icanhaze.c OpenSSH exploit?
Does anyone have any information that they can share? http://pastebin.com/raw.php?i=gjkivAf3

Thanks,
Dustin Lundquist
Re: Actual BIND error - Patching OpenBSD 4.3 named ?
Anthony Roberts wrote:

    I don't think this actually accomplishes much. It still lets poisoned replies back in on the previous port number.

Hm... I don't think it does. BIND would, but it's going through PF. Without an additional rule to pass in to user named, the UDP reply has to be to the new NATed port. That's the only thing the state associated with the "pass out on egress" rule is going to be aware of. E.g., I applied the PF rule to one of my machines and checked; here's one of the states:

    all udp x.y.z.201:42001 -> x.y.z.201:60538 -> 68.142.196.63:53 MULTIPLE:MULTIPLE

I don't care that someone can forge a packet from 68.142.196.63:53 to x.y.z.201:60538; the goal of the NAT rule in this case is to prevent the attacker from finding out what local port I'm using with anyone else. Without that NAT rule, everyone sees 42001. With that NAT rule, the attacker won't discover what local port I'm using for other DNS servers like Google or Yahoo or whatever. The lookup they get me to do against their domain doesn't have the same local port as the others. If the local port is known, there are apparently some other attacks that can build on that.
You can use PF to randomize the source port on a standalone DNS server by using the loopback as your query source and a NAT rule, but you will need to enable IP forwarding for this to work.

/var/named/etc/named.conf:

    query-source address 127.0.0.1 port *;

/etc/pf.conf:

    nat on $ext_if from 127.0.0.0/8 to any -> $ext_if

    # pfctl -s s | grep 127.0.0
    all udp 127.0.0.1:44954 -> x.x.x.x:62246 -> 207.46.66.126:53       MULTIPLE:MULTIPLE
    all udp 127.0.0.1:44954 -> x.x.x.x:60491 -> 65.55.238.126:53       MULTIPLE:MULTIPLE
    all udp 127.0.0.1:44954 -> x.x.x.x:56006 -> 198.170.241.130:53     MULTIPLE:MULTIPLE
    all udp 127.0.0.1:44954 -> x.x.x.x:56851 -> 198.170.241.131:53     MULTIPLE:MULTIPLE
    all udp 127.0.0.1:44954 -> x.x.x.x:62635 -> 192.43.172.30:53       MULTIPLE:SINGLE
    all udp 127.0.0.1:44954 -> x.x.x.x:56918 -> 216.211.140.226:53     MULTIPLE:SINGLE
    all udp 127.0.0.1:44954 -> x.x.x.x:57970 -> 209.128.76.101:53      MULTIPLE:MULTIPLE
    all udp 127.0.0.1:44954 -> x.x.x.x:53076 -> 209.128.76.102:53      MULTIPLE:MULTIPLE

Dustin Lundquist
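The point of the two posts above is what the remote name server sees: one fixed port (42001) without the NAT rule, a fresh translated port per state with it. The following is an added example, not code from the original posts: it parses `pfctl -s state` lines of the form shown above and reports, per local query source, how many UDP/53 states exist and how many distinct ports the remote side actually saw, so you can confirm the randomization after applying the rule. The sample states are constructed (192.0.2.10 stands in for the external address); the column layout assumed is the one in the posted output.

```python
# Added example: check resolver source-port randomization from `pfctl -s state` output.
import re
from collections import defaultdict

# Columns: interface or "all", protocol, endpoints joined by " -> ", then the state pair.
STATE_RE = re.compile(r"^(?P<ifname>\S+)\s+(?P<proto>\w+)\s+(?P<eps>.+?)\s+(?P<state>\S+:\S+)$")


def parse_state(line):
    """Return (proto, [(host, port), ...], state) for one pfctl state line, or None."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    endpoints = []
    for ep in m.group("eps").split("->"):
        host, _, port = ep.strip().rpartition(":")   # rpartition keeps a [v6]:port host intact
        if not port.isdigit():
            return None
        endpoints.append((host, int(port)))
    return m.group("proto"), endpoints, m.group("state")


def source_port_report(lines, dns_port=53):
    """Map each local query source address to (udp states to dns_port, distinct ports the remote saw)."""
    ports = defaultdict(set)
    count = defaultdict(int)
    for line in lines:
        parsed = parse_state(line)
        if parsed is None:
            continue
        proto, eps, _ = parsed
        if proto != "udp" or len(eps) < 2 or eps[-1][1] != dns_port:
            continue
        # A NATed state carries three endpoints: original source, translated source,
        # destination. The remote server only sees the endpoint right before the
        # destination; without NAT that is the original source itself.
        local = eps[0][0]
        count[local] += 1
        ports[local].add(eps[-2][1])
    return {local: (count[local], len(ports[local])) for local in count}


def fixed_port_sources(report):
    """Sources that sent more than one query yet exposed a single port: not randomized."""
    return sorted(local for local, (n, distinct) in report.items() if n > 1 and distinct == 1)


# Constructed sample states; 192.0.2.10 stands in for the box's external address.
NAT_STATES = """\
all udp 127.0.0.1:44954 -> 192.0.2.10:62246 -> 207.46.66.126:53       MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> 192.0.2.10:60491 -> 65.55.238.126:53       MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> 192.0.2.10:56006 -> 198.170.241.130:53     MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> 192.0.2.10:62635 -> 192.43.172.30:53       MULTIPLE:SINGLE
all tcp 192.0.2.10:51023 -> 198.51.100.7:22       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:123 -> 198.51.100.9:123       MULTIPLE:MULTIPLE
""".splitlines()

FIXED_STATES = """\
all udp 192.0.2.10:42001 -> 207.46.66.126:53       MULTIPLE:MULTIPLE
all udp 192.0.2.10:42001 -> 65.55.238.126:53       MULTIPLE:MULTIPLE
all udp 192.0.2.10:42001 -> 198.170.241.130:53     MULTIPLE:MULTIPLE
""".splitlines()

if __name__ == "__main__":
    for name, states in (("with NAT rule", NAT_STATES), ("without NAT rule", FIXED_STATES)):
        report = source_port_report(states)
        print(name, report, "fixed-port sources:", fixed_port_sources(report))
```

On a live box, feed it `pfctl -s state` output (for example `source_port_report(sys.stdin)` from `pfctl -s state | python3 check.py`); a source listed by fixed_port_sources is one whose port an attacker can learn from a single query against a domain they control.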
Re: OpenSSL On Openbsd help
Khalid Schofield wrote:

    So do I have to use pass phrases when generating the certificate? If I use a pass phrase, why? How does it affect the certificate and its use? Also, if I use a pass phrase do I have to tell apache about it? Does it go in a config or do I have to enter it when reloading apache?

You do not need a pass phrase; in fact, usually a pass phrase will prevent apache from starting until you respond to the prompt to enter the pass phrase. If your server is going to be somewhere where there might be a power outage, or rebooted by someone who does not have the pass phrase, it's generally a big headache. That being said, if there is a risk that someone could read your private key off your webserver, either by physically stealing the server or an untrusted admin, a pass phrase isn't a bad idea. But in this case you have to consider what else would be compromised, and if it's easier just to revoke that cert and get another one. My recommendation would be to not use a pass phrase for SSL services, but to use a passphrase for a certificate that you use to sign other certificates: i.e. VPN user authentication, authenticating SSL users by issuing them each their own certificate, or similar.

The process of setting up a signed cert is as follows:

1. Generate your private key and secure the file permissions (you want to do this in a secure fashion, i.e. on the box directly as root or a private user). Guard this file: if it is compromised, the security SSL provides is compromised.

    openssl genrsa -out secure.example.com.key 4096
    chmod 400 secure.example.com.key

2. Generate your certificate signing request (CSR). You will be prompted to answer a bunch of questions: country, state, location, organization, organizational unit, common name and email address. Answer these accurately or else the certificate authority will not sign your key. There is one of special note: the Common Name (CN) needs to be the exact domain name of your SSL site, i.e. secure.example.com in this example:

    openssl req -new -nodes -key secure.example.com.key -out secure.example.com.csr

3. Send the CSR (you can open the file and copy and paste the contents into an email, or into the certificate authority's website) to the certificate authority along with whatever other documentation they require (their job is to verify you are who you are requesting a certificate for before signing the key; they usually require some proof of domain ownership and everything else you entered in step 2).

4. You will then receive your signed certificate. You can either keep the certificate in a separate file from your private key, or cat them together to make a .pem file:

    cat secure.example.com.key secure.example.com.cert > secure.example.com.pem; chmod 400 secure.example.com.pem

5. Configure apache to use your new cert and key:

    SSLCertificateFile /etc/ssl/secure.example.com.cert
    SSLCertificateKeyFile /etc/ssl/secure.example.com.key

   - or -

    SSLCertificateFile /etc/ssl/secure.example.com.pem

Since apache is chrooted, you have to restart it to read the new key and certificate.

Dustin Lundquist
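A check worth running after step 4, as an added example that is not part of the original post: using only the Python standard library, it confirms that the key and certificate you concatenated actually belong together (the same comparison `openssl rsa -noout -modulus` versus `openssl x509 -noout -modulus` makes) and that the certificate's CN is the hostname from step 2. It handles both the "RSA PRIVATE KEY" (PKCS#1) and "PRIVATE KEY" (PKCS#8) forms `openssl genrsa` has emitted over the years. The PEM bundles at the bottom are constructed from a toy 12-bit RSA key and a minimal hand-built certificate so the script runs offline; they are not real credentials, and the file name secure.example.com.pem is the one from the steps above.

```python
# Added example: verify that a .pem bundle's private key matches its certificate
# and that the certificate's CN is the intended hostname, with no OpenSSL needed.
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
CN_OID = bytes.fromhex("550403")               # 2.5.4.3 id-at-commonName

def pem_blocks(text):
    """Yield (label, DER bytes) for every PEM block in text."""
    for m in PEM_BLOCK.finditer(text):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Split the contents of a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_tlv(body, pos)
        out.append((tag, val))
    return out

def key_modulus(label, blob):
    """RSA modulus n from a PKCS#1 ("RSA PRIVATE KEY") or PKCS#8 ("PRIVATE KEY") blob."""
    fields = der_children(der_tlv(blob)[1])
    if label == "PRIVATE KEY":                     # PKCS#8 wraps the PKCS#1 key in an OCTET STRING
        fields = der_children(der_tlv(fields[2][1])[1])
    return int.from_bytes(fields[1][1], "big")     # RSAPrivateKey: version, n, e, d, ...

def cert_fields(blob):
    """Return (subject, subjectPublicKeyInfo) contents of a certificate's TBSCertificate."""
    tbs = der_children(der_children(der_tlv(blob)[1])[0][1])
    v = 1 if tbs[0][0] == 0xA0 else 0              # explicit [0] version shifts every later field
    return tbs[4 + v][1], tbs[5 + v][1]

def cert_modulus(blob):
    """RSA modulus n from the certificate's public key."""
    bits = der_children(cert_fields(blob)[1])[1][1]          # BIT STRING: pad byte, then RSAPublicKey
    return int.from_bytes(der_children(der_tlv(bits, 1)[1])[0][1], "big")

def cert_cn(blob):
    """Subject commonName, or None if the subject has none."""
    for _, rdn in der_children(cert_fields(blob)[0]):        # SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            oid, value = der_children(atv)
            if oid[1] == CN_OID:
                return value[1].decode()
    return None

def bundle_check(pem_text, expected_cn):
    """Return (key_matches_cert, cn_matches) for a bundle holding one key and one cert."""
    key_n = cert_n = cn = None
    for label, blob in pem_blocks(pem_text):
        if label.endswith("PRIVATE KEY"):
            key_n = key_modulus(label, blob)
        elif label == "CERTIFICATE":
            cert_n, cn = cert_modulus(blob), cert_cn(blob)
    if key_n is None or cert_n is None:
        raise ValueError("bundle needs one private key and one certificate")
    return key_n == cert_n, cn == expected_cn

# Constructed sample data: a toy 12-bit RSA key and a minimal hand-built certificate so the
# check runs offline. These are not real credentials.
def enc(tag, body):
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if not lb else 0x80 | len(lb)]) + lb + body

def enc_int(i):
    return enc(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))

def to_pem(label, blob):
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def toy_key_pem(p, q, e=17):
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return to_pem("RSA PRIVATE KEY", enc(0x30, b"".join(enc_int(f) for f in fields)))

def toy_cert_pem(n, cn, e=17):
    alg = enc(0x30, enc(0x06, RSA_OID) + enc(0x05, b""))
    spki = enc(0x30, alg + enc(0x03, b"\x00" + enc(0x30, enc_int(n) + enc_int(e))))
    name = enc(0x30, enc(0x31, enc(0x30, enc(0x06, CN_OID) + enc(0x0C, cn.encode()))))
    validity = enc(0x30, enc(0x17, b"080101000000Z") * 2)
    tbs = enc(0x30, enc(0xA0, enc_int(2)) + enc_int(1) + alg + name + validity + name + spki)
    return to_pem("CERTIFICATE", enc(0x30, tbs + alg + enc(0x03, b"\x00")))

GOOD_BUNDLE = toy_key_pem(61, 53) + toy_cert_pem(61 * 53, "secure.example.com")
WRONG_KEY_BUNDLE = toy_key_pem(67, 71) + toy_cert_pem(61 * 53, "secure.example.com")
```

Against the real file from step 4, run `bundle_check(open("secure.example.com.pem").read(), "secure.example.com")`; a `(False, ...)` result means the key you concatenated is not the one the CSR was made from, and apache would fail to start or serve the wrong identity.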
Re: snmp MIB variables
HOST-RESOURCES-MIB was added after the 4.3 release: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/snmpd/mib.c#rev1.20 While not supported, I've had luck building snmpd from -current on 4.3 release. Dustin Lundquist (private) HKS wrote: Hello, Reyk Floeter mentioned in his ONLamp interview (link below) that snmpd currently supports most of the SNMPv1/v2c MIBs, IP-MIB, BRIDGE-MIB, HOST-RESOURCES-MIB, IF-MIB, and the OPENBSD-SENSORS-MIB http://www.onlamp.com/pub/a/bsd/2008/04/29/puffy-and-the-crytonauts-whats-new-in-openbsd-43.html I have a 4.3 installation that lacks the vast majority of these MIBs. The most relevant for me is HOST-RESOURCES-MIB - 1.3.6.1.2.1.25.1. # snmpctl -n show mib | grep 1.3.6.1.2.1.25.1 # Are these MIBs planned releases, or is my installation missing something? Thanks in advance for the help. -HKS
Re: Server room temperature sensors
In the past I've used Enviromux devices, polling them via SNMP with MRTG. http://www.networktechinc.com/enviro-mini.htm Dustin Lundquist Joe wrote: Can anyone recommend a server room temperature sensor that I can use with openbsd? I want to monitor temperature and humidity. I hope to graph the data from the sensor. The sensor can be connected to my openbsd via usb, serial, or even network.
Re: Asus Striker Extreme does not support 4GB memory
Sam Fourman Jr. wrote:

    OpenBSD 4.2 (GENERIC.MP) #252: Tue Aug 28 10:53:04 MDT 2007
        [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
    cpu0: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz ("GenuineIntel" 686-class) 2.41 GHz
    cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
    real mem  = 3488116736 (3326MB)
    avail mem = 3384631296 (3227MB)

That looks normal for a 32-bit operating system trying to address 4GB; the OS still needs address space for PCI devices. I'm not sure of the status, but the amd64 port might support more than 4GB.

Dustin Lundquist
Re: Back again with funny network interfaces
Manuel Ravasio wrote:

    A friend of mine gave me a pcmcia card with no recognizable brand/model on it. I plugged it in and OpenBSD told me it's a Realtek 8139 card, and called it rl0. I can use the card, but apparently it works at 10Mbps instead of 100. I tried to force the card's speed and duplex by adding suitable entries in /etc/hostname.rl0:

        inet 10.42.42.1 255.255.255.0 10.42.42.255 media 100baseTX mediaopt full-duplex

    ifconfig -a shows a 100Mbps link speed, but the card's and the switch's LEDs show 10Mbps.

If you hard-set one side of an Ethernet link, it disables the auto-negotiation pulse, so the other side defaults to 10baseT half-duplex. I would suggest using "media autoselect" or "media 10baseT" unless you can configure the port on the switch. If you have another switch available, test the card on it and see what it negotiates to; also check that the dongle (if there is one) is fully connected.

Dustin Lundquist
Limiting root ssh without limiting other users
I'm looking for a way to limit ssh access by root to public key authentication from a single network without affecting other users' ssh access. So far the best solution I've come up with is to run two instances of sshd; is there a more elegant way?

Thanks,
Dustin Lundquist
Re: OpenBGPd Looking Glass?
I've also put one together that runs in apache's chroot although it requires a few binaries from the base system: ping, traceroute and a static version of bgpctl. http://null-ptr.net/sw/lg/ Dustin Lundquist Reyk Floeter wrote: On Wed, Dec 06, 2006 at 02:53:15PM -0600, [EMAIL PROTECTED] wrote: Has anyone as of yet written, or know of, a looking glass script that can be used with OpenBGPd to act as a looking glass/route server? I need to deploy a semi-public looking glass, don't really want to use zebra/quagga, and don't really have the time (or the programming chops, I'll admit it) to hack up a script. Here's the latest info I've been able to find based on one of Henning's presentations: BGPd has a second, restricted, control socket now; I coded that two weeks ago. It only allows certain messages - namely those behind the BGPd show operations. While running httpd in a chroot environment, which is default on OpenBSD, a cgi can call the bgpctl binary placed inside the chroot, passing the path to this restricted socket. Then, you just need the cgi to call that, and the looking glass is done. The cgi... yeah, someone needs to sit down and hack that, but it should be easy. i actually requested the restricted socket when i implemented bgplg. it may need some more work and i haven't really decided where and how to release it. anyway, download a working snapshot from: http://team.vantronix.net/~reyk/bgplg.tar.gz it includes the cgi (bgplg) and a very simple looking glass cli (bgplgsh) for restricted shell access. cheers, reyk
Re: OpenBGPD issue 250000 prefix limit reached
I've done some more digging and I believe the issue is that AS path updates are added to the RIB rather than replacing the current entry in the RIB. When I dump the RIB from one neighbor:

    $ bgpctl show rib neighbor $ciscoip > cisco

and then count the entries with and without duplicate prefixes, I get different prefix counts:

    $ cat cisco | wc -l
    212066
    $ cat cisco | sort -u -k2 | wc -l
    179908

Any insight would be appreciated.

Thanks,
Dustin Lundquist

Dustin Lundquist wrote:

    We have a rather mysterious issue with our OpenBGPD box. We use it to inject a bogon BGP feed and as a router monitor. We recently upgraded from 3.6 to 4.0 and bgpd keeps closing the session because max-prefix has been reached. I configured MRTG to generate graphs of prefixes on each of our BGP sessions and can see the prefix count slowly growing from about 16 to 25 over an 18 hour period. The Cisco router in question would hit hardware limitations before it could announce 250k prefixes, so I'm wondering if this could be an incompatibility or bug. The same configuration was working under 3.6.

    Cisco config excerpt:

        neighbor --openbsdbox-- remote-as --ourasn--
        neighbor --openbsdbox-- description iBGP with OpenBGPD
        neighbor --openbsdbox-- password 7 --md5 password removed--
        neighbor --openbsdbox-- version 4
        neighbor --openbsdbox-- next-hop-self
        neighbor --openbsdbox-- route-map bogons in
        neighbor --openbsdbox-- maximum-prefix 1000 70

    /etc/bgpd.conf excerpt:

        group iBGP {
                remote-as --ourasn--
                announce all
                max-prefix 25 restart 5
                multihop 3
                neighbor --cisco-- {
                        descr "iBGP with cisco"
                        tcp md5sig password --md5 password removed--
                }
                neighbor --anothercisco-- {
                        descr "iBGP with anothercisco"
                        tcp md5sig password --md5 password removed--
                }
        }
OpenBGPD issue 250000 prefix limit reached
We have a rather mysterious issue with our OpenBGPD box. We use it to inject a bogon BGP feed and as a router monitor. We recently upgraded from 3.6 to 4.0 and bgpd keeps closing the session because max-prefix has been reached. I configured MRTG to generate graphs of prefixes on each of our BGP sessions and can see the prefix count slowly growing from about 16 to 25 over an 18 hour period. The Cisco router in question would hit hardware limitations before it could announce 250k prefixes, so I'm wondering if this could be an incompatibility or bug. The same configuration was working under 3.6.

Cisco config excerpt:

    neighbor --openbsdbox-- remote-as --ourasn--
    neighbor --openbsdbox-- description iBGP with OpenBGPD
    neighbor --openbsdbox-- password 7 --md5 password removed--
    neighbor --openbsdbox-- version 4
    neighbor --openbsdbox-- next-hop-self
    neighbor --openbsdbox-- route-map bogons in
    neighbor --openbsdbox-- maximum-prefix 1000 70

/etc/bgpd.conf excerpt:

    group iBGP {
            remote-as --ourasn--
            announce all
            max-prefix 25 restart 5
            multihop 3
            neighbor --cisco-- {
                    descr "iBGP with cisco"
                    tcp md5sig password --md5 password removed--
            }
            neighbor --anothercisco-- {
                    descr "iBGP with anothercisco"
                    tcp md5sig password --md5 password removed--
            }
    }

Thanks,
Dustin Lundquist

    $ dmesg
    console is /[EMAIL PROTECTED],0/[EMAIL PROTECTED],1/[EMAIL PROTECTED]/[EMAIL PROTECTED],3803f8
    Copyright (c) 1982, 1986, 1989, 1991, 1993
            The Regents of the University of California.  All rights reserved.
    Copyright (c) 1995-2006 OpenBSD. All rights reserved.  http://www.OpenBSD.org

    OpenBSD 4.0 (GENERIC) #953: Sun Sep 17 00:56:22 MDT 2006
        [EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC
    total memory = 536870912
    avail memory = 479199232
    using 3276 buffers containing 26836992 bytes of memory
    bootpath: /[EMAIL PROTECTED],0/[EMAIL PROTECTED],1/[EMAIL PROTECTED],0/[EMAIL PROTECTED],0
    mainbus0 (root): Netra t1 (UltraSPARC-IIi 440MHz)
    cpu0 at mainbus0: SUNW,UltraSPARC-IIi @ 440.012 MHz, version 0 FPU
    cpu0: physical 32K instruction (32 b/l), 16K data (32 b/l), 2048K external (64 b/l)
    psycho0 at mainbus0 addr 0xfffc: SUNW,sabre, impl 0, version 0, ign 7c0
    psycho0: bus range 0-3, PCI bus 0
    psycho0: dvma map c000-dfff, iotdb 26a8000-2728000
    pci0 at psycho0
    ppb0 at pci0 dev 1 function 1 "Sun Simba PCI-PCI" rev 0x13
    pci1 at ppb0 bus 1
    ebus0 at pci1 dev 1 function 0 "Sun PCIO Ebus2" rev 0x01
    auxio0 at ebus0 addr 726000-726003, 728000-728003, 72a000-72a003, 72c000-72c003, 72f000-72f003
    power0 at ebus0 addr 724000-724003 ipl 37
    "SUNW,pll" at ebus0 addr 504000-504002 not configured
    com0 at ebus0 addr 3803f8-3803ff ipl 28: ns16550a, 16 byte fifo
    com0: console
    com1 at ebus0 addr 3602f8-3602ff ipl 20: ns16550a, 16 byte fifo
    lpt0 at ebus0 addr 340278-340287, 30015c-30015d, 70-7f ipl 34: polled
    "fdthree" at ebus0 addr 3203f0-3203f7, 706000-70600f, 72-720003 ipl 39 not configured
    clock1 at ebus0 addr 0-1fff: mk48t59
    "flashprom" at ebus0 addr 0-f not configured
    "watchdog" at ebus0 addr 20-20003f ipl 4 not configured
    "display7seg" at ebus0 addr 200040-200040 not configured
    beeper0 at ebus0 addr 722000-722003
    "flashprom" at ebus0 addr 40-5f not configured
    "flashprom" at ebus0 addr 80-9f not configured
    pcfiic0 at ebus0 addr 60-63 ipl 40
    iic0 at pcfiic0
    pcfadc0 at iic0 addr 0x4f
    "i2cpcf,8574a" at iic0 addr 0x38 not configured
    "i2cpcf,8574a" at iic0 addr 0x39 not configured
    pcfiic1 at ebus0 addr 10-13 ipl 27
    iic1 at pcfiic1
    "SUNW,lom" at ebus0 addr 40-400063 not configured
    hme0 at pci1 dev 1 function 1 "Sun HME" rev 0x01: ivec 0x7e1, address 08:00:20:c1:d6:12
    luphy0 at hme0 phy 0: LU6612 10/100 PHY, rev. 1
    siop0 at pci1 dev 2 function 0 "Symbios Logic 53c875" rev 0x03: ivec 0x7e0, using 4K of on-board RAM
    scsibus0 at siop0: 16 targets
    sd0 at scsibus0 targ 0 lun 0: <IBM, DDRS39130SUN9.0G, S98E> SCSI2 0/direct fixed
    sd0: 8637MB, 4926 cyl, 27 head, 133 sec, 512 bytes/sec, 17689267 sec total
    sd1 at scsibus0 targ 1 lun 0: <FUJITSU, MAJ3182M SUN18G, 0804> SCSI2 0/direct fixed
    sd1: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total
    hme1 at pci1 dev 3 function 1 "Sun HME" rev 0x01: ivec 0x7da, address 08:00:20:c1:d6:13
    luphy1 at hme1 phy 0: LU6612 10/100 PHY, rev. 1
    ppb1 at pci0 dev 1 function 0 "Sun Simba PCI-PCI" rev 0x13
    pci2 at ppb1 bus 2
    ppb2 at pci2 dev 1 function 0 "DEC 21150 PCI-PCI" rev 0x04
    pci3 at ppb2 bus 3
    pciide0 at pci3 dev 14 function 0 "CMD Technology PCI0646" rev 0x03: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
    pciide0: using ivec 0x7c2 for native-PCI interrupt
    pciide0: channel 0 disabled (no drives)
    pciide0: channel 1 disabled (no drives)
    pcons at mainbus0 not configured
    No counter-timer -- using %tick at 440MHz as system clock
Re: /stand still useful?
Martin Schröder wrote:

    2006/10/19, Nick Guenther [EMAIL PROTECTED]:

        So getting back on topic, what is /stand for then? It's a tricky thing to google for, but the hints I've seen make it sound like just a secondary /bin. Is that about right?

    That's what the man page suggests. But when is it actually used? A typical installation just leaves it empty.

I know that IRIX uses it for static binaries like sash and other programs that can be run directly from the PROM before booting the kernel.

Dustin Lundquist
Re: Vlans using a trunk device
Two ideas come to mind: either use one interface for each VLAN, or create VLAN interfaces on each ethernet interface and then trunk all the VLAN interfaces assigned to the same VLAN.

Dustin Lundquist

Axton Grams wrote:

    While working with the trunk and vlan features of OpenBSD, I ran into one thing that I do not understand. In order to use a trunk device for multiple vlans, the trunk device must have an ip address assigned. Let me illustrate my configuration (vlan ids do not match, but it's not relevant, see ifconfig for exact info):

    [ASCII diagram not preserved by extraction: a router, a modem and the servers; a trunk carrying vlan2 (inet), vlan3 (lan) and vlan4 (dmz) to the switch; workstations on the switch]

    ifconfig reads like this:

    # ifconfig
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
            groups: lo
            inet 127.0.0.1 netmask 0xff00
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
    gem0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            trunk: trunkdev trunk0
            media: Ethernet 100baseTX full-duplex
            status: active
            inet6 fe80::203:baff:fe04:b21d%gem0 prefixlen 64 scopeid 0x1
    hme0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            trunk: trunkdev trunk0
            media: Ethernet 100baseTX full-duplex
            status: active
            inet6 fe80::a00:20ff:feca:7dc4%hme0 prefixlen 64 scopeid 0x2
    hme1: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            trunk: trunkdev trunk0
            media: Ethernet 100baseTX full-duplex
            status: active
            inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3
    hme2: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            trunk: trunkdev trunk0
            media: Ethernet 100baseTX full-duplex
            status: active
            inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4
    hme3: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            trunk: trunkdev trunk0
            media: Ethernet 100baseTX full-duplex
            status: active
            inet6 fe80::a00:20ff:feca:7dc7%hme3 prefixlen 64 scopeid 0x5
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33192
    pfsync0: flags=0<> mtu 1460
    enc0: flags=0<> mtu 1536
    trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            trunk: trunkproto roundrobin
                    trunkport hme0 active
                    trunkport hme1 active
                    trunkport hme3 active
                    trunkport hme2 active
                    trunkport gem0 master,active
            groups: trunk
            media: Ethernet autoselect
            status: active
            inet 10.1.1.1 netmask 0xff00 broadcast 10.1.1.255
            inet6 fe80::203:baff:fe04:b21d%trunk0 prefixlen 64 scopeid 0xa
    vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            vlan: 10 priority: 0 parent interface: trunk0
            groups: vlan
            inet6 fe80::203:baff:fe04:b21d%vlan10 prefixlen 64 scopeid 0xb
            inet 10.180.16.1 netmask 0xff00 broadcast 10.180.16.255
    vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            vlan: 2 priority: 0 parent interface: trunk0
            groups: vlan
            inet6 fe80::203:baff:fe04:b21d%vlan2 prefixlen 64 scopeid 0xc
            inet 10.107.208.1 netmask 0xff00 broadcast 10.107.208.255
    vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            vlan: 3 priority: 0 parent interface: trunk0
            groups: vlan egress
            inet6 stripped%vlan3 prefixlen 64 scopeid 0xd
            inet x.x.x.x netmask 0x broadcast z.z.z.z
    vlan30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:03:ba:04:b2:1d
            vlan: 30 priority: 0 parent interface: trunk0
            groups: vlan
            inet6 fe80::203:baff:fe04:b21d%vlan30 prefixlen 64 scopeid 0xe
            inet 10.180.17.1 netmask 0xff00 broadcast 10.180.17.255

    The switch is configured such that the ports for the nodes are untagged and every vlan sends tagged packets to the trunk. When the trunk interface does not have an ip address assigned, no traffic moves through the vlans. This is what I am not understanding.

    I assigned 10.1.1.1 to the trunk interface since I am not using that subnet. How should I handle this subnet in my pf rules? The route tables show 10.1.1/24 as a routable subnet because it is assigned to the trunk interface:

    # route -n show
    Routing tables
    [scrubbed to not wrap]
Re: Tyan v. Supermicro for Opteron?
I've used both a Tyan S2892 and Supermicro H8SSL and H8DA8 boards. The Tyan board had a number of weird BIOS issues: sometimes it would boot, sometimes you would reset the BIOS five times and wave a dead chicken over it and then it would work. The only similar issues I've run into with the Supermicro boards were with the onboard Adaptec SCSI and an LSI MegaRAID on the H8DA8, and another MegaRAID in a Supermicro P4SCT; resetting the BIOS and disabling the onboard Adaptec SCSI via jumper, or moving the MegaRAID, resolved these issues. After working with the S2892 and several older Tyan dual P3 and dual Athlon boards, my opinion of them is: quirky.

Dustin Lundquist

Darrin Chandler wrote:

    Ok, I've got it narrowed down a bit. Anyone have experiences good or bad to report with Tyan versus Supermicro mobos? I find archives for people using one or the other, so they both seem workable. Anyone used both and prefer one for some reason? I'm looking at 2xCPU, and maybe dual-core in addition. Any help *greatly* appreciated!
Re: sokeris output
I'm running flashdist on my Net4801 with a GENERIC kernel; it works fine. It uses about 4MB of extra flash space, but that's not a problem with the price of CF cards today. I just SSH in, remount / rw, edit pf.conf, run pfctl and remount / ro. dmesg below.

Dustin Lundquist

Lars Hansson wrote:

    On Monday 24 July 2006 13:33, Gustavo Rios wrote:

        PS: If you have a kernel configuration file for exactly that hardware, I would enjoy it too.

    Save yourself a lot of pain and frustration and get a CF large enough (256Mb) for the base system and use the GENERIC kernel.

    ---
    Lars Hansson

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
cpu0: TSC disabled
real mem  = 133799936 (130664K)
avail mem = 115474432 (112768K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 20/50/29, BIOS32 rev. 0 @ 0xf7840
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0x9000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Cyrix GXm PCI" rev 0x00
sis0 at pci0 dev 6 function 0 "NS DP83815 10/100" rev 0x00: DP83816A, irq 10, address 00:00:24:c5:8e:18
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 7 function 0 "NS DP83815 10/100" rev 0x00: DP83816A, irq 10, address 00:00:24:c5:8e:19
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 8 function 0 "NS DP83815 10/100" rev 0x00: DP83816A, irq 10, address 00:00:24:c5:8e:1a
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
gscpcib0 at pci0 dev 18 function 0 "NS SC1100 ISA" rev 0x00
gpio0 at gscpcib0: 64 pins
"NS SC1100 SMI/ACPI" rev 0x00 at pci0 dev 18 function 1 not configured
pciide0 at pci0 dev 18 function 2 "NS SCx200 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <SanDisk SDCFB-256>
wd0: 1-sector PIO, LBA, 245MB, 501760 sectors
wd0(pciide0:0:0): using PIO mode 1
geodesc0 at pci0 dev 18 function 5 "NS SC1100 X-Bus" rev 0x00: iid 6 revision 3 wdstatus 0
ohci0 at pci0 dev 19 function 0 "Compaq USB OpenHost" rev 0x08: irq 11, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Compaq OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
isa0 at gscpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
sysbeep0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
gscsio0 at isa0 port 0x15c/2: SC1100 SIO rev 1:
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask fbe5 netmask ffe5 ttymask ffe7
pctr: no performance counters in CPU
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
WARNING: / was not properly unmounted

# df -h
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/wd0a      236M   21.6M    203M    10%    /
mfs:25157      7.8M   66.0K    7.4M     1%    /tmp
#
Routing GigE with a full BGP table
We are looking to terminate a GigE circuit running about 700Mbps during peak hours. We will be using three interfaces and running iBGP with a half dozen or so peers and an eBGP session with our upstream with a full table. Last month Claudio mentioned routing 450kpps; what sort of performance can we expect in the above situation? Is this doable under a 3.9 GENERIC i386 kernel? How much of a performance hit should we expect with a full table vs. decoupling the FIB and having a few static routes?

Dustin Lundquist
Optic Fusion
Re: /etc and partitions
Michael Schmidt wrote:

    I have seen that /etc cannot be located on a separate partition. Why can it not be on an extra partition?

The rc scripts need to be able to read /etc/fstab to know what filesystems besides / to mount.

Dustin Lundquist
Re: BCM5704 dual port NIC not seen by 3.8 on Thunder K8SRE m/b.
I have the K8SE (non rack mount version) and I verified that the Broadcom NICs were not seen by either the amd64 or i386 RAMDISK kernels on the 3.8 release CDs. The Broadcom NIC is attached to the AMD 8131 HT-PCI bridge, not the NForce junk. The K8SE has an Intel Pro/100 attached to the PCI-33 bus of the NForce, so I can get the machine up and run tests if needed.

Dustin Lundquist

Chris Cappuccio wrote:

    Maybe one of these is really supposed to be a PCI-PCI bridge.

        "Nvidia nForce4 DDR" rev 0xa3 at pci0 dev 0 function 0 not configured
        "Nvidia nForce4 ISA" rev 0xa3 at pci0 dev 1 function 0 not configured
        "Nvidia nForce4 SMBus" rev 0xa2 at pci0 dev 1 function 1 not configured

    Kent Ho [EMAIL PROTECTED] wrote:

        Same with current snapshot as well. Cannot detect the BCM5704 dual port NIC.

            Configure the network? [yes]
            No more interfaces to initialize.

        Here's the dmesg:

        OpenBSD 3.8-current (RAMDISK_CD) #627: Thu Jan 5 17:50:36 MST 2006
            [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
        real mem = 3488182272 (3406428K)
        avail mem = 2992111616 (2921984K)
        using 22937 buffers containing 349024256 bytes (340844K) of memory
        mainbus0 (root)
        cpu0 at mainbus0: (uniprocessor)
        cpu0: AMD Opteron(tm) Processor 248, 2210.44 MHz
        cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,MMXX,LONG,3DNOW2,3DNOW
        cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
        cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
        cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
        pci0 at mainbus0 bus 0: configuration mode 1
        "Nvidia nForce4 DDR" rev 0xa3 at pci0 dev 0 function 0 not configured
        "Nvidia nForce4 ISA" rev 0xa3 at pci0 dev 1 function 0 not configured
        "Nvidia nForce4 SMBus" rev 0xa2 at pci0 dev 1 function 1 not configured
        ohci0 at pci0 dev 2 function 0 "Nvidia nForce4 USB" rev 0xa2: irq 10, version 1.0, legacy support
        usb0 at ohci0: USB revision 1.0
        uhub0 at usb0
        uhub0: Nvidia OHCI root hub, rev 1.00/1.00, addr 1
        uhub0: 10 ports with 10 removable, self powered
        pciide0 at pci0 dev 6 function 0 "Nvidia nForce4 IDE" rev 0xf2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
        atapiscsi0 at pciide0 channel 0 drive 1
        scsibus0 at atapiscsi0: 2 targets
        cd0 at scsibus0 targ 0 lun 0: <HL-DT-ST, CD-ROM GCR-8525B, 1.02> SCSI0 5/cdrom removable
        cd0(pciide0:0:1): using PIO mode 4, DMA mode 2
        pciide0: channel 1 disabled (no drives)
        pciide1 at pci0 dev 7 function 0 "Nvidia nForce4 SATA 1" rev 0xf3: DMA
        pciide1: using irq 11 for native-PCI interrupt
        pciide2 at pci0 dev 8 function 0 "Nvidia nForce4 SATA 2" rev 0xf3: DMA
        pciide2: using irq 10 for native-PCI interrupt
        wd0 at pciide2 channel 0 drive 0: <WDC WD1200JS-00MHB1>
        wd0: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
        wd0(pciide2:0:0): using PIO mode 4, Ultra-DMA mode 5
        wd1 at pciide2 channel 1 drive 0: <WDC WD1200JS-00MHB1>
        wd1: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
        wd1(pciide2:1:0): using PIO mode 4, Ultra-DMA mode 5
        ppb0 at pci0 dev 9 function 0 "Nvidia nForce4 PCI-PCI" rev 0xa2
        pci1 at ppb0 bus 1
        vga1 at pci1 dev 7 function 0 "ATI Rage XL" rev 0x27
        wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
        ppb1 at pci0 dev 14 function 0 "Nvidia nForce4 PCIE" rev 0xa3
        pci2 at ppb1 bus 2
        pchb0 at pci0 dev 24 function 0 "AMD AMD64 HyperTransport" rev 0x00
        pchb1 at pci0 dev 24 function 1 "AMD AMD64 Address Map" rev 0x00
        pchb2 at pci0 dev 24 function 2 "AMD AMD64 DRAM Cfg" rev 0x00
        pchb3 at pci0 dev 24 function 3 "AMD AMD64 Misc Cfg" rev 0x00
        pchb4 at pci0 dev 25 function 0 "AMD AMD64 HyperTransport" rev 0x00
        pchb5 at pci0 dev 25 function 1 "AMD AMD64 Address Map" rev 0x00
        pchb6 at pci0 dev 25 function 2 "AMD AMD64 DRAM Cfg" rev 0x00
        pchb7 at pci0 dev 25 function 3 "AMD AMD64 Misc Cfg" rev 0x00
        isa0 at mainbus0
        com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
        com0: console
        com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
        pckbc0 at isa0 port 0x60/5
        pckbd0 at pckbc0 (kbd slot)
        pckbc0: using irq 1 for kbd slot
        wskbd0 at pckbd0: console keyboard, using wsdisplay0
        rd0: fixed, 3584 blocks
        dkcsum: wd0 matches BIOS drive 0x80
        wd1: no disk label
        dkcsum: wd1 matches BIOS drive 0x81
        root on rd0a
        rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02
        erase ^?, werase ^W, kill ^U, intr ^C, status ^T
        (I)nstall, (U)pgrade or (S)hell?

        thx.
        Kent.

        Kent Ho wrote:

            Hi, I'm unable to install 3.8 on my remote box. It can pxeboot fine, but once 3.8 is booted up (bsd.rd) it cannot detect the BCM5704 dual port NICs. Install via network is the only way for me at the moment. It has the following in the boot messages:

                "Nvidia nForce4 DDR" rev 0xa3 at pci0 dev 0 function 0 not configured
                "Nvidia nForce4 ISA" rev 0xa3 at pci0 dev 1 function 0 not configured
                "Nvidia nForce4 SMBus" rev 0xa2 at pci0 dev 1 function 1 not configured

            Could these be related? I did some searching on the list; this may be related to a PCI-X support issue in OpenBSD? The NIC