Re: poptop connection problem
Richard P. Koett wrote:
> I installed -current (i386), downloaded src ports, and installed poptop-1.3.0 and pptp-1.7.1p0. Trying to establish a pptp connection fails, and the following is logged in /var/log/daemon:
>
>     Oct 5 13:31:58 gateway ppp[25094]: Warning: Label plugin rejected -direct connection: Configuration label not found

Answering my own question for archive purposes: the workaround was to delete the logwtmp line in /etc/pptpd.conf.
poptop connection problem
I'd appreciate some advice to sort out a problem using poptop-1.3.0 from ports. If there is a more appropriate forum for asking about this, please excuse my post and point me to the right place.

I installed -current (i386), downloaded src ports, and installed poptop-1.3.0 and pptp-1.7.1p0. I compiled a new kernel to add a few more tun devices. No other changes were made to the GENERIC kernel. 'sysctl net.inet.gre.allow' shows 'net.inet.gre.allow=1'.

Trying to establish a pptp connection fails, and the following is logged in /var/log/daemon:

    Oct 5 13:31:58 gateway ppp[25094]: Warning: Label plugin rejected -direct connection: Configuration label not found

Any advice would be appreciated. Some configuration information is listed below. If I've omitted any information that would help please let me know.

/etc/pptpd.conf:

    option /etc/ppp/options.pptpd
    logwtmp
    localip 192.168.191.254
    remoteip 192.168.191.240-249
    noipparam

/etc/ppp/options.pptpd:

    name pptpsrv
    lock
    mtu 1450
    mru 1450
    proxyarp
    auth
    +chapms-v2
    ipcp-accept-local
    ipcp-accept-remote
    lcp-echo-failure 3
    lcp-echo-interval 5
    deflate 0
    mppe-128
    #mppe-40
    mppe-stateless

/etc/ppp/ppp.conf:

    pptp:
     accept dns
     enable mschapv2
     enable proxy
     disable ipv6cp
     # set log phase lcp ipcp command
     set timeout 0
     set ifaddr 192.168.191.254 192.168.191.240-192.168.191.249
     set dns 192.168.191.5
     set nbns 192.168.191.5

Thanks in advance for any pointers.

Richard Koett.
Re: PoPToP Vulnerability Question
Joel Sing wrote:
> Note that that exploit is for versions earlier than 1.1.4.b3 - the previous ports version was 1.1.4.b4, which one would presume is patched for this vulnerability. Obviously this assumes that no other exploits have been found since version 1.1.4.b4.

The audit I was shown stated that vulnerable versions are prior to 1.1.4-bs. These version numbers seem to follow a pattern I don't understand. Would I be correct in interpreting bs as later than b3p1?
Re: PoPToP Vulnerability Question
Stuart Henderson wrote:
> On 2008/01/29 09:20, Richard P. Koett wrote:
>> The audit I was shown stated that vulnerable versions are prior to 1.1.4-bs. These version numbers seem to follow a pattern I don't understand. Would I be correct in interpreting bs as later than b3p1?
>
> sure that's bs not b5?

I'm beginning to suspect it's a typo and I'm seeking clarification from the auditors. Thanks to all who replied to this thread.
PoPToP Vulnerability Question
Dear Misc: I've been asked to look into an issue on a i386 system running OpenBSD 3.7. I realize this is rather out-of-date, so feel free to ignore this question if it's inappropriate... The machine is running poptop-1.1.4.b4p1. Someone did an audit and declared PoPToP servers prior to version 1.1.4-bs are vulnerable to a buffer overflow. I notice that even the current version of OpenBSD has a package for poptop-1.1.4.b4p1, so I find it hard to believe that this version contains a known buffer overflow. My question is - what information can I provide the auditor to assure them of this? Thanks in advance for any comments. For what it's worth I am aware of alternatives to PoPToP such as OpenVPN. RPK.
Re: PoPToP Vulnerability Question
Axton wrote:
> On Jan 28, 2008 11:05 PM, Richard P. Koett wrote:
>> Dear Misc: I've been asked to look into an issue on a i386 system running OpenBSD 3.7. I realize this is rather out-of-date, so feel free to ignore this question if it's inappropriate... The machine is running poptop-1.1.4.b4p1. Someone did an audit and declared PoPToP servers prior to version 1.1.4-bs are vulnerable to a buffer overflow. I notice that even the current version of OpenBSD has a package for poptop-1.1.4.b4p1, so I find it hard to believe that this version contains a known buffer overflow. My question is - what information can I provide the auditor to assure them of this? Thanks in advance for any comments. For what it's worth I am aware of alternatives to PoPToP such as OpenVPN. RPK.
>
> http://www.openbsd.org/faq/faq15.html#Intro
>
> See the third paragraph in this section.

Yes, I understand that packages are not audited as the base system is. It just seemed unlikely to me that the PoPToP version in packages would remain unchanged through 6 different releases of OpenBSD if it was known to have a buffer overflow.
Re: PoPToP Vulnerability Question
Eduardo Tongson wrote:
> Did you look at ports if it has patch applied for the vulnerability? The administrator of that OpenBSD machine should already be aware of the installed software. It is not an automagical secure system after all.

I don't mean to imply that I expect ports to be automagically secure. I'm merely trying to find out if the package in use (poptop-1.1.4.b4p1) requires patching or replacement. I don't see a newer version in the current packages.

Thanks, RPK.
dhcpd question
I'm building a firewall/router for a small private network. The external network interface uses dhclient. The internal interface will run dhcpd. Rather than hard-coding 'option domain-name-servers' in dhcpd.conf I'd like dhcpd to pass whatever nameservers were received by the dhclient running on the other interface. Is there a recommended way to accomplish this? Thanks in advance for any thoughts or advice. RPK.
ifconfig question
I received some very useful advice from this list a short while ago when I was having problems with throughput on a Soekris firewall. The issue turned out to be a problem with Ethernet autoselect and I thought I had worked around it effectively. The problem has now reappeared, however, and I would appreciate some further advice.

Background: My OS version is:

    OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006
        [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

My original problem showed up when sis0 was configured like this:

    sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            media: Ethernet autoselect (100baseTX full-duplex)

I changed /etc/hostname.sis0 from

    dhcp NONE NONE NONE

to

    dhcp media 10baseT

This resulted in ifconfig showing this:

    sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            media: Ethernet 10baseT

With these settings things were working great. Yesterday we had to reboot a few things and users later reported throughput problems again. I checked ifconfig and found the following:

    sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            media: Ethernet 10baseT (100baseTX full-duplex)

I thought that my hostname.sis0 would prevent 100baseTX full-duplex but apparently not. The man page says to use ifconfig -m to see the available options:

    # ifconfig -m sis0
    sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:24:c6:df:34
            groups: egress
            media: Ethernet 10baseT (100baseTX full-duplex)
            status: active
            supported media:
                    media none
                    media 10baseT
                    media 10baseT mediaopt full-duplex
                    media 100baseTX
                    media 100baseTX mediaopt full-duplex
                    media autoselect

There is no option for media 10baseT mediaopt half-duplex, so I tried to correct the settings by doing ifconfig sis0 media 10baseT. The settings didn't change, however:

    sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            media: Ethernet 10baseT (100baseTX full-duplex)

Then I did ifconfig sis0 media 100baseTX followed by ifconfig sis0 10baseT and things went back to normal:

    sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            media: Ethernet 10baseT

What I don't understand is how I ended up getting 100baseTX full-duplex to begin with, having dhcp media 10baseT in hostname.sis0. Is there something else I can do to ensure that the correct setting is always applied?

Thanks, RPK.
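As an added example (not from the thread), the check below parses ifconfig output and compares it with the media setting in each /etc/hostname.if, flagging the "forced 10baseT but link running 100baseTX full-duplex" state shown above as well as interfaces left on autoselect; the ifconfig output and hostname.if contents are constructed to mirror the ones quoted in this thread.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the ifconfig output quoted in this thread
# (angle brackets restored); sis0 shows the failure mode: a forced 10baseT
# setting with the link actually running at 100baseTX full-duplex.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:24:c6:df:34
        groups: egress
        media: Ethernet 10baseT (100baseTX full-duplex)
        status: active
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
sis2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        media: Ethernet autoselect (none)
        status: no carrier
"""

# Constructed /etc/hostname.if contents (hypothetical, one line per interface).
SAMPLE_HOSTNAME_IF = {
    "sis0": "dhcp media 10baseT",
    "sis1": "inet 192.168.5.254 255.255.255.0 NONE",
    "sis2": "up media 100baseTX mediaopt full-duplex",
}

IFACE_RE = re.compile(r"^(\S+): flags=")
# "media: Ethernet <configured> (<active>)"; the parenthesised part is absent
# when a forced setting took effect, and reads "none" when there is no carrier.
MEDIA_RE = re.compile(r"^\s*media:\s+(\S+)\s+(.+?)(?:\s+\((.*)\))?\s*$")
STATUS_RE = re.compile(r"^\s*status:\s+(.+?)\s*$")


def parse_media(ifconfig_output: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each interface to its configured media, active link media and status."""
    ifaces: Dict[str, Dict[str, Optional[str]]] = {}
    current = None
    for line in ifconfig_output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = {"configured": None, "active": None, "status": None}
            continue
        if current is None:
            continue
        m = MEDIA_RE.match(line)
        if m:
            ifaces[current]["configured"] = m.group(2).strip()
            ifaces[current]["active"] = m.group(3)   # None when no "(...)" part
            continue
        m = STATUS_RE.match(line)
        if m:
            ifaces[current]["status"] = m.group(1)
    return ifaces


def hostname_if_media(hostname_if: str) -> Optional[str]:
    """Return 'X' or 'X Y' from 'media X [mediaopt Y]' in a hostname.if line, else None."""
    tokens = hostname_if.split()
    media = None
    for i, tok in enumerate(tokens[:-1]):
        if tok == "media":
            media = tokens[i + 1]
        elif tok == "mediaopt" and media is not None:
            media += " " + tokens[i + 1]
    return media


def audit_media(ifconfig_output: str, hostname_ifs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare the media each hostname.if asks for with the live ifconfig state.

    Returns (interface, finding) pairs, sorted by interface name.
    """
    findings: List[Tuple[str, str]] = []
    live = parse_media(ifconfig_output)
    for name, hostname_if in sorted(hostname_ifs.items()):
        wanted = hostname_if_media(hostname_if)
        info = live.get(name)
        if info is None:
            findings.append((name, "interface not present in ifconfig output"))
            continue
        configured, active = info["configured"], info["active"]
        if wanted is None:
            if configured == "autoselect":
                findings.append((name, "autoselect: no media forced in hostname.if"))
            continue
        if configured != wanted:
            findings.append((name, "hostname.if wants %s but interface is configured %s"
                             % (wanted, configured)))
        elif active not in (None, "none") and active != wanted:
            # The case from the thread: forced setting accepted, link negotiated differently.
            findings.append((name, "forced %s but link is running %s" % (wanted, active)))
    return findings
```

Run after every reboot (or from a cron job) against the real `ifconfig` output, an empty result means the forced media and the live link agree.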
Re: ifconfig question
Stuart Henderson wrote:
> On 2006/10/27 09:44, Richard P. Koett wrote:
>> I received some very useful advice from this list a short while ago when I was having problems with throughput on a Soekris firewall. The issue turned out to be a problem with Ethernet autoselect and I thought I had worked around it effectively. The problem has now reappeared, however, and I would appreciate some further advice.
>
> smells like http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=4139

Smells a LOT like that :) Thanks for the pointer.

RPK.
Soekris network problems - 48 hour deadline
I'm having throughput problems using a Soekris net4801 as a firewall running OpenBSD 3.9. This is replacing a SonicWALL device that was working fine from the user's perspective. (I want to replace it because, among other things, I abhor SonicWALL's licensing). I won't post a dmesg unless requested because I think this platform is pretty well known.

Hosts on the internal network are able to access the Internet but report that access seems slow. Some operations fail consistently. For example, users can send and receive e-mails but can't send e-mail with attachments larger than about 20K. I ran a browser-based ADSL speed test from an internal host and found download speeds to be quite good but upload tests fail to complete.

I found a few similar problems in the archives but the posted solutions haven't worked for me. I can't see that pf is blocking anything I want passed. At the moment I am running a stripped down pf.conf as follows:

    # DECLARATIONS:
    Ext_If=sis0
    Int_If=sis1
    DMZ_If=sis2
    Int_Net=192.168.5.0/24

    # OPTIONS:
    set loginterface $Ext_If

    # NAT / REDIRECTION:
    nat on $Ext_If from $Int_Net to any -> ($Ext_If)
    rdr on $Ext_If inet proto tcp from any to ($Ext_If) port 3391 \
        -> 192.168.5.1 port 3391
    rdr on $Ext_If inet proto tcp from any to ($Ext_If) port 3392 \
        -> 192.168.5.2 port 3392

I think I can rule out things like speed and duplex problems between the Soekris and the local switch because the problem only affects outbound traffic. I tried a few scrub options to no avail but may not have been doing the right thing.

I would really appreciate any suggestions on how to troubleshoot this. If I can't get this resolved by Monday morning I'm going to take some heat.

Thanks, RPK.
Re: Soekris network problems - 48 hour deadline
Matthew Closson wrote:
> On Sat, 14 Oct 2006, Richard P. Koett wrote:
>> I'm having throughput problems using a Soekris net4801 as a firewall running OpenBSD 3.9. This is replacing a SonicWALL device that was working fine from the user's perspective. (I want to replace it because, among other things, I abhor SonicWALL's licensing). I won't post a dmesg unless requested because I think this platform is pretty well known.
>>
>> Hosts on the internal network are able to access the Internet but report that access seems slow. Some operations fail consistently. For example, users can send and receive e-mails but can't send e-mail with attachments larger than about 20K. I ran a browser-based ADSL speed test from an internal host and found download speeds to be quite good but upload tests fail to complete.
>>
>> I found a few similar problems in the archives but the posted solutions haven't worked for me. I can't see that pf is blocking anything I want passed. At the moment I am running a stripped down pf.conf as follows:
>>
>>     # DECLARATIONS:
>>     Ext_If=sis0
>>     Int_If=sis1
>>     DMZ_If=sis2
>>     Int_Net=192.168.5.0/24
>>
>>     # OPTIONS:
>>     set loginterface $Ext_If
>>
>>     # NAT / REDIRECTION:
>>     nat on $Ext_If from $Int_Net to any -> ($Ext_If)
>>     rdr on $Ext_If inet proto tcp from any to ($Ext_If) port 3391 \
>>         -> 192.168.5.1 port 3391
>>     rdr on $Ext_If inet proto tcp from any to ($Ext_If) port 3392 \
>>         -> 192.168.5.2 port 3392
>>
>> I think I can rule out things like speed and duplex problems between the Soekris and the local switch because the problem only affects outbound traffic. I tried a few scrub options to no avail but may not have been doing the right thing.
>>
>> I would really appreciate any suggestions on how to troubleshoot this. If I can't get this resolved by Monday morning I'm going to take some heat.
>>
>> Thanks, RPK.
>
> What kind of link is sis0 on? Do you know what your interface MTU was set to on the SonicWall?
>
> -Matt-

sis0 is connected to a D-Link ADSL modem - not sure of the exact model. ifconfig shows the following details:

    # ifconfig
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
            groups: lo
            inet 127.0.0.1 netmask 0xff00
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
    sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:24:c6:df:34
            groups: egress
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet6 fe80::200:24ff:fec6:df34%sis0 prefixlen 64 scopeid 0x1
            inet xxx.xxx.xxx.xxx netmask 0xfe00 broadcast xxx.xxx.xxx.xxx
    sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:24:c6:df:35
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet 192.168.5.254 netmask 0xff00 broadcast 192.168.5.255
            inet6 fe80::200:24ff:fec6:df35%sis1 prefixlen 64 scopeid 0x2
    sis2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:24:c6:df:36
            media: Ethernet autoselect (none)
            status: no carrier
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
    pfsync0: flags=0<> mtu 1460
    enc0: flags=0<> mtu 1536

I don't know what MTU the SonicWALL was using but I'm sure it would have been whatever the default setting is on a SonicWALL SOHO3.
Re: Soekris network problems - 48 hour deadline
Adriaan wrote:
> On 10/14/06, Richard P. Koett wrote:
>> I'm having throughput problems using a Soekris net4801 as a firewall running OpenBSD 3.9. This is replacing a SonicWALL device that was working fine from the user's perspective. (I want to replace it because, among other things, I abhor SonicWALL's licensing). I won't post a dmesg unless requested because I think this platform is pretty well known.
>>
>> Hosts on the internal network are able to access the Internet but report that access seems slow. Some operations fail consistently. For example, users can send and receive e-mails but can't send e-mail with attachments larger than about 20K. I ran a browser-based ADSL speed test from an internal host and found download speeds to be quite good but upload tests fail to complete.
>>
>> I found a few similar problems in the archives but the posted solutions haven't worked for me. I can't see that pf is blocking anything I want passed. At the moment I am running a stripped down pf.conf as follows:
>>
>>     # DECLARATIONS:
>>     Ext_If=sis0
>>     Int_If=sis1
>>     DMZ_If=sis2
>>     Int_Net=192.168.5.0/24
>>
>>     # OPTIONS:
>>     set loginterface $Ext_If
>>
>>     # NAT / REDIRECTION:
>>     nat on $Ext_If from $Int_Net to any -> ($Ext_If)
>>     rdr on $Ext_If inet proto tcp from any to ($Ext_If) port 3391 \
>>         -> 192.168.5.1 port 3391
>>     rdr on $Ext_If inet proto tcp from any to ($Ext_If) port 3392 \
>>         -> 192.168.5.2 port 3392
>>
>> I think I can rule out things like speed and duplex problems between the Soekris and the local switch because the problem only affects outbound traffic. I tried a few scrub options to no avail but may not have been doing the right thing.
>>
>> I would really appreciate any suggestions on how to troubleshoot this. If I can't get this resolved by Monday morning I'm going to take some heat.
>
> Do netstat -in, netstat -s or netstat -ss give any clues?

netstat -in lists no errors or collisions. Below is the output from netstat -ss and netstat -s. I'm not sure what to make of it:

    # netstat -ss
    ip:
            241379 total packets received
            3302 packets for this host
            1 packet for unknown/unsupported protocol
            236784 packets forwarded
            3 packets not forwardable
            3048 packets sent from this host
    icmp:
            495 calls to icmp_error
            Output packet histogram:
                    echo reply: 180
                    destination unreachable: 495
            Input packet histogram:
                    destination unreachable: 1
                    echo: 180
            180 message responses generated
    igmp:
    ipencap:
    tcp:
            1234 packets sent
                    1017 data packets (161279 bytes)
                    27 data packets (17252 bytes) retransmitted
                    153 ack-only packets (775 delayed)
                    37 control packets
            1737 packets received
                    762 acks (for 151461 bytes)
                    222 duplicate acks
                    808 packets (28599 bytes) received in-sequence
                    9 completely duplicate packets (252 bytes)
                    10 out-of-order packets (80 bytes)
                    4 window update packets
                    1737 packets hardware-checksummed
            6 connection requests
            26 connection accepts
            32 connections established (including accepts)
            57 connections closed (including 0 drops)
            717 segments updated rtt (of 729 attempts)
            26 retransmit timeouts
            3 correct ACK header predictions
            457 correct data packet header predictions
            308 PCB cache misses
            cwr by fastrecovery: 26
            cwr by timeout: 26
            26 SYN cache entries added
                    26 completed
            26 SACK recovery episodes
            34 segment rexmits in SACK recovery episodes
            8552 byte rexmits in SACK recovery episodes
            202 SACK options received
            1 SACK option sent
    udp:
            1385 datagrams received
            5 with no checksum
            1380 input packets hardware-checksummed
            99 dropped due to no socket
            1260 broadcast/multicast datagrams dropped due to no socket
            26 delivered
            27 datagrams output
            100 missed PCB cache
    esp:
    ah:
    etherip:
    ipcomp:
    carp:
    pfsync:
    ip6:
            12 packets sent from this host
            Mbuf statistics:
    icmp6:
            Output packet histogram:
                    multicast listener report: 10
                    neighbor solicitation: 2
            Histogram of error messages to be generated:
    pim6:
    rip6:

    --

    # netstat -s
    (Note: Some parts omitted for brevity where all entries were zeros)
    ip:
            241674 total packets received
            0 bad header checksums
            0 with size smaller than minimum
            0 with data size < data length
            0 with header length < data size
            0 with data length < header length
            0 with bad options
            0 with incorrect version number
            0 fragments received
            0
Re: Soekris network problems - 48 hour deadline
Stuart Henderson wrote:
> On 2006/10/14 00:56, Richard P. Koett wrote:
>> known. Hosts on the internal network are able to access the Internet but report that access seems slow. Some operations fail consistently. For example, users can send and receive e-mails but can't send e-mail with attachments larger than about 20K. I ran a browser-based ADSL speed test from an internal host and found download speeds to be quite good but upload tests fail to complete.
>>
>> I tried a few scrub options to no avail
>
> which ones, did you try the max-mss I suggested? if 1440 is no good try a bit lower. it sounds very likely that you have MTU problems and max-mss will work around that (at least for TCP).

I tried the following variations:

    scrub out on sis0 max-mss 1440
    scrub out max-mss 1440
    scrub max-mss 1440
    scrub max-mss 1400

Should I keep going lower, or try some other variation?
Re: Soekris network problems - 48 hour deadline - SOLVED!!
A huge thank you to all who offered advice on my network problem. It appears that the problem has been fixed by changing hostname.sis0 from

    dhcp NONE NONE NONE

to

    dhcp media 10baseT

Previous output from ifconfig showed:

    sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            media: Ethernet autoselect (100baseTX full-duplex)

It now shows:

    sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            media: Ethernet 10baseT

I guess it was a stupid autonegotiation problem after all. I didn't know that could affect traffic in only 1 direction. Live and learn :)

At this point I have reloaded my full pf rule set. Unless doing so introduces a new problem I believe things are fine. The advice I received from the list has been educational and much appreciated as always.

RPK.
Re: Custom kernel for Soekris net4801-50
Laurent Salle wrote:
> Richard P. Koett wrote:
>> I'm setting up a Soekris net4801-50 (128 Mb RAM) for use as a firewall. For storage it has a 40Gb IDE drive rather than compact flash. For my first attempt I used a generic install of OpenBSD 3.9. The user complained that Internet access seemed slow, however. I'm planning to try again using a custom kernel based on the config file included with Chris Cappuccio's Flashdist installer. (A copy is provided below for reference). Is this a good idea?
>
> Are you using PPPOE in your setup? It may be the culprit of your bad performance.
>
> I've setup 4 Soekris 4501 boxes as routers for small offices with an ADSL link to the Internet. For one of these installations, the ADSL link speed was above 1 Mb/s (8Mb/s), and when using the userland PPPOE the CPU load was around 75% and the available bandwidth was poor. After modifying the configuration to use the kernel PPPOE instead, the CPU load and the available bandwidth became normal. With ADSL links at 512kb/s I've not seen any difference in CPU load or throughputs between userland and kernel PPPOE.
>
> I've always used unmodified OpenBSD kernels with Soekris boxes.
>
> See:
> Kernel PPPOE: http://www.openbsd.org/cgi-bin/man.cgi?query=pppoe&sektion=4
> Userland PPPOE: http://www.openbsd.org/cgi-bin/man.cgi?query=pppoe&sektion=8

Laurent: I'm not using PPPoE but I appreciate the information. I've decided to stick with a generic kernel also.

Thanks, RPK.
Custom kernel for Soekris net4801-50
I'm setting up a Soekris net4801-50 (128 Mb RAM) for use as a firewall. For storage it has a 40Gb IDE drive rather than compact flash. For my first attempt I used a generic install of OpenBSD 3.9. The user complained that Internet access seemed slow, however. I'm planning to try again using a custom kernel based on the config file included with Chris Cappuccio's Flashdist installer. (A copy is provided below for reference). Is this a good idea?

If I go this route I expect I should comment out the MFS option in the Flashdist config since I'm not using compact flash, and uncomment FFS_SOFTUPDATES. Would anyone care to suggest other changes I should make to this config file for my scenario? Any other advice would be appreciated. I have no previous experience with Soekris products and very little experience with custom kernels.

I realize that this list is not for supporting people using custom kernels but I hope it's okay to ask a few general questions like this.

Thanks, RPK.

    # OpenBSD config for networking on the Soekris Engineering
    # net4801 embedded systems-
    # [EMAIL PROTECTED]

    machine         i386            # architecture, used by config; REQUIRED

    #option         NTP             # hooks supporting the Network Time Protocol

    option          DDB             # in-kernel debugger
    #option         DDB_SAFE_CONSOLE # allow break into ddb during boot
    #makeoptions    DEBUG="-g"      # compile full symbol table
    #makeoptions    PROF="-pg"      # build profiled kernel
    #option         GPROF           # kernel profiling, kgmon(8)
    option          DIAGNOSTIC      # internal consistency checks
    option          KTRACE          # system call tracing, a la ktrace(1)
    #option         KMEMSTATS       # collect malloc(9) statistics

    option          CRYPTO          # Cryptographic framework

    option          FFS             # UFS
    option          MFS             # Memory FS
    #option         FFS_SOFTUPDATES # Soft updates

    option          TCP_SACK        # Selective Acknowledgements for TCP
    #option         TCP_FACK        # Forward Acknowledgements for TCP
    option          TCP_SIGNATURE   # TCP MD5 Signatures, for BGP routing sessions

    option          FDESC           # /dev/fd
    option          FIFO            # FIFOs; RECOMMENDED
    option          KERNFS          # /kern
    #option         NULLFS          # loopback file system
    option          PROCFS          # /proc
    #option         UMAPFS          # NULLFS + uid and gid remapping

    option          INET            # IP + ICMP + TCP + UDP
    option          ALTQ            # ALTQ base
    #option         ALTQ_NOPCC      # We don't have Pentium features on 486
    # NOPCC may be necessary if the Geode's TSC is really as buggy as it sounds
    #option         INET6           # IPv6 (needs INET)
    #option         PULLDOWN_TEST   # use m_pulldown for IPv6 packet parsing
    option          IPSEC           # IPsec
    #option         PPP_BSDCOMP     # PPP BSD compression
    #option         PPP_DEFLATE

    option          BOOT_CONFIG     # add support for boot -c

    #option         I486_CPU
    option          I586_CPU
    #option         I686_CPU

    option          USER_PCICONF    # user-space PCI configuration

    #option         KGDB            # Remote debugger support; exclusive of DDB
    #option         KGDB_DEVNAME=\pccom\,KGDBADDR=0x2f8,KGDBRATE=9600

    #option         DUMMY_NOPS      # speed hack; recommended

    # Work around -current breakage
    option          PTRACE

    maxusers        32              # estimated number of users

    config          bsd root on wd0a

    mainbus0 at root

    cpu0    at mainbus0
    bios0   at mainbus0
    apm0    at bios0 flags 0x       # flags 0x0101 to force protocol version 1.1
    pcibios0 at bios0 flags 0x      # use 0x30 for a total verbose

    isa0    at mainbus0
    isa0    at pcib?
    pci*    at mainbus0

    ohci*   at pci?                 # Open Host Controller
    usb*    at ohci?

    #
    # The MediaGX (Geode) uses a PIT clock at standard frequency so there is
    # no special setting here like there is for the Elan SC520
    #

    option          PCCOMCONSOLE
    option          CONSPEED=19200
    option          PCIVERBOSE

    uhub*   at usb?                 # USB Hubs
    uhub*   at uhub?                # USB Hubs
    umodem* at uhub?                # USB Modems/Serial
    ucom*   at umodem?
    #ubsa*  at uhub?                # Belkin serial adapter
    #ucom*  at ubsa?
    #uftdi* at uhub?                # FTDI FT8U100AX serial adapter
    #ucom*  at uftdi?
    #uplcom* at uhub?               # I/O DATA USB-RSAQ2 serial adapter
    #ucom*  at uplcom?
    #umct*  at uhub?                # MCT USB-RS232 serial adapter
    #ucom*  at umct?
    #uaudio* at uhub?               # USB Audio
    #umidi* at uhub?
    #ulpt*  at uhub?                # USB Printers
    #umass* at uhub?                # USB Mass Storage devices
    #scsibus* at umass?
    #aue*   at uhub?                # ADMtek AN986 Pegasus Ethernet
    #cue*   at uhub?                # CATC USB-EL1201A based Ethernet
    #kue*   at uhub?                # Kawasaki KL5KUSB101B based Ethernet
    #upl*   at uhub?                # Prolific
Re: Custom kernel for Soekris net4801-50
Chris Kuethe wrote:
> Theo builds my custom kernel... it's called GENERIC. I've been running GENERIC on a CF-based soekris (both 4501 and 4801) for about 5 years to no ill effect.
>
> CK

Chris: I'm a pretty big fan of Theo's kernels as well. I just wasn't sure if this particular device needed special treatment. Are you using the 128M version or the 256M version of the 4801?

Thanks, RPK.
Re: Custom kernel for Soekris net4801-50
Bryan Vyhmeister wrote:
> The Soekris kernel configs from flashdist are the best way to go. You do not need to remove the MFS option but I would add the FFS_SOFTUPDATES option. The MFS option is used for building a file system in virtual memory. It has nothing to do with compact flash cards. Those are still supported using FFS. I would leave MFS support in the kernel. You can find out more from mfs(8).
>
> Bryan

I thought that since I'm not using compact flash (and don't care about writing to disk) I'd have no need to build a filesystem in virtual memory? That being said I'm sure it won't hurt to leave it in. Based on other people's responses it sounds like no kernel customization is even required on this device.

Thanks, RPK.
Re: Custom kernel for Soekris net4801-50
Stuart Henderson wrote:
> On 2006/10/04 10:42, Richard P. Koett wrote:
>> I'm setting up a Soekris net4801-50 (128 Mb RAM) for use as a firewall. For storage it has a 40Gb IDE drive rather than compact flash. For my first attempt I used a generic install of OpenBSD 3.9. The user complained that Internet access seemed slow, however. I'm planning to try again using a custom kernel based on the config file included with Chris Cappuccio's Flashdist installer. (A copy is provided below for reference). Is this a good idea?
>
> I don't think a custom kernel will help internet access speeds. There are some reasons you might want (or need) to use a custom kernel, this isn't one of them...
>
> Slow in comparison to what? If you can give some more idea about 'seemed slow' that might help. Quantitative data especially. Collecting that data might give you your own clues too. Any particular sites or everywhere? Any particular protocols? Has the way DNS is being done changed? Are you using PF? Are the network interfaces configured properly (esp. duplex setting)? etc. etc.

The device was reported to be slow in comparison to their previous router - a SonicWALL SOHO3. I know that the SonicWALL is a highly optimized device. This led me to think I might need some optimization to compete. I didn't do any quantitative speed measurements at the time. I'm just going on qualitative comments from the users.

As for your other questions, there was particular mention of e-mail seeming slow. My first thought was that I was filtering IDENT connections without sending a reset packet (yes, I'm using pf) but that wasn't the case. DNS hasn't changed. I'll check the duplex settings etc. when I reinstall the device. If I continue to have speed problems on my second attempt I'll post some quantitative information.

Thanks very much for assisting.

RPK.
Re: Alpha Disklabel Question
Martin Reindl wrote:
> J.C. Roberts wrote:
>> On Sat, 17 Dec 2005 18:03:21 +0100, Martin Reindl wrote:
>>> J.C. Roberts wrote:
>>>> On Fri, 16 Dec 2005 13:50:48 -0800, J.C. Roberts wrote:
>>>>> (2) When doing the installation disklabel, the suggested starting offset for the 'a' partition is 0? I know using an offset of 0 is discouraged on i386 and other systems (default is 63), so I figured I'd ask if using a 0 offset is the best/correct way for alpha?
>>>>
>>>> Just for those searching the misc@ archives... I received info off-list that disklabel is doing the right thing by using an offset of 0 on the alpha architecture.
>>>
>>> I wonder anyway how you got the impression it was doing wrong and the offset would be 63 for the first slice. FAQ 14.1 only talks about i386 and amd64 under 'Disklabel tricks and tips/Leave first track free'. It's clear imo.
>>
>> There's a difference between thinking disklabel is doing the wrong thing and just making sure it's doing the right thing. ;-)
>>
>> The alpha PSW is a weird beast with its Dual BIOS where the first AlphaBIOS/ARC is for running WinNT4 with x86 BIOS emulation support and the second, the SRM Console, is for running Tru64 and OpenVMS. The guys I've talked to at Digital/Compaq/HP told me the multitude of alpha SRM's are very much closed source (due to the fact they control VMS licensing/revenue) and obviously, each SRM is specifically built for each machine model. On the weird machines like the PSW where multi/dual-booting NT, VMS and OSF/1 can be done, there *might* be some mad hackery in this particular SRM with a requirement for keeping the first (logical) track free for the MBR.
>>
>> From what I've read, I think the way the linux guys have hacked a way into supporting the use of AlphaBIOS/ARC on the PSW is by having the MBR and a small FAT partition for lilo and such. This same approach is used on the PSW when running WinNT4 with NTFS.
>>
>> In a situation where you are *only* running OpenBSD, using an offset of 0 is probably just fine. On the other hand, if you happen to have WinNT installed someplace (i.e. installed on another disk), the supposedly harmless tag that NT writes on all disks might make a real mess of your OBSD install.
>>
>> The problem is not so much that the OpenBSD docs are unclear, instead, the problem is the setup of a particular machine, particularly in multi-boot configs, can be very convoluted. I only asked because I'm just trying to *understand* what the heck I'm doing and what all the possible ramifications are. -In other words, curiosity. ;-)
>
> So the only problem now is documenting how to multiboot OpenBSD and WinNT on alpha? Pardon me, but i don't expect Nick to put up a section about this in the FAQ. Especially since it would involve explaining AlphaBIOS fiddling which has nothing to do with OpenBSD and is a major PITA anyway.
>
> martin

Lighten up a bit man. There is nothing in J.C.'s post that implies he expects a section about this in the FAQ. Maybe there ought to be a section in the FAQ about how even the most tangential reference to it on misc is like kicking a chicken coop.
Re: Trigger on user logout?
Uosis L wrote:
> Hi, I'm trying to make an encrypted home directory which is mounted/unmounted on login/logout. Mounting it on login was the easy part ( with a custom login style ), but is there any way to unmount it on logout ( short from modifying init ) ? I want to alter the system as little as possible, so I'm kinda reluctant to modify such a key component as init. I hope I missed something, but the only places I see where those 2 function calls (unmount and ioctl) could be inserted are the shell ( ugly ugly ) or the init. If anybody has any ideas, I would really appreciate advice. Thanks.

I'm not sure why you say using the shell is ugly. With /bin/sh you could add something like this to your .profile:

    trap "/sbin/umount $HOME" EXIT
Re: Trigger on user logout?
Uosis L wrote:
> Thanks for the advice. All these methods would definitely work, but the problem with the shell logout file is that vnconfig/umount both need to be executed as root.

I think you can work around that requirement with kern.usermount and file permissions. Have a look at:

http://www.monkey.org/openbsd/archive/misc/0309/msg01664.html
Re: Anyone tried this hardware raid solution?
Jean-Daniel Beaubien wrote: Hi everyone, I am wondering if anyone tried this (http://www.allmediait.com/html/araid.html) hardware raid solution. It seems to only support PATA. Anyways I was just wondering if anyone had any experiences with this box. Anyone ever compared it to an Accusys 7500? On a side note, anyone knows hardware raid solution similar to this or to Accusys's 7500 solution but SATA? I've been using these in a few places for disk-based backups that we take offsite. Good results so far. There are also SATA versions. Contact me off list for more info.
Re: Etiquette re: unanswered questions
Stuart Henderson wrote: --On 29 September 2005 20:54 -0700, Richard P. Koett wrote: This machine has two interfaces - 'ne3' facing the Internet and 'rl0' facing a small (3 computer) internal network. I am *assuming* that the log entries pertain to the external interface but tcpdump is not broken nic somewhere? bad switch? strange packets coming from adsl-ethernet bridge? ...are there any identifiable words in output with -Xs1500 flags? Well thanks! You just showed me something new. Nothing intelligible in the output though... 10:29:44.788968 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 : 0010: 0002 ..yy 0020: ff7f a249 0100 yyy...cI 0030: 4500 0030 6582 4000 7506 fa7c 40c1 [EMAIL PROTECTED]|@A 0040: 95e3 40b4 8e70 06a0 01bd 85d6 74cf [EMAIL PROTECTED] .?.OtI.. 0050: .. 10:34:10.125979 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 : 0010: 0002 ..yy 0020: ff7f a249 0100 yyy...cI 0030: 4500 0030 f1b4 4000 7006 c61b 43ae [EMAIL PROTECTED] 0040: 4025 40b4 8e70 0eeb 3b0e 2cfd c672 @[EMAIL PROTECTED];.,yAr.. 0050: .. 10:34:10.736761 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 : 0010: 0002 ..yy 0020: ff7f a249 0100 yyy...cI 0030: 4500 0030 f2ae 4000 7006 c521 43ae [EMAIL PROTECTED] 0040: 4025 40b4 8e70 0eeb 3b0e 2cfd c672 @[EMAIL PROTECTED];.,yAr.. 0050: .. I'm going to try reseating the NIC as Darren Tucker suggested and see what happens.
Re: Etiquette re: unanswered questions
L. V. Lammert wrote: On Thu, 29 Sep 2005, Richard P. Koett wrote: What is the accepted thing to do if one posts a question and gets no response after a few days? Should one... a) Politely ask again? b) Rephrase the question? c) Assume nobody wants to answer so stop asking? d) Assume you haven't done your homework, so RTFM. Lee RTFM is an appropriate rebuke when the answer is easy to find. For optimum effect, it demonstrates this ease by including a link to the overlooked information.
Etiquette re: unanswered questions
What is the accepted thing to do if one posts a question and gets no response after a few days? Should one... a) Politely ask again? b) Rephrase the question? c) Assume nobody wants to answer so stop asking?
Re: Etiquette re: unanswered questions
Ingo Schwarze wrote: Dear Mr. Koett, Ted Unangst wrote on Thu, Sep 29, 2005 at 10:00:01PM -0400: On Thu, 29 Sep 2005, Richard P. Koett wrote: [...] b) Rephrase the question? yes. ask again, include more information In this particular case, you might for example - try tcpdump -er instead of just -r This might tell you whether these are incoming or outgoing or loopback packets. - note which OS version you are running (current?) and include the output of tcpdump -V - tell the list on what kind of network segment the respective interface is and which kind of traffic you would expect on that network I'm sorry, I don't know what 33:0:0:0:0:0 3d:2:1:0:6e:65 might mean either; I cannot remember having seen such tcpdump output before... So in a way, I'm curious, too... Hope that helps all the same, Ingo Schwarze Okay, I ran 'tcpdump -evvr /var/log/pflog' and saw entries like: 09:37:39.020855 33:0:0:0:0:0 3d:2:1:0:6e:65 108: null I (s=0,r=0,C) len=90 09:49:27.402022 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 09:49:27.946815 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 09:49:28.479792 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 10:04:16.389863 33:0:0:0:0:0 3d:2:1:0:6e:65 972: null I (s=0,r=0,C) len=954 10:12:52.206911 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 10:12:52.747479 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 10:12:53.287096 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 10:15:46.908598 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 10:15:47.411027 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 10:15:47.844158 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 10:18:42.252439 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 10:18:42.957580 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 10:18:43.660591 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 10:19:37.303808 33:0:0:0:0:0 3d:2:1:0:6e:65 411: null I (s=0,r=0,C) len=393 10:29:43.254878 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 10:29:44.788968 33:0:0:0:0:0 3d:2:1:0:6e:65 112: null I (s=0,r=0,C) len=94 OS version is as follows: OpenBSD 3.7-current (GENERIC) #0: Sat Jun 4 18:58:52 PDT 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC tcpdump -V shows: tcpdump version 3.4.0 libpcap version 0.5 This machine has two interfaces - 'ne3' facing the Internet and 'rl0' facing a small (3 computer) internal network. I am *assuming* that the log entries pertain to the external interface but tcpdump is not showing some information (such as block in/out, interface name, pf.conf rule number) that it shows with other log entries. As far as I know things are working fine - I'm just curious to know more about what these events mean. As mentioned previously I haven't found much help via Google or archives. If there is anything else I can do to provide better information please let me know.
pf log entries
'tcpdump -r /var/log/pflog' shows a lot of entries like this: 14:31:38.279681 33:0:0:0:0:0 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=98 14:31:41.794668 33:0:0:0:0:0 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=98 14:31:42.464382 33:0:0:0:0:0 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=98 14:31:42.614922 33:0:0:0:0:0 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=98 15:06:10.377268 33:0:0:0:0:0 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=954 15:08:53.601656 33:0:0:0:0:0 3d:2:0:0:6e:65 null I (s=0,r=0,C) len=94 15:23:15.870547 33:0:0:0:0:0 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=86 15:36:11.213396 33:0:0:0:0:0 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=94 15:36:11.798560 33:0:0:0:0:0 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=94 15:36:12.405731 33:0:0:0:0:0 3d:2:1:0:6e:65 null I (s=0,r=0,C) len=94 I'm curious what these mean but Google and misc archives haven't shed much light for me. The MAC addresses (?) don't match anything I know of. Can anyone point me to a reference or explanation? TIA, RPK.
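The thread above never settles what those records are. The check a practitioner would make is to stop relying on tcpdump's decoder and read the pflog records themselves: every record in /var/log/pflog starts with a pfloghdr whose first byte is the header length, and the fields after it (address family, action, interface, rule number, direction) are what "block in on ne3 ... rule 3" normally comes from. Below is an added example (not from the thread) that walks a pcap-format pflog file with od(1) and dd(1) and prints those raw fields, so you can see whether a record actually carries a header of a size your tcpdump understands. The capture it reads is constructed inline (two records, a 48-byte and a 64-byte header) and the field offsets, link type 117 and the af/action/dir numeric values are stated as assumptions in the comments.

```sh
#!/bin/sh
# Added example, not from the thread: read pflog records straight from a
# pcap-format file with od(1)/dd(1) instead of trusting tcpdump's decoder.
# If a record's first byte (pfloghdr.length) is not a header size your
# tcpdump knows, whatever it prints for that record is not a decode of pf's
# header, so looking at the raw fields is the useful check.
# Assumptions: little-endian pcap (magic d4 c3 b2 a1), link type DLT_PFLOG
# (117), pfloghdr = length(1) af(1) action(1) reason(1) ifname[16]
# ruleset[16] rulenr(4) subrulenr(4), rule numbers in network byte order,
# dir at offset 44 for the 48-byte header and 60 for the 64- and 100-byte
# ones; af 2 = AF_INET, 24 = AF_INET6 (OpenBSD values); action 0 pass,
# 1 block; dir 1 in, 2 out. The sample capture below is constructed, not real.

u8()    { od -An -tu1 -j "$2" -N 1 "$1" | tr -d ' \t'; }                 # u8 FILE OFFSET
u32le() { _f=$1; _o=$2; set -- $(od -An -tu1 -j "$_o" -N 4 "$_f")        # pcap header fields
          echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) )); }
u32be() { _f=$1; _o=$2; set -- $(od -An -tu1 -j "$_o" -N 4 "$_f")        # pfloghdr rule numbers
          echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 )); }
ip4()   { _f=$1; _o=$2; set -- $(od -An -tu1 -j "$_o" -N 4 "$_f"); echo "$1.$2.$3.$4"; }
cstr()  { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'; }   # NUL-padded string

# pflog_dump FILE -> one summary line per record, built from the raw header bytes
pflog_dump() {
	f=$1
	[ "$(u32le "$f" 20)" -eq 117 ] || { echo "$f: link type is not DLT_PFLOG" >&2; return 1; }
	size=$(( $(wc -c < "$f") ))
	off=24                                    # first pcap record header
	while [ "$off" -lt "$size" ]; do
		incl=$(u32le "$f" $((off + 8)))       # captured bytes in this record
		rec=$((off + 16))                     # pfloghdr starts after the 16-byte record header
		hlen=$(u8 "$f" "$rec")
		case $(u8 "$f" $((rec + 1))) in 2) af=inet ;; 24) af=inet6 ;; *) af=other ;; esac
		case $(u8 "$f" $((rec + 2))) in 0) act=pass ;; 1) act=block ;; *) act=other ;; esac
		ifn=$(cstr "$f" $((rec + 4)) 16)
		rule=$(u32be "$f" $((rec + 36)))
		case $hlen in                         # where dir sits depends on the header version
			48)     d=$(u8 "$f" $((rec + 44))) ;;
			64|100) d=$(u8 "$f" $((rec + 60))) ;;
			*)      d=0 ;;                    # unknown header size: nothing in this record is trustworthy
		esac
		case $d in 1) dir=in ;; 2) dir=out ;; *) dir=unknown ;; esac
		addrs=""
		if [ "$af" = inet ] && [ "$d" -ne 0 ] && [ "$incl" -ge $((hlen + 20)) ]; then
			addrs=" src=$(ip4 "$f" $((rec + hlen + 12))) dst=$(ip4 "$f" $((rec + hlen + 16)))"
		fi
		echo "hdrlen=$hlen af=$af action=$act dir=$dir if=$ifn rule=$rule$addrs"
		off=$((rec + incl))
	done
}

# hex2bin "d4 c3 ..." -> raw bytes (portable: printf with octal escapes)
hex2bin() {
	for h in $1; do printf "\\$(printf '%03o' $((0x$h)))"; done
}

# Constructed sample capture: pcap header, then two pflog records with IPv4 payloads.
make_sample() {
	_t=$(mktemp "${TMPDIR:-/tmp}/pflogXXXXXX")
	{
		# pcap global header: magic, version 2.4, zone 0, sigfigs 0, snaplen 96, DLT 117
		hex2bin "d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 60 00 00 00 75 00 00 00"
		# record 1 (68 bytes): 48-byte pfloghdr, block in on ne3 by rule 5, IPv4 10.0.0.1 -> 10.0.0.2
		hex2bin "00 00 00 00 00 00 00 00 44 00 00 00 44 00 00 00"
		hex2bin "30 02 01 00 6e 65 33 00 00 00 00 00 00 00 00 00 00 00 00 00"
		hex2bin "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 ff ff ff ff 01 00 00 00"
		hex2bin "45 00 00 14 00 01 00 00 40 06 00 00 0a 00 00 01 0a 00 00 02"
		# record 2 (84 bytes): 64-byte pfloghdr (adds uid/pid/rule_uid/rule_pid), pass out on rl0 by rule 7
		hex2bin "00 00 00 00 00 00 00 00 54 00 00 00 54 00 00 00"
		hex2bin "40 02 00 00 72 6c 30 00 00 00 00 00 00 00 00 00 00 00 00 00"
		hex2bin "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 ff ff ff ff"
		hex2bin "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00"
		hex2bin "45 00 00 14 00 02 00 00 40 11 00 00 0a 00 00 02 0a 00 00 01"
	} > "$_t"
	echo "$_t"
}

sample=$(make_sample)
pflog_dump "$sample"        # run it on /var/log/pflog instead to inspect real records
rm -f "$sample"
```

Run against the real file with pflog_dump /var/log/pflog. A line whose hdrlen is not 48, 64 or 100 means the record does not start with a pf header this script (or a tcpdump built for one of those layouts) knows how to read, which is exactly the case where the interface, direction and rule number go missing from tcpdump's output.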
Re: Text editor
You guys are all sissies. Real men use cat(1).
Re: Eric Raymond about GPL and BSD
Alexey E. Suslikov wrote: the original article was in Portuguese... http://translate.google.com/translate?u=http%3A%2F%2Fwww.myfreebsd.com.br%2Fmodules.php%3Fname%3DNews%26file%3Darticle%26sid%3D1262&langpair=pt%7Cen&hl=en&safe=off&ie=UTF-8&oe=UTF-8&prev=%2Flanguage_tools And what language is that translation in?
Compile time on old i386
I'm running make build on a Pentium 100 with 64M and an old IDE drive. Any guesses as to how long this might take? And, out of curiosity, how fast can a fast i386 box do it?
Looking for info re: IPSec MTU
OpenBSD is working great instead of the Cisco router that our VPN peer recommended. Thanks again to the developers who make it all possible. I notice that we're receiving some fragmented packets, however. It's not a big deal but I'd like to see if things can be better optimized (and learn a bit in the process). I understand the basic concept of MTU but it's not something I usually have to tinker with. I'm hoping someone might care to answer a couple of questions for me: 1) Can anyone recommend some good reference materials on this subject? 2) Given that I only have control over the OpenBSD end of this VPN connection, (the other end being a Cisco 7200 VXR), is it even possible to eliminate fragmentation issues? Thanks for any advice, RPK.
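The fragmentation in the question above is the usual ESP tunnel-mode problem: a full-size inner packet plus the outer IP header, ESP header, IV, padding and ICV no longer fits the path MTU. The added example below (not from the poster, and not OpenBSD's own code) carries that arithmetic through for the common transforms and prints the pf max-mss clamp it implies. It assumes an IPv4 outer header with no options, ESP per RFC 4303 (8-byte SPI/sequence header, 2-byte pad-length/next-header trailer, payload padded to the cipher block size), an optional 8-byte UDP header for NAT-T, and the standard transform sizes given in the comments.

```sh
#!/bin/sh
# Added example, not from the post: ESP tunnel-mode overhead arithmetic, to
# pick a TCP MSS clamp that keeps encrypted packets under the path MTU.
# Assumptions: IPv4 outer header (20 bytes, no options); ESP per RFC 4303
# (8-byte SPI+sequence header, 2-byte pad-length/next-header trailer, the
# encrypted part padded to a whole number of cipher blocks); 8-byte UDP
# header when NAT-T is in use. Transform sizes used below: AES-CBC block 16,
# IV 16; 3DES-CBC block 8, IV 8; HMAC-SHA1-96 and HMAC-MD5-96 ICV 12.

# esp_inner_mtu PATHMTU BLOCKSIZE IVLEN ICVLEN NATT(0|1)
#   -> largest inner IP packet that still fits in PATHMTU after ESP encapsulation
esp_inner_mtu() {
	pmtu=$1 bs=$2 iv=$3 icv=$4 udp=$(( $5 * 8 ))
	room=$(( pmtu - 20 - udp - 8 - iv - icv ))   # bytes left for the encrypted part
	enc=$(( room - room % bs ))                  # round down to whole cipher blocks
	echo $(( enc - 2 ))                          # minus the pad-length + next-header trailer
}

# esp_tcp_mss PATHMTU BLOCKSIZE IVLEN ICVLEN NATT
#   -> MSS to advertise so a full TCP segment never needs fragmenting
esp_tcp_mss() {
	echo $(( $(esp_inner_mtu "$@") - 40 ))       # inner IPv4 header 20 + TCP header 20, no options
}

# pf_mss_rule IFACE MSS -> pf.conf line of the era; on pf 4.6 and later the
# equivalent is: match on IFACE scrub (max-mss MSS)
pf_mss_rule() {
	printf 'scrub on %s all max-mss %s\n' "$1" "$2"
}

for t in "aes128-cbc/hmac-sha1 16 16 12" "3des-cbc/hmac-sha1 8 8 12"; do
	set -- $t
	printf '%-22s inner MTU %s  MSS %s  (with NAT-T: MSS %s)\n' "$1" \
	    "$(esp_inner_mtu 1500 "$2" "$3" "$4" 0)" "$(esp_tcp_mss 1500 "$2" "$3" "$4" 0)" \
	    "$(esp_tcp_mss 1500 "$2" "$3" "$4" 1)"
done
pf_mss_rule ne3 "$(esp_tcp_mss 1500 16 16 12 0)"
```

For a 1500-byte path this gives an inner MTU of 1438 and an MSS of 1398 for AES-CBC with HMAC-SHA1-96, and 1406 for 3DES-CBC. On the second question in the post: clamping MSS on the OpenBSD side alone is enough for TCP, because both the SYN and the SYN/ACK cross that box and pf rewrites the option in each; it does nothing for UDP or other non-TCP traffic, whose fragmentation can only be avoided by the sender sizing its datagrams.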
pptpd and GRE support
In the past when using pptpd I used a kernel with GRE disabled because I read that was the thing to do. When installing pptp-1.6.0 on a new i386 system the other day (May 1st snapshot) I saw a note saying to enable GRE so I added this to sysctl.conf: net.inet.gre.allow=1 Everything was working fine for a few days. Then starting today I can no longer establish a connection and GRE-related errors are logged: pptpd[9651]: CTRL: Client X.X.X.X control connection started pptpd[9651]: CTRL: Starting call (launching pppd, opening GRE) ppp[31649]: Phase: Using interface: tun0 ppp[31649]: Phase: deflink: Created in closed state ppp[31649]: Phase: PPP Started (direct mode). ppp[31649]: Phase: bundle: Establish ppp[31649]: Phase: deflink: closed - opening ppp[31649]: Phase: deflink: Connected! ppp[31649]: Phase: deflink: opening - carrier ppp[31649]: Phase: deflink: carrier - lcp ppp[31649]: Phase: deflink: Disconnected! pptpd[9651]: GRE: read(fd=6,buffer=3c004ac0,len=8196) from PTY failed: status = 0 error = No error ppp[31649]: Phase: deflink: Connect time: 17 secs: 0 octets in, 295 octets out ppp[31649]: Phase: deflink: 0 packets in, 5 packets out ppp[31649]: Phase: total 17 bytes/sec, peak 23 bytes/sec on Sun May 8 13:32:39 2005 ppp[31649]: Phase: deflink: lcp - closed ppp[31649]: Phase: bundle: Dead ppp[31649]: Phase: PPP Terminated (normal). pptpd[9651]: CTRL: PTY read or GRE write failed (pty,gre)=(6,5) pptpd[9651]: CTRL: Client X.X.X.X control connection finished Now I'm not sure if I'm doing the right thing. Should I be using a kernel with GRE disabled? Or is this not even the issue here? Thanks for any advice.