Re: pf in 4.0 not honoring nat rule with table for vlan tagged interface

2007-06-19 Thread Brian A. Seklecki
Very bizarre.  The only advice I can offer is that maybe it's getting
confused on -> $nat_if instead of the more pragmatic -> ($nat_if).


Perhaps the parse code is trying too hard to resolve $nat_if in the 
former, and thus finding the underlying interface instead of the logical 
upper layer vlan interface?


Give it a shot.  If not, we'll turn up debugging and log

~BAS

On Tue, 19 Jun 2007, Albert Chin wrote:


I have a perfectly-working 4.0 firewall and decided to move one of the
physical interfaces to a new vlan tagged interface. I changed the
interface name in pf.conf and noticed that NAT wasn't working. The NAT
rule is:
 nat_if = vlan109
 table <tww_nets> const { 192.168.1.0/24, 192.168.4.0/24, 10.191.57.0/24 }
 nat pass log on $nat_if from <tww_nets> to any -> $nat_if

If nat_if is a physical interface, like fxp0, the above nat rule
works. I can get the nat rule to work if I omit the use of the table:
 nat pass log on $nat_if from { 192.168.1.0/24, \
192.168.4.0/24, \
10.191.57.0/24 } to any -> $nat_if

So:
 1. If the only change I make to pf.conf is a global search/replace
from fxp0 to vlan109, why doesn't pf behave as if using
a physical interface?
 2. Why the workaround above to get pf working with the vlan tagged
interface? Bug in pf?

--
albert chin ([EMAIL PROTECTED])




l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?
~Maynard James Keenan



CARP interface state change logging patch

2007-06-20 Thread Brian A. Seklecki
The OpenBSD PF-MIB stuff is incredibly useful -- especially the 
PF-MIB:CarpIFTable objects.  Thanks to all involved with that.  I've also 
had success with Net-SNMP 5.4 (opti@'s version) with those patches; will 
try to port them to other PF-enabled OSs soon.


In the mean time, I want to keep going with additional debugging and 
monitoring functionality in CARP.  Here is a small patch that is 
incredibly useful for troubleshooting and debugging cumbersome issues. 
Silence is killer, especially when you turn on logging and receive 
nothing:


This adds functionality similar to "debug standby" in Cisco-land:

*Mar 1 02:56:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0, changed state to up

*Mar 1 02:56:14: SB0: FastEthernet3/0 state Listen -> Init
*Mar 1 02:56:20: SB0: FastEthernet3/0 state Init -> Listen
*Mar 1 02:56:30: SB0: FastEthernet3/0 state Listen -> Speak
*Mar 1 02:56:40: SB0: FastEthernet3/0 state Speak -> Standby
*Mar 1 02:56:41: SB0: FastEthernet3/0 state Standby -> Active

With this patch:

# ifconfig carp40 vhid 40 carpdev pcn0 pass foo up

Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: MASTER -> to: INIT
Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: INIT -> to: BACKUP
Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: BACKUP -> to: INIT
Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: INIT -> to: BACKUP
Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: BACKUP -> to: INIT
Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: INIT -> to: BACKUP
Jun 20 03:05:49 vmware-openbsd-lab /bsd: carp40: state transition from: BACKUP -> to: MASTER


I think there are probably ~20 other CARP_LOG() calls that could improve 
the experience, but this is a good place to start and we'll move on from 
there.


Against the OPENBSD_4_1 tree (rev 1.132.2.1):

# cvs diff -u ip_carp.c
Index: ip_carp.c
===
RCS file: /cvs/src/sys/netinet/ip_carp.c,v
retrieving revision 1.132.2.1
diff -u -r1.132.2.1 ip_carp.c
--- ip_carp.c   2007/04/30 20:39:44 1.132.2.1
+++ ip_carp.c   2007/06/20 07:03:15
@@ -2111,6 +2111,8 @@
 void
 carp_set_state(struct carp_softc *sc, int state)
 {
+   static const char *carp_states[] = { CARP_STATES };
+   CARP_LOG(sc, (state transition from: %s - to: %s, 
carp_states[sc-sc_state], carp_states[state]));

if (sc-sc_state == state)
return;
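Review bot: the added CARP_LOG() runs before the `if (sc->sc_state == state) return;` early return, so any caller that sets the state the interface already holds logs a no-op "transition" from a state to itself; move the two added lines below that check (or wrap them in `if (sc->sc_state != state)`) so only real transitions reach the log. That matters most in exactly the situation the sample output above shows, several INIT/BACKUP flaps inside one second, where a same-state line would be read as yet another flap. CARP_LOG() is already gated by the carp log sysctl, so volume is not the concern here, accuracy of the trace is.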






Re: [Nagiosplug-devel] nagios check_carp for OpenBSD carp(4)

2007-06-20 Thread Brian A. Seklecki
Just to follow-up:

I have written a plugin that uses the somewhat complete PHP Net-SNMP
bindings (no getsnmptable() ?!) and the new PF-MIB::CARP Agent
Extensions to Net-SNMP snmpd(8).

I'll post it on NagiosExchange for review if/when I can deploy a
production 4.1-stable system.

~BAS

On Fri, 2006-12-15 at 19:15 -0500, Brian A. Seklecki wrote:
 Thoughts? Strategies? Ideas?
 ---





IMPORTANT: This message contains confidential information and is intended only 
for the individual named. If the reader of this message is not an intended 
recipient (or the individual responsible for the delivery of this message to an 
intended recipient), please be advised that any re-use, dissemination, 
distribution or copying of this message is prohibited.  Please notify the 
sender immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system.
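As an added example (my own, not the PHP/SNMP plugin the post refers to and not OpenBSD code), this is the shape a check_carp takes in plain sh when it reads the local ifconfig(8) "carp:" status line instead of the PF-MIB over SNMP. It assumes the line format "carp: MASTER carpdev wm1 vhid 42 advbase 1 advskew 99" and a single vhid per interface; the two sample outputs are constructed stand-ins for `ifconfig carp42` on a lab pair.

```shell
#!/bin/sh
# Added example: a minimal Nagios-style check_carp in plain sh that reads the
# "carp:" status line from ifconfig(8) instead of the PF-MIB over SNMP.
# Assumptions (mine, not from the post): the ifconfig line looks like
# "carp: MASTER carpdev wm1 vhid 42 advbase 1 advskew 99" and the checked
# interface carries a single vhid. Sample output below is constructed.

OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3   # Nagios plugin exit codes

SAMPLE_MASTER='carp42: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev wm1 vhid 42 advbase 1 advskew 99
        inet 192.168.7.1 netmask 0xffffff00 broadcast 192.168.7.255'

SAMPLE_BACKUP='carp42: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev wm1 vhid 42 advbase 1 advskew 101
        inet 192.168.7.1 netmask 0xffffff00 broadcast 192.168.7.255'

# carp_state IFCONFIG_TEXT -> prints MASTER, BACKUP or INIT; prints nothing
# if there is no "carp:" line (not a carp interface, or it does not exist).
carp_state() {
    printf '%s\n' "$1" | awk '$1 == "carp:" { print $2; exit }'
}

# carp_check IFCONFIG_TEXT EXPECTED_ROLE -> prints one Nagios status line and
# returns the matching exit code. EXPECTED_ROLE is the role this node should
# hold according to its advskew (MASTER on the low-advskew box, BACKUP on the
# other); a node in the wrong role means a failover happened or the pair is
# split-brained, which is the condition worth paging on.
carp_check() {
    state=$(carp_state "$1")
    case "$state" in
        "")   echo "UNKNOWN - no carp status line found"; return $UNKNOWN ;;
        INIT) echo "CRITICAL - carp state INIT (carpdev down or vhid misconfigured)"; return $CRITICAL ;;
        "$2") echo "OK - carp state $state"; return $OK ;;
        *)    echo "WARNING - carp state $state, expected $2"; return $WARNING ;;
    esac
}

# Live use from nrpe or a cron job on the firewall:
#   carp_check "$(ifconfig carp42)" MASTER; exit $?
```

Checking against an expected role rather than merely "is it MASTER or BACKUP" is the point: both nodes of a healthy pair report a valid state, and the event you want to hear about is the low-advskew box sitting in BACKUP.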



Re: max number of connections through the firewall

2007-06-20 Thread Brian A. Seklecki
From previous discussions (search the archives) this has nothing to do
with userland memory available but with kernel data structures.

Also read pf.conf(5) man page:

OPTIONS
 pf(4) may be tuned for various situations using the set command.

   interval   Interval between purging expired states and

[...snip...]
 set limit states 1


~BAS

On Wed, 20 Jun 2007, Florin Andrei wrote:

I am trying to approximate the maximum number of open TCP connections that an 
OpenBSD firewall can support at any given time.


The scenario here is a firewall with 2 interfaces, a bunch of Web servers 
behind it on private IP addresses, a fairly simple set of rules (NAT each 
server on a public IP address on the external interface, allow HTTP in, deny 
the rest).


How much memory is used by every new TCP connection that the firewall needs 
to keep track of? Will the firewall run into other problems before it runs 
out of memory? Will NAT use memory in the scenario described above?


--
Florin Andrei

http://florin.myip.org/




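As an added example (mine, not from the thread or from OpenBSD), here is how a monitoring check would poll the state table against the "set limit states" ceiling the reply points at, so you learn you are near the limit before new connections start being dropped. It assumes `pfctl -si` prints a "current entries" line under "State Table" and `pfctl -sm` prints "states        hard limit    N"; both sample outputs below are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compute how full the pf(4) state table
# is relative to "set limit states", the way a monitoring check would poll it.
# Assumptions: `pfctl -si` prints a "current entries" line and `pfctl -sm`
# prints "states        hard limit    N"; the sample output below is constructed.

SAMPLE_SI='Status: Enabled for 12 days 03:21:10          Debug: Urgent

State Table                          Total             Rate
  current entries                    38412
  searches                       932182234        882.3/s
  inserts                          6138211          5.8/s
  removals                         6099799          5.8/s'

SAMPLE_SM='states        hard limit    40000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# pf_state_usage SI_TEXT SM_TEXT -> prints "current limit percent";
# returns 3 if either number cannot be found.
pf_state_usage() {
    cur=$(printf '%s\n' "$1" | awk '/current entries/ { print $3; exit }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" && $2 == "hard" { print $4; exit }')
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || return 3
    echo "$cur $lim $((cur * 100 / lim))"
}

# pf_state_check SI_TEXT SM_TEXT WARN_PCT CRIT_PCT -> Nagios-style status
# line on stdout, exit code 0/1/2/3 for OK/WARNING/CRITICAL/UNKNOWN.
pf_state_check() {
    usage=$(pf_state_usage "$1" "$2") || { echo "UNKNOWN - cannot parse pfctl output"; return 3; }
    cur=${usage%% *}; rest=${usage#* }; lim=${rest%% *}; pct=${rest#* }
    msg="$cur of $lim states in use ($pct%)"
    if [ "$pct" -ge "$4" ]; then echo "CRITICAL - $msg"; return 2
    elif [ "$pct" -ge "$3" ]; then echo "WARNING - $msg"; return 1
    fi
    echo "OK - $msg"; return 0
}

# Live use on the firewall itself (pfctl needs root):
#   pf_state_check "$(pfctl -si)" "$(pfctl -sm)" 80 95
```

Once the table is full, pf silently refuses to create new states, so the web servers behind the box see connection failures that look like network trouble; polling the percentage, not the raw count, keeps the same check valid after the limit is raised.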



Re: OBSD 4.1 drops to ddb with cdd0: error 22 on component 0 (and 1 (mirror))

2007-06-26 Thread Brian A. Seklecki
This is the expected behavior for a failure on a CCD component.  Try
cutting the SATA cable to a live system some time; watch the kernel
panic there as well.  Suddenly it can't stat() / or read/write from swap.

You're playing with fire with CCD anyway: RAID0.  The stuff in 4.1
wasn't touched for months...6, 10, 11, 11, look at the time between
commits.  There's some new recent activity.

Try RAIDFrame w/ raid0 for a little-more-active development.

~BAS

On Thu, 2007-06-14 at 15:56 +0200, Marius Hooge wrote:
 Hi, I don't know how to handle this:
 
 My OpenBSD 4.1 Generic i386 box occasionally freezes completely,
 without any warning.
 No Ctrl+Mod1+F1 or any other key-combination, no ssh or ping works.








Re: Kernel MINIROOTSIZE 8192 = No Boot

2007-06-26 Thread Brian A. Seklecki
On Fri, 2007-06-15 at 16:51 +, Tobias Weingartner wrote:
 And no information about the machines beyond that?  No dmesg, no
 information

option  NKPTP=16


...fixed it.  I wasn't going to burn 200k and 30 minutes on an e-mail
about an issue that likely someone already knows about and has a quick
one-line fix such as this. (only to get a "you're not running GENERIC"
response)

I know there are people out there running embedded environments who were
testing 4.1 during -current.

~BAS

-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.







Re: vlan configuration: off-topic

2008-01-19 Thread Brian A. Seklecki
 maybe
 
  and *BSD vlan(1) won't transmit VLAN 1 as tagged (per spec)

Correct -- Thank you.  I misspoke.  

It _will_ transmit it tagged as VLAN1 (if vlan1 interface is defined),
but whether the receiving VLAN1 interface on the PowerConnect can ever
receive is anyone's guess. 

I suppose it depends on whether the OpenBSD system is directly connected
to the PowerConnect, what the configurations in the powerconnect for
that switchport are, if there is an intermediary switches between the
two (possibly from other vendors), what that vendor's VLAN1 behavior
is, etc.

~BAS

 
 sure it will.
 ifconfig vlan1 vlan 1 vlandev something



Re: vlan configuration: off-topic

2008-01-19 Thread Brian A. Seklecki
On Sun, 2008-01-20 at 00:11 +, Mike wrote:
 Hey Brian,
 
 I read your post about removing dell switches from your network.  
 
 Just curious which models are you referring to?

PowerConnect 27xx Managed Entry-Level.  Everything else is a
re-branded Cisco with a crippled IOS version. ~BAS



Re: Remote syslog

2008-02-22 Thread Brian A. Seklecki
syslog-ng + transport mode IPSec (or tunnel, if you have infrastructure
on either end). 

use pf(4) to ensure that only IPSec peers can write.

~BAS

On Tue, 2008-02-19 at 21:42 -0700, Steve B wrote:
 and whether you are doing it over SSH or IPSEC? I have looked at
 various



Re: Projector/external monitor not working on OpenBSD 4.2-current on Thinkpad X60

2008-02-22 Thread Brian A. Seklecki
read the man page i810(4):

     Option "MonitorLayout" "anystr"
             Allow different monitor configurations. e.g. "CRT,LFP" will
             configure a CRT on Pipe A and an LFP on Pipe B.  Regardless of
             the primary head's pipe it is always configured as
             "PIPEA,PIPEB".  Additionally you can add different
             configurations such as "CRT+DFP,LFP" which would put a digital
             flat panel and a CRT on pipe A, and a local flat panel on pipe
             B.  For single pipe configurations you can just specify the
             monitor types on Pipe A, such as "CRT+DFP" which will enable
             the CRT and DFP on Pipe A.  Valid monitors are CRT, LFP, DFP,
             TV, CRT2, LFP2, DFP2, TV2 and NONE.  NOTE: Some configurations
             of monitor types may fail, this depends on the Video BIOS and
             system configuration.  Default: Not configured, and will use
             the current head's pipe and monitor.



On Thu, 2008-02-21 at 15:41 +0530, Amarendra Godbole wrote:
 I am unable to move the display to a projector or an external monitor
 on my Thinkpad X60, which is running OpenBSD 4.2-current. Fn-F7 is the
 keycombination to be used to switch displays, but it does not work.
 Now, I am not too sure if this is a function of the OS, or Thinkpad's
 firmware. Search engines turned up nothing. Can someone suggest a way
 by which I can make use of an external monitor? Any software package
 to control this? Thanks.
 
 -Amarendra



Re: libc.so.39.3

2008-02-23 Thread Brian A. Seklecki
It would be in the base.tgz in release 3.9

You may have upgraded and an old binary may be linked against the old
version.  Try making a symlink.

On Sat, 2008-02-23 at 14:07 -0500, Jay Hart wrote:
 On base OpenBSD 4.2.
 
 What package should I install to get the above library?
 
 Thanks,
 
 Jay



Re: libc.so.39.3

2008-02-23 Thread Brian A. Seklecki
On Sat, 2008-02-23 at 12:30 -0700, Theo de Raadt wrote:
 No, do not make a symbolic link.

Right, for the record and mail archives, a symlink would only be a temp
solution and is not guaranteed (likely even) to solve the problem.

Obviously, Jay is not working on in a production environment, otherwise
he would have staged his upgrade process in a lab environment :}

Let us know if you have any ports recompile problems, but read the
entire FAQ, and search the list archives, before posting!

~BAS



Re: Watching the progress of dd if=drive1 of=drive2

2008-02-23 Thread Brian A. Seklecki
On Sat, 2008-02-23 at 12:15 -0800, Jon wrote:
 I'm using dd to clone a drive. How can I watch the progress of this or
 see the transfer rate in real time?
 

http://www.openbsd.org/cgi-bin/cvsweb/src/bin/dd/dd.c?rev=1.15&content-type=text/x-cvsweb-markup


main(int argc, char *argv[])

   (void)signal(SIGINFO, summaryx);



Re: openbsd router hardware

2008-03-02 Thread Brian A. Seklecki
On Sun, 2008-03-02 at 09:04 +0100, Joerg Zinke wrote:
 This will be my first VIA Board, will see how it works...

That's great news.  I run some VIA -- not at all bad.  But they've still
got a long way to go before they re-earn the community's trust.  A
decade of problems doesn't just go away overnight.

~BAS



Re: openbsd router hardware

2008-03-05 Thread Brian A. Seklecki
On Wed, 2008-03-05 at 09:55 -0800, Joe wrote:
 Perhaps you got a bad board in your past?

I've had 10 years of bad VIA chipsets (pciide(4), etc.)

Anyone who has been on the lists for a few years knows the same old
story.  Results 1-10 of about 3,170 for "bsd VIA ATA dma error"

~BAS



Re: PF and application level firewall

2008-03-11 Thread Brian A. Seklecki
On Tue, 2008-03-11 at 09:51 -0700, Rami Sik wrote:
 Hi All,
 
 
 

You can transparently re-write any application (TCP port) to a localhost
security proxy and/or other system using pf(4)'s rdr.

~BAS

 I currently have PF in place with CARP, and quite happy with them. I
 need to implement application level firewalling in front of my apache
 servers as PCI requirement by the end of June this year.  So, my
 question is, do we have any application level firewalling support on
 openBSD? Or, which third part tool/application would you suggest for
 that purpose?
 
 
 
 Thanks,
 
 
 
 
 
 Rami
 
-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.







Re: Vlan tagging and Carp

2008-03-26 Thread Brian A. Seklecki
On Wed, 2008-03-26 at 09:32 -0400, G 0kita wrote:
 Hello all!  I'm having some trouble with getting an OpenBSD box to properly
 tag packets via 802.1Q.
 I'm setting up an OpenBSD4.2 router pulling data off a trunk port on a Cisco
 2960 switch.  I can see the packets traverse the stack upwards but they are

The two physical/vlan interfaces on each unit should have an IP address
in the subnet (.2 and .3 respectively, normally).  The CARP interface on
each system on each box should have the same address (.1 normally)

[EMAIL PROTECTED]:/root# grep -i vlan42 /etc/rc.conf
ifconfig_vlan42="inet 192.168.7.2 netmask 255.255.255.0 vlan 42 vlanif wm1"
ifconfig_carp42="inet 192.168.7.1 netmask 255.255.255.0 pass password vhid 42 advskew 99"

[EMAIL PROTECTED]:/root# grep -i vlan42 /etc/rc.conf
ifconfig_vlan42="inet 192.168.7.3 netmask 255.255.255.0 vlan 42 vlanif wm1"
ifconfig_carp42="inet 192.168.7.1 netmask 255.255.255.0 pass password vhid 42 advskew 101"

Adjust your syntax for ifconfig.if(5) in 4.2


~BAS



Re: Vlan tagging and Carp

2008-03-26 Thread Brian A. Seklecki
On Wed, 2008-03-26 at 10:01 -0400, G 0kita wrote:
---

Nah, a /29 is the smallest WAN space you can use for a CARP - CARP (or
HSRP/VRRP) Ethernet WAN transport.

If you have that budget and business need, then you can afford the
hardware and IP space.

Remember, you can always use _RFC1918 private IP space_ for transit WANs
(a la Comcast.net), but you're on your own when the users with
pitchforks come.

~BAS



Re: configuration tweaks for CF-based systems?

2008-04-03 Thread Brian A. Seklecki
On Thu, 2008-04-03 at 13:05 -0700, Fred Snurd wrote:
 There was mention a few days back that the following still contains useful 
 information when it comes to reducing the amount of writing done to CF-like 
 systems:


Send me a dmesg(8) and I'll send you a 4.3-current CF image built using
bsd-appliance(*)

*1: Name changing soon
*2: code.google.com/p/bsd-appliance

~BAS

 
 http://blog.innerewut.de/2005/05/14/openbsd-3-7-on-wrap
 
 
 Yet I'm puzzled by the desire/need to move /dev into mfs.  The timestamp on 
 the files within /dev don't change, so what is the reason for moving the 
 device nodes into memory?  Are there parameters which are frequently changed 
 residing in this directory?  Any information shared would be appreciated.
 
 
 
 
   
 
 You rock. That's why Blockbuster's offering you one month of Blockbuster 
 Total Access, No Cost.  
 http://tc.deals.yahoo.com/tc/blockbuster/text5.com
 
-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.



Re: Sendmail security problem

2006-03-28 Thread Brian A. Seklecki

On Fri, 24 Mar 2006, Joachim Schipper wrote:


On Fri, Mar 24, 2006 at 02:14:50PM +, Stuart Henderson wrote:

On 2006/03/24 14:12, Alexander Bochmann wrote:

...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:


P gnu/usr.sbin/sendmail/libsm/refill.c
P gnu/usr.sbin/sendmail/sendmail/collect.c
P gnu/usr.sbin/sendmail/sendmail/conf.c
P gnu/usr.sbin/sendmail/sendmail/deliver.c
P gnu/usr.sbin/sendmail/sendmail/headers.c
P gnu/usr.sbin/sendmail/sendmail/mime.c
P gnu/usr.sbin/sendmail/sendmail/parseaddr.c
P gnu/usr.sbin/sendmail/sendmail/savemail.c
P gnu/usr.sbin/sendmail/sendmail/sendmail.h
P gnu/usr.sbin/sendmail/sendmail/sfsasl.c
P gnu/usr.sbin/sendmail/sendmail/sfsasl.h
P gnu/usr.sbin/sendmail/sendmail/srvrsmtp.c
P gnu/usr.sbin/sendmail/sendmail/usersmtp.c
P gnu/usr.sbin/sendmail/sendmail/util.c



I am pretty certain a fix was imported for 3.7-stable, too.



Yep.

Why was there no Security Advisory or entry in the Daily Changelog for 
this?


There's an errata entry, but no announcement =/

~BAS


Joachim




Re: Microsoft SP1 RPC traffic (Active Directory issues)

2006-04-20 Thread Brian A. Seklecki

On Thu, 20 Apr 2006, James Mackinnon wrote:


Good day everyone

Recently, I installed SP1 on some domain controllers and ran into an issue
where microsoft changed rpc data with SP1 and firewalls such as microsofts own
ISA server as well as checkpoint have started to randomly block this data.



...look at the pflog(4), correlate hits with the source address of servers 
having problems with the blocks, generate a pf.conf(5) rule to match, and 
move on.


~BAS



Re: Panic: biodone already

2006-04-20 Thread Brian A. Seklecki

On Thu, 20 Apr 2006, Pedro Martelletto wrote:


The raid(4) codebase is old, unmaintained, and known to have issues.

That's one of the reasons it's not in the stock kernel.


Oh I thought the OpenBSD team was silently discouraging people from the 
practice of using software RAID. :}


That sounds like the service of a friend.

Focusing efforts on better universal hardware RAID mgmt interface 
support.


~BAS



Override errno EBUSY on rd(4) device after boot in mount(2)?

2006-04-21 Thread Brian A. Seklecki
Is there any way to override the flag on a device that prevents it from
being mounted twice? MNT_FORCE isn't it.

I've got an embedded environment I'm setting up where I want to transfer
the root (/) file system from an rd(4) to an MFS.

To do this, I have to add some customizations to copy() in
sbin/newfs/newfs.c.  This is because as soon as I call mount_mfs(8)
from my RD's /etc/rc, all of / goes away, so I have to accomplish things
in C functions until I can get the previous (/) re-mounted as /rescue.

I can call mount(2) manually from newfs::copy(), but /dev/rd0a refuses
to unmount from its previous ubiquitous root_device.

Even if I explicitly mount /dev/rd0a as /, it refuses to dis-mount after
I mount a new memfs at /, even with MNT_FORCE to unmount(2).

Is it possible that rd(4)'s simply can't be unmounted?  I'm assuming
they can be, and that unlike their MFS counter-part, their contents do
not reset (well, they would reset to whatever the contents of the RD
image in the kernel is, assuming changes had been made).

This is truly a chicken-and-egg scenario.  Any thoughts would be
appreciated.

~BAS



Re: 3.7: weird IP address problem

2006-04-24 Thread Brian A. Seklecki

On Mon, 24 Apr 2006, Toni Mueller wrote:


Hello,

I have a box that once had two IP addresses on one interface. I
deconfigured one of them using ifconfig -alias.





I'd rather not reboot only to make a change in IP numbers effective...



Check netstat -rn and arp -an for hangers-on lingering about.

~BAS



Best,
--Toni++




l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8



Re: isakmpd - DPD stops working

2006-04-24 Thread Brian A. Seklecki

On Fri, 21 Apr 2006, Mitja Mu?eni? wrote:


I'm debugging something weird here. Before I put together a full and
sanitized error report, just a quick question: is anybody else seeing DPD
just stop working after a couple of hours, or is it just me & my setup?

I have some pre-3.9 -current (mid March or so) machines running some IPsec
tunnels, and from the IKE dump it appears that after two hours both ends
suddenly stop sending DPD R_U_THERE requests, even if the tunnel is totally
idle (for example, if I down the interface connecting the hosts). The


The lack of responses suggests you'll need to post verbose tcpdump(8) output 
and up the debugging greatly on isakmpd(8).


Have you tested basic IP connectivity for problems?

~BAS



Re: Tape drive DLT VS160

2006-04-24 Thread Brian A. Seklecki

On Mon, 24 Apr 2006, Planck wrote:


Hello.
I have tape drive Quantum DLT VS160 (part of dmesg below) connected to
Adaptec AHA-2940. Everything works fine, but I don't know how to enable
hardware compression on that drive. There aren't any jumpers on the
enclosure, and mt(1) or st(4) don't say anything about that.



Yea it would normally be mt comp on or mt compress on

~BAS



Re: 3.7: weird IP address problem

2006-04-24 Thread Brian A. Seklecki

On Mon, 24 Apr 2006, Toni Mueller wrote:


Hello,

I have a box that once had two IP addresses on one interface. I
deconfigured one of them using ifconfig -alias.

Now, when I want to use any (?) program on that box to go over this
interface, it wants to use the addresses which is no longer present. I
double-checked to ensure that there is no NAT in the way, and also used


Also, is it still ARP'ing for the old address (tcpdump(8) will show).

~BAS



Alter root FS device after boot?

2006-04-24 Thread Brian A. Seklecki

All:

Would it be hypothetically possible to change the device mounted as (/) 
after the system has booted (possibly during the bootstrapping phase)?


This of course overriding the checks in src/sys/kern/sys_vfs*

~BAS



Re: Alter root FS device after boot?

2006-04-26 Thread Brian A. Seklecki
 you can't ever unmount the first / mount after init starts, because
 that would mean revoking init's vnode.

Yes after disabling the kernel checks I've tried to do this and it seems
to cause a complete halt of the system.

If only I could bypass the check that disallows a device from becoming
mounted twice.  When an RD kernel boots, /dev/rd0a is not explicitly
mounted as /, instead root_device is.

However, if I try to mount(2) /dev/rd0a under a fresh MFS /, I get errno
16 "Device busy".  So somewhere in the kernel outside of the fstab(5) the
device is being flagged as in-use.

I'm half-tempted to find that code and disable it. 

~BAS



Building bsd.rd in cdrom39.fs with RAIDFrame

2006-09-08 Thread Brian A. Seklecki
One of the big problems with RAIDFrame support absence in GENERIC is that 
it's also lacking in RAMDISK and RAMDISK_CD.  This prevents RAIDFrame 
users from doing binary updates off boot media.


This can be fixed with a few tweaks in src/distrib/i386/:

First, create a bsd.rd within cdrom39.fs (note, NOT cd39.iso!) with 
RAIDFrame support:


Because src/distrib/i386/ramdisk_cd/Makefile simply includes 
${.CURDIR}/../common/Makefile.inc, appends list.local with a couple 
hundred extra KB of utilities, sets the floppy image to 2.8MB size, then 
declares $RAMDISK (which is a *very* ambiguous name, mind you; a better 
name would be something like $KERNELCONF, etc.), one can simply adjust 
RAMDISK= to point to a src/sys/arch/i386/conf/$foo kernel conf file which 
will get automatically built on 'make release' in src/etc/ as 'bsd.rd'.


Simply copy src/sys/arch/i386/conf/RAMDISK_CD to conf/RAMDISK_CD+RAIDFrame 
and append the following:


pseudo-device   raid 4   # RAIDframe disk driver
options RAID_AUTOCONFIG

Then set the following in distrib/i386/ramdisk_cd/Makefile:

RAMDISK=RAMDISK_CD+RAIDFrame

Next, make another kernel package available to the install script 
(GENERIC+RAIDFrame) as an option.  Follow the same instructions for 
RAMDISK_CD for GENERIC.


Add the following to src/etc/etc.i386/Makefile.inc:

 bsd.mp+raidframe:
 	cd ${.CURDIR}/../sys/arch/i386/conf && config GENERIC.MP+RAIDFRAME
 	cd ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP+RAIDFRAME && \
 	    ${MAKE} clean && ${MAKE} depend && exec ${MAKE}

Then add the following to src/distrib/notes/m4.common:

define({:-OpenBSDbsdmp+raidframe-:},
{:- bsd.mp+raidframe A stock GENERIC.MP MACHINE kernel, with support
 for multiprocessor machines, which can be used
 instead of the GENERIC kernel after the 
install.
 Also features CMU RAIDFrame support for
                 upgrading existing RAIDFrames.-:})dnl dnl

Then clean out your obj and src and rebuild.  Your $RELEASEDIR/cdrom39.fs
(2.88mb Floppy image for use with mkisofs(1)) will contain a gzip(1)'d
bsd.rd with RAIDFrame support).

Run mkisofs(8) on your $DESTDIR with cdrom39.fs as your '-B'. You may now 
safely burn a CD-R for binary upgrades of existing RAIDFrame enabled 
OpenBSD systems, or use your .ISO with your DRAC card via remote media.


l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

...from back in the heady days when helpdesk meant nothing, diskquota
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were.



Re: Building bsd.rd in cdrom39.fs with RAIDFrame

2006-09-11 Thread Brian A. Seklecki

Proper src/etc/etc.i386/Makefile.inc patch:

--

$ diff -u Makefile.inc Makefile.inc-patched
--- Makefile.incSun Sep 10 15:46:33 2006
+++ Makefile.inc-patchedSun Sep 10 15:46:06 2006
@@ -2,11 +2,13 @@
 #  etc.i386/Makefile.inc -- i386-specific etc Makefile targets

 .ifdef DESTDIR
-snap_md: bsd bsd.mp notes bootblocks distrib
+snap_md: bsd bsd.mp bsd.mp+raidframe notes bootblocks distrib
cp ${.CURDIR}/../sys/arch/i386/compile/GENERIC/bsd \
${DESTDIR}/snapshot/bsd
cp ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP/bsd \
${DESTDIR}/snapshot/bsd.mp
+   cp ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP+RAIDFRAME/bsd \
+   ${DESTDIR}/snapshot/bsd.mp+raidframe

 bsd:
cd ${.CURDIR}/../sys/arch/i386/conf  config GENERIC
@@ -16,6 +18,11 @@
 bsd.mp:
cd ${.CURDIR}/../sys/arch/i386/conf  config GENERIC.MP
cd ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP  \
+   ${MAKE} clean  ${MAKE} depend  exec ${MAKE}
+
+bsd.mp+raidframe:
+   cd ${.CURDIR}/../sys/arch/i386/conf  config GENERIC.MP+RAIDFRAME
+   cd ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP+RAIDFRAME  \
${MAKE} clean  ${MAKE} depend  exec ${MAKE}

 notes:
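Review bot: the new bsd.mp+raidframe target runs `config GENERIC.MP+RAIDFRAME`, but this patch adds no GENERIC.MP+RAIDFRAME file under sys/arch/i386/conf, so `make snap_md` now fails at the config step on any tree where that file has not been created by hand as the earlier message describes; either include the config file in the patch or document the prerequisite in a comment next to the target. The casing is also worth settling: the ramdisk config in the earlier message is RAMDISK_CD+RAIDFrame while this one is GENERIC.MP+RAIDFRAME, and since config looks the file up on a case-sensitive filesystem, one convention for both avoids a second class of "no such file" failures.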

--

On Fri, 8 Sep 2006, Brian A. Seklecki wrote:







carp(4) debugging

2006-10-10 Thread Brian A. Seklecki
I'm building -current right now.  I'm looking forward to improvements 
between vlan(4) and carp(4) post 3.7.


I'm curious: Are there any new debugging mechanisms for carp(4) in 
-current/4.x ?  I was looking at ip_carp.{c,h} changelog.  It doesn't seem 
obvious if there are.


I.e., does ifconfig(8)'ing the DEBUG flag onto the interface generate any 
helpful output to log(9)?  Something along the lines of what you would get 
from "debug standby error", "debug standby event", "debug standby terse" 
in an IOS environment?


Anything to help debug the decision making algorithm used in 
master/standby/backup election process.


Certainly a way to log events (interfaces, etc.) and the resulting actions 
taken by the code would be useful in mission critical environments.


Anything beats tcpdump 'proto carp' and making guesses from there.

TIA,

-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/



Re: carp(4) debugging

2006-10-11 Thread Brian A. Seklecki

Exciting stuff; totally missed the log sysctl.

The netstat(8) reveals some interesting info about a persistent failover 
condition:


$ netstat -sp carp
carp:
7731906 packets received (IPv4)
0 packets received (IPv6)
0 packets discarded for bad interface
0 packets discarded for wrong TTL
0 packets shorter than header
0 discarded for bad checksums
0 discarded packets with a bad version
0 discarded because packet too short
0 discarded for bad authentication
0 discarded for bad vhid
0 discarded because of a bad address list
118961 packets sent (IPv4)
0 packets sent (IPv6)

** 152 send failed due to mbuf memory error


But yet:

$ netstat -m

[...snip...]

290/558/6144 mbuf clusters in use (current/peak/max)
1224 Kbytes allocated to network (53% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

Which is interesting because an identical backup unit does not exhibit 
these errors at all, even when running as MASTER for weeks at end.


MBuf isn't getting exhausted; MRTG doesn't show interfaces getting saturated
either.  The machine has an absurd amount of RAM for a Router, too.


Also interesting how it is printed out, as well, as if it is under the 
IPv6 statistics; however these systems have a userland and kernel compiled 
without IPv6 support.


But since this is 3.7-era code, it's hard to imagine troubleshooting this 
further.  Certainly a 4x upgrade is in order before I go chasing down an 
mbuf exhaustion problem.


This is most likely related somehow to the absurdly high number of max 
states (set limit states 20, etc.)


~BAS

On Wed, 11 Oct 2006, Ryan McBride wrote:


On Tue, Oct 10, 2006 at 05:50:50PM -0400, Brian A. Seklecki wrote:

Certainly a way to log events (interfaces, etc.) and the resulting actions
taken by the code would be useful in mission critical environments.

Anything beats tcpdump 'proto carp' and making guesses from there.


Nothing new to 4.0, but a few of the things you can do besides using
tcpdump are:

route monitor
- see interface link state change
sysctl net.inet.carp.log=1
- generates primarily protocol error messages
netstat -sp carp
- display a number of relevant counters

If you want to do more complicated things, like run commands when carp
interfaces change state, you can have a look at ifstated.

-Ryan



l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

...from back in the heady days when helpdesk meant nothing, diskquota
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were.



Re: ports question

2006-10-11 Thread Brian A. Seklecki

PKG_INFO(1)OpenBSD Reference Manual

NAME
 pkg_info - a utility for displaying information on software packages

[...]
 -D  Show the install-message file (if any) for each package (deprecated option).


 -M  Show the install-message file (if any) for each package.




On Wed, 11 Oct 2006, Bryan Irvine wrote:


Sometimes ports have helpful messages that tell you the proper way to
start it from rc.local or some other set of instructions that shoudl
be your next step etc...

Sometimes these get installed as a dependency of another app though
and so the screen just keeps right on trucking and you don't have time
to read it.  Is there some command or somewhere you can go to see what
the message was?

--Bryan




l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

...from back in the heady days when helpdesk meant nothing, diskquota
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were.



Re: nagios monitoring of a remote openntp service

2008-05-08 Thread Brian A. Seklecki
On Thu, 2008-05-08 at 14:33 +0200, Pete Vickers wrote:
 that works fine:
 
 $ ~/usr/local/libexec/nagios/check_ntp_time  -H ntp1
 NTP OK: Offset 0.0008395434124 secs|offset=0.000840s; 
 60.00;120.00;
 
 but, I'm trying to verify the NTP server's health, not that my  
 monitoring host is sync'd to it.


Nagios checks almost never have sufficient debugging mechanisms, and UDP
services don't send RST+ICMP.

You can always: $ sudo ntpdate -qdv [host to check]

~BAS

 Notes:
   This plugin checks the clock offset between the local host and a
   remote NTP server. It is independent of any commandline programs or
   external libraries.
 
   If you'd rather want to monitor an NTP server, please use
   check_ntp_peer.
 
 
 but that doesn't work (for me) :
 
 $ ~/usr/local/libexec/nagios/check_ntp_peer -H ntp1 -t 3
 CRITICAL - Socket timeout after 3 seconds
 
 
 
 /Pete
 
 
 
 On 8 May 2008, at 1:55 PM, Stuart Henderson wrote:
 
  On 2008-05-08, Pete Vickers [EMAIL PROTECTED] wrote:
  Has anybody gotten Nagios' check_ntp_* to play nicely with a remote
  openntp service ? It appears to  rely upon services not implemented
  in openntp ?
 
  this is against an OpenNTP server;
 
  [EMAIL PROTECTED]:12$ /usr/local/libexec/nagios/check_ntp_time -H ntp
  NTP OK: Offset -0.002711469308 secs|offset=-0.002711s; 
  60.00;120.00;
 
  so, it can work.
 
-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.



Re: snmpd

2008-05-08 Thread Brian A. Seklecki
On Thu, 2008-05-08 at 15:22 -0700, Tim Kuijsten wrote:
 It looks like there is no info about disk usage, memory usage, load
 and other sensor stuff. I have no clue where to find the mibs (locate
 mib or locate .txt | grep snmp have no results) or how to load them..

That's all in HOST-RESOURCES-MIB and UCD-DISKIO-MIB

Try:

$ snmptable -v2c -c [comm] [host] HOST-RESOURCES-MIB::hrStorageTable
$ snmptable -v2c -c [comm] [host] UCD-DISKIO-MIB::diskIOTable

The sensor stuff should be committed into the Ports version of Net-SNMP
by now.  I can get it committed to Pkgsrc if not.  It's just not been at
the top of my priority list.


-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.



Re: snmpd

2008-06-14 Thread Brian A. Seklecki
 I get:
 SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::mib-2
 SNMPv2-MIB::sysORID.2 = OID: IP-MIB::ip
 SNMPv2-MIB::sysORID.3 = OID: SNMPv2-MIB::snmp
 SNMPv2-MIB::sysORID.4 = OID: SNMPv2-SMI::mib-2.17
 SNMPv2-MIB::sysORID.5 = OID: IF-MIB::ifMIB
 SNMPv2-MIB::sysORID.6 = OID: SNMPv2-SMI::enterprises.30155.2
 

Or more importantly, are HOST-RESOURCES-MIB and UCD-DISKIO-MIB
supported?  Also, PF-MIB.

~BAS

 I guess this means HOST-RESOURCES-MIB::hrStorageTable and 
 UCD-DISKIO-MIB::diskIOTable are not loaded? How can I load them?
 
 Tnx in advance,
 
 Tim
 
 - Original Message 
  From: Brian A. Seklecki [EMAIL PROTECTED]
  To: Tim Kuijsten [EMAIL PROTECTED]
  Cc: misc@openbsd.org
  Sent: Friday, May 9, 2008 1:35:46 AM
  Subject: Re: snmpd
  
  
  On Thu, 2008-05-08 at 15:22 -0700, Tim Kuijsten wrote:
   It looks like there is no info about disk usage, memory usage, load
   and other sensor stuff. I have no clue where to find the mibs (locate
   mib or locate .txt | grep snmp have no results) or how to load them..
  
  That's all in HOST-RESOURCES-MIB and UCD-DISKIO-MIB
  
  Try:
  
  $ snmptable -v2c -c [comm] [host] HOST-RESOURCES-MIB::hrStorageTable
  $ snmptable -v2c -c [comm] [host] UCD-DISKIO-MIB::diskIOTable
  
  The sensor stuff should be committed into the Ports version of Net-SNMP
  by now.  I can get it committed to Pkgsrc if not.  It's just not been at
  the top of my priority list.
  
  
  -- 
  Brian A. Seklecki 
  Collaborative Fusion, Inc.
 
 
 
   
 
 
-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.



sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Brian A. Seklecki

Am I reading this right?

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup

I don't have a fresh install anywhere -- but I want to say that it doesn't 
default to PermitRootLogin yes after the install.


I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get 
this changed, but Redhat Support is giving me some noise about:


Well the source vendor doesn't disable it by default ...

~BAS



Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Brian A. Seklecki

On Thu, 10 Jul 2008, Brynet wrote:


The keyword here is *default*.

Say you installed OpenBSD on a soekris, it's nice having root enabled 
temporarily.


That way you can login at a later time, create a lesser privileged account,


On Soekris, does the first boot console access not function properly until 
ttys(5) or boot.conf(5) are edited?  Do you need to run headless, but with 
stored network configuration from the installer?


~BAS


edit the sudoers file.. and disable root logins in sshd_config.

I believe the developers' decision is the best one in this case; it's one of 
the first things I disable though.




Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Brian A. Seklecki

afterboot(8) covers this



Works for me, I guess. =/

~BAS


http://www.openbsd.org/cgi-bin/man.cgi?query=afterboot&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html




Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Brian A. Seklecki

On Thu, 10 Jul 2008, Marco Peereboom wrote:


Of course it is enabled by default.  Why do I want a box that is
freshly installed and unreachable?


No -- I just find that most of afterboot(8) can be done from the console; 
even serial console, at first boot, configure the network, add a non-root 
user, add them to wheel, enable sshd.


I guess I'm just having trouble imagining the situation where you have 
console access, but need to do basic post-install configuration via the 
network, as root, remotely.


Even with CF/Embedded, you ship out master.passwd prepopulated.

And this is likely the rationale why the rest of the projects changed it.

~~BAS


On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote:

Am I reading this right?

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup

I don't have a fresh install anywhere -- but I want to say that it doesn't
default to PermitRootLogin yes after the install.

I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this
changed, but Redhat Support is giving me some noise about:

Well the source vendor doesn't disable it by default ...

~BAS




Re: sshd_config(5) PermitRootLogin yes

2008-07-10 Thread Brian A. Seklecki

On Thu, 10 Jul 2008, Jacob Yocom-Piatt wrote:
maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish 
this mailing list had


I didn't want to rehash it all again.  Everyone knows the issues.

However, with respect to the right to disagree, if Marco's and Darrin's 
belief is that remote-network-postinstall configuration is the standing 
reason, then I consider myself in disagreement.


Also, I think there is a false premise to the argument by Marco and Jacob 
that disabling remote root login by default does not provide real 
security, only a false illusion.


That sounds like a slippery slope.  We all know that security is a 
process.


There is a security risk / attack vector here, however remote: without 
password quality and failed-login tarpit/delay mechanisms, a remote root 
password is subject to brute force.


Plus, hypothetically, how strong is a temporary root password going to be? 
It's not going to be the one that you use in production, so likely you're 
going to recycle the same one after every install.


- Yes qualified administrators filter sshd(8) w/ pf(4)
- Yes qualified administrators choose strong passwords
- Yes qualified administrators disable PermitRootLogin afterboot
- Yes qualified administrators always use sudo(8) and never use
  root shells

I propose, as a compromise, wrapping PermitRootLogin around a Match 
statement, limited to the default local subnet gleaned during the install 
network config (no LocalSubnets macro exists in sshd_config(5), afaik, 
but that would be best)


It's just the right thing to do; and we should be leading by example.

Either way, it's a healthy discussion worth having.

~~BAS




PermitStupidEmails No

as the default.

I really fail to see how this setting does anything other than make mgmt 
types worry because they don't really understand security.




On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote:


On Thu, 10 Jul 2008, Marco Peereboom wrote:



Of course it is enabled by default.  Why do I want a box that is
freshly installed and unreachable?

No -- I just find that most of afterboot(8) can be done from the console; 
even serial console, at first boot, configure the network, add a non-root 
user, add them to wheel, enable sshd.


I guess I'm just having trouble imagining the situation where you have 
console access, but need to do basic post-install configuration via the 
network, as root, remotely.


Even with CF/Embedded, you ship out master.passwd prepopulated.

And this is likely the rationale why the rest of the projects changed it.

~~BAS



On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote:


Am I reading this right?

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup

I don't have a fresh install anywhere -- but I want to say that it doesn't
default to PermitRootLogin yes after the install.

I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get 
this changed, but Redhat Support is giving me some noise about:

Well the source vendor doesn't disable it by default ...

~BAS





l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

Guilty? Yeah. But he knows it. I mean, you're guilty.
You just don't know it. So who's really in jail?
~Maynard James Keenan
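The compromise proposed above (a global PermitRootLogin no, with a Match block re-enabling it only for the subnet learned at install time), as an added shell example that is not part of the thread. It assumes a constructed sshd_config on stdin and a constructed 192.168.1.0/24 subnet, and it shows why a plain grep is not a sufficient audit: the first value wins, and a PermitRootLogin inside a Match block does not change the global setting.

```shell
#!/bin/sh
# Added example, not from the thread.  Audits the global (outside any Match
# block) PermitRootLogin value of an sshd_config(5) read on stdin, then emits
# the Match-based compromise proposed in the discussion.

# Print the effective global PermitRootLogin value.  Rules mirrored from
# sshd_config(5): keywords are case-insensitive, the first value seen wins,
# everything after "Match <criteria>" belongs to that block until the next
# "Match", and "Match all" returns to the global context.  When the directive
# is absent or commented out, the 2008-era default ("yes") is reported, which
# is the point of the thread; newer OpenSSH releases default differently.
effective_root_login() {
    awk '
        { sub(/#.*/, "") }                       # drop comments; $0 is re-split
        NF == 0 { next }
        tolower($1) == "match" { in_match = (tolower($2) != "all"); next }
        in_match { next }                        # inside a Match block: not global
        tolower($1) == "permitrootlogin" && !seen { val = tolower($2); seen = 1 }
        END { print (seen ? val : "yes") }
    '
}

# Emit the proposed compromise: root login off everywhere except from the
# subnet learned during the install.  The subnet is a constructed value;
# sshd_config(5) has no LocalSubnets macro, as the post notes, so it has to
# be filled in by whatever produced the install-time network config.
hardened_fragment() {
    subnet=${1:-192.168.1.0/24}
    printf 'PermitRootLogin no\n'
    printf 'Match Address %s\n' "$subnet"
    printf '    PermitRootLogin yes\n'
}

# Constructed stand-in for a stock 2008 sshd_config with the directive
# commented out, i.e. running on the compiled-in default.
STOCK_CONFIG='#PermitRootLogin yes
#StrictModes yes
Subsystem sftp /usr/libexec/sftp-server'

printf 'stock config: global PermitRootLogin is %s\n' \
    "$(printf '%s\n' "$STOCK_CONFIG" | effective_root_login)"
printf 'hardened config: global PermitRootLogin is %s\n' \
    "$(hardened_fragment 192.168.1.0/24 | effective_root_login)"
```

On a live host, `sshd -T -C user=root,host=box,addr=192.168.1.5` prints the values sshd would actually apply for that connection, which is the authoritative check for a Match block.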



Re: contact info for PC Weasel?

2008-08-06 Thread Brian A. Seklecki
On Wed, 2008-08-06 at 13:58 -0700, Chris Cappuccio wrote:
 spend your money on a motherboard with serial console.  like a supermicro
 board or something.  you'll be happier.

No offense but: No.  No you won't.  Unless you have IPMI or something
like Dell's DRAC (4, not 5 -- 5 sux big time).

The AMI/Award BIOS serial console features on the market are _really_
bad.  No hot-key sequences, no watchdog timer, and they don't actually
simulate a VGA-Serial conversion (so the OS _still_ needs to know about
the serial console) -- redirection after boot almost never works for
kernels that draw the framebuffer instead of using BIOS calls to write
kernel messages.

It's bad out there.  PC Weasel needs to sell off/lease that technology to
MB vendors.

~BAS



OpenBSD 4.0/i386 w/ raid(4) ISO (-stable w/ RAIDFrame)

2006-12-13 Thread Brian A. Seklecki
All:

I just wanted to take a moment thank the OpenBSD community and dev team.
Great tools such as pf(4), pfsync(4), etc. enabled me to perform a
zero-downtime upgrade of a very large core router last week.

Per my original patch set to enable this raid(4) RAIDFrame enabled
upgrade, there are a few notes to share regarding actual usage:

1) When booting from the CD, it is important to interrupt the 2nd stage
boot loader sequence and:

boot bsd -a

This will prompt you for the root device, which should be rd0a,
otherwise the RAID_AUTOCONFIG will take it as raid0a  

Or:

Just before your last shutdown before upgrading, use raidctl(8) to
modify the raidset to -A yes dev instead of -A root dev.

2) There is one more patch that needs to occur in install.sub.  I ran into
a small bug in src/distrib/miniroot/install.sub:

http://www.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub?rev=1.406&content-type=text/x-cvsweb-markup

DKDEVS=$(scan_dmesg ${MDDKDEVS:-/^[sw]d[0-9][0-9]* /s/ .*//p})

This can be overridden (I'm only realizing now) by EXPORT'ing
MDDKDEVS= at run time.  However, the long term fix (if/when raid(4) is
updated), is to fix the regex.

Unfortunately, I'm having some trouble updating this BRE REGEX.
re_format(7) hackers feel free to pitch in.

OpenBSD sed(1) doesn't support ERE (Extended Regular Expressions), but
egrep(1) of course does.  Normally I would switch this to:

/^(rai|[sw])d[0-9][0-9]* /s/ .*//p

And with egrep I would get:

$ egrep '^(rai|[wd])d[0-9][0-9]* ' /var/run/dmesg.boot 
wd0 at pciide1 channel 0 drive 0: WDC WD800JD-75LSA0
wd1 at pciide1 channel 1 drive 0: WDC WD800JD-75LSA0
raid0 (root): (RAID Level 1) total number of sectors is...
raid1 (root): (RAID Level 1) total number of sectors is

But apparently the start(thisString|[thatCharActerClass])rest syntax
doesn't work in non-ERE mode.  Maybe someone can help out there.

Also, updating the kernel (/bsd), the 2nd stage boot (/boot) is tricky
and a manual process when using this CD to upgrade:

3) To make bsd.mp+raidframe an Install Set option, declare / export:
MDSETS=bsd.mp+raidframe to have install.sub suck it into the $THESETS
append list.

According to the upgrade.sh, this will install it into your root dir
(raid0a?) / path; which is wrong (I use a symlink for my kernel), but
at least you'll be able to copy it to wd0a:/antiraid/bsd and
wd0b:/antiraid/bsd ... or:

Wait for upgrade.sh to finish up and remount /dev/cd0a manually again
against /mnt2.

I have updated this image to the latest OpenBSD 4.0-stable sources.
Tags: -r OPENBSD_4_0, -D 11/06/06 10:58:26 EST.

http://people.collaborativefusion.com/~seklecki/openbsd_4.0_stableUpdate_wRAIDFrame.iso

SHA1: b7e33764ab96e1a2db0d125d07e9628367680858
Size: 175331328

-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.
Subject: If you please: OpenBSD 4.0/i386 ISO (-stable w/ RAIDFrame)
From: Brian A. Seklecki [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Organization: Collaborative Fusion, Inc.
Message-Id: [EMAIL PROTECTED]
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Mailer: Evolution 2.2.3-10mdk 
Date: Sat, 11 Nov 2006 05:28:53 -0500

SHA1 (public_html/obsdcd_4.0_updateWRAID.iso) =
36c5fe6cb3cd0af6ded8e25a24e2f70f4faaa6cf

36c5fe6cb3cd0af6ded8e25a24e2f70f4faaa6cf  obsdcd_4.0_updateWRAID.iso

-rw-r--r--  1 lavalamp  lavalamp  175319040 Nov 11 05:25
public_html/obsdcd_4.0_updateWRAID.iso



Re: OpenBSD 4.0/i386 w/ raid(4) ISO (-stable w/ RAIDFrame)

2006-12-13 Thread Brian A. Seklecki
On Wed, 13 Dec 2006, Brian A. Seklecki wrote:

 All:


BTW, it is far from optimal, but the following BRE works:

DKDEVS=$(scan_dmesg ${MDDKDEVS:-/^\(rai\)*[sw]*d[0-9][0-9]* /s/ .*//p})

...because saying:

may contain one \(rai\)* or more, but not either, and (or?)...
may contain one of either [sw]* or more, but not either...

Is sort of like (rai|[sd])

Strange days... full src patches on my site.

~BAS
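The two-address form that a BRE-only sed(1) does support, as an added shell example that is not from the thread or from install.sub: it replaces the missing alternation with two sed addresses, and runs the follow-up's \(rai\)*[sw]*d workaround over the same constructed dmesg lines to show what else that pattern accepts. scan_disk_devs is a stand-in for install.sub's scan_dmesg, not that function.

```shell
#!/bin/sh
# Added example, not from the thread or from install.sub.  OpenBSD sed(1) is
# BRE-only, so (rai|[sw])d has no direct equivalent; two sed addresses give
# the same selection without needing ERE.

# Print the device name (first word) of every wd*, sd* or raid* attach line
# read on stdin.  The trailing space in each address keeps "wd0: 76319MB ..."
# style detail lines out, exactly as the original install.sub pattern does.
scan_disk_devs() {
    sed -n \
        -e '/^[sw]d[0-9][0-9]* /s/ .*//p' \
        -e '/^raid[0-9][0-9]* /s/ .*//p'
}

# The follow-up's BRE workaround, kept for comparison.  \(rai\)* and [sw]*
# are each "zero or more", so the pattern also accepts a bare "d0", "raisd9",
# "rairaid0" and similar strings that are not device names.
workaround_devs() {
    sed -n '/^\(rai\)*[sw]*d[0-9][0-9]* /s/ .*//p'
}

# Constructed dmesg(8) lines: the real disks, their detail lines, a CD and
# ramdisk that must not match, and two junk lines that only the workaround
# pattern picks up.
DMESG_SAMPLE='wd0 at pciide1 channel 0 drive 0: WDC WD800JD-75LSA0
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
sd0 at scsibus1 targ 1 lun 0: ST315323 SCSI0 0/direct fixed
raid0 (root): (RAID Level 1) total number of sectors is 156301376
cd0 at pciide1 channel 1 drive 1: ATAPI 5/cdrom removable
rd0: fixed, 3800 blocks
d0 at nowhere (constructed junk line)
raisd9 at nowhere (constructed junk line)'

echo "two-address BRE:"
printf '%s\n' "$DMESG_SAMPLE" | scan_disk_devs
echo "workaround BRE:"
printf '%s\n' "$DMESG_SAMPLE" | workaround_devs
```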



Re: openbsd 4.0 snmpd core dumps with vlan interface number higher as 9

2006-12-13 Thread Brian A. Seklecki

That's awesome!

BTW, I submitted a PR on this yesterday but haven't gotten the automated 
response.  Will forward to you if I do.


~BAS


On Wed, 13 Dec 2006, [EMAIL PROTECTED] wrote:


Hi List,

openbsd 4.0

I've vlan interfaces from vlan1 to vlan9.
I can start
snmpd -x localhost
without any problems.

if i create vlan10
snmpd core dumps
Bus error (core dumped)

the last lines from the debug are
trace: netsnmp_send_traps(): agent_trap.c, 603:
trap: send_trap 0 0 NET-SNMP-MIB::netSnmpAgentOIDs.255trace:
netsnmp_send_traps(): agent_trap.c, 605:
trap:
Bus error (core dumped)

if i destroy vlan10 it works again.

the core dump is here
http://www.tbits.org/snmpd.core.gz

Does anyone have an idea?

Thx

Thomas




l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

...from back in the heady days when helpdesk meant nothing, diskquota
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were.



Master ${SKIPDIR} manifest

2007-02-05 Thread Brian A. Seklecki
Is anyone maintaining a ${SKIPDIR} manifest?  A master list of source 
directories, organized logically by subsystem?  Something to match the 
variety of make.conf(5)/mk.conf(5) knobs in other systems?


l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/



Re: searching a good MRTG/SNMP configuration

2007-02-05 Thread Brian A. Seklecki
You still need a list of valid SNMP OIDs that the agent is capable of 
mapping from real-world values into vendor-independent MIBs.


Good speed you my son.

~BAS


On Mon, 5 Feb 2007, AstraSerg wrote:


What about cacti (http://cacti.net/)?

On Sunday 04 February 2007 15:06, Andreas Bihlmaier wrote:

Hello misc@,

hosting a lan party yesterday I started to play around with MRTG and
SNMP, but I didn't quite get where I wanted.

I guess somebody using OpenBSD already has a nice MRTG configuration
showing:
IN/OUT traffic
[CPU] load
memory usage
some stuff about pf (states, blocks/pass)
(using this patch: http://www.packetmischief.ca/openbsd/snmp/)

Something similar to this:
http://www.erde.co.jp/mrtg/index.html
would be what I'm looking for. But with a better traffic report.

Would this person be willing to share the configuration files
(mrtg/snmp[/rrdtool]) with me and the rest of the OpenBSD community?

While we are at it, how do you make the MRTG output accessible?
My idea was to let every host create its own statistics and upload those
to my central webserver, using pub-key scp/sftp with an unprivileged
user account. The webserver would move all those reports to its
www-chroot.


If I need to I'll create one myself, but after fiddeling around with it
for a couple of hours I thought about the reinvention of the wheel and
its waste of time.

Regards,
ahb


--
Monday, 5 February 2007 10:45:05 (MSK)




l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

...from back in the heady days when helpdesk meant nothing, diskquota
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were.



Re: External 250Gb USB Disk with three FAT32 partitions, device not configured

2007-02-06 Thread Brian A. Seklecki

dmesg output of the disk that runs correctly:
umass0 at uhub2 port 2 configuration 1 interface 0
umass0: Cypress Semiconductor USB2.0 Storage Device, rev 2.00/0.01,
addr 2
umass0: using SCSI over Bulk-Only
sd0 at scsibus1 targ 1 lun 0: ST315323, A,  SCSI0 0/direct fixed
sd0: 14652MB, 14652 cyl, 64 head, 32 sec, 512 bytes/sec, 30008475 sec
total


Are you running GENERIC?

So, uhub* -> umass* -> scsibus* -> sd*

But scsibus* isn't attaching.  Do you have scsibus* at umass? or just 
static scsibus1 at umass0 ?


~BAS



dmesg output of other disk:
umass1 at uhub2 port 3 configuration 1 interface 0
umass1: Iomega External HD, rev 2.00/0.00, addr 3
umass1: using SCSI over Bulk-Only

As you can see, the system doesn't link it with any device (sdX, etc),
can I link it manually?

Obviously, with no device linked to it, the output of fdisk and
disklabel with any sdX device (except sd0, which is the device of
the external usb box that runs ok) is Device not configured.

A lot of thanks

--
Angel Sancho Alvarez




l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

...from back in the heady days when helpdesk meant nothing, diskquota
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were.



Re: Speedtouch modem and PPPoA

2007-02-06 Thread Brian A. Seklecki

On Mon, 5 Feb 2007, Luca wrote:


Hi all,
I installed for the first time the Speedtouch 330, compiled the source
code (http://speedtouch.sourceforge.net/index.php?/index.en.html),
installed the firmware...launched the script...it takes about 10
minutes to bring up the tun0 interface and get a valid ip but it's
connected. After 20 minutes I got this error into the messages log


Ask this guy what it means.  He seems to have written it?

http://www.mail-archive.com/speedtouch@ml.free.fr/msg03593.html

Also, try pppoa3 instead since it's a 330? I dunno.

~BAS




Feb  4 22:01:00 Typhoon pppoa2[9969]: pusb_set_interface
Feb  4 22:01:03 Typhoon pppoa2[24786]: pusb_set_interface
Feb  4 22:01:06 Typhoon pppoa2[23598]: pusb_set_interface
Feb  4 22:01:09 Typhoon pppoa2[24414]: pusb_set_interface
Feb  4 22:01:12 Typhoon pppoa2[238]: pusb_set_interface
Feb  4 22:01:15 Typhoon pppoa2[29868]: pusb_set_interface
Feb  4 22:01:18 Typhoon pppoa2[1043]: pusb_set_interface
Feb  4 22:01:21 Typhoon pppoa2[2254]: pusb_set_interface
Feb  4 22:01:24 Typhoon pppoa2[22178]: pusb_set_interface
Feb  4 22:01:27 Typhoon pppoa2[8043]: pusb_set_interface
Feb  4 22:01:30 Typhoon pppoa2[10104]: pusb_set_interface
Feb  4 22:01:33 Typhoon pppoa2[20981]: pusb_set_interface
Feb  4 22:01:36 Typhoon pppoa2[23161]: pusb_set_interface


The log file is filled with this and the connection is gone...

I made a reboot. Connected again (10 minutes waiting) and now it
has been connected for about 6 hours but the speed is very very low,
about 1K using ftp or http.

PF is disabled for now. Protocol is PPPoA




mk.conf(5) note about ${SKIPDIR}

2007-02-06 Thread Brian A. Seklecki
This entry should probably reflect/note that the space-separated paths 
should be relative to ${BSDSRCDIR}, e.g.: SKIPDIR+=lib/libossaudio 
usr.sbin/httpd games


But I'm a realist, and I know examples aren't normal practice, so I'll 
settle for the note w/o. :}


I'll sendbug(1)

l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/



Re: SSH client (putty) hangs after name/password login

2007-02-06 Thread Brian A. Seklecki

I tried the above (see link) but still it won't work...


Does the privsep sshd(8) process spawn on the server?  Does that spawn a 
login shell of the associated user?  pstree(8) will show.  Also, fire up 
debugging levels?


#LogLevel INFO

  -> DEBUG, DEBUG1, DEBUG3 etc.

~BAS




help !

regards
Willem




Re: SSH client (putty) hangs after name/password login

2007-02-06 Thread Brian A. Seklecki

Hello Brian,

Not quite sure what you mean with pstree...don't know the
command and no 'man pstree' on my 3.8 system..?


It's in the psmisc/ package


Note that I have no problems logging into the system while on the local network
(doing this via a PC that I remotely manage). When I do a SSH session (via the VPN
tunnel) on the INSIDE of the OBSD box, I get the same problem (using the same account).


Okay I must be asleep again.  I thought we eliminated pf(4) as the 
problem.  Technically if you can negotiate a 3-way handshake and 
establish the TCP socket, MTU should be a non-issue.


What about netstat -s.  Anything suspicious (grep -i drop) for sections 
esp: tcp: ip: icmp: etherip:


If you have access via the LAN, what about tcpdump(8) on the tun(4) 
interface?



is
not the case locally




Problem here is that this system is 900Km away...if I would stop the SSHD
(so I could


Normally I'd say to you Oh you're fine with pkill -HUP sshd; but that's 
because I'm accustomed to out-of-band management like DRAC and mgetty :}


~BAS


restart it with debug options) I will not be able to reach it anymore
:-(




Re: SSH client (putty) hangs after name/password login

2007-02-06 Thread Brian A. Seklecki

On Tue, 6 Feb 2007, forums wrote:


Hello,

That was my first guess as well...For that reason I set the option UseDNS NO


Yea.  When DNS timeouts occur, the login process never completes.  In fact, 
before the prompt appears the timeout occurs.


AS



Master ${SKIPDIR} manifest (fwd)

2007-02-07 Thread Brian A. Seklecki

Here's an initial attempt:

http://people.collaborativefusion.com/~seklecki/bsd-appliance/obsd_mkconf_subsys_prune_skipdir.txt

And w/o comments:

http://people.collaborativefusion.com/~seklecki/bsd-appliance/obsd_mkconf_subsys_prune_skipdir_nc.txt

This initial (and far from comprehensive) attempt reduces build sizes:

# du -hs /usr/obj/ /usr/destdir /usr/releasedir/
475M    /usr/obj/
243M    /usr/destdir
104M    /usr/releasedir/


(Down from the usual 850m+ obj/, etc.)

~BAS

-- Forwarded message --
Date: Mon, 5 Feb 2007 01:06:07 -0500 (EST)
From: Brian A. Seklecki [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Master ${SKIPDIR} manifest

Is anyone maintaining a ${SKIPDIR} manifest?  A master list of source 
directories, organized logically by subsystem?  Something to match the variety 
of make.conf(5)/mk.conf(5) knobs in other systems?


l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/



Re: Mbufs tunning

2007-03-17 Thread Brian A. Seklecki
On Fri, 2007-03-16 at 18:30 -0300, Gustavo Rios wrote:
 Dear gentleman,
 
 when i execute some command on my server box, i got a complain about
 not enough buffer available. For instance.
 
 $ rusers
 rusers: can't send broadcast packet: No buffer space available
 $

netstat(8) -m gives some variety of historical data from which to base
your decision making.

~BAS

 
 I don't know how to perform tuning on mbufs. Rather than simply raising
 its limits I wonder which parameters I should choose to guide a
 tuning effort on this regard.
 
 Thank you for your time and cooperation.
 
 Best regards.



Re: sshd configure howto

2007-03-18 Thread Brian A. Seklecki
From an architecture standpoint, it wouldn't be within the mandate of
sshd(8) anyway.  You'd accomplish this using some userland resource
quota enforcement policy (max number of processes, max instances of a
shell).

Hell you could do it in /etc/profile or ~/.cshrc  

I don't know of one OTTMH, but I'm sure that one probably exists out
there.

PS this sounds like a perfectly good idea for embedded platforms.

~BAS 

On Sun, 2007-03-18 at 13:49 +0800, Jay Jesus Amorin wrote:
 I'm using this set-up for a pf/authpf authentication gateway; all I'm
 concerned about is that I don't want my users to use other users' accounts.



Re: isakmpd

2008-09-16 Thread Brian A. Seklecki
On Sat, 2008-08-23 at 13:30 +0200, Daniel Rapp wrote:
 Hi, I am looking for example configs on isakmpd where there is more than one
 tunnel..
 
 I have an OpenBSD (4.2) firewall with a tunnel config in isakmpd.conf and I
 want to add a roadwarrior tunnel too..

There should be a wiki somewhere with lots of known-good-working
isakmpd(8) / isakmpd.conf(5) examples. 

~BAS

 I think I have seen some sample config before but I can't seem to find any
 now..
 
 Any help would be appreciated..
 
 /Daniel
 
-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.







Re: recommendation for router (COMMELL)

2008-09-17 Thread Brian A. Seklecki
 What *would* you recommend?
 
 In addition to the listed duties, I am looking for stability,


For a mail server appliance, Axiomtek units are the only way to fly.

Try the NA-820.  We've been nothing but pleased, and of all the cheap
Award/AMI BIOSes, theirs has been the best performing so far, and priced
well.

http://axiomtek.com/products/ViewProduct.asp?view=429

Also thanks for pointing out Commell.  I'll try to have them scare up a
demo unit so that I can extract a dmesg(8):

http://code.google.com/p/bsd-appliance/wiki/HardwareVendors

~BAS







Re: LDAP and OpenBSD

2008-10-10 Thread Brian A. Seklecki
On Fri, 2008-10-10 at 19:52 +0200, raven wrote:
 I'm thinking about how my users in an LDAP db can log in to my OpenBSD 

One would need NSS_LDAP and PAM_LDAP, which requires PAM and NSS
infrastructure in-tree.

Likely you'd want to sponsor development for something like that.

~BAS

-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.







Re: PF Queue on a GROUP of nics?

2008-10-15 Thread Brian A. Seklecki
On Mon, 2008-10-06 at 16:39 +1100, Sunnz wrote:
 Is it possible?
 
 Say I have a few nics of the same group... dc0 dc1 dc2 dc3... which
 all belong to a group dc.

Sunnz

Do you mean a shared queue where downstream bandwidth from a single
upstream interface is proportionally divided into two downstream
subnets as it egresses two separate interfaces?

I was just revisiting that from 2006?

Ping me back if so.

~BAS







Advanced Queuing: Host-Only Stateful Inspection and Queues

2008-10-15 Thread Brian A. Seklecki
[Long Message Disclaimer]

All:

I was just looking over Peter Hansteen's PF book -- It's a great
reference, but the coverage on QUEUING is limited (6 pages of ~150).

I was hoping to find an answer to a question therein, that I had back
in 2006 when I filed system/4574  -- but with behind me, I wanted to
revisit an ALTQ design question:

  - What is the relationship between stateful pass rules and queue
  behavior?

  - Does the original direction of the initial SYN packet that creates
  a state affect the Golden Rule(R) behavior?

The FAQ states: "You can't queue incoming traffic once it has
   arrived at an interface" (Golden Rule):

   Which is reasonable.

  - If it's passing through your ALTQ packet forwarding engine, you
could in theory queue it leaving an egress interface.
- But, in most scenarios, you would be working with a queue sized
  for the media of the downstream / egress interface, not the  
  incoming/wan interface that you likely wish to traffic shape.

  - Or queue it at an adjacent upstream router (likely if you have
traffic shaping on one router, you have it on all but your core/
border router)

General rules:

  - Queuing happens _mostly_ on pass rules, so even if you have a
default-pass policy, stateless even, you still have to explicitly
pass (and probably keep state, unless core/border) on traffic to
be queued.

  - Consider that the presence of a state prevents re-evaluation of
rules when traffic matching a known state ingresses/egresses an
interface on which the state was initially created 
- Potentially alternate interfaces as well, depending on state
  policy floating

There are four example TCP connection scenarios / packet flow
disciplines outlined below.

To help explain my question, I put together a quick diagram with a
greatly simplified network configuration and pf(4) rule set featuring
queues -- but I've tried to use four real-world traffic flow
permutations.

Diagram:

http://people.collaborativefusion.com/~seklecki/images/cf_OpenBSD_PF.png

-

1) Workstation A initiates TCP connection to Server Y port 5999
   (ephemeral source port)
- TCP SYN from WS A ingress $ext_if, creates state
- TCP SYN+ACK from SRV A egresses $ext_if back to WS A
- Traffic is 5/95 ratio server-client (5% being all acks)
- TCP data transfer from SRV A to WS A is queued at
  specified rate

Example:  Passive FTP data channel stream of download from SRV A
  to WS A

2) Workstation A initiates TCP connection to Server Y on port 22
   (ephemeral source port)
- TCP SYN from WS A ingresses $ext_if, creates state
- TCP SYN+ACK from SRV A egresses $ext_if back to WS A
- Traffic is 95/5 ratio client-server (5% being all ACKs)
- TCP data transfer from WS A to SRV Y is _not_ queued at
  specified rate because of Golden Rule(R)

Example: SCP file, initiated on Client A, from Client A sent to
 Server Y (B pushes to Y)

3) Server Y initiates TCP connection to Workstation A on negotiated FTP
   receiver port (src port 20)
- TCP SYN from SRV Y egresses $ext_if, creates state
- TCP SYN+ACK from WS A ingresses $ext_if back to SRV Y
- Traffic is 95/5 ratio client-server (SRV Y as 'tcp client' -
  5% acks from WS A)
- TCP data transfer from SRV Y to WS A is queued at specified
  rate

Example: Active FTP data connection (client specified data
 receiver port > 1024, SrvY src was P20)

4) Server Y initiates TCP connection to Workstation A on port 22
   (ephemeral source port)
- TCP SYN from SRV Y egresses $ext_if, creates state
- TCP SYN+ACK from WS A ingresses $ext_if back to SRV Y
- Traffic is 5/95 ratio client-server sends (95% being TCP
   server sends, 5% being client ACKs from Y)
- TCP data transfer from WS A to SRV Y

Example: SCP file, initiated on Server Y, src Client A dst
 Server Y (Y pulls from B) 


-

Here are my questions / comments:


  - Should pass in keep state queue(foo) be valid syntax?
- If pass in on $ext_if from any to $private queue(foo) is valid,
  and the traffic flow discipline (DATA, non-ACK) is in the
  direction of the TCP client initiator, does traffic egressing the
  $ext_if get queued? 
 
My testing says Yes.
   
- Conversely, if pass in on $ext_if from any to $private
  queue(foo) is valid, and the traffic discipline (DATA, non-ACK)
  is in the direction of the TCP server receiver, does traffic
  ingressing  the interface get queued?

My testing says No -- as expected.


 - Does this mean, then, that only traffic, ACK or DATA, egressing
   an 
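The four flow permutations above, written out as a pf.conf fragment so the "which side of the flow can a queue touch" question is visible in rules. This is an added example, not the rule set from the post or its diagram: the interface names, Server Y's address, the bandwidth figures and the queue names are all assumed, and the syntax is the OpenBSD 4.x `altq on`/`queue` form the post is discussing.

```pf
# Added example, not from the thread.  em2/em0, 192.168.64.10, the
# bandwidths and the queue names are all assumed.
ext_if = "em2"
int_if = "em0"
srv_y  = "192.168.64.10"   # Server Y sits behind $int_if (assumed)

# Options must precede queue and filter rules in a 4.x pf.conf.  With the
# default floating policy, a state created on $ext_if also matches the
# same packet as it leaves $int_if, so a 'pass out on $int_if ... queue'
# rule would never be consulted for it.  Binding states to the interface
# they were created on lets $int_if evaluate the rules itself and create
# a second state that carries its own queue (used at the bottom).
set state-policy if-bound

# An ALTQ discipline is attached to one interface and shapes only what
# LEAVES that interface (the FAQ's "Golden Rule").  Queue names are
# global to the rule set, so each interface needs its own set.
altq on $ext_if cbq bandwidth 2Mb queue { ext_std, ext_bulk, ext_ack }
queue ext_std  bandwidth 60% cbq(default)
queue ext_bulk bandwidth 30% cbq(borrow)
queue ext_ack  bandwidth 10% priority 7

altq on $int_if cbq bandwidth 100Mb queue { int_std, int_bulk }
queue int_std  bandwidth 90% cbq(default)
queue int_bulk bandwidth 10% cbq(borrow)

# Scenario 1: WS A -> SRV Y:5999, bulk data flows SRV Y -> WS A.
# The SYN arrives on $ext_if, so this 'pass in' rule creates the state
# and its queue assignment travels with the state.  The data egresses
# $ext_if, where ext_bulk exists, so it IS shaped ("my testing says
# Yes"); the pure ACKs from WS A are inbound and untouched.
pass in  on $ext_if proto tcp from any to $srv_y port 5999 \
    flags S/SA keep state queue(ext_bulk, ext_ack)

# Scenario 2: WS A -> SRV Y:22, bulk data flows WS A -> SRV Y.
# Same rule shape, but the bulk side is now inbound on $ext_if, which
# no queue on $ext_if can touch ("my testing says No").  Only SRV Y's
# ACK stream, leaving $ext_if, lands in ext_ack.
pass in  on $ext_if proto tcp from any to $srv_y port 22 \
    flags S/SA keep state queue(ext_bulk, ext_ack)

# Scenario 3: SRV Y:20 -> WS A (active FTP data), data flows SRV Y -> WS A.
# The SYN leaves on $ext_if, so 'pass out' owns the state; the data
# egresses $ext_if and is shaped.
pass out on $ext_if proto tcp from $srv_y port 20 to any \
    flags S/SA keep state queue(ext_bulk, ext_ack)

# Scenario 4: SRV Y -> WS A:22, data flows WS A -> SRV Y.  As in
# scenario 2 the bulk side is inbound on $ext_if and is not shaped there.
pass out on $ext_if proto tcp from $srv_y to any port 22 \
    flags S/SA keep state queue(ext_bulk, ext_ack)

# Scenarios 2 and 4 can only be shaped where the data LEAVES the box,
# i.e. on $int_if.  Because of 'set state-policy if-bound' above, this
# rule is evaluated when the inbound data egresses $int_if and creates
# its own state carrying int_bulk.
pass out on $int_if proto tcp from any to $srv_y port 22 \
    flags S/SA keep state queue int_bulk
```

The second name in `queue(ext_bulk, ext_ack)` is the queue pf uses for packets with a low-delay TOS and for TCP ACKs that carry no payload; that is what keeps the ACK stream of a bulk transfer from being starved by the bulk queue it would otherwise share.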

Re: Can't SSH into CARP'd system from the outside

2008-10-20 Thread Brian A. Seklecki
On Mon, 2008-10-20 at 14:19 -0700, Vivek Ayer wrote:
 So far, I can't ssh into the carp from the outside, can't ntp from the

Try:

% sudo tcpdump -ttt -e -vvv -n -i pflog0 -s 1024


-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.







Re: 4.3-stable panics on a Soekris net-5501

2008-12-05 Thread Brian A. Seklecki
 Today I was dumping files from a wd0 disk to a mountpoint on sd0 disk
 (external USB). I accidentally unplugged the power cable of sd0 disk and

That is generally considered the proper / pragmatic behavior.

FreeBSD Foundation is sponsoring development to change this behavior to
some sort of user-configurable transient failure.  See their
announcement list.

~BAS

 my system panicked. I think this should not happen, so here are some more
 details:




Transport Mode ipsec(4) and inet6(4) gre(4) (WAS: isakmpd + gre crashing)

2008-12-24 Thread Brian A. Seklecki

All:

Back in 01/2006, circa 3.8, there was a thread related to the use of 
gre(4) and Transport Mode ipsec(4) in isakmpd(8) to protect v4 tunnels.


There was a repeatable kernel panic related to gre(4) packets needing a 
smaller MTU as they are encapsulated in ipsec(4) packets, before being 
transmitted.


I haven't looked if we have support, but gre(4) w/ ipv6 address and stf(4) 
seem to be best options out there for secure v6 tunnels.


That is, explicitly, gre(4) inside ipv6, since we don't have stf(4).

I can revisit that bug in our lab, except with a slightly larger 
encapsulation packet overhead :)


I'm wondering if a traditional ipv6 isakmpd(8) ipsec tunnel (using IPv4 
endpoints?!) is a safe alternative, or what other solutions people are 
cooking up on OpenBSD for tunneling IPv6 security.


Thanks for your feedback and safe holidays to all!

~BAS

On Mon, 9 Jan 2006, Jason Taylor wrote:


Hi Brian,

I did a few more tests this evening and I think you are right about the MTU 
issue. In OpenBSD 3.8, you can set the MTU of a GRE interface. I set the mtu 
of the GRE tunnel on one end (Perspex, which runs 3.8) and transferred a 
large file. It worked wonderfully and I am now in the process of updating my 
soekris to the latest 3.8. I think what is happening is the GRE tunnel sets 
its MTU according to the MTU of the physical interface, in my case fxp0 and 
sis0 and does not take into account the added overhead of IPsec...



Cheers,

/Jason

On Jan 9, 2006, at 4:41 PM, Brian A. Seklecki wrote:




But as soon as I start an scp from Perspex to Soekris, Perspex reboots
after a few hundred kb.  Unfortunately, Perspex is in a datacenter and I
do not have console access to it to see what the heck is happening at that
exact moment.


I don't recall.  But for the record (IPSEC inside GRE):

If the Transport IPSEC connection is negotiated between two hosts inside the 
GRE tunnel private subnet and the IPSEC connection goes down, the data flows 
in cleartext.  *bad*


The opposite would be (GRE-inside-IPSEC-Transport):

If the Transport IPSEC tunnel is built between the two hosts' public 
interfaces and the GRE tunnel is built normally and thus encrypted, things 
should work.  Of course, we run into the crash.


The trick was I tried it on OpenBSD/Sparc where there is no-such-thing as 
Flash back to the BIOS and it turns out a Sun watchdog timer is getting 
hit.  Watchdog timers on i386 must cause the BIOS to reset. So the problem 
is in-kernel and the config is probably too obscure for developers to spend 
time on.


My solution was to re-IP my network properly, and use IP Supernets/ 
summarization/ subnet aggregation thus consolidating the need for so many 
spokes on a hub-and-spoke VPN config.


~~BAS



I noticed that there were no responses to your thread, but I was wondering
if you had worked out your problem or if you decided to go the ipsec
encapsulated in gre.

Cheers,

/Jason
--
Jason Taylor
e: j...@jtaylor.ca
m: 514-815-8204




l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8




l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

Show me a young conservative and I'll show you someone with no heart.
Show me an old liberal and I'll show you someone with no brains.
~ Winston Churchill



Re: Transport Mode ipsec(4) and inet6(4) gre(4)

2008-12-25 Thread Brian A. Seklecki

I haven't looked if we have support, but gre(4) w/ ipv6 address and stf(4)
seem to be best options out there for secure v6 tunnels.


That sounds... bizarre.



According to ipv6book.ca, M. Blanchet.  It's a good read, except 
OpenBSD/NetBSD are neglected (probably because of the stf(4)/6to4(4) 
absence).


He also doesn't talk about _securing_ GRE tunnels, although the logical 
assumption would be transport mode ipsec between v4 endpoints.


~BAS



Re: logging smtp connections

2009-05-08 Thread Brian A. Seklecki
On Sat, 2009-05-02 at 05:06 -0500, Robson Caetano wrote:
 Hi
 
 I would like to log From:, To: and Subject: fields of
 every SMTP connection to my internal SMTP server
 that is passed by the openbsd firewall.
 

You're better off doing that within your MTA.  Courier has a Big Brother
feature:

etc/courier/courierd:#  ARCHIVEDIR=/usr/lib/courier/bigbrother

~BAS



Re: unable to redirect port 443 from the internet to an internal server

2009-06-10 Thread Brian A. Seklecki
On Wed, 2009-06-10 at 09:24 -0700, Journey Man wrote:
 Yet another rule that redirects port 1443 to port 443 works:

Try tcpdump:

% sudo tcpdump -i $ext_if 'port 443'

Then try to re-create the TCP socket from a 3rd party remote host.  See
if the syn packet comes in.  If not, then your ISP could be blocking
inbound 443.

You should punish them, if so.  Or use IPSEC/ESP.

~BAS



Re: Multiple IPSec-tunnels and load balancing

2009-06-30 Thread Brian A. Seklecki
On Tue, 2009-06-30 at 11:15 +0200, u...@o3si.de wrote:
 Is it possible to load balance / failover the traffic over IPSec? If
 so,
 should I use GIF for load balancing / routing?

That's what Cisco DMVPN is, as far as I can tell.  Was just reading
about it.

You're talking about GRE tunnels to two intermediary facilities on the
way to a common 4th facility?  Assign the routes equal cost path
routing?

~BAS

 
 Thanks in advance for anyone's advice!



Re: LaCie

2009-08-14 Thread Brian A. Seklecki
On Tue, 2009-08-04 at 13:53 -0300, Marcos Laufer wrote:
 Hello, has anyone had any experience with LaCie Raid and Storage

very Feng shui

~BAS 
 
  I'm the kind of Mac-using sociopath that looks at an external
   NAS and asks: 'What kind of RAID array defines me as a person?'



Re: cell card on vaio p

2009-11-03 Thread Brian A. Seklecki
On Fri, 2009-10-30 at 12:01 -0700, Lawrence-Sporkton wrote:
 I believe it's the Gobi 1000 or Gobi UNDP-1 which appear to be the same
 device

Very odd.  This is a CDMA/3G/GSM/EVDO modem?

Normally they show up as PCMCIA, USB, or PCI Serial devices.

A lot of times the PCMCIA ones present a USB Host Controller which
presents a UCOM and UMASS (with the drivers).

I was just reading that the Cricket USB one has to have a special
GNU/Linux driver that switches it from UMASS to UCOM for PPP:

http://www.ubuntugeek.com/how-to-setup-cricket-wireless-a600-broadband-modem-in-ubuntu.html

Anyway, you may be a pilgrim on unholy lands.

~BAS



Re: Starting a Radius / Nas in openbsd

2009-11-03 Thread Brian A. Seklecki
On Fri, 2009-10-30 at 22:08 +0100, C. Diego Raffaelli A. wrote:
 Any idea? Am I right using OpenBSD and trying to use Radius and/or
 NAS??

RADIUS Authentication and RADIUS Accounting are what you want, but
that's off-topic for this list.

Look in ports for RADIUS servers.

Good luck.  

~BAS



Re: Server trouble shooting

2007-10-31 Thread Brian A. Seklecki
 Since I can't connect 
 successfully via ssh is there anything else I could be doing remotely?

...you could be researching a Lights-out-Management solution for your
server (Dell DRAC, Sun LOM).  Best all-around solution is a PC-Weasel
(realweasel.com) connected to the system next to it (or a RAS
concentrator).

If the system is completing 3-way TCP handshake, then you're dead in the
water.  Consider making the system highly available.

~BAS



Re: OpenBSD 4.2 hardware recommendation

2007-11-02 Thread Brian A. Seklecki
On Sat, 3 Nov 2007, Martin Schröder wrote:


 You don't need one computer with two discs and two psus; instead get
 two systems and use carp to get HA. Also 2GB for a firewall is
 overkill. Spend the money on the NICs instead.

If he's going to be doing local processing of pcap(4) data into some sort 
of SNORT+ACID+PostgreSQL, he's going to want RAID and all that jazz.

But I think we can all agree that it's best admin practice to move that 
data off to a remote system for archival/processing.

He's also going to draw 8 AMPs :}

~BAS



Re: OpenBSD 4.2 hardware recommendation

2007-11-02 Thread Brian A. Seklecki

If he's going to be doing local processing of pcap(4) data into some


pcap(3), of course, is what I meant :}



Re: OS not seeing all RAM (1GiB less)

2007-11-12 Thread Brian A. Seklecki
On Mon, 2007-11-12 at 22:40 -0500, C Thala wrote:
 What would cause a 4.1 machine running on a Dell PowerEdge 1950 to see only
 3,220,439,040 bytes of RAM as opposed to the 4GB that it really has
 (confirmed by BIOS)?

A little something-something called PAE.

You're probably running 4.1/i386? 

What you want to do is install the amd64 release on the 9th gen.  

~BAS



Re: snmpd on current

2007-11-21 Thread Brian A. Seklecki

On Wed, 21 Nov 2007, Insan Praja SW wrote:


Date: Wed, 21 Nov 2007 18:45:47 +0700
From: Insan Praja SW [EMAIL PROTECTED]
To: misc@openbsd.org misc@openbsd.org
Subject: snmpd on current

Hi all,
I'm currently running 4.2-current and installing net-snmp-5.4.1 from ports
(updated). Something is wrong: when I run snmpd, it seems to eat all CPU
and memory keeps getting bigger.. is there anything wrong?
thanks..



Run it in foreground w/ verbose debugging.  Worst case scenario, resort to 
ktrace/kdump.


http://linux.die.net/man/1/snmpcmd

-DALL -Lo -f  looks promising.

~~BAS



Re: Site-to-site IPSec VPN between OpenBSD and Cisco PIX 515E

2007-11-21 Thread Brian A. Seklecki

On Thu, 22 Nov 2007, Shohrukh Shoyoqubov wrote:


Date: Thu, 22 Nov 2007 09:46:54 +0500
From: Shohrukh Shoyoqubov [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Re: Site-to-site IPSec VPN between OpenBSD and Cisco PIX 515E

From which machine do I have to do ping -I A.B.C.D  E.F.G.H

pf has default config and allows everything

forwarding is enabled


What does netstat -rn -f encap look like?

~bas



Christoph Leser wrote:

you could try

ping -I A.B.C.D  E.F.G.H




Update RAIDFrame-Enabled ISO for 4.2

2007-11-30 Thread Brian A. Seklecki

Updated diff, ISO image, build instructions.

http://people.collaborativefusion.com/~seklecki/obsd_wRAIDFrame.html

Note:  There's a small problem with my regex in install.sub that prevents 
scanning of RAIDFrame boot lines in dmesg.boot.


The work-around from the bsd.rd shell is to:

$ export MDDKDEVS=/^raid[0-9]/p
$ ./upgrade

It's ugly but it works.  Also, don't forget to:

$ cd /dev
$ sh MAKEDEV raid0
$ sh MAKEDEV raid1

...beforehand.  Tested a 4.0-stable to 4.2-stable upgrade (2x)

~BAS



Re: VPN Concentrator

2007-11-30 Thread Brian A. Seklecki

On Fri, 30 Nov 2007, Khalid Schofield wrote:


Hi,
I'd like to make a VPN Concentrator using openbsd. I want users to be
able to authenticate using usernames and passwords and to either nat
the users or give them an ip from our main dhcp server via a bridge.


That's a tall order.  In Cisco-land a VPNC3000k will run you $5k plus 
SMARTNet.  You'll need isakmpd(8) policies.  You'll need dhclient-server 
relay support.  You'll need XAuth authentication (Possibly via PAM). 
You'll need IPSEC NAT-T.  Maybe tie it all together with LDAP and PKI.




Re: pflog filling up /var mount every 2-3 days!

2007-11-30 Thread Brian A. Seklecki

On Fri, 30 Nov 2007, Jake Conk wrote:


Hello,

I have my /var partitioned out to be 150mb which I thought was a


You're probably getting a lot of log hits on a default block log all at 
the end of your rules.  You can prevent a lot of crud by doing block 
quicks w/o log statements for the following:


-) Multicast crud (Apple users)
-) Windows NetBIOS/CIFS Broadcast crap
-) IPv6

Good examples can be found.

~BAS
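A rule-set skeleton along the lines of the advice above, as an added example rather than anything posted in the thread. The interface names and the LAN prefix are assumed; the point is that the expected, uninteresting drops are matched by `block quick` rules without `log` ahead of the catch-all, so only the unexpected traffic reaches pflog0 and /var/log/pflog.

```pf
# Added example, not from the thread.  fxp0/fxp1 and the LAN prefix
# are assumed.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"

# OpenBSD 4.x ordering: options and normalization before filter rules.
# 'set skip on lo0' keeps loopback traffic out of the log as well.
set skip on lo0
scrub in all

# Expected noise, dropped first with 'quick' and WITHOUT 'log', so the
# catch-all below never sees it and pflog0 stays quiet:

# 1) Multicast chatter (mDNS/Bonjour, SSDP, IGMP).  The destination
#    range covers all of IPv4 multicast.
block quick inet from any to 224.0.0.0/4

# 2) Windows NetBIOS name/datagram service broadcasts and SMB probes
#    from the LAN.  They never need to leave the segment.
block quick on $int_if proto { tcp, udp } from $lan to any \
    port { 137, 138, 139, 445 }

# 3) IPv6 on a site that does not route it (router solicitations and
#    neighbour discovery otherwise show up constantly).
block quick inet6

# Everything else that is denied is the interesting part: this is the
# only blocking rule that logs.
block log all

# Explicit pass rules follow (last match wins for non-quick rules).
pass out on $ext_if keep state
pass in  on $int_if from $lan keep state
```

Once the noise is out of the way, `tcpdump -n -e -ttt -r /var/log/pflog` shows each remaining line with the rule number that produced it, which is the quickest way to see whether anything else deserves its own silent `block quick` ahead of the catch-all.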



Re: no 4.2-stable package updates??

2007-12-12 Thread Brian A. Seklecki
There's a vulnxml feed for OpenBSD ports.  It should be updated with
critical patches, and those should be pulled into 4.2-stable.

If your business depends on OpenBSD ports, maybe you can sponsor a
4.2-stable build sandbox.  I know mine does, and I'm happy to host it.

We're talking at-most 30 minutes a day of TLC.

~BAS


On Wed, 2007-12-12 at 17:06 +0100, Antoine Jacoutot wrote:
 On Wed, 12 Dec 2007, ico wrote:
  How do you gents keep your 4.2 stable OpenBSD server ( read packages,
  not system ) bug free?
  If I remember correctly, I'm not supposed to use 4.2 stable system
  with current ports.
 
 Personally, I use -current (base+packages) everywhere.
 But this is just me.
 
-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.







Re: no 4.2-stable package updates??

2007-12-13 Thread Brian A. Seklecki
  critical patches, and those should be pulled into 4.2-stable.
 
 Unfortunately, it isn't that easy. Some updates imply updates of
 depending ports (e.g. poppler and evince), which may imply further
 updates of dependencies. So you'll end up with -current -- more or
 less, including more updates...

Mattias:  

Making that distinction the critical thinking responsibility of the
system administrator.  

No vulnxml syntax exists for describing ranges of vulnerable versions
compatible with every project's versioning and release engineering
scheme, as they all differ.

That should not stop us from doing the best we can with the existing
limitations. 

~BAS



Re: Had a strange problem with CARP preemption

2007-12-19 Thread Brian A. Seklecki
On Thu, 2007-12-20 at 15:31 +1100, Dave Harrison wrote:
 Because carp doesn't log its state changes etc, I've been writing the

Over Christmas, I may backport the FreeBSD carp(4) logging improvements
and submit them with kernel/5512.

~BAS



Re: Trouble Installing OpenBSD 4.2 stable

2007-12-28 Thread Brian A. Seklecki
On Fri, 2007-12-28 at 17:16 -0600, Alan Hamlett wrote:
 Currently running OpenBSD i386 3.8 with one 20GB IDE drive at wd0a and
 one 250gb IDE drive all partitioned for bsd.
 
 Trying to install OpenBSD i386 4.2 from install42.iso by trading the
 250gb drive for a cd-rom drive.
 
 I keep getting this error message and I believe it has to do with the
 missing 250gb drive:
 
 /dev/rwd0a: file system is clean; not checking
 Can't open /dev/rwd1d: Device not configured
 CAN'T CHECK FILE SYSTEM.
 /dev/rwd1d: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY.

The upgrade script tries to read your old fstab(5) and fsck(8) your
existing file systems.

wd1* is attached when your drive is there.  When you replace it with a
ROM it goes away.

The same error would happen if you booted the system w/o the 250
attached in 3.8.

Just comment out wd1* entries in your fstab(5) before you boot into the
install CD.

We're assuming here that wd1* contains data-only and no system
partitions.

~BAS

 Automatic file system check failed; help!
 
 My dmesg output:
 
 OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel Celeron (GenuineIntel 686-class, 128KB L2 cache) 498 MHz
 cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
 real mem  = 199860224 (195176K)
 avail mem = 175497216 (171384K)
 using 2465 buffers containing 10096640 bytes (9860K) of memory



sudo 1.6.9p20 patch in OPENBSD_4_3 and OPENBSD_4_4

2009-02-10 Thread Brian A. Seklecki
All:

Do we want to slip this into presently supported branches containing
1.6.9p17?  It's a quick patch:

http://www.sudo.ws/cgi-bin/cvsweb/sudo/parse.c.diff?r1=1.160.2.21&r2=1.160.2.22&only_with_tag=SUDO_1_6_9

I tested it on -rOPENBSD_4_3.  Just be sure to nuke the version string.


$ more sudo_p20.patch 
===
RCS file: /home/anoncvs/cvs/sudo/parse.c,v
retrieving revision 1.160.2.21
retrieving revision 1.160.2.22
diff -u -p -r1.160.2.21 -r1.160.2.22
--- sudo/parse.c2008/11/02 14:35:53 1.160.2.21
+++ sudo/parse.c2009/01/28 00:50:01 1.160.2.22
@@ -651,9 +651,11 @@ usergr_matches(group, user, pw)
 /*
  * If the user has a supplementary group vector, check it first.
  */
-for (i = 0; i  user_ngroups; i++) {
-   if (grp-gr_gid == user_groups[i])
-   return(TRUE);
+if (strcmp(user, user_name) == 0) {
+   for (i = 0; i  user_ngroups; i++) {
+   if (grp-gr_gid == user_groups[i])
+   return(TRUE);
+   }
 }
 if (grp-gr_mem != NULL) {
for (cur = grp-gr_mem; *cur; cur++) {
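Review bot: the new `strcmp(user, user_name) == 0` guard is the right scope for the supplementary-group shortcut, since `user_groups`/`user_ngroups` describe the invoking process's own group vector and say nothing about an arbitrary `user` being matched; but for the non-invoking case the function now relies solely on the `grp->gr_mem` walk that follows, so a user whose membership comes only from the primary gid in their passwd entry will not match here unless `pw->pw_gid` is compared against `grp->gr_gid` elsewhere in usergr_matches(). The `pw` argument is already in the signature, so that check is cheap to add if it is missing; a one-line comment above the new `if` saying why the vector is only trusted for `user_name` would also save the next reader the same question. Note that the list archive has stripped the `<` from `i < user_ngroups` and the `->` from `grp->gr_gid` in the pasted hunk; the session below shows the real file applied cleanly.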


sekle...@seawing:/usr/src/usr.bin$ sudo patch -p0 < sudo_p20.patch 
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--
|===
|RCS file: /home/anoncvs/cvs/sudo/parse.c,v
|retrieving revision 1.160.2.21
|retrieving revision 1.160.2.22
|diff -u -p -r1.160.2.21 -r1.160.2.22
|--- sudo/parse.c   2008/11/02 14:35:53 1.160.2.21
|+++ sudo/parse.c   2009/01/28 00:50:01 1.160.2.22
--
Patching file sudo/parse.c using Plan A...
Hunk #1 succeeded at 606 (offset -45 lines).
done



Re: ipsec(4) routing for a branch offices

2007-10-18 Thread Brian A Seklecki (Mobile)
On Thu, 2007-10-18 at 09:35 +0200, Mitja Muženič wrote:
 This is the correct behaviour, as ipsec tunnel selection happens earlier in
 the process than route selection, the traffic for 192.168.64.0/24 enters the
 tunnel because it matches the remote subnet 192.168.0.0/16. 
 
 Use this on the 192.168.64.1 machine to create a bypass flow in
 ipsec.conf:

This works exceptionally well!  Thanks very much.  Beers on us.

As for correct behavior, that may be accurate from a pragmatic source
code ip_output()/ip_output() standpoint, but very few IP stacks give
Directly Connected routes lower priority than IPSec SAs.

IMHO, it is important to follow the precedent set. 

~BAS

 flow esp from 192.168.64.0/24 to 192.168.64.0/24 type bypass
 
 This will prevent the traffic from 192.168.64.0/24 to 192.168.64.0/24 from
 entering the tunnel.
 
 Mitja
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Brian A. Seklecki
  Sent: Thursday, October 18, 2007 2:02 AM
  To: misc@openbsd.org
  Subject: ipsec(4) routing for a branch offices
  
  On a variety of 3rd party platforms, I often establish an SA 
  between two IPSec devices with a /16 of RFC 1918 space on one 
  side and a /24 on the other (sometimes as much as a /19).
  
  This uneven size subnet arrangement prevents the need for 
  full-mesh in a large corporate network.  It allows for hub & spoke.
  
  I remember an OpenBSD 3.6-era bug, which I was certain was 
  PR'd and fixed, that caused this configuration to fail.  On a 
  remote branch office policy router, I have the following 
  ENCAP family routes (below)
  
  Here's the problem:
  
  1) Traffic sourced from the internal interface 
  (192.168.64.1/24) for the directly connected subnet 
  192.168.64.0/24 is transmitted across the tunnel in ESP
  
  2) Traffic from the locally connected subnet reaches the 
  interface of the internal (64.1/24), but reply packets are 
  attempted to be forwarded across the tunnel instead of back out 
  of the physical interface
  
  Routing tables
  
  # netstat -rn -rf encap
  Encap:
  Source         Port  Destination    Port  Proto  SA(Address/Proto/Type/Direction)
  192.168/16     0     192.168.64/24  0     0      206.210.89.200/esp/use/in
  192.168.64/24  0     192.168/16     0     0      206.210.89.200/esp/require/out
  
  # netstat -rn -f inet
  Internet:
  Destination    Gateway         Flags  Refs  Use     Mtu  Interface
  default        71.166.xxx.xxx  UGS    11    173981  -    em2
  71.166.245/24  link#3          UC     1     0       -    em2
  192.168.64/24  link#1          UC     4     0       -    em0
  
  Strange as hell
  
  $ sudo tcpdump -i em0 -s 256 !port 22 &
  $ ping 192.168.64.100 
  PING 192.168.64.100 (192.168.64.100): 56 data bytes
  
  [but, what is seen on another terminal]
  
  [1] sudo tcpdump -i em2 -s 256 !port 22 &
  20:00:28.610672 esp x.east.verizon.net  
  vpncxxx.pub.collaborativefusion.com spi 0x0ACAEE17 seq 89 len 116
  
  ICMP packets giving me the old slip-a-roo out the back door :}
  
  -- 
  Brian A. Seklecki [EMAIL PROTECTED]
  
  
  



CEF / MLS (WAS: Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?)

2007-10-21 Thread Brian A Seklecki (Mobile)
On Mon, 2007-10-22 at 00:12 +0100, Tony Sarendal wrote:
 On 10/21/07, Henning Brauer [EMAIL PROTECTED] wrote:

I'll throw this out there since it's been something on my mind for a
while:

Hardware VLAN tagging, TOE offload, IP/UDP/TCP Checksum offload,
interface polling are all ways to accelerate packet forwarding.  How
about a standards-based hardware-software API equivalent to Cisco's
CEF or MLS?

The basics:  
 - layer 3 or layer 4 state (flow) is identified and established using
   software IP-forwarding.  
 - the software dynamically programs the switching hardware backplane
   ASIC to accelerate forwarding the flow w/o software further
   inspection (Including Fragment Reassembly, etc.)

There is probably a huge market out there for commodity standards-based
hardware (if it could be done).

~BAS



Re: Installing the latest snapshot freezes on i386

2007-10-23 Thread Brian A Seklecki (Mobile)
On Tue, 2007-10-23 at 01:42 -0700, Reza Muhammad wrote:
 Hi all,
 
 I just recently purchased a brand new HP Pavilion
 G3035L Desktop PC (spec:
 http://www.anugrahpratama.com/product/21/1092/HP-Pavilion-G3035L-Desktop-PC).
  It's using Intel Core Duo processor.  I tried to
 install OpenBSD's latest snapshot to this machine last
 night.  The thing is it freezes and it wouldn't
 install.   Here's the messages I got from my screen:

Try interrupting boot and booting into the real-time kernel config:

[OpenBSD banner]
boot> boot -c

ukc> verbose
ukc> enable acpi0
ukc> disable apm0
ukc> exit

~BAS

 ehci0: timed out waiting for BIOS
 usb0 at ehci0: USB revision 2.0
 
 Does anyone know what the problem is?  Are some of the
 hardware aren't supported by OpenBSD? What should I do
 so this machine can run OpenBSD?
 
 Thanks for the help.  I appreciate it. 
 
 -Reza
 Tired of spam?  Yahoo! Mail has the best spam protection around 
 http://mail.yahoo.com 



Re: SUMMARY: Still unable to get Cyclades Z serial ports working with OpenBSD

2007-10-25 Thread Brian A Seklecki (Mobile)
On Thu, 2007-10-25 at 14:39 -0700, Don Jackson wrote:
 no channels attached

Well, no channels attached tells me it's a hardware issue
(cables`n`shit), or the software failing to properly probe the hardware.

Does it work in another system under another platform (Linux LiveCD,
etc.)?


I use the Y-Series on NetBSD and it's finicky.  There are times when my
systems refuse to post the BIOS until I re-seat the card.

cy0 at pci0 dev 15 function 0: Cyclades-Y multiport serial
cy0: interrupting at irq 7
cy0: 16 channels (ttyCY000..ttyCY015) -- !!! NOTE THIS !!!


~BAS



Re: CEF / MLS (WAS: Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?)

2007-10-26 Thread Brian A Seklecki (Mobile)
On Mon, 2007-10-22 at 12:04 +0200, Henning Brauer wrote:
 * Claudio Jeker [EMAIL PROTECTED] [2007-10-22 08:17]:
  Fragment Reassembly does not happen in the forwarding plane, it happens on
  the end system. By doing flow based forwarding on the router you're no
  longer able to do all the additional checks that pf(4) is doing in its
  stateful forwarding path.
 
 and we don't actually need these on a non-edge router. I'd go so far
 to say they hurt in that case.

I agree.

Just to confirm... you do not encourage the use of fragment reassembly
at forwarding points other than the network periphery?

We recently ran into some intermittent TCP connection stalls in a
network where end point systems were behind as many as three PF systems
end-point to end-point.  pfctl -x loud had a direct correlation to the
stalls and reassemble debug activity output.

We didn't debug it too much because there was a mix of 3.7, 3.9, and 4.1
systems and we wanted to standardize on 4.2 before filing any
superfluous bug reports.

~BAS

   There is probably a huge market out there for a commodity standards
   based hardware (if it could be done)
  I doubt it, the necessary HW is just to expensive and complex.
 
 I totally agree with the statement that there is a huge market for 
 that - but getting supported, fully working hardware at reasonable 
 prices for it is indeed a gigantic challenge.
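The "basics" list in the earlier post (flow identified in software, then programmed into the switching ASIC) and Claudio's point in this thread (once the flow is offloaded, the stateful checks and fragment reassembly no longer run) can be made measurable with a small model. This is an added Python example written for this page, not code from the list, from pf(4) or from any router vendor; the packets, prefixes, interface names and the "ASIC" dictionary are all constructed, and fragments are simplified to still carry a 5-tuple so they can be keyed at all.

```python
"""Toy model of flow-based forwarding (the CEF / MLS idea from the thread)
next to a stateful software path, so the trade-off is measurable.
Constructed example: no real ASIC, no pf(4) code, made-up traffic."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, str, int, int, int]  # (src, dst, proto, sport, dport)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int              # 6 = TCP
    sport: int
    dport: int
    flags: str = ""         # TCP flags as letters, e.g. "S", "A"
    fragment: bool = False  # needs reassembly before L4 checks can run
    # Simplification: fragments here still carry their 5-tuple; real
    # non-first fragments have no L4 header, which is part of why the
    # hardware path cannot do this work.


def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.dst, p.proto, p.sport, p.dport)


@dataclass
class Router:
    offload: bool                       # program flows into the "ASIC"?
    routes: Dict[str, str]              # dst prefix -> outgoing interface
    asic: Dict[FlowKey, str] = field(default_factory=dict)
    states: Dict[FlowKey, str] = field(default_factory=dict)
    inspected: int = 0     # packets that went through the software path
    hw_forwarded: int = 0  # packets forwarded by the flow cache alone
    reassembled: int = 0   # fragments handled by the software path
    dropped: int = 0       # packets refused by the stateful checks

    def lookup_route(self, dst: str) -> Optional[str]:
        for prefix, ifname in self.routes.items():
            if dst.startswith(prefix):
                return ifname
        return None

    def slow_path(self, p: Packet) -> Optional[str]:
        """Software forwarding with the checks a stateful firewall does."""
        self.inspected += 1
        if p.fragment:
            self.reassembled += 1           # reassembly only happens here
        key = flow_key(p)
        if key not in self.states:
            # A new TCP flow must start with a SYN; anything else belongs
            # to a flow we never saw and is dropped.
            if p.proto == 6 and "S" not in p.flags:
                self.dropped += 1
                return None
            out_if = self.lookup_route(p.dst)
            if out_if is None:
                self.dropped += 1
                return None
            self.states[key] = out_if
            if self.offload:
                self.asic[key] = out_if     # program the hardware backplane
        return self.states[key]

    def forward(self, p: Packet) -> Optional[str]:
        key = flow_key(p)
        if self.offload and key in self.asic:
            self.hw_forwarded += 1          # no inspection, no reassembly
            return self.asic[key]
        return self.slow_path(p)


def simulate(offload: bool) -> Dict[str, int]:
    """Push the same constructed traffic through a router with or without
    hardware flow offload and return its counters."""
    r = Router(offload=offload,
               routes={"10.1.1.": "vlan109", "192.168.1.": "fxp0"})
    a, b = "192.168.1.10", "10.1.1.5"
    traffic = [
        Packet(a, b, 6, 40000, 22, flags="S"),                  # SYN: state
        Packet(a, b, 6, 40000, 22, flags="A"),                  # same flow
        Packet(a, b, 6, 40000, 22, flags="A", fragment=True),   # fragment
        Packet("192.168.1.99", b, 6, 40001, 22, flags="A"),     # no SYN seen
        Packet(a, b, 6, 40000, 22, flags="A"),
    ]
    for p in traffic:
        r.forward(p)
    return {"inspected": r.inspected, "hw_forwarded": r.hw_forwarded,
            "reassembled": r.reassembled, "dropped": r.dropped}


if __name__ == "__main__":
    for mode in (False, True):
        print("offload" if mode else "software", simulate(mode))
```

With offload on, only the first packet of each flow is inspected; the later packets of an established flow, the fragment included, are forwarded by the cache without ever reaching the software path. That is the point made in the thread: the hardware path is fine for a core router that does not need those checks, and it is exactly why a reassembling, stateful pf(4) belongs at the periphery rather than in the middle.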



Re: Problem with MP on 4.2

2007-10-26 Thread Brian A Seklecki (Mobile)
  first try to enable acpi and see what happens.
 
 
 Thanks. Enabling acpi did not make a difference, but then I disabled  
 apm and it's working.

Right -- all of the example ukc output shows how to enable acpi0 but no
one ever shows how to disable apm0.  

~BAS

 
 Abdul
 
  HTH,
  Stijn



Re: OpenBSD 4.2 RAIDFrame mirror

2007-10-26 Thread Brian A Seklecki (Mobile)
On Thu, 2007-10-25 at 10:50 +0200, Dominik Zalewski wrote:
 Dear All,
 
 I have a machine with two Maxtor 160GB hard disks. I've installed OpenBSD 4.2 
 on first one and I would like to use second one as a mirror.

If you really want to kick as the dead horse, I can probably roll a 4.2
install image that has RAIDFrame in the RD, so you can set it up
properly at install time.

Your best bet is an entry-level bio(4) manageable hardware RAID
Controller.

~BAS

 As far as I understood I will have to repartition and reinstall whole system 
 to enable second disk as a mirror. All I want is to have software RAID 1.



Re: vlan configuration: off-topic

2008-01-18 Thread Brian A. Seklecki (Mobile)
On Fri, 2008-01-18 at 11:49 -0200, John Nietzsche wrote:
 Dear gentleman,
 
 i am starting with vlan topic right now. I am in need to get two dell
 powerconnect 2724 switches to implement 3 vlan. I know how to

The Dell PC2724 can't move its mgmnt vlan from VLAN1, and *BSD vlan(1)
won't transmit VLAN 1 as tagged (per spec).

The work around is to assign VLAN1's IP on your *BSD gear to the
physical interface of your VLAN trunk.

I'm about to remove the last of any/all Dell switches from my network --
an announcement which I'm sure Dell will censure from their forums.

Ass - Holes.

~BAS



Re: Watching the prgress of dd if=drive1 of=drive2

2008-02-23 Thread Brian A. Seklecki (Mobile)
On Sat, 2008-02-23 at 12:15 -0800, Jon wrote:
 I'm using dd to clone a drive. How can I watch the progress of this or
 see the transfer rate in real time?

It should accept SIGINFO (control+G) on most terminals.  

You may also be able to compile progress(1)

~BAS




IMPORTANT: This message contains confidential information and is intended only 
for the individual named. If the reader of this message is not an intended 
recipient (or the individual responsible for the delivery of this message to an 
intended recipient), please be advised that any re-use, dissemination, 
distribution or copying of this message is prohibited. Please notify the sender 
immediately by e-mail if you have received this e-mail by mistake and delete 
this e-mail from your system.



Re: Thank you: Re: Watching the prgress of dd if=drive1 of=drive2

2008-02-23 Thread Brian A. Seklecki (Mobile)
On Sat, 2008-02-23 at 13:46 -0800, Jon wrote:
  on some learning paths here. This mailing list is awesome. Thank you.

just remember that when 4.3 CD pre-release-sales are announced :)







Re: openbsd router hardware

2008-03-01 Thread Brian A. Seklecki (Mobile)
On Mon, 2007-12-24 at 13:29 +0100, Joerg Zinke wrote:
 Hi,
 
 I'm looking for hardware to install an openbsd based dsl-router.
 I already searched the list archives and looked at WRAP and Soekris,
 but it seems that they do not match my requirements:
 
 - fanless
 - as small as possible

- Soekris
- Routerboard
- Axiomtek
- ARInfotek
- Nexcom
- Advantech
- Acrosser
- Win Enterprises

I think that we can agree that you really want to avoid VIA-anything.
You really get what you pay for.  Some set top models I've looked at:

http://www.axiomtek.com/products/ViewProduct.asp?view=470

http://www.nexcom.com/product/productshow.jsp?iid=11&pid=919

http://www.advantech.com/products/Tabletop-Intel-Pentium-MProcessor-based-Platformwith-4-PCIe-LAN-Ports-MINIPCI-Expansion-Onboard/mod_1-2JKJKY.aspx


http://www.acrosser.com/Product/Networking%20applicance/VPN-V-Series/Firewall_eden_m9923.html


http://www.arinfotek.com/product/product.asp?idx=2002&pid=11


~BAS

 - at least 2, better 3 ethernet ports
 - a wlan-card (as access point in hostap mode)
 - mainboard and other hardware should work with openbsd of course,
   would be nice to see output from hw.sensors*
 - storage should have at least 10GB, I think this leads to a real
   ide/sata-disk (maybe 2.5)
 - vga-output (because I have no other machine with a serial port to do
   the installation)
 - lcd-display (something that is supported by lcdproc, which seems to
   work fine on openbsd)
 
 Not a requirement, but nice-to-have: usb-2.0 port(s).
 
 Does anyone know a company or vendor which builds such an
 (openbsd-)ready system fulfilling the above requirements?
 
 Or did I need to start buying all pieces (maybe mini-itx based?) and
 assembly them on my own?
 
 Any hints?
 
 Regards,
 
 Joerg



Re: Simple OBSD/Samba sharing/restart question

2008-04-06 Thread Brian A. Seklecki (Mobile)
On Mon, 2008-03-31 at 12:36 -0400, Dan Brosemer wrote:
 But should you need to stop and start it, just kill off the [sn]mbd
 processes and fire them off manually.

Use /etc/rc.local as your command line flag/switch reference point.

~BAS







Re: make build fails for OPENBSD_4_4 on i386

2008-08-10 Thread Brian A. Seklecki (Mobile)
On Fri, 2008-08-08 at 13:59 +0200, Miod Vallat wrote:
 Until the cd-rom are actually created and the release is announced,
 tags are

Just trying to be helpful in reporting a build-problem during the releng
cycle.

If there's a better venue for such reports, let's have it :)

~BAS







Re: Routing issue with VPN tunnel

2008-12-14 Thread Brian A. Seklecki (Mobile)
On Mon, 2008-12-15 at 00:06 +, Danial wrote:
 I don't like responding to my own thread but I really need
 help with this one, so I'll try to rephrase the question:

Just about every userland utility has the ability to specify source
transmit addresses (bind(4) function)

If not, we can add it.  

It's probably the second-most-asked question on the Net-SNMP mailing
lists (because of all of the embedding, likely)

~BAS

 
 The remote tunnel endpoint expects traffic originating from



