X710 10Gb card not configured
Hi Misc,

I am running the latest OpenBSD snapshot and it appears that the 10Gb cards that we have in the unit aren't recognized or configured properly. I had a look at pcidevs and pcidevs.h files in src/dev/pci and it appears that the device should be found as

src/sys/dev/pcidevs
product INTEL X710_10G_SFP 0x1572 X710 SFP+

src/sys/dev/pcidevs.h
#define PCI_PRODUCT_INTEL_X710_10G_SFP 0x1572 /* X710 SFP+ */

I have attached a pcidump -v below hoping someone might resolve this issue. Please let me know if there is anything else I can provide and when I might be able to try another snapshot.

 1:0:0: Intel X710 SFP+
        0x0000: Vendor ID: 8086 Product ID: 1572
        0x0004: Command: 0006 Status: 0010
        0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 01
        0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 00
        0x0010: BAR mem prefetchable 64bit addr: 0x9200/0x0100
        0x0018: BAR empty ()
        0x001c: BAR mem prefetchable 64bit addr: 0x93008000/0x8000
        0x0024: BAR empty ()
        0x0028: Cardbus CIS:
        0x002c: Subsystem Vendor ID: 8086 Product ID: 0006
        0x0030: Expansion ROM Base Address:
        0x0038:
        0x003c: Interrupt Pin: 01 Line: 0b Min Gnt: 00 Max Lat: 00
        0x0040: Capability 0x01: Power Management
                State: D0
        0x0050: Capability 0x05: Message Signalled Interrupts (MSI)
        0x0070: Capability 0x11: Extended Message Signalled Interrupts (MSI-X)
        0x00a0: Capability 0x10: PCI Express
                Link Speed: 5.0 / 8.0 GT/s Link Width: x8 / x8
        0x0100: Enhanced Capability 0x01: Advanced Error Reporting
        0x0140: Enhanced Capability 0x03: Device Serial Number
        0x0150: Enhanced Capability 0x0e: Alternate Routing ID
        0x01a0: Enhanced Capability 0x17: TPH Requester
        0x01b0: Enhanced Capability 0x0d: Access Control Services
        0x01d0: Enhanced Capability 0x19: Secondary PCIe Capability
        0x00e0: Capability 0x03: Vital Product Data (VPD)
 1:0:1: Intel X710 SFP+
        0x0000: Vendor ID: 8086 Product ID: 1572
        0x0004: Command: 0006 Status: 0010
        0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 01
        0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 00
        0x0010: BAR mem prefetchable 64bit addr: 0x9100/0x0100
        0x0018: BAR empty ()
        0x001c: BAR mem prefetchable 64bit addr: 0x9300/0x8000
        0x0024: BAR empty ()
        0x0028: Cardbus CIS:
        0x002c: Subsystem Vendor ID: 8086 Product ID:
        0x0030: Expansion ROM Base Address:
        0x0038:
        0x003c: Interrupt Pin: 01 Line: 0b Min Gnt: 00 Max Lat: 00
        0x0040: Capability 0x01: Power Management
                State: D0
        0x0050: Capability 0x05: Message Signalled Interrupts (MSI)
        0x0070: Capability 0x11: Extended Message Signalled Interrupts (MSI-X)
        0x00a0: Capability 0x10: PCI Express
                Link Speed: 5.0 / 8.0 GT/s Link Width: x8 / x8
        0x0100: Enhanced Capability 0x01: Advanced Error Reporting
        0x0140: Enhanced Capability 0x03: Device Serial Number
        0x0150: Enhanced Capability 0x0e: Alternate Routing ID
        0x01a0: Enhanced Capability 0x17: TPH Requester
        0x01b0: Enhanced Capability 0x0d: Access Control Services
        0x00e0: Capability 0x03: Vital Product Data (VPD)

-- 
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 604-365-6432
Fax     : 778-782-3045
E-Mail  : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
Twitter : @sfu_rcg
Powering Engagement Through Technology
Re: X710 10Gb card not configured
- On 26 Sep, 2017, at 20:25, Jonathan Gray j...@jsg.id.au wrote:
| On Tue, Sep 26, 2017 at 05:35:40PM -0700, James A. Peltier wrote:
|> Hi Misc,
|>
|> I am running the latest OpenBSD snapshot and it appears that the 10Gb cards that
|> we have in the unit aren't recognized or configured properly. I had a look at
|> pcidevs and pcidevs.h files in src/dev/pci and it appears that the device
|> should be found as
|>
|> src/sys/dev/pcidevs
|> product INTEL X710_10G_SFP 0x1572 X710 SFP+
|>
|> src/sys/dev/pcidevs.h
|> #define PCI_PRODUCT_INTEL_X710_10G_SFP 0x1572 /* X710 SFP+ */
|>
|>
|> I have attached a pcidump -v below hoping someone might resolve this issue.
|> Please let me know if there is anything else I can provide and when I might be
|> able to try another snapshot.
|
| There is currently no driver in the tree for Intel X710/XL710 10Gb/40Gb.

Can I get a recommendation on a comparable 10Gb/40Gb card that will work? Specific card or model numbers so I can get them in ASAP.

-- 
James A. Peltier
10Gb single mode fibre adapters
Hi Misc,

I'm looking to get some insight into those that have 10Gb single mode fibre adaptors in their OpenBSD machines and if they're being used in bridging mode? I've got a user who is asking what the current state of 10Gb is on OpenBSD given all the MP work that's been done. There will be 70 or so VLANs, some traffic shaping, and packet filter taking place on this device and so choosing the appropriate hardware is rather important. Any input from heavy bridging/VLAN use is even more important. Thanks.

-- 
James A. Peltier
Re: 10Gb single mode fibre adapters
- Original Message -
| James A. Peltier [jpelt...@sfu.ca] wrote:
| > Hi Misc,
| >
| > I'm looking to get some insight into those that have 10Gb single mode fibre
| > adaptors in their OpenBSD machines and if they're being used in bridging
| > mode? I've got a user who is asking what the current state of 10Gb is on
| > OpenBSD given all the MP work that's been done. There will be 70 or so
| > VLANs, some traffic shaping, and packet filter taking place on this device
| > and so choosing the appropriate hardware is rather important. Any input
| > from heavy bridging/VLAN use is even more important. Thanks.
| >
|
| I've tested the Xeon CPU E5-1630v3 (3.70GHz, 4 core), myricom myx,
| intel ix and emulex oce cards, and the results under 5.8-current
| are great. OpenBSD 5.8 is not bad either. Under 5.8-current, a
| small routing table of 500 or so routes and option ART, plus PF
| NAT enabled and 1.4Gbps/200kpps of load, vlans, the average load
| is 11%, which translates to load of 30-40% on two cores and almost
| none on two (or sometimes evenly loads across three cores, out of
| nowhere). The network stack is undergoing big changes so this keeps
| improving.
|
| The oce card/driver gives me .06ms round-trip ping times across a
| cisco 5020 whereas ix and myx are currently at .2ms-.3ms rtt on
| the same switch. I'm not sure why, but it's fascinating.
|
| Chris

I'm looking at the Dell R220 which lists the Emulex OneConnect OCe14102-UX-D 2-port PCIe 10GbE CNA or Intel X520 DP 10Gb DA/SFP+ Server Adapter. The oce driver doesn't list the 14102 as a supported device, but ix does list the X520-DA2. Is it safe to assume that the DA and DA-2 are the same or similar chipsets and will work? I'd likely be running 5.8-CURRENT on this box.

-- 
James A. Peltier
Re: OpenBSD pxe automated install
- Original Message -
| read the FAQ, Loic.
|
| http://openbsd.org/faq/faq4.html#site
|
| Site*.tgz, install.site and upgrade.site are a good starting point.
|
| On Mon, Aug 12, 2013 at 11:59 AM, Loïc BLOT wrote:
| > Hello @misc.
| >
| > Today i'm working on automated deploy with PXE. I have successfully
| > found and made an automated PXE install on Debian with pxelinux.
| >
| > I know OpenBSD has a pxe boot image to netinstall the system
| > http://www.cyberciti.biz/faq/openbsd-boot-install-using-pxe-preboot-execution-environment/
| >
| > Are there any options to automate the installation?
| > I want a machine to boot on bsd.rd, read a configuration file (url
| > passed by etc/boot.conf, for example) and install with the read
| > parameters.
| > Is there any issue with doing this, or should I do it myself?
| >
| > Thanks in advance
| > --
| > Best regards,
| > Loïc BLOT,
| > UNIX systems, security and network expert
| > http://www.unix-experience.fr

If you are looking for automated partitioning and the like, the site.install and site.upgrade don't apply whatsoever. In order to fully automate the installation you will need to modify the bsd.rd file contents in order to do that. site.install and site.upgrade can be used to do other things like install packages or upgrade the OS as necessary.

-- 
James A. Peltier
Re: OpenBSD pxe automated install
- Original Message -
| On Tue, Aug 13, 2013 at 9:48 AM, Marian Hettwer wrote:
| > Hi Loic,
| >
| >
| > On 13.08.13 15:43, Loïc Blot wrote:
| >
| >> Hello Marian,
| >> i think you are right, because bsd.rd is required for last chance
| >> to repair system, among others.
| >>
| >
| > right. And I'd like to leave it untouched. This hopefully also
| > increases the possibility that whatever we come up with might get
| > added upstream... ;)
|
| There's nothing preventing you from building your own installer
| within the RAMDISK kernel. I've done it in the past to handle some
| personalized extensions.

This isn't the point though. Debian, RedHat, Suse, all of these OSs include support for network installs by default, no customization of the installer required. OpenBSD does not, but it would be VERY nice if it did, even if it was just noting that it was PXE booting and should look at the location where it PXE booted (a mirror) and then looked for install.netboot for network boot instructions, fetched it and ran it. This wouldn't require any changes on behalf of an end user to make this process happen. If install.netboot doesn't exist, carry on with an interactive install, else fetch it and run it. No building of a custom RAMDISK required.

| > I agree that the most pressing point is automatic network
| > configuration in order to be able to download additional configs,
| > like disk config, package config, ...
|
| It's doable within the base tools, if you assemble things correctly.
| No reason to not have this stuff off of NFS or TFTP to pull in the
| config.

There is reason not to do this. HTTP based booting being one of them. VMs without NFS access being another. The complete inability to use NFS due to policy being another. I think the point is that the end user shouldn't have to build/modify the base installer to get this functionality. The diffs presented show that it could be possible and other OSs already offer this. Maybe not on the floppy disk versions but certainly the CD version should offer it.

-- 
James A. Peltier
Re: bridge + vlan broke after 5.5 > 5.6 upgrade
- Original Message -
| > On 4 Nov 2014, at 06:41, Pieter Verberne wrote:
| >
| >> On 2014-11-02 13:51, Jorge Schrauwen wrote:
| >>> Hey All,
| >>> TL;DR: traffic leaving a bridge over a vlan does
| >>> not get tagged but leaves untagged after upgrade.
| >>> Is this by design?
| >> Looks exactly like my problem. Running 5.6 release.
|
| bridge(4) puts frames on the wire by calling the outgoing interfaces start
| routine, which in this case is vlan_start() because you're bridging vlan(4)
| interfaces.
|
| mpi@ and weerd@ correctly identified the diff where henning@ changed
| vlan_start(). he assumed that ether_output is always called before
| vlan_start, and moved the tagging code into ether_output to make injecting
| the vlan tag more streamlined.
|
| bridge obviously breaks this assumption cos it just shoves the packet into
| vlan_start() which then just shoves the packet onto the parent interface.
|
| i have a massive headache and sleep deficit right now so im not going to
| suggest a way to fix this.
|
| dlg
|

Was a fix for this applied to current or -STABLE?

-- 
James A. Peltier
Re: bridge + vlan broke after 5.5 > 5.6 upgrade
- Original Message -
| Interesting, looks fine on cvs web view.
| Yet the file on my box does not have the change.
|
| I will give it another go next week and instead of pulling in changes
| start fresh.
|
| Regards
|
| Jorge

I just had a look and it does seem to be working fine for me. VLAN tagging/untagging is working as expected.

-- 
James A. Peltier
Re: bridge + vlan broke after 5.5 > 5.6 upgrade
This was fixed in one of the snapshots and was working, so it likely got broken again somehow.

http://marc.info/?l=openbsd-cvs&m=141770981219927&w=2

- Original Message -
|
|
| On 17/11/2014 04:51, James A. Peltier wrote:
| > Was a fix for this applied to current or -STABLE?
| >
|
| Just ran into this problem again on a testing box using -CURRENT,
| Seems this has not been fixed :(
|
| Any idea who I should talk to get this into before 5.7 hits -STABLE?
|
| Regards
|
| --
| ~ sjorge
|

-- 
James A. Peltier
Jan 4, 2013 snapshot fails with DHCP
I just tried to use the latest amd64 snapshot to prepare for an upgrade to our firewall. We use DHCP during initial installation to PXE boot and perform the install at which point we configure through site52.tgz. However, during installation and after boot DHCP reports the following error

Cannot lstat() '/var/db/dhclient.leases.bge0': No such file or directory

it does this for all interfaces and DHCP fails to configure the interface. This does not happen with 5.2-RELEASE.

-- 
James A. Peltier
Re: Jan 4, 2013 snapshot fails with DHCP
- Original Message -
| On Jan 04 12:05:53, jpelt...@sfu.ca wrote:
| > I just tried to use the latest amd64 snapshot to prepare for an
| > upgrade to our firewall. We use DHCP during initial installation
| > to PXE boot and perform the install at which point we configure
| > through site52.tgz. However, during installation and after boot
| > DHCP reports the following error
| >
| > Cannot lstat() '/var/db/dhclient.leases.bge0': No such file or
| > directory
| >
| > it does this for all interfaces and DHCP fails to configure the
| > interface. This does not happen with 5.2-RELEASE.
|
| I've had the same problem with this snapshot.
| Simply escaping to shell and doing
|
| > /var/db/dhclient.leases.bge0
| dhclient bge0
|
| solved that.

Yes, I am aware of that, but it doesn't work by default and that doesn't help if you reboot and you are not at the console. It's a bug and so I am reporting it. ;)

-- 
James A. Peltier
Re: Jan 4, 2013 snapshot fails with DHCP
- Original Message -
| On Fri, Jan 04, 2013 at 02:10:02PM -0800, James A. Peltier wrote:
| > - Original Message -
| > | On Jan 04 12:05:53, jpelt...@sfu.ca wrote:
| > | > I just tried to use the latest amd64 snapshot to prepare for an
| > | > upgrade to our firewall. We use DHCP during initial installation
| > | > to PXE boot and perform the install at which point we configure
| > | > through site52.tgz. However, during installation and after boot
| > | > DHCP reports the following error
| > | >
| > | > Cannot lstat() '/var/db/dhclient.leases.bge0': No such file or
| > | > directory
| > | >
| > | > it does this for all interfaces and DHCP fails to configure the
| > | > interface. This does not happen with 5.2-RELEASE.
| > |
| > | I've had the same problem with this snapshot.
| > | Simply escaping to shell and doing
| > |
| > | > /var/db/dhclient.leases.bge0
| > | dhclient bge0
| > |
| > | solved that.
| >
| > Yes, I am aware of that, but it doesn't work by default and that
| > doesn't help if you reboot and you are not at the console. It's a
| > bug and so I am reporting it. ;)
|
| It was fixed a day or so ago, so newer snaps should not have the
| problem.
|
| Ken
|

Thanks! I couldn't find the commit in source-changes so I wasn't sure it was fixed.

-- 
James A. Peltier
logrotate error on latest snapshot
I do PF log rotation for blocked packets and the latest snapshot reports the following error each time syslog is run. Is this a bug?

tcpdump: pcap_loop: bogus savefile header

/etc/pflogrotate

    #!/bin/sh

    PFLOG=/var/log/pflog
    FILE=/var/log/pflog5min.$(date "+%Y%m%d%H%M")
    pkill -ALRM -u root -U root -t - -x pflogd
    if [ -r $PFLOG ] && [ $(stat -f %z $PFLOG) -gt 24 ]; then
        mv $PFLOG $FILE
        pkill -HUP -u root -U root -t - -x pflogd
        tcpdump -n -e -s 160 -ttt -r $FILE | logger -t pf -p local0.info
        rm $FILE
    fi

/etc/syslog.conf

    local0.info /var/log/pf-block.log

-- 
James A. Peltier
Re: logrotate error on latest snapshot
I'm still seeing these errors each time

tcpdump: pcap_loop: truncated dump file
tcpdump: pcap_loop: bogus savefile header

Simply running tcpdump -nettt -r /var/log/pflog leads to the tcpdump: pcap_loop: truncated dump file. Any ideas?

Below is the content of /var/log/pf-block.log

Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.450168 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33.52856 > ff02::1:3.5355: udp 22 [hlim 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.450178 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33.52856 > ff02::1:3.5355: udp 22 [hlim 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.450541 rule 10/(match) block in on vlan310: 192.168.0.4.61394 > 224.0.0.252.5355: udp 22 [ttl 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.450552 rule 10/(match) block in on vlan310: 192.168.0.4.61394 > 224.0.0.252.5355: udp 22 [ttl 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.550100 rule 10/(match) block in on vlan310: 192.168.0.4.61394 > 224.0.0.252.5355: udp 22 [ttl 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.550107 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33.52856 > ff02::1:3.5355: udp 22 [hlim 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.550114 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33.52856 > ff02::1:3.5355: udp 22 [hlim 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.550125 rule 10/(match) block in on vlan310: 192.168.0.4.61394 > 224.0.0.252.5355: udp 22 [ttl 1]
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.750482 rule 10/(match) block in on vlan310: 192.168.0.4.137 > 192.168.0.255.137: udp 50
Apr 29 12:05:01 core-install pf: Apr 29 12:00:44.750494 rule 10/(match) block in on vlan310: 192.168.0.4.137 > 192.168.0.255.137: udp 50
Apr 29 12:05:01 core-install pf: Apr 29 12:00:45.500168 rule 10/(match) block in on vlan310: 192.168.0.4.137 > 192.168.0.255.137: udp 50
Apr 29 12:05:01 core-install pf: Apr 29 12:00:45.500179 rule 10/(match) block in on vlan310: 192.168.0.4.137 > 192.168.0.255.137: udp 50
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.056424 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33.546 > ff02::1:2.547:dhcp6 solicit [hlim 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.056436 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33.546 > ff02::1:2.547:dhcp6 solicit [hlim 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.400461 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33 > ff02::16: HBH multicast listener report v2, 1 group record(s) [hlim 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.400469 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33 > ff02::16: HBH multicast listener report v2, 1 group record(s) [hlim 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.400584 rule 10/(match) block in on vlan310: 192.168.0.4 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.400592 rule 10/(match) block in on vlan310: 192.168.0.4 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.427442 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33 > ff02::16: HBH multicast listener report v2, 1 group record(s) [hlim 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.427450 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33 > ff02::16: HBH multicast listener report v2, 1 group record(s) [hlim 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.427565 rule 10/(match) block in on vlan310: 192.168.0.4 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.427572 rule 10/(match) block in on vlan310: 192.168.0.4 > 224.0.0.22: igmp-2 [v2] [ttl 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.428080 rule 10/(match) block in on vlan310: 192.168.0.4.56486 > 224.0.0.252.5355: udp 24 [ttl 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.428088 rule 10/(match) block in on vlan310: fe80::151:6adb:4921:8e33.58621 > ff02::1:3.5355: udp 24 [hlim 1]
Apr 29 12:10:01 core-install pf: Apr 29 12:08:25.428095 rule 0.\M-t.0/(match) block in on vlan)\M-E~Qh\M-\: bad-ip6-version 4

- Original Message -
| I do PF log rotation for blocked packets and the latest snapshot
| reports the following error each time syslog is run. Is this a bug?
|
| tcpdump: pcap_loop: bogus savefile header
|
|
| /etc/pflogrotate
|
|
| #!/bin/sh
|
| PFLOG=/var/log/pflog
| FILE=/var/log/pflog5min.$(date "+%Y%m%d%H%M")
| pkill -ALRM -u root -U root -t - -x pflogd
| if [ -r $PFLOG ] && [ $(stat -f %z $PFLOG) -gt 24 ]; then
|    mv $PFLOG $FILE
|    pkill -HUP -u root -U root -t - -x pflogd
|    tcpdump -n -e -s 160 -ttt -r $FILE | logger -t pf -p local0.info
|    rm $FILE
| fi
|
|
| /etc/syslog.conf
|
|
| local0.info /var/log/pf-block.log
|
|
| --
| James A
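The two tcpdump complaints in this thread ("bogus savefile header" and "truncated dump file") are both properties of the pcap savefile that pflogd writes and the rotation script above hands to tcpdump -r. As an added example (not code from the original posts), this Python check walks the 24-byte pcap global header and every 16-byte record header and reports which of the two conditions holds and where the last complete record ends. The sample files are constructed in the block; the payload bytes are filler, not a real pfloghdr, and the snaplen 160 matches the -s 160 in the script.

```python
"""Sanity-check a pflog(4) pcap savefile before piping it through tcpdump."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # pcap magic, microsecond timestamps
DLT_PFLOG = 117              # link type pflogd writes
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def check_savefile(data):
    """Return a dict describing the savefile in `data` (bytes).

    ok        True if the header is valid and every record is complete.
    error     None, or a reason mirroring tcpdump's wording.
    records   number of complete records found.
    good_len  offset of the end of the last complete record; the file
              could be truncated there to make it readable again.
    """
    result = {"ok": False, "error": None, "records": 0, "good_len": 0,
              "linktype": None}
    if len(data) < GLOBAL_HDR_LEN:
        result["error"] = "bogus savefile header: shorter than 24 bytes"
        return result
    # The writer's byte order is recoverable from how the magic reads.
    raw_magic = struct.unpack("<I", data[:4])[0]
    if raw_magic == PCAP_MAGIC:
        order = "<"
    elif raw_magic == 0xD4C3B2A1:
        order = ">"
    else:
        result["error"] = "bogus savefile header: bad magic 0x%08x" % raw_magic
        return result
    vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        order + "HHiIII", data[4:GLOBAL_HDR_LEN])
    if (vmaj, vmin) != (2, 4):
        result["error"] = "bogus savefile header: version %d.%d" % (vmaj, vmin)
        return result
    result["linktype"] = linktype
    result["good_len"] = GLOBAL_HDR_LEN

    off = GLOBAL_HDR_LEN
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:
            result["error"] = "truncated dump file: partial record header at %d" % off
            return result
        _sec, _usec, incl_len, orig_len = struct.unpack(
            order + "IIII", data[off:off + RECORD_HDR_LEN])
        # A captured length above snaplen or above the original length
        # cannot have been written by pflogd; treat it as corruption.
        if incl_len > snaplen or incl_len > orig_len:
            result["error"] = "corrupt record at %d: incl_len %d" % (off, incl_len)
            return result
        end = off + RECORD_HDR_LEN + incl_len
        if end > len(data):
            result["error"] = ("truncated dump file: record at %d is short by %d bytes"
                               % (off, end - len(data)))
            return result
        off = end
        result["records"] += 1
        result["good_len"] = off
    result["ok"] = True
    return result


def build_savefile(payloads, snaplen=160, linktype=DLT_PFLOG):
    """Construct a little-endian pcap savefile with one record per payload.
    Payloads are constructed filler standing in for pfloghdr + packet."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    recs = b""
    for i, p in enumerate(payloads):
        recs += struct.pack("<IIII", 1398772801 + i, 0, len(p), len(p)) + p
    return hdr + recs


if __name__ == "__main__":
    good = build_savefile([b"A" * 100, b"B" * 120])
    print(check_savefile(good))
    print(check_savefile(good[:-50]))    # writer still appending record 2
    print(check_savefile(b"\x00" * 40))  # not a pcap file at all
```

A file that fails the header check is not worth passing to tcpdump at all; a truncated one can be cut at good_len and the rest re-read after the writer has flushed.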
Re: NFS encoding?
- Original Message -
| Looks like there is no resolution but replacement. Thanks.
|
| http://superuser.com/questions/302407/what-to-do-with-nfs-server-utf-8-and-windows-7
|
| Best regards,
| Zhi-Qiang Lei
|
| > On Jul 6, 2015, at 1:56 PM, Johan Petersson wrote:
| >
| > i really wish i could help you out - my girlfriend lives in hong kong so i
| > understand the need to display chinese chars, i do.
| > i have run NFS for years, but only in a pure UNIX environment - bsd-versions,
| > linux and osx. but i'm not any kind of NFS expert - i'd have to suggest that
| > you try to read as many man-pages as you can. or check out the NFS source
| > code. once you know the encoding, put the question to Microsoft.
| > or simply stop using windows haha
| >
| > good luck!
| > /Johan
| >
| > On Mon, Jul 6, 2015 at 7:36 AM, Zhi-Qiang Lei <zhiqiang@gmail.com> wrote:
| > Is there such an encoding option in the NFS settings? And what encoding does
| > OpenBSD use as default for filenames? Thanks for your suggestion though.
| >
| > Best regards,
| > Zhi-Qiang Lei
| >
| >> On Jul 6, 2015, at 1:02 PM, Johan Petersson <vhdlni...@gmail.com> wrote:
| >>
| >> that is not a question for the OpenBSD people if you ask me. win7 is junk, go
| >> ask microsoft this kind of questions
| >>
| >> On Mon, Jul 6, 2015 at 6:58 AM, Zhi-Qiang Lei <zhiqiang@gmail.com> wrote:
| >> I have an OpenBSD 5.6 server with NFS enabled. When I mount it on my Mac and
| >> Raspberry Pi, everything is fine. However, when I map it on Windows 7, all the
| >> filenames with Chinese in them cannot be displayed correctly. How can I fix
| >> this? Thanks.
| >>
| >> Best regards,
| >> Zhi-Qiang Lei
|

What about re-exporting the NFS share out via Samba and just ditching the NFS client in Windows 7 altogether?

-- 
James A. Peltier
Re: Dragonflybsd's pf concurrent instead of single-threaded
- Original Message -
| It's a very interesting diff.
|
| If i have time i'll test it on -CURRENT in the next two weeks.
|
| --
| Best regards,
|
| Loïc BLOT, Engineering
| UNIX Systems, Security and Network Engineer
| http://www.unix-experience.fr

Considering that these patches use the DragonflyBSD specific lightweight tokens, it's *HIGHLY UNLIKELY* (100% guaranteed) not to work against any OpenBSD sources.

-- 
James A. Peltier
Re: Making tftp download large files from tftpd
- Original Message -
| I will spare you all the backstory but I found that tftp could not download
| files over 32 mb by default from tftpd. I know you can pass blocksize to
| tftpd to handle much larger files but I was originally working with a client
| where this wasn't possible. Tftp protocol has 2 bytes for block number which
| put a 65535 limit on that. tftpd data doesn't care and will just roll that
| over back to 0 and keep sending data. Tftp client fails when there is block
| number roll over because it is tracking all the blocks with an int so ends up
| comparing its block counter which is now at 65536 to what comes off the
| network, 0 and quits. I updated the tftp client code to use same data type as
| the network side structs are using - u_int16_t. Now tftp counter rolls along
| with server and can send file of any size with or without a blocksize change.
| I feel like this is mostly pointless but doesn't hurt anything. Will gladly
| provide the actual diffs. I have to look into that process for openbsd but
| just wanted to check with the group first in case there was a reason an int
| was used that I do not understand.
|
| J

Or you could chainload iPXE to allow for the downloading of your file over HTTP which is much faster than TFTP to begin with. This is indeed what we do.

-- 
James A. Peltier
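The block-number rollover J describes, as an added Python simulation (not J's diff or the tftp(1) source): a server has only 16 bits on the wire for the DATA block number, so block 65536 is sent as 0; a client that tracks the expected block in an unbounded int rejects it, while one that keeps the counter as u_int16_t wraps with the server. Packets are constructed in memory; the default 512-byte block size gives the roughly 32 MB ceiling from the post.

```python
"""TFTP DATA block-number wraparound: int-tracking client vs u_int16_t client."""
import struct

OP_DATA = 3
BLOCK_SIZE = 512        # default TFTP block size without a blksize option


def build_data(block, payload):
    """Encode a DATA packet. The block number is masked to 16 bits, which is
    exactly what the wire format forces a server to do when it rolls over."""
    return struct.pack("!HH", OP_DATA, block & 0xFFFF) + payload


def parse_data(pkt):
    """Decode a DATA packet into (block, payload)."""
    opcode, block = struct.unpack("!HH", pkt[:4])
    if opcode != OP_DATA:
        raise ValueError("not a DATA packet: opcode %d" % opcode)
    return block, pkt[4:]


class IntClient:
    """The failing behaviour: expected block lives in an unbounded int, so
    after block 65535 it expects 65536 and sees 0 on the wire."""
    def __init__(self):
        self.expected = 1

    def accept(self, block):
        if block != self.expected:
            return False
        self.expected += 1
        return True


class Uint16Client:
    """The fix: expected block is kept as a 16-bit value and wraps to 0
    together with the server's counter."""
    def __init__(self):
        self.expected = 1

    def accept(self, block):
        if block != self.expected:
            return False
        self.expected = (self.expected + 1) & 0xFFFF
        return True


def transfer(client, total_blocks):
    """Simulate a server streaming total_blocks full-size DATA blocks and
    return how many payload bytes the client accepted before it quit.
    (A real transfer ends with one short block; that detail is omitted.)"""
    received = 0
    for n in range(1, total_blocks + 1):
        block, payload = parse_data(build_data(n, b"x" * BLOCK_SIZE))
        if not client.accept(block):
            break
        received += len(payload)
    return received


if __name__ == "__main__":
    blocks = 70000   # about 34 MB at 512 bytes per block
    print("int counter   :", transfer(IntClient(), blocks))     # stops at 65535 blocks
    print("uint16 counter:", transfer(Uint16Client(), blocks))  # takes all 70000
```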
Re: net.inet.ip.arpqueued
- Original Message -
| Hi,
|
| Would anyone be able to share some insight on this?
|
|
| On 11/21/2013 3:44 AM, Han Hwei Woo wrote:
| > Hi,
| >
| > I was doing some ARP troubleshooting, and noticed this sysctl
| > variable, and was wondering what it is for? On our office firewall
| > with just 14 ARP entries, I see it's normally at 0 but on a busy data
| > centre firewall with 1,541 ARP entries, it seems to always be at or
| > near 100, and never above. This is just speculation, but it would
| > appear that the maximum queue length is 100, and that ARP requests may
| > potentially be dropped above that number? Can somebody confirm this?
| > Am I currently running into ARP limitations, or this is indicative of
| > other problems? Is it possible to increase the queue length to
| > something larger through the kernel configuration or at compile time,
| > and would this be advisable?
| >
| >
| > Thanks,
| > Han
|

Report the number of packets that arp resolution is holding onto until it gets a mac addr for an ip under net.inet.ip.arpqueued. See http://www.openssh.com/cgi-bin/cvsweb/src/sys/netinet/in.h

-- 
James A. Peltier
Re: Vision 2020: Making OpenBSD the world's fastest OS
- Original Message -
| On Wed, Mar 5, 2014, at 09:08 AM, openda...@hushmail.com wrote:
| > Anybody have any thoughts on how to achieve this?
|
| OpenBSD has never been about making the fastest operating system, only
| the most secure operating system. You're welcome to fork the project and
| pursue different goals if you wish.

No. OpenBSD makes no claims to be the most secure operating system. From the web page

"The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography."

That's it. To make a claim that OpenBSD is "the most secure operating system" would be false since there are many ways to define secure depending on who you talk to.

-- 
James A. Peltier
Re: large file system
- Original Message -
| Is there anyone using openbsd for large file systems ?
| For a large file system, nowadays, i mean 16 TB!
|
| Thanks on advance.
|

You do not want to have a file system so large when using UFS. You would use a lot of memory and the file system check would take forever. Softupdates will not help in this situation.

-- 
James A. Peltier
uvm_fault in Dec. 15 amd64 snapshot
Hi All,

Today is our semester maintenance day and we've upgraded our backup bridge firewall to the Dec. 15, 2011 snapshot available from ftp.openbsd.org and I'm getting this odd error when I boot it up. Oddly enough, this only happens when connected to the switch that the original one is connected to (we swap them out each semester).

First, I use the upgrade method to go from snapshot to snapshot and reboot. I run sysmerge to bring in the new configuration files from etc50.tgz and xetc50.tgz (I only have bsd* man* base* xbase* installed) and reboot.

So as you can see, this is standard running -current and I've done several upgrades now.

On my test switch (HP5304XL) it boots okay and I can reload the firewall rules with no problem. When I connect it to my HP2910 where the current firewall is running I cannot fully boot. If I press CTRL+C during the starting network section it will continue to boot. If I then run pfctl -e it states that PF is already enabled but if I run pfctl -Fr -f /etc/pf.conf I get the following.

# uvm_fault(0x80d2ff40, 0x0, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at pf_translate+0x154: cmpw %r13w,0(%rsi)
ddb{0}>

keyboard is dead, no response at all from console. Any ideas?

--
James A. Peltier
Re: uvm_fault in Dec. 15 amd64 snapshot
- Original Message -
| Hi All,
|
| Today is our semester maintenance day and we've upgraded our backup
| bridge firewall to the Dec. 15, 2011 snapshot available from
| ftp.openbsd.org and I'm getting this odd error when I boot it up.
| Oddly enough, this only happens when connected to the switch that the
| original one is connected to (we swap them out each semester).
|
| First, I use the upgrade method to go from snapshot to snapshot and
| reboot. I run sysmerge to bring in the new configuration files from
| etc50.tgz and xetc50.tgz (I only have bsd* man* base* xbase* installed)
| and reboot.
|
| So as you can see, this is standard running -current and I've done
| several upgrades now.
|
| On my test switch (HP5304XL) it boots okay and I can reload the
| firewall rules with no problem. When I connect it to my HP2910 where
| the current firewall is running I cannot fully boot. If I press CTRL+C
| during the starting network section it will continue to boot. If I
| then run pfctl -e it states that PF is already enabled but if I run
| pfctl -Fr -f /etc/pf.conf I get the following.
|
| # uvm_fault(0x80d2ff40, 0x0, 0, 1) -> e
| kernel: page fault trap, code=0
| Stopped at pf_translate+0x154: cmpw %r13w,0(%rsi)
| ddb{0}>
|
| keyboard is dead, no response at all from console. Any ideas?

Okay, I've gotten some off list requests for more information, which I'm hoping I'll be able to get for those people, but I'm now outside of my maintenance window and will likely need to schedule another outage or figure out how to reproduce it again.

The current bridge firewall running the following version does not exhibit the problem, but I'm not able to get a trace output at this time. Maybe it's still at least a somewhat useful reference for updates that may have happened. (Yeah right, from Aug 8th until now. Thousands of commits. ;) )

OpenBSD 5.0 (GENERIC.MP) #57: Mon Aug 8 14:58:00 MDT 2011
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

--
James A. Peltier
Re: how to move "advskew" out of hostname.carpXXX ?
Why not just use sed to modify the file before the copy to the backup. Else, you can use puppet templates or some other solution.

- Original Message -
| Hello!
|
| I'd like to sync /etc/hostname.carpXXX files between MASTER and BACKUP, the
| only difference, of course, is the "advskew" parameter. Is there a way to
| specify it in a different config file ?
|
| I've seen a bug report on fwbuilder (www.fwbuilder.org), which describes
| something called "create_args_carp0", but I didn't find any other presence
| of it:
|
| see #2636
| "carp : Incorrect output in rc.conf.local format". Should use
| create_args_carp0 instead of ifconfig_carp0 to set up CARP interface vhid,
| pass and adskew parameters."
|
| Cheers,
| Ilya Shipitsin
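The sed approach suggested above, as an added example that is not part of the thread: derive the BACKUP node's hostname.carp file from the MASTER's copy by rewriting only advskew, and check that the resulting pair differs in nothing else (a vhid or pass that drifted between the two files is exactly the kind of sync mistake that breaks failover). The file name hostname.carp300, the addresses and the pass value are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread: keep one hostname.carpNNN file
# for both CARP nodes and derive the BACKUP's copy from the MASTER's by
# rewriting only the advskew value. File names, addresses and the CARP
# password below are constructed for the demo.

# rewrite_advskew FILE SKEW
# Prints FILE with its "advskew N" token replaced by "advskew SKEW".
# SKEW must be 0..254 (the range ifconfig accepts for advskew). Fails
# if FILE carries no advskew at all, rather than silently producing a
# backup that would run with the master's default skew of 0.
rewrite_advskew() {
    file=$1
    skew=$2
    case $skew in
        ''|*[!0-9]*) echo "rewrite_advskew: skew must be numeric" >&2; return 2 ;;
    esac
    [ "$skew" -le 254 ] || { echo "rewrite_advskew: skew out of range" >&2; return 2; }
    grep -q 'advskew[[:space:]]*[0-9]' "$file" || {
        echo "rewrite_advskew: no advskew in $file" >&2; return 1; }
    sed -e "s/advskew[[:space:]]*[0-9][0-9]*/advskew $skew/" "$file"
}

# same_except_advskew FILE1 FILE2
# Succeeds when the two files are identical once advskew is masked, which
# is what a correctly synced MASTER/BACKUP pair should look like. Anything
# else differing (vhid, pass, address) is a sync error worth catching
# before the files are installed.
same_except_advskew() {
    a=$(sed -e 's/advskew[[:space:]]*[0-9][0-9]*/advskew X/' "$1")
    b=$(sed -e 's/advskew[[:space:]]*[0-9][0-9]*/advskew X/' "$2")
    [ "$a" = "$b" ]
}

# demo: build a constructed master file, generate the backup with skew 100
# and verify the pair. Returns 0 on success.
demo() {
    tmp=$(mktemp -d) || return 1
    # constructed sample; the pass value is a placeholder, not a real secret
    cat > "$tmp/hostname.carp300" <<'EOF'
inet 192.168.1.254 255.255.255.0 192.168.1.255 vhid 30 pass PLACEHOLDER advskew 0
EOF
    rewrite_advskew "$tmp/hostname.carp300" 100 > "$tmp/hostname.carp300.backup" &&
        same_except_advskew "$tmp/hostname.carp300" "$tmp/hostname.carp300.backup"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo && echo "master/backup hostname.carp pair is consistent"
```

In practice the generated file goes straight to the backup over ssh (`rewrite_advskew /etc/hostname.carp300 100 | ssh backup 'cat > /etc/hostname.carp300'`); since the file carries the CARP pass, keep the same restrictive permissions on it as on any other hostname.if file with a password in it.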
Re: upcoming pf changes in queue and sheduling system
- Original Message -
| What new features will be included?
| What changes will be with existing functions?
| Will is on the functional traffic policing?

Read the src-changes@ and tech@ mailing lists. Much of the committed code will give you some ideas. Also, have a look at the man pages for pf.conf in current to see some of the upcoming features that are worth documenting yet. Recently henning@ posted some info on scheduling, albeit very vague. Basically, much of the work is still very much "in progress".

--
James A. Peltier
Can't call method "conflict_list" on unblessed reference at /usr/libdata/perl5/OpenBSD/PkgAdd.pm line 554.
I'm attempting an upgrade to the latest snapshot and so far everything seems to work except while updating packages I get the above stated error. Below is a typescript of the pkg_add -u with dmesg included.

- Forwarded Message -
From: "Charlie Root"
To: jpelt...@sfu.ca
Sent: Tuesday, 21 August, 2012 10:06:13

Script started on Tue Aug 21 10:03:35 2012
# dmesg
OpenBSD 5.2-current (RAMDISK_CD) #127: Mon Aug 20 12:56:25 MDT 2012
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 1072627712 (1022MB)
avail mem = 1024077824 (976MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (98 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 04/15/2011
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU X5660 @ 2.80GHz, 2792.31 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,NXE,LONG,LAHF
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 65MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
"Intel 82371AB PIIX4 ISA" rev 0x08 at pci0 dev 7 function 0 not configured
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
"Intel 82371AB Power" rev 0x08 at pci0 dev 7 function 3 not configured
"VMware Virtual Machine Communication Interface" rev 0x10 at pci0 dev 7 function 7 not configured
vga1 at pci0 dev 15 function 0 "VMware Virtual SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
mpi0 at pci0 dev 16 function 0 "Symbios Logic 53c1030" rev 0x01: apic 1 int 17
scsibus1 at mpi0: 16 targets, initiator 7
sd0 at scsibus1 targ 0 lun 0: SCSI2 0/direct fixed
sd0: 20480MB, 512 bytes/sector, 41943040 sectors
mpi0: target 0 Sync at 160MHz width 16bit offset 127 QAS 1 DT 1 IU 1
ppb1 at pci0 dev 17 function 0 "VMware Virtual PCI-PCI" rev 0x02
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 "Intel PRO/1000MT (82545EM)" rev 0x01: apic 1 int 18, address 00:50:56:00:00:36
ppb2 at pci0 dev 21 function 0 "VMware Virtual PCIE-PCIE" rev 0x01
pci3 at ppb2 bus 3
ppb3 at pci0 dev 21 function 1 "VMware Virtual PCIE-PCIE" rev 0x01
pci4 at ppb3 bus 4
ppb4 at pci0 dev 21 function 2 "VMware Virtual PCIE-PCIE" rev 0x01
pci5 at ppb4 bus 5
ppb5 at pci0 dev 21 function 3 "VMware Virtual PCIE-PCIE" rev 0x01
pci6 at ppb5 bus 6
ppb6 at pci0 dev 21 function 4 "VMware Virtual PCIE-PCIE" rev 0x01
pci7 at ppb6 bus 7
ppb7 at pci0 dev 21 function 5 "VMware Virtual PCIE-PCIE" rev 0x01
pci8 at ppb7 bus 8
ppb8 at pci0 dev 21 function 6 "VMware Virtual PCIE-PCIE" rev 0x01
pci9 at ppb8 bus 9
ppb9 at pci0 dev 21 function 7 "VMware Virtual PCIE-PCIE" rev 0x01
pci10 at ppb9 bus 10
ppb10 at pci0 dev 22 function 0 "VMware Virtual PCIE-PCIE" rev 0x01
pci11 at ppb10 bus 11
ppb11 at pci0 dev 22 function 1 "VMware Virtual PCIE-PCIE" rev 0x01
pci12 at ppb11 bus 12
ppb12 at pci0 dev 22 function 2 "VMware Virtual PCIE-PCIE" rev 0x01
pci13 at ppb12 bus 13
ppb13 at pci0 dev 22 function 3 "VMware Virtual PCIE-PCIE" rev 0x01
pci14 at ppb13 bus 14
ppb14 at pci0 dev 22 function 4 "VMware Virtual PCIE-PCIE" rev 0x01
pci15 at ppb14 bus 15
ppb15 at pci0 dev 22 function 5 "VMware Virtual PCIE-PCIE" rev 0x01
pci16 at ppb15 bus 16
ppb16 at pci0 dev 22 function 6 "VMware Virtual PCIE-PCIE" rev 0x01
pci17 at ppb16 bus 17
ppb17 at pci0 dev 22 function 7 "VMware Virtual PCIE-PCIE" rev 0x01
pci18 at ppb17 bus 18
ppb18 at pci0 dev 23 function 0 "VMware Virtual PCIE-PCIE" rev 0x01
pci19 at ppb18 bus 19
ppb19 at pci0 dev 23 function 1 "VMware Virtual PCIE-PCIE" rev 0x01
pci20 at ppb19 bus 20
ppb20 at pci0 dev 23 function 2 "VMware Virtual PCIE-PCIE" rev 0x01
pci21 at ppb20 bus 21
ppb21 at pci0 dev 23 function 3 "VMware Virtual PCIE-PCIE" rev 0x01
pci22 at ppb21 bus 22
ppb22 at pci0 dev 23 function 4 "VMware Virtual PCIE-PCIE" rev 0x01
pci23 at ppb22 bus 23
ppb23 at pci0 dev 23 function 5 "VMware Virtual PCIE-PCIE" rev 0x01
pci24 at ppb23 bus 24
ppb24 at pci0 dev 23 function 6 "VMware Virtual PCIE-PCIE" rev 0x01
pci25 at ppb24 bus 25
ppb25 at pci0 dev 23 function 7 "VMware Virtual PCIE-PCIE" rev 0x01
pci26 at ppb25 bus 26
ppb26 at pci0 dev 24 function 0 "VMware Virtual PCIE-PCIE" rev 0x01
pci27 at ppb26 bus 27
ppb27 at pci0 dev 24 function 1 "VMware Virtua
Re: adding Journaled File System (JFS)
- Original Message -
| Hi, I'd like to start working on the openbsd kernel. I thought about
| adding JFS (http://jfs.sourceforge.net/) to it.
|
| Do you know if there's anyone already working on this? I cannot access
| the bug tracking system (seems to be down)
|
| It seems that the JFS maintenance is being carried out in kernel.org
| and contains the following legend:
|
| [...]
| /*
| * Copyright (C) International Business Machines Corp., 2000-2004
| *
| * This program is free software; you can redistribute it and/or modify
| * it under the terms of the GNU General Public License as published by
| * the Free Software Foundation; either version 2 of the License, or
| * (at your option) any later version.
| *
| * This program is distributed in the hope that it will be useful,
| * but WITHOUT ANY WARRANTY; without even the implied warranty of
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
| * the GNU General Public License for more details.
| *
| * You should have received a copy of the GNU General Public License
| * along with this program; if not, write to the Free Software
| * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
| */
| [...]
|
| Is it ok to port this kind of source code or is a reimplementation
| preferred?
|
| Thanks.
|
| Regards.
| Daniel.

No GPL software will ever be included in the kernel. However, you might want to have a look at the file systems in the other BSDs, such as maybe HAMMERFS in DragonflyBSD. It certainly wouldn't be easy, or even likely for that matter, to work it in but it is certainly an interesting file system. ;)

--
James A. Peltier
Firewall problem
Hi All,

I've been battling this issue for a couple of days now and I'm hoping someone might have a possible fix for it. Any help is greatly appreciated.

I have a workstation which is on a network routed through a VPN client device.
The clients are on VLAN 304 with an address range of 192.168.18.0 - 192.168.18.128 (192.168.18.0/25).
This VPN client device is connected to a VPN concentrator.
The VPN concentrator is on VLAN 300 with the IP address 192.168.1.141.
The upper 128 IP addresses are also in VLAN 304 but have a default route of 192.168.18.254.
I have an OpenBSD bridge / firewall with several VLANs on it. It bridges VLANs provided by Network Services, who recently took over our routing, and our VLANs.
The bridge VLANs in question are as follows:

Network Services   Our VLAN
310                300 = bridge300
314                304 = bridge304

The problem is that traffic from a host on the 192.168.18.0/25 (192.168.18.90) seems to be getting blocked by my rules. For example if I ping a host on VLAN 300 (192.168.1.59) from VLAN 304 (192.168.18.90) the packet is dropped as it is found to match my default block rule for traffic passing to the public side of the bridge.

If I add a default route on the 192.168.1.59 host for 192.168.18.0/25 to 192.168.1.254 traffic passes. It also passes if I remove the default block rule.
It also looks like every packet is passing through the firewall twice, in and out, but the second packet is the one being blocked.

Block logs: Attempt connect to a web server
---
Jul 07 19:51:55.757076 rule 10/(match) block in on vlan310: 192.168.18.90.2263 > 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF) [tos 0x10]

Pass Logs: Pinging 192.168.18.90 host from 192.168.1.251 host
---
Jul 07 20:13:39.041885 rule 4/(match) pass out on vlan310: 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
Jul 07 20:13:39.042008 rule 4/(match) pass in on vlan310: 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)

PF Rules
=
NS_LAN1="vlan310"
NS_LAN2="vlan314"
LAN1="vlan300"
LAN2="vlan304"

# don't do any filtering on these devices
# only "public" side is filtered since you only
# need to filter on one side of the bridge
set skip on { lo $NS_LAN2 $LAN2 $LAN1 }

# scrub incoming packets
match in all scrub (no-df)

# block any host deemed for whatever reason to be bad
# be meaner and just drop them which will use resources
# of the attacker slightly longer
block drop from
block drop from

# By default, do not permit remote connections to X11
# all X11 traffic should be tunnelled through SSH
block in quick on ! lo0 proto tcp to port 6000:6010

# Allow ping and traceroute through
pass quick log (to pflog1) inet proto icmp from any to any icmp-type echoreq keep state

# traffic from these hosts should never be blocked
pass quick from
pass to

### LAN1 RULES ###
###
# Block access to FASNET
block in log on $NS_LAN1 all

# use modulate state to generate stronger ISNs on outgoing packets
# for OSs that don't already generate them
pass out quick log (to pflog1) on $NS_LAN1

--
James A. Peltier
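A small parser for pflog lines of the shape quoted above, as an added example that is not part of the post: it tabulates each logged packet's action, direction, interface and matching rule, which makes the "every packet passes through the firewall twice" observation visible as two rows for the same rule, and lists which source addresses a block rule caught. The three sample lines are constructed from the ones in the post; the line shape is the one tcpdump prints from /var/log/pflog with -e (the "rule N/(match) action dir on iface:" prefix). Function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: parse pflog lines as tcpdump -e prints
# them from /var/log/pflog and summarise which rule, direction and interface
# each packet hit. The sample lines below are constructed from the post.

# parse_pflog: stdin -> one tab-separated record per line:
#   action  direction  interface  rule  source  destination
parse_pflog() {
    awk '
    $4 == "rule" {
        rule = $5;  sub(/\/.*/, "", rule)    # "10/(match)" -> "10"
        iface = $9; sub(/:$/, "", iface)     # "vlan310:"   -> "vlan310"
        src = $10
        dst = $12;  sub(/:$/, "", dst)
        printf "%s\t%s\t%s\t%s\t%s\t%s\n", $6, $7, iface, rule, src, dst
    }'
}

# summarize: parse_pflog records on stdin -> "action dir iface rule N" rows.
# On a bridge the same packet is evaluated once per member interface, so a
# single ping shows up twice (out and in on vlan310 in the post); seeing the
# pair here, and which of the two the block rule catches, is the point.
summarize() {
    awk -F'\t' '{ k = $1 " " $2 " " $3 " rule " $4; n[k]++ }
                END { for (k in n) print k, n[k] }' | sort
}

# blocked_sources: raw pflog lines on stdin -> distinct source addresses
# that hit a block rule, with the TCP/UDP port suffix stripped.
blocked_sources() {
    parse_pflog | awk -F'\t' '$1 == "block" {
        n = split($5, p, ".")
        addr = (n == 5) ? p[1] "." p[2] "." p[3] "." p[4] : $5
        print addr
    }' | sort -u
}

# constructed sample, taken from the lines quoted in the post
SAMPLE_PFLOG='Jul 07 19:51:55.757076 rule 10/(match) block in on vlan310: 192.168.18.90.2263 > 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF) [tos 0x10]
Jul 07 20:13:39.041885 rule 4/(match) pass out on vlan310: 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
Jul 07 20:13:39.042008 rule 4/(match) pass in on vlan310: 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)'

printf '%s\n' "$SAMPLE_PFLOG" | parse_pflog | summarize
printf '%s\n' "$SAMPLE_PFLOG" | blocked_sources
```

On a live box the same functions read `tcpdump -n -e -ttt -r /var/log/pflog | summarize`-style input; the rule number in each row maps back to `pfctl -vvsr`, which is how you confirm that the "second" packet is the one hitting `block in log on $NS_LAN1 all` rather than one of the quick rules above it.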
Re: Firewall problem
- Original Message -
| Hi All,
|
| I've been battling this issue for a couple of days now and I'm hoping
| someone might have a possible fix for it. Any help is greatly
| appreciated.
|
| I have a workstation which is on a network routed through a VPN client
| device.
| The clients are on VLAN 304 with an address range of 192.168.18.0 -
| 192.168.18.128 (192.168.18.0/25).
| This VPN client device is connected to a VPN concentrator.
| The VPN concentrator is on VLAN 300 with the IP address 192.168.1.141.
| The upper 128 IP addresses are also in VLAN 304 but have a default
| route of 192.168.18.254.
| I have an OpenBSD bridge / firewall with several VLANs on it. It
| bridges VLANs provided by Network Services, who recently took over our
| routing, and our VLANs.
| The bridge VLANs in question are as follows:
|
| Network Services   Our VLAN
| 310                300 = bridge300
| 314                304 = bridge304
|
| The problem is that traffic from a host on the 192.168.18.0/25
| (192.168.18.90) seems to be getting blocked by my rules. For example
| if I ping a host on VLAN 300 (192.168.1.59) from VLAN 304
| (192.168.18.90) the packet is dropped as it is found to match my
| default block rule for traffic passing to the public side of the
| bridge.
|
| If I add a default route on the 192.168.1.59 host for 192.168.18.0/25
| to 192.168.1.254 traffic passes. It also passes if I remove the
| default block rule.
| It also looks like every packet is passing through the firewall twice,
| in and out, but the second packet is the one being blocked.
|
| Block logs: Attempt connect to a web server
| ---
| Jul 07 19:51:55.757076 rule 10/(match) block in on vlan310:
| 192.168.18.90.2263 > 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF) [tos 0x10]
|
| Pass Logs: Pinging 192.168.18.90 host from 192.168.1.251 host
| ---
| Jul 07 20:13:39.041885 rule 4/(match) pass out on vlan310:
| 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
| Jul 07 20:13:39.042008 rule 4/(match) pass in on vlan310:
| 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
|
| PF Rules
| =
| NS_LAN1="vlan310"
| NS_LAN2="vlan314"
| LAN1="vlan300"
| LAN2="vlan304"
|
| # don't do any filtering on these devices
| # only "public" side is filtered since you only
| # need to filter on one side of the bridge
| set skip on { lo $NS_LAN2 $LAN2 $LAN1 }
|
| # scrub incoming packets
| match in all scrub (no-df)
|
| # block any host deemed for whatever reason to be bad
| # be meaner and just drop them which will use resources
| # of the attacker slightly longer
| block drop from
| block drop from
|
| # By default, do not permit remote connections to X11
| # all X11 traffic should be tunnelled through SSH
| block in quick on ! lo0 proto tcp to port 6000:6010
|
| # Allow ping and traceroute through
| pass quick log (to pflog1) inet proto icmp from any to any icmp-type
| echoreq keep state
|
| # traffic from these hosts should never be blocked
| pass quick from
| pass to
|
| ### LAN1 RULES ###
| ###
| # Block access to FASNET
| block in log on $NS_LAN1 all
|
| # use modulate state to generate stronger ISNs on outgoing packets
| # for OSs that don't already generate them
| pass out quick log (to pflog1) on $NS_LAN1

I should also mention that I tried adding a pass quick on $NS_LAN1 from 192.168.18.0/25 rule and this did not solve the problem either.

--
James A. Peltier
Re: Firewall problem
- Original Message -
| - Original Message -
| | Hi All,
| |
| | I've been battling this issue for a couple of days now and I'm hoping
| | someone might have a possible fix for it. Any help is greatly
| | appreciated.
| |
| | I have a workstation which is on a network routed through a VPN client
| | device.
| | The clients are on VLAN 304 with an address range of 192.168.18.0 -
| | 192.168.18.128 (192.168.18.0/25).
| | This VPN client device is connected to a VPN concentrator.
| | The VPN concentrator is on VLAN 300 with the IP address 192.168.1.141.
| | The upper 128 IP addresses are also in VLAN 304 but have a default
| | route of 192.168.18.254.
| | I have an OpenBSD bridge / firewall with several VLANs on it. It
| | bridges VLANs provided by Network Services, who recently took over our
| | routing, and our VLANs.
| | The bridge VLANs in question are as follows:
| |
| | Network Services   Our VLAN
| | 310                300 = bridge300
| | 314                304 = bridge304
| |
| | The problem is that traffic from a host on the 192.168.18.0/25
| | (192.168.18.90) seems to be getting blocked by my rules. For example
| | if I ping a host on VLAN 300 (192.168.1.59) from VLAN 304
| | (192.168.18.90) the packet is dropped as it is found to match my
| | default block rule for traffic passing to the public side of the
| | bridge.
| |
| | If I add a default route on the 192.168.1.59 host for 192.168.18.0/25
| | to 192.168.1.254 traffic passes. It also passes if I remove the
| | default block rule.
| | It also looks like every packet is passing through the firewall twice,
| | in and out, but the second packet is the one being blocked.
| |
| | Block logs: Attempt connect to a web server
| | ---
| | Jul 07 19:51:55.757076 rule 10/(match) block in on vlan310:
| | 192.168.18.90.2263 > 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF) [tos 0x10]
| |
| | Pass Logs: Pinging 192.168.18.90 host from 192.168.1.251 host
| | ---
| | Jul 07 20:13:39.041885 rule 4/(match) pass out on vlan310:
| | 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
| | Jul 07 20:13:39.042008 rule 4/(match) pass in on vlan310:
| | 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
| |
| | PF Rules
| | =
| | NS_LAN1="vlan310"
| | NS_LAN2="vlan314"
| | LAN1="vlan300"
| | LAN2="vlan304"
| |
| | # don't do any filtering on these devices
| | # only "public" side is filtered since you only
| | # need to filter on one side of the bridge
| | set skip on { lo $NS_LAN2 $LAN2 $LAN1 }
| |
| | # scrub incoming packets
| | match in all scrub (no-df)
| |
| | # block any host deemed for whatever reason to be bad
| | # be meaner and just drop them which will use resources
| | # of the attacker slightly longer
| | block drop from
| | block drop from
| |
| | # By default, do not permit remote connections to X11
| | # all X11 traffic should be tunnelled through SSH
| | block in quick on ! lo0 proto tcp to port 6000:6010
| |
| | # Allow ping and traceroute through
| | pass quick log (to pflog1) inet proto icmp from any to any icmp-type
| | echoreq keep state
| |
| | # traffic from these hosts should never be blocked
| | pass quick from
| | pass to
| |
| | ### LAN1 RULES ###
| | ###
| | # Block access to FASNET
| | block in log on $NS_LAN1 all
| |
| | # use modulate state to generate stronger ISNs on outgoing packets
| | # for OSs that don't already generate them
| | pass out quick log (to pflog1) on $NS_LAN1
|
| I should also mention that I tried adding a pass quick on $NS_LAN1
| from 192.168.18.0/25 rule and this did not solve the problem either.

Problem solved. No worries. Move along, nothing to see here.

--
James A. Peltier
Re: Benchmarking guidelines for NAS/Samba
- Original Message -
| Hi everyone.
|
| Just recently installed obsd 4.9 and setup samba to run on it for use
| at home.
| I am currently getting transfer rates of 8,9 MB/second on a 100 Mbit
| connection. I would like maybe in the future to upgrade it into a
| better machine with a Gb connection, maybe throw some RAID controller
| into it, but first I am interested in learning how to benchmark it and
| figure out where the bottlenecks are on the current machine.
| The current machine contains a VIA C3 1GHz processor, 512 MB RAM, 100
| Mbit Ethernet and a SATA HDD. (old mini-itx form factor board I had at
| home unused)
|
| Can anyone give me some directions, point me to the right tools to
| use, etc ?
|
| Regards,
| Henrique

The samba documentation is rather good. You could read through it paying particular attention to things like tcp_nodelay, oplocks, etc. For a small home network you're not likely to see any substantial improvements but these little tweaks can help. It seems like you're already getting pretty decent performance out of your existing box now.

--
James A. Peltier
Re: OpenBSD on Dell PowerEdge
- Original Message -
| On 2011-08-08, Michael Lechtermann wrote:
| > Hi all,
| >
| > for a new loadbalancer setup that should replace two old F5s the plan
| > is to use OpenBSD/relayd.
| >
| > Looking at the specs, a Dell R410 (or R610) would meet the requirements
| > regarding hot-swap HDDs (RAID 1) and redundant power supply, but...
|
| R310 can do that too, dmesg from -current below.
|
| > Can anyone please confirm that OpenBSD is running on that hardware and
| > what raid controller would be a good choice?
|
| H200 (mpii) works ok. H700 (mfi) is faster but I guess you probably won't
| be needing super-fast disks on a relayd box.
|
| > The boxes are also to have 6 network interfaces. Which additional Quad
| > NIC would be the best to take, Broadcom or Intel?
|
| I don't ever recall seeing a quad Broadcom nic.

I think there is an issue with Broadcom cards and VLANs IIRC. On the Dell R200 I have, the integrated bge drivers do not seem to support VLANs; other cards might not have issues but YMMV.

--
James A. Peltier
Re: OpenBSD on Dell PowerEdge
- Original Message -
| James A. Peltier [jpelt...@sfu.ca] wrote:
| >
| > I think there is an issue with Broadcom cards and VLANs IIRC. On the
| > Dell R200 I have the integrated bge drivers do not seem to support
| > VLANs, other cards might not have issues but YMMV.
|
| This isn't supposed to be broken, get the device ID of your R200's bge
| so that someone can properly adjust the driver. A description of your
| test is helpful as well.

I'll get that back after I upgrade to the latest snapshot during our semester maintenance outage. It might work on later revisions but I'm not sure. I'll test it though before filing a bug. As of now, here is the bge0 information from dmesg:

bge0 at pci4 dev 0 function 0 "Broadcom BCM5721" rev 0x21, BCM5750 C1 (0x4201): apic 2 int 16 (irq 15), address 00:25:64:3c:c1:0a
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
bge1 at pci5 dev 0 function 0 "Broadcom BCM5721" rev 0x21, BCM5750 C1 (0x4201): apic 2 int 17 (irq 14), address 00:25:64:3c:c1:0b
brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0

--
James A. Peltier
network fails to start with firewall enabled. Used to work..
p } from to any port $ARD_PORTS

# Allow FTP traffic to our compute servers
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to oak.example.com port ftp
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to dogwood.example.com port ftp
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to css.example.com port ftp

# Allow syslog traffic from ra1.example.com and ra2.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from ra1.example.com to any port syslog
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from ra2.example.com to any port syslog

# Allow external access to asb10830craig.example.com
# RT 151528
pass log (to pflog1) quick on $NS_FASNET proto tcp from any to asb10830craig.example.com port 8085

# Allow redbug access to fornax
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from redbug.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from web.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from gradpcs.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from onara.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from intraweb.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from gradebook.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from cmpt165.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from portal.example.com to fornax.example.com

# Allow all access to PlanetLab test machines from anywhere on unprivileged ports
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to port 1025:65535

# Allows all traffic into FASNET
# USE FOR TESTING ONLY
#pass in log (to pflog1) on $NS_FASNET keep state

--
James A. Peltier
Re: CVS
- Original Message -
| Why does it say on http://www.openbsd.org/anoncvs.html
|
| a.. NOTE: If you are updating a source tree that you initially fetched from
| a different server, or from a CD, you must add the -d
| anon...@anoncvs.ca.openbsd.org:/cvs options to cvs.
| # cd /usr/src
| # cvs -d anon...@anoncvs.ca.openbsd.org:/cvs -q up -Pd
| Why? But this is not mentioned on
| http://www.openbsd.org/faq/faq5.html#BldGetSrc in the section on
| Pre-loading the tree ?

Because the tarball does not contain CVS server information, just a clean tree which you can then use a CVS server to update from. Once you've run the cvs up, the local tree keeps track of the current cvs server you are fetching from.

--
James A. Peltier
Re: vlan and pf
- Original Message -
| Hi folks,
|
| does openbsd firewall handle vlan interfaces ?
|
| Thanks in advance.
|
| []s,
|
| Gustavo

Nope sorry!

man vlan, man ifconfig (search for VLAN) ;)

# cat /etc/hostname.vlan300
vlan 300 vlandev em1

--
James A. Peltier
Re: network bandwith with em(4)
Those documents do not necessarily apply any more. Don't go tweaking knobs until you know what they do. We have machines here that transfer nearly a gigabit of traffic/s without tuning, in bridge mode nonetheless. Are you seeing any packet congestion markers (counter congestion) in systat pf? If so you might not have sufficient states available. What about fragmentation? Interface errors? There are many other non-tweakable issues that could cause this.

- Original Message -
| On Tue, 22 Feb 2011 11:19:26 -0600,
| Mark Nipper wrote:
|
| > > The problem is that we don't get more than ~320 Mbits/s of
| > > bandwidth
| > > between the internal networks and internet (gigabit).
| >
| > Have you already looked at:
| > ---
| > https://calomel.org/network_performance.html
|
| Yes thanks. I've already increased the size of the
| net.inet.ip.ifq.maxlen.
|
| But I don't see the point of these tunings for a firewall. IMHO, it
| could help for a host handling tcp/udp connections.
|
| Anyway, I've tried, that does not change anything and I don't think it
| should.
|
| I'm not a network expert, I could be wrong. Let's see:
|
| ## Calomel.org OpenBSD /etc/sysctl.conf
| ##
| kern.maxclusters=128000 # Cluster allocation limit
|
| = netstat -m reports a peak of *only* 2500 mbufs used.
|
| net.inet.ip.mtudisc=0 # TCP MTU (Maximum Transmission Unit)
|
| = still at "1". I don't use scrub in pf or mss clamping.
|
| net.inet.tcp.ackonpush=1 # acks for packets with the push bit
|
| = only one TCP connection on the firewall (ssh).
|
| net.inet.tcp.ecn=1 # Explicit Congestion Notification enabled
|
| net.inet.tcp.mssdflt=1472 # maximum segment size (1472 from scrub
| pf.conf)
|
| = same here, I guess the default mss is for connections from the
| machine. tcpdump shows that the mss is negotiated around 1450. Looks
| good.
|
| net.inet.tcp.recvspace=262144 # Increase TCP "receive" window size
| to increase performance
|
| = same, no tcp nor udp...
|
| Am I wrong?
|
| Thanks, regards.

--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573 Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier
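The checks suggested in the reply above (pf congestion counter, state table headroom, fragments, interface errors) as an added example, not code from the post or from OpenBSD: a small Python triage script that parses the kind of output `pfctl -si`, `pfctl -sm` and `netstat -i` print. The three sample outputs embedded below are constructed to look like those commands; on a real firewall you would feed it the real output, and the names `parse_pf_counters`, `parse_pf_limits`, `parse_netstat_i` and `triage` are this example's own.

```python
"""Triage the non-tunable causes of poor throughput named in the post:
pf congestion, state-table exhaustion, fragments and interface errors.

Added example, not from the mailing-list post.  The three outputs below are
constructed samples in the layout of OpenBSD's `pfctl -si`, `pfctl -sm` and
`netstat -i`; replace them with the real command output on a live box.
"""
import re

PFCTL_SI = """\
Status: Enabled for 3 days 04:12:51           Debug: err

State Table                          Total             Rate
  current entries                     9650
  searches                       812345678         3120.0/s
  inserts                          1234567            4.7/s
  removals                         1224917            4.7/s
Counters
  match                            2345678            9.0/s
  bad-offset                             0            0.0/s
  fragment                            4120            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                           317            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                        12            0.0/s
  state-insert                           0            0.0/s
  state-limit                           88            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
"""

PFCTL_SM = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   200000
"""

NETSTAT_I = """\
Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
em0     1500  <Link>      00:00:5e:00:53:01 912345678  5021 77654321     0     0
em1     1500  <Link>      00:00:5e:00:53:02  88765432     0 91234567     3     0
lo0     32768 <Link>                            123456     0   123456     0     0
"""


def parse_pf_counters(text):
    """Return {name: total} for the indented 'State Table' and 'Counters' rows."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"\s+([a-z-]+(?: entries)?)\s+(\d+)", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def parse_pf_limits(text):
    """Return {name: hard_limit} from `pfctl -sm` style rows."""
    limits = {}
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+hard limit\s+(\d+)", line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def parse_netstat_i(text):
    """Return {ifname: (ipkts, ierrs, opkts, oerrs)} from `netstat -i` output."""
    stats = {}
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 8:
            continue
        # Count columns from the right: the Address column may be empty (lo0).
        ipkts, ierrs, opkts, oerrs = (int(x) for x in parts[-5:-1])
        stats[parts[0]] = (ipkts, ierrs, opkts, oerrs)
    return stats


def triage(pf_si, pf_sm, netstat_i, state_warn=0.9):
    """Apply the post's checks and return a list of human-readable findings."""
    c = parse_pf_counters(pf_si)
    lim = parse_pf_limits(pf_sm)
    findings = []
    if c.get("congestion", 0):
        findings.append(f"pf congestion counter is {c['congestion']}: packets "
                        "arrived while the IP input queue was congested and were dropped")
    used, limit = c.get("current entries", 0), lim.get("states", 0)
    if limit and used >= state_warn * limit:
        findings.append(f"state table at {used}/{limit} entries: raise 'set limit states'")
    if c.get("state-limit", 0):
        findings.append(f"state-limit hit {c['state-limit']} times: new states were refused")
    if c.get("fragment", 0):
        findings.append(f"{c['fragment']} fragments seen: check MTU along the path")
    for ifn, (_ipkts, ierrs, _opkts, oerrs) in parse_netstat_i(netstat_i).items():
        if ierrs or oerrs:
            findings.append(f"{ifn}: {ierrs} input / {oerrs} output errors: "
                            "check cabling, duplex and the driver")
    return findings


if __name__ == "__main__":
    for line in triage(PFCTL_SI, PFCTL_SM, NETSTAT_I):
        print(line)
```

Each finding points at one of the conditions the reply asks about before any sysctl is touched; the thresholds (90% of the state limit, any non-zero counter) are this example's choices, not pf defaults.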
Re: network bandwith with em(4)
- Original Message - | On Thu, Mar 03, 2011 at 09:11:13AM +0100, Manuel Guesdon wrote: | > On Thu, 3 Mar 2011 00:51:46 + (UTC) | > Stuart Henderson wrote: | > | > >| On 2011-02-28, Manuel Guesdon | > >| wrote: | > >| > http://www.oxymium.net/tmp/core3-dmesg | > >| | > >| "ipmi0 at mainbus0: version 2.0 interface KCS iobase 0xca2/2 | > >| spacing 1" | > >| | > >| ipmi is disabled in GENERIC. have you tried without it? | > | > Not on this server (I can't reboot it often) but on another one with | > same | > hardware: it doesn't seems to make difference (it still have Ierr). | > | | This diff will help. | I think we already mentioned it that you will always see Ierr. The | question is if the box is able to forward more then 150kpps. | | -- | :wq Claudio | | Index: if_em.c | === | RCS file: /cvs/src/sys/dev/pci/if_em.c,v | retrieving revision 1.249 | diff -u -p -r1.249 if_em.c | --- if_em.c 13 Feb 2011 19:45:54 - 1.249 | +++ if_em.c 3 Mar 2011 10:01:39 - | @@ -3194,14 +3194,7 @@ em_update_stats_counters(struct em_softc | ifp->if_collisions = sc->stats.colc; | | /* Rx Errors */ | - ifp->if_ierrors = | - sc->dropped_pkts + | - sc->stats.rxerrc + | - sc->stats.crcerrs + | - sc->stats.algnerrc + | - sc->stats.ruc + sc->stats.roc + | - sc->stats.mpc + sc->stats.cexterr + | - sc->rx_overruns; | + ifp->if_ierrors = 0; | | /* Tx Errors */ | ifp->if_oerrors = sc->stats.ecol + sc->stats.latecol + Hey Claudio, Thanks! This diff helped and now my errors have gone to zero! LOL! That was funny. -- James A. Peltier IT Services - Research Computing Group Simon Fraser University - Burnaby Campus Phone : 778-782-6573 Fax : 778-782-3045 E-Mail : jpelt...@sfu.ca Website : http://www.sfu.ca/itservices http://blogs.sfu.ca/people/jpeltier
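Review bot: the replacement `ifp->if_ierrors = 0;` in em_update_stats_counters() throws away the whole Rx error sum (dropped_pkts, rxerrc, crcerrs, algnerrc, ruc, roc, mpc, cexterr, rx_overruns), so `netstat -i` will report zero input errors no matter what the hardware counted. That masks CRC, alignment and overrun problems that operators use to spot bad cabling, a failing link or a driver that cannot keep up with the packet rate; it does not fix them. If one of those counters is considered noise on this hardware, the change should drop only that term and keep the rest of the sum, and the commit text should say which counter and why.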
Re: Choosing a window manager...
- Original Message -
| thx bryan.
|
| btw. im atheist.

I've always found it important to believe in something. I'm of the belief that I'm always right and everyone else is wrong. It helps me get through the day. ;)

--
James A. Peltier
Re: new upper limit with BIGMEM
- Original Message -
| > > real mem = 137428045824 (131061MB)
| > > avail mem = 133755703296 (127559MB)
| > >
| > > seems to work ok...
| >
| > But have you hit the limit?
| >
| The sky is the limit, but his is not a flying machine.
|
| Miod

Umm, we conquered the skies a while ago. Really the solar system is the limit currently.

--
James A. Peltier
Recommended PCI-E adaptor with fibre connection
Hi All,

I'm looking for a new 1Gb or 10Gb PCI-E adaptor with fibre connections. Can anyone make some recommendations on a good performing adapter under OpenBSD? I see there has been a lot of work going on with the Intel ix(4) based adapters; would these be the recommended cards to use in the 10Gb department? If so, what have the developers been using to test/develop this driver with?

--
James A. Peltier
Re: Recommended PCI-E adaptor with fibre connection
- Original Message -
| Hi All,
|
| I'm looking for a new 1Gb or 10Gb PCI-E adaptor with fibre
| connections. Can anyone make some recommendations on a good performing
| adapter under OpenBSD. I see there has been a lot of work going on
| with the Intel ix(4) based adapters would these be the recommended
| cards to use in the 10Gb department? If so what have the developers
| been using to test/develop this driver with?

Anyone have any comments/problems with the following cards? The following cards look to be well supported.

I'm specifically talking about the Intel Gigabit EF Dual port SX adaptor based on the Intel 82576 Gigabit Ethernet Controller. This card supports full hardware virtualization, which the others don't, so I'd likely go with it even though OpenBSD doesn't do H/W virtualization.

http://www.intel.com/Products/Server/Adapters/Gb-EF-Dual-Port/Gb-EF-Dual-Port-overview.htm

For 10GbE the following adaptor looks to be quite good and supported, using the Intel 82599 10 Gigabit Ethernet Controller:

http://www.intel.com/Products/Server/Adapters/X520/ethernet-X520-overview.htm

--
James A. Peltier
Re: nfsv4?
- Original Message -
| > Pardon my ignorance in this matter, but what is it that is
| > unpleasing? The complexity of it? From my understanding, NFSv4 is
| > more firewall friendly, using only port 2049, and can also be
| > kerberized for additional security. Can OpenBSD's NFS implementation
| > do that?
|
| NFSv4 is a gigantic joke on everyone.

IMO, so is the notion of divine deities, but that doesn't answer the original poster's question, nor my response to Henning.

We implemented NFSv4 using AD, Kerberos, GNU/Linux and Mac OS X, no OpenBSD though, and to me complexity was the biggest issue. It was very difficult because of all the potential points of breakage and inter-dependency. Out of all of the protocols though it was the most transparent for our multi-platform support.

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573 Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_s...@hotmail.com
Re: nfsv4?
- Original Message -
| > | > Pardon my ignorance in this matter, but what is it that is
| > | > unpleasing? The complexity of it? From my understanding, NFSv4
| > | > is
| > | > more firewall friendly, using only port 2049, and can also be
| > | > kerberized for additional security. Can OpenBSD's NFS
| > | > implementation
| > | > do that?
| > |
| > | NFSv4 is a gigantic joke on everyone.
| >
| > IMO, so is the notion of divine deities, but that doesn't answer the
| > original poster's question, nor my response to Henning.
| >
| > We implemented NFSv4 using AD, Kerberos, GNU/Linux and Mac OS X, no
| > OpenBSD
| > though, and to me complexity was the biggest issue. It was very
| > difficult
| > because of all the potential points of breakage and
| > inter-dependency.
|
| > Out of all of the protocols though it was the most transparent for
| > our multi-platform support.
|
| Hahahahaha. That's a good one.
|
| I guess by "all the other protocols" you must be rejecting all the
| rest
| of your network traffic as "not protocols" or "not services".

Okay, let me rephrase it then.

In order to support file services for all of the OS platforms we support, across all the campuses we support, Kerberized NFSv4 fit the bill best.

--
James A. Peltier
Re: nfsv4?
- Original Message -
| > | I guess by "all the other protocols" you must be rejecting all the
| > | rest
| > | of your network traffic as "not protocols" or "not services".
| >
| > Okay, let me rephrase it then.
| >
| > In order to support file services for all of the OS platforms we
| > support, across all the campuses we support, Kerberized NFSv4 fit
| > the bill best.
|
| The comedy just never ends.

Glad I can amuse you. I still find it funny that an answer hasn't been received as well. :)

--
James A. Peltier
Re: nfsv4?
- Original Message -
| > | > | I guess by "all the other protocols" you must be rejecting all
| > | > | the
| > | > | rest
| > | > | of your network traffic as "not protocols" or "not services".
| > | >
| > | > Okay, let me rephrase it then.
| > | >
| > | > In order to support file services for all of the OS platforms we
| > | > support, across all the campuses we support, Kerberized NFSv4
| > | > fit
| > | > the bill best.
| > |
| > | The comedy just never ends.
| >
| > Glad I can amuse you. I still find it funny that an answer hasn't
| > been received as well. :)
|
| You don't listen well either.

I listen quite well, just recently had my hearing tested in fact, doctor said it was perfect. That said, the garbage that was spewed before did not have anything of substance prior to this post.

| NFSv4 is not on our roadmap. It is a ridiculous bloated protocol
| which they keep adding crap to. In about a decade the people who
| actually start auditing it are going to see all the mistakes that it
| hides.

Great! OpenBSD will not support NFSv4. Period! This is an answer. Now the O.P. will know that NFSv4 is not going to happen, putting to rest the idea of any sort of NFSv4 services from OpenBSD.

| The design process followed by the NFSv4 team members matches the
| methodology taken by the IPV6 people. (As in, once a mistake is made,
| and 4 people are running the test code, it is a fact on the ground and
| cannot be changed again). The result is an unrefined piece of trash.

Also, a much more useful answer. I look forward to seeing a multi-platform, secure file service being developed by OpenBSD developers that doesn't suck as much as IPv6 or NFSv4. It's certainly possible that your team can do it by looking at the other successful projects.

Now, that said, is there anything that you could recommend instead of NFSv4 for offering secure file services to multiple platforms?

My research only led me to NFSv4 and AFS, and AFS would have been a much, much larger project for us than a move to NFSv4 from NFSv3 w/Samba re-shares.

--
James A. Peltier
Re: nfsv4?
- Original Message -
| On Oct 27 11:31:31, James A. Peltier wrote:
| > - Original Message -
| > | > Pardon my ignorance in this matter, but what is it that is
| > | > unpleasing? The complexity of it? From my understanding, NFSv4
| > | > is
| > | > more firewall friendly, using only port 2049, and can also be
| > | > kerberized for additional security. Can OpenBSD's NFS
| > | > implementation
| > | > do that?
| > |
| > | NFSv4 is a gigantic joke on everyone.
| >
| > IMO, so is the notion of divine deities, but that doesn't answer the
| > original poster's question, nor my response to Henning.
| >
| > We implemented NFSv4 using AD, Kerberos, GNU/Linux and Mac OS X, no
| > OpenBSD though, and to me complexity was the biggest issue. It was
| > very difficult because of all the potential points of breakage and
| > inter-dependency. Out of all of the protocols though it was the most
| > transparent for our multi-platform support.
|
| You mean, NFSv4 seems more "transparent" to you (whatever that means)
| than, say, NFSv2?

No, in that NFSv4 with Kerberos was an easier move from NFSv3 than to move to something like AFS, which it seems would have required much more work to migrate the existing systems.

--
James A. Peltier
Re: nfsv4?
- Original Message -
| James A. Peltier wrote:
|
| > Now, that said, is there anything that you could recommend instead
| > of NFSv4 for offering secure file services to multiple platforms?
|
| Apache with SSL may be a solution. I've used it on small scale
| projects.
| You can auth users against LDAP, AD, etc. Should work with any client
| that has a SSL capable web browser/client of some sort. It's very
| portable, file system and client agnostic.
|
| The one downside (IMO) is that the clients won't see it as a native
| file
| system mount, but there are interfaces available and you can always
| write your own or customize one to fit your needs.
|
| Your own little dropbox-ish solution.
|
| Brad

I deal with research data, most of which is tens to hundreds of gigabytes in size, so it's not a solution for me, but we did evaluate that for some smaller scale uses.

Our users are used to typing cd /cs/ and having their files be available to them. They are used to seeing the same files in the UNIX home as in their Windows or Mac shares. This better describes what I mean by transparent.

--
James A. Peltier
Re: nfsv4?
- Original Message -
| On Wed, 2010-10-27 at 14:26 -0700, James A. Peltier wrote:
| > - Original Message -
|
| > | You mean, NFSv4 seems more "transparent" to you (whatever that
| > | means)
| > | than, say, NFSv2?
| >
| > No, in that NFSv4 with Kerberos was an easier move from NFSv3 than
| > to move to something like AFS, which it seems would have required
| > much more work to migrate the existing systems.
|
| What problem were you trying to solve by moving to NFSv4 from NFSv3?
|
| AFS was interesting in 1990. It also had some security flaws that led
| to it being sunset in many environments by about 1998. It also had
| some
| damn annoying issues with cache coherency between systems which made
| it
| a nightmare for running circuit simulations and synthesis on a
| cluster.
| DCE/DFS was interesting 12-15 years ago, but lacked wide platform
| adoption and was essentially killed off when key people quit working
| on
| it in 2000.
|
| If you're actually writing oodles and oodles from many servers at
| once,
| you're going to want a cluster filesystem suitable for scientific
| computing.
| If you're doing manipulation of the files from workstations... you go
| with whatever is supported on them... but I'm not seeing OpenBSD as a
| prime candidate for workstations.
|
| Thanks,
| Chris Dukes

The move to NFSv4, more specifically NFSv4 with Kerberos security, was to continue to be able to provide our users the ability to log into any UNIX, GNU/Linux or Mac OS X machine and have their home directories be mounted on each of those platforms. We are currently doing this with NFSv3 and NIS. VLANs were used to segment this insecure environment from the rest of the university network.

We are now moving towards a larger campus wide solution, one where VLANs are not permitted, nor is MPLS/VRF functionality currently available. We are also moving towards single sign on using AD 2008 w/Kerberos tickets for secure access to file system mounts.

This better allows us to provide relatively secure file system access using fixed or automounts to other campuses over insecure networks at varying levels of security based on mounts and security requirements.

As I stated earlier, I'm not doing any NFSv4 with OpenBSD. I am using Solaris, OS X, GNU/Linux and Windows mostly in my environment. I was just interested more towards why NFSv4 was deemed so bad. This has now been pointed out much more clearly in recent posts, but it still seems to be the best of the worst choice.

--
James A. Peltier
Re: nfsv4?
- Original Message -
| On Oct 27 15:28:37, James A. Peltier wrote:
| > - Original Message -
| > | James A. Peltier wrote:
| > |
| > | > Now, that said, is there anything that you could recommend
| > | > instead
| > | > of NFSv4 for offering secure file services to multiple
| > | > platforms?
| > |
| > | Apache with SSL may be a solution. I've used it on small scale
| > | projects.
| > | You can auth users against LDAP, AD, etc. Should work with any
| > | client
| > | that has a SSL capable web browser/client of some sort. It's very
| > | portable, file system and client agnostic.
| > |
| > | The one downside (IMO) is that the clients won't see it as a
| > | native
| > | file
| > | system mount, but there are interfaces available and you can
| > | always
| > | write your own or customize one to fit your needs.
| > |
| > | Your own little dropbox-ish solution.
| > |
| > | Brad
| >
| > I deal with research data. Most of which are tens to hundreds of
| > gigabytes in size, so it's not a solution for me, but we did
| > evaluate that for some smaller scale uses.
| >
| > Our users are used to typing cd /cs/ and having their
| > files be available to them. They are used to seeing the same files
| > in the UNIX home as is in their Windows or Mac shares. This better
| > describes what I mean by transparent.
| >
|
| OK. So what exactly does NFSv4 do for you in this situation
| that NFSv3 did not? Also, exactly which NFS client (v3, v4)
| are you using on Windows?

What it offers:
Kerberos security,
selectable security level (-o sec=krb5/krb5i/krb5p),
firewall friendly

For Windows, we re-share the NFS volume via Samba or have them speak directly to a NetApp that speaks AD/Kerberos.

--
James A. Peltier
Re: nfsv4?
- Original Message -
| On Fri, 29 Oct 2010 08:23 +0200, "Henning Brauer"
| wrote:
| > * James A. Peltier [2010-10-28 20:23]:
| > > What it offers:
| > > Kerberos security,
| >
| > what again?
| >
| > > selectable security level (-o sec=krb5/krb5i/krb5p),
| >
| > ha ha ha ha
| >
| > > firewall friendly
| >
| > right
|
| And this huge infrastructure creation (nfsv4/Kerberos/blah blah) all
| so
| his users can type 'cp' and 'mv' instead of 'put' and 'get'?
| I don't get it.
| Also the last time I checked SFTP was supported on all the
| platforms he listed
| Or did I miss something?

No, I cannot just put and get. Moving hundreds of gigabytes of medical imaging data around with FTP/SSH would be out of the question.

--
James A. Peltier
Re: nfsv4?
- Original Message -
| On 2010-10-28, James A. Peltier wrote:
| > What it offers:
| > Kerberos security, selectable security level (-o
| > sec=krb5/krb5i/krb5p), firewall friendly
|
| authentication != security

My apologies, you are correct, and so I change "selectable security levels" to selectable authentication levels.

--
James A. Peltier
Re: nfsv4?
- Original Message -
| On 2010-10-29 11.28, Eric Furman wrote:
| > On Fri, 29 Oct 2010 08:23 +0200, "Henning Brauer"
| >> * James A. Peltier [2010-10-28 20:23]:
| >>> What it offers:
| >>> Kerberos security,
| >> what again?
| >>> selectable security level (-o sec=krb5/krb5i/krb5p),
| >> ha ha ha ha
| >>> firewall friendly
| >> right
| > And this huge infrastructure creation (nfsv4/Kerberos/blah blah) all
| > so
| > his users can type 'cp' and 'mv' instead of 'put' and 'get'?
| > I don't get it.
| > Also the last time I checked SFTP was supported on all the
| > platforms he listed
| > Or did I miss something?
|
| Oh come on, surely you can't fail to realize that there are actually
| benefits to having all your data on one place, always? Especially if
| you
| have an environment where you might need to access it from several
| different platforms.
|
| Not only in terms of user friendliness but also to avoid the problem
| of
| having to cope with several versions of the same data, or even the
| problem of the data producer and consumer not being the same. And
| those
| were just some examples where a central networked file system comes in
| really handy.
|
| (That the available options to solve the problem may not be perfect is
| another matter entirely. I'm sure you can still appreciate the fact
| that
| the need may exist?)
|
|
| Regards,
|
| /Benny
|
|
| --
| internetlabbet.se / work: +46 8 551 124 80 / "Words must
| Benny Löfgren / mobile: +46 70 718 11 90 / be weighed,
| / fax: +46 8 551 124 89 / not counted."
| / email: benny -at- internetlabbet.se

Sure they can! All these people ridiculing the choices have super advanced disk deduplication systems and infinite amounts of disk space which allows them to have tens of thousands of copies of the same data scattered everywhere. I mean, why would anyone ever want to try to securely share files from a centralized location? That's insanity!

--
James A. Peltier
Re: nfsv4?
| > No I cannot just put and get. Moving hundreds of gigabytes of
| > medical imaging data around with FTP/SSH would be out of the
| > question.
|
| Yet moving hundreds of gigabytes of medical imaging data
| around with NFS is OK. More specifically yet, moving them
| around with NFSv4 is OK, but moving them around with NFSv3
| is not. Right?
|
| Let's stay technical: what exactly does NFSv4 do for you in your
| situation that NFSv3 does not? "Kerberos security", as in "users
| authenticate themselves"? "Firewall friendly"? How exactly is
| NFSv4 more "firewall friendly" than NFSv3?
|
| (Don't get me wrong: I want a multi-platform shared storage too.
| I do it with NFSv3. You use NFSv4, Kerberos, and Samba. How exactly
| is that better?)
|
| Do you need file access or file transfer, in the sense of
| Callahan's standard "NFS Illustrated" book?
|
| Jan

Okay, while we do employ NIS/NFSv3 now, this is on a completely segmented network. The data that is being transferred is separate from the rest of the network.

In the new setup this will not be the case. It was but one example of why NFSv4 might be chosen over NFSv3.

The added Kerberos authentication is but one step in providing additional data security. I understand that it does not substitute for good password security. It was but one example of why NFSv4 might be chosen over NFSv3.

NFSv4 with Kerberos supports encryption. While using krb5p, every communication between client and server is sent over the wire after it was encrypted, which was not supported by NFSv3.

NFSv4 is stateful and uses a single port, port 2049.

I am looking for file access just like we are currently providing with NFSv3. We just need to add additional levels of security in the sense of authentication and access control to work across a less secure, non-segmented network.

I am *not* using OpenBSD for *any* of this. I was merely attempting to offer input as to why someone *might* require NFSv4.

--
James A. Peltier
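A model of the three protection levels named in this thread (the `-o sec=krb5/krb5i/krb5p` mount option mentioned earlier and the krb5p encryption described just above), added here as an example; it is not code from any post, from an NFS implementation, or the RPCSEC_GSS wire format. The Kerberos session key is replaced by a constructed shared secret, integrity by HMAC-SHA256 and privacy by a SHA-256 keystream; the functions `protect`, `unprotect` and `on_path_observer` and the sample request are this example's own. What it shows is the distinction behind the "authentication != security" correction earlier in the thread: at krb5 an observer on the non-segmented network can both read and silently alter a request, at krb5i alteration is detected but the data is still readable, and at krb5p neither is possible.

```python
"""Model of NFSv4/RPCSEC_GSS protection levels: sec=krb5, krb5i, krb5p.

Added example, not from the thread and not the real protocol.  A constructed
shared secret stands in for the Kerberos session key; HMAC-SHA256 stands in
for the GSS integrity token and a SHA-256 keystream for the GSS wrap token.
"""
import hashlib
import hmac
import os

TAG_LEN = 32    # HMAC-SHA256 output
NONCE_LEN = 16


def _keystream(key, nonce, length):
    """Expand key+nonce into a keystream (toy stand-in for the real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def protect(level, key, payload, nonce=None):
    """Return the bytes the client puts on the wire for one request."""
    if level == "krb5":                    # authentication only: payload as-is
        return payload
    if level == "krb5i":                   # integrity: payload + MAC, readable
        return payload + hmac.new(key, payload, "sha256").digest()
    if level == "krb5p":                   # privacy: encrypt, then MAC the ciphertext
        nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
        ct = bytes(a ^ b for a, b in zip(payload, _keystream(key, nonce, len(payload))))
        return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
    raise ValueError(f"unknown sec level {level!r}")


def unprotect(level, key, wire):
    """Server side: verify and unwrap what arrived; returns (ok, payload)."""
    if level == "krb5":
        return True, wire                   # nothing to check beyond the credential
    if level == "krb5i":
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        ok = hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest())
        return ok, (body if ok else None)
    if level == "krb5p":
        nonce, ct, tag = wire[:NONCE_LEN], wire[NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
            return False, None
        pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
        return True, pt
    raise ValueError(f"unknown sec level {level!r}")


def on_path_observer(level, key, wire, marker=b"WRITE"):
    """What someone on the wire learns and can do without the key.

    Returns (payload_readable, modification_detected_by_server).  The
    observer flips one bit of the first byte; the server's verdict tells
    whether that level would have caught it.
    """
    readable = marker in wire
    tampered = bytearray(wire)
    tampered[0] ^= 0x01
    ok, _ = unprotect(level, key, bytes(tampered))
    return readable, not ok


if __name__ == "__main__":
    key = b"constructed-session-key"       # constructed, not a real Kerberos key
    req = b"WRITE /home/alice/scan001.dcm offset=0 len=4096"
    for lvl in ("krb5", "krb5i", "krb5p"):
        readable, caught = on_path_observer(lvl, key, protect(lvl, key, req))
        print(f"{lvl:6s} readable on wire: {readable!s:5s} tampering detected: {caught}")
```

In the real protocol krb5p wraps only the RPC call arguments and results; the RPC header, which includes the GSS credential, stays in the clear. The model keeps that spirit by authenticating the nonce and ciphertext with the same secret, so a flipped bit anywhere in the message fails verification before anything is decrypted.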
Re: nfsv4?
- Original Message -
| On Fri, 29 Oct 2010 06:05:28 -0700 (PDT)
| "James A. Peltier" wrote:
|
| > No I cannot just put and get. Moving hundreds of gigabytes of
| > medical imaging data around with FTP/SSH would be out of the
| > question.
|
| Why?
|
| I imagine you know but FTP/SSH != sftp

Yes, I do. I was lumping FTP, SCP, SFTP into that group of choices.

| Do you think ssh is too slow and unreliable?

I don't think it's too slow, I know it for my purposes.

| Don't you have a duty to secure that medical data for many reasons,
| obviously not jeopardising lives being paramount via reliability first
| and speed, does nfs offer that.

Yes, but the data is mostly scrubbed of personal info.

| Seems all you need is interfaces for sftp?

At face value it would seem that way, but you need to remember that each and every SFTP/SCP is a duplicate of the data.

| >> and have their home directories be mounted on each of those
| >> platforms.
|
| >> I am using Solaris, OS X, GNU/Linux and Windows mostly
|
|
| If you're trusting a windows gui!!! with this data then why are
| others using the commandline put and get. Are your windows users using
| dir and copy.

No, the NFS share is re-exported out via Samba as a native CIFS mount to Windows machines. It's a simple copy paste for them.

| I do understand that you may be reluctant to change to something tried
| and tested but then you're moving to nfsv4.

It was the most logical step considering where we were and our needs.

--
James A. Peltier
Re: nfsv4?
- Original Message -
| On Fri, 29 Oct 2010 06:54:07 -0700 (PDT)
| "James A. Peltier" wrote:
|
| > I was merely attempting to offer input as to why someone *might*
| > require NFSv4.
|
| Fair enough but you haven't convinced me, how about ipsec, nfsv3,
| authpf etc, but I'd still investigate sftps applicability first.

IPSEC was also considered. This led to two points. First, we do not want to encrypt *everyone's* traffic, only research labs with an increased data security requirement. Second, these people are not all in one location and not all people in one location have the requirement; it was ruled out because of the number of possibilities for breakage.

Take for example a lab that might have 150 machines, 20 of which are engineering, 50 of which are split across several different types of research labs and the remaining computing science labs. Now only 3 in engineering, 40 research labs and 1 in computing science request increased data security. Sure, I could set up those individual workstations with IPSEC clients but that becomes more difficult to maintain. Deploying this is also more difficult to maintain. I'm not saying it's not possible, just more difficult.

To be honest, I'm not sure how AuthPF fits into this. Additionally, I'm not sure how it would fit into our HPC systems, but if you could provide additional detail it might be an option for me to consider.

As for SFTP or any other method that would duplicate data, I have already discussed why it is not a possibility. SSHFS *was and still is* a possibility but it was ruled out because of our HPC needs.

--
James A. Peltier
Re: nfsv4?
- Original Message -
| James A. Peltier wrote:
|
| > No, the NFS share is re-exported out via Samba as a native CIFS
| > mount to Windows machines. It's a simple copy paste for them
|
| CIFS? How do you encrypt that? That's all clear text (except the auth)
| right?
|
| Brad

Yes, you are correct. Only auth is encrypted and currently SMB/CIFS encryption is something that is not supported via Samba. At least not that I can see.

In cases where sensitive data, i.e. our medical imaging data, is being visualized, we employ remote visualization stations, such as the Dell R5400, which provides hardware OpenGL accelerated graphics to view and manipulate this data on this machine. For most other cases people are using the cluster to run various tasks on the data. All other uses are at the risk of the owner.

--
James A. Peltier
Re: nfsv4?
- Original Message -
| On Oct 29 07:22:22, James A. Peltier wrote:
| > - Original Message -
| > | On Fri, 29 Oct 2010 06:05:28 -0700 (PDT)
| > | "James A. Peltier" wrote:
| > |
| > | > No I cannot just put and get. Moving hundreds of gigabytes of
| > | > medical imaging data around with FTP/SSH would be out of the
| > | > question.
| > |
| > | Why?
| > |
| > | I imagine you know but FTP/SSH != sftp
| >
| > Yes I do. I was lumping FTP,SCP, SFTP into that group of choices.
| >
| > | Do you think ssh is too slow and unreliable?
| >
| > I don't think it's too slow, I know it for my purposes
| >
| > | Don't you have a duty to secure that medical data for many
| > | reasons,
| > | obviously not jeopardising lives being paramount via reliability
| > | first
| > | and speed, does nfs offer that.
| >
| > Yes, but the data is mostly scrubbed of personal info.
| >
| > | Seems all you need is interfaces for sftp?
| >
| > At face value it would seem that way, but you need to remember that
| > each and every SFTP/SCP is a duplicate of the data.
| >
| > | >> and have their home directories be mounted on each of those
| > | >> platforms.
| > |
| > | >>I am using Solaris, OS X, GNU/Linux and Windows mostly
| > |
| > |
| > | If your trusting a windows gui!!! with this data then why are
| > | others using the commandline put and get. Are your windows users
| > | using
| > | dir and copy.
| >
| > No, the NFS share is re-exported out via Samba as a native CIFS
| > mount to Windows machines. It's a simple copy paste for them
|
| "re-exported" puzzles me; you export the data via NFS to those clients
| who can speak NFS, and you export the same data via CIFS to those who
| speak CIFS. Right?

Yup!

--
James A. Peltier
Re: nfsv4?
- Original Message -
| On Oct 29 06:54:07, James A. Peltier wrote:
| >
| > | > No I cannot just put and get. Moving hundreds of gigabytes of
| > | > medical imaging data around with FTP/SSH would be out of the
| > | > question.
| > |
| > | Yet moving hundreds of gigabytes of medical imaging data
| > | around with NFS is OK. More specifically yet, moving them
| > | around with NFSv4 is OK, but moving them around with NFSv3
| > | is not. Right?
| > |
| > | Let's stay technical: what exactly does NFSv4 do for you in your
| > | situation that NFSv3 does not? "Kerberos security", as in "users
| > | authenticate themselves"? "Firewall friendly"? How exactly is
| > | NFSv4 more "firewall friendly" than NFSv3?
| > |
| > | (Don't get me wrong: I want a multi-platform shared storage too.
| > | I do it with NFSv3. You use NFSv4, Kerberos, and Samba. How
| > | exactly
| > | is that better?)
| > |
| > | Do you need file access or file transfer, in the sense of
| > | Callahan's standard "NFS Illustrated" book?
| > |
| > | Jan
| >
| > Okay, while we do employ NIS/NFSv3 now, this is on a completely
| > segmented network. The data that is being transferred is separate
| > from the rest of the network.
| >
| > In the new setup this will not be the case.
|
| You should have stated this clearly in the original mail:
| "we have a properly segmented/isolated network where we use
| NFSv3 to share data. Now the network will no longer be segmented
| and/or isolated. So I think I need NFSv4 now".
|

I had already pointed out that this network was segmented from the rest and I was not asking if I should use NFSv4. I was pointing out why someone might choose NFSv4. The fact that I am choosing to use it is somewhat irrelevant to the thread, but it exploded from the question of "why not to use NFSv4".

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_s...@hotmail.com
Re: nfsv4?
This discussion has deviated rather extensively from the O.P. question. As such it would likely be advisable to start a new thread to continue the discussion if people would like to continue. I, however, will likely no longer be able to participate because I have other things to work on. I would like to thank everyone for some of the thought provoking responses. It certainly brings to light some other possibilities that were posted on and off list.

Cheers!

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_s...@hotmail.com
OpenBSD bridge setup
Problem Description:

I'm trying to filter VLANs on the bridge. However, when enabling VLAN devices on the em1 interface the bridge does not work.

Test Setup:

The 2910AL-24G port 19 has its ports configured as TAGGED for VLAN 300 and VLAN 302 with no other VLANs enabled on this port. This cable enters the bridge via em0 of the bridge and em1 connects to port 1 on the HP5304XL which is configured for TAGGED VLAN 300 and VLAN 302. Port two is configured as VLAN 300 UNTAGGED.

HP2910AL-24G (port 19) --- OpenBSD Bridge --- HP 5304XL (port 1)

OS - OpenBSD 4.8-beta (GENERIC.MP) #259: Tue Aug 3 09:06:37 MDT 2010 (no difference with newer versions)
PF - Disabled

Two physical interfaces

em0
em1

VLAN devices
# cat /etc/hostname.vlan300
vlan 300 vlandev em1

# cat /etc/hostname.vlan302
vlan 302 vlandev em1

cat /etc/hostname.em0
up

cat /etc/hostname.em1
up

Working configuration but without filtering.
=
cat /etc/hostname.bridge0
add em0
add em1
up

With this configuration and no VLAN devices created the bridge works and the tags are passed appropriately, however I am unable to filter the traffic on the VLANs.

dhclient eth0 on client works fine
pinging out works fine

Non-Working configuration with hopes of filtering
==

However, as soon as I create the vlan300 devices with a parent of em1 the bridge stops functioning and the client on HP5304XL Port 2 (UNTAGGED VLAN 300) stops functioning. This remains the same even if I add the vlan300 and vlan302 devices to the bridge.

dhclient stops working
ping is dead

I'm stumped here. Any ideas?

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_s...@hotmail.com
Re: OpenBSD bridge setup
- Original Message -
| On 06.11.2010 03:23, James A. Peltier wrote:
| > Problem Description:
| >
| > I'm trying to filter VLANs on the bridge. However, when enabling
| > VLAN devices on the em1 interface the bridge does not work.
| >
| Hello
| >
| > Test Setup:
| >
| >
| > The 2910AL-24G port 19 has its ports configured as TAGGED for VLAN
| > 300 and VLAN 302 with no other VLANs enabled on this port. This
| > cable enters the bridge via em0 of the bridge and em1 connects to
| > port 1 on the HP5304XL which is configured for TAGGED VLAN 300 and
| > VLAN 302. Port two is configured as VLAN 300 UNTAGGED.
| >
| > HP2910AL-24G (port 19) --- OpenBSD Bridge --- HP 5304XL (port 1)
| >
| > OS - OpenBSD 4.8-beta (GENERIC.MP) #259: Tue Aug 3 09:06:37 MDT 2010
| > (no difference with newer versions)
| > PF - Disabled
| >
| > Two physical interfaces
| >
| > em0
| > em1
| >
| > VLAN devices
| > # cat /etc/hostname.vlan300
| > vlan 300 vlandev em1
| >
| > # cat /etc/hostname.vlan302
| > vlan 302 vlandev em1
| >
| > cat /etc/hostname.em0
| > up
| >
| > cat /etc/hostname.em1
| > up
| >
| >
|
| Make also 2 corresponding vlan devices on em1 (they must have
| different
| names than vlan300 and vlan302, but the same vlan tag )
| hostname.vlan300:
| vlan 300 vlandev em0
| hostname.vlan302:
| vlan 302 vlandev em0
| hostname.vlan1300:
| vlan 300 vlandev em1
| hostname.vlan1302:
| vlan 302 vlandev em1
|
|
| > Working configuration but without filtering.
| > =
| > cat /etc/hostname.bridge0
| > add em0
| > add em1
| > up
| >
|
| Make 2 bridges, one for vlan tag 300 and one for tag 302.
| Bridge0:
| add vlan300
| add vlan1300
| up
|
| Bridge1:
| add vlan302
| add vlan1302
| up
|
| Now you should be able to filter on bridge0 (vlan 300) and bridge1
| (vlan
| 302).
|
|
| guido
|
| > With this configuration and no VLAN devices created the bridge works
| > and the tags are passed appropriately, however I am unable to filter
| > the traffic on the VLANs.
| >
| > dhclient eth0 on client works fine
| > pinging out works fine
| >
| > Non-Working configuration with hopes of filtering
| > ==
| >
| > However, as soon as I create the vlan300 devices with a parent of
| > em1 the bridge stops functioning and the client on HP5304XL Port 2
| > (UNTAGGED VLAN 300) stops functioning. This remains the same even if
| > I add the vlan300 and vlan302 devices to the bridge.
| >
| > dhclient stops working
| > ping is dead
| >
| >
| > I'm stumped here. Any ideas?
| > --
| > James A. Peltier
| > Systems Analyst (FASNet), VIVARIUM Technical Director
| > Simon Fraser University - Burnaby Campus
| > Phone : 778-782-6573
| > Fax : 778-782-3045
| > E-Mail : jpelt...@sfu.ca
| > Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
| > http://blogs.sfu.ca/people/jpeltier
| > MSN : subatomic_s...@hotmail.com

Damn! Why didn't I think of that. Argh. Too tired. :)

Thanks all. :)

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_s...@hotmail.com
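The layout guido describes (one vlan(4) device per physical interface per tag, and one bridge(4) per tag, so the two physical interfaces are never bridged raw) written out as an added example; this is not code from the thread. It is a POSIX sh script that generates the hostname.if(5) files into a directory of your choosing and then checks the invariant that makes per-VLAN filtering work: every bridge has exactly two members, both carry the same tag, and they sit on different parents. The interface names em0/em1, the tags 300/302 and the vlan1300/vlan1302 naming are taken from the reply; the function names, the output-directory argument and the "1000 + tag" naming rule for the second parent are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build and sanity-check an OpenBSD per-VLAN bridge layout.
# Uses the hostname.if syntax shown in the thread (vlan N vlandev IF).

# gen_vlan_bridge_config DIR OUTER_IF INNER_IF TAG...
#   Writes DIR/hostname.vlanTAG (on OUTER_IF), DIR/hostname.vlan<1000+TAG>
#   (on INNER_IF) and one DIR/hostname.bridgeN per tag. DIR is /etc on a
#   real system; a scratch directory is used for testing.
gen_vlan_bridge_config() {
    dir=$1; shift
    outer=$1; inner=$2; shift 2
    bridge_idx=0
    for tag in "$@"; do
        o="vlan$tag"                 # device on the outer NIC (assumed naming)
        i="vlan$((1000 + $tag))"     # device on the inner NIC (assumed naming)
        printf 'vlan %s vlandev %s\n' "$tag" "$outer" > "$dir/hostname.$o"
        printf 'vlan %s vlandev %s\n' "$tag" "$inner" > "$dir/hostname.$i"
        # One bridge per tag: only the two vlan devices, never em0/em1 raw.
        printf 'add %s\nadd %s\nup\n' "$o" "$i" > "$dir/hostname.bridge$bridge_idx"
        bridge_idx=$((bridge_idx + 1))
    done
    # The physical interfaces carry no address; they only need to be up.
    printf 'up\n' > "$dir/hostname.$outer"
    printf 'up\n' > "$dir/hostname.$inner"
}

# check_vlan_bridge_config DIR
#   Returns 0 when every hostname.bridge* in DIR has exactly two members
#   that carry the same VLAN tag on different parent interfaces; prints the
#   first violation to stderr and returns 1 otherwise.
check_vlan_bridge_config() {
    dir=$1
    for b in "$dir"/hostname.bridge*; do
        [ -e "$b" ] || continue
        members=$(awk '$1 == "add" { print $2 }' "$b")
        n=$(printf '%s\n' "$members" | wc -l | tr -d ' ')
        [ "$n" -eq 2 ] || { echo "$b: expected 2 members, got $n" >&2; return 1; }
        tags=""
        parents=""
        for m in $members; do
            f="$dir/hostname.$m"
            [ -f "$f" ] || { echo "$b: member $m has no hostname file" >&2; return 1; }
            tags="$tags $(awk '{ print $2 }' "$f")"      # "vlan N vlandev IF" -> N
            parents="$parents $(awk '{ print $4 }' "$f")" # "vlan N vlandev IF" -> IF
        done
        set -- $tags
        [ "$1" = "$2" ] || { echo "$b: members carry different tags:$tags" >&2; return 1; }
        set -- $parents
        [ "$1" != "$2" ] || { echo "$b: both members hang off $1" >&2; return 1; }
    done
    return 0
}

# Typical use on the bridge host (after backing up the existing files):
#   gen_vlan_bridge_config /etc em0 em1 300 302 && check_vlan_bridge_config /etc
#   sh /etc/netstart
```

Two caveats the check encodes: em0 and em1 must not themselves be bridge members once the vlan devices exist, otherwise the same tagged frame is forwarded both raw and through the vlan device; and with this layout the filtering is done by pf on the vlan member interfaces (for example rules on vlan300 and vlan1300), so PF, which the original post has disabled, has to be enabled before any of it takes effect.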
Apache with latest snapshot
27 bus 28
ppb28 at pci0 dev 24 function 2 "VMware Virtual PCIE-PCIE" rev 0x01
pci29 at ppb28 bus 29
ppb29 at pci0 dev 24 function 3 "VMware Virtual PCIE-PCIE" rev 0x01
pci30 at ppb29 bus 30
ppb30 at pci0 dev 24 function 4 "VMware Virtual PCIE-PCIE" rev 0x01
pci31 at ppb30 bus 31
ppb31 at pci0 dev 24 function 5 "VMware Virtual PCIE-PCIE" rev 0x01
pci32 at ppb31 bus 32
ppb32 at pci0 dev 24 function 6 "VMware Virtual PCIE-PCIE" rev 0x01
pci33 at ppb32 bus 33
ppb33 at pci0 dev 24 function 7 "VMware Virtual PCIE-PCIE" rev 0x01
pci34 at ppb33 bus 34
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
root on sd0a swap on sd0b dump on sd0b

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_s...@hotmail.com
Re: Apache with latest snapshot
Good point. PHP for use with symon. I'll check for package updates there. Thanks!

- Original Message -
| On Sat, Dec 4, 2010 at 6:31 PM, James A. Peltier
| wrote:
| > Just performed a binary snapshot upgrade to the latest snapshot of
| > current from ftp.openbsd.org. I get the following errors when
| > launching apache, but it does start. I'm not using SSL so this
| > doesn't affect me at all but just thought I would report it. It's
| > probably related to the libssl changes from October 18 - Nov 17th,
| > 2010. I don't see anything on the following -current page about how
| > to fix this from binary snapshots. Maybe this is something missed by
| > me or the team?
| >
| > # apachectl start
| > /usr/sbin/httpd:/usr/lib/libcrypto.so.18.0:
| > /usr/lib/libcrypto.so.19.0 : WARNING: symbol(v3_alt) size mismatch,
| > relink your program
|
| Wild guess: do you use apache modules that are not part of base that
| link against libcrypto and that you haven't recompiled since the
| libcrypto update?
|
|
| Philip Guenther

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_s...@hotmail.com
Re: Apache with latest snapshot
Updating all installed packages with pkg_add -ui worked perfectly. Thanks

- Original Message -
| Good point. PHP for use with symon. I'll check for package updates
| there. Thanks!
|
| - Original Message -
| | On Sat, Dec 4, 2010 at 6:31 PM, James A. Peltier
| | wrote:
| | > Just performed a binary snapshot upgrade to the latest snapshot of
| | > current from ftp.openbsd.org. I get the following errors when
| | > launching apache, but it does start. I'm not using SSL so this
| | > doesn't affect me at all but just thought I would report it. It's
| | > probably related to the libssl changes from October 18 - Nov 17th,
| | > 2010. I don't see anything on the following -current page about
| | > how
| | > to fix this from binary snapshots. Maybe this is something missed
| | > by
| | > me or the team?
| | >
| | > # apachectl start
| | > /usr/sbin/httpd:/usr/lib/libcrypto.so.18.0:
| | > /usr/lib/libcrypto.so.19.0 : WARNING: symbol(v3_alt) size
| | > mismatch,
| | > relink your program
| |
| | Wild guess: do you use apache modules that are not part of base that
| | link against libcrypto and that you haven't recompiled since the
| | libcrypto update?
| |
| |
| | Philip Guenther
| --
| James A. Peltier
| Systems Analyst (FASNet), VIVARIUM Technical Director
| Simon Fraser University - Burnaby Campus
| Phone : 778-782-6573
| Fax : 778-782-3045
| E-Mail : jpelt...@sfu.ca
| Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
| http://blogs.sfu.ca/people/jpeltier
| MSN : subatomic_s...@hotmail.com

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_s...@hotmail.com
Re: Donations
- Original Message -
| > > Are you planning on having the OpenBSD development team perform
| > > some
| > > sort of illegal activity soon?
| > >
| > > If not, you shouldn't be worried about Paypal.
| >
|
| You're discussing intent. Intent is a tricky thing that in the past
| lawyers
| had to jump through hoops to prove in the (fed)nited States. Now with
| the
| (un)Patriot Act and other legislation they can rely on the whole
| notion of
| "pre-crime."
|
| Seems like most of America is happy with "point and click" hegemony
| and I'm
| glad the Internet is trying to block the interrupts.

I don't understand the worry about these "pre-cogs". Minority Report proved the theory to be infallible. :)

--
James A. Peltier
Systems Analyst (FASNet), VIVARIUM Technical Director
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.fas.sfu.ca | http://vivarium.cs.sfu.ca
http://blogs.sfu.ca/people/jpeltier
MSN : subatomic_s...@hotmail.com
Re: symbol ( - - - - ) size mismatch, relink your program
- Original Message -
| On Sat, Dec 11, 2010 at 10:04 AM, Mihai Popescu B.S.
| wrote:
| > Hello,
| >
| > I did a snapshot install and I got many warnings like this one. What
| > could be this warning, is it about mismatch on .so files ?
| >
| > Thanks.
| >
| >
|
| I think this is in the archives...

Yes it is, because I created the most recent thread and it was because of packages. PHP in my case.

--
James A. Peltier
Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpelt...@sfu.ca
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier
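The warning in both the "Apache with latest snapshot" thread and this one comes from ld.so finding the same symbol in two copies of libcrypto (the .18.0 that a package-built module such as PHP was linked against, and the .19.0 that the new base httpd uses) loaded into one process. Philip Guenther's "wild guess" is exactly the check a practitioner wants to run before and after pkg_add -ui: does any single process pull in two major versions of one library? Below is an added example, not code from the thread, that does that check with POSIX sh, sed and awk. It reads a list of shared-object paths (the last column of OpenBSD's ldd(1) output) and reports every library present with more than one major version. The sample listing is constructed for illustration: the libcrypto majors 18 and 19 come from the thread, while the libssl and libc versions and the PHP module path are made up.

```shell
#!/bin/sh
# Added example: detect a process that would map two major versions of the
# same shared library, the condition behind ld.so's
# "symbol(...) size mismatch, relink your program" warning.

# find_mixed_lib_majors
#   stdin:  one shared-object path per line, e.g. /usr/lib/libcrypto.so.19.0
#   stdout: "libname: MAJ1 MAJ2 ..." for each library seen with more than one
#           major version; prints nothing when the set is consistent.
find_mixed_lib_majors() {
    # Keep only lib*.so.MAJOR.MINOR entries and reduce them to "name major".
    sed -n 's#.*/\(lib[^/]*\)\.so\.\([0-9][0-9]*\)\.[0-9][0-9]*$#\1 \2#p' |
    sort -u |
    awk '{ n[$1]++; v[$1] = v[$1] " " $2 }
         END { for (l in n) if (n[l] > 1) print l ":" v[l] }' |
    sort
}

# Constructed sample (not captured from a real host): httpd itself links the
# new libcrypto.so.19.0 while a package-built PHP module still wants .18.0.
sample_listing() {
    cat <<'EOF'
/usr/sbin/httpd
/usr/lib/libcrypto.so.19.0
/usr/lib/libssl.so.17.0
/usr/lib/libc.so.58.0
/usr/local/lib/php/modules/openssl.so
/usr/lib/libcrypto.so.18.0
/usr/lib/libc.so.58.0
EOF
}

# On a real OpenBSD system, feed ldd(1) output for the daemon and each
# third-party module it will dlopen (paths below are placeholders). OpenBSD's
# ldd prints the object path in the last column; header lines carry no ".so".
#   ldd /usr/sbin/httpd /usr/local/lib/php/modules/*.so 2>/dev/null |
#       awk '$NF ~ /\.so/ { print $NF }' | find_mixed_lib_majors
#
# Demonstration on the constructed listing:
sample_listing | find_mixed_lib_majors
```

An empty result after pkg_add -ui (or after rebuilding the offending module) confirms the fix; a non-empty one names the library whose two majors share the process, which is where the warning, and any silent ABI breakage that goes with it, comes from.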