On Wed, Oct 24, 2012 at 10:30:21PM +0200, Claudio Jeker wrote:
> On Wed, Oct 24, 2012 at 10:12:33PM +0300, Jussi Peltola wrote:
> > On Wed, Oct 24, 2012 at 02:43:14PM -0400, Simon Perreault wrote:
> > > What you need to multihome is either BGP or NAT. Exactly as in IPv4.
On Wed, Oct 24, 2012 at 01:43:01PM -0600, Theo de Raadt wrote:
> Luckily that is not a problem in ipv4.
I can get IPv6 PI and multihome with v6 as it is just like I used to be
able with v4; now there is no more v4 PI at RIPE. But what does this
have to do with the on-wire protocol again?
> > Do y
On Wed, Oct 24, 2012 at 01:28:38PM -0600, Theo de Raadt wrote:
> Basically to make IPv6 pseudo-"multihoming" work like IPv4
> multihoming, ssh and sshd need to be modified that they can handle a
> network break, and re-connect using another address.
I fail to see what any of this has to do with a
On Wed, Oct 24, 2012 at 01:21:33PM -0600, Theo de Raadt wrote:
> What happens if one of your links goes down for a day?
>
> Do all your ssh sessions to everywhere in the world stay up?
>
> The internet has non-transient traffic, too.
No, I will have to re-start some of them. This is something t
On Wed, Oct 24, 2012 at 02:25:07PM -0400, Kurt Mosiejczuk wrote:
> I read about it in the following article earlier this year.
> http://www.theregister.co.uk/2012/03/31/ipv6_sucks_for_smes/
Everybody except a few zealots have accepted the fact that NAT will
exist in ipv6 just like v4. The differe
On Wed, Oct 24, 2012 at 02:43:14PM -0400, Simon Perreault wrote:
> What you need to multihome is either BGP or NAT. Exactly as in IPv4.
> Nothing has changed. The only new thing with IPv6 is that there's
> more bits.
Oh? I have two internet connections plugged directly into my desktop box
at home
On Wed, Oct 24, 2012 at 12:43:12PM -0400, Daniel Ouellet wrote:
> Hi,
>
> Just saw a few questions and patch for NAT64 on misc and tech@ and I
> am really questioning the reason to be for NAT64 and why anyone in
> their right mind would actually want to use this?
To reach v4 only hosts, d'oh?
You can work around this by pointing a default at your provider, too.
But it is kind of yucky.
On Sat, Jan 07, 2012 at 09:21:35AM +0100, Pete Vickers wrote:
> SOO can be used for loop detection, but only if your bgp peerings don't strip
> extended communities.
>
> another dirty hack would be to g
not make
it any less likely that the modem will drop them.
The original poster's objective was
1) Utilize the full link bandwidth
2) Prioritize some packets (affecting their risk of getting dropped, and
their delay)
This is impossible to do if you do not have feedback about the modem's
queue, or knowledge of the speed of the link. 2) is possible without 1),
assuming that some lower bound of the link speed is known. 1) is
obviously possible without any prioritization at all.
Jussi Peltola
On Sat, Nov 19, 2011 at 08:58:46PM -0500, quartz wrote:
> is there a way to set up altq+priq on an internet connection with highly
> variable/unknown bandwidth?
>
> I'd like to create a simple one layer queue system that prioritizes empty
> ACKs over anything else (always, all the time, no matter
You can ignore the clueless parts in my previous message :)
I can set up remote access to one of these machines if needed.
This made the ems work again:
--- if_em.c.origWed Nov 9 21:37:39 2011
+++ if_em.c Wed Nov 9 21:39:01 2011
@@ -331,6 +331,2 @@
- /* Only use MSI on the
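Review bot: the hunk header says six lines become two, but only the start of the removed comment "/* Only use MSI on the" is visible, so the change cannot be reviewed as posted; please include the complete hunk, and state whether the MSI selection is removed for all em(4) parts or only disabled for the 82571EB this report concerns, since dropping it globally is a wider behaviour change than a single-chip errata workaround needs.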
My em(4)'s stopped working with 5.0 - has anyone seen this on 82571EBs?
I'll try backing out the MSO patch.
Perhaps this is related:
ftp://download.intel.com/design/network/specupdt/82571eb_72ei.pdf
Page 22, Errata 7: Device Transmit Operation Might Halt in TCP
Segmentation Offload (TSO) Mode whe
I had some similar looking problems some releases back. Using a separate
carp if for ipv6 mostly fixed it. Didn't write down the exact problem,
though.
On Sun, Oct 23, 2011 at 12:08:22AM +0200, Jan Stary wrote:
> Just out of curiosity, what would be an example
> situation for using a machine that simultaneously
>
> (1) acts as a name-server for others
> (2) gets its network settings dynamically reconfigured
Any kind of box that is connected to a
I'm lazy.
On Sun, Jul 31, 2011 at 02:16:15PM -0700, David Newman wrote:
> 2. CARP heartbeat messages use multicast. This means a switch with
> dual-stack CARP-attached devices should support not only IGMP snooping
> for IPv4 but also MLD snooping for IPv6.
Hmm. carppeer does not seem to like an inet6 addre
I have a vlan on top of a vlan on an em. It connects to a remote switch
that requires me to use a specified lladdr.
Everything works just fine if I change the lladdr on em0, or run tcpdump
to switch it to promiscuous mode, but I need another lladdr on the other
vlans.
Setting the lladdr on the ou
In my experience, the caveat makes using most devices next to
impossible. It is way worse than using 3G data.
I use separate APs. They're usually cheaper and easier to find than
supported cards, anyway.
On Fri, Dec 31, 2010 at 01:36:32AM -0800, S Mathias wrote:
> Does anyone have a similar howto on OpenBSD for using private VLANs?
>
> like:
>
> http://blog.ine.com/2008/07/14/private-vlans-revisited/
>
> I just need to separate the clients on Layer 3 or better: on Layer 2.
> Each client uses 1 p
I have heard of multilink PPPoE, which you'd probably have to tunnel in
a gre / gif tunnel if it's not a "private" adsl link, lowering the MTU
even further...
I've never tried it, it may not work at all, but it might be usable if
the dsl connection in question is not a very "wide" wan.
The n900 most certainly can run openvpn.
On Wed, Sep 22, 2010 at 08:39:36PM -0300, Nenhum_de_Nos wrote:
> On Wed, September 22, 2010 18:56, Luis F Urrea wrote:
> > On Wed, Sep 22, 2010 at 4:11 PM, Fabio Almeida wrote:
> >
> >> "Iptables is ok, until you know PF, after knowing PF you'll never use
> >> Linux, at least for firewalls, anymor
rdware that you can do a regular install on), some kind of QoS
is a must on such an oversubscribed line. It will very likely be
completely unusable without it.
Jussi Peltola
Perhaps it is because you have a /8 netmask on em0.
man hostname.if
Jussi Peltola
nly a dmesg it is
rather hard to tell what you're trying to accomplish. You should include
at least ifconfig output and hostname.* files, probably also the pf
rules you mention.
Jussi Peltola
Does the machine recover after the loop is gone?
On Fri, Jul 09, 2010 at 02:19:42PM -0700, Matt S wrote:
> Given the following:
>
> [internet - DSL Modem - 192.168.0.1]--[bge0:192.168.0.254 - OpenBSD
> 4.7 - em0:10.40.60.1]--[Laptop - DHCP]
>
> net.inet.ip.forwarding=1
>
> How can I get my laptop to reach the internet? I kind
On Fri, Jul 09, 2010 at 01:34:26AM +0200, Floor Terra wrote:
> > I admit that I'm a bit ignorant here, as I've myself never
> > administered an SSL web site, but I am not convinced by this: Doesn't
> > the above just mean that it switches to HTTPS *after* transmitting my
> > information in the clea
Something like http://zakalwe.fi/~shd/foss/pmr/ might work
Search the archives.
On Sat, Jun 12, 2010 at 10:53:52AM +0200, E.T wrote:
> > * Nick [2010-06-11 12:55]:
> >> If you want low power consumption and low cost, I'd suggest a small
> >> PIII or Celeron based system, hard to beat for the price (usually,
> >> free!). IF the new, cool stuff has any real power savings, you
reply-to
On Mon, May 24, 2010 at 09:56:45PM -0700, J.C. Roberts wrote:
> Since most providers have bandwidth caps measuring all network
> traffic, preventing your system from connecting when it doesn't need to
> be connected is fairly important. Unlike the old POTS (land line)
> modems, these new mobile dat
On Fri, May 21, 2010 at 10:45:01PM -0500, Marco Peereboom wrote:
> I've lost 3 due to washing...
I've revived many with a toothbrush and alcohol.
It's not the water, but all of the stuff that deposits on the thing.
Still, just take the backups...
On Fri, May 21, 2010 at 12:22:10AM +0200, Reyk Floeter wrote:
> > Linux's bonding module has an arp monitor which solves some of these
> > problems, but the implementation is so hackish (as usual there...) that
> > I'd rather not use it in production. arping and ifstated might do the
> > same on op
I do this too. In addition to the previously mentioned problems with
cheap switches losing their configs (and vlans) you should make sure the
active interfaces are all on one switch so that the link between them
isn't uselessly used; this will also avoid an unpleasant split brain
event if that link
On Thu, May 20, 2010 at 08:17:48PM +0200, Henning Brauer wrote:
> > I have two identical "core" switches in one (not really so critical at
> > all) place running OSPF, with a bunch of routers connecting to both
> > switches for redundancy. Works pretty well and there has even been a
> > config rese
outing protocol) is pretty difficult.
One pseudo solution is to run a bridge instead of trunk on the 2
interfaces and use STP for fail-over; I find that too yucky to solve a
problem that doesn't really exist (just buy a reliable switch with a
redundant power supply or connect the single one to a good UPS)
However, if you need to ask if you can run a trunk on top of a carp, do
yourself a favor and use a single switch. There will be less downtime.
Jussi Peltola
On Sun, May 09, 2010 at 01:59:16AM +0300, Sviatoslav Chagaev wrote:
> Hello,
>
> I have the following network configuration:
>
> $ext_if -- wired interface, connected to my ISP's network, with a real
> IP address, visible from the Intertubes.
>
> $int_if -- wired interface, to which comps on my
On Thu, May 06, 2010 at 11:55:58AM -0700, Jeff Powell wrote:
> All this works just fine until I try to put another server on the public net.
> When I point that server's gateway at the public IP of the router ($IntIF),
> it's blocked by the NAT. I understand that this is NAT doing its job by
> blo
On Wed, May 05, 2010 at 07:27:46PM +0100, Kevin Chadwick wrote:
> Of course, if it's your mail server and clients you can use ips without
> dns have certificates tied to those ips and even block or monitor resets,
> none of which can be done with starttls and it is also a smaller window
> of opportu
you've lost.
Current day email just is not secure. It's no use trying to pretend
otherwise.
Jussi Peltola
Yes, yes. Polarized insults and yet more preaching... and PHP, give me a
break.
How can you use Gmail? Or is closed source SaaS suddenly OK? Why would
hosted sharepoint be any different?
Also, could you translate these sentences into English? I'm having
serious problems parsing them.
> Its wrong
;
> Take the hint and get rid of both. Their presence fucks up the net.
Could you stop spewing this on m...@? This is not Lars's-little-soapbox@
and your opinions of all kinds of proprietary products have nothing to
do with OpenBSD. The fact that the rest of this thread is almost as
irrelevant is not a good excuse.
Jussi Peltola
On Sat, Apr 10, 2010 at 12:38:25PM +0200, Mats-Göran Karlsen wrote:
> -rw-r- 1 root wheel 390 Jul 13 18:30 rc.transmission
it's not executable
> The following is appended to /etc/rc.conf
use rc.conf.local
Any extra steps will probably lead to someone screwing up (and I don't
want to be the sole person able to do day to day operations on these
things...)
Thanks
Jussi Peltola
On Mon, Mar 15, 2010 at 08:02:50AM -0400, Steve Shockley wrote:
> If you do take it apart, make sure you have some heatsink grease
> on-hand, as the factory stuff may look (and function) like dried
> toothpaste. Don't spend extra on "special" grease, it doesn't really
> make a difference.
L
You are trying to do something evil by making a bridge pretend it is the
host on its other side. Do not do that. Just fix the upstream firewall
to pass the management traffic you need to the box.
127.0.0.1 shouldn't arrive on a non-loopback interface. If you wanted to
try to do this kind of silly
On Tue, Feb 23, 2010 at 10:10:16PM +0800, Edwin Eyan Moragas wrote:
> hi misc,
>
> i have two outgoing DSL connections using PPPoE.
>
> i've read about mpath in the FAQ (together with ifstated(8)) and
> scoured the PF examples but i haven't found any straightforward
> examples using PPPoE.
>
> a
On Sun, Feb 21, 2010 at 08:26:44PM +1000, David Gwynne wrote:
> i hate to bring this up, but if you have cisco gear with dhcp snooping enabled
> you can enforce this on the switch.
That's probably also the only reasonable place to do it. Thankfully it's
not only cisco that does that nowadays.
St
The input should be capacitively coupled, so even if your mic has a DC
offset it shouldn't matter. Either the capacitor is leaky or the ADC is
broken. It could be a driver weirdness but that sounds unlikely.
If you don't mind losing the few bits of dynamic range, you can just
remove the DC offset
Just put your data on some funny port, then? Or give it a long and hard
to guess name, that might actually have sufficient entropy to be any
use.
A less-than-16-bit "random" port is rather easy to guess.
And, if you really want to do port blocking, read the pf man page. It is
possible with a rule
On Sun, Feb 14, 2010 at 02:36:56PM +0100, Claudio Jeker wrote:
> I would install a default blackhole route like this:
> route add default -blackhole 127.0.0.1
Hmm, why not -reject? To avoid error messages while the routes are not
yet installed in the kernel?
On Sun, Feb 07, 2010 at 10:10:22PM -0500, Nick Holland wrote:
> With all this talk about power reduction...I'm going to toss out one
> small suggestion:
>
> Get a Wattmeter, and measure... Don't waste your time speculating.
>
> An ammeter and high school physics V*A=>Watts doesn't cut it for AC
On Mon, Feb 01, 2010 at 04:54:49AM +, Jacob Meuser wrote:
> On Mon, Feb 01, 2010 at 05:57:11AM +0200, Jussi Peltola wrote:
> > On Mon, Feb 01, 2010 at 02:35:54AM +, Jacob Meuser wrote:
> > > yeah, but wasn't the original issue that started this thread that
On Mon, Feb 01, 2010 at 02:35:54AM +, Jacob Meuser wrote:
> yeah, but wasn't the original issue that started this thread that
> the locate database was "too old"? maybe if locate, apropos, etc would
> print "database last updated 3 weeks 2 days ago"?
This should be done in any case. IMHO
http://www.gossipgamers.com/pokemon-redesigned-in-traditional-japanese-style-artwork/
On Sat, Dec 26, 2009 at 09:07:13AM -0600, Chris Bennett wrote:
> SMART is not the final word.
True
> Try running badblocks from e2fsprogs.
Neither is badblocks
> Be sure you use it correctly. You will need the partitions unmounted for it
It's rather hard to prove a disk isn't broken; a program
State. Blocking outgoing traffic will not prevent replies being allowed
out.
On Fri, Dec 18, 2009 at 02:51:34PM +0700, Edho P Arief wrote:
> can you please enlighten me on why that's a bad thing?
Filling up / can be more annoying than filling up /usr.
It's better to make sure your mounts work and not try to work around
broken systems, though.
This is just silly. If you make a firewall distribution to "promote
OpenBSD" instead of making a firewall distribution, your source of
motivation is wrong.
OpenBSD is free software. You are completely free to use it as a basis
for your firewall distribution.
The project, on the other hand, does n
Check that another pass rule later in the file is not overriding it.
Maybe try with quick.
I've seen my share of broken WaveLAN cards and AP-2000 power supplies.
Still, the new crappy WLAN devices probably have 10 times the failure
rate and don't work too well even when not broken...
IME even with newer hardware, leaving it open and using IPSec, openssh
etc. will be less painful. WPA s
On Sat, Dec 05, 2009 at 12:44:42PM -0800, rhubbell wrote:
> On Sat, 5 Dec 2009 15:28:09 -0500
> STeve Andre' wrote:
>
> > mostly a waste of time, except for the educational aspects of what not
> > to do.
>
> Thanks for the nice story. I get a kick out of how far folks here go out
> of their way
Try setting srcid and dstid manually (I used FQDN:s and pubkeys to make
it work, didn't succeed with IP addresses), you might also try testing
with a PSK to eliminate one part of the equation.
This is normal. The Linkstate column shows the CARP state, and the
interface is passive so it is DOWN - you do not run OSPF on it so there
are no neighbors.
On Tue, Dec 01, 2009 at 06:17:32AM -0500, stan wrote:
> On Mon, Nov 30, 2009 at 11:29:00PM +0200, Jussi Peltola wrote:
> > Not knowing your network I can only guess you don't want to mix CARP and
> > OSPF on the "outside" interfaces. OSPF will handle the fail-over.
Not knowing your network I can only guess you don't want to mix carp and
OSPF on the "outside" interfaces. OSPF will handle the fail-over.
CARP interfaces listed in ospfd.conf as passive will "just work" and get
advertised in OSPF when they are master.
You probably don't want redistribute connect
This works for me:
# NB: if a carp address is the lowest IP you will get duplicate
# router-id's - maybe ospfd should ignore CARP interfaces when selecting
# the host id?
router-id 1.2.3.4
area 0.0.0.0 {
interface gif0 { } # link to another site
interface gif1 { } # link to anot
Insufficient data.
What are you going to do with it?
On Tue, Nov 10, 2009 at 11:18:57AM -0700, Theo de Raadt wrote:
> If you want to never lose data, you have an option. Make the filesystem
> synchronous, using the -o sync option.
>
> If you can't accept the performance hit from that, then please accept
> that all the work done over the ages is only
Even expensive APs tend to run
hot and be somewhat unreliable, this also allows you to position the APs
optimally. If you need to drive to change the broken AP, buy a more
expensive one and hope for the best.
Ignore WLAN "security" if you can and use IPSec or something similar
that is truly secure and not a pain in the butt.
Jussi Peltola
The card's inputs probably work only one at a time. You would also need
some interesting post-processing to merge 3 streams of RGB captured
separately, and lack of sync would probably make it not work very well.
VHS has so little bandwidth that using composite video is just fine.
Don't fuss about
How about re-scheduling it so it wakes you up in the morning at the
right time :)
How about trying it? Our crystal ball is unfortunately not able to
predict your traffic patterns.
50mbps sounds very little for a modern box running openbsd. I can get
20mbps over IPSec on an ALIX...
Jussi Peltola
On Wed, Oct 14, 2009 at 01:14:00PM -0500, Sergio Andrés Gómez del Real wrote:
> Thanks for the reply.
>
> Indeed, I use usb_modeswitch under Linux, it is, however, quite just
> for Linux, cause it reloads a certain kernel module. With GENERIC
> kernel, usb_modeswitch does not even recognize the de
since it only really
guards against hardware failure and not against user or software errors.
--
Jussi Peltola
On Wed, Sep 16, 2009 at 08:22:19PM +, Stuart Henderson wrote:
> On 2009-09-16, Peter Kay - Syllopsium wrote:
> >
> > At the risk of a flaming, sysmerge is also a pain in the arse. Once you
> > know how to use patch files and diff properly I'm sure it is absolutely
> > wonderful, but it also c
On Sun, Sep 13, 2009 at 03:35:04PM +0200, Maurice Janssen wrote:
> The NFS-server is an embedded device (Netgear NAS). Unfortunately I
> can't set the +5 on the shutdown command...
Then there's probably no way to mount the NFS server's FS's sync? That
could be enough if all processes that need
On Sat, Sep 05, 2009 at 05:37:58AM -0600, Anathae Townsend wrote:
> match out on external from to any nat-to (external) round-robin
IIRC it's been that way as long as I can remember, if you only have one
address round-robin doesn't really do anything.
--
Jussi Peltola
I'd suggest running ospf over pointopoint links (gif/gre, on ipsec if
desired) instead of faking a layer 2 backbone where there isn't one.
--
Jussi Peltola
~tlbdk/Privileges-Drop-1.01/lib/Privileges/Drop.pm
--
Jussi Peltola
> port $ROUTER_ALLOW_OUT
>
>
> pass out log on $EXTIF001 proto icmp from
> {$ROUTERSINTIFACES,$IBGPALLOW,$DECLAREDHOSTS} to any
> pass out log on $EXTIF001 proto {tcp, udp} from
> {$ROUTERSINTIFACES,$IBGPALLOW} to any port $ROUTER_ALLOW_OUT
>
> # IPv6 config not yet completed, will do once v4 fully done
> pass quick inet6
>
I'm not sure if I see a typical border filtering scheme (maybe I didn't
read carefully enough), you'll want to drop:
* Packets not from you (your advertised prefix) to your ISP, probably
also log these (even though your ISP should drop them, they might
not[1] and you really want to know about them)
* Packets from you from your ISP, they are not you. Logging these should
be interesting, too.
* Probably also: packets not addressed to you from your ISP
[1] I once managed to send packets from an RFC1918 address through two
AS's to my home DSL line. Don't trust your ISP, do your own
filtering.
--
Jussi Peltola
It makes no sense to try to bridge ethernet over ppp. You need to route,
not bridge.
the narrow, tall spike
into a wide, low pulse that you can't easily hear. Surely not something
you can fix without physically poking the hardware, though probably not
very difficult if the noise is really annoying.
--
Jussi Peltola
On Fri, Jun 26, 2009 at 09:57:51PM +0530, Siju George wrote:
> I am wondering why this has increased in the near future :-(
>
> --Siju
>
Maybe you should stop sending more of it
But even measuring the ripple with a scope won't guarantee it's OK.
Swapping out all of the hardware is sometimes the only way to find out.
Same goes for memtest86+: it can prove it's broken, but if it doesn't
find problems it doesn't guarantee there are none.
--
Jussi Peltola
MUA that doesn't suck too much :)
--
Jussi Peltola
On Fri, Jun 05, 2009 at 04:11:39PM -0400, Joe Gidi wrote:
> Also, the machine has no serial port, so I can't try the serial console
> trick.
It does, but you need the port replicator to access it. Maybe you can
find one you can borrow.
--
Jussi Peltola
't have much money for making the internet links redundant.
--
Jussi Peltola
I'd rather run pfsync in its own vlan than over a realtek card. It's
probably not any slower (what could be slower than a realtek...) and
it's not really any less reliable (what use is pfsync if your "business"
network goes down?)
On Sun, May 24, 2009 at 02:49:53PM +0200, Martin Schröder wrote:
> 2009/5/24, Stuart Henderson :
> > The "P" (Private) suggests some kind of privacy.
>
> "MPLS is well suited to the task as it provides traffic isolation and
> differentiation without substantial overhead."
>
Doesn't the public I
Depends on the db9-rj45 adaptor, some need a rollover cable, some a
straight one. Try it.
Many (probably 50%) of RJ11 4-wire telephone cables were crimped wrong
by the factory and are in fact roll over cables (RJ11 fits in RJ45,
but you need 4 wires, 2 won't work).
Saved me some from hair loss one sunday far away from everything.
--
Jussi Peltola
pensive new
plasticy thing that sounds like it's going to take off until the fan
fails after a year... let alone the icky hardware with driver pains.
--
Jussi Peltola
's usually pretty good.
Small switching supplies like ones for sokeris etc. can be pretty bad.
Linear supplies will also be far from 1.
--
Jussi Peltola
ly, ssh is one session, https is a stream of tiny ones.
still, the point stands, encrypting bus data sounds pretty slow
especially since it's latency sensitive
--
Jussi Peltola
On Mon, Apr 06, 2009 at 06:57:56PM -0500, Abel Camarillo wrote:
> Personally I believe that HP printers are they only thing that doesn't
> suck.
>
> I have had a very cheap HP printer for the last 8 years without any
> problems (a very cheap Inkjet).
I can agree with that they didn't suck 8 year
ght have interesting differences. I wish I could
just put my PCBs through a laser printer and etch away...
--
Jussi Peltola
r), and scary examples of shared ethernet segments
with windows broadcasts storming in...
General ideas on securing ethernet are also welcome (I don't really like
the idea of having separate servers sharing a subnet, either - and we
had a discussion about the wrong solutions a while ago.)
--
Jussi Peltola