Re: OpenBSD-capable, fanless, diskful computer with ECC RAM
Damien Miller wrote 2010-10-30 02.14:
> Hi,
>
> Can anyone recommend a small, fanless computer that will accept a HD (perhaps a 2.5" drive) that uses ECC RAM? Needless to say, it must run OpenBSD.
>
> Being 64 bit, having accelerated crypto and/or supporting multiple drives would be bonus points, but are not required.

Although I've got no experience with it, the VIA ART-3000 might take ECC: according to Wikipedia the Via Nano CPU supports it, however I can't find anything official on that. I'd be interested to hear back if anyone tries this system, as it looks impressive.

/Kami
Re: smtpd support DIGEST MD5 AUTH ?
> a bit longer answer: smtpd is interfaced to bsdauth (see authenticate(3)). so if you want you can implement an authentication method, just like I did to authenticate smtpd clients to a pop3 server.

authenticate(3) makes my head spin, it would be awesome if you shared how you did that!

Has anybody else tried in general to interface with other virtual authentication databases, and wish to share some experiences?

Thnx!
Kami
Re: spamd - nixspam list, September 30, 2009
On 2009-10-01 14:39, Toni Mueller wrote:
> I didn't check whether the stale file gets removed, but thought about using a different source instead. If spamd(8) could use RBLs in addition to static tables, that would ease the problem, too.

The concept of RBLs isn't in line with the idea that spamd should use little of your resources and many resources for the spammer. Add RBL functionality between spamd and your smtp server, if you need it.
Re: Bridge wireless and wired networks.
Jan Johansson wrote:
> kami petersen <[EMAIL PROTECTED]> wrote:
>> well, it should work. however, you should set an address on either of the interfaces that constitutes the bridge, not the bridge itself. but you don't say exactly where you are unsuccessful...
>
> It works, I just thought there might be a cleaner solution. For example both ral0 and fxp1 need an IP address or dhcpd just refuses to work on the interface.

on the router: assign 192.168.13.1 to fxp1 and none to ral0, put both fxp1 and ral0 in the bridge, putting both ral0 and fxp1 in dhcpd.interfaces. a similar solution is working here. this is basically the same as having only one interface with the above ip on it, that is wired to a switch with an antenna and two ethernet jacks.

>> also, failover trunk ought to work,
>
> A failover trunk will work for one laptop. But if a friend and I are sharing the wireless the friend will be cut off when the wired interface goes active.
>
>> but i wouldn't know how a bridge pair directly hooked up against let's say a round robin trunk would behave.
>
> Don't understand this.

i'm talking about trunking on the clients. if using failover mode, only one interface is used at a time, but in round robin mode all interfaces are used 'simultaneously', with chances of confusing the bridge at the router by creating a loop in the network topology. if this is the case have a look at the spanning tree options of brconfig(8). however, i haven't been there, so this is just where i'd start. plus, i can't see the point of a trunk on the router.

/k
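The router setup described in the reply above, written out as the persistent OpenBSD configuration files it corresponds to. This is an added example, not anything posted in the thread; the addresses, interface names and nwid come from the thread, while the netmask, the DHCP lease range and the rc.conf.local flag are assumptions.

```conf
# /etc/hostname.fxp1 -- the wired member carries the LAN address
inet 192.168.13.1 255.255.255.0 NONE

# /etc/hostname.ral0 -- the access-point member gets no address at all
# (nwid and channel as in the thread; add nwkey here if the net is keyed)
media autoselect mediaopt hostap nwid NAH chan 1
up

# /etc/hostname.bridge0 -- old-style brconfig(8) arguments, one per line;
# the bridge itself never gets an address
add fxp1
add ral0
up

# /etc/rc.conf.local -- dhcpd listens on both members, not on bridge0
# (same effect as '/usr/sbin/dhcpd fxp1 ral0' from the thread)
dhcpd_flags="fxp1 ral0"

# /etc/dhcpd.conf -- one subnet shared by both members; a lease is answered
# on whichever member the request came in on (range is an assumed value)
subnet 192.168.13.0 netmask 255.255.255.0 {
        option routers 192.168.13.1;
        range 192.168.13.100 192.168.13.199;
}
```

Each block above is a separate file; the comment lines mark where one file ends and the next begins.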
Re: Bridge wireless and wired networks.
Jan Johansson wrote:
> Hello.
>
> On my laptop I use trunk(4) failover to switch between wired and wireless networks. It works great. But I think my solution for the "router" is a bit dirty. Is there a better way?
>
> The "router" has one interface connected to the internet (fxp0) and two interfaces for the internal network (ral0 and fxp1). When I get tired of waiting for a download to complete I wish to switch from wireless to a crossover cable (I'd rather not use a switch) without interruption.
>
> The solution I have:
>
> :; ifconfig
> fxp1: flags=8943 mtu 1500
>         lladdr 00:02:b3:2b:b2:89
>         media: Ethernet autoselect (none)
>         status: no carrier
>         inet6 fe80::202:b3ff:fe2b:b289%fxp1 prefixlen 64 scopeid 0x2
>         inet 192.168.13.2 netmask 0xff00 broadcast 192.168.13.255
> ral0: flags=8943 mtu 1500
>         lladdr 00:0e:2e:86:7b:14
>         media: IEEE802.11 autoselect hostap
>         status: active
>         ieee80211: nwid NAH chan 1 bssid 00:0e:2e:86:7b:14 nwkey Nope 100dBm
>         inet 192.168.13.1 netmask 0xff00 broadcast 192.168.13.255
>         inet6 fe80::20e:2eff:fe86:7b14%ral0 prefixlen 64 scopeid 0x3
> bridge0: flags=41 mtu 1500
>         groups: bridge
> :; brconfig bridge0
> bridge0: flags=41
>         Configuration:
>                 priority 32768 hellotime 2 fwddelay 15 maxage 20
>         Interfaces:
>                 fxp1 flags=3
>                         port 2 ifpriority 128 ifcost 55
>                 ral0 flags=3
>                         port 3 ifpriority 128 ifcost 55
>         Addresses (max cache: 100, timeout: 240):
>
> And then I start dhcpd with '/usr/sbin/dhcpd ral0 fxp1'.
>
> For me it would be beautiful to set the 192.168.13.1 address on "bridge0" and have dhcpd listen only on bridge0, or maybe use trunk(4) in some mode for this, but I have been unsuccessful at that.

well, it should work. however, you should set an address on either of the interfaces that constitutes the bridge, not the bridge itself. but you don't say exactly where you are unsuccessful...

also, failover trunk ought to work, but i wouldn't know how a bridge pair directly hooked up against let's say a round robin trunk would behave. maybe then the finer options of brconfig(8) would be worth trying.

/kami
Re: using queues to limit bandwidth
Chris Cameron wrote:
> On Mon, 2006-05-01 at 13:02 -0400, Chris Bullock wrote:
>> Can queues be used to queue overall bandwidth? We have a project where we will be sharing an Internet connection with another company, we will have an IP and they will have an IP, each company providing their own firewall. I understand that queuing is able to queue based on protocol, etc. on the same box, but let's say there is a T1 shared between the companies. The company tells us, you can have one of our IP addresses but you can only use 100k of our bandwidth, can pf do this? I guess this is more bandwidth throttling more so than queuing.
>>
>> TIA,
>> Chris
>
> No one mentioned it, but this'll only work in one direction. It won't stop you from saturating the pipe with incoming traffic.

so you'd have to set up queueing on the interior interface of your firewall as well... tcp will throttle back to this cap, but ordering up a fat udp stream will always get you in trouble.

/k
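A pf.conf sketch of the two-sided cap the reply calls for, in the ALTQ syntax of OpenBSD releases of that period. It is an added example, not anything from the thread; the interface names, the 192.168.1.0/24 LAN prefix and the NAT line are assumptions, the 100Kb figure is the thread's.

```conf
# Added example: cap a shared T1 share at 100Kb in both directions.
ext_if  = "fxp0"            # assumed: interface toward the shared T1
int_if  = "fxp1"            # assumed: interface toward our own LAN
int_net = "192.168.1.0/24"  # constructed LAN prefix

nat on $ext_if from $int_net to any -> ($ext_if)

# Direction 1: what we send toward the T1. pf can only queue a packet as
# it leaves an interface, so this is the upload cap.
altq on $ext_if cbq bandwidth 100Kb queue { up_q }
queue up_q bandwidth 100% cbq(default)

# Direction 2: what arrives from the T1 and is delivered onto our LAN.
# The interior interface is the only place pf can slow it down, and it
# works by back pressure: TCP senders see the drops and back off, while
# a UDP stream has already crossed the T1 by the time we drop it here.
altq on $int_if cbq bandwidth 100Kb queue { down_q }
queue down_q bandwidth 100% cbq(default)

block all
pass out on $ext_if keep state queue up_q
pass out on $int_if from any to $int_net keep state queue down_q
pass in  on $int_if from $int_net to any keep state
```

Both queues are the default for their interface, so every packet leaving either side is shaped even where a rule omits the queue keyword.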
Re: svnd security
> It sounds scary, especially for those of us who do not understand too much about computers. I basically wanted to know if there is any truth in all this or it is just another person trying to sell his product well by undermining others.

say hello to the archives.
Re: -stable or -current kernel error
Paul Barbeau wrote:
> I am trying to move from the base install from the CD/FTP to either stable or current. I get the same error regardless of what version I try with and regardless of what machine (different components inside). Below are the steps I am doing to rebuild the kernel and the error I am getting. Anyone have any ideas on how to correct this problem? Am I doing it wrong and forgetting something?
>
> cd /usr; cvs -q checkout -rOPENBSD_3_8 -P src
> cd /usr/src
> find . -type l -name obj | xargs rm
> make cleandir
> rm -rf /usr/obj/*
> make obj
> cd /usr/src/etc && make DESTDIR=/ distrib-dirs
> cd /usr/src/sys/arch/i386/conf
> config GENERIC
> cd ../compile/GENERIC
> make clean
> make depend
> make

you need to follow the faq sequentially. now, wipe src and obj and start over from the top of the page.

/kami
Re: slow network performance
> ...
> wd0(pciide0:0:0): timeout type: ata c_bcount: 512 c_skip: 0
> wd0e: DMA error writing fsbn 2651200 of 2651200-2651211 (wd0 bn 3819472; cn 3789 tn 2 sn 34), retrying
> wd0: soft error (corrected)
> wd0(pciide0:0:0): timeout type: ata c_bcount: 0 c_skip: 0
> wd0(pciide0:0:0): timeout type: ata c_bcount: 512 c_skip: 0
> wd0(pciide0:0:0): timeout type: ata c_bcount: 8192 c_skip: 0
> wd0e: device timeout writing fsbn 2651200 of 2651200-2651215 (wd0 bn 3819472; cn 3789 tn 2 sn 34), retrying
> wd0: soft error (corrected)
> wd0(pciide0:0:0): timeout type: ata c_bcount: 512 c_skip: 0

did you look into this? anyway, test disk io and network separately.

/kami
Re: 3.8-STABLE :cvs/XF4 seems to be broken.
J.C. Roberts wrote:
> Can anyone confirm or deny if XF4-STABLE is broken? I've updated source twice and have had two failed builds of X while following FAQ5.

can you confirm that you actually have XF4-STABLE? a *clean* checkout usually cures a non-compiling tree.

/kami
Re: Pet-grub.com a cia front?
Dave Feustel wrote:
> It looks like there may still be a few security holes to be dealt with.

no, they are called backdoors, through which all who are sick of you play their dirty tricks.

> I've started running apache webserver. My web address (until the next power failure) is 71.97.182.5. Feel free to try to hack it.

seems like somebody got to it.

> --
> Lose, v., experience a loss, get rid of, "lose the weight"
> Loose, adj., not tight, let go, free, "loose clothing"

Lost, adj., beyond reach, communication, or influence, "get lost, dave"

/kami
Re: RAIDframe stability and reliability
Dave Diller wrote:
>> The main reason RAIDframe is not in GENERIC, I seem to recall, is that it makes the kernel quite a bit bigger for no gain in the average case.
>
> Yeah, 20% or so, with RAIDframe being the only change:
>
> -rw-r--r--  1 root  wheel  5281094 Sep 16 21:30 bsd-stock-3.8-install
> -rwxr-xr-x  1 root  wheel  6072989 Jan 22 10:28 bsd-raid-38stab-012206

no, that's 15%. but still strange, mine is only:

-rwxr-xr-x  1 root  wheel  5668267 Jan 28 01:25 bsd

which is just 7% up. stable i386 build, with

pseudo-device raid 4
option RAID_AUTOCONFIG

/kami
Re: SSH publickey authentication - identity logging
Spruell, Darren-Perot wrote:
> From: Joachim Schipper [mailto:[EMAIL PROTECTED]]
>>> Our situation is that we have a user account that multiple people have access to log into to retrieve files. Each user authenticates to that account with their own SSH key. Current log entry shows:
>>>
>>> Jan 24 11:01:20 sftp sshd[23555]: Accepted publickey for transfers from 10.2.58.44 port 1420 ssh2
>>>
>>> Would be useful to have information logged for the connection identifying the key used to authenticate, by the key comment if possible. Does sshd already have this capability? Would anyone consider this a useful feature addition?
>>
>> Only if you can provide a good reason this can not be implemented as a couple of users and a shared group, combined with a group-writable directory.
>
> We require that the users be chroot'd to the home directory, so we'd probably have to break the chroot to have a commonly writable directory...?

sharing user accounts should be avoided if possible. i can't see why your situation would demand parting with good practices, if there aren't more particularities that you have left out.

tips:

* use permissions and directory structuring creatively.
* you don't have to chroot all the way to the actual homedir.
* users don't even have to have separate homedirs.
* contemplate what user privileges don't mix with chrooting.
* test, test, test.
Re: CGD
Ted Unangst wrote:
> On 1/2/06, Travers Buda <[EMAIL PROTECTED]> wrote:
>> You've made it very clear that CGD won't be imported into OpenBSD, yet you've never explained why, or why you ported it in the first place. Care to let us in on why? I expect your reply will be a short "no" just like a few of your replies to this subject. For what it is worth, I'm asking.
>
> Because, like everyone else, you've failed to pass the articulation test.
>
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=112534721521131&w=2

on a related subject: what's keeping that diff you did to add salting to vnconfig from hitting the tree? (or something like it)

/kami
Re: multi-port NIC cards
Daniel Ouellet wrote:
> May be good, but the bus is PCI only if I am not mistaken looking at the spec. Not even PCI Express or PCI-X, so it would be interesting to see, but if you are concerned about congestion with the Intel one, maybe this would be saturating the bus at 33MHz, or maybe it might go at 66, but surely not 100 or 133 however. I saw some others, but none that support PCI Express as a minimum however. So, I discarded them.

i haven't tested any 4 port nics whatsoever yet, and don't know much about these things, but isn't the theoretical throughput of the 33 MHz 32-bit pci bus around ~1 Gbit/s? so, assuming the system is dedicated to routing, why would a theoretical maximum of ~0.4 Gbit/s be so hard to handle, especially as most of it should stay on the internal pci bus of the nic?

kindly
kami petersen
Re: ccd mirroring and ccdxc
Nick Holland wrote:
> (hint: you can do a CCD of just one disk).
> (hint 2: you can't use the same partition twice, it will generate an error).
> (hint 3: Errors can be your friend, they are not always to be avoided)

warning, spoiler below:

#
# /etc/ccd.conf
# Configuration file for concatenated disk devices
#
# ccd     ileave  flags         component devices
ccd0      16      CCDF_MIRROR   /dev/sd2e /dev/sd3e
ccd0      16      none          /dev/sd2e
ccd0      16      none          /dev/sd3e

now shut down, unplug sd2 and boot. at your own risk.

regards,
kami petersen
Re: Trying to understand iostat output
Markus Wernig wrote:
> I have a system (obsd3.8/sparc64) with 2 identical scsi drives (4 partitions + 1 swap each). The largest partition (10G) is mirrored over the 2 drives as a ccd with interleave factor 16.
>
> And 1.2M/s is rather less than what I'd have expected, is this figure really the disk transfer rate?

my personal experience is that 16 is way too small. spend a few hours benchmarking at increasing interleaves, and then make your decision. for a 2 scsi disk system i ended up with an interleave of 312, judged on the basis of bonnie benchmarking, which lets you trade off raw speed, small writes and cpu load.

/kami
ccd mirroring usefulness?
hi misc,

according to the ccd man pages, which seem to include pretty much as much on this technology as can be found elsewhere, ccd has mirroring capability, but this is not further elaborated. after all this is in GENERIC (as opposed to raidframe), and most things in GENERIC are adequately documented.

it seems trivial to set up, but what kind of functionality can be expected as a disk fails? will the system continue working? how is failure reported? what is the procedure to replace the disk and rebuild a mirrored ccd? - dd?

/kami petersen
Re: openbsd 10 yrs old and nobody puts a story on undeadly?
frantisek holop wrote:
> (what's the deal?)

stop whining and write it yourself ;)

/kami
Re: HP Proliant ML350 G4
Uwe Dippel wrote:
> For some this might be boring, but for others encouraging:
>
> Box off-shelf as above boots properly with cd37.iso
> Broadcom NC7761 Gigabit Server Adapter is recognized
> LSI 53c1030 Duplex U320 is recognized
> The 146 GB 15k drive is recognized
>
> I'll come back later as usual when the problems start to show up
>
> Uwe

good to hear! from the particular machine running generic do something like this:

# dmesg | mail -s "HP Proliant ML350 G4 works OK" [EMAIL PROTECTED]

/kami
dynamic ip aliases?
what are the chances of getting multiple dynamic ip's assigned to one dhclient interface, as can be done with aliases for static ip's?

there's an alias specification in dhclient.conf(5) but it's not really clear whether you would be able to use it to get more than one dynamic ip (assuming that the dhcpd in the other end is willing to provide more).

the reason for all this is that my dsl provider says they are providing up to 5 dynamic ip's, and that could be useful for separating different services behind the firewall without nat.

/kami
Re: sensorsd and mail alert
Antoine Jacoutot wrote:
> How can I make sensorsd or syslog mail me this, without running a parser every minute on /var/log/messages, which looks overkill?

man 5 sensorsd.conf

/kami
Re: Disable/Passprotect single user mode
Dave Feustel wrote:
> On Saturday 27 August 2005 09:08, kami petersen wrote:
>>> Did you miss the line "If someone has physical access to my OpenBSD box"? With physical access, all of your suggestions are easily bypassed with a bios reset.
>>
>> as you are sure you know, that, along with matt's tip, is about as reasonable advice as you can get if you can't physically secure your box, and that's why you can't come up with anything better, smart ass.
>>
>> /kami
>
> Also, Kami is unfamiliar with the details of the disk password.
>
> man atactl
> /secsetpass
>
> Dave Feustel

dave, what are you smoking? please carefully note how i edited out _your_ text so as to indicate _who_ i was addressing and whom i additionally consider being a smartass.

let me rephrase: dear frank. your response is unnecessary and non-constructive. provided that the box in question cannot be physically secured there is little you can practically do other than applying the above methods put forward by dave and matt in order to prevent single user root access.

/kami

ps. except tying your german shepherd to it...
Re: Disable/Passprotect single user mode
> Did you miss the line "If someone has physical access to my OpenBSD box"? With physical access, all of your suggestions are easily bypassed with a bios reset.

as you are sure you know, that, along with matt's tip, is about as reasonable advice as you can get if you can't physically secure your box, and that's why you can't come up with anything better, smart ass.

/kami
Re: uh oh promise card problems
> What would be the best way to use OpenBSD on these systems?

obviously you need to get other controllers (http://openbsd.org/i386.html). then offer to donate the surplus cards to the developers, and maybe someone will do some work on it, i.e. porting it from freebsd.

/kami
Re: Queueing on two interfaces
Fridtjof Busse wrote:
> Hi
>
> Since I didn't get any reply to my initial question, I'll try to be a bit more specific: I've got a machine with three interfaces: One is my SDSL link and the other two are internal. One of the internal interfaces is wired, the other one wireless, using OpenVPN (i.e. tun0). Queueing of traffic leaving the machine is easy, but is there any way to queue incoming traffic without cutting the available bandwidth in half (50% for each interface)? I found a suggestion about using lo1 and binat, but I don't really know how to do that.
>
> E.g., I need to make sure that VOIP traffic arriving via the wired interface is prioritised over all other traffic, even the one that is going to the wireless network. Otherwise, I get heavy distortions if the wireless net uses much bandwidth.
>
> Any way to do this? Maybe bridging? I prefer routing, but I'm grateful for anything... :)
>
> Thanks.

since nobody else seems to have an answer i'll suggest one thing to try:

maybe you could think of it as three separate steps, where arriving traffic from the outside: a) is deprioritized if not voip, then b) gets routed/NATed, then c) can be queued again individually for the internal nets according to other demands.

how? you can't queue arriving traffic on the outside interface since it is already there. this means you might want to think of it as two systems where the most exterior does (a) on its inside interface and the more interior one does (b) and (c) on the two internal network interfaces.

now maybe you could do this within one box using the outside interface and lo1 as a bridge, thus doing step (a) on lo1. then do routing/NAT between lo1 (as the new "exterior" interface) and the internal interfaces like you probably already do, as well as other miscellaneous queueing.

please report back if you succeed.

/kami
Re: notice: layered mounts are gone
> null and union mounts have been deleted.

cool. why?
Re: OpenBSD 3.7 Torrents are now available
andrew fresh wrote:
> You can get OpenBSD 3.7 from the torrent site here:

cool, how about making torrents for the ports and src trees?

/k
Re: File system mirroring for SMTP/POP Servers
>> but when it comes to the mail repository, as far as i know maildir storage is *not* the choice for replication.
>
> Why? Or are you implying that mbox storage is?

no

> Or that neither is?

neither, it's not a problem with maildir, it's a general problem of maintaining files synchronized.

> Basis for the theory?

ok, unison seems to be an option (as in: somebody on google seems to have gotten it to work reasonably). however i prefer to think of replicated instances as being constantly and correctly synchronized. the whole point of qmail and maildirs is that there is never any doubt about what messages exist or not. having something go off on cron even once every five minutes will negate this as well as piss off this particular sysop's overdemanding users. imagine, getting the same spam, twice! this guy uses pop, an imap/webmail service would be even worse off.

i regard reliability as more important than availability when it comes to my mail, userland arrangements like these give me the creeps. i'm suggesting that he should try mitigating the reasons for his unavailability first. users should get used to 99.9% availability, and that's a reasonable figure for a non-replicated system. or look into some database system with built-in replication functionality.

anyway, have you any good examples to throw back at me?

/k
Re: File system mirroring for SMTP/POP Servers
Mario Lopez wrote:
> I'm sorry I didn't mention it earlier, we use NetQMAIL + VPOPMAIL + mysql centralized auth.

with this kind of setup you should be able to get insane availability figures using standard tricks like ups, quality hardware (no ata), conservative time-proven settings, raid... (i do) having two cheaper boxes set up with some fancy replication clustering between them will likely be more trouble than one expensive one.

my guess is that your weakest point is mysql. you shouldn't find it too hard to have the auth part replicated, but when it comes to the mail repository, as far as i know maildir storage is *not* the choice for replication.

/k