Re: Can't get carp to fail over all interfaces with pfsync

2009-11-10 Thread Toni Mueller
Hi,

On Tue, 10.11.2009 at 19:53:40 +1100, Mikel Lindsaar raasd...@gmail.com wrote:
 To clarify, CARP is working in terms of redundancy, what does not seem to be
 working is the preempting of the primary firewall interfaces by the backup
 firewall should _one_ of the primary interfaces be taken off line.

Did you set the appropriate sysctl switch?

net.inet.carp.preempt=1


Kind regards,
--Toni++



IGNORE: Re: Can't get carp to fail over all interfaces with pfsync

2009-11-10 Thread Toni Mueller
On Tue, 10.11.2009 at 13:58:26 +0100, Toni Mueller openbsd-m...@oeko.net 
wrote:
 Did you set the appropriate sysctl switch?
 
 net.inet.carp.preempt=1

Note to self: Don't write emails when not fully awake.

-- 
Kind regards,
--Toni++



Re: http://www.theregister.co.uk/2009/11/03/linux_kernel_vulnerability

2009-11-08 Thread Toni Mueller
Hi,

On Fri, 06.11.2009 at 13:41:13 +0200, Lars Nooden lars.cura...@gmail.com 
wrote:
 Unless you aren't running shit-for-architecture x86 systems still.
 It is 2009 and there are sparc, mips, freescale and arm on the market.

now you only need to educate us about how such machines can be used
in an economic fashion.

Blaming people for not running PDA cpus for core routers or not
shelling out $40k for Niagara machines (supported by OpenBSD???) when
these are even outperformed by $4k PCs in almost all practical
scenarios, just doesn't cut it. Much less so if you take the rest of
the supply chain into account.

It's not like I was in love with x86/amd64, but it's *really*hard* to
go for something else.


Kind regards,
--Toni++



Re: Problems with 4.5 as a KVM guest

2009-10-30 Thread Toni Mueller
Thanks, John and Michiel,

On Thu, 29.10.2009 at 14:02:27 +0100, Michiel van Baak mich...@vanbaak.info 
wrote:
 On 12:18, Thu 29 Oct 09, Toni Mueller wrote:
  I'm running kvm 85+dfsg-4~bpo5 and see the following interesting
  behaviour with OpenBSD 4.6:
  
  * /bsd.rd runs just fine, using the ne(4) driver, but
  * /bsd (the uni-processor kernel) locks up hard during, or just
    after booting, showing ne3: timeout (or similar) messages
    white-on-blue in between.
  
  Any ideas about what specifically to ask the Linux folks, please?
 
 Set the nic to e1000 in KVM

but this was not successful, either. I got a bunch of:

em0: watchdog timeout -- resetting

and

No DHCPOFFERS received.

After having booted to completion (the login: prompt appears), the
machine. I've now run the VM with a VNC display, and on that, I can see
that the machine spews out a large number of

em0: watchdog timeout -- resetting

messages, and then locks up.


-- 
Kind regards,
--Toni++



Re: Anyway to force IP to be assigned only if MAC matches?

2009-10-29 Thread Toni Mueller
Hi,

On Wed, 28.10.2009 at 17:29:36 -0500, Andres Salazar ndrsslz...@gmail.com 
wrote:
 I have DHCP enabled on my LAN which assigns an IP according to the
 client's MAC address; however, if a user wanted to be malicious he could
 statically assign any IP to his NIC.

he then has root access to the box.

 Isn't there any way I can force my ARP tables to only allow IPs to be
 assigned if the MAC address matches?

Some switches offer this kind of functionality, but they're not exactly
cheap.


Kind regards,
--Toni++



Re: Problems with 4.5 as a KVM guest

2009-10-29 Thread Toni Mueller
Hi,

On Tue, 14.07.2009 at 11:27:13 -0600, Bob Beck b...@openbsd.org wrote:
 and/or ask the linux people to fix KVM to make it really a PC.

I'm running kvm 85+dfsg-4~bpo5 and see the following interesting
behaviour with OpenBSD 4.6:

* /bsd.rd runs just fine, using the ne(4) driver, but
* /bsd (the uni-processor kernel) locks up hard during, or just
  after booting, showing ne3: timeout (or similar) messages
  white-on-blue in between.

Any ideas about what specifically to ask the Linux folks, please?

-- 
Kind regards,
--Toni++



Re: Script to ping, traceroute a destination and record the time

2009-10-29 Thread Toni Mueller
Hi,

On Thu, 29.10.2009 at 16:26:49 +0200, Kasper Adel karim.a...@gmail.com wrote:
 I am trying to troubleshoot a problem that is totally random and the one
 idea that would help me is to have a bash script that will ping a few
 destinations every minute, then do a traceroute to these destinations,
 record the time and all that output in a file. Then the whole process would
 repeat every minute.

I don't know what exactly you are going to do with the traceroute,
which is both hard to implement, given your timing requirements, and
tedious to evaluate, but if you could be content with pings and packet
loss, I can recommend using Smokeping with aggressive settings, and/or
some other things to trigger a traceroute in case of a problem.


Kind regards,
--Toni++



Re: Questions for OpenBGPd Developers

2009-10-15 Thread Toni Mueller
Hi,

On Tue, 13.10.2009 at 16:41:35 +0200, Igor Sobrado igor.sobr...@gmail.com 
wrote:
 requirements come first, then you can choose the best tools to get
 that work done, not the reverse.  why is it so difficult to
 understand?

well... short story: Your definition of better may or may not meet my
definition of better, for a large number of reasons. Simple example:
I've long wanted to see ISDN support in OpenBSD, but it just has not
happened in a number of years (only stating the facts here). So, if I
need ISDN + something in one box, OpenBSD is immediately out of the
question, and no, external ISDN modems, if still available, don't cut
it.

See the point?


Kind regards,
--Toni++

PS: I'm aware of MirOS, but didn't have much luck last time I tried.



Re: Questions for OpenBGPd Developers

2009-10-15 Thread Toni Mueller
Hi,

On Tue, 13.10.2009 at 11:33:40 -0400, and...@msu.edu and...@msu.edu wrote:
 The problem with this is that the interface between the other OS and the
 OpenBSD based code needs to be correct and secure, else there will be
 bugs and people will complain that OpenBSD code isn't good, etc and in
 general, snipe.

I expect people who are looking to build a home-grown BGP router to
be smarter than that.

 I just don't see the need to move the bgp code to another system, myself.

Better hardware support could be an issue. Not everyone can, or wants
to, talk over Ethernet, esp. with a BGP router...


Kind regards,
--Toni++



Re: Forum engine

2009-10-12 Thread Toni Mueller
Hi,

On Sun, 11.10.2009 at 22:02:45 -0400, Sean Howard sil...@callysto.com wrote:
 A good usenet implementation is *closer* to a forum, which is what
 you want. But forums are a different (more dynamic) use case. With
 smaller entry barriers to large amounts of content.

all other things aside: If you're on a mailing list, and the list is
being shut down, you still get to keep your private mailing list
archive, whereas, when the forum operator changes his forum software,
or shuts down the forum, all past content is simply gone (or as good
as).

IOW, if you post to a forum, your content (what you submitted)
essentially becomes theirs, and you don't even get to keep the pieces.


Kind regards,
--Toni++



Re: Forum engine

2009-10-12 Thread Toni Mueller
On Mon, 12.10.2009 at 15:23:12 +0000, Matthew Szudzik mszud...@andrew.cmu.edu wrote:
 On Mon, Oct 12, 2009 at 04:42:44PM +0200, Toni Mueller wrote:
  archive, whereas, when the forum operator changes his forum software,
  or shuts down the forum, all past content is simply gone (or as good
  as).
 
 Not true.  Whenever I read an interesting forum post, I save the html
 file to my hard drive for future reference.

Yes and no... finding the interesting forum post needs to be done
quickly, before disaster strikes, and it's much more hassle to save the
web page in a way that can be read offline with ease and peace of mind
(web bugs, broken style sheets, JavaScript hell, IFRAMEs etc.pp.,
anyone?).  With a mailing list, all of this happens automatically,
and then there are still MARC and GMANE.


Kind regards,
--Toni++

PS: I also try to save all interesting posts to my local disks, to
be able to re-read these posts later, but it's still a PITA.



Feature request: pf + set-tos, Re: IPSEC ECN: no-go?

2009-10-05 Thread Toni Mueller
Hi,

On Thu, 01.10.2009 at 12:21:19 +0200, Toni Mueller openbsd-m...@oeko.net 
wrote:
 Searching around, I found that this question was already raised by
 Martin Hedenfalk well over a year ago 
 (http://marc.info/?l=openbsd-miscm=121127258816047w=2), but he got no
 answer.

I thought I'd try to solve the situation with 'pf', and cobbled
together these simplistic rules (valid according to my 4.5 man page,
invalid according to -current's man page as found on the web), both of
which were rejected by pfctl:


scrub in all tos 3 set-tos 0
pass in on $extif proto { tcp, udp } from any to any tos 3 set-tos 0


The reason for trying such rules is to selectively kill only this tos
value, to hopefully enable the packets flowing through IPSEC. I need to
preserve other values, therefore I can't simply scrub set-tos 0.


I could make use of a feature, preferably in a scrub or pass rule, that
would allow me to set or clear individual bits in the tos (or other)
field, like:

pass in on $extif proto { tcp, udp } from any to any tos 3 new-tos & ~0x3

(meaning: clear these bits only, '~' = 1's complement).


TIA!


-- 
Kind regards,
--Toni++



OpenBSD + Nehalem: Now or Later?

2009-10-02 Thread Toni Mueller
Hi,

I'm considering purchasing Supermicro servers with one or two Nehalem
CPUs and a 5520 chipset. Has anyone already tried these, and/or how
much breakage should I expect?

My reading of /plus.html suggests that it may be too early to jump onto
this train, but if some devs want a few weeks play with it, remotely,
that may be possible (please contact me off-list).

TIA!

-- 
Kind regards,
--Toni++



IPSEC ECN: no-go?

2009-10-01 Thread Toni Mueller
Hi,

I operate a VPN that has some road warriors who all get a default route
attached that points them into the local VPN gateway.
With names and IP numbers replaced, this looks like this:


# ipsecctl -s all
FLOWS:
flow esp in from 192.168.1.22 to 0.0.0.0/0 peer 1.1.1.1 srcid 5.5.5.5/32 dstid brokencli...@example.com type use
flow esp out from 0.0.0.0/0 to 192.168.1.22 peer 1.1.1.1 srcid 5.5.5.5/32 dstid brokencli...@example.com type require
flow esp in from 192.168.1.7 to 0.0.0.0/0 peer 2.2.2.2 srcid 5.5.5.5/32 dstid workingcli...@example.com type use
flow esp out from 0.0.0.0/0 to 192.168.1.7 peer 2.2.2.2 srcid 5.5.5.5/32 dstid workingcli...@example.com type require
...

SAD:
esp tunnel from 1.1.1.1 to 5.5.5.5 spi 0x394587da auth hmac-sha1 enc aes-256
esp tunnel from 5.5.5.5 to 1.1.1.1 spi 0x4792a016 auth hmac-sha1 enc aes-256
esp tunnel from 2.2.2.2 to 5.5.5.5 spi 0x69dc89bb auth hmac-sha1 enc aes-256
esp tunnel from 5.5.5.5 to 2.2.2.2 spi 0xb60d9775 auth hmac-sha1 enc aes-256
...


There are other users with numbers literally one off from
brokenclient@, but they all work without a hitch.

Using tcpdump, I can see the broken client's traffic on enc0, but it
does not leave the LAN interface. I made sure that no packet filters
interfere. The only difference that I can see is that the broken client
sends all his packets with TOS = 0x3, whereas the working client sends
his packets without any (non-default) TOS value.


Searching around, I found that this question was already raised by
Martin Hedenfalk well over a year ago 
(http://marc.info/?l=openbsd-miscm=121127258816047w=2), but he got no
answer.




Kind regards,
--Toni++



Re: spamd - nixspam list, September 30, 2009

2009-10-01 Thread Toni Mueller
Hi,

On Wed, 30.09.2009 at 09:12:16 -0600, Bob Beck b...@ualberta.ca wrote:
 Again? sheesh, it wasn't supposed to, we had talked to them.

yes, again. I get a 404 all the time.


Kind regards,
--Toni++



Re: spamd - nixspam list, September 30, 2009

2009-10-01 Thread Toni Mueller
On Thu, 01.10.2009 at 21:16:30 +1000, Rod Whitworth glis...@witworx.com wrote:
 Me too, but I learned my lesson first time around. Now I have a cronjob
 that runs a script which attempts to get the file. If that fails the
 existing local nixspam file is used.

I didn't check whether the stale file gets removed, but thought about
using a different source instead. If spamd(8) could use RBLs in
addition to static tables, that would ease the problem, too.

So far, I can only use nixspam in my SpamAssassin configuration, which
is a bit late.


Kind regards,
--Toni++



Re: Ports isn't working for me...

2009-10-01 Thread Toni Mueller
Hi Marc,

[ sorry for cross-posting from ports@ ]

On Thu, 01.10.2009 at 17:20:05 +0200, Marc Espie es...@nerim.net wrote:
 Why do you want to do that? What's wrong with php5-mbstring? (which is
 one of the packages compiled in extensions)

I didn't check whether it influences this extension, but please add

  --enable-zend-multibyte

to PHP's configuration options. Applications which want to deal with
UTF-8 need this, and this option is slated to become the default in
PHP6. I can't wait for PHP6, however, so...

If there are detrimental effects on other applications, I'm all ears.

Btw, I have working 5.2.10 packages with this change for amd64, if
anyone wants them (provided as-is).


-- 
Kind regards,
--Toni++



Re: IPSEC: Problem with default route

2009-09-19 Thread Toni Mueller
Hi,

On Fri, 18.09.2009 at 17:05:51 -0700, Lordsporkton lordspork...@gmail.com 
wrote:
 Could you send us some actual details? Interface configs, ipsec.conf,
 pf.conf, output of route show, maybe a little network diagram? Anything
 so that we actually know what is going on?

this is one instance of this problem, with some IP numbers mangled:


$ ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 44:4d:50:09:12:37
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.22.0.3 netmask 0xffff0000 broadcast 172.22.255.255
        inet6 fe80::464d:50ff:fe09:1237%rl0 prefixlen 64 scopeid 0x1
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 44:40:50:54:44:e5
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 1.2.3.10 netmask 0xfffffffc broadcast 1.2.3.11
        inet6 fe80::4640:50ff:fe54:44e5%rl1 prefixlen 64 scopeid 0x2
enc0: flags=41<UP,RUNNING> mtu 1536
        priority: 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33204
        priority: 0
        groups: pflog

$ netstat -rnf inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            1.2.3.9            UGS        8   989944     -     8 rl1
1.2.3.8/30         link#2             UC         1        0     -     4 rl1
1.2.3.9            00:1e:f7:dd:e3:7f  UHLc       1        0     -     4 rl1
127/8              127.0.0.1          UGRS       0        0 33204     8 lo0
127.0.0.1          127.0.0.1          UH         2     1236 33204     4 lo0
172.22/16          link#1             UC         4        0     -     4 rl0
172.22.0.1/32      link#1             UC         0        0     -     4 rl0
172.22.10.2        link#1             UHLc       0        2     -     4 rl0
172.22.20.1        00:0c:29:3a:70:b0  UHLc       0    39885     -     4 rl0
172.22.20.10       00:15:17:bc:67:e4  UHLc       0   105415     -     4 rl0
172.22.101.4       00:1a:e8:07:96:6b  UHLc       0      134     -     4 rl0
224/4              127.0.0.1          URS        0        0 33204     8 lo0

$ netstat -rnf encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
default            0     172.22/16          0     0      5.5.5.5/esp/use/in
172.22/16          0     default            0     0      5.5.5.5/esp/require/out

$ route -n get 172.22.10.2
   route to: 172.22.10.2
destination: 172.22.0.0
       mask: 255.255.0.0
  interface: rl0
 if address: 172.22.0.3
   priority: 4 (connected)
      flags: <UP,DONE,CLONING>
     use       mtu    expire
       0         0   -336647


$ ping -q -c 10 172.22.10.2
PING 172.22.10.2 (172.22.10.2): 56 data bytes
--- 172.22.10.2 ping statistics ---
10 packets transmitted, 0 packets received, 100.0% packet loss

# tcpdump -lni enc0 |grep -F icmp
tcpdump: listening on enc0, link-type ENC
15:02:32.466598 (authentic,confidential): SPI 0x5152c74d: 172.22.0.3 > 172.22.10.2: icmp: echo request (encap)
15:02:32.529019 (authentic,confidential): SPI 0x4c36c8fb: 172.22.0.3 > 172.22.10.2: icmp: echo request (encap)
15:02:33.467128 (authentic,confidential): SPI 0x5152c74d: 172.22.0.3 > 172.22.10.2: icmp: echo request (encap)
15:02:33.530162 (authentic,confidential): SPI 0x4c36c8fb: 172.22.0.3 > 172.22.10.2: icmp: echo request (encap)
15:02:34.477035 (authentic,confidential): SPI 0x5152c74d: 172.22.0.3 > 172.22.10.2: icmp: echo request (encap)


The pf rules are mostly saying that all traffic within the private
networks should be passed, and none of them should go out to the
Internet. The interface config files are also very much straightforward.
Example (rl0):

# cat /etc/hostname.rl0 
inet  172.22.0.3 255.255.0.0 172.22.255.255


What can be seen in the tcpdump output is that traffic goes out
to enc0, and thus out to the WAN side of things, when route get
indicated that quite the opposite should happen.



Kind regards,
--Toni++



Re: IPSEC: Problem with default route

2009-09-19 Thread Toni Mueller
Hi,

thank you for your answer!

On Sat, 19.09.2009 at 12:11:43 +0000, Stuart Henderson s...@spacehopper.org wrote:
 SADB entries are not normal routing table entries, they take priority.

This is what I suspected. But even given those IPSEC semantics (they
are documented where, please?), the 172.22/16 network lies on the LAN
and not on the WAN side of things. I also don't see how traffic from
different locations would be able to reach the LAN, if it weren't, and,
most confusingly, although I forgot to mention this in my earlier
posts, DHCP works. I can make the gateway a DHCP server, and it can
deal out leases to the LAN, but it cannot answer a ping, nor an NTP or
DNS packet. This leads to the idea that the operating system already
knows how to route packets correctly, and therefore, I suspected the
observed behaviour to be a bug.


Kind regards,
--Toni++



IPSEC: Problem with default route

2009-09-18 Thread Toni Mueller
Hi,

I tend to a network that locally looks like this:

East = 1.2.0.0/15 (central site)

West = 1.5.0.0/16 (satellite site)


West has a default route across the VPN to East.

All gateways are running OpenBSD 4.5-stable.


Connectivity between East and West is no problem. The problem is that
there is no connectivity between the gateway at West and other hosts at
West. After some debugging, I found out that the gateway at West
sends packets destined for hosts in the West network to East
instead, eventually getting a TTL exceeded from the gateway at East.

I'd like the more specific route, ie, the one out the LAN interface
which is directly attached to all of West, to prevail over the
default route, but it observably doesn't.

Any enlightenment on this issue is most welcome, despite my having
found a workaround!


Kind regards,
--Toni++



really strange console message?

2009-09-14 Thread Toni Mueller
Hi,

today, one of my servers (4.5-stable/i386) beeped to me, over an SSH
connection, and said this, via syslogd:

hostname /bsd:  1540?


The fact that the message went to a terminal suggests that this should
describe a pretty serious error condition. Google turned up nothing,
though...


Kind regards,
--Toni++



Re: shutting down

2009-09-12 Thread Toni Mueller
Hi,

On Fri, 11.09.2009 at 22:28:43 +0200, Maurice Janssen maur...@z74.net wrote:
 Will the master shut down normally, or will it stall while trying to
 umount the NFS share?  The slaves will shut down first, so when the
 master goes down, the NFS server won't be responding.

man mount_nfs

You can mount NFS shares soft. This means that it becomes less reliable
for you, but your clients won't hang if you shut down your NFS server
first.

Another option could be to somehow notify your NFS clients, so they
know that they need to unmount the NFS shares.


Kind regards,
--Toni++



Re: Very high interrupt load with rl(4)

2009-09-09 Thread Toni Mueller
Hi,

On Thu, 13.08.2009 at 19:24:15 +0000, Stuart Henderson s...@spacehopper.org wrote:
 - change the nic; almost anything else would be better

I'm seeing rl(4) on these small embedded style computers where one
can't plug in a regular nic. I don't know how to make vendors ship
better interfaces, but can't use very different boxen, either.


Kind regards,
--Toni++



OT: Rebranding, was: Re: Recommended Switches for Trunking?

2009-09-03 Thread Toni Mueller
Hi,

On Thu, 03.09.2009 at 10:06:26 -0700, J.C. Roberts list-...@designtools.org 
wrote:
 Getting people at HP to just admit to rebranding is impossible, but
 getting them to tell what's really inside the box is double impossible.

HP is a big enough company that I'd expect to be able to open the
chassis and see some chips (the fabric) with either Procurve or HP
written on the package, if it's not a re-branded something.


Kind regards,
--Toni++



Recommended Switches for Trunking?

2009-09-02 Thread Toni Mueller
Hi,

I'm looking into getting switches to be used in port-extender style,
and found a thread from last year recommending Cisco switches. I need
about 20-50 ports atm, and would like to avoid Cisco. My current
preference is using Procurve (2810 or 29xx). Do they work?

What do you recommend? Any gotchas?


TIA!


-- 
Kind regards,
--Toni++



Re: Recommended Switches for Trunking?

2009-09-02 Thread Toni Mueller
Hi,

thanks for all your answers!

-- 
Kind regards,
--Toni++



Fully Automatic (network-based) Installation of OpenBSD?

2009-08-27 Thread Toni Mueller
Hi,

I dimly remember seeing a short thread flowing by that mentions
someone's hacks to bsd.rd to arrive at an installation system that
works w/o human intervention, but can't seem to find it anymore.

Pointers are greatly appreciated!


-- 
Kind regards,
--Toni++



Re: Automated service/daemon management

2009-08-27 Thread Toni Mueller
Hi,

On Tue, 09.06.2009 at 15:52:55 -0400, Bryan Allen b...@mirrorshades.net wrote:
 My suggestion would be to move all your services to run under runit or
 daemontools. You can manage both with Puppet. I'm not familiar with runit,
 really, but I've used daemontools for years, quite happily, on several
 platforms, including OpenBSD.

imho, runit is almost a drop-in replacement for daemontools, only
better (eg. more powerful, and easier to handle).


Kind regards,
--Toni++



Re: Fully Automatic (network-based) Installation of OpenBSD?

2009-08-27 Thread Toni Mueller
Thank you both, Miod and Soeren - I think I was actually after the link
Soeren posted, but didn't think that it was that long ago already.

-- 
Kind regards,
--Toni++



art(4): how to debug card or line errors?

2009-08-05 Thread Toni Mueller
Hi,

I'm experiencing problems with an E1 line, and would very much like to
be sure that the other end is to blame, instead of me.

Unfortunately, I don't see how to get sufficiently detailed
information from the card to find out whether this is a line problem,
or a card's problem. The problem set in quite suddenly, causing the
failure rate to go from almost zero errors to a lot of errors the next
moment, and staying that way thereafter.

Running tcpdump on the interface yields this every few seconds:

12:41:47.429298 bad-ip-version 0

And I also see a lot of packets that I can't read at all:

12:41:40.829772 ID-000 8035: 
  0002 000e 841a  a8d2  0091
 2d75
12:41:43.084496 ID-000 8035: 
  0002  a8d3 000e 841a  26c2
 f059 fa7c


When I wanted to change the encapsulation while the line was running,
the machine panicked, and I had to press the reset button.

netstat -ain shows a lot of input errors, like 15 in 15 minutes, but I
don't know how to interpret this figure.


This is OpenBSD 4.4-stable/amd64.



-- 
Kind regards,
--Toni++



Re: [SOLVED, sort of] Re: 'ps auwx' and 'top': inconsistent display?

2009-08-05 Thread Toni Mueller
Hi,

On Sat, 01.08.2009 at 17:13:43 +0300, Jussi Peltola pe...@pelzi.net wrote:
 Why should fork touch user id's?

I was under the impression that only the effective userid should be
inherited by a forked process, not the real user id.

Also, the inconsistency in the display of the tools doesn't appear to
be reflected in the man pages.

 http://search.cpan.org/~tlbdk/Privileges-Drop-1.01/lib/Privileges/Drop.pm

Thanks for the hint. Not knowing about that, I so far assigned to both
uid and gid variables, and that seemed to do the trick.

-- 
Kind regards,
--Toni++



[SOLVED, sort of] Re: 'ps auwx' and 'top': inconsistent display?

2009-08-01 Thread Toni Mueller
Hi,

On Fri, 24.07.2009 at 15:09:23 +0200, Toni Mueller openbsd-m...@oeko.net 
wrote:
 I have a perl script that should work as follows:
 * check some parameters
 * drop privileges ( $> = ...; $) = ...;)

it turned out that 'top' displayed the real userid which I didn't
set, while 'ps' displayed the effective userid, which I set like above.

This prompts more questions:

Why is the real userid inherited when using 'fork' while being
switched to a different user?


-- 
Kind regards,
--Toni++



locale support, again

2009-08-01 Thread Toni Mueller
Hi,

I know that the subject of what to do in the absence of locale
support has been discussed quite often already.

I'd like to know what I need to do to supply full locale support to
applications that want to use them. My problem arises from those pesky
web applications which simply assume that such complete locale
support is present, and (try to) use it to format their output for the
user. Not having locale support means a lot of hacking, and/or
switching platforms, in every single case. Having it in the base
system, or maybe in an optional package like eg. 'miscXY.tgz', could
imho provide great relief for many users.

The theme has been recurring often enough to (imho) warrant making a
stab at it for 4.7, unless there are objections that I'm not aware of.


-- 
Kind regards,
--Toni++



Perl: strange mode on libs?

2009-07-30 Thread Toni Mueller
Hello,

I've just implemented the patch 007 for 4.5, and found out that the .a
libs are chmod 0600, while all other .a libs are chmod 0444. Although
the Makefiles evaluated to this (amongst others):


install -c -o root -g bin -m 600 libperl.a  /usr/lib
install -c -o root -g bin -m 600  libperl_pic.a /usr/lib

(taken from the typescript)


The files I actually find on the file system have mode 0444. This
confuses me quite a bit.

The machine in question runs OpenBSD 4.5-stable/i386, and I've just
installed it yesterday.



Kind regards,
--Toni++



Re: Multiple IPSec-tunnels and load balancing

2009-07-30 Thread Toni Mueller
Hi,

On Tue, 30.06.2009 at 11:15:21 +0200, u...@o3si.de u...@o3si.de wrote:
 I try to use an OpenBSD firewall with two ADSL links connected (dynamic
 addresses!) to the internet. Now I want to establish two IPSec tunnels over
 each link to a central VPN gateway (OpenBSD too).
 
 Is it possible to load balance / failover the traffic over IPSec? If so,
 should I use GIF for load balancing / routing?

failover is possible, and load balancing is said to be possible, but
I've not yet tried it.


Kind regards,
--Toni++



'ps auwx' and 'top': inconsistent display?

2009-07-24 Thread Toni Mueller
Hello,

I have a perl script that should work as follows:

* check some parameters
* drop privileges ( $> = ...; $) = ...;)
* fork some other programs

Now when I run this script and ps auwx thereafter, I see that the
programs I forked are running under the user id that I specified in the
script. When I run 'top' on the same machine, these programs appear to
be running as root.

What gives?

The system is an OpenBSD 4.5/amd64 machine.


-- 
Kind regards,
--Toni++
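A complete privilege drop for the kind of script described in this thread, written here as an added Python example rather than the poster's Perl script: it sets the real, effective and saved uid/gid together (the thread's script set only the effective ids, Perl's $> and $), which is why top showed the real uid root while ps showed the effective user) and only then forks. The user name, group name and command are assumptions, and it needs root to do anything real.

```python
"""Drop privileges completely, then fork: real, effective and saved ids.

Added example, not the thread's script. Setting only the effective uid
leaves the real uid at 0; the children inherit that, top(1) displays it,
and a child could switch its effective uid back to root. Assumes a POSIX
system with setresuid(2)/setresgid(2) (OpenBSD and Linux both have them).
"""
import os
import pwd
import grp
from typing import Optional, Sequence, Tuple

Ids = Tuple[int, int, int]   # (real, effective, saved), as getresuid() returns


def ids_fully_dropped(resuid: Ids, resgid: Ids, uid: int, gid: int) -> bool:
    """True only if real, effective AND saved ids all equal the target.

    A partial drop such as resuid == (0, 1540, 0) is exactly the state the
    thread ran into: ps shows the effective id, top shows the real one.
    """
    return all(u == uid for u in resuid) and all(g == gid for g in resgid)


def drop_privileges(user: str, group: Optional[str] = None) -> Tuple[int, int]:
    """Irreversibly switch to user (and group; default: the user's login group)."""
    pw = pwd.getpwnam(user)
    gid = grp.getgrnam(group).gr_gid if group else pw.pw_gid
    if pw.pw_uid == 0:
        raise ValueError("refusing to 'drop' privileges to uid 0")
    # Supplementary groups and gid first: once the uid is unprivileged,
    # these calls are no longer permitted.
    os.setgroups([gid])
    os.setresgid(gid, gid, gid)
    os.setresuid(pw.pw_uid, pw.pw_uid, pw.pw_uid)
    # Verify the post-condition instead of trusting the calls.
    if not ids_fully_dropped(os.getresuid(), os.getresgid(), pw.pw_uid, gid):
        raise RuntimeError("privilege drop incomplete")
    return pw.pw_uid, gid


def spawn_as(argv: Sequence[str], user: str, group: Optional[str] = None) -> int:
    """Fork, drop privileges in the child, exec argv; return the child's pid.

    The child inherits already-dropped real ids, so ps and top agree.
    """
    pid = os.fork()
    if pid == 0:
        try:
            drop_privileges(user, group)
            os.execvp(argv[0], list(argv))
        finally:
            os._exit(127)   # reached only if the drop or the exec failed
    return pid


if __name__ == "__main__":
    # Hypothetical usage (needs root): python3 drop.py nobody id -a
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "nobody"
    child = spawn_as(sys.argv[2:] or ["id"], target)
    _, status = os.waitpid(child, 0)
    print("child exit status:", os.WEXITSTATUS(status))
```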



Re: AMD64 with 4GB RAM

2009-07-14 Thread Toni Mueller
Hi,

On Mon, 22.06.2009 at 17:21:11 +0200, Claudio Jeker cje...@diehard.n-r-g.com 
wrote:
 Consider it unsafe. Without iommu (e.g. on Intel Boxes) many devices will
 be unable to talk to memory > 4GB, bad if that is where your data is. With
 the amd64 gart acting as iommu it is possible to use the memory but as
 nobody is using it for real now expect some bugs to be hit.

how can Joe Average User (eg. me) help to accelerate progress in this
area? I'm keen to get bigmem into production.

TIA!

-- 
Kind regards,
--Toni++



Re: re-writing RAIDframe parity asynchronously?

2009-07-13 Thread Toni Mueller
Hi,

On Wed, 17.06.2009 at 15:55:00 +0200, Raimo Niskanen 
raimo+open...@erix.ericsson.se wrote:
 On Wed, Jun 17, 2009 at 03:05:47PM +0200, Toni Mueller wrote:
  I'm not sure that I understand you correctly, and don't want to make a
  statement about the merit of having raidctl running in the background
  while already operating again, but what about having
  
  raidctl -P all &
  
  in /etc/rc?
 
 IIRC that works just fine if you are willing to take the
 risk of getting a broken raid in the event of a crash
 / power outage during the backgrounded parity re-write.

I'm not quite sure about the implications. After having a discussion
with a Linux guy, I think I need further insight about how RAIDFRAME
works. In this message
http://marc.info/?l=openbsd-miscm=118624313311571w=2 , Greg Oster
suggests that in a RAID1, one disk is always up-to-date, like in a
non-RAID system, and the other is being written to in the background.
If that were the case (confirmation or corrections are highly
appreciated!), then the risk is only as high as losing the master disk
while rebuilding parity. Otherwise, nothing would prevent the system
from running correctly, albeit much slower, while parity is being
rebuilt.

TIA!

-- 
Kind regards,
--Toni++



Re: prioritizing carp interfaces

2009-07-13 Thread Toni Mueller
Hi,

On Mon, 23.03.2009 at 17:22:55 +0100, Joerg Streckfuss streckf...@dfn-cert.de 
wrote:
 In my opinion preemption on both nodes has the effect that advskew is set
 to 240 on all interfaces and as a consequence there is no host which could
 advertise faster than the other host in the carp group.

that sounds plausible.

 Am I right in thinking that no failover should happen regardless of the number
 of failed carp interfaces?

I guess that you could end up with both nodes in MASTER or SLAVE state,
then, because it's clearly an undefined situation to have advskew at
the same value on several nodes unless you want load balancing using
the carpnodes option. In any case, my guess is that in this situation,
communication becomes quite lossy (both are MASTER), or stops
completely (both are BACKUP).

I don't know whether there's some magic (or protocol definition)
involved in setting the advskew value to 240, but otherwise, one could
expose this value through a sysctl and set individual values on the
various hosts.


-- 
Kind regards,
--Toni++



CARP: multiple host groups on one network?

2009-07-13 Thread Toni Mueller
Hello,

I've decided to make more use of CARP, but I'm not sure that I
understand how vhid and carpnodes are supposed to work. So far, my
reading of carp(4) and ifconfig(8) is as follows:

* If I have a number of aliases bound to a certain interface, I should
  move them all to individual carp interfaces, each with their own vhid
  value, and their own password.

* On all hosts which are supposed to share one of these IP numbers, I
  configure similar carp interfaces using that same vhid value.

* The numbering of the carp interfaces is only of local significance
  on a given machine, and has no effect on other machines on the
  same network.

* If I want load balancing, then I'm going to use the carpnodes
  option, but now with individual vhid numbers for the same IP
  number on all affected nodes. The failover is now implicit because
  the non-working hosts simply don't advertise their MAC.

* If I want several hosts forming a number of groups on the same LAN,
  I need to assign vhid values across all hosts, and passwords
  according to group membership.

  Example: DNS on hosts dns1 and dns2, and two web servers on hosts
  web1 and web2, totalling four machines in two groups.


-- 
Kind regards,
--Toni++
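The four-machine example above (dns1/dns2 and web1/web2), worked through as an added Python script that is not from the post: it assigns one vhid per shared address, a distinct advskew per host within a group (the point of the 'prioritizing carp interfaces' thread above, where equal advskew leaves the master undefined), numbers carpN per host with local significance only, and emits hostname.carpN lines in hostname.if(5) syntax. It covers failover groups, not the carpnodes load-balancing variant. The addresses (192.0.2.0/24), carpdev em0 and the password placeholders are constructed.

```python
"""Plan CARP failover groups for several hosts on one LAN.

Added example, not from the post. Output is one hostname.carpN line per
(host, shared address) pair, in hostname.if(5) syntax; pair it with
net.inet.carp.preempt=1 in sysctl.conf so a host that loses one carp
interface also gives up its others.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

NETMASK = "255.255.255.0"        # constructed LAN 192.0.2.0/24
BROADCAST = "192.0.2.255"
CARPDEV = "em0"                  # assumed physical interface on every host


@dataclass
class Group:
    """One shared address; hosts listed with their advskew (lower wins)."""
    name: str
    address: str
    password: str                # shared by the group, distinct per group
    hosts: List[Tuple[str, int]]


# Constructed example: web1 prefers .80 and web2 prefers .81, so each
# web host has two carp interfaces and both are master for one address.
EXAMPLE_GROUPS = [
    Group("dns", "192.0.2.53", "DNS-PASS-PLACEHOLDER", [("dns1", 0), ("dns2", 100)]),
    Group("web-a", "192.0.2.80", "WEB-PASS-PLACEHOLDER", [("web1", 0), ("web2", 100)]),
    Group("web-b", "192.0.2.81", "WEB-PASS-PLACEHOLDER", [("web2", 0), ("web1", 100)]),
]


def check(groups: List[Group]) -> List[str]:
    """Return the planning mistakes that the kernel will not catch for you."""
    errors = []
    if len(groups) > 255:
        errors.append("more than 255 groups: vhid is limited to 1..255")
    for g in groups:
        skews = [s for _, s in g.hosts]
        if len(set(skews)) != len(skews):
            errors.append(f"{g.name}: equal advskew on two hosts, master is undefined")
        for _, s in g.hosts:
            if not 0 <= s <= 254:
                errors.append(f"{g.name}: advskew {s} outside 0..254")
        names = [h for h, _ in g.hosts]
        if len(set(names)) != len(names):
            errors.append(f"{g.name}: a host is listed twice")
    return errors


def plan(groups: List[Group]) -> Dict[str, List[Tuple[str, str]]]:
    """Map host -> [(file name, hostname.if line)].

    vhid: one per shared address, unique on the LAN (position in groups).
    carpN: numbered per host in order of appearance, local significance only.
    """
    errors = check(groups)
    if errors:
        raise ValueError("; ".join(errors))
    configs: Dict[str, List[Tuple[str, str]]] = {}
    for vhid, g in enumerate(groups, start=1):
        for host, skew in g.hosts:
            files = configs.setdefault(host, [])
            line = (f"inet {g.address} {NETMASK} {BROADCAST} vhid {vhid} "
                    f"pass {g.password} carpdev {CARPDEV} advskew {skew}")
            files.append((f"hostname.carp{len(files)}", line))
    return configs


if __name__ == "__main__":
    for host, files in sorted(plan(EXAMPLE_GROUPS).items()):
        for name, line in files:
            print(f"{host}:/etc/{name}: {line}")
```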



Re: IPSEC problem after upgrading one side to 4.5

2009-06-17 Thread Toni Mueller
Hello,

On Fri, 12.06.2009 at 10:54:56 +0200, Toni Mueller openbsd-m...@oeko.net 
wrote:
 I have a VPN running which looks like a hub-and-spoke configuration.
 For the remainder of the discussion, the spokes are OpenBSD 4.4. Since
 I've upgraded the hub to 4.5, a connection to one of the spoke starts
 to fail. After running for well over a week, the connection was not
 automatically renegotiated. I first reset the spoke, but to no avail. I
 could see the connection going just up to INFO_PROT encrypted, and then
 the hub stopped responding to that spoke. Things only returned to
 normal after I said echo R > /var/run/isakmpd.fifo on the hub.

I've now determined that the error specifically prevents the 4.5 box to
answer incoming connection attempts from the 4.4 box, but has no
problems to establish the VPN when itself initiates the connection.
Simply reloading the configuration does not appear to help, but was
most likely an artifact in conjunction with timing effects. Today,
after experiencing the same problem, I had to completely restart
isakmpd on the 4.5 box to get things going again.

I'm very much interested in ways to debug such kind of a failure.


TIA!


-- 
Kind regards,
--Toni++



Re: re-writing RAIDframe parity asynchronously?

2009-06-17 Thread Toni Mueller
Hi,

On Wed, 17.06.2009 at 10:52:05 +0200, Stefan Unterweger ste...@rg-me.it wrote:
 I am considering patching rc(8) and commenting out the `raidctl
 -P all` line, and running it via cron(8) at @reboot, but this
 seems like a hack to me. So before I venture that way, I'd rather
 make sure I didn't overlook a switch or option or anything of the
 like that would make `raidctl -P` return immediately while
 continuing the rewriting in the background, so that rc would
 continue it's work.

I'm not sure that I understand you correctly, and don't want to make a
statement about the merit of having raidctl running in the background
while already operating again, but what about having

raidctl -P all &

in /etc/rc?

-- 
Kind regards,
--Toni++



Re: amd64 on Xeon X3220

2009-06-16 Thread Toni Mueller
Hi,

On Tue, 16.06.2009 at 11:20:35 +0100, Gaby Vanhegan g...@vanhegan.net wrote:
 I've been googling around for any information about OpenBSD on this  
 hardware. 

hmmm I can only tell you that it works on an X3230 (Supermicro,
though). The machine works for me since a few months now.

Getting a test machine that you can keep if it turns out to work is
always recommended, imho.

YMMV.

Kind regards,
--Toni++



Re: ipsec config with x509 certificates

2009-06-12 Thread Toni Mueller
Hi Eric,

On Fri, 13.03.2009 at 19:16:32 +0100, Eric Belhomme 
eric.belho...@eve-team.com wrote:
 - copying my host private key on /etc/isakmpd/private/local.key
 - copying my host public key on /etc/isakmpd/keynote/my FQDN/credentials

I was so far unable to get this keynote-credentials stuff working.
Therefore I set up X.509 authentication like this:

With the x509 cert consisting of the two parts cert.crt and cert.key, I
place the cert.key file in /etc/isakmpd/private and the cert.crt file
in /etc/isakmpd/certs. The cert has to be issued by a CA a cert of which
is present in /etc/isakmpd/ca, and the name of the files has to
correspond to the value of the SubjectAlternativeName section, which I
mention in my isakmpd.conf and isakmpd.policy files.

 The thing I can't figure is HOW the x509 certificates are handled,
 because I'm not sure I did the right things :

On OpenBSD, you can watch the negotiation using this command (assuming
that fxp0 is your Internet-facing NIC):

# tcpdump -s1500 -vvv -ni fxp0 host your_peer and \( port 500 or port 4500 or esp \)



Kind regards,
--Toni++



IPSEC problem after upgrading one side to 4.5

2009-06-12 Thread Toni Mueller
Hi,

I have a VPN running which looks like a hub-and-spoke configuration.
For the remainder of the discussion, the spokes are OpenBSD 4.4. Since
I've upgraded the hub to 4.5, a connection to one of the spoke starts
to fail. After running for well over a week, the connection was not
automatically renegotiated. I first reset the spoke, but to no avail. I
could see the connection going just up to INFO_PROT encrypted, and then
the hub stopped responding to that spoke. Things only returned to
normal after I said echo R > /var/run/isakmpd.fifo on the hub.

How do I debug this, please?


TIA!


Kind regards,
--Toni++



Re: arp table timeout / how to update automatically if foreign MAC changes?

2009-06-03 Thread Toni Mueller
Hi,

On Tue, 11.03.2008 at 15:59:24 +0100, smartTERRA NOC n...@smartterra.de wrote:
 I have found a workaround: heartbeat. Heartbeat uses (like carp on  
 OpenBSD) a virtual MAC address, so there is no problem with the arp  
 cache on the OpenBSD firewall.

how do I do this if the remote machines run OpenBSD, but can't run
CARP?

I tried to ping from the new machine to distribute the new MAC/IP
association, but to no avail. The OpenBSD gateway just ignored the
change and only learned the new address when I manually deleted the arp
entry.

TIA!


Kind regards,
--Toni++



Re: Where's demime?

2009-05-30 Thread Toni Mueller
Hi,

On Fri, 29.05.2009 at 09:29:39 +0200, ropers rop...@gmail.com wrote:
 I know that demime is being used on the misc mailing list.
 I even tried to see if it's contained in some other package:
 http://www.google.ie/search?q=demime+inurl%3Aopenbsd.org+inurl%3Acontents.html
 
 A Google search for openbsd and demime returns too many archived mails

a quick search for 'demime', ie, w/o 'openbsd', returns this near the
top of the list:

http://www.freshports.org/mail/demime/


Kind regards,
--Toni++




Re: multilink VPN

2009-05-29 Thread Toni Mueller
Hi,

On Wed, 27.05.2009 at 22:07:25 -0300, James Mackinnon jmackin...@devantec.com 
wrote:
 I need to setup redundant VPN's between these locations without the use of
 BGP.

 I have used sasync in the past, pfsync etc however, I have not tried to setup
 a VPN where 2 ISPs are used without the ISPs setup with BGP.  Because BGP
 convergence can take a bit of time, and the network in this case not being
 able to drop for 1 second, I need to determine what option is best.

I heavily doubt that you'll be able to keep the network up at all
times because even CARP failover will take longer than one second.

 I have spoke with a cisco guy today and they can do multilink VPN's on cisco
 for this,

Did he actually tell you how they make sure that there'll be no
downtime of even one second? Was the explanation technically sound?
How about error conditions in the Internet, between your sites? 



FWIW, I've configured semi-multilink VPN in the past (before the
CARP age), with this kind of setup:


LAN1 --- FW{1,2} --- Internet --- FW{3,4} --- LAN2

with

LAN1, FW1, FW2: my end

FW3, FW4, LAN2: other end (not accessible to me)



Manually switching between FW1 and FW2 usually took on the order of
8-15 seconds.


The other side switched between FW3 and FW4 at their leisure, w/o
telling anyone.

The idea to configure this with isakmpd.conf was to have both peers
configured on both of your firewalls, and then add as many IPSEC
connections so that you cover all connection pairs.

That way, you can access LAN2 from LAN1 regardless whether FW3 or FW4
is operational. In my setup, one of the tunnels simply vanished and the
other appeared, if the other side switched their firewalls.

Now, if you can detect your conditions under which you want to fail
over to the other firewall (eg. fiber cut), it should be easy to
cook up a script and fire it on such an event.


But you won't get away without any downtime, and if you find out how to
do this on the IP level, I'm interested to hear about it.

I strongly suspect that if you really want to force less than 1 seconds
of downtime even in the case of error, then you need to swap IP for a
real high-reliability type of connection like telcos use in their long
hauls (eg. SDH).

But if you can weed out duplicate packets, you might be able to create
some magic with bridging and move all packets over both links all the
time, dropping one half at the receiving end(s). But this is only a
shot in the dark - I don't know how to do this.

I'm curious about what kind of application you have that does not
tolerate 1 second of downtime?

If someone has an idea about how to configure this with ipsec.conf, I'm
eager to hear.


Kind regards,
--Toni++



strange performance problem (4.5)

2009-05-20 Thread Toni Mueller
Hi,

I've just upgraded a (server) machine to 4.5, and now experience a
strange performance problem. The problem itself manifests in about
95-100% CPU usage (0-1% idle), permanently, without being able to see
much in top.  This is distributed to about 8-25% system and the rest
almost exclusively user. The most CPU intensive process, as seen by
'top', consumes between some 0-5% CPU, the second most intensive
process consumes 0-1%, and the rest appears to use negligible amounts
of CPU.  Disk I/O, according to systat, is less than 50KB per second,
and network I/O is less than 10KB/s, aggregated (mostly under 1KB/s).
In other words, the machine should be 90-100% idle.

The machine had no such problems while running 4.4.

What gives?


Kind regards,
--Toni++


OpenBSD 4.5 (GENERIC.MP) #108: Sat Feb 28 14:58:58 MST 2009
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium III (GenuineIntel 686-class, 512KB L2 cache) 552 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 536424448 (511MB)
avail mem = 510390272 (486MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/19/99, BIOS32 rev. 0 @ 0xf06b0, SMBIOS 
rev. 2.3 @ 0xf1f70 (45 entries)
bios0: vendor Award Software, Inc. version ASUS P3B-F ACPI BIOS Revision 1004 
date 10/19/1999
bios0: ASUSTeK Computer INC. P3B-F
apm0 at bios0: Power Management spec V1.2 (BIOS management disabled)
apm0: APM power management enable: unrecognized device ID (9)
apm0: APM engage (device 1): power management disabled (1)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0xf12
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf0e70/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:04:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x4c00 0xd/0x1000
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xe400, size 0x400
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Matrox MGA G400/G450 AGP rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
piixpcib0 at pci0 dev 4 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 4 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TOSHIBA, CD-ROM XM-6602B, 1017 ATAPI 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 4 function 2 Intel 82371AB USB rev 0x01: irq 9
piixpm0 at pci0 dev 4 function 3 Intel 82371AB Power rev 0x02: SMI
iic0 at piixpm0
lm1 at iic0 addr 0x2d: AS99127F
gdt0 at pci0 dev 10 function 0 Vortex GDT7x18RN rev 0x00: irq 12 dpmem 
e100 2-bus 2 cache devices
gdt0: ver 11b, cache on, strategy 2, writeback on, blksz 32
gdt0: raw feat 1 cache feat 101
scsibus1 at gdt0: 35 targets
sd0 at scsibus1 targ 0 lun 0: ICP, Host drive #00,  SCSI2 0/direct fixed
sd0: 17500MB, 512 bytes/sec, 35841015 sec total
sd1 at scsibus1 targ 1 lun 0: ICP, Host drive #01,  SCSI2 0/direct fixed
sd1: 35236MB, 512 bytes/sec, 72163980 sec total
scsibus2 at gdt0: 16 targets, initiator 7
scsibus3 at gdt0: 16 targets, initiator 7
fxp0 at pci0 dev 13 function 0 Intel 8255x rev 0x08, i82559: irq 9, address 
00:90:27:8f:88:23
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
isa0 at piixpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 Intel UHCI root hub rev 1.00/1.00 addr 1
biomask ff65 netmask ff65 ttymask 
mtrr: Pentium Pro MTRR support
softraid0 at root
root on sd0a swap on sd0b dump on sd0b



UTF-8 on the file system?

2009-05-13 Thread Toni Mueller
Hi,

from a discussion around early November last year, I gather that
OpenBSD has not much UTF-8 support right now. I am a bit unsure about
whether having file names with UTF-8 characters is supported, though.
I don't need to type the characters, nor see or print them, but only
have a program like

fd = open(filename_with_utf8_characters);

succeed on a standard OpenBSD disk (FFS, if I'm not mistaken), using
open(2) and fopen(3).

I'm currently debugging a third-party application that happens to want
to use UTF-8 filenames, but doesn't seem to find them, and, FWIW, the
file names I get with ls are ISO-Latin-1 encoded, anyway.

It would be great if someone could make a definite statement about
this issue.


-- 
Kind regards,
--Toni++



Re: UTF-8 on the file system?

2009-05-13 Thread Toni Mueller
Hi Otto,

thanks for the quick answer.

On Wed, 13.05.2009 at 10:50:37 +0200, Otto Moerbeek o...@drijf.net wrote:
 On Wed, May 13, 2009 at 10:35:25AM +0200, Toni Mueller wrote:
  fd = open(filename_with_utf8_characters);
  
  succeed on a standard OpenBSD disk (FFS, if I'm not mistaken), using
  open(2) and fopen(3).
 
 OpenBSD does not restrict or interpret filenames in any way, apart
 from the obvious: / and NUL are not allowed in filenames.

I guess, but don't know, that NUL is not part of any UTF-8 character...

 So we accept funny chars in filenames, but do nothing special with them.

Ok, that sounds great for a start. It means that the user can do
whatever he likes, in terms of weird filenames.

  I'm currently debugging a third-party application that happens to want
  to use UTF-8 filenames, but doesn't seem to find them, and, FWIW, the
  file names I get with ls are ISO-Latin-1 encoded, anyway.
 I suppose what you are seeing depends on your terminal.

Erm... I did:

ls -al | od -c > ls-output.txt

and looked at that to determine what was on the file system, because
I've been bitten by weird encoding problems often enough already.
This way I determined that the special chars were indeed Latin1
encoded. Just saying 'ls -al' would only yield blanks in the offending
places, and otherwise only tends to garble my display.

 The kernel and base utilities encode nothing. Some utilities might
 protect funny chars being printed on a terminal (e.g. see ls -q).

Thanks for the hint.

 The kernel and libc do not do any encoding or decoding. What third
 part libs and applications do, who knows.

 ;)


Kind regards,
--Toni++



Re: UTF-8 on the file system?

2009-05-13 Thread Toni Mueller
Hi,

On Wed, 13.05.2009 at 12:12:31 +0200, Otto Moerbeek o...@drijf.net wrote:
 show me what filename you constructed (and how you did that) and the
 contents of ls-output.txt. I prefer hexdump -C, btw.

I can't send you a recipe for constructing these filenames because I
didn't do it, and I also don't have the recipe. It's even unclear that
these filenames were originally generated on the OpenBSD system where I
saw the problem - on the application level, that is. Might very well be
a bug in one of the associated applications if you say that OpenBSD
leaves filenames alone, or a mishandling of data on behalf of the user
who asked me to look into the problem. Unless there's a problem
handling UTF-8 in one of the applications, eg. the FTP server that I
use, the problem rests firmly in the realm of the user, who currently
investigates changing his application in this respect to make it more
robust, anyway. Nevertheless, I include that listing below, for your
information and further reference.  You can clearly see that the
filenames contain characters in Latin1.

Thank you for your effort!


Kind regards,
--Toni++


  74 6f 74 61 6c 20 32 37  36 0a 64 72 77 78 72 2d  |total 276.drwxr-|
0010  78 72 2d 78 20 20 32 20  32 30 33 34 20 20 32 30  |xr-x  2 2034  20|
0020  33 34 20 20 32 30 34 38  20 41 70 72 20 32 32 20  |34  2048 Apr 22 |
0030  31 34 3a 35 34 20 2e 0a  64 72 77 78 72 2d 78 72  |14:54 ..drwxr-xr|
0040  2d 78 20 20 33 20 32 30  33 34 20 20 32 30 33 34  |-x  3 2034  2034|
0050  20 20 20 35 31 32 20 41  70 72 20 32 32 20 31 34  |   512 Apr 22 14|
0060  3a 35 34 20 2e 2e 0a 2d  72 77 2d 72 2d 2d 72 2d  |:54 ...-rw-r--r-|
0070  2d 20 20 31 20 32 30 33  34 20 20 32 30 33 34 20  |-  1 2034  2034 |
0080  20 31 30 39 35 20 41 70  72 20 32 32 20 31 34 3a  | 1095 Apr 22 14:|
0090  35 34 20 41 75 73 74 72  61 6c 69 65 6e 2e 70 6e  |54 Australien.pn|
00a0  67 0a 2d 72 77 2d 72 2d  2d 72 2d 2d 20 20 31 20  |g.-rw-r--r--  1 |
00b0  32 30 33 34 20 20 32 30  33 34 20 20 20 35 34 37  |2034  2034   547|
00c0  20 41 70 72 20 32 32 20  31 34 3a 35 34 20 42 65  | Apr 22 14:54 Be|
00d0  6c 67 69 65 6e 2e 70 6e  67 0a 2d 72 77 2d 72 2d  |lgien.png.-rw-r-|
00e0  2d 72 2d 2d 20 20 31 20  32 30 33 34 20 20 32 30  |-r--  1 2034  20|
00f0  33 34 20 20 31 31 31 35  20 41 70 72 20 32 32 20  |34  1115 Apr 22 |
0100  31 34 3a 35 34 20 42 72  61 73 69 6c 69 65 6e 2e  |14:54 Brasilien.|
0110  70 6e 67 0a 2d 72 77 2d  72 2d 2d 72 2d 2d 20 20  |png.-rw-r--r--  |
0120  31 20 32 30 33 34 20 20  32 30 33 34 20 20 20 34  |1 2034  2034   4|
0130  32 37 20 41 70 72 20 32  32 20 31 34 3a 35 34 20  |27 Apr 22 14:54 |
0140  42 75 6c 67 61 72 69 65  6e 2e 70 6e 67 0a 2d 72  |Bulgarien.png.-r|
0150  77 2d 72 2d 2d 72 2d 2d  20 20 31 20 32 30 33 34  |w-r--r--  1 2034|
0160  20 20 32 30 33 34 20 20  20 36 30 34 20 41 70 72  |  2034   604 Apr|
0170  20 32 32 20 31 34 3a 35  34 20 43 48 49 4e 41 2e  | 22 14:54 CHINA.|
0180  70 6e 67 0a 2d 72 77 2d  72 2d 2d 72 2d 2d 20 20  |png.-rw-r--r--  |
0190  31 20 32 30 33 34 20 20  32 30 33 34 20 20 20 35  |1 2034  2034   5|
01a0  34 37 20 41 70 72 20 32  32 20 31 34 3a 35 34 20  |47 Apr 22 14:54 |
01b0  43 68 69 6c 65 2e 70 6e  67 0a 2d 72 77 2d 72 2d  |Chile.png.-rw-r-|
01c0  2d 72 2d 2d 20 20 31 20  32 30 33 34 20 20 32 30  |-r--  1 2034  20|
01d0  33 34 20 20 20 34 32 38  20 41 70 72 20 32 32 20  |34   428 Apr 22 |
01e0  31 34 3a 35 34 20 43 6f  73 74 61 20 52 69 63 61  |14:54 Costa Rica|
01f0  2e 70 6e 67 0a 2d 72 77  2d 72 2d 2d 72 2d 2d 20  |.png.-rw-r--r-- |
0200  20 31 20 32 30 33 34 20  20 32 30 33 34 20 20 20  | 1 2034  2034   |
0210  36 37 33 20 41 70 72 20  32 32 20 31 34 3a 35 34  |673 Apr 22 14:54|
0220  20 43 7a 65 63 68 20 52  65 70 75 62 6c 69 63 2e  | Czech Republic.|
0230  70 6e 67 0a 2d 72 77 2d  72 2d 2d 72 2d 2d 20 20  |png.-rw-r--r--  |
0240  31 20 32 30 33 34 20 20  32 30 33 34 20 20 20 35  |1 2034  2034   5|
0250  33 39 20 41 70 72 20 32  32 20 31 34 3a 35 34 20  |39 Apr 22 14:54 |
0260  44 6f 6d 69 6e 69 6b 61  6e 69 73 63 68 65 20 52  |Dominikanische R|
0270  65 70 75 62 6c 69 6b 2e  70 6e 67 0a 2d 72 77 2d  |epublik.png.-rw-|
0280  72 2d 2d 72 2d 2d 20 20  31 20 32 30 33 34 20 20  |r--r--  1 2034  |
0290  32 30 33 34 20 20 20 35  33 37 20 41 70 72 20 32  |2034   537 Apr 2|
02a0  32 20 31 34 3a 35 34 20  44 e4 6e 65 6d 61 72 6b  |2 14:54 DC$nemark|
02b0  2e 70 6e 67 0a 2d 72 77  2d 72 2d 2d 72 2d 2d 20  |.png.-rw-r--r-- |
02c0  20 31 20 32 30 33 34 20  20 32 30 33 34 20 20 20  | 1 2034  2034   |
02d0  37 37 30 20 41 70 72 20  32 32 20 31 34 3a 35 34  |770 Apr 22 14:54|
02e0  20 45 63 75 61 64 6f 72  2e 70 6e 67 0a 2d 72 77  | Ecuador.png.-rw|
02f0  2d 72 2d 2d 72 2d 2d 20  20 31 20 32 30 33 34 20  |-r--r--  1 2034 |
0300  20 32 30 33 34 20 20 20  35 38 38 20 41 70 72 20  | 2034   588 Apr 
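
An added example, not code from the thread, that does what the od/hexdump step above does but programmatically: it reads names back from a directory as raw bytes, the way the kernel stores them (OpenBSD only forbids '/' and NUL, as Otto says), classifies each name as ASCII, valid UTF-8 or 8-bit non-UTF-8 (labelled latin-1), checks the guess that NUL never occurs inside a UTF-8 character, and shows why an application looking for the UTF-8 spelling of Dänemark.png cannot find a file created under the Latin-1 spelling. The two file names are constructed from the hexdump above; the temporary directory and function names are this example's own.

```python
"""Find out how non-ASCII file names are really encoded on disk.

Added example, not from the thread.  It reads names back as raw bytes, the
way the kernel stores them (OpenBSD only forbids '/' and NUL), classifies
each name, and shows why an application that looks for the UTF-8 spelling
cannot find a file created under a Latin-1 name.
"""
import os
import tempfile


def classify_name(raw: bytes) -> str:
    """'ascii', 'utf-8' or 'latin-1' (8-bit bytes that are not valid UTF-8).

    Every byte string decodes as Latin-1, so that label is the best guess
    for non-UTF-8 data, not a proof of the original encoding.
    """
    if b"\x00" in raw or b"/" in raw:
        raise ValueError("NUL and '/' can never be part of a file name")
    if raw.isascii():
        return "ascii"
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return "latin-1"
    return "utf-8"


def utf8_nul_only_for_u0000() -> bool:
    """Check the guess in the thread: 0x00 appears in UTF-8 only for U+0000."""
    for cp in range(1, 0x110000):
        if 0xD800 <= cp <= 0xDFFF:   # surrogates are not encodable on their own
            continue
        if b"\x00" in chr(cp).encode("utf-8"):
            return False
    return True


def probe(directory: bytes, text: str):
    """Which spelling of text exists in directory: 'utf-8', 'latin-1' or None."""
    for enc in ("utf-8", "latin-1"):
        if os.path.exists(os.path.join(directory, text.encode(enc))):
            return enc
    return None


def demo():
    """Create two files under raw byte names (constructed from the hexdump in
    the thread: 'Australien.png' and 'D\\xe4nemark.png'), then inspect them."""
    names = [b"Australien.png", b"D\xe4nemark.png"]
    with tempfile.TemporaryDirectory() as tmp:
        base = os.fsencode(tmp)
        for raw in names:
            with open(os.path.join(base, raw), "wb"):
                pass
        # os.listdir on a bytes path returns the stored bytes untouched
        on_disk = {raw: classify_name(raw) for raw in sorted(os.listdir(base))}
        found_as = probe(base, "Dänemark.png")
    return on_disk, found_as


if __name__ == "__main__":
    print(demo())
    print("NUL only encodes U+0000:", utf8_nul_only_for_u0000())
```

The bytes-in, bytes-out path (os.fsencode, os.listdir on a bytes argument) is the part that matters: as soon as a layer decodes names into text with an assumed charset, a Latin-1 name either comes back garbled or, as in the thread, cannot be found under its UTF-8 spelling at all. Some file systems (APFS and NTFS, for instance) do normalise or reject names that are not valid UTF-8, so the Latin-1 file creation can fail there; FFS stores the bytes as given.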

Re: UTF-8 on the file system?

2009-05-13 Thread Toni Mueller
Hi,

On Wed, 13.05.2009 at 19:26:59 +0900, Jordi Beltran Creix 
jbcreix.m...@gmail.com wrote:
 print '?' or an octal escape sequence on nonprint chars. With a hacked
 libc and a utf-8 version of multibyte functions as well as a few fixes
 on apps solve most of these problems, gtk apps and scim will be happy
 with just being able to set the locale(2).

thanks for caring, but ATM I really don't need UTF-8 support in OpenBSD
and on level 7. My only problem is that a user creates files with the
wrong names, and then can't find them later. It's a (his) web app, so
no terminal/scim/...-stuff is required here - it's really only the
ability to handle UTF-8 filenames properly, and saying that OpenBSD
won't interfere with any file names which comply with the rules Otto
mentioned, imho amounts to saying that the problem is created somewhere
within the application area, starting with his required
infrastructure (eg, some apps from the ports tree), or even outside
(farther away) of that.

 However, advanced console applications will need the full character
 support and also support in the console driver for full glitch-less
 functionality. Your problem is likely 1 or 2.

Ummm...


Kind regards,
--Toni++



Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]

2009-05-13 Thread Toni Mueller
Hi,

On Thu, 30.04.2009 at 11:21:50 -0600, Bob Beck b...@openbsd.org wrote:
   The best place to get OpenBSD is from an official CD set, produced in
 a secured location

FWIW, I have what I think are official CDs, and they contain OS code
dated 2009-02-28 22:41 UTC. This means the official code was produced
two months before the release date.


-- 
Kind regards,
--Toni++



Re: Samsung HD License Issue

2009-05-04 Thread Toni Mueller
Hi,

On Mon, 04.05.2009 at 11:46:51 +0200, David Vasek va...@fido.cz wrote:
 It seems we are no longer buying hardware products, we are only buying  
 permissions to use them - almost everything contains some form of 
 firmware or microcode now. You never _own_ that code built-in in your 
 hardware, you are only a licensee, thus you are bound by the license to 
 use the firmware. Crazy, really crazy world! I hope that such licenses 
 are illegal, illegal in every country.

I also think that such a license should be illegal, the more so as it
didn't say on the outside of the box that this product has hidden
restrictions attached (however void they may be for other reasons).

I'm also not prepared to accept permission to use in lieu of
ownership.


Kind regards,
--Toni++



Re: Samsung HD License Issue

2009-05-04 Thread Toni Mueller
Hi,

On Mon, 04.05.2009 at 12:03:15 +0200, Jochem Kossen jkos...@xs4all.nl wrote:
 On Mon, May 04, 2009 at 11:46:51AM +0200, David Vasek wrote:
  Possibly, but you need to get the mentioned license _from Microsoft_, as  
  is written in the license: ...may require an additional license from  
  Microsoft.
 No, the response from EC explicitly mentions that if you don't use an
 operating system from Microsoft, you don't need a license from
 Microsoft.

that may well be, but it doesn't make the text mentioned any better.
This kind of wording imho borders extortion.


Kind regards,
--Toni++



Re: How do I enable bsd.mp kernel in 4.4/i386?

2009-05-04 Thread Toni Mueller
Hi,

On Sat, 02.05.2009 at 19:15:59 -0600, Theo de Raadt dera...@cvs.openbsd.org 
wrote:
   I am running the GENERIC OBSD 4.4/i386 'bsd' kernel and would like
   to set up the bsd.mp kernel instead.
  cd /
  mv bsd bsd.sp
  mv bsd.mp bsd
  
  reboot

what was wrong with:

# echo 'set image /bsd.mp' > /etc/boot.conf
# reboot


Kind regards,
--Toni++



Re: How do I enable bsd.mp kernel in 4.4/i386?

2009-05-04 Thread Toni Mueller
Hi,

On Sun, 03.05.2009 at 11:00:02 -0700, J.C. Roberts list-...@designtools.org 
wrote:
 I never said the boot.conf was not useful. I said the i386\amd64 hack

I don't see how 'set image ...' is a hack, nor how it would be specific
to i386 and amd64.

 The new installer (destined for 4.6) in snapshots *already* picks the
 right kernel (GENERIC or GENERIC.MP) for the system, and installs it
 as /bsd.

This makes it harder to move a set of already-installed disks to a
different machine, a facility which I value for fast recovery.

 On all archs, when you wish to boot to a different on-disk kernel you
 can do it either by copying/moving kernel file to /bsd, and/or
 specifying the kernel file at boot time `boot /mybsd.custom.hack`

I dislike moving kernels around, but editing boot.conf is ok.

 When you treat i386\amd64 differently with the boot.conf kernel
 designation feature, you are not only making things less portable, but
 worse, you're showing a bias towards what many consider to be a flawed
 system design.

Hmmm... Can you please point me to some reading about the upcoming
non-flawed system design?

 Now, let's say you are using the /etc/boot.conf hack to boot to bsd.mp,
 and you go to update your stable system running an MP kernel. You read
 the FAQ and follow the directions for installing a new kernel and
 rebooting before building the whole system.
 
 When you do `make install` in your ../compile/GENERIC.MP/ directory,
 the newly built kernel gets installed as /bsd
 
 You supposedly reboot to your new kernel... and guess what? --Due to
 your boot.conf hack you're still running your *old* /bsd.mp kernel
 rather than your newly built /bsd kernel.

This problem imho *only* arises as a consequence due to installing the
new kernel in the wrong place. Would it have been installed in /bsd.mp,
nothing would have gone wrong. You could even opt to overwrite /bsd.mp
in that case, too, to make sure that you are backwards-compatible.


Kind regards,
--Toni++



Re: How do I enable bsd.mp kernel in 4.4/i386?

2009-05-04 Thread Toni Mueller
Hi Otto,

On Mon, 04.05.2009 at 12:33:53 +0200, Otto Moerbeek o...@drijf.net wrote:
 Summary: changes in the OpenBSD 4.6 install script, plus: after
 building a new kernel 'make install' copies it to /bsd. In both cases
 you end up running an old kernel. 

I agree to be guilty of posting before reading the entire thread, but
after doing it, I still miss the reasoning behind this change (ie,
*why* you want to install bsd.mp as bsd), and thus create installed
disks individually and non-portably, as far as I can see from here.


Kind regards,
--Toni++



Re: Internet access over Bluetooth; a summary.

2009-04-30 Thread Toni Mueller
On Tue, 28.04.2009 at 07:12:34 +0200, Otto Moerbeek o...@drijf.net wrote:
 Caching only reduces load on the DNS system if the caches get used a
 lot. Lots of caches that are virtually unused increase the load. 
 
 Imagine every laptop owner would do this, and the resulting load of
 root and other authoritative nameservers.

That may all well be true, but currently, bypassing your ISP's DNS
cache looks like the best short-term workaround to getting manipulated
answers while lawmakers around the globe move towards erecting more and
more great firewalls as we speak.

Yes, I'm fully aware of the fact that technology can't provide a
solution to a social problem, but otoh, the already-deployed multicast
roots should already scale quite a bit more than 13 simple hosts could.
IOW, I'm not sure that the load argument still holds.

-- 
Kind regards,
--Toni++



Re: build fails on 4.5

2009-04-28 Thread Toni Mueller
Hi,

On Mon, 27.04.2009 at 16:19:39 -0400, Ted Unangst ted.unan...@gmail.com wrote:
 That's what I remembered from the last time it happened, but I just
 double checked.  It seems rsync only does this when -C cvs-exclude is
 passed.  The problem is that it ignores directories, not just files.

that sounds broken, indeed. FWIW, to avoid such side effects, I don't
use -C because it leads to the exclusion of .your-scm-here-style
directories as well, and use --include and --exclude instead. Clumsy,
but at least, I'm in control then.


Kind regards,
--Toni++



Re: build fails on 4.5

2009-04-27 Thread Toni Mueller
On Mon, 27.04.2009 at 14:14:07 -0400, Ted Unangst ted.unan...@gmail.com wrote:
 The mirror is broken because rsync, in its infinite wisdom, doesn't
 copy directories named *.so.  And since the mirror doesn't have that
 directory, you don't have it either.  Get it from somewhere else.

dtalk has given the right answer already, but you can easily verify
this for yourself:

$ mkdir -p a/some.so b
$ rsync -a a b
$ find a b
a
a/some.so
b
b/a
b/a/some.so
$ 


Kind regards,
--Toni++
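
An added example, not code from the thread, covering both rsync messages above: a Python model of the exclude matching that makes rsync -C skip a directory named some.so, next to the narrower --exclude list the earlier message recommends. The pattern list is the one rsync(1) documents for --cvs-exclude; the matching is a simplified model (a pattern without a slash is compared against the last path component of files and directories alike, a trailing slash makes a pattern directory-only, and an excluded directory prunes everything beneath it). The sample tree is constructed here, and when an rsync binary is installed the model is cross-checked against the real tool.

```python
"""Why rsync -C skips a directory named some.so: a model of its exclude rules.

Added example, not from the thread.  CVS_EXCLUDE is the list rsync(1) gives
for --cvs-exclude (check it against your rsync version); the matching below
is a simplified model of rsync's rules, cross-checked against a real rsync
when one is installed.
"""
import fnmatch
import os
import shutil
import subprocess
import tempfile

CVS_EXCLUDE = ("RCS", "SCCS", "CVS", "CVS.adm", "RCSLOG", "cvslog.*", "tags",
               "TAGS", ".make.state", ".nse_depinfo", "*~", "#*", ".#*", ",*",
               "_$*", "*$", "*.old", "*.bak", "*.BAK", "*.orig", "*.rej",
               ".del-*", "*.a", "*.olb", "*.o", "*.obj", "*.so", "*.exe",
               "*.Z", "*.elc", "*.ln", "core", ".svn/", ".git/", ".hg/", ".bzr/")
EXPLICIT = (".svn/", "CVS/")   # the narrower, explicit alternative from the thread


def excluded(name, is_dir, patterns):
    """Model: no slash -> matches files and dirs by last component;
    trailing slash -> directory-only."""
    for pat in patterns:
        if pat.endswith("/") and not is_dir:
            continue
        if fnmatch.fnmatchcase(name, pat.rstrip("/")):
            return True
    return False


def transfer_list(root, patterns=()):
    """Relative paths the model says rsync -a copies from root; dirs end in '/'."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        prefix = "" if rel == "." else rel + "/"
        kept = []
        for d in sorted(dirnames):
            if excluded(d, True, patterns):
                continue              # pruned: rsync never descends into it
            kept.append(d)
            out.append(prefix + d + "/")
        dirnames[:] = kept            # os.walk honours the pruned list
        for f in filenames:
            if not excluded(f, False, patterns):
                out.append(prefix + f)
    return sorted(out)


def build_sample_tree(root):
    """Constructed tree: a *.so directory holding source, an object file,
    a README and an .svn directory."""
    os.makedirs(os.path.join(root, "some.so"))
    os.makedirs(os.path.join(root, ".svn"))
    for rel in ("some.so/libfoo.c", "lib.o", "README", ".svn/entries"):
        with open(os.path.join(root, rel), "w") as f:
            f.write("x\n")


def real_rsync(src, args):
    """Run rsync -a with args and list what arrived; None when rsync is absent."""
    if shutil.which("rsync") is None:
        return None
    with tempfile.TemporaryDirectory() as dst:
        subprocess.run(["rsync", "-a", *args, src + "/", dst + "/"], check=True)
        return transfer_list(dst)


def compare():
    """Model vs. real rsync, for -C and for the explicit exclude list."""
    with tempfile.TemporaryDirectory() as src:
        build_sample_tree(src)
        model_c = transfer_list(src, CVS_EXCLUDE)
        model_explicit = transfer_list(src, EXPLICIT)
        real_c = real_rsync(src, ["-C"])
        real_explicit = real_rsync(src, [f"--exclude={p}" for p in EXPLICIT])
    return {"cvs_exclude": (model_c, real_c),
            "explicit": (model_explicit, real_explicit)}


if __name__ == "__main__":
    for label, (model, real) in compare().items():
        print(label, "model:", model, "rsync:", real)
```

With -C the whole some.so/ subtree and lib.o disappear, because "*.so" and "*.o" carry no trailing slash and therefore match directory names as well as file names; the explicit list only drops the .svn/ and CVS/ directories and leaves everything else alone, which is the "clumsy but in control" trade-off described above.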



Re: T1 card compatible with 4.4

2009-04-27 Thread Toni Mueller
On Fri, 24.04.2009 at 11:26:42 -0400, (private) HKS hks.priv...@gmail.com 
wrote:
 I'm looking for a T1 card compatible with 4.4.

;)

 There were a fair number of recommendations for Sangoma's a101 a few
 years ago, followed by threads describing major problems and Sangoma
 yanking support for OpenBSD. What alternatives work decently under
 OpenBSD?

A while back Accoom cards were very fine, and if you can get them, do
it.

I'm very much interested in getting two or three more, although they
should be available only used by now. Please send me your offers
off-list. Thank you!


Kind regards,
--Toni++



Re: Recipient Validation Design Opinions

2009-04-27 Thread Toni Mueller
Hi,

On Fri, 24.04.2009 at 08:47:00 -0400, Mario Vega mario.j.v...@gmail.com wrote:
 The two internal servers use several different domains and accept a  
 variety of different name formats.  In addition, some users have one or  
 more aliases.  Furthermore, only the primary address is published in  
 LDAP.  One server serves approximately 1k users and the other  
 approximately 20.

would it be possible to list all users in LDAP? Then you can easily
verify against that list.

 day, 115k of which are rejected as invalid.  Does anyone have experience  
 with scam-backscatter or are there other solutions we should be  
 investigating?

If you are able to weed out illegitimate recipients, this may go a long
way to reduce spam, or at least it did for us. Looking the email
address up in LDAP is *much* cheaper than doing a call-out to the
backend server(s). Greylisting helps us, too, but seems to cost mail
from broken servers (there are imho more than enough of these out
there).

 running Postfix, amavis, clamav and spamassassin.  Due to the nature of  
 the store and scan system, we've noticed a tendency for the system to  
 become swamped under heavy load and take several hours to clear out.  

Imho, the bulk of the load should be consumed by spamassassin which
could esp. lead to trashing if you can't restrict the parallelism of
spamassassin runs. FWIW, I think that Postfix should generally be
preferable to sendmail, and you also seem to have more Postfix
experience already.

 Furthermore, we're quarantining viruses and and obvious spam in the  
 neighborhood of 89k a day, which I would rather leave at the door.

This you can only do if you don't accept the email, then scan and/or
quarantine it. To do this, there are several possibilities, but I
suggest taking a look at this program: http://smtpd.develooper.com/ You
need to keep the connection with your clients open as long as you have
decided on the fate of any given message, then you can emit a 5xx code
at anytime, thus leaving part of the burden at the sender's side.

 The OpenBSD system would be running spamd, the base sendmail,  
 smtp-vilter, clamav and spamassassin.

Imho, both clamav and spamassassin are very heavyweight. If you can
devise heuristics to weed out messages early, using these before
feeding these two programs should reduce your load.


Kind regards,
--Toni++



Re: Problem with slow disk I/O

2009-04-23 Thread Toni Mueller
On Thu, 23.04.2009 at 19:40:34 +0200, Thomas Pfaff tpf...@tp76.info wrote:
 On Thu, 23 Apr 2009 17:25:57 +0200 Jan Stary h...@stare.cz wrote:
  On Apr 23 18:09:55, Thomas Pfaff wrote:
   First on Ubuntu:
   /dev/sda2 on / type ext3 (rw,relatime,errors=remount-ro)
   ~$ time (tar -zxf ports.tar.gz && sync)
   real  0m47.784s
   user  0m1.576s
   sys   0m5.024s

47.78 seconds wall clock time

   Then the same commands on OpenBSD:
   /dev/wd0k on /home type ffs (local, nodev, nosuid, softdep)
   $ time (tar -zxf ports.tar.gz && sync)
   1m2.62s real 0m1.15s user 0m7.15s system

~ 1 minute 2.5 seconds wall clock time

  So you have ~52 seconds on ext3 mounted  'realtime' (whatever that means),
  versus ~63 seconds on ffs mounted with 'softdep'.
  What was the problem again?
 
 That I cannot get the job done in less than a minute on OpenBSD
 while on Linux it takes only 18 seconds.

This is a misconception, imho. Your test above shows that the
performance difference is about 15 seconds, or roughly 25%. I can't see
the 18 seconds anywhere except in your first email about your perceived
performance for the task. It is imho useful to remember that Linux
caches disk access much more aggressively than OpenBSD. So, in reality,
you don't write that much faster to disk, but to RAM, and the OS
flushes the buffers at its own leisure, while you are working on
something else.

Which reminds me to ask what the state of having a UBC in OpenBSD is,
please?


-- 
Kind regards,
--Toni++



Re: Is there any particular reason to not have RAIDFrame on RAMDISK_CD

2009-04-20 Thread Toni Mueller
Hi,

On Mon, 20.04.2009 at 11:55:05 +0200, Henning Brauer lists-open...@bsws.de 
wrote:
 and in any case this is less about ramdisk size but more about
 raidframe which we're going to get rid off eventually (when marco ever
 gets softraid up to a usable level, read rebuild working)

please also wait for in-place conversion before ripping raidframe out,
so users can say something like raidctl upgrade raid0 or similar,
if at all possible.

Thank you!


Kind regards,
--Toni++



Re: spam from chrooted CMSes

2009-04-10 Thread Toni Mueller
Hi,

On Fri, 10.04.2009 at 09:42:21 +0800, Uwe Dippel udip...@uniten.edu.my wrote:
 I'm running postfix as MTA on a machine with several CMS, on a chrooted
 Apache.  Recently, there is a huge amount of spam being sent from there,
 alas. When I scan the postfix-logs, all those come from 'root', meaning
 they don't come through port 25. I run OpenBSD with mini-sendmail, and
 now I wonder how I could find out from which CMS they are sent. Is there
 any chance to find out from which CMS they are sent?

I don't know whether you have a chance to do so in the wake of your
recent spam wave, but you can prepare to recognize - and more easily
block - the offenders the next time by enforcing authenticated SMTP
submission for those applications, each with their own
username/password pair. You probably need to modify or reconfigure
those CMS installations, though.


Kind regards,
--Toni++
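Once each CMS submits with its own credentials, as suggested above, every
message in the Postfix log carries a sasl_username that points back at
the application that sent it. The script below is an added example (not
code from the list post or from Postfix): it counts authenticated
submissions per account over a few constructed postfix/smtpd log lines, so
an application that suddenly sends far more than its peers stands out. The
account names, queue IDs and timestamps are made up; on a real host feed it
the output of `grep sasl_username /var/log/maillog`.

```shell
#!/bin/sh
# Constructed Postfix log lines (not from the poster's system). Each CMS
# authenticates with its own SASL account, so the smtpd entries name it.
LOG='Apr 10 09:40:01 host postfix/smtpd[1234]: 1A2B3C: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=cms-blog
Apr 10 09:40:02 host postfix/smtpd[1234]: 1A2B3D: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=cms-shop
Apr 10 09:40:03 host postfix/smtpd[1234]: 1A2B3E: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=cms-blog
Apr 10 09:40:04 host postfix/qmgr[1200]: 1A2B3C: from=<www@host>, size=1234, nrcpt=50 (queue active)
Apr 10 09:40:05 host postfix/smtpd[1234]: 1A2B3F: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=cms-blog'

# submissions_by_account: count authenticated submissions per SASL account
# in the log text given as $1; prints "count account", busiest first.
# Lines without sasl_username (qmgr, cleanup, ...) are ignored.
submissions_by_account() {
    printf '%s\n' "$1" | awk '
        /sasl_username=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^sasl_username=/) {
                    sub("sasl_username=", "", $i)
                    n[$i]++
                }
        }
        END { for (a in n) print n[a], a }
    ' | sort -rn
}

# flag_over_threshold: print the accounts whose submission count in $1
# exceeds the number given as $2, one per line.
flag_over_threshold() {
    submissions_by_account "$1" | awk -v max="$2" '$1 > max { print $2 }'
}

# Stand-alone run: show the per-account table, then anything above 2 messages.
submissions_by_account "$LOG"
flag_over_threshold "$LOG" 2
```

The threshold is deliberately a parameter: a shop that mails order
confirmations legitimately sends more than a brochure site, so compare each
account against its own usual volume rather than one global number.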



Re: Anyone using munin?

2009-04-06 Thread Toni Mueller
Hi,

On Sat, 04.04.2009 at 12:15:35 +0200, Cezary Morga c...@therek.net wrote:
 I think munin comes with a bunch of plugins already. If not you can grab some 
 Linux package (like Debian's munin-node) and extract them from it. These are 
 simple scripts (shell, perl, python) so they might run on OpenBSD even 
 without any modifications.

I think that this is very optimistic, since a lot of Linux specific
facilities are being used. Eg. several scripts parse the output of
iptables, or read /proc...


Kind regards,
--Toni++



Re: [semi-OT] Can anyone recommend an OpenBSD-compatible colour laser printer?

2009-04-06 Thread Toni Mueller
Hi,

On Sun, 05.04.2009 at 15:24:09 -0400, System Administrator ad...@bitwise.net 
wrote:
 device with most of the processing happening on the host. If you stick 
 to real hardware printers that provide built-in Postscript (or at 
 least PCL) language and fonts, you will have no problems with OpenBSD. 

these will imho easily bust a small budget, but are also the only
viable choice if you intend to keep the device for some time.

 For the longest time I used to be a fan of HP, although I have also 
 always liked Lexmark.

I was also a fan of HP printers, especially after having bad experience
with a medium-sized Lexmark printer, due to massive mechanical problems
which looked like designed-to-break, and very pricey replacement
parts.


 learned from a reseller that HP's cartridges include a page counter and 
 stop operating at the prescribed number of pages regardless of actual 
 utilization, which is in stark contrast to Lexmark whose cartridges are 
 guaranteed for at least a certain number of pages and the company 
 will replace it free of charge if it runs out sooner but does not 
 prevent you using it past that many pages.

The page count mechanisms seem to be very common in many printers'
cartridges, esp. in the lower price range. Try to ask your dealer about
page counters in other printers' cartridges. I guess that you'll find
them in more than half the models across the board.


 On 5 Apr 2009 at 19:44, ropers wrote:
  I'm looking for a colour laser printer that's so cheap that I can

I don't know what exactly you want to do, but you might be interested
in reading some reports about the printing quality and operating cost,
too. Eg. a good ink jet printer should deliver better quality printouts
than a bad laser printer. If all you're doing is printing a few easy
charts from your spreadsheet, then this may be irrelevant to you.


Kind regards,
--Toni++



Re: VPN client-to-site over IPSec

2009-04-04 Thread Toni Mueller
Hi,

On Fri, 03.04.2009 at 18:26:45 -0300, Marcello Cruz marcello.c...@globo.com 
wrote:
 Do you mean a VPN where only a HOST will access an entire NETWORK? If so, 
 then the answer is YES.

I don't need anything specifically right now which would fit into
this thread, but asked questions to better understand what the original
poster wanted to achieve.

 For instance, I have some OpenBSD servers acting as VPN Server and they  
 allow me to connect from home to the networks behind those OpenBSD 
 servers.

Me too.

 PC -- Internet -- OpenBSD  LAN
 PC  IPSec Tunnel -- LAN

 I also have other situations where I need an entire LAN communicate with  
 other LAN, like:

 LAN -- OpenBSD/Other -- Internet --- OpenBSD -- LAN
 LAN --- IPSec Tunnel --- LAN

I just wanted to say that, network-wise, configuring the first
scenario, assuming that you mean transport mode, almost never makes
sense, or at least not to me, and that the second scenario should
be the default configuration, even if LAN and OpenBSD/Other might
collapse into only one computer.


Kind regards,
--Toni++



Re: Wim

2009-04-03 Thread Toni Mueller
Hi Kili,

On Thu, 02.04.2009 at 22:15:13 +0200, Matthias Kilian k...@outback.escape.de 
wrote:
 Wim *does* filter traffic from cvs.openbsd.org. At least on ports
 25 and 80:
 
 $ telnet  www.kd85.com 25
 Trying 62.116.6.182...
 
 [nothing]

 Silly. So silly.

I've seen many kinds of breakage, but right now, I can telnet to his
server to port 25 from here. If you can't, then I tend to agree that
port 25 is filtered.

I also think that such kind of filtering - for policy reasons - is a
stupid idea.

-- 
Kind regards,
--Toni++



Re: where to order now ?

2009-04-03 Thread Toni Mueller
Hi,

On Fri, 03.04.2009 at 00:56:16 +0200, Martin Schröder mar...@oneiros.de 
wrote:
 30 is 60% of 50. :-)
 
 I seriously doubt that other european resellers donate the 20 profit
 they make.

can we agree that you shouldn't make such blanket assumptions about
other people's books, please?

Btw, the mentioned international shipping cannot cover much more than
the stamp, and, only with some luck, the envelope in which the CD set
arrives.


Kind regards,
--Toni++



Re: VPN client-to-site over IPSec

2009-04-03 Thread Toni Mueller
Hi,

On Fri, 03.04.2009 at 12:43:33 -0300, João Salvatti salva...@gmail.com wrote:
 Is it possible to implement a client-to-site VPN over IPSec? I have
 searched on the web, but only found site-to-site models.

what exactly do you mean by client to site?

You can distinguish between transport mode, where you use the IP that
you actually use, as an endpoint, and tunnel mode, where you assign an
IP of your choosing for use inside the tunnel, and then use that IP for
all of your connections.

Usually, site-to-site is associated with tunnel mode, and I currently
see no reason, and much less any advantage, in using transport mode.


Kind regards,
--Toni++



Re: Wim

2009-04-02 Thread Toni Mueller
Hi,

On Thu, 02.04.2009 at 00:17:35 -0600, Theo de Raadt dera...@cvs.openbsd.org 
wrote:
 This guy some of you think is so honest.  He's filtering port 25
 from cvs.openbsd.org.

did you try sending from a different server thereafter?



I've seen a failure mode where a machine appears to be up, but slowly
stops accepting ever more tcp connections over time, until the system
comes to a grinding halt, the last things being unresponsiveness to
ping and finally console lockup, on several machines. They are all
different hardware, but are intel or AMD CPUs. I've seen this for a
long time (years), but have no way to reproduce it, and also no way to
catch debug info in the actual cases (eg. boot crash doesn't do
anything), and have therefore not reported it, since you don't want
incomplete bug reports. I was so far unable to detect a pattern. A
machine usually runs fine for months, then takes a few hours or up to
2-3 days, to get into that state. If it happens, I can usually only
press the reset button.

If I may have a wish granted, then please, pretty please, try to keep
USB, and especially USB keyboards, alive for as long as possible,
because otherwise, I can't do anything in most cases of such a lockup.

 For what reason would he do that?

I don't know, either, but since he's allegedly on the road, it might be
difficult for him to fix it soonish, if it is a problem like the one
described above.


Kind regards,
--Toni++



Re: OpenBSD mta with postfix

2009-04-01 Thread Toni Mueller
Hi,

[ I don't yet see how this is related to Postfix, or OpenBSD ]

On Sat, 28.03.2009 at 11:47:41 +0200, Lars Noodén larsnoo...@openoffice.org 
wrote:
 I run into it a lot.  My guess is that it's to distract from the IT
 team having selected software which doesn't work reliably.  So if they
 make enough extra problems, no one will take the time to get to the real
 cause: MS Exchange.

there are other instances of this as well, as other mail server
software packages tend to break, too. I've just encountered a
competing product simply eating emails it doesn't understand (closed
source, of course).


Kind regards,
--Toni++



Re: European orders

2009-04-01 Thread Toni Mueller
Hello,

On Wed, 01.04.2009 at 08:58:40 +0200, Artur Grabowski a...@blahonga.org wrote:
 Where do they come from? Suddenly there's this astroturfing campaign
 about... what? forcing Theo to do business with someone he has no
 intention of doing business with anymore?

this is a bit beside the issue, methinks. There are several issues
being discussed, and alluded to, here:

 1. Theo not wanting to do business with Wim anymore.
 2. The reason(s) given why Theo does not want to do business with
Wim anymore.
 3. Theo's handling of the case.
 4. Wim's handling of the case.
 5. People voicing opinions about the case.

 6. Fairness


[ Sidebar: ]
   While not strictly required by law, fairness in business is of
   utmost importance to me.


I'm going to discuss mainly the second issue.


If a business relationship breaks up for whatever reason, one mainly
has two options:

 * Declare the relationship terminated, and give no reason.

 XOR...

 * declare the relationship terminated, and give a lengthy explanation.


It is certainly Theo's prerogative to choose to do business with
whomever he wants to (ignoring any potential contract issues for the
moment), but if he gives a reason in the first place, the reason has to
be sound and verifiable, like with any other statement, too.

This is currently not the case.


I can only see two statements on the table which (at least) I can't
reconcile:

Theo's statement that Wim hasn't paid for a very long time, and Wim's
statement that he has paid in full, and in a timely manner (sometimes
in advance, too). Wim has published his version of this story on his
homepage, decorated with numbers, but I haven't seen anything
comparable from Theo, except for these messages on this mailing list.

Without having audited both sides' paperwork, there is no way to say
what actually happened, or should have happened, unless one declares
one set of arguments void. I have no reason to believe that Theo or Wim
have pulled their stories entirely out of thin air, and I also don't
believe in both persons' attempts to feed me their respective Fox News
style opinion and demand exclusive truth for it, too.

If I have missed something important, please point it out to me.


I'd like to note that I don't want to take sides, but I am very
interested in getting some sanity back into this discussion.

So, I'd say that everyone interested reads through Wim's statement and
then thinks about how much sense this all makes to him, or her. Leaving
out most if not all of the moral discussion about how to use, or not
use, the disputed money, and instead concentrate on contract and
accounting issues would imho help.

My current personal assessment is that this story is far from being as
black and white as it's being painted by the protagonists, and some of
the audience, too. And last but not least, please keep in mind that
believing something is the opposite of knowing something. I'd
rather know and not believe (because I have no way to know).


Kind regards,
--Toni++



Re: persistent bios infection paper and openbsd

2009-03-27 Thread Toni Mueller
Hi,

On Thu, 26.03.2009 at 12:21:31 -0600, Theo de Raadt dera...@cvs.openbsd.org 
wrote:
 I wrote: 
  I'd say that, at least for running machines, some precautionary
  measures should be possible to take to thwart hackers that try to rob
  your machine from under your fingertips.
 
  Eg. a driver that wipes sensitive kernel memory areas after forcefully
  halting most tasks and doing a basic flushing of disk buffers...
 
 That won't help.

I messed up a bit, sorry. I did not want to say that this would help
with the specific problem of someone attacking a flashable BIOS or by
other machines that can't be readily observed by the user. But what I
think such a program *will* help with, is the problem when you're
happily hacking away at your computer, and the doorbell rings
unexpectedly (or rather, the window shatters). Sort of an emergency
halt for the machine, specifically taking this nasty "RAM in liquid
nitrogen" problem into account.


Kind regards,
--Toni++



Re: European orders

2009-03-26 Thread Toni Mueller
Hi,

On Wed, 25.03.2009 at 17:37:54 +0200, Ross Cameron abal...@gmail.com wrote:
 On Wed, Mar 25, 2009 at 4:51 PM, frantisek holop min...@obiit.org wrote:
  Theo has made some serious allegations and i hope he has evidence
  to back it up.
 Theo may be many things,... but a liar I have never found him to be.

I don't have personal experience with Theo, only with Wim, so I'd say
that he's (also) not a liar. But Wim's story diverges from Theo's story
in a way which is probably beyond reconciliation.

All in all, this is a very sad event from my point of view.


Kind regards,
--Toni++



Re: persistent bios infection paper and openbsd

2009-03-26 Thread Toni Mueller
Hi,

On Wed, 25.03.2009 at 10:05:13 -0600, Theo de Raadt dera...@cvs.openbsd.org 
wrote:
 The operating systems are not vulnerable.
 
 The *machines* are.

this begs the question: Which machines are NOT vulnerable?

 There really is absolutely nothing we can do about it.

I'd say that, at least for running machines, some precautionary
measures should be possible to take to thwart hackers that try to rob
your machine from under your fingertips.

Eg. a driver that wipes sensitive kernel memory areas after forcefully
halting most tasks and doing a basic flushing of disk buffers...


Kind regards,
--Toni++



Re: intel 5400 chipset support, was: Re: raidframe and hotplugd on 4.4

2009-03-23 Thread Toni Mueller
Hi David,

On Mon, 23.03.2009 at 09:48:36 +0100, David Vasek va...@fido.cz wrote:
 On Sun, 22 Mar 2009, Toni Mueller wrote:
 isa0 at mainbus0
 com0 at isa0 port 0x3f8/0 irq4: ns8240, .. fifo

 Not that I would be able to help with this, just note that these two 
 lines are very different from the dmesg you posted previously. My guess 
 is you should prepare yourself for retyping the full dmesg.

yesterday, I typed from a blurry handset photo.  Anyway, I re-did the
experiment and managed to write down the exact error message. As far as
I can see, booting proceeds as normal to this point:

pciide0: channel 1 ignored (disabled)

Then, AHCI is detected and immediately followed by a crash:

ahci0 at pci0 dev 31 function 2 Intel 6321ESD AHCI rev 0x09: irq 11, AHCI 1.1
fatal protection fault in supervisor mode
trap type 4 mode 18b rip 802ba2f8 cs8 rflags 10202 cr2  0 cpi e rsp 
80b21b20

The operating system has halted.
...


While poking around in the BIOS, I also saw an option which suggested
that the machine can do something called EFI OS booting (or similar).
Should I enable this?


Kind regards,
--Toni++



intel 5400 chipset support, was: Re: raidframe and hotplugd on 4.4

2009-03-22 Thread Toni Mueller
Hi,

[ hijacking my own thread in order to avoid posting the dmesg twice... ]

I tried to enable AHCI mode on this computer with the intel 5400
chipset on board. This resulted in the kernel not finding the disks,
after they were registered fine with the BIOS. So I thought, I'd peek
at the disks using the CD, but running bsd.rd caused a hard crash which
required me to press the reset button. This is the error message that I
got (typed from a blurred image):

...
isa0 at mainbus0
com0 at isa0 port 0x3f8/0 irq4: ns8240, .. fifo
fatal integer divide fault in supervisor mode
trap type 8 code 0 rip 88291c53 cs 0 rflags 286 cr2  0 cpi e rsp 
 f8960725e0

The operating system has halted.
Please press any key to reboot.

rebooting...


At that point, the machine requires me to press the reset button. I
don't know if this has something to do with the fact that I'm using an
a USB keyboard or not (legacy support is enabled).


The machine runs fine when I have AHCI support switched off.



Kind regards,
--Toni++



Re: prioritizing carp interfaces

2009-03-21 Thread Toni Mueller
Hi,

On Fri, 20.03.2009 at 14:28:46 +0100, Joerg Streckfuss streckf...@dfn-cert.de 
wrote:
 How does CARP behave when on the master node two unimportant interfaces
 fail and on the backup node only the uplink interface fails? Does CARP
 fail over to the backup node and, as a consequence, will the whole network
 be disconnected from the internet?

my reading of carp(4) is that the behaviour depends on the setting of

net.inet.carp.preempt

If set to 1, then firewalls only fail over as a whole, while if set to
0, interfaces fail over individually. With interfaces failing over
individually, and with appropriate routing between your firewalls,
traffic should flow through the remaining interfaces.

Please note that having interfaces fail over individually makes playing
with pfsync and sasync *quite* interesting.
Please also note that you could have more than two firewalls running
CARP, so maybe the third (fourth, ...) firewall will keep you online.

I guess that the real solution is to have known-good hardware sitting on
the shelf that you can bring up in minutes, and yes, to live with some
downtime.


Kind regards,
--Toni++
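A small consistency check for the per-interface failover described in the
reply above, added here as an example (not code from the list post or from
OpenBSD): it parses `ifconfig carp` output and reports whether a host is
MASTER on every carp interface, BACKUP on every one, or split between the
two, which is the state a firewall can end up in when interfaces fail over
individually. The two embedded samples are constructed; the interface
names, vhids and addresses are made up. On a real firewall run
`carp_verdict "$(ifconfig carp)"` next to `sysctl net.inet.carp.preempt`.

```shell
#!/bin/sh
# Constructed samples of `ifconfig carp` output (not captured from a real
# host). SAMPLE_SPLIT shows a firewall that is MASTER on carp0 but BACKUP
# on carp1, i.e. it has failed over per interface rather than as a whole.
SAMPLE_SPLIT='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 0
        groups: carp
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255'

SAMPLE_CONSISTENT='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0'

# carp_states: print one "interface state" line per carp interface found
# in the ifconfig text given as $1. Interface header lines start at column
# 0 ("carp0: flags=..."); the state is on the indented "carp:" line.
carp_states() {
    printf '%s\n' "$1" | awk '
        /^[a-z]+[0-9]+:/ { ifn = $1; sub(":", "", ifn) }
        $1 == "carp:"    { print ifn, $2 }
    '
}

# carp_verdict: "consistent" when every carp interface is in the same
# state, "split" when the host is MASTER on some and BACKUP on others,
# "none" when the text contains no carp interface at all.
carp_verdict() {
    carp_states "$1" | awk '
        { seen[$2] = 1 }
        END {
            n = 0
            for (s in seen) n++
            v = (n == 0) ? "none" : (n > 1) ? "split" : "consistent"
            print v
        }
    '
}

# Stand-alone run over the constructed samples.
carp_states "$SAMPLE_SPLIT"
carp_verdict "$SAMPLE_SPLIT"
carp_verdict "$SAMPLE_CONSISTENT"
```

A "split" verdict is not an error by itself, but it is exactly the
situation in which pfsync state and the sasync SA replication mentioned
above get interesting, so it is worth alarming on from a cron job.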



Re: openbsd in virtualization

2009-03-19 Thread Toni Mueller
Hi,

On Wed, 18.03.2009 at 23:10:01 +0100, Marc Balmer m...@msys.ch wrote:
 Machines that are exposed to the internet run on real hardware,
 for security reasons.  I don't trust the underlying virtualization  
 software to be secure/stable/good.

I generally second that, but have a nagging doubt that one still needs
to plug the blue pill hole. Unfortunately, I don't see the how, but
only the need. If OpenBSD could do something to thwart such attacks,
and side-channel attacks like those created by Intel's management
platform (AMT), that would be great!


Kind regards,
--Toni++



Re: openbsd in virtualization

2009-03-19 Thread Toni Mueller
Hi,

On Thu, 19.03.2009 at 10:23:18 +0100, Julian Leyh jul...@vgai.de wrote:
 Pehr Söderman wrote:
 Let me put it this way: I don't mind creating 60 virtual instances to
 give each student in a course a server to mess around with. I can wipe
 them and reinstall them in a matter of minutes if a student messes up
 a server. I would love those servers to be OpenBSD.

 Installing 60 physical servers to give the students something to play
 with is not fun :(

 You could do it just as easily, using netboot. Wiping/reinstalling would  
 have to take place only on one server, probably not much more than  
 restoring the exported filesystems or boot images from a previous backup.

but it still increases the cost considerably: With virtualization, it
suffices to give a thin client to each student, or maybe even less if
not all 60 students are expected to work simultaneously. With physical
machines, this still creates much more hassle, and cost. Also, if one
of the students decides to work somewhere else (eg. at home), he could,
in theory, simply copy the VM to his computer and carry it away. I
highly doubt that someone wants to manage lending out physical
machines...


Kind regards,
--Toni++



Re: openbsd in virtualization

2009-03-18 Thread Toni Mueller
Hi,

On Wed, 18.03.2009 at 09:33:38 +, Stuart Henderson s...@spacehopper.org 
wrote:
 how does one increase efficiency and reduce IT costs by making things
 more complicated?

sorry, but this is the wrong question.

Using virtual machines makes some things more complicated, but it also
enables simplification of other things. Eg. I use some virtual machines
for things I need only occasionally where using physical machines would
just be a great waste, and I'm aware of other outfits who use virtual
machines to avoid having to tend to a zoo of underutilized servers, but
where putting everything into one server was impractical, too. Now they
have a few servers running this stuff as virtual machines, while at the
same time providing automatic failover in case one of the physical
carrier machines goes down. So, these guys now have better overall
utilization of (much) better hardware, plus increased reliability, plus
reduced cost because their hosts and the management suite on top of
that provides them with much better facilities and flexibility than
having said zoo of individual tin boxes could provide.


Kind regards,
--Toni++



Re: raidframe and hotplugd on 4.4

2009-03-17 Thread Toni Mueller
Hi,

On Tue, 17.03.2009 at 00:16:20 -0700, Philip Guenther guent...@gmail.com 
wrote:
 On Mon, Mar 16, 2009 at 4:46 AM, Toni Mueller openbsd-m...@oeko.net wrote:
  ... B hotplugd[7128]: waitpid: Error 10
  I didn't yet find out what that means.
 
 Hmm, 10 == ECHILD.

ok.

 After you see that, do the attach or detach scripts show in the output
 of ps xauww?  If so, what does it show for them?

I see no traces of these scripts in the 'ps' output, and also nothing
in the way of command line mangling of hotplugd, like eg. sendmail
does.

The scripts themselves run fine, though:

/etc/hotplug/attach:
#!/bin/sh

DEVCLASS=$1
DEVNAME=$2

case $DEVCLASS in
2)
        # disk devices: read the label name and log the attach event
        disklabel=`/sbin/disklabel $DEVNAME 2>&1 | \
                sed -n '/^label: /s/^label: //p'`
        logger -p kern.info "Disk ${DEVNAME} attached: $disklabel"
        ;;
esac


/etc/hotplug/detach:
#!/bin/sh

DEVCLASS=$1
DEVNAME=$2

case $DEVCLASS in
2)
        # disk devices: log the detach event
        logger -p kern.info "Disk ${DEVNAME} detached"
        ;;
esac




Kind regards,
--Toni++



Re: altq incoming vpn connections

2009-03-17 Thread Toni Mueller
Hi,

On Mon, 16.03.2009 at 16:31:12 +0200, Eugeni Akmuradov e.akmura...@gmail.com 
wrote:
 is out there any possibility to load queues from separate file and/or
 via anchors.

I don't know what you want to achieve, but look at

# pfctl -A -f some-queue-definitions-in-this-file

(man pfctl)


Kind regards,
--Toni++



raidframe and hotplugd on 4.4

2009-03-16 Thread Toni Mueller
Hi,

while trying to repair a 4.4 machine, I recently added two SATA disks
to the two SATA disks already there (dmesg below), which were only
detected after reboot, contrary to my expectations. The first thing to
note after reboot was that the formerly second disk (wd1) has now
become wd2, although the physical arrangement looks like this (1HE):

front view:

(left side) | disk1  disk2  disk3  disk4 | (right side)

In the process, I found out that there is hotplugd, but hotplugd didn't
find the disks before I rebooted the machine, either.

The next issue is that hotplugd logs this immediately after pushing out
a few initial "attach xxx" messages:

...  hotplugd[7128]: waitpid: Error 10

I didn't yet find out what that means.

Last but not least, when I wanted to configure a RAIDFRAME type raid on
the two new disks, it said:

  /bsd: Hosed component: /dev/wd3d

and:

  /bsd: raid1: Ignoring /dev/wd3d.


When I unconfigured the raid and tried again, literally using the same
commands from the shell's history, I got no such error message.

The kernel used is a custom kernel which is GENERIC.MP with RAIDFRAME
enabled.


Kind regards,
--Toni++
OpenBSD 4.4-stable (GENERIC.MPR) #0: Mon Dec 15 14:29:41 CET 2008
r...@localhost:/usr/src/sys/arch/amd64/compile/GENERIC.MPR
real mem = 3474718720 (3313MB)
avail mem = 3371180032 (3215MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xcff66000 (52 entries)
bios0: vendor Phoenix Technologies LTD version 1.2 date 11/04/2008
bios0: Supermicro X7DWU
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP _MAR TCPA APIC MCFG HPET BOOT SPCR ERST HEST BERT EINJ 
SLIC SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices P0P1(S5) BPD0(S5) BPD1(S5) P0P5(S5) P0P7(S5) P0P9(S5) 
PEX0(S5) USB1(S5) USB2(S5) USB3(S5) EUSB(S5) PCIB(S5) KBC0(S1) MSE0(S1) 
COM1(S5) COM2(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU L5420 @ 2.50GHz, 2500.38 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: apic clock running at 333MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU L5420 @ 2.50GHz, 2500.09 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu1: 6MB 64b/line 16-way L2 cache
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Xeon(R) CPU L5420 @ 2.50GHz, 2500.09 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu2: 6MB 64b/line 16-way L2 cache
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU L5420 @ 2.50GHz, 2500.09 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu3: 6MB 64b/line 16-way L2 cache
ioapic0 at mainbus0 apid 4 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0 apid 5 pa 0xfec89000, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 1 (P0P1)
acpiprt1 at acpi0: bus 2 (P0P3)
acpiprt2 at acpi0: bus 3 (BMF0)
acpiprt3 at acpi0: bus 4 (BPD0)
acpiprt4 at acpi0: bus -1 (BPD1)
acpiprt5 at acpi0: bus 6 (P0P5)
acpiprt6 at acpi0: bus 7 (P0P7)
acpiprt7 at acpi0: bus 8 (P0P9)
acpiprt8 at acpi0: bus 0 (PCI0)
acpiprt9 at acpi0: bus -1 (PEX0)
acpiprt10 at acpi0: bus 9 (PCIB)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpibtn0 at acpi0: PWRB
ipmi at mainbus0 not configured
cpu0: unknown i686 model 7, can't get bus clockcpu0: EST: unknown system bus 
clock
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 vendor Intel, unknown product 0x4003 rev 0x20
ppb0 at pci0 dev 1 function 0 Intel E4500 PCIE rev 0x20: apic 5 int 0 (irq 11)
pci1 at ppb0 bus 1
ppb1 at pci0 dev 3 function 0 Intel E4500 PCIE rev 0x20
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci3 at ppb2 bus 3
ppb3 at pci3 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci4 at ppb3 bus 4
ppb4 at pci2 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01
pci5 at ppb4 bus 5
ppb5 at pci0 dev 5 function 0 Intel E4500 PCIE rev 0x20: apic 5 int 4 (irq 11)
pci6 at ppb5 bus 6
em0 at pci6 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: apic 5 int 
4 (irq 11), address 00:15:17:95:07:62
em1 at pci6 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: apic 5 int 
12 (irq 11), address 00:15:17:95:07:63
ppb6 at pci0 dev 7 function 0 Intel E4500 PCIE rev 0x20: apic 5 int 6 (irq 11)
pci7 at ppb6 bus 7
ppb7 at pci0 dev 9 function 0 Intel E4500 PCIE rev 0x20: apic 5 int 8 (irq 11)
pci8 at ppb7 bus 8
Intel 

Re: IPSEC: certificate ignored

2009-03-09 Thread Toni Mueller
Hi,

thanks to Mitja and you for answering.

On Sat, 07.03.2009 at 19:28:09 +0100, Heinrich Rebehn 
reb...@ant.uni-bremen.de wrote:
 Am 06.03.2009 um 22:56 schrieb Toni Mueller:
 223644.842092 Plcy 30 keynote_cert_obtain: failed to open /etc/ 
 isakmpd/keynote//u...@road-warrior/credentials
 223644.842516 Default get_raw_key_from_file: monitor_fopen (/etc/ 
 isakmpd/pubkeys//ufqdn/u...@road-warrior, r) failed: Permission  
 denied

 ?? Permission denied? Could this be the problem?

No, it couldn't. These files don't exist.

I was able to find my own errors so far, so that now the correct
certificate gets used. This is what I have, and have had, for several
years now. The problem was a missing semicolon in isakmpd.policy.

I still get no policy errors while in state INFO encrypted, which
are imho hard to debug. If anyone has tips to share, I'd be very
grateful.

What I want to achieve (from my isakmpd.policy):

Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg == "aes" &&
            phase_1 == "main" &&
            phase1_group_desc == "5" &&
            esp_encapsulation == "tunnel" &&
            ah_present == "no" &&
            esp_auth_alg == "hmac-sha2-512" &&
            esp_key_length == "256" &&
            pfs == "yes" &&
            some-checks-on-the-remote-ids -> "true";

But I don't know if Linux supports them all. OpenBSD - OpenBSD worked
just fine...


Kind regards,
--Toni++



IPSEC: certificate ignored

2009-03-06 Thread Toni Mueller
Hi,

I'm trying to get a VPN connection to work which should actually be a
no-brainer (and I have quite similar things out there, for years):


 network 1
|
 Linux w/ isakmpd (u...@road-warrior)
|
|
 Internet
|
|
 OpenBSD w/ isakmpd (office-router)
|
 network 2


Authentication should be done with X.509 certificates. I have my small
CA that issues these certificates. On startup, OpenBSD reads all
required certificates from /etc/isakmpd/{certs,ca} plus its key from
/etc/isakmpd/private just fine (I double-checked using openssl and
grep), but when it comes to checking the client's incoming cert, it goes
like this:


223644.842092 Plcy 30 keynote_cert_obtain: failed to open 
/etc/isakmpd/keynote//u...@road-warrior/credentials
223644.842516 Default get_raw_key_from_file: monitor_fopen 
(/etc/isakmpd/pubkeys//ufqdn/u...@road-warrior, r) failed: Permission denied
223644.842707 Default rsa_sig_decode_hash: no public key found
223644.842903 Default dropped message from 1.2.3.4 port 500 due to notification 
type INVALID_ID_INFORMATION


In isakmpd.policy(5), I read:
 When X509-based authentication is performed in Main Mode, any X509
 certificates received from the remote IKE daemon are converted to very
 simple KeyNote credentials.  The conversion is straightforward: the issuer
 of the X509 certificate becomes the Authorizer of the KeyNote credential,
 the subject becomes the only Licensees entry, while the Conditions field
 simply asserts that the credential is only valid for IPsec policy use
 (see the app_domain action attribute below).


Please note that the Linux box can identify the OpenBSD box just fine,
too. It's only that the OpenBSD box (various 4.5 snapshots, actually,
the latest being 4.5 GENERIC.MP#63 i386 of Feb 10th) doesn't seem to do
this conversion of certificates to credentials anymore, or I'm making
some stupid mistake that I'm too blind to see.

Any help is much appreciated!


-- 
Kind regards,
--Toni++
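To make the two KeyNote pieces above concrete, the Conditions clause from the earlier isakmpd.policy and the certificate-to-credential conversion quoted from isakmpd.policy(5), here is an added illustration in Python. It is not code from the post and not isakmpd's own evaluator: it models only the subset of KeyNote the policy uses (string equality tests joined by `&&`, ending in a `-> "value"` compliance clause), applies it to constructed SA attribute sets, and renders a credential of the shape the man page describes from placeholder principal strings. Attribute names are those of isakmpd.policy(5); the SA attribute sets, the principal strings and the function names are assumptions made for the example.

```python
"""Model of how a KeyNote Conditions clause gates an IPsec SA in isakmpd.

Added illustration only; this is not isakmpd's evaluator.  It covers just the
subset of KeyNote used in the policy above (string equality tests joined by
&&, ending in a -> "value" compliance clause).  Attribute names are the ones
isakmpd.policy(5) exposes; the SA attribute sets and principal strings are
constructed for the example.
"""
import re

# one test of the form   attr == "value"
TEST_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*==\s*"([^"]*)"\s*$')
# the trailing   -> "value";   of a Conditions clause
RESULT_RE = re.compile(r'^\s*"([^"]*)"\s*;?\s*$')


def parse_conditions(text):
    """Return ([(attribute, expected), ...], compliance_value)."""
    body, arrow, tail = text.partition("->")
    if not arrow:
        raise ValueError('Conditions must end with -> "value";')
    m = RESULT_RE.match(tail)
    if not m:
        raise ValueError("malformed compliance value: %r" % tail.strip())
    tests = []
    for clause in body.split("&&"):
        t = TEST_RE.match(clause)
        if not t:
            raise ValueError("unsupported clause: %r" % clause.strip())
        tests.append((t.group(1), t.group(2)))
    return tests, m.group(1)


def evaluate(tests, compliance, sa_attrs):
    """Apply the tests to the attributes the daemon set for a proposed SA.

    KeyNote treats an attribute that was never set as the empty string, so a
    test on a missing attribute fails like any other mismatch.  Returns
    (compliance, None) on success, or ("false", attribute) naming the first
    test that failed; the daemon rejects the proposal in that case.
    """
    for attr, expected in tests:
        if sa_attrs.get(attr, "") != expected:
            return "false", attr
    return compliance, None


def credential_from_cert(issuer_principal, subject_principal):
    """Render a credential of the shape isakmpd.policy(5) describes for a
    peer certificate received in Main Mode: issuer -> Authorizer, subject ->
    the sole Licensees entry, Conditions limiting use to IPsec policy.
    Both principal strings are placeholders supplied by the caller."""
    return (
        'Authorizer: "%s"\n'
        'Licensees: "%s"\n'
        'Conditions: app_domain == "IPsec policy" -> "true";\n'
        % (issuer_principal, subject_principal)
    )


# The Conditions from the policy quoted above, minus the remote-ID checks.
POLICY_CONDITIONS = """
    app_domain == "IPsec policy" &&
    esp_present == "yes" &&
    esp_enc_alg == "aes" &&
    phase_1 == "main" &&
    phase1_group_desc == "5" &&
    esp_encapsulation == "tunnel" &&
    ah_present == "no" &&
    esp_auth_alg == "hmac-sha2-512" &&
    esp_key_length == "256" &&
    pfs == "yes" -> "true";
"""

# Constructed SA attribute sets (what the daemon would derive from a proposal).
GOOD_SA = {
    "app_domain": "IPsec policy", "esp_present": "yes", "esp_enc_alg": "aes",
    "phase_1": "main", "phase1_group_desc": "5", "esp_encapsulation": "tunnel",
    "ah_present": "no", "esp_auth_alg": "hmac-sha2-512",
    "esp_key_length": "256", "pfs": "yes",
}
WEAK_SA = dict(GOOD_SA, esp_key_length="128")   # shorter AES key than required
AH_SA = dict(GOOD_SA, ah_present="yes")         # proposal also carries AH


def check(conditions_text, sa_attrs):
    """Parse and evaluate in one step; returns (compliance, failed_attr)."""
    tests, compliance = parse_conditions(conditions_text)
    return evaluate(tests, compliance, sa_attrs)


if __name__ == "__main__":
    for label, sa in (("good", GOOD_SA), ("weak", WEAK_SA), ("ah", AH_SA)):
        print(label, check(POLICY_CONDITIONS, sa))
    cred = credential_from_cert("ISSUER-KEY-PLACEHOLDER", "SUBJECT-KEY-PLACEHOLDER")
    print(cred)
    print(check(cred.split("Conditions:", 1)[1], {"app_domain": "IPsec policy"}))
```

The point to take from it is the failure mode: a proposal that differs in any one attribute, or arrives before the daemon has set an attribute at all, evaluates to "false" without any policy error being logged by this model, which is why a silent mismatch in one of the ten tests looks exactly like the "no policy errors, but no SA" situation described above.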



Re: NAT, Firewall pf

2009-02-24 Thread Toni Mueller
Hi,

On Mon, 23.02.2009 at 17:58:20 -0800, Hilco Wijbenga hilco.wijbe...@gmail.com 
wrote:
 c. How can I get pflog to flush immediately? I noticed I have to wait
 a minute or so before logged lines show up.

you don't need to. Listen on pflog0 instead.


Kind regards,
--Toni++



STM-1 connectivity (OT?)

2009-02-20 Thread Toni Mueller
Hi,

I'm looking into ways to handle STM-1 connections. I dimly remember
that there were Marconi cards, that were supported, but can't find them
anymore. What would be the recommended method these days to terminate
STM-1 circuits, possibly on an OpenBSD based router, please?

What alternatives do you suggest?


TIA!


Kind regards,
--Toni++



Re: request for package: Distributed Checksum Clearinghouses (DCC)

2009-02-20 Thread Toni Mueller
Hi,

On Thu, 19.02.2009 at 20:55:09 -0500, Juan Miscaro jmisc...@gmail.com wrote:
 Are there any plans to package DCC for anti-spam gateways?  Thanks.

once upon a time I converted the Debian package for pyzor to OpenBSD,
which is tedious, but otherwise rather straightforward. It never
hit the ports tree, though. If there is demand, I can probably put it
online (again).


Kind regards,
--Toni++



Re: OpenBSD AMD64 4.4 install hangs at boot (softraid0 at root) on Intel Q9550, 8GB RAM, 1TB WD

2009-02-20 Thread Toni Mueller
Hi,

On Fri, 20.02.2009 at 00:24:28 -0500, David Heinrich dh0...@gmail.com wrote:
 sd0 - sd3 are because of my CF card reader. However, I don't want to
 install the latest beta-version of OpenBSD;

those of us who have hardware that is not, or not well, supported by the
release version of OpenBSD, get to check out the latest and greatest in
OpenBSD to see if it works better. It's also part of what we usually
can, and generally should, contribute back to the project, imho.

The alternative is to try to work around the problem somehow, e.g. by
reconfiguring the hardware (e.g. less memory, different nics, whatever).

I suggest that you go with the 'beta'.


Kind regards,
--Toni++



Re: STM-1 connectivity (OT?)

2009-02-20 Thread Toni Mueller
Hi,

On Fri, 20.02.2009 at 11:49:19 -0600, tico tico-o...@raapid.net wrote:
 Toni Mueller wrote:
 I'm looking into ways to handle STM-1 connections. I dimly remember
 that there were Marconi cards, that were supported, but can't find them
 anymore. What would be the recommended method these days to terminate
 STM-1 circuits, possibly on an OpenBSD based router, please?
   
 I don't ever remember hearing about an (OpenBSD-supported) PCI card that
 would handle an STM-1 -- there are a couple that will handle T1/E1, but
 I believe that the biggest TDM circuit that OpenBSD can terminate
 directly is perhaps a DS3, via a lmc(4) card, though I have yet to
 find/use one myself.

in hindsight, I may have confused support in FreeBSD with support in
OpenBSD for an STM-1 ATM card, a few years ago. Sorry.

 You can find a number of vendors that supply DS3-to-100BaseT or  
 STM1-to-GigE media converter,

STM-1-offerings seem to be much less frequent than DS3-offerings.

 but you have to run them in pairs on both ends of your
 point-to-point circuit of course.

For DS3, that would be true, but I've been told that this would not be
true for STM-1 circuits.

 If you're getting a  transit from an upstream provider you're screwed
 unless the provider  will deliver ethernet to you (which is
 increasingly the case, since TDM  circuits are super expensive per
 megabit compared to [metro-] ethernet).

Perceived cost is one of the reasons why I'm looking into operating an
STM-1 circuit instead of a Fast-Ethernet Circuit. But I don't have hard
numbers yet.

 If you go with the media converter on both ends option, be sure to  
 find one that drops the link on the ethernet side when the STM1 side  
 goes down, and vice versa, so your routing protocols can take  
 appropriate action and not continue to blackhole traffic during outages.

Right. That's another issue with the Ethernet I currently have: It does
_not_ drop link when the fibre goes down. There is even no ETA as to
when this will be fixed - the carrier only talked about "wait for a fix
from vendor, but don't know when it will be available".

 Imagestream (proprietary+linux based) works for a good+cheap solution  
 that can talk iBGP to your other ethernet-only routers. Or just get a  
 used Juniper/Crisco/whatever. See also Sangoma's Wanpipe offerings  
 (FreeBSD/linux).

Thanks for your advice, but I want a solution centered around
OpenBSD. I've been burned by vendor lock-in often enough to try hard to
avoid doing it again. FWIW, I've talked to Imagestream a few years ago,
and was really not impressed with their offering, in several respects.


Kind regards,
--Toni++



Re: Backup strategies

2009-02-01 Thread Toni Mueller
Hi,

On Sat, 31.01.2009 at 14:04:32 +, Dieter open...@sopwith.solgatos.com 
wrote:
 ISO files have a 2 GB filesize limit, so large files don't fit.

are you sure?

I can fetch files that are well over 4GB and burn them on DVD. These
files are called "ISO files", but I don't know exactly what's inside
of these files. Sample file:

 ftp://ftp.gwdg.de/linux/knoppix/dvd/KNOPPIX_V5.3.1DVD-2008-03-26-EN.iso

(4342594 KB)

I never tried to burn a CD or DVD under OpenBSD, though.

 Backing up the big stuff is problematic.

Right.


Kind regards,
--Toni++



Re: Backup strategies

2009-02-01 Thread Toni Mueller
On Sun, 01.02.2009 at 13:01:52 +, Matthew Szudzik mszud...@andrew.cmu.edu 
wrote:
 See
  
 http://en.wikipedia.org/wiki/ISO_9660#The_4_GiB_.28or_2_GiB_depending_on_implementation.29_file_size_limit

Thanks for the heads-up, but

 Some operating systems can handle files up to 4GB on an ISO 9660
 filesystem, and other operating systems can handle more than 4GB.  But
 if you want your ISO 9660 filesystem to be fully portable, you should
 stick to the 2GB limit.

if I'm not mistaken, quite a bit of software today comes on DVDs,
crammed to the brim. So I wonder whether the standard has been
extended, whether there's a convention about how to deal with larger
files, or whether it's sheer accident that it works.

Besides, having media types that can't be fully utilized is neither
useful nor acceptable, imho, but the solution can't be "make only
smaller media".


Kind regards,
--Toni++



Re: Backup strategies

2009-02-01 Thread Toni Mueller
Hi,

On Sun, 01.02.2009 at 18:34:31 +0100, Pierre Riteau pierre.rit...@gmail.com 
wrote:
 You seem to be mistaken.

yes. Thanks to all of you, and note to self: Don't post when
tired and distracted...


Kind regards,
--Toni++



altq problem: how to correctly borrow in hfsc?

2009-01-30 Thread Toni Mueller
Hi,

I'd like to have both the most bandwidth and the most throughput for
"fast", if traffic classified as eligible for "fast" needs to be
transferred, and otherwise most of the bandwidth available for "slow",
but leaving 100Kb free for "fast" at any one time, and, preferably,
also leaving a bit of free capacity for "slow", and for some other
tasks, open, at any one time. E.g., I'd like to reserve 10% for "fast",
and 5% each for all other tasks which can't be assigned to any other
queues, but share the rest according to priority and demand.



I have a topology like this:

  netA gwA --- Internet  gwB netB


On gwA I configured altq like this:

altq on $ext_if bandwidth 1800Kb qlimit 2500 hfsc (linkshare 1800Kb upperlimit 1800Kb) queue { otheroffice, some other queues }

queue otheroffice priority 5 bandwidth 970Kb qlimit 500 hfsc (linkshare 970Kb upperlimit 970Kb) { fast, slow }
queue fast priority 7 bandwidth 20% qlimit 500 hfsc (realtime 100Kb upperlimit 50%)
queue slow priority 6 bandwidth 10% qlimit 500 hfsc (upperlimit 80%)


This results in traffic in the "slow" queue being limited to 97000 bits
per second, which is _awfully_ slow. But when I read the queue
definition of "slow", it says that the queue should be able to use up
to 80% of 970Kb (= 776Kb), only that it doesn't.


Any ideas, please?


Kind regards,
--Toni++
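As an added illustration (not code from the post, and not pfctl's own parser), here is a small Python resolver that turns hfsc queue lines of the form used above into absolute bit rates. It assumes the rules pf.conf(5) gives for hfsc: a percentage is taken relative to the parent queue's bandwidth, and a queue's `bandwidth` value serves as its linkshare curve when no `linkshare` is given; it handles only the single-value service-curve form the post uses (one rate after `realtime`, `linkshare` or `upperlimit`), not the `(m1 d m2)` form. The three queue lines are re-typed from the post, the root rate is the 1800Kb from its altq line, and the function names are assumptions. Run as written, it shows that the 97000 bit/s the post observes is exactly the linkshare resolved for `slow` (10% of 970Kb), while `slow`'s upperlimit resolves to 776000 bit/s, which matches the post's own 776Kb figure; it does not by itself say why the queue stops at its linkshare.

```python
"""Resolve hfsc queue lines into absolute bit rates.

Added illustration, not pfctl's parser.  It handles the single-value service
curve form used above (realtime/linkshare/upperlimit followed by one rate),
resolves percentages against the parent queue's bandwidth as pf.conf(5)
describes, and takes the queue's own bandwidth as the linkshare curve when
none is given.  The queue lines are those from the post; the root rate is the
1800Kb from its altq line.
"""
import re

UNITS = {"b": 1, "Kb": 1000, "Mb": 1000 ** 2, "Gb": 1000 ** 3}
RATE = r"[\d.]+(?:%|[KMG]?b)"
QUEUE_RE = re.compile(
    r"^queue\s+(?P<name>\w+)"
    r"(?:\s+priority\s+(?P<prio>\d+))?"
    r"\s+bandwidth\s+(?P<bw>" + RATE + r")"
    r"(?:\s+qlimit\s+(?P<qlimit>\d+))?"
    r"\s+hfsc\s*\((?P<sc>[^)]*)\)"
    r"(?:\s*\{(?P<children>[^}]*)\})?\s*$"
)
SC_RE = re.compile(r"(realtime|linkshare|upperlimit)\s+(" + RATE + r")")


def to_bps(spec, parent_bps):
    """'970Kb' -> 970000; '80%' -> 80 % of the parent's rate."""
    if spec.endswith("%"):
        return int(round(parent_bps * float(spec[:-1]) / 100))
    m = re.fullmatch(r"([\d.]+)([KMG]?b)", spec)
    if not m:
        raise ValueError("bad rate: %r" % spec)
    return int(round(float(m.group(1)) * UNITS[m.group(2)]))


def parse_queues(text):
    """Map queue name -> raw spec for every 'queue ... hfsc (...)' line."""
    queues = {}
    for line in text.strip().splitlines():
        m = QUEUE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported queue line: %r" % line)
        raw_children = (m.group("children") or "").split(",")
        queues[m.group("name")] = {
            "priority": int(m.group("prio") or 1),   # pf.conf(5) default
            "bw": m.group("bw"),
            "sc": dict(SC_RE.findall(m.group("sc"))),
            "children": [c.strip() for c in raw_children if c.strip()],
        }
    return queues


def resolve(queues, name, parent_bps, out=None):
    """Walk the tree from `name`, filling out[name] with absolute rates."""
    out = {} if out is None else out
    q = queues[name]
    bw = to_bps(q["bw"], parent_bps)
    curves = {k: to_bps(v, parent_bps) for k, v in q["sc"].items()}
    curves.setdefault("linkshare", bw)   # hfsc: bandwidth is the default linkshare
    out[name] = dict(bandwidth=bw, priority=q["priority"], **curves)
    for child in q["children"]:
        resolve(queues, child, bw, out)
    return out


# Queue lines from the post (its root altq line carried bandwidth 1800Kb).
SAMPLE = """
queue otheroffice priority 5 bandwidth 970Kb qlimit 500 hfsc (linkshare 970Kb upperlimit 970Kb) { fast, slow }
queue fast priority 7 bandwidth 20% qlimit 500 hfsc (realtime 100Kb upperlimit 50%)
queue slow priority 6 bandwidth 10% qlimit 500 hfsc (upperlimit 80%)
"""
ROOT_BPS = 1800 * 1000


def resolve_sample():
    """Absolute rates for every queue under otheroffice."""
    return resolve(parse_queues(SAMPLE), "otheroffice", ROOT_BPS)


if __name__ == "__main__":
    for name, rates in resolve_sample().items():
        print(name, rates)
```

Resolving the figures this way is the first check worth making before touching the rule set: if an observed cap coincides with one of the resolved curves, as 97000 bit/s does with `slow`'s linkshare here, the question narrows to which curve is actually in effect rather than to the numbers themselves.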



Re: OpenBGPD Flaps, 32bit ASn in the wild.

2009-01-30 Thread Toni Mueller
Hi,

On Fri, 30.01.2009 at 04:08:34 -0800, OpenBSD User 
gb10hkzo-open...@yahoo.co.uk wrote:
 Just to add my vote.
 
 I'm with Claudio on this one.

me too.

 Validate the input yes, but don't tamper with what's
 not yours   

After reading the thread on idr, I'm under the impression that the
suggested fix is suggested in order to cope with a bug in some
versions of JunOS. Some people don't seem to have any interest in
standardized interoperation, as it seems. It seems to be just too
convenient for the big guys to strongarm their way into the standards,
at the expense of at least everyone else.


Kind regards,
--Toni++


