dhclient implementation

2011-08-26 Thread Iñigo Ortiz de Urbina
Hi all users and developers

I simply noticed what I would call a weird behaviour on my 32 bit 4.9
GENERIC#671 box's dhclient, which I hope is not the expected behavior.
While reading RFC2131, I didn't find any sentence stating or implying
that is the desired behavior, as in a "server MUST...".

Say I run a local instance of named on my machine. I don't want dhcp to
overwrite my resolv.conf, so I add the classical prepend
dns-name-servers to my dhclient.conf.

I capture the traffic while asking for an IP address (no prior leases)
and I can see how DHCP packets do not request DNS servers. However,
which I am afraid happens more often than not, my crappy Comtrend
domestic router ignores the request and simply decides to always
answer including my ISP's DNS servers. I could check this with
Wireshark also. The result is resolv.conf has 3 nameserver entries,
instead of the only one I want to prepend.

I also tried not prepending my localhost named entry, just in case
that would trigger something weird in the code and eventually
nameservers got appended. No luck.

dhclient.conf(5) states the following:

"The protocol also allows the client to reject offers
 from servers if they don't contain information the client needs, or if
 the information provided is not satisfactory."

So, shouldn't dhclients just keep track of what they requested and just
accept that specific set of properties, instead of all it was sent by
the router? I am not talking about whether RFCs or the implementation
is correct or not. I am no authority of course. It simply seems
reasonable to me to implement it as I just mentioned. I understand
clients can ask for parameters that would lead to an invalid network
configuration. Still, Unix doesn't let you shoot yourself in the foot
for a good reason? Am I missing the obvious?

Any comment would be highly appreciated.

Thanks for your time and have a nice day



Re: dhclient implementation

2011-08-26 Thread Iñigo Ortiz de Urbina
"Supersede" gives me what I want. It just felt weird those entries
ended up on resolv.conf when I had not requested them.

Thanks and sorry for the noise.




--
Iñigo Ortiz de Urbina Cazenave
http://www.twitter.com/ioc32



Re: dhclient implementation

2011-08-27 Thread Iñigo Ortiz de Urbina
On Sat, Aug 27, 2011 at 1:01 AM, Jona Joachim  wrote:
> On 2011-08-26, Iñigo Ortiz de Urbina wrote:
>> "Supersede" gives me what I want. It just felt weird those entries
>> ended up on resolv.conf when I had not requested them.
>>
>> Thanks and sorry for the noise.
>
> This is expected behaviour for the "prepend" option, it does just that:
> request the name servers and prepend the one(s) you supplied. That way
> by default the system will use the name server you supplied in the
> configuration file but will fall back to the ones given by your router
> in case the first name server is not reachable.

As I told Jona offlist, yes, I understand that behavior. My line is
prepended and then anything else goes after it.

Still, what I do not understand is why two nameserver entries appear
on my resolv.conf, if I have never requested them.

> Best regards,
> Jona
>
>



--
Iñigo Ortiz de Urbina Cazenave
http://www.twitter.com/ioc32
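
The comparison this thread revolves around, as an added example that is not part of the original posts and is not dhclient's code: it parses the options field of a client request and of a server reply, lists the options the server sent that were not in the client's parameter request list (option 55), and models the `prepend` and `supersede` modifiers on the resulting name server list. The packet bytes and addresses are constructed sample data, and the function names are hypothetical.

```python
"""Added example: list DHCP options a server sent that the client never requested."""
import ipaddress

MAGIC_COOKIE = bytes([0x63, 0x82, 0x53, 0x63])  # starts the options field (RFC 2131)
OPT_PAD, OPT_DNS, OPT_PARAM_REQUEST_LIST, OPT_END = 0, 6, 55, 255
# Lease and message bookkeeping options; servers send these whether or not
# they appear in the parameter request list, so they are not reported.
BOOKKEEPING = {51, 53, 54, 58, 59}  # lease time, message type, server id, T1, T2


def parse_options(field):
    """Decode a DHCP options field (code, length, value triples) into a dict."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # single-byte padding, no length octet follows
            i += 1
            continue
        if i + 1 >= len(field):
            raise ValueError("option %d has no length octet" % code)
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        # RFC 3396: a repeated option code is one value split across instances.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def unsolicited(request_field, reply_field):
    """Return {code: value} for reply options the request did not list in option 55."""
    requested = set(parse_options(request_field).get(OPT_PARAM_REQUEST_LIST, b""))
    reply = parse_options(reply_field)
    return {code: value for code, value in reply.items()
            if code not in requested and code not in BOOKKEEPING}


def dns_servers(value):
    """Decode option 6: a sequence of 4-byte IPv4 addresses."""
    if len(value) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


def apply_modifier(modifier, configured, offered):
    """Model the dhclient.conf(5) option modifiers for a list-valued option."""
    if modifier == "supersede":   # always use the configured value
        return list(configured)
    if modifier == "prepend":     # configured value first, then the server's
        return list(configured) + list(offered)
    if modifier == "append":      # server's value first, then the configured one
        return list(offered) + list(configured)
    if modifier == "default":     # configured value only if the server sent none
        return list(offered) or list(configured)
    raise ValueError("unknown modifier: %s" % modifier)


def _opt(code, value):
    return bytes([code, len(value)]) + value


def _ip(text):
    return ipaddress.IPv4Address(text).packed


# Constructed sample: the client asks for subnet mask (1), broadcast address (28)
# and routers (3) only; no DNS servers (6) in the parameter request list.
DISCOVER_OPTIONS = (MAGIC_COOKIE + _opt(53, b"\x01")
                    + _opt(OPT_PARAM_REQUEST_LIST, bytes([1, 28, 3]))
                    + bytes([OPT_END]))

# Constructed sample: the server acknowledges and adds two DNS servers anyway.
ACK_OPTIONS = (MAGIC_COOKIE + _opt(53, b"\x05")
               + _opt(54, _ip("192.168.1.1"))
               + _opt(51, (86400).to_bytes(4, "big"))
               + _opt(1, _ip("255.255.255.0"))
               + _opt(3, _ip("192.168.1.1"))
               + _opt(OPT_DNS, _ip("192.0.2.53") + _ip("192.0.2.54"))
               + bytes([OPT_END]))

if __name__ == "__main__":
    extra = unsolicited(DISCOVER_OPTIONS, ACK_OPTIONS)
    offered = dns_servers(extra.get(OPT_DNS, b""))
    print("options sent but not requested:", sorted(extra))
    for modifier in ("prepend", "supersede"):
        print(modifier, "->", apply_modifier(modifier, ["127.0.0.1"], offered))
```
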



Re: developing openbsd?

2010-08-08 Thread Iñigo Ortiz de Urbina
I'd love to see such a document available. Depending on the scope of
this documentation effort, it could even be bundled as a package.

On 8/8/10, Tomas Vavrys  wrote:
> It would be great if anybody could share whole .vim/ && .vimrc. I
> could write OpenBSD Vim C Programming manual once and for all.
>
> 2010/8/8 Darrin Chandler :
>> On Sun, Aug 08, 2010 at 04:39:56PM +0200, Tomas Vavrys wrote:
>>> Does any developer use c.vim plugin? I can't get it working properly
>>> according to STYLE(9). I would appreciate your settings. What other
>>> Vim plugins do you use?
>>
>> I have this in ~/.vim/after/ftplugin/c.vim:
>>
>> set cinoptions=t0,+4,(4,u4,w1
>> set shiftwidth=8
>> set softtabstop=8
>> let c_space_errors=1
>>
>> That gets me somewhat close. Anyone want to share other ways or
>> refinements?
>>
>> --
>> Darrin Chandler            |  Phoenix BSD User Group  |  MetaBUG
>> dwchand...@stilyagin.com   |  http://phxbug.org/      |  http://metabug.org/
>> http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: which monitoring do you use (on OpenBSD)

2010-08-10 Thread Iñigo Ortiz de Urbina
Mainstream open source monitoring is pretty much about munin, cacti,
nagios, zabbix. You can make any of these run on openbsd, AFAIK.

Even though they serve different purposes, my favourite (if no custom,
tailored solution is crafted) between these is cacti.

However, it's pretty disappointing the lack of support for alternative
(see psql) backends :( 

On 8/10/10, Eugene Yunak  wrote:
> On 10 August 2010 02:28, Jiri B.  wrote:
>> Hello,
>>
>> I'm thinking to choose a monitoring tool which would run on OpenBSD
>> of course.
>>
>> I have been working with Tivoli and Netview for couple of years so my
>> idea is:
>>
>> * clients
>>
>> - heartbeats of course
>> - simple interface to give a client some input as alert
>> - text configuration on client node (can be pushed from central repo)
>> - light
>>
>> * infrastructure nodes
>>
>> - proxy feature for far networks or dmz
>> - filtering rules (thresholds, time filters ...)
>> - text configuration
>> - light
>>
>> * main server(s)
>>
>> - good filtering
>> - surveillance console for monitoring center
>> - be able to change status of an alert (acknowledge, closed, solved...)
>> - be able to have some categories of clients based on roles
>>
>> I'm watching zabbix... not sure...
>>
>> If I wouldn't want event console I would probably check snmp -> sec ->
>> snmptt.
>>
>> jirib
>>
>>
>
> Definitely nagios/cacti pair or zabbix. Having used nagios for a year
> or so, i would never want to get back to Tivoli. It also gives you
> lots of flexibility in how you setup your monitoring, and can neatly
> work with snmp as well.
>
> Eugene
>
> --
> The best the little guy can do is what
> the little guy does right



Re: high Ierrs in netstat -ni

2010-10-17 Thread Iñigo Ortiz de Urbina
Maybe you can set debug on iwn using ifconfig. That would help troubleshooting.

Also, show output of ifconfig.

On 10/17/10, frantisek holop  wrote:
> hi there,
>
> I am running -current with iwn and I notice a high
> number of Ierr's in netstat -ni.
> 0 would be ideal, right?
>
>
> I am using the latest firmware from iwn(4)
>
> $ netstat -ni
> Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
> lo0     33200                                  15262     0    15262     0     0
> lo0     33200 127/8       127.0.0.1            15262     0    15262     0     0
> lo0     33200 ::1/128     ::1                  15262     0    15262     0     0
> lo0     33200 fe80::%lo0/ fe80::1%lo0          15262     0    15262     0     0
> lii0*   1500              fe:e1:ba:d0:6b:b3        0     0        0     0     0
> iwn0    1500              00:21:5c:04:9e:19     7670   429     6903     0     0
> iwn0    1500  fe80::%iwn0 fe80::221:5cff:fe     7670   429     6903     0     0
> iwn0    1500  10.13.37/24 10.13.37.30           7670   429     6903     0     0
> enc0*   0                                          0     0        0     0     0
> pflog0  33200                                      0     0        0     0     0
>
> this is just 20m after reboot. with heavy traffic,
> it increases by the second..
>
>

Re: OpenBSD virtualization

2010-04-01 Thread Iñigo Ortiz de Urbina
Err... do the homework first.

On Thu, Apr 1, 2010 at 2:45 PM, Digital Edge  wrote:

> Dear List,
>
> I am very much new to OpenBSD. I have two Sun UltraSparcT2 (Niagara2)
> servers.
> I have installed OpenBSD4.6 on that. But my intention is to install KVM/XEN
> on those boxes.
>
> Can anyone help me to do so
>
>
> Thanks,
> dE
>



Re: time based rules on pf

2010-05-17 Thread Iñigo Ortiz de Urbina
On Mon, May 17, 2010 at 5:03 PM, Leonardo Carneiro - Veltrac <
lscarne...@veltrac.com.br> wrote:

> There is a way to do time-based rules on pf? Something like "this packet
> will /pass/ from 10h to 13h" or "this packet will /pass/ until 22h, 13
> june". I mean, there is a built-in mechanic to do this in pf or i'll
> need to write a script in cron to add and remove rules?
>
> Tks in advance
> --
>
>
As nobody jumps in here to -kind of- state the obvious, I don't think there's
such a thing already *built-in*.

For the archive and newcomers, you achieve this kind of thing, though, with
anchors and some duct tape scripting.



Re: portrange with tcpdump

2010-05-25 Thread Iñigo Ortiz de Urbina
On Tue, May 25, 2010 at 7:26 PM, Daniel Bareiro wrote:
>
> Hi all!
>
> I'm trying to use tcpdump in OpenBSD 4.6 with a syntax similar to the
> following:
>
> # tcpdump -vvv udp and port 5060 or portrange 1-2000 -s0 \
>  -i eht0 -w eavesdropping_ulaw.dump
>
> In this case, the interface is em0, but I see that with this tcpdump
> version there is no parameter 'portrange'. I'm using a version compiled
> with the source code obtained by anoncvs, because I wanted to install
> with pkg_add but was not available. I tried as follows, but without
> success:
>

No pkg_add needed, it's part of the base install:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/tcpdump/

>
> # tcpdump -vv udp and port 5060 or "port >= 1 and port <= 2" -s0 \
> > -i em0 -w eavesdropping_ulaw.dump
> tcpdump: syntax error
>
>
> Thanks in advance for your reply.
>
> Regards,
> Daniel
>

Also, does -s0 work on OpenBSD? I thought it was a GNU/Linux and
FreeBSDish hack. On OpenBSD, shouldn't it manually be set to whatever
your MTU is?



Re: sendmail vs. other MTAs

2009-05-10 Thread Iñigo Ortiz de Urbina
On Sun, May 10, 2009 at 2:48 PM, FRLinux  wrote:
> On Sun, May 10, 2009 at 1:34 PM, Felipe Alfaro Solana
>  wrote:
>> Why isn't Postfix included?
>> The license is not free, and thus can not be considered.
>>
>> And anyways, I found that switching from sendmail to postfix is
>> extremely easy in OpenBSD.
>
> Yay, another 20k long thread for nothing...
>
> Consider reading Gille's implementation of smtpd :
> http://undeadly.org/cgi?action=article&sid=20081112084647
>
> Steph

I am really excited towards seeing Gille's implementation stable
enough to make its way to base. One of the things I like most about
OpenBSD is that it always gets better with each release, and his smtpd
would bring us an even more compact, feature rich and easy to
configure OS (with sane defaults ;)

Keep up the great work!



Re: sendmail vs. other MTAs

2009-05-12 Thread Iñigo Ortiz de Urbina
On Tue, May 12, 2009 at 12:54 AM, Dan  wrote:
> Daniel Ouellet(dan...@presscom.net)@2009.05.11 18:08:02 -0400:
>>> This new smtpd better be at least as good as qmail, otherwise - what's
>>> the point?
>>
>> For fun and learning dammit. It's been explained on undeadly before and in
>> the list. And because it's smaller, easier to maintain, clean and works!
>

Apart from fun and learning, as Daniel says, the point is pretty much
the same as assigning developer resources to opencvs or openntpd for
example: having things done how they think they have to be done, and trust
me Dan, I learnt long ago (and you should) that in most scenarios,
they are on the right track and we have nothing to do but learn from
their skills and ideas, and THANK them (at least showing a thankful
attitude).

Have a nice day



Re: Why so cool OS doesn't have vuln database?

2009-05-16 Thread Iñigo Ortiz de Urbina
I wonder if he is after something similar to portaudit[1] on OpenBSD?


[1]: http://www.freebsd.org/doc/en/books/handbook/security-portaudit.html


2009/5/16 Tomaš Bodžar
>
> I think that you are looking for tool which isn't available under
> OpenBSD. Here you must know what you are doing. Do you read FAQ part of
> pages?
>
> 2009/5/16 Yuriy Grishin :
> > J Sisson wrote:
> >>
> >> Sorry, I meant your_last_post.[your configuration].
> >>
> >> In other words, it'd help people make recommendations if we knew the
> >> hardware you were running and what changes you'd made to the base system.
> >
> > Here you are the output of dmesg
> >
> > ...and what the "custom_options"?
> > Where can I find them?
> >
> > --
> > Code cheap ($3 for an application)
> >
> >
>
>
>
> --
> http://www.openbsd.org/lyrics.html



Re: old and new pf tandem test ---help

2009-05-19 Thread Iñigo Ortiz de Urbina
Mehma,

You can find more info on the performance boost, and how developers
achieved it, in this article. You can go through all of it as it's
really interesting IMHO:

http://www.onlamp.com/pub/a/bsd/2007/11/01/whats-new-in-bsd-42.html

Hope it helps you feel the need of trying pf _at home_ :)


On Tue, May 19, 2009 at 7:20 AM, mehma sarja  wrote:
>
> Otto, Henning and Stuart to-the-point answers. Thanks guys. I have taken
> the post over to FreeBSD list. However, Henning, I am curious why you call
> pf on anything but OpenBSD a "starter drug?" Is the performance difference
> that huge? pf on FreeBSD 7.2 is version 4.1.
>
> You have piqued my interest and may convince me to switch to OpenBSD. Keep
> the posts coming.
>
> Yudhvir



Re: old and new pf tandem test ---help

2009-05-19 Thread Iñigo Ortiz de Urbina
On Tue, May 19, 2009 at 2:37 PM, Stuart Henderson  wrote:
> On 2009-05-19, Iñigo Ortiz de Urbina wrote:
>> Mehma,
>>
>> You can find more info on the performance boost, and how developers
>> achieved it, in this article. You can go through all of it as it's
>> really interesting IMHO:
>>
>> http://www.onlamp.com/pub/a/bsd/2007/11/01/whats-new-in-bsd-42.html
>>
>> Hope it helps you feel the need of trying pf _at home_ :)
>
> That is a good start, but there have been other changes since.
> Not only pf, but also pfsync, nic drivers, and more.
>
> -current has some nice extras (added after 4.5) for ruleset sanity
> too. For example, "match" rules, which are absolutely great when
> combined with tags.
>
>

Indeed, and the active-active setup.

For those interested, here's more info on the subject:

Lecture: http://www.youtube.com/watch?v=cBxDgevQpCg
Paper, part1 : http://undeadly.org/cgi?action=article&sid=20090220014805



Re: OpenBSD and VPN 1411 Cryptographic Card

2009-05-20 Thread Iñigo Ortiz de Urbina
On Wed, May 20, 2009 at 10:15 PM, Stuart Henderson  wrote:
> On 2009-05-20, João Salvatti wrote:
>> Hi misc,
>>
>> I bought a Soekris Net5501 with a cryptographic card VPN1411
>> (Authentication, SHA-1 and MD5, Public Key, RSA, DSA, SSL, IKE and DH,
>> Hardware random number generator) and I would like to know if any
>> configuration is needed in OpenBSD kernel to use this card when
>> cryptography is necessary.
>>
>> eg. When a VPN IPSec is done.
>
> You might want to check that it's not actually slower when you use the card.
>
>

Some basic benchmarking would be appreciated, for the sake of the
list. As a newcomer I am really interested in understanding the
cryptohardware framework.

I would have never said accelerated hardware could perform any worse.
Interesting point Stuart.



Re: pf, altq, packet rate

2009-05-25 Thread Iñigo Ortiz de Urbina
On Mon, May 25, 2009 at 10:35 PM, Philip Guenther  wrote:
> 2009/5/25 irix :
>> And it will be added to the main tree?
>
> Let's see, no code, no mention of license, and no demonstration that
> it actually solves a/your problem.  How can your question possibly be
> answered?
>
>
> Philip Guenther
>

Probably you are right but I'd recommend him style(9), in spite of not
being a developer at all.

Just in case (s)he feels in the mood.



Re: Maximizing File/Network I/O

2010-01-05 Thread Iñigo Ortiz de Urbina
On Tue, Jan 5, 2010 at 9:13 AM, Tomas Bodzar  wrote:

> There is much more to do. You can find some ideas eg. here
> http://www.openbsd.org/papers/tuning-openbsd.ps . It's good idea to
> follow outputs of systat, vmstat and top for some time to find
> bottlenecks.
>
>
I recall a message in misc (which I am not able to find on the archives)
about someone posting here the results of his research on optimizing and
improving OpenBSD overall performance (fs, network, etc).

Among the links he posted on his comprehensive compilation, he sent
tuning-openbsd.ps.

I remember one reply of a developer stating that some of those tuning
measures are not needed anymore as OpenBSD has grown quite a bit since that
time. Which are the recommended -always working- directions, then, to tune a
system for its particular needs?

My point is we all have to be careful and not follow guides or try values on
sysctls blindly (although experimenting is welcome and healthy) as we can
do more harm than good. Still, some environments will need
adjustment to push much more traffic than GENERIC can, and this is a really
hard task to accomplish unless you are a @henning or @claudio :)


> On Tue, Jan 5, 2010 at 9:04 AM, nixlists wrote:
> > On Tue, Jan 5, 2010 at 1:45 AM, Bret S. Lambert wrote:
> >> Start with mount_nfs options, specifically -r and -w; I assume that
> >> you would have mentioned tweaking those if you had already done so.
> >
> > Setting -r and -w to 16384, and jumbo frames to 9000 yields just a
> > couple of MB/s more. Far from 10 MB/s more the network can do ;(
> >
> >
>
>
>
> --
> http://www.openbsd.org/lyrics.html



Re: OpenSMTPd actual development and integration

2010-01-14 Thread Iñigo Ortiz de Urbina
On Thu, Jan 14, 2010 at 6:50 PM, Jean-Francois  wrote:
> Hi All,
>
> Could you please inform about the actual state of OpenSMTPd and when it shall
> be fully integrated into OpenBSD ?
>
> Thanks.

You can keep an eye on its development by tracking commits on the CVS
repository.

I can't tell as I am not using it currently but I would say it's already
integrated and pretty usable for common scenarios, not yet fully, if
at all, ready for production.

calomel.org has an article that can give you an idea of its actual
state. gilles@ or jacek@ can add more insight into this anyway.

Have a nice day

Iñigo



Re: strange (?) ssh user

2009-08-21 Thread Iñigo Ortiz de Urbina
On Fri, Aug 21, 2009 at 7:19 AM, Uwe Dippel  wrote:

> Recently, I noticed an ssh user on one of my machines, who never logged on,
> is not visible with 'last', seems to have no terminal active, and is back
> immediately after a reboot.
> Hmm.
> root     13415  0.0  0.9  3280  2420 ??  Ss    12:04PM    0:00.08 sshd: isuser
> isuser     702  0.0  0.7  3280  1824 ??  S     12:04PM    0:00.00 sshd: isuser
> Whatever I do with finger, w, last, no trace of any activity; not even a
> login.
> I tried to kill the processes, and they are gone, but the next second
> another pair is up.
>
> Could anyone help me to explain what is going on here?
>
> Uwe
>
>
As it's not clear to me if isuser is a user you trust, created or needed for
your services, I would say your machine might have been compromised. What
kind of traffic is isuser generating? Is it just a reverse ssh shell? Can
you shut down his account or set his/her/its shell to nologin(8)?

Next install you might consider following the advice of mtree(8) as the
output of previous and current `mtree -cK sha1digest` would be really
useful here.



Re: Use memory as disk

2009-08-21 Thread Iñigo Ortiz de Urbina
On Fri, Aug 21, 2009 at 2:03 PM, obvvbooo obvvbooo wrote:

> Hi,
>
> Is there a way to use memory as a disk/partition? Such as mount it to
> /mnt/mem or such things. I can't find information of this in the man pages
> and after googled,


Haven't tried this before but you should be able to create your own ramdisks
with rdconfig(8).


> I found "rd" for OpenBSD, which seems similar with "md"
> in FreeBSD. But still not useful. Anybody help?
>
> Thanks
>
>
Just wondering, how come it is not useful? Is it because your fresh ramdisk
is not immediately usable right after creating it?



Re: Accessing lan from internet

2009-09-03 Thread Iñigo Ortiz de Urbina
On Thu, Sep 3, 2009 at 8:08 AM, Dorian Büttner wrote:

> halcon wrote:
>
>> On Wed, 02-09-2009 at 18:48 +, Daniel Bolgheroni wrote:
>>
>>> On Wed, 2 Sep 2009, halcon wrote:
>>>
>>>> Hello
>>>>
>>>> I am administering a small linux/windows lan from my laptop/OpenBSD-4.5
>>>> base, without any problem, using # ssh u...@192.168.0.xxx; how could I
>>>> access the lan from internet?
>>>>
>>>> u...@hostname? u...@external ip?
>>>>
>>>> I have read many docs without success, thanks in advance.
>>>>
>>>> francisco
>>>
>>> Are you using these cheap routers available everywhere?
>>>
>>> "Port forwarding", "forwarding", "virtual server", etc.
>>>
>>>
>>
>> Yes, i am, my gateway is 192.168.0.1 it is a cheap D-Link, behind, there
>> are 2 Linux boxes (Ubuntu and Slackware), and 2 windows boxes (Windows
>> Pro 2000 and Windows XP Home).
>>
>> If i understood well; it could be:
>>
>>
>>
>>> ssh [hostname|IP] -- log into hostname as current username
>>>
>> ssh Slackware|192.168.0.1
>>
>>> ssh au...@[hostname|IP] --log into hostname as auser
>>>
>> or ssh j...@slackware|192.168.0.1
>>
>>> where IP is the current gateway to your lan.
>>>
>> Is it correct, Dhu?
>>
>>
> I use ssh -l  
>
> Me too, I find it faster to type.
@halcon: if you still plan to access the LAN from the Internet without DMZ
be sure to at least read any of the "ssh best practices" thread or articles
out there, AND man sshd and the like.



Re: Supporting OpenBSD

2009-09-09 Thread Iñigo Ortiz de Urbina
On Wed, Sep 9, 2009 at 11:54 AM, Jordi Espasa Clofent <
jordi.esp...@opengea.org> wrote:

> People, it is time to get your browsers over to
>>  http://www.openbsd.org/orders.html
>> and start running some money into the project.
>>
>
> Done.
> +1
>
> ;)
>
> --
> Thanks,
> Jordi Espasa Clofent
>
>
+2 from Euskadi and Catalunya, Spain, so to speak :)



Re: 4.6 arriving

2009-10-20 Thread Iñigo Ortiz de Urbina
On Tue, Oct 20, 2009 at 1:08 PM, Dennis Davis  wrote:

> On Fri, 9 Oct 2009, Martin Schröder wrote:
>
> > From: Martin Schröder
> > To: OpenBSD general usage list 
> > Date: Fri, 9 Oct 2009 13:07:01
> > Subject: Re: 4.6 arriving
> > X-Spam-Score: 0.0 (/)
> >
> > 2009/10/9 Bret S. Lambert :
> > > On Fri, Oct 09, 2009 at 09:30:07AM +0200, Lukas Ratajski wrote:
> > >> Oh man, I'd LOVE to give the 2.1 version a boot opportunity on
> > >> i386.  Just for the sake of curiosity. Anyone offering a copy?
> > >
> > > Yes, but it's a collectible at this point:
> > > https://https.openbsd.org/cgi-bin/order
> >
> > Indeed. But 2.4 is the real collectible. :-)
>
> I'm rich!  I'm rich!!  I'm rich!!!
>
> I'm rich because OpenBSD4.6 arrived last week.
>
> I'm also rich because I found all my early OpenBSD releases,
> that's release 2.1 to 3.1.  Which includes the pricey OpenBSD2.1,
> OpenBSD2.2, OpenBSD2.3 & OpenBSD2.4 CDs.
>
> Now this is a problem.  The cardboard-box-under-the-bed bank is
> possibly a little too insecure for such great treasures.  I'll have
> to place them in a hermetically-sealed, lead-lined box and bury them
> in the garden.  Sigh, and then forget where they are.  Leaving some
> future fortunate to find this treasure trove long after I'm gone.
> Damn, I'll be worrying about this for some time.
>
> ...with great wealth comes great responsibility...
>
>
Discs arrived to Donostia-San Sebastian, Basque Country, Spain, just some
minutes ago.

Thanks a lot to Theo and assorted developers and OpenBSD Europe for their
impeccable work on delivering this wonderful OS just on time. Thank you
very much!



Re: allow dhcp in pf

2009-11-24 Thread Iñigo Ortiz de Urbina
On Tue, Nov 24, 2009 at 3:45 PM, Otto Moerbeek  wrote:
>
> On Tue, Nov 24, 2009 at 03:37:58PM +0100, Andreas Mueller wrote:
>
> > open...@e-solutions.re wrote:
> > > Hello
> > >
> > > i added theses lines :
> > > pass in on $int_if inet proto { tcp, udp } from any to $gw_obsd port 67
> > > pass in on $int_if inet proto { tcp, udp } from any to $gw_obsd port 68
> > Clients most certainly don't send dhcp request packets to your gateway
> > but to multicast, so set destination to 255.255.255.255.
> >
> > >
> > > my dhcpd.conf is a standard config...
> > > my hostname.bge0 :
> > > inet 192.168.0.1 255.255.255.0 NONE
> > >
> > > if i configure a machine with static ip address, all works fine.
> > > Using DHCP is not possible, pf block it, and i don't understand why...
> > > Can you help me please ?
> >
> > Andreas
>
> No no no, listen to what claudio wrote. dhcp packets are grabbed by
> dhclient or dhcpd before pf sees them.
>
>-Otto
>

Otto is right, don't keep suggesting things and listen to Claudio's words.

I came across this issue some time ago, I was quite confused on why pf
and dhcpd or dhclient are both on top of bpf device, however after
some thinking everything made sense.

http://onlamp.com/lpt/a/4839 can help in spite of being an interview from
2004. Design hasn't changed that much, as far as I know.