network
>
> [LOC2-SEG1]
> Phase= 2
> ISAKMP-peer=peer-loc2
> Configuration= Default-quick-mode
> Local-ID= Loc-Network
> Remote-ID= loc2-seg1-Network
>
> [LOC3-SEG1]
> Phase= 2
> ISAKMP-peer=peer-loc3
> configuration= Default-quick-mode
> Local-ID= Loc-Network
> Remote-ID= loc3-seg1-Network
>
> [loc1-seg1-Network]
> ID-type=IPV4_ADDR_SUBNET
> Network=10.20.22.0
> Netmask=255.255.255.0
>
> [loc1-seg2-Network]
> ID-type=IPV4_ADDR_SUBNET
> Network=10.20.23.0
> Netmask=255.255.255.0
>
> [loc1-seg3-Network]
> ID-type=IPV4_ADDR_SUBNET
> Network=10.20.24.0
> Netmask=255.255.255.0
>
> [loc2-seg1-Network]
> ID-type=IPV4_ADDR_SUBNET
> Network=10.20.21.0
> Netmask=255.255.255.0
>
> [loc3-seg1-Network]
> ID-type=IPV4_ADDR_SUBNET
> Network=10.20.20.0
> Netmask=255.255.255.0
>
>
> [Loc-Network]
> ID-type=IPV4_ADDR_SUBNET
> Network=10.20.25.0
> Netmask=255.255.255.0
>
> [Default-main-mode]
> DOI=IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA
>
> [Default-quick-mode]
> DOI=IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-SUITE
>
>
> My isakmpd.policy file
>
> Keynote-version: 2
> Authorizer: "POLICY"
> Conditions: app_domain == "IPsec policy" &&
> esp_present == "yes" &&
> esp_enc_alg != "null" -> "true";
>
>
>
>
> I have run isakmpd -L, which I am still reviewing but most errors are below
>
> Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: giving up on message 0x3c066800, exchange fw01
> Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: either this message did not reach the other peer
> Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: or the response message did not reach us back
>
> Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
> Nov 13 05:41:46 fw2 isakmpd[16014]: message_parse_payloads: reserved field non-zero: ca
> Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
> Nov 13 21:09:52 fw2 isakmpd[3312]: message_recv: invalid coo
Re: RAIDFrame, failed component
> I'm not sure what to make of 'component1'. It's not an explicit

For some reason, RAIDFrame refers to a missing drive as "component1" whenever the RAID device is initialized and the drive is absent.

~BAS

> device, did you use that string in your raid0.conf? The first slot in
> these commands should refer to an explicit device.
Re: Tyan Thunder LE SMP issues
Why were they given to you? Something wrong with them perhaps.

Try booting a Memtest86+ ISO and let it ride for a while? Try another kernel from another OS? Try a non-MP kernel?

~BAS

On Wed, 2005-11-16 at 22:01, Lokkju wrote:
> Hey all, hoping someone might be able to point me in some sort of direction...
>
> I recently was given two BOXX brand 1u servers, both of which are the
> exact same - Tyan Thunder LE 2510 dual proc motherboards, with two
> 867Mhz chips per board, and 4 256MB ram sticks per board. The rest
> you can get from the dmesg.
>
> Anyway, I have been trying to get OpenBSD to run on them, and I
> continuously have problems on processor 1 - and no, it does not matter
> WHICH processor is in slot 1. I usually get an apm error, but
> sometimes I get tcp related, or copyout related, or other errors - all
> ending up with me dumped into ddb. These are usually "stopped"
> errors, not panics. In this case, the error is an apm_cpu_idle stopped
> error.
>
> So, here it goes - the dmesg, the trace on each processor, and the ps
> - as a side note, I can almost always instigate this crash by trying
> to untar something big - especially if I use verbose mode.
>
> PANIC
>
> # Stopped at apm_cpu_idle+0x4a: leal 0xfff4(%ebp),%esp
> ddb{0}> show panic
> the kernel did not panic
>
> DMESG
>
> OpenBSD 3.8 (GENERIC.MP) #298: Sat Sep 10 15:51:54 MDT 2005
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
> cpu0: Intel Pentium III ("GenuineIntel" 686-class) 864 MHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE
> real mem = 1073324032 (1048168K)
> avail mem = 972730368 (949932K)
> using 4278 buffers containing 53768192 bytes (52508K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(00) BIOS, date 10/31/00, BIOS32 rev. 0 @ 0xfdba0
> apm0 at bios0: Power Management spec V1.2
> apm0: AC on, battery charge unknown, estimated 0:00 hours
> apm0: APM get event: interface not connected (3)
> apm0: APM get event: interface not connected (3)
> apm0: disconnected
> apm0: flags 30102 dobusy 0 doidle 0
> pcibios0 at bios0: rev 2.1 @ 0xf/0x1
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf5200/192 (10 entries)
> pcibios0: PCI Interrupt Router at 000:15:0 ("ServerWorks ROSB4 SouthBridge" rev 0x00)
> pcibios0: PCI bus #0 is the last bus
> bios0: ROM list: 0xc/0x8000 0xc8000/0x1000
> mainbus0: Intel MP Specification (Version 1.4) (AMI CNB30LE )
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: apic clock running at 132 MHz
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel Pentium III ("GenuineIntel" 686-class) 864 MHz
> cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE
> mainbus0: bus 0 is type PCI
> mainbus0: bus 1 is type PCI
> mainbus0: bus 2 is type ISA
> ioapic0 at mainbus0: apid 4 pa 0xfec0, version 11, 16 pins
> ioapic1 at mainbus0: apid 5 pa 0xfec01000, version 11, 16 pins
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "ServerWorks CNB20LE Host" rev 0x06
> pchb1 at pci0 dev 0 function 1 "ServerWorks CNB20LE Host" rev 0x06
> pci1 at pchb1 bus 1
> vga1 at pci0 dev 1 function 0 "ATI Rage XL" rev 0x27
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> fxp0 at pci0 dev 4 function 0 "Intel 82557" rev 0x08, i82559: apic 5 int 4 (irq 11), address 00:e0:81:01:cb:ca
> inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
> pcib0 at pci0 dev 15 function 0 "ServerWorks ROSB4 SouthBridge" rev 0x50
> pciide0 at pci0 dev 15 function 1 "ServerWorks OSB4 IDE" rev 0x00: DMA
> wd0 at pciide0 channel 0 drive 0:
> wd0: 16-sector PIO, LBA, 58644MB, 120103200 sectors
> wd0(pciide0:0:0): using PIO mode 4, DMA mode 2, Ultra-DMA mode 2
> ohci0 at pci0 dev 15 function 2 "ServerWorks OSB4/CSB5 USB" rev 0x04: apic 4 int 10 (irq 10), version 1.0, legacy support
> usb0 at ohci0: USB revision 1.0
> uhub0 at usb0
> uhub0: ServerWorks OHCI root hub, rev 1.00/1.00, addr 1
> uhub0: 4 ports with 4 removable, self powered
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pmsi0 at pckbc0 (aux slot)
> pckbc0: using irq 12 for aux slot
> wsmouse0 at pmsi0 mux 0
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0:
> spkr0 at pcppi0
> sysbeep0 at pcppi0
> npx0 at isa0 port 0xf0/16: using exception 16
> pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pccom0: console
> pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
> biomask 0 netmask 0 ttymask 0
> pctr: 686-class user-level performance counters enabled
> mtrr: Pentium Pro MTRR support
> dkcsum: wd0 matches BIOS drive 0x80
> root on wd0a
>
Re: OpenBSD 3.8 X.org on Sun Blade 100
Wait...1280x1024 or 1600x1200 w/ 8MB of RAM? Is that right? Onboard video only occupies 8MB?

(II) ATI(0): Using Block 1 MMIO aperture at 0x00426000.
(II) ATI(0): MMIO write caching enabled.
(--) ATI(0): 8192 kB of SDRAM (1:1) detected (using 8191 kB).
(WW) ATI(0): Cannot shadow an accelerated frame buffer.
(II) ATI(0): Engine XCLK 115.000 MHz; Refresh rate code 10.
(--) ATI(0): Internal programmable clock generator detected.
(--) ATI(0): Reference clock 29.500 MHz.

Try adding "DefaultDepth 24" to your "Screen" section? It doesn't seem to automatically be picking a modeline. Xorg/XFree don't shine.

~BAS

On Wed, 2005-11-16 at 18:35, Simon Morgan wrote:
> Hi,
>
> I have a Sun Blade 100 and have just installed OpenBSD 3.8 on it and so far I'm
> very impressed. NetBSD, the supposed king of multi-platform, doesn't
> even support the keyboard! This is 5 year old hardware!
>
> Anyway, the problem I'm having is with X.org. Whenever I try and run it my
> monitor spits out an "out of sync" error and the only way (AFAIK) to regain a
> usable console is to shutdown the machine and boot it up again. Depending
> on the settings I use I'll either get a sub-error bitching about the frequencies
> or about the resolution (it complains that it's "> 1280x1024", which it
> isn't).
>
> I've trawled the mailing list archives and tried all the suggestions (mainly
> setting reference_clock) to no avail and was hoping that somebody here who
> knows more about X and/or Sun hardware could offer some insight.
>
> I've uploaded my xorg.conf and Xorg.0.log to
> http://16hz.net/~simon/SunBlade100/ in the hope that it will be of some use.
> If I've neglected to mention any pertinent information then please do say
> and I'll be happy to give it.
>
> Many thanks.
>
> Simon
Re: isakmpd(8) + gre(4) reproducible crash
The behavior does not exist when I set up IPSEC TRANSPORT mode across the GRE tunnel. I'll send-pr(1).

~BAS

On Fri, 28 Oct 2005, Brian A. Seklecki wrote:

per some previous remarks(1), i was able to get two i386 boxes in a lab to crash but not panic and core out, making it impossible to debug this problem. two i386 machines in the config below would just "reset back to the bios", as if the reset button had been tapped.

the problem occurs when two hosts with TRANSPORT mode isakmpd/ipsec tunnels attempt to run GRE tunnels

# netstat -rn -f encap
Routing tables

Encap:
Source            Port  Destination       Port  Proto  SA(Address/Proto/Type/Direction)
192.168.100.3/32  0     192.168.100.2/32  0     0      192.168.100.3/50/use/in
192.168.100.2/32  0     192.168.100.3/32  0     0      192.168.100.3/50/require/out

# ifconfig le0
le0: flags=8863 mtu 1500
        address: 08:00:20:73:90:35
        media: Ethernet 10baseT
        inet 192.168.100.2 netmask 0xff00 broadcast 192.168.100.255
        inet6 fe80::a00:20ff:fe73:9035%le0 prefixlen 64 scopeid 0x

# sysctl -w net.inet.gre.allow=1
net.inet.gre.allow: 0 -> 1
# ifconfig gre0 create
# ifconfig gre0 192.168.101.1 192.168.101.2 0x up
# ifconfig gre0 tunnel 192.168.100.2 192.168.100.3
# ifconfig gre0
gre0: flags=9011 mtu 1450
        physical address inet 192.168.100.2 --> 192.168.100.3
        inet 192.168.101.1 --> 192.168.101.2 netmask 0xff00

Over the IF packets are encrypted:

# tcpdump -i le0 -n
tcpdump: listening on le0, link-type EN10MB
[1] + Suspended tcpdump -i le0 -n
# bg
[1] tcpdump -i le0 -n
# ping 192.168.100.3
PING 192.168.100.3 (192.168.100.3): 56 data bytes
10:40:09.441390 esp 192.168.100.2 > 192.168.100.3 spi 0x05C4ED0D seq 61 len 100
10:40:09.442129 esp 192.168.100.3 > 192.168.100.2 spi 0x8F8702D4 seq 61 len 100
10:40:10.451353 esp 192.168.100.2 > 192.168.100.3 spi 0x05C4ED0D seq 62 len 100
10:40:10.451929 esp 192.168.100.3 > 192.168.100.2 spi 0x8F8702D4 seq 62 len 100
10:40:11.461126 esp 192.168.100.2 > 192.168.100.3 spi 0x05C4ED0D seq 63 len 100
10:40:11.461685 esp 192.168.100.3 > 192.168.100.2 spi 0x8F8702D4 seq 63 len 100

# tcpdump -i enc0
10:42:25.892085 (authentic,confidential): SPI 0x05c4ed0d: 192.168.100.2 > 192.168.100.3: icmp: echo request
10:42:25.894848 (authentic,confidential): SPI 0x8f8702d4: 192.168.100.3 > 192.168.100.2: icmp: echo reply
10:42:26.900524 (authentic,confidential): SPI 0x05c4ed0d: 192.168.100.2 > 192.168.100.3: icmp: echo request
10:42:26.902842 (authentic,confidential): SPI 0x8f8702d4: 192.168.100.3 > 192.168.100.2: icmp: echo reply

Ping across the tunnel:

# ping 192.168.101.2
PING 192.168.101.2 (192.168.101.2): 56 data bytes
10:47:26.360653 (authentic,confidential): SPI 0xc6d4bb1c: 192.168.101.1 > 192.168.101.2: icmp: echo request (gre encap)
10:47:26.363170 (authentic,confidential): SPI 0xfccf9bc3: 192.168.101.2 > 192.168.101.1: icmp: echo reply (gre encap)
10:47:25.357196 (authentic,confidential): SPI 0xc6d4bb1c: 192.168.101.1 > 192.168.101.2: icmp: echo request (gre encap)
10:47:25.360282 (authentic,confidential): SPI 0xfccf9bc3: 192.168.101.2 > 192.168.101.1: icmp: echo reply (gre encap)

# jobs
[1] + Running tcpdump -i le0 -n
[3] - Running tcpdump -i gre0
[2]   Running tcpdump -i enc0
# ping 192.168.101.2
PING 192.168.101.2 (192.168.101.2): 56 data bytes
64 bytes from 192.168.101.2: icmp_seq=0 ttl=255 time=4.205 ms
10:51:07.288550 192.168.101.1 > 192.168.101.2: icmp: echo request
10:51:07.291951 192.168.101.2 > 192.168.101.1: icmp: echo reply
10:51:07.289951 esp 192.168.100.2 > 192.168.100.3 spi 0xC6D4BB1C seq 7 len 124
10:51:07.290752 esp 192.168.100.3 > 192.168.100.2 spi 0xFCCF9BC3 seq 7 len 124
10:51:07.288743 (authentic,confidential): SPI 0xc6d4bb1c: 192.168.101.1 > 192.168.101.2: icmp: echo request (gre encap)
10:51:07.291813 (authentic,confidential): SPI 0xfccf9bc3: 192.168.101.2 > 192.168.101.1: icmp: echo reply (gre encap)
64 bytes from 192.168.101.2: icmp_seq=1 ttl=255 time=3.182 ms
10:51:08.300596 192.168.101.1 > 192.168.101.2: icmp: echo request
10:51:08.303353 192.168.101.2 > 192.168.101.1: icmp: echo reply
10:51:08.301695 esp 192.168.100.2 > 192.168.100.3 spi 0xC6D4BB1C seq 8 len 124
10:51:08.302351 esp 192.168.100.3 > 192.168.100.2 spi 0xFCCF9BC3 seq 8 len 124
10:51:08.300743 (authentic,confidential): SPI 0xc6d4bb1c: 192.168.101.1 > 192.168.101.2: icmp: echo request (gre encap)
10:51:08.303242 (authentic,confidential): SPI 0xfccf9bc3: 192.168.101.2 > 192.168.101.1: icmp: echo reply (gre encap)
64 bytes from 192.168.101.2: icmp_seq=2 ttl=255 time=3.137 ms
10:51:09.310326 192.168.101.1 > 192.168.101.2: icmp: echo request
10:51:09.313051 192.168.101.2 > 192.168.101.1: icmp: echo reply
10:51:09.311399 esp 192.168.100.2 > 192.168.100.3 spi 0xC6D4BB1C seq 9 len 124
10:51:09.312051 esp 192.168.100.3 > 1
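As an added example that is not part of the thread, a small Python audit of a "tcpdump -i le0 -n" capture in the format shown above: it takes the peer pair from the "require/out" encap route, constructs its own sample lines, and flags any cleartext packet between those peers (the policy should have forced ESP) plus any ESP sequence number that fails to advance for its SPI.

```python
import re
from collections import defaultdict

# Added example, not code from the thread: audit a capture of the physical interface
# against the encap policy that netstat -rn -f encap reported. 192.168.100.2 ->
# 192.168.100.3 is "require/out", so cleartext between those peers on the wire means
# the IPsec policy was bypassed; ESP sequence numbers are checked per SPI as well.

ESP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) esp (?P<src>\S+) > (?P<dst>\S+) "
    r"spi (?P<spi>0x[0-9A-Fa-f]+) seq (?P<seq>\d+) len (?P<len>\d+)$"
)
# Any other "src > dst" line on the wire is cleartext (same shape as the gre0 lines above).
PLAIN_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>[^\s:]+):? ?(?P<rest>.*)$")

# Peer pairs covered by a "require" encap route (taken from the netstat output above).
REQUIRE_ESP = {("192.168.100.2", "192.168.100.3")}

# Constructed sample: ESP lines in the thread's format, plus one constructed cleartext
# ICMP line between the peers and one constructed ESP line that repeats sequence 9.
LE0_CAPTURE = """\
10:51:07.289951 esp 192.168.100.2 > 192.168.100.3 spi 0xC6D4BB1C seq 7 len 124
10:51:07.290752 esp 192.168.100.3 > 192.168.100.2 spi 0xFCCF9BC3 seq 7 len 124
10:51:08.301695 esp 192.168.100.2 > 192.168.100.3 spi 0xC6D4BB1C seq 8 len 124
10:51:08.302351 esp 192.168.100.3 > 192.168.100.2 spi 0xFCCF9BC3 seq 8 len 124
10:51:09.311399 esp 192.168.100.2 > 192.168.100.3 spi 0xC6D4BB1C seq 9 len 124
10:51:09.400000 192.168.100.2 > 192.168.100.3: icmp: echo request
10:51:10.100000 esp 192.168.100.2 > 192.168.100.3 spi 0xC6D4BB1C seq 9 len 124
"""


def audit_wire_capture(text, require_esp=REQUIRE_ESP):
    """Return (esp_count, leaks, replays): cleartext lines that should have been ESP,
    and ESP lines whose sequence number did not advance for its (src, dst, spi)."""
    esp_count, leaks, replays = 0, [], []
    last_seq = defaultdict(lambda: -1)
    for line in text.splitlines():
        m = ESP_RE.match(line)
        if m:
            esp_count += 1
            key = (m["src"], m["dst"], m["spi"].lower())
            seq = int(m["seq"])
            if seq <= last_seq[key]:
                replays.append(line)   # replayed or reordered ESP packet
            last_seq[key] = max(last_seq[key], seq)
            continue
        m = PLAIN_RE.match(line)
        if m and (m["src"], m["dst"]) in require_esp:
            leaks.append(line)         # cleartext where the policy required ESP
    return esp_count, leaks, replays
```

Run it on a real capture with `audit_wire_capture(open("le0.txt").read())`; a non-empty leaks list is the finding to chase, since the "use/in" route on the other peer does not force protection in that direction.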