On Mon, Mar 09, 2009 at 04:50:51PM +0100, Felipe Alfaro Solana wrote:
> ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.
SeND will not be coming to OpenBSD any time soon.
http://www.ietf.org/rfc/rfc3971.txt
http://www.ietf.org/rfc/rfc3972.txt
80 pages across two RFCs for
On Mon, Jul 28, 2014 at 08:28:04PM -0500, Stan Gammons wrote:
> A fellow from Intel told me they are coming out with Coreboot
> firmware for the Minnowboard max, no ETA other than "soon", and
> he didn't know if any of the BSD's would work with it. He said
> the forthcoming FreeBSD 11 almost boots
My immediate reaction is "don't do it", but on the other hand I've never
known people for whom 'money is not a problem' to shy away from
something because of boring concerns like security. So...
Software:
Basically, to do this "correctly" you need to parse all the packets
running in both directi
On Fri, Nov 09, 2012 at 04:14:28PM +0100, Ariel Burbaickij wrote:
> What is the rationale behind this statement:
>
>
> "...
> - CPU: maximum SINGLE CORE "turbo" speed. Disable the other cores,
> they're not helping you at all..."?
OpenBSD doesn't run multiprocessor inside the kernel, so SMP pr
On Fri, Nov 09, 2012 at 06:27:06PM +0200, Dan Shechter wrote:
> I can do some assumptions regarding the TCP flow and its origins. It's
> coming from the stock exchange over IPSEC gateways over leased lines.
> I think I can trust the origin of the flow. At least I can trust it as
> much as the off t
On Mon, Dec 31, 2012 at 04:53:15PM +1100, Aaron Mason wrote:
> Ok, I just tried freeing NULL, and it did nothing. Granted it was on
> a Linux system but still...
free() handles a NULL pointer by doing nothing, and it will behave this
way on any posix compliant system. However, on an OpenBS
On Fri, Sep 04, 2015 at 11:22:48AM -0700, Chris Cappuccio wrote:
> Since the purpose of Secure Boot provide little to no benefit to users
> (in fact quite the opposite), the question becomes why?
>
For paranoid softraid crypto users who are concerned about a modified
boot
Are you using route-to in your configuration?
This has been partly fixed in -current; if the route-to rule is matching
on an outbound packet the deferred packet will be routed correctly.
It is still broken in the case where route-to is on the inbound path;
this is trickier to fix and I'm still co
On Wed, Dec 05, 2007 at 01:00:11PM +0100, SeDoFa wrote:
> It's true, but this can't solve any problems. In my case I have a /16
> subnet and I need to nat every single IP to a different IP, for a
> total amount of about 400 IPs. Same subnet, same interface, redundant
> firewall with carp. Is ther
On Thu, Jan 24, 2008 at 10:11:14AM +0100, Pau Amaro-Seoane wrote:
> I was thinking, as somebody in the thinkpad forum suggested, of "an
> USB WLAN "dongle", but one of those with an external antenna that is
> connected through a standard (typically: Reverse) SMA-connector. Next,
> get a sufficientl
On Sun, Feb 24, 2008 at 11:27:31PM -0800, Don Jackson wrote:
> I would like "make release" to use [ a ] "read only source tree"
I use lndir(1) to accomplish this. Check your source tree out somewhere
else, and use lndir to make a 'copy' in /usr/src. Build from there, no
other magic required.
On Thu, Mar 13, 2008 at 12:29:47PM +1100, Damien Miller wrote:
> On Wed, 12 Mar 2008, Ed Ahlsen-Girard wrote:
>
> > Does OpenBSD's OpenSSL use the FIPS 140-2 certified bits where
> > applicable?
>
> No. Furthermore, there are no "FIPS 140-2 certified bits" - it is an
> entire package that is cert
On Sun, Mar 16, 2008 at 12:47:48PM +1030, Timothy Wilson wrote:
> I was wondering how I can use a dvorak keyboard on the console? I've
> googled, but I can only find how to's for X11, or for 2.x OpenBSD. I'm
> sure it's something simple in rc.conf (.local!), but I can't find it.
> Any help would be
On Sun, Mar 16, 2008 at 02:57:23PM +1030, Timothy Wilson wrote:
> Maybe this is new in 4.3 or 4.2? I don't have this option in 4.1. I
> guess I should upgrade :)
Are you sure you're looking in the right place?
$ uname -a
OpenBSD foo 4.1 GENERIC.MP#0 i386
$ which kbd
/sbin/kbd
On Sat, Mar 22, 2008 at 10:49:26AM -0700, johan beisser wrote:
>> I would like to reach a state, if possible, in which load balancing is
>> performed, but at the same time, if one machine fails, the other will
>> automatically take over. I believe this setup is also very useful when
>> deploying up
On Mon, Mar 24, 2008 at 12:15:55AM -0700, Bryan Irvine wrote:
> having also not read the book, my guess would be that a transparent
> proxy + firewall would increase security because people don't have the
> the option to run SSH tunnels via the HTTP port. A good example would
> be years ago I ran
On Sat, May 26, 2007 at 09:36:48AM +0200, Alberich de megres wrote:
> I know I repeat myself, but that's important for me: my pf isn't syncing
> tables i create. Can I solve this?
Write a tool that synchronises your tables.
The pfsync protocol as it stands is not an appropriate protocol for
synch
On Thu, May 31, 2007 at 03:43:56PM -0700, [EMAIL PROTECTED] wrote:
> We're nearing the 8300pps mark so I was worried? But should I be?
You're fine. The 8300pps mark is not an upper limit, it's the best case
for a full 100Mbit ethernet link (ignoring jumbograms).
> Because the majority of my pack
On Thu, Jun 28, 2007 at 02:56:33PM +0100, Stuart Henderson wrote:
> On 2007/06/28 15:45, Huzeyfe ONAL wrote:
> > Use "no state" in your rule.
>
> and 'flags any' if it's TCP.
You can set this explicitly if you'd like, but it's not necessary:
pfctl only applies 'flags S/SA' by default if the rule
On Wed, Jul 04, 2007 at 10:03:20AM -0700, Austin Hook wrote:
> Thanks for the pointer to some "stable" binaries, however it's too old for
> me. I guess I will try with current snapshot and build stable 4.1 if I
> need it.
If the problem is entirely a kernel issue, until 4.2-beta you should be
abl
On Tue, Jul 31, 2007 at 09:59:23PM +0100, poncenby wrote:
> Grateful if anyone could recommend a mail retrieval program which does
> not require a local SMTP service like fetchmail does.
How about fetchmail? (with procmail / maildrop / whatever)
poll mailserver protocol imap service 993:
use
On Thu, Jun 22, 2006 at 01:04:00PM +0100, Constantine A. Murenin wrote:
> On 21/06/06, Joco Salvatti <[EMAIL PROTECTED]> wrote:
> >So the attacker could enter in single
> >user mode, without the need for the root password, and load a
> >malicious kernel module.
>
> The attacker cannot load a malic
On Sun, Jun 25, 2006 at 01:55:24PM -0400, Barry, Christopher wrote:
> > display format of the host. One selection is network board
> > manufacturer, based on MAC allocation I'm guessing. My CARP
> > interface says the mfg is U.S. Department of Defense.
CARP uses the same MAC address range as VRR
On Mon, Jul 03, 2006 at 04:58:09PM +0200, Sebastian Reitenbach wrote:
> I can setup a tunnel between both hosts, and route the multicast
> packets through the tunnel and then have the IP address shared between
> the two hosts?
No. CARP does not accept packets that have crossed a router, to preven
On Wed, Jul 05, 2006 at 10:35:15AM -0700, c.s.r.c.murthy wrote:
> "block all" in pf.conf is ok, but it will go away when the rules are
> flushed for known/unknown reasons. I feel it is desirable to have a
> kernel parameter that does default blocking when all rules are flushed.
A patch is
On Wed, Jul 05, 2006 at 02:36:44AM -0400, Nick Guenther wrote:
> # pfctl -F all && echo "block all" | pfctl -f -
> then the switch over to the new ruleset is pretty snappy and hardly
> enough time for any malicious packets to get through.
Flushing the ruleset is totally unnecessary when loading a
On Tue, Aug 08, 2006 at 12:33:23PM +0200, Henning Brauer wrote:
> > Why the carp "interface" cannot be used in context of the interface?
>
> well, because it is that way.
Because of the way that the routing currently works, if both the carpdev
'physical' interface and the carp interfaces have add
On Wed, Aug 09, 2006 at 07:33:08PM -0400, Jason Dixon wrote:
> Unless you're using more than 255 VLANs (unlikely), you don't need
> that many vhids.
Also, if the carp(4) devices are connected on different VLANs
(distinct layer 2 segments), you can use the same vhid on multiple
interfaces.
On Mon, Aug 28, 2006 at 09:15:44PM +0200, Joachim Schipper wrote:
> On Mon, Aug 28, 2006 at 11:58:39AM -0600, Tim Pushor wrote:
> > Only question is to whether or not to use the/a carp address for the DNS.
>
> It will work, but as noted, there's no particular reason to do this;
> redundancy is bui
On Tue, Aug 29, 2006 at 05:50:56PM +0200, [EMAIL PROTECTED] wrote:
> block drop in log quick on $ext_if os NMAP overload flush
This is a bad idea, because nmap scans can be trivially spoofed (nmap
provides a command line option to do this), resulting in a simple denial
of service attack.
We have
On Mon, Aug 11, 2008 at 01:14:53PM +0200, Marco Fretz wrote:
>> How odd. I know at least one site that runs all of their BGP off of
>> OpenBGP on OpenBSD boxes that are dedicated as routers. In all cases,
>> these systems outperform the equivalent Cisco hardware for a fraction
>> of the cost.
>
> F
On Tue, Apr 08, 2008 at 07:04:31PM -0600, Daniel Melameth wrote:
> 8.25Kb/s? I know this is 1Kb/s so what's going on? Is this just an
> inaccuracy in the pfctl output or does altq really think I'm moving 8Kb/s?
> I assume it's the former as pftop appears to get it right:
Make sure you're paying
On Tue, Jun 10, 2008 at 11:19:46PM -0700, Aaron Glenn wrote:
> Is there a particular time of day most changes are committed (like
> pre-dinner) or should we sync and build at whim?
People are working pretty much all the time, though you may notice a
slight decrease in commit rate around beer o'clo
On Mon, Jun 16, 2008 at 05:19:16PM +0800, Dongsheng Song wrote:
> How can I default boot into GENERIC.MP, and not remove the 5 second
> pause at boot-time?
Use the following in your boot.conf:
set image bsd.mp
man boot.conf for more details...
On Mon, Jun 16, 2008 at 11:28:36AM +0200, Michiel van Baak wrote:
> > How can I default boot into GENERIC.MP, and not remove the 5 second
> > pause at boot-time?
>
> cd / && mv bsd bsd.up && mv bsd.mp bsd && reboot
This is not really good advice, because it breaks next time you
accidentally copy
On Fri, Jun 20, 2008 at 12:49:43PM -0700, Darrin Chandler wrote:
> > Yes, you use sloppy state only on the host(s) seeing half of the traffic.
>
> So to say it even more plainly... anywhere you are forced to deal with
> asymmetric routing you can use sloppy state in place of not having any
> statefu
On Thu, Jun 26, 2008 at 09:37:28AM +0530, Amarendra Godbole wrote:
> It would be a pleasure meeting folks on this mailing list, including
> OBSD developers' at BH or DefCon. Thanks.
The great majority of OpenBSD developers are from outside the United
States, and I would guess that most of us prefe
On Wed, Jul 02, 2008 at 03:52:26AM -0700, kavitha reddy wrote:
> Very recently I bought OpenBSD 4.2 (pack of 3 CDs). Now, as a part of my
> research work I am interested to know whether it is possible to show DoS
> attacks in OpenBSD 4.1. If so let me know how can that be possible. As you said
> when
On Wed, Jul 02, 2008 at 04:19:21PM +0200, Michael wrote:
> topic says all I guess... if you need more details please let me know.
Well, with a bug report as detailed as this all I can say is it's
probably been fixed, try a new snapshot.
On Mon, Jul 14, 2008 at 09:19:22PM -0700, Parvinder Bhasin wrote:
> When I try to add the external ips as aliases on my external interface,
> it works fine.
>
> Isn't the BINAT statement sufficient??? do i have to use aliases???
Unless the addresses are being routed to the firewall in question, y
On Mon, Jul 14, 2008 at 09:48:22PM -0700, Parvinder Bhasin wrote:
> Actually Ryan, when I do the aliases way , do I still need the binat
> statements? because when I use aliases and binat statements together,
> it doesn't work.
> Without the binat statements and with aliases everything works f
On Mon, Jul 14, 2008 at 10:28:18PM -0700, Parvinder Bhasin wrote:
>> Filtering happens AFTER translation, so you need to filter on the real
>> addresses of the hosts, not the alias addresses.
>
> Hmm by real ip do you mean internal ips of the servers??
Yes.
On Wed, Jul 16, 2008 at 10:24:36PM +0200, Martin Schmitt wrote:
> I'm trying to use a Huawei E220 UMTS USB modem on an ALIX, using OpenBSD
> Flashdist 20080504.
Please try this with the GENERIC kernel, and report back to us if you
still have a problem.
synproxy in pf already makes sure the 3-way handshake completes before
the connection is completed on the other side; rate limiting can also be
done on the OpenBSD firewall, so it's not clear why you would need an
extra box there.
The bigger problem with DDoS attacks is that the upstream pipe is f
On Wed, Oct 04, 2006 at 10:18:21AM +0200, Joachim Schipper wrote:
> > I have two firewalls running CARP and pfsync for high availability. The
> > physical interfaces do not have IP addresses, only the CARP interface
> > do. The problem is that the backup CARP interface still needs to be
> > a
I've just committed code based on a suggestion made by Daniel Hartmeier
to make flags S/SA keep state the default for rules.
NOTE: This change is in -current only, and does not apply to the
4.0 release.
These changes make pf rulesets significantly cleaner, improving
readability. More impor
> The company I work for is required to get PCI (Payment Card
> something-or-other) certified in order to keep doing some of the things
> that we are doing with credit card payments.
Payment Card Industry Data Security Standard
[snip]
> However, now that we need this cert, one of the few things
On Sun, Oct 08, 2006 at 01:53:42AM -0400, Martin Gignac wrote:
> Is there any plan to add a variable in /etc/rc.conf to achieve this,
> or is using '-o' during boot considered a bad thing?
The plan is to make it possible to specify the optimization level
directly in the pf.conf file (which one cou
On Tue, Oct 10, 2006 at 05:50:50PM -0400, Brian A. Seklecki wrote:
> Certainly a way to log events (interfaces, etc.) and the resulting actions
> taken by the code would be useful in mission critical environments.
>
> Anything beats "tcpdump 'proto carp'" and making guesses from there.
Nothing n
On Tue, Oct 10, 2006 at 08:31:25PM -0500, Sam Fourman Jr. wrote:
> for what is it worth I would like to say thank you for porting kismet,
> I use it all the time, because I do not know of another tool to scan
> for available AP's
ifconfig -M
dstumbler (in security/bsd-airtools)
On Thu, Oct 19, 2006 at 01:09:57PM -0600, Breen Ouellette wrote:
> > From: Daniel Hartmeier (danielbenzedrine.cx)
> > pf uses a binary search tree instead of a hash table, which doesn't
> > require pre-defining a maximum size. The tree will just grow until
> > memory allocation fails. With 64MB RAM
On Tue, Oct 24, 2006 at 12:55:09AM -0500, Sam Fourman Jr. wrote:
> is it possible to have a AJAX enabled Website hosted on OpenBSD?
Yes
> the reason why I am asking is because Apache is version 1.3.x (due to
> licencing issues).
> if not Maybe there is another http server that would support it?
On Tue, Oct 24, 2006 at 10:42:25AM +0200, Magnus Bodin wrote:
> On Tue, Oct 24, 2006 at 01:30:02AM -0500, Sam Fourman Jr. wrote:
> > my next question is Would it be Possible to use AJAX from a CGI made
> > with C running from Apache that Ships w/ OpenBSD?
>
> Yes. C, INTERCAL, ksh.
> Any applicat
On Tue, Oct 24, 2006 at 02:37:05PM +0200, Andreas Bihlmaier wrote:
> On Tue, Oct 24, 2006 at 08:25:52AM +0900, vladas wrote:
> > On 10/24/06, Andreas Bihlmaier <[EMAIL PROTECTED]> wrote:
> > Is this LiveCD/DVD reliable enough to send in dmesg's from it?
>
> Excuse me, but I don't see a point in pos
On Wed, Nov 01, 2006 at 04:50:50PM -0500, Der Engel wrote:
> VMware Workstation 3.2.1 is like a bit old don't you think?
When can we expect your patches to make VMWare Workstation 5.* work on
OpenBSD?
On Wed, Nov 08, 2006 at 10:08:14PM -0500, Michael Hernandez wrote:
> When I got home... I looked... and lo and behold... X was running
> just fine, and there was no xorg.conf to be found.
> Is that expected behavior? Of course not...
Actually, that IS the expected behaviour from X now. It does
At 2006-11-14 13:03:51, Chris Cameron wrote:
> I can't (easily) give direct output from things like ifconfig or pf.conf
> as they're both huge and contain information I've been told we don't
> want to send out. Hopefully this doesn't prevent anyone from helping me
> out.
If it's a problem with car
On Mon, Nov 27, 2006 at 12:16:13PM -, Pedro Hugo wrote:
> Is it possible to send packets with the carp address as the source
> address ?
You have a few options:
- Have the process bind to the carp address only (most daemons allow
this to be configured as do some userland tools such as nc an
On Tue, Jun 07, 2005 at 01:06:53AM +0100, Stephen Marley wrote:
> Is there a way to make a pair of carp hosts to renegotiate with an
> existing ipsec peer when a new carp master is elected? I tried it once
> and it didn't work out.
If the connection to the ipsec peer is not passive, you can use
if
On Thu, Aug 11, 2005 at 07:02:35PM -0300, Luiz Otávio Souza wrote:
> Probably my problem is hardware (two cheap realteks for sync), but why the
> pfsync accept this malformed address, and why the kernel panic on flush ?
> (I can also get panic from a pf -F state).
>
> I can send more info if som
On Mon, Mar 27, 2006 at 12:32:31PM +0900, Jason Stubbs wrote:
> Same main question as in the last thread I posted to, but without any of
> the distractions. Can a pair of redundant firewalls be used with
> arpbalance without being affected by the "state race"?
It should work fine with arpbalance
On Thu, Nov 03, 2005 at 06:11:20PM -0500, Jon Hart wrote:
>1) used to determine that a particular carp packet is intended for
> your carp host?
carp(4) does a number of validity checks before treating the packet as a
real carp packet:
- was the device received on an interface that has a ca
On Sat, Nov 05, 2005 at 04:05:17AM +1300, Josh wrote:
> Is this anything to be concerned about?
>
> http://www.isrc.qut.edu.au/people/mbradfor/openbsd-carp-arpbalance.html
Only if you use arpbalance in a situation where it really matters (as
opposed to a situation where you use it because you thi
On Fri, Nov 04, 2005 at 05:16:22PM +1100, Cameron Simpson wrote:
> [var/[EMAIL PROTECTED]> pfctl -s rules
> block return all
> pass quick proto tcp from any to any port = ssh flags S/SA keep state
> pass in quick proto icmp all keep state
^^
How are the packets
On Fri, Nov 04, 2005 at 07:22:33PM +1100, Cameron Simpson wrote:
> I was imagining the keep state stuff handled that. So - for my mental
> model - a packet being forwarded traverses the rules twice: once on the
> way in and once on the way out?
Yes.
> Well I'd reduced my test to pinging the firew
On Thu, Nov 17, 2005 at 03:02:56PM +1100, Alex Strawman wrote:
> ok, now this makes sense, how is the next hop meant to send packets
> back? it sends them to the mac address the carp0 is broadcasting,
> which the master happily accepts, only to see it's not in its state
> table, and drops it.
>
> t
On Wed, Feb 22, 2006 at 08:39:36PM -0500, Nick Holland wrote:
> Steve D. wrote:
> >Hi,
> >
> >I'm setting up a gateway (1.7 Ghz machine with 1 Gig of ram) for 700+
> >users using pf with NAT and BINAT's (90% NAT). I would like to know
> >if anyone has any recommendations on tweaking the runtim
No, there is no single mutex around PF specifically in OpenBSD, the
whole kernel is wrapped in a biglock.
I think if they work out all the nits and dead-ends we may have
something to learn from this effort, but I don't see this code coming
back to OpenBSD.
It's not critical because they can chang
100Mb/s with aes-128 / hmac-sha1 on
hw.model=Intel(R) Xeon(TM) CPU 2.80GHz ("GenuineIntel" 686-class)
hw.vendor=Dell Computer Corporation
hw.product=PowerEdge 1850
550Mb/s with aes-128-gcm (requires AES-NI and amd64) on
hw.model=Intel(R) Xeon(R) CPU E5649 @ 2.53GHz
hw.vendor=HP
hw.product=ProLiant
$ cat /etc/hostname.trunk0
dhcp trunkport em0 trunkport iwn0 trunkproto failover
Only annoyance is the iwn0 device doesn't attach to the trunk properly
if I boot with the wifi hardware switch turned off.
iwn0: radio is disabled by hardware switch
On Wed, Jun 27, 2012 at 05:04:26PM +0600, �?л�?
On Fri, Jun 29, 2012 at 01:20:49PM +0200, Martin Pelikan wrote:
> 2012/6/29 Matt Hamilton :
> > Does pfsync require firewalls to have the same firewall rules on all
> > hosts in the sync group?
>
> pfsync only synchronizes states. Which rules created them is
> irrelevant.
This absolutely incorrec
On Wed, Aug 29, 2012 at 12:54:18PM -0400, Michel Blais wrote:
> How much can I increase net.inet.ip.ifq.maxlen ?
>
> I'm now at 2048 and still seeing increase in net.inet.ip.ifq.drops.
> This morning, it was at 21280 and now at 21328.
A little bit of congestion increase is not the end of the worl
600Mbps seems about right, I tested a pair of E5649-based boxes to
550Mbps last year (with aes-128-gcm):
http://marc.info/?l=openbsd-misc&m=134033767126930
You'll probably get slightly more than 600 with multiple TCP
streams.
Assuming PF was enabled for your test (the default configuration
On Tue, Oct 02, 2012 at 09:59:05AM +0200, Christiano F. Haesbaert wrote:
> Why not using tcpbench where you can actually specify the parameters
> and know what is going on :).
>
> Play with buffer sizes and you'll see a big difference, using -u will
> give you the actual PPS.
I agree with this.
On Thu, Jun 23, 2011 at 01:21:06PM -0700, Chris Cappuccio wrote:
> Unfortunately I'm not sure that the vlan driver can easily layer on
> top of trunk, a few tweaks may be required to make it work properly
> unless it mirrors if_capabilities from the parent interface (which
> isn't clear to me after
Thanks for pointing this out, it was an oversight in the recent changes
to pf_test_rule().
I recommend specifying explicitly the correct protocols if you're
wanting to match by user/group/os fingerprints.
block return out log proto { tcp, udp } all user = 1002
If you'd like, you can a
There is not much to tweak, performance-wise. OpenBSD avoids such
buttons like the plague, and besides: benchmarks should be run with a
stock install, which is what 99% of users are going to be doing as well.
You can try looking at the output of 'pfctl -si' and see if any of those
is increasing a
wise, I'm
> using a xeon 2.4 GHz monocore with 1 GB of RAM. Since this server is
> used as firewall only, I've raised the kernel space memory to up to
> 90% of total memory. I don't want to make hasty conclusion, so I'll
> keep searching..
>
>
>
> R
On Wed, Aug 17, 2011 at 11:30:05PM +0200, Pablo Velasco Fernández wrote:
> Hi all. Is it possible to recover an FFS partition? During my last OpenBSD
> installation I formatted by mistake my second hard disk with all my videos,
> texts, pictures etc... Thank you for your attention.
In the past I've use
On Tue, Aug 23, 2011 at 09:10:05AM +0200, Per-Olov Sjöholm wrote:
> If you please will explain how "baddynamic" and avoiding certain ports will
> affect what we are talking about...
>
> Naaahh lets forget that section
I believe people are referring to the text above that:
One goal of OpenBSD
On Tue, Aug 23, 2011 at 10:42:59AM +, Stuart Henderson wrote:
> On 2011-08-22, Per-Olov Sjöholm wrote:
> > MCLGETI ?? Is it in if_em.c if I want to see how it is implemented?
>
> it's in various files, see mbuf(9) and look for videos/slides from talks
> by dlg (David Gwynne), there's an asiab
On Wed, Aug 24, 2011 at 07:00:09PM +0200, Per-Olov Sjöholm wrote:
> - SMP
> worse. Really sucks! _Dramatically_ reduced throughput.
This is probably a result of you testing a virtualised guest rather than
real hardware.
> - One processor core (as most of my tests have used)
> An improvement, b
You and anyone else with an x220 want to be running -current, not the
Aug 17 snapshot. Do a CVS checkout and make build, it shouldn't take
long, especially with a nice SSD like that.
(I don't know that it will fix this specific problem - I don't have one
- but it will definitely help other things)
On Fri, Sep 02, 2011 at 05:41:26AM -0700, Stefan N wrote:
> Okay guys. Thanks for the suggestion.
>
> > On 2 September 2011 09:26, Stefan N wrote:
> >
> > anchors + crontab as Peter suggested is an easy alternative.
Depending on what exact effect you want to achieve, you can maybe do it
without
On Tue, Oct 11, 2011 at 04:03:48PM +0200, BARDOU Pierre wrote:
> I'm looking for hardware capable of doing 1Gbps IPsec, under OpenBSD
> of course. Do you think it is possible with a brand new high end
> server and their new instructions (AES/NI and/or AVX) ?
Currently I don't think you'll be able
On Wed, Feb 23, 2011 at 06:07:16PM +0100, Patrick Lamaiziere wrote:
> I log the congestion counter (each 10s) and there are at max 3 or 4
> congestions per day. I don't think the bottleneck is pf.
The congestion counter doesn't directly mean you have a bottleneck in
PF; it's triggered by the IP in
On Fri, Feb 25, 2011 at 02:05:30PM +0100, Patrick Lamaiziere wrote:
> On Fri, 25 Feb 2011 13:51:32 +0100,
> Patrick Lamaiziere wrote:
>
> (ooops, push the wrong button)
>
> > > How about a _full_ dmesg, so someone can take a wild guess at what
> > > your machine is capable of?
>
> full dmesg
On Mon, Feb 28, 2011 at 12:49:01PM +0100, Manuel Guesdon wrote:
> OK. Anyway NIC buffers restrict buffered packets number. But the problem
> remains: why a (for example) dual Xeon E5520@2.27GHz with Intel PRO/1000
> (82576) can't route 150kpps without Ierr :-)
> http://www.oxymium.net/tmp/core3-dmes
On Thu, Mar 03, 2011 at 03:52:54PM +0100, Manuel Guesdon wrote:
> Of course and s/OpenBSD/FreeBSD/ may help too but none of these proposals
> seems very constructive.
If you think that you'd be better served by FreeBSD, please go ahead and
use that instead.
> >| I think we already mentioned it th
On Fri, Feb 25, 2011 at 08:40:10PM +0100, Manuel Guesdon wrote:
> "systat -s 2 vmstat":
>
>3.2%Int 0.1%Sys 0.0%Usr 0.0%Nic 96.8%Idle
> |||||||||||
The numbers presented here are cal
On Thu, Mar 10, 2011 at 12:18:32PM +, Tom Murphy wrote:
> I had a pair of Dell PowerEdge R200s that have both em(4) and bge(4)s
> in them, however, it's the em(4) doing the heavy lifting. Roughly 30-40
> megabits/s sustained and doing anywhere between 3000-4000 packets/s.
>
> On OpenBSD
On Sat, Mar 12, 2011 at 06:29:42PM -0800, Chris Cappuccio wrote:
> > Are you suggesting that because you have a quad-port gig nic, your box
> > should be able to do 6 *million* packets per second? By that logic my
> > 5-port Soekris net4801 should be able to handle 740kpps. (for reference,
> > the
This sounds a lot like a kernel/userland mismatch. Please update both
kernel and userland from the same snapshot and try again.
On Thu, Jul 01, 2010 at 03:33:56AM +0200, Laurent CARON wrote:
> Hi,
>
> I did upgrade one of my BGP routers today with latest current.
>
> Upon reboot I have no networ
On Thu, Jul 01, 2010 at 10:15:26PM +0200, Laurent CARON wrote:
> This incidentally made my other router (running openBGPd) crash with:
>
> uvm_fault(0x80cc7320, 0xdeafb000, 0, 1) -> e
> page fault trap, code=0
> Stopped at pfsync_in_clr+0x123: movq 0x10(%rbx),%rax
Inte
On Wed, Jul 28, 2010 at 07:59:20PM -0700, Justin wrote:
>Confirmed - synproxy works great if the synproxy machine is the
> default gateway for the end host.
Yes, PF has to handle every packet of a synproxy'd connection.
> Sadly this means scalability (adding multiple synproxy boxes) is not
On Tue, Jan 12, 2010 at 11:11:54PM -0500, Pascal Lalonde wrote:
> I just caught the following from openbsd-cvs:
>
> http://marc.info/?l=openbsd-cvs&m=126326657232193&w=2
>
> If my understanding is correct, this means that it will become
> impossible to emulate weighted round robin with constructs
On Fri, Oct 16, 2009 at 10:58:53AM +0200, k...@oav.net wrote:
> I love OpenBSD, and I really like to set a small OpenBSD distribution on
> USB stick to allow making "cheap" OpenBGPd routers.
>
> Is there any project that is officially supported by OpenBSD team?
Do the regular OpenBSD install, select
On Sat, Oct 31, 2009 at 03:00:41PM -0600, ghe wrote:
> I'm fresh off the boat from Debian. I love OpenBSD's attitude, and
> the documentation is even pretty decipherable, but I'm still a
> little confused by pf. I managed to build a trivial filter, but
> there are a few things I don't understand.
>
On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote:
> May I ask whether or not "per user" ownership (or permission to update) a
> table is/will be possible?
>
> I am pondering the best mechanism for a non-root process to add/remove
> addresses to a table.
You can look at sysutils/table