Re: Dual boot problem

2008-04-08 Thread Andrei
Josh Grosse wrote:
> 
> On Mon, 7 Apr 2008 11:04:41 -0700 (PDT), Andrei wrote
> 
>> I have PC with two OpenBSD 4.2 - bootable harddisks. Clearly I can
>> boot from either of them by setting a boot sequence in BIOS or by
>> typing "boot hdXa:/bsd" in the boot prompt (X = 0 or 1).
>> 
>> What I want is to specify a boot hdd without boot-time user
>> intervention. Thus, imagine I run OpenBSD on hd0, I want to specify
>> what hd1 shall be used as bootable on the next reboot.
> 
> See boot.conf(5), set image may be what you are looking for.
> 

Thanks Josh, this works fine. The reason I did not consider boot.conf at the
beginning is that it concerns second-stage bootstrap, while I was trying to
find a solution first-stage bootstrap. 

 Andrei

-- 
View this message in context: 
http://www.nabble.com/Dual-boot-problem-tp16538144p16548546.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: Kerberos ~/.k5user file

2008-04-08 Thread Janne Johansson
On Mon, 2008-04-07 at 20:48 -0700, Clint Pachl wrote:
> Is the ~/.k5user file supported in OpenBSD's Heimdal implementation? I'm

...

> BTW, what is /root/.klogin? Is it for kerberos 4? It doesn't have a man

Yes, it is (was) for krb4.




Re: Dual boot problem

2008-04-08 Thread Girish Venkatachalam
On 01:00:04 Apr 08, Andrei wrote:
 
> Thanks Josh, this works fine. The reason I did not consider boot.conf at the
> beginning is that it concerns second-stage bootstrap, while I was trying to
> find a solution first-stage bootstrap. 
 
Then you have to do it manually.

OpenBSD is not very convenient for multiboot or for having more than one
OpenBSD on the same disk.

-Girish



Re: suggested change to fgetln manpage example code

2008-04-08 Thread Marc Espie
On Tue, Apr 08, 2008 at 05:49:09AM +0200, Tobias Ulmer wrote:
> Costs 250$/EUR or something last time i've checked.

The electronic version should be available for *ways* cheaper, like $18 or
so.

There's also a paper book by Wiley & Sons, with the rationale and standard,
costing ~50 EUR. 

ISBN 0 470 84573 2.



Re: macosx vs winxp: pf packet blocking

2008-04-08 Thread Duncan Patton a Campbell
This sounds like a timing/fragmenting problem.  Google
blasts things out big and smooth.  Most sites you see
a lot more chatter on the tcp layer.  If you have another
machine with a different stack (Sun/Linux..) put it on
the inside of the firewall and see what happens.  Or 
use a sniffer and look.  

Dhu

On Mon, 07 Apr 2008 20:37:10 -0500
Jacob Yocom-Piatt <[EMAIL PROTECTED]> wrote:

> have spent a fair deal of time working with pf and have just seen what 
> appears to be quite a bizarre problem:
> 
> topology is (internet)--pppoe--(openbsd fw - running 
> 4.2-release)--switch--(wired/wifi router).
> 
> a winxp host connected to the wifi router has no problem viewing 
> webpages, etc, however, a macosx host connected to the wifi router gets 
> packets randomly (AFAICT) dropped by the openbsd fw. google seems to 
> load fine on the macosx machine but other sites will not load with any 
> regularity. the packet dropping has been observed on the firewall using 
> 'tcpdump -nettvi pflog0' and packets were being blocked on the internal 
> internal interface, either em2 or vlan2, until the pf rule 'pass on 
> $int_if' was changed to 'pass on $int_if no state'. then packets started 
> getting blocked on the external interface, despite a rule 'pass out on 
> $ext_if' as a catch-all at the end of the ruleset. the rule that shows 
> as being the blocker is 'block log all', the first rule in the set.
> 
> so in essence, i see rules that are not being obeyed in the pf ruleset, 
> but only for the macosx host and not the winxp one. the macosx firewall 
> is turned off and i can ssh from the macosx host to the openbsd fw just 
> fine. i can also ping fine from the macosx host, so dns and routing are 
> working.
> 
> clues as to wtf is going on would be appreciated. can supply more 
> detailed info on request.
> 
> cheers,
> jake
> 
> -- 



relayd and pf states

2008-04-08 Thread Need Coffee
I have relayd in production with textbook (or manpage) examples
of doing redirects to backend webservers.

relayd seems to notice host state changes properly and makes
the necessary pf table adjustments.  The problem is that the pf
states take so long to expire, that any clients that have existing
state table entries to the now-downed backend server continue
to talk to that downed server (I.e. they hang).

pfctl -k obviously resolves the issue, but shouldn't relayd kill those
states when it notices the host won't answer?

Thanks in advance.



opencvs succeeded / 64-bit checkout of xenocara

2008-04-08 Thread Need Coffee
I believe I encountered the bug referenced here the other day on amd64,
checking-out xenocara:

http://www.webservertalk.com/archive248-2005-7-1143312.html

"This is known, it's the infamous 64-bit cvs bug. Some of the fonts in
XF4 cause any 64-bit client to allocate too much memory on the server
side and fail, it hasn't been debugged/fixed yet."

After reading that, I realized that the snapshot I was running had
opencvs installed.  Trying the exact same command (against a local
repository) with opencvs worked perfectly and I had xenocara built in
no time.

Thanks to the OpenCVS committers for saving the day.



Re: : Dual boot problem

2008-04-08 Thread Raimo Niskanen
On Tue, Apr 08, 2008 at 01:00:04AM -0700, Andrei wrote:
> Josh Grosse wrote:
> > 
> > On Mon, 7 Apr 2008 11:04:41 -0700 (PDT), Andrei wrote
> > 
> >> I have PC with two OpenBSD 4.2 - bootable harddisks. Clearly I can
> >> boot from either of them by setting a boot sequence in BIOS or by
> >> typing "boot hdXa:/bsd" in the boot prompt (X = 0 or 1).
> >> 
> >> What I want is to specify a boot hdd without boot-time user
> >> intervention. Thus, imagine I run OpenBSD on hd0, I want to specify
> >> what hd1 shall be used as bootable on the next reboot.
> > 
> > See boot.conf(5), set image may be what you are looking for.

I'd say "set device ..." is what you are looking for.
I have a bootable USB pen drive that only contains
    /boot
    /etc/boot.conf
that boots OpenBSD from the hard drive when I have not
wanted to touch the MBR code. It contains:
    set device hd1a
    set howto -c
the last line to push the boot into UKC> since I need
to disable acpi. And it is hd1a since boot(8) sees
the USB pen drive as first hard disk.

> > 
> 
> Thanks Josh, this works fine. The reason I did not consider boot.conf at the
> beginning is that it concerns second-stage bootstrap, while I was trying to
> find a solution first-stage bootstrap. 

OpenBSD's MBR does no fancy tricks. It only boots the first
partition on the hard drive marked as bootable.

You may be able to get the BIOS to boot the second hard drive,
but not from a running OS for the next boot.

GRUB installed to MBR can do it, but needs a partition
to exist in. So then it will be its second stage bootloader
that does the selection. And you will have to modify
menu.lst in the GRUB installation, so the GRUB installation
will have to be writable from OpenBSD.

As you found out OpenBSD's boot(8) can do it.
You will have to modify /etc/boot.conf on the 
hard drive the BIOS boots.

And there are of course other bootloaders out there...



> 
>  Andrei
> 
> -- 
> View this message in context: 
> http://www.nabble.com/Dual-boot-problem-tp16538144p16548546.html
> Sent from the openbsd user - misc mailing list archive at Nabble.com.

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB
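
Added example (not part of the original thread and not OpenBSD project code): a shell function that rewrites the "set device" line of the boot.conf on the disk the BIOS boots, which is the change described in the message above for picking the next-boot disk from the running system. The function name set_boot_device, the hd<unit><partition> pattern it accepts and the sample file contents are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread: choose the device boot(8) loads the
# kernel from on the next reboot by rewriting "set device" in a boot.conf.
# set_boot_device and the accepted device pattern are assumptions.

# set_boot_device CONF DEVICE
#   CONF   - boot.conf on the disk the BIOS boots (e.g. /etc/boot.conf)
#   DEVICE - boot(8) device name such as hd0a or hd1a
set_boot_device() {
    conf=$1
    dev=$2

    # Only accept hd<unit><partition>; anything else (spaces, extra
    # commands, newlines) must never reach the boot configuration.
    case "$dev" in
        hd[0-9][a-p]) ;;
        *) echo "set_boot_device: invalid device '$dev'" >&2; return 1 ;;
    esac

    dir=$(dirname "$conf")
    tmp=$(mktemp "$dir/boot.conf.XXXXXXXXXX") || return 1

    # The new "set device" line goes first so it is read before any later
    # command in the file; old "set device" lines are dropped and every
    # other line (e.g. "set howto -c") is kept unchanged.
    {
        printf 'set device %s\n' "$dev"
        if [ -f "$conf" ]; then
            awk '!($1 == "set" && $2 == "device")' "$conf"
        fi
    } > "$tmp" || { rm -f "$tmp"; return 1; }

    chmod 644 "$tmp" || { rm -f "$tmp"; return 1; }
    # mv within one directory is a rename, so an interrupted run never
    # leaves a half-written boot.conf behind.
    mv -f "$tmp" "$conf"
}

# Demonstration on a constructed sample file in a scratch directory.
demo() {
    scratch=$(mktemp -d) || return 1
    printf 'set device hd0a\nset howto -c\n' > "$scratch/boot.conf"
    set_boot_device "$scratch/boot.conf" hd1a && cat "$scratch/boot.conf"
    rm -rf "$scratch"
}
demo
```

On a real system CONF is the /etc/boot.conf of the disk the BIOS boots, and writing it needs root.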



Installing Perl on openBSD 4.0

2008-04-08 Thread pichi
Hello,

I am running OpenBSD 4.0 (GENERIC) #1107 on my Nagios monitoring server.
Everything works great but I would like to expand reporting a little bit. I
have decided on using Nagiosgraph.

The install docs for Nagiosgraph say I need Perl and CGI-perl among other
things (Apache, rrdtool, nagios, nagios plugins) . I have got everything
installed except for the perl stuff.

My question:

When apps like nagiosadmin say I need "perl" what package would that be for
OpenBSD? I know this is a lame question but I am really new to OpenBSD. And
yes I did look around for an answer before posting this.

Thanks,

P.
-- 
View this message in context: 
http://www.nabble.com/Installing-Perl-on-openBSD-4.0-tp16557812p16557812.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: Installing Perl on openBSD 4.0

2008-04-08 Thread Josh Grosse
On Tue, 8 Apr 2008 05:17:42 -0700 (PDT), pichi wrote

> When apps like nagiosadmin say I need "perl" what package would that 
> be for OpenBSD? I know this is a lame question but I am really new 
> to OpenBSD. And yes I did look around for an answer before posting this.

1.  Perl is included in the base OS.
2.  If you are new to OpenBSD, you should try to stick to already-ported 3rd
party applications in the ports/packages system.  That way, you will be sure
of automatically installing any dependencies without worry.
3.  OpenBSD 4.0 has been unsupported for five months.  The most recent release
is 4.2, and 4.3 will be released on May 1.



Re: : Dual boot problem

2008-04-08 Thread Louis V. Lambrecht
Not quite, you don't need a specific partition for grub. Grub only needs
to be installed on the BIOS first boot device.
Which can be a hard drive, a floppy, a cdrom, an usb key...

On a hard drive with only OpenBSD slices, grub will usually be installed
on the first slice, the one with the largest volume label. The BIOS boot one.

At boot, the mbr jumps to the /grub directory, loads some stages and
reads the menu.lst.
Grub has the ability to mark partition types (keyword parttype) and
mark a partition active (define root(x,y) and keyword makeactive)
just as any fdisk would do (you eventually can partition a disk from
within grub).


There is some info, even without the need to install it first:
/usr/ports/sysutils/grub/files/README.OpenBSD and a menu example
/usr/ports/sysutils/grub/files/menu.lst

As you will see, the trick is to mark unused OpenBSD slices with another
identifier.

Would you want to by-pass the grub's choices menu, (no intervention)
you only would have to write different menu.lst.xxx files and mv the one
you need at next reboot.

Fwiw, my default menu is on the hard drive, simple entry.
When messing around I boot from an usb key.

Raimo Niskanen wrote:

> On Tue, Apr 08, 2008 at 01:00:04AM -0700, Andrei wrote:
> > Josh Grosse wrote:
> > >
> > > On Mon, 7 Apr 2008 11:04:41 -0700 (PDT), Andrei wrote
> > >
> > >> I have PC with two OpenBSD 4.2 - bootable harddisks. Clearly I can
> > >> boot from either of them by setting a boot sequence in BIOS or by
> > >> typing "boot hdXa:/bsd" in the boot prompt (X = 0 or 1).
> > >>
> > >> What I want is to specify a boot hdd without boot-time user
> > >> intervention. Thus, imagine I run OpenBSD on hd0, I want to specify
> > >> what hd1 shall be used as bootable on the next reboot.
> > >
> > > See boot.conf(5), set image may be what you are looking for.
>
> I'd say "set device ..." is what you are looking for.
> I have a bootable USB pen drive that only contains
>     /boot
>     /etc/boot.conf
> that boots OpenBSD from the hard drive when I have not
> wanted to touch the MBR code. It contains:
>     set device hd1a
>     set howto -c
> the last line to push the boot into UKC> since I need
> to disable acpi. And it is hd1a since boot(8) sees
> the USB pen drive as first hard disk.
>
> > Thanks Josh, this works fine. The reason I did not consider boot.conf at the
> > beginning is that it concerns second-stage bootstrap, while I was trying to
> > find a solution first-stage bootstrap.
>
> OpenBSD's MBR does no fancy tricks. It only boots the first
> partition on the hard drive marked as bootable.
>
> You may be able to get the BIOS to boot the second hard drive,
> but not from a running OS for the next boot.
>
> GRUB installed to MBR can do it, but needs a partition
> to exist in. So then it will be its second stage bootloader
> that does the selection. And you will have to modify
> menu.lst in the GRUB installation, so the GRUB installation
> will have to be writable from OpenBSD.
>
> As you found out OpenBSD's boot(8) can do it.
> You will have to modify /etc/boot.conf on the
> hard drive the BIOS boots.
>
> And there are of course other bootloaders out there...
>
> >  Andrei
> >
> > --
> > View this message in context:
> > http://www.nabble.com/Dual-boot-problem-tp16538144p16548546.html
> > Sent from the openbsd user - misc mailing list archive at Nabble.com.




Re: Firefox 2.0.0.12

2008-04-08 Thread Dusty
On Mon, Apr 07, 2008 at 04:44:08PM +, Jacob Meuser wrote:
>> or, quit using firefox.  it's security record is rather lousy, wouldn't
>> you agree?

>What alternatives to firefox do you suggest?

Seamonkey?

Also, (for the rest of you on misc) as far as security goes, the
OpenBSD development team are developing OpenBSD. So don't blame them
for the ports maintainer.
Also, go and look at the exploits and security problems in firefox
which mostly have to do with BHO and the like that don't even exist or
work on OpenBSD anyway because OpenBSD in itself is secure.

I use Seamonkey. It works.
Why use Seamonkey? It is more resource friendly than running
Firefox+Thunderbird+whatever.

Regards
Dusty



Re: Firefox 2.0.0.12

2008-04-08 Thread Pau
on obsd 4.2 SM is 1.1.4... there are some issues

But in any case I absolutely agree with you that fatfox is very
"resource-unfriendly"

I think I'm going to switch to links

Is there a flash plugin for it?? ... hehe

By the way... why is lynx default page openbsd.org? I thought all
packages were "vanilla". I'm fine with it, just wondering.

-
Fixed in SeaMonkey 1.1.9
MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
MFSA 2008-18 Java socket connection to any local port via LiveConnect
MFSA 2008-17 Privacy issue with SSL Client Authentication
MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution
Fixed in SeaMonkey 1.1.8
MFSA 2008-13 Multiple XSS vulnerabilities from character encoding
MFSA 2008-10 URL token stealing via stylesheet redirect
MFSA 2008-09 Mishandling of locally-saved plain text files
MFSA 2008-07 Possible information disclosure in BMP decoder
MFSA 2008-06 Web browsing history and forward navigation stealing
MFSA 2008-05 Directory traversal via chrome: URI
MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
MFSA 2008-02 Multiple file input focus stealing vulnerabilities
MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12)
Fixed in SeaMonkey 1.1.7
MFSA 2007-39 Referer-spoofing via window.location race condition
MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
MFSA 2007-37 jar: URI scheme XSS hazard
Fixed in SeaMonkey 1.1.5
MFSA 2007-36 URIs with invalid %-encoding mishandled by Windows
MFSA 2007-35 XPCNativeWrapper pollution using Script object
MFSA 2007-34 Possible file stealing through sftp protocol
MFSA 2007-33 XUL pages can hide the window titlebar
MFSA 2007-32 File input focus stealing vulnerability
MFSA 2007-31 Browser digest authentication request splitting
MFSA 2007-30 onUnload Tailgating
MFSA 2007-29 Crashes with evidence of memory corruption (rv:1.8.1.8)
MFSA 2007-28 Code execution via QuickTime Media-link files

2008/4/8, Dusty <[EMAIL PROTECTED]>:
> On Mon, Apr 07, 2008 at 04:44:08PM +, Jacob Meuser wrote:
>  >> or, quit using firefox.  it's security record is rather lousy, wouldn't
>  >> you agree?
>
>
> >What alternatives to firefox do you suggest?
>
>
> Seamonkey?
>
>  Also, (for the rest of you on misc) as far as security goes, the
>  OpenBSD development team are developing OpenBSD. So don't blame them
>  for the ports maintainer.
>  Also, go and look at the exploits and security problems in firefox
>  which mostly have to do with BHO and the like that don't even exist or
>  work on OpenBSD anyway because OpenBSD in itself is secure.
>
>  I use Seamonkey. It works.
>  Why use Seamonkey? It is more resource friendly than running
>  Firefox+Thunderbird+whatever.
>
>  Regards
>
> Dusty



Re: macosx vs winxp: pf packet blocking

2008-04-08 Thread Jacob Yocom-Piatt

Duncan Patton a Campbell wrote:

> This sounds like a timing/fragmenting problem.  Google
> blasts things out big and smooth.  Most sites you see
> a lot more chatter on the tcp layer.  If you have another
> machine with a different stack (Sun/Linux..) put it on
> the inside of the firewall and see what happens.  Or
> use a sniffer and look.

thx for the advice duncan. others share your suspicion of packet
fragmenting or something similar.

will post back after doing a more thorough investigation.

cheers,
jake

> Dhu
>
> On Mon, 07 Apr 2008 20:37:10 -0500
> Jacob Yocom-Piatt <[EMAIL PROTECTED]> wrote:
>
> > have spent a fair deal of time working with pf and have just seen what
> > appears to be quite a bizarre problem:
> >
> > topology is (internet)--pppoe--(openbsd fw - running
> > 4.2-release)--switch--(wired/wifi router).
> >
> > a winxp host connected to the wifi router has no problem viewing
> > webpages, etc, however, a macosx host connected to the wifi router gets
> > packets randomly (AFAICT) dropped by the openbsd fw. google seems to
> > load fine on the macosx machine but other sites will not load with any
> > regularity. the packet dropping has been observed on the firewall using
> > 'tcpdump -nettvi pflog0' and packets were being blocked on the internal
> > internal interface, either em2 or vlan2, until the pf rule 'pass on
> > $int_if' was changed to 'pass on $int_if no state'. then packets started
> > getting blocked on the external interface, despite a rule 'pass out on
> > $ext_if' as a catch-all at the end of the ruleset. the rule that shows
> > as being the blocker is 'block log all', the first rule in the set.
> >
> > so in essence, i see rules that are not being obeyed in the pf ruleset,
> > but only for the macosx host and not the winxp one. the macosx firewall
> > is turned off and i can ssh from the macosx host to the openbsd fw just
> > fine. i can also ping fine from the macosx host, so dns and routing are
> > working.
> >
> > clues as to wtf is going on would be appreciated. can supply more
> > detailed info on request.
> >
> > cheers,
> > jake
> >
> > --




Re: : : Dual boot problem

2008-04-08 Thread Raimo Niskanen
On Tue, Apr 08, 2008 at 02:54:48PM +0200, Louis V. Lambrecht wrote:
> Not quite, you don't need a specific partition for grub. Grub only needs 
> to be installed
> on the BIOS first boot device.
> Which can be a hard drive, a floppy, a cdrom, an usb key...
> 

Thank you for your correction.

I looked at an OpenBSD 4.1 machine and did
not find grub in neither the packages nor
the ports tree. So I erroneously assumed
a non-OpenBSD aware grub was needed.

> On a hard drive with only OpenBSD slices, grub will usually be installed 
> on the
> first slice, the one with the largest volume label. The BIOS boot one.
> 
> At boot, the mbr jumps to the /grub directory, loads some stages and 
> reads the
> menu.lst.
> Grub has the ability to mark partition types (keyword parttype) and
> mark a partition active (define root(x,y) and keyword makeactive)
> just as any fdisk would do (you eventually can partition a disk from 
> within grub).
> 
> There is some info, even without the need to install it first:
> /usr/ports/sysutils/grub/files/README.OpenBSD and a menu example
> /usr/ports/sysutils/grub/files/menu.lst
> 
;
:
> Raimo Niskanen wrote:
:
:
> >GRUB installed to MBR can do it, but needs a partition
> >to exist in. So then it will be its second stage bootloader
> >that does the selection. And you will have to modify
> >menu.lst in the GRUB installation, so the GRUB installation
> >will have to be writable from OpenBSD.
> >
:
:

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: Firefox 2.0.0.12

2008-04-08 Thread Zbigniew Baniewski
On Tue, Apr 08, 2008 at 02:51:32PM +0200, Dusty wrote:

> I use Seamonkey. It works.
> Why use Seamonkey? It is more resource friendly than running
> Firefox+Thunderbird+whatever.

Both are starting in about the same - long - time: 20 seconds...  :/
(Pentium II 400, 256 MB RAM, SATA drive, OpenBSD 4.2)

Perhaps someone could make a tip, how could I make that start-up period
shorter? Yes, I know: "buy new hardware". Any other available solutions?

There should be the other ones; on the NetBSD 3.1 Firefox is ready to work
in about 4 seconds... quite a difference, isn't it?
-- 
pozdrawiam / regards

Zbigniew Baniewski



Re: Firefox 2.0.0.12

2008-04-08 Thread Hannah Schroeter
Hi!

On Tue, Apr 08, 2008 at 04:34:49PM +0200, Zbigniew Baniewski wrote:
>On Tue, Apr 08, 2008 at 02:51:32PM +0200, Dusty wrote:

>> I use Seamonkey. It works.
>> Why use Seamonkey? It is more resource friendly than running
>> Firefox+Thunderbird+whatever.

>Both are starting in about the same - long - time: 20 seconds...  :/
>(Pentium II 400, 256 MB RAM, SATA drive, OpenBSD 4.2)

>Perhaps someone could make a tip, how could I make that start-up period
>shorter? Yes, I know: "buy new hardware". Any other available solutions?

Doesn't help. With >1GHz and 768 MB RAM, it takes two-figure amounts of
seconds, too.

Deleting the XPC.mfasl and XUL.mfasl files in your profile
occasionally can help a *bit* in some aspects of performance, but as far
as I can observe, not in startup time.

>There should be the other ones; on the NetBSD 3.1 Firefox is ready to work
>in about 4 seconds... quite a difference, isn't it?

Do they already do prebinding?

Kind regards,

Hannah.



Re: Firefox 2.0.0.12

2008-04-08 Thread Zbigniew Baniewski
On Tue, Apr 08, 2008 at 04:45:15PM +0200, Hannah Schroeter wrote:

> >There should be the other ones; on the NetBSD 3.1 Firefox is ready to work
> >in about 4 seconds... quite a difference, isn't it?
> 
> Do they already do prebinding?

AFAIK they have something called RelCache (aka ELF prebinding), f.e.
http://mail-index.netbsd.org/tech-userlevel/2002/12/04/0017.html

You mean, exactly this is making a difference?
-- 
pozdrawiam / regards

Zbigniew Baniewski



Re: Do I need to switch to MP system?

2008-04-08 Thread B A
Probably sounds strange, but when I have switched to MP
kernel server load dropped to ~1% of interrupts.
So looks like MP kernel has worse userspace performance,
but better interrupt handling.

02.04.08, 00:29, "Stuart Henderson" <[EMAIL PROTECTED]>:

> On 2008-04-01, B A <[EMAIL PROTECTED]> wrote:
> > We have OpenBSD acting as router+IPsec vpn concentrator.
> > Our company expanding, so I noticed what "interrupt" in top sometimes
> > jumps to 30-40%, and always about ~25% in average.
> > Server is DL360 server with bge0 and bge1.
> > So I want to upgrade to newer multicore system.
> > Can it help? Is it possible to assign one NIC to one core,
> > and other to another?
>
> It isn't possible. Look for the fastest CPUs, not the highest
> number of cores, and run a uniprocessor kernel.
>
> I'm not sure if they're valid, but I've read suggestions that
> amd64 CPUs may be better for this type of workload due to
> the larger L1 (not L2) cache.
>
> If you feel like testing, compare i386 and amd64 kernels and
> post the results, there are people who would be interested to
> know...
>
> If you currently run a pre-4.2 OS, upgrade it, you should see
> improved performance just by doing this.



Re: Dual boot problem

2008-04-08 Thread Andrei
Girish Venkatachalam-2 wrote:
> 
> On 01:00:04 Apr 08, Andrei wrote:
>  
>> Thanks Josh, this works fine. The reason I did not consider boot.conf at
>> the
>> beginning is that it concerns second-stage bootstrap, while I was trying
>> to
>> find a solution first-stage bootstrap. 
>  
> Then you have to do it manually.
> 
> OpenBSD is not very convenient for multiboot or for having more than one
> OpenBSD on the same disk.
> 
> -Girish
> 

Yes, I noticed it. BTW, I managed to use more than one OpenBSD on different
partitions of the same disk.
The trick was to use 'A6' partition ID only for the active OpenBSD
partition, and use another ID for all the rest ones. At least this worked
for OpenBSD 4.2, I am not sure if this issue is planned to be fixed in
future releases.

-- 
View this message in context: 
http://www.nabble.com/Dual-boot-problem-tp16538144p16561041.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



PC/OS Workstation listed

2008-04-08 Thread Roberto J. Dohnert
Hey guys, I have put a refurbed machine with PC/OS on sale at eBay.  It
comes preloaded with PC/OS and has all the essentials to get up and
running.  Comes preloaded but you can put any Linux or BSD on there
that you want. (It did run OpenBSD for awhile) Perfect for those just
starting to use Linux/BSD or are looking for that dedicated workstation
without having to dual boot. I also have a Sun ultra that's listed in
case anyone's interested with BSD on SPARC


*http://tinyurl.com/4tz364*

*http://tinyurl.com/44gwlj*

--
For the ultimate desktop Linux experience try PC/OS
http://www.pc-os.org



Re: Firefox 2.0.0.12

2008-04-08 Thread Dale Rahn
On Tue, Apr 08, 2008 at 04:34:49PM +0200, Zbigniew Baniewski wrote:
> On Tue, Apr 08, 2008 at 02:51:32PM +0200, Dusty wrote:
> 
> > I use Seamonkey. It works.
> > Why use Seamonkey? It is more resource friendly than running
> > Firefox+Thunderbird+whatever.
> 
> Both are starting in about the same - long - time: 20 seconds...  :/
> (Pentium II 400, 256 MB RAM, SATA drive, OpenBSD 4.2)
> 
> Perhaps someone could make a tip, how could I make that start-up period
> shorter? Yes, I know: "buy new hardware". Any other available solutions?
> 
> There should be the other ones; on the NetBSD 3.1 Firefox is ready to work
> in about 4 seconds... quite a difference, isn't it?
> -- 
>   pozdrawiam / regards
> 
>   Zbigniew Baniewski
> 

There is a system already present in OpenBSD called prebind (see ldconfig(8))
that does this type of speedup, however the ports integration was never
finished. Most of the issue with ports was that the mechanism used modifies
the md5 values for each binary and library. If the md5 package checking
mechanism could detect the prebind data and 'ignore' it, then the md5 values
could be verified.

While no problems with the full system scan of prebind, the update mode
(which ports would use) may have had a problem.

Dale Rahn   [EMAIL PROTECTED]



Re: Firefox 2.0.0.12

2008-04-08 Thread Pau
In my case this does help

ldconfig -SP /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/X11R6/bin

and has never been a problem

2008/4/8, Dale Rahn <[EMAIL PROTECTED]>:
> On Tue, Apr 08, 2008 at 04:34:49PM +0200, Zbigniew Baniewski wrote:
>
> > On Tue, Apr 08, 2008 at 02:51:32PM +0200, Dusty wrote:
>  >
>  > > I use Seamonkey. It works.
>  > > Why use Seamonkey? It is more resource friendly than running
>  > > Firefox+Thunderbird+whatever.
>  >
>  > Both are starting in about the same - long - time: 20 seconds...  :/
>  > (Pentium II 400, 256 MB RAM, SATA drive, OpenBSD 4.2)
>  >
>  > Perhaps someone could make a tip, how could I make that start-up period
>  > shorter? Yes, I know: "buy new hardware". Any other available solutions?
>  >
>  > There should be the other ones; on the NetBSD 3.1 Firefox is ready to work
>  > in about 4 seconds... quite a difference, isn't it?
>  > --
>  >   pozdrawiam / regards
>  >
>  >   Zbigniew Baniewski
>  >
>
>
> There is a system already present in OpenBSD called prebind (see ldconfig(8))
>  that does this type of speedup, however the ports integration was never
>  finished. Most of the issue with ports was that the mechanism used modifies
>  the md5 values for each binary and library. If the md5 package checking
>  mechanism could detect the prebind data and 'ignore' it, then the md5 values
>  could be verified.
>
>  While no problems with the full system scan of prebind, the update mode
>  (which ports would use) may have had a problem.
>
>
>  Dale Rahn   [EMAIL PROTECTED]



Re: : : Dual boot problem

2008-04-08 Thread Louis V. Lambrecht

Cm'on Raimo. Tssk! Tssk!
http://www.openbsd.org/cgi-bin/cvsweb/ports/sysutils/grub/files/

I mostly use openports.se, rather than searching my own filesystem
which is not quite conforming to the standard file hierarchy. :-)

Raimo Niskanen wrote:

> On Tue, Apr 08, 2008 at 02:54:48PM +0200, Louis V. Lambrecht wrote:
> > Not quite, you don't need a specific partition for grub. Grub only needs
> > to be installed
> > on the BIOS first boot device.
> > Which can be a hard drive, a floppy, a cdrom, an usb key...
>
> Thank you for your correction.
>
> I looked at an OpenBSD 4.1 machine and did
> not find grub in neither the packages nor
> the ports tree. So I erroneously assumed
> a non-OpenBSD aware grub was needed.
>
> > On a hard drive with only OpenBSD slices, grub will usually be installed
> > on the
> > first slice, the one with the largest volume label. The BIOS boot one.
> >
> > At boot, the mbr jumps to the /grub directory, loads some stages and
> > reads the
> > menu.lst.
> > Grub has the ability to mark partition types (keyword parttype) and
> > mark a partition active (define root(x,y) and keyword makeactive)
> > just as any fdisk would do (you eventually can partition a disk from
> > within grub).
> >
> > There is some info, even without the need to install it first:
> > /usr/ports/sysutils/grub/files/README.OpenBSD and a menu example
> > /usr/ports/sysutils/grub/files/menu.lst
>
> ;
> :
> > Raimo Niskanen wrote:
> :
> :
> > >GRUB installed to MBR can do it, but needs a partition
> > >to exist in. So then it will be its second stage bootloader
> > >that does the selection. And you will have to modify
> > >menu.lst in the GRUB installation, so the GRUB installation
> > >will have to be writable from OpenBSD.
> :
> :



Re: Firefox 2.0.0.12

2008-04-08 Thread Zbigniew Baniewski
On Tue, Apr 08, 2008 at 07:03:43PM +0200, Pau wrote:

> In my case this does help
> 
> ldconfig -SP /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/X11R6/bin

Just tried the sequence - can't see any difference, unfortunately.
-- 
pozdrawiam / regards

Zbigniew Baniewski



Re: relayd and pf states

2008-04-08 Thread Tautvydas Bruzas
Well, if you read archives it's a known problem with sticky-address.
If you remove sticky-address everything works as expected.
Following patch should work (I wrote it for 4.1 hoststated, not sure
why it was not accepted, maybe quality of the code?,
and modified it to work with 4.3 relayd), use it at your own risk.

Tautvydas

> I have relayd in production with textbook (or manpage) examples
> of doing redirects to backend webservers.

> relayd seems to notice host state changes properly and makes
> the necessary pf table adjustments.  The problem is that the pf
> states take so long to expire, that any clients that have existing
> state table entries to the now-downed backend server continue
> to talk to that downed server (I.e. they hang).

> pfctl -k obviously resolves the issue, but shouldn't relayd kill those
> states when it notices the host won't answer?

> Thanks in advance.

[demime 1.01d removed an attachment of type text/x-diff which had a name of 
relayd.diff]



Re: Firefox 2.0.0.12

2008-04-08 Thread Jordi Espasa Clofent
It's made to be secure, it's prone to be installed on a server not just 
a fuckin desktop o.s.


Well, it depends. I use OpenBSD as a critical-mission server and as a 
common daily desktop. I'm very happy in both cases.


A secure, functional and free desktop, of course.

--
Thanks,
Jordi Espasa Clofent



Re: Firefox 2.0.0.12

2008-04-08 Thread Marco S Hyman
Zbigniew Baniewski writes:

 > > ldconfig -SP /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin 
 > > /usr/X11R6/bin
 > 
 > Just tried the sequence - can't see any difference, unfortunately.

Not surprising as the firefox binary is not in any of the given
paths.

// marc



Re: Firefox 2.0.0.12

2008-04-08 Thread Zbigniew Baniewski
On Tue, Apr 08, 2008 at 01:39:29PM -0700, Marco S Hyman wrote:

>  > > ldconfig -SP /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/X11R6/bin
>  > 
>  > Just tried the sequence - can't see any difference, unfortunately.
> 
> Not surprising as the firefox binary is not in any of the given
> paths.

Yes, you're right... :-O  didn't check, that "which firefox" returns just
the location of startup script.

But including its "own" sub-dir wasn't helpful either; several "failed to
load" errors. I'm afraid, one has to wait a little(?) for something a'la
NetBSD's RelCache.
-- 
pozdrawiam / regards

Zbigniew Baniewski



Re: Firefox 2.0.0.12

2008-04-08 Thread james
Zbigniew Baniewski writes:

> 
> On Tue, Apr 08, 2008 at 01:39:29PM -0700, Marco S Hyman wrote:
> 
> >  > > ldconfig -SP /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/X11R6/bin
> >  > 
> >  > Just tried the sequence - can't see any difference, unfortunately.
> > 
> > Not surprising as the firefox binary is not in any of the given
> > paths.
> 
> Yes, you're right... :-O  didn't check, that "which firefox" returns just
> the location of startup script.
> 
> But including its "own" sub-dir wasn't helpful either; several "failed to
> load" errors. I'm afraid, one has to wait a little(?) for something a'la
> NetBSD's RelCache.


Include /usr/local/mozilla-firefox in the ldconfig line and run the ldconfig
command through /usr/local/mozilla-firefox/run-mozilla.sh (or manually set
LD_LIBRARY_PATH to include /usr/local/mozilla-firefox)



Re: Firefox 2.0.0.12

2008-04-08 Thread Daniel Horecki
On Tue, Apr 8, 2008 at 5:21 PM, Zbigniew Baniewski <[EMAIL PROTECTED]> wrote:
> On Tue, Apr 08, 2008 at 04:45:15PM +0200, Hannah Schroeter wrote:
>
>  > >There should be the other ones; on the NetBSD 3.1 Firefox is ready to work
>  > >in about 4 seconds... quite a difference, isn't it?
>  >
>  > Do they already do prebinding?
>
>  AFAIK they have something called RelCache (aka ELF prebinding), f.e.
>  http://mail-index.netbsd.org/tech-userlevel/2002/12/04/0017.html
>
>  You mean, exactly this is making a difference?

If I recall correctly, it was never committed to the sources. Anyway,
NetBSD hasn't any prelink/prebind feature now.

Daniel

-- 
Daniel Horecki
http://morr.pl



Re: PC/OS Workstation listed

2008-04-08 Thread Greg Thomas
How nice.  Many people just give that stuff away.  Instead of giving it away
let's all post our Ebay junk sales and put "it did run OpenBSD for awhile"
in the message so everyone will think it's on topic.

On Tue, Apr 8, 2008 at 8:33 AM, Roberto J. Dohnert <[EMAIL PROTECTED]>
wrote:

> Hey guys, I have put a refurbed machine with PC/OS on sale at eBay.  It
> comes preloaded with PC/OS and has all the essentials to get up and running.
>  Comes preloaded but you can put any Linux or BSD on there that you want.
> (It did run OpenBSD for awhile) Perfect for those just starting to use
> Linux/BSD or are looking for that dedicated workstation without having to
> dual boot. I also have a Sun ultra that's listed in case anyone's interested
> with BSD on SPARC
>
> *http://tinyurl.com/4tz364*
>
> *http://tinyurl.com/44gwlj*
>
> --
> For the ultimate desktop Linux experience try PC/OS
> http://www.pc-os.org



Re: Firefox 2.0.0.12

2008-04-08 Thread Zbigniew Baniewski
On Tue, Apr 08, 2008 at 09:50:21PM +, james wrote:

> Include /usr/local/mozilla-firefox in the ldconfig line and run the ldconfig
> command through /usr/local/mozilla-firefox/run-mozilla.sh (or manually set
> LD_LIBRARY_PATH to include /usr/local/mozilla-firefox)

I think, the latter method is better suitable for including "individual
cases". Or perhaps: "would be", instead of "is" - because there's still
no desired effect. I can't see any difference.

I'm afraid, it can't be solved right now; currently "it's just the way it
is", and one has to live with that.
-- 
pozdrawiam / regards

Zbigniew Baniewski



Re: Firefox 2.0.0.12

2008-04-08 Thread Zbigniew Baniewski
On Tue, Apr 08, 2008 at 11:56:29PM +0200, Daniel Horecki wrote:

> >  http://mail-index.netbsd.org/tech-userlevel/2002/12/04/0017.html
> >
> >  You mean, exactly this is making a difference?
> 
> If I recall correctly, it was never committed to the sources. Anyway,
> NetBSD hasn't any prelink/prebind feature now.

So what exactly is making firefox's startup time under NetBSD much shorter?
-- 
pozdrawiam / regards

Zbigniew Baniewski



Re: macosx vs winxp: pf packet blocking

2008-04-08 Thread Damon McMahon

Hello Jake,

On 08/04/2008, at 11:07 AM, Jacob Yocom-Piatt wrote:
> have spent a fair deal of time working with pf and have just seen
> what appears to be quite a bizarre problem:
>
> topology is (internet)--pppoe--(openbsd fw - running 4.2-release)--switch--(wired/wifi router).
>
> a winxp host connected to the wifi router has no problem viewing
> webpages, etc, however, a macosx host connected to the wifi router
> gets packets randomly (AFAICT) dropped by the openbsd fw. google
> seems to load fine on the macosx machine but other sites will not
> load with any regularity. the packet dropping has been observed on
> the firewall using 'tcpdump -nettvi pflog0' and packets were being
> blocked on the internal interface, either em2 or vlan2,
> until the pf rule 'pass on $int_if' was changed to 'pass on $int_if
> no state'. then packets started getting blocked on the external
> interface, despite a rule 'pass out on $ext_if' as a catch-all at
> the end of the ruleset. the rule that shows as being the blocker is
> 'block log all', the first rule in the set.
>
> so in essence, i see rules that are not being obeyed in the pf
> ruleset, but only for the macosx host and not the winxp one. the
> macosx firewall is turned off and i can ssh from the macosx host to
> the openbsd fw just fine. i can also ping fine from the macosx
> host, so dns and routing are working.
>
> clues as to wtf is going on would be appreciated. can supply more
> detailed info on request.
>
> cheers,
> jake




I saw something sounding similar with a Mac OS X 10.3 (Panther) host
having packet fragmentation issues. In an effort to troubleshoot the
issue I altered the MTU on the Panther host to 1492, which appeared to
resolve the issue. Upgrading that mac to 10.4 (Tiger) reset the MTU
to 1500 without the issue reoccurring.


I don't know if that helps, if not you might try posting your pf.conf  
and a tcpdump packet capture.


Best wishes,
Damon



Use of 'Puffy' Logo

2008-04-08 Thread Matthew Smith

Hi Folks

I am about to write an article on why I will be switching to OpenBSD 
when I build my new server and would like to use the 'Puffy' logo in 
some shape or form.


A search of the site for a style guide or media pack has failed to turn 
up anything so I thought that I would ask here: how do I obtain 
permission to use the 'Puffy' logo in the article and are there variants 
from which I can choose?  A cropped version of what's on the front page 
of www.openbsd.org would suit me fine but I don't want to start making 
'derivative works' without obtaining the appropriate permissions first.


Cheers

M

--
Matthew Smith
Smiffytech - Technology Consulting & Web Application Development
Business: http://www.smiffytech.com/
Personal: http://www.smiffysplace.com/
LinkedIn: http://www.linkedin.com/in/smiffy



Re: Firefox 2.0.0.12

2008-04-08 Thread Damon McMahon

Greetings,

On 07/04/2008, at 10:13 PM, Unix Fan wrote:
> I back ported Firefox 2.0.0.12 to OpenBSD 4.2+patches, I can't
> believe the OpenBSD team is letting people use the insecure 2.0.0.6
> version, "We believe in security" my ass.
>
> OpenBSD 4.3 will have 2.0.0.12, unfortunately 2.0.0.13 is out, and
> that fixes yet another security problem... so, manual back porting
> is the only option, I don't know why they give the people using
> -CURRENT the secured ports, more people use -RELEASE or -STABLE, so
> they should be providing resources for "OUR" security, not the
> extremists living on -CURRENT.. compiling their entire system from
> scratch every other hour/day/week.
>
> (Who the hell could live like that? f**king insanity!).


[snip]

This is purely a personal opinion, but if you are using tools that  
aren't part of the OpenBSD base system (e.g. Firefox) and you're  
using them in a high-risk environment (e.g. connecting to untrusted  
sites) and you're paranoid (like me) then you really do need to live  
on -current.


There is an array of tools - particularly for servers - included in  
base that are updated via source patches as soon as vulnerabilities  
come to light.


Some tools I use that aren't in base (e.g. curl, dovecot) I only use  
for relatively low-risk tasks (e.g. downloading OpenBSD patches, my  
internal IMAP server) so I don't have a problem with them not being  
updated at the first announcement of a new vulnerability. But if I  
was using Firefox on OpenBSD I would stay on -current for the reasons  
you have outlined. If you're not prepared to do this (and it is a  
hassle - particularly if you tried to do it on dial-up like me! Yes,  
I gave up) then don't use OpenBSD for your web browsing machine.


As I say, this is a personal opinion and not intended to flame.

Cheers,
Damon



Optimising OpenBSD

2008-04-08 Thread Matthew Smith

Hi Folks

As part of my move from GNU/Linux to OpenBSD on my server, I just want 
to clarify what I need to do to ensure that I have performance 
optimised.  I am coming from Gentoo Linux, where optimisation is mostly 
about using the appropriate compiler flags.


If I were to use the appropriate base distribution (x86_64), configure 
my kernel correctly (as per the likes of 
) and set the 
appropriate compiler flags, is this all I need to do?


I'm only really concerned about the base system as I always build all my 
LAMPP components, Postfix, etc., by hand so that migrating box-to-box 
can go without [a hitch|many hitches].


Cheers

M

--
Matthew Smith
Smiffytech - Technology Consulting & Web Application Development
Business: http://www.smiffytech.com/
Personal: http://www.smiffysplace.com/
LinkedIn: http://www.linkedin.com/in/smiffy



Re: Optimising OpenBSD

2008-04-08 Thread Ted Unangst
On 4/8/08, Matthew Smith <[EMAIL PROTECTED]> wrote:
>  If I were to use the appropriate base distribution (x86_64), configure my
> kernel correctly (as per the likes of
> )
> and set the appropriate compiler flags, is this all I need to do?

Nothing beats an 8 year old article for the latest info.  OpenBSD now
comes fully optimized out of the box.



Re: Optimising OpenBSD

2008-04-08 Thread Jason Beaudoin
On Tue, Apr 8, 2008 at 6:51 PM, Matthew Smith <[EMAIL PROTECTED]> wrote:
> Hi Folks
>
>  As part of my move from GNU/Linux to OpenBSD on my server, I just want to
> clarify what I need to do to ensure that I have performance optimised.  I am
> coming from Gentoo Linux, where optimisation is mostly about using the
> appropriate compiler flags.

What one does in Gentoo does not apply to OpenBSD.


>  If I were to use the appropriate base distribution (x86_64), configure my
> kernel correctly (as per the likes of
> ) and set the
> appropriate compiler flags, is this all I need to do?

Linux mannerisms don't apply either - you're better off with the stock kernel.

>  I'm only really concerned about the base system as I always build all my
> LAMPP components, Postfix, etc., by hand so that migrating box-to-box can go
> without [a hitch|many hitches].

At times, OpenBSD doesn't seem as snappy as Linux.. (more so with
desktop stuff) but then again, Linux *never* seems as stable. So take
your pick.

I imagine, if you run the standard OpenBSD system on your servers for
some time, you'll be satisfied.


Cheers,
~Jason



Re: Optimising OpenBSD

2008-04-08 Thread Matthew Smith

Quoth Ted Unangst at 2008-04-09 08:38...

> Nothing beats an 8 year old article for the latest info.  OpenBSD now
> comes fully optimized out of the box.


Yes, I did notice the age, but that was about all that Google had for me.

"Optimised out of the box" sounds good to me - not having to do anything 
is the way I like to work ;-)


You do realise that this means that the installation time of the base 
system is now going to be down to about 15 minutes (from over a day) - 
what am I going to do with all that spare time?


I've never before had so much of my hardware recognised without extra 
effort; it's even recognising my Stallion PCI serial cards - now I just 
need to figure what I have to do to get them configured.


Cheers

M

PS - @Jason - it's unlikely that OpenBSD will seem any less zippy than 
the current server - going from an Athlon XP2000 CPU to an Intel Core 2 
Duo and from 1Gb RAM to 4Gb RAM should make a little difference...



--
Matthew Smith
Smiffytech - Technology Consulting & Web Application Development
Business: http://www.smiffytech.com/
Personal: http://www.smiffysplace.com/
LinkedIn: http://www.linkedin.com/in/smiffy



Re: Optimising OpenBSD

2008-04-08 Thread Martin Schröder
2008/4/9, Matthew Smith <[EMAIL PROTECTED]>:
>  As part of my move from GNU/Linux to OpenBSD on my server, I just want to
> clarify what I need to do to ensure that I have performance optimised.  I am

http://www.openbsd.org/faq/faq5.html#Why

Best
   Martin



Re: ospfd not resyncing

2008-04-08 Thread Linden Varley
Bringing up an old-topic here, but just letting everyone know I have the 
exact same problem. It occurs quite often.


One of my links goes down, the routes change, but when the link comes 
back up the routes don't go back to the default lower-cost one and I 
have to restart ospfd in order to force it.


It seems like a simple issue but wondered why it happens. I'm glad it's 
not just me!



Paul Civati wrote:

> I have a fairly simple set-up, where I have ospfd announcing
> a few routes to a Juniper router.
>
> Twice now, when the Juniper has been unreachable and has then
> come back on-line, the ospf routes have not reconverged on
> the Juniper end.
>
> It has taken a restart of the OSPF on the Juniper to resync
> the routes..  I've not tried restarting the ospfd's on the
> OpenBSD end but I presume that would also solve the issue.
>
> I suppose it's plausible this is a JunOS bug, and I'll look
> into that, but wondered if this is a known issue?
>
> OpenBSD/ospfd 4.2 RELEASE.
>
> -Paul-




Re: Use of 'Puffy' Logo

2008-04-08 Thread Martin Schröder
2008/4/9, Matthew Smith <[EMAIL PROTECTED]>:
>  A search of the site for a style guide or media pack has failed to turn up
> anything so I thought that I would ask here: how do I obtain

Click on the logo on the front page.

Best
   Martin



Re: Optimising OpenBSD

2008-04-08 Thread Gilles Chehade
On Wed, Apr 09, 2008 at 08:49:38AM +0930, Matthew Smith wrote:
> Quoth Ted Unangst at 2008-04-09 08:38...
> >Nothing beats an 8 year old article for the latest info.  OpenBSD now
> >comes fully optimized out of the box.
> 
> Yes, I did notice the age, but that was about all that Google had for me.
> 
> "Optimised out of the box" sounds good to me - not having to do anything 
> is the way I like to work ;-)
> 
> You do realise that this means that the installation time of the base 
> system is now going to be down to about 15 minutes (from over a day) - 
> what am I going to do with all that spare time?
> 

I would take that spare time to make sure I read all the pages of the
faq, found some area I could contribute to, and find my way to paypal
to subscribe for a monthly donation ;-)

Gilles

-- 
Gilles Chehade
http://www.poolp.org/



Re: Optimising OpenBSD

2008-04-08 Thread bofh
The standard recommendation for openbsd is to install the stock kernel.  For
the applications you've described, the standard recommendation is also to
use packages or ports.

Think of OpenBSD as an appliance, and you're good to go.

As a FYI - OpenBSD concentrates on correctness over optimization, and for
most people, the defaults suffice.  If you are one of those who need to eke
out that last extra connection for your lamp, be prepared to roll your
sleeves up and work on the source code yourself.  Otherwise, you will be
told - use defaults.

-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity." --
Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted." -- Gene Spafford
learn french: http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



[off topic] Carp router

2008-04-08 Thread Tom Geman
I currently have a webserver that I host at home using OpenBSD.  I want to
introduce a second identical webserver as a hot spare and/or to help shoulder
the load.  I want to use CARP to share my IP but unfortunately, my ADSL
service provider uses DHCP to give the webserver its static IP.

I have searched the archives and have found people with the same problem and
no answers.  The only answer I have found has hacked CARP to work correctly
(using aliases and other scripts), but only in "hot spare" mode and not in
"share the load" mode.

I understand CARP doesn't work with an IP address obtained via DHCP, so I
would like to put a router after the ADSL modem to get the DHCP IP address,
and then attach my two webservers to the LAN side of the router and setup CARP
on a private network.

I know that with this kind of setup, I still have a few weaker points, like my
ADSL connection, my ADSL modem and the router.  I already have an extra ADSL
modem which I periodically swap with the working one to ensure that both
continue to work.  I also know that many people here recommend that I don't
host a critical web server at home.  I do plan on upgrading the ADSL
connection in the future, so this is an interim solution.

I am looking for comments or suggestions on a hardware router that I can place
between the webserver and the ADSL modem.  I know that this isn't an OpenBSD
specific question, but this is the only list in which I participate and I
value the networking knowledge on this list.

My router requirements:
- WAN side RJ-45 port to connect to ADSL modem
- minimum 2 LAN side RJ-45 ports to connect to the two webservers
- ability to do redirection of some sort, whether this is just port forwarding
http and https ports to the CARP address, or re-directing all WAN side traffic
to the CARP address (some sort of DMZ)
- can handle 200,000 hits per day of regular web traffic
- cheap, so that I can actually have a cold spare for replacement if needed

I have considered the following options:
- cheap linksys/dlink/netgear/etc home routers (my limited experience with
these doesn't give me confidence that they are reliable enough)
- low-end cisco router (have looked at the 851 [~$300], 871 [~$500], and 1711
[~$600] models), anything higher starts to cost too much
- building a soekris (or similar) router and using OpenBSD (maybe the net5501
[~$340])

Thanks for help,
- Tom



Re: Optimising OpenBSD

2008-04-08 Thread Rod Whitworth
On Wed, 09 Apr 2008 08:21:52 +0930, Matthew Smith wrote:

>Hi Folks
>
>As part of my move from GNU/Linux to OpenBSD on my server, I just want 
>to clarify what I need to do to ensure that I have performance 
>optimised.  I am coming from Gentoo Linux, where optimisation is mostly 
>about using the appropriate compiler flags.
>
>If I were to use the appropriate base distribution (x86_64), configure 
>my kernel correctly (as per the likes of 
>) and set the 
>appropriate compiler flags, is this all I need to do?

Matthew, you are pretty new here so I'll be kind.
Read http://www.openbsd.org/faq/faq5.html#Why

Also Search The Fine Archives and you will see that questions like
yours just raise lots of dust and heat and encourage trolls to run to
your aid whilst wasting the time of developers who read this list as
they try to stamp out the grass fires.

OpenBSD is NOT another Linux and certainly not a Gentoo. I come from
being an IBM Linux instructor and so I've been there, done that. You
don't need to customise OpenBSD until you have (a) found something that
demands it, and (b) you know it well enough not to need to ask
questions about the process.

The GENERIC kernel has been compiled with all the right flags. The
article you cite was never good advice and furthermore it is going on 8
years old.

>
>I'm only really concerned about the base system as I always build all my 
>LAMPP components, Postfix, etc., by hand so that migrating box-to-box 
>can go without [a hitch|many hitches].
>
Don't do that either without a better reason. Postfix, for example,
comes as a package in OpenBSD. Two versions (stable and snapshot, both
good enough to use in critical service) and several flavours. Look at
http://openports.se/mail/postfix/snapshot for a clue.

In general, try what OpenBSD provides already compiled and optimised.
Apache is in base (Apache2 is a package (called apache-httpd) if you
MUST have 2, but remember that it is not anywhere near as secure as the
heavily patched one that installs by default) and Mysql is a package as
is php.

Enjoy the luxury of not needing all the recompiles you are used to and
make some money in the time you save ;-)

Don't work your ass off trying to prove me wrong either, it's worth
neither the time nor the angst.

NB: On-list replies are fine. I am subscribed. Off-list (if you really
must) to the reply-to address as only the list server has access to
this mailbox.

Good luck.
R/

Rod/

From the land "down under": Australia.
Do we look  from up over?



Re: Use of 'Puffy' Logo

2008-04-08 Thread Matthew Smith

Quoth Martin Schröder at 2008-04-09 08:51...
>>  A search of the site for a style guide or media pack has failed to turn up
>> anything so I thought that I would ask here: how do I obtain
>
> Click on the logo on the front page.


Thanks.  I've had the Art page pointed out to me now, but was unable to 
find it when using the site search on terms like 'logos' and 'press pack'.


I will now attempt to make a contribution by suggesting the following:

* Provide a link to 'logos and artwork' or some such in the main 
navigation.  Linking the image is all very well, but there is nothing to 
suggest that there is a link there at all.


* Add text to the Art page containing terms like 'logos' so that it may 
be found by the site search as not everyone will be searching for 'art' 
or 'artwork'.


Cheers

M

--
Matthew Smith
Smiffytech - Technology Consulting & Web Application Development
Business: http://www.smiffytech.com/
Personal: http://www.smiffysplace.com/
LinkedIn: http://www.linkedin.com/in/smiffy



Re: Firefox 2.0.0.12

2008-04-08 Thread Stephen Takacs
Matthew Szudzik wrote:
> What alternatives to firefox do you suggest?

/usr/bin/lynx is actually pretty good for a lot of things, and if you
rebuild it with '--enable-externs', it can launch scripts or another
browser on the current page or current link.  It even has an almost
foolproof advertisement filter built-in.  Only google has managed to
"break" that filter. :-)

On the graphics side, links+ is excellent.  It's blazing fast compared
to everything else, and makes firefox look like a bloated pig.
Unfortunately its Javascript implementation is almost non-existent.
Because of that, you might not be able to use it to login to your online
banking site, so keep the pig around (but only use it for the bank
website).


-- 
Stephen Takacs   <[EMAIL PROTECTED]>   http://perlguru.net/
4149 FD56 D078 C988 9027  1EB4 04CC F80F 72CB 09DA



Re: Optimising OpenBSD

2008-04-08 Thread Marc Espie
On Wed, Apr 09, 2008 at 08:49:38AM +0930, Matthew Smith wrote:
> Quoth Ted Unangst at 2008-04-09 08:38...
>> Nothing beats an 8 year old article for the latest info.  OpenBSD now
>> comes fully optimized out of the box.
>
> Yes, I did notice the age, but that was about all that Google had for me.
>
> "Optimised out of the box" sounds good to me - not having to do anything is 
> the way I like to work ;-)
>
> You do realise that this means that the installation time of the base 
> system is now going to be down to about 15 minutes (from over a day) - what 
> am I going to do with all that spare time?
>
> I've never before had so much of my hardware recognised without extra 
> effort; it's even recognising my Stallion PCI serial cards - now I just 
> need to figure what I have to do to get them configured.

Write new code, instead of fiddling up with old one ?



Re: Optimising OpenBSD

2008-04-08 Thread Matthew Smith

Quoth Rod Whitworth at 2008-04-09 08:04...

> Matthew, you are pretty new here so I'll be kind.
> Read http://www.openbsd.org/faq/faq5.html#Why

For this, I apologise.  I am currently in the situation that I don't 
know where to look for what.  I might try writing a "OpenBSD for Linux 
escapees" somewhere down the track, because that's what I really need.

> Also Search The Fine Archives

I now discover that they are under a different domain - which is why the 
site search wasn't pulling up much.  I must pull out my copy of 'Google 
Hacks' and see if there is a way that an aggregated site search can be 
done that pulls in the list archives as well.

> The GENERIC kernel has been compiled with all the right flags. The
> article you cite was never good advice and furthermore it is going on 8
> years old.

It's going to take me a while to get used to having a kernel that I 
don't HAVE to touch - not that I'm complaining!

> Don't do that either without a better reason. Postfix, for example,
> comes as a package in OpenBSD. Two versions (stable and snapshot, both
> good enough to use in critical service) and several flavours. Look at
> http://openports.se/mail/postfix/snapshot for a clue.

Postfix I can probably take from a package.  However, this server will 
need to duplicate the environment on my two Internet-facing Linodes 
(Linux virtual servers), plus my laptop, which is my main development 
platform.

Apache and MySQL have to be hand-builds - my Apache installation is 
configured for a very specific environment (and all my apps would break 
if chrooted) and I have applications that rely on specific Apache 
modules.  MySQL - well - I use 5.1 and that's not a production release, 
but has features that I need in my development environment.  I'll 
probably get yelled at now, having entered a security conscious|paranoid 
community, but it would take MONTHS to change my environment and re-code 
everything to work otherwise.  It is also a bit of a non-issue as 
regards this server - it's on an intranet with one user that logs in - me.

> From the land "down under": Australia.
> Do we look  from up over?

No, but when I first came here, I was fascinated by the way water goes 
down the plughole the other way round.


Thanks all for your replies and patience.

Cheers

M

--
Matthew Smith
Smiffytech - Technology Consulting & Web Application Development
Business: http://www.smiffytech.com/
Personal: http://www.smiffysplace.com/
LinkedIn: http://www.linkedin.com/in/smiffy



Incorrect pfctl -vvq s Output

2008-04-08 Thread Daniel Melameth
In piloting HFSC's service curves on 4.2-release, I uncovered something
wrong.  In sending one 1024 byte ICMP packet every second (ping -s 1016),
pfctl gets it mostly right:

 

queue  interac on pcn0 bandwidth 64Kb priority 7 hfsc( realtime(128Kb 128 32Kb) )
  [ pkts:333  bytes: 329274  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50 ]

queue  interac on pcn0 bandwidth 64Kb priority 7 hfsc( realtime(128Kb 128 32Kb) )
  [ pkts:338  bytes: 334564  dropped pkts:  0 bytes:  0 ]
  [ qlength:   0/ 50 ]

Five packets in five seconds and the bytes, largely, add up correctly.
However, the measured bandwidth is way off:

  [ measured: 1.0 packets/s, 8.25Kb/s ]

8.25Kb/s?  I know this is 1Kb/s so what's going on?  Is this just an
inaccuracy in the pfctl output or does altq really think I'm moving 8Kb/s?
I assume it's the former as pftop appears to get it right:

QUEUE   BW SCH  PR  PKTS BYTES DROP_P DROP_B QLEN BORR SUSP P/S B/S
root_pcn01024K hfsc  0 0 0  0  00 0 0
interac 64000 hfsc  7   338  327K  0  00   1.0 1050



Re: Incorrect pfctl -vvq s Output

2008-04-08 Thread Ryan McBride
On Tue, Apr 08, 2008 at 07:04:31PM -0600, Daniel Melameth wrote:
> 8.25Kb/s?  I know this is 1Kb/s so what's going on?  Is this just an
> inaccuracy in the pfctl output or does altq really think I'm moving 8Kb/s?
> I assume it's the former as pftop appears to get it right:

Make sure you're paying attention to the difference between BITS and
BYTES. Bandwidth on network devices is generally measured in bits, and
that's what the queueing in PF uses.



Re: Incorrect pfctl -vvq s Output

2008-04-08 Thread Daniel Melameth
On Tue, Apr 8, 2008 at 7:22 PM, Ryan McBride <[EMAIL PROTECTED]> wrote:
> On Tue, Apr 08, 2008 at 07:04:31PM -0600, Daniel Melameth wrote:
> > 8.25Kb/s?  I know this is 1Kb/s so what's going on?  Is this just an
> > inaccuracy in the pfctl output or does altq really think I'm moving 8Kb/s?
> > I assume it's the former as pftop appears to get it right:
>
> Make sure you're paying attention to the difference between BITS and
> BYTES. Bandwidth on network devices is generally measured in bits, and
> that's what the queueing in PF uses.

I got bit by the ol' bit/byte bit--and I should have seen it.  Thanks
Ryan.  Maybe I'll get more sleep tonight than I did last night...
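
The bit/byte reconciliation from this thread, as an added example that is not part of any of the posts: it parses two queue-counter samples in the `pfctl -vvsq` layout quoted above and derives the rate in both units. The sample text is constructed from the thread's figures with whitespace normalised, and the function names are hypothetical.

```python
import re

# Constructed samples: the two counter readings quoted in the thread,
# taken five seconds apart while sending one 1024-byte ICMP packet/second.
SAMPLE_T0 = """\
queue  interac on pcn0 bandwidth 64Kb priority 7 hfsc( realtime(128Kb 128 32Kb) )
  [ pkts:        333  bytes:     329274  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
"""
SAMPLE_T1 = """\
queue  interac on pcn0 bandwidth 64Kb priority 7 hfsc( realtime(128Kb 128 32Kb) )
  [ pkts:        338  bytes:     334564  dropped pkts:      0 bytes:      0 ]
  [ qlength:   0/ 50 ]
"""

QUEUE_RE = re.compile(r"^queue\s+(\S+)\s+on\s+(\S+)")
STATS_RE = re.compile(
    r"\[\s*pkts:\s*(\d+)\s+bytes:\s*(\d+)"
    r"\s+dropped pkts:\s*(\d+)\s+bytes:\s*(\d+)\s*\]"
)


def parse_queue_stats(text):
    """Return {queue name: counters} from pfctl -vvsq style output."""
    stats = {}
    current = None
    for line in text.splitlines():
        header = QUEUE_RE.match(line.strip())
        if header:
            current = header.group(1)
            continue
        counters = STATS_RE.search(line)
        if counters and current is not None:
            pkts, nbytes, drop_pkts, drop_bytes = map(int, counters.groups())
            stats[current] = {
                "pkts": pkts,
                "bytes": nbytes,
                "dropped_pkts": drop_pkts,
                "dropped_bytes": drop_bytes,
            }
    return stats


def queue_rates(before, after, interval_s):
    """Per-queue rates between two samples, in packets, bytes and bits."""
    rates = {}
    for name, new in after.items():
        old = before.get(name)
        if old is None:
            continue  # queue was created between the two samples
        d_pkts = new["pkts"] - old["pkts"]
        d_bytes = new["bytes"] - old["bytes"]
        if d_pkts < 0 or d_bytes < 0:
            continue  # counters went backwards, e.g. ruleset reloaded
        rates[name] = {
            "pps": d_pkts / interval_s,
            "bytes_per_s": d_bytes / interval_s,
            # The "measured" line is in bits: eight times the byte rate.
            "bits_per_s": 8 * d_bytes / interval_s,
        }
    return rates


if __name__ == "__main__":
    result = queue_rates(
        parse_queue_stats(SAMPLE_T0), parse_queue_stats(SAMPLE_T1), 5
    )
    for name, r in result.items():
        print(f"{name}: {r['pps']:.1f} packets/s, "
              f"{r['bytes_per_s']:.0f} bytes/s, {r['bits_per_s']:.0f} bits/s")
```

With the thread's counters this gives about 1058 bytes/s, close to the 1050 in pftop's B/S column, and about 8464 bits/s, the same magnitude as the 8.25Kb/s that pfctl reported.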



Re: Optimising OpenBSD

2008-04-08 Thread Sevan / Venture37
> Apache and MySQL have to be hand-builds - my Apache installation is
> configured for a very specific environment (and all my apps would break
> if chrooted) and I have applications that rely on specific Apache
> modules.

You don't have to run the bundled apache chrooted, you can change it, very
easily.



Re: Optimising OpenBSD

2008-04-08 Thread Nick Holland
Matthew Smith wrote:
> Quoth Rod Whitworth at 2008-04-09 08:04...
>> Matthew, you are pretty new here so I'll be kind.
>> Read http://www.openbsd.org/faq/faq5.html#Why
> For this, I apologise.  I am currently in the situation that I don't 
> know where to look for what.  I might try writing a "OpenBSD for Linux 
> escapees" somewhere down the track, because that's what I really need.

http://www.openbsd.org/faq/faq9.html  :)
Don't re-invent, improve. :)
(It used to be called "migrating from Linux" or something like that,
but there are a lot of other non-Linux Unixes that people might be
coming from).

>> Also Search The Fine Archives 
> I now discover that they are under a different domain - which is why the 
> site search wasn't pulling up much.  I must pull out my copy of 'Google 
> Hacks' and see if there is a way that an aggregated site search can be 
> done that pulls in the list archives as well.

there's a bunch of archives out there, each has their own search
functions, and that's really a good thing.  Very often, when looking
for something and one search engine strikes out, another will pop up
the answer for you.  As wonderful as Google is, it isn't the Final
Word on knowledge retrieval.  Often, when the best answer is "don't",
search engines do a much better job of coming up with more long-
winded and incorrect answers.

>> The GENERIC kernel has been compiled with all the right flags. The
>> article you cite was never good advice and furthermore it is going on 8
>> years old.
> It's going to take me a while to get used to having a kernel that I 
> don't HAVE to touch - not that I'm complaining!

wait until you get used to working on your projects rather than
tweaking your OS... It will raise your expectations on everything.


Nick.



Re: Firefox 2.0.0.12

2008-04-08 Thread Douglas A. Tutty
On Mon, Apr 07, 2008 at 05:20:01PM +, Matthew Szudzik wrote:
> On Mon, Apr 07, 2008 at 04:44:08PM +, Jacob Meuser wrote:
> > or, quit using firefox.  its security record is rather lousy, wouldn't
> > you agree?
>  
> What alternatives to firefox do you suggest?

On my main desktop, I use debian.  While it's not OpenBSD, they do
respond quickly to security problems and, on stable (Etch right now),
they backport the fix to the version in stable, and provide a new binary
update.  While firefox is a large binary and takes a while to download
on dialup, at least there is no compile time.

I wish there was a way to use OpenBSD for the main base system but to
use Debian binary packages (debs) for third-party apps.  Looking into
the details of this is on my todo list.

IIUC, debian debs can't be in something that is chrooted but I don't
understand the reasons or if it applies to all packages (e.g.
firefox/iceweasel).  However, on debian chroots work just fine if the
right directories are mounted (e.g. proc).  Debian has a package called
schroot which allows ordinary users to run programs as themselves in the
chroot and handles automatically bind-mounting necessary directories.
Each user gets their own copy of the chroot.  

Doug.



Re: Optimising OpenBSD

2008-04-08 Thread Douglas A. Tutty
On Tue, Apr 08, 2008 at 11:27:03PM +, Gilles Chehade wrote:
> On Wed, Apr 09, 2008 at 08:49:38AM +0930, Matthew Smith wrote:
> > Quoth Ted Unangst at 2008-04-09 08:38...
> > >Nothing beats an 8 year old article for the latest info.  OpenBSD now
> > >comes fully optimized out of the box.
> > 
> > Yes, I did notice the age, but that was about all that Google had for me.
> > 
> > "Optimised out of the box" sounds good to me - not having to do anything 
> > is the way I like to work ;-)
> > 
> > You do realise that this means that the installation time of the base 
> > system is now going to be down to about 15 minutes (from over a day) - 
> > what am I going to do with all that spare time?
> > 
> 
> I would take that spare time to make sure I read all the pages of the
> faq, found some area I could contribute to, and find my way to paypal
> to subscribe for a monthly donation ;-)

Don't forget to read all the man pages.  Unlike Linux, they are all
complete (if they're not, it's a bug not a normal occurrence).

If you want a book, although it's a bit old there's Absolute OpenBSD by
nostarch press.

Doug.



Thinkpad x61 can see 3 GB of RAM out of total 4 GB

2008-04-08 Thread Zoong PHAM
My new Thinkpad x61 has 4 GB of RAM.
The BIOS can see 4 GB.
OBSD-4.2 and 4.3 (snapshot 07/04/2008), both i386 and amd64, can see
only 3 GB.
What can I do to make OBSD see all the RAM?

FYI, the Windows XP that was preinstalled by IBM can also see only 3 GB.

Thanks,
Zoong PHAM



Re: relayd and pf states

2008-04-08 Thread Need Coffee
On Tue, Apr 8, 2008 at 2:22 PM, Tautvydas Bruzas <[EMAIL PROTECTED]> wrote:
> Well, if you read archives it's a known problem with sticky-address. If you
> remove sticky-address everything works as expected.

I searched for hours before posting, I guess I need to pick different keywords
or something...

> Following patch should work (I wrote it for 4.1 hoststated, not sure why it
> was not accepted, maybe quality of the code?, and modified it to work with
> 4.3 relayd), use it at your own risk.

Thanks, I appreciate it... I'll give it a try.  I've already had to modify
relayd, as it won't start properly sometimes and the error it gives is
completely different than what you'd expect...


> > I have relayd in production with textbook (or manpage) examples
> > of doing redirects to backend webservers.
> >
> > relayd seems to notice host state changes properly and makes
> > the necessary pf table adjustments. The problem is that the pf
> > states take so long to expire, that any clients that have existing
> > state table entries to the now-downed backend server continue
> > to talk to that downed server (I.e. they hang).
> >
> > pfctl -k obviously resolves the issue, but shouldn't relayd kill those
> > states when it notices the host won't answer?
> >
> > Thanks in advance.
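
The situation described in the quoted question, as an added example that is not part of the thread or of relayd: a shell script that reads state-table lines, finds redirected states still pointing at a backend that has gone down, and prints the `pfctl -k` command that removes them. The sample lines, addresses and function names are constructed for illustration; the column layout is assumed to match the `pfctl -ss` output of the release in use, and only IPv4 entries are handled.

```shell
#!/bin/sh
# Constructed sample, laid out like `pfctl -ss` lines for redirected
# connections: backend <- redirect address <- client. Not captured output.
sample_states() {
cat <<'EOF'
all tcp 10.0.0.11:80 <- 203.0.113.10:80 <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.12:80 <- 203.0.113.10:80 <- 198.51.100.8:40022       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.11:80 <- 203.0.113.10:80 <- 198.51.100.9:33310       FIN_WAIT_2:FIN_WAIT_2
all udp 203.0.113.10:123 -> 192.0.2.5:123       MULTIPLE:MULTIPLE
EOF
}

# stale_clients BACKEND: read state lines on stdin and print the client
# endpoint of every redirected state that still points at BACKEND.
stale_clients() {
    awk -v host="$1" '
        $4 == "<-" && $6 == "<-" {
            split($3, dst, ":")          # dst[1] = address, dst[2] = port
            if (dst[1] == host) print $7
        }'
}

# kill_plan BACKEND...: read state lines on stdin; for each listed backend
# that still has states, print the command that kills every state whose
# destination is that backend (first -k = any source, second -k = target).
kill_plan() {
    states=$(cat)
    for backend in "$@"; do
        n=$(printf '%s\n' "$states" | stale_clients "$backend" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            printf 'pfctl -k 0.0.0.0/0 -k %s\n' "$backend"
        fi
    done
}

# Stand-alone run: 10.0.0.11 is down with clients attached, 10.0.0.13 has none.
sample_states | kill_plan 10.0.0.11 10.0.0.13
```

On a live firewall the input would come from `pfctl -ss` instead of `sample_states`, and the printed commands would be reviewed before being run as root.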



Re: macosx vs winxp: pf packet blocking

2008-04-08 Thread Jacob Yocom-Piatt

Damon McMahon wrote:
> Hello Jake,
>
> On 08/04/2008, at 11:07 AM, Jacob Yocom-Piatt wrote:
>> have spent a fair deal of time working with pf and have just seen
>> what appears to be quite a bizarre problem:
>>
>> topology is (internet)--pppoe--(openbsd fw - running
>> 4.2-release)--switch--(wired/wifi router).
>>
>> a winxp host connected to the wifi router has no problem viewing
>> webpages, etc, however, a macosx host connected to the wifi router
>> gets packets randomly (AFAICT) dropped by the openbsd fw. google
>> seems to load fine on the macosx machine but other sites will not
>> load with any regularity. the packet dropping has been observed on
>> the firewall using 'tcpdump -nettvi pflog0' and packets were being
>> blocked on the internal interface, either em2 or vlan2,
>> until the pf rule 'pass on $int_if' was changed to 'pass on $int_if
>> no state'. then packets started getting blocked on the external
>> interface, despite a rule 'pass out on $ext_if' as a catch-all at the
>> end of the ruleset. the rule that shows as being the blocker is
>> 'block log all', the first rule in the set.
>>
>> so in essence, i see rules that are not being obeyed in the pf
>> ruleset, but only for the macosx host and not the winxp one. the
>> macosx firewall is turned off and i can ssh from the macosx host to
>> the openbsd fw just fine. i can also ping fine from the macosx host,
>> so dns and routing are working.
>>
>> clues as to wtf is going on would be appreciated. can supply more
>> detailed info on request.
>>
>> cheers,
>> jake
>
> I saw something sounding similar with a Mac OS X 10.3 (Panther) host
> having packet fragmentation issues. In an effort to troubleshoot the
> issue I altered the MTU on the Panther host to 1492, which appeared to
> resolve the issue. Upgrading that Mac to 10.4 (Tiger) reset the MTU to
> 1500 without the issue reoccurring.
>
> I don't know if that helps, if not you might try posting your pf.conf
> and a tcpdump packet capture.

damon,

this was exactly the issue, except it was osx 10.4.11. setting the mtu
to 1492 on the wireless interface did the trick. for whatever reason
this osx machine in this particular configuration was not working. the
same machine works at home with the same pf ruleset and network topology.

i have been informed that the proper fix for this is encapsulated in the
MTU section of man 4 pppoe. apparently i have been running without a
"proper" mtu setting in my pf.conf and it just so happened to have
worked this whole time. it is odd that the only machine and network
configuration i've ever seen this with is with this osx machine over
wireless at this site. have run for years with this setting off and no
probs

cheers,
jake

> Best wishes,
> Damon




pf change destination port for outgoing traffic

2008-04-08 Thread Karel Galuska
Hi all,
I use OpenBSD as a firewall with NAT function for a local network.
For a special reason I now need to change some destination ports for outgoing
traffic to every internet server.

For example, when internal PC a.a.a.a wants to connect to internet server b.b.b.b
on port p1, I need to transparently redirect the connection to port p2 of the same
internet server b.b.b.b.
But b.b.b.b represents every internet server that the client wants to connect to.

Could you please help me construct the pf rule?

Thanks
Karel



Re: Installing Perl on openBSD 4.0

2008-04-08 Thread pichi
Josh,

Thanks so much for clearing that up for me. That would explain why it was so
hard to find documentation on installing Perl on an OpenBSD 4.0 box;
because it's already there!

I will upgrade to the latest version. The only thing that worries me is this
is a production box and I have never upgraded an OpenBSD server.

Wish me luck,

P.