in the manual.
Because I have no intentions of learning the guts of the PHP
interpreter, the method I used back then was the stupidest of them
all, adding die("hard"); after every suspicious line in the execution
path. The function that failed was a MySQL one, IIRC. You can try
repeating that...
Martin Pelikan
ng matches to queue "big", it'll look for "big" on each
# direction, and appear on the queue it goes out on.
# This way you'll get bi-directional shaping using just one rule.
# Remember, never trust anything you didn't test yourself first.
Martin Pelikan
course, swap "download" for "upload" in all this.
Stuff queued going out is usually called upload, and it is on your egress
interfaces. This queueing happens when traffic leaves the machine.
Sorry. (this confusion sometimes happens to almost everyone I know) :-(
Martin Pelikan
e management this already is a blessing, but
(it's probably irrelevant, so don't bother to start flamewars)
Martin Pelikan
per-anchor config files, like so:
$ cat my.conf
table persist
pass from
$ sudo pfctl -a potazmo -f my.conf
$ sudo pfctl -a potazmo -sT
$ sudo pfctl -sT | grep ausfahrt
...and then load the anchor in the main file using:
load anchor potazmo from "my.conf"
Martin Pelikan
n one screen)
Also, you can say if you ran other versions of OpenBSD on the same
configuration, or messed with the hypervisor's kernel lately, or if it
is a new install on an out of the box dom0 that just happens to fail.
Martin Pelikan
OpenBSD 5.1-current (GENERIC) #258: Mon Jun 11 11:52:2
} __packed;
Imagine what you would gain if you forced people to use the same rules
or even the same interface names. These are completely separate
Martin Pelikan
n our base as a legacy
option and go straight for NSD.
Seriously, it's just a matter of time before someone in your network
notices this and will wonder why some websites load and others not.
Martin Pelikan
here near ddb entry perhaps?).
Haven't tested it, though :-(
Martin Pelikan
Index: arch/amd64/amd64/mutex.S
RCS file: /cvs/src/sys/arch/amd64/amd64/mutex.S,v
retrieving revision 1.8
diff -u -p -r1.8 mutex.S
--- arch/amd6
example, because
one of the RFCs requires the redirect packet's source address to match
the address you sent it to in the first place. Try telling them that.
Or ask them why can't they take one of your addresses and
use it for their gateway? This is just crazy.
Yes, their MAC addresses/{U,G,D}UIDs can change; that's why you need to
ask them first. It also helps if they're running CARP/VRRP, because if
they don't play with VHIDs, their MAC addresses don't change with their
infrastructure :-)
Martin Pelikan
This way it'll work even if you don't invoke package updates from your
shell, but using some kind of remote administration software for
Martin Pelikan
ave it just a quick look (and
moved to more important things to do).
Martin Pelikan
8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: W83627DHG rev 0x25
lm1 at wbsio0 port 0xa10/8: W83627DHG
mtrr: Pentium Pro MTRR support
uhub1 at uhub0 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
Martin Pelikan
ling to
explain some of the behaviour I consider myself not educated enough to
play with kernel options...
Unfortunately I probably won't be able to repeat the tests for some
time now, as the machine is already in production.
Martin Pelikan
sudo tcpdump -qns 1500 -w ...
Martin Pelikan
pass on insidenet to queue (some_big_queue, lowdelay)
But this machine is quite loaded - consider increasing the limits by
several smaller steps.
I'm posting this also because someone can tell _me_ what I'm doing
wrong - any thoughts?
Martin Pelikan
acquire/require messages from the kernel but
> currently requires to have an active flow from an initial IKEv2
> handshake. It is on our TODO list ;-).
iked(8) and certificate revocation work just fine.
Martin Pelikan
y became out of the question
since it doesn't support tab-completion at all. mksh seems to work
fine - thanks to Kevin for posting on this list.
Martin Pelikan
penVPN running with UDP. Lots of
> dropped packets would be rather catastrophic for it.
When dropped packets are 'rather catastrophic', why on earth do you
use udp then?
Martin Pelikan
ou=Groups, cn=mygroup1 (an example of a group)
dn: cn=mygroup1,ou=Groups,o=storkhole
objectClass: top
objectClass: posixGroup
cn: mygroup1
gidNumber: 1001
memberUid: myusr1
Martin Pelikan
ard to write/port, can it?
And yes, it's painfully slow and stupid, but fortunately for us
unnecessary most of the time.
By the way, with the vmmap diff firefox4 and everything works just
fine for about 3 days now. Thanks!
Martin Pelikan
>> bi-directional traffic for port UDP/500 stops
Is the isakmpd process still running? Did you really run it like
'route -T1 exec isakmpd'? Because with httpd it seems to work fine for
me (different setup, but works). netstat -a displays all of them all
the time.
>> maybe i should try GRE with IPSEC on top of
>> that...(?)
Not sure it'd help.
Martin Pelikan
w will ldap manage uid allocation?
> Thanks in advance.
You have to manage that for yourself; this might help your tools written
in C. And note that in most schemas it's not 'uid', but 'uidNumber'.
Martin Pelikan
nside a screen? ssh'd to other
machines? Not to mention ^A is beginning-of-line in most terminals.
And the screen's window management! What a pleasure!
And the way screen reports its messages! Still a mystery to me.
tmux ftw :-)
Martin Pelikan
t. Either you're making a living,
and not-supporting IPv6 means deliberately disserving your customers
(sorry everyone, but ordinary people don't give a damn about your
opinion), or you're a non-profit organization, such as OpenBSD, and
you can rebel against it by not using it.
Martin Pelikan
as suggested by halex@ can become a problem if each of
these hosts hosts some huge application which is hard to modify.
Martin Pelikan
eople are referring to security reasons, but it
just equals to "block in" or "block in from any to $my_net"...
Martin Pelikan
'll notice the difference only with lots of
multimedia and heavy optimized computing.
Or a habit is just a second nature...
Martin Pelikan
hell is
going on. No ACPI sensors were found. What does "acpi0: PM1 stuck"
Thanks in advance.
Martin Pelikan
OpenBSD 4.8-current (GENERIC.MP) #759: Sun Jan 9 20:02:53 MST 2011
real mem = 2135785472 (2036
2011/1/10, Christoph Leser :
> Hello,
> I have an IPSEC VPNs in Tunnelmode, configured in ipsec.conf with a line
> like:
> ike active esp tunnel from to peer
> My isakmpd.policy file is
> # cat /etc/isakmpd/isakmpd.policy
> Keynote-version: 2
> Authorizer: "POLICY"
> Conditions: a
would I have to change to only accept those remote network Ids
> that are configured in ipsec.conf?
The above, or more specific.
Sorry for the previous empty reply, I'll finally try to learn how to
use an email client.
Martin Pelikan
like this works for me (I'm in the UK and using
> ADSL from, who I thoroughly recommend)
Of course, this should be the right way on the router. Feel free to
ask your provider on how to achieve what you want..
Martin Pelikan