Presario 2100 Laptop overheating
I just installed 3.7 on a Presario 2100 laptop from the OpenBSD i386 CD. The laptop is having a problem with overheating and then shutting off while it isn't doing anything. top reports that the CPU usage is practically zero (it is 99.8% idle), and if I just let the laptop sit there at a console it will slowly get warmer and warmer until it eventually shuts off. The fan is running at a constant speed, that sounds like its max speed (from what I remember it sounding like in Windows), but I'm not sure.

I assume that the power saving features aren't quite working yet, as the fan starts up immediately when I turn it on after giving it enough time to completely cool down, and never turns back off again. Usually in Windows, I would power on, the fan would come on initially, and then in a few seconds the fan would go off, if the computer had been off long enough for it to cool down beforehand. The laptop had never overheated (as far as I'm aware) in Windows (XP), so I'm fairly sure this isn't a hardware related problem.

I've spent the last hour or so searching the archives for overheating related and fan related problems, but I was unable to find anything relevant. Does anyone have any experience with this or have any idea of what the problem might be?

My dmesg follows:

OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: mobile AMD Athlon(tm) XP2200+ ("AuthenticAMD" 686-class) 1.79 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 736665600 (719400K)
avail mem = 664723456 (649144K)
using 4278 buffers containing 36937728 bytes (36072K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(2c) BIOS, date 10/16/03, BIOS32 rev. 0 @ 0xfd730
pcibios0 at bios0: rev 2.1 @ 0xfd730/0x8d0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf10/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Acer Labs M1533 ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xf000 0xcf000/0x800 0xdb000/0x1000! 0xdc000/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "ATI RS100 AGP" rev 0x13
ppb0 at pci0 dev 1 function 0 "ATI RS100 PCI" rev 0x01
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "ATI Radeon IGP 320M" rev 0x00
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ohci0 at pci0 dev 2 function 0 "Acer Labs M5237 USB" rev 0x03: irq 9, version 1.0, legacy support
ohci0: SMM does not respond, resetting
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Acer Labs OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 4 ports with 4 removable, self powered
autri0 at pci0 dev 6 function 0 "Acer Labs M5451 Audio" rev 0x02: irq 5
ac97: codec id 0x43585429 (Conexant CX20468 rev 1)
ac97: codec features reserved, headphone, 18 bit DAC, 18 bit ADC, No 3D Stereo
audio0 at autri0
midi0 at autri0: <4DWAVE MIDI UART>
pcib0 at pci0 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00
vendor "Acer Labs", unknown product 0x5457 (class communications subclass modem, rev 0x00) at pci0 dev 8 function 0 not configured
"Broadcom BCM4306" rev 0x02 at pci0 dev 9 function 0 not configured
cbb0 at pci0 dev 10 function 0 "O2 Micro OZ69[17]2 CardBus" rev 0x00: irq 5
"Texas Instruments TSB43AB21 FireWire" rev 0x00 at pci0 dev 12 function 0 not configured
pciide0 at pci0 dev 16 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc4: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA, 19077MB, 39070080 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
"Acer Labs M7101 Power Mgmt" rev 0x00 at pci0 dev 17 function 0 not configured
sis0 at pci0 dev 18 function 0 "NS DP83815 10/100" rev 0x00: DP83816A, irq 11, address 00:0d:9d:81:85:a1
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi1 at pcppi0:
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0x20
pcmcia0 at cardslot0
biomask e76d netmask ef6d ttymask ffef
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
WARNING: / was not properly unmou
Re: OpenBSD's 10th birthday
On Tue, Oct 18, 2005 at 03:00:12AM -0600, Theo de Raadt wrote:
> Now it is really OpenBSD's 10th birthday ;)

Happy birthday from Switzerland! And many thanks to all active developers and everyone who participates in Free Software!

--
Stephan A. Rickauer (Associate Member of FSF)
Institut für Neuroinformatik
Universität / ETH Zürich
Winterthurerstrasse 190
CH-8057 Zürich
http://www.ini.ethz.ch
Re: Very high interrupts on a supermicro machine.
eh, this is really only good for benching, because otherwise we stop traversing the pf ruleset for very short amounts of time if we are about to exhaust CPU. this allows already established connections to live on and the OP to log in to the box via console and take countermeasures. if you already had an ssh session to the box it has good chances to survive and you can even take countermeasures over that.

what you really want to do for high speed routers is increasing net.inet.ip.ifq.maxlen. I currently use 250 on some routers which seems good, but I need to do more tests before I can make qualified assumptions about good values. This is the max length of a queue in the input path, and the default of 50 packets is too small for high speed routers with modern GigE cards that can put about that into the queue with one single int. Or even more.

In the end I think we need a better default based on some factors like ip forwarding enabled and summarized link speed and RAM in the box or somesuch. Ryan and I discussed that on the ferry earlier this year and have some good ideas, now we just need some time to work on it ;(

* Schöberle Daniel <[EMAIL PROTECTED]> [2005-10-18 18:36]:
> Hi,
>
> I was trying to bench routing pps with pf on and henning gave me
> some advice which I think might help you too. For my benching purposes
> it helped break the 200k pps barrier with current but no guaranties
> that it'll do you any good or that it won't hurt you.
>
>
> The high drop rates are a anti-DDoS measure - yeah, that pretty much makes benching
> impossible...
> you could change IF_INPUT_ENQUEUE in sys/net/if.h so that it looks like
>
> #define IF_INPUT_ENQUEUE(ifq, m) { \
>         if (IF_QFULL(ifq)) { \
>                 IF_DROP(ifq); \
>                 m_freem(m); \
>         } else \
>                 IF_ENQUEUE(ifq, m); \
> }
>
> i. e. remove these two lines:
>         if (!(ifq)->ifq_congestion) \
>                 if_congestion(ifq); \
>
> that means the congestion flag will never be set.
> or you add a return; as first statement in if_congestion() in if.c.
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > On Behalf Of dormando
> > Sent: Monday, October 17, 2005 8:29 PM
> > To: misc@openbsd.org
> > Subject: Very high interrupts on a supermicro machine.
> >
> > Hey all,
> >
> > Attached is a dmesg of one of a pair of supermicro based firewalls I
> > recently bought. I had set them up as a CARP/pfsync redundant pair of
> > frontend firewalls for our network. However, after they reached 15,000
> > interrupts per second (~ 110 megabits of our site traffic), they passed 90%
> > CPU usage through interrupts and stopped being useful.
> >
> > The machines have two built-in BGE nics. I swapped in an Intel PRO/1000MT
> > Dual Port Server Nic into a PCI-X 133mhz PCI slot, but it made absolutely no
> > difference in the interrupt load. The current firewalls in place are freebsd
> > machines running on supermicro hardware with two em based built-in nics
> > running past 40k interrupts without passing 50% CPU load on interrupts. The
> > only error I can see in the dmesg was this:
> >
> > pcibios0: no compatible PCI ICU found: ICU vendor 0x8086 product 0x2640
> > pcibios0: Warning, unable to fix up PCI interrupt routing
> > pcibios0: PCI bus #5 is the last bus
> >
> > ... which as far as I can read, is "harmless", but potentially causing
> > higher interrupt load?
> >
> > Any hints as to where I should look next would be great. I'm about to
> > install the latest -current snapshot on the machine to see if there's a
> > recent fix.
> >
> > I'm about 95% sure this is the motherboard we're using:
> > http://www.supermicro.com/products/motherboard/P4/E7221/P8SCT.cfm
> > I'll check with the order guy and confirm the PO.
> >
> > There's a 3.4ghz P4 CPU in it, the two built-in nics, and a single PCI-X
> > 133mhz PCI port which I used for the dual port server nic from intel. SATA
> > harddrive for what it's worth. Running OpenBSD 3.7 as a PF firewall. I've
> > tried changing a bunch of BIOS options, disabling interrupts, etc. I haven't
> > compiled my own kernel or built the OS or anything.
> >
> > Thanks,
> > -Dormando
>

--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
Re: Guruness (was the bug report thread)
* Wolfpaw - Dale Corse <[EMAIL PROTECTED]> [2005-10-19 05:13]:
> you, BSD does not stand up to it .. Now I admit - it was years ago,
> and it was FreeBSD that we tried

yeah yeah, and we all know that OpenBSD is just ErsatzFreiBSD with another name on it, right? sheesh.

> > http://openbsd.rt.fm/query-pr.html
> Nice :) See.. This is what I'm talking about - perhaps it
> Should be linked off the main site too? (Or is it, and I
> Can't read?)
> Where is the submission system?

my name shall be melinda if report.html, which you apparently STILL didn't read (I miss words for that level of ignorance. really.) doesn't mention sendbug.
Re: Presario 2100 Laptop overheating
Joe Snikeris wrote:
> OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
>     [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: mobile AMD Athlon(tm) XP2200+ ("AuthenticAMD" 686-class) 1.79 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

Hello Joe,

The good news is that your processor should feature AMD's PowerNow technology. If it does, you can scale the CPU's frequency and voltage back by adjusting the hw.setperf sysctl (takes an integer value between 0 and 100 and adjusts the fid/vid to the closest pair compatible with your processor). With a dmesg from a newer snapshot you can identify support for this feature by looking for e.g.

cpu0: AMD Powernow FID VID

There are other flags; FID and VID are the ones you're interested in.

The bad news is that some of the early systems have a bug that prevents PowerNow from being detected. There is a dirty hack that can deal with this; I suspect it is what you need. Rather than repost this rather verbose thread I will direct your attention to http://marc.theaimsgroup.com/?l=openbsd-misc&m=28007522174&w=2

hmmm ... just spotted another bug in powernow-k7.c:

/* On bootup the frequency should be at it's max */

is wrong: true for desktop processors ("Cool'n'Quiet") but not the mobile ones ("PowerNow"); that's how you tell them apart. In any case there are more than a few people who reported that thread as helpful, so give it a shot.

Anyway hope this was helpful,
GWK
Re: OpenBSD's 10th birthday -- how about a present?
STeve Andre' wrote:
> On Tuesday 18 October 2005 21:07, Paul Greene wrote:
> > STeve Andre' wrote:
> > > Seeing all sorts of good wishes to the project, but I haven't seen
> > > any gifts, yet. ;-)
> > >
> > > I just paypaled $25 to the project, as a birthday present. Given
> > > what we all get from this OS, OpenBSD deserves something.
> > >
> > > Can I get 10 others to make some kind of donation? It doesn't have
> > > to be a lot...
> > >
> > > --STeve Andre'
> >
> > Well, I finally got out the credit card and actually paid for some CDs.
> > Does that count?
> >
> > Paul
>
> Sure it does. It helps the project. Thank you.
>
> So, four people donating money and one buying a CD set. ...Do I hear more?
>
> --STeve Andre'

CD + shirt + $100 donation... and I am still getting the better end of the deal.

Buon compleanno OBSD

-Keith
"Perished Nations" by Harun Yahya
PERISHED NATIONS
Harun Yahya

The news of previous peoples is certainly one of the matters people ought to contemplate. In history, many societies have been wiped off of the face of the earth because of their denial and perversions. God tells us that these cases of destruction should be a warning for succeeding generations. Indeed, there are examples in the stories of past communities for people endowed with understanding. Having perished because of their rebellion against God and their rejection of His commands, those communities reveal to us how weak and impotent mankind is with respect to God.

Here are the true stories of these societies. All of them were destroyed: some by a volcanic eruption, some by a disastrous flood, and some by a sand storm... Nearly all the incidents of destruction related by God have become "observable" and "identifiable" thanks to the current archive studies and archaeological finds. In this study, the traces of some of the cases of destruction are dealt with.

We sent none before you but men inspired with revelation from among the people of the cities. Have they not travelled in the land and seen the final fate of those before them? The abode of the hereafter is better for those who guard against evil. So will you not use your intellect? (The Koran: 12:109)

Perished Nations examines these examples in a chronological order and in light of archaeological discoveries. Perished Nations is available in French, Portuguese, Spanish, Russian, German, Dutch, Albanian, Arabic, Malay and Indonesian.

Profile on Harun Yahya: A leading Muslim intellectual from Turkey, Harun Yahya is the author of many books concerning the world of Islam such as the relationship of science and Islam, interfaith dialogue, and the importance of unity among believers of all faiths. Harun Yahya enjoys a wide readership from all nations, languages and religions, and many of his books have been translated into more than 40 languages. His works have also been received with interest by Western scientific circles, and some of his scientific texts have been reviewed in various scientific journals as the most important expositions of Islamic creationism. These journals include The New Scientist, Science, NCSE (National Center for Science Education) Reports, and The Cladistics.
Routing issue with BIND9 and IPsec
Dear all,

I have a very strange interaction between BIND9 and IPsec which I can't understand and I hope someone here can shed some light.

An OpenBSD primary DNS server, running BIND9 with a simple named.conf (single view, etc.) also has an IPsec connection over which a tunnel runs connecting two RFC1918 networks. Both endpoints run OpenBSD 3.7-stable (CVS updated yesterday), the hardware is also identical (HP Compaq Proliant DL320):

<192.168.160/24>--[DNS box]--- IPsec ---[other endpoint]--<192.168.1/24>
                  X.Y.142.162           X.Y.143.226

the IPsec setup is trivial (from /usr/share/ipsec/vpn simply modifying the values in the script).

The IPsec tunnel works perfectly but BIND9 occasionally (apparently when a reload is issued to load a new zone or when an AXFR takes place from the other nameservers for the zones held) starts routing all responses to *any* DNS query via the IPsec tunnel. That is to say that any external query from the routable Internet is responded to by sending packets down the IPsec link to the other endpoint where PF rejects the packet. Any other traffic (traceroute, SSH, ICMP) works perfectly and does not suffer from this issue.

When blocks start appearing on the endpoint's logs the fix is simple: on the DNS box "ipsecadm flush" and re-run the VPN script. Obviously this is not too good for a production system since these sudden "DNS via IPsec" changes occur at unpredictable times (diagnostic: dig @nameserver primary.zone.com fails).

The details:

DNS box: OpenBSD 3.7-stable, /usr/src CVS as of Tuesday evening, BIND9 with trivial modification of named.conf from the OpenBSD distro simply loading the master zones and adding a listen-on restriction, IPsec setup from /usr/share/ipsec/vpn

endpoint: OpenBSD 3.7-stable, /usr/src CVS as of Tuesday evening, IPsec setup from /usr/share/ipsec/vpn, PF

Example traffic:

dns-box# traceroute -n 192.168.1.18
traceroute to 192.168.1.18 (192.168.1.18), 64 hops max, 40 byte packets
 1  X.Y.143.226  1.214 ms  1.236 ms  1.272 ms
 2  192.168.1.18  1.418 ms  1.415 ms  1.420 ms

vpn-endpoint# traceroute -n 192.168.161.162
traceroute to 192.168.161.162 (192.168.161.162), 64 hops max, 40 byte packets
 1  X.Y.142.162  1.315 ms  1.322 ms  1.370 ms
 2  192.168.161.162  2.399 ms  1.947 ms  1.961 ms

vpn-endpoint# netstat -rn -f encap
Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
X.Y.142.162/32     0     X.Y.143.226/32     0     0      X.Y.142.162/50/require/in
X.Y.142.162/32     0     X.Y.143.226/32     0     50     X.Y.142.162/50/permit/in
X.Y.142.162/32     0     192.168.1/24       0     0      X.Y.142.162/50/require/in
192.168.161/24     0     X.Y.143.226/32     0     0      X.Y.142.162/50/require/in
192.168.161/24     0     192.168.1/24       0     0      X.Y.142.162/50/require/in
X.Y.143.226/32     0     X.Y.142.162/32     0     0      X.Y.142.162/50/require/out
X.Y.143.226/32     0     X.Y.142.162/32     0     50     X.Y.142.162/50/permit/out
X.Y.143.226/32     0     192.168.161/24     0     0      X.Y.142.162/50/require/out
192.168.1/24       0     X.Y.142.162/32     0     0      X.Y.142.162/50/require/out
192.168.1/24       0     192.168.161/24     0     0      X.Y.142.162/50/require/out

the entries for dns-box are symmetrical to the above.

Example snafu from a DNS query to the dns-box (on vpn-endpoint):

Oct 19 11:19:44.884586 rule 80/(match) block out on bge0: X.Y.142.162.53 > 213.207.142.101.3861: [udp sum ok] 31987*- q: SOA? example.com. 1/5/5 example.com. SOA dns.example.com. hostmaster.example.com. [...]

Any suggestions more than welcome,

Thanks,

Arrigo
Re: Non Developers allowed to ask questions ?
There is a legitimate use for top posting. Deletion and/or answer of message in 10 to 15 seconds or less.

The stunt is essentially the same as stuff in newspapers. The reporter writes. The editor puts as much as will fit in the allotted space and ignores the remainder without even looking. The readers read as far as they like and then stop reading.

Top posting totally messes up any attempts at coherent follow-ups. Hmmm, does that explain some of the problems with media?

If I had another point to make, I have run out of space in which to make it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin .
Sent: Tuesday, October 18, 2005 5:41 PM
To: misc@openbsd.org
Cc: [EMAIL PROTECTED]
Subject: Re: Non Developers allowed to ask questions ?

>there seems to be some unwritten rule that users (not to be confused
>with developers) are not allowed to ask whether certain things are
>supported in OpenBSD or when these items are likely to be available,

Nope--not at all. Stupid questions that show a lack of research and/or lack of supporting documentation (like a dmesg when required) are seriously frowned upon though. In fact such posts usually just get ignored.

The minimal rules (for the record) are:

1) Top posting is nearly always bad. Consider emails you're sending as if they're being published in a book. Books make sense read from top to bottom. This is particularly important for logic-flow in the lists when multiple parties get involved.

2) Check at *very* least the following various resources before posting:
   http://www.openbsd.com/faq/
   ftp://ftp.openbsd.org/pub/OpenBSD/doc/pf-faq.txt (for PF questions)
   http://www.openbsd.com/plat.html (for your respective hardware)
   http://www.google.com (do at least the basic research to see if it has been discussed)

3) Holy wars and similar philosophical debates are nearly always useless. In fact aside from those for yanking out crappy software / licenses, I can think of not one instance where one has been anything BUT useless. Messages like that should go to /dev/null instead of the list. You'll feel better and so will we. ;-)

4) Never ask for driver or software support that doesn't include offers to provide:
   - free or at VERY, VERY least absolutely-no-strings-attached loaner hardware
   - offer to fund development
   Most developers have 'day jobs.' This ain't Microsoft where people punch clocks. These guys are doing this because it's fun and because they use it themselves. Asking for development of something complicated like drivers (especially for some old trashy ISA NIC for instance) brings no one joy when they themselves have no use for it. Follow? Most of them--like the rest of us sane folk--would rather be doing something fun and/or useful to *themselves* when finished.
   Last footnote: when requesting support, include _brief_ reasoning why (particularly in context of it benefiting the entire community) it would be good for all, and it's M-U-C-H more likely to get attention than, "Uh... anyone working on this?"

5) If you get no answer, consider it an implicit "no". For a dozen people to stand up and say, "no," makes no sense, right? It takes time away from coding and just makes noise.

6) Barring that, an off-list note to a developer responsible for something similar **may** also make sense. Particularly if there's cash and/or hardware attached.

>So where does one post questions *after* having read the FAQ etc

C'mon. That depends on the question. If it's related to php5 you're probably better off with ports@; alpha specific comments should probably go to alpha@ and so on.

>If I was a developer I'd be posting to the tech@ list wouldn't I.

Maybe. Maybe not. Many developers post things to misc. Think about your audience and who's most likely to benefit from your questions / comments.

Any notions that anyone here is somehow beholden to you (that being the universal you, not you specifically) have got to go. By using the list, we're each asking for help from a tremendous resource of hundreds (thousands?) of people including the very developers themselves of your OS. We're getting support for the bargain price of free just for the asking. In exchange one must be reasonable. You'll never, ever get this from Microsoft or Cisco. There you'll get shuffled around on the phone for hours, talk to someone useless, get no answer, and more likely than not be $195 lighter in your loafers for the trip.

As I think most fellow misc@ listers will agree, an email with such questions certainly *leans* towards being hostile or at least passive-aggressive / accusatory. I'll afford the courtesy of benefit of the doubt. With that in mind if one doesn't get the response one wants, chances are the answer is "no." Now it's time to look to consider marshalling resources for a hardware/cash donation if you *really* want it done or to begin looking for another solution better suited to your needs. For some people that means
isakmpd, greenbow vpn client and NO PROPOSAL CHOSEN
Hi $misc

I have a problem with isakmpd and the greenbow vpn client (actually all windows vpn clients I have tried except freeswan and racoon). The problem is that I specify the protocols that the clients use but it seems that it's ignoring what I have specified.

A dump from tcpdump -vr /var/run/isakmpd.pcap says that the client is trying with these protocols:

[SNIP]
...
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute KEY_LENGTH = 128
...

my log from isakmpd says

Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute ENCRYPTION_ALGORITHM value 7
Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute HASH_ALGORITHM value 2
Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute AUTHENTICATION_METHOD value 1
Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute GROUP_DESCRIPTION value 2
Oct 19 13:15:56 tefnut isakmpd[32614]: Attribute KEY_LENGTH value 128
Oct 19 13:15:56 tefnut isakmpd[32614]: message_validate_vendor: vendor ID seen
Oct 19 13:15:56 tefnut isakmpd[32614]: nat_t_check_vendor_payload: NAT-T capable peer detected
Oct 19 13:15:56 tefnut isakmpd[32614]: message_validate_vendor: vendor ID seen
Oct 19 13:15:56 tefnut isakmpd[32614]: ipsec_responder: phase 1 exchange 2 step 0
Oct 19 13:15:56 tefnut isakmpd[32614]: message_negotiate_sa: transform 0 proto 1 proposal 1 ok
Oct 19 13:15:56 tefnut isakmpd[32614]: ike_phase_1_validate_prop: failure
Oct 19 13:15:56 tefnut isakmpd[32614]: message_negotiate_sa: proposal 1 failed
Oct 19 13:15:56 tefnut isakmpd[32614]: message_negotiate_sa: no compatible proposal found
Oct 19 13:15:56 tefnut isakmpd[32614]: dropped message from 62.242.xxx.xxx port 488 due to notification type NO_PROPOSAL_CHOSEN

my isakmpd.conf:

[General]
Retransmits=5
Exchange-max-time= 120
Shared-SADB=Defined
Default-phase-1-lifetime= 3600,60:86400
Default-phase-2-lifetime= 1200,60:86400
NAT-T-Keepalive=10

[Phase 1]
Default=ISAKMP-clients

[Phase 2]
Passive-connections=IPsec-clients

[ISAKMP-clients]
Phase= 1
Transport= udp
Configuration= greenbow-main-mode
Authentication= mekmitasdigoat

[IPsec-clients]
Phase= 2
Configuration= greenbow-quick-mode
Local-ID= default-route
Remote-ID= dummy-remote

[default-route]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0

[dummy-remote]
ID-type=IPV4_ADDR
Address=0.0.0.0

[greenbow-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= AES-SHA-GRP2

[greenbow-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-GR2-SUITE

[AES-SHA-GRP2]
ENCRYPTION_ALGORITHM= AES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_1_DAY

Basically it's taken from http://www.allard.nu/openbsd/greenbow/ since I googled for an answer but even though I take a copy of the isakmpd.conf on that page I still don't get through phase 1

Hope someone has an answer

Best regards
Kim

Ps. I'm using OpenBSD 3.7
Re: isakmpd, greenbow vpn client and NO PROPOSAL CHOSEN
On Wed, Oct 19, 2005 at 01:34:45PM +0200, Kim Nielsen wrote:
> [greenbow-quick-mode]
> DOI=IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-AES-SHA-PFS-GR2-SUITE

it's GRP2, not GR2

>
> [AES-SHA-GRP2]
> ENCRYPTION_ALGORITHM= AES_CBC
> HASH_ALGORITHM= SHA
> AUTHENTICATION_METHOD= PRE_SHARED
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_1_DAY
>
>
> Basically it's taken from http://www.allard.nu/openbsd/greenbow/ since I
> googled for an answer but even though I take a copy of the isakmpd.conf
> on that page I still don't get through phase 1
>
> Hope someone has an answer
>
> Best regards
> Kim
>
> Ps. I'm using OpenBSD 3.7
Re: isakmpd, greenbow vpn client and NO PROPOSAL CHOSEN
Hans-Joerg Hoexer wrote:
> On Wed, Oct 19, 2005 at 01:34:45PM +0200, Kim Nielsen wrote:
> > [greenbow-quick-mode]
> > DOI=IPSEC
> > EXCHANGE_TYPE= QUICK_MODE
> > Suites= QM-ESP-AES-SHA-PFS-GR2-SUITE
>
> it's GRP2, not GR2
>
> > [AES-SHA-GRP2]
> > ENCRYPTION_ALGORITHM= AES_CBC
> > HASH_ALGORITHM= SHA
> > AUTHENTICATION_METHOD= PRE_SHARED
> > GROUP_DESCRIPTION= MODP_1024
> > Life= LIFE_1_DAY

Thanks, but the problem I have is in phase 1; but now once I get to phase 2 it should work :)

/Kim
Re: Non Developers allowed to ask questions ?
On 19/10/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> There is a legitimate use for top posting.
> Deletion and/or answer of message in 10 to 15 seconds or less.

Nonsense. Just because your MS Outlook does not support or is not configured to support bottom-posting doesn't mean that you should find some invalid excuses for top-posting.

Cheers,
Constantine.
Re: isakmpd, greenbow vpn client and NO PROPOSAL CHOSEN
Rogier Krieger wrote:
> Last time I dealt with the NO_PROPOSAL_CHOSEN issue, it was due to an
> error in my keynote(4) policy. After re-creating it from scratch using
> the example files, things worked like a charm for me.
>
> Hope this helps,

I wish that was it .. I even tried to wget http://www.allard.nu/openbsd/openbsd/isakmpd.policy and use that but still the same problem

Regards
Kim
Re: isakmpd, greenbow vpn client and NO PROPOSAL CHOSEN
Hi,

On Wed, Oct 19, 2005 at 01:34:45PM +0200, Kim Nielsen wrote:
> [greenbow-main-mode]
> DOI=IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= AES-SHA-GRP2
>
> [greenbow-quick-mode]
> DOI=IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-AES-SHA-PFS-GR2-SUITE
>
> [AES-SHA-GRP2]
> ENCRYPTION_ALGORITHM= AES_CBC
> HASH_ALGORITHM= SHA
> AUTHENTICATION_METHOD= PRE_SHARED
> GROUP_DESCRIPTION= MODP_1024
> Life= LIFE_1_DAY

LIFE_1_DAY is not defined
Re: isakmpd, greenbow vpn client and NO PROPOSAL CHOSEN
Hans-Joerg Hoexer wrote:
> > [AES-SHA-GRP2]
> > ENCRYPTION_ALGORITHM= AES_CBC
> > HASH_ALGORITHM= SHA
> > AUTHENTICATION_METHOD= PRE_SHARED
> > GROUP_DESCRIPTION= MODP_1024
> > Life= LIFE_1_DAY
>
> LIFE_1_DAY is not defined

Hi :)

I added

[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600

but still same problem

Regards
Kim
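Both defects found in this thread are the same kind of mistake: a key that is supposed to name another section (Suites= with a misspelled built-in suite, Life= with a section that was never written) pointing at nothing, which isakmpd surfaces only as a generic NO_PROPOSAL_CHOSEN. The checker below is an added example, not isakmpd's own code; it parses the [Section] / Key=Value format and reports every dangling reference. The list of reference keys and the one-entry allowlist of built-in sections are assumptions limited to what the thread names, and the embedded config is Kim's posted isakmpd.conf with the [General] section left out.

```python
import re

# Keys whose values name other sections (comma-separated lists allowed).
# Assumption: our own list, covering the reference keys used in the thread.
REFERENCE_KEYS = {
    "Default", "Passive-connections", "Connections", "Configuration",
    "Transforms", "Suites", "Protocols", "Life", "Local-ID", "Remote-ID",
}

# Sections isakmpd defines internally, so they need not appear in the file.
# Assumption: only the suite named in the thread is listed; a real check
# would carry isakmpd's full built-in list.
BUILTIN_SECTIONS = {"QM-ESP-AES-SHA-PFS-GRP2-SUITE"}

def parse_sections(text):
    """Parse isakmpd.conf-style text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        else:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def dangling_references(sections, builtin=BUILTIN_SECTIONS):
    """Sorted (section, key, target) for each reference whose target is
    neither a section in the file nor a known built-in."""
    known = set(sections) | set(builtin)
    missing = []
    for name, keys in sections.items():
        for key, value in keys.items():
            if key in REFERENCE_KEYS:
                for target in (t.strip() for t in value.split(",")):
                    if target and target not in known:
                        missing.append((name, key, target))
    return sorted(missing)

# Constructed sample: the isakmpd.conf posted in the thread, minus [General].
THREAD_CONF = """
[Phase 1]
Default=ISAKMP-clients
[Phase 2]
Passive-connections=IPsec-clients
[ISAKMP-clients]
Phase= 1
Transport= udp
Configuration= greenbow-main-mode
Authentication= mekmitasdigoat
[IPsec-clients]
Phase= 2
Configuration= greenbow-quick-mode
Local-ID= default-route
Remote-ID= dummy-remote
[default-route]
ID-type=IPV4_ADDR_SUBNET
Network=0.0.0.0
Netmask=0.0.0.0
[dummy-remote]
ID-type=IPV4_ADDR
Address=0.0.0.0
[greenbow-main-mode]
DOI=IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= AES-SHA-GRP2
[greenbow-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-SHA-PFS-GR2-SUITE
[AES-SHA-GRP2]
ENCRYPTION_ALGORITHM= AES_CBC
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRE_SHARED
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_1_DAY
"""

# The same file with both fixes from the thread applied: the suite spelled
# GRP2 and the [LIFE_1_DAY] section Kim added in the last message.
FIXED_CONF = THREAD_CONF.replace("GR2-SUITE", "GRP2-SUITE") + """
[LIFE_1_DAY]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600
"""

def check_thread_config():
    return dangling_references(parse_sections(THREAD_CONF))

def check_fixed_config():
    return dangling_references(parse_sections(FIXED_CONF))
```

check_thread_config() returns the two dangling references from the posted file, and check_fixed_config() returns an empty list once both corrections are applied.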
pf w/ squid reroute traffic howto ?
Hi,

I'm facing a problem where I need to reroute requests made by a squid-cache. I already tried to add a route-to statement to my pf.conf:

pass out on ep2 route-to ep0:192.168.110.241 from any to any port 80 flags S/SA keep state

(where ep2 is the "external" interface, ep0 is the internal "if")

but I received a syntax error ... my expectation was that the outgoing traffic to any-ip:port 80 will be caught by the above rule and routed to 192.168.110.241 - which is a second gateway to the "internet" using an el-cheapo-dsl-connection.

Therefore - is it possible to "reroute" traffic at the outgoing (external) interface to destinations at networks reachable only via the internal interface? In any case - where is the mistake in my thought?

Thanks in advance,
Stefan
Re: Non Developers allowed to ask questions ?
On Tue, 18 Oct 2005, STeve Andre' wrote:

SNIP

> You can determine to nearly 100% the support of something by
> looking at the supported hardware pages. I'm guessing you are
> using some i386 machine, and there is a *great deal* of information
> on the cards and devices supported. Looking there has just about
> always told me what I needed to know. Subscribing to the CVS
> change list tells me what new stuff is going into the tree, which
> also helps.

Can I make a suggestion to ANYONE who wants to track OpenBSD development: either do as STeve suggested above, or subscribe to the cvs@ list. The information available via the cvs@ list is invaluable in following what's occurring in OpenBSD development. If you don't want to be inundated by YME (yet more e-mail) do what I do, read the submissions at MARC.

http://marc.theaimsgroup.com/?l=openbsd-cvs&r=1&b=200510&w=2

diana
ospf issues
I've set up a machine using a snapshot of ospfd from last week. Its neighbor router is an Alcatel box. The data interchange between these 2 has never really been totally happy. For instance I'm getting invalid checksum messages relating to packets coming from this machine. Nevertheless, I was able to get this working, and it worked OK for a couple of days.

Last night however I started losing the route to the network intermittently. The Alcatel seems to think that the LS queue is filling up. I'm getting this in /var/log/messages:

Oct 19 07:16:57 phfw1 ospfd[14254]: lsa_del: LSA no longer in table

Which I think is related.

What's really troubling about this is that this router is functioning quite well with its Cisco neighbors. It serves as the router for a whole handful of networks, and so far we have seen no problems with that. But it and the OpenBSD machine are having problems.

Any suggestions as to things I might tweak to make this more robust? Would a tcpdump of the traffic between these 2 be of any use to a developer?

--
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong Terror - New York Times 9/3/1967
"keep state" and PF Queues
Would anyone like to elaborate on the impacts of using "keep state" in conjunction with pass rules that assign traffic to queues?

One might assume that inverted traffic flows would also be queued; however, that would break the "traffic can only be queued egress on an interface" rule...

There should be some remarks on this in pf.conf(5).

TIA,

~BAS
Re: BSD RSS Feeds
Strangely enough, I'm also in the process of constructing a BSD-related RSS feed. You can subscribe to my current efforts at

http://feeds.feedburner.com/bsdfeeds

The feed is presented in publication date order, so items at the top are the freshest.

On 18/10/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Hello!
>
> Am emailing to let you guys know of a small site I have put
> together:
>
> http://metawire.org/~liamfoy/bsdportal/
>
> It contains most BSD related RSS feeds I can find (although I never
> looked hard).
>
> The initial idea behind the site was for all BSD related RSS feeds to be
> able to be seen in one location. I wanted this for in University.
> It saved valuable time which would be otherwise spent by browsing
> each and every site.
>
> If you know of any other BSD related RSS feeds you would wish to
> see, please email me. However, make sure the RSS are of good quality
> and are reliable. All the RSS feeds are grabbed roughly every 3
> hours.
>
> Just thought I'd let you guys know =)
>
> PS. I'd like more OpenBSD Feeds.
>
> Cheers,
> Liam

--
L. vulgaris
Re: Guruness (was the bug report thread)
Heya :)

> well, I don't know about BSD in general, but just try it with
> OpenBSD. If the machine is generally capable of this task
> (has the mem and power to support n sessions in parallel),
> it's just your task as admin to make it happen. The means are
> there. If your users bring down your machine it's most
> probably your own fault.

You may well be right, though I would say that the amount of code changes users would be required to do to make it work would end up in my lap, seeing as there are some things OpenBSD's kernel does not have, or has fairly out of date versions of.

One example I can think of is libpcap - and it seems to be lagging behind more because some folks are upset that the devs there won't accept their commits, than actually fixing the software. Perhaps I will port it .. and see how many people yell at me for that. :)

Resource use in general was the problem - you can't lock them down entirely, because the progs use 99.9 CPU when starting, then settle to 2 or 4.. so using something like lshell, or equiv., doesn't work very well. I use a prog that simply snaps a picture of the proc table every half hour, and kills things that are over their limit for 2 runs. Problem comes into play when a user starts say .. 50 copies of the same thing, because it didn't boot.. They just keep hitting the button .. :( .. Something kernel level has saved the box from dying many times.

-D.
Re: Guruness (was the bug report thread)
> * Wolfpaw - Dale Corse <[EMAIL PROTECTED]> [2005-10-19 05:13]:
> > you, BSD does not stand up to it .. Now I admit - it was years ago,
> > and it was FreeBSD that we tried
>
> yeah yeah, and we all know that OpenBSD is just ErsatzFreiBSD with
> another name on it, right?
> sheesh.

Correct me if I am wrong, but it's still a monolithic kernel, based on the same thing as the other BSDs .. Hence the BSD in the name, is it not?

And since it is specifically the kernel that presents the problem, I felt the comment was somewhat relevant. Please don't turn it into a 'Holy War' comment.. It wasn't. See my other (recent) post for a specific reason justifying it.

> > > http://openbsd.rt.fm/query-pr.html
> > Nice :) See.. This is what I'm talking about - perhaps it should be
> > linked off the main site too? (Or is it, and I can't read?)
> > Where is the submission system?
>
> my name shall be melinda if report.html, which you apparently STILL
> didn't read (I miss words for that level of ignorance.
> really.) doesn't
> mention sendbug.

Yes, it does. Can you please explain, seeing my apparent level of ignorance, how it is that someone not seeing something at 1AM, or perhaps not reading and archiving in one's mind, by means of memorization, OpenBSD's entire set of documentation .. makes a person ignorant? Ignorant of certain things perhaps, but you would think by half the folks here, that failing to remember any single line of docs makes someone equal with the IQ level of a dead rat. It's fairly silly really. The topic being discussed there was a web based GUI.

Well I have had some interesting feedback privately on this email - some of which argues (likely correctly, I would have to now agree) that sendbug is a better option due to not getting second party information. So no, I don't find the comment ignorant, considering sendbug is a unix command line utility, and a web gui was the subject of the discussion.

You guys need to work on your hostility level - the email in question was simply a subject for discussion. You get too worked up about the little things ;) I admitted I was wrong about the bug report - I didn't read the screen, is that not enough for you?

By the way.. Are you aware that OpenOSPFd under about 5-7MB of load consumes the majority of the CPU and drops a whole lot of bug logs? I'm scared to submit a bug report here, but if you want me to send you the info, I can try to dig it up :)

-D.
Re: Guruness (was the bug report thread)
On Wed, 19 Oct 2005, Wolfpaw - Dale Corse wrote:

> Heya :)
>
> > well, I don't know about BSD in general, but just try it with
> > OpenBSD. If the machine is generally capable of this task
> > (has the mem and power to support n sessions in parallel),
> > it's just your task as admin to make it happen. The means are
> > there. If your users bring down your machine it's most
> > probably your own fault.
>
> You may well be right, though I would say that the amount of
> code changes users would be required to do, to make it work
> would end up in my lap, seeing as there are some things OpenBSD's
> kernel does not have, or has fairly out of date versions of
>
> One example I can think of is libpcap - and it seems to be
> lagging behind more because some folks are upset that the devs
> there won't accept their commits, than actually fixing the software.

Either submit complete bug reports or diffs, but stop whining.

> Perhaps I will port it .. And see how many people yell at me for
> that. :)

We have good reasons not to blindly follow changes in libpcap.

> Resource use in general was the problem - you can't lock them down
> entirely, because the progs use 99.9 CPU when starting, then settle
> to 2 or 4.. So using something like lshell, or equiv. doesn't work
> very well. I use a prog that simply snaps a picture of the proc
> table every half hour, and kills things that are over their limit
> for 2 runs. Problem comes into play when a user starts say .. 50
> copies of the same thing, because it didn't boot.. They just keep
> hitting the button .. :( .. Something kernel level has saved the
> box from dying many times.

I don't know lshell, but did you try the standard resource limit facilities that can be set up using login.conf?

Again, submit complete bug reports and please stop talking vaguely. If you find something is wrong, supply us with hard facts, so we have some clue what your problem is.

-Otto
Re: Guruness (was the bug report thread)
> > You may well be right, though I would say that the amount of code
> > changes users would be required to do, to make it work would end up in
> > my lap, seeing as there are some things OpenBSD's kernel does not
> > have, or has fairly out of date versions of
> >
> > One example I can think of is libpcap - and it seems to be lagging
> > behind more because some folks are upset that the devs there won't
> > accept their commits, than actually fixing the software.
>
> Either submit complete bug reports or diffs, but stop whining.

I wasn't whining - again - how the hell is justifying what I said whining?

> > Perhaps I will port it .. And see how many people yell at me for that.
> > :)
>
> We have good reasons not to blindly follow changes in libpcap.

From what I understand they are security related reasons.. Would anyone care to expand a bit on that, so that I may know what to look for when doing so?

> > Resource use in general was the problem - you can't lock them down
> > entirely, because the progs use 99.9 CPU when starting, then settle to
> > 2 or 4.. So using something like lshell, or equiv. doesn't work very
> > well. I use a prog that simply snaps a picture of the proc table every
> > half hour, and kills things that are over their limit for 2 runs.
> > Problem comes into play when a user starts say .. 50 copies of the
> > same thing, because it didn't boot.. They just keep hitting the button
> > .. :( .. Something kernel level has saved the box from dying many
> > times.
>
> I don't know lshell, but did you try the standard resource
> limit facilities that can be set up using login.conf?

Sometimes that works, but again it's a hard limit - then we get users bitching about it being 'slow' when they compile. Thank you for the suggestion though :) I remember on 'the other bsd' we tried - the box actually just couldn't take the abuse it seemed, and kept crashing..

Plus you mix the code differences in software which was written mostly on linux, with BSD, and you get a bunch of changes required to each one. Gets heavy on the support queue :)

> Again, submit complete bug reports and please stop talking
> vague. If you find something is wrong supply us with hard
> facts, so we have some clue what your problem is.

I have taken that point - and apologized for not doing so - I would appreciate it if the hostility would dissipate - as stated, this email here was simply for discussion.

-D.
Re: Guruness (was the bug report thread)
On Wed, 19 Oct 2005, Wolfpaw - Dale Corse wrote:

> > > You may well be right, though I would say that the amount of code
> > > changes users would be required to do, to make it work would end up in
> > > my lap, seeing as there are some things OpenBSD's kernel does not
> > > have, or has fairly out of date versions of
> > >
> > > One example I can think of is libpcap - and it seems to be lagging
> > > behind more because some folks are upset that the devs there won't
> > > accept their commits, than actually fixing the software.
> >
> > Either submit complete bug reports or diffs, but stop whining.
>
> I wasn't whining - again - how the hell is justifying what I said
> whining?

You are saying our libpcap is buggy, but you fail to justify that claim.

> > > Perhaps I will port it .. And see how many people yell at me for that.
> > > :)
> >
> > We have good reasons not to blindly follow changes in libpcap.
>
> From what I understand they are security related reasons.. Would anyone
> care to expand a bit on that, so that I may know what to look for
> when doing so?

This sums it up:

http://archives.neohapsis.com/archives/openbsd/2004-04/0971.html

-Otto
Re: Guruness (was the bug report thread)
* Wolfpaw - Dale Corse <[EMAIL PROTECTED]> [2005-10-19 17:28]:
> > * Wolfpaw - Dale Corse <[EMAIL PROTECTED]> [2005-10-19 05:13]:
> > > you, BSD does not stand up to it .. Now I admit - it was years ago,
> > > and it was FreeBSD that we tried
> >
> > yeah yeah, and we all know that OpenBSD is just ErsatzFreiBSD with
> > another name on it, right?
> > sheesh.
>
> Correct me if I am wrong, but it's still a monolithic kernel, based on
> the same thing as the other BSDs .. Hence the BSD in the name, is it
> not?
>
> And since it is specifically the kernel that presents the problem, I
> felt the comment was somewhat relevant. Please don't turn it into a
> 'Holy War' comment.. It wasn't. See my other (recent) post for a
> specific reason justifying it.

of course 10 years of distinct development make no difference, no, how could they?

> > > > http://openbsd.rt.fm/query-pr.html
> > > Nice :) See.. This is what I'm talking about - perhaps it should be
> > > linked off the main site too? (Or is it, and I can't read?)
> > > Where is the submission system?
> >
> > my name shall be melinda if report.html, which you apparently STILL
> > didn't read (I miss words for that level of ignorance.
> > really.) doesn't
> > mention sendbug.
>
> Yes, it does. Can you please explain, seeing my apparent level of
> ignorance, how it is that someone not seeing something at 1AM, or
> perhaps not reading and archiving in one's mind, by means of memorization,
> OpenBSD's entire set of documentation .. makes a person ignorant? Ignorant
> of certain things perhaps, but you would think by half the folks here,
> that failing to remember any single line of docs makes someone equal
> with the IQ level of a dead rat. It's fairly silly really.

the proper way to deal with that then is to go to bed, catch some sleep and file a proper report the next day. expecting us to wade through insufficient reports that do not even contain the most basic information is extremely rude.
Re: ospf issues
On Wed, Oct 19, 2005 at 09:41:22AM -0400, stan wrote:
> I've set up a machine using a snapshot of ospfd from last week. Its
> neighbor router is an Alcatel box.
>

OK that explains a few things.

> The data interchange between these 2 has never really been totally happy.
> For instance I'm getting invalid checksum messages relating to packets
> coming from this machine. Nevertheless, I was able to get this working, and
> it worked OK for a couple of days.
>
> Last night however I started losing the route to the network
> intermittently. The Alcatel seems to think that the LS queue is filling up. I'm
> getting this in /var/log/messages:
>

What do you mean by "the LS queue is filling up"? Do you have logs from the alcatel thingy?

> Oct 19 07:16:57 phfw1 ospfd[14254]: lsa_del: LSA no longer in table
>
> Which I think is related.
>

Could be. At least that error should normally not happen.

> What's really troubling about this, is that this router is functioning quite
> well with its Cisco neighbors. It serves as the router for a whole handful
> of networks, and so far we have seen no problems with that. But it and the
> OpenBSD machine are having problems.
>

The difference between ospfd and a cisco box is almost 13 years more time to find all those bugs in other implementations of OSPF. The hard thing about OSPF is not implementing the RFC, it's adding all the workarounds for broken implementations out there.

> Any suggestions as to things I might tweak to make this more robust?
>

Sorry, there is no magic knob that will make it behave.

> Would a tcpdump of the traffic between these 2 be of any use to a
> developer?
>

Yes please. Don't forget to set the snaplen to your MTU. Additionally add the ospfd -dvv output to the dump. You can send me the stuff privately.

--
:wq Claudio
Re: Guruness (was the bug report thread)
> > I wasn't whining - again - how the hell is justifying what I said
> > whining?
>
> You are saying our libpcap is buggy, but you fail to justify
> that claim.

No I didn't, I said it was out of date. You want me to justify it? Here.

Making all in .
/bin/sh ./libtool --mode=link gcc -g -DIPV4_ONLY -O2 -pipe -g -DIPV4_ONLY -O2 -pipe -o nprobe nprobe-nprobe.o libnprobe.la -lresolv -lc -lpthread -lz -lpcap
gcc -g -DIPV4_ONLY -O2 -pipe -g -DIPV4_ONLY -O2 -pipe -o .libs/nprobe nprobe-nprobe.o -L./.libs -lnprobe -lresolv -lpthread -lz -lpcap -Wl,-rpath,/usr/local/lib
nprobe-nprobe.o(.text+0x153d): In function `usage':
/root/nProbe/nprobe.c:921: warning: strcpy() is almost always misused, please use strlcpy()
nprobe-nprobe.o(.text+0xa0f): In function `processPacket':
/root/nProbe/nprobe.c:449: warning: sprintf() is often misused, please use snprintf()
nprobe-nprobe.o(.text+0x4ac8): In function `fetchPackets':
/root/nProbe/nprobe.c:2874: undefined reference to `pcap_next_ex'
nprobe-nprobe.o(.text+0x4c27):/root/nProbe/nprobe.c:2886: undefined reference to `pcap_next_ex'
nprobe-nprobe.o(.text+0x4c96):/root/nProbe/nprobe.c:2901: undefined reference to `pcap_next_ex'
collect2: ld returned 1 exit status
*** Error code 1

You should know it's out of date, it's a fairly well known fact apparently. Please stop accusing me of being a dumbass, when you argue a point without knowing the details of it.

> > > > Perhaps I will port it .. And see how many people yell at me for that.
> > > > :)
> > >
> > > We have good reasons not to blindly follow changes in libpcap.
> >
> > From what I understand they are security related reasons.. Would
> > anyone care to expand a bit on that, so that I may know what to
> > look for when doing so?
>
> This sums it up:
>
> http://archives.neohapsis.com/archives/openbsd/2004-04/0971.html

So.. In his opinion, which wasn't really well justified - the code is full of stuff that makes it compatible, and they add things that, in his opinion, don't belong there? How is that a security issue? It's an opinion.

So really, bugs in the code aside.. which are in all code.. There is nothing 'wrong' with it, it's just fine to be ported, assuming someone wants to take on the (potentially) massive amount of work to fix the bugs all the time.

-D.
FW: Guruness (was the bug report thread)
> -----Original Message-----
> From: Wolfpaw - Dale Corse [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 19, 2005 9:58 AM
> To: 'Henning Brauer'
> Subject: RE: Guruness (was the bug report thread)
>
> > > Correct me if I am wrong, but it's still a monolithic kernel, based on
> > > the same thing as the other BSDs .. Hence the BSD in the name, is it
> > > not?
> > >
> > > And since it is specifically the kernel that presents the problem, I
> > > felt the comment was somewhat relevant. Please don't turn it into a
> > > 'Holy War' comment.. It wasn't. See my other (recent) post for a
> > > specific reason justifying it.
> >
> > your comment is as relevant as this year's chinese rice quality.
> > start to use your brain, dammit. 10 years of separate development make
> > no difference, no, how could it?
>
> Of course it makes a bloody difference. How could it not - Jesus man,
> look at this? Do you not see a problem with every single line someone
> says being ripped apart, with fairly stupid motivations at that. You're
> most interested in touting that OpenBSD is different - can we stop
> stating what is freaking obvious, and go with the - ok .. It's a general
> comment, not an insult.. And perhaps there are valid reasons for it?
>
> They are still based around the same thing - very different in the end,
> but it was a general comment.
>
> > > > > > http://openbsd.rt.fm/query-pr.html
> > > > > Nice :) See.. This is what I'm talking about - perhaps it should be
> > > > > linked off the main site too? (Or is it, and I can't read?)
> > > > > Where is the submission system?
> > > >
> > > > my name shall be melinda if report.html, which you apparently STILL
> > > > didn't read (I miss words for that level of ignorance.
> > > > really.) doesn't
> > > > mention sendbug.
> > >
> > > Yes, it does. Can you please explain, seeing my apparent level of
> > > ignorance, how it is that someone not seeing something at 1AM, or
> > > perhaps not reading and archiving in one's mind, by means of
> > > memorization, OpenBSD's entire set of documentation .. makes a person
> > > ignorant? Ignorant of certain things perhaps, but you would think by
> > > half the folks here, that failing to remember any single line of docs
> > > makes someone equal with the IQ level of a dead rat. It's fairly silly
> > > really.
> >
> > the proper way to deal with that is to go to bed then and file a proper
> > report the next day instead of expecting developers to waste their time
> > on unusable reports. that is extremely rude.
>
> Yes, I've already admitted that. Keep bringing it up though, it really
> helps.
>
> > > By the way.. Are you aware that OpenOSPFd under about 5-7MB of load
> > > consumes the majority of the CPU and drops a whole lot of bug logs?
> > > I'm scared to submit a bug report here, but if you want me to send you
> > > the info, I can try to dig it up :)
> >
> > if you get it in a usable form, sendbug it...
> > the devs in question would be claudio and norby, but I doubt they are
> > willing to deal with reports not having the required information, so
> > the guidelines still count. sendbug is best in any case.
>
> Ok - I just wanted to be sure sendbug was the proper place, as not to get
> this bullshit all over again.
>
> -D.
Re: Non Developers allowed to ask questions ?
On Wed, 19 Oct 2005 14:06:11 +0100 "Constantine A. Murenin" <[EMAIL PROTECTED]> wrote: > On 19/10/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > > There is a legitimate use for top posting. > > Deletion and/or answer of message in 10 to 15 seconds or less. > > Nonsense. Just because your MS Outlook does not support or is not > configured to support bottom-posting, doesn't mean that you should > find some invalid excuses for top-posting. With a sig like mine I coudln't resist a resounding "me too" on this one;-) My sig concisely demonstrates in a nutshell why top posting is problematic, if not an all out pita. Before johnny-come-lately M$ decided to jump on the interenet bandwagon w/ their lame software top posting was completely unheard of. I've been using Unix since '81 so I think I can say this w/some certainty. Top posting is just a lame excuse offered by lame software developers who wrote a lame mua w/o bothering to read any rfc's, research conventions, etc. prior to doing so. A point obvious to those who cut their teeth on *nix rather than M$. -- Best regards, Ken Gunderson Q: Because it reverses the logical flow of conversation. A: Why is putting a reply at the top of the message frowned upon?
Re: em(4) problems with -current
The Intel IPMI on the motherboard may be to blame. It's always up/on and listening.

Also, see my thread in freebsd-questions@ about Dells with Intel em(4) and Dell PowerEdge switches w/ NIC Teaming, 802.3ad, ng_many2_one, etc.

For example, traffic sent from the IPMI IP/MAC of the interface is visible from the OS via tcpdump(8), which is kind of spooky.

~BAS

On Tue, 18 Oct 2005, Jon Hart wrote:

I've got a snapshot from October 6, 2005 running on a Dell PE 1850. Nothing overly special. 3.2Ghz Xeon, 2G RAM, dual onboard Intel PRO/1000MT, Intel PRO/1000QP in the 64-bit/133mhz PCI-X slot, and a 36G U320/15K RPM SCSI disk. dmesg at the end of the email.

The most relevant bits from the dmesg are as follows:

em0 at pci3 dev 4 function 0 "Intel PRO/1000MT QP (82546EB)" rev 0x01:
em1 at pci3 dev 4 function 1 "Intel PRO/1000MT QP (82546EB)" rev 0x01:
em2 at pci3 dev 6 function 0 "Intel PRO/1000MT QP (82546EB)" rev 0x01:
em3 at pci3 dev 6 function 1 "Intel PRO/1000MT QP (82546EB)" rev 0x01:
em4 at pci7 dev 7 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05:
em5 at pci8 dev 8 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05:

On em4 and em5, if I 'ifconfig em4 down' the interface looks like it is down to the OS -- tcpdump shows no packets coming in or going out. As expected. However, the link light is still on and any device connected to em4 (a SMC switch, in this case), sees the interface as UP. I have not done the same test with em0-3 (different chipset. see above), but I suspect I'll see the same problem.

I'll be downloading a snapshot overnight while I sleep in hopes that the changes checked in on Oct 7 and beyond from FreeBSD's em driver help, but I was curious if anyone else has seen or can explain this behavior of the em driver or others for that matter. In attempting to debug this, I was told that the xl driver seems to work as expected. 'ifconfig xl0 down' drops the link.

Any input would be much appreciated. Thanks!
-jon
Wolfpaw - Dale Corse
People -- just ignore him. He may use OpenBSD, but if he can't stop himself from being a belligerent fool, not submitting the right reports, why bother wasting everyone's time by chit-chatting and arguing with him? Do what the developers do -- delete his mail and don't respond.
RE: Re: Non Developers allowed to ask questions ?
On Wed, 19 Oct 2005 14:06:11 [EMAIL PROTECTED] wrote:

> On 19/10/05, [EMAIL PROTECTED]
> <[EMAIL PROTECTED]> wrote:
> > There is a legitimate use for top posting.
> > Deletion and/or answer of message in 10 to 15
> > seconds or less.
>
> Nonsense. Just because your MS Outlook does not
> support or is not
> configured to support bottom-posting, doesn't mean
> that you should
> find some invalid excuses for top-posting.
>
> Cheers,
> Constantine.

Since I am replying to your reply, I think I maybe stand corrected. This is lame enough sitting here. It does not work as a top post. Microsoft makes it easy. Easy to do it stupid, I'm beginning to think.
Re: Wolfpaw - Dale Corse
Thank you - for making my point. It's good for people to be that way to someone asking a question, but not ok when someone returns the favor. Now I am done being an asshole - but for the record, this was the point intending to be proven. Nice that some of you can give it out, but you can't take it back.

Back in the NetBSD days, you had this very problem yourself Theo.. You responded to one person that pissed you off, and look at all the public shit you endured. You should know how it feels, eh? Hypocrites.

To those of you who were not rude - sorry about the spam, and I thank you for that. Most people hate me now .. So what - maybe the point will sink in somewhere and stop some poor newbie from getting a bunch of shit they don't deserve.

-D.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Theo de Raadt
> Sent: Wednesday, October 19, 2005 10:37 AM
> To: [EMAIL PROTECTED]
> Subject: Wolfpaw - Dale Corse
>
>
> People -- just ignore him.
> He may use OpenBSD, but if he can't stop himself from being a
> belligerent fool, not submitting the right reports, why bother
> wasting everyone's time by chit-chatting and arguing with
> him? Do what the developers do -- delete his mail and don't respond.
Re: em(4) problems with -current
On Wed, Oct 19, 2005 at 12:10:35PM -0400, Brian A. Seklecki wrote:
>
> The Intel IPMI on the motherboard may be to blame. It's always up/on and
> listening.
>
> Also, see my thread in freebsd-questions@ about Dells with Intel em(4) and
> Dell PowerEdge switches w/ NIC Teaming, 802.3ad, ng_many2_one, etc.
>
> For example, traffic sent from the IPMI IP/MAC of the interface is visible
> from the OS via tcpdump(8), which is kind of spooky.

This was something I had thought of and I believe I disabled all traces of it. Console redirection, BMC/IPMI, etc, all disabled. Perhaps "disabled" simply means "don't accept connections to IPMI but keep the link up".

I'll double check this today and verify. Will the IPMI on the motherboard only work with the onboard ethernet controllers, or will it get its grubby little hands on any/all controllers it finds? If it only works with the onboard, then maybe switching to the PCI card ports will be a sufficient workaround.

Thanks!

-jon
Re: Wolfpaw - Dale Corse
On 10/19/05, Wolfpaw - Dale Corse <[EMAIL PROTECTED]> wrote:
>
> To those of you who were not rude - sorry about the spam,
> and I thank you for that. Most people hate me now .. So
> what - maybe the point will sink in somewhere and stop
> some poor newbie from getting a bunch of shit they don't
> deserve.

Clearly nothing sunk in for you. Especially the fact that you have no point.

Greg
Re: "keep state" and PF Queues
The PF queueing FAQ page at http://www.openbsd.org has a wealth of info that seems to nicely clarify the pf.conf man page. I recall that the FAQ contains an example much as you describe (as I recall, specifying a queue for -incoming- traffic will indeed cause that traffic to be processed through the named queue as it is -outgoing-).

Bill

Brian A. Seklecki wrote:
> Would anyone like to elaborate on the impacts of using "keep state" in
> conjunction with pass rules that assign traffic to queues?
>
> One might assume that inverted traffic flows would also be queued,
> however that would break the "traffic can only be queued egress an
> interface" rule...
>
> There should be some remarks on this in pf.conf(5)
>
> TIA,
>
> ~BAS
>

--
William Bloom | Snr Systems Engineer | M P H A S I S
Architecting Value | Eldorado Computing
5353 North 16th Street, Suite 400 Phoenix, Az 85016 | Direct: +11-602-604-3100 | Fax: +11-602-604-3115 | http://www.eldocomp.com
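The mechanism Bill recalls, as an added pf.conf example written for this thread (it is not from the FAQ or from either poster): the queue named on a stateful rule is stored in the state, and it takes effect on whichever packets of that state leave through the interface where the queue is declared. The interface names, the LAN prefix and the bandwidth figures are assumed values, and the syntax is the pre-4.1 form in which "keep state" is still written out.

```pf
# Added example, not from the original thread. fxp0, fxp1, the LAN prefix
# and the bandwidth figures are assumed values.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.168.1.0/24"

# ALTQ queues are declared per interface and only act on packets LEAVING
# that interface. Queue names are global, so a rule on any interface may
# name them; the assignment bites when a packet egresses the declaring one.
altq on $ext_if cbq bandwidth 2Mb queue { std_ext, ssh_ext }
    queue std_ext bandwidth 80% cbq(default)
    queue ssh_ext bandwidth 20% priority 4

altq on $int_if cbq bandwidth 10Mb queue { std_int, ssh_int }
    queue std_int bandwidth 80% cbq(default)
    queue ssh_int bandwidth 20% priority 4

# Case 1: the queue is named on an INBOUND rule of the other interface.
# LAN traffic enters on $int_if; the queue name is recorded in the state,
# so the same packets are placed in std_ext/ssh_ext when they are forwarded
# out $ext_if. Nothing is queued on $int_if by these rules.
# (Last matching rule wins, so the generic rule comes first.)
pass in on $int_if from $lan to any keep state queue std_ext
pass in on $int_if proto tcp from $lan to any port 22 flags S/SA \
    keep state queue ssh_ext

# Case 2: the queue is named on an inbound rule of the SAME interface.
# Inbound SSH from outside creates a state tagged ssh_ext; the packets of
# that state travelling in the other direction (the replies leaving
# $ext_if) are the ones that actually land in the ssh_ext queue.
pass in on $ext_if proto tcp from any to $lan port 22 flags S/SA \
    keep state queue ssh_ext

# Packets of either state that leave on an interface where the named queue
# is not declared (here: anything forwarded out $int_if) fall into that
# interface's cbq(default) queue, std_int.
```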
Re: em(4) problems with -current
> I'll double check this today and verify. Will the IPMI on the motherboard only work with the onboard ethernet controllers, or will it get its grubby little hands on any/all controllers it finds? If it only works with the onboard, then maybe switching to the PCI card ports will be a sufficient workaround.

The IPMI configuration screen gives you the option of configuring which interface to bind to, at least on some models, and on others it defaults to the first onboard.

Like I said, you can use tcpdump(8) with an "address" or "host" syntax of the IPv4 of the IPMI address. Try enabling it and pinging it, watch for the ICMP to/from the IPMI host, which will strangely and bizarrely appear to be on the same ethernet segment as the interface visible to the OS. It's like having an IP alias configured that you can't see >:}}}

I like to VLAN tag my IPMI stuff.

God hates the BOFH.

~BAS
track release cycle by number of whiny posts to misc@
I just had a major AhHa moment while I was deleting whiny posts from [EMAIL PROTECTED] The number of whiny posts increases dramatically right before, during and shortly after the release of a new version. Perhaps I should post a URL for a plot of whiny posts vs. worthwhile posts over time. Shrug, probably not. diana
Re: track release cycle by number of whiny posts to misc@
On Wed, Oct 19, 2005 at 12:04:33PM -0600, Diana Eichert wrote:
> I just had a major AhHa moment while I was deleting whiny posts from [EMAIL PROTECTED] The number of whiny posts increases dramatically right before, during and shortly after the release of a new version.
>
> Perhaps I should post a URL for a plot of whiny posts vs. worthwhile posts over time.

I think you should. Do posts whining about the crummy CD cases count, or are you counting only software related posts? (You can kick them, so they are hardware. :-)
Re: track release cycle by number of whiny posts to misc@
Quoting Diana Eichert <[EMAIL PROTECTED]>:
> Perhaps I should post a URL for a plot of whiny posts vs. worthwhile posts over time.

A Signal to Noise Ratio of sorts? We could measure it in decitrolls!
Re: track release cycle by number of whiny posts to misc@
From: Emilio Perea [mailto:[EMAIL PROTECTED]
> On Wed, Oct 19, 2005 at 12:04:33PM -0600, Diana Eichert wrote:
> > I just had a major AhHa moment while I was deleting whiny posts from [EMAIL PROTECTED] The number of whiny posts increases dramatically right before, during and shortly after the release of a new version.
> >
> > Perhaps I should post a URL for a plot of whiny posts vs. worthwhile posts over time.
>
> I think you should. Do posts whining about the crummy CD cases count, or are you counting only software related posts? (You can kick them, so they are hardware. :-)

Yes, and don't forget the whiny posts about tee shirts too.

"The cotton fibers are .02 microns too thin for my taste, and the package they came in had a scuff, and my right arm is a little bit longer than my left and the tee shirt makes me look fat."

DS
Re: OpenBSD's 10th birthday
Stephan A. Rickauer wrote:
> On Tue, Oct 18, 2005 at 03:00:12AM -0600, Theo de Raadt wrote:
> > Now it is really OpenBSD's 10th birthday ;)
>
> Happy birthday from Switzerland! And many thanks to all active developers and everyone who participates in Free Software!

Greetings from Bosnia... Great work people... TheBestOS comes 10... I hope we all will see it for many more years...

--
Ernedin Zajko
University in Sarajevo, Faculty of Electrical Engineering
System / Network Administrator
[EMAIL PROTECTED]
Tel: +387 33 250 763
Mob: +387 61 267 559
quote about LIFE, SOURCE and FREEDOM
RE: Re: Non Developers allowed to ask questions ?
On Wed, 19 Oct 2005 10:07:47 [EMAIL PROTECTED]
> On Wed, 19 Oct 2005 14:06:11 +0100 "Constantine A. Murenin" <[EMAIL PROTECTED]> wrote:
>
> > On 19/10/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > There is a legitimate use for top posting.
> > > Deletion and/or answer of message in 10 to 15 seconds or less.
> >
> > Nonsense. Just because your MS Outlook does not support or is not configured to support bottom-posting, doesn't mean that you should find some invalid excuses for top-posting.
>
> With a sig like mine I couldn't resist a resounding "me too" on this one;-) My sig concisely demonstrates in a nutshell why top posting is problematic, if not an all out pita.
>
> Before johnny-come-lately M$ decided to jump on the internet bandwagon w/ their lame software top posting was completely unheard of. I've been using Unix since '81 so I think I can say this w/some certainty. Top posting is just a lame excuse offered by lame software developers who wrote a lame mua w/o bothering to read any rfc's, research conventions, etc. prior to doing so. A point obvious to those who cut their teeth on *nix rather than M$.
>
> --
> Best regards,
>
> Ken Gunderson
>
> Q: Because it reverses the logical flow of conversation.
> A: Why is putting a reply at the top of the message frowned upon?

Ok, OK. This would not work in top posting. And the complexity of this is essentially trivial. Microsoft is good for someone with no knowledge or skill throwing something into Word or Outlook and having something come out looking quite presentable. But woe to anyone who actually cares critically what it looks like.

> Yep. If you're stuck on an M$ platform for whatever reason

Yep. The question is when and how to jump. Maybe why. To what "should" matter, but I suspect that how you go about it, and the expectations probably matter more. Nasty question.

Which works better (or worse depending on your viewpoint), thinking Linux and using OpenBSD, or thinking OpenBSD and using Linux?

[rant]
Security should be a reason, but I cannot put security mattering in the same universe as five cent compromised computers. My impression of NT4 was that it was unsecurable, so I didn't. My impression of XP is that it is guaranteed insecure.

My users do NOT "click on everything". Analogies to babies putting everything into their mouths probably have something to do with it. Hiding stuff from users seems like a fatally bad idea. Hiding error messages from users is maybe not a good idea either. Just because the dumb computer thinks it has a problem does NOT mean that the intelligent user has a problem. Everything I've seen indicates that intelligent user/dumb computer is the way to play it. More so as the computers get bigger, faster, more complicated. Intelligent computer has the fatal flaw that the computer does not know what the computer does not know. A bit like the flat-earth society where the edge is not visible from the inside.
[/rant]

With a wee bit of editing, bottom posting is quite workable. (I've got too much work related where top posting (like Done.) is necessary.) For this list, it is emphatically worth the trouble. As simple and straight-forward as this is, I defy anyone to translate it intelligently into top-posting. Top posting is designed to terminate conversations. Bottom posting encourages continuing and exploring various alternatives. If I were actually talking about something relevant, bottom posting gives many places to attach something. Since I am not distracting with relevant stuff, we can play with the structure of the beasties themselves.

FWIW. I LIKE this list. I like the way you all think. Not nearly as concise as your sig ;)
Re: track release cycle by number of whiny posts to misc@
On Wed, 19 Oct 2005, Spruell, Darren-Perot wrote: "The cotton fibers are .02 microns too thin for my taste, and the package they came in had a scuff, and my right arm is a little bit longer than my left and the tee shirt makes me look fat." Worst. Shirt. Ever. "Rest assured I was on the internet within minutes registering my disgust throughout the world." (For those that don't get it, look up "Comic Book Guy" +Simpsons on Google.) -- Signing off, Joseph C. Bender <[EMAIL PROTECTED]> "Does the government fear us? Or do we fear the government? When the people fear the government, tyranny has found victory. The federal government is our servant, not our master." ---Thomas Jefferson
Re: Guruness (was the bug report thread)
On 10/19/05, Wolfpaw - Dale Corse <[EMAIL PROTECTED]> wrote:
> Try something for me - toss 40 novice programmers on a machine, and let them hammer away at it. In this one, I think I have you beat, running a shell provider for muds, for almost 10 years - I can tell you, BSD does not stand up to it ..

well, I don't know about BSD in general, but just try it with OpenBSD. If the machine is generally capable of this task (has the mem and power to support n sessions in parallel), it's just your task as admin to make it happen. The means are there. If your users bring down your machine it's most probably your own fault.

--knitti
Re: track release cycle by number of whiny posts to misc@
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Spruell, Darren-Perot
> Sent: Wednesday, October 19, 2005 2:26 PM
> To: misc@openbsd.org
> Subject: Re: track release cycle by number of whiny posts to misc@
>
> From: Emilio Perea [mailto:[EMAIL PROTECTED]
> > On Wed, Oct 19, 2005 at 12:04:33PM -0600, Diana Eichert wrote:
> > > I just had a major AhHa moment while I was deleting whiny posts from [EMAIL PROTECTED] The number of whiny posts increases dramatically right before, during and shortly after the release of a new version.
> > >
> > > Perhaps I should post a URL for a plot of whiny posts vs. worthwhile posts over time.
> >
> > I think you should. Do posts whining about the crummy CD cases count, or are you counting only software related posts? (You can kick them, so they are hardware. :-)
>
> Yes, and don't forget the whiny posts about tee shirts too.
>
> "The cotton fibers are .02 microns too thin for my taste, and the package they came in had a scuff, and my right arm is a little bit longer than my left and the tee shirt makes me look fat."
>
> DS

And the people complaining about other's whining. And then Theo telling everyone to stop filling his mailbox with troll food.
Re: Guruness (was the bug report thread)
On Wed, Oct 19, 2005 at 11:26:46AM +0200, Henning Brauer wrote: > my name shall be melinda if report.html, which you apparently STILL > didn't read (I miss words for that level of ignorance. really.) doesn't > mention sendbug. Please, could someone apply the patch below? Quick! (SCNR) Kili --- report.html.origFri Jun 10 02:15:30 2005 +++ report.html Wed Oct 19 20:56:19 2005 @@ -30,12 +30,6 @@ OpenBSD versions. -If nothing looks like it addresses your problem, then please become acquainted -with -http://www.openbsd.org/cgi-bin/man.cgi?query=sendbug&sektion=1&format=html";> -sendbug(1) -before submitting a bug report. - Read further down for the types of bug reports desired. Current version problem reports @@ -146,10 +140,7 @@ Sending in bug reports -If possible, use the http://www.openbsd.org/cgi-bin/man.cgi?query=sendbug&sektion=1&format=html";>sendbug(1) command to get the bug into our tracking system. -You can follow the tracking system at this web page. -Sendbug requires that your system can properly send Internet email. If you -cannot use sendbug on a functional OpenBSD machine, please send your bug report +Please send your bug report to mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]. Perhaps what you are sending in is a feature request, not necessarily a bug.
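Review bot: both hunks delete every mention of sendbug(1) from report.html, and the second also drops the link to the bug tracking page and the caveat that sendbug needs working Internet email, leaving only "Please send your bug report to" the mailing address; since the message this replies to argues that report.html already documents sendbug, the patch inverts the page rather than fixing anything, so the suggestion is to leave both passages in place (the hunk headers -30,12 +30,6 and -146,10 +140,7 are consistent with the six deleted and four-deleted/one-added lines shown, so the patch is at least well-formed).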
pf : know the traffic amount per IP
Greetings,

I have this situation. My ISP limits the amount of traffic each user can use per month. I need to log the amount of traffic each IP generates in my LAN. Can I do this with PF?

tks in advance,
cheers
Re: Non Developers allowed to ask questions ?
On Wed, Oct 19, 2005 at 10:07:47AM -0600, Ken Gunderson wrote:
> On Wed, 19 Oct 2005 14:06:11 +0100 "Constantine A. Murenin" <[EMAIL PROTECTED]> wrote:
> > On 19/10/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > There is a legitimate use for top posting.
> > > Deletion and/or answer of message in 10 to 15 seconds or less.
> >
> > Nonsense. Just because your MS Outlook does not support or is not configured to support bottom-posting, doesn't mean that you should find some invalid excuses for top-posting.
>
> With a sig like mine I couldn't resist a resounding "me too" on this one;-) My sig concisely demonstrates in a nutshell why top posting is problematic, if not an all out pita.

FWIW, there's a little program called QuoteFix that will make Outlook quote the email you're replying to and put the cursor and sig underneath. Works for me when I'm at work.

bc

--
Benjamin Collins <[EMAIL PROTECTED]>
'Broadly speaking, the short words are the best, and the old words best of all.' --- Sir Winston Churchill
Re: Guruness (was the bug report thread)
On Tue, Oct 18, 2005 at 10:14:19PM -0600, Wolfpaw - Dale Corse wrote:
> > On Tue, Oct 18, 2005 at 09:14:09PM -0600, Wolfpaw - Dale Corse wrote:
> > > Can you please enlighten me as to how this is a web based system? It looks to me like a page that says.. Use the UNIX command. This is not what I was suggesting.
> >
> > http://openbsd.rt.fm/query-pr.html
>
> Nice :) See.. This is what I'm talking about - perhaps it should be linked off the main site too? (Or is it, and I can't read?)

Apparently not. See main page, left column, link text "Bug Tracking".

> Where is the submission system (web based)?
> -D

man sendbug(1). Browser!=web.

bc

--
Benjamin Collins <[EMAIL PROTECTED]>
'Broadly speaking, the short words are the best, and the old words best of all.' --- Sir Winston Churchill
Re: Limiting Shell Access Damage (was Guruness)
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knitti
> Sent: Wednesday, October 19, 2005 5:23 AM
> To: Wolfpaw - Dale Corse
> Cc: misc@openbsd.org
> Subject: Re: Guruness (was the bug report thread)
>
> On 10/19/05, Wolfpaw - Dale Corse <[EMAIL PROTECTED]> wrote:
> > Try something for me - toss 40 novice programmers on a machine, and let them hammer away at it. In this one, I think I have you beat, running a shell provider for muds, for almost 10 years - I can tell you, BSD does not stand up to it ..
>
> well, I don't know about BSD in general, but just try it with OpenBSD. If the machine is generally capable of this task (has the mem and power to support n sessions in parallel), it's just your task as admin to make it happen. The means are there. If your users bring down your machine it's most probably your own fault.
>
> --knitti

Turning this into a learning experience: Does anyone have any hints or advice about hardening OpenBSD for shell accounts? Do people tweak things other than the login.conf settings? I have to deal with student shell accounts where students are learning to program and often create problems by accident.
Woohoo!!! Order has shipped
I just got an email indicating that my 3.8 order has shipped. Now I have to wait for Canada Post to deliver...

Thanks Team,
Pierre
Re: pf : know the traffic amount per IP
On Wed, 19 Oct 2005 20:17:55 +0100 Francisco José Nina Rente <[EMAIL PROTECTED]> wrote:
> Greetings,
>
> I have this situation. My ISP limits the amount of traffic each user can use per month. I need to log the amount of traffic each IP generates in my LAN. Can I do this with PF?
>
> tks in advance,
> cheers

You might want to take a look at mrtg.

--
Best regards,

Ken Gunderson

Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
I found your email at http://www.openbsd.org/ports.html
Hello Mister/Madame,

I run a website which helps people fight spam: Spammers collect e-mail addresses from websites and mass-mail the found e-mail addresses. I tell people where their email address is shown on the web, and tell them about it. If my mail irritates you and you think this is spam too, you should first check my website, and maybe contact me if you're still not sure.

I found your e-mail at this website: http://www.openbsd.org/ports.html

If you wonder why you get loads of spam every day, this is why. I managed to find your e-mail address on this site, spammers would certainly find it too. If you want to receive less spam, please check my website and help fight spam ! www.antispam.m2h.nl

If you got tips to improve my service you can always mail me, if you are angry about me mailing you this message you can also tell me and I'll do something about it. Interested in helping prevent spam and joining me ? Since we just started we can use all help we can get !

Dear regards,
Mike

-I run a 100% free service to fight spam, because I hate spam.
-I am not related to any spammer in any way. I do not use your e-mail address for anything else beside this mail and I will not spread your e-mail address.
Re: Limiting Shell Access Damage (was Guruness)
On Wednesday, October 19, "Will H. Backman" wrote:
> Turning this into a learning experience: Does anyone have any hints or advice about hardening OpenBSD for shell accounts? Do people tweak things other than the login.conf settings? I have to deal with student shell accounts where students are learning to program and often create problems by accident.

A number of things... login.conf is your best friend. We used to run labs of OpenBSD machines here. They were easily our most stable and workable platform.

--Toby.
Re: pf : know the traffic amount per IP
On Wed, Oct 19, 2005 at 08:17:55PM +0100, Francisco José Nina Rente wrote:
> Greetings,
>
> I have this situation. My ISP limits the amount of traffic each user can use per month. I need to log the amount of traffic each IP generates in my LAN. Can I do this with PF?

ntop

--
U.S. Encouraged by Vietnam Vote - Officials Cite 83% Turnout Despite Vietcong Terror - New York Times 9/3/1967
Re: Limiting Shell Access Damage (was Guruness)
> If you can port it, you can also use it on your own box, so where is the problem?

No problem there.. Actually looking at the couple of functions I need here to see how difficult to integrate they would be.

> login.conf (5)
>
> > Problem comes into play when a user starts say .. 50 copies of the same thing, because it didn't boot.. They just keep hitting the button .. :(
>
> login.conf (5)

Right, but login.conf either stops the usage dead, by allocating no more, or outright kills it (off the top of my head, I am not sure which) - I think :( This causes problems with resource allocations when doing quick intensive tasks, like compiling, tar/gz, etc.

Thank you for the suggestion though, I may try it out and see how well it does with some users on it - it may well do just fine now :)

D.
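The "stops it dead or kills it" question above comes down to the soft/hard limit distinction in login.conf(5). Below is an added example of a login class for the student accounts Will describes; it is the editor's illustration, not a configuration from anyone in the thread. The capability names are those documented in login.conf(5); the class name `students` and every value are assumptions to be sized for the machine.

```conf
# Added example: a login class for student shell accounts (editor's
# illustration, values are assumptions). "-cur" is the soft limit a user
# may raise with ulimit; "-max" is the hard ceiling they cannot exceed.
students:\
	:maxproc-cur=48:\
	:maxproc-max=96:\
	:openfiles-cur=128:\
	:openfiles-max=512:\
	:datasize-cur=128M:\
	:datasize-max=512M:\
	:stacksize-cur=4M:\
	:coredumpsize=0:\
	:cputime=1h:\
	:priority=5:\
	:umask=077:\
	:tc=default:
```

A student who needs more memory for one build can raise datasize for that session with ulimit, up to the `-max` ceiling, which is the knob the "limits slow compiling" objection is really about. The limits also act differently: exceeding datasize makes further allocation fail (malloc returns NULL) rather than killing the process, while cputime delivers SIGXCPU at the soft limit and terminates the process at the hard limit, and a fork bomb simply gets EAGAIN once maxproc is reached. Assign the class with `usermod -L students <user>`, and if /etc/login.conf.db exists rebuild it with `cap_mkdb /etc/login.conf` after editing.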
Re: pf : know the traffic amount per IP
On Oct 19, 2005, at 3:17 PM, Francisco José Nina Rente wrote:
> Greetings,
>
> I have this situation. My ISP limits the amount of traffic each user can use per month. I need to log the amount of traffic each IP generates in my LAN. Can I do this with PF?

Other folks are pointing to mrtg, ntop, etc. To directly answer your question, yes... you can do it with PF. Directly, using PF labels. These are easy to setup and quite powerful. You can also use pfstat, which uses PF.

HTH.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
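As an added example (the editor's, not Jason's or the project's), here is what label-based per-host accounting looks like end to end: the pf.conf side is sketched in the comments, and the shell functions aggregate `pfctl -sl` output per label and flag hosts over a byte quota. The `$int_if` macro, the host addresses, the `lan_` label naming scheme and the `pfctl -sl` column layout stated in the comment are assumptions; the sample counter lines are constructed, not captured from a live firewall.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): per-host traffic accounting
# with PF rule labels.
#
# pf.conf side (assumed macros and addresses): one pass rule per LAN host,
# labelled with that host's address. The label macro $srcaddr expands when
# the ruleset is loaded, so a host list yields one labelled rule per host:
#
#   lan_hosts = "{ 192.168.1.10 192.168.1.11 }"
#   pass in on $int_if from $lan_hosts to any keep state label "lan_$srcaddr"
#
# Reading the counters: `pfctl -sl` prints one line per label. Column layout
# assumed here (OpenBSD 3.x):
#   label evaluations packets bytes packets_in bytes_in packets_out bytes_out
# Counters accumulate from ruleset load; `pfctl -z` zeroes them, so a monthly
# cron job can log and reset them in one go.

# Constructed sample of pfctl -sl output (not captured from a real firewall).
# lan_192.168.1.10 appears twice: two rules carry the same label.
SAMPLE_LABELS='lan_192.168.1.10 120 2300 1843200 1100 204800 1200 1638400
lan_192.168.1.11 80 900 512000 400 102400 500 409600
lan_192.168.1.10 30 700 204800 300 51200 400 153600'

# label_bytes: read pfctl -sl lines on stdin, print "label total_bytes",
# summing rules that share a label, largest first.
label_bytes() {
    awk 'NF >= 4 && $4 ~ /^[0-9]+$/ { bytes[$1] += $4 }
         END { for (l in bytes) printf "%s %d\n", l, bytes[l] }' |
        sort -k2,2nr
}

# over_quota QUOTA_BYTES: read pfctl -sl lines on stdin, print the labels
# whose total exceeds QUOTA_BYTES (e.g. the ISP's monthly cap per host).
over_quota() {
    label_bytes | awk -v q="$1" '$2 + 0 > q + 0 { print $1 }'
}

# Live use:  pfctl -sl | label_bytes >> /var/log/pf-accounting.log
printf '%s\n' "$SAMPLE_LABELS" | label_bytes
```

Because every packet matched by a rule or by the state it created is credited to that rule's counters, one label per host collects both directions of the host's traffic; summing over labels rather than rules is what makes the totals survive a ruleset that mentions the same host more than once.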
Re: Woohoo!!! Order has shipped
On Wed, Oct 19, 2005 at 03:24:06PM -0400, Pierre Groulx wrote:
> I just got an email indicating that my 3.8 order has shipped.
> Now I have to wait for Canada Post to deliver...

Oh man oh man oh man... where's my order confirmation?! And fwiw I'm glad I took a leap of faith with the then-unknown shirt design, it looks pretty cool. Thanks man, now I feel like a junkie with the shakes who just heard a new load of heroin arrived in town. Shoot me up baby...

gord

--
Gordon Grieder | Join us, get cracking! www.grub.net www.distributed.net
[EMAIL PROTECTED] [EMAIL PROTECTED]
Re: Limiting Shell Access Damage (was Guruness)
> Turning this into a learning experience: Does anyone have any hints or advice about hardening OpenBSD for shell accounts? Do people tweak things other than the login.conf settings? I have to deal with student shell accounts where students are learning to program and often create problems by accident.

Well, in a non-distro specific way, I have a couple that we use, if you're interested:

A) Process daemon checking, in 30 minute increments specifically for:
   - Processes using 80+% CPU
   - Processes over the set quota for that user (config file sets them per login)
   - Processes spawning 'sleep' consistently
   - A process with the same name, but a different ID, using the high resources.
   In all cases, the first time it sees the problem, it's logged. The next time it is run, it loads that array, and if it sees it still going on, it sends the process a KILL. So in essence, they must do it for more than 30 minutes. Never seems to nail GCC or anything like that.. Since it changes IDs and names with each file.

B) Limit outgoing access to IRC servers.. Usually 6667 - many times someone puts in PHPBB or some such garbage, and it gets cracked. The uploaded executables tend to connect to IRC servers to be used as DDOS bots, or spam bots.

C) Limit appropriately with login.conf as suggested - specifically stack size, coredumpsize, number of processes, and number of fd's

D) Put each user in their own group, and make the user, the web server, and the email server a member of it. Then you can set it as only user and group rwx, and not have folks surfing around in the directories grabbing others' files. May want to do the same thing with config files. We generally, as I had said, use Linux, which gives us GRSec, and XATTR for this .. But a least access policy to system configuration files is probably a safe bet, even if only done with the usual user/group mechanism.

E) Put it on a 10Mbps port :) Stops too much damage if someone launches an attack from it.

F) Implement login.access, and hosts.allow lists, controlled by a unix command, to limit specific IPs to accessing the machine at all, on priv. ports, or using other people's login IDs. Seems to keep unknowns from getting on the box mostly (barring social engineering :) because they need a user, a password, AND to be from the right ISP.

G) Not sure if OpenBSD might have an equivalent to Linux OOM Killer.. But this has saved the box before, when things get out of control very quickly. I try not to use limits, because it slows compiling to crap :(

We do some other things too, if you want some details, drop me an offlist email :)

-D.
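Item A) above, the two-strikes process check, as an added shell example; this is the editor's sketch, not Dale's daemon. The snapshot format (the output of `ps -axo pid,user,pcpu,comm`), the state file path and the 80% threshold are assumptions, and both snapshots are constructed rather than captured.

```shell
#!/bin/sh
# Added example (editor's sketch, not Dale's daemon): the "two strikes"
# process check from item A). Each run takes a process-table snapshot, notes
# the PIDs above a CPU threshold in a state file, and reports only the PIDs
# that the previous run had already noted. It prints PIDs; the caller
# decides what signal, if any, to send.
#
# Snapshot format assumed: the output of
#   ps -axo pid,user,pcpu,comm
# (a header line, then one process per line). Both snapshots below are
# constructed, not captured from a real machine.
SNAP_RUN1='PID USER %CPU COMMAND
1201 alice 97.0 a.out
1305 bob 3.2 ksh
1410 carol 88.5 perl'
SNAP_RUN2='PID USER %CPU COMMAND
1201 alice 95.4 a.out
1305 bob 1.0 ksh
1410 carol 2.0 perl
1522 dave 99.0 a.out'

# repeat_offenders SNAPSHOT STATEFILE CPU_THRESHOLD
#   Print the PIDs at or above CPU_THRESHOLD in SNAPSHOT that STATEFILE also
#   lists from the previous run, then rewrite STATEFILE with this run's list.
repeat_offenders() {
    snapshot=$1 state=$2 threshold=$3
    [ -f "$state" ] || : > "$state"
    # this run's hot PIDs (NR > 1 skips the ps header line)
    now=$(printf '%s\n' "$snapshot" |
          awk -v t="$threshold" 'NR > 1 && $3 + 0 >= t + 0 { print $1 }')
    # PIDs present in both lists. Testing FILENAME rather than NR==FNR keeps
    # this correct when the state file is empty (the very first run).
    printf '%s\n' "$now" |
        awk -v s="$state" 'FILENAME == s { if (NF) seen[$1] = 1; next }
                           NF && ($1 in seen) { print $1 }' "$state" -
    printf '%s\n' "$now" > "$state"
}

# demo: run the check twice on the constructed snapshots. 1410 was hot only
# in run 1 and 1522 only in run 2; 1201 was hot in both, so only it prints.
demo() {
    st=$(mktemp) || return 1
    repeat_offenders "$SNAP_RUN1" "$st" 80 >/dev/null   # first strike: nothing printed
    repeat_offenders "$SNAP_RUN2" "$st" 80
    rm -f "$st"
}

# Live use from a 30-minute cron entry, TERM first and KILL only if needed:
#   repeat_offenders "$(ps -axo pid,user,pcpu,comm)" /var/db/hogs.state 80 |
#     while read -r pid; do kill -TERM "$pid"; sleep 5; kill -KILL "$pid" 2>/dev/null; done
demo
```

Keying the state on PID is what lets a compiler run survive: gcc forks a fresh process for every file, so the same PID is rarely hot on two consecutive passes, which is exactly the behaviour Dale describes. Sending TERM before KILL gives a runaway a chance to exit cleanly and leaves something in the logs to show a student whose job vanished.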
Re: Cards/chips supporting hostap mode
I'm not having any luck finding something locally. Can anyone recommend an online dealer that has a PCI based wireless card supporting hostap mode?

Steve
Re: em(4) problems with -current
On Wed, Oct 19, 2005 at 12:56:44PM -0400, Jon Hart wrote:
> On Wed, Oct 19, 2005 at 12:10:35PM -0400, Brian A. Seklecki wrote:
> >
> > The Intel IPMI on the motherboard may be to blame. It's always up/on and listening.
> >
> > Also, see my thread in freebsd-questions@ about Dells with Intel em(4) and Dell PowerEdge switches w/ NIC Teaming, 802.3ad, ng_many2_one, etc.
> >
> > For example, traffic sent from the IPMI IP/MAC of the interface is visible from the OS via tcpdump(8), which is kind of spooky.
>
> This was something I had thought of and I believe I disabled all traces of it. Console redirection, BMC/IPMI, etc, all disabled. Perhaps "disabled" simply means "don't accept connections to IPMI but keep the link up".

This does appear to be the case. BMC is disabled and the card still exhibits the same behavior.

> I'll double check this today and verify. Will the IPMI on the motherboard only work with the onboard ethernet controllers, or will it get its grubby little hands on any/all controllers it finds? If it only works with the onboard, then maybe switching to the PCI card ports will be a sufficient workaround.

Testing these machines shows that only the primary onboard controller acts dumb. My secondary onboard controller (em5, in this case) works as expected.

The only question that remains is... is the fact that 'ifconfig em4 down' put the interface into a "DOWN" state but keeps the link up a bug? I guess em did its best to down the interface, but IPMI brought it back up. I wonder if it's worthwhile for the driver to detect this?

Anyway, thanks for your insight!

-jon
Re: Limiting Shell Access Damage (was Guruness)
> Turning this into a learning experience: Does anyone have any hints or advice about hardening OpenBSD for shell accounts? Do people tweak things other than the login.conf settings? I have to deal with student shell accounts where students are learning to program and often create problems by accident.

(Firstly, not mentioning restricted shells at all, because we all hate them, right? rksh? )

Back in the old days before umls or half a dozen other equally appropriate technologies which I would use in preference if I were doing it again today, I used to build a chroot environment with a minimal subset of commands and relevant data files for just this sort of thing. If y'all promise not to laugh, I found this code in my archives that I wrote in 1993. http://www.gtoal.com/historical/tcsh.c

Obviously the layout of the filesystem will have changed over the years, but maybe there's something in there that's still salvageable. No, it's not hackproof, and I certainly would not write something like this nowadays, but the main reason I used this a dozen years ago was not to stop advanced hackers but to stop careless naive users (our customers, actually) doing something dangerous by accident, and to stop casual guest account visitors from browsing around the filesystem gratuitously.

If you go the chroot route: this is from the linux world but probably adaptable: http://fakechroot.alioth.debian.org/

Also equally amusing in a historical sense is lsh.c in the same directory. Again, better ways exist to do that now (watch/ttysnoop).

As well as full virtualization, you might look at copy-on-write filing systems to allow users to unwind mistakes. Nowadays I would use user mode linux or colinux to create a lightweight virtual machine and let them manage it completely, using c-o-ws as a quick way to revert if they screw it up. I don't know what the BSD equivalent of uml might be.

A quick google search for 'virtual server bsd' shows that they do exist (http://www.esosoft.com/virtualserver/), at least for FreeBSD. If there's no specific OpenBSD lightweight virtualization then maybe you could use a more heavyweight emulation such as qemu (http://www.erikveen.dds.nl/qemupuppy/index.html) or plex86 (http://sourceforge.net/projects/plex86) or xen (http://www.xensource.com/, http://www.cl.cam.ac.uk/Research/SRG/netos/xen/) or vserver (http://www.solucorp.qc.ca/miscprj/s_context.hc) or many commercial products: virtualpc/vmware/openvz/serenity(svista)/virtuozzo/parallels (microsoft, serenity and parallels have all had beta programs that allowed you to use their latest development products for an extended period, as opposed to the few weeks you usually get from a mere eval download. Of those I think parallels.com is the only one currently available)

There's a pile of links on various subjects related to virtualization in my online bookmarks: http://www.gtoal.com/bookmarks/Computer_stuff/Virtual_PC/index.php (+ some misfiled under http://www.gtoal.com/bookmarks/Virtual_PC/index.php) and a lesser amount of relevant links in http://www.gtoal.com/bookmarks/Computer_stuff/Unix/index.php and http://www.gtoal.com/bookmarks/Computer_stuff/Security_backup_and_admin/index.php

Another option is a live cd: http://www.freesbie.org/ or http://www.livebsd.com/ ...

Maybe you'll find something of interest in there. If not, reading other people's bookmarks is almost as much fun as looking at their bookshelves :-)

regards
Graham
Re: em(4) problems with -current
Someone with one of these problematic cards should put it in the mail to Brad in Toronto. That is your best bet.
Re: em(4) problems with -current
On Wed, 19 Oct 2005 16:37:29 -0600 Theo de Raadt <[EMAIL PROTECTED]> wrote:
> Someone with one of these problematic cards should put it in the mail to Brad in Toronto. That is your best bet.

Intel support is presently adopting the position that my card is not "Genuine Intel" product. Apparently their stuff could not possibly be broken. I just finished driving across town to the closest buddy w/a digital camera so I could send them "high quality digital images of both sides of the card". Bottom line is that if Intel doesn't RMA the unit then I will send it Brad's way. Stay tuned.

--
Best regards,

Ken Gunderson

Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?
Re: Limiting Shell Access Damage (was Guruness)
On 10/19/05, Wolfpaw - Dale Corse <[EMAIL PROTECTED]> wrote:
> quickly. I try not to use limits, because it slows compiling to crap :(

this makes no sense whatsoever.
Re: Limiting Shell Access Damage (was Guruness)
> On 10/19/05, Wolfpaw - Dale Corse <[EMAIL PROTECTED]> wrote:
> > quickly. I try not to use limits, because it slows compiling to crap :(
>
> this makes no sense whatsoever.

To clarify, if you limit someone's ram use to a certain point, or CPU use to a certain point, it will slow down compiling due to having less resources :) As I said though - I may be wrong on this one.

-D.
Re: Limiting Shell Access Damage (was Guruness)
From: Wolfpaw - Dale Corse [mailto:[EMAIL PROTECTED]
> > On 10/19/05, Wolfpaw - Dale Corse <[EMAIL PROTECTED]> wrote:
> > > quickly. I try not to use limits, because it slows compiling to crap :(
> >
> > this makes no sense whatsoever.
>
> To clarify, if you limit someone's ram use to a certain point, or CPU use to a certain point, it will slow down compiling due to having less resources :) As I said though - I may be wrong on this one.

Yes, that would be the idea of limiting resources. If I am given the ability to use 99% of the CPU compiling software, how is that different than me running a fork bomb and doing the same?

DS
iptables vs pf
i suggested to my friend to replace his linux box with openbsd. he uses it mainly as an internet gateway: pf + squid proxy. after 2 weeks he switched it back to linux and said: linux is much faster to respond to the http requests (he had the same configuration on openbsd, pf + squid proxy).

is there any program that can prove what he says?

thanks.

-edy-
Re: Non Developers allowed to ask questions ?
blah blah blah

Just stop it with this top post horseshit. Nobody cares, for fuck's sake.

On Oct 19, 2005, at 2:13 PM, Benjamin Collins wrote:
> On Wed, Oct 19, 2005 at 10:07:47AM -0600, Ken Gunderson wrote:
> > On Wed, 19 Oct 2005 14:06:11 +0100 "Constantine A. Murenin" <[EMAIL PROTECTED]> wrote:
> > > On 19/10/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > > There is a legitimate use for top posting.
> > > > Deletion and/or answer of message in 10 to 15 seconds or less.
> > >
> > > Nonsense. Just because your MS Outlook does not support or is not configured to support bottom-posting, doesn't mean that you should find some invalid excuses for top-posting.
> >
> > With a sig like mine I couldn't resist a resounding "me too" on this one;-) My sig concisely demonstrates in a nutshell why top posting is problematic, if not an all out pita.
>
> FWIW, there's a little program called QuoteFix that will make Outlook quote the email you're replying to and put the cursor and sig underneath. Works for me when I'm at work.
>
> bc
>
> --
> Benjamin Collins <[EMAIL PROTECTED]>
> 'Broadly speaking, the short words are the best, and the old words best of all.' --- Sir Winston Churchill
Re: em(4) problems with -current
On Wed, 19 Oct 2005, Theo de Raadt wrote:

> Someone with one of these problematic cards should put it in the
> mail to Brad in Toronto. That is your best bet.

It isn't so much a bug; more so a caveat of Dell's implementation. Maybe you can order PowerEdge 1850s w/o a hardware IPMI implementation, but I don't think it's an issue that warrants chewing up precious cycles in a developer's schedule.

~BAS
Re: iptables vs pf
Edy Purnomo wrote:
> i suggested to my friend to replace his linux box to openbsd.
> he uses mainly for internet gateway : pf + squid proxy
> after 2 weeks later he switched it back linux and said : linux much
> faster to respond the http requests (he had a same configuration on
> openbsd, pf + squid proxy).
>
> is there any program that can proof what he says ?
> thanks.
>
> -edy-

Some users prefer speed over security *shrug*

--
Best regards,
Chris

Even paranoids have enemies.
Re: pf : know the traffic amount per IP
IPaudit and IPaudit-web work well for this.

On 10/19/2005, "Jason Dixon" <[EMAIL PROTECTED]> wrote:
>On Oct 19, 2005, at 3:17 PM, Francisco Josi Nina Rente wrote:
>
>> Greetings,
>>
>> I have this situation.
>> My ISP limits the amount of traffic that each user can use per month.
>> I need to log the amount of traffic that each IP generates in my LAN.
>> Can I do this with PF?
>
>Other folks are pointing to mrtg, ntop, etc. To directly answer your
>question, yes... you can do it with PF. Directly, using PF labels.
>These are easy to setup and quite powerful. You can also use pfstat,
>which uses PF.
>
>HTH.
>
>--
>Jason Dixon
>DixonGroup Consulting
>http://www.dixongroup.net
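Jason's pointer to PF labels, carried through as an added example (not code from the thread or from the pf project): the pf.conf rules in the comment are hypothetical, and the `pfctl -sl` lines fed to the script are constructed, not captured from a real firewall. The point it shows is that a label macro such as `$srcaddr` is expanded once per rule when an address list expands, which is what turns a two-rule snippet into per-host counters.

```sh
#!/bin/sh
# Added example, not from the thread: per-host byte totals from PF rule labels.
#
# Assumed pf.conf (hypothetical names): the address list expands to one rule
# per host, and pfctl substitutes $srcaddr/$dstaddr into each rule's label at
# load time, so every LAN host ends up with its own labelled rule pair:
#
#   lan_hosts = "{ 192.168.1.10 192.168.1.11 }"
#   pass out on $ext_if from $lan_hosts to any label "out:$srcaddr"
#   pass in  on $ext_if from any to $lan_hosts label "in:$dstaddr"
#
# `pfctl -sl` then prints one line per label:
#   <label> <evaluations> <packets> <bytes> [<pkts in> <bytes in> <pkts out> <bytes out>]
# Total bytes is always the 4th field, so this works with both output shapes.

# Read pfctl -sl output on stdin, print "<host> <bytes>" per host, sorted.
sum_bytes_per_host() {
    awk '{
        n = split($1, part, ":")      # label is "<direction>:<host>"
        if (n < 2) next               # skip labels that do not follow the scheme
        total[part[2]] += $4
    }
    END { for (h in total) printf "%s %d\n", h, total[h] }' | sort
}

# Constructed sample of pfctl -sl output (not captured from a real machine).
sample_labels() {
    cat <<'EOF'
out:192.168.1.10 1200 900 450000 0 0 900 450000
in:192.168.1.10 1300 2100 3100000 2100 3100000 0 0
out:192.168.1.11 80 40 12000 0 0 40 12000
in:192.168.1.11 90 60 48000 60 48000 0 0
EOF
}

# Live use would be:  pfctl -sl | sum_bytes_per_host
sample_labels | sum_bytes_per_host
```

Two caveats for monthly accounting: the counters start again from zero whenever the ruleset is reloaded or `pfctl -z` is run, so the totals have to be snapshotted on a schedule (a cron job writing the output to a file) and summed over the month; and the naive `split` on ":" assumes labels without spaces, which is why the scheme above keeps them to `direction:host`.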
Re: Guruness (was the bug report thread)
On 10/19/05, Wolfpaw - Dale Corse <[EMAIL PROTECTED]> wrote:
> > well, I don't know about BSD in general, but just try it with
> > OpenBSD. If the machine is generally capable of this task
> > (has the mem and power to support n sessions in parallel),
> > it's just your task as admin to make it happen. The means are
> > there. If your users bring down your machine it's most
> > probably your own fault.
>
> You may well be right, though I would say that the amount of
> code changes users would be required to do, to make it work
> would end up in my lap, seeing as there are some things OpenBSD's
> kernel does not have, or has fairly out of date versions of

well, for most things I'd say you won't need to change any code. If you mean newb programmers _hacking on the very OpenBSD they share_ this is generally a bad idea.

> One example I can think of is libpcap - and it seems to be
> lagging behind more because some folks are upset that the devs
> there won't accept their commits, then actually fixing the software.
>
> Perhaps I will port it .. And see how many people yell at me for
> that. :)

If you can port it, you can also use it on your own box, so where is the problem?

> Resource use in general was the problem - you can't lock them down
> entirely, because the progs use 99.9 CPU when starting, then settle
> to 2 or 4.. So using something like lshell, or equiv. doesn't work
> very well. I use a prog that simply snaps a picture of the proc
> table every half hour, and kills things that are over their limit
> for 2 runs.

login.conf(5)

> Problem comes into play when a user starts say .. 50
> copies of the same thing, because it didn't boot.. They just keep
> hitting the button .. :(

login.conf(5)

--knitti
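knitti's answer to both complaints is login.conf(5), so here is what that looks like as an added example (not from the thread and not OpenBSD's shipped login.conf): a hypothetical login class for hosted shell users, with the illustrative numbers chosen for a modest shared box rather than taken from anywhere.

```text
# Added example, not from the thread: a login class for hosted shell users.
# The limits are illustrative and assume a modest shared box; tune them to
# yours. Assign with  usermod -L shell <user>  and, if /etc/login.conf.db
# exists, rebuild it with  cap_mkdb /etc/login.conf.

# Before: the class inherits every default, so one runaway user (a fork bomb,
# or fifty copies of a mud that failed to boot) can fill the process table.
#shell:\
#	:tc=default:

# After: cap processes, per-process CPU time and data size, and run the
# class at a lower scheduling priority so interactive users still get a turn.
shell:\
	:maxproc-max=48:\
	:maxproc-cur=32:\
	:cputime=2h:\
	:datasize-max=256M:\
	:datasize-cur=128M:\
	:openfiles-max=256:\
	:priority=5:\
	:tc=default:
```

The `-cur` values are the soft limits a user starts with and may raise with `ulimit` up to the matching `-max`; a normal compile stays well under all of them, while a fork bomb or fifty stuck copies of the same program hit `maxproc` and get refused by the kernel, which is the distinction the thread was arguing about.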
Re: Rationale for allowing mount_mfs in securelevel 2?
On Wed, Oct 19, 2005 at 08:44:49AM +0200, Otto Moerbeek wrote:
>
> On Wed, 19 Oct 2005, Roman Rodyakin wrote:
>
> > I have been recently thinking about trade-offs involved in running
> > servers at securelevel 2. In securelevel 2, it is possible to mount
> > an MFS over an arbitrary disk directory and create arbitrary files in it,
> > including those that have system immutable flags set in the original
> > (disk) filesystem. This would essentially allow an attacker to
> > circumvent the system immutable flag until the reboot.
> >
> > My question is then this: what is the rationale, if any, for allowing
> > mount_mfs in securelevel 2?
> >
> > Not that it is a big deal (as MFS can be disabled in the kernel IIRC), I
> > am just wondering if I am perhaps misunderstanding the concept of
> > securelevel and protections allowed by it.
> >
> > I searched both mailing list archives and Google, but couldn't find
> > anything relevant. Feel free to point me to earlier discussions on the
> > subject, if there were any.
>
> Mounting in general is allowed, so why should mount_mfs be disallowed?

Correct me if I'm wrong, but I thought that, unlike most other mount_XXX commands, mount_mfs not only mounts a filesystem, but also creates it, essentially also doing what newfs does on a disk partition. newfs, however, fails in securelevel 2.

That said, I can totally see your point though, as singling out one file system type and disabling mounting it can certainly be viewed as inconsistent.
Re: Limiting Shell Access Damage (was Guruness)
> Yes, that would be the idea of limiting resources. If I am
> given the ability to use 99% of the CPU compiling software,
> how is that different than me running a fork bomb and doing the same?

In essence I suppose it isn't - but if you're (as in my case) selling shells, compiling is legitimate, and required use. When people do a lot of it, you just find other ways to deal with resource overuse. Not as well done as using limits.conf - but they work in most cases.

-D.
Re: iptables vs pf
> Edy Purnomo wrote:
> > i suggested to my friend to replace his linux box to
> > openbsd. he uses mainly for internet gateway : pf + squid proxy after 2
> > weeks later he switched it back linux and said : linux much faster to respond the
> > http requests (he had a same configuration on openbsd, pf + squid
> > proxy).
> >
> > is there any program that can proof what he says ?
> > thanks.
> >
> > -edy-
>
> Some users prefer speed over security
> *shrug*

I will put forward and qualify linux being faster as a bunch of crap - perhaps he is using low grade hardware? In our application (~ 30mbps of various traffic - you name it, it's there.. And lots of it is web) .. Linux won't even do it. Try to do connection tracking, or use the limiting modules for iptables, and it dies at 50,000 states.. I've personally seen ours do in excess of 540,000 states. Linux just runs out of ram and dies.. It's really horrible as a network firewall (IMNSHO)

Have you tried tcpblast? That would probably give you an accurate benchmark. I'd still say if the throughput on BSD is worse, something is incorrectly configured.

And I would have to echo what was already said - it's a firewall.. It is security you're after? :)

D.
Theo, I am truly sorry. You misunderstood me.
Hi Theo,

Straight up, I'm very sorry. It was not my intention to be rude and I'm not a rude person. All I am is desperate to be able to use OpenBSD again. The fact is I have been a supporter and advocate for OpenBSD for many years and I admire you for what you've done. I just want to be able to use OpenBSD again. I've been very patient waiting for support for over a year now and the more time that passed, the less I could see my chances of being able to use it. I don't have much in my life that makes it worthwhile being here and one of my few sources of pleasure has just been cut off. I'm wheelchair stricken due to a car accident as a child and OpenBSD was a really great way to pass the time (it's more than that though - I love it).

Please accept my apology and help me. As I said, I'm not a rude lady and I'm sorry I may have come across like that.

Cheers,
SophieL

On Mon, 2005-10-17 at 23:30 -0600, Theo de Raadt wrote:
> If you don't know why your mail is rude, you better read it a few
> times through.
>
> Totally sick of doing stuff for people who are rude to us.
> > > Return-Path: [EMAIL PROTECTED] > > Delivery-Date: Mon Oct 17 23:24:57 2005 > > Received: from shear.ucar.edu (shear.ucar.edu [192.43.244.163]) > > by cvs.openbsd.org (8.13.4/8.12.1) with ESMTP id j9I5Oul1008985; > > Mon, 17 Oct 2005 23:24:56 -0600 (MDT) > > Received: from openbsd.org (localhost.ucar.edu [127.0.0.1]) > > by shear.ucar.edu (8.13.4/8.13.4) with ESMTP id j9I5H5Lq004278; > > Mon, 17 Oct 2005 23:17:05 -0600 (MDT) > > Received: from qsrv01ps.mx.bigpond.com (qsrv01ps.mx.bigpond.com [144.140.82.181]) > > by shear.ucar.edu (8.13.4/8.13.3) with ESMTP id j9I5EcD9029977 > > for ; Mon, 17 Oct 2005 23:14:39 -0600 (MDT) > > Received: from foo ([144.131.133.235]) > > by omta03ps.mx.bigpond.com with SMTP id <[EMAIL PROTECTED]>; Tue, 18 Oct 2005 03:52:39 + > > Message-ID: <[EMAIL PROTECTED]> > > From: "Sophie" <[EMAIL PROTECTED]> > > To: "Jonathan Gray" <[EMAIL PROTECTED]> > > Cc: "Theo de Raadt" <[EMAIL PROTECTED]>, > > Subject: Re: "ATI SB200 USB" ports on Toshiba Satellite > > Date: Tue, 18 Oct 2005 13:52:46 +1000 > > MIME-Version: 1.0 > > Content-Type: text/plain; charset="us-ascii" > > X-Mailer: Microsoft Outlook Express 6.00.2900.2180 > > X-Converted-To-Plain-Text: from multipart/mixed by demime 1.01d > > X-Converted-To-Plain-Text: Alternative section used was text/plain > > X-Loop: misc@openbsd.org > > Precedence: list > > Sender: [EMAIL PROTECTED] > > > > Hi Jonathan, > > (please read my message in full and see my desperation - All I want is > > my usb port working - I've got no mouse) > > > > You may not have got my last email. My question was: > > > > If ATI don't release information about their hardware designs, then how > > did the OpenBSD developers get the info needed to write the driver for > > my dreadfully incompatible ATI IXP soundcard in this system (sound works > > under 3.8 snapshots)? > > Also, USB works under NetBSD 2.0/Linux (FC3-4, SuSe - I've tried it). > > How did they get it working? > > How come OpenBSD developers can't? 
> > It's all I want. I'd even be prepared to pay for it (If you count all of > > the OpenBSD CD releases that I've already bought in the past, I've > > already paid for it) > > > > Please, please help me. > > > > Regards, > > Sophie > > > > - Original Message - > > From: "Sophie" <[EMAIL PROTECTED]> > > To: "Jonathan Gray" <[EMAIL PROTECTED]> > > Cc: > > Sent: Saturday, October 08, 2005 10:53 PM > > Subject: Re: "ATI SB200 USB" ports on Toshiba Satellite > > > > > > > Thanks for the response Jonathan, > > > > > > Not questioning you. Just asking for enlightenment! > > > > > > If ATI don't release information about their hardware > > > designs, then how did the OpenBSD developers > > > get the info needed to write the driver for my dreadfully incompatible > > > ATI IXP soundcard in this system (sound works under 3.8 snapshots)? > > > > > > Regards, > > > Soph > > > > > > - Original Message - > > > From: "Jonathan Gray" <[EMAIL PROTECTED]> > > > To: "Sophie" <[EMAIL PROTECTED]> > > > Cc: "Chris Kuethe" <[EMAIL PROTECTED]>; > > > Sent: Saturday, October 08, 2005 8:57 PM > > > Subject: Re: "ATI SB200 USB" ports on Toshiba Satellite > > > > > > > > >> On Sat, Oct 08, 2005 at 05:38:10PM +1000, Sophie wrote: > > >>> Hi Chris and thanks for the reply. > > >>> > > >>> I know that if it's not loudly announced here there's > > >>> a good chance it won't be looked at but my soundcard > > >>> was in the same boat as the USB (It's an ATI > > >>> IXP200 - also an uncommon beast - now works under > > >>> 3.8 using the auixp driver). I never saw anything > > >>> mentioned about my difficult soundcard in misc or > > >>> anywhere else for that matter and yet 3.8 supports > > >>> it (there are still Linux distros out there that don't). > > >>> > > >>> I don't care about anything else other than the USB ports. > > >>> REALLY: This is making
Re: Limiting Shell Access Damage (was Guruness)
> > To clarify, if you limit someone's ram use to a certain point, or
> > CPU use to a certain point, it will slow down compiling due to
> > having less resources :) As I said though - I may be wrong on
> > this one.
>
> Yes, that would be the idea of limiting resources. If I am given the ability
> to use 99% of the CPU compiling software, how is that different than me
> running a fork bomb and doing the same?

Why are people jumping over each other, spreading horseshit like crazy? This is so wrong it's not even funny anymore...
Re: iptables vs pf
Edy Purnomo wrote:
> i suggested to my friend to replace his linux box to openbsd. he uses mainly for internet gateway : pf + squid proxy after 2 weeks later he switched it back linux and said : linux much faster to respond the http requests (he had a same configuration on openbsd, pf + squid proxy).
>
> is there any program that can proof what he says ? thanks.

No.

If your friend prefers Linux then fine, but his speed statement is wrong. (unless he'd misconfigured something due to a lack of knowledge on OpenBSD .. or pf .. or squid .. or run unsupported hw .. or ..)

BTW Edy, statements (in particular tux_userland_mock-up_no_79_glued_on_kernel_no_61_aka_slashdotoftheweek [heck, it even got its own place on securityfocus.com] vs. OpenBSD) without anything but the statement are useless in any respect. In fact it appears borderline trollish.

If this friend of yours has a problem with an OpenBSD installation, then tell him to address this list and he will get all the help he needs.

/per
[EMAIL PROTECTED]

> -edy-
Re: iptables vs pf
Edy Purnomo wrote:
> i suggested to my friend to replace his linux box to openbsd. he
> uses mainly for internet gateway : pf + squid proxy after 2
> weeks later he switched it back linux and said : linux much
> faster to respond the http requests (he had a same configuration
> on openbsd, pf + squid proxy).

If an experienced Linux admin has to admin a production OpenBSD machine without any experience he is bound to get into trouble somewhere. Better advise him to experiment and learn OpenBSD so he knows how to admin a box before he switches a production server to it.

# Han
Re: iptables vs pf
On Oct 19, 2005, at 6:21 PM, Edy Purnomo wrote:
> i suggested to my friend to replace his linux box to openbsd. he uses mainly for internet gateway : pf + squid proxy after 2 weeks later he switched it back linux and said : linux much faster to respond the http requests (he had a same configuration on openbsd, pf + squid proxy).
>
> is there any program that can proof what he says ? thanks.

Three points:

1) No way in hell is iptables faster than PF.

2) His box _may_ pass traffic faster, but this is almost certainly due to the support level of the hardware. Without real information, it's hard to qualify this.

3) Who cares? Why are you worried about what your friend uses? If it works for him, so be it. Rather than trying to bring him over "cuz PF is l33t", just make sure you mention how cool it is when your stateful firewalls run 24x7. Oh, and when your 3.8 VPNs failover statefully, too. :)

http://www.openbsd.org/goals.html

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: Multiple connections to n WLANs with one WLAN-NIC?
On Tue, Oct 18, 2005 at 09:51:42PM +0200, [EMAIL PROTECTED] wrote:
> Is it possible to connect to multiple WLANs at the same time with just one
> WLAN-NIC?

supported - no
possible - yes (same channel, not possible with all drivers, probably slow)

it's mostly the same as having multiple "virtual" accesspoints on one wireless interface.

reyk
OpenBSD/SAN success story
Yet another reason to love OpenBSD.

Here is a dmesg from a Dell PowerEdge 750 running OpenBSD 3.7 with a new QLA-2310F fibre card connected via Brocade 3900 to a 467GB LUN on an Apple XRaid. All it took was rebuilding the kernel with "option ISP_COMPILE_FW", as described in isp(4). Zoned it up on the switch, masked the LUN on the XRaid, rebooted... voila! :)

First, the df:

# df -h
Filesystem     Size   Used  Avail Capacity  Mounted on
/dev/raid0a    195M  34.8M   150M    19%    /
/dev/raid0d    3.9G   1.3G   2.4G    36%    /usr
/dev/raid0e    251M   2.0K   238M     0%    /tmp
/dev/raid0f    3.9G   9.4M   3.7G     0%    /var
/dev/raid0g   56.4G   2.0K  53.6G     0%    /home
/dev/sd2a      460G   2.0K   437G     0%    /san

OpenBSD 3.7 (GENERIC) #2: Tue Oct 18 12:11:01 EDT 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Pentium(R) 4 CPU 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36, CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,PNI,MWAIT,CNXT-ID real mem = 1073065984 (1047916K) avail mem = 971517952 (948748K) using 4278 buffers containing 53755904 bytes (52496K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(00) BIOS, date 02/16/05, BIOS32 rev. 0 @ 0xffe90 pcibios0 at bios0: rev 2.1 @ 0xf/0x1 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc570/144 (7 entries) pcibios0: no compatible PCI ICU found: ICU vendor 0x8086 product 0x25a1 pcibios0: Warning, unable to fix up PCI interrupt routing pcibios0: PCI bus #3 is the last bus bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xc9000/0x5600 0xce800/0x1000 0xec000/0x4000!
cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 "Intel 82875P Host" rev 0x02 ppb0 at pci0 dev 3 function 0 "Intel 82875P PCI-CSA" rev 0x02 pci1 at ppb0 bus 1 em0 at pci1 dev 1 function 0 "Intel PRO/1000CT (82547EI)" rev 0x00: irq 3, address: 00:12:3f:25:43:fc ppb1 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02 pci2 at ppb1 bus 2 ahc1 at pci2 dev 1 function 0 "Adaptec AHA-3960D U160" rev 0x01: irq 11 scsibus0 at ahc1: 16 targets sd0 at scsibus0 targ 0 lun 0: SCSI3 0/ direct fixed sd0: 70007MB, 90774 cyl, 2 head, 789 sec, 512 bytes/sec, 143374650 sec total sd1 at scsibus0 targ 1 lun 0: SCSI3 0/ direct fixed sd1: 70007MB, 90774 cyl, 2 head, 789 sec, 512 bytes/sec, 143374650 sec total ahc2 at pci2 dev 1 function 1 "Adaptec AHA-3960D U160" rev 0x01: irq 11 scsibus1 at ahc2: 16 targets uhci0 at pci0 dev 29 function 0 "Intel 6300ESB USB" rev 0x02: irq 11 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 29 function 1 "Intel 5300ESB USB" rev 0x02: irq 10 usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered "Intel 6300ESB WDT" rev 0x02 at pci0 dev 29 function 4 not configured "Intel 6300ESB APIC" rev 0x02 at pci0 dev 29 function 5 not configured ehci0 at pci0 dev 29 function 7 "Intel 6300ESB USB" rev 0x02: irq 7 ehci0: EHCI version 1.0 ehci0: companion controllers, 2 ports each: uhci0 uhci1 usb2 at ehci0: USB revision 2.0 uhub2 at usb2 uhub2: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1 uhub2: single transaction translator uhub2: 4 ports with 4 removable, self powered ppb2 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x0a pci3 at ppb2 bus 3 em1 at pci3 dev 2 function 0 "Intel PRO/1000MT (82541EI)" rev 0x00: irq 10, address: 00:12:3f:25:43:fd <= good stuff=> isp0 at pci3 dev 3 
function 0 "QLogic ISP2300" rev 0x01: irq 11 scsibus2 at isp0: 256 targets sd2 at scsibus2 targ 0 lun 1: SCSI5 0/ direct fixed sd2: 478736MB, 59842 cyl, 128 head, 128 sec, 512 bytes/sec, 980451328 sec total <==> vga1 at pci3 dev 14 function 0 "ATI Rage XL" rev 0x27 wsdisplay0 at vga1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) ichpcib0 at pci0 dev 31 function 0 "Intel 6300ESB LPC" rev 0x02 pciide0 at pci0 dev 31 function 2 "Intel 6300ESB SATA" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility atapiscsi0 at pciide0 channel 0 drive 0 scsibus3 at atapiscsi0: 2 targets cd0 at scsibus3 targ 0 lun 0: SCSI0 5/cdrom removable cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 pciide0: channel 1 ignored (disabled) "Intel 6300ESB SMBus" rev 0x02 at pci0 dev 31 function 3 not configured isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0 (mux 1 ignored for console): console keyboard, using wsdisplay0 pms0 at pckbc0 (aux slot) pckbc0: using irq 12 for aux slot wsmouse0 at pms0 mux 0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: sysbeep0 at pcppi0 npx0 at isa0 port 0xf
Re: iptables vs pf
On 10/19/05, Edy Purnomo <[EMAIL PROTECTED]> wrote:
> i suggested to my friend to replace his linux box to openbsd.
> he uses mainly for internet gateway : pf + squid proxy
> after 2 weeks later he switched it back linux and said : linux much faster
> to respond the http requests (he had a same configuration on openbsd, pf +
> squid proxy).
>
> is there any program that can proof what he says ?
> thanks.
>
> -edy-

Hello, I put OpenBSD 3.8 snapshot on an old DEC 500pws with pf.conf and it was okay on response. Then I redid my pf.conf with the tutorial by Jeff Hansteen posted a couple of days ago. Wow! what a difference. My DEC firewall is faster than snot loading up web pages. It is like I upgraded my ADSL to a faster speed. Beats my old Linksys router I was using before this.

Thanks OpenBSD and Jeff.

Best regards,
rogern

John 3:16
Re: Guruness (was the bug report thread)
On 10/19/05, Wolfpaw - Dale Corse <[EMAIL PROTECTED]> wrote:
> > > Ditto.
> > >
> > > - That also being said, as Darren pointed out below, we have a group of
> > > people on this list, in particular the devs (but others too I am sure)
> > > that have some serious UNIX skills. I personally, came from the Linux &
> > > Cisco world primarily, but Unix has its strengths too. (Linux is more..
> > > tolerant of users errors).
> >
> > Bullshit! I have retired from being a Linux instructor for
> > IBM just this year and I don't think anything has changed much since.
>
> Try something for me - toss 40 novice programmers on a machine, and
> let them hammer away at it. In this one, I think I have you beat,
> running a shell provider for muds, for almost 10 years - I can tell
> you, BSD does not stand up to it .. Now I admit - it was years ago,
> and it was FreeBSD that we tried - it just didn't stand up.. Had
> users crashing the box and such. This was not a "Linux is better"
> comment - the opposite actually.. I find UNIX more useful by far,
> but for a beginner, linux is a better place to start. Linux has the
> OOM killer, among other things, that save the box from being eaten
> alive. If you'd like to debate shell hosting with me, please feel free,
> but you may want to lose that debate one off the list.
>
> > > What I believe, is that OpenBSD has the ability, with the features it
> > > is concentrated around, specifically in the areas of IP redundancy,
> > > routing, and firewalling - to take a very big chunk out of Cisco,
> > > Juniper, etc. If it was properly put forward - it would be a huge
> > > victory for the Open Source movement, UNIX, and for OpenBSD itself.
> >
> > OpenBSD is not into World Domination (TM Linus)
>
> Duh. If that's what you read - read it again. It says "OpenBSD is
> a better product. It should be shown to people. This generates a
> bigger community, and kudos for Open Source (which is also an
> attitude - one which, if I am not mistaken, the lead devs for this
> project tend to be quite defensive of. Ask Theo sometime about
> Adaptec, or Intel .. And see what he says.)
>
> > > - If bug reporting is such a headache - write a bug handling system. I
> > > will even write it for you. There are many distros with one, and it saves the
> > > devs problems with reports, and the users frustration at not sending them
> > > correctly - and the bitching from the list that goes with it. E-mailed bug
> > > reports is behind the times.
> >
> > http://openbsd.org/report.html is referenced in the link menu
> > on the left hand side of the homepage.
>
> Can you please enlighten me as to how this is a web based system?

Hi Wolfpaw,

You could use http://www.openbsd.org/cgi-bin/man.cgi?query=sendbug&sektion=1&format=html as said on http://www.openbsd.org/report.html to report the bug through internet easily.

sendbug is a tool used to submit problem reports (PRs) to the OpenBSD bugs database. sendbug invokes an editor on a problem report template (after filling in some fields with reasonable default values). When you exit the editor, sendbug sends the completed form to the OpenBSD bugs database. The PR will be assigned a unique number and stored in the bugs database according to its category. An automatic reply will be sent with an acknowledgement, citing the category and the PR number.

The bugs database can be queried using the online bug tracking system available at http://www.openbsd.org/query-pr.html. This allows users to search for PRs based on either their PR number or content.

Hope this helps :-)

Kind Regards
Siju
Re: Very high interrupts on a supermicro machine.
So, My latest update;

Theo mentioned the single CPU kernels don't make use of APIC interrupt controllers, just ISA. I booted my single P4 systems into the bsd.mp kernel, and behold there's a major difference in speed! Now the systems no longer claim 95%+ CPU held in interrupts, but claim to be 100% idle most of the time, bouncing into 1-6% sys CPU every few seconds, and holding at 0% int CPU.

Traffic changed from lossy at 120 megs, to maxed out at 150 megabits, ~70k pps per interface. At that point traffic very obviously flatlined, but it did not dip or fail. I saw no visible CPU load, interrupts were around 7.8k/sec per active NIC. It looked almost like I had set an altq limit of 150 megabits.

Any idea on how to profile where my packets are spending most of their time? I'm not so great with this level of troubleshooting, but I would love to get better at it.

Right now I have two machines in a semi-carp cluster. A 3.7 stable box, and a -current as of oct 15th. 3.7 doesn't have the tuner Henning mentioned, but 3.8 and -current do. Set net.inet.ip.ifq.maxlen=250 on the -current box and traffic went up to 160 megabits and flatlined again.

The next thing I'm trying tomorrow morning is switching the internal interface to one of the bge nics. The systems have two bge nics built-in, and one PCI-X 133mhz intel dual port 1000MT server nic. Right now the int/ext are on the intel card and the pfsync int is on bge1.

-Dormando

On 10/19/05, Henning Brauer <[EMAIL PROTECTED]> wrote:
> eh, this is really only good for benching, because otherwise we stop
> traversing the pf ruleset for very short amounts of time if we are
> about to exhaust CPU. this allows already established connections to
> live on and the OP to log in to the box via console and take
> countermeasures. if you already had an ssh session to the box it has
> good chances to survive and you can even take countermeasures over that.
>
> what you really want to do for high speed routers is increasing
> net.inet.ip.ifq.maxlen
> I currently use 250 on some routers which seems good, but I need to do
> more tests before I can make qualified assumptions about good values.
>
> This is the max length of a queue in the input path, and the default of
> 50 packets is too small for high speed routers with modern GigE cards
> that can put about that into the queue with one single int. Or even more.
>
> In the end I think we need a better default based on some factors like
> ip forwarding enabled and summarized link speed and RAM in the box or
> somesuch. Ryan and I discussed that on the ferry earlier this year and
> have some good ideas, now we just need some time to work on it ;(
>
> * Schvberle Daniel <[EMAIL PROTECTED]> [2005-10-18 18:36]:
> > Hi,
> >
> > I was trying to bench routing pps with pf on and henning gave me
> > some advice which I think might help you too. For my benching purposes
> > it helped break the 200k pps barrier with current but no guarantees
> > that it'll do you any good or that it won't hurt you.
> >
> >
> > The high drop rates
> > are an anti-DDoS measure - yeah, that pretty much makes benching
> > impossible...
> > you could change IF_INPUT_ENQUEUE in sys/net/if.h so that it looks like
> >
> > #define IF_INPUT_ENQUEUE(ifq, m) { \
> > if (IF_QFULL(ifq)) {\
> > IF_DROP(ifq); \
> > m_freem(m); \
> > } else \
> > IF_ENQUEUE(ifq, m); \
> > }
> >
> > i. e. remove these two lines:
> > if (!(ifq)->ifq_congestion) \
> > if_congestion(ifq); \
> >
> > that means the congestion flag will never be set.
> > or you add a return; as first statement in if_congestion() in if.c.
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > On Behalf Of dormando
> > > Sent: Monday, October 17, 2005 8:29 PM
> > > To: misc@openbsd.org
> > > Subject: Very high interrupts on a supermicro machine.
> > >
> > > Hey all,
> > >
> > > Attached is a dmesg of one of a pair of supermicro based firewalls I
> > > recently bought. I had set them up as a CARP/pfsync redundant pair of
> > > frontend firewalls for our network. However, after they reached 15,000
> > > interrupts per second (~ 110 megabits of our site traffic), they passed 90%
> > > CPU usage through interrupts and stopped being useful.
> > >
> > > The machines have two built-in BGE nics. I swapped in an Intel PRO/1000MT
> > > Dual Port Server Nic into a PCI-X 133mhz PCI slot, but it made absolutely no
> > > difference in the interrupt load. The current firewalls in place are freebsd
> > > machines running on supermicro hardware with two em based built-in nics
> > > running past 40k interrupts without passing 50% CPU load on interrupts. The
Re: Rationale for allowing mount_mfs in securelevel 2?
On Wed, 19 Oct 2005, Roman Rodyakin wrote:

> On Wed, Oct 19, 2005 at 08:44:49AM +0200, Otto Moerbeek wrote:
> >
> > On Wed, 19 Oct 2005, Roman Rodyakin wrote:
> >
> > > I have been recently thinking about trade-offs involved in running
> > > servers at the securelevel 2. In securelevel 2, it is possible to mount
> > > a MFS over an arbitrary disk directory and create arbitrary files in it,
> > > including those that have system immutable flags set in the original
> > > (disk) filesystem. This would essentially allow an attacker to
> > > circumvent the system immutable flag until the reboot.
> > >
> > > My question is then this: what is the rationale, if any, for allowing
> > > mount_mfs in securelevel 2?
> > >
> > > Not that it is a big deal (as MFS can be disabled in the kernel IIRC), I
> > > am just wondering if I am perhaps misunderstanding the concept of
> > > securelevel and protections allowed by it.
> > >
> > > I searched both mailing list archives and Google, but couldn't find
> > > anything relevant. Feel free to point me to earlier discussions on the
> > > subject, if there were any.
> >
> > Mounting in general is allowed, so why should mount_mfs be disallowed?
>
> Correct me if I'm wrong, but I thought that, unlike most other mount_XXX
> commands, mount_mfs not only mounts a filesystem, but also creates it,
> essentially also doing what newfs does on a disk partition. newfs,
> however, fails in securelevel 2.

So you prepare the image somewhere else and transfer it.

> That said, I can totally see your point though, as singling out one file
> system type and disabling mounting it can certainly be viewed as
> inconsistent.

	-Otto
Re: iptables vs pf
On 10/19/05, Roger Neth Jr <[EMAIL PROTECTED]> wrote:
> Hello, I put OpenBSD 3.8 snapshot on an old DEC 500pws with pf.conf
> and it was okay on response. Then I redid my pf.conf with the tutorial
> by Jeff Hansteen posted a couple of days ago.

I assume you meant the one posted by Peter N. M. Hansteen[1]? I'm not finding anything by a "Jeff Hansteen" in either the misc or pf mailing list archives. It does seem to be a rather useful document.

-Andrew

[1] http://marc.theaimsgroup.com/?l=openbsd-pf&m=112963309005279&w=2