Re: OpenBSD-based ISP

2017-08-16 Thread James Shupe
Have you raised states? 10K is the default I believe, the most likely
culprit.

On 8/16/2017 12:55 PM, Juan Guillermo Narvaez wrote:
> Hello everyone!
> 
> I'm relatively new to using OpenBSD; I have just 4 years using this OS for DHCP
> servers.
> Today I have the mission of implementing this OS in a cablemodem headend; in
> my first try I got negative results with these rules:
> 
> pass all flags S/SA
> 
> #LAN
> match out log on bge0 inet from 192.168.254.0/24 to any nat-to 200.91.35.55
> pass on bge0 inet from 192.168.254.0/24 to any flags S/SA
> #CPE Network
> match out on bge0 inet from 172.21.0.0/19 to any nat-to 200.91.35.55
> pass on bge0 inet from 172.21.0.0/19 to any flags S/SA
> 
> This is the basic PF ruleset I use for this try; the CPE network has 900 active
> customers.
> When I put the whole customer network's traffic through my OpenBSD router, the
> traffic tends to fall slowly and the LAN network is really slow too. I read
> about a lot of 'tweaks' for high-performance configurations, but I think
> that OpenBSD can handle 400mbps without tweaking.
> 
> Am I wrong?
> What am I doing wrong?
> 
> Thank you!
> 

-- 
James Shupe, HermeTek
developer/ engineer
BSD/ Linux support & hosting
jsh...@hermetek.com | www.hermetek.com
Office 5127922525 | Mobile 5122846350
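Added example, not from the thread or from either poster's setup: a POSIX shell check of how full pf's state table is, parsed from the output of `pfctl -si` and `pfctl -sm`, run here on constructed sample output so it works offline. The warning threshold and the sample numbers are assumptions; the pf.conf knob that raises the limit is `set limit states N`.

```shell
#!/bin/sh
# Added example, not part of the original thread.  Checks how close pf's state
# table is to its hard limit, which is the first thing to look at when a router
# carrying many customers starts "slowing down" under load: once the table is
# full, pf drops new flows while existing ones keep working.

# pf_state_headroom takes the text of `pfctl -si` and `pfctl -sm` as arguments
# (so it can be run on captured output) and prints "<used> <limit> <percent>".
# It returns 0 when usage is below the warning threshold (default 80%),
# 1 when at or above it, and 2 when the input could not be parsed.
pf_state_headroom() {
    si="$1"; sm="$2"; warn="${3:-80}"
    # `pfctl -si`: "  current entries   N" under the "State Table" heading
    used=$(printf '%s\n' "$si" | awk '/current entries/ { print $3; exit }')
    # `pfctl -sm`: "states   hard limit   N"
    limit=$(printf '%s\n' "$sm" | awk '$1 == "states" && /hard limit/ { print $NF; exit }')
    [ -n "$used" ] && [ -n "$limit" ] && [ "$limit" -gt 0 ] || return 2
    pct=$(( used * 100 / limit ))
    printf '%s %s %s\n' "$used" "$limit" "$pct"
    [ "$pct" -lt "$warn" ]
}

# Live check on an OpenBSD router (as root):
#   pf_state_headroom "$(pfctl -si)" "$(pfctl -sm)" 80

# Constructed sample output (assumed numbers), shaped like the real pfctl lines.
SAMPLE_SI='Status: Enabled for 12 days 03:11:42          Debug: err

State Table                          Total             Rate
  current entries                     9871
  searches                      1234567890         1187.1/s
  inserts                         34567890            3.1/s
  removals                        34558019            3.1/s'

SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   200000'

# With 9871 of 10000 states in use (98%) the table is effectively full at the
# default limit; raise it with "set limit states N" in pf.conf.
if pf_state_headroom "$SAMPLE_SI" "$SAMPLE_SM" 80; then
    echo "state table OK"
else
    echo "WARNING: state table near or at its limit"
fi
```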




support update

2016-02-19 Thread James Shupe
0
C USA
P Texas
T Pflugerville
Z 78691
O HermeTek Network Solutions
I James Shupe
A P.O. Box 2264
M sa...@hermetek.com
U https://www.hermetek.com/bsd-linux-support
B 512.792.2525
X 512.888.9889
N We provide open infrastructure design, development, deployment,
maintenance and training. We specialize in OpenBSD routing and firewall
platforms utilizing OpenBGPD, OpenOSPFD, PF, and other included
technologies.



Re: OpenBSD 5.8 on VMware 5.5

2015-12-01 Thread James Shupe

On 2015-12-01 09:50, Felipe Gomes wrote:

> Folks,
> 
> I've been trying to search for more information on OpenBSD as a VMWare
> guest, but I wasn't able to find much... and the information is pretty much
> outdated.
> 
> What are the recommendations for OpenBSD 5.8 (amd64) as a guest on VMware
> 5.5?
> 
> Guest Operating System: should I pick "Other (64bit)" or FreeBSD?
> 
> How does OpenBSD work with "virtual sockets" and "cores per virtual socket"?
> 
> What is the best NIC? E1000, E1000E, VMXNET2 ENHANCED or VMXNET3?
> 
> What is the recommended SCSI Controller? LSI Logic Parallel, LSI Logic SAS
> or VMware Paravirtual?
> 
> I'd believe that all of these options work... I just don't know which is
> more stable or performs better.
> 
> Any other tips on fine tuning or special settings?
> 
> I'm planning on migrating a few Soekris boxes to virtual machines. Is this
> reliable? Is anyone running production OpenBSD servers on VMware?
> 
> Thanks in advance!



It runs just fine for me. I use "Other (64bit)" and change the NICs to 
vmxnet3. Everything else remains the default.


--
James Shupe



Re: pf vs mp

2015-09-01 Thread James Shupe
On 9/1/2015 3:40 PM, Joseph Borg wrote:
> Maybe this webpage would help you make an informed choice?
> 
> https://calomel.org/pf_config.html
> 

You must be new around here.

-- 
James Shupe



Re: per-vlan traffic control

2015-08-19 Thread James Shupe
On 8/19/2015 3:39 PM, Paulo Coimbra wrote:
> hi,
> This is my first mail to the list. Is it possible to limit traffic by VLAN with
> OpenBSD? For example I would like to limit 50mb for VLAN 100.
> 
> Br,
> 
> Paulo Coimbra

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/pf.conf.5?query=pf.conf&arch=i386

Read the QUEUEING section.



Re: Mapping pf syslog rule numbers to lines in pf.conf

2015-01-26 Thread James Shupe
On 1/26/2015 2:42 PM, Alan McKay wrote:
> Hey folks,
> 
> This one seems to be difficult to google - not coming up with much.
> 
> I have some firewall blocks I want to investigate and of course they
> are reported as matching a specific rule number - but I am not sure
> how to map that back to a line in my pf.conf
> 
> Could someone enlighten me?
> 
> thanks,
> -Alan

pfctl -sr -R rulenum

Further details can be found in the man page.

-- 
James Shupe
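Added example, not from the thread: a POSIX shell helper that pulls the rule number out of tcpdump's pflog decoding and resolves it against `pfctl -sr` output the way `pfctl -sr -R rulenum` does, run on constructed sample rules and log lines. It assumes a ruleset without anchors, so that each output line of `pfctl -sr` is one numbered rule.

```shell
#!/bin/sh
# Added example, not part of the original thread.  Resolves the rule numbers
# that pflog reports ("rule 7/(match) block in on em0: ...") back to the rule
# text pf actually loaded.  pf numbers rules by position in the loaded ruleset,
# starting at 0, and that number is what `pfctl -sr -R N` selects on.

# rule_for_number: $1 is the text of `pfctl -sr`, $2 a rule number.  Prints the
# matching rule; returns 1 if no such rule exists.  Assumes a ruleset without
# anchors, so each output line of `pfctl -sr` is one numbered rule.
rule_for_number() {
    printf '%s\n' "$1" | awk -v n="$2" 'NR - 1 == n { print; found = 1 } END { exit found ? 0 : 1 }'
}

# blocked_flows_by_rule: $1 is tcpdump's decoding of pflog, e.g. from
# `tcpdump -n -e -ttt -r /var/log/pflog` or `tcpdump -n -e -ttt -i pflog0`.
# Keeps only blocked packets and prints "<rule> <dir> <if> <src> > <dst>".
blocked_flows_by_rule() {
    printf '%s\n' "$1" | awk '
        / rule [0-9]+\/[^ ]* block (in|out) on / {
            line = $0
            sub(/^.* rule /, "", line)     # "7/(match) block in on em0: src > dst: ..."
            split(line, f, " ")
            split(f[1], r, "/")            # r[1] is the rule number
            sub(/:$/, "", f[5])            # "em0:" -> "em0"
            sub(/:$/, "", f[8])            # "dst:" -> "dst"
            printf "%s %s %s %s > %s\n", r[1], f[3], f[5], f[6], f[8]
        }'
}

# report_blocked: joins the two, one line per blocked packet.
report_blocked() {
    blocked_flows_by_rule "$1" | while read -r num rest; do
        rule=$(rule_for_number "$2" "$num") || rule="(rule $num not in the loaded ruleset)"
        printf '%s -> rule %s: %s\n' "$rest" "$num" "$rule"
    done
}

# Constructed sample data (documentation addresses, assumed rules), shaped like
# the real `pfctl -sr` and tcpdump pflog output.
SAMPLE_RULES='block return log all
pass out quick inet from 192.0.2.0/24 to any flags S/SA
pass in quick on em0 inet proto tcp from any to 192.0.2.10 port = 443 flags S/SA
block drop in log quick on em0 inet proto tcp from any to any port = 22'

SAMPLE_PFLOG='Jan 26 14:42:01.123456 rule 3/(match) block in on em0: 198.51.100.7.51234 > 192.0.2.10.22: S 1:1(0) win 65535
Jan 26 14:42:02.223456 rule 0/(match) block in on em0: 198.51.100.9.40000 > 192.0.2.10.8080: S 1:1(0) win 65535
Jan 26 14:42:03.323456 rule 2/(match) pass in on em0: 203.0.113.4.50001 > 192.0.2.10.443: S 1:1(0) win 65535'

# Live use on a router (as root):
#   report_blocked "$(tcpdump -n -e -ttt -r /var/log/pflog)" "$(pfctl -sr)"
report_blocked "$SAMPLE_PFLOG" "$SAMPLE_RULES"
```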



Re: Donations to OpenBSD

2014-08-15 Thread James Shupe
Why not just set up a recurring Paypal donation? Even $20/mo should
help, if enough people do it.

-James Shupe



Re: reload isakmpd

2014-07-25 Thread James Shupe
> Note that this doesn't clear old config, so you can't use it to tear
> down sessions that you no longer want - you can paste the relevant
> config lines to ipsecctl -df - to delete them though.

As an added note for ipsecctl -df, you can break all your peers into
their own files and include them from the main ipsec.conf. Then you can
ipsecctl -df /etc/ipsec/peer.conf...

When you have several dozen peers, it makes troubleshooting individual
ones a bit easier.

-- 
James Shupe



Re: OpenBSD email provider

2014-03-18 Thread James Shupe

On 3/15/2014 11:54 AM, Jean-Francois Simon wrote:

> Hello all,
> 
> I'm looking for a secure mail provider, if possible using OpenBSD, also
> wondering if OpenBSD itself provides it for interested people.
> If anybody has information, it would be interesting to share; thanks.
> 
> Regards
> 
> Jeff

Get an inexpensive OpenBSD VPS and do it yourself. You don't have to 
muck with your ISP at that point.



--
James Shupe



Does anybody know if suspend/resume works on Lenovo X1C?

2013-12-27 Thread James Shupe
It's time for a new laptop and I can't find this specific bit of 
information online.


Can anybody tell me if suspend/resume works properly on the Lenovo X1C?

--
James Shupe



Re: OpenBSD VPS Providers

2013-12-11 Thread James Shupe
On 12/11/2013 10:45 AM, James Records wrote:
> Hi,
> 
> Take a look at www.hermetek.com. I've used them for OpenBSD hosting, they
> were great and very flexible.
> 
> Best

Thanks for the mention; we always appreciate it.

We don't offer the APIs or host control the OP is looking for, and we're
not likely to in the near future. That being said, this is a decision we
made because virtualization and shared hardware already present risks of
their own; no need to add to them with APIs and unmonitored hypervisor
and/or network operations. Anybody wanting to run OpenBSD in the cloud
should remember that a secure OS is not enough; the platform it runs on
must be trustworthy as well. This has been discussed, or at least
virtualization has, many times over the years on this mailing list. We
do our best to mitigate the risks and still have the benefits of
virtualization - it's a fine line that different opinions may draw at
different points.

<plug>If anybody from this list needs a VM, contact me and I'll see what
kind of deal I can make you.</plug>

-- 
James Shupe, HermeTek
developer/ engineer
BSD/ Linux support & hosting
jsh...@hermetek.com | www.hermetek.com
Office 8662351288 | Mobile 9035223425



Re: Sorry: Facebook again

2013-10-21 Thread James Shupe
On 10/21/2013 9:08 PM, Chris Cappuccio wrote:
> I wrote up a guide for all you fascists to exercise your power with
> relayd.
> 
> Here's the early, unedited version:
> 
> http://www.nmedia.net/chris/url.blacklist.txt

FYI: 403 forbidden

-- 
James Shupe



[OT] OpenBSD Network Specialist wanted in Kilgore, Texas

2013-10-01 Thread James Shupe
I know this is off topic, but I'm looking to help fill my old position 
after moving away from East Texas.


The company is located in Kilgore, Texas and runs a WAN based heavily on 
OpenBSD (over a hundred OpenBSD boxes in router/firewall/VPN roles) and 
Cisco/ Netgear Prosafe switches. They are looking for somebody who is 
experienced with OpenBSD and capable of designing, implementing, and 
maintaining OpenBSD infrastructure as well as supporting FreeBSD, Linux, 
and Windows servers. The company is stable, has been around for several 
decades, and has a few hundred full time employees.


A few highlights of what you will need to know:
- i386/amd64 hardware (Alix, Soekris, Supermicro, HP, Dell)
- OpenBSD/ FreeBSD/ CentOS/ VMware ESXi
- BGP/ OSPF/ EIGRP
- LACP/ VLANs, subnetting, etc
- PF/ iptables/ Cisco ACLs
- IPv6 (the deployment is dual stack, so this is a huge plus)
- ZFS
- Perl

There is an existing employee who is still there and has a good 
understanding of the existing infrastructure, so you wouldn't be working 
alone. Not everything is necessarily expected right away, but the 
ability and willingness to learn is.


Salary is DOE and ranges from 52-72K for this specific position, but any 
applicants would unfortunately be expected to cover their own relocation 
costs because of the way funding is distributed. This is an on site 
position and telecommuting is off the table. Email me privately for more 
information.


--
James Shupe, HermeTek
developer/ engineer
BSD/ Linux support & hosting
jsh...@hermetek.com | www.hermetek.com
Office 8662351288 | Mobile 9035223425



Re: OpenBSD not forwarding to specific sites

2013-09-30 Thread James Shupe

On 2013-09-30 08:18, John Tate wrote:

> I am having trouble with IP forwarding to specific sites on a very
> typical configuration. The router itself can access these sites but
> clients cannot. I have looked in obvious places on the clients, but I
> cannot find a cause. I reinstalled OpenBSD on the router after getting
> SSL errors where SSL servers could not be reached from clients, and I
> bought a cheap Netgear router to use which works fine, ruling out that
> my ISP is causing problems.



Have you tried setting your max-mss to something like 1440 or 1400?

Usually that's necessary with DSL... or else you end up with very 
selective browsing.




Re: OpenBSD not forwarding to specific sites

2013-09-30 Thread James Shupe

On 2013-09-30 11:12, John Tate wrote:

> This part of the manual is out of date and the syntax does not work
> with pf in OpenBSD 5.3:
> 
> While pppoe(8) has an internal option, ``mssfixup'', which is enabled by
> default and takes care of this, pppoe users have to rely on other
> methods.  Using a packet filter, the maximum segment size (MSS) can be
> set (clamped) to the required value.  The following rule in pf.conf(5)
> would set the MSS to 1440:
> 
> match on pppoe0 scrub (max-mss 1440)



It works fine for me on several boxes with 5.3.

$ uname -smr
OpenBSD 5.3 amd64
$ sudo pfctl -sr | grep 'max-mss 1440'
match on pppoe0 all scrub (max-mss 1440)

--
James Shupe



Re: OpenBSD not forwarding to specific sites

2013-09-30 Thread James Shupe

> set reassemble yes no-df
> match in on pppoe0 scrub (max-mss 1440 no-df reassemble tcp)


match in on? You need to match both directions.

Also, stop top posting.

--
James Shupe



Re: OpenBSD not forwarding to specific sites

2013-09-30 Thread James Shupe
Try just match on pppoe0 scrub (max-mss 1400 no-df) and remove the 
reassemble line.



--
James Shupe



Re: Attn. VMware users / OpenBSD 5.3 kernel panic on boot

2013-05-02 Thread James Shupe
> I just tried to upgrade a VMware machine from OpenBSD 5.2 to OpenBSD
> 5.3. Sadly with the new 5.3 kernel it panics when it gets to the CPUs.
> 
> http://s10.postimg.org/v50muwvqx/crash1.png
> http://s9.postimg.org/4wjed57rj/crash2.png
> 
> For now I was able to boot the system with the old 5.2 kernel.
> 
> Any help would be appreciated.


What VMware version? Works fine in my environment so far.

-- 
James Shupe



Re: 5.2 amd64 php and apache problem

2013-02-04 Thread James Shupe
Why is that in the cgi-bin directory to begin with? Do you have
shorttags enabled in php.ini?

--
James Shupe




Re: Running OpenBSD on Raspberry Pi

2013-01-04 Thread James Shupe
On 1/4/2013 2:58 PM, Dan Shechter wrote:
> You have all failed to mention that the ALIX devices come with Swiss
> chocolates in the package!
> Best regards,
> Dan


Ours didn't! I was unaware of that! NETGATE?!!

--
James Shupe




Re: Running OpenBSD on Raspberry Pi

2013-01-03 Thread James Shupe
On 1/3/2013 1:08 PM, Gene wrote:
> On Tue, Jan 1, 2013 at 1:31 AM, Bruno Flückiger inform...@gmx.net wrote:
> > On 12/31/12 14:17, BARDOU Pierre wrote:
> >
> > > I would be very interested by an OpenBSD port too.
> > > Usage : home router with firewall, DNS and DHCP.
> > >
> > > I am looking into FreeBSD and NetBSD ports, but I would prefer to have
> > > the latest PF and OpenSSH versions... plus I am more used to OpenBSD
> > > and I like using it
> > >
> > > If somebody knows X86 hardware able to do the same (routing/firewalling
> > > 20 mbps traffic, VLAN, fits in a tiny box, power consumption below 5W,
> > > price around 50$) as the raspberry I am interested BTW.
> >
> > A lot of different embedded devices which base on x86 cpus, just ask the
> > web search engine of your trust. It will be hard to get it for only
> > $50. But paying some more bucks for a system which fits the needs is
> > justified in my opinion.
> >
> > My personal favorites are the boxes from this small company in
> > Switzerland:
> >
> > http://www.pcengines.ch
> >
> > Regards,
> > Bruno
>
> The ALIX hardware is incredible.  I own two of the ALIX boards (2d3
> and 2d13), the second one I picked up recently on eBay for $150 with
> case and power supply, I added a CF card for an additional ~$10.  I
> already have a serial cable on hand, but that would be at most another
> $10-$20 to procure.
>
> The ALIX.2d13 has three full fast ethernet (10/100) NICs that aren't
> USB devices on a headless x86 compatible system that will utilise ~5W
> at high to full load for under $200.  All in one enclosure and rock
> solid.
>
> Sure, that may sound expensive, but after purchasing a Raspberry Pi
> with a powered USB hub, one or two USB fast ethernet adapters, an SD
> card, and whatever other accessories you need it isn't that much of a
> price difference.
>
> Or, you can buy a cheap Atom box, throw in some storage and RAM, and
> have a much more powerful system at the expense of higher energy
> usage.
>
> http://www.newegg.com/Product/Product.aspx?Item=N82E16856205007
>
> That one costs $130 (+taxes and shipping) and has two gig-e NICs.
>
> I own a couple of the Raspberry Pi units.  They're fantastic little
> devices, but you'll have to use Linux and have a hodge-podge of
> accessories to go with it.
>
> -Gene
>
> (if you see this message twice please forgive me, I'm bad at mailing lists)




Alix hardware is great. I just felt the need to share this photo of my
office around this time last year... http://i.imgur.com/c528h.jpg

--
James Shupe




Re: Running OpenBSD on Raspberry Pi

2013-01-03 Thread James Shupe
On 1/3/2013 8:26 PM, Aaron Mason wrote:
> On Fri, Jan 4, 2013 at 11:52 AM, James Shupe jsh...@hermetek.com wrote:
> > On 1/3/2013 1:08 PM, Gene wrote:
> > > On Tue, Jan 1, 2013 at 1:31 AM, Bruno Flückiger inform...@gmx.net wrote:
> > > > On 12/31/12 14:17, BARDOU Pierre wrote:
> > > >
> > > > > I would be very interested by an OpenBSD port too.
> > > > > Usage : home router with firewall, DNS and DHCP.
> > > > >
> > > > > I am looking into FreeBSD and NetBSD ports, but I would prefer to have
> > > > > the latest PF and OpenSSH versions... plus I am more used to OpenBSD
> > > > > and I like using it
> > > > >
> > > > > If somebody knows X86 hardware able to do the same (routing/firewalling
> > > > > 20 mbps traffic, VLAN, fits in a tiny box, power consumption below 5W,
> > > > > price around 50$) as the raspberry I am interested BTW.
> > > >
> > > > A lot of different embedded devices which base on x86 cpus, just ask the
> > > > web search engine of your trust. It will be hard to get it for only
> > > > $50. But paying some more bucks for a system which fits the needs is
> > > > justified in my opinion.
> > > >
> > > > My personal favorites are the boxes from this small company in
> > > > Switzerland:
> > > >
> > > > http://www.pcengines.ch
> > > >
> > > > Regards,
> > > > Bruno
> > >
> > > The ALIX hardware is incredible.  I own two of the ALIX boards (2d3
> > > and 2d13), the second one I picked up recently on eBay for $150 with
> > > case and power supply, I added a CF card for an additional ~$10.  I
> > > already have a serial cable on hand, but that would be at most another
> > > $10-$20 to procure.
> > >
> > > The ALIX.2d13 has three full fast ethernet (10/100) NICs that aren't
> > > USB devices on a headless x86 compatible system that will utilise ~5W
> > > at high to full load for under $200.  All in one enclosure and rock
> > > solid.
> > >
> > > Sure, that may sound expensive, but after purchasing a Raspberry Pi
> > > with a powered USB hub, one or two USB fast ethernet adapters, an SD
> > > card, and whatever other accessories you need it isn't that much of a
> > > price difference.
> > >
> > > Or, you can buy a cheap Atom box, throw in some storage and RAM, and
> > > have a much more powerful system at the expense of higher energy
> > > usage.
> > >
> > > http://www.newegg.com/Product/Product.aspx?Item=N82E16856205007
> > >
> > > That one costs $130 (+taxes and shipping) and has two gig-e NICs.
> > >
> > > I own a couple of the Raspberry Pi units.  They're fantastic little
> > > devices, but you'll have to use Linux and have a hodge-podge of
> > > accessories to go with it.
> > >
> > > -Gene
> > >
> > > (if you see this message twice please forgive me, I'm bad at mailing
> > > lists)
> >
> > Alix hardware is great. I just felt the need to share this photo of my
> > office around this time last year... http://i.imgur.com/c528h.jpg
> >
> > --
> > James Shupe


> Bugger me that's a whole lotta ALiX... 2d3 or 2d13?


They're the 2D13 boards, with Kingston CFs. Of all of those, the only
problems we've had were a few DOA CF cards.

They're running OpenBSD + OpenVPN and serving as VPN concatenators
(that's what we're calling them, anyway). We have employees working at
third party locations where we do not maintain control of their
networks, and need all of our staff's devices -- including network
printers (that can't run VPN software, obviously), etc., to appear as
though they are on our local network. We chose OpenVPN over IPsec
because of the single port requirement and the fact that most of these
sites have outbound traffic blocked by default. We run a few server
instances on the other end, on various common ports to increase the
chances of success calling home. Each device has between one and six
desktops behind it, along with one or two Xerox machines, and some other
junk that has to be brought back to us.

--
James Shupe




Re: PF block log all and ddos issue

2012-12-28 Thread James Shupe
> But I still wonder why my firewall freezes when
> logging all blocked udp 53 requests.
> The attack is not too heavy. I had seen
> much worse before.


- Check interrupt usage
- Check states to make sure the reason it seems unresponsive isn't due
to the state table being full

Without more information from the machine, we don't have a lot of advice
we can really give.

--
James Shupe




Re: OpenBGPd / Juniper 'bug' / BGP session flapping

2012-11-28 Thread James Shupe

On 8/6/2012 4:15 PM, Claudio Jeker wrote:
> On Mon, Aug 06, 2012 at 10:34:22PM +0200, Laurent CARON wrote:
> > Hi,
> > 
> > I'm hit by a rather nasty OpenBGPd 'bug' causing sessions to
> > flap (basically go down/up/...).
> > 
> > One of the prefixes is: 81.169.0.0/17
> > 
> > Description of bug 
> > https://puck.nether.net/pipermail/juniper-nsp/2012-July/023774.html
> > 
> > Is the included fix
> > (((s & 0xf0) & ~(ATTR_EXTLEN | (m))) == (t)) instead of just 
> > (((s) & ~(ATTR_EXTLEN | (m))) == (t))
> > 
> > sufficient ?
> 
> I would prefer something like this. Since then we ensure that we do
> not forward crap (as in we regard the RFC and send nothing with
> reserved bits set). AFAIK there is nothing out there that started
> to use the reserved bits so I'm curious how that happened again.
> 
> Only compile tested for now.

I ran across this today after AboveNET upgraded some routers (I would
have appreciated a maintenance notice...)

I applied Claudio's patch and the sessions came back up and have been
stable for the last half hour. I'll check back in if there are any issues.

We have both IPv4 and IPv6 sessions with them, and the IPv6 sessions
were unaffected (for what it's worth). This patch is running on two of
our routers.

Thank you,
-- 
James Shupe



Re: Hardware hunting

2012-11-15 Thread James Shupe
On 11/15/12 4:06 PM, Joel Wirāmu Pauling wrote:
> Have Soekris put out a Gbit NIC platform yet? I stopped using them because
> of this reason.
> 
> -Joel


Yeah, the 6501 series is awesome. A bit pricey, but definitely something
I recommend.

On another note, I use some old Wyse WT941GL machines I bought off eBay
for my test lab. They're VIA 1Ghz/ 256MB RAM machines that I shoved some
cheap HP dual (you could probably find quad) port NICs (also from eBay)
into. I think I have about $100 into each one of them, and they would be
great for a non-mission critical environment where you don't mind
throwing in some used hardware.


--
James Shupe




Re: http/https timeouts with OpenBSD based firewall

2012-10-22 Thread James Shupe
On 10/22/12 15:16, Marcin wrote:
> Hi,
> 
> I recently upgraded to 5.1, but I was able to reproduce the issue
> described below with 4.8, 5.0 and 5.2 snapshot.
> 
> After the upgrade I discovered that workstations behind the OpenBSD
> firewall experience occasional timeouts
> while trying to access web servers running IIS 6.0 on Windows 2003
> Server. The firewall itself is not affected.
> The problem is rather intermittent and happens with 30%-50% of
> requests. The workstations are running Windows 7,
> Windows XP and Linux.
> 
> I was also able to reproduce the issue by installing Windows 2003 R2
> server in default configuration,
> setting up extremely basic PF rules to redirect port 80 and accessing
> the server from the Internet. I was unable to expose
> this issue in LAN, which suggests it might happen only on links slower
> than 100Mbit. However, it seems to
> be hardware independent (although all tests were run on i386 arch) as
> I achieve the same results on three
> different machines in three different geographic locations connected
> via independent ISPs.
> 
> This is how the problem can be exposed with curl:
> 
> #curl -vI http://www.startvbdotnet.com/
> * About to connect() to www.startvbdotnet.com port 80 (#0)
> *   Trying 64.79.160.13... connected
> > HEAD / HTTP/1.1
> > User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> > Host: www.startvbdotnet.com
> > Accept: */*
> >
> * Recv failure: Connection reset by peer
> * Closing connection #0
> curl: (56) Recv failure: Connection reset by peer
> 
> I uploaded the tcpdump from the machine running curl here:
> http://pastebin.com/AkqCeQwW
> 
> As far as I can tell, the Win 2008 and Win 2012 are not affected.
> Also, the 4.5 seemed to be free from this problem.
> 
> Thanks in advance for any suggestions / workarounds!
> 
> --
> Regards,
> Marcin




Please post the following things:

- output of `pfctl -si`
- your pf ruleset
- output of `vmstat -m`

--
James Shupe




Re: pfsense and or OpenBSD Home router.

2012-09-11 Thread James Shupe
On 9/11/12 8:21 AM, Michel Blais wrote:
> On 2012-09-11 05:38, Shaka Nkofo wrote:
> > http://store.netgate.com/Desktop-Kits-C82.aspx
> > 
> > I found this shop while looking for parts to build a home router. Has
> > anyone been through this and can give me links to cheap parts within
> > Europe?
> > 
> > Any advice on the pitfalls of this process is welcome
> > 
> > Shaka
> 
> 
> You could also look at soekris :
> http://www.soekris.eu/shop/index.php



Not from within Europe, but we use the Alix machines very heavily and
have ordered over a hundred from Netgate. We've had great luck with the
2D13 boards and the vendor.


--
James Shupe




Re: Hardware/System Question

2012-06-23 Thread James Shupe
On 06/23/2012 01:12 PM, Stuart Henderson wrote:
> On 2012/06/23 11:02, Ben Calvert wrote:
> > Optiplexes have a reputation for spontaneously letting the magic smoke out
> > of their own power supply capacitors. hard to recommend unless you have a good
> > support deal with dell
> 
> Knowing which way round to hold a soldering iron is a useful skill
> if you're dealing with cheap hardware :)




While on the subject of cheap hardware

My test lab is made of a bunch of Wyse 941GXLs I bought on eBay.

http://www.ebay.com/itm/Wyse-Terminals-Lot-of-5-FREE-SHIPPING-/120922782473?pt=US_Thin_Clients&hash=item1c278f3b09

Mine specifically have Via C3 1Ghz CPUs (i386 only) with 256MB RAM (with
an empty DIMM slot) and I use IDE to CF adapters like these:

http://www.ebay.com/itm/Compact-Flash-CF-to-3-5-Female-40-Pin-IDE-Bootable-Adapter-Converter-Card-/120937687353?pt=US_Drive_Cables_dapters&hash=item1c2872a939

... (with CF cards, of course) for the boot disks. The cards are kind of
a tight fit, but you can still add a half-length PCI card to the units,
and I have mine populated with these:

http://www.ebay.com/itm/Dell-Intel-PRO-100-Dual-Port-Server-Adapter-9213P-/200739620019?pt=US_Internal_Network_Cards&hash=item2ebd0384b3

I haven't had any issues out of any of them, running at times for weeks
on end doing various tasks. They're also silent :)

I spent about $100 on each of them a while back, and prices look to have
come down a good bit since then. A very good purchase, in my opinion.



I don't really think these fit your needs very well, but thought I'd
throw these out there while the subject was on cheap hardware. *I'd
personally look at* some of the more current and powerful Mini-ITX
stuff. You can even get LGA1155 Mini-ITX boards nowadays, with i7
processor support for around $75 (Intel BOXDH61DLB3, for example) and
add whatever components you want to it. If you're on a budget, a Celeron
G530 should work and would kill an Atom or E-350 at any task.

Thank you,
--
James Shupe




Re: OpenBSD is just an OS, not a firewall...

2012-06-10 Thread James Shupe
On 06/10/2012 12:58 PM, Ted Unangst wrote:
> some nitwit hijacked the comment thread.

I couldn't resist feeding the troll. This thread can die now, too.

--
James Shupe




Re: I need your comeback with reverse-proxy

2012-06-09 Thread James Shupe
On 06/09/2012 10:52 AM, hvom .org wrote:
> Hi
> 
> To protect my web server, I use a reverse proxy.
> 
> Two good choices:
> 
> choice 1 : Varnish
> 
> choice 2 : Nginx
> 
> 
> My webserver is Yaws. Depending on your replies, the best pairing is Yaws-
> Varnish or Yaws-Nginx.
> 
> Tips, and thank you for your feedback.
> 
> Cordially




Nginx, especially since it's in base and works fine for that.

--
James Shupe




Re: OpenBSD is just an OS, not a firewall...

2012-06-09 Thread James Shupe
On 06/09/2012 10:52 PM, Lars Hansson wrote:
> Hmm..I get "This post could not be found."
> 
> Cheers,
> Lars
> 
> 
> On Sat, Jun 9, 2012 at 1:55 AM, Chris Smith obsd_m...@chrissmith.org
> wrote:
> > ... if you really want a firewall you need pfSense.
> > 
> > Also if you walk into any security experts convention and claim that
> > raw OpenBSD is a firewall, you will get laughed out of the room for
> > lack of clue.
> > 
> > Guess I've been wrong all these years: see the comments to
> > https://plus.google.com/u/0/104027218792812194992/posts/K3NsGE2UrCe



Troll posts are often lost...

--
James Shupe




Re: OpenBSD is just an OS, not a firewall...

2012-06-08 Thread James Shupe
On 06/08/2012 12:55 PM, Chris Smith wrote:
> ... if you really want a firewall you need pfSense.
> 
> Also if you walk into any security experts convention and claim that
> raw OpenBSD is a firewall, you will get laughed out of the room for
> lack of clue.
> 
> Guess I've been wrong all these years: see the comments to
> https://plus.google.com/u/0/104027218792812194992/posts/K3NsGE2UrCe




I was just reading that and cringing.


--
James Shupe




Re: More bgpd problems

2012-05-30 Thread James Shupe
On 05/30/2012 04:27 AM, Matt Hamilton wrote:
> James Shupe jshupe at hermetek.com writes:
> 
> > I've been running it to peer with 3 IPv4 peers and 3 IPv6 peers (full
> > views) and another partial IPv4 view with 12k routes (actually: varying
> > amounts of peers over the years, but that's the current setup) since 4.5
> > without needing any cron jobs to watch over it.
> 
> It looks like the issue is likely to be bgpd's interaction with ospfd
> and/or CARP. I have CARP configured on two routers that act as gateways to one
> of our upstream providers. They speak OSPF and BGP to internal
> routers and routers that peer with other remote networks. So I think
> what happens is a CARP failover happens (they are quite regular for some
> reason, but it's never bothered me as it just works) and that causes
> OSPF to change its metrics which in turn causes routing changes in BGP.
> It's this propagation of events that I think is causing issues.


We've always been running OSPFD and, since 4.7/4.8? or so, OSPF6D
(that's when it became usable for us), without issue. We also run CARP,
because these routers are installed in pairs and also act as default
gateways for machines directly behind them... so neither of those is
ruled out in our setup.

> > nrpe and ifstated run to verify the peers are up and react accordingly,
> > but they never trigger unless there is a physical or provider issue.
> > OpenBGPD has been rock solid for us.
> 
> I'd be very interested to see your ifstated config and how you use
> that to verify peers being up as we could do with some better
> monitoring here.

I'll get something together when I'm at work later, I'm shooting this
email off real quick before I leave the house.


> -Matt




Thank you,
--
James Shupe




Re: More bgpd problems

2012-05-29 Thread James Shupe
On 05/29/2012 05:41 AM, Garry Dolley wrote:
> On Tue, May 29, 2012 at 08:57:54AM +, Matt Hamilton wrote:
> > Hi all,
> > 
> > More bgpd problems last night :( This happened last night on two of our
> > routers. One running an old version of OpenBSD (4.3) and one running
> > 5.1. Is there anyone out there actually using bgpd in production? How
> 
> Yes.  For the record I run it on OpenBSD 4.4; IPv6 traffic only.
> While there have been some quirks over the years, I've never seen it
> quit.


I've been running it to peer with 3 IPv4 peers and 3 IPv6 peers (full
views) and another partial IPv4 view with 12k routes (actually: varying
amounts of peers over the years, but that's the current setup) since 4.5
without needing any cron jobs to watch over it.

nrpe and ifstated run to verify the peers are up and react accordingly,
but they never trigger unless there is a physical or provider issue.
OpenBGPD has been rock solid for us.

--
James Shupe




Re: mirror.ece.vt.edu syncing

2012-05-03 Thread James Shupe
On 05/03/2012 09:03 PM, Matthew Via wrote:
 Hi, I am the owner of mirror.ece.vt.edu.  I had the mirror added about a
 year ago, and I try (with decent success) to keep it up to date, but
 both the tier1 mirror I was assigned (ftp5.usa.openbsd.org) and
 ftp3.usa.openbsd.org will never sync with me at more than 100-200 KB/s,
 and frequently disconnect after only a few hours of syncing.  All other
 mirrors I've looked at have had 5.1 since it came out, I am still
 syncing days later.

 Is there anything that can be done? Was my machine supposed to be
 whitelisted but didn't?  I have a symmetric 100 Mbit connection, so I
 know it is not me.

 Thank you, Matthew

I run mirror.esc7.net and found the same speeds (200KB/s) from ftp3 and
ftp5 over the last couple of days. I finally moved to ftp.ch.openbsd.org
and found 1-2MB/s. We're still trying to get into sync after that.

We have 1Gbit AboveNet, 1Gbit Cogent, 1Gbit I2, and 1Gbit Cogent/L3
blend through TEA (peering courtesy of OpenBGPD!).

I've tried statically routing over specific peers to no avail.

Thank you,
James Shupe




Re: VLAN on LACP trunk on em

2012-04-19 Thread James Shupe
On Thu, 2012-04-19 at 14:08 +0200, Henning Brauer wrote:
 * Steve Shockley steve.shock...@shockley.net [2012-04-19 05:29]:
  The machine I'm using is running an old version of OpenBSD, so I
  suspect it might be a long-fixed bug.  Before I continue banging my
  head against the wall, _should_ my configuration work?  I did find a
  message (http://marc.info/?l=openbsd-misc&m=130886074113099&w=2,
  second-to-last paragraph) that implied that it might not, so if
  someone has multiple VLANs working on an LACP trunk on em that'd be
  good to know.
 
 that is not only supposed to work, it usually does, I use this setup -
 two ems, trunk, vlans on top of the trunk - a lot. most of the time
 with trunk in failover mode, but that shouldn't make a difference. You
 might see a bug in your switch here.
 

I've actually done this - VLAN on LACP on em on that exact switch
before. I still have one of those switches laying around to re-test with
and check the firmware version, but I know it works.

-- 
James Shupe



Re: VLAN on LACP trunk on em

2012-04-18 Thread James Shupe
On 04/18/2012 10:28 PM, Steve Shockley wrote:
 I'm having some trouble getting multiple VLANs to work between a
 PowerConnect 5224 switch, an LACP trunk, and two em ports.
 
 I'm able to get the LACP trunk working and get one VLAN working, but I
 can't get any other VLANs working.  Traffic for the one VLAN that works
 seems to arrive both tagged and untagged on the trunk interface.
 
 
 The machine I'm using is running an old version of OpenBSD, so I suspect
 it might be a long-fixed bug.  Before I continue banging my head against
 the wall, _should_ my configuration work?  I did find a message
 (http://marc.info/?l=openbsd-misc&m=130886074113099&w=2, second-to-last
 paragraph) that implied that it might not, so if someone has multiple
 VLANs working on an LACP trunk on em that'd be good to know.
 
 Thanks.
 

Works fine for me, even with the same switch (before upgrading to
something newer).

$ uname -srm
OpenBSD 5.0 amd64
$ ifconfig trunk0 | grep -E 'trunkproto|trunkport'
trunk: trunkproto lacp
trunkport em3 active,collecting,distributing
trunkport em2 active,collecting,distributing
$ ifconfig trunk1 | grep -E 'trunkproto|trunkport'
trunk: trunkproto lacp
trunkport em1 active,collecting,distributing
trunkport em0 active,collecting,distributing
$ ifconfig vlan | grep parent
vlan: 160 priority: 0 parent interface: trunk0
vlan: 161 priority: 0 parent interface: trunk1
vlan: 167 priority: 0 parent interface: trunk0
vlan: 186 priority: 0 parent interface: trunk1
vlan: 2 priority: 0 parent interface: trunk1
vlan: 200 priority: 0 parent interface: trunk0
vlan: 250 priority: 0 parent interface: trunk0
vlan: 255 priority: 0 parent interface: trunk0
vlan: 2857 priority: 0 parent interface: trunk0
vlan: 300 priority: 0 parent interface: trunk0
vlan: 301 priority: 0 parent interface: trunk0
vlan: 904 priority: 0 parent interface: trunk0
vlan: 905 priority: 0 parent interface: trunk0
vlan: 907 priority: 0 parent interface: trunk0
vlan: 918 priority: 0 parent interface: trunk0
vlan: 998 priority: 0 parent interface: trunk1
vlan: 999 priority: 0 parent interface: trunk1

I've been using this config for several releases -- I know for a fact
that this specific client has been running that configuration since 4.6.
Upgrade and post your configs.

-- 
James Shupe



Re: openbsd / ipsec / hardware

2012-04-02 Thread James Shupe
 would you mind posting your (sanitized) openvpn configuration, as well
 as your bandwidth measuring method?
 
 i attempted this today and am seeing much less than 14Mbps. i'm probably
 not measuring the same way, however, as i'm using a simple scp which 
 obviously has its own overhead - but does give me what i believe to be
 a fair comparison (testing with and without vpn).
 
 

One end of the VPN is a Celeron E3300 w/ 4GB RAM and no crypto
accelerator. There is a 20Mbit metro-ethernet connection here that is
being shared with about 300 PCs at a school. The other end is an Alix
2d13. The 2d13 has this config:

---
/etc/hostname.tun0
---
up
!/usr/local/sbin/openvpn --daemon --config /etc/openvpn/client.conf
---

---
/etc/openvpn/client.conf
---
client
float
dev tun0
proto udp
remote w.x.y.z 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
tls-auth /etc/openvpn/ta.key 0
ns-cert-type server
comp-lzo
verb 3
engine cryptodev
cipher aes-128-cbc
---

---
/etc/sysctl.conf
---
kern.usercrypto=1
---

---
iperf on vpn client acting as client
---
$ iperf -i 2 -t 30 -c 192.168.176.1

Client connecting to 192.168.176.1, TCP port 5001
TCP window size: 16.9 KByte (default)

[  3] local 192.168.176.6 port 4863 connected with 192.168.176.1 port 5001
[ ID] Interval   Transfer Bandwidth
[  3]  0.0- 2.0 sec  2.62 MBytes  11.0 Mbits/sec
[  3]  2.0- 4.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3]  4.0- 6.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3]  6.0- 8.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3]  8.0-10.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3] 10.0-12.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3] 12.0-14.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3] 14.0-16.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3] 16.0-18.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3] 18.0-20.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3] 20.0-22.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3] 22.0-24.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3] 24.0-26.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3] 26.0-28.0 sec  3.12 MBytes  13.1 Mbits/sec
[  3] 28.0-30.0 sec  3.25 MBytes  13.6 Mbits/sec
[  3]  0.0-30.2 sec  47.4 MBytes  13.2 Mbits/sec
---

---
iperf on vpn client acting as server
---
$ iperf -s

Server listening on TCP port 5001
TCP window size: 16.0 KByte (default)

[  4] local 192.168.176.6 port 5001 connected with 192.168.176.1 port 13679
[ ID] Interval   Transfer Bandwidth
[  4]  0.0-30.1 sec  51.8 MBytes  14.4 Mbits/sec
---

Thank you,
James Shupe



Re: openbsd / ipsec / hardware

2012-04-02 Thread James Shupe
 as well as your bandwidth measuring method?

You may also look at tcpbench, which is in base. It's not on the Alix
box because I'm using a stripped down flashboot image... I just grabbed
the first thing that came to mind and installed it, which happened to be
iperf.

-- 
James Shupe



Re: openbsd / ipsec / hardware

2012-03-30 Thread James Shupe
On 03/30/2012 03:16 PM, Dewey Hylton wrote:
 i'm getting ready to implement a few new site-to-site vpns using openbsd,
and am on the hunt for appropriate hardware. i have several alix (geode) and
lanner (intel atom) boxes working wonderfully as firewalls and routers, but
neither type are able to provide enough throughput when ipsec is added to
their roles.

 the lanner boxes can't accept add-in cards. the alix can accept a minipci,
and i know that soekris makes a crypto accelerator (hifn?) that may help - but
i'm not sure that'll be enough oompf either. our site-to-site link will
provide up to 20Mbps, but the lanner box is topping out at 3.3Mbps with ipsec
and the alix is at 1.5Mbps.

 can anyone point me to a matrix of hardware types and their crypto
performance benchmarks with openbsd, or at least make recommendations based on
real-world use?

 i'm using defaults for my ipsec configuration, so this is what i'm testing
with: auth hmac-sha2-256 enc aes

 thanks for your time.


The Alix has a crypto accelerator that supports AES-128-CBC. You should
get around 14Mbps using aes-128 and turning on kern.usercrypto.




Re: openbsd / ipsec / hardware

2012-03-30 Thread James Shupe
On 03/30/2012 03:16 PM, Dewey Hylton wrote:
 i'm getting ready to implement a few new site-to-site vpns using openbsd,
and am on the hunt for appropriate hardware. i have several alix (geode) and
lanner (intel atom) boxes working wonderfully as firewalls and routers, but
neither type are able to provide enough throughput when ipsec is added to
their roles.

 the lanner boxes can't accept add-in cards. the alix can accept a minipci,
and i know that soekris makes a crypto accelerator (hifn?) that may help - but
i'm not sure that'll be enough oompf either. our site-to-site link will
provide up to 20Mbps, but the lanner box is topping out at 3.3Mbps with ipsec
and the alix is at 1.5Mbps.

 can anyone point me to a matrix of hardware types and their crypto
performance benchmarks with openbsd, or at least make recommendations based on
real-world use?

 i'm using defaults for my ipsec configuration, so this is what i'm testing
with: auth hmac-sha2-256 enc aes

 thanks for your time.


I just sent "The Alix has a crypto accelerator that supports
AES-128-CBC. You should get around 14Mbps using aes-128 and turning on
kern.usercrypto."

I just realised that won't make a difference for IPSec since that's all
in the kernel. My 14Mbps figures were tested using OpenVPN.




Re: openbsd / ipsec / hardware

2012-03-30 Thread James Shupe
 I don't see the point with setting kern.usercrypto=1, all support for enc/dec
 you get already from the hw+kernel.
 IPSec stack already used the HW if supported, else you get software based
 enc/dec.
 
 //mxb

I replied to my original email about 45 seconds after I wrote it,
pointing that out. I also mentioned that my speed testing was done with
OpenVPN, which is where that is advantageous.

I also checked the aes enc type in the man page and found that he was
already using aes-128 (I figured it would default to 256).



Re: My OpenBSD 5.0 installation experience (long rant)

2012-03-07 Thread James Shupe
 So I think a pronounced confirmation question before touching the disk
 is not a bad thing. It is what many would expect.

I didn't know that the devs were in the business of holding hands.

OpenBSD has the best installer of any OS, hands down. It's tiny,
scriptable, to the point, and does exactly what you tell it to. The OS
is by the devs, for the devs, and if you're fortunate enough to be able
to use it, good for you. But don't complain about user friendliness
being at the bottom of their list.

-- 
James Shupe



Re: installation to (W)hole disk - saner default

2012-03-07 Thread James Shupe
 I'm not sure about this part, actually. I won't make statements about
 the OpenBSD community as whole, but in my experience using the whole
 disk is the most typical action.
 

Every one of the installs I do uses the whole disk. The installer is
best left alone because it fits the typical use case -- especially for
those of us with mass deployments.

Take your one-off, single user PC installs and RTFM.

-- 
James Shupe



Re: Backup Redundancy Etcetera

2012-02-06 Thread James Shupe
On 02/06/2012 03:10 AM, David Walker wrote:
 Hey.

 Currently my backup regime is woeful.
 I have years worth of work on a Windows machine and some stuff
 scattered across OpenBSD machines.


You might want to look at Bacula.




Re: Backup Redundancy Etcetera

2012-02-06 Thread James Shupe
 I'll try scripting NFS maybe in combination with dump on the OpenBSD
 machines and see how that goes.

 Best wishes.


Seriously, look at Bacula. It'll do a better job and be less headache.




Re: OpenBSD in a dual stack anycast DNS resolving setup

2011-12-16 Thread James Shupe
On 12/16/11 4:57 AM, Kostas Zorbadelos wrote:
 James Shupe jsh...@osre.org writes:
 
 I can't speak for anycast DNS deployments, but I use OSPF heavily in
 large production environments and have had great experiences with it.

 
 This is very nice to know, thank you.
 
 - what is your opinion about using a latest version of BIND from ISC
   instead of the BIND distribution coming with OpenBSD?

 The BIND distribution included in the base install is fine.

 
 Unless you happen to need a feature that is available only in a later
 version of BIND. The reason I asked is because I saw no relevant
 package in ports.
 
 - would you consider Java support on OpenBSD production quality? Seems
   irrelevant but we might utilize some Java tools for
   measurement/statistics 

 I've never used it, but I wouldn't even bother because there are no
 native Java builds available for OpenBSD, and thus it's going to be
 untested and completely unsupported. From the sounds of it, you need to
 rethink your monitoring strategy and consider using SNMP and a central
 statistics server running the software of your choice.

 
 OK, this was an understatement from my behalf. What I have in mind is
 more ambitious than just monitoring/alerting. For monitoring and graphs, our
 cacti/nagios solution will do just fine. But storing and analysing DNS
 query data is a whole different story...
 

Reporting shouldn't be done on your production servers. Set up a
centralized syslog server and send your query logs there for analysis.

Henning Brauer says that Java works fine on OpenBSD for large
deployments and I take his word for it. Still, running local reports on
each server is ridiculous when you're talking about multiple servers
providing the same services.

 Regards,
 
 Kostas
 


-- 
James Shupe



Re: OpenBSD in a dual stack anycast DNS resolving setup

2011-12-16 Thread James Shupe
On Fri, 2011-12-16 at 21:33 +, Stuart Henderson wrote:
 On 2011-12-16, James Shupe jsh...@osre.org wrote:
  Reporting shouldn't be done on your production servers. Set up a
  centralized syslog server and send your query logs there for analysis.
 
 sending dns query logs via syslog to a remote server? oh man...
 
 how about mirror ports  https://www.dns-oarc.net/tools/dsc
 

Nice looking tool... I was unaware of it. 

I mentioned the remote syslog option because one of the educational
institutions I work for logs all DNS queries to a central server for
monitoring student internet usage. Works fine.

I reckon the tool you linked is a better fit for the OP's use, but
assume that they have their own in house software written in Java that
uses either pcap or log entries...

-- 
James Shupe



Re: OpenBSD in a dual stack anycast DNS resolving setup

2011-12-15 Thread James Shupe
On 12/15/11 6:15 AM, Kostas Zorbadelos wrote:
 Greetings to all, 
 
 we are running a project to anycast our DNS resolver infrastructure. The
 case is a big commercial country-wide IP network. The company uses Linux
 extensively in the infrastructure but no BSDs.
 
 I keep an eye on OpenBSD developments (mostly high level) and use the
 system personally, but I have no personal experience in larger setups and
 production services. I find the project a good match for OpenBSD,
 because of the system's strong networking features and routing
 support. I will definitely include OpenBSD in our tests and hopefully
 make a case for it, to introduce it in our infrastructure.
 
 The main contenders as you realise are Linux-based setups with either
 Quagga or BIRD. As for DNS software we will stick with BIND for now and
 perhaps consider UNBOUND in the future (when the future involves
 DNSSEC). From what I have seen so far in various sources, people mention
 Quagga's scalability problems and maybe old architecture while good
 words are said about BIRD. We are after a solid OSPF implementation both
 v2 and v3 (IPv6). I have seen OpenBSD's routing software architecture
 and I like it a lot and I also have a high regard for the system's
 quality. 
 
 Of course personal taste is not enough as you understand to support a
 case of introduction of a new platform in a production, commercial
 environment with A LOT of contraints mostly non-technical. The questions
 therefore are:
 
 - has anyone done anything similar using OpenBSD that would like to
   share? 


I can't speak for anycast DNS deployments, but I use OSPF heavily in
large production environments and have had great experiences with it.

 - how would you compare with facts and not flamewars OpenOSPFd against
   Quagga or BIRD implementations?
 

I haven't used BIRD, but Quagga worked well when I used it. On that
note, the OpenBSD network stack seems a lot better tuned for production
routing services than an out of the box Linux install from any vendor.
You also get to run on a code base that was carefully designed and
audited rather than hacked together by a bunch of third parties with
varying skills and interests when running OpenBSD.

 - what is your opinion about using a latest version of BIND from ISC
   instead of the BIND distribution coming with OpenBSD?
 
The BIND distribution included in the base install is fine.

 - is there any option of commercial support?
 
There are lots of great third party support providers.
http://www.openbsd.org/support.html

 - would you consider Java support on OpenBSD production quality? Seems
   irrelevant but we might utilize some Java tools for
   measurement/statistics 
 
I've never used it, but I wouldn't even bother because there are no
native Java builds available for OpenBSD, and thus it's going to be
untested and completely unsupported. From the sounds of it, you need to
rethink your monitoring strategy and consider using SNMP and a central
statistics server running the software of your choice.

 Thanks for the very good and hard work on the system.
 I would be interested to hear any thoughts even off-list.
 
 Regards,
 
 Kostas 
 


-- 
James Shupe



Re: OpenBSD in a dual stack anycast DNS resolving setup

2011-12-15 Thread James Shupe
On 12/15/11 9:40 AM, David Coppa wrote:
 On Thu, Dec 15, 2011 at 3:49 PM, James Shupe jsh...@osre.org wrote:
 
 I've never used it, but I wouldn't even bother because there are no
 native Java builds available for OpenBSD, and thus it's going to be
 untested and completely unsupported.
 
 Uh?!?
 
 # pkg_add -v jdk-1.7.0.00v0.tgz
 

There is a difference between it being in ports, and being a supported
platform. Also, that's OpenJDK, which is itself unsupported by quite a
few Java projects (i.e., Jira).

 ciao,
 David
 
 


-- 
James Shupe



Re: What is wrong with this pf config

2011-12-11 Thread James Shupe
No. Modifying a general purpose tool for a specific (albeit common) use
case is stupid. Any properly implemented warning would cause pfctl to
exit non-zero, which would break automated scripts that check the exit
code of pfctl. You would have to add a whole new option to ignore your
specific use case, and even that would require modifying existing
scripts.

I wish they would ban you from this list already. I'm sick of seeing
your reply to every thread when you never have anything constructive to
say.

On Mon, 2011-12-12 at 05:43 +1100, John Tate wrote:
 It's just whining! Perhaps if should only do it if it has an Internet IP
 address not a LAN or WAN one involved.
 
 On Mon, Dec 12, 2011 at 5:17 AM, Janne Johansson icepic...@gmail.comwrote:
 
  2011/12/11 John Tate j...@johntate.org
 
 
  So I have a suggestion worth considering, if the line block in all does
  not appear pfctl -nf should perhaps spit out a warning. Much like you've
  done with your pretty compilers over there.
 
 
  There are still lots of reasons to run PF even if you don't want block in
  all for a default, so whining on all the other uses you couldn't imagine
  would not be very productive.
 
  --
   To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: USB to ethernet adapter

2011-12-07 Thread James Shupe
The Trendnet, or another from this list:
http://www.openbsd.org/cgi-bin/man.cgi?query=axe&sektion=4

-- 
James Shupe



Re: packet loss

2011-11-28 Thread James Shupe
Run

ifconfig carp | grep status

on both machines... If they're pre 4.8, do:

ifconfig carp | grep 'carp: '

.

If both think they're masters, they'll do what you're seeing.

Thank you,
James Shupe

On 11/28/11 12:53 PM, Stuart Henderson wrote:
 dmesg?
 
 On 2011-11-28, rik rikc...@gmail.com wrote:
 Good day,
 I'm using 2 openbsd boxes as router firewall with carp in a colo-like setup.
 In the last few days we saw the packet loss percentage increase up to
 8-10% and it doesn't look like a problem for outside.  If I ping from the
 master firewall one of the server inside I can see something like this:

 64 bytes from xx.xx.xx.12: icmp_seq=4 ttl=64 time=-3.-656 ms
 64 bytes from xx.xx.xx.12: icmp_seq=5 ttl=64 time=0.794 ms
 64 bytes from xx.xx.xx.12: icmp_seq=6 ttl=64 time=0.-491 ms
 ping: sendto: No route to host
 ping: wrote xx.xx.xx.12 64 chars, ret=-1
 ping: sendto: No route to host
 ping: wrote xx.xx.xx.12 64 chars, ret=-1
 64 bytes from xx.xx.xx.12: icmp_seq=9 ttl=64 time=0.526 ms
 64 bytes from xx.xx.xx.12: icmp_seq=10 ttl=64 time=1.415 ms

 No errors in syslog.
 Any idea?
 Thanks
 Alessandro
 


-- 
James Shupe, OSRE
developer/ engineer
BSD/ Linux support & hosting
jsh...@osre.org | www.osre.org
O 9032530140 | F 9032530150 | M 9035223425
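A script for the check described above, added here as an example and not part of the thread: it reads the ifconfig carp output captured from both peers (constructed samples below, covering both the pre-4.8 "carp:" line and the 4.8+ "status:" line) and reports every interface that both nodes claim as master.

```shell
#!/bin/sh
# Added example, not from the thread: detect a CARP split brain from the
# "ifconfig carp" output of both peers. NODE_A and NODE_B are constructed
# sample captures using documentation addresses, not real hosts.

NODE_A='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        status: master
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
        groups: carp
        status: master
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255'

NODE_B='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100
        groups: carp
        status: backup
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 100
        groups: carp
        status: master
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255'

# carp_states OUTPUT: print "ifname state" for every carp interface in OUTPUT.
# The "carp:" line is the pre-4.8 format, "status:" the 4.8+ one; either works.
carp_states() {
    printf '%s\n' "$1" | awk '
        /^carp[0-9]+:/               { ifn = $1; sub(/:$/, "", ifn) }
        ifn != "" && $1 == "carp:"   { st[ifn] = tolower($2) }
        ifn != "" && $1 == "status:" { st[ifn] = $2 }
        END { for (i in st) print i, st[i] }' | sort
}

# split_brain OUTPUT_A OUTPUT_B: print interfaces that are master on both peers,
# which is exactly the condition that produces the intermittent loss above.
split_brain() {
    { carp_states "$1"; carp_states "$2"; } |
        awk '$2 == "master" { n[$1]++ } END { for (i in n) if (n[i] == 2) print i }' |
        sort
}

# Demonstration on the constructed captures: carp1 is master on both nodes.
for ifn in $(split_brain "$NODE_A" "$NODE_B"); do
    echo "split brain: $ifn is master on both peers"
done
```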



Re: packet loss

2011-11-28 Thread James Shupe
Your dmesg doesn't show the version you're running. Can you provide
that, along with ifconfig output from both machines? You may want to
check the physical connectivity (cable/ NIC/ switch) for the internal
interface of the carp master... Or just fail over to the secondary box
to see if the issue goes away.

Also, provide the netstat -i output.

On 11/28/11 1:37 PM, rik wrote:
 Hi James,
 both carp on the master firewall are in master status (one on the external
 side, one on the internal side), but as much as I know they've always been
 like this; on the backup firewall they both are in backup status (and the
 backup, using the physical interface, can ping without any packet loss).
 Thanks
 Alessandro
 
 
 On Mon, Nov 28, 2011 at 8:08 PM, James Shupe jsh...@osre.org wrote:
 
 Run

 ifconfig carp | grep status

 on both machines... If they're pre 4.8, do:

 ifconfig carp | grep 'carp: '

 .

 If both think they're masters, they'll do what you're seeing.

 Thank you,
 James Shupe

 On 11/28/11 12:53 PM, Stuart Henderson wrote:
 dmesg?

 On 2011-11-28, rik rikc...@gmail.com wrote:
 Good day,
 I'm using 2 openbsd boxes as router firewall with carp in a colo-like
 setup.
 In the last few days we saw the packet loss percentage increase up to
 8-10% and it doesn't look like a problem for outside.  If I ping from
 the
 master firewall one of the server inside I can see something like this:

 64 bytes from xx.xx.xx.12: icmp_seq=4 ttl=64 time=-3.-656 ms
 64 bytes from xx.xx.xx.12: icmp_seq=5 ttl=64 time=0.794 ms
 64 bytes from xx.xx.xx.12: icmp_seq=6 ttl=64 time=0.-491 ms
 ping: sendto: No route to host
 ping: wrote xx.xx.xx.12 64 chars, ret=-1
 ping: sendto: No route to host
 ping: wrote xx.xx.xx.12 64 chars, ret=-1
 64 bytes from xx.xx.xx.12: icmp_seq=9 ttl=64 time=0.526 ms
 64 bytes from xx.xx.xx.12: icmp_seq=10 ttl=64 time=1.415 ms

 No errors in syslog.
 Any idea?
 Thanks
 Alessandro



 --
 James Shupe, OSRE
 developer/ engineer
 BSD/ Linux support & hosting
 jsh...@osre.org | www.osre.org
 O 9032530140 | F 9032530150 | M 9035223425
 


-- 
James Shupe, OSRE
developer/ engineer
BSD/ Linux support & hosting
jsh...@osre.org | www.osre.org
O 9032530140 | F 9032530150 | M 9035223425



Re: Performance problems with OpenBSD 4.9 under ESXi 5

2011-10-19 Thread James Shupe
What's it take to get an actual dmesg around here? Just post the output
for us to look at regardless of whether or not you think the messages at
boot are important. They're needed to troubleshoot any problem like
this.



Routerboard 450G

2011-10-17 Thread James Shupe
Has anybody successfully installed and tested OpenBSD on a Routerboard
450G? I searched the archive for a dmesg and/ or confirmation, but
couldn't find a definitive answer.

http://routerboard.com/RB450G

Thank you,
James Shupe



Re: Routerboard 450G

2011-10-17 Thread James Shupe
Thank you. After doing a bit more research and finding no mention of the
RB450G in INSTALL.socppc, I decided to go with the Alix.2D13 board.

On 10/17/11 1:31 PM, Christiano F. Haesbaert wrote:
 On 17 October 2011 16:26, James Shupe jsh...@osre.org wrote:
 Has anybody successfully installed and tested OpenBSD on a Routerboard
 450G? I searched the archive for a dmesg and/ or confirmation, but
 couldn't find a definitive answer.

 http://routerboard.com/RB450G

 
 Probably no, there is some support for the power pc router boards (arch 
 socppc).



Re: Why I uninstalled OpenBSD…

2011-10-01 Thread James Shupe
Today's post: "I uninstalled OpenBSD the other day after using it since
version 4.0 came out five years ago."

Another post, dated 06/03/2010: "I was a long-time OpenBSD user since
the 3.1 days, and cut my teeth on Unix development there."

Of course, this guy lost all credibility here long before this post came
along.

Thank you,
James Shupe



Re: Problem with installing OpenBSD

2011-09-29 Thread James Shupe
I'm pretty sure this was just a cheap shot at marketing their website.

-James



Re: Problem with installing OpenBSD

2011-09-29 Thread James Shupe
If you truly have an issue installing OpenBSD, you need to explain the
process you're using and the errors you are getting. Don't pointlessly
redirect us to your site that doesn't provide the aforementioned
information.

dmesg output, etc would also be useful.

These mailing lists aren't a medium for free advertising.

--
Thank you,
James Shupe



Re: Problem with NAT and UDP packages.

2010-04-08 Thread James Shupe
Forgot to send to the list, twice!

If it's RTP (http://en.wikipedia.org/wiki/Real-time_Transport_Protocol),
which some quick Googling indicates, your best bet may be to make a table
of sending hosts with a pass ... inet proto udp ... from <table> to ?
port > 1024 rule.

quote who=Hugo Osvaldo Barrera
 On Thu, Apr 8, 2010 at 00:54, James Shupe professio...@jamesshupe.com
 wrote:
 Use log (all) and tcpdump to figure out exactly what is being blocked.

 On 4/7/10 10:40 PM, Hugo Osvaldo Barrera wrote:
 I'm using OpenBSD 4.6 at home as an access point, firewall and home
 server (with pf).
 I've recently had some issues trying to use pidgin's [XMPP] video
 support on one of my client computers, yet, if I connect it directly
 to the internet it works fine; hence the problem is the firewall
 configuration (as one of the pidgin devs pointed out it might have
 been).
 I THINK UDP packets are being dropped, but I must really say, this
 problem is a bit above my level of understanding.

 I need to know how to make sure UDP packets don't get dropped on the
 way to my PC, but i'm not really sure how.

 I think a simple pass in proto udp is a bit extremist (though it
 would
 work).
 Any better suggestions?

 My current pf.conf file is:

 -
 #   $OpenBSD: pf.conf,v 1.44 2009/06/10 15:29:34 sobrado Exp $
 #
 # See pf.conf(5) for syntax and examples; this sample ruleset uses
 # require-order to permit mixing of NAT/RDR and filter rules.
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
 # in /etc/sysctl.conf if packets are to be forwarded between interfaces.

 # Skip lo
 set skip on lo

 #
 # Variables #
 #
 extif = re0
 intif = ral0
 chaos = 172.16.1.7
 mamaquina = 172.16.1.12

 tcp_services={ 22, 113, 80, 443 }

 icmp_types = "echoreq"
 allproto = { tcp, udp, ipv6, icmp, esp, ipencap }
 privnets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

 table <intnet> { 172.16.0.1/16 }

 # Options
 set loginterface $extif
 match in all scrub (no-df)

 ###
 # NAT #
 ###
 nat on $extif from $intif:network -> ($extif)
 # TODO Maybe move this down to service ports? Check first.
 rdr pass log on $extif proto tcp from any to any port 1022 -> $chaos port 22

 block in
 pass out keep state

 antispoof quick for { lo $intif }

 block drop in on $extif from $privnets to any
 block drop in on $extif from any to $privnets

 #
 # SERVICE PORTS #
 #

 # Open ports for local services
 pass in on $extif inet proto tcp from any to ($extif) port $tcp_services flags S/SA keep state

 ### OTHER PORTS AND OPENINGS
 pass in on $extif from any to 172.16.1.7
 pass in on $extif from any to 172.16.2.4

 pass in on $extif proto {tcp, udp} from any to any port 53

 # ICMP Traffic
 pass in inet proto icmp all icmp-type $icmp_types keep state

 # LAN - everything is allow in/out
 pass in quick on $intif
 pass out quick on $intif


 ### Block remote connections to the X Server
 block in on ! lo0 proto tcp to port 6000:6010
 -

 Thanks for your time guys!

 --
 Hugo Osvaldo Barrera







 As I had supposed; pf is blocking the UDP packages:

 Apr 08 01:31:58.241781 rule 1/(match) block in on re0: the-other-IP.59789 > my-ip.50688: udp 56
 Apr 08 01:31:58.363252 rule 1/(match) block in on re0: the-other-IP.59792 > my-ip.52166: udp 56
 Apr 08 01:31:58.363991 rule 1/(match) block in on re0: the-other-IP.59793 > my-ip.50688: udp 56

 There are several more dozen lines like this one.
 However, each one uses a different port, so how can I solve the
 problem?  I don't even see a predicting which ports I'd need to open
 (they ARE random).






-- 
Thank you,
James M. Shupe
GPG: 9C5C4417
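Added example, not from the thread: the "log (all) plus tcpdump" step and the table-of-senders suggestion above carried through on constructed pflog lines in the format quoted in the thread. It summarises blocked inbound UDP per sending host and emits the table plus pass rule; the table name rtp_servers and the $int:network macro are assumptions, not from the original pf.conf.

```shell
#!/bin/sh
# Added example, not from the thread. PFLOG is a constructed sample in the
# format printed by "tcpdump -n -e -ttt -r /var/log/pflog", using
# documentation addresses; rtp_servers and $int:network are assumed names.

PFLOG='Apr 08 01:31:58.241781 rule 1/(match) block in on re0: 198.51.100.7.59789 > 203.0.113.5.50688: udp 56
Apr 08 01:31:58.363252 rule 1/(match) block in on re0: 198.51.100.7.59792 > 203.0.113.5.52166: udp 56
Apr 08 01:31:58.363991 rule 1/(match) block in on re0: 198.51.100.7.59793 > 203.0.113.5.50688: udp 56
Apr 08 01:31:59.001200 rule 1/(match) block in on re0: 198.51.100.9.40001 > 203.0.113.5.51002: udp 172
Apr 08 01:31:59.104400 rule 1/(match) block in on re0: 192.0.2.33.53 > 203.0.113.5.123: udp 48
Apr 08 01:32:00.500000 rule 1/(match) block in on re0: 198.51.100.7.59794 > 203.0.113.5.50688: udp 56
Apr 08 01:32:02.000000 rule 3/(match) pass in on re0: 192.0.2.33.53 > 203.0.113.5.40123: udp 48'

# blocked_udp_summary LOG: print "src_host flows min_dport max_dport" for each
# sender whose inbound UDP was blocked; passed packets are ignored.
blocked_udp_summary() {
    printf '%s\n' "$1" | awk '
        / block in on [a-z0-9]+: / && /: udp / {
            split($0, half, " > ")
            n = split(half[1], f, " "); src = f[n]; sub(/\.[0-9]+$/, "", src)
            split(half[2], g, " "); dst = g[1]; sub(/:$/, "", dst)
            dport = dst; sub(/.*\./, "", dport); dport += 0
            cnt[src]++
            if (!(src in lo) || dport < lo[src]) lo[src] = dport
            if (!(src in hi) || dport > hi[src]) hi[src] = dport
        }
        END { for (s in cnt) print s, cnt[s], lo[s], hi[s] }' | sort
}

# rtp_pass_rules LOG: table of senders whose blocked flows only hit
# unprivileged ports, plus the pass rule from the thread. A sender that hit
# a privileged port (192.0.2.33 -> 123 above) is left out, so the rule admits
# only the identified media senders rather than all inbound UDP.
rtp_pass_rules() {
    blocked_udp_summary "$1" | awk '
        $3 > 1024 { hosts = (hosts == "") ? $1 : hosts " " $1 }
        END {
            if (hosts == "") exit
            print "table <rtp_servers> { " hosts " }"
            print "pass in log inet proto udp from <rtp_servers> to $int:network port > 1024"
        }'
}

blocked_udp_summary "$PFLOG"
rtp_pass_rules "$PFLOG"
```

Once the summary shows the real destination port range, narrow "port > 1024" to that range before loading the rule.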



Re: Problem with NAT and UDP packages.

2010-04-08 Thread James Shupe
My idea is to maintain a table of RTP servers, if that is possible. RTP
uses any unprivileged port (or a port above 1024) to send traffic on. Your
rule would be a rule that would allow any of that unprivileged UDP traffic
from only those hosts. It's not the perfect solution, but probably is the
most viable one. As far as I know, there is no proxy application that can
handle RTP, but you may want to investigate that further.

pass in log inet proto udp from <rtp_servers> to $int:network port > 1024

 Effectively, it uses RTP.
 However, I'm not sure I don't quite understand your idea.  How would
 the table be updated with which ports to redirect?  Or do you mean it
 to be static with the port range currently in use?

 The port used seems to be random between 5 and 6 (something I
 have not found a reference to in anything liked to RTP).  Redirecting
 them with a rule like rdr pass on $extif proto udp from any to $extif
 port 5:6 -> $mypc should work, but this does not seem like
 the proper solution.  Or am I wrong?  (=

 Isn't there a way to have this work so that, in future, MORE than one
 PC can use RTP?  This isn't a  MUST right now, but I would prefer to
 find some solution that would work in future.

 BTW James: Thank you very much, pointing out that XMPP's
 video-conference implementation uses RTP helped me google A LOT more
 info on the subject :)
 On Thu, Apr 8, 2010 at 10:21, James Shupe professio...@jamesshupe.com
 wrote:
 Forgot to send to the list, twice!

 If it's RTP,
 (http://en.wikipedia.org/wiki/Real-time_Transport_Protocol),
 which some quick Googling indicates, your best bet may be to make a
 table
 of sending hosts with a pass ... inet proto udp ... from <table> to ? port > 1024 rule.

 On Thu, Apr 8, 2010 at 00:54, James Shupe professio...@jamesshupe.com
 wrote:
 Use log (all) and tcpdump to figure out exactly what is being
 blocked.

 On 4/7/10 10:40 PM, Hugo Osvaldo Barrera wrote:
 I'm using OpenBSD 4.6 at home as an access point, firewall and home
 server (with pf).
 I've recently had some issues trying to use pidgin's [XMPP] video
 support on one of my client computers, yet, if I connect it directly
 to the internet it works fine; hence the problem is the firewall
 configuration (as one of the pidgin devs pointed out it might have
 been).
 I THINK UDP packets are being dropped, but I must really say, this
 problem is a bit above my level of understanding.

 I need to know how to make sure UDP packets don't get dropped on the
 way to my PC, but I'm not really sure how.

 I think a simple pass in proto udp is a bit extremist (though it
 would
 work).
 Any better suggestions?

 My current pf.conf file is:

 -
 #   $OpenBSD: pf.conf,v 1.44 2009/06/10 15:29:34 sobrado Exp $
 #
 # See pf.conf(5) for syntax and examples; this sample ruleset uses
 # require-order to permit mixing of NAT/RDR and filter rules.
 # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
 # in /etc/sysctl.conf if packets are to be forwarded between interfaces.

 # Skip lo
 set skip on lo

 #
 # Variables #
 #
 extif = re0
 intif = ral0
 chaos = 172.16.1.7
 mamaquina = 172.16.1.12

 tcp_services = { 22, 113, 80, 443 }

 icmp_types = echoreq
 allproto = { tcp, udp, ipv6, icmp, esp, ipencap }
 privnets = { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

 table <intnet> { 172.16.0.1/16 }

 # Options
 set loginterface $extif
 match in all scrub (no-df)

 ###
 # NAT #
 ###
 nat on $extif from $intif:network -> ($extif)
 # TODO Maybe move this down to service ports? Check first.
 rdr pass log on $extif proto tcp from any to any port 1022 -> $chaos port 22

 block in
 pass out keep state

 antispoof quick for { lo $intif }

 block drop in on $extif from $privnets to any
 block drop in on $extif from any to $privnets

 #
 # SERVICE PORTS #
 #

 # Open ports for local services
 pass in on $extif inet proto tcp from any to ($extif) port $tcp_services flags S/SA keep state

 ### OTHER PORTS AND OPENINGS
 pass in on $extif from any to 172.16.1.7
 pass in on $extif from any to 172.16.2.4

 pass in on $extif proto { tcp, udp } from any to any port 53

 # ICMP Traffic
 pass in inet proto icmp all icmp-type $icmp_types keep state

 # LAN - everything is allowed in/out
 pass in quick on $intif
 pass out quick on $intif

 ### Block remote connections to the X Server
 block in on ! lo0 proto tcp to port 6000:6010
 -

 Thanks for your time guys!

 --
 Hugo Osvaldo Barrera


 As I had supposed; pf is blocking the UDP packages:

 Apr 08 01:31:58.241781 rule 1/(match) block in on re0:
 the-other-IP.59789 > my-ip.50688: udp 56
 Apr 08 01:31:58.363252 rule 1/(match) block in on re0:
 the-other-IP.59792 > my-ip.52166: udp 56
 Apr 08 01:31:58.363991 rule 1/(match) block in on re0:
 the-other-IP.59793 > my-ip.50688: udp 56
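
An added example (not part of the thread) in Python: it parses the tcpdump-style pflog lines quoted above, tallies the blocked inbound UDP packets per source host and destination port range, and checks which of them James's proposed table-plus-"port > 1024" rule would pass. Host names, ports and the rule number are constructed from the thread; the model leaves out the rule's "to $int:network" part because the quoted log shows the packets addressed to the firewall's own external address ("my-ip"), so that part only takes effect once a matching rdr exists.

```python
import re

# Constructed sample in the pflog/tcpdump format quoted above (names/ports from the thread, not real data).
SAMPLE_LOG = """\
Apr 08 01:31:58.241781 rule 1/(match) block in on re0: the-other-IP.59789 > my-ip.50688: udp 56
Apr 08 01:31:58.363252 rule 1/(match) block in on re0: the-other-IP.59792 > my-ip.52166: udp 56
Apr 08 01:31:58.363991 rule 1/(match) block in on re0: the-other-IP.59793 > my-ip.50688: udp 56
Apr 08 01:32:01.000100 rule 1/(match) block in on re0: some-other-host.4000 > my-ip.53: udp 40
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d\.\d+) rule (?P<rule>\S+) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): (?P<proto>\w+)"
)

def parse_pflog(text):
    """Parse tcpdump-style pflog lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            entries.append(e)
    return entries

def blocked_udp_by_source(entries):
    """Per source host: (packets blocked, lowest dst port, highest dst port) for inbound UDP."""
    stats = {}
    for e in entries:
        if e["action"] != "block" or e["dir"] != "in" or e["proto"] != "udp":
            continue
        n, lo, hi = stats.get(e["src"], (0, e["dport"], e["dport"]))
        stats[e["src"]] = (n + 1, min(lo, e["dport"]), max(hi, e["dport"]))
    return stats

def rule_matches(entry, rtp_servers, min_port=1024):
    """Model of 'pass in inet proto udp from <rtp_servers> ... port > 1024' (destination not modelled)."""
    return (entry["dir"] == "in" and entry["proto"] == "udp"
            and entry["src"] in rtp_servers and entry["dport"] > min_port)

def evaluate_rule(entries, rtp_servers, min_port=1024):
    """Split the blocked packets into those the rule would now pass and those still blocked."""
    would_pass, still_blocked = [], []
    for e in entries:
        if e["action"] == "block":
            (would_pass if rule_matches(e, rtp_servers, min_port) else still_blocked).append(e)
    return would_pass, still_blocked

if __name__ == "__main__":
    entries = parse_pflog(SAMPLE_LOG)
    print(blocked_udp_by_source(entries), [len(x) for x in evaluate_rule(entries, {"the-other-IP"})])
```

Feed it the real pflog output (tcpdump -n -e -ttt -r /var/log/pflog, or the live pflog0 interface) to see which source hosts account for the blocked UDP and whether adding them to the table would be enough.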

Re: routing question: 2 mail servers sending from their own IPs

2010-03-27 Thread James Shupe
Check into smtp_bind_address in Postfix. If you're still having issues,
binat rather than rdr to internal IPs so connections will originate
properly. Without seeing your pf.conf or master.cf, this is a guess, but
I think these tips should lead you in the right direction.

...master.cf:
smtp ... smtp -o smtp_bind_address=11.22.33.44


On 3/27/10 3:02 AM, Scott McEachern wrote:
 Hi folks, I'm running into a bit of a routing gotcha getting two mail
 servers to send mail out using their own respective IP addresses.
 (While this involves postfix, this is not a postfix support question,
 it's a routing question)

 What I'm trying to accomplish is this:
 - two autonomous domains, each with their own mail server instance
 (postfix in this case) so that one domain never 'mentions' the other
 domain.  Using one instance of postfix to relay for the 2nd domain is
 not an option, as domain1.com will be shown in the headers when mail is
 from domain2.com.  The reason is that 2nd domain is a business entity
 and should not be associated in any way with the first.

 The setup (which works fine):
 - the two domains have their own external IPs, dns-wise.
 - two instances of postfix listen on their respective external IPs
 taking mail for their domains (set in master.cf)
 - postfix acts as a mail gateway on the firewall, which shuffles mail to
 either of two instances of postfix on an internal mail server
 - 5 (non-contiguous) IPs are assigned to me by ADSL, so I have one
 physical connection, with 1 'main' IP and 4 aliases.

 That works fine and dandy: two independent domains.  I should mention
 that (some) internal traffic, depending on its origin, is NAT'd out with
 pf on those aliases, appearing to come from independent networks.

 The problem:
 - mail sent out via either instance of postfix, regardless of the
 master.cf setting, go out on the 'main' IP, such that mail headers
 appear like such:

 Received: from mail.domain2.com (erratic.ca [75.119.251.119])

 The goal:
 I'd prefer it to read .. from mail.domain2.com (domain2.com [a.b.c.d])

 The untouched firewall routing table looks like this:

 Internet:
 DestinationGatewayFlags   Refs  Use   Mtu  Prio
 Iface
 default206.248.154.122UGS322803 56410450 - 8
 tun0
 127/8  127.0.0.1  UGRS   00 33200 8 lo0
 (snipping a bunch of lo0 stuff)
 192.168.0/24   link#1 UC 10 - 4
 nfe0
 192.168.0.200:0d:60:91:5d:a4  UHLc   143271 - 4
 nfe0
 192.168.1/24   link#5 UC 20 - 4 sk0
 192.168.1.200:19:5b:68:91:20  UHLc   1 7177 - 4 sk0
 192.168.1.300:10:c6:b5:c1:72  UHLc   4   136762 - 4 sk0
 192.168.2/24   link#5 UC 10 - 4 sk0
 192.168.2.1127.0.0.1  UGHS   00 33200 8 lo0
 192.168.3/24   link#5 UC 00 - 4 sk0
 192.168.3.1127.0.0.1  UGHS   00 33200 8 lo0
 206.248.154.12275.119.251.119 UH 10  1492 4
 tun0
 224/4  127.0.0.1  URS00 33200 8 lo0

 I've tried this:
 # route add 206.248.154.122 a.b.c.d

 but my routing-fu is not strong.  That command gives all of the above,
 plus this:

 206.248.154.122a.b.c.dUGHS   00 - 8 tun0

 Of course, sending mails from domain2.com still appears from erratic.ca.

 Any suggestions?  Clear as mud?  The firewall does not have an
 /etc/mygate set, and is OpenBSD 4.6-current (GENERIC) #7: Sat Jan 23
 16:34:02 EST 2010, but I don't think a dmesg is of much use here.

 Unrelated question: can smtpd handle this kind of funkiness?  I'd like
 to switch to smtpd eventually if it can, but that's another project for
 another day.

 Thanks!



--
James M. Shupe
shu...@gridexec.com
RHCE Certified
Plain text preferred
1.903.522.3425

This Email is covered by the Electronic Communications Privacy Act,
18 U.S.C. 2510-2521 and is legally privileged. The information
contained in this Email is intended only for use of the individual
or entity named above. If the reader of this message is not the intended
recipient, or the employee or agent responsible to deliver it to the
intended recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately
notify us by telephone 1.903.522.3425 and destroy the original message.




ALTQ Gigabit performance

2010-03-21 Thread James Shupe

Thank you,
James Shupe



Re: Intel Gigabit ET NIC Quad Port

2010-03-10 Thread James Shupe
We've only had these for a week, but we use two (each, with two ports
each in a trunk(4) in failover mode) of the Supermicro UIO derivatives
based on the same chipset in our core firewalls which route
approximately 120Mbps of traffic and they have worked great. We put them
through a ton of production simulation before deploying them, and they
passed with flying colors. Running 4.6-stable.

Thanks,
James Shupe

On 3/10/10 9:22 AM, Brad Tilley wrote:
 We're considering this card for an OpenBSD Snort box. I think em
 supports it well. It uses the 82576EB controller. Has anyone used the
 card much? If so, are you satisfied with it?

 http://ark.intel.com/Product.aspx?id=36796

 Thanks,

 Brad





--
James M. Shupe
shu...@gridexec.com
RHCE Certified
Plain text preferred
1.903.522.3425




Re: Hardware recomendations please

2008-12-01 Thread James Shupe
I'd recommend building some Supermicro boxes on the 512L-260B/PDSBM-LN2+
(1u, s775, 946gz) platform. You can build a very nice box and pair it
with a riser card and a quad port DFE-570TX NIC and come in well under
your $1500 budget. If you need exact part numbers, I can get you the
ones we use.

On Tue, 2008-12-02 at 17:43 +1100, nuffnough wrote:
 Hey there.

 My firewalls are getting old, so I thought it would be a great idea to
 replace them.  I figured that a budget of around $1500 would be more
 than adequate,  but because no one makes mobos with 5 pci slots
 anymore I am struggling to get these under $2800.

 I have requirements for 6 legs plus the carp sync (which I could do
 with a usb nowadays,  so that means just 6).  The rest of the system
 is relatively undemanding, so 4 gig RAM is overkill, and it doesn't
 require huge CPU grunt either.  It would be great if I could fit it
 into a small formfactor case to save rackspace, but this isn't worth
 $2k to me.

 Please recommend mobo/NIC combo that would fit within the budget!

 TIA

 nuffi

--
James Maurice Shupe   | HermeTek Network Solutions
[EMAIL PROTECTED]   | *NIX Consulting and Hosting
GPG signed mail preferred | http://www.hermetek.com
Plain text mail preferred | 1.866.325.6207

Key fingerprint: D484 EACC 9D0F A2A5 5277 C4A8 5704 1987 A938 DF3A






Re: USB CD-ROM support

2008-11-03 Thread James Shupe
I know it's not a direct answer to your question, but OpenBSD's PXE
installation is extremely easy to implement. It is probably the best
option you have at the moment.

On Mon, 2008-11-03 at 07:20 -0500, Bob Hope wrote:
 When (if ever) will support for installing OpenBSD with a USB CD-ROM
 be added? I have a few
 servers I'd like to use OpenBSD on, but they are Blade units and the
 only method of installing
 the operating system is through USB CD-ROM.

 Thanks,
 Tom


--
James Maurice Shupe   | HermeTek Network Solutions
[EMAIL PROTECTED]   | *NIX Consulting and Hosting
GPG signed mail preferred | http://www.hermetek.com
Plain text mail preferred | 1.866.325.6207

Key fingerprint: D484 EACC 9D0F A2A5 5277 C4A8 5704 1987 A938 DF3A
