Update: Reinstalling the OS and reapplying all patches cleared this
issue. I can't explain why security fix 3 previously horked this system.
dn
On 2/23/22 7:04 PM, David Newman wrote:
OpenBSD 7.0 GENERIC#3 i386, running as a VM on VMware vSphere 5.5
After applying a security fix th
OpenBSD 7.0 GENERIC#3 i386, running as a VM on VMware vSphere 5.5
After applying a security fix through syspatch, this system failed on
reboot with the error:
kernel: privileged instruction fault trap, code=0
Stopped at: pf_tabladdr_setup:
Links to trace and ps info below. Thanks in advan
On 4/13/21 9:38 PM, Ivo Chutkin wrote:
> Hello guys,
>
> Thanks for replies. To add some more info for the case.
>
> We have DWDM network with star topology. Switches will be connected to
> center point with 100G uplink (currently 10G or 2x10G) via DWDM lambda.
> Customers are connected to 10G p
On 4/1/21 2:51 PM, Rafael Possamai wrote:
>> One of my systems rebooted at 03:01 local time today.
>
> Do you happen to have a cat nearby?
:-)
I'm allergic, and this box is in a colo.
Appreciate all the feedback. I've enabled accounting per Stuart's
suggestion and am pretty sure this is a hicc
On 3/29/21 5:28 AM, Nick Holland wrote:
> On 3/28/21 12:13 PM, David Newman wrote:
>> On 3/28/21 4:58 AM, Kristjan Komloši wrote:
>>
>>> On 3/27/21 10:27 PM, David Newman wrote:
>>>> OpenBSD 6.8 GENERIC#5 i386
>>>>
>>>> One of my
On 3/28/21 4:58 AM, Kristjan Komloši wrote:
> On 3/27/21 10:27 PM, David Newman wrote:
>> OpenBSD 6.8 GENERIC#5 i386
>>
>> One of my systems rebooted at 03:01 local time today. I've seen kernel
>> panics and bad hardware but I've never seen OpenBSD "just
OpenBSD 6.8 GENERIC#5 i386
One of my systems rebooted at 03:01 local time today. I've seen kernel
panics and bad hardware but I've never seen OpenBSD "just reboot" by
itself, ever.
There's no cron job that would do this. last(1) is no help; it shows the
reboot command but not the shutdown that pr
On 3/4/21 12:29 AM, Stuart Henderson wrote:
> On 2021-03-04, David Newman wrote:
>> Apparently Apple iOS and iPadOS VPN clients now require a subjectAltName
>> in the client cert, not just the CN, to set up IKEv2 VPN tunnels.* The
>> subjectAltName can be the same as the
Apparently Apple iOS and iPadOS VPN clients now require a subjectAltName
in the client cert, not just the CN, to set up IKEv2 VPN tunnels.* The
subjectAltName can be the same as the CN; it just has to be present.
Questions about this:
1. Does the 'ikectl ca certificate create' command
support c
On 11/18/20 8:11 PM, Theo Buehler wrote:
> On Wed, Nov 18, 2020 at 03:16:57PM -0800, David Newman wrote:
>> Do recent complaints about certificate chains [1] [2] also apply when a
>> client running OpenBSD 6.8 uses a self-signed cert, and there are no
>> intermediat
Do recent complaints about certificate chains [1] [2] also apply when a
client running OpenBSD 6.8 uses a self-signed cert, and there are no
intermediate certs?
Since upgrading to OpenBSD 6.8, a machine running the bacula-client
backup package has been throwing "unable to get local issuer
certific
On 4/8/15 2:42 AM, Martin Pieuchot wrote:
> On 07/04/15(Tue) 15:42, David Newman wrote:
>> On 3/30/15 12:54 PM, Martin Pieuchot wrote:
>>> [...]
>> Not OK for the carp interfaces. On the production machines I'm
>> replicating here as VMs, it looks li
On 3/30/15 12:54 PM, Martin Pieuchot wrote:
> On 30/03/15(Mon) 11:58, David Newman wrote:
>> On 3/29/15 12:38 PM, mxb wrote:
>>> Probably your PF rules.
>>> put in ‘pass quick proto icmp’.
>>
>> No joy. This did not improve on the existing ICMP rule in pf.
1 pass **
CARP is up and MASTER/BACKUP state changes work between boxes, but
neither firewall can ping other hosts or vice-versa via the CARP interface.
How to get those interfaces to bind to vic1 instead of lo0?
Thanks!
dn
>
>
>> On 28 mar 2015, at 00:59, David Newman wrote:
Greetings. In preparation for upgrading two CARP+pfsync boxes to
5.6/i386, I put together a lab network to test new firewall rules.
Topology is pretty simple:
outside box (vic0) <-> (vic1) two carp boxes (vic0) <-> inside box
with a third interface on each firewall for pfsync traffic. I'm focuse
unicast rather than multicast for carp for both v4
and v6 interfaces. Is this supported in the release versions of 5.1 or 5.2?
Thanks
dn
On 11/1/12 4:39 PM, David Newman wrote:
> OpenBSD 5.1 / i386, two boxes connected using CARP/pfsync. There are
> VLANs on the physical interfa
OpenBSD 5.1 / i386, two boxes connected using CARP/pfsync. There are
VLANs on the physical interfaces, and CARP interfaces on the VLAN
interfaces. Both boxes run dual stack on VLAN and CARP interfaces. This
all works fine.
To get rid of multicast CARP traffic, I tried using the carppeer keyword
in
On 10/25/11 6:20 PM, Jussi Peltola wrote:
> I had some similar looking problems some releases back. Using a separate
> carp if for ipv6 mostly fixed it. Didn't write down the exact problem,
> though.
>
Had a similar issue a while back, with duplicate messages due to both pf
boxes thinking they wer
On 10/9/11 11:08 AM, rik wrote:
> i'm not doing load balance, just active/passive router/firewall
> configuration, but we're using only one ip on carp, with no ip address on
> the physical interfaces.
+1
We set up CARP on unnumbered interfaces all the time. Works fine.
This is useful if, for exa
On 8/9/11 3:12 PM, Stuart Henderson wrote:
>> bge0 at pci4 dev 0 function 0 "Broadcom BCM5721" rev 0x21, BCM5750 C1
>> (0x4201): apic 2 int 16 (irq 15), address 00:25:64:3c:c1:0a
>> brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
>> bge1 at pci5 dev 0 function 0 "Broadcom BCM5721" rev
On 7/31/11 4:02 PM, Jussi Peltola wrote:
> On Sun, Jul 31, 2011 at 02:16:15PM -0700, David Newman wrote:
>> 2. CARP heartbeat messages use multicast. This means a switch with
>> dual-stack CARP-attached devices should support not only IGMP snooping
>> for IPv4 but also
aces can be bound to VLAN interfaces, which in turn can be
bound to an unnumbered physical interface. This is true for both IPv4
and IPv6 addressing.
dn
On 7/18/11 8:23 PM, David Newman wrote:
> 4.9-release
>
> Greetings. I'm looking to configure IPv6 in addition to IPv4 on a
>
4.9-release
Greetings. I'm looking to configure IPv6 in addition to IPv4 on a
two-box pf setup that uses CARP and pfsync. The systems have multiple
VLANs, which are bound to physical interfaces, and the CARP interfaces
in turn are bound to the VLAN interfaces. There is no dynamic routing
protocol
On 12/9/10 12:34 PM, Kapetanakis Giannis wrote:
> On 09/12/10 17:07, Gilles Chehade wrote:
>> Own box :-)
>>
>> lh wrote:
>
> That's of course the best solution.
>
> But YOU have to make it secure and private. If you're not able to do
> this yourself, then your best option is to choose a strong p
On 11/25/10 2:47 PM, Stuart Henderson wrote:
> Postfix - the network daemons are most likely chroot'ed to
> /var/spool/postfix and there will be an etc/resolv.conf in the
> jail.
Bingo. It's coming up on 17 hours since changing this and restarting
postfix. So far there haven't been any more querie
Greetings. I manage a mail server running OpenBSD 4.5 i386. For various
layer-9 reasons I cannot reboot the server at this time let alone
upgrade it. I can stop and restart processes.
A while back when changing ISPs I temporarily added Google's public
nameserver at 8.8.8.8 to /etc/resolv.conf. Alt
On 8/2/09 12:11 PM, Nick Bender wrote:
>> How to reach that server when in shell mode? Or is there another way to
>> do this?
>
> NFS isn't available on the install media, and neither is ssh. If the
> server has ftp or
> http then you can use ftp like:
>
> ftp -o - http://someserver/part.dump
How to restore entire partitions using NFS? When booting the install
disk into the shell and bringing up a network interface, an NFS mount
command returns an error:
# mkdir /store
# mount -t nfs -o rw 10.41.2.3:/store /store
mount: no mount helper program found for nfs: No such file or directory
On 6/18/09 4:36 AM, Tom wrote:
>> # start openvpn
>> #
>> if [ -x /usr/local/sbin/openvpn ]; then
>> /usr/local/sbin/openvpn --config /opt/openvpn-2.0/server.conf &&
>> echo 'opening openvpn server...' &
>> else
>> echo 'ERROR: cannot start openvpn; file /usr/local/sbin/openvpn is missing.'
On 6/16/09 10:07 PM, Jason Dixon wrote:
> I would suggest booting into single-user and using netstart for each of
> the physical and carp interfaces until you find out where your
> misconfiguration is. Set it all up manually, document it, then use
> hostname.* to properly bring up your interfaces
On 6/16/09 4:36 PM, Jason Dixon wrote:
> On Tue, Jun 16, 2009 at 03:47:47PM -0700, David Newman wrote:
>> Running 4.5/i386 on a pair of firewalls using pf and carp and pfsync
>> (and also multiple VLANs).
>>
>> After a reboot, either system will hang at 'starting n
Running 4.5/i386 on a pair of firewalls using pf and carp and pfsync
(and also multiple VLANs).
After a reboot, either system will hang at 'starting network' until
pressing Ctrl-C at the console. (By 'hang' I mean no action for at
least 60 minutes; I have not waited longer than that.)
Initially
On 8/28/08 10:22 AM, Parvinder Bhasin wrote:
> perhaps pfsysinfo and pfstat. Some of the stuff you'll have to make
> your own graphs.
>
> -Parvinder Bhasin
>
> On Aug 28, 2008, at 8:24 AM, Stephan A. Rickauer wrote:
>
>> I am curious what tools people here use to visualize pf-generated logs
>>
On 8/16/08 12:54 PM, Johan Beisser wrote:
> On Sat, Aug 16, 2008 at 12:37 PM, David Newman <[EMAIL PROTECTED]> wrote:
>
>> Is there some other way to install ports across machines?
>
> You'll have to either map the root user (-maproot=user)
Thanks -- that did t
Two 4.3/i386 machines, one with enough disk space for the ports
collection and the other with hardly any disk.
I'm looking to install the net-snmp port with the packetmischief patches
onto the smaller machine. I tried using NFS, mounting the /usr/ports
directory read-write as root:
on server's /e
On 8/6/08 11:29 AM, Łukasz Bromirski wrote:
[EMAIL PROTECTED] wrote:
I'll be looking for that day wherein those Cisco guys can boast no more
that they are the only ones on the planet that have the MPLS skills. Whew,
maybe somebody knows where to start on how to add this MPLS feature so as
to answ
On 7/8/08 2:30 PM, Peter N. M. Hansteen wrote:
Pete Vickers <[EMAIL PROTECTED]> writes:
Does this mean we should expect one soon ?
Possibly. Still can't think of a valid reason why they decided to
post a Microsoft document (your choice of strings or OpenOffice.org)
or html:
http://is.gd/O
On 7/8/08 9:02 AM, Philip Guenther wrote:
acl int_masters {
10.0.0.1;
};
...
zone "somedomain.com" {
type slave;
masters { int_masters; };
file "slave/internal/somedomain.com";
};
but apparently named does not parse this and complains that
On 7/7/08 4:44 PM, Jacob Yocom-Piatt wrote:
afaict as of BIND 9.3.2 use of an acl in the masters option was
supported, e.g.
acl int_masters {
10.0.0.1;
};
...
zone "somedomain.com" {
type slave;
masters { int_masters; };
file "slave/inter
On 6/12/08 9:14 PM, Tim Donahue wrote:
Quoting David Newman <[EMAIL PROTECTED]>:
Looking for info on seeing near-real-time or real-time info on TCP
connection states using pftop.
A 4.3-release box has pf rules that allow Windows Remote Desktop
connections from a handful of sources.
Looking for info on seeing near-real-time or real-time info on TCP
connection states using pftop.
A 4.3-release box has pf rules that allow Windows Remote Desktop
connections from a handful of sources.
pftop shows entries something like the following:
PRD SRC DEST
Any recommendations for an Ethernet card that fits into a PCI Express x8
slot? I didn't see anything specific on the hardware page or in the
archives.
This is for a Dell CR100 OEM server. The spec sheet mentions the usual
two Broadcom gigabit Ethernet interfaces, plus a "PCI Express x8
(1-lan
Greetings. I'm setting up ftp access* for a number of users to a
directory structure like this (assume "/" is an alias for the top of the
tree):
Username directory perms
user1/ rw
user2/projects r
user3/projects rw
user4/ r
The FAQ a
(apologies in advance if this has been answered before, but I looked in
the manpages and on the marc search engine and didn't find a direct answer)
I'm looking to set up Apache virtual hosting, with two requirements:
1. Customers can upload files to their vhosts
2. Customers cannot clobber each
Martin Toft wrote:
On Fri, Mar 28, 2008 at 11:49:01AM +0100, Jordi Espasa Clofent wrote:
Hi all,
I need a RAID-1 (mirroring) for production environment.
Should I use RAIDFrame or softraid?
The reliability is the main request feature.
AFAIK, not all features of softraid are finished yet. Ho
Two questions about mediawiki that I didn't find in the misc archives:
1. On a 4.2 i386 box, installing mediawiki from ports died during tk
install with the header error pasted below. This box has xbase installed
but none of the rest of the X stuff.
How to remedy?
2. The package and port are
On 1/23/08 4:21 PM, Daniel Ouellet wrote:
So, you could check for UDP RTP streams from those IPs, and all phones can
and are most likely preset with a fixed range of ports that they can use,
and if you can find that, then you have all that you need.
Gack. No.
I've seen more than one MegaCorp use
On 1/23/08 4:08 PM, Chris Cappuccio wrote:
Just use the 'tos' tag in pf.conf to match against the IP tos field.
Most equipment sets this to something predictable, like 0x68 for RTP and
0xb8 for SIP. Just use tcpdump to see what your RTP traffic is tagged
as, and also prioritize SIP above R
On 1/23/08 6:28 AM, Jeff Santos wrote:
I would like to set up PF so that, whenever an initial VoIP flow was
detected, all other non-relevant traffic would be blocked, and normal
packet flow would be restored only after some VoIP idleness is detected.
Can it be done? Can someone give some ideas of
On 12/29/07 11:11 PM, johan beisser wrote:
> It's permitted in IEEE 802.3, if not encouraged.
This is not correct. The relatively recent (2005) IEEE 802.3as spec
extends Ethernet frame length only to 2048 bytes, mainly to accommodate
VLAN stacking and various encap methods. It does not define a s
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 12/24/07 5:55 AM, bofh wrote:
> On Dec 24, 2007 8:45 AM, Lars Noodin <[EMAIL PROTECTED]> wrote:
>
>> scott wrote:
>>> If small form factor, *LOWEST* power factor (i.e. fanless) and
>>> accelerated crypto are of any importance, consider
>>> http://w
On 12/19/07 6:05 AM, Peter N. M. Hansteen wrote:
> I'm not directly involved in
> distribution and can not make any guarantees about when you'll get
> yours
I checked yesterday with No Starch, and the company says "it should ship
in early January."
Mine's pre-ordered; looking forward to reading
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 11/22/07 1:55 PM, Christian Weisgerber wrote:
> David Newman <[EMAIL PROTECTED]> wrote:
>
>>>> There is some layer-2 stuff that happens before layer-3 handshaking
>>>> begins -- 802.11 association and deassocia
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 11/20/07 6:45 AM, Fridiric Pli wrote:
> Hello,
>
> Is there a way to control which multicast MAC address an ethernet interface
> should handle ?
>
> I have problem with a server running OpenBSD4.1-rel (A) with a pcn and carp
> interface.
> On the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 11/19/07 2:36 PM, Tonnerre LOMBARD wrote:
> Salut,
>
> On Mon, Nov 19, 2007 at 02:20:54PM -0800, David Newman wrote:
>> There is some layer-2 stuff that happens before layer-3 handshaking
>> begins -- 802.11 association and de
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 11/19/07 8:16 AM, Tonnerre LOMBARD wrote:
> Personally, I use IPsec to secure my WLAN, and I can only recommend that
> to others. It is very effective.
IPSec can be an effective safeguard -- for IP headers and the
upper-layer protocols and payload
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 11/19/07 3:18 AM, Tor Houghton wrote:
> On Sun, Nov 18, 2007 at 10:51:49PM -0700, Clint Pachl wrote:
>>> OpenBSD supports WEP.
>>>
>> Does it even matter?
>>
>
> Well, if you want to prevent someone from accidentally connecting to your
> network,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 11/12/07 5:01 AM, Stuart Henderson wrote:
> On 2007/11/12 12:56, knitti wrote:
>>> Looking to manage several webservers I am wondering if anybody uses
>>> something like this: http://soekris.kd85.com/images/tn/dsc03600.med.jpg ?
>>> (That image show
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/7/07 8:59 AM, Stuart Henderson wrote:
> On 2007/09/07 08:41, David Newman wrote:
>> 1. I believe "keep state" is still needed when using queuing. The
>> pf.conf manpage says it must be specified explicitly to apply option
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/7/07 7:54 AM, mail-lists wrote:
> I'm attempting to set up pf for a voip system. In order to prioritize
> VoIP packets I have this queue:
>
> altq on $ext_if priq bandwidth 1.4Mb queue {std_out, voip_out,
> tos_lowdelay_out}
> queue std_out priq(
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/5/07 2:01 AM, Henning Brauer wrote:
> * David Newman <[EMAIL PROTECTED]> [2007-09-05 00:59]:
>>> Can anyone comment on this? Would it not be better to use something
>>> like a Cisco layer 3 GB switch.
>> Most e
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/5/07 1:50 AM, Henning Brauer wrote:
> * Michael Gale <[EMAIL PROTECTED]> [2007-09-05 00:16]:
>> Hey,
>>
>> It was suggested that we create an OpenBSD server with 9GB
>> interfaces to start. 7 will be used right off the bat.
>>
>> This w
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/4/07 3:03 PM, Michael Gale wrote:
> Hey,
>
> It was suggested that we create an OpenBSD server with 9GB
> interfaces to start.
I think here you mean 9 1-Gbit/s interfaces
7 will be used right off the bat.
>
> This would function as a core
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/3/07 3:28 PM, Paolo Supino wrote:
> Hi David
>
> It's true that all IP addresses are in the 10.x.x.x private address
> space that isn't supposed to be routed on the Internet, but in all the
> connections over the Internet the only visible addres
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/3/07 2:15 PM, Paolo Supino wrote:
> Hi
>
> I have a firewall that also acts as a VPN peer for 2 VPNs. One of
> the VPNs is IPSEC that connects between the main office and a branch
> office. The second VPN is OpenVPN that connects windows based r
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 8/31/07 9:15 PM, mufurcz wrote:
> Greetings,
>
> Need advise how to setup one DNS server for multiple domain
> names, like: abcd._com_.xy, abcd._net_.xy, abcd._org_.xy, and
> abcd._biz_.xy
>
> The name server FQDN is server1.abcd._com_.xy (first
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 9/1/07 12:29 PM, Siju George wrote:
> On 9/1/07, Marco Peereboom <[EMAIL PROTECTED]> wrote:
>> Try to run strings on windows command line utilities. You'll see that
>> they preserved the copyrights as required.
>>
>
> Could somebody please explain
>> And here we come full circle. Given the OpenBSD now IS a router --
>> whether it's a little two-interface pf box for home use or some big
>> studly hardware running OpenBGPD and OpenOSPFD box for ISPs, I would say
>> the addition of support for DSCP re-marking would be a very desirable
>> featur
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 8/22/07 5:22 AM, Henning Brauer wrote:
> * David Newman <[EMAIL PROTECTED]> [2007-08-21 21:41]:
>> Question: Can OpenBSD and/or pf itself set TOS and/or DSCP values?
>
> not for forwarded traffic, no.
> for locally origin
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 8/21/07 7:31 PM, Chris Cappuccio wrote:
> On a related note, I work with some equipment that uses TOS values and
> some that uses DSCP.
>
> When you see a TOS value in tcpdump (0x68 for instance) just divide by 4
> to get the DSCP (and throw away a
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I'm setting up ALTQ and hfsc to prioritize VoIP traffic. The pf.conf(5)
says pf uses TOS values to assign packets to queues.
Question: Can OpenBSD and/or pf itself set TOS and/or DSCP values?
Only some of my VoIP gear does DSCP marking.
Also, I not
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 8/13/07 5:25 AM, Stuart Henderson wrote:
> On 2007/08/13 13:51, [EMAIL PROTECTED]@mgedv.net wrote:
>> why don't you just switch your ssh port to a different one.
>
> In my case, because it annoys me, and max-src-conn-rate doesn't.
I concur, and wo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 8/9/07 11:58 AM, Joshua Gimer wrote:
> We are planning on moving a large amount of Exchange mailboxes to UNIX
> mbox format.
>
> My question is, does anyone know of any projects out there or of any
> tools that can assist in this conversion?
>
Ge
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 8/9/07 10:24 AM, David Newman wrote:
> On 8/9/07 3:22 AM, Joachim Schipper wrote:
>
>>> # Allow quick valid traffic to ssh but log all attempts as well
>>> pass in log quick on $unpro inet proto tcp from ! \
>>>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 8/9/07 3:22 AM, Joachim Schipper wrote:
>> # Allow quick valid traffic to ssh but log all attempts as well
>> pass in log quick on $unpro inet proto tcp from ! \
>> to $unpro port ssh $SSH_LIMIT
>
> Skip '! ' unless it's intended as documentat
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
> On Thu, Aug 09, 2007 at 06:07:08PM +1000, Chris wrote:
>> I'm trying to buy (from ebay) a cisco switch, router and pix firewall
>> for learning purposes. All these will be connected to a Linksys ADSL
>> modem which also has wireless capability. The
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 6/27/07 10:39 PM, Daniel Ouellet wrote:
> Steve B wrote:
>> The rule I've had in my pf.conf file to catch and block forceful SSH
>> attempts no longer appears to be working. I see the entries in my
>> authlog,
>> but the IPs are no longer getting ad
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 6/18/07 4:01 AM, Nick Holland wrote:
>> I plan to implement cgi.
>
> which means you probably (though not certainly) have an app which
> requires the ability to write to files. If that is true, that means
> you have negated at least some of the b
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 6/13/07 12:40 PM, Bryan Vyhmeister wrote:
>> Is there some means of getting CARP to work where one side of the pf box
>> sits on a /30?
>
> You don't actually need an address for each physical interface. It is
> nice but really not essential. This
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
What is the longest v4 prefix length CARP supports?
In the example given here:
http://www.openbsd.org/faq/pf/carp.html
Each physical interface has two IPv4 addresses, one for a shared IP and
one for the interface address. That would require a /29 or
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
What's the deal for upgrading systems running RAIDframe?
I have Sparc64 boxes running 4.0 and RAIDframe. Is it possible to
upgrade these through the regular process, or do I need to do a clean
install and restore from backups?
Thanks in advance for p
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Stuart Henderson wrote:
> On 2007/06/04 07:11, David Newman wrote:
>> I could divide the /26 into smaller netblocks and configure pf to route
>> between them but I'm reluctant to do that given that I'd burn a network
>>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Henning Brauer wrote:
> * David Newman <[EMAIL PROTECTED]> [2007-06-04 03:59]:
>> but it says carp doesn't work with bridging
>
> carp allows two hosts to share an IP.
> now explain to me how that is supposed to work with bri
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Thanks in advance for guidelines on using pf with carp and pfsync boxes
that bridge rather than route.
I found this guide:
http://www.seattlecentral.edu/~dmartin/docs/bridge.html
but it says carp doesn't work with bridging and to use spanning tree
i
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 1/28/07 11:33 AM, Joe wrote:
> I've done full packet capture in FreeBSD for 100-200 Mbps networks. Can
> I expect similar performance numbers for doing full packet capture in
> OpenBSD?
With equivalent hardware, yes
>
> And out of curiosity, how
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 1/27/07 6:57 AM, tony sarendal wrote:
> On 27/01/07, earx <[EMAIL PROTECTED]> wrote:
>> hi everyone
>> i want to learn more in BGP, and ospf routing.
>> can u have an advice on a good book about routing ?
>> or documentation ?
>> and better, with op
On 1/23/07 1:13 AM, Thomas Alexander Frederiksen wrote:
> doc Hyde wrote:
>
>> Can anyone help me please?
>> Thank you.
>
> Google can...
>
> http://www.eclectica.ca/howto/openbsd-software-raid-howto.php
>
> These are the steps you are most likely to have missed:
>
> # raidctl -a /dev/sd0d raid0
>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenBSD 4.0 i386 on dual Nexcom 1563 firewall boxes using carp and pfsync.
In my setup, there are two carp interfaces bound to the "external"
physical interface fxp0, each in turn bound to a different internal
machine using nat and rdr. This worked fi
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 1/12/07 4:03 PM, Chris 'Xenon' Hanson wrote:
> Bob DeBolt wrote:
>> I have been trying numerous configs trying to outsmart
>> the inability of VOIP to transfer to UDP encapsulated RTP.
>> A very common problem as anyone who deals with NAT and VOIP
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 1/5/07 12:42 AM, Tasmanian Devil wrote:
>> - Machine A, a single i386 box without enough disk space to unpack the
>> source tree
>
> http://openbsdbinpatch.sourceforge.net/ :-)
Thanks much for this, and also for Nick Holland's excellent suggestion
I have two machines:
- Machine A, a single i386 box without enough disk space to unpack the
source tree
- Machine B, a two-CPU i386 box running bsd.mp with plenty of disk
My questions:
1. For purposes of applying kernel security patches, can I compile a
patched kernel on Machine B and just
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Julian Labuschagne wrote:
> raidctl -I 2006111501
> Can I undo the previous command?
raidctl -u
dn
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenBSD 4.0 on UltraSparc II, two 18G SCSI drives
I am trying to set up software RAID disk mirroring. There are many fine
howtos out there, including:
http://www.monkey.org/openbsd/archive/misc/0203/msg00803.html
http://www.eclectica.ca/howto/openbsd
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Greg Troxel wrote:
> Does anyone have any thoughts or experience with Lenovo or ThinkPad
> laptops?
>
> On most Thinkpads (Lenovo or IBM - I have seen no real changes), BSD
> runs fine. I or friends have had good experiences with
>
> 760ED
>
Darrin Chandler wrote:
rdr on $ExtIfa inet proto tcp from any to $ExtIfa port 25 -> $box2
rdr on $ExtIf inet proto tcp from any to $ExtIf port 25 -> $box1
Forget for a second what you *want* to have happen, and look at the
above snippets of your pf.conf. What's the *last* matching rule for
Looking for guidance on pf and aliases. I have an OBSD 3.8 box running
pf in front of two SMTP servers.
Here's my setup:
Net -> 1.2.3.4-> pf box -> box1 9.8.7.6
1.2.3.5 (alias)->-> box2 9.8.7.7
Problem is, pf sends all requests to box1, even those addressed to 1.2.3.5.
I'm looking for recommendations for embedded systems that would work well
for an OBSD 3.7 firewall.
I've heard of Commell and Soekris. Are there others?
Requirements:
--ability to run OBSD, pf, openvpn, apcupsd
--compact flash or 2.5-inch hard drive
--forward >3 Mbit/s with ~50 rules in pf
--