icanhaze.c OpenSSH exploit?

2014-05-06 Thread Dustin Lundquist
Does anyone have any information that can share?

http://pastebin.com/raw.php?i=gjkivAf3


Thanks,


Dustin Lundquist



Re: Actual BIND error - Patching OpenBSD 4.3 named ?

2008-07-23 Thread Dustin Lundquist
Anthony Roberts wrote:
 I don't think this actually accomplishes much.  It still lets poisoned
 replies back in on the previous port number.
 
 hm... I don't think it does. BIND would, but it's going through PF.
 Without an additional rule to pass in to user named, the UDP reply has to
 be to the new NATed port. That's the only thing the state associated with
 the pass out on egress rule is going to be aware of. Eg, I applied the PF
 rule to one of my machines and checked, here's one of the states:
 
 all udp x.y.z.201:42001 -> x.y.z.201:60538 -> 68.142.196.63:53
 MULTIPLE:MULTIPLE
 
 I don't care that someone can forge a packet from 68.142.196.63:53 to
 x.y.z.201:60538, the goal of the NAT rule in this case is to prevent the
 attacker from finding out what local port I'm using with anyone else.
 Without that NAT rule, everyone sees 42001. With that NAT rule, the
 attacker won't discover what local port I'm using for other DNS servers
 like google or yahoo or whatever. The lookup they get me to do against
 their domain doesn't have the same local port as the others.
 
 If the local port is known, there's apparently some other attacks that can
 build on that.
 
You can use PF to randomize the source port on a standalone DNS server,
but when using the loopback as your query source and a NAT rule, you will
need to enable IP forwarding for this to work:
/var/named/etc/named.conf:
query-source address 127.0.0.1 port *;
/etc/pf.conf:
nat on $ext_if from 127.0.0.0/8 to any -> $ext_if

# pfctl -s s| grep 127.0.0
all udp 127.0.0.1:44954 -> x.x.x.x:62246 -> 207.46.66.126:53
MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:60491 -> 65.55.238.126:53
MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:56006 -> 198.170.241.130:53
MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:56851 -> 198.170.241.131:53
MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:62635 -> 192.43.172.30:53
MULTIPLE:SINGLE
all udp 127.0.0.1:44954 -> x.x.x.x:56918 -> 216.211.140.226:53
MULTIPLE:SINGLE
all udp 127.0.0.1:44954 -> x.x.x.x:57970 -> 209.128.76.101:53
MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> x.x.x.x:53076 -> 209.128.76.102:53
MULTIPLE:MULTIPLE


Dustin Lundquist
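
The point of the state listing above is that the port the remote resolver sees must change from query to query. The script below is an added example (not from the post or from OpenBSD): it reads `pfctl -s states` output and flags a box whose outbound DNS states all leave from the same source port, which is what you get when the NAT rule never matched (for instance because IP forwarding was left off). The two state dumps are constructed samples, with 192.0.2.10 standing in for the external address.

```shell
#!/bin/sh
# Added example (not from the original post): check, from pfctl -s states
# output, that the source port the remote resolver sees differs from state
# to state, i.e. that the NAT rule is really randomizing it.
# Both state dumps are constructed samples; 192.0.2.10 is the external address.

# NAT in effect: 127.0.0.1:44954 is rewritten to a fresh port per state.
SAMPLE_STATES='all udp 127.0.0.1:44954 -> 192.0.2.10:62246 -> 207.46.66.126:53       MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> 192.0.2.10:60491 -> 65.55.238.126:53       MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> 192.0.2.10:56006 -> 198.170.241.130:53       MULTIPLE:MULTIPLE
all udp 127.0.0.1:44954 -> 192.0.2.10:56851 -> 198.170.241.131:53       MULTIPLE:SINGLE
all tcp 192.0.2.10:22 <- 198.51.100.7:40112       ESTABLISHED:ESTABLISHED'

# No NAT (rule absent, or forwarding off so it never matched): every query
# leaves from the same fixed port, which is exactly what an attacker wants to learn.
UNRANDOMIZED_STATES='all udp 192.0.2.10:44954 -> 207.46.66.126:53       MULTIPLE:MULTIPLE
all udp 192.0.2.10:44954 -> 65.55.238.126:53       MULTIPLE:MULTIPLE
all udp 192.0.2.10:44954 -> 198.170.241.130:53       MULTIPLE:SINGLE'

# For every outbound UDP state to port 53, print "<port the resolver sees> <resolver>".
# The address just before the last "->" is the translated one when NAT applied
# and the original one when it did not, so both layouts are handled.
dns_query_ports() {
    awk '$2 == "udp" {
        src = ""; dst = ""
        for (i = NF; i > 1; i--)
            if ($i == "->") { src = $(i - 1); dst = $(i + 1); break }
        if (src == "" || dst !~ /:53$/) next
        n = split(src, a, ":")
        print a[n], dst
    }'
}

count_dns_states() {
    dns_query_ports | awk 'END { print NR }'
}

count_distinct_ports() {
    dns_query_ports | awk '!seen[$1]++ { n++ } END { print n + 0 }'
}

# Returns 0 when every DNS state uses its own source port, 1 otherwise.
check_randomized() {
    states=$(cat)
    total=$(printf '%s\n' "$states" | count_dns_states)
    distinct=$(printf '%s\n' "$states" | count_distinct_ports)
    if [ "$total" -gt 0 ] && [ "$distinct" -eq "$total" ]; then
        echo "ok: $total DNS states, $distinct distinct source ports"
        return 0
    fi
    echo "warning: $total DNS states but only $distinct distinct source ports"
    return 1
}

printf '%s\n' "$SAMPLE_STATES" | check_randomized
printf '%s\n' "$UNRANDOMIZED_STATES" | check_randomized || echo "(expected for the second sample)"
```

On a live box, `pfctl -s states | check_randomized` (as root) gives the same verdict over the real state table; a handful of distinct ports on a quiet server is normal, the warning only matters when many states share one port.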



Re: OpenSSL On Openbsd help

2008-06-14 Thread Dustin Lundquist
Khalid Schofield wrote:
 So do I have to use pass phrases when generating the certificate? If I
 use a pass phrase, why? How does it affect the certificate and its use?
 
 Also if I use a pass phrase do I have to tell apache about it? Does it
 go in a config or do I have to enter it when reloading apache?
You do not need a pass phrase, in fact usually a pass phrase will
prevent apache from starting until you respond to the prompt to enter
the pass phrase. If your server is going to be somewhere where there
might be a power outage, or rebooted by someone who does not have the
pass phrase it's generally a big headache.

That being said, if there is a risk that someone could read your private
key off your webserver, either by physically stealing the server or an
untrusted admin, a pass phrase isn't a bad idea. But in this case you
have to consider what else would be compromised, and if it's easier just
to revoke that cert and get another one.

My recommendation would be to not use a pass phrase for SSL services,
but use a passphrase for a certificate that you use to sign other
certificates: i.e. VPN user authentication, authenticating SSL users by
issuing them each their own certificate, or similar.

The process of setting up a signed cert is as follows:
1. Generate your private key and secure file permissions (you want to do
this in a secure fashion, i.e. on the box directly as root or a
private user). Guard this file: if it is compromised, the security SSL
provides is compromised:
openssl genrsa -out secure.example.com.key 4096
chmod 400 secure.example.com.key

2. Generate your certificate signing request (CSR). You will be prompted
to answer a bunch of questions: country, state, location, organization,
organization unit, common name and email address. Answer these accurately
or else the certificate authority will not sign your key. There is one
of special note: Common Name (CN) needs to be the exact domain name of
your SSL site, i.e. secure.example.com in this example:
openssl req -new -nodes -key secure.example.com.key -out secure.example.com.csr

3. Send the CSR (you can open the file and copy and paste the contents
into an email, or the certificate authority's website) to the
certificate authority along with whatever other documentation they
require (their job is to verify you are who you are requesting a
certificate for before signing the key; they usually require some proof
of domain ownership and everything else you entered in step 2).

4. You will then receive your signed certificate. You can either keep
the certificate in a separate file from your private key, or cat them
together to make a .pem file:
cat secure.example.com.key secure.example.com.cert > secure.example.com.pem; chmod 400 secure.example.com.pem
Configure apache to use your new cert and key:
SSLCertificateFile /etc/ssl/secure.example.com.cert
SSLCertificateKeyFile /etc/ssl/secure.example.com.key
 - or -
SSLCertificateFile /etc/ssl/secure.example.com.pem

Since apache is chrooted, you have to restart it to read the new key and
certificate.



Dustin Lundquist
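
The four steps above are easy to get subtly wrong (a CSR made from a different key than the one apache loads, a CN that is not the site's host name, a key that was world-readable for a moment before the chmod). The script below is an added example, not from the post or from OpenBSD: it drives steps 1, 2 and 4 with the openssl(1) command line tool and verifies each artifact before anything is sent to the CA. The host name and subject fields are placeholders, and because no real CA is involved, a self-signed certificate stands in for step 3 so that step 4 can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): scripts steps 1, 2 and 4
# above and verifies each artifact before anything is sent to the CA.
# Assumes the openssl(1) command line tool. HOST and the subject fields are placeholders.
set -u

HOST=${HOST:-secure.example.com}
KEY_BITS=${KEY_BITS:-4096}

# Step 1: private key. umask 077 means the file is never group/world
# readable, not even between creation and the chmod.
gen_key() {
    ( umask 077 && openssl genrsa -out "$1.key" "$KEY_BITS" >/dev/null 2>&1 ) &&
        chmod 400 "$1.key"
}

# "Guard this file": refuse to continue if the key is readable by others.
key_perms_ok() {
    case $(ls -l "$1.key" | cut -c1-10) in
        -r--------|-rw-------) return 0 ;;
        *) echo "$1.key is readable by others" >&2; return 1 ;;
    esac
}

# Step 2: CSR. -subj answers the prompts non-interactively; the subject
# values are placeholders, but CN must be the exact host name of the site.
gen_csr() {
    openssl req -new -key "$1.key" -out "$1.csr" \
        -subj "/C=US/ST=Washington/L=Seattle/O=Example Corp/OU=Web/CN=$1/emailAddress=hostmaster@$1" \
        2>/dev/null
}

# CN as recorded in the CSR (handles both "CN=x/..." and "CN = x, ..." subject styles).
csr_cn() {
    openssl req -in "$1.csr" -noout -subject | sed 's|.*CN *= *\([^,/]*\).*|\1|'
}

# The CSR must have been produced from this key: the RSA moduli must agree.
key_matches_csr() {
    [ "$(openssl rsa -in "$1.key" -noout -modulus)" = \
      "$(openssl req -in "$1.csr" -noout -modulus)" ]
}

# Stand-in for step 3 (the CA signing the CSR) so step 4 can be exercised
# offline: a self-signed certificate from the same CSR. Not what gets deployed.
selfsign_stand_in() {
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -out "$1.cert" 2>/dev/null
}

# Step 4: the combined .pem, again never world readable at any point.
bundle_pem() {
    ( umask 077 && cat "$1.key" "$1.cert" > "$1.pem" ) && chmod 400 "$1.pem"
}

# The certificate that came back must belong to the key apache will load.
cert_matches_key() {
    [ "$(openssl x509 -in "$1.cert" -noout -modulus)" = \
      "$(openssl rsa -in "$1.key" -noout -modulus)" ]
}

# Whole sequence in a scratch directory; returns 0 only if every check passes.
demo() {
    dir=$(mktemp -d) || return 1
    if ( cd "$dir" &&
         gen_key "$HOST" && key_perms_ok "$HOST" &&
         gen_csr "$HOST" && [ "$(csr_cn "$HOST")" = "$HOST" ] &&
         key_matches_csr "$HOST" &&
         selfsign_stand_in "$HOST" && bundle_pem "$HOST" &&
         cert_matches_key "$HOST" ); then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

if command -v openssl >/dev/null 2>&1; then
    demo && echo "key, CSR and bundle for $HOST check out"
fi
```

The modulus comparison is the check worth keeping around: run it again on the certificate the CA actually returns, since a mismatch there is the usual cause of apache refusing to start after a renewal.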



Re: snmp MIB variables

2008-06-10 Thread Dustin Lundquist
HOST-RESOURCES-MIB was added after the 4.3 release: 
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/snmpd/mib.c#rev1.20
While not supported, I've had luck building snmpd from -current on 4.3 
release.



Dustin Lundquist


(private) HKS wrote:

Hello,

Reyk Floeter mentioned in his ONLamp interview (link below) that snmpd
currently supports most of the SNMPv1/v2c MIBs, IP-MIB, BRIDGE-MIB,
HOST-RESOURCES-MIB, IF-MIB, and the OPENBSD-SENSORS-MIB

http://www.onlamp.com/pub/a/bsd/2008/04/29/puffy-and-the-crytonauts-whats-new-in-openbsd-43.html

I have a 4.3 installation that lacks the vast majority of these MIBs. The
most relevant for me is
HOST-RESOURCES-MIB - 1.3.6.1.2.1.25.1.

# snmpctl -n show mib | grep 1.3.6.1.2.1.25.1
#

Are these MIBs planned releases, or is my installation missing something?

Thanks in advance for the help.
-HKS




Re: Server room temperature sensors

2008-02-06 Thread Dustin Lundquist

In the past I've used Enviromux devices, polling them via SNMP with MRTG.
   http://www.networktechinc.com/enviro-mini.htm


Dustin Lundquist

Joe wrote:
Can anyone recommend a server room temperature sensor that I can use 
with openbsd?


I want to monitor temperature and humidity.

I hope to graph the data from the sensor.

The sensor can be connected to my openbsd via usb, serial, or even network.




Re: Asus Striker Extreme does not support 4GB memory

2007-08-31 Thread Dustin Lundquist
Sam Fourman Jr. wrote:
 OpenBSD 4.2 (GENERIC.MP) #252: Tue Aug 28 10:53:04 MDT 2007
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
 cpu0: Intel(R) Core(TM)2 Quad CPU @ 2.40GHz (GenuineIntel 686-class) 2.41 
 GHz
 cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
 real mem  = 3488116736 (3326MB)
 avail mem = 3384631296 (3227MB)
   
That looks normal for a 32-bit operating system trying to address 4GB; the
OS still needs address space for PCI devices. I'm not sure of the status,
but the amd64 port might support all 4GB.


Dustin Lundquist



Re: Back again with funny network interfaces

2007-04-18 Thread Dustin Lundquist

Manuel Ravasio wrote:

A friend of mine gave me a pcmcia card with no recognizable brand/model on
it.
I plugged it in and OpenBSD told me it's a Realtek 8139 card, and called it
rl0.
I can use the card, but apparently it works at 10Mbps instead of 100.
I tried to force the card's speed and duplex adding suitable entries in
/etc/hostname.rl0:
inet 10.42.42.1 255.255.255.0 10.42.42.255 media 100baseTX mediaopt
full-duplex

ifconfig -a shows a 100Mbps link speed, but the card's and the switch's led
show 10Mbps.
If you hard set one side of an Ethernet link it disables the auto 
negotiation pulse so the other side defaults to 10baseT half duplex. I 
would suggest using media autoselect or media 10baseT unless you can 
configure the port on the switch. If you have another switch available, 
test the card on it and see what it negotiates to, also check that the 
dongle (if there is one) is fully connected.



Dustin Lundquist



Limiting root ssh without limiting other users

2007-03-09 Thread Dustin Lundquist
I'm looking for a way to limit ssh access by root to public key
authentication from a single network without affecting other users' ssh
access. So far the best solution I've come up with is to run two instances
of sshd; is there a more elegant way?

Thanks,


Dustin Lundquist



Re: OpenBGPd Looking Glass?

2006-12-06 Thread Dustin Lundquist
I've also put one together that runs in apache's chroot although it 
requires a few binaries from the base system: ping, traceroute and a 
static version of bgpctl.

http://null-ptr.net/sw/lg/


Dustin Lundquist


Reyk Floeter wrote:

On Wed, Dec 06, 2006 at 02:53:15PM -0600, [EMAIL PROTECTED] wrote:

Has anyone as of yet written, or know of, a looking glass script that
can be used with OpenBGPd to act as a looking glass/route server?  I
need to deploy a semi-public looking glass, don't really want to use
zebra/quagga, and don't really have the time (or the programming
chops, I'll admit it) to hack up a script.

Here's the latest info I've been able to find based on one of
Henning's presentations:

BGPd has a second, restricted, control socket now; I coded that two
weeks ago. It only allows certain messages - namely those behind the
BGPd show operations. While running httpd in a chroot environment,
which is default on OpenBSD, a cgi can call the bgpctl binary placed
inside the chroot, passing the path to this restricted socket. Then,
you just need the cgi to call that, and the looking glass is done.

The cgi... yeah, someone needs to sit down and hack that, but it
should be easy.



i actually requested the restricted socket when i implemented bgplg.
it may need some more work and i haven't really decided where and how
to release it. anyway, download a working snapshot from:

http://team.vantronix.net/~reyk/bgplg.tar.gz

it includes the cgi (bgplg) and a very simple looking glass cli
(bgplgsh) for restricted shell access.

cheers,
reyk




Re: OpenBGPD issue 250000 prefix limit reached

2006-11-02 Thread Dustin Lundquist
I've done some more digging and I believe it is an issue that AS path
updates are added to the RIB rather than replacing the current
entry in the RIB. When I dump the RIB from one neighbor:
 $ bgpctl show rib neighbor $ciscoip > cisco
Then count the entries with and without duplicate prefixes I get
different prefix counts:
 $ cat cisco | wc -l
   212066
 $ cat cisco | sort -u -k2 | wc -l
   179908
Any insight would be appreciated.

Thanks,


Dustin Lundquist


Dustin Lundquist wrote:
 We have a rather mysterious issue with our OpenBGPD box. We use it to
 inject a bogon BGP feed and as a router monitor. We recently upgraded
 from 3.6 to 4.0 and bgpd keeps closing the session because max-prefix
 has been reached. I configured MRTG to generate graphs of prefixes on
 each of our BGP sessions and can see the prefix count slowly growing from
 about 16 to 25 over an 18 hour period. The Cisco router in
 question would hit hardware limitations before it could announce 250k
 prefixes, so I'm wondering if this could be an incompatibility or bug.
 The same configuration was working under 3.6.
 
 Cisco config excerpt:
  neighbor --openbsdbox-- remote-as --ourasn--
  neighbor --openbsdbox-- description iBGP with OpenBGPD
  neighbor --openbsdbox-- password 7 --md5 password removed--
  neighbor --openbsdbox-- version 4
  neighbor --openbsdbox-- next-hop-self
  neighbor --openbsdbox-- route-map bogons in
  neighbor --openbsdbox-- maximum-prefix 1000 70
 
 /etc/bgpd.conf excerpt:
 group iBGP {
 remote-as --ourasn--
 announce all
 max-prefix 25 restart 5
 multihop 3
 
 neighbor --cisco-- {
 descr iBGP with cisco
 tcp md5sig password --md5 password removed--
 }
 neighbor --anothercisco-- {
 descr iBGP with anothercisco
 tcp md5sig password --md5 password removed--
 }
 }
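
The `wc -l` versus `sort -u -k2` comparison above shows that duplicates exist but not which prefixes carry them or whether the extra entries really are stale AS paths. The script below is an added example, not from the post or from OpenBGPD: it reads `bgpctl show rib` output, reproduces both counts, and then lists every prefix with more than one RIB entry together with the distinct AS paths seen for it. The RIB dump is a constructed sample using private ASNs and documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original post): narrow the "more lines than
# prefixes" symptom down to the prefixes that have several RIB entries and
# show whether their AS paths differ. Input is bgpctl show rib output; the
# dump below is a constructed sample (private ASNs, documentation addresses).
SAMPLE_RIB='flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway          lpref   med aspath origin
*>I   10.1.0.0/16          192.0.2.1          100     0 65001 65010 i
*>I   10.1.0.0/16          192.0.2.1          100     0 65001 65020 65010 i
*>I   10.2.0.0/16          192.0.2.1          100     0 65001 65030 i
*>I   10.3.0.0/24          192.0.2.1          100     0 65001 65040 i
*>I   10.3.0.0/24          192.0.2.1          100     0 65001 65040 i
*>I   10.4.0.0/22          192.0.2.1          100     0 65001 65050 i'

# One "prefix|gateway|aspath|origin" line per RIB entry; legend and header
# lines are dropped because their second field is not an IPv4 prefix.
rib_entries() {
    awk '$2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
        path = ""
        for (i = 6; i < NF; i++) path = path (path == "" ? "" : " ") $i
        print $2 "|" $3 "|" path "|" $NF
    }'
}

# Same two numbers as the wc -l and sort -u -k2 pipeline in the post.
count_entries() {
    rib_entries | awk 'END { print NR }'
}

count_prefixes() {
    rib_entries | awk -F'|' '!seen[$1]++ { n++ } END { print n + 0 }'
}

# Prefixes with more than one entry: "<prefix> <entries> <distinct AS paths, ';'-separated>".
# A prefix listed with two different paths is an update that was added
# beside the old entry instead of replacing it.
duplicate_prefixes() {
    rib_entries | awk -F'|' '
        {
            n[$1]++
            k = $1 SUBSEP $3
            if (!(k in seen)) {
                seen[k] = 1
                paths[$1] = paths[$1] (paths[$1] == "" ? "" : " ; ") $3
            }
        }
        END { for (p in n) if (n[p] > 1) print p, n[p], paths[p] }' | sort
}

printf '%s\n' "$SAMPLE_RIB" | count_entries
printf '%s\n' "$SAMPLE_RIB" | count_prefixes
printf '%s\n' "$SAMPLE_RIB" | duplicate_prefixes
```

With the real dump, `duplicate_prefixes < cisco | awk '$2 > 2'` points at the prefixes accumulating the most entries, which is where to look first when reporting the behaviour.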



OpenBGPD issue 250000 prefix limit reached

2006-10-31 Thread Dustin Lundquist
We have a rather mysterious issue with our OpenBGPD box. We use it to
inject a bogon BGP feed and as a router monitor. We recently upgraded
from 3.6 to 4.0 and bgpd keeps closing the session because max-prefix
has been reached. I configured MRTG to generate graphs of prefixes on
each of our BGP sessions and can see the prefix count slowly growing from
about 16 to 25 over an 18 hour period. The Cisco router in
question would hit hardware limitations before it could announce 250k
prefixes, so I'm wondering if this could be an incompatibility or bug.
The same configuration was working under 3.6.

Cisco config excerpt:
 neighbor --openbsdbox-- remote-as --ourasn--
 neighbor --openbsdbox-- description iBGP with OpenBGPD
 neighbor --openbsdbox-- password 7 --md5 password removed--
 neighbor --openbsdbox-- version 4
 neighbor --openbsdbox-- next-hop-self
 neighbor --openbsdbox-- route-map bogons in
 neighbor --openbsdbox-- maximum-prefix 1000 70

/etc/bgpd.conf excerpt:
group iBGP {
remote-as --ourasn--
announce all
max-prefix 25 restart 5
multihop 3

neighbor --cisco-- {
descr iBGP with cisco
tcp md5sig password --md5 password removed--
}
neighbor --anothercisco-- {
descr iBGP with anothercisco
tcp md5sig password --md5 password removed--
}
}

Thanks,


Dustin Lundquist


 $ dmesg
 console is /[EMAIL PROTECTED],0/[EMAIL PROTECTED],1/[EMAIL PROTECTED]/[EMAIL 
 PROTECTED],3803f8
 Copyright (c) 1982, 1986, 1989, 1991, 1993
 The Regents of the University of California.  All rights reserved.
 Copyright (c) 1995-2006 OpenBSD. All rights reserved.  http://www.OpenBSD.org
 
 OpenBSD 4.0 (GENERIC) #953: Sun Sep 17 00:56:22 MDT 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/sparc64/compile/GENERIC
 total memory = 536870912
 avail memory = 479199232
 using 3276 buffers containing 26836992 bytes of memory
 bootpath: /[EMAIL PROTECTED],0/[EMAIL PROTECTED],1/[EMAIL PROTECTED],0/[EMAIL 
 PROTECTED],0
 mainbus0 (root): Netra t1 (UltraSPARC-IIi 440MHz)
 cpu0 at mainbus0: SUNW,UltraSPARC-IIi @ 440.012 MHz, version 0 FPU
 cpu0: physical 32K instruction (32 b/l), 16K data (32 b/l), 2048K external 
 (64 b/l)
 psycho0 at mainbus0 addr 0xfffc: SUNW,sabre, impl 0, version 0, ign 7c0
 psycho0: bus range 0-3, PCI bus 0
 psycho0: dvma map c000-dfff, iotdb 26a8000-2728000
 pci0 at psycho0
 ppb0 at pci0 dev 1 function 1 Sun Simba PCI-PCI rev 0x13
 pci1 at ppb0 bus 1
 ebus0 at pci1 dev 1 function 0 Sun PCIO Ebus2 rev 0x01
 auxio0 at ebus0 addr 726000-726003, 728000-728003, 72a000-72a003, 
 72c000-72c003, 72f000-72f003
 power0 at ebus0 addr 724000-724003 ipl 37
 SUNW,pll at ebus0 addr 504000-504002 not configured
 com0 at ebus0 addr 3803f8-3803ff ipl 28: ns16550a, 16 byte fifo
 com0: console
 com1 at ebus0 addr 3602f8-3602ff ipl 20: ns16550a, 16 byte fifo
 lpt0 at ebus0 addr 340278-340287, 30015c-30015d, 70-7f ipl 34: polled
 fdthree at ebus0 addr 3203f0-3203f7, 706000-70600f, 72-720003 ipl 39 
 not configured
 clock1 at ebus0 addr 0-1fff: mk48t59
 flashprom at ebus0 addr 0-f not configured
 watchdog at ebus0 addr 20-20003f ipl 4 not configured
 display7seg at ebus0 addr 200040-200040 not configured
 beeper0 at ebus0 addr 722000-722003
 flashprom at ebus0 addr 40-5f not configured
 flashprom at ebus0 addr 80-9f not configured
 pcfiic0 at ebus0 addr 60-63 ipl 40
 iic0 at pcfiic0
 pcfadc0 at iic0 addr 0x4f
 i2cpcf,8574a at iic0 addr 0x38 not configured
 i2cpcf,8574a at iic0 addr 0x39 not configured
 pcfiic1 at ebus0 addr 10-13 ipl 27
 iic1 at pcfiic1
 SUNW,lom at ebus0 addr 40-400063 not configured
 hme0 at pci1 dev 1 function 1 Sun HME rev 0x01: ivec 0x7e1, address 
 08:00:20:c1:d6:12
 luphy0 at hme0 phy 0: LU6612 10/100 PHY, rev. 1
 siop0 at pci1 dev 2 function 0 Symbios Logic 53c875 rev 0x03: ivec 0x7e0, 
 using 4K of on-board RAM
 scsibus0 at siop0: 16 targets
 sd0 at scsibus0 targ 0 lun 0: IBM, DDRS39130SUN9.0G, S98E SCSI2 0/direct 
 fixed
 sd0: 8637MB, 4926 cyl, 27 head, 133 sec, 512 bytes/sec, 17689267 sec total
 sd1 at scsibus0 targ 1 lun 0: FUJITSU, MAJ3182M SUN18G, 0804 SCSI2 0/direct 
 fixed
 sd1: 17274MB, 7508 cyl, 19 head, 248 sec, 512 bytes/sec, 35378533 sec total
 hme1 at pci1 dev 3 function 1 Sun HME rev 0x01: ivec 0x7da, address 
 08:00:20:c1:d6:13
 luphy1 at hme1 phy 0: LU6612 10/100 PHY, rev. 1
 ppb1 at pci0 dev 1 function 0 Sun Simba PCI-PCI rev 0x13
 pci2 at ppb1 bus 2
 ppb2 at pci2 dev 1 function 0 DEC 21150 PCI-PCI rev 0x04
 pci3 at ppb2 bus 3
 pciide0 at pci3 dev 14 function 0 CMD Technology PCI0646 rev 0x03: DMA, 
 channel 0 configured to native-PCI, channel 1 configured to native-PCI
 pciide0: using ivec 0x7c2 for native-PCI interrupt
 pciide0: channel 0 disabled (no drives)
 pciide0: channel 1 disabled (no drives)
 pcons at mainbus0 not configured
 No counter-timer -- using %tick at 440MHz as system clock

Re: /stand still useful?

2006-10-19 Thread Dustin Lundquist
Martin Schröder wrote:
 2006/10/19, Nick Guenther [EMAIL PROTECTED]:
 So getting back on topic, what is /stand for then? It's a tricky thing
 to google for, but the hints I've seen make it sound as just a
 secondary /bin. Is that about right?
 
 That's what the man page suggests. But when is it actually used? A
 typical installation just leaves it empty.

I know that IRIX uses it for static binaries like sash and other
programs that can be run directly from the PROM before booting the
kernel.


Dustin Lundquist



Re: Vlans using a trunk device

2006-10-08 Thread Dustin Lundquist
Two ideas come to mind: Either use one interface for each VLAN, or 
create VLAN interfaces on each ethernet interface and then trunk all the 
VLAN interfaces assigned to the same VLAN.



Dustin Lundquist

Axton Grams wrote:

While working with the trunk and vlan features of OpenBSD, I ran into
one thing that I do not understand.  In order to use a trunk device for
multiple vlan's, the trunk device must have an ip address assigned.

Let me illustrate my configuration (vlan ids do not match, but it's not
relevant, see ifconfig for exact info):

++ +-+  +---+
| router | |modem|  |servers|
++ +-+  +---+
 |  ||
+---+-+-+-+
|   |vlan2|vlan3|vlan4|
| trunk |inet |lan  |dmz  |
+---+-+-+-+
 switch|
  ++
  |workstations|
  ++

ifconfig reads like this:

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
gem0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:03:ba:04:b2:1d
trunk: trunkdev trunk0
media: Ethernet 100baseTX full-duplex
status: active
inet6 fe80::203:baff:fe04:b21d%gem0 prefixlen 64 scopeid 0x1
hme0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:03:ba:04:b2:1d
trunk: trunkdev trunk0
media: Ethernet 100baseTX full-duplex
status: active
inet6 fe80::a00:20ff:feca:7dc4%hme0 prefixlen 64 scopeid 0x2
hme1: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:03:ba:04:b2:1d
trunk: trunkdev trunk0
media: Ethernet 100baseTX full-duplex
status: active
inet6 fe80::a00:20ff:feca:7dc5%hme1 prefixlen 64 scopeid 0x3
hme2: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:03:ba:04:b2:1d
trunk: trunkdev trunk0
media: Ethernet 100baseTX full-duplex
status: active
inet6 fe80::a00:20ff:feca:7dc6%hme2 prefixlen 64 scopeid 0x4
hme3: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:03:ba:04:b2:1d
trunk: trunkdev trunk0
media: Ethernet 100baseTX full-duplex
status: active
inet6 fe80::a00:20ff:feca:7dc7%hme3 prefixlen 64 scopeid 0x5
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33192
pfsync0: flags=0<> mtu 1460
enc0: flags=0<> mtu 1536
trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:03:ba:04:b2:1d
trunk: trunkproto roundrobin
trunkport hme0 active
trunkport hme1 active
trunkport hme3 active
trunkport hme2 active
trunkport gem0 master,active
groups: trunk
media: Ethernet autoselect
status: active
inet 10.1.1.1 netmask 0xff00 broadcast 10.1.1.255
inet6 fe80::203:baff:fe04:b21d%trunk0 prefixlen 64 scopeid 0xa
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:03:ba:04:b2:1d
vlan: 10 priority: 0 parent interface: trunk0
groups: vlan
inet6 fe80::203:baff:fe04:b21d%vlan10 prefixlen 64 scopeid 0xb
inet 10.180.16.1 netmask 0xff00 broadcast 10.180.16.255
vlan2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:03:ba:04:b2:1d
vlan: 2 priority: 0 parent interface: trunk0
groups: vlan
inet6 fe80::203:baff:fe04:b21d%vlan2 prefixlen 64 scopeid 0xc
inet 10.107.208.1 netmask 0xff00 broadcast 10.107.208.255
vlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:03:ba:04:b2:1d
vlan: 3 priority: 0 parent interface: trunk0
groups: vlan egress
inet6 stripped%vlan3 prefixlen 64 scopeid 0xd
inet x.x.x.x netmask 0x broadcast z.z.z.z
vlan30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:03:ba:04:b2:1d
vlan: 30 priority: 0 parent interface: trunk0
groups: vlan
inet6 fe80::203:baff:fe04:b21d%vlan30 prefixlen 64 scopeid 0xe
inet 10.180.17.1 netmask 0xff00 broadcast 10.180.17.255

The switch is configured such that the ports for the nodes are untagged
and every vlan sends tagged packets to the trunk.

When the trunk interface does not have an ip address assigned, no
traffic moves through the vlans.  This is what I am not understanding.

I assigned 10.1.1.1 to the trunk interface since I am not using that
subnet.  How should I handle this subnet in my pf rules?  The route
tables show 10.1.1/24 as a routable subnet because it is assigned to the
trunk interface:

# route -n show
Routing tables
scrubbed to not wrap

Re: Tyan v. Supermicro for Opteron?

2006-08-07 Thread Dustin Lundquist
I've used both a Tyan S2892 and Supermicro H8SSL and H8DA8. The Tyan
board had a number of weird BIOS issues: sometimes it would boot,
reset the BIOS 5 times, wave a dead chicken over it and then it would
work. The only similar issues I've run into with the Supermicro boards
were with the onboard Adaptec SCSI and an LSI MegaRAID on the H8DA8 and
another MegaRAID in a Supermicro P4SCT; resetting the BIOS and disabling
the onboard Adaptec SCSI via jumper, or moving the MegaRAID,
resolved these issues. After working with the S2892 and several older
Tyan dual P3 and dual Athlon boards, my opinion of them is: quirky.


Dustin Lundquist


Darrin Chandler wrote:
 Ok, I've got it narrowed down a bit. Anyone have experiences good or bad
 to report with Tyan versus Supermicro mobos? I find archives for people
 using one or the other, so they both seem workable. Anyone used both and
 prefer one for some reason? I'm looking at 2xCPU, and maybe dual-core in
 addition.
 
 Any help *greatly* appreciated!



Re: sokeris output

2006-07-25 Thread Dustin Lundquist
I'm running flashdist on my Net4801 with a GENERIC kernel, it works fine
- uses about 4MB extra flash space, but not a problem with the price of
CF cards today. I just SSH in, remount / rw, edit pf.conf, run pfctl and
remount / ro. dmesg below.


Dustin Lundquist

Lars Hansson wrote:
 On Monday 24 July 2006 13:33, Gustavo Rios wrote:
 PS: If you have a kernel configuration file for exact that hardware, i
 would enjoy too.
 
 Save yourself a lot of pain and frustration and get a CF large enough 
 (256Mb) 
 for the base system and use the GENERIC kernel.
 
 ---
 Lars Hansson
 



OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi (Geode by NSC
586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
cpu0: TSC disabled
real mem  = 133799936 (130664K)
avail mem = 115474432 (112768K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 20/50/29, BIOS32 rev. 0 @ 0xf7840
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0x9000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Cyrix GXm PCI rev 0x00
sis0 at pci0 dev 6 function 0 NS DP83815 10/100 rev 0x00: DP83816A,
irq 10, address 00:00:24:c5:8e:18
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 7 function 0 NS DP83815 10/100 rev 0x00: DP83816A,
irq 10, address 00:00:24:c5:8e:19
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 8 function 0 NS DP83815 10/100 rev 0x00: DP83816A,
irq 10, address 00:00:24:c5:8e:1a
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
gscpcib0 at pci0 dev 18 function 0 NS SC1100 ISA rev 0x00
gpio0 at gscpcib0: 64 pins
NS SC1100 SMI/ACPI rev 0x00 at pci0 dev 18 function 1 not configured
pciide0 at pci0 dev 18 function 2 NS SCx200 IDE rev 0x01: DMA, channel
0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: SanDisk SDCFB-256
wd0: 1-sector PIO, LBA, 245MB, 501760 sectors
wd0(pciide0:0:0): using PIO mode 1
geodesc0 at pci0 dev 18 function 5 NS SC1100 X-Bus rev 0x00: iid 6
revision 3 wdstatus 0
ohci0 at pci0 dev 19 function 0 Compaq USB OpenHost rev 0x08: irq 11,
version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Compaq OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
isa0 at gscpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
gscsio0 at isa0 port 0x15c/2: SC1100 SIO rev 1:
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
biomask fbe5 netmask ffe5 ttymask ffe7
pctr: no performance counters in CPU
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
WARNING: / was not properly unmounted
# df -h
Filesystem SizeUsed   Avail Capacity  Mounted on
/dev/wd0a  236M   21.6M203M10%/
mfs:25157  7.8M   66.0K7.4M 1%/tmp
#



Routing GigE with a full BGP table

2006-05-04 Thread Dustin Lundquist
We are looking to terminate a GigE circuit running about 700Mbps during
peak hours. We will be using three interfaces and running iBGP with a
half dozen or so peers and an eBGP session with our upstream with a full
table. Last month Claudio mentioned routing 450kpps; what sort of
performance can we expect in the above situation? Is this doable under
a 3.9 GENERIC i386 kernel? How much of a performance hit should we expect
with a full table vs. decoupling the FIB and having a few static routes?


Dustin Lundquist
Optic Fusion



Re: /etc and partitions

2006-02-27 Thread Dustin Lundquist
Michael Schmidt wrote:
 
 I have seen that /etc cannot be located on a separated partition.
 Why can it be not on an extra partition?

The rc scripts need to be able to read /etc/fstab to know what
filesystems besides / to mount.


Dustin Lundquist



Re: BCM5704 dual port NIC not seen by 3.8 on Thunder K8SRE m/b.

2006-01-06 Thread Dustin Lundquist
I have the K8SE (non rack mount version) and I verified that the
Broadcom NICs were not seen by either the amd64 or i386 RAMDISK kernels
on the 3.8 release CDs. The Broadcom NIC is attached to the AMD 8131
HT-PCI bridge, not the NForce junk. The K8SE has an Intel Pro/100 attached
to the PCI-33 bus of the NForce, so I can get the machine up and run
tests if needed.


Dustin Lundquist


Chris Cappuccio wrote:
 Maybe one of these is really supposed to be a PCI-PCI bridge.
 
 Nvidia nForce4 DDR rev 0xa3 at pci0 dev 0 function 0 not configured
 Nvidia nForce4 ISA rev 0xa3 at pci0 dev 1 function 0 not configured
 Nvidia nForce4 SMBus rev 0xa2 at pci0 dev 1 function 1 not configured
 
 Kent Ho [EMAIL PROTECTED] wrote:
 
Same with current snapshot as well.  Cannot detect the BCM5704 dual port 
NIC.

Configure the network? [yes]
No more interfaces to initialize.

Here's the dmesg:
OpenBSD 3.8-current (RAMDISK_CD) #627: Thu Jan  5 17:50:36 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 3488182272 (3406428K)
avail mem = 2992111616 (2921984K)
using 22937 buffers containing 349024256 bytes (340844K) of memory
mainbus0 (root)
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Opteron(tm) Processor 248, 2210.44 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,MMXX,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
pci0 at mainbus0 bus 0: configuration mode 1
Nvidia nForce4 DDR rev 0xa3 at pci0 dev 0 function 0 not configured
Nvidia nForce4 ISA rev 0xa3 at pci0 dev 1 function 0 not configured
Nvidia nForce4 SMBus rev 0xa2 at pci0 dev 1 function 1 not configured
ohci0 at pci0 dev 2 function 0 Nvidia nForce4 USB rev 0xa2: irq 10, 
version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Nvidia OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 10 ports with 10 removable, self powered
pciide0 at pci0 dev 6 function 0 Nvidia nForce4 IDE rev 0xf2: DMA, 
channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, CD-ROM GCR-8525B, 1.02 SCSI0 
5/cdrom removable
cd0(pciide0:0:1): using PIO mode 4, DMA mode 2
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 7 function 0 Nvidia nForce4 SATA 1 rev 0xf3: DMA
pciide1: using irq 11 for native-PCI interrupt
pciide2 at pci0 dev 8 function 0 Nvidia nForce4 SATA 2 rev 0xf3: DMA
pciide2: using irq 10 for native-PCI interrupt
wd0 at pciide2 channel 0 drive 0: WDC WD1200JS-00MHB1
wd0: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
wd0(pciide2:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide2 channel 1 drive 0: WDC WD1200JS-00MHB1
wd1: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
wd1(pciide2:1:0): using PIO mode 4, Ultra-DMA mode 5
ppb0 at pci0 dev 9 function 0 Nvidia nForce4 PCI-PCI rev 0xa2
pci1 at ppb0 bus 1
vga1 at pci1 dev 7 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
ppb1 at pci0 dev 14 function 0 Nvidia nForce4 PCIE rev 0xa3
pci2 at ppb1 bus 2
pchb0 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pchb1 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb2 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb3 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00
pchb4 at pci0 dev 25 function 0 AMD AMD64 HyperTransport rev 0x00
pchb5 at pci0 dev 25 function 1 AMD AMD64 Address Map rev 0x00
pchb6 at pci0 dev 25 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb7 at pci0 dev 25 function 3 AMD AMD64 Misc Cfg rev 0x00
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
rd0: fixed, 3584 blocks
dkcsum: wd0 matches BIOS drive 0x80
wd1: no disk label
dkcsum: wd1 matches BIOS drive 0x81
root on rd0a
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02
erase ^?, werase ^W, kill ^U, intr ^C, status ^T
(I)nstall, (U)pgrade or (S)hell?

thx.

Kent.

Kent Ho wrote:

Hi,

I'm unable to install 3.8 on my remote box.  It can pxeboot fine but 
once 3.8 is booted up(bsd.rd) it cannot detect the BCM5704 dual port 
NICs.  Install via network is the only way for me at the moment.

It has the following in the boot messages:
Nvidia nForce4 DDR rev 0xa3 at pci0 dev 0 function 0 not configured
Nvidia nForce4 ISA rev 0xa3 at pci0 dev 1 function 0 not configured
Nvidia nForce4 SMBus rev 0xa2 at pci0 dev 1 function 1 not configured

Could these be related?  I did some search on the list, this may be 
related to PCI-X support issue in Openbsd?  The NIC