bgp routing question

2008-03-25 Thread Frédéric Plé
Hi,

I have an openbsd router with two ebgp peers.

I have several prefixes to announce, but I would like to know how I could
influence outgoing traffic from each of my prefixes.

I did not understand how to use weight, localpref and metric, nor filter
rules, to do that.

Any clue or example?

many thanks,

FP



Re: File upload/download to https server

2008-01-30 Thread Frédéric Plé
Hello,

I don't know Python but cURL provides several APIs to do that from various
programming languages (check http://curl.haxx.se/libcurl/bindings.html ).
curl (CLI version) can be found in ports.

Regards

On 30/01/2008, Stuart VanZee [EMAIL PROTECTED] wrote:

 Hello everyone.

 I have an upcoming project where I need to be able to automate the upload
 and download of files to/from an HTTPS server (not owned by me).  The server
 says it requires 128 bit encryption.  I would like to be able to do this using
 python because it is the language that I know the best and it is available
 on the OpenBSD box that I would like to do this all from.  (please note I am
 not a real great programmer, but I get by).

 I have done some research and found py-OpenSSL in ports, and on another
 project have used ClientForm for python although I haven't figured out how
 to get them to work together.

 Am I going in the right direction?  Is what I need to do even possible?

 Thank you for any help.

 Stuart van Zee
 [EMAIL PROTECTED]



Re: HP Raid hardware

2008-01-22 Thread Frédéric Plé
What do you mean by fully compliant?
The hardware compatibility page (http://www.openbsd.org/i386.html) gives the list
of supported HP SmartArray RAID devices.
It had worked or currently works for me on DL360G1, DL360G2 and DL360G4p.

Example on a DL360G4:
# sysctl hw.product ; bioctl ciss0
hw.product=ProLiant DL360 G4p
Volume  Status   Size Device
ciss0 0 Online   146804797440 sd0 RAID1
  0 Online   146811543552 0:0.0   noencl COMPAQ  BD14688278  
  1 Online   146811543552 0:1.0   noencl COMPAQ  BD14688278  

Example on a DL360G2:
# sysctl hw.product ; bioctl ciss0
hw.product=ProLiant DL360 G2
Volume  Status   Size Device
ciss0 0 Online72833679360 sd0 RAID1
  0 Invalid 0 0:0.0   noencl 
  1 Invalid 0 0:1.0   noencl 
  2 Invalid 0 0:2.0   noencl 
  3 Invalid 0 0:3.0   noencl 
  4 Invalid 0 0:4.0   noencl 
  5 Invalid 0 0:5.0   noencl 
  6 Invalid 0 0:6.0   noencl 
  7 Invalid 0 0:7.0   noencl 
  8 Invalid 0 0:8.0   noencl 
  9 Invalid 0 0:9.0   noencl 
 10 Invalid 0 0:10.0  noencl 
 11 Invalid 0 0:11.0  noencl 
 12 Invalid 0 0:12.0  noencl 
 13 Invalid 0 0:13.0  noencl 
 14 Invalid 0 0:14.0  noencl 
 15 Invalid 0 0:15.0  noencl 
 16 Online72834973696 1:0.0   noencl COMPAQ  BD0726459C  
 17 Online72834973696 1:1.0   noencl COMPAQ  BD07287B4C  
 18 Invalid 0 1:2.0   noencl 
 19 Invalid 0 1:3.0   noencl 
 20 Invalid 0 1:4.0   noencl 
 21 Invalid 0 1:5.0   noencl 
 22 Invalid 0 1:6.0   noencl 
 23 Invalid 0 1:7.0   noencl COMPAQ  PROLIANT 6L2I   
 24 Invalid 0 1:8.0   noencl 
 25 Invalid 0 1:9.0   noencl 
 26 Invalid 0 1:10.0  noencl 
 27 Invalid 0 1:11.0  noencl 
 28 Invalid 0 1:12.0  noencl 
 29 Invalid 0 1:13.0  noencl 
 30 Invalid 0 1:14.0  noencl 
 31 Invalid 0 1:15.0  noencl 


Regards

On 22/01/2008, Max [EMAIL PROTECTED] wrote:

 Hello all,

 I have to set up an OpenBSD gateway on an HP Proliant server but I
 must be sure about hardware compatibilities, in particular, for the RAID
 controller.
 Which HP controller could you advise me to use for full compatibility with
 OpenBSD, on HP Proliant?

 Thanks for your answers.
 Max



Re: Problems installing 4.2 from CD

2008-01-11 Thread Frédéric Plé
Hello,

Did you check errata 003 ?
http://openbsd.org/errata42.html

Regards

On 11/01/2008, T. Ribbrock [EMAIL PROTECTED] wrote:

 Hello,

 I just tried installing OpenBSD 4.2 on an older PIII box I got a while
 back - but I can't get the install to boot from CD. Here's what I have
 so far:

 - The PC has an Intel server board, L440GX+, with two PIII/550 (Slot 1)
   on it. This board has both IDE and SCSI (Dual channel U2W, Adaptec
   AIC-7896) on-board.
 - The CD-ROM is SCSI and connected to channel B of the U2W controller.
 - There are two IDE disks - a 20GB connected to IDE1 (master) and a 160GB
   on IDE2 (master).
 - The SCSI controller is set to support bootable CDs and the OpenBSD CD
   is recognised as such.

 If I try to boot from CD, the only lines I get are:

 CR-ROM: 9F
 Loading /4.2/I386/CDBOOT
 probing: pc0 com0 com1 mem[635K 638M a20=on]
 disk:

 At this point, the machine hangs hard, i.e. neither keyboard, nor
 reset/power buttons work anymore. I literally have to pull the plug.

 If I disable *both* IDE drives in the BIOS, booting from CD-ROM works
 (or at least I get to the 'boot' prompt, haven't tested further yet).
 Disabling only one of them doesn't help, though.

 As a test, I also tried to boot from an OpenBSD 3.9 CD, but that showed
 the same symptoms. Same goes for a Kubuntu 7.04 live CD - got stuck
 right after the boot menu.

 The odd thing is: I *have* installed OpenBSD on this PC in the past
 (must have been 4.0 or 4.1). The changes I have made since then were -
 as far as I can remember:
 - I removed a second 20GB IDE drive that was slave on IDE1.
 - I added the 160GB drive on IDE2
 - I think I removed a PCI VGA card and a sound card, but I'm not 100% sure
   whether they were actually in there when I installed OpenBSD the last
   time.
 - I added a 3C509B(?) NIC.

 Any insight on this would be most welcome. I saw one related thread in
 the archives, but that seemed to deal with PCI cards rather than
 on-board devices. One of the solutions offered there was to remove the
 boot-eeprom from one of those cards - but I don't think I have that
 option in this case... :-}

 Regards,

 Thomas
 --
 ** PLEASE: NO Cc's to me privately, I do read the list - thanks! **

 -
   Thomas Ribbrock    http://www.ribbrock.org    ICQ#: 15839919
   You have to live on the edge of reality - to make your dreams come true!



ALTQ : HTB packet scheduler

2008-01-10 Thread Frédéric Plé
Hello,

Does anybody know if an HTB packet scheduler is available on OpenBSD?

Regards,



Re: CARP + MS NLB Multicast Traffic

2007-12-24 Thread Frédéric Plé
Hello,

I have quite the same problem on an OpenBSD (4.1) router connected to a pair
of firewalls using a MAC multicast address (but unicast IP addresses) for
redundancy.
As soon as I used a second OpenBSD router and CARP for openbsd redundancy,
Ethernet traffic grew and I had performance problems.

I watched the traffic with tcpdump and I saw a strange ethernet behaviour
with openbsd: when OpenBSD receives an Ethernet frame on a device using
CARP and the Ethernet destination address of this frame is a MAC multicast
address (01:xx:xx ...), OpenBSD does not drop it and re-generates new
Ethernet frames: this behaviour causes an Ethernet storm!

Did you try to tcpdump on the interface that supports the CARP interface too?

I checked out the Ethernet layer source code and I saw that OpenBSD is correctly
checking that the MAC destination address is registered on the host. If
not, the frame is dropped!

My analysis (not yet confirmed by openBSD gurus) is:
When carp is enabled on a network device, it gets the PROMISC and ALLMULTI
properties.
So, I guess any incoming traffic on this interface is going from the ETHERNET
layer to the IP layer.
As IP forwarding is enabled on my openbsd routers, the openbsd IP layer routes
this traffic and pushes it back to the ethernet layer, and a new frame is sent.

The dirty workaround I found is to filter with pf the incoming traffic going to
the networks behind the firewalls on both my openbsd routers (this traffic
should be received only by the firewall boxes).
I thought about modifying the openbsd Ethernet layer to drop incoming packets with
the firewall MAC multicast address as destination, but that is a really silly
way to do it.

I would be interested in any clue to apply a proper fix to this problem.

Fred

On 23/12/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 I'm having an issue, maybe someone has seen before or can help me with.

 Scenario:
 I have 2 firewall boxes with carp on the outer and inner interfaces of our
 network and pfsync running between them. On the inner side of the firewalls
 they drop into 2 cisco 3750G switches that are stacked using stackwise.
 There is a cluster of web servers sitting behind the firewalls running
 Microsoft IIS and NLB in Multicast mode with IGMP. When packets come in
 destined for the web cluster they are broadcast across all ports on the
 switch due to the MAC being sent out multiple ports. The cisco's don't like
 this and spit out the packet on all ports and igmp snooping doesn't work due
 to the ms implementation. Cisco won't help us because they say that Microsoft
 isn't following the RFC correctly and Microsoft says there is a patch for
 this in the works but it's been like this for years so I'm not holding my
 breath. I'm not too concerned with this. We know how to deal with it by
 mapping the multicast mac address to the static ports the webservers are on.


 Situation:
 The problem came into play when we needed to replace some of our cisco
 switches and had to delete the static mac addresses on the ciscos in order
 not to blackhole webservers during the transition. After we deleted the mac
 addresses on the cisco's all ports were once again flooded with inbound web
 traffic during the maintenance. This we expected.

 The Problem:
 However what we didn't expect was our carp devices to go haywire. They were
 flapping back and forth and we had intermittent connectivity issues until we
 unplugged one of the boxes and our connection was stable again. It didn't
 matter which one we unplugged. As soon as we unplugged the opposite device
 the connection was stable again. At the time there may have been about 25mb
 of traffic to our webservers.

 The only thing that makes sense to me is some sort of race condition with
 the broadcast messages. Does this make sense to anyone? Currently we have an
 advbase of 1. Now I haven't attempted to bump that up. Should I? I just
 wanted to get some opinions on this before I make any changes.

 Has anyone seen this behavior before? and know how to solve it correctly?
 Thanks.



MAC multicast address

2007-11-20 Thread Frédéric Plé
Hello,

Is there a way to control which multicast MAC address an ethernet interface
should handle?

I have a problem with a server running OpenBSD4.1-rel (A) with a pcn and carp
interface.
On the same Ethernet network, there is another server (B) and a
high-availability cluster of firewalls (commercial product) (F composed of F1
and F2) reached via a unicast IP address (IPADDR{F}) over a multicast MAC
address (MAC{F}).

When B wants to communicate with a service behind F (IP route is known via
IPADDR{FW}) this happens:
- B sends an ARP request to ff:ff:ff:ff:ff:ff from MAC{B}: Who has IPADDR{FW}?
tell IPADDR{B}
- B receives an ARP response from MAC{F1} to MAC{B}: IPADDR{FW} is at MAC{F}
- B receives an ARP response from MAC{F2} to MAC{B}: IPADDR{FW} is at MAC{F}
- B sends an ethernet frame to F from MAC{B} IPADDR{B} to MAC{F} IPADDR{F}
- A receives this ethernet frame
- A sends a new frame from MAC{A} IPADDR{B} to MAC{?} (this MAC is a
multicast MAC that is not used by any of my openbsd servers)

This means the one initial frame is duplicated and, by cascade, huge numbers of
ethernet frames are transmitted.

This behaviour makes the performance of the firewall decrease.


Ethernet frames sent by another server (SERVER2) to a multicast MAC address
that is handled by a cluster of firewalls (commercial product) are received
and resent to another multicast MAC address.


Thanks for help,

Fred
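The frame pattern described in the two posts above (a group/multicast destination MAC carrying a unicast IP destination, then the same IP flow re-emitted from a different source MAC by the CARP router) can be checked for in a capture. This is an added example, not code from the posts or from OpenBSD; the frames, MAC and IP addresses are constructed test data and the function names are assumptions.

```python
import struct
from collections import defaultdict

def mac(s):   # "00:00:5e:00:53:0a" -> 6 raw bytes
    return bytes.fromhex(s.replace(":", ""))

def ipv4(s):  # "192.0.2.1" -> 4 raw bytes
    return bytes(int(o) for o in s.split("."))

def build_frame(dst_mac, src_mac, ip_src, ip_dst):
    """Minimal Ethernet II + IPv4 header (UDP, no payload); constructed test data."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipv4(ip_src), ipv4(ip_dst))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + ip_hdr

def parse_frame(frame):
    """Return dst/src MAC and, for IPv4 frames, src/dst IP as raw bytes."""
    rec = {"dst_mac": frame[0:6], "src_mac": frame[6:12], "ip_src": None, "ip_dst": None}
    if struct.unpack("!H", frame[12:14])[0] == 0x0800 and len(frame) >= 34:
        rec["ip_src"], rec["ip_dst"] = frame[26:30], frame[30:34]
    return rec

def is_group_mac(m):
    """I/G bit set (01:xx:..., 03:xx:...) but not the broadcast address."""
    return bool(m[0] & 1) and m != b"\xff" * 6

def is_unicast_ip(ip):
    """Not 224/4 multicast and not the limited broadcast address."""
    return ip is not None and not 224 <= ip[0] <= 239 and ip != b"\xff" * 4

def find_storm(frames):
    """flows: (ip_src, ip_dst) -> Ethernet source MACs, for frames whose destination
    MAC is a group address while the IP destination is unicast (the firewall-cluster
    / NLB pattern). regenerated: flows seen from more than one source MAC, i.e. a
    host re-emitted another host's frame, as the CARP router does in the posts."""
    flows = defaultdict(set)
    for f in map(parse_frame, frames):
        if is_group_mac(f["dst_mac"]) and is_unicast_ip(f["ip_dst"]):
            flows[(f["ip_src"], f["ip_dst"])].add(f["src_mac"])
    return dict(flows), {k: v for k, v in flows.items() if len(v) > 1}

# Constructed capture: B -> F on a group MAC with a unicast IP, the same IP flow
# re-sent by A to another group MAC, a plain unicast frame, a real IP multicast frame.
MAC_A, MAC_B = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # documentation MACs
MAC_F, MAC_X = "01:00:5e:00:53:01", "01:00:5e:00:53:02"   # constructed group MACs
SAMPLE_FRAMES = [
    build_frame(MAC_F, MAC_B, "192.0.2.20", "192.0.2.1"),   # B -> F, expected
    build_frame(MAC_X, MAC_A, "192.0.2.20", "192.0.2.1"),   # A re-emits B's flow
    build_frame(MAC_A, MAC_B, "192.0.2.20", "192.0.2.10"),  # plain unicast, ignored
    build_frame("01:00:5e:00:00:01", MAC_B, "192.0.2.20", "224.0.0.1"),  # ignored
]
```

Run against the sample, `find_storm` reports the single B -> F flow and flags it as regenerated because it was seen from both MAC{B} and MAC{A}; a flow seen from only the legitimate sender is reported but not flagged.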