Re: pf in 4.0 not honoring nat rule with table for vlan tagged interface
Very bizarre. The only advice I can offer is that maybe it's getting confused on "-> $nat_if" instead of the more pragmatic "-> ($nat_if)". Perhaps the parse code is trying too hard to resolve $nat_if in the former, and thus finding the underlying interface instead of the logical upper-layer vlan interface? Give it a shot. If not, we'll turn up debugging and log.

~BAS

On Tue, 19 Jun 2007, Albert Chin wrote:

> I have a perfectly working 4.0 firewall and decided to move one of the physical interfaces to a new vlan tagged interface. I changed the interface name in pf.conf and noticed that NAT wasn't working. The NAT rule is:
>
>     nat_if = "vlan109"
>     table <tww_nets> const { 192.168.1.0/24, 192.168.4.0/24, 10.191.57.0/24 }
>     nat pass log on $nat_if from <tww_nets> to any -> $nat_if
>
> If nat_if is a physical interface, like fxp0, the above nat rule works. I can get the nat rule to work if I omit the use of the table:
>
>     nat pass log on $nat_if from { 192.168.1.0/24, \
>                                    192.168.4.0/24, \
>                                    10.191.57.0/24 } to any -> $nat_if
>
> So:
>
> 1. If the only change I make to pf.conf is a global search/replace from fxp0 to vlan109, why doesn't pf behave as if using a physical interface?
> 2. Why the workaround above to get pf working with the vlan tagged interface? Bug in pf?
>
> --
> albert chin ([EMAIL PROTECTED])

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/

Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail? ~Maynard James Keenan
CARP interface state change logging patch
The OpenBSD PF-MIB stuff is incredibly useful -- especially the PF-MIB:CarpIFTable objects. Thanks to all involved with that. I've also had success with Net-SNMP 5.4 (opti@'s version) with those patches; will try to port them to other PF-enabled OSs soon.

In the meantime, I want to keep going with additional debugging and monitoring functionality in CARP. Here is a small patch that is incredibly useful for troubleshooting and debugging cumbersome issues. Silence is killer, especially when you turn on logging and receive nothing.

This adds functionality similar to "debug standby" in Cisco-land:

    *Mar  1 02:56:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3/0, changed state to up
    *Mar  1 02:56:14: SB0: FastEthernet3/0 state Listen  -> Init
    *Mar  1 02:56:20: SB0: FastEthernet3/0 state Init    -> Listen
    *Mar  1 02:56:30: SB0: FastEthernet3/0 state Listen  -> Speak
    *Mar  1 02:56:40: SB0: FastEthernet3/0 state Speak   -> Standby
    *Mar  1 02:56:41: SB0: FastEthernet3/0 state Standby -> Active

With this patch:

    # ifconfig carp40 vhid 40 carpdev pcn0 pass foo up
    Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: MASTER -> to: INIT
    Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: INIT -> to: BACKUP
    Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: BACKUP -> to: INIT
    Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: INIT -> to: BACKUP
    Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: BACKUP -> to: INIT
    Jun 20 03:05:46 vmware-openbsd-lab /bsd: carp40: state transition from: INIT -> to: BACKUP
    Jun 20 03:05:49 vmware-openbsd-lab /bsd: carp40: state transition from: BACKUP -> to: MASTER

I think there are probably ~20 other CARP_LOG() calls that could improve the experience, but this is a good place to start and we'll move on from there.
Against the OPENBSD_4_1 tree (rev 1.132.2.1): # cvs diff -u ip_carp.c Index: ip_carp.c === RCS file: /cvs/src/sys/netinet/ip_carp.c,v retrieving revision 1.132.2.1 diff -u -r1.132.2.1 ip_carp.c --- ip_carp.c 2007/04/30 20:39:44 1.132.2.1 +++ ip_carp.c 2007/06/20 07:03:15 @@ -2111,6 +2111,8 @@ void carp_set_state(struct carp_softc *sc, int state) { + static const char *carp_states[] = { CARP_STATES }; + CARP_LOG(sc, (state transition from: %s - to: %s, carp_states[sc-sc_state], carp_states[state])); if (sc-sc_state == state) return; l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/ Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail? ~Maynard James Keenan
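Review bot: the new CARP_LOG() call runs before the existing `if (sc->sc_state == state) return;` check, so a call that leaves the state unchanged is still logged as a transition (e.g. "from: BACKUP -> to: BACKUP"), which inflates any flap count derived from these lines; move the log below the early return, or guard it with `sc->sc_state != state`. Also worth a line in the commit message: if CARP_LOG() output is gated by the net.inet.carp.log sysctl, as the other carp protocol messages mentioned later on this page are, readers need to be told the new line appears only with that sysctl set, otherwise the "silence" this patch is meant to cure will look unchanged.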
Re: [Nagiosplug-devel] nagios check_carp for OpenBSD carp(4)
Just to follow up: I have written a plugin that uses the somewhat complete PHP Net-SNMP bindings (no getsnmptable()?!) and the new PF-MIB::CARP Agent Extensions to Net-SNMP snmpd(8). I'll post it on NagiosExchange for review if/when I can deploy a production 4.1-stable system.

~BAS

On Fri, 2006-12-15 at 19:15 -0500, Brian A. Seklecki wrote:

> Thoughts? Strategies? Ideas?

---
IMPORTANT: This message contains confidential information and is intended only for the individual named. If the reader of this message is not an intended recipient (or the individual responsible for the delivery of this message to an intended recipient), please be advised that any re-use, dissemination, distribution or copying of this message is prohibited. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.
Re: max number of connections through the firewall
From previous discussions (search the archives) this has nothing to do with userland memory available but with kernel data structures. Also read the pf.conf(5) man page:

    OPTIONS
        pf(4) may be tuned for various situations using the set command.

        interval   Interval between purging expired states and
        [...snip...]

    set limit states 1

~BAS

On Wed, 20 Jun 2007, Florin Andrei wrote:

> I am trying to approximate the maximum number of open TCP connections that an OpenBSD firewall can support at any given time. The scenario here is a firewall with 2 interfaces, a bunch of Web servers behind it on private IP addresses, a fairly simple set of rules (NAT each server on a public IP address on the external interface, allow HTTP in, deny the rest). How much memory is used by every new TCP connection that the firewall needs to keep track of? Will the firewall run into other problems before it runs out of memory? Will NAT use memory in the scenario described above?
>
> --
> Florin Andrei
> http://florin.myip.org/

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
Re: OBSD 4.1 drops to ddb with cdd0: error 22 on component 0 (and 1 (mirror))
This is the expected behavior for a failure on a CCD component. Try cutting the SATA cable to a live system some time; watch the kernel panic there as well. Suddenly it can't stat() / or read/write from swap.

You're playing with fire with CCD anyway: RAID0. The stuff in 4.1 wasn't touched for months... 6, 10, 11, 11, look at the time between commits. There's some new recent activity. Try RAIDFrame w/ raid0 for a little more active development.

~BAS

On Thu, 2007-06-14 at 15:56 +0200, Marius Hooge wrote:

> Hi, I don't know how to handle this: My OpenBSD 4.1 Generic i386 box occasionally freezes completely, without any warning. No Ctrl+Mod1+F1 or any other key combination, no ssh or ping works.
Re: Kernel MINIROOTSIZE 8192 = No Boot
On Fri, 2007-06-15 at 16:51 +, Tobias Weingartner wrote:

> And no information about the machines beyond that? No dmesg, no information

    option NKPTP=16

...fixed it. I wasn't going to burn 200k and 30 minutes on an e-mail about an issue that likely someone already knows about and has a quick one-line fix such as this. (Only to get a "you're not running GENERIC" response.) I know there are people out there running embedded environments who were testing 4.1 during -current.

~BAS

--
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.
Re: vlan configuration: off-topic
> maybe and *BSD vlan(1) won't transmit VLAN 1 as tagged (per spec)

Correct -- thank you. I misspoke. It _will_ transmit it tagged as VLAN1 (if a vlan1 interface is defined), but whether the receiving VLAN1 interface on the PowerConnect can ever receive is anyone's guess. I suppose it depends on whether the OpenBSD system is directly connected to the PowerConnect, what the configurations in the PowerConnect for that switchport are, if there are intermediary switches between the two (possibly from other vendors), what that vendor's VLAN1 behavior is, etc.

~BAS

> sure it will.
>
>     ifconfig vlan1 vlan 1 vlandev something
Re: vlan configuration: off-topic
On Sun, 2008-01-20 at 00:11 +, Mike wrote:

> Hey Brian, I read your post about removing Dell switches from your network. Just curious, which models are you referring to?

PowerConnect 27xx Managed Entry-Level. Everything else is a re-branded Cisco with a crippled IOS version.

~BAS
Re: Remote syslog
syslog-ng + transport mode IPSec (or tunnel, if you have infrastructure on either end). Use pf(4) to ensure that only IPSec peers can write.

~BAS

On Tue, 2008-02-19 at 21:42 -0700, Steve B wrote:

> and whether you are doing it over SSH or IPSEC? I have looked at various
Re: Projector/external monitor not working on OpenBSD 4.2-current on Thinkpad X60
Read the man page i810(4):

    Option "MonitorLayout" "anystr"
        Allow different monitor configurations. e.g. "CRT,LFP" will configure a CRT on Pipe A and an LFP on Pipe B. Regardless of the primary head's pipe it is always configured as "PIPEA,PIPEB". Additionally you can add different configurations such as "CRT+DFP,LFP" which would put a digital flat panel and a CRT on pipe A, and a local flat panel on pipe B. For single pipe configurations you can just specify the monitor types on Pipe A, such as "CRT+DFP" which will enable the CRT and DFP on Pipe A. Valid monitors are CRT, LFP, DFP, TV, CRT2, LFP2, DFP2, TV2 and NONE. NOTE: Some configurations of monitor types may fail, this depends on the Video BIOS and system configuration. Default: Not configured, and will use the current head's pipe and monitor.

On Thu, 2008-02-21 at 15:41 +0530, Amarendra Godbole wrote:

> I am unable to move the display to a projector or an external monitor on my Thinkpad X60, which is running OpenBSD 4.2-current. Fn-F7 is the key combination to be used to switch displays, but it does not work. Now, I am not too sure if this is a function of the OS, or Thinkpad's firmware. Search engines turned up nothing. Can someone suggest a way by which I can make use of an external monitor? Any software package to control this? Thanks.
>
> -Amarendra
Re: libc.so.39.3
It would be in the base.tgz in release 3.9. You may have upgraded and an old binary may be linked against the old version. Try making a symlink.

On Sat, 2008-02-23 at 14:07 -0500, Jay Hart wrote:

> On base OpenBSD 4.2. What package should I install to get the above library? Thanks, Jay
Re: libc.so.39.3
On Sat, 2008-02-23 at 12:30 -0700, Theo de Raadt wrote:

> No, do not make a symbolic link.

Right, for the record and mail archives, a symlink would only be a temp solution and is not guaranteed (likely even) to solve the problem. Obviously, Jay is not working in a production environment, otherwise he would have staged his upgrade process in a lab environment :}

Let us know if you have any ports recompile problems, but read the entire FAQ, and search the list archives, before posting!

~BAS
Re: Watching the progress of dd if=drive1 of=drive2
On Sat, 2008-02-23 at 12:15 -0800, Jon wrote:

> I'm using dd to clone a drive. How can I watch the progress of this or see the transfer rate in real time?

http://www.openbsd.org/cgi-bin/cvsweb/src/bin/dd/dd.c?rev=1.15&content-type=text/x-cvsweb-markup

    main(int argc, char *argv[])
            (void)signal(SIGINFO, summaryx);
Re: openbsd router hardware
On Sun, 2008-03-02 at 09:04 +0100, Joerg Zinke wrote:

> This will be my first VIA Board, will see how it works...

That's great news. I run some VIA -- not at all bad. But they've still got a long way to go before they re-earn the community's trust. A decade of problems doesn't just go away overnight.

~BAS
Re: openbsd router hardware
On Wed, 2008-03-05 at 09:55 -0800, Joe wrote:

> Perhaps you got a bad board in your past?

I've had 10 years of bad VIA chipsets (pciide(4), etc.). Anyone who has been on the lists for a few years knows the same old story.

    Results 1-10 of about 3,170 for "bsd VIA ATA dma error"

~BAS
Re: PF and application level firewall
On Tue, 2008-03-11 at 09:51 -0700, Rami Sik wrote:

> Hi All,

You can transparently re-write any application (TCP port) to a localhost security proxy and/or other system using pf(4)'s RDR.

~BAS

> I currently have PF in place with CARP, and am quite happy with them. I need to implement application level firewalling in front of my apache servers as a PCI requirement by the end of June this year. So, my question is, do we have any application level firewalling support on OpenBSD? Or, which third-party tool/application would you suggest for that purpose? Thanks, Rami

--
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.
Re: Vlan tagging and Carp
On Wed, 2008-03-26 at 09:32 -0400, G 0kita wrote:

> Hello all! I'm having some trouble with getting an OpenBSD box to properly tag packets via 802.1Q. I'm setting up an OpenBSD 4.2 router pulling data off a trunk port on a Cisco 2960 switch. I can see the packets traverse the stack upwards but they are

The two physical/vlan interfaces on each unit should have an IP address in the subnet (.2 and .3 respectively, normally). The CARP interface on each system on each box should have the same address (.1 normally).

    [EMAIL PROTECTED]:/root# grep -i vlan42 /etc/rc.conf
    ifconfig_vlan42="inet 192.168.7.2 netmask 255.255.255.0 vlan 42 vlanif wm1"
    ifconfig_carp42="inet 192.168.7.1 netmask 255.255.255.0 pass password vhid 42 advskew 99"

    [EMAIL PROTECTED]:/root# grep -i vlan42 /etc/rc.conf
    ifconfig_vlan42="inet 192.168.7.3 netmask 255.255.255.0 vlan 42 vlanif wm1"
    ifconfig_carp42="inet 192.168.7.1 netmask 255.255.255.0 pass password vhid 42 advskew 101"

Adjust your syntax for ifconfig.if(5) in 4.2.

~BAS
Re: Vlan tagging and Carp
On Wed, 2008-03-26 at 10:01 -0400, G 0kita wrote:

> ---

Nah, a /29 is the smallest WAN space you can use for a CARP - CARP (or HSRP/VRRP) Ethernet WAN transport. If you have that budget and business need, then you can afford the hardware and IP space. Remember, you can always use _RFC1918 private IP space_ for transit WANs (a la Comcast.net), but you're on your own when the users with pitchforks come.

~BAS
Re: configuration tweaks for CF-based systems?
On Thu, 2008-04-03 at 13:05 -0700, Fred Snurd wrote:

> There was mention a few days back that the following still contains useful information when it comes to reducing the amount of writing done to CF-like systems:

Send me a dmesg(8) and I'll send you a 4.3-current CF image built using bsd-appliance(*)

*1: Name changing soon
*2: code.google.com/p/bsd-appliance

~BAS

> http://blog.innerewut.de/2005/05/14/openbsd-3-7-on-wrap
>
> Yet I'm puzzled by the desire/need to move /dev into mfs. The timestamps on the files within /dev don't change, so what is the reason for moving the device nodes into memory? Are there parameters which are frequently changed residing in this directory? Any information shared would be appreciated.

--
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.
Re: Sendmail security problem
On Fri, 24 Mar 2006, Joachim Schipper wrote:

> On Fri, Mar 24, 2006 at 02:14:50PM +, Stuart Henderson wrote:
> On 2006/03/24 14:12, Alexander Bochmann wrote:
> ...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:
>
>     P gnu/usr.sbin/sendmail/libsm/refill.c
>     P gnu/usr.sbin/sendmail/sendmail/collect.c
>     P gnu/usr.sbin/sendmail/sendmail/conf.c
>     P gnu/usr.sbin/sendmail/sendmail/deliver.c
>     P gnu/usr.sbin/sendmail/sendmail/headers.c
>     P gnu/usr.sbin/sendmail/sendmail/mime.c
>     P gnu/usr.sbin/sendmail/sendmail/parseaddr.c
>     P gnu/usr.sbin/sendmail/sendmail/savemail.c
>     P gnu/usr.sbin/sendmail/sendmail/sendmail.h
>     P gnu/usr.sbin/sendmail/sendmail/sfsasl.c
>     P gnu/usr.sbin/sendmail/sendmail/sfsasl.h
>     P gnu/usr.sbin/sendmail/sendmail/srvrsmtp.c
>     P gnu/usr.sbin/sendmail/sendmail/usersmtp.c
>     P gnu/usr.sbin/sendmail/sendmail/util.c
>
> I am pretty certain a fix was imported for 3.7-stable, too.
>
> Yep.

Why was there no Security Advisory or entry in the Daily Changelog for this? There's an errata entry, but no announcement =/

~BAS

> Joachim
Re: Microsoft SP1 RPC traffic (Active Directory issues)
On Thu, 20 Apr 2006, James Mackinnon wrote:

> Good day everyone
>
> Recently, I installed SP1 on some domain controllers and ran into an issue where Microsoft changed RPC data with SP1 and firewalls such as Microsoft's own ISA server as well as Checkpoint have started to randomly block this data.

...look at the pflog(4), correlate hits with the source address of servers having problems with the blocks, generate a pf.conf(5) rule to match, and move on.

~BAS
Re: Panic: biodone already
On Thu, 20 Apr 2006, Pedro Martelletto wrote:

> The raid(4) codebase is old, unmaintained, and known to have issues. That's one of the reasons it's not in the stock kernel.

Oh, I thought the OpenBSD team was silently discouraging people from the practice of using software RAID. :} That sounds like the service of a friend. Focusing efforts on better universal hardware RAID management interface support.

~BAS
Override errno EBUSY on rd(4) device after boot in mount(2)?
Is there any way to override the flag on a device that prevents it from being mounted twice? MNT_FORCE isn't it.

I've got an embedded environment I'm setting up where I want to transfer the root (/) file system from an rd(4) to an MFS. To do this, I have to add some customizations to copy() in sbin/newfs/newfs.c. This is because as soon as I call mount_mfs(8) from my RD's /etc/rc, all of / goes away, so I have to accomplish things in C functions until I can get the previous (/) re-mounted as /rescue.

I can call mount(2) manually from newfs::copy(), but /dev/rd0a refuses to unmount from its previous ubiquitous root_device. Even if I explicitly mount /dev/rd0a as /, it refuses to dismount after I mount a new memfs at /, even with MNT_FORCE to unmount(2).

Is it possible that rd(4)s simply can't be unmounted? I'm assuming they can be, and that unlike their MFS counterpart, their contents do not reset (well, they would reset to whatever the contents of the RD image in the kernel is, assuming changes had been made).

This is truly a chicken-and-egg scenario. Any thoughts would be appreciated.

~BAS
Re: 3.7: weird IP address problem
On Mon, 24 Apr 2006, Toni Mueller wrote:

> Hello, I have a box that once had two IP addresses on one interface. I deconfigured one of them using ifconfig -alias. I'd rather not reboot only to make a change in IP numbers effective...

Check netstat -rn and arp -an for hangers-on lingering about.

~BAS

> Best, --Toni++

l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
Re: isakmpd - DPD stops working
On Fri, 21 Apr 2006, Mitja Mušenič wrote:

> I'm debugging something weird here. Before I put together a full and sanitized error report, just a quick question: is anybody else seeing DPD just stop working after a couple of hours, or is it just me/my setup? I have some pre-3.9 -current (mid March or so) machines running some IPsec tunnels, and from the IKE dump it appears that after two hours both ends suddenly stop sending DPD R_U_THERE requests, even if the tunnel is totally idle (for example, if I down the interface connecting the hosts). The

The lack of responses suggests you'll need to post verbose tcpdump(8) output and up the debugging greatly on isakmpd(8). Have you tested basic IP connectivity for problems?

~BAS
Re: Tape drive DLT VS160
On Mon, 24 Apr 2006, Planck wrote:

> Hello. I have a tape drive Quantum DLT VS160 (part of dmesg below) connected to an Adaptec AHA-2940. Everything works fine, but I don't know how to enable hardware compression on that drive. There aren't any jumpers on the enclosure, and mt(1) or st(4) don't say anything about that.

Yea, it would normally be "mt comp on" or "mt compress on".

~BAS
Re: 3.7: weird IP address problem
On Mon, 24 Apr 2006, Toni Mueller wrote:

> Hello, I have a box that once had two IP addresses on one interface. I deconfigured one of them using ifconfig -alias. Now, when I want to use any (?) program on that box to go over this interface, it wants to use the address which is no longer present. I double-checked to ensure that there is no NAT in the way, and also used

Also, is it still ARPing for the old address (tcpdump(8) will show)?

~BAS
Alter root FS device after boot?
All:

Would it be hypothetically possible to change the device mounted as (/) after the system has booted (possibly during the bootstrapping phase)? This of course overriding the checks in src/sys/kern/sys_vfs*.

~BAS
Re: Alter root FS device after boot?
> you can't ever unmount the first / mount after init starts, because that would mean revoking init's vnode.

Yes, after disabling the kernel checks I've tried to do this and it seems to cause a complete halt of the system. If only I could bypass the check that disallows a device from becoming mounted twice.

When an RD kernel boots, /dev/rd0a is not explicitly mounted as /, instead root_device is. However, if I try to mount(2) /dev/rd0a under a fresh MFS /, I get errno 16 "Device busy". So somewhere in the kernel outside of the fstab(5) the device is being flagged as in-use. I'm half-tempted to find that code and disable it.

~BAS
Building bsd.rd in cdrom39.fs with RAIDFrame
One of the big problems with RAIDFrame support absence in GENERIC is that it's also lacking in RAMDISK and RAMDISK_CD. This prevents RAIDFrame users from doing binary updates off boot media. This can be fixed with a few tweaks in src/distrib/i386/:

First, create a bsd.rd within cdrom39.fs (note, NOT cd39.iso!) with RAIDFrame support:

Because src/distrib/i386/ramdisk_cd/Makefile simply includes ${.CURDIR}/../common/Makefile.inc, appends list.local with a couple hundred extra Kb of utilities, sets the floppy image to 2.8mb size, then declares $RAMDISK (which is a *very* ambiguous name, mind you; a better name would be something like $KERNELCONF, etc.), one can simply adjust RAMDISK= to point to a src/sys/arch/i386/conf/$foo kernel conf file which will get automatically built on 'make release' in src/etc/ as 'bsd.rd'.

Simply copy src/sys/arch/i386/conf/RAMDISK_CD to conf/RAMDISK_CD+RAIDFrame and append the following:

    pseudo-device	raid		4	# RAIDframe disk driver
    options		RAID_AUTOCONFIG

Then set the following in distrib/i386/ramdisk_cd/Makefile:

    RAMDISK=RAMDISK_CD+RAIDFrame

Next, make another kernel package available to the install script (GENERIC+RAIDFrame) as an option. Follow the same instructions for RAMDISK_CD for GENERIC.

Add the following to src/etc/etc.i386/Makefile.inc:

    bsd.mp+raidframe:
    	cd ${.CURDIR}/../sys/arch/i386/conf && config GENERIC.MP+RAIDFRAME
    	cd ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP+RAIDFRAME && \
    	    ${MAKE} clean && ${MAKE} depend && exec ${MAKE}

Then add the following to src/distrib/notes/m4.common:

    define({:-OpenBSDbsdmp+raidframe-:},
    {:-	bsd.mp+raidframe	A stock GENERIC.MP MACHINE kernel, with support for
    			multiprocessor machines, which can be used instead of
    			the GENERIC kernel after the install. Also features
    			CMU RAIDFrame support for upgrading existing
    			RAIDFrames.-:})dnl
    dnl

Then clean out your obj and src and rebuild. Your $RELEASEDIR/cdrom39.fs (2.88mb floppy image for use with mkisofs(1)) will contain a gzip(1)'d bsd.rd with RAIDFrame support.

Run mkisofs(8) on your $DESTDIR with cdrom39.fs as your '-B'. You may now safely burn a CD-R for binary upgrades of existing RAIDFrame enabled OpenBSD systems, or use your .ISO with your DRAC card via remote media.

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/

...from back in the heady days when helpdesk meant nothing, diskquota meant everything, and lives could be bought and sold for a couple of pages of laser printout - and frequently were.
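An added example, not code from the post or from the OpenBSD tree: a script that performs the kernel-config side of the procedure above (copy the stock config to the +RAIDFrame variant, append the raid pseudo-device and the RAID_AUTOCONFIG option, repoint RAMDISK=) so it can be re-run after every source update without duplicating lines. The path layout (sys/arch/i386/conf/, distrib/i386/ramdisk_cd/Makefile) and config names are taken from the post; the Makefile.inc target and the m4 notes are not automated. make_sample_tree builds a constructed stand-in for the relevant files so the script can be exercised without a checkout.

```shell
#!/bin/sh
# Added example (not from the post): idempotently prepare an OpenBSD src
# tree for a RAIDframe-capable bsd.rd and GENERIC.MP kernel, following the
# steps described in the thread.  Paths assume the layout the post names.

RAID_PSEUDO='pseudo-device	raid		4	# RAIDframe disk driver'
RAID_OPTION='options		RAID_AUTOCONFIG'

# derive_raid_config SRC DST: copy SRC to DST if DST is missing, then append
# the two RAIDframe lines only when they are not already present.
derive_raid_config() {
    [ -f "$1" ] || { echo "missing kernel config: $1" >&2; return 1; }
    [ -f "$2" ] || cp "$1" "$2"
    grep -q '^pseudo-device[[:space:]]*raid' "$2" || printf '%s\n' "$RAID_PSEUDO" >> "$2"
    grep -q 'RAID_AUTOCONFIG' "$2" || printf '%s\n' "$RAID_OPTION" >> "$2"
}

# set_ramdisk_var MAKEFILE NAME: rewrite (or add) the RAMDISK= assignment.
set_ramdisk_var() {
    [ -f "$1" ] || { echo "missing Makefile: $1" >&2; return 1; }
    if grep -q '^RAMDISK[[:space:]]*=' "$1"; then
        sed "s/^RAMDISK[[:space:]]*=.*/RAMDISK=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf 'RAMDISK=%s\n' "$2" >> "$1"
    fi
}

# raidframe_prepare SRCTOP: perform all three edits against a src checkout.
raidframe_prepare() {
    conf=$1/sys/arch/i386/conf
    derive_raid_config "$conf/RAMDISK_CD" "$conf/RAMDISK_CD+RAIDFrame" &&
    derive_raid_config "$conf/GENERIC.MP" "$conf/GENERIC.MP+RAIDFRAME" &&
    set_ramdisk_var "$1/distrib/i386/ramdisk_cd/Makefile" RAMDISK_CD+RAIDFrame
}

# raidframe_check SRCTOP: succeed only if each edit is present exactly once,
# which is what repeated runs must preserve.
raidframe_check() {
    conf=$1/sys/arch/i386/conf
    for f in "$conf/RAMDISK_CD+RAIDFrame" "$conf/GENERIC.MP+RAIDFRAME"; do
        [ "$(grep -c '^pseudo-device[[:space:]]*raid' "$f")" = 1 ] || return 1
        [ "$(grep -c 'RAID_AUTOCONFIG' "$f")" = 1 ] || return 1
    done
    [ "$(grep -c '^RAMDISK=RAMDISK_CD+RAIDFrame$' "$1/distrib/i386/ramdisk_cd/Makefile")" = 1 ]
}

# make_sample_tree DIR: constructed stand-in for the few files the script
# touches (real configs are far longer); for offline testing only.
make_sample_tree() {
    mkdir -p "$1/sys/arch/i386/conf" "$1/distrib/i386/ramdisk_cd"
    printf '%s\n' 'machine		i386' 'include "../../../conf/GENERIC"' \
        'pseudo-device	rd		1	# ramdisk' > "$1/sys/arch/i386/conf/RAMDISK_CD"
    printf '%s\n' 'include "arch/i386/conf/GENERIC"' 'option		MULTIPROCESSOR' \
        > "$1/sys/arch/i386/conf/GENERIC.MP"
    printf '%s\n' 'RAMDISK=	RAMDISK_CD' > "$1/distrib/i386/ramdisk_cd/Makefile"
}

# Stand-alone: pass the top of a real src tree as the only argument.  With
# no argument, run against the constructed sample tree and clean up.
if [ -n "$1" ]; then
    raidframe_prepare "$1" && raidframe_check "$1" && echo "ready: $1"
else
    t=$(mktemp -d) && make_sample_tree "$t" && raidframe_prepare "$t" &&
        raidframe_prepare "$t" && raidframe_check "$t" && echo "sample tree OK"
    rm -rf "$t"
fi
```

Running it twice on the sample tree is part of the stand-alone run: the second pass must change nothing, which raidframe_check confirms by counting each added line exactly once.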
Re: Building bsd.rd in cdrom39.fs with RAIDFrame
Proper src/etc/etc.i386/Makefile.inc patch: -- $ diff -u Makefile.inc Makefile.inc-patched --- Makefile.incSun Sep 10 15:46:33 2006 +++ Makefile.inc-patchedSun Sep 10 15:46:06 2006 @@ -2,11 +2,13 @@ # etc.i386/Makefile.inc -- i386-specific etc Makefile targets .ifdef DESTDIR -snap_md: bsd bsd.mp notes bootblocks distrib +snap_md: bsd bsd.mp bsd.mp+raidframe notes bootblocks distrib cp ${.CURDIR}/../sys/arch/i386/compile/GENERIC/bsd \ ${DESTDIR}/snapshot/bsd cp ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP/bsd \ ${DESTDIR}/snapshot/bsd.mp + cp ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP+RAIDFRAME/bsd \ + ${DESTDIR}/snapshot/bsd.mp+raidframe bsd: cd ${.CURDIR}/../sys/arch/i386/conf config GENERIC 
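Review bot: snap_md now depends on bsd.mp+raidframe and the added `cp ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP+RAIDFRAME/bsd` copies its output, but neither this hunk nor the rest of the patch adds sys/arch/i386/conf/GENERIC.MP+RAIDFRAME, so on a stock tree snap_md fails at config time; ship the kernel config with the patch or state in the commit message that it has to be created first, the way the thread describes for RAMDISK_CD+RAIDFrame. While there, settle the suffix spelling: the kernel config is GENERIC.MP+RAIDFRAME here while the ramdisk config elsewhere in the thread is RAMDISK_CD+RAIDFrame, and a single form keeps both greppable.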
@@ -16,6 +18,11 @@ bsd.mp: cd ${.CURDIR}/../sys/arch/i386/conf config GENERIC.MP cd ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP \ + ${MAKE} clean ${MAKE} depend exec ${MAKE} + +bsd.mp+raidframe: + cd ${.CURDIR}/../sys/arch/i386/conf config GENERIC.MP+RAIDFRAME + cd ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP+RAIDFRAME \ ${MAKE} clean ${MAKE} depend exec ${MAKE} notes: -- On Fri, 8 Sep 2006, Brian A. Seklecki wrote: One of the big problems with RAIDFrame support absence in GENERIC is that it's also lacking in RAMDISK and RAMDISK_CD. This prevents RAIDFrame users from doing binary updates off boot media. This can be fixed with a few tweaks in src/distrib/i386/: First, create a bsd.rd within cdrom39.fs (note, NOT cd39.iso!) with RAIDFrame support: Because src/distrib/i386/ramdisk_cd/Makefile simply includes ${.CURDIR}/../common/Makefile.inc, appends list.local with a couple hundred extra-Kb or utilities, sets the floppy imagage to 2.8mb size, then declares $RAMDISK. (Which is a *very* ambiguous name, mind you, a better name would be something like $KERNERLCONF, etc.), one can simply adjust RAMDISK= to point to a src/sys/arch/i386/conf/$foo kernel conf file which will get automatically build on 'make release' in src/etc/ as 'bsd.rd'. Simply copy src/sys/arch/i386/conf/RAMDISK_CD to conf/RAMDISK_CD+RAIDFrame append the following: pseudo-device raid 4 # RAIDframe disk driver options RAID_AUTOCONFIG Then set the following in distrib/i386/ramdisk_cd/Makefile: RAMDISK=RAMDISK_CD+RAIDFrame Next, make another kernel package available to the install script (GENERIC+RAIDFrame) as an option. Follow the same instructions for RAMDISK_CD for GENERIC. 
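Review bot: the bsd.mp+raidframe recipe added in this hunk repeats bsd.mp line for line with only the config name changed, so the next change to the build steps has to be made in two places; a variable for the config name, or one target that derives the config from the target name, would prevent the two from drifting apart. Separately, the write-up earlier in the thread says a GENERIC+RAIDFrame kernel should be offered to the install script, but this hunk only builds the .MP variant from GENERIC.MP+RAIDFRAME; either add the matching bsd+raidframe target or adjust the notes so single-processor RAIDframe users know there is no upgrade kernel for them.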
> Add the following to src/etc/etc.i386/Makefile.inc:
>
>     bsd.mp+raidframe:
>     	cd ${.CURDIR}/../sys/arch/i386/conf && config GENERIC.MP+RAIDFRAME
>     	cd ${.CURDIR}/../sys/arch/i386/compile/GENERIC.MP+RAIDFRAME && \
>     	    ${MAKE} clean && ${MAKE} depend && exec ${MAKE}
>
> Then add the following to src/distrib/notes/m4.common:
>
>     define({:-OpenBSDbsdmp+raidframe-:},
>     {:-	bsd.mp+raidframe	A stock GENERIC.MP MACHINE kernel, with support for
>     			multiprocessor machines, which can be used instead of
>     			the GENERIC kernel after the install. Also features
>     			CMU RAIDFrame support for upgrading existing
>     			RAIDFrames.-:})dnl
>     dnl
>
> Then clean out your obj and src and rebuild. Your $RELEASEDIR/cdrom39.fs (2.88mb floppy image for use with mkisofs(1)) will contain a gzip(1)'d bsd.rd with RAIDFrame support.
>
> Run mkisofs(8) on your $DESTDIR with cdrom39.fs as your '-B'. You may now safely burn a CD-R for binary upgrades of existing RAIDFrame enabled OpenBSD systems, or use your .ISO with your DRAC card via remote media.
>
> l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/

...from back in the heady days when helpdesk meant nothing, diskquota meant everything, and lives could be bought and sold for a couple of pages of laser printout - and frequently were.
carp(4) debugging
I'm building -current right now. I'm looking forward to improvements between vlan(4) and carp(4) post 3.7.

I'm curious: are there any new debugging mechanisms for carp(4) in -current/4.x? I was looking at the ip_carp.{c,h} changelog. It doesn't seem obvious if there are. I.e., does ifconfig(8)'ing the DEBUG flag onto the interface generate any helpful output to log(9)? Something along the lines of what you would get from "debug standby error", "debug standby event", "debug standby terse" in an IOS environment? Anything to help debug the decision-making algorithm used in the master/standby/backup election process.

Certainly a way to log events (interfaces, etc.) and the resulting actions taken by the code would be useful in mission critical environments. Anything beats tcpdump 'proto carp' and making guesses from there.

TIA,

-lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
Re: carp(4) debugging
Exciting stuff; totally missed the log sysctl. The netstat(8) reveals some interesting info about a persistent failover condition:

    $ netstat -sp carp
    carp:
            7731906 packets received (IPv4)
            0 packets received (IPv6)
            0 packets discarded for bad interface
            0 packets discarded for wrong TTL
            0 packets shorter than header
            0 discarded for bad checksums
            0 discarded packets with a bad version
            0 discarded because packet too short
            0 discarded for bad authentication
            0 discarded for bad vhid
            0 discarded because of a bad address list
            118961 packets sent (IPv4)
            0 packets sent (IPv6)
    **      152 send failed due to mbuf memory error

But yet:

    $ netstat -m
    [...snip...]
    290/558/6144 mbuf clusters in use (current/peak/max)
    1224 Kbytes allocated to network (53% in use)
    0 requests for memory denied
    0 requests for memory delayed
    0 calls to protocol drain routines

Which is interesting because an identical backup unit does not exhibit these errors at all, even when running as MASTER for weeks on end. MBuf isn't getting exhausted; MRTG doesn't show interfaces getting saturated either. The machine has an absurd amount of RAM for a router, too.

Also interesting how it is printed out, as well, as if it is under the IPv6 statistics; however these systems have a userland and kernel compiled without IPv6 support.

But since this is 3.7-era code, it's hard to imagine troubleshooting this further. Certainly a 4.x upgrade is in order before I go chasing down an mbuf exhaustion problem. This is most likely related somehow to the absurdly high number of max states (set limit states 20, etc.)

~BAS

On Wed, 11 Oct 2006, Ryan McBride wrote:

> On Tue, Oct 10, 2006 at 05:50:50PM -0400, Brian A. Seklecki wrote:
>> Certainly a way to log events (interfaces, etc.) and the resulting actions taken by the code would be useful in mission critical environments. Anything beats tcpdump 'proto carp' and making guesses from there.
>
> Nothing new to 4.0, but a few of the things you can do besides using tcpdump are:
>
>     route monitor               - see interface link state change
>     sysctl net.inet.carp.log=1  - generates primarily protocol error messages
>     netstat -sp carp            - display a number of relevant counters
>
> If you want to do more complicated things, like run commands when carp interfaces change state, you can have a look at ifstated.
>
> -Ryan

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
Re: ports question
PKG_INFO(1)                  OpenBSD Reference Manual

NAME
     pkg_info - a utility for displaying information on software packages
[...]
     -D      Show the install-message file (if any) for each package
             (deprecated option).
     -M      Show the install-message file (if any) for each package.

On Wed, 11 Oct 2006, Bryan Irvine wrote:

> Sometimes ports have helpful messages that tell you the proper way to
> start it from rc.local or some other set of instructions that should be
> your next step etc...
>
> Sometimes these get installed as a dependency of another app though and
> so the screen just keeps right on trucking and you don't have time to
> read it.
>
> Is there some command or somewhere you can go to see what the message
> was?
>
> --Bryan

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
Re: nagios monitoring of a remote openntp service
On Thu, 2008-05-08 at 14:33 +0200, Pete Vickers wrote:

> that works fine:
>
> $ ~/usr/local/libexec/nagios/check_ntp_time -H ntp1
> NTP OK: Offset 0.0008395434124 secs|offset=0.000840s; 60.00;120.00;
>
> but, I'm trying to verify the NTP server's health, not that my
> monitoring host is sync'd to it.

Nagios checks almost never have sufficient debugging mechanisms, and UDP services don't send RST+ICMP. You can always:

$ sudo ntpdate -qdv [host to check]

~BAS

> Notes:
> This plugin checks the clock offset between the local host and a remote
> NTP server. It is independent of any commandline programs or external
> libraries.
>
> If you'd rather want to monitor an NTP server, please use
> check_ntp_peer.
>
> but that doesn't work (for me):
>
> $ ~/usr/local/libexec/nagios/check_ntp_peer -H ntp1 -t 3
> CRITICAL - Socket timeout after 3 seconds
>
> /Pete
>
> On 8 May 2008, at 1:55 PM, Stuart Henderson wrote:
>
>> On 2008-05-08, Pete Vickers [EMAIL PROTECTED] wrote:
>>> Has anybody gotten Nagios' check_ntp_* to play nicely with a remote
>>> openntp service? It appears to rely upon services not implemented in
>>> openntp?
>>
>> this is against an OpenNTP server;
>>
>> [EMAIL PROTECTED]:12$ /usr/local/libexec/nagios/check_ntp_time -H ntp
>> NTP OK: Offset -0.002711469308 secs|offset=-0.002711s; 60.00;120.00;
>>
>> so, it can work.

--
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.
Re: snmpd
On Thu, 2008-05-08 at 15:22 -0700, Tim Kuijsten wrote:

> It looks like there is no info about disk usage, memory usage, load and
> other sensor stuff. I have no clue where to find the mibs (locate mib or
> locate .txt | grep snmp have no results) or how to load them..

That's all in HOST-RESOURCES-MIB and UCD-DISKIO-MIB. Try:

$ snmptable -v2c -c [comm] [host] HOST-RESOURCES-MIB::hrStorageTable
$ snmptable -v2c -c [comm] [host] UCD-DISKIO-MIB::diskIOTable

The sensor stuff should be committed into the Ports version of Net-SNMP by now. I can get it committed to Pkgsrc if not. It's just not been at the top of my priority list.

--
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.
Re: snmpd
> I get:
>
> SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::mib-2
> SNMPv2-MIB::sysORID.2 = OID: IP-MIB::ip
> SNMPv2-MIB::sysORID.3 = OID: SNMPv2-MIB::snmp
> SNMPv2-MIB::sysORID.4 = OID: SNMPv2-SMI::mib-2.17
> SNMPv2-MIB::sysORID.5 = OID: IF-MIB::ifMIB
> SNMPv2-MIB::sysORID.6 = OID: SNMPv2-SMI::enterprises.30155.2

Or more importantly, are HOST-RESOURCES-MIB and UCD-DISKIO-MIB supported? Also, PF-MIB.

~BAS

> I guess this means HOST-RESOURCES-MIB::hrStorageTable and
> UCD-DISKIO-MIB::diskIOTable are not loaded? How can I load them?
>
> Tnx in advance,
>
> Tim
>
> ----- Original Message -----
> From: Brian A. Seklecki [EMAIL PROTECTED]
> To: Tim Kuijsten [EMAIL PROTECTED]
> Cc: misc@openbsd.org
> Sent: Friday, May 9, 2008 1:35:46 AM
> Subject: Re: snmpd

--
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.
sshd_config(5) PermitRootLogin yes
Am I reading this right?

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup

I don't have a fresh install anywhere -- but I want to say that it doesn't default to PermitRootLogin yes after the install.

I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some noise about: "Well the source vendor doesn't disable it by default..."

~BAS
Re: sshd_config(5) PermitRootLogin yes
On Thu, 10 Jul 2008, Brynet wrote:

> The keyword here is *default*. Say you installed OpenBSD on a soekris,
> it's nice having root enabled temporarily. That way you can login at a
> later time, create a lesser privileged account,

On Soekris, does the first boot console access not function properly until ttys(5) or boot.conf(5) are edited? Do you need to run headless, but with stored network configuration from the installer?

~BAS

> edit the sudoers file.. and disable root logins in sshd_config.
>
> I believe the developers' decision is the best one in this case, it's
> one of the first things I disable though.
Re: sshd_config(5) PermitRootLogin yes
> afterboot(8) covers this

Works for me, I guess. =/

~BAS

> http://www.openbsd.org/cgi-bin/man.cgi?query=afterboot&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html
Re: sshd_config(5) PermitRootLogin yes
On Thu, 10 Jul 2008, Marco Peereboom wrote:

> Of course it is enabled by default. Why do I want a box that is freshly
> installed and unreachable?

No -- I just find that most of afterboot(8) can be done from the console; even serial console, at first boot: configure the network, add a non-root user, add them to wheel, enable sshd.

I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely.

Even with CF/Embedded, you ship out master.passwd prepopulated. And this is likely the rationale why the rest of the projects changed it.

~~BAS
Re: sshd_config(5) PermitRootLogin yes
On Thu, 10 Jul 2008, Jacob Yocom-Piatt wrote:

> maybe if people actually READ THE ARCHIVES, they'd be better informed.
> i wish this mailing list had

I didn't want to rehash it all again. Everyone knows the issues. However, with respect to the right to disagree, if Marco's and Darrin's belief is that remote-network-postinstall configuration is the standing reason, then I consider myself in disagreement.

Also, I think there is a false premise to the argument by Marco and Jacob that disabling remote root login by default does not provide real security, only a false illusion. That sounds like a slippery slope. We all know that security is a process. There is a security risk / attack vector here, however remote: without password quality and failed-login tarpit/delay mechanisms, a remote root password is subject to brute force. Plus, hypothetically, how strong is a temporary root password going to be? It's not going to be the one that you use in production, so likely you're going to recycle the same one after every install.

- Yes qualified administrators filter sshd(8) w/ pf(4)
- Yes qualified administrators choose strong passwords
- Yes qualified administrators disable PermitRootLogin afterboot
- Yes qualified administrators always use sudo(8) and never use root shells

I propose, as a compromise, wrapping PermitRootLogin around a Match statement, limited to the default local subnet gleaned during the install network config (no LocalSubnets macro exists in sshd_config(5), afaik, but that would be best).

It's just the right thing to do; and we should be leading by example. Either way, it's a healthy discussion worth having.

~~BAS

> PermitStupidEmails No as the default. i really fail to see how this
> setting does anything other than make mgmt types worry because they
> don't really understand security.

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
Re: contact info for PC Weasel?
On Wed, 2008-08-06 at 13:58 -0700, Chris Cappuccio wrote:

> spend your money on a motherboard with serial console. like a supermicro
> board or something. you'll be happier.

No offense but: No. No you won't. Unless you have IPMI or something like Dell's DRAC (4, not 5 -- 5 sux big time).

The AMI/Award BIOS serial console features on the market are _really_ bad. No hot-key sequences, no watchdog timer, and they don't actually simulate a VGA->Serial conversion (so the OS _still_ needs to know about the serial console) -- redirection after boot almost never works for kernels that draw the framebuffer instead of using BIOS calls to write kernel messages.

It's bad out there. PC Weasel needs to sell off/lease that technology to MB vendors.

~BAS
OpenBSD 4.0/i386 w/ raid(4) ISO (-stable w/ RAIDFrame)
All:

I just wanted to take a moment to thank the OpenBSD community and dev team. Great tools such as pf(4), pfsync(4), etc. enabled me to perform a zero-downtime upgrade of a very large core router last week.

Per my original patch set to enable this raid(4) RAIDFrame enabled upgrade, there are a few notes to share regarding actual usage:

1) When booting from the CD, it is important to interrupt the 2nd stage boot loader sequence and:

boot bsd -a

This will prompt you for the root device, which should be rd0a, otherwise the RAID_AUTOCONFIG will take it as raid0a.

Or: Just before your last shutdown before upgrading, use raidctl(8) to modify the raidset to "-A yes dev" instead of "-A root dev".

2) There is one more additional patch that needs to occur in install.sub. I ran into a small bug in src/distrib/miniroot/install.sub:

http://www.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub?rev=1.406&content-type=text/x-cvsweb-markup

DKDEVS=$(scan_dmesg ${MDDKDEVS:-/^[sw]d[0-9][0-9]* /s/ .*//p})

This can be overridden (I'm only realizing now) by EXPORT'ing MDDKDEVS= at run time. However, the long term fix (if/when raid(4) is updated) is to fix the regex.

Unfortunately, I'm having some trouble updating this BRE REGEX. re_format(7) hackers feel free to pitch in. OpenBSD sed(1) doesn't support ERE (Extended Regular Expressions), but egrep(1) of course does. Normally I would switch this to:

/^(rai|[sw])d[0-9][0-9]* /s/ .*//p

And with egrep I would get:

$ egrep '^(rai|[wd])d[0-9][0-9]* ' /var/run/dmesg.boot
wd0 at pciide1 channel 0 drive 0: WDC WD800JD-75LSA0
wd1 at pciide1 channel 1 drive 0: WDC WD800JD-75LSA0
raid0 (root): (RAID Level 1) total number of sectors is...
raid1 (root): (RAID Level 1) total number of sectors is

But apparently the start(thisString|[thatCharActerClass])rest syntax doesn't work in non-ERE mode. Maybe someone can help out there.

Also, updating the kernel (/bsd) and the 2nd stage boot (/boot) is tricky and a manual process when using this CD to upgrade:

3) To make bsd.mp+raidframe an Install Set option, declare / export:

MDSETS=bsd.mp+raidframe

to have install.sub suck it into the $THESETS append list. According to the upgrade.sh, this will install it into your root dir (raid0a?) / path; which is wrong (I use a symlink for my kernel), but at least you'll be able to copy it to wd0a:/antiraid/bsd and wd0b:/antiraid/bsd ... or: Wait for upgrade.sh to finish up and remount /dev/cd0a manually again against /mnt2.

I have updated this image to the latest OpenBSD 4.0-stable sources. Tags: -r OPENBSD_4_0, -D 11/06/06 10:58:26 EST.

http://people.collaborativefusion.com/~seklecki/openbsd_4.0_stableUpdate_wRAIDFrame.iso
SHA1: b7e33764ab96e1a2db0d125d07e9628367680858
Size: 175331328

--
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.

Subject: If you please: OpenBSD 4.0/i386 ISO (-stable w/ RAIDFrame)
From: Brian A. Seklecki [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Organization: Collaborative Fusion, Inc.
Date: Sat, 11 Nov 2006 05:28:53 -0500

SHA1 (public_html/obsdcd_4.0_updateWRAID.iso) = 36c5fe6cb3cd0af6ded8e25a24e2f70f4faaa6cf
36c5fe6cb3cd0af6ded8e25a24e2f70f4faaa6cf  obsdcd_4.0_updateWRAID.iso
-rw-r--r--  1 lavalamp  lavalamp  175319040 Nov 11 05:25 public_html/obsdcd_4.0_updateWRAID.iso
Re: OpenBSD 4.0/i386 w/ raid(4) ISO (-stable w/ RAIDFrame)
On Wed, 13 Dec 2006, Brian A. Seklecki wrote:

> All:

BTW, it is far from optimal, but the following BRE works:

DKDEVS=$(scan_dmesg ${MDDKDEVS:-/^\(rai\)*[sw]*d[0-9][0-9]* /s/ .*//p})

...because saying:

"may contain one \(rai\)* or more, but not either, and (or?)..."
"may contain one of either [sw]* or more, but not either..."

is sort of like (rai|[sd]).

Strange days. Full src patches on my site.

~BAS
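Added example, not code from the thread or from install.sub: the same device scan written in POSIX BRE without ERE alternation, by handing sed two address/substitute commands (one per device-name pattern) instead of one "(rai|[sw])" expression. The scan_disks and disk_list functions and the dmesg lines are constructed for this example.

```sh
#!/bin/sh
# Emulate install.sub's scan_dmesg use of sed for listing disk devices,
# but accept both raid* and [sw]d* names using plain POSIX BRE.
# A single address can't say "rai OR [sw]" in BRE, so two -e commands are
# used; each prints only lines it matches (sed -n), stripped after the
# first space.  The trailing space in the pattern matters: it keeps
# "wd0:" continuation lines out of the list, as in the original regex.
# (The BRE from the post, \(rai\)*[sw]*d[0-9], would also match a line
# starting with "d0 ", because both groups may repeat zero times.)
scan_disks() {
    sed -n \
        -e '/^[sw]d[0-9][0-9]* /s/ .*//p' \
        -e '/^raid[0-9][0-9]* /s/ .*//p'
}

# Constructed sample dmesg.boot excerpt (modelled on the egrep output in
# the thread; device strings are placeholders, not real hardware).
SAMPLE_DMESG='wd0 at pciide1 channel 0 drive 0: <WDC WD800JD-75LSA0>
wd1 at pciide1 channel 1 drive 0: <WDC WD800JD-75LSA0>
sd0 at scsibus0 targ 0 lun 0: <VENDOR, PRODUCT, REV> SCSI2 0/direct fixed
raid0 (root): (RAID Level 1) total number of sectors is 156296192
raid1 (root): (RAID Level 1) total number of sectors is 156296192
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
cd0 at atapiscsi0: <VENDOR, PRODUCT, REV> ATAPI 5/cdrom removable'

# Run the scan over the sample and return the device names as one
# space-separated string, the way DKDEVS ends up being used.
disk_list() {
    printf '%s\n' "$SAMPLE_DMESG" | scan_disks | tr '\n' ' ' | sed 's/ $//'
}

disk_list   # prints: wd0 wd1 sd0 raid0 raid1
```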
Re: openbsd 4.0 snmpd core dumps with vlan interface number higher as 9
That's awesome! BTW, I submitted a PR on this yesterday but haven't gotten the automated response. Will forward to you if I do.

~BAS

On Wed, 13 Dec 2006, [EMAIL PROTECTED] wrote:

> Hi List,
>
> openbsd 4.0
>
> i've vlan interfaces from vlan1 to vlan9
> i can start snmpd -x localhost without any problems
>
> if i create vlan10 snmpd core dumps
>
> Bus error (core dumped)
>
> the last lines from the debug are
>
> trace: netsnmp_send_traps(): agent_trap.c, 603:
> trap: send_trap 0 0 NET-SNMP-MIB::netSnmpAgentOIDs.255
> trace: netsnmp_send_traps(): agent_trap.c, 605:
> trap: Bus error (core dumped)
>
> if i destroy vlan10 it works again.
>
> the core dump is here http://www.tbits.org/snmpd.core.gz
>
> Does anyone have an idea?
>
> Thx
> Thomas

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
Master ${SKIPDIR} manifest
Is anyone maintaining a ${SKIPDIR} manifest? A master list of source directories, organized logically by subsystem?

Something to match the variety of make.conf(5)/mk.conf(5) knobs in other systems?

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
Re: searching a good MRTG/SNMP configuration
You still need a list of valid SNMP OIDs that the agent is capable of mapping from real-world values into vendor-independent MIBs. Good speed you my son.

~BAS

On Mon, 5 Feb 2007, AstraSerg wrote:

> What about cacti (http://cacti.net/)?
>
> On Sunday 04 February 2007 15:06, Andreas Bihlmaier wrote:
>> Hello misc@,
>>
>> hosting a lan party yesterday I started to play around with MRTG and
>> SNMP, but I didn't quite get where I wanted.
>> I guess somebody using OpenBSD already has a nice MRTG configuration
>> showing:
>> IN/OUT traffic
>> [CPU] load
>> memory usage
>> some stuff about pf (states, blocks/pass)
>> (using this patch: http://www.packetmischief.ca/openbsd/snmp/)
>>
>> Something similar to this: http://www.erde.co.jp/mrtg/index.html would
>> be what I'm looking for. But with a better traffic report.
>>
>> Would this person be willing to share the configuration files
>> (mrtg/snmp[/rrdtool]) with me and the rest of the OpenBSD community?
>>
>> While we are at it, how do you make the MRTG output accessible?
>> My idea was to let every host create its own statistics and upload
>> those to my central webserver, using pub-key scp/sftp with an
>> unprivileged user account. The webserver would move all those reports
>> to its www-chroot.
>>
>> If I need to I'll create one myself, but after fiddling around with it
>> for a couple of hours I thought about the reinvention of the wheel and
>> its waste of time.
>>
>> Regards,
>> ahb

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
Re: External 250Gb USB Disk with three FAT32 partitions, device not configured
> dmesg output of the disk that runs correctly:
>
> umass0 at uhub2 port 2 configuration 1 interface 0
> umass0: Cypress Semiconductor USB2.0 Storage Device, rev 2.00/0.01, addr 2
> umass0: using SCSI over Bulk-Only
> sd0 at scsibus1 targ 1 lun 0: ST315323, A, SCSI0 0/direct fixed
> sd0: 14652MB, 14652 cyl, 64 head, 32 sec, 512 bytes/sec, 30008475 sec total

Are you running GENERIC? So, uhub* -> umass* -> scsibus* -> sd*, but scsibus* isn't attaching. Do you have "scsibus* at umass?" or just a static "scsibus1 at umass0"?

~BAS

> dmesg output of other disk:
>
> umass1 at uhub2 port 3 configuration 1 interface 0
> umass1: Iomega External HD, rev 2.00/0.00, addr 3
> umass1: using SCSI over Bulk-Only
>
> As you can see, the system doesn't link it with any device (sdX, etc);
> can I link it manually? Obviously, with no device linked to it, the
> output of fdisk and disklabel with any sdX device (except sd0, which is
> the device of the external usb box that runs ok) is "Device not
> configured".
>
> A lot of thanks
>
> --
> Angel Sancho Alvarez

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
Re: Speedtouch modem and PPPoA
On Mon, 5 Feb 2007, Luca wrote:

> Hi all,
>
> I installed for the first time the Speedtouch 330, compiled the source
> code (http://speedtouch.sourceforge.net/index.php?/index.en.html),
> installed the firmware...launched the script...it takes about 10
> minutes to bring up the tun0 interface and get a valid ip but it's
> connected. After 20 minutes I got this error into the messages log

Ask this guy what it means. He seems to have written it?

http://www.mail-archive.com/speedtouch@ml.free.fr/msg03593.html

Also, try pppoa3 instead since it's a 330? I dunno.

~BAS

> Feb 4 22:01:00 Typhoon pppoa2[9969]: pusb_set_interface
> Feb 4 22:01:03 Typhoon pppoa2[24786]: pusb_set_interface
> Feb 4 22:01:06 Typhoon pppoa2[23598]: pusb_set_interface
> Feb 4 22:01:09 Typhoon pppoa2[24414]: pusb_set_interface
> Feb 4 22:01:12 Typhoon pppoa2[238]: pusb_set_interface
> Feb 4 22:01:15 Typhoon pppoa2[29868]: pusb_set_interface
> Feb 4 22:01:18 Typhoon pppoa2[1043]: pusb_set_interface
> Feb 4 22:01:21 Typhoon pppoa2[2254]: pusb_set_interface
> Feb 4 22:01:24 Typhoon pppoa2[22178]: pusb_set_interface
> Feb 4 22:01:27 Typhoon pppoa2[8043]: pusb_set_interface
> Feb 4 22:01:30 Typhoon pppoa2[10104]: pusb_set_interface
> Feb 4 22:01:33 Typhoon pppoa2[20981]: pusb_set_interface
> Feb 4 22:01:36 Typhoon pppoa2[23161]: pusb_set_interface
>
> The log file is filled with this and the connection is gone... I made a
> reboot. Connected again (10 minutes waiting) and now it has been
> connected for about 6 hours but the speed is very very low, about 1K
> using ftp or http.
> PF is disabled for now.
> Protocol is PPPoA
mk.conf(5) note about ${SKIPDIR}
This entry should probably reflect/note that the space-separated paths should be relative to ${BSDSRCDIR}, e.g.:

SKIPDIR+=lib/libossaudio usr.sbin/httpd games

But I'm a realist, and I know examples aren't normal practice, so I'll settle for the note w/o. :}

I'll sendbug(1)

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
Re: SSH client (putty) hangs after name/password login
> I tried the above (see link) but still it won't work...

Does the privsep sshd(8) process spawn on the server? Does that spawn a login shell of the associated user? pstree(8) will show.

Also, fire up debugging levels?

#LogLevel INFO -> DEBUG, DEBUG1, DEBUG3 etc.

~BAS

> help !
>
> regards
> Willem
Re: SSH client (putty) hangs after name/password login
> Hello Brian,
>
> Not quite sure what you mean with pstree...don't know the command and
> no 'man pstree' on my 3.8 system..?

It's in the psmisc/ package.

> Note that I have no problems logging into the system while on the local
> network (doing this via a PC that I remotely manage). When I do a SSH
> session (via the VPN tunnel) on the INSIDE of the OBSD box, I get the
> same problem (using the same account).

Okay I must be asleep again. I thought we eliminated pf(4) as the problem. Technically if you can negotiate a 3-way handshake and establish the TCP socket, MTU should be a non-issue.

What about netstat -s? Anything suspicious (grep -i drop) for sections, esp: tcp: ip: icmp: etherip:

If you have access via the LAN, what about tcpdump(8) on the tun(4) interface?

> is not the case locally
>
> Problem here is that this system is 900Km away...if I would stop the
> SSHD (so i could

Normally I'd say to you "Oh you're fine with pkill -HUP sshd"; but that's because I'm accustomed to out-of-band management like DRAC and mgetty :}

~BAS

> restart it with debug options) I will not be able to reach it anymore :-(
Re: SSH client (putty) hangs after name/password login
On Tue, 6 Feb 2007, forums wrote:

> Hello,
>
> That was my first guess as well...For that reason I set the option
> UseDNS NO

Yea. When DNS timeouts occur, the login process never completes. In fact, before the prompt appears the timeout occurs.

AS
Master ${SKIPDIR} manifest (fwd)
Here's an initial attempt:

http://people.collaborativefusion.com/~seklecki/bsd-appliance/obsd_mkconf_subsys_prune_skipdir.txt

And w/o comments:

http://people.collaborativefusion.com/~seklecki/bsd-appliance/obsd_mkconf_subsys_prune_skipdir_nc.txt

This initial (and far from comprehensive) attempt reduces build sizes:

# du -hs /usr/obj/ /usr/destdir /usr/releasedir/
475M    /usr/obj/
243M    /usr/destdir
104M    /usr/releasedir/

(Down from the usual 850M+ obj/, etc.)

~BAS

-- Forwarded message --
Date: Mon, 5 Feb 2007 01:06:07 -0500 (EST)
From: Brian A. Seklecki [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Master ${SKIPDIR} manifest

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
Re: Mbufs tunning
On Fri, 2007-03-16 at 18:30 -0300, Gustavo Rios wrote:

> Dear gentleman,
>
> when i execute some command on my server box, i got a complaint about
> not enough buffer available. For instance.
>
> $ rusers
> rusers: can't send broadcast packet: No buffer space available
> $

netstat(8) -m gives some variety of historical data from which to base your decision making.

~BAS

> I don't know how to perform tuning on mbufs. Rather than simply raising
> its limits i wonder which parameters should i choose to guide a tuning
> effort on this regard.
>
> Thank you for your time and cooperation.
>
> Best regards.
Re: sshd configure howto
From an architecture standpoint, it wouldn't be within the mandate of sshd(8) anyway. You'd accomplish this using some userland resource quota enforcement policy (max number of processes, max instances of a shell). Hell, you could do it in /etc/profile or ~/.cshrc.

I don't know of one OTTMH, but I'm sure that one probably exists out there.

PS this sounds like a perfectly good idea for embedded platforms.

~BAS

On Sun, 2007-03-18 at 13:49 +0800, Jay Jesus Amorin wrote:

> I'm using this set-up for a pf/authpf authentication gateway; all I'm
> concerned about is I don't want my users to use other users' accounts.
Re: isakmpd
On Sat, 2008-08-23 at 13:30 +0200, Daniel Rapp wrote:

> Hi, i am looking for example configs on isakmpd where there is more
> than one tunnel.. I have an openbsd (4.2) firewall with a tunnel config
> in isakmpd.conf and i want to add a roadwarrior tunnel too..

There should be a wiki somewhere with lots of known-good-working isakmpd(8) / isakmpd.conf(5) examples.

~BAS

> I think i have seen some sample config before but i can't seem to find
> any now.. Any help would be appreciated..
>
> /Daniel

--
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.
Re: recommendation for router (COMMELL)
> What *would* you recommend? In addition to the listed duties, I am
> looking for stability,

For a mail server appliance, Axiomtek units are the only way to fly. Try the NA-820. We've been nothing but pleased, and of all the cheap Award/AMI BIOSes, theirs has been the best performing so far, and priced well:

http://axiomtek.com/products/ViewProduct.asp?view=429

Also thanks for pointing out Commell. I'll try to have them scare up a demo unit so that I can extract a dmesg(8):

http://code.google.com/p/bsd-appliance/wiki/HardwareVendors

~BAS
Re: LDAP and OpenBSD
On Fri, 2008-10-10 at 19:52 +0200, raven wrote:

> I'm thinking how my users into an ldap db can login into my openbsd

One would need NSS_LDAP and PAM_LDAP, which requires PAM and NSS infrastructure in-tree. Likely you'd want to sponsor development for something like that.

~BAS

--
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.
Re: PF Queue on a GROUP of nics?
On Mon, 2008-10-06 at 16:39 +1100, Sunnz wrote:

> Is it possible? Say I have a few nics of the same group... dc0 dc1 dc2
> dc3... which all belong to a group dc.
>
> Sunnz

Do you mean a shared queue where downstream bandwidth from a single upstream interface is proportionally divided into two downstream subnets as it egresses two separate interfaces? I was just revisiting that from 2006? Ping me back if so.

~BAS
Advanced Queuing: Host-Only Stateful Inspection and Queues
[Long Message Disclaimer] All: I was just looking over Peter Hansteen's PF book -- It's a great reference, but the coverage on QUEUING is limited (6 pages of ~150). I was hoping to find an answer to a question therein, that I had back in 2006 when I filed system/4574 -- but with behind me, I wanted to revisit an ALTQ design question:

- What is the relationship between stateful pass rules and queue behavior?
- Does the original direction of the initial SYN packet that creates a state affect the Golden Rule(R) behavior?

The FAQ states: You can't queue incoming traffic once it has arrived at an interface (Golden Rule). Which is reasonable.

- If it's passing through your ALTQ packet forwarding engine, you could in theory queue it leaving an egress interface.
- But, in most scenarios, you would be working with a queue sized for the media of the downstream / egress interface, not the incoming/wan interface that you likely wish to traffic shape.
- Or queue it at an adjacent upstream router (likely if you have traffic shaping on one router, you have it on all but your core/border router)

General rules:

- Queuing happens _mostly_ on pass rules, so even if you have a default-pass policy, stateless even, you still have to explicitly pass (and probably keep state, unless core/border) on traffic to be queued.
- Consider that the presence of a state prevents re-evaluation of rules when traffic matching a known state ingresses/egresses an interface on which the state was initially created
  - Potentially alternate interfaces as well, depending on state policy floating

There are four example TCP connection scenarios / packet flow disciplines outlined below. To help explain my question, I put together a quick diagram with a greatly simplified network configuration and pf(4) rule set featuring queues -- but I've tried to use four real-world traffic flow permutations.

Diagram: http://people.collaborativefusion.com/~seklecki/images/cf_OpenBSD_PF.png

1) Workstation A initiates TCP connection to Server Y port 5999 (ephemeral source port)
- TCP SYN from WS A ingresses $ext_if, creates state
- TCP SYN+ACK from SRV A egresses $ext_if back to WS A
- Traffic is 5/95 ratio server-client (5% being all acks)
- TCP data transfer from SRV A to WS A is queued at specified rate
Example: Passive FTP data channel stream of download from SRV A to WS A

2) Workstation A initiates TCP connection to Server Y on port 22 (ephemeral source port)
- TCP SYN from WS A ingresses $ext_if, creates state
- TCP SYN+ACK from SRV A egresses $ext_if back to WS A
- Traffic is 95/5 ratio client-server (5% being all ACKs)
- TCP data transfer from WS A to SRV Y is _not_ queued at specified rate because of Golden Rule(R)
Example: SCP file, initiated on Client A, from Client A send to Server Y (B pushes to Y)

3) Server Y initiates TCP connection to Workstation A on negotiated FTP receiver port (src port 20)
- TCP SYN from SRV Y egresses $ext_if, creates state
- TCP SYN+ACK from WS A ingresses $ext_if back to SRV Y
- Traffic is 95/5 ratio client-server (SRV Y as 'tcp client' - 5% acks from WS A)
- TCP data transfer from SRV Y to WS A is queued at specified rate
Example: Active FTP data connection (client specified data receiver port 1024, SrvY src was P20)

4) Server Y initiates TCP connection to Workstation A on port 22 (ephemeral source port)
- TCP SYN from SRV Y egresses $ext_if, creates state
- TCP SYN+ACK from WS A ingresses $ext_if back to SRV Y
- Traffic is 5/95 ratio client-server sends (95% being TCP server sends, 5 being client ACKs from Y)
- TCP data transfer from WS A to SRV Y
Example: SCP file, initiated on Server Y, src Client A dst Server Y (Y pulls from B)

Here are my questions / comments:

- Should pass in keep state queue(foo) be valid syntax?
- If pass in on $ext_if from any to $private queue(foo) is valid, and the traffic flow discipline (DATA, non-ACK) is in the direction of the TCP client initiator, does traffic egressing the $ext_if get queued? My testing says Yes.
- Conversely, if pass in on $ext_if from any to $private queue(foo) is valid, and the traffic discipline (DATA, non-ACK) is in the direction of the TCP server receiver, does traffic ingressing the interface get queued? My testing says No -- as expected.
- Does this mean, then, that only traffic, ACK or DATA, egressing an
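One way to write the four scenarios above as a ruleset, added here as an illustration and not part of the original post or of its author's lab configuration. The interface names, the address block behind $int_if, the bandwidths and the queue names are assumptions. The point it makes: the queue is fixed by whichever pass rule creates the state, the queue id then travels with that state in both directions, and it only takes effect on an egress interface that defines a queue carrying that id. That is why the same queue names appear on both interfaces; it relies on pfctl giving one queue id to a queue name wherever it is defined, which is an assumption worth confirming with pfctl -vs queue on the box in question.

```pf
# Added example, not from the original post. Interface names, addresses,
# bandwidths and queue names are assumptions for illustration.
ext_if  = "em0"
int_if  = "em1"
private = "192.168.64.0/24"      # Server Y lives behind $int_if

# Queues are a property of the egress interface, so each side gets a tree.
# The names ssh_bulk, ftp_data and tcp_ack are deliberately reused on both
# interfaces so that one state shapes both directions of a connection.
altq on $ext_if cbq bandwidth 10Mb queue { std_out, ssh_bulk, ftp_data, tcp_ack }
  queue std_out  bandwidth 20% cbq(default)
  queue ssh_bulk bandwidth 30% cbq(borrow)
  queue ftp_data bandwidth 40% cbq(borrow)
  queue tcp_ack  bandwidth 10% priority 7

altq on $int_if cbq bandwidth 100Mb queue { std_in, ssh_bulk, ftp_data, tcp_ack }
  queue std_in   bandwidth 20% cbq(default)
  queue ssh_bulk bandwidth 30% cbq(borrow)
  queue ftp_data bandwidth 40% cbq(borrow)
  queue tcp_ack  bandwidth 10% priority 7

# Floating states (the default): a state created on one interface also
# matches the same packet leaving the other, so the ruleset is not consulted
# again and the queue chosen by the creating rule stays in force.
set state-policy floating
block log all

# Scenarios 1 and 2: WS A connects in. The SYN enters on $ext_if, so this is
# the rule that creates the state and picks the queue.  Data from SRV Y
# (scenario 1) is shaped leaving $ext_if; data pushed by WS A (scenario 2)
# is not shaped on $ext_if (Golden Rule) but is shaped leaving $int_if,
# because ssh_bulk exists there too.  Pure ACKs in either direction land
# in the second queue of the pair.
pass in on $ext_if inet proto tcp from any to $private port 5999 \
    flags S/SA keep state queue (ftp_data, tcp_ack)
pass in on $ext_if inet proto tcp from any to $private port 22 \
    flags S/SA keep state queue (ssh_bulk, tcp_ack)

# Scenarios 3 and 4: SRV Y connects out. The SYN is first seen entering
# $int_if, so the queue has to be assigned here; a queue on a
# "pass out on $ext_if" rule would never be consulted because the floating
# state already matches when the packet leaves $ext_if.
pass in on $int_if inet proto tcp from $private port 20 to any \
    flags S/SA keep state queue (ftp_data, tcp_ack)
pass in on $int_if inet proto tcp from $private to any port 22 \
    flags S/SA keep state queue (ssh_bulk, tcp_ack)
```

pfctl -nf /etc/pf.conf checks the syntax without loading it; pfctl -vvs queue while a transfer is running shows which queue on which interface is accumulating packets, which is the direct empirical answer to the "does it get queued" questions above.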
Re: Can't SSH into CARP'd system from the outside
On Mon, 2008-10-20 at 14:19 -0700, Vivek Ayer wrote: So far, I can't ssh into the carp from the outside, can't ntp from the Try: % sudo tcpdump -ttt -e -vvv -n -i pflog0 -s 1024 -- Brian A. Seklecki [EMAIL PROTECTED] Collaborative Fusion, Inc.
Re: 4.3-stable panics on a Soekris net-5501
Today I was dumping files from a wd0 disk to a mountpoint on sd0 disk (external USB). I accidentally unplugged the power cable of sd0 disk and That is generally considered the proper / pragmatic behavior. FreeBSD Foundation is sponsoring development to change this behavior to some sort of user-configurable transient failure. See their announcement list. ~BAS my system panicked. I think this should not happen, so here are some more details:
Transport Mode ipsec(4) and inet6(4) gre(4) (WAS: isakmpd + gre crashing)
All: Back in 01/2006, circa 3.8, there was a thread related to the use of gre(4) and Transport Mode ipsec(4) in isakmpd(8) to protect v4 tunnels. There was a repeatable kernel panic related to gre(4) packets needing a smaller MTU as they are encapsulated in ipsec(4) packets, before being transmitted. I haven't looked if we have support, but gre(4) w/ ipv6 address and stf(4) seem to be best options out there for secure v6 tunnels. That is, explicitly, gre(4) inside ipv6, since we don't have stf(4). I can revisit that bug in our lab, except with a slightly larger encapsulation packet overhead :) I'm wondering if a traditional ipv6 isakmp(8) ipsec tunnel (using IPv4 endpoints?!) is a safe alternative, or what other solutions people are cooking up on OpenBSD for tunneling IPv6 security. Thanks for your feedback and safe holidays to all! ~BAS On Mon, 9 Jan 2006, Jason Taylor wrote: Hi Brian, I did a few more tests this evening and I think you are right about the MTU issue. In OpenBSD 3.8, you can set the MTU of a GRE interface. I set the mtu of the GRE tunnel on one end (Perspex, which runs 3.8) and transferred a large file. It worked wonderfully and I am now in the process of updating my soekri to the latest 3.8. I think what is happening is the GRE tunnel sets its MTU according to the MTU of the physical interface, in my case fxp0 and sis0 and does not take into account the added overhead of IPsec... Cheers, /Jason On Jan 9, 2006, at 4:41 PM, Brian A. Seklecki wrote: But as soon as I start an scp from Perspex to Soekris, Perspex reboots after a few hundred kb. Unfortunately, Perspex is in a datacenter and I do not have console access to it to see what the heck is happening at that exact moment. I don't recall. But for the record (IPSEC inside GRE): If the Transport IPSEC connection is negotiated between two hosts inside the GRE tunnel private subnet and the IPSEC connection goes down, the data flows in cleartext. 
*bad* The opposite would be (GRE-inside-IPSEC-Transport): If the Transport IPSEC tunnel is built between the two hosts' public interfaces and the GRE tunnel is built normally and thus encrypted, things should work. Of course, we run into the crash. The trick was I tried it on OpenBSD/Sparc where there is no-such-thing as Flash back to the BIOS and it turns out a Sun watchdog timer is getting hit. Watchdog timers on i386 must cause the BIOS to reset. So the problem is in-kernel and the config is probably too obscure for developers to spend time on. My solution was to re-IP my network properly, and use IP Supernets/ summarization/ subnet aggregation thus consolidating the need for so many spokes on a hub-and-spoke VPN config. ~~BAS I noticed that there were no responses to your thread, but I was wondering if you had worked out your problem or if you decided to go the ipsec encapsulated in gre. Cheers, /Jason -- Jason Taylor e: j...@jtaylor.ca m: 514-815-8204 l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8 l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/ Show me a young conservative and I'll show you someone with no heart. Show me an old liberal and I'll show you someone with no brains. ~ Winston Churchill
Re: Transport Mode ipsec(4) and inet6(4) gre(4)
I haven't looked if we have support, but gre(4) w/ ipv6 address and stf(4) seem to be best options out there for secure v6 tunnels. That sounds... bizarre. According to ipv6book.ca, M. Blanchet. It's a good read, except OpenBSD/NetBSD are neglected (probably because of the stf(4)/6to4(4) absence). He also doesn't talk about _securing_ GRE tunnels, although the logical assumption would be transport mode ipsec between v4 endpoints ~BAS
Re: logging smtp connections
On Sat, 2009-05-02 at 05:06 -0500, Robson Caetano wrote: Hi I would like to log From:, To: and Subject: fields of every SMTP connection to my internal SMTP server that is passed by the openbsd firewall. You're better off doing that within your MTA. Courier has a Big Brother feature: etc/courier/courierd:# ARCHIVEDIR=/usr/lib/courier/bigbrother ~BAS
Re: unable to redirect port 443 from the internet to an internal server
On Wed, 2009-06-10 at 09:24 -0700, Journey Man wrote: Yet another rule that redirects port 1443 to port 443 works: Try tcpdump: % sudo tcpdump -i $ext_if 'port 443' Then try to re-create the TCP socket from a 3rd party remote host. See if the syn packet comes in. If not, then your ISP could be blocking inbound 443. You should punish them, if so. Or use IPSEC/ESP ~BAS
Re: Multiple IPSec-tunnels and load balancing
On Tue, 2009-06-30 at 11:15 +0200, u...@o3si.de wrote: Is it possible to load balance / failover the traffic over IPSec? If so, should I use GIF for load balancing / routing? That's what Cisco DMVPN is, as far as I can tell. Was just reading about it. You're talking about GRE tunnels to two intermediary facilities on the way to a common 4th facility? Assign the routes equal cost path routing? ~BAS Thanks in advance for anyone's advice!
Re: LaCie
On Tue, 2009-08-04 at 13:53 -0300, Marcos Laufer wrote: Hello, has anyone had any experience with LaCie Raid and Storage very Feng shui ~BAS I'm the kind of Mac-using sociopath that looks at an external NAS and asks: 'What kind of RAID array defines me as a person?'
Re: cell card on vaio p
On Fri, 2009-10-30 at 12:01 -0700, Lawrence-Sporkton wrote: I believe its the Gobi 1000 or Gobi UNDP-1 which appear to be the same device Very odd. This is a CDMA/3G/GSM/EVDO modem? Normally they show up as PCMCIA, USB, or PCI Serial devices. A lot of times the PCMCIA ones present a USB Host Controller which presents a UCOM and UMASS (with the drivers). I was just reading that the Cricket USB one has to have a special GNU/Linux driver that switches it from UMASS to UCOM for PPP: http://www.ubuntugeek.com/how-to-setup-cricket-wireless-a600-broadband-modem-in-ubuntu.html Anyway, you may be a pilgrim on unholy lands. ~BAS
Re: Starting a Radius / Nas in openbsd
On Fri, 2009-10-30 at 22:08 +0100, C. Diego Raffaelli A. wrote: Any idea? Am I right using OpenBSD and trying to use Radius and/or NAS?? RADIUS Authentication and RADIUS Accounting are what you want, but that's off-topic for this list. Look in ports for RADIUS servers. Good luck. ~BAS
Re: Server trouble shooting
Since I can't connect successfully via ssh is there anything else I could be doing remotely? ...you could be researching a Lights-out-Management solution for your server (Dell DRAC, Sun LOM). Best all-around solution is a PC-Weasel (realweasel.com) connected to the system next to it (Or a RAS concentrator) If the system is completing 3-way TCP handshake, then you're dead in the water. Consider making the system highly available. ~BAS
Re: OpenBSD 4.2 hardware recommendation
On Sat, 3 Nov 2007, Martin Schröder wrote: You don't need one computer with two discs and two psus; instead get two systems and use carp to get HA. Also 2GB for a firewall is overkill. Spend the money on the NICs instead. If he's going to be doing local processing of pcap(4) data into some sort of SNORT+ACID+PostgreSQL, he's going to want RAID and all that jazz. But I think we can all agree that it's best admin practice to move that data off to a remote system for archival/processing. He's also going to draw 8 amps :} ~BAS
Re: OpenBSD 4.2 hardware recommendation
If he's going to be doing local processing of pcap(4) data into some pcap(3), of course, is what I meant :}
Re: OS not seeing all RAM (1GiB less)
On Mon, 2007-11-12 at 22:40 -0500, C Thala wrote: What would cause an 4.1 machine running on a Dell PowerEdge 1950 to see only 3,220,439,040 bytes of RAM as opposed to the 4GB that it really has (confirmed by BIOS)? A little something-something called PAE. You're probably running 4.1/i386? What you want to do is install the amd64 release on the 9th gen. ~BAS
Re: snmpd on current
On Wed, 21 Nov 2007, Insan Praja SW wrote: Hi all, I'm currently running 4.2-current and installing net-snmp-5.4.1 from ports (updated). Something is wrong, when I run snmpd, it seems to eat all CPU and memory keeps getting bigger.. is there anything wrong? thanks.. Run it in foreground w/ verbose debugging. Worst case scenario, resort to ktrace/kdump. http://linux.die.net/man/1/snmpcmd -DALL -Lo -f looks promising. ~~BAS
Re: Site-to-site IPSec VPN between OpenBSD and Cisco PIX 515E
On Thu, 22 Nov 2007, Shohrukh Shoyoqubov wrote: From which machine do I have to do ping -I A.B.C.D E.F.G.H pf has default config and allows everything forwarding is enabled What does netstat -rn -f encap look like? ~bas Christoph Leser wrote: you could try ping -I A.B.C.D E.F.G.H
Update RAIDFrame-Enabled ISO for 4.2
Updated diff, ISO image, build instructions. http://people.collaborativefusion.com/~seklecki/obsd_wRAIDFrame.html

Note: There's a small problem with my regex in install.sub that prevents scanning of RAIDFrame boot lines in dmesg.boot. The work-around from the bsd.rd shell is to:

$ export MDDKDEVS=/^raid[0-9]/p
$ ./upgrade

It's ugly but it works. Also, don't forget to:

$ cd /dev
$ sh MAKEDEV raid0
$ sh MAKEDEV raid1

...beforehand. Tested a 4.0-stable to 4.2-stable upgrade (2x) ~BAS
Re: VPN Concentrator
On Fri, 30 Nov 2007, Khalid Schofield wrote: Hi, I'd like to make a VPN Concentrator using openbsd. I want users to be able to authenticate using usernames and passwords and to either nat the users or give them an ip from our main dhcp server via a bridge. That's a tall order. In Cisco-land a VPNC3000k will run you $5k plus SMARTNet. You'll need isakmpd(8) policies. You'll need dhclient-server relay support. You'll need XAuth authentication (Possibly via PAM). You'll need IPSEC NAT-T. Maybe tie it all together with LDAP and PKI.
Re: pflog filling up /var mount every 2-3 days!
On Fri, 30 Nov 2007, Jake Conk wrote: Hello, I have my /var partitioned out to be 150mb which I thought was a You're probably getting a lot of log hits on a default block log all at the end of your rules. You can prevent a lot of crud by doing block quicks w/o log statements for the following:

- Multicast crud (Apple users)
- Windows NetBIOS/CIFS Broadcast crap
- IPv6

Good examples can be found. ~BAS
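A concrete form of the advice above, added here as an example and not part of the original reply. The interface name is an assumption, and so is the decision to discard these classes silently rather than log them; the quick rules must sit above the trailing block log all so that the noise never reaches it, and the IPv6 drop only belongs on a box that does not itself use v6 on that interface, since it would also stop neighbour discovery and router advertisements.

```pf
# Added example, not from the original reply. Interface name is assumed.
int_if = "em1"

# If a DHCP relay (or anything else that legitimately needs client
# broadcasts) runs on this box, let those through before the broadcast drop.
pass in quick on $int_if inet proto udp from any port 68 to any port 67

# Multicast (mDNS/Bonjour, SSDP, routing hellos) plus limited and directed
# broadcast. ($int_if:broadcast) expands to the broadcast address of $int_if.
block in quick on $int_if inet from any \
    to { 224.0.0.0/4, 255.255.255.255, ($int_if:broadcast) }

# Windows NetBIOS name/datagram/session services and SMB over TCP.
block in quick on $int_if inet proto { tcp, udp } \
    from any to any port { 137, 138, 139, 445 }

# IPv6 that is not routed here yet; drop it without a log line.
# Only do this if the box itself does not rely on v6 on these interfaces.
block quick inet6

# Whatever falls through is unexpected and still earns a line in pflog.
block log all
```

pfctl -nf /etc/pf.conf checks the syntax; after loading, pfctl -vs rules shows the per-rule packet counters, so a quick look at which of the unlogged block rules is climbing tells you what was filling /var before.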
Re: no 4.2-stable package updates??
There's a vulnxml feed for OpenBSD ports. It should be updated with critical patches, and those should be pulled into 4.2-stable. If your business depends on OpenBSD ports, maybe you can sponsor a 4.2-stable build sandbox. I know mine does, and I'm happy to host it. We're talking at-most 30 minutes a day of TLC. ~BAS On Wed, 2007-12-12 at 17:06 +0100, Antoine Jacoutot wrote: On Wed, 12 Dec 2007, ico wrote: How do you gents keep your 4.2 stable OpenBSD server ( read packages, not system ) bug free? If I remember correctly, I'm not supposed to use 4.2 stable system with current ports. Personally, I use -current (base+packages) everywhere. But this is just me. -- Brian A. Seklecki [EMAIL PROTECTED] Collaborative Fusion, Inc.
Re: no 4.2-stable package updates??
critical patches, and those should be pulled into 4.2-stable. Unfortunately, it isn't that easy. Some updates imply updates of dependent ports (e.g. poppler and evince), which may imply further updates of dependencies. So you'll end up with -current -- more or less, including more updates... Mattias: Making that distinction the critical thinking responsibility of the system administrator. No vulnxml syntax exists for describing ranges of vulnerable versions compatible with every project's versioning and release engineering scheme, as they all differ. That should not stop us from doing the best we can with the existing limitations. ~BAS
Re: Had a strange problem with CARP preemption
On Thu, 2007-12-20 at 15:31 +1100, Dave Harrison wrote: Because carp doesn't log its state changes etc, I've been writing the Over Christmas, I may backport the FreeBSD carp(4) logging improvements and submit them with kernel/5512. ~BAS
Re: Trouble Installing OpenBSD 4.2 stable
On Fri, 2007-12-28 at 17:16 -0600, Alan Hamlett wrote: Currently running OpenBSD i386 3.8 with one 20GB IDE drive at wd0a and one 250gb IDE drive all partitioned for bsd. Trying to install OpenBSD i386 4.2 from install42.iso by trading the 250gb drive for a cd-rom drive. I keep getting this error message and I believe it has to do with the missing 250gb drive: /dev/rwd0a: file system is clean; not checking Can't open /dev/rwd1d: Device not configured CAN'T CHECK FILE SYSTEM. /dev/rwd1d: UNEXPECTED INCONSISTENCY; RUN fsck_ffs MANUALLY. The upgrade script tries to read your old fstab(5) and fsck(8) your existing file systems. wd1* is attached when your drive is there. when you replace it with a ROM it goes away. The same error would happen if you booted the system w/o the 250 attached in 3.8. Just comment out wd1* entries in your fstab(8) before you boot into the install CD. We're assuming here that wd1* contains data-only and no system partitions. ~BAS Automatic file system check failed; help! My dmesg output: OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel Celeron (GenuineIntel 686-class, 128KB L2 cache) 498 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR real mem = 199860224 (195176K) avail mem = 175497216 (171384K) using 2465 buffers containing 10096640 bytes (9860K) of memory
sudo 1.6.9p20 patch in OPENBSD_4_3 and OPENBSD_4_4
All: Do we want to slip this into presently supported branches containing 1.6.9p17? It's a quick patch: http://www.sudo.ws/cgi-bin/cvsweb/sudo/parse.c.diff?r1=1.160.2.21r2=1.160.2.22only_with_tag=SUDO_1_6_9 I tested it on -rOPENBSD_4_3. Just be sure to nuke the version string. $ more sudo_p20.patch === RCS file: /home/anoncvs/cvs/sudo/parse.c,v retrieving revision 1.160.2.21 retrieving revision 1.160.2.22 diff -u -p -r1.160.2.21 -r1.160.2.22 --- sudo/parse.c2008/11/02 14:35:53 1.160.2.21 +++ sudo/parse.c2009/01/28 00:50:01 1.160.2.22 @@ -651,9 +651,11 @@ usergr_matches(group, user, pw) /* * If the user has a supplementary group vector, check it first. */ -for (i = 0; i user_ngroups; i++) { - if (grp-gr_gid == user_groups[i]) - return(TRUE); +if (strcmp(user, user_name) == 0) { + for (i = 0; i user_ngroups; i++) { + if (grp-gr_gid == user_groups[i]) + return(TRUE); + } } if (grp-gr_mem != NULL) { for (cur = grp-gr_mem; *cur; cur++) { sekle...@seawing:/usr/src/usr.bin$ sudo patch -p0 sudo_p20.patch Hmm... Looks like a unified diff to me... The text leading up to this was: -- |=== |RCS file: /home/anoncvs/cvs/sudo/parse.c,v |retrieving revision 1.160.2.21 |retrieving revision 1.160.2.22 |diff -u -p -r1.160.2.21 -r1.160.2.22 |--- sudo/parse.c 2008/11/02 14:35:53 1.160.2.21 |+++ sudo/parse.c 2009/01/28 00:50:01 1.160.2.22 -- Patching file sudo/parse.c using Plan A... Hunk #1 succeeded at 606 (offset -45 lines). done
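Review bot: the comment above the loop, "If the user has a supplementary group vector, check it first.", no longer describes the code once the `if (strcmp(user, user_name) == 0)` guard is in place; the supplementary group vector belongs to the invoking user, so with this hunk it is consulted only when the user being matched is that invoking user, and matching any other user falls straight through to the gr_mem scan. Update the comment to say that, e.g. "Only the invoking user's supplementary groups are known here; consult them only when matching that user." Also, since patch(1) reports the hunk landing at offset -45 lines on the OPENBSD_4_3 copy, confirm in the patched file that the guarded loop sits inside usergr_matches() and that user_name is the same global the 1.6.9p17 tree uses there before nuking the version string.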
Re: ipsec(4) routing for a branch offices
On Thu, 2007-10-18 at 09:35 +0200, Mitja MuEeniD wrote: This is the correct behaviour, as ipsec tunnel selection happens earlier in the process than route selection, the traffic for 192.168.64.0/24 enters the tunnel because it matches the remote subnet 192.168.0.0/16. Use this on the 192.168.64.1 machine to create a bypass flow in ipsec.conf: This works exceptionally well! Thanks very much. Beers on us. As for correct behavior, that may be accurate from a pragmatic source code ip_output()/ip_output() standpoint, but very few IP stacks give Directly Connected routes lower priority than IPSec SAs. IMHO, it is important to follow the precedent set. ~BAS flow esp from 192.168.64.0/24 to 192.168.64.0/24 type bypass This will prevent the traffic from 192.168.64.0/24 to 192.168.64.0/24 from entering the tunnel. Mitja -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian A. Seklecki Sent: Thursday, October 18, 2007 2:02 AM To: misc@openbsd.org Subject: ipsec(4) routing for a branch offices On a variety of 3rd party platforms, I often establish an SA between two IPSec devices with a /16 of RFC 1918 space on one side and a /24 on the other (sometimes as much as a /19). This uneven size subnet arrangement prevents the need for full-mesh in a large corporate network. It allows for hub and spoke. I remember an OpenBSD 3.6-era bug, which I was certain was PR'd and fixed, that caused this configuration to fail. 
On a remote branch office policy router, I have the following ENCAP family routes (below). Here's the problem:

1) Traffic sourced from the internal interface (192.168.64.1/24) for the directly connected subnet 192.168.64.0/24 is transmitted across the tunnel in ESP
2) Traffic from the locally connected subnet reaches the interface of the internal (64.1/24), but reply packets are attempted to forward across the tunnel instead of back out of the physical interface

Routing tables

# netstat -rn -rf encap
Encap:
Source          Port  Destination     Port  Proto  SA(Address/Proto/Type/Direction)
192.168/16      0     192.168.64/24   0     0      206.210.89.200/esp/use/in
192.168.64/24   0     192.168/16      0     0      206.210.89.200/esp/require/out

# netstat -rn -f inet
Internet:
Destination     Gateway          Flags  Refs  Use     Mtu  Interface
default         71.166.xxx.xxx   UGS    11    173981  -    em2
71.166.245/24   link#3           UC     1     0       -    em2
192.168.64/24   link#1           UC     4     0       -    em0

Strange as hell:

$ sudo tcpdump -i em0 -s 256 !port 22
$ ping 192.168.64.100
PING 192.168.64.100 (192.168.64.100): 56 data bytes

[but, what is seen on another terminal]

[1] sudo tcpdump -i em2 -s 256 !port 22
20:00:28.610672 esp x.east.verizon.net > vpncxxx.pub.collaborativefusion.com spi 0x0ACAEE17 seq 89 len 116

ICMP packets giving me the old slip-a-roo out the back door :}

-- Brian A. Seklecki [EMAIL PROTECTED]
CEF / MLS (WAS: Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?)
On Mon, 2007-10-22 at 00:12 +0100, Tony Sarendal wrote: On 10/21/07, Henning Brauer [EMAIL PROTECTED] wrote: I'll throw this out there since its been something on my mind for a while: Hardware VLAN tagging, TOE offload, IP/UDP/TCP Checksum offload, interface polling are all ways to accelerate packet forwarding. How about a standards-based hardware-software API equivalent to Cisco's CEF or MLS? The basics:

- layer 3 or layer 4 state (flow) is identified and established using software IP-forwarding.
- the software dynamically programs the switching hardware backplane ASIC to accelerate forwarding the flow w/o further software inspection (Including Fragment Reassembly, etc.)

There is probably a huge market out there for a commodity standards based hardware (if it could be done) ~BAS
Re: Installing the latest snapshot freezes on i386
On Tue, 2007-10-23 at 01:42 -0700, Reza Muhammad wrote: Hi all, I just recently purchased a brand new HP Pavilion G3035L Desktop PC (spec: http://www.anugrahpratama.com/product/21/1092/HP-Pavilion-G3035L-Desktop-PC). It's using Intel Core Duo processor. I tried to install OpenBSD's latest snapshot to this machine last night. The thing is it freezes and it wouldn't install. Here's the messages I got from my screen: Try interrupting boot and booting into the real-time kernel config:

[OpenBSD banner]
boot> boot -c
ukc> verbose
ukc> enable acpi0
ukc> disable apm0
ukc> exit

~BAS ehci0: timed out waiting for BIOS usb0 at ehci0: USB revision 2.0 Does anyone know what the problem is? Is some of the hardware not supported by OpenBSD? What should I do so this machine can run OpenBSD? Thanks for the help. I appreciate it. -Reza
Re: SUMMARY: Still unable to get Cyclades Z serial ports working with OpenBSD
On Thu, 2007-10-25 at 14:39 -0700, Don Jackson wrote: no channels attached Well, no channels attached tells me its a hardware issue (cables`n`shit), or the software failing to properly probe the hardware. Does it work in another system under another platform (Linux LiveCD, etc.). I use the Y-Series on NetBSD and its finicky. There are times when my systems refuse to post the BIOS until I re-seat the card. cy0 at pci0 dev 15 function 0: Cyclades-Y multiport serial cy0: interrupting at irq 7 cy0: 16 channels (ttyCY000..ttyCY015) -- !!! NOTE THIS !!! ~BAS
Re: CEF / MLS (WAS: Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?)
On Mon, 2007-10-22 at 12:04 +0200, Henning Brauer wrote: * Claudio Jeker [EMAIL PROTECTED] [2007-10-22 08:17]: Fragment Reassembly does not happen in the forwarding plane, it happens on the end system. By doing flow based forwarding on the router you're no longer able to do all the additional checks that pf(4) is doing in its stateful forwarding path. and we don't actually need these on a non-edge router. I'd go so far to say they hurt in that case. I agree. Just to confirm... you do not encourage the use of fragment reassembly at forwarding points other than the network periphery? We recently ran into some intermittent TCP connection stalls in a network where end point systems were behind as many as three PF systems end-point to end-point. pfctl -x loud had a direct correlation to the stalls and reassemble debug activity output. We didn't debug it too much because there was a mix of 3.7, 3.9, and 4.1 systems and we wanted to standardize on 4.2 before filing any superfluous bug reports. ~BAS There is probably a huge market out there for a commodity standards based hardware (if it could be done) I doubt it, the necessary HW is just too expensive and complex. I totally agree with the statement that there is a huge market for that - but getting supported, fully working hardware at reasonable prices for it is indeed a gigantic challenge.
Re: Problem with MP on 4.2
first try to enable acpi and see what happens. Thanks. Enabling acpi did not make a difference, but then I disabled apm and it's working. Right -- all of the example ukc output shows how to enable acpi0 but no one ever shows how to disable apm0. ~BAS Abdul HTH, Stijn
Re: OpenBSD 4.2 RAIDFrame mirror
On Thu, 2007-10-25 at 10:50 +0200, Dominik Zalewski wrote: Dear All, I have a machine with two Maxtor 160GB hard disks. I've installed OpenBSD 4.2 on first one and I would like to use second one as a mirror. If you really want to kick at the dead horse, I can probably roll a 4.2 install image that has RAIDFrame in the RD, so you can set it up properly at install time. Your best bet is an entry-level bio(4) manageable hardware RAID Controller. ~BAS As far as I understood I will have to repartition and reinstall whole system to enable second disk as a mirror. All I want is to have software RAID 1.
Re: vlan configuration: off-topic
On Fri, 2008-01-18 at 11:49 -0200, John Nietzsche wrote: Dear gentleman, i am starting with vlan topic right now. I am in need to get two dell powerconnect 2724 switches to implement 3 vlan. I know how to The Dell PC2724 can't move its mgmt vlan from VLAN1, and *BSD vlan(1) won't transmit VLAN 1 as tagged (per spec). The work around is to assign VLAN1's IP on your *BSD gear to the physical interface of your VLAN trunk. I'm about to remove the last of any/all Dell switches from my network -- an announcement which I'm sure Dell will censure from their forums. Ass - Holes. ~BAS
Re: Watching the progress of dd if=drive1 of=drive2
On Sat, 2008-02-23 at 12:15 -0800, Jon wrote: I'm using dd to clone a drive. How can I watch the progress of this or see the transfer rate in real time? It should accept SIGINFO (control+G) on most terminals. You may also be able to compile progress(1) ~BAS
Re: Thank you: Re: Watching the progress of dd if=drive1 of=drive2
On Sat, 2008-02-23 at 13:46 -0800, Jon wrote: on some learning paths here. This mailing list is awesome. Thank you. just remember that when 4.3 CD pre-release-sales are announced :)
Re: openbsd router hardware
On Mon, 2007-12-24 at 13:29 +0100, Joerg Zinke wrote: Hi, I'm looking for hardware to install an openbsd based dsl-router. I already searched the list archives and looked at WRAP and Soekris, but it seems that they do not match my requirements: - fanless - as small as possible

- Soekris
- Routerboard
- Axiomtek
- ARInfotek
- Nexcom
- Advantech
- Acrosser
- Win Enterprises

I think that we can agree that you really want to avoid VIA-anything. You really get what you pay for. Some set top models I've looked at:

http://www.axiomtek.com/products/ViewProduct.asp?view=470
http://www.nexcom.com/product/productshow.jsp?iid=11pid=919
http://www.advantech.com/products/Tabletop-Intel-Pentium-MProcessor-based-Platformwith-4-PCIe-LAN-Ports-MINIPCI-Expansion-Onboard/mod_1-2JKJKY.aspx
http://www.acrosser.com/Product/Networking%20applicance/VPN-V-Series/Firewall_eden_m9923.html
http://www.arinfotek.com/product/product.asp?idx=2002pid=11

~BAS - at least 2, better 3 ethernet ports - a wlan-card (as access point in hostap mode) - mainboard and other hardware should work with openbsd of course, would be nice to see output from hw.sensors* - storage should have at least 10GB, I think this leads to a real ide/sata-disk (maybe 2.5) - vga-output (because I have no other machine with a serial port to do the installation) - lcd-display (something that is supported by lcdproc, which seems to work fine on openbsd) Not a requirement, but nice-to-have: usb-2.0 port(s). Does anyone know a company or vendor which builds such an (openbsd-)ready system fulfilling the above requirements? Or do I need to start buying all pieces (maybe mini-itx based?) and assemble them on my own? Any hints? Regards, Joerg
Re: Simple OBSD/Samba sharing/restart question
On Mon, 2008-03-31 at 12:36 -0400, Dan Brosemer wrote:

But should you need to stop and start it, just kill off the [sn]mbd processes and fire them off manually. Use /etc/rc.local as your command line flag/switch reference point.

~BAS
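As an added example of the procedure above (my code, not from the thread or from the Samba package): pull the smbd/nmbd start lines out of rc.local and relaunch the daemons with exactly those flags, so a hand restart cannot quietly come up with a different config file or switches than the boot-time start. The rc.local fragment, the /usr/local/libexec paths and the -s flag are constructed for the example; read your own /etc/rc.local on a real box.

```python
import re
import shlex
import subprocess
import time

# Constructed sample of the smbd/nmbd lines an rc.local might carry (hypothetical
# paths and flags; check your own /etc/rc.local rather than trusting these).
SAMPLE_RC_LOCAL = """\
# Samba (constructed sample, not a real rc.local)
if [ -x /usr/local/libexec/nmbd ]; then
        echo -n ' nmbd'; /usr/local/libexec/nmbd -D
fi
if [ -x /usr/local/libexec/smbd ]; then echo -n ' smbd'; /usr/local/libexec/smbd -D -s /etc/samba/smb.conf; fi
"""

DAEMONS = ("nmbd", "smbd")


def samba_start_cmds(rc_local_text):
    """Return {daemon: argv} for the first smbd and nmbd start line in rc.local text.

    The "[ -x /path/smbd ]" existence test is removed before matching so it is not
    mistaken for the start command, and comment lines are skipped."""
    cmds = {}
    for line in rc_local_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        line = re.sub(r"\[\s*-x\s+[^\]]*\]", "", line)
        for daemon in DAEMONS:
            if daemon in cmds:
                continue
            # a path ending in /<daemon>, delimited by whitespace, ';' or '&',
            # followed by its flags up to the next ';' or '&'
            m = re.search(
                rf"(?:^|[\s;&])(\S*/{daemon})(?=[\s;&]|$)((?:\s+-[^;&]*)?)", line
            )
            if m:
                cmds[daemon] = shlex.split(m.group(1) + m.group(2))
    return cmds


def restart_samba(daemon, argv, grace=2.0):
    """Kill the running daemon, then relaunch it with the argv taken from rc.local."""
    if daemon not in DAEMONS or not argv:
        raise ValueError("no start command for %s" % daemon)
    # "kill off the [sn]mbd processes": TERM first, then KILL whatever ignored it.
    subprocess.run(["pkill", "-x", daemon], check=False)
    time.sleep(grace)
    subprocess.run(["pkill", "-9", "-x", daemon], check=False)
    # No shell and no re-parsing of a command string: argv came from root-owned
    # rc.local and is executed exactly as written there, so flags and config
    # path cannot drift from what the boot-time start uses.
    return subprocess.Popen(argv).pid


if __name__ == "__main__":
    # Parse the constructed sample; on a real box pass open("/etc/rc.local").read()
    # and then call restart_samba(daemon, argv) for nmbd first, then smbd.
    for daemon, argv in samba_start_cmds(SAMPLE_RC_LOCAL).items():
        print(daemon, "->", " ".join(argv))
```

Start nmbd before smbd, as rc.local does, and run it as root; the parser only recognises the daemon when its path is followed by flags or a delimiter, so a differently named binary such as smbd-ng is ignored rather than half-matched.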
Re: make build fails for OPENBSD_4_4 on i386
On Fri, 2008-08-08 at 13:59 +0200, Miod Vallat wrote:
> Until the cd-rom are actually created and the release is announced, tags are

Just trying to be helpful in reporting a build problem during the releng cycle. If there's a better venue for such reports, let's have it :)

~BAS
Re: Routing issue with VPN tunnel
On Mon, 2008-12-15 at 00:06 +, Danial wrote:
> I don't like responding to my own thread but I really need help with this one, so I'll try to rephrase the question:

Just about every userland utility has the ability to specify source transmit addresses (bind(4) function). If not, we can add it. It's probably the second-most-asked question on the Net-SNMP mailing lists (because of all of the embedding, likely).

~BAS

> The remote tunnel endpoint expects traffic originating from
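As an added example (my code, not from the thread or from Net-SNMP) of the bind-before-connect pattern the reply refers to: the client socket is bound to a chosen source address before connect(), and a local listener records the peer address it actually saw, which is what the remote tunnel endpoint would see. It assumes IPv4 TCP on loopback; 127.0.0.2 is only bindable where the loopback interface owns all of 127.0.0.0/8 (Linux does, other systems may not), and the code reports such an address as unusable instead of failing.

```python
import socket
import threading


def peer_seen_by_server(source_ip, listen_ip="127.0.0.1", timeout=3.0):
    """Bind the client socket to source_ip before connect() and return the peer
    address the listener recorded, i.e. what the far end of a tunnel would see."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((listen_ip, 0))            # port 0: let the kernel pick a free port
    srv.listen(1)
    srv.settimeout(timeout)
    port = srv.getsockname()[1]
    seen = {}

    def accept_one():
        try:
            conn, addr = srv.accept()
        except OSError:
            return                      # timed out or closed; seen stays empty
        seen["peer"] = addr[0]
        conn.close()

    t = threading.Thread(target=accept_one, daemon=True)
    t.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # The bind(2) call the reply refers to: fix the source address before
        # connect(), instead of letting the routing table choose it.
        cli.bind((source_ip, 0))
        cli.connect((listen_ip, port))
        t.join(timeout)
    finally:
        cli.close()
        srv.close()
    return seen.get("peer")


def source_address_choice(candidates):
    """Try each candidate source address; return {addr: what the server saw}.

    An address the host does not own fails at bind() (EADDRNOTAVAIL) and is
    reported as None, which is the failure mode to expect when a tunnel's
    inner address is not configured on any local interface."""
    results = {}
    for addr in candidates:
        try:
            results[addr] = peer_seen_by_server(addr)
        except OSError:
            results[addr] = None
    return results


if __name__ == "__main__":
    for src, seen in source_address_choice(["127.0.0.1", "127.0.0.2"]).items():
        print("bind %-10s -> server saw %s" % (src, seen))
```

The same knob in the tools themselves: Net-SNMP takes a clientaddr directive in snmp.conf to bind outgoing requests to a given address, and OpenSSH's ssh has -b for the same purpose; whichever tool is used, the address handed to bind() has to be configured on the local host or the call fails as above.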
