Re: OpenOSPFd and multipath routing questions...
On 29/11/05, Claudio Jeker <[EMAIL PROTECTED]> wrote:
> On Mon, Nov 28, 2005 at 11:46:56PM -0800, David Ulevitch wrote:
> > Misc,
> >
> > I'd like to hear how people are using OpenOSPFd and how it's working
> > out.
> >
>
> It works for most setups. It is not optimal for big ABRs.
>
> > Are people using it in any sort of a local-cluster load balancing
> > method? For example: rtr1 servers area 1 and has three NTP servers
> > attached all announcing the same /32 over OSPF with some logic on the
> > server to withdraw the OSPF announcement if the service goes down?
> >
>
> Nope. There is no kernel support for multipath routing. First we need to
> have working multipath routing before making ospfd multipath aware.
>
> > Also, are people having any issues with the fact that ospfd and bgpd
> > each hold a copy of the routing table (at least) and are doing
> > inserts into the kernel's table, without any sort of preference for
> > multipath routing or metrics?
> > (http://www.openbsd.org/papers/ven05-henning/mgp00026.html)
> >
>
> In most cases this is a non issue because bgpd and ospfd are inserting
> different routes into the kernel. bgpd should announce the aggregated
> prefix (e.g. a /19 or so) and for that no real route is needed. ospfd on
> the other hand will add more specific networks of that /19 and so the two
> should not interfere with each other.
>

I would disagree a bit. Most (all?) bigger networks use bgp to carry internal routing info, we just filter the internal stuff away on our peerings. Seeing the same prefix via multiple protocols is pretty common, especially when migrating from protocol x to protocol y.

One thing I noticed when testing with openbsd was that I wasn't able to add xxx/yy on an interface if the same prefix already was known via bgp.

/Tony
Re: #define failure opportunity
> It is very important that we educate people about what the choice
> of open source software means.
>

From a business perspective I don't see this being very important =)
If the competition is willing to give me an edge on them, be my guests.

/Tony
Re: openbsd web site design proposals (from HOTO write bad docs)
Jacob Meuser wrote:
>
> this is how the world works: ignore the whiners, they offer nothing
> useful.

Some irresistible "straight lines"?
RE: Re: openbsd web site design proposals (from HOTO write bad docs)
[EMAIL PROTECTED] wrote:
>I'm using a mozilla 1.7 browser, with CSS on, JavaScript off.

And it doesn't run javascript. Outside my area of expertise, but that seems normal somehow.

>The menus on the referenced cerealport.com web-site don't expand at

http://cerealport.com does not answer
http://www.cerealport.com does answer, but how is it supposed to be related to OpenBSD.

Looks like another attempt to look good and succeeds only in being dysfunctional.

>End of discussion.

Promises, promises.
RE: Re: openbsd web site design proposals (from HOTO write bad docs)
[EMAIL PROTECTED] wrote: > >On Mon, Nov 28, 2005 at 10:53:45AM -0800, the unit >calling itself J.C. Roberts wrote: I would assume that J.C. Roberts is a human, not a "unit", whatever that is supposed to imply. >> On Mon, 28 Nov 2005 11:27:56 -0600, J Moore ><[EMAIL PROTECTED]> wrote: >> >> >I did think - I actually thought pretty >carefully about what I said. I >> >tried to avoid actually *calling* Nick the >OpenBSD bitch; instead I >> >asked him if he was. Yeah - it's kind of a fine >line... >> > >> >> Have you given up molesting children? > >Ummm - I'm sorry, but you score no points with that >boinked analogy here Are you now the official representative of stupid and useless tolls? Better analogy? >because you've changed context. If you care to read >the opening salvo >again, you should see clearly that Nick threw the >first punch... he >simply couldn't let the other thread go; he simply >couldn't let the OP >try to organize something; he had to jump in and >start trashing the >whole idea. > >You may have lost the whole point of this by now. > >Jay There never was a point. Nick just called it earlier that most everybody else.
Re: #define failure opportunity
On 28/11/05, Theo de Raadt <[EMAIL PROTECTED]> wrote:
> This is why OpenBSD/OpenSSH does not need to hire a spin doctor.
>
> Other people do it for us ;)
>
> http://www.ssh.com/company/newsroom/article/684/
>

---
The improved compatibility features will be beneficial for enterprises that are in the process of migrating their OpenSSH environments to SSH Tectia...

"The large installed base of the OpenSSH code on Linux and Unix servers today is a major opportunity for SSH,"
---

Wow, I think I'll keep my money and let them hump that dead dog in peace ?

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
RE: Re: openbsd web site design proposals (from HOTO write bad docs)
[EMAIL PROTECTED] wrote:
>
>On 11/28/05, Nick Holland <[EMAIL PROTECTED]> wrote:
>
>> NAME ONE.
>> Name one person.
>> Name one browser.
>> Name one problem.
>> OR SHUT UP.
>
>I believe I've mentioned several problems in this thread which occur
>with several browsers.

Said problems are not worth the effort of repeating here.

>I suppose that I had hoped that the OpenBSD
>team would greet new ideas with respect when respectfully discussed.

I would hope they would greet any good ideas I had, if I had any, regardless of my respect or lack thereof.

>I didn't expect anyone to automatically agree with me, but I was hoping
>for a civil conversation, not from list members at large, but at least
>from the OpenBSD team. I guess that was too much to hope for. This
>conversation, at least on my end, is over.

One down.

>
>No wonder people hate OpenBSD nerds.

Why would you think that? I assure you I am NOT an OpenBSD nerd.

>Really. What were you expecting
>me to say? "Your status as an OpenBSD team leader and your ALL CAPS
>have convinced me?
>
>I expected that kind of behavior from random list members, but if this
>is the kind of nonsensical, childing thinking and behavior that goes
>on in the OpenBSD team, I don't know what to think about the quality
>of the product right now.
>

You don't know what to think. Probably don't know how.

>- Jeremy
RE: Re: openbsd web site design proposals (from HOTO write bad docs)
misc@openbsd.org wrote:
>
>hmm, on Mon, Nov 28, 2005 at 12:35:57PM -0501, Nick Holland said that
>> NAME ONE.
>> Name one person.
>> Name one browser.
>> Name one problem.
>> OR SHUT UP.
>
>so small problems or "quirks" are not problems anymore?
>honestly Nick, go compare the code to the pages and you
>should blush.
>

Well, that's one. But I don't find THAT on the web site.
RE: Re: openbsd web site design proposals (from HOTO write bad docs)
[EMAIL PROTECTED] wrote:
>
>hmm, on Mon, Nov 28, 2005 at 05:32:54PM +0100, Otto Moerbeek said that
>> It's even a FAQ: http://www.openbsd.org/faq/faq8.html#wwwnotstd
>
>at least remove
>"We welcome new contributors,"
>because that is clearly not true.
>

They welcome contributors. You are not a contributor.
RE: Re: openbsd web site design proposals (from HOTO write bad docs)
[EMAIL PROTECTED] wrote:
>
>hmm, on Mon, Nov 28, 2005 at 05:32:54PM +0100, Otto Moerbeek said that
>> It's even a FAQ: http://www.openbsd.org/faq/faq8.html#wwwnotstd
>
>doesn't mean it's right, does it?
>

Certainly doesn't mean it's wrong.
Almost certainly means it's OpenBSD

What system were you talking about?
RE: sent some www diffs, your one and last chance to flame me
[EMAIL PROTECTED] wrote: [snip] >all or nothing. >make the pages match the quality of the code and >the cd's. >even if you don't care, other people do. I PAID for my CDs. I am happy with artwork, particularly the smirk on that puffer fish. I did not pay for the website. If I can stumble into the FAQ and packages and figure out where -current lives, I am more than satisfied. The mirrors probably have more than enough to keep up with. Adding anything just to be cutesy seems counterproductive.
Re: Updated CCD Mirroring HOWTO
Robbert Haarman wrote:
[snip]
> As it stands, OpenBSD is the only operating system I am aware of that
> has had the full base system completely audited and has buffer overrun
> and other protections enabled for all software on it. This, by itself,
> makes it more secure than other systems, regardless of what users do
> with it. Even in the worst case, where users actively degrade the
> security of the system, I would imagine OpenBSD's security would at
> least not be _worse_ than that of another system.

Somehow I don't think that really fits OpenBSD's objectives.

The full base system has been audited. The full base system plus something stuck on has NOT been audited.

Security is one of those thingees where it's not what you did right that matters. It's any and everything you did wrong that matters.

I am not an OpenBSD fanboy. I am typing this on an XP laptop at home via some vintage of VNC redirected via rinetd to a very old laptop running 98 sitting on my desk at work. Secure? Hardly.

I lurk on this list because it is entirely possible that I find myself in a situation where security actually matters. In that case, knowing what and why and digging through everything will be essential.

If security matters, just running on OpenBSD will hardly be enough. Security requires getting all the edges right. And so they stay right.
Re: Updated CCD Mirroring HOWTO
Daniel Ouellet wrote: > In all these: > > >>I'm going to take this thread for what I think it is... the old guard > >>telling us youngin's that our efforts are appreciated, but we've got a > >>bit more to learn about how things work, and how to write good > >>documentation, before we're really ready to jump into these things the > >>way we have been lately. I've noticed a decent drop in the number of > >>"How do I get PPPoE working" and "How do I get Apache+MySQL+PHP working" > >>questions on the list, which is what prompted Daniel to create > >>openbsdsupport in the first place, so in a way, we've been successful in > >>what we set out to do. > > > > > > I may seem overly critical in debate but I still believe the work of > > Daniel Ouellet and the HOWTO writers has been a worthwhile experiment. > > Though it has opened the door for the blind leading blind, only by > > experimenting with new ideas will one be able to prove or disprove their > > validity and in the process, you might learn something unexpected. > > > or > quote "Are you subscribed to newbies? We don't do the bullshit like the > HOWTOs or openbsdsupport.org. We teach you how to help yourself. The > answers come with learning, so you can be a better admin." > > There is many sad facts and true factors from both sides. Users have to > and should look for informations and the proper way of doing things. > Hopefully the fact that they decide to switch their OS to OpenBSD may > open the light a bit and may have become a bit more critical to security > anyway, so one would think they wouldn't jump on the first document they > find and just do cut and paste. But the fact of life is also that you > can be sure some will for sure just do that! > > Other may read some documents and see something in it that haven't seen > before and pick their curiously to go look why that is and actually > improve their learning. Not the majority I agree! > > So, nothing is perfect and never will be! 
> > Is it better to provide some help to some users to get them started, or > does it hurt them for not forcing them to dig in vain to fine something > they would get easier. Will the results favor the laziness, or the > curiosity! I wish I knew that answer! Who are lazy, most likely will > stay that way. Some that are incline to change, may well see it as > useful and change, who are doing their homework will take it for what it > is, an other source of information and grab anything, or nothing they > see fit from it, and finally who ever know it all, will see it as a > waist and not look at it, why should they anyway! So, where you fit, > will dictate your point of view on the subject I guess. > > Does it mean it shouldn't exists as a side track? I still don't know for > sure yet... > > But, I think the best way might be to provide the informations in a cons > ice matter WITH reference (URL) to more details and ALWAYS warn the > users NOT to do simply cut and paste as this hurt them for sure, but to > seek the understanding of what is suggested in the documents. Not the > stage of things now of almost all side documents at this time and may > well be never either. > > But who never start walking will never be running either! > > So, it's like, providing knobs to a monkey and he will turn them, that's > why OpenBSD doesn't have knobs like many other OS, or very few knobs > anyway! Generic default is best, so how to provide more informations and > make it easier for users that are not use to do their research and help > them use a better system and at the same time try to trigger them to > learn it without aliening them! I wish I knew the solution for that! 
> > But, I do believe this however, if a brain dead user switch from a less > secure OS ( take your pick of OS here ) and comes to OpenBSD for > security, documentations, curiosity, stability, what ever else, and stop > using the less secure OS, what ever that might be, and in the process > use what some would call "bullshit and stupid brain dead HOWTOs for > monkeys", and never learn more about it, and in the process, may even > hurt it's own setup and making it less secure in the process by using > the brain dead HOWTOs, wouldn't the system in the end still be more > secure then the same setup in any other OS? Don't forget the common > factor here. Brain dead setup to start with, so very likely to be miss > configure in the first place and joint many other less secure system on > the Internet and continue to pollute it. > > I guess that's really the questions isn't it? > > Sadly there will always be brain dead users that cut and paste without > thinking, or knowing, or even wanted to know or learn, what ever you > want to describe it, in the end the resulting system in use by the same > brain dead users is still more secure then an other system setup in the > same matter by the same brain dead users, so the facts remain that in a > small matter, the Internet at large become a bit safer for all of us! > > Isn't it
Re: Updated CCD Mirroring HOWTO
J.C. Roberts wrote: > To the rest of list users; Please pardon another long email from me on > this. Helping reasonable people like Robbert understand why many people > consider "HOWTO's" to be harmful is hopefully worth the added noise and > bandwidth. > > > On Sat, 26 Nov 2005 10:57:12 +0100, Robbert Haarman > <[EMAIL PROTECTED]> wrote: > [snip] > >> If end-users are lazy and want to take the easy way out, they should > >> go back to using linux and MS-Windows. They are not welcome here. > > > >That's a pity. I personally think OpenBSD is the _only_ operating system > >that takes security as seriously as it should be taken, and it would be > >in everybody's (well, almost everybody's) best interest if they used it. > >There is nothing wrong with the project not wanting certain users, but > >it leaves these users with a choice among evils, which is a pity. > > > > Both security and reliability are really nothing more than a byproduct > of correctness and well informed decisions. That's the point. Note the "nothing more". And the "byproduct". If you throw away the correctness, and the effort it requires, the security and reliability won't be around for long. Yes, OpenBSD is the _only_ operating system that takes security as seriously as it should be taken. Consider the why of OpenBSD's accomplishments. Remove the why and you remove what they accomplished. Use OpenBSD and think like Windows and get Windows security.
Re: "FileSystem" versus "File System"
J.C. Roberts wrote:
> I went looking for HIER(7) but didn't know it's name, so I stuffed the
> words "file system" into an Apropos keyword search and got nothing.
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=file+system&sektion=0&manpath=OpenBSD+Current&arch=i386&apropos=1&format=html
>
> Damn, I _KNOW_ the darn thing exists because I've read it before. After
> thinking about it, I tried an Apropos search for the keyword "layout" and
> finally found HIER(7).
>
> The thing I found interesting is that HIER(7) uses the term "filesystem"
> without a space, while other man pages use "file system" with a space.
>
> Other documentation on the OpenBSD.org web site also shows both
> spellings are used in fairly equal measure:
>
> Google:
> Results 1 - 100 of about 347 from www.openbsd.org for filesystem.
> Results 1 - 45 of about 534 from www.openbsd.org for "file system"
>
> My questions are:
> (1) Are patches even wanted to standardize on one of the two?
> (2) Which do you think is more correct?
>
> There's no sense in me spending the time to create and send
> documentation patches if the discrepancy is a considered non-issue.
>
> Kind Regards,
> JCR

man 2 mount claims filesystem
man 8 mount claims file systems
man fstab claims filesystems
man fsck claims file system
man growfs claims file system
man hier claims filesystems
man tunefs claims file system
man newfs claims file system
man mount_ffs claims File System
man mount_xfs claims filesystem

The distinctions do not look accidental. There is a fine line between one-word, low-emphasis "filesystem" and the two-word higher emphasis "file system".

mount_ffs belongs in a class by itself with "Berkeley Fast File System"
"Berkeley Fast Filesystem" -- does NOT feel the same.

Similarly, hier - layout of File Systems -- looks WRONG
A sketch of the File System hierarchy. -- worse?

Looks like any attempt to use one spelling for all forms would make a number of things worse.
Re: Redundant links with BGP and VPN
On 23/11/05, Kor Boerema <[EMAIL PROTECTED]> wrote:
> Ok,
>
> I'm glad that it's possible, I just don't know how to put it all
> together yet.
>
> So I would have to create 2 gif tunnels at each branch office. One going
> over the leased lines and the other over internet.
>
> Over these GIF tunnels I would run ipsec to encrypt the data?
>
> Could you give some more information how to set this up? Just a
> overview.
>
> It's all a bit overwhelming to be honest.
>

1. You create the gif tunnels (firewall-firewall)
2. you encrypt the gif tunnels (firewall-firewall traffic, or leave this for last)
3. You integrate it with your current routing setup and just treat the tunnels as another leased line. Without knowing how your network routing is setup it's hard to be more specific on this part.

Read the man page for gif and ifconfig and do a bit of trial and error. The feeling of the head spinning will go away pretty quickly and you will have a solution you feel confident with. If you don't get that feeling don't use it.

This works the same with or without IPsec. The gif setup is one ifconfig command on each end, I doubt you'll need help with that. man page, tcpdump, trial/error.

/Tony

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: Community policy in openbgpd
On 23/11/05, Dennis S.Davidoff <[EMAIL PROTECTED]> wrote:
> Hello all!
>
> Could someone show examples of complex community policy in openbgpd?
>

I gave it a quick try a few months ago and faced some problems.

1. bgpctl show did not display the communities (and some other attributes)
2. I failed with adding multiple communities

I also believe I ran into some problem like adding communities on top of existing ones, or maybe it was clearing some communities but not all... can't remember.

Another problem I faced was how to refresh things like connected/statics when I modified which communities they were being tagged with.

Some of this may have changed since. Hopefully I will be able to spend some real time on how I can use bsd/bgpd in a service provider network, it depends on what I will be doing in the future.

If you do any testing on this, feel free to let me know how it goes.

/Tony

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: Redundant links with BGP and VPN
On 23/11/05, Kor Boerema <[EMAIL PROTECTED]> wrote:
> Hi Tony,
>
> Thanks for the reply.
>
> In what ways do the GIF tunnels differ from a normal ipsec tunnel?
>

By using a tunneling protocol your traffic will from an ipsec point of view always have the same source/destination.

You also avoid fragmentation of packets if the hosts talking support PMTU discovery, unless your tunnel mtu is too big of course.
Re: Redundant links with BGP and VPN
Fully possible. Just use a tunneling protocol (man gif) for the point-to-points and encrypt them, then use the tunnels for dynamic routing. You even get the bonus of working path-mtu-discovery within your network.

/Tony

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: bridge and Spanning Tree, WAS Re: Help with bridging firewall failover w/ CARP, OpenBSD 3.7
On 21/11/05, Camiel Dobbelaar <[EMAIL PROTECTED]> wrote:
> On Sun, 20 Nov 2005, Ramsey Tantawi wrote:
> > I set up failover of two redundant bridging firewalls using the
> > Spanning Tree Protocol options in bridge, and it worked great.
> >
> > However, when testing failover, it takes between 45 seconds to more
> > than 3 minutes for traffic to start flowing again. The interfaces
> > themselves change state in the expected timeframe, though. The entire
> > network is unmanaged switches, and my guess is that the delay is due to
> > waiting for all the ARP caches to clear. Does this sound reasonable?
>
> Definitely the MAC (not ARP) caches of the bridges and the switches. STP
> devices can help speed up transitions by timing out entries sooner when
> a topology change is detected.
>
> I'm not sure if the OpenBSD bridge does that, the unmanaged switches
> definitely don't. In this case you'd be better off with hubs...
>
> > To help, I set the bridge cache to flush every 20 seconds instead of
> > the default 240. It seems to help somewhat. I'm concerned though--is
> > this too frequent?
>
> With a two port bridge it won't really hurt.
>

I had a problem in my 3.7 openbsd bridges that they did not re-learn mac-addresses while they still were in the table. In my case something happened in the network and when things stabilized the openbsd bridge had incorrect info in the mac-address table and did not re-learn until I cleared the table.

I wasn't able to troubleshoot more due to the thing being live.

/Tony

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: timekeeping on Soekris net4801 w/ ntpd. 3.8
Ted Unangst: > [i was trying to stay away, but can't.] I've never really trusted prepositions ;) By and by, stand by that clock and adjust it by 30 minutes, by whatever means and by whatever rubric you deem appropriate. By which direction, I wonder. > On 11/18/05, J Moore <[EMAIL PROTECTED]> wrote: > > On Wed, Nov 16, 2005 at 09:58:28AM -0800, the unit calling > itself Greg Thomas wrote: > > > What part of adjusting do you not understand? Nowhere in the > log message > > > does it say that that adjusting is finished. You are just > being obnoxious > > > for obnoxious' sake because you didn't get your way. > > > > > > Greg > > > > No, Greg - I'm not trying to be obnoxious for obnoxious' sake - are you? > > What part of the definition of the word "by" to you not understand? > > > > Have you looked the word up in a dictionary? Have you imagined yourself > > in a situation where you were standing in front of a clock, and someone > > said to you, "adjust that clock by 30 minutes, Greg." > > the log message says "adjusting". that's the present participle (not > to be confused with gerunds). it means "not done yet." > > q: "what are you doing in front of the clock?" > a1: "i adjust the time (this instant only)" -- no > a2: "i adjusted the time" -- no > a3: "i will adjust the time" -- no > a4: "i'm adjusting the time" -- we have a winner. will you be done > adjusting the time the instant that the sentence is out of your mouth? > or will the adjusting [gerund form here] continue for some time after > the statement is issued?
RE: Re: slightly OT: TCP checksum and RFC conformity
[EMAIL PROTECTED] wrote:
>Hi,
>
>Damien Miller wrote:
>...
>> [EMAIL PROTECTED] djm]$ netstat -sp ip | grep -E '(bad.*checksum|total packets)'
>> 61092730 total packets received
>> 0 bad header checksums
>>
>
>wouldn't netstat -sp tcp | grep -E '(bad.*checksum|total packets)' give
>the output of interest?
>
>(uptime 10 days on my slow ADSL link)
>netstat -sp ip | grep -E '(bad.*checksum|total packets)'
> 2448320 total packets received
> 0 bad header checksums
>netstat -sp tcp | grep -E '(bad.*checksum|total packets)'
> 23 discarded for bad checksums
> 0 bad/missing md5 checksums
>
>Doesn't this mean that 23 errors were not detected by the link layer
>(probably because the errors were introduced some hops away from me) and
>only the TCP checksum caught them?
>
>I hope you're right and it's not a reliability problem in practice.
>
>regards,
>Andreas

Flames invited if I'm wrong, but I think that it means that 23 packets were discarded for bad checksums. Those 23 packets were discarded BEFORE being seen by the next layer up.

Of course that may be just wishful thinking. One easy stunt would be to generate correct checksums going out for whatever garbage seems to have been received. Repeat.

Flames invited. Who/what do you trust?
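The exchange above turns on what a "discarded for bad checksums" counter can and cannot tell you. The following is an added example, not part of the original thread: it computes the RFC 1071 checksum over a TCP segment and shows which kinds of damage the receiver rejects and which pass unnoticed, including a segment whose checksum was regenerated after the payload changed. The addresses, ports and payload are constructed for the illustration.

```python
import ipaddress
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input with a zero byte
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that TCP includes in its checksum (protocol 6)."""
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)


def build_segment(src, dst, sport, dport, seq, payload: bytes) -> bytes:
    """20-byte TCP header (no options) plus payload, with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    covered = pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload
    csum = internet_checksum(covered)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def verify(src, dst, segment: bytes) -> bool:
    """Receiver check: summing pseudo-header and segment must come out as zero."""
    return internet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0


# Constructed sample values (documentation address ranges, made-up payload).
SRC = ipaddress.IPv4Address("192.0.2.1").packed
DST = ipaddress.IPv4Address("198.51.100.2").packed
PAYLOAD = b"GET /index.html HTTP/1.0\r\n\r\n"


def checksum_blind_spots() -> dict:
    """Return, per kind of damage, whether the receiver would accept the segment."""
    good = build_segment(SRC, DST, 40000, 80, 1, PAYLOAD)
    hdr, body = good[:20], good[20:]

    flipped = bytearray(body)
    flipped[5] ^= 0x01                       # one bit changed in transit

    swapped = bytearray(body)                # two 16-bit words exchanged
    swapped[0:2], swapped[2:4] = body[2:4], body[0:2]

    offset = bytearray(body)                 # +1 in one word, -1 in another
    offset[0] += 1
    offset[2] -= 1

    # A device on the path that alters the payload and recomputes the checksum.
    regenerated = build_segment(SRC, DST, 40000, 80, 1, bytes(flipped))

    return {
        "intact": verify(SRC, DST, good),
        "single_bit_flip": verify(SRC, DST, hdr + bytes(flipped)),
        "words_swapped": verify(SRC, DST, hdr + bytes(swapped)),
        "compensating_errors": verify(SRC, DST, hdr + bytes(offset)),
        "checksum_regenerated": verify(SRC, DST, regenerated),
    }


if __name__ == "__main__":
    for case, accepted in checksum_blind_spots().items():
        print(f"{case:22s} accepted={accepted}")
```

Only the single-bit flip would add to a "discarded for bad checksums" counter; the other altered segments are delivered to the application, which is why data that must not change in transit needs an end-to-end keyed integrity check rather than the transport checksum.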
RE: Re: timekeeping on Soekris net4801 w/ ntpd. 3.8
[EMAIL PROTECTED] Tue, 15 Nov 2005 08:20:07
>
>On Tue, Nov 15, 2005 at 10:23:00AM +0100, the unit calling itself Henning Brauer wrote:
>> >
>> > 'adjusting local clock by XXs'
>> >
>> > The word 'by' is a preposition with a specific meaning in the context of
>> > its use... it means "in the amount of"... but that's not what it means
>> > here, is it? No, it does not. Therefore, the log entry is *inaccurate*.
>>
>> it is perfectly accurate. it says "adjusting by", and that is what it
>> does.
>> it does not say "hard setting" or anything.
>> I won't change the log message, case closed.
>
>It *is* an inaccurate statement of what ntpd is doing to the system's
>time. ntpd is your product - if you're happy with this little flaw, then
>that's fine - leave it as is. But again, "The emperor has no clothes!"
>
>Jay
>
>PS - It would seem "mind closed" would be more accurate description of
>this situation than "case closed", eh?

The message is 'adjusting local clock by XXs'
The message is NOT 'adjusted local clock by XXs'

It's been a long time since English classes, but seems like 'adjusted' refers to something that has been done, while 'adjusting' refers to an ongoing operation.

There is no reason to assume that something that 'adjusting' refers to a completed operation.
Re: nsswitch
probably not -- but we use ldap here at work, and the auth_ldap in the ports tree works great. Aiko Barz wrote: I googled, but I couldn't figure out the current status. My problem: I tried to move my mailservers from Linux to OpenBSD. It's a qmail-ldap system with its users stored in OpenLDAP. Each of my users has its own UID. There is only one troublemaker: maildrop. It depends on getpwuid and getpwnam. But OpenBSD doesn't know anything about my LDAP-users. Solution: There are some solutions. maildrop could lookup the account data directly before invoking getpwuid and getpwnam. (I prefer not to write this patch. It ends up in courier-authlib and so on.) The dirty hack is to use the environment variables which are provided by qmail-local ($USER, $HOME). (This is safe for me because chuid gets called before executing maildrop. I'm not happy with this solution.) Another solution would be something like nsswitch. Are there any plans to implement something like this? Bye, Aiko
Re: Cannot boot version 3.8 on HP pavilion 422
Try: boot -c disable fdc Lionel Vidal wrote: I tried to boot the new 3.8 version on a (rather old) PC, a HP pavilion 422.fr. I tried both to boot from cdrom38.fs and floppy38.fs and the result is the same : OpenBSD i386 BOOT 2.10 boot> booting fd0a:/bsd: 3263620 Entry point at 0x100120 Lots of blue-background infos CD-Rom, DVD-Rom, nvidia cards OK ... Keyboard OK (a logitech wireless) after a while ... fdc0 at ISA port 0x3f0/6 Irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec ... And then nothing... I waited for some time but the PC is frozen, and the only thing to do is to unplug it. Note that the hardware works well : on the 80Go HD, I have an old Win89SE (10Go) and FreeBSD 5.4 (10Go) and I can boot both (my intend was to dedicate that PC to OpenBSD). Sorry to not give the whole log of messages, but I cannot copy them except by writing them fast on paper. I could get some specific part if required though. Any ideas? (Sorry if I did wrong something obvious :-)
Re: pciide: DMA vs. ATA133
It's due to chipset detection, so in the interm, I added this: /usr/src/sys/dev/pci/pciide.c -- line 2650 case PCI_PRODUCT_VIATECH_VT82C571: Or a diff: --- pciide.c.orig Wed Nov 9 10:35:24 2005 +++ pciide.cWed Nov 9 10:35:43 2005 @@ -2648,6 +2648,7 @@ sc->sc_wdcdev.UDMA_cap = 6; break; case PCI_PRODUCT_VIATECH_VT8235_ISA: + case PCI_PRODUCT_VIATECH_VT82C571: printf(": ATA133"); sc->sc_wdcdev.UDMA_cap = 6; break; You can copy/paste that in a file and run patch -p0 < file.diff This isnt correct at all, but it works. Sebastian Dehne wrote Hi Tony, It turns I'm having the same problem and saw you've done some research. # dmesg| grep DMA pciide0 at pci0 dev 15 function 0 "VIA VT82C571 IDE" rev 0x06: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd0(pciide0:0:0): using PIO mode 4, DMA mode 2 wd1(pciide0:0:1): using PIO mode 4, DMA mode 2 wd2(pciide0:1:1): using PIO mode 4, DMA mode 2 What exact changes did you make to pciide.c in order to enable Ultra-DMA? I see the switch at around line 2610 in pciide.c, but cannot work out how to add PCI_PRODUCT_VIATECH_VT82C571. I'm running 3.8. thanks, Sebastian Tony Lambiris wrote: Man I must need sleep or something... this doesn't fix my problem, I forgot I had the extra case in the switch statement still in pciide.c. That did work, however, adding PCI_PRODUCT_VIATECH_VT82C571 as a case. Like I said before I don't know if this is the right way to do this, but it's a temporary fix for me. Over and out, sorry again for the noise. Tony Lambiris wrote: Sorry for all the noise, this seems to have fixed it (from NetBSD): --- via82c586.c.origMon Sep 12 19:38:35 2005 +++ via82c586.c Mon Sep 12 20:27:28 2005 
@@ -256,9 +256,10 @@ reg = pci_conf_read(ph->ph_pc, ph->ph_tag, VP3_CFG_PIRQ_REG); shift = vp3_cfg_trigger_shift[i]; - /* XXX we only upgrade the trigger here */ if (trigger == IST_LEVEL) reg &= ~(VP3_CFG_TRIGGER_MASK << shift); + else + reg |= (VP3_CFG_TRIGGER_EDGE << shift); pci_conf_write(ph->ph_pc, ph->ph_tag, VP3_CFG_PIRQ_REG, reg); break; Tony Lambiris wrote: I forgot to ask, would it be bad practice to just add PCI_PRODUCT_VIATECH_VT82C571 to one of the cases in the switch statement? It seems like this might go a little deeper Tony Lambiris wrote: Well I thought I knew what the problem was (nope).. I found something interesting though... The motherboards that don't setup UDMA properly uses a "VIA VT8237 ISA" for pcib; the one's that setup UDMA properly uses a "VIA VT8235 ISA". I added some debugging in pciide.c in function apollo_chip_map on the switch statement, and the pcib_id it's switching on is 0x0571, which in pcidevs is "VT82C571 IDE". Does that mean somewhere the VT8237 chipset isn't being setup correctly or something? I'm a little confused at this juncture, any light that can be shed would be greatly appriciated. Thanks. Tony Lambiris wrote: I (think I) found the problem... I will be posting a patch shortly if I confirm my suspicions. Thanks. Tony Lambiris wrote: We have some motherboards with (what we think) are the same chips and revisions with the same hard drives, but some drives are being detected as DMA and others as ATA133. 
Here is an example: pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 pciide0 at pci0 dev 15 function 0 "VIA VT82C571 IDE" rev 0x06: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: wd0(pciide0:0:0): using PIO mode 4, DMA mode 2 As you can see it's the same IDE chipset, same revision, same drives.. the only thing I can think of is it's an IDE ribbon issue, but the ribbons we used (which were mixed from the cases and the motherboard boxes), were brand new. Any suggestions? TIA.
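Review bot: the added case PCI_PRODUCT_VIATECH_VT82C571 in the pciide.c hunk keys the ATA133 branch on the IDE function's own product id, and the dmesg excerpts in this thread show that same "VIA VT82C571 IDE" rev 0x06 id on both the board that negotiates Ultra-DMA and the board that does not, so the case sets UDMA_cap = 6 for every controller reporting that id, whatever bridge sits behind it. The thread traces the difference to the pcib ("VIA VT8237 ISA" versus "VIA VT8235 ISA") and reports that the value being switched on is 0x0571; the change to aim for is to find out why the bridge lookup hands back the IDE id on the VT8237 boards and to add a case for that bridge beside PCI_PRODUCT_VIATECH_VT8235_ISA, leaving the generic IDE id out of the switch.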
RE: Re: OT: 10 things i hate most on unix
[EMAIL PROTECTED] wrote: > >On Sun, Nov 06, 2005 at 12:40:12AM -0200, Gustavo >Rios wrote: >> Hey folks, >> >> sorry, but i found this on the web. May someone >tell if it is serious, >> i myself could not believe it. >> >> >http://www.informit.com/articles/article.asp?p=424451&seqNum=1 >> > >Looks like a rehash of > >http://research.microsoft.com/~daniel/unix-haters.html > >with its Anti-Foreword by Dennis Ritchie. Whether >you think it is >humorous or not is of course up to you. I thought >it was funny when >I read it '94. > > Ken Looks like a good book. Thanks. from the Preface "Deficient by Design" "Being small and simple is more important than being complete and correct" "You only have to solve 90% of the problem." "Everything is a stream of bytes." "Despite a plethora of fine books on the subject, Unix security remains an elusive goal at best." There is an obvious implication for Windows security. "These attitudes are no longer appropriate for an operating system that hosts complex and important applications" The gripes may be legitimate, but really, are we any closer to finishing that last 10% than we were 40 years ago? Before there even were such things as operating systems and editors and such. Probably the real reason to hate Unix is that it has outlived its betters, and will most likely continue to do so. Somehow the assumption that you have 100% (when only 90% is attainable) seems to be eventually fatal.
Re: 10 things i hate most on unix
Quoth Gustavo Rios Saturday, November 05, 2005 8:40 PM > > Hey folks, > > sorry, but i found this on the web. May someone tell if it is serious, > i myself could not believe it. > > http://www.informit.com/articles/article.asp?p=424451&seqNum=1 "UNIX was a terrific workhorse for its time, but eventually the old nag needs to be put out to pasture." Seems to me that Unix has outlived its betters, notably Multics. The end of Unix has been proclaimed for ages. I think there are many legitimate gripes about Unix. I doubt that you will find any in said article. Unix is deceptively simple. And deceptively powerful.
Re: Large partition
On 24/10/05, Stuart Henderson <[EMAIL PROTECTED]> wrote: > --On 24 October 2005 13:34 +0200, Beck Zoltan Gyula wrote: > > > I must install a file server so I need minimal 2T disk space. So I > > need to choose an other operating system :( > > 2T is a lot of files to put in a single directory. And of course, where > you work with multiple directories, each can be on a separate > partition... > I thought fsck on 300GB was painful. 2TB... -- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
RE: Re: Non Developers allowed to ask questions ?
On Wed, 19 Oct 2005 10:07:47 [EMAIL PROTECTED] > >On Wed, 19 Oct 2005 14:06:11 +0100 >"Constantine A. Murenin" <[EMAIL PROTECTED]> >wrote: > >> On 19/10/05, [EMAIL PROTECTED] ><[EMAIL PROTECTED]> wrote: >> > There is a legitimate use for top posting. >> > Deletion and/or answer of message in 10 to 15 >seconds or less. >> >> Nonsense. Just because your MS Outlook does not >support or is not >> configured to support bottom-posting, doesn't >mean that you should >> find some invalid excuses for top-posting. > >With a sig like mine I couldn't resist a resounding >"me too" on this >one;-) My sig concisely demonstrates in a >nutshell why top posting is >problematic, if not an all out pita. > > >Before johnny-come-lately M$ decided to jump on the >internet bandwagon >w/ their lame software top posting was completely >unheard of. I've >been using Unix since '81 so I think I can say this >w/some certainty. >Top posting is just a lame excuse offered by lame >software developers >who wrote a lame mua w/o bothering to read any >rfc's, research >conventions, etc. prior to doing so. A point >obvious to those who cut >their teeth on *nix rather than M$. > > > >-- >Best regards, > >Ken Gunderson > >Q: Because it reverses the logical flow of >conversation. >A: Why is putting a reply at the top of the message >frowned upon? Ok, OK. This would not work in top posting. And the complexity of this is essentially trivial. Microsoft is good for someone with no knowledge or skill throwing something into Word or Outlook and having something come out looking quite presentable. But woe to anyone who actually cares critically what it looks like. > Yep. If you're stuck on an M$ platform for whatever reason Yep. The question is when and how to jump. Maybe why. To what "should" matter, but I suspect that how you go about it, and the expectations probably matter more. Nasty question. 
Which works better (or worse depending on your viewpoint), thinking Linux and using OpenBSD, or thinking OpenBSD and using Linux? [rant] Security should be a reason, but I cannot put security mattering in the same universe as five cent compromised computers. My impression of NT4 was that it was unsecurable, so I didn't. My impression of XP is that it is guaranteed insecure. My users do NOT "click on everything". Analogies to babies putting everything into their mouths probably have something to do with it. Hiding stuff from users seems like a fatally bad idea. Hiding error messages from users is maybe not a good idea either. Just because the dumb computer thinks it has a problem does NOT mean that the intelligent user has a problem. Everything I've seen indicates that intelligent user/dumb computer is the way to play it. Moreso as the computers get bigger, faster, more complicated. Intelligent computer has the fatal flaw that the computer does not know what the computer does not know. A bit like the flat-earth society where the edge is not visible from the inside. [/rant] With a wee bit of editing, bottom posting is quite workable. (I've got too much work related where top posting (like Done.) is necessary. For this list, it is emphatically worth the trouble. As simple and straight-forward as this is, I defy anyone to translate it intelligently into top-posting. Top posting is designed to terminate conversations. Bottom posting encourages continuing and exploring various alternatives. If I were actually talking about something relevant, bottom posting gives many places to attach something. Since I am not distracting with relevant stuff, we can play with the structure of the beasties themselves. FWIW. I LIKE this list. I like the way you all think. Not nearly as concise as your sig ;)
RE: Re: Non Developers allowed to ask questions ?
On Wed, 19 Oct 2005 14:06:11 [EMAIL PROTECTED] wrote: >On 19/10/05, [EMAIL PROTECTED] ><[EMAIL PROTECTED]> wrote: >> There is a legitimate use for top posting. >> Deletion and/or answer of message in 10 to 15 >seconds or less. > >Nonsense. Just because your MS Outlook does not >support or is not >configured to support bottom-posting, doesn't mean >that you should >find some invalid excuses for top-posting. > >Cheers, >Constantine. Since I am replying to your reply, I think I maybe stand corrected. This is lame enough sitting here. It does not work as a top post. Microsoft makes it easy. Easy to do it stupid, I'm beginning to think.
Re: Non Developers allowed to ask questions ?
There is a legitimate use for top posting. Deletion and/or answer of message in 10 to 15 seconds or less. The stunt is essentially the same as stuff in newspapers. The reporter writes. The editor puts as much as will fit in the allotted space and ignores the remainder without even looking. The readers read as far as they like and then stop reading. Top posting totally messes up any attempts at coherent follow-ups. Hmmm, does that explain some of the problems with media? If I had another point to make, I have run out of space in which to make it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin . Sent: Tuesday, October 18, 2005 5:41 PM To: misc@openbsd.org Cc: [EMAIL PROTECTED] Subject: Re: Non Developers allowed to ask questions ? >there seems to be some unwritten rule that users (not to be confused >with developers) are not allowed to ask whether certain things are >supported in OpenBSD or when these items are likely to be available, Nope--not at all. Stupid questions that show a lack of research and/or lack of supporting documentation (like a dmesg when required) are seriously frowned upon though. In fact such posts usually just get ignored. The minimal rules (for the record) are: 1) Top posting is nearly always bad. Consider emails you're sending as if they're being published in a book. Books make sense read from top to bottom. This is particularly important for logic-flow in the lists when multiple parties get involved. 2) Check at *very* least the following various resources before posting: http://www.openbsd.com/faq/ ftp://ftp.openbsd.org/pub/OpenBSD/doc/pf-faq.txt (for PF questions) http://www.openbsd.com/plat.html (for your respective hardware) http://www.google.com (do at least the basic research to see if it has been discussed) 3) Holy wars and similar philosophical debates are nearly always useless. 
In fact aside from those for yanking out crappy software / licenses, I can think of not one instance where one has been anything BUT useless. Messages like that should go to /dev/null instead of the list. You'll feel better and so will we. ;-) 4) Never ask for driver or software support that doesn't include offers to provide: - free or at VERY, VERY least absolutely-no-strings-attached loaner hardware - offer to fund development Most developers have 'day jobs.' This ain't Microsoft where people punch clocks. These guys are doing this because it's fun and because they use it themselves. Asking for development of something complicated like drivers (especially for some old trashy ISA NIC for instance) brings no one joy when they themselves have no use for it. Follow? Most of them--like the rest of us sane folk--would rather be doing something fun and/or useful to *themselves* when finished. Last footnote: when requesting support, include _brief_ reasoning why (particularly in context of it benefitting the entire community) it would be good for all, and it's M-U-C-H more likely to get attention than, "Uh... anyone working on this?" 5) If you get no answer, consider it an implicit "no". For a dozen people to stand up and say, "no," makes no sense, right? It takes time away from coding and just makes noise. 6) Barring that, an off-list note to a developer responsible for something similar **may** also make sense. Particularly if there's cash and/or hardware attached. >So where does one post questions *after* having read the FAQ etc C'mon. That depends on the question. If it's related to php5 you're probably better off with ports@; alpha specific comments should probably go to alpha@ and so on. >If I was a developer I'd be posting to the tech@ list wouldn't I. Maybe. Maybe not. Many developers post things to misc. Think about your audience and who's most likely to benefit from your questions / comments. 
Any notions that anyone here is somehow beholden to you (that being the universal you, not you specifically) have got to go. By using the list, we're each asking for help from a tremendous resource of hundreds (thousands?) of people including the very developers themselves of your OS. We're getting support for the bargain price of free just for the asking. In exchange one must be reasonable. You'll never, ever get this from Microsoft or Cisco. There you'll get shuffled around on the phone for hours, talk to someone useless, get no answer, and more likely than not be $195 lighter in your loafers for the trip. As I think most fellow misc@ listers will agree, an email with such questions certainly *leans* towards being hostile or at least passive-aggressive / accusatory. I'll afford the courtesy of benefit of the doubt. With that in mind if one doesn't get the response one wants, chances are the answer is "no." Now it's time to look to consider marshalling resources for a hardware/cash donation if you *really* want it done or to begin looking for another solution better suited to your needs. For some people that means
Re: RAID for dummies
Quoth J Moore [snip] >And I'm suggesting that trying to be an expert in everything is not a realistic goal... why pick up a scalpel at all (to "haul your butt out of the fire") if your neighbor has invested years in becoming a thoracic surgeon? If surgery is required, I would choose to let the experienced surgeon haul my butt out of the fire, and concentrate my energy in my field of interest. Sorry if I confused you on that point. If my neighbor has invested years in becoming a thoracic surgeon, I still have the problem of knowing that it is his expertise that I need. If I do need his services, how much knowledge of his field should I know for my own protection and so that I can make rational choices? In the case of RAID, just how effective is the magical incantation? Everything I've seen on this list by people who should know (that's the people who have survived disasters rather than wondering what happened to them) indicates that RAID has become a sales gimmick for customers with more dollars than sense, and unless handled extremely carefully is slower, much more likely to fail catastrophically, with marginal gain in accessibility. The main problems are in rebuilding a failed disk and in extremely long downtimes while rebuilding. You don't need to be an expert in everything, but you do need to know enough to know when an expert is needed. Anything that claims that no expertise is needed when in fact expertise is needed is no friend.
Re: 3 VPNs, 3 networks, 2 subnets
On 13/10/05, Chris Cameron <[EMAIL PROTECTED]> wrote: > I'm trying to do something I'm pretty sure I recall reading couldn't be > done. Although I wasn't able to find any information this last time around. > > We're going to be temporarily splitting our data centre, but still want > both data centre halves connected to our office through our VPN. Everyone > needs to maintain the same subnet as we have software that is licensed > based on the subnet it is on. > > So: > > 192.168.120.x <-> 192.168.121.x <-> 192.168.120.x > > I don't care if the two .120's can talk to one another, I just need to > be able to talk to both .120's from the .121 > > Now, some cursory poking around, using a local ID type of > IPV4_ADDR_SUBNET is no good. Using IPV4_ADDR isn't working for me, as > the .121 firewall (understandably) doesn't know to route the internal > traffic that way. > > > So, immediate question would be, would there be a way to add routing > table entries for the specific IPs I want going to the second .120 > network? I understand how arp requests work, but obviously not how an > arp proxy works, as I wasn't able to fix "network unreachable" errors. > > > If that's a no go, is this even possible? At all? I'm willing to do > bizarre things. The other thought I've had is to have a .130 subnet on a > vlan and the second .120 on another vlan, and then just translate packets. > > Set ip IPIP (gif) tunnels between the firewalls, encrypt them if you want to, add the statics you wish on the main site pointing at the other end of the tunnel where you want it to go. /Tony -- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: FileSystem Corruptions? Very important Files at stake.
The first thing to do is to copy the drive with the photos to fresh disk space before further damage is done to the originals. Expect recovery to be long and painful even with some tools to make it easier. There are people here that know a lot more about this than I, but the first thing is to get lots of accessible disk space in which to put: 1) the raw image of the original disk 2) the raw images of the disk partitions (dos partitions, that is) 3) the raw images of the disk partitions (obsd partitions, that is) 4) space in which to attempt reconstructions of what was supposed to be there. If you really know what you are doing, you can probably get away with omitting some of the above. Make accurate notes of what is where in what order etc. Good luck. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Justin Wong Sent: Saturday, October 08, 2005 4:46 PM To: misc@openbsd.org Subject: FileSystem Corruptions? Very important Files at stake. Hi, I was wondering if you could help me. After searches on the internet turned up nothing, I found your site about your love for OpenBSD. My problem is that when I boot, I get an error /dev/rwd0a BAD SUPER BLOCK: VALUES IN SUPER BLOCK DISAGREE WITH THOSE IN FIRST ALTERNATE. Then, on the same 13 gig drive, the error, "/dev/rwd0a UNEXPECTED INCONSISTENCY RUN fsck_ffs MANUALLY". Later on, I also get an error from my other HardDrive which is a 200 gig Seagate. This drive is also getting many errors. I did not realise it, but I guess I had formatted it in NTFS. This HardDrive contains many files of which are very important (3 years worth of files and a few thousand family photos). The only thing I can remember that might be related to the error is that the computer would not shut down the previous night. I am relatively new to OpenBSD so I shrugged it off as I held the power button down. I made sure the HDD activity light was off. I am using OpenBSD 3.7. 
When I type "login" I get a #sh not found error and it seems to continue. From there I get thousands of errors where the computer tells me to fsck. From my view, it looks like both filesystems became corrupted. I really need these files. A liveCD of Ubuntu doesn't seem to be working as it can't read the 200 gig drive. The 13 gig drive comes up with a nod error every couple or so nodes with fsck. Ubuntu won't even read the 200 gig drive. Can you please help me at least to recover the files? Any suggestions would help. The computer is a 500Mhz K6 with the 13 gig drive run as master and the 200 gig drive as slave. Some of these files are photographs of my now deceased grandfather and are very important. Thank you for your time. Justin Wong. -- $ cat "food in tin cans" cat: cannot open food in tin cans
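The image-first workflow listed in the reply above (raw disk image, per-partition images, scratch space, notes), as an added example that is not part of the original posts. The function names, the case-directory layout and NOTES.txt are assumptions; the source would be the raw device node of the failing disk, opened for reading only.

```shell
#!/bin/sh
# Added example: image a failing disk once, then work only on copies.
# Function names, file layout and NOTES.txt are assumptions for this sketch.
# Usage (device path is a placeholder):
#   acquire_image /dev/SOURCE_DISK /recovery/case disk0
#   work=$(working_copy /recovery/case disk0)
#   carve_partition "$work" START_SECTOR SECTOR_COUNT /recovery/case/part0.img

BS=${BS:-64k}   # read size; a smaller value loses less data around a bad block

# Print only the hex SHA-256 of a file, using whichever tool is installed
# (sha256sum on Linux, sha256 on the BSDs, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_image SRC CASEDIR NAME
# Reads SRC once and never writes to it. conv=noerror,sync continues past
# unreadable blocks and zero-fills them so later offsets stay aligned; it also
# pads a short final read, so the image can exceed SRC by up to one block.
acquire_image() {
    src=$1 dir=$2 name=$3
    img="$dir/$name.img"
    mkdir -p "$dir" || return 1
    if [ -e "$img" ]; then
        echo "refusing to overwrite $img" >&2
        return 1
    fi
    dd if="$src" of="$img" bs="$BS" conv=noerror,sync 2>"$dir/$name.dd.log" || return 1
    hash_file "$img" >"$dir/$name.sha256" || return 1
    chmod a-w "$img" "$dir/$name.sha256"
    # "Make accurate notes of what is where": one line per acquisition.
    printf '%s name=%s src=%s bytes=%s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$src" \
        "$(wc -c <"$img" | tr -d ' ')" "$(cat "$dir/$name.sha256")" \
        >>"$dir/NOTES.txt"
}

# working_copy CASEDIR NAME
# Checks the stored image against its recorded digest, then prints the path of
# a writable scratch copy. fsck and recovery tools only ever touch the copy.
working_copy() {
    dir=$1 name=$2
    img="$dir/$name.img"
    want=$(cat "$dir/$name.sha256") || return 1
    have=$(hash_file "$img") || return 1
    if [ "$want" != "$have" ]; then
        echo "$img no longer matches its recorded digest" >&2
        return 1
    fi
    work="$dir/$name.work"
    cp "$img" "$work" || return 1
    chmod u+w "$work" || return 1
    echo "$work"
}

# carve_partition IMAGE START_SECTOR SECTOR_COUNT OUT
# Cuts one partition out of a disk image by 512-byte sector offsets, taken
# from the partition table or disklabel as read from the image.
carve_partition() {
    img=$1 start=$2 count=$3 out=$4
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi
    dd if="$img" of="$out" bs=512 skip="$start" count="$count" 2>/dev/null
}
```

The per-image dd log records how many blocks were read in full and any read errors, which shows how much of the image is zero fill rather than data.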
Re: Two Isp Fault Tollerance Help
On 07/10/05, Roberto Pereyra <[EMAIL PROTECTED]> wrote: > Hi > > Where I can find bgp uses examples (simples, for newbies) ? > > Thanks > > roberto > Unless you know what you are doing here you will not improve on the situation. If you have a bad connection, replace it. With bgp routing you will participate more actively on the internet, it also means that more of the responsibility falls on you, and you will see problems of a different nature, and problems at any of your providers may affect you. Bad connectivity, which provider do you contact ? Those providers will get back to you with an entirely new set of questions for you to answer. And in worst case the providers themselves completely lack a clue. BGP routing and multiple upstreams may be a good thing if you have the knowledge and resources to handle it, otherwise it isn't. I recommend the book Internet Routing Architectures from cisco press. /Tony -- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
RE: Re: sh-script executing
The editing is perfectly safe. It is the reading of a file that is being changed that is unsafe. Of course there's Microsoft Windows. >- --- Original Message --- - >From: [EMAIL PROTECTED] >To: misc@openbsd.org >Sent: Fri, 7 Oct 2005 09:39:47 > >OM> I know this behaviour from every Unix system >I've worked on. Besides, >OM> the nice thing about the current way of doing >things is that you can >OM> read a script from a pipe and have the desired >behaviour without any >OM> special case code. > >This behavior has any advantages for regular files >? Compatibility ? > > If so, do any editor has option to safe editing >for this case ? >(of course, I always can do editor wraparound).
Re: Transit with OpenBGPd... How to allow only on or two as neighbor only ?
On 06/10/05, Xavier Beaudouin <[EMAIL PROTECTED]> wrote: > [...] > > > > > The announce keyword is mostly for simple setups. For transit providers > > announce should be set to all and real bgp filtering should be used. > > > > The idea of announce is that small multihomed setups with e.g. two uplinks > > just work in a save manner (defaulting to self and so not the full table > > is reexported). > > > > Thanks Claudio, > > But can you provide me a more detailed example. Because I have some > difficulties to make a filter for such setup... > The best way to make a scalable setup is by using bgp communities. That way your transit/peering routers advertise based on information you can set on origin or ingress into your network, not depending on the prefix/as itself. I have not checked how bgpd and community support looks in -current, but when experimenting a few months back I had some problems with setting multiple communities and I was also forced to use an external route-server to see what was happening in my test network. I intend to give this a new try when I have finished the project I'm currently working on. /Tony -- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
RE: Netgear WG311 v3
Quoth [EMAIL PROTECTED] >These cards don't seem to be ath anymore. > >The relevant bits from my dmesg. > >rl0 at pci1 dev 0 function 0 "D-Link Systems >530TX+" rev 0x10: irq 11 address 00:11:95:24:6a:0d >rlphy0 at rl0 phy 0: RTL internal phy >rl1 at pci1 dev 1 function 0 "D-Link Systems >530TX+" rev 0x10: irq 5 address 00:11:95:24:6a:0c >rlphy1 at rl1 phy 0: RTL internal phy >vendor "Marvell", unknown product 0x1faa (class >network subclass ethernet, rev 0x03) at pci1 dev 2 >function 0 not configured > >Thought you all might like to know. Thrice cursed >vendors. Lucky for me it was an incredibly cheap >impulse buy. > >Ray >-- >BOFH excuse #326: > >We need a licensed electrician to replace the light >bulbs in the computer room. First "Thanks", which you don't hear very often. Second, it seems that this list is the best (best that I know of) available intelligence about the state of hardware. Not as an OpenBSD user, but as a user of most everything else. Anything that gives OpenBSD trouble, it's just a matter of time before it gives me trouble where I care about it. I doubt that I am alone, and most of us tend to keep our yaps shut. I would love to have the information organized and digested for me, hardware compatibility lists make some attempt to do this, but the intelligence value comes from reading between the lines and is based on human reaction and opinion. Anything "organized" is too easily astroturfed. My experience with OpenBSD is limited, however. 3Com NIC on NT Server suddenly decided to work very poorly. Best help I could find was OpenBSD archives. Intel Pro NIC and problems went away. Actually did a repeat performance. Consensus seems to be Peculiar Adaptec SCSI controller (I understand Adaptec used to make good products) card would work with Linux only with SCSI BIOS disabled. Worked with OpenBSD with BIOS enabled. OpenBSD has an attitude, knows quite a bit about hardware, and is probably well worthwhile listening to regardless of OS. 
There is of course much more that I do not know than I do know, but in a few cases I do know enough that OpenBSD and especially Theo seems to have a knack for being dead accurate. If security matters, OpenBSD "gets it". If security matters, you do NOT get compromised machines at a nickel each. If security does not matter, there are a number of stupidities which are very ill advised. [ ] Always trust OpenBSD.
Re: Gigabit network measurments with OpenBSD 3.8-beta (long)
On 29/09/05, Schvberle Daniel <[EMAIL PROTECTED]> wrote: > > I hope this proves to be useful to someone, > Daniel > I personally find all network performance/routing info on openbsd interesting. Thanks Daniel. -- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
RE: Re: Portmap non-local set / unset attempt
Making is a process. Toast is not a process. >- --- Original Message --- - >From: [EMAIL PROTECTED] >To: misc@openbsd.org >Sent: Fri, 23 Sep 2005 02:30:10 > >[EMAIL PROTECTED] wrote: > >>> Security is everything you've ever said, plus a >process. >> >> If it is secure, it doesn't need a process. So >why would security be a >> process again? Because of the vendors making >"mistakes" and fix it later? >> >> Jimmy Scott > >It is a "process" in the same way that "making >toast" is a process. >The purchase of a "bread-crisping solution" that is >UL-certified to not >set your house on fire is the contribution of the >"engineering" and >"product development" stages. In common usage, >using this "solution" >to toast your morning snack will produce crispy >bread and will not >produce a howling conflagration. However, note >that it is still very >much possible to ignite your domicile by soaking a >rag in lighter fluid, >stuffing it into the bread-toasting slot, and >jamming the switch closed >with a butter knife. For a less extreme example, >it _may_ be possible >to cause a fire by leaving a towel too near the >toaster while it is >operating, something which is easy to do and all >too common. > >Having a morning snack and an un-burnt house at the >same time, then, is >contingent upon two things - possessing a toaster >of adequate quality, >and using it properly. You don't get to have the >whole package without >a) looking for a good toaster in the first place, >and b) learning how >to use it. Security operates similarly: one boner >mistake on anybody's >part - coder, engineer or administrator - and your >"security" vaporizes >_instantly_. Go read some of Bruce Schneier's >screeds on the subject, >they're informative. > >So yes, security most certainly _is_ partly a >"process", various >opinions to the contrary notwithstanding. 
It is >identical to the >process of locking your doors and checking your >windows before you >go to bed at night, or of making sure that you're >not stuffing a paper >towel or a cardboard box top in your toaster in the >morning before >you've had coffee. You could call it "habitual >prudence", I suppose. > >Of course, computers being based on hard-core >determinism and Boolean >logic, a higher standard is possible. I note in >passing that the >security of every operating system in common use >(including OpenBSD) is >_unproven_ [1], with the possible exception of >Coyotos. Asserting >something that is unproven and which may actually >be impossible to prove >("X is more secure than Y") is not a good idea. In >other words, don't >toss shit at the vendors unless you can _prove_, >from a chain of >irrefutable deduction, that your proposed solution >is "more secure" than >theirs. (Something which is likely impossible, due >to OpenBSD's design >and the language in which it is written.) Hint: >the manpower, >brainpower, and computing power needed to >accomplish this task _even if_ >it is possible is probably going to exceed anything >you're willing to >marshal to that end. > >Theo is right about one thing, however: Bugs and >security flaws arise >from mistakes, every one of which is avoidable. >There are no "new" >classes of bugs or design flaws, essentially every >one has been >generally known of and understood for decades. It >is only sloppy >practices - dare I say it, "bad processes" - that >permit these bugs >to creep into various codebases and multiply. The >cure for this >problem is "better processes". The "easy" cure is >for these processes >to entail continuous auditing (the OBSD solution). >The harder cure >is to work on establishing and maintaining a >process that incorporates >rigorous proof as a necessary component. We may >not ever see that, but >hey - it's nice to dream, isn't it? 
> >-- >(c) 2005 Unscathed Haze via Central Plexus ><[EMAIL PROTECTED]> >I am Chaos. I am alive, and I tell you that you >are Free. -Eris >Big Brother is watching you. Learn to become >Invisible. >| Your message must be this wide to ride >the Internet. | > >[1] Rigorous proof, that is. Anecdotal evidence >does not establish >proof of anything whatsoever.
RE: Re: Portmap non-local set / unset attempt
>Security is everything you've ever said, plus a >process. No. security does not require the process. Attempted security (that doesn't quite work) requires a process. Like the difference between does work and should work.
Re: BGP peering, 2 peers, hardware reqirements & questions
There is nothing simpler and cleaner than IP routing. Avoid all nasty hacks with address re-writing and ugly stuff if possible. Your own as, two full bgp feeds and just let bgp decide path. Loadsharing is usually pretty good, and if you are looking for better load-sharing then redundancy probably isn't that important. Weekend. /Tony Sorry about the duplicate, Joel. -- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: pciide: DMA vs. ATA133
Man I must need sleep or something... this doesn't fix my problem, I forgot I had the extra case in the switch statement still in pciide.c. That did work, however, adding PCI_PRODUCT_VIATECH_VT82C571 as a case. Like I said before I don't know if this is the right way to do this, but it's a temporary fix for me. Over and out, sorry again for the noise. Tony Lambiris wrote: Sorry for all the noise, this seems to have fixed it (from NetBSD): --- via82c586.c.origMon Sep 12 19:38:35 2005 +++ via82c586.c Mon Sep 12 20:27:28 2005 
@@ -256,9 +256,10 @@ reg = pci_conf_read(ph->ph_pc, ph->ph_tag, VP3_CFG_PIRQ_REG); shift = vp3_cfg_trigger_shift[i]; - /* XXX we only upgrade the trigger here */ if (trigger == IST_LEVEL) reg &= ~(VP3_CFG_TRIGGER_MASK << shift); + else + reg |= (VP3_CFG_TRIGGER_EDGE << shift); pci_conf_write(ph->ph_pc, ph->ph_tag, VP3_CFG_PIRQ_REG, reg); break; Tony Lambiris wrote: I forgot to ask, would it be bad practice to just add PCI_PRODUCT_VIATECH_VT82C571 to one of the cases in the switch statement? It seems like this might go a little deeper Tony Lambiris wrote: Well I thought I knew what the problem was (nope).. I found something interesting though... The motherboards that don't set up UDMA properly use a "VIA VT8237 ISA" for pcib; the ones that set up UDMA properly use a "VIA VT8235 ISA". I added some debugging in pciide.c in function apollo_chip_map on the switch statement, and the pcib_id it's switching on is 0x0571, which in pcidevs is "VT82C571 IDE". Does that mean somewhere the VT8237 chipset isn't being set up correctly or something? I'm a little confused at this juncture, any light that can be shed would be greatly appreciated. Thanks. Tony Lambiris wrote: I (think I) found the problem... I will be posting a patch shortly if I confirm my suspicions. Thanks. Tony Lambiris wrote: We have some motherboards with (what we think) are the same chips and revisions with the same hard drives, but some drives are being detected as DMA and others as ATA133. 
Here is an example: pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 pciide0 at pci0 dev 15 function 0 "VIA VT82C571 IDE" rev 0x06: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: wd0(pciide0:0:0): using PIO mode 4, DMA mode 2 As you can see it's the same IDE chipset, same revision, same drives.. the only thing I can think of is it's an IDE ribbon issue, but the ribbons we used (which were mixed from the cases and the motherboard boxes), were brand new. Any suggestions? TIA. -- Tony Lambiris [ [EMAIL PROTECTED] ] "so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
Re: pciide: DMA vs. ATA133
Sorry for all the noise, this seems to have fixed it (from NetBSD): --- via82c586.c.origMon Sep 12 19:38:35 2005 +++ via82c586.c Mon Sep 12 20:27:28 2005 
@@ -256,9 +256,10 @@ reg = pci_conf_read(ph->ph_pc, ph->ph_tag, VP3_CFG_PIRQ_REG); shift = vp3_cfg_trigger_shift[i]; - /* XXX we only upgrade the trigger here */ if (trigger == IST_LEVEL) reg &= ~(VP3_CFG_TRIGGER_MASK << shift); + else + reg |= (VP3_CFG_TRIGGER_EDGE << shift); pci_conf_write(ph->ph_pc, ph->ph_tag, VP3_CFG_PIRQ_REG, reg); break; Tony Lambiris wrote: I forgot to ask, would it be bad practice to just add PCI_PRODUCT_VIATECH_VT82C571 to one of the cases in the switch statement? It seems like this might go a little deeper Tony Lambiris wrote: Well I thought I knew what the problem was (nope).. I found something interesting though... The motherboards that don't setup UDMA properly uses a "VIA VT8237 ISA" for pcib; the one's that setup UDMA properly uses a "VIA VT8235 ISA". I added some debugging in pciide.c in function apollo_chip_map on the switch statement, and the pcib_id it's switching on is 0x0571, which in pcidevs is "VT82C571 IDE". Does that mean somewhere the VT8237 chipset isn't being setup correctly or something? I'm a little confused at this juncture, any light that can be shed would be greatly appriciated. Thanks. Tony Lambiris wrote: I (think I) found the problem... I will be posting a patch shortly if I confirm my suspicions. Thanks. Tony Lambiris wrote: We have some motherboards with (what we think) are the same chips and revisions with the same hard drives, but some drives are being detected as DMA and others as ATA133. 
Here is an example: pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 pciide0 at pci0 dev 15 function 0 "VIA VT82C571 IDE" rev 0x06: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: wd0(pciide0:0:0): using PIO mode 4, DMA mode 2 As you can see it's the same IDE chipset, same revision, same drives.. the only thing I can think of is it's an IDE ribbon issue, but the ribbons we used (which were mixed from the cases and the motherboard boxes), were brand new. Any suggestions? TIA. -- Tony Lambiris [ [EMAIL PROTECTED] ] "so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
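Review bot: in the new else branch the trigger field is OR-ed with VP3_CFG_TRIGGER_EDGE << shift without first clearing VP3_CFG_TRIGGER_MASK << shift, whereas the IST_LEVEL branch clears the whole mask. If the field is wider than the edge value, bits left over from the previous register contents survive the write; clearing the mask unconditionally and then OR-ing in the wanted value would keep both paths symmetric. The bare else also treats every trigger value other than IST_LEVEL as edge, so an explicit test for the edge case would be safer. Since the removed XXX comment recorded that the code only ever upgraded the trigger, a one-line comment saying that both directions are now programmed would help the next reader.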
Re: pciide: DMA vs. ATA133
I forgot to ask, would it be bad practice to just add PCI_PRODUCT_VIATECH_VT82C571 to one of the cases in the switch statement? It seems like this might go a little deeper

Tony Lambiris wrote:
Well I thought I knew what the problem was (nope).. I found something interesting though... The motherboards that don't set up UDMA properly use a "VIA VT8237 ISA" for pcib; the ones that set up UDMA properly use a "VIA VT8235 ISA". I added some debugging in pciide.c in function apollo_chip_map on the switch statement, and the pcib_id it's switching on is 0x0571, which in pcidevs is "VT82C571 IDE". Does that mean somewhere the VT8237 chipset isn't being set up correctly or something? I'm a little confused at this juncture, any light that can be shed would be greatly appreciated. Thanks.

Tony Lambiris wrote:
I (think I) found the problem... I will be posting a patch shortly if I confirm my suspicions. Thanks.

Tony Lambiris wrote:
We have some motherboards with (what we think) are the same chips and revisions with the same hard drives, but some drives are being detected as DMA and others as ATA133. Here is an example:

pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5

pciide0 at pci0 dev 15 function 0 "VIA VT82C571 IDE" rev 0x06: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2

As you can see it's the same IDE chipset, same revision, same drives.. the only thing I can think of is it's an IDE ribbon issue, but the ribbons we used (which were mixed from the cases and the motherboard boxes), were brand new. Any suggestions? TIA.
-- Tony Lambiris [ [EMAIL PROTECTED] ] "so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
Re: pciide: DMA vs. ATA133
Well I thought I knew what the problem was (nope).. I found something interesting though... The motherboards that don't set up UDMA properly use a "VIA VT8237 ISA" for pcib; the ones that set up UDMA properly use a "VIA VT8235 ISA". I added some debugging in pciide.c in function apollo_chip_map on the switch statement, and the pcib_id it's switching on is 0x0571, which in pcidevs is "VT82C571 IDE". Does that mean somewhere the VT8237 chipset isn't being set up correctly or something? I'm a little confused at this juncture, any light that can be shed would be greatly appreciated. Thanks.

Tony Lambiris wrote:
I (think I) found the problem... I will be posting a patch shortly if I confirm my suspicions. Thanks.

Tony Lambiris wrote:
We have some motherboards with (what we think) are the same chips and revisions with the same hard drives, but some drives are being detected as DMA and others as ATA133. Here is an example:

pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5

pciide0 at pci0 dev 15 function 0 "VIA VT82C571 IDE" rev 0x06: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2

As you can see it's the same IDE chipset, same revision, same drives.. the only thing I can think of is it's an IDE ribbon issue, but the ribbons we used (which were mixed from the cases and the motherboard boxes), were brand new. Any suggestions? TIA.

-- Tony Lambiris [ [EMAIL PROTECTED] ] "so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
Re: pciide: DMA vs. ATA133
I (think I) found the problem... I will be posting a patch shortly if I confirm my suspicions. Thanks.

Tony Lambiris wrote:
We have some motherboards with (what we think) are the same chips and revisions with the same hard drives, but some drives are being detected as DMA and others as ATA133. Here is an example:

pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5

pciide0 at pci0 dev 15 function 0 "VIA VT82C571 IDE" rev 0x06: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2

As you can see it's the same IDE chipset, same revision, same drives.. the only thing I can think of is it's an IDE ribbon issue, but the ribbons we used (which were mixed from the cases and the motherboard boxes), were brand new. Any suggestions? TIA.

-- Tony Lambiris [ [EMAIL PROTECTED] ] "so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
pciide: DMA vs. ATA133
We have some motherboards with (what we think) are the same chips and revisions with the same hard drives, but some drives are being detected as DMA and others as ATA133. Here is an example:

pciide0 at pci0 dev 17 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5

pciide0 at pci0 dev 15 function 0 "VIA VT82C571 IDE" rev 0x06: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2

As you can see it's the same IDE chipset, same revision, same drives.. the only thing I can think of is it's an IDE ribbon issue, but the ribbons we used (which were mixed from the cases and the motherboard boxes), were brand new. Any suggestions? TIA.

-- Tony Lambiris [ [EMAIL PROTECTED] ] "so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
Re: bgpctl
On 06/09/05, Karl Austin <[EMAIL PROTECTED]> wrote:
> tony sarendal wrote:
>
> >I've started to test bgpd to see if I can use it for a future project.
> >Are there any plans to make bgpctl show communities, originator-id and
> >cluster-list ?
> >
> >Any plans of adding route-refresh to bgpctl ? Something like "bgpctl
> >nei clear (in|out)" ?
> >
> >Although I miss a few features it is really nice to use, it is
> >starting to give me the same feeling as pf. I got a 10 router bgp-only
> >test network up and running in just a few hours, most of the time was
> >spent installing the boxes.
> >
> >/Tony S
> >
>
> You've read my mind, that was going to be my next question if my issue
> about having multiple communities per route was addressed (I tried
> -current and it doesn't work). Soft reset, and more route information
> from bgpctl are sorely needed.
>

I also ran into the problem with multiple communities but I haven't had time to look closer at it. Have you seen any changes in bgpd since you tried -current ? I was going to give it a go tonight if I manage to stay awake.

/Tony

-- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
bgpctl
I've started to test bgpd to see if I can use it for a future project. Are there any plans to make bgpctl show communities, originator-id and cluster-list ?

Any plans of adding route-refresh to bgpctl ? Something like "bgpctl nei clear (in|out)" ?

Although I miss a few features it is really nice to use, it is starting to give me the same feeling as pf. I got a 10 router bgp-only test network up and running in just a few hours, most of the time was spent installing the boxes.

/Tony S

-- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: [OT]: good home switch?
I use OpenBSD boxes with a few 4xFE on two sites as switches/routers =) I am happier with them than the cheapo switches I replaced. -- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: sysctl tuning for maximum network performance
> if you want help, your post should start "we have this router and i expect
> it to be going that fast, but it only goes this fast." if your router is
> already "fast enough", it can't get any faster. there's only a finite
> number of clients, porn, and pipe to connect them.
>

I believe recent studies in internet/universe behaviour shows that there is an infinite amount of porn, you just have to tweak net.inet.somaxporn correctly.

/Tony
Re: cheap mini-pci ral(4) cards
On 31/08/05, Ben Hooper <[EMAIL PROTECTED]> wrote:
> |The MSI MP54G4 (aka MSI MS-6833) seems to be readily available in
> |the US now. I just picked one up from www.thenerds.net but a cheaper
> |price can be found at newegg.com. It seems to work fine in my Sony
> |SRX77.
> |
> |The trick is to search for both the model name (MP54G4) and the
> |part number (MS-6833) since some stores list the card one way and
> |some the other.
>
> Just be careful which model you pick up. MSI, like many vendors has a habit
> of changing chipsets. For instance, the CB54G2 is a RT2500, but the CB54G is
> Broadcom.
>

Is there any vendor that doesn't do that ?

-- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
i386 branch on amd64
I know this will run fine, but will the dual-core and such be detected and set up correctly, or is this an amd64 specific thing? TIA. -- Tony Lambiris [ [EMAIL PROTECTED] ] "so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
Re: DELL Latitude D400 without X
I actually hacked an existing util for NetBSD to run flawlessly on OpenBSD (I have a Dell inspiron 700m). You can get it here: http://lysergik.com/~tony/openbsd.phtml

Baldur Sigurpsson wrote:
hi use this thing: http://damien.bergamini.free.fr/i855vidctl/ just remember to put the command in /etc/rc.securelevel because on openbsd you cannot access some devices you need to, in contrast to linux. works on my dell inspiron 500m with the 855GM crap:) Regards, Baldur

Uwe Dippel wrote:
... a continuation of around a year ago ('Warning: Possible Bug in BIOS DELL Latitude D400_A06 !') It is still valid for 3.7. In the meantime, the problem has turned out to be really a problem of crappy DELL BIOSes; now at A08 it still does the same: Any activation of X freezes the machine completely with a yellowish screen. 855wrap on http://www.chzsoft.com.ar/855patch.html solves this. On Linux. There you compile a binary and run it before starting X. On any machine. Now I tried to do the same on OpenBSD with the expected result:'Abort trap'. Not quite so expected was, that the source didn't want to compile on OpenBSD 3.7: make: don't know how to make %.c. Stop in .. I bet quite a few newer DELL notebooks are affected; and I appreciate any suggestion how to make it work on OpenBSD. I read the archives here and googled. No result. Uwe

-- Tony Lambiris [ [EMAIL PROTECTED] ] "so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
Re: i386 binaries on amd64
In reading some mailing lists, I noticed some people pass in the -m32 flag when compiling to compile 32bit instead of 64bit... I added the flag to the Makefile and everything compiles except when I try to link all the objects into an executable, I get these errors:

/usr/bin/ld: warning: i386 architecture of input file `some.o' is incompatible with i386:x86-64 output

Is compiling this way possible at all?

Ted Unangst wrote:
On Mon, 29 Aug 2005, Stuart Henderson wrote:
--On 29 August 2005 16:34 -0500, Tony Lambiris wrote:
Is there a way to compile something on i386 OpenBSD box to run on amd64? or is there a sysctl option I am missing?
Cross-compiling between architectures is not supported, see list archives for reasons why.
that's not the question he was asking, but the answer is no anyway.

-- Tony Lambiris [ [EMAIL PROTECTED] ] "so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
i386 binaries on amd64
Is there a way to compile something on i386 OpenBSD box to run on amd64? or is there a sysctl option I am missing? Thanks. -- Tony Lambiris [ [EMAIL PROTECTED] ] "so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
Re: Shouldn't OpenBSD X11 come out with "-nolisten tcp" as default?
Security is not having to say "how high?" when someone says jump!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Miroslav Kubik
Sent: Monday, August 29, 2005 4:54 AM
To: misc@openbsd.org
Subject: Re: Shouldn't OpenBSD X11 come out with "-nolisten tcp" as default?

In my opinion, it is better to have it disabled as default. Nothing is without bugs. So if we want most secure OS we should disable this function. If you need it. Enable it. MK

- Original Message -
From: "Han Boetes" <[EMAIL PROTECTED]>
To:
Sent: Monday, August 29, 2005 11:32 AM
Subject: Re: Shouldn't OpenBSD X11 come out with "-nolisten tcp" as default?

Vladislav Belogrudov wrote:
> I thought it would make sense for most secure OS.
> One port less listening the World.

It's not a security problem to have an open port. It's a security problem to have a bad server listening to an open port. And since nobody knows about a problem with the X server, not even the people who have very deep knowledge about X and about security you can safely assume it's OK to have that port open by default. Now if you don't trust any of all those experts and you want to close that port for your own machine that's fine, but don't ask the experts to trust on your intuition while they are providing the OS in the first place.

# Han
Re: 3.8 beta requests
Thanks for not taking the easy route. Changes are always painful, but if they deliver then it's worth it.
vge0 on Abit Av8 (amd64)
64 DRAM Cfg" rev 0x00 pchb9 at pci0 dev 24 function 3 "AMD AMD64 Misc Cfg" rev 0x00 isa0 at mainbus0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo com0: console pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard pcppi0 at isa0 port 0x61 spkr0 at pcppi0 sysbeep0 at pcppi0 dkcsum: wd0 matches BIOS drive 0x80 root on wd0a rootdev=0x0 rrootdev=0x300 rawdev=0x302 -- Tony Lambiris [ [EMAIL PROTECTED] ] "so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
Re: Automatic failover of VPN connection when the primary internet connection fails
On 12/08/05, Stoyan Genov <[EMAIL PROTECTED]> wrote:
> Good day,
>
> Short version:
>
> Any hints/ideas on setting up a fail-over of an isakmpd-maintained VPN
> connection through a secondary internet line when the primary internet
> line fails, where an autonomous system of IP addresses is not an option?
> Hardware on both sides is i386, OS is obsd/3.7.
>
> Long version:
>
> In my office, I have two internet connections, I1 and I2, through two
> different ISPs, ISP1 and ISP2; I1 and I2 use different IP ranges; AS and
> routers are out of the question, unfortunately, as is the possibility of
> routing ISP1's IP range through I2 and vice-versa.
>
> I have two firewall/gateway machines, F1 and F2; each of them has one
> interface "attached" to one internet connection, one interface to the
> other internet connection, and a third interface for the local network.
> F1 and F2 run obsd3.7/i386.
>
> Default route for F1 is I1; default route for F2 is I2 (this is the
> current setup, and it is subject to change if needed; the idea is to
> allow people in the LAN manually change their LAN gateway to go
> through I2 if something goes wrong with F1 or I1)
>
> I have a "remote" LAN, let's call it RL, and a VPN connection between
> F1 and RL via I1; it's a "routed" connection, not a "bridged" one,
> if that matters (that is, the local and the remote LANs are different
> IP networks, and no broadcasts are exchanged). The gateway there also
> runs obsd3.7/i386, and I have full control over it.
>
> I want to be able to automatically re-build the VPN connection via I2
> if I1 goes down, using isakmpd if possible (would "fall back" to
> openvpn, if I can't do it with isakmpd). I would also like to keep the
> ability of people to manually choose their way to the internet through
> I2, but if not possible, I am ready to introduce a third firewall with a
> default route of I2 just doing NAT for this purpose.
>
> Any ideas and hints will be appreciated.
>

Use dynamic routing. Set ipip (gif) tunnels between your firewalls, encrypt them with isakmpd, run bgpd so your firewalls (routers) learn where the networks are. Should one path go down, the bgp session will go down and your network will re-route.

/Tony

-- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
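The failover behaviour described in the reply above, as an added sketch that is not part of the original post and is not bgpd code: a small model of two BGP sessions, one per tunnel, showing that the site only moves to the second tunnel once the first session's hold timer expires. The session names, prefix, local-preference values and timer values are assumptions chosen for illustration, and session re-establishment is simplified to the first keepalive after the link returns.

```python
"""Toy model of BGP-driven tunnel failover (constructed example)."""
from dataclasses import dataclass

HOLD_TIME = 90    # assumed: seconds without a keepalive before the session drops
KEEPALIVE = 30    # assumed: keepalive interval, one third of the hold time
REMOTE_LAN = "192.168.20.0/24"   # assumed prefix of the remote LAN (RL)


@dataclass
class Session:
    """One BGP session running over one encrypted tunnel."""
    name: str              # hypothetical label: tunnel interface and uplink
    local_pref: int        # higher value is preferred
    advertised: frozenset  # prefixes the peer announces over this session
    link_up: bool = True   # can keepalives cross the tunnel right now?
    established: bool = True
    last_heard: int = 0    # time the last keepalive arrived

    def tick(self, now: int) -> None:
        """Advance the session state to second `now`."""
        if self.link_up and now % KEEPALIVE == 0:
            # A keepalive got through: refresh the timer, (re)establish.
            self.last_heard = now
            self.established = True
        elif self.established and now - self.last_heard >= HOLD_TIME:
            # Hold timer expired: the session drops and its routes go away.
            self.established = False


def best_path(sessions, prefix):
    """Name of the established session with the highest local-pref, or None."""
    usable = [s for s in sessions if s.established and prefix in s.advertised]
    if not usable:
        return None
    return max(usable, key=lambda s: s.local_pref).name


def simulate(events, duration, prefix=REMOTE_LAN):
    """Run the model for `duration` seconds.

    events: list of (time, session_name, link_up) link-state changes.
    Returns [(time, best_path_name)] with one entry per best-path change.
    """
    sessions = {
        "gif0 via I1": Session("gif0 via I1", 200, frozenset({prefix})),
        "gif1 via I2": Session("gif1 via I2", 100, frozenset({prefix})),
    }
    timeline = []
    for now in range(duration + 1):
        for when, name, up in events:
            if when == now:
                sessions[name].link_up = up
        for session in sessions.values():
            session.tick(now)
        best = best_path(sessions.values(), prefix)
        if not timeline or timeline[-1][1] != best:
            timeline.append((now, best))
    return timeline


def failover_delay(timeline, failed_at):
    """Seconds between a link failure and the next best-path change."""
    for when, _ in timeline:
        if when >= failed_at:
            return when - failed_at
    return None


if __name__ == "__main__":
    # Constructed scenario: I1 fails at t=100 s and comes back at t=400 s.
    outage = [(100, "gif0 via I1", False), (400, "gif0 via I1", True)]
    result = simulate(outage, 600)
    for when, path in result:
        print(f"t={when:>3}s  traffic to {REMOTE_LAN} uses: {path}")
    print("failover delay:", failover_delay(result, 100), "seconds")
```

In this model traffic for the remote LAN keeps following the dead tunnel until the hold timer runs out, so the hold time is the setting that bounds how long an outage lasts.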
Re: Requesting an change in the installer
Alexey E. Suslikov wrote:
Nick Holland wrote:
> PERSONALLY, I prefer to call the single processor kernel "bsd.sp",
bsd.sp is not correct if you are crazy about correct terminology :) bsd.up ("uniprocessor") is correct one. Alexey.

Maybe it's just me, but every time I see up I see down as its implicit alternate.
Re: x86 rings?
Rings and segments are pretty much orthogonal concepts. C is hardly unique in not supporting segmentation. The only languages I am aware of that even come close are Burroughs Algol and PL/I (and as always Basic Assembly). (Lisp?) But overriding is the fact that x86 supporting segments does not imply that all the other supported architectures also support.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Feustel
Sent: Thursday, August 04, 2005 6:17 PM
To: [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: x86 rings?

On Thursday 04 August 2005 04:47 pm, [EMAIL PROTECTED] wrote:
> Unless I am very much mistaken, this is Unix not Multics.
> To do anything with the rings, you must make userland
> into a three-ring circus.

That is precisely the point. The C programming language and Unix are incompatible with the x86 segmentation model, including rings, although amazing accommodations were made within C for 286 segments by Intel and Microsoft, et al. before 386 flat addressing took hold. While x86 rings and segments were neat and useful, if extremely awkward to use within C, they are rapidly disappearing into the dustbin of history.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Dave Feustel
> Sent: Thursday, August 04, 2005 4:05 PM
> To: Theo de Raadt
> Cc: [EMAIL PROTECTED]; misc@openbsd.org
> Subject: Re: x86 rings?
>
>
> Ed,
>
> Ever read anything about MIT's Multics and the GE 645?
Re: x86 rings?
Unless I am very much mistaken, this is Unix not Multics. To do anything with the rings, you must make userland into a three-ring circus. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dave Feustel Sent: Thursday, August 04, 2005 4:05 PM To: Theo de Raadt Cc: [EMAIL PROTECTED]; misc@openbsd.org Subject: Re: x86 rings? Ed, Ever read anything about MIT's Multics and the GE 645?
Re: network adapter order
Rod.. Whitworth wrote:
[snip]
>We chose to use 0 for outside 1 for internal and 2 for server. I cannot fool anybody into thinking that 2 looks like S, dammit!
>From the land "down under": Australia. Do we look from up over?

[snicker] try a mirror. But seriously folks, that looks like THE definitive rule. If there is just one interface, that one is to the outside.
Re: no sound on Dell4550 (soundblaster live, emu)
>My solution was: unplug that shit and buy a cheap and supported (REAL) >compatible sb. Doh ! Screwed over again. Good answer though, time to hit the shop. Thanks. -- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: no sound on Dell4550 (soundblaster live, emu)
emu0 at pci2 dev 0 function 0 "Creative Labs SoundBlaster Live" rev 0x00: irq 10 ac97: codec id 0x83847608 (SigmaTel STAC9708/11) ac97: codec features 18 bit DAC, 18 bit ADC, SigmaTel 3D audio0 at emu0 I can't get any sign of life at all from this one. Even cat'ing a file to /dev/audio0 gives me nothing. rev 0x00, is that really correct ? Any ideas on how to get to the bottom of this is appreciated.
Re: no sound on Dell4550 (soundblaster live, emu)
On 28/07/05, Chris Kuethe <[EMAIL PROTECTED]> wrote:
> try using mixerctl to turn off all the mutes, turn up all the volumes,
> and then test with something simple like mpg123 and one of the release
> songs...
>

Good suggestions, but no luck so far.

# mixerctl -a
outputs.master=255,255
outputs.master.mute=off
outputs.mono=255
outputs.mono.mute=off
outputs.mono.source=mixerout
outputs.headphones=255,255
outputs.headphones.mute=off
outputs.bass=255
outputs.treble=255
inputs.speaker=255
inputs.speaker.mute=off
inputs.phone=191
inputs.phone.mute=off
inputs.mic=191
inputs.mic.mute=off
inputs.mic.preamp=off
inputs.mic.source=mic0
inputs.line=191,191
inputs.line.mute=off
inputs.cd=191,191
inputs.cd.mute=off
inputs.video=191,191
inputs.video.mute=off
inputs.aux=191,191
inputs.aux.mute=off
inputs.dac=191,191
inputs.dac.mute=off
record.source=mic
record.volume=255,255
record.volume.mute=off
record.mic=0
record.mic.mute=off
outputs.loudness=off
outputs.spatial=off
outputs.spatial.center=0
outputs.spatial.depth=0
outputs.surround=255,255
outputs.surround.mute=off
outputs.center=255
outputs.center.mute=off
outputs.lfe=255
outputs.lfe.mute=off

# mpg123 -vv testfile.mp3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2 and 3.
Version 0.59r (1999/Jun/15). Written and copyrights by Michael Hipp.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
Audio device type: SB Live!
Audio capabilities:
| s16 | u16 | u8 | s8 | ulaw | alaw |
8000 | M/S | | M/S | | | |
11025 | M/S | | M/S | | | |
12000 | M/S | | M/S | | | |
16000 | M/S | | M/S | | | |
22050 | M/S | | M/S | | | |
24000 | M/S | | M/S | | | |
32000 | M/S | | M/S | | | |
44100 | M/S | | M/S | | | |
48000 | M/S | | M/S | | | |
Title : Track 3 Artist:
Album : Untitled - 08-01-00 Year : 2000
Comment: Made with RealJukebox (tm) Genre : Other
Playing MPEG stream from testfile.mp3 ...
Junk at the beginning 49443303 MPEG 1.0, Layer: III, Freq: 44100, mode: Joint-Stereo, modext: 2, BPF : 417 Channels: 2, copyright: Yes, original: Yes, CRC: No, emphasis: 0. Bitrate: 128 Kbits/s, Extension value: 0 Audio device type: SB Live! Audio device type: SB Live! Audio: 1:1 conversion, rate: 44100, encoding: signed 16 bit, channels: 2 and no more after that.
no sound on Dell4550 (soundblaster live, emu)
Good morning,

I have a Dell4550 on which I can't get sound to work. Both 3.7 and -current give me the same result, everything looks ok on boot.

# vlc
VLC media player 0.8.1 Janus
[0211] mpeg_audio decoder: MPGA channels:2 samplerate:44100 bitrate:192
SDL: Audio timeout - buggy audio driver? (disabled)
audio: Bad file descriptor

Any ideas are welcome. I intended to leave the box at my parents' house since we currently live in different countries and supporting old windows boxes is no fun.

/Tony

# dmesg OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Pentium(R) 4 CPU 2.53GHz ("GenuineIntel" 686-class) 2.53 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID real mem = 535887872 (523328K) avail mem = 482185216 (470884K) using 4278 buffers containing 26898432 bytes (26268K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(00) BIOS, date 11/12/02, BIOS32 rev.
0 @ 0xffe90 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown pcibios0 at bios0: rev 2.1 @ 0xf/0x1 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfeae0/160 (8 entries) pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82801BA LPC" rev 0x00) pcibios0: PCI bus #2 is the last bus bios0: ROM list: 0xc/0xf800 0xcf800/0x800 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 "Intel 82845G/GL" rev 0x01 ppb0 at pci0 dev 1 function 0 "Intel 82845G/GL/GV/GE/PE AGP" rev 0x01 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 "Nvidia GeForce4 MX 420" rev 0xa3 wsdisplay0 at vga1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" rev 0x01: irq 11 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" rev 0x01: irq 11 usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x01: irq 9 usb2 at uhci2: USB revision 1.0 uhub2 at usb2 uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub2: 2 ports with 2 removable, self powered ehci0 at pci0 dev 29 function 7 "Intel 82801DB USB" rev 0x01: irq 3 ehci0: EHCI version 1.0 ehci0: companion controllers, 2 ports each: uhci0 uhci1 uhci2 usb3 at ehci0: USB revision 2.0 uhub3 at usb3 uhub3: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1 uhub3: single transaction translator uhub3: 6 ports with 6 removable, self powered ppb1 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x81 pci2 at ppb1 bus 2 emu0 at pci2 dev 0 function 0 "Creative Labs SoundBlaster Live" rev 0x00: irq 10 ac97: codec id 0x83847608 (SigmaTel STAC9708/11) ac97: codec features 18 bit DAC, 18 bit ADC, 
SigmaTel 3D audio0 at emu0 "Creative Labs PCI Gameport Joystick" rev 0x00 at pci2 dev 0 function 1 not configured "Texas Instruments TSB12LV26 FireWire" rev 0x00 at pci2 dev 1 function 0 not configured fxp0 at pci2 dev 8 function 0 "Intel PRO/100 VE" rev 0x81: irq 11, address 00:07:e9:d2:84:de inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0 ichpcib0 at pci0 dev 31 function 0 "Intel 82801DB LPC" rev 0x01 pciide0 at pci0 dev 31 function 1 "Intel 82801DB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide0 channel 0 drive 0: wd0: 16-sector PIO, LBA, 28610MB, 58593750 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable atapiscsi1 at pciide0 channel 1 drive 1 scsibus1 at atapiscsi1: 2 targets cd1 at scsibus1 targ 0 lun 0: SCSI0 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 cd1(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2 "Intel 82801DB SMBus" rev 0x01 at pci0 dev 31 function 3 not configured isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0 pmsi0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pmsi0 mux 0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: sysbeep0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 npx0 at isa0 port 0xf0/16: using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 h
Re: Writes to samba server very, very slow
This *may* help.

man mount

softdep (FFS only.) Mount the file system using soft dependencies. Instead of metadata being written immediately, it is written in an ordered fashion to keep the on-disk state of the file system consistent. This results in significant speedups for file create/delete operations. This option will be ignored when using the -u flag and a file system is already mounted read/write. It requires option FFS_SOFTUPDATES to be enabled in the running kernel.

There is a tradeoff between speed and safety. A rather large tradeoff I suspect ;) With any disk system, there is the question of what happens when the power fails. What is the speed when you copy the 48MB file locally?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gary Clemans-Gibbon
Sent: Tuesday, July 19, 2005 3:45 AM
To: [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: Writes to samba server very, very slow

Thanks for your reply Tim. If anything it makes me feel worse. I was hoping it was something easily fixed. I just tried transferring a 50 Mb file to the OBSD samba box from win using SCP. Again very slow writes but much faster reads. The 50 Mb file took about 7 mins to transfer to the OBSD box and about 30 seconds to read from the OBSD box. Perhaps this isn't a samba smb issue at all. My fstab...

# cat /etc/fstab
/dev/wd0a / ffs rw 1 1
/dev/wd1a /data1 ffs rw 1 2
/dev/wd2a /data2 ffs rw 1 2

same result with either data disk. I've been googling all evening and found many many forum posts with similar problems but no solutions. Some posts date back to 2002! If I have to go back to RH7.3 I'll be bummed. Especially as I spent ages setting up all my family's accounts and softlinks for the data store. Waste of a day!
Tim Hammerquist wrote: > Gary Clemans-Gibbon wrote: > >>David Gwynne wrote: >> >>>Gary Clemans-Gibbon wrote: >>> Everything is working fine except that when I copy files to the box from a Windows XP box the transfers are very slow, like 9 minutes for a 48 Mb file. Copying the same file back to the win box is quick - a couple of seconds as you'd expect. >>> >>>I would suggest looking at the socket options parameter in >>>/etc/samba/ smb.conf. I have the following in my smb.conf and >>>transfer speeds seem to perform a lot better now: >>> >>>socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 >> >>I just tried that line but it seems to be the same or if anything it >>seems even slower. > > > Gary, > > I've seen this same phenomenon when copying to from my OSX Powerbook and > my fileserver (running both FreeBSD 5 and Gentoo Linux), with the OSX > acting as samba client. > > The transfer speeds are not "slightly" slower, they are slower by orders > of magnitude, with normally 20sec transfers taking 10-20 minutes. > I watch the progress meter slowly incrementing at the rate of 32-64k/sec > over a 100bTX link. Does this sound like your issue? > > In my setup, I had limited success merely unmounting and remounting the > share; that worked maybe 50% of the time. Also, the rate seemed to be > normal more often if I had a simultaneous ssh connection between the > same two machines, even if the ssh connection were idle. I was not able > to find any consistently effective solution. > > After googling many times over several months, finding nothing more than > the same advice you got about TCP_NODELAY and the SO_*BUF settings > (which did not affect performance in my case either), I finally gave up, > switching to NFS and/or scp. > > For what it's worth, I haven't noticed this since I upgraded my > powerbook to OSX 10.4, so it might have something to do with the client > OS, network stack, or Samba version. > > I apologize for not having anything solid to recommend. 
But I wanted to > let you know that this *has* happened to others; you're not imagining > it. > > Tim Hammerquist > > > .
Re: interrupt comparison
It would be nice to see a comparison between em and sk. -- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: Toshiba laptop 3.7 installation problem
>From a Toshiba Satellite, maybe not too dissimilar: I assume the Q of "pckbc0 ISA Q Port 0x60/5" is a typo Seems to be a pckbc0 and a pckbd0 Beyond that I'm out of my depth. (way out;) Loading... probing: pc0 mem[639K 478M a20=on] disk: fd0 hd0+ >> OpenBSD/i386 BOOT 2.06 boot> booting hd0a:/bsd: 4686240+945680 [52+241338+223324]=0x5d0864 entry point at 0x100120 [snip] isa0 at isa0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pms0 mux 0 [snip] -dmesg OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Pentium(R) 4 CPU 2.66GHz ("GenuineIntel" 686-class) 2.66 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,AC PI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID real mem = 502833152 (491048K) avail mem = 451952640 (441360K) using 4278 buffers containing 25243648 bytes (24652K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(63) BIOS, date 05/19/03, BIOS32 rev. 0 @ 0xf98d6 pcibios0 at bios0: rev 2.1 @ 0xf/0x1 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf01c0/160 (8 entries) pcibios0: PCI Interrupt Router at 000:07:0 ("Acer Labs M1533 ISA" rev 0x00) pcibios0: PCI bus #2 is the last bus bios0: ROM list: 0xc/0xc000 0xe/0x1! 
cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 vendor "Acer Labs", unknown product 0x1672 rev 0x00 ppb0 at pci0 dev 1 function 0 "Acer Labs M5247 AGP/PCI-PCI" rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 "Trident CyberBlade XP/Ai1" rev 0x82 wsdisplay0 at vga1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) pciide0 at pci0 dev 4 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc4: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility wd0 at pciide0 channel 0 drive 0: wd0: 16-sector PIO, LBA48, 57231MB, 117210240 sectors wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5 atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2 autri0 at pci0 dev 6 function 0 "Acer Labs M5451 Audio" rev 0x02: irq 11 ac97: codec id 0x41445374 (Analog Devices AD1981B) ac97: codec features headphone, 20 bit DAC, No 3D Stereo audio0 at autri0 midi0 at autri0: <4DWAVE MIDI UART> pcib0 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00 "Acer Labs M7101 Power Mgmt" rev 0x00 at pci0 dev 8 function 0 not configured vendor "Acer Labs", unknown product 0x5457 (class communications subclass modem, rev 0x00) at pci0 dev 9 function 0 not configured rl0 at pci0 dev 10 function 0 "Realtek 8139" rev 0x10: irq 11 address 00:08:0d:6d:7f:cb rlphy0 at rl0 phy 0: RTL internal phy ohci0 at pci0 dev 12 function 0 "NEC USB" rev 0x43: irq 11, version 1.0 usb0 at ohci0: USB revision 1.0 uhub0 at usb0 uhub0: NEC OHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub0: 3 ports with 3 removable, self powered ohci1 at pci0 dev 12 function 1 "NEC USB" rev 0x43: irq 11, version 1.0 usb1 at ohci1: USB revision 1.0 uhub1 at usb1 uhub1: NEC OHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered ehci0 at pci0 dev 12 function 2 "NEC USB" 
rev 0x04: irq 11 ehci0: EHCI version 1.0 ehci0: companion controllers, 3 ports each: ohci0 ohci1 usb2 at ehci0: USB revision 2.0 uhub2 at usb2 uhub2: NEC EHCI root hub, class 9/0, rev 2.00/1.00, addr 1 uhub2: single transaction translator uhub2: 5 ports with 5 removable, self powered ath0 at pci0 dev 16 function 0 "Atheros AR5212" rev 0x01: irq 11 ath0: mac 80.6 phy 4.1 radio 1.7 2.3, 802.11a/b/g, WOR4W, address 00:90:96:72:6c:12 gpio at ath0 not configured cbb0 at pci0 dev 17 function 0 "Toshiba ToPIC100 CardBus" rev 0x33: irq 11 "Toshiba SD Controller" rev 0x05 at pci0 dev 18 function 0 not configured isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0 pms0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pms0 mux 0 pcppi0 at isa0 port 0x61 midi1 at pcppi0: sysbeep0 at pcppi0 npx0 at isa0 port 0xf0/16: using exception 16 cardslot0 at cbb0 slot 0 flags 0 cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0x0 pcmcia0 at cardslot0 biomask effd netmask effd ttymask pctr: user-level cycle counter enabled dkcsum: wd0 matched BIOS disk 80 root on wd0a rootdev=0x0 rrootdev=0x300 rawdev=0x302 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Z L Sent: Friday, July 08, 2005 9:29 PM To: Nick Holland Cc: misc Subject: Re: Toshiba laptop 3.7 installation problem On 7/8/05, Nick Holland <[EMAIL PROTECTED]> wrote: > Z L wrote: > > I been trying to install Op
Re: OpenBSD with Linksys WRT54G
The Linksys WRT54g has a 4-port switch, an RJ45 jack labeled "Internet", and an access point which can speak 11Mbps and/or 54Mbps. What I do on our local lan is essentially to use it/them as a bridge. Turn off the Linksys DHCPD, set the internal IP address, set a password, set whatever parameters desired for wireless access, and not use the port labeled "Internet". To effectively show under ifconfig, I think you need a third NIC, and precisely one cable from the OpenBSD box to the Linksys. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alari Kask Sent: Sunday, July 03, 2005 4:16 PM To: misc@openbsd.org Subject: OpenBSD with Linksys WRT54G Hello, my home network consists of 6 machines, one of them runs openbsd, which i used for dhcp, nat, pf, php, mysql, etc. Now i bought a Linksys WRT54g wifi router, at the moment i use the router's configuration utility, which is accessible over the web, i'm not familiar with it and it doesn't feel comfortable for me, i'd still like to use openbsd for serving my home network and use the router for 100Mb LAN and for WiFi, my question is - is it possible to just use the router as an access point and set the firewall rules, dhcpd on my openbsd box, so the router would just show up as an interface under ifconfig ?
Re: boot failure: If i could drop dead right now ...
Just guessing, but it looks like you are at the very fringe of what BIOS can and cannot access. Insignificant differences have large consequences, just like a few inches near the edge of a cliff. If so, any recompile of the kernel would be unbootable. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Gustavo Rios Sent: Thursday, June 30, 2005 6:47 PM To: [EMAIL PROTECTED]; misc Subject: Re: boot failure: If i could drop dead right now ... Hey everybody. I would like to let you know i have "fixed" it. Now i have the disklabel layout i want. I managed to get it working because instead of using 512/4K fragment/block size (using disklabel into expert mode) i tried with 1K/8K for the a partition. Now it works. Although i have no ideia how block size could influence that. Would someone mind commenting it, i.e., why i could not use 512/4K for frag/blk size? thanks. PS: Good work for 3.7, just now i have it installed in my box. On 6/30/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > You'll probably get some better answers from the list, but this may give > you an idea of what is going on. > In olden days BIOS would only be able to handle disk within the first > 1024 cylinders. (That's why you see stuff like 63 sectors/track and 255 > or so heads) Later BIOSes have upped the limit somewhat. > Until enough of the OS gets itself loaded, the bootstrap is dependent on > BIOS functions. Afterwards, the BIOS limitations are irrelevant. > > If I'm doing strange things with disks, I try to put a bunch of small > (DOS partitions) at the front end of the disk, Normally a 2G DOS formatted > C: drive, followed by (or after a few other small partitions) > > If you are brave and daring, (and dead accurate with a calculator) > there are some stunts that can be done with partitions. 
> > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of > Gustavo Rios > Sent: Thursday, June 30, 2005 4:03 PM > To: misc@openbsd.org > Subject: boot failure: If i could drop dead right now ... > > > ... i would be the happiest man in the world! > > I am going crazy. It simply does not boot directly from the partition > when i spare too many of them. > > If someone could, please guys, help me i would send you some bears. > > With the following set up everything works ok: > > fdisk: > > Disk: wd0 geometry: 9726/255/63 [156248190 Sectors] > Offset: 0 Signature: 0xAA55 > Starting Ending LBA Info: > #: idC H S -C H S [ start: size ] > > 0: 070 1 1 - 6399 254 63 [ 63: 102815937 ] HPFS/QNX/AUX > *1: A6 6400 0 1 - 9726 28 46 [ 102816000:53434000 ] OpenBSD > 2: 000 0 0 -0 0 0 [ 0: 0 ] unused > 3: 000 0 0 -0 0 0 [ 0: 0 ] unused > > disklabel: > > # /dev/rwd0c: > type: ESDI > disk: ESDI/IDE disk > label: Maxtor 6Y080M0 > flags: > bytes/sector: 512 > sectors/track: 63 > tracks/cylinder: 16 > sectors/cylinder: 1008 > cylinders: 155009 > total sectors: 15625 > rpm: 7200 > interleave: 1 > trackskew: 0 > cylinderskew: 0 > headswitch: 0 # microseconds > track-to-track seek: 0 # microseconds > drivedata: 0 > > 16 partitions: > # sizeoffset fstype [fsize bsize cpg] > a: 51819264 102816000 4.2BSD 2048 16384 328 # Cyl > 102000 -153407 > b: 1614736 154635264swap # Cyl > 153408 -155009* > c: 15625 0 unused 0 0 # Cyl >0 -155009* > i: 10281593763 unknown # Cyl > 0*-101999 > > > But this one does prevent me from booting. 
> > fdisk: > > Disk: wd0 geometry: 9726/255/63 [156248190 Sectors] > Offset: 0 Signature: 0xAA55 > Starting Ending LBA Info: > #: idC H S -C H S [ start: size ] > > 0: 070 1 1 - 6399 254 63 [ 63: 102815937 ] HPFS/QNX/AUX > *1: A6 6400 0 1 - 9726 28 46 [ 102816000:53434000 ] OpenBSD > 2: 000 0 0 -0 0 0 [ 0: 0 ] unused > 3: 000 0 0 -0 0 0 [ 0: 0 ] unused > > > disklabel: > > # /dev/rwd0c: > type: ESDI > disk: ESDI/IDE disk > label: Maxtor 6Y080M0 > flags: > bytes/sector: 512 > sectors/track: 63 > tracks/cylinder: 16 > sectors/cylinder: 1008 > cylinders: 155009 > total sectors: 15625 > rpm: 7200 > interleave: 1 > trackskew: 0 > cylinderskew: 0 > headswitch: 0 # microseconds > track-to-track seek: 0 # microseconds > drivedata: 0 > > 16 partitions: > # sizeoffset fstype [fsize bsize cpg] > a:161280 102816000 4.2BSD512 4096 21 # Cyl > 102000 -102159 > b: 1614736 154635264swap # Cyl
openbsd fdisk
is there a way to have fdisk re-initialize the disk (fdisk -i ) without being prompted to go ahead with the init? thanks.

--
Tony Lambiris [ [EMAIL PROTECTED] ]
"so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
Re: SH programming
The following seems to work.

$ year=2005
$ foo=$(expr $year - 1900 )
$ dayscount=$(expr $foo \* 365 )
$ echo $dayscount
38325

Problems include an unescaped asterisk.

man expr indicates that parentheses should work but my playing with them seems to indicate otherwise.

---Correction:

$ dayscount=$(expr \( $year - 1900 \) \* 365 )
$ echo $dayscount
38325

Parens that are destined for expr instead of the shell must also be escaped.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Otto Moerbeek
Sent: Monday, June 27, 2005 2:08 AM
To: Peter Bako
Cc: misc@openbsd.org
Subject: Re: SH programming

On Sun, 26 Jun 2005, Peter Bako wrote:

> Ok, so this is not really an OpenBSD question but I am doing this on an
> OpenBSD system and I am about to lose my mind...
>
> I have done some basic shell scripting before but I've not had to deal with
> actual integer math before and now it is killing me. The script takes a
> parameter in (year number) and is supposed to subtract 1900 from it and then
> multiply the result by 365. (This is part of a larger script that deals with
> converting dates to a single numeric value, but this one problem is an
> example of the problems I am having with this entire script.) So, this is
> what I have:
>
> #!/bin/sh
> month=$1
> day=$2
> year=$3
>
> dayscount=$(expr ($year - 1900) * 365)
> echo $dayscount
> exit
>
> This will generate a "syntax error: `$year' unexpected" error. I have tried
> all sorts of variations and I am not getting it!!! HELP!!!

When using ksh, you can do:

#!/bin/ksh
month=$1
day=$2
year=$3
dayscount=$((($year - 1900) * 365))
echo $dayscount
exit

When using sh, you'll need expr(1), for which all parts of the expression are separate arguments, and you need to escape all special shell chars:

#!/bin/sh
month=$1
day=$2
year=$3
dayscount=`expr \( $year - 1900 \) \* 365`
echo $dayscount
exit

> BTW, obviously I need a good book on SH programming. Any suggestions?

For ksh, the Korn Shell Book by David Korn and (iirc Morris Bolsky) comes to mind.

-Otto
Re: Strange df output
Filesystem  512-blocks      Used     Avail Capacity  Mounted on
/dev/wd0a       256252    180540     62900    74%    /

256252 blocks less 5% reserve. This gives 243440 blocks total available for users. less 180540 gives 62900 blocks currently available for users. 180540/243440 gives 74.162% which rounds to 74%

For a user to write to the disk, it must be less than 100% full. If root has used up all the reserve, 105% capacity is a fair value, in that the user will need to free up in excess of 5% in order to have ANY free space in which to write stuff.

For the above 256252 block partition, the percentages are based on the 243440 blocks of user-usable space rather than the total of 256252 blocks of root-usable space.

Probably much kinder on users to run out at 100% than at 95%. Of course this requires that root runs out at something over 100%.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matthew S Elmore
Sent: Saturday, June 25, 2005 11:48 PM
To: [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: Strange df output

It was my understanding that this reserved space was not accounted for when using 'df'. Hence, you can sometimes have partitions that are 105% capacity. Am I off base on this? It is very possible, it is very late. ;)

From the FAQ sec 14.14:

People are sometimes surprised to find they have negative available disk space, or more than 100% of a partition in use, as shown by df(1). When a partition is created with newfs(8), some of the available space is held in reserve from normal users. This provides a margin of error when you accidentally fill the disk, and helps keep disk fragmentation to a minimum. Default for this is 5% of the disk capacity, so if the root user has been carelessly filling the disk, you may see up to 105% of the available capacity in use.

On Jun 25, 2005, at 11:41 PM, <[EMAIL PROTECTED]> wrote:

> 5% or so is reserved for root and is not "available".
>
> When everybody has run out of disk space, it is very helpful
> if the situation does NOT apply to root.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf
> Of
> Matthew S Elmore
> Sent: Saturday, June 25, 2005 11:35 PM
> To: misc@openbsd.org
> Subject: Strange df output
>
>
> Can anyone explain this math to me?
>
> 490M - 32.8M != 433M
>
> Not that it's a big deal but just wondering where that bit of space
> went.
>
> [EMAIL PROTECTED]:/home/matt$ df -h
> Filesystem    Size    Used   Avail Capacity  Mounted on
> /dev/wd0a     490M   32.8M    433M     7%    /
Re: Strange df output
5% or so is reserved for root and is not "available".

When everybody has run out of disk space, it is very helpful if the situation does NOT apply to root.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matthew S Elmore
Sent: Saturday, June 25, 2005 11:35 PM
To: misc@openbsd.org
Subject: Strange df output

Can anyone explain this math to me?

490M - 32.8M != 433M

Not that it's a big deal but just wondering where that bit of space went.

[EMAIL PROTECTED]:/home/matt$ df -h
Filesystem    Size    Used   Avail Capacity  Mounted on
/dev/wd0a     490M   32.8M    433M     7%    /
Re: can't find /etc/crontab ?
man crontab (from fresh OBSD 3.7)

FILES
     /var/cron/cron.allow  list of users allowed to use crontab
     /var/cron/cron.deny   list of users prohibited from using crontab
     /var/cron/tabs        directory of individual crontabs

I think there's a reason that they include the man (manual) command. Works much better than playing guessing games.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Neta
Sent: Saturday, June 25, 2005 6:02 AM
To: misc@openbsd.org
Subject: can't find /etc/crontab ?

Hello All,

I have fresh install machine openbsd 3.7, i couldn't locate any /etc/crontab ? is this crontab disable by default? how i can enable it?

Kind regards
Neta
Re: mcopy -s foo a:
Dunno if it will help but Writing to a fresh floppy (W98) foo.txt bar.foobar dir > dir.txt The (possibly) long filename take up an extra directory slot and is in the proper case. Floppy should be FAT12 (very limited number of clusters) but this has nothing to do with long file names. The extension is in mucking with directory entries which are invisible to DOS. Sector 19 Af.o.o.. .t. 4294967295 15-31-07 7:63 pm 0 R/O Sys Hid Vol FOO TXT 36 6-21-05 5:10 am 2 Arc Ab.a.r.. .f. 4294967295 0-00-80 12:03 am 0 R/O Sys Hid Vol BAR~1FOO 52 6-21-05 5:11 am 3 Arc Ad.i.r.. .t. 4294967295 15-31-07 7:63 pm 0 R/O Sys Hid Vol DIR TXT 305 6-21-05 5:11 am 4 Arc Unused directory entry Unused directory entry Sector 19 : 41 66 00 6F 00 6F 00 2E - 00 74 00 0F 00 65 78 00 Af.o.o...t.$.ex. 0010: 74 00 00 00 FF FF FF FF - FF FF 00 00 FF FF FF FF t...__.. 0020: 46 4F 4F 20 20 20 20 20 - 54 58 54 20 00 B4 2F 29 FOO TXT .&/) 0030: D5 32 D5 32 00 00 41 29 - D5 32 02 00 24 00 00 00 +2+2..A)+2.$... 0040: 41 62 00 61 00 72 00 2E - 00 66 00 0F 00 52 6F 00 Ab.a.r...f.$.Ro. 0050: 6F 00 62 00 61 00 72 00 - 00 00 00 00 FF FF FF FF o.b.a.r. 0060: 42 41 52 7E 31 20 20 20 - 46 4F 4F 20 00 8B 51 29 BAR~1 FOO .oQ) 0070: D5 32 D5 32 00 00 64 29 - D5 32 03 00 34 00 00 00 +2+2..d)+2.4... 0080: 41 64 00 69 00 72 00 2E - 00 74 00 0F 00 DB 78 00 Ad.i.r...t.$._x. 0090: 74 00 00 00 FF FF FF FF - FF FF 00 00 FF FF FF FF t...__.. 00A0: 44 49 52 20 20 20 20 20 - 54 58 54 20 00 0E 71 29 DIR TXT .q) 00B0: D5 32 D5 32 00 00 72 29 - D5 32 04 00 31 01 00 00 +2+2..r)+2.1.. 00C0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 00D0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 00E0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Juan J. Martmnez Sent: Tuesday, June 21, 2005 4:54 AM To: misc Subject: Re: mcopy -s foo a: El mar, 21-06-2005 a las 11:39 +0200, Juan J. Martmnez escribis: >[..] 
> May be is related to FAT16 and the extension for long filenames. Well, now I don't know if floppies have FAT16 or FAT12. Anyway I think the problem is related to FAT (no bits :D) and long filename support. regards, Juanjo
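The dump above shows each 8.3 entry preceded by a long-name entry (attribute 0x0F) that older DOS tools skip. As an added example (not part of the original posts), this Python parser decodes those pairs and checks the checksum byte that ties a long name to its 8.3 entry; the field offsets assume the standard FAT/VFAT directory layout, the function names are illustrative, and the input bytes are transcribed from the "Sector 19" hex dump in the post.

```python
import struct

ATTR_LFN = 0x0F   # read-only|hidden|system|volume: marks a long-name fragment
LAST_LFN = 0x40   # set in the sequence byte of the first fragment stored on disk

# Bytes 0x00-0xDF of "Sector 19", transcribed from the hex dump in the post:
# three (long-name fragment, 8.3 entry) pairs followed by one unused entry.
SECTOR19 = bytes.fromhex(
    "4166006F006F002E0074000F00657800" "74000000FFFFFFFFFFFF0000FFFFFFFF"
    "464F4F20202020205458542000B42F29" "D532D53200004129D532020024000000"
    "416200610072002E0066000F00526F00" "6F0062006100720000000000FFFFFFFF"
    "4241527E31202020464F4F20008B5129" "D532D53200006429D532030034000000"
    "416400690072002E0074000F00DB7800" "74000000FFFFFFFFFFFF0000FFFFFFFF"
    "444952202020202054585420000E7129" "D532D53200007229D532040031010000"
    + "00" * 32
)


def lfn_checksum(short_name: bytes) -> int:
    """Rotate-right-and-add checksum over the 11-byte 8.3 name."""
    total = 0
    for byte in short_name:
        total = (((total & 1) << 7) + (total >> 1) + byte) & 0xFF
    return total


def fat_timestamp(date: int, time: int) -> str:
    """Decode the packed FAT date and time words (2-second resolution)."""
    return "%04d-%02d-%02d %02d:%02d:%02d" % (
        1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def join_long_name(fragments, short_name):
    """Return (long_name, valid) for the fragments preceding an 8.3 entry."""
    if not fragments:
        return None, False
    valid = bool(fragments[0][0] & LAST_LFN)
    want = lfn_checksum(short_name)
    chars = b""
    for index, frag in enumerate(fragments):
        # Fragments are stored last-first, so sequence numbers count down to 1.
        if (frag[0] & 0x1F) != len(fragments) - index or frag[13] != want:
            valid = False
        # 13 UTF-16LE characters per fragment, split over three fields.
        chars = frag[1:11] + frag[14:26] + frag[28:32] + chars
    text = chars.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0], valid   # NUL terminates, 0xFFFF pads


def parse_directory(sector: bytes) -> list:
    """Walk 32-byte directory entries and pair 8.3 entries with long names."""
    entries, fragments = [], []
    for offset in range(0, len(sector) - 31, 32):
        raw = sector[offset:offset + 32]
        if raw[0] == 0x00:            # never-used entry: end of the directory
            break
        if raw[0] == 0xE5:            # deleted entry; pending fragments are orphans
            fragments = []
            continue
        if raw[11] == ATTR_LFN:
            if raw[0] & LAST_LFN:     # a new fragment chain starts here
                fragments = []
            fragments.append(raw)
            continue
        base = raw[0:8].decode("ascii", errors="replace").rstrip()
        ext = raw[8:11].decode("ascii", errors="replace").rstrip()
        long_name, valid = join_long_name(fragments, raw[0:11])
        mtime, mdate, cluster, size = struct.unpack_from("<HHHI", raw, 22)
        entries.append({
            "short_name": base + ("." + ext if ext else ""),
            "long_name": long_name,
            "lfn_valid": valid,
            "modified": fat_timestamp(mdate, mtime),
            "first_cluster": cluster,
            "size": size,
        })
        fragments = []
    return entries


if __name__ == "__main__":
    for entry in parse_directory(SECTOR19):
        print(entry)
```

A long name whose checksum no longer matches its 8.3 entry (for instance after a tool that only understands short names rewrote the entry) is reported with `lfn_valid` set to False rather than silently trusted.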
Re: No man pages after installing bash
Check /etc/man.conf from fresh 3.7 install (with bash and a few others installed) ?? Did you install the man pages ?? bash-3.00$ cat /etc/man.conf # $OpenBSD: man.conf,v 1.8 2001/04/05 19:05:49 millert Exp $ # Sheer, raging paranoia... _versionBSD.2 # The whatis/apropos database. _whatdb /usr/share/man/whatis.db _whatdb /usr/local/man/whatis.db _whatdb /usr/X11R6/man/whatis.db # Subdirectories for paths ending in '/', IN SEARCH ORDER. _subdir cat1 man1 cat8 man8 cat6 man6 cat2 man2 cat3 man3 cat5 man5 cat7 man7 cat3f man3f cat4 man4 cat9 man9 cat3p man3p # Files typed by suffix and their commands. # Note the order, .Z must come after .[1-9n].Z, or it will match first. _suffix .0 _build .0.Z/usr/bin/zcat %s _build .0.gz /usr/bin/gunzip -c %s _build .[1-9n] /usr/bin/nroff -man %s _build .[1-9n].Z /usr/bin/zcat %s | /usr/bin/nroff -man _build .[1-9n].gz /usr/bin/gunzip -c %s | /usr/bin/nroff -man _build .[1-9][a-z] /usr/bin/nroff -man %s _build .[1-9][a-z].Z /usr/bin/zcat %s | /usr/bin/nroff -man _build .[1-9][a-z].gz /usr/bin/gunzip -c %s | /usr/bin/nroff -man _build .tbl/usr/bin/tbl %s | /usr/bin/nroff -man _build .tbl.Z /usr/bin/zcat %s | /usr/bin/tbl | /usr/bin/nroff -man _build .tbl.gz /usr/bin/gunzip -c %s | /usr/bin/tbl | /usr/bin/nroff -man _build .me /usr/bin/nroff -me %s 2>/dev/null | cat -s # Sections and their directories. # All paths ending in '/' are the equivalent of entries specifying that # directory with all of the subdirectories listed for the keyword _subdir. # default _default/usr/{share,X11R6,X11,contrib,gnu,local}/{man,man/old}/ # Other sections that represent complete man subdirectories. X11 /usr/X11/man/ X11R6 /usr/X11R6/man/ contrib /usr/contrib/man/ local /usr/local/man/ new /usr/contrib/man/ old /usr/share/man/old/ doc /usr/share/doc/{sendmail/op,sendmail/intro} # Specific section/directory combinations. 
1 /usr/{share,X11R6,X11,contrib,local}/{man/,man/old/}{cat,man}1 2 /usr/{share,X11R6,X11,contrib,local}/{man/,man/old/}{cat,man}2 3 /usr/{share,X11R6,X11,contrib,local}/{man/,man/old/}{cat,man}3 3F /usr/share/man/cat3f 3f /usr/share/man/cat3f 3P /usr/share/man/cat3p 3p /usr/share/man/cat3p 4 /usr/{share,X11R6,X11,contrib,local}/{man/,man/old/}{cat,man}4 5 /usr/{share,X11R6,X11,contrib,local}/{man/,man/old/}{cat,man}5 6 /usr/{share,X11R6,X11,contrib,local}/{man/,man/old/}{cat,man}6 7 /usr/{share,X11R6,X11,contrib,local}/{man/,man/old/}{cat,man}7 8 /usr/{share,X11R6,X11,contrib,local}/{man/,man/old/}{cat,man}8 9 /usr/share/man/{cat,man}9 -bash-3.00$ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Timothy Horie Sent: Monday, June 20, 2005 5:31 PM To: misc@openbsd.org Subject: No man pages after installing bash Hello, I can't use man pages for some reason after I installed bash and login using bash. I typed 'man dump' and it says that it can't find a manual page for that. I looked at some help on the web and there's a MANPATH but I'm not sure what to set it to. I also looked at the /etc/man.conf but everything in there should be the same as when I was using sh (csh). I don't know what the problem is. Thanks Tim
Re: Why timezone it is always incorrect??
User A is on the east coast. User B is on the west coast. They both use the same computer. What time is it? UTC is the correct time. User wants to view time in his own time zone. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of C. L. Martinez Sent: Saturday, June 18, 2005 3:05 PM To: misc@openbsd.org Subject: Why timezone it is always incorrect?? Hi all, Is not possible to adjust clock under OpenBSD correctly??? I do not understand why cmos clock needs to leave at UTC. why? Do i need to recompile kernel with TIMEZONE option to correct this "bug"?? Is not possible to use sysctl tool to correct this??? Thank you very much. -- C.L. Martinez [EMAIL PROTECTED]
Re: Theo gave an interview to Forbes Mag. about Linux
Correctness is difficult. Actually, security is the easier part. (and it's easier to keep score;) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of chefren Sent: Friday, June 17, 2005 6:17 PM To: misc@openbsd.org Subject: Re: Theo gave an interview to Forbes Mag. about Linux http://www.forbes.com/intelligentinfrastructure/2005/06/16/linux-bsd-unix-cz _dl_0616theo.html "Torvalds, via e-mail, says De Raadt is "difficult" and declined to comment further. " ROFL... +++chefren
Re: VPN Remote Services Connetivity
On 17/06/05, Stephen Marley <[EMAIL PROTECTED]> wrote:
> On Fri, Jun 17, 2005 at 11:29:03AM -0500, dontek wrote:
> > I have just configured a VPN tunnel between two OpenBSD firewalls /
> > gateways following the VPN man page nearly word-for-word. All is
> > working well... mostly:
> >
> > On either end, on machines behind the firewall, I can connect to any
> > service on any machine on the remote end.
> >
> > However, if I am on the firewall machines themselves, I can ping
> > machines on the remote end, but service connection fails.
> >
> > for instance, I can ssh to a box on the remote end from a machine
> > behind the firewall, but if i attempt to ssh to the same remote box
> > from the firewall itself, i get a "connection refused". This is true
> > on both ends.
> >
> > Are there additional rules I need to put into pf for this type of
> > connectivity? What am I missing?
>
> I'll guess that the ping works because you're using ping -I to specify
> the source address as an internal lan address. However your ssh will
> have the firewall's external address as its source address and it will
> not get encapsulated since there are no flows defined for gateway to
> network, only network to network.
>
> You could define additional SAs for the gateway to network connections,
> but I think just adding a route pointing to your inside interface will
> work. For example, if your gateway's internal address is 192.168.1.1 and
> the remote network is 10.10.10.0/24, on the gateway run:
> route add 10.10.10/24 192.168.1.1
>

If you use ping -I, how about ssh -b also ?

/Tony
Re: OSPFd over IPSEC (enc)?
On 16/06/05, Michael Favinsky <[EMAIL PROTECTED]> wrote:
> Can two 3.7 servers running OSPFd talk OSPF to each other over an IPSEC
> tunnel, or worded in another way, an enc interface?
>
> I have two sites with a WAN link and I want to use the Internet (VPN) as a
> backup route. The concept is that under normal circumstances, the OSPF
> routing table would have valid routes between the two sites over both the
> VPN and WAN links. If the WAN link failed, there'd still be a valid route
> between the two sites over VPN.
>

If you want to do things like dynamic routing over IPsec, use a tunneling protocol like IPIP(gif) or GRE. Set up the tunnel and then just configure IPsec to encrypt the tunnel.

/Tony S
Re: interface groups and pf
pf is the best thing since the 1-litre stella bottle. It's good to see that it continues to improve. This is cool stuff. /Tony S
Dell Inspiron 700m
I've got some good news.. I installed OpenBSD on my Dell Inspiron 700m... so far (with a snapshot of Jun 15th) I am able to get wireless to be functional, and I just finished porting over the the 855resolution hack for the VBIOS to get full widescreen 1280x800 support (broken Dell BIOS workaround). I still have yet to test sound and such (even though it is detected successfully), but once I straighten everything out with this laptop, I will post a dmesg and the code to fix the VBIOS. ROCKIN!! :) -- Tony Lambiris [ [EMAIL PROTECTED] ] "so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
Re: GRUB's boot parameter
speaking of GRUB: "The most embarassing comment came from a developer of the GRUB project who went only by the name of 'Gord'. 'This function is truly horrid,' he wrote. 'We try opening the device, then severely abuse the GEOMETRY->flags field to pass a file descriptor to biosdisk. Thank God nobody's looking at this comment, or my reputation would be ruined.'" -- From the OpenSolaris code, h00h0h0h0h0 Bob Beck wrote: This is probably because OpenBSD != NetBSD, and I suspect grub is using whatever it's notion of a netbsd boot block is. You probably have to fix grub somehow to use a current OpenBSD boot block, as opposed to attempting to start a kernel boot as if it were NetBSD. Ask them for a --type=openbsd option would be a start. -Bob * ikesan <[EMAIL PROTECTED]> [2005-06-16 10:23]: Hellow. I'm gonna boot OpenBSD from GRUB in FD. The parameter is following. root (hd2,0,a) kernel --type=netbsd /bsd But unfortunately panic occured. Message is following. panic: /boot too old: upgrade! This is first time that I installed OpenBSD in my PC (Athron CPU). And this PC contains some kind of OSs. So I usualy boot any OS from GRUB in FD. If version of OpenBSD 3.7 's boot parameter changed or parameter I set was wrong, please let me know correct thing. -- [EMAIL PROTECTED] - -- Tony Lambiris [ [EMAIL PROTECTED] ] "so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
Re: moving to a bigger disk
it's quite simple... boot into single user mode, foreach partition you have, mount the src under /src/X and /dst/X (where src is the old disk and dst is the new disk) and do a:

cd /src/X; tar cf - . | (cd /dst/X; tar xpf - )

I've used this before, works great. after that just make sure you install your boot blocks.

Mihai IACOB wrote:

Hello!

I need to move my OpenBSD 3.6 installation to a bigger disk, because the /usr partition is 92% full. And no, I cannot keep both disks. I searched google and found nothing similar to my situation. I think I can partition and label the new disk, dd the / partition, then copy /var and /usr with tar/pax/cpio, switch the disks and pray it works. Do you think the above steps might work or did anyone do this before?

Thank you for your time.

Mihai IACOB

--
Tony Lambiris [ [EMAIL PROTECTED] ]
"so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
Re: NFS sometime stalls
The only NFS problems I've really ever had w/ OpenBSD, is if our NFS server goes down or is rebooted, the NFS mount never comes back and will essentially hang (especially if you try to unmount the stale link)... I've never tried a mount -u or a unmount -f tho... Federico Giannici wrote: I have an MX mail server that receives email messages and saves them to an email storage server via NFS. Both pc are OpenBSD i386, version 3.7 for the NFS client (MX server) and 3.4 for the NFS server (the storage server). From time to time the connections from the NFS clients seem to freeze (at least the new ones). I applied the famous NFS patch that disables write gathering for v3 (http://marc.theaimsgroup.com/?l=openbsd-misc&m=110676811107986&w=2), but the problem remains (perhaps a little less frequent). I have also raised the number of nfsd processes and "vfs.nfs.iothreads" to 20. The server uses a fxp interface and the client an sk one. From "netstat -i" I have seen that there are no errors or collisions. 
Here is the nfsstat output for the client and the server after almost a day of uptime: Client Info: Rpc Counts: Getattr SetattrLookup Readlink Read WriteCreate Remove 13640012429651 0 13653178549 25790 25819 Rename Link Symlink Mkdir Rmdir Readdir RdirPlus Access 5415 20016 016 0336388 0 1359316 MknodFsstatFsinfo PathConfCommit 0 27008 1 0 42530 Rpc Info: TimedOut Invalid X Replies Retries Requests 4 0 139 28889 2600564 Cache Info: Attr HitsMisses Lkup HitsMisses BioR HitsMisses BioW Hits Misses 1669083136400 1239823424253 67080 13653632860 178549 BioRLHitsMisses BioD HitsMisses DirE HitsMisses 0 0 0 0 26996 27954 Server Info: Getattr SetattrLookup Readlink Read WriteCreate Remove 90847 0269426 0 8882137000 16908 16947 Rename Link Symlink Mkdir Rmdir Readdir RdirPlus Access 3263 13427 0 0 0197032 0 872760 MknodFsstatFsinfo PathConfCommit 0 16594 0 0 28598 Server Ret-Failed 65447 Server Faults 0 Server Cache Stats: Inprog Idem Non-idemMisses 21 14256 920 1657428 Server Write Gathering: WriteOps WriteRPC Opsaved 136997137000 3 What make me worry is the hight value of the "Ret-Failed" field. Is it normal? I have no experience of NFS, is it normal that sometime ot stalls? What else I could do to prevent this to happen? Thanks. -- Tony Lambiris [ [EMAIL PROTECTED] ] "so if it is really hard for you then perhaps you are just retarded and need treatment w/ electricity and if that does not help then perhaps should not use computers..."
Re: Some Sites Don't Load Behind pf NAT
Dunno if relevant, but a long time ago, routing ethernet over an internal SLIP connection (don't ask, fiber is much better), connections were real flaky until I upped the MTU on the SLIP connection to 1500. Seems Microsoft likes to put a "Don't Fragment" into the TCP/IP setup and silently ignores fragmented packets, or at least did. If both ends like full 1500 byte packets and one end cannot accept fragments (either end?) .

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Javier Villavicencio
Sent: Sunday, June 12, 2005 10:28 PM
To: Serban Giuroiu
Cc: misc@openbsd.org
Subject: Re: Some Sites Don't Load Behind pf NAT

Serban Giuroiu wrote:
> Hello.
>
> I have an OpenBSD 3.7 box set up as a router and
> server for my home network. It connects to the
> Internet through the kernel PPPoE driver. Naturally, I
> use pf on that box. Everything runs smoothly, but
> there are certain websites that do not load properly
> from machines behind the NAT router.
>
> When trying to access http://mail.yahoo.com or
> http://linuxhardware.org, an initial connection is
> made, but no further data comes in as the web browser
> sits and waits. However, if I open those pages in lynx
> from the OpenBSD box, they load without any problems.
> Most other websites load correctly from all machines
> on my network.
>

Had the very same problem.

> Searching Google, I found a similar problem posted to
> this list a couple years ago in which an MTU setting
> and fragmentation were the cause of the strange
> behavior
> (http://www.monkey.org/openbsd/archive/tech/0211/msg00163.html).

Didn't find this one.

> The poster added "scrub out all no-df max-mss 1452" to
> his pf configuration and that fixed his problem.
>
> As recommended in the pppoe(4) man page, I set the MSS
> for the pppoe interface to 1440. I played around with
> different MSS's and scrubbing out the DF bit, but my
> problem remains. Does anyone know what is causing this
> strange problem and how to fix it?
> [snip]

As Shawn says, I installed squid as a transparent proxy trying to solve this, but some of the sites worked, and some didn't. This is what (I think, too much trial and error before everything worked fine) solved that problem:

    scrub in all fragment reassemble random-id
    scrub out on pppoe0 max-mss 1452

Just to help you testing, this is what I did with the sites that didn't open correctly: From the machine behind the NAT that isn't working well, *telnet* to that site on port 80, and try to get the same page by writing (or pasting) the HTTP GET command, for example: "GET / HTTP/1.0" (without quotes). Trying that you will find that if you type the wrong thing in telnet, generally, most sites send you an error page. Funny though, it seems that some error pages aren't big enough to "fill" a TCP packet and you get the error page fine, while the actual page you're trying to see is so big (the html text) that the MTU/MSS screws up.

Hope it helps,
Salu2.
Javier.
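Added example, not part of the thread: a small Python model of the stall described above, where a short error page arrives but a full page hangs until the MSS is clamped. It assumes the server sets DF on every packet and that oversized packets are dropped at the PPPoE hop; the function names and sample sizes are constructed for illustration.

```python
# Constructed model of the stall discussed in this thread; not code from any poster.
IP_HDR = 20          # IPv4 header without options
TCP_HDR = 20         # TCP header without options
PPPOE_OVERHEAD = 8   # 6-byte PPPoE header + 2-byte PPP protocol field


def link_mtu(ethernet_mtu=1500, overhead=PPPOE_OVERHEAD):
    """Largest IP packet that fits on the encapsulated link."""
    return ethernet_mtu - overhead


def max_mss(mtu):
    """Largest TCP payload per packet for a given IP MTU."""
    return mtu - IP_HDR - TCP_HDR


def bytes_delivered(response_len, client_mss, path_mtu,
                    clamp=None, icmp_reaches_server=False):
    """Bytes of a server response that reach the client behind the NAT.

    client_mss: MSS the client puts in its SYN (1460 on plain Ethernet).
    clamp: value given to pf's max-mss, which lowers the MSS option in the SYN.
    icmp_reaches_server: whether "fragmentation needed" ICMP gets back.
    """
    mss = client_mss if clamp is None else min(client_mss, clamp)
    sent = 0
    while sent < response_len:
        seg = min(mss, response_len - sent)
        if seg + IP_HDR + TCP_HDR > path_mtu:
            if not icmp_reaches_server:
                # Packet is dropped and the server keeps retransmitting the
                # same size; TCP is in-order, so nothing after it arrives.
                return sent
            mss = max_mss(path_mtu)   # path MTU discovery worked
            continue
        sent += seg
    return sent


def compare(page_len=30000, error_page_len=600):
    """The thread's symptoms side by side (sizes are constructed)."""
    mtu = link_mtu()
    return {
        "error page, no clamp": bytes_delivered(error_page_len, 1460, mtu),
        "full page, no clamp": bytes_delivered(page_len, 1460, mtu),
        "full page, max-mss 1452": bytes_delivered(page_len, 1460, mtu, clamp=1452),
        "full page, ICMP not filtered": bytes_delivered(
            page_len, 1460, mtu, icmp_reaches_server=True),
    }


if __name__ == "__main__":
    for case, got in compare().items():
        print(f"{case:30s} {got:6d} bytes delivered")
```

The clamp value 1452 is the PPPoE link MTU of 1492 minus 40 bytes of IP and TCP headers, which is why a value at or below it lets full-size pages through.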
Re: heal the world, and misc@ [strictly coffeetime reading]
The gcc thread. The advice is to NOT use strange optimizations. The experience supports that advice. This is similar to people not following a recipe and complaining that the recipe doesn't work. This thread is started by someone with a degree in "teaching computer science", who is afraid to teach. There is an old saying, "When in Rome do as the Romans". Seems incredibly stupid to go to Rome and tell the Romans how they ought to behave. Of course they react. In terms of damaging tender young minds, your "little social experiment", presented as if it had any redeeming virtues, probably does the most damage. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of -f Sent: Saturday, June 11, 2005 7:52 AM To: OpenBSD Subject: Re: heal the world, and misc@ [strictly coffeetime reading] hi there, for those who did not delete another post w/this subject: i am mostly impressed by the answers, positive, negative. my little social experiment reaffirms the following: it is not threads like i started which add too much noise to the list. it's the answers. this thread contains almost all of the archetypal answers one can get: -the fuck off style -i agree but why starting this -i disagree but why starting this -you are a troll -long live anarchy -stop this thread -you are full of shit because you provided only your initials -etc, etc. very few of them actually add anything meaningful. all these people could have flamed me offlist, because they do precisely know how much the others are not interested in it. my very favourites are "stop this thread", adding the most noise w/o any real meaning. some other remarks: -instead of nazis, terrorists are the next favourite target group -there is always someone telling you "run a spelcheker, idiot" (probably never heard of dyslexics) let me try again, because i love you all: please, reread the thread about the gcc stuff. 
before reading it, forget that you are member of this list, that you know the stuff you know about openbsd. imagine a friend sent it to you for amusement. what would you think about this list in general? i know i can't change people, and don't want to, that's why i do NOT teach (spare me the "you always change people stuff", and go read amok by stefan zweig), all of you who were kind enough to "enlighten" me how pointless my post was, here is a surprise: it wasn't. it shows just how much everyone want to see his/her name in the list, even when adding nothing to the thread. could have told me offlist. be polite, learn to ignore, or do the thing offlist. that was my message most of you missed. anyway, i will now go back and do what i advised. i will answer you offlist, or ignore you. thank you for ignoring me. -f -- you will become rich and famous unless you don't.
Re: heal the world, and misc@ [strictly coffeetime reading]
OpenBSD has an annoying habit of being right. Perhaps if OpenBSD can be civilized into not speaking their minds, OpenBSD won't be so annoying (by not being so right). That seems to be the implicit thrust of these thingees. Flames invited if I've misread the situation. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Barter Sent: Friday, June 10, 2005 2:59 PM To: OpenBSD-Misc Subject: Re: heal the world, and misc@ [strictly coffeetime reading] dereck wrote: >>Look, I don't 'act all tough on the net'. I just >>refuse to sit idly >>by while mamby pamby whiners are spouting crap. >>And, in real life, >>I'd say the same thing to him. > > On this I'll have to draw the line - that is plainly > Bullshit. You would not say anything like this to his > or her face, because you are a coward hiding behind > your keyboard. In the "real world" no one would take > what you dish on this list, and that is the plain > fact. No company or government job would put up with > it. We have to because it is a public list. But you > are so full of it that it is painful to watch. You > would not say these things and stay gainfully > employed. Not true. I have spoken my mind many times in-person and at work, to managers and presidents. I have never been fired for anything I've said because I don't attack people personally. I would gladly have a discussion in real-life with anyone on this list. Only a fool or someone as immature as you would actually get so defensive. Rational people can disagree cannot they not? They can argue points without breaking into a fist-fight, can't they? Maybe you don't understand the difference between arguing a point and just arguing. > You are driving people away from trying and using > OBSD, and I (for one) hope that you are at least proud > of yourself. This is the MISC list, for crissakes, > and we should be more helpful to newbies. 
As a > technical project, Linux is a mess; but it continues > to grow not in small part to the esprit de corps that > the users openly encourage. Newbie questions on Linux > lists are not discouraged, and a "keep at it - it'll > come" encouragement is not at all unusual. They are > even proud of getting their grandmothers to use it! Never once during this thread have I advocated NOT helping new people. Please re-read my response to the original post. I have never once discouraged someone from participating on this list and have helped whenever and wherever I can. > We, by contrast, have to put up with the "better than > you" attitude from the vocal minority on this list > which reminds one unpleasantly of Jerry Fallwell, > Osama bin Liden, and other wacko religious crowds. > Put a sock in it, Rick. Almost everyone met your type > in grade school. Small boys who pick fights with > younger girls, or kick the neighbor's dog, are not > uncommon. You are not "keeping it real," or "setting > the story straight," or "protecting us from assholes." > You ARE the asshole. Hahaha are you saying I'm a wacko, a terrorist? Why, because I have an opinion I feel strongly about, tried to make a point, and am defending my assertions? This is what I'm talking about. The world is being conditioned such that if you argue with someone, you're the enemy. Grow up. Oh, and thanks for calling me an asshole. You made my day. > If you will stop "protecting us" maybe the user base > will expand. [And yes, I'll be glad to answer > questions and help - with money, time, and anything > else.] Haha. Who cares if the user base expands. The OpenBSD team doesn't. Go read some documentation. They code this stuff for their own pleasure/use. I happen to like the system and come along for the ride. And if anyone wants to come to my house and discuss it over tea or coffee or anything let me know and I'll give you my address. rvb
Re: heal the world, and misc@ [strictly coffeetime reading]
Some people on this list seem to have some anger management issues. Some people not on this list seem to have some anger management issues. Both statements true and both statements approximately equally relevant. Overall, this list seems quite a friendly place, and if anything is surprising, it is the reticence of many of the regulars. A degree in "teaching computer science". This is very good for teachers who know some computer science to teach a lot of people something about computer science. In which case it is probably beneficial that this big mass of humanity, who will never even begin to understand the stuff, feel good about themselves. This list cannot serve that purpose. That much is obvious, even if I weren't lurking on the list. Whatever OpenBSD's goals or achievements, mediocrity isn't in the list. Whatever they have achieved, they have achieved with limited resources and according to their own priorities. They are not so stupid as to let some outsiders set their priorities or to tell them how they should behave. Bluntly, at the low to mediocre end, how well the teacher teaches is what matters. At the high end, it's strictly how well the teacher knows the subject that matters. If you are after the high end, you tend to listen to the best teacher, experience, which to the best of my knowledge, has none of the finer social graces. Seems like OpenBSD, quite correctly, caters to the high end. There are plenty of other avenues for the rest. As for anger being expressed, I've seen too many times when the only way that things do get fixed is when somebody gets mad enough to actually do something about it. If a bit leaks around the fringes, seems like a very small price to pay. Certainly nothing that an outsider (myself included) has any right to complain about. During my education I have been probably more fortunate than most in having had a few good teachers. 
Looking back, seems like the only thing these good teachers had in common was some kind of intensity or drive or belief in what they were teaching. I find the same kind of stuff here, so I lurk here. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Roy Morris Sent: Friday, June 10, 2005 11:38 AM To: [EMAIL PROTECTED] Cc: -f; OpenBSD Subject: Re: heal the world, and misc@ [strictly coffeetime reading] Bram Van Dam wrote: > > I particularly agree with this bit. Some people on this list seem to > have some anger management issues. damn it!! we don't! we can contain ourselves!!! .. got it !! huh!!! lol
Re: Tuning gigabit bridging firewall for better performance
On Thursday 09 June 2005 22:00, nate wrote:
> Tony Sarendal said:
> > When it comes to network performance most platforms have limitations in
> > packets per second before bandwidth. Please post the performance in pps
> > also,
> > as that is more interesting and more relevant, especially in the GigE
> > case.
>
> I don't see a way in iperf to get this stat, I will try to find
> another tool, I did a crude test which basically involved clearing
> the counters on my switch, using a stop watch and measuring the
> time period. the results were approx 43,000 pps (1467476
> packets sent, 718984 received during the 1.7GByte test), throughput
> was 400Mbit
>
> > The fastest pc os around according to google is FreeBSD which has broken
> > the 1Mpps limit on pc hardware (2.8 GHz Xeon), but that is not wirespeed.
>
> yeah I remember reading that news when they first broke that
>
> > If you expect to see wire speed your box has to handle 1.5Mpps, for just
> > one direction GigE. What kind of pps numbers are you seeing ?
>
> not really expecting wire 1Gbit speed, just closer to the wire
> speed I am getting (~700Mbit) without the bridge. as-is I am
> getting 200-300Mbit less vs going raw over the switch.
>
> I will try to look for another tool, if you or anyone has any
> suggestions let me know
>

Now about netstat on your openbsd box ?

    netstat -I -w10

--
---
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: Tuning gigabit bridging firewall for better performance
On Thursday 09 June 2005 17:25, nate wrote:
> Hello --
>
> I am testing out a couple of new firewalls running
> openbsd 3.6 (plan to upgrade to 3.7 soon), I did
> some searches to see what kind of performance I
> can expect and didn't come up with much other
> than one posting where a guy got more than
> 800Mbit of throughput.
>
> Currently I am testing with pf disabled, just
> bridging the traffic to take pf out of the
> picture.
>
> Without bridging the traffic I get about ~700Mbit
> of throughput. When I bridge the traffic it peaks
> at ~500Mbit(as measured by iperf between 2 linux
> hosts)
>
>
> CPU spends approx 20-40% servicing interrupts
> according to top.
>
> I was expecting similarly good results(at least
> closer to wire speed) as the poster who got
> 800Mbit+ of throughput as my hardware is approx
> twice as fast as his(he had a 1.8Ghz Xeon)
>
>
> system specs:
> Supermicro 6034HX8R Motherboard
> Intel Xeon EM64T 3.4Ghz 1MB Cache(1 CPU)
> 2GB PC3200 Registered ECC DDR-II Memory
> ICP Vortex SCSI Raid card with 128MB Cache
> - 4 x 36GB U320 10k RPM SCSI disks in raid 10
>
> Dual onboard Intel GigE network cards(em driver)
> Dual port PCI-X Intel GigE network card(em driver)
> Quad port PCI-X Intel GigE network card(em driver)
>
>
> I have both interfaces on the dual port PCI
> card bridged, and both pairs of interfaces
> on the quad port bridged. Performance does
> not vary between the dual port PCI-X and the
> quad port PCI-X.
>
> I was hoping with the dual and quad port
> cards that it would reduce interrupt hits
> if both ends of the bridge are on the same
> card. I haven't tried crossing the bridge
> between the two cards yet.
>
> while this performance is acceptable, I was
> hoping for some tips on getting it closer to
> wire speed, or reducing interrupt usage.
>
> Since I don't seem to be CPU bound(~70% idle)
> perhaps it is network driver related? Is there
> a better driver to use? Or a better network
> card?
>

When it comes to network performance most platforms have limitations in packets per second before bandwidth. Please post the performance in pps also, as that is more interesting and more relevant, especially in the GigE case.

The fastest pc os around according to google is FreeBSD which has broken the 1Mpps limit on pc hardware (2.8 GHz Xeon), but that is not wirespeed.

If you expect to see wire speed your box has to handle 1.5Mpps, for just one direction GigE. What kind of pps numbers are you seeing ?

Tony

--
---
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: Gigabit Firewall NIC Interrupt Performance Problem
On Tuesday 07 June 2005 22:39, Sean Knox wrote:
> Tony Sarendal wrote:
> >>>On Tuesday 07 June 2005 20:17, Sean Knox wrote:
> >>>>I installed the NIC to the shared PCI slot and it has helped, but not
> >>>> as much as I expected. Now that all NICs are sharing an IRQ, interrupt
> >>>> usage has dropped from ~90% to ~70%. I'm pushing about 25 kb/s
> >>>> across two NICs, which makes me wonder the max throughput I can expect
> >>>> on a firewall on these Intel boxes.
> >>>
> >>>What is that in packets per second ?
> >>
> >>Ingress is 16255 packets/sec and egress is 18032 packets/sec.
> >
> > 16k+18k pps at 70% interrupt cpu ? On a modern PC ?
> > That sounds disappointing to say the least.
> >
> > I checked one of my ancient 600Mhz P3 with a four port dc, it's doing
> > 15k+15k at 33% interrupt cpu. I dug through old emails and found that an
> > old firewall I had with Athlon850MHz and one ti (netgear) doing 26k+26k
> > on its vlan trunk at 15% interrupt cpu.
> >
> > Please tell me your box is an old piece of junk like my boxes.
>
> Nope-- it's a Supermicro 6023P-8
> (http://supermicro.com/products/system/2U/6023/SYS-6023P-8.cfm). Intel
> Xeon 2.4, 533mhz bus, onboard dual Intel 82546EB gige nics, 133mhz
> PCI-X, etc. etc. I'm running a snapshot from June 3 and as far as I can
> tell, apm is not enabled (did a dmesg|grep apm).
>
> Sean

I would expect a box with those specs to be able to handle 40kpps without breaking a sweat.

--
---
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: Gigabit Firewall NIC Interrupt Performance Problem
On Tuesday 07 June 2005 20:56, Sean Knox wrote:
> Tony Sarendal wrote:
> > On Tuesday 07 June 2005 20:17, Sean Knox wrote:
> >>I installed the NIC to the shared PCI slot and it has helped, but not as
> >>much as I expected. Now that all NICs are sharing an IRQ, interrupt
> >>usage has dropped from ~90% to ~70%. I'm pushing about 25 kb/s
> >>across two NICs, which makes me wonder the max throughput I can expect
> >>on a firewall on these Intel boxes.
> >
> > What is that in packets per second ?
>
> Ingress is 16255 packets/sec and egress is 18032 packets/sec.

16k+18k pps at 70% interrupt cpu ? On a modern PC ? That sounds disappointing to say the least.

I checked one of my ancient 600Mhz P3 with a four port dc, it's doing 15k+15k at 33% interrupt cpu. I dug through old emails and found that an old firewall I had with Athlon850MHz and one ti (netgear) doing 26k+26k on its vlan trunk at 15% interrupt cpu.

Please tell me your box is an old piece of junk like my boxes.

--
---
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
Re: Gigabit Firewall NIC Interrupt Performance Problem
On Tuesday 07 June 2005 20:17, Sean Knox wrote:
> I installed the NIC to the shared PCI slot and it has helped, but not as
> much as I expected. Now that all NICs are sharing an IRQ, interrupt
> usage has dropped from ~90% to ~70%. I'm pushing about 25 kb/s
> across two NICs, which makes me wonder the max throughput I can expect
> on a firewall on these Intel boxes.
>
> I haven't tried tuning the em(4) driver yet nor am I sure it's needed at
> this point. Does anyone have some guidelines and/or tuning values they use?
>

What is that in packets per second ?

--
---
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-