Re: serial console on macbook?

2007-02-19 Thread scorch

Ben Calvert wrote:
> can't install 4.0 or snapshots on my macbook due to what appear to be
> issues with the usb controller.  ( lots of errors about the usb
> controller, and the keyboard is nonresponsive... no capslock light, no
> input )
>
> does anyone have any ideas about how to capture the dmesg so i can
> submit?
>
> thanks,
>
> ben

sounds like a similar pb i had on an hp omnibook - you can't get the
installer to complete to get a dmesg, & maybe you don't have a suitable
serial cable or port to capture it otherwise. i'm not sure about the
lights & loss of input, maybe that's a different problem. but you can
try the following in either case: make a new boot cd with an additional
file, as follows, based on 4.0 release or a -current:


file:///etc/boot.conf
set timeout 5
boot -c

this will drop you into the ukc before the device probing starts, so you
can try & try again disabling various things, such as :


verbose
disable uhci*
disable ehci*
disable ohci*
disable usb*

this got me to a working state & then i could fine-tune adding them back
in until things were usable again.


info on making the CD, ymmv:
http://www.webengr.com/development/tools/openbsd/tips/cdrom/
http://undeadly.org/cgi?action=article&sid=20031105030127

a+
scorch



Re: Supported GPS receivers

2007-02-19 Thread Marc Balmer

Phusion wrote:


What are the best supported GPS receivers under 4.0 release and stable
code-base? I would like to find a GPS receiver (serial or USB) that is
supported under OpenBSD that will work for OpenNTPD or NTP.


You should go for a GPS receiver that provides a PPS signal, like e.g.
the Garmin GPS 18 LVC.   Without a PPS signal, the nmea(4) line discipline
can only guess when the received time information was valid. With a PPS
signal, you can turn on TTY timestamping and you get precise time
information.

Most PPS capable GPS receivers need the PPS signal be specifically turned
on by sending them some command bytes.  NB, if you turn on TTY
timestamping without having the GPS provide a PPS signal, the time
information will be invalid.



Re: serial console on macbook?

2007-02-19 Thread Paul de Weerd
On Sun, Feb 18, 2007 at 08:27:54PM -0800, Ben Calvert wrote:
| can't install 4.0 or snapshots on my macbook due to what appear to be
| issues with the usb controller.  ( lots of errors about the usb
| controller, and the keyboard is nonresponsive... no capslock light,
| no input )
|
| does anyone have any ideas about how to capture the dmesg so i can
| submit?

I'm reading MacBook, so I think you're not talking about the MacBook
Pro (just to make sure). I had similar issues with the MacBook Pro, so
maybe this helps.

I got things working on the MacBook Pro. See [1]. This required the
latest snapshot (where you can type at the bootprompt, some changes
went in to support this) and enabling acpi in UKC. What I did
initially (burn a CD with a bsd.rd kernel that I had config'd on
another machine to enable acpi) should not be necessary anymore.

On a side note, audio *does* work albeit *extremely* low volume. If I
crank everything up in mixerctl I can barely hear something. You may
experience similar issues on your MacBook.

And X looks like it'll be a while. There's no new Radeon support in
xorg yet and I've found no one working on a driver. It works with
vesa(4) for now, but that doesn't support the 1440x900 resolution of
the machine.

Ben, let us know how you proceed with the MacBook.

Cheers,

Paul 'WEiRD' de Weerd

[1] http://marc.theaimsgroup.com/?l=openbsd-misc&m=117002194202234&w=2

--
 http://www.weirdnet.nl/



Re: OpenOSPFd and kernel routing table

2007-02-19 Thread Claudio Jeker
On Sun, Feb 18, 2007 at 02:46:09PM +0100, Falk Brockerhoff wrote:
 And the output of the forwarding database with the unexpected nexthop of 
 the local interface instead of the opsf-neighbor:
 
 # ospfctl sh fib
 flags: * = valid, O = OSPF, C = Connected, S = Static
 Flags  Destination  Nexthop
  C 195.140.212.0/24 link#22
 
 I killed the ospfd-process and started it again, and the fib looks better:
 
 # ospfctl sh fib
 flags: * = valid, O = OSPF, C = Connected, S = Static
 Flags  Destination  Nexthop
 *O 195.140.212.0/24 10.0.0.2
 
 Hm, killing and restarting ospfd isn't the way I want to do it every time 
  the state of the carp-interface changes :-)
 

Hmm. For some reasons the carp route is not cleared correctly.
I'll have a look at it.

Btw. I think your simple setup with two bgpd routers and one carped LAN
network behind them does not need ospfd. Try to keep it simple until you
know that you need ospf.

-- 
:wq Claudio



Re: OpenBGPd won't receive prefix

2007-02-19 Thread Claudio Jeker
On Sat, Feb 17, 2007 at 11:22:48PM +, Stuart Henderson wrote:
 On 2007/02/17 23:41, Falk Brockerhoff wrote:
  I will play with localpref later, but before I want to ask if my planned
  setup is the right solution for my needs. I want to run two bgp-routers
  and connect several eBGP sessions to the two routers.
  To the inside I want to provide a failover-tolerant default gateway for
  my vlans, that's why I'm using carp.
 
 If you run PF on the same routers as well, take care with stateful rules,
 stateless is the easy way, or arrange so that the CARP master is a better
 route (maybe prepend on the backup). you are unlikely to get states sync'd
 quickly enough to avoid problems if you have things too asymmetric.
 
  want to do this for the internal networks, too.
 
 I would normally use OSPF for this, using iBGP to carry internal routes
 is possible but I think mostly something done on larger networks.
 

iBGP and an IGP like OSPF are used for different tasks. iBGP brings
routing information from the edges to the core of your network and is used
to find the best path out of your network. OSPF on the other hand is
mostly used for internal and incoming traffic. If your network is simple
enough that a few static routes suffice to describe your network there is
no need for OSPF.
Huge networks (ab)use iBGP to cover also the topology information for the
network. To set up such a network needs a lot of knowledge and a very good
documentation process.

 ospfd has a nice feature; when you use interface carpXX { passive },
 the network is only announced via OSPF when CARP is master. This works
 really well.
 

Yes, but if you just have two routers with one carp interface on them you
don't need OSPF. In such simple cases depend on carp and demote carp
may suffice.

-- 
:wq Claudio



openbsd 4.0 on vmware server

2007-02-19 Thread Úlfar M . E . Johnson
I was wondering if anyone else experienced clock trouble with openbsd 4.0 as a
host on vmware server 1.01?
My setup was vmware server 1.01 on centos 4.4 using a dell c600 laptop.  I had
openbsd 4.0 installed as a host, but after many attempts
to fix the time synch issue between openbsd and centos I gave up and just
installed openbsd 4.0 on the laptop.  I tried to resolve the issue using ntp,
but to no avail.

Would anyone recommend using openbsd 4.0 as a server on vmware server?  Or is
openbsd as a virtual host not really a feasible option?



Re: openbsd 4.0 on vmware server

2007-02-19 Thread Frank Habermann

Hi,

this is not an OpenBSD problem. Check the VMware documentation about your 
time problem. You need to change something in your vmx file! OpenBSD 
works fine as a virtual machine, too!


Frank

Úlfar M. E. Johnson schrieb:

I was wondering if anyone else experienced clock trouble with openbsd 4.0 as a
host on vmware server 1.01?
My setup was vmware server 1.01 on centos 4.4 using a dell c600 laptop.  I had
openbsd 4.0 installed as a host, but after many attempts
to fix the time synch issue between openbsd and centos I gave up and just
installed openbsd 4.0 on the laptop.  I tried to resolve the issue using ntp,
but to no avail.

Would anyone recommend using openbsd 4.0 as a server on vmware server?  Or is
openbsd as a virtual host not really a feasible option?




Re: OpenOSPFd and kernel routing table

2007-02-19 Thread Falk Brockerhoff

Claudio Jeker wrote:


Hmm. For some reasons the carp route is not cleared correctly.
I'll have a look at it.


Thanks, I would be happy if this works.


Btw. I think for your simple setup with two bgpd routers and one carped LAN
network behind them does not need ospfd. Try to keep it simple until you
know that you need ospf.


I'm thinking about alternatives for this setup. But as the routes are 
dynamic in dependence of the state of the carp-interfaces such an IGP 
fits all the needs, doesn't it?


Falk



Re: serial console on macbook?

2007-02-19 Thread Otto Moerbeek
On Mon, 19 Feb 2007, Paul de Weerd wrote:

 On Sun, Feb 18, 2007 at 08:27:54PM -0800, Ben Calvert wrote:
 | can't install 4.0 or snapshots on my macbook due to what appear to be
 | issues with the usb controller.  ( lots of errors about the usb
 | controller, and the keyboard is nonresponsive... no capslock light,
 | no input )
 |
 | does anyone have any ideas about how to capture the dmesg so i can
 | submit?
 
 I'm reading MacBook, so I think you're not talking about the MacBook
 Pro (just to make sure). I had similar issues with the MacBook Pro, so
 maybe this helps.
 
 I got things working on the MacBook Pro. See [1]. This required the
 latest snapshot (where you can type at the bootprompt, some changes
 went in to support this) and enabling acpi in UKC. What I did
 initially (burn a CD with a bsd.rd kernel that I had config'd on
 another machine to enable acpi) should not be necessary anymore.
 
 On a side note, audio *does* work albeit *extremely* low volume. If I
 crank everything up in mixerctl I can barely hear something. You may
 experience similar issues on your MacBook.
 
 And X looks like it'll be a while. There's no new Radeon support in
 xorg yet and I've found no one working on a driver. It works with
 vesa(4) for now, but that doesn't support the 1440x900 resolution of
 the machine.
 
 Ben, let us know how you proceed with the MacBook.

The MacBook is different from the MacBook Pro. 

The first sign of trouble is that the UKC prompt doesn't work. It
won't accept input. When booting without going to UKC, it shows
various USB related error messages and the after a very long time
comes to the install prompt, which doesn't accept input either.

This happens both with an acpi-enabled bsd.rd and the default bsd.rd.

I didn't have a chance yet to diagnose this further.

-Otto



Re: openbsd 4.0 on vmware server

2007-02-19 Thread Jan Mason

From the VMWare website:


This paper describes how timekeeping hardware works in physical
machines, how typical guest operating systems use this hardware to
keep time, and how VMware products virtualize the hardware.

http://www.vmware.com/pdf/vmware_timekeeping.pdf

On 2/19/07, Úlfar M. E. Johnson [EMAIL PROTECTED] wrote:

I was wondering if anyone else experienced clock trouble with openbsd 4.0 as a
host on vmware server 1.01?
My setup was vmware server 1.01 on centos 4.4 using a dell c600 laptop.  I had
openbsd 4.0 installed as a host, but after many attempts
to fix the time synch issue between openbsd and centos I gave up and just
installed openbsd 4.0 on the laptop.  I tried to resolve the issue using ntp,
but to no avail.

Would anyone recommend using openbsd 4.0 as a server on vmware server?  Or is
openbsd as a virtual host not really a feasible option?


--
Jan Mason
Registered Linux User #156002
[EMAIL PROTECTED]



Re: Serial console not working for IBM Aptiva

2007-02-19 Thread Nick Holland
Damon McMahon wrote:
 Thanks for the response, Nick, I'm almost there and just one further query:
 
 On 18/02/07, Nick Holland [EMAIL PROTECTED] wrote:
...
 The Aptiva has an anaemic BIOS program, but by disabling one of the
 two serial interfaces I now appear to have eliminated IRQ conflicts
 and acquired a working serial console - BUT I lose nearly all of the
 dmesg(8) and init(8) output at boot, with it being directed to the
 screen instead. I also note that boot(8) tells me I have com0 and no
 com1 (which is expected since I disabled it in the BIOS) whereas
 dmesg(8) tells me I have pccom1 but no pccom0 and this seems a little
 strange to me.

boot(8) tells you what the BIOS tells it.  boot(8) uses the BIOS to
communicate.
dmesg(8) tells you what hardware OpenBSD actually found.

The BIOS can define ports as it wishes.
OpenBSD defines ports as spec'd in /usr/src/sys/arch/i386/conf/GENERIC

From your dmesg,
 pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo

That's not the standard definition for com0 (DOS COM1), but rather,
com1 (DOS COM2:)

From pccom(4):
 pccom0 at isa? port 0x3f8 irq 4
 pccom1 at isa? port 0x2f8 irq 3

 
 To clarify, boot(8) tells me I have com0 available at boot. So in
 /etc/boot.conf I tell it:
 
 set tty com0
 
 and it switches to the console but all that is output to the console is:
 
 OpenBSD/i386 BOOT 2.10
 boot
 booting hd0a:/bsd: 4966344+867848 [52+255872+237161]=0x608d64
 entry point at 0x100120

so once the kernel is loaded, your redirection is screwed up...

 That's it for the output seen on the terminal, at this point the
 dmesg(8) and init(8) output is directed to the screen. Then when
 getty(8) is executed interactivity for _both_ the keyboard and the
 serial console are restored.

I haven't played with this kind of config, but my guess is you are
sending the output to a non-existent com0, so the system falls back to
using the screen.

You get the serial IO again after boot because of your ttys setting
which has tty01 turned on, you would get the login prompt on the
serial port even if you didn't do the set tty com0.

 Any further thoughts will be appreciated; dmesg(8) and ttys(5) are
 included below:

...thanks, snipped for size
 
 # head -n 20 /etc/ttys
 #
 #   $OpenBSD: ttys,v 1.17 2002/06/09 06:15:14 todd Exp $
 #
 # name  getty   typestatus  comments
 #
 console /usr/libexec/getty Pc vt220   off secure
 ttyC0   /usr/libexec/getty Pc vt220   on  secure
 ttyC1   /usr/libexec/getty Pc vt220   on  secure
 ttyC2   /usr/libexec/getty Pc vt220   on  secure
 ttyC3   /usr/libexec/getty Pc vt220   on  secure
 ttyC4   /usr/libexec/getty Pc vt220   off secure
 ttyC5   /usr/libexec/getty Pc vt220   on  secure
 ttyC6   /usr/libexec/getty Pc vt220   off secure
 ttyC7   /usr/libexec/getty Pc vt220   off secure
 ttyC8   /usr/libexec/getty Pc vt220   off secure
 ttyC9   /usr/libexec/getty Pc vt220   off secure
 ttyCa   /usr/libexec/getty Pc vt220   off secure
 ttyCb   /usr/libexec/getty Pc vt220   off secure
 tty00   /usr/libexec/getty std.9600   vt220on secure
 tty01   /usr/libexec/getty std.9600   vt220on secure

What's hurting you is that non-standard first com port.  Take another
look at your BIOS setup, see if there is anything that allows you to
change how it is defined.  Also check to make sure you don't have any
BIOS-based redirection going..that can cause various problems that
might be similar to this on some machines.  (BIOS redirection is
great, but unfortunately, not at all standardized, so results are
sometimes unpredictable.)

Nick.



Ral drivers are they in bsd.rd

2007-02-19 Thread Sunnz

Just wondering if the ral WiFi drivers are in bsd.rd kernel?

I just installed a Ralink WiFi card today and attempted to install 4.0
on the computer from cd40.iso. It didn't pick up the WiFi card PCI.

Mean while I will check if I have installed it correctly.

Thanks.

--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html



NIS uid/gid range

2007-02-19 Thread Antoine Jacoutot

Hi.

This diff makes it possible to only include a range of uid/gid for NIS 
password maps. I'm no regex guru but it seems to do the job (inspired 
by NetBSD).

Maybe some people can make use of this...



Index: Makefile.yp
===
RCS file: /cvs/src/usr.sbin/ypserv/ypinit/Makefile.yp,v
retrieving revision 1.13
diff -u -r1.13 Makefile.yp
--- Makefile.yp 1 Nov 2002 23:54:18 -   1.13
+++ Makefile.yp 19 Feb 2007 12:22:29 -
@@ -14,6 +14,7 @@
 MAKEDBM=/usr/sbin/makedbm
 SED=/usr/bin/sed
 SENDMAIL=/usr/sbin/sendmail
+SORT=/usr/bin/sort
 STDHOSTS=/usr/sbin/stdhosts
 STDETHERS=/usr/sbin/stdethers
 MKALIAS=/usr/sbin/mkalias
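Review bot: the new SORT macro is referenced as ${SORT} at every use in the passwd rule below, while every other macro in this Makefile, including the MAKEDBM and SED definitions directly above it, is written in the $(NAME) form; use $(SORT) so the file stays in one style.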
@@ -34,33 +35,53 @@
 # If you want ypserv to ask DNS for unknown hosts set USEDNS to -b
 USEDNS=

+# Only include UID/GID between MIN/MAX range in the maps.
+MINUID=1000
+MAXUID=32765
+MINGID=1000
+MAXGID=32765
+
 all: passwd group hosts ethers networks rpc services protocols netid netgroup 
amd.home aliases

 passwd.time: $(DIR)/master.passwd
[EMAIL PROTECTED] [ -f $() ]; then \
if [ ! $(UNSECURE) ]; then \
$(CAT) $() | $(CUT) -d: -f1-4,8-10 | \
-   $(AWK) 'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
-   { print $$1, $$1:*:$$3:$$4:$$5:$$6:$$7 }' -|\
-   $(MAKEDBM) - passwd.byname; \
+   $(AWK) -v minuid=${MINUID} -v maxuid=${MAXUID} \
+   'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
+   { if (minuid = $$3  maxuid = $$3) \
+   print $$1, $$1:*:$$3:$$4:$$5:$$6:$$7 }' -|\
+   ${SORT} | $(MAKEDBM) - passwd.byname; \
$(CAT) $() | $(CUT) -d: -f1-4,8-10 |\
-   $(AWK) 'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
-   { print $$3, $$1:*:$$3:$$4:$$5:$$6:$$7 }' -|\
-   $(MAKEDBM) - passwd.byuid; \
+   $(AWK) -v minuid=${MINUID} -v maxuid=${MAXUID} \
+   'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
+   { if (minuid = $$3  maxuid = $$3) \
+   print $$3, $$1:*:$$3:$$4:$$5:$$6:$$7 }' -|\
+   ${SORT} | $(MAKEDBM) - passwd.byuid; \
else \
$(CAT) $() | $(CUT) -d: -f1-4,8-10 | \
-   $(AWK) 'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
-   { print $$1, $$0 }' - | $(MAKEDBM) - passwd.byname; \
+   $(AWK) -v minuid=${MINUID} -v maxuid=${MAXUID} \
+   'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
+   { if (minuid = $$3  maxuid = $$3) \
+   print $$1, $$0 }' - | ${SORT} | \
+   $(MAKEDBM) - passwd.byname; \
$(CAT) $() | $(CUT) -d: -f1-4,8-10 |\
-   $(AWK) 'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
-   { print $$3, $$0 }' - | $(MAKEDBM) - passwd.byuid; \
+   $(AWK) -v minuid=${MINUID} -v maxuid=${MAXUID} \
+   'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
+   { if (minuid = $$3  maxuid = $$3) \
+   print $$3, $$0 }' - | ${SORT} | \
+   $(MAKEDBM) - passwd.byuid; \
fi; \
$(CAT) $() | \
-   $(AWK) 'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
-   { print $$1, $$0 }' - | $(MAKEDBM-S) - master.passwd.byname; \
+   $(AWK) -v minuid=${MINUID} -v maxuid=${MAXUID} \
+   'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
+   { if (minuid = $$3  maxuid = $$3) \
+   print $$1, $$0 }' - | $(MAKEDBM-S) - master.passwd.byname; \
$(CAT) $() | \
-   $(AWK) 'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
-   { print $$3, $$0 }' - | $(MAKEDBM-S) - master.passwd.byuid; \
+   $(AWK) -v minuid=${MINUID} -v maxuid=${MAXUID} \
+   'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
+   { if (minuid = $$3  maxuid = $$3) \
+   print $$3, $$0 }' - | $(MAKEDBM-S) - master.passwd.byuid; \
$(TOUCH) $(@); \
$(ECHO) updated passwd; \
if [ ! $(NOPUSH) ]; then \
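Review bot: the range test in every added awk action arrives here as `{ if (minuid = $$3  maxuid = $$3)`, which awk would parse as two assignments run together rather than a comparison, so the filter as shown would never exclude anything; the comparison operators and the `&&` between the two halves look like they were lost between the mailer and the archive, and the intended `minuid <= $$3 && maxuid >= $$3` should be confirmed against the original file before this is committed. On the same lines, with MINUID=1000 as the shipped default, root and the system accounts that the unmodified rule exported are silently dropped from passwd.byname, passwd.byuid and master.passwd.*; that behaviour change deserves a comment next to the MINUID/MAXUID definitions, or a default that reproduces the old output, so existing NIS domains are not surprised on their next make.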
@@ -79,12 +100,14 @@

 group.time: $(DIR)/group
[EMAIL PROTECTED] [ -f $() ]; then \
-   $(AWK) 'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
-   { print $$1, $$0 }' $() | \
-   $(MAKEDBM) - group.byname; \
-   $(AWK) 'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
-   { print $$3, $$0 }' $() | \
-   $(MAKEDBM) - group.bygid; \
+   $(AWK) -v mingid=${MINGID} -v maxgid=${MAXGID} \
+   'BEGIN { FS=:; OFS=\t; } /^[a-zA-Z0-9_]/ \
+   { if (mingid = $$3  maxgid = $$3) print $$1, $$0 }' $() | \
+
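Review bot: the hunk ends mid-pipeline after the group.byname awk line (the trailing `+` carries no text), so the group.bygid half, the sort stage that the passwd rules gained, and the remainder of the rule cannot be reviewed from this post; please resend the complete diff. Also, the group.byname action keeps the whole `{ if (...) print $$1, $$0 }` on one line while the passwd hunk splits the same construct over two; pick one layout for both.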

Re: Ral drivers are they in bsd.rd

2007-02-19 Thread Stuart Henderson
On 2007/02/19 22:35, Sunnz wrote:
 Just wondering if the ral WiFi drivers are in bsd.rd kernel?

Depends which architecture. i386, yes for PCI and cardbus.
amd64, cardbus only. You can check all these for yourself, either in
the architecture pages (openbsd.org/i386.html etc) or looking at the
kernel configuration files via cvsweb (in src/sys/arch/ZZZ/conf).

 I just installed a Ralink WiFi card today and attempted to install 4.0
 on the computer from cd40.iso. It didn't pick up the WiFi card PCI.
 
 Mean while I will check if I have installed it correctly.

If it's installed correctly but isn't picked up by a driver, it would
show as a not configured device in dmesg.



cisco vpn gateway

2007-02-19 Thread atstake atstake

I've been given this Cisco VPN Client software version 4.8 where a
vpnclient.ini file needs to be imported and authentication is done
via username and password to a Cisco VPN gateway which (after
authentication) drops me off to the internal network.

Does anyone know if it is at all possible to use OpenBSD's isakmpd or
anything else to authenticate to the Cisco VPN gateway instead of
using Cisco VPN Client software version 4.8 on Windows XP?

Thanks.



HP ML110 failed install

2007-02-19 Thread Administrator
Hi all,

I am having an issue trying to install to a HP ML110 G4.

There was an identical thread a week or so ago that doesn't seem to have a
solution.
I was hoping someone may have some further suggestions.

I keep getting flooded with these messages during the install

axe0: read PHY failed
axe0: read PHY failed
axe0: read PHY failed

The machine finally gets to the install prompt but becomes unresponsive.

It was suggested to boot -c and disable axe but the machine is also
unresponsive at the ukc prompt.

This is supposed to be on-site tomorrow so any thoughts would be greatly
appreciated.

Steve



Pf - Private address blocking

2007-02-19 Thread martin g
Hey all

I have a question about blocking private addr. with pf.

I have defined the reserved addresses according to RFC 1918 in a table
<priv_ip>

My default  rule is :

block in on $ext_if
block out  on $ext_if

pass in on $int_if
pass out on $int_if

1. With these 2 rules defined is it still recommended to block private addr.

If it is then:

Computers on my network  have IP's from block 192.168.0.0/16 let's say
192.168.1.100 to 192.168.1.105
I make another table called lan

What is the correct rule? Do i negate table <lan> in a rule

block in on $ext_if from any to { <priv_ip>, !<lan> }
block out on $ext_if from { <priv_ip>, !<lan> } to any

or do i negate ip's in a table like so

table <lan> { !192.168.1.100 , ...}

tnx for reply
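An added pf.conf fragment, not the poster's ruleset, showing one way to block RFC 1918 space on the outside interface with tables and why the negated brace list from the question is a trap; the interface names, the table entries and a public address on $ext_if are assumptions.

```pf
# Added example (not the poster's ruleset).  Interface names and the
# table entries are illustrative assumptions; $ext_if is assumed to
# carry a public address.
ext_if = "fxp0"
int_if = "fxp1"

# RFC 1918 space.  "const" refuses runtime edits via pfctl -t, so a
# compromised process cannot quietly remove an entry.
table <priv_ip> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# The default-deny pair from the question, unchanged.
block in on $ext_if
block out on $ext_if
pass in on $int_if
pass out on $int_if

# Private source addresses arriving on the outside interface are
# spoofed or leaked; private destinations leaving it point at a
# routing or NAT misconfiguration.  "quick" ends evaluation at the
# match and "log" copies the hit to pflog0 so the attempts are visible.
block in  log quick on $ext_if from <priv_ip> to any
block out log quick on $ext_if from any to <priv_ip>

# No exclusion for the LAN is needed: the LAN hosts reach this box on
# $int_if, and on this pf generation nat rules are applied before the
# filter, so their packets already carry the public address when the
# "block out" above sees them.
#
# What not to write (pf.conf(5), LISTS): a brace list expands into one
# rule per element, so
#   block in on $ext_if from any to { <priv_ip>, !<lan> }
# becomes one rule for <priv_ip> and a second, separate rule that
# blocks every destination outside <lan>.  Negation belongs on a single
# address or inside a table entry, never inside a brace list.
```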



SSL Certs on Carp'd web servers

2007-02-19 Thread Bill Chmura
Hello,

I have two web servers carp'd that I am getting ssl certs for.  I have it all 
running with my own self signed ones, but need to get a Verisign or Thawte cert.

Is there any issues that are gonna bite me with doing this?  Since they all 
appear the same, the cert info will be very similar and I don't want to buy 
them without making sure it's gonna be okay if I just apply for them using the 
info generated on each box?

The servers are a master / backup - so the traffic should mostly be going 
to one server (unless something bad happens).

Any info would be great.

Thanks

Bill



Re: cisco vpn gateway

2007-02-19 Thread Marian Hettwer

Hi there,

atstake atstake schrieb:

I've been given this Cisco VPN Client software version 4.8 where a
vpnclient.ini file needs to be imported and authentication is done
via username and password to a Cisco VPN gateway which (after
authentication) drops me off to the internal network.


ugh. That's Cisco's way of extended authentication.


Does anyone know if it is at all possible to use OpenBSD's isakmpd or
anything else to authenticate to the Cisco VPN gateway instead of
using Cisco VPN Client software version 4.8 on Windows XP?

To my knowledge, the extended authentication (username & password in 
Cisco's VPN Client) is some proprietary extension, therefore it won't work 
with isakmpd.

If I'm wrong, I'd like to be corrected :-)

Regards,
./Marian



Re: SSL Certs on Carp'd web servers

2007-02-19 Thread Nico Meijer
Hey Bill,

 Is there any issues that are gonna bite me with doing this?

No, not that I know of.

I do this with a bunch of boxes. I only use the carp'ed IP address on
either box when configuring apache.

HTH... Nico



Re: Ral drivers are they in bsd.rd

2007-02-19 Thread Sunnz

Ohh, got AMD64 here... so how could I connect to the wireless network
from boot CD? Is there a way to load the ral driver or something?

2007/2/20, Stuart Henderson [EMAIL PROTECTED]:

On 2007/02/19 22:35, Sunnz wrote:
 Just wondering if the ral WiFi drivers are in bsd.rd kernel?

Depends which architecture. i386, yes for PCI and cardbus.
amd64, cardbus only. You can check all these for yourself, either in
the architecture pages (openbsd.org/i386.html etc) or looking at the
kernel configuration files via cvsweb (in src/sys/arch/ZZZ/conf).

 I just installed a Ralink WiFi card today and attempted to install 4.0
 on the computer from cd40.iso. It didn't pick up the WiFi card PCI.

 Mean while I will check if I have installed it correctly.

If it's installed correctly but isn't picked up by a driver, it would
show as a not configured device in dmesg.





--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html



Re: SSL Certs on Carp'd web servers

2007-02-19 Thread Bill Chmura
On Mon, 19 Feb 2007 16:22:59 +0100
Nico Meijer [EMAIL PROTECTED] wrote:

 Hey Bill,
 
  Is there any issues that are gonna bite me with doing this?
 
 No, not that I know of.
 
 I do this with a bunch of boxes. I only use the carp'ed IP address on
 either box when configuring apache.
 
 HTH... Nico

Thanks Nico,

I noticed that Verisign has an option to secure more than one server with a 
single cert, but it basically doubles the price. 

The only reason I could think of that would require a single cert for two is if 
I was load balanced and you never knew what you were going to get on your next 
request...  In fact, I am probably at this point going to self sign the backup, 
and do a normal cert on the primary.

Thanks for the sanity check!



Re: SSL Certs on Carp'd web servers

2007-02-19 Thread Jörg Streckfuß
Am Mon, 19 Feb 2007 16:22:59 +0100
schrieb Nico Meijer [EMAIL PROTECTED]:

 Hey Bill,

  Is there any issues that are gonna bite me with doing this?

 No, not that I know of.

 I do this with a bunch of boxes. I only use the carp'ed IP address on
 either box when configuring apache.

 HTH... Nico


Hmm, I'm not sure, but what about ssl session data? When the ssl handshake
happens, client and server negotiate session keys. That information
will be lost when the master system goes down because carp only works on
the ip layer. You have to ensure you sync this info; I don't know how.
Perhaps rsync is your friend.
But of course this concerns only already initiated connections.

Regards Joerg

--
Dipl.-Ing. (FH) Joerg Streckfuss, Phone: +49 40 808077-631
PGP RSA/2048, E0D4BD3F, 90 C3 FB 4A CB D3 20 70  6B 04 47 84 B5 3C 28 8C

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737




_SC_GETGR_R_SIZE_MAX ?

2007-02-19 Thread Nick Holmes

Dear all,

I have been trying to compile PHP 5.2.1 with the Suhosin Patch on an 
OpenBSD-STABLE 3.9 i386 machine. ./configure finishes fine, but each time I 
try to make, it stops with:


/var/build/php-5.2.1/ext/posix/posix.c: In function `zif_posix_getgrgid':
/var/build/php-5.2.1/ext/posix/posix.c:889: error: `_SC_GETGR_R_SIZE_MAX' 
undeclared (first use in this function)
/var/build/php-5.2.1/ext/posix/posix.c:889: error: (Each undeclared 
identifier is reported only once
/var/build/php-5.2.1/ext/posix/posix.c:889: error: for each function it 
appears in.)


Someone with a similar problem posted at the Hardened-PHP.net forums and was 
told that it was not a Suhosin issue. After searching for the (sysconf 
definition??) _SC_GETGR_R_SIZE_MAX on my own machine I found it in 
/usr/include/sys/unistd.h but it is in a section under #ifdef notyet /* 
P1003.1c */ - Does that mean those items in that section are not yet 
implemented in OpenBSD? (I read the getgr* man pages but am still none the 
wiser). Apologies for my ignorance of these nuts & bolts issues which I am 
having great difficulty understanding.


Does anyone have a workaround for this problem?
Many thanks in advance...
Nick

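An added example, not code from PHP or from the poster, showing how a portable program copes with the constant being undeclared: the sysconf(3) query is guarded by #ifdef with a fixed fallback size, and getgrgid_r(3) is retried with a growing, capped buffer on ERANGE. The cap, the helper names and the return-code convention are my choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical cap on the scratch buffer: a group entry that needs more
 * than this is refused instead of letting an oversized group file drive
 * unbounded allocation in a setuid or long-running process. */
#define GRBUF_MAX (1024 * 1024)

/*
 * Starting size for the getgrgid_r(3) scratch buffer.  _SC_GETGR_R_SIZE_MAX
 * is optional: on the OpenBSD 3.9 headers discussed above it sits under
 * "#ifdef notyet" and is not declared, and where it is declared sysconf(3)
 * may still return -1 for "no fixed limit".  Both cases fall back to a
 * fixed start and rely on the ERANGE retry below, which is what an
 * unconditional reference to the constant (the failing posix.c line) lacks.
 */
size_t grbuf_initial_size(void)
{
#ifdef _SC_GETGR_R_SIZE_MAX
	long n = sysconf(_SC_GETGR_R_SIZE_MAX);
	if (n > 0)
		return (size_t)n;
#endif
	return 1024;
}

/*
 * Copy the name of group `gid` into name[0..namelen-1].
 * Returns 0 when found, 1 when no such group exists, -1 on allocation
 * failure or when the entry would exceed GRBUF_MAX.
 */
int lookup_group_name(gid_t gid, char *name, size_t namelen)
{
	struct group grp, *result = NULL;
	char *buf = NULL, *nbuf;
	size_t sz = grbuf_initial_size();
	int rc;

	if (namelen == 0)
		return -1;
	for (;;) {
		nbuf = realloc(buf, sz);
		if (nbuf == NULL) {
			free(buf);
			return -1;
		}
		buf = nbuf;
		rc = getgrgid_r(gid, &grp, buf, sz, &result);
		if (rc != ERANGE)
			break;
		/* Buffer too small for this entry: grow geometrically, capped. */
		if (sz >= GRBUF_MAX) {
			free(buf);
			return -1;
		}
		sz = (sz > GRBUF_MAX / 2) ? GRBUF_MAX : sz * 2;
	}
	if (rc != 0 || result == NULL) {
		/* rc == 0 with a NULL result is the standard "no such group";
		 * other errors (e.g. a missing group database) are reported
		 * to the caller the same way. */
		free(buf);
		return 1;
	}
	snprintf(name, namelen, "%s", result->gr_name);
	free(buf);
	return 0;
}

/* Convenience wrapper that returns only the status code. */
int group_lookup_status(gid_t gid)
{
	char name[256];

	return lookup_group_name(gid, name, sizeof name);
}

int main(void)
{
	char name[256];
	gid_t gid = getgid();

	printf("initial buffer size: %zu\n", grbuf_initial_size());
	if (lookup_group_name(gid, name, sizeof name) == 0)
		printf("gid %lu is group %s\n", (unsigned long)gid, name);
	else
		printf("gid %lu has no group entry\n", (unsigned long)gid);
	return 0;
}
```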




Re: SSL Certs on Carp'd web servers

2007-02-19 Thread Vijay Sankar
On Monday 19 February 2007 09:13, Bill Chmura wrote:
 Hello,

 I have two web servers carp'd that I am getting ssl certs for.  I have it
 all running with my own self signed ones, but need to get a verisign or
 Thawte cert.

I am not sure about Thawte but Verisign has a clause in their license 
agreement that does not allow one certificate to be used on more than one 
physical server. I encountered this problem once, and they said that this 
rule applies in all cases including active/passive configurations.


 Is there any issues that are gonna bite me with doing this?  Since they all
 appear the same, the cert info will be very similar and I don't want to buy
 them without making sure it's gonna be okay if I just apply for them using
 the info generated on each box?

 The servers are a master / backup - so the the traffic should mostly be
 going to one server (unless something bad happens).

 Any info would be great.

 Thanks

 Bill



-- 
Vijay Sankar
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: +1 (204) 885-9535, E-Mail: [EMAIL PROTECTED]



Re: SSL Certs on Carp'd web servers

2007-02-19 Thread Nico Meijer
Hey Bill,

 I noticed that Verisign has an option to secure more than one server
 with a single cert, but it basically doubles the price. 

You don't need this per se.

FWIW, I have my certs via GoDaddy at this point in time. Works for me.

 The only reason I could think of that would require a single cert for
 two is if I was load balanced and you never knew what you were going to
 get on your next request...  In fact, I am probably at this point going
 to self sign the backup, and do a normal cert on the primary.

Well, since any of my masters has yet to fail me in more than 3 years,
I've never had to deal with *anything*, basically. (Yes, I tried just
about everything in my 'lab setup')

I don't use a load-balancing, but a failover setup.

AFAIAC, one set of carp hosts is one server, therefore I need one cert,
which I configure on each individual carp host. For me, that's end of
story.

I am a really, really cheap bastard... Nico ;-)



Re: serial console on macbook?

2007-02-19 Thread Pierre Riteau

On 2/19/07, Otto Moerbeek [EMAIL PROTECTED] wrote:

On Mon, 19 Feb 2007, Paul de Weerd wrote:

> On Sun, Feb 18, 2007 at 08:27:54PM -0800, Ben Calvert wrote:
> | can't install 4.0 or snapshots on my macbook due to what appear to be
> | issues with the usb controller.  ( lots of errors about the usb
> | controller, and the keyboard is nonresponsive... no capslock light,
> | no input )
> |
> | does anyone have any ideas about how to capture the dmesg so i can
> | submit?
>
> I'm reading MacBook, so I think you're not talking about the MacBook
> Pro (just to make sure). I had similar issues with the MacBook Pro, so
> maybe this helps.
>
> I got things working on the MacBook Pro. See [1]. This required the
> latest snapshot (where you can type at the bootprompt, some changes
> went in to support this) and enabling acpi in UKC. What I did
> initially (burn a CD with a bsd.rd kernel that I had config'd on
> another machine to enable acpi) should not be necessary anymore.
>
> On a side note, audio *does* work albeit *extremely* low volume. If I
> crank everything up in mixerctl I can barely hear something. You may
> experience similar issues on your MacBook.
>
> And X looks like it'll be a while. There's no new Radeon support in
> xorg yet and I've found no one working on a driver. It works with
> vesa(4) for now, but that doesn't support the 1440x900 resolution of
> the machine.
>
> Ben, let us know how you proceed with the MacBook.

The MacBook is different from the MacBook Pro.

The first sign of trouble is that the UKC prompt doesn't work. It
won't accept input. When booting without going to UKC, it shows
various USB related error messages and then after a very long time
comes to the install prompt, which doesn't accept input either.

This happens both with an acpi-enabled bsd.rd and the default bsd.rd.

I didn't have a chance yet to diagnose this further.

-Otto


One easy method to install OpenBSD on a Macbook is to plug an external
usb keyboard before booting on the CD. Booting takes a while but then
you can use the external keyboard to install OpenBSD. Be sure not to
use the network, msk0 will hang the machine without some acpi features
IIRC.
Then reboot, you will get errors about ehci, ignore them and still use
the external keyboard.
Compile a GENERIC.MP kernel with all acpi options enabled on another
machine and copy it to the macbook with a CD, or grab -current sources
on CD from another machine and copy them to the macbook. Reboot and
enjoy, built-in keyboard works, ethernet (msk0) works, usb sticks
work. But wireless device (ath0) doesn't.
I haven't tried X11 for a while but I think it works too.

Pierre Riteau



Re: _SC_GETGR_R_SIZE_MAX ?

2007-02-19 Thread Joachim Schipper
On Mon, Feb 19, 2007 at 12:33:43AM +, Nick Holmes wrote:
> Dear all,
>
> I have been trying to compile PHP 5.2.1 with the Suhosin Patch on an
> OpenBSD-STABLE 3.9 i386 machine. /configure finishes fine, but each time I
> try to make, it stops with:
>
> /var/build/php-5.2.1/ext/posix/posix.c: In function `zif_posix_getgrgid':
> /var/build/php-5.2.1/ext/posix/posix.c:889: error: `_SC_GETGR_R_SIZE_MAX'
> undeclared (first use in this function)
> /var/build/php-5.2.1/ext/posix/posix.c:889: error: (Each undeclared
> identifier is reported only once
> /var/build/php-5.2.1/ext/posix/posix.c:889: error: for each function it
> appears in.)
>
> Someone with a similar problem posted at the Hardened-PHP.net forums and
> was told that it was not a Suhosin issue. After searching for the (sysconf
> definition??) _SC_GETGR_R_SIZE_MAX on my own machine I found it in
> /usr/include/sys/unistd.h but it is in a section under #ifdef notyet /*
> P1003.1c */ - Does that mean those items in that section are not yet
> implemented in OpenBSD? (I read the getgr* man pages but am still none the
> wiser). Apologies for my ignorance of these nuts & bolts issues which I am
> having great difficulty understanding.
>
> Does anyone have a workaround for this problem?
> Many thanks in advance...

I presume you are aware that a) -current has this patch in its PHP port,
and b) 4.0 (at least) has a -hardened flavour which, while it uses
another patch, is pretty comparable?

This suggests that there's an easier solution...

Joachim



Re: SSL Certs on Carp'd web servers

2007-02-19 Thread Jason Faulkner

Bill Chmura wrote:

Hello,

I have two web servers carp'd that I am getting ssl certs for.  I have it all
running with my own self signed ones, but need to get a Verisign or Thawte cert.

Are there any issues that are gonna bite me with doing this?  Since they all
appear the same, the cert info will be very similar and I don't want to buy
them without making sure it's gonna be okay if I just apply for them using the
info generated on each box?

The servers are a master / backup - so the traffic should mostly be going
to one server (unless something bad happens).

Any info would be great.

Thanks

Bill


This should basically work the same as it does here -- we have one DNS 
entry pointing to multiple machines, and we just make sure our 
certificate is based on the shared domain (i.e. server.foo.bar rather 
than server1.foo.bar).


If you want to make this /extra/ easy, buy a *.foo.bar certificate and 
just copy it to both places.


--
Jason Faulkner
Systems Manager
Broadwick Corporation
(919) 459-2509



VPN manpage missing in 4.0?

2007-02-19 Thread nachocheeze

Noticed that 4.0 release (fresh install) seems to be missing a couple
of man pages that exist in both 3.9 and 'current'.

$ uname -a
OpenBSD hostname.domainname.com 4.0 GENERIC#1107 i386

$ man vpn
man: no entry for vpn in the manual.

Went thru the list of the See Also man pages listed under both 3.9
and 'current', and found another that also doesn't exist for some
reason.

$ man ipsecadm
man: no entry for ipsecadm in the manual.

Hadn't seen anything referencing this on the web site or on [EMAIL PROTECTED]

No big deal, just curious why these are missing on the 4.0 release.
Was this simply an oversight, or is there "we left this out for a
reason; we don't think you should use these items under 4.0" logic
behind this?



Re: VPN manpage missing in 4.0?

2007-02-19 Thread Theo de Raadt
> Noticed that 4.0 release (fresh install) seems to be missing a couple
> of man pages that exist in both 3.9 and 'current'.
>
> $ uname -a
> OpenBSD hostname.domainname.com 4.0 GENERIC#1107 i386
>
> $ man vpn
> man: no entry for vpn in the manual.
>
> Went thru the list of the See Also man pages listed under both 3.9
> and 'current', and found another that also doesn't exist for some
> reason.
>
> $ man ipsecadm
> man: no entry for ipsecadm in the manual.
>
> Hadn't seen anything referencing this on the web site or on [EMAIL PROTECTED]
>
> No big deal, just curious why these are missing on the 4.0 release.
> Was this simply an oversight, or is there "we left this out for a
> reason; we don't think you should use these items under 4.0" logic
> behind this?

ipsecadm has been replaced with a whole new mechanism for ipsec
management

man ipsecctl

Try it.  You will see that it is way better.



Re: VPN manpage missing in 4.0?

2007-02-19 Thread Jason McIntyre
On Mon, Feb 19, 2007 at 11:28:25AM -0600, [EMAIL PROTECTED] wrote:
> Noticed that 4.0 release (fresh install) seems to be missing a couple
> of man pages that exist in both 3.9 and 'current'.
>
> $ uname -a
> OpenBSD hostname.domainname.com 4.0 GENERIC#1107 i386
>
> $ man vpn
> man: no entry for vpn in the manual.
>
> $ man ipsecadm
> man: no entry for ipsecadm in the manual.
>

these pages have been removed from -current. man -k ipsec and man -k
isakmpd contain all the relevant ipsec stuff.

jmc



Re: Ral drivers are they in bsd.rd

2007-02-19 Thread Stuart Henderson
On 2007/02/20 02:18, Sunnz wrote:
> Ohh, got AMD64 here... so how could I connect to the wireless network
> from boot CD? Is there a way to load the ral driver or something?

You could run i386 on it. Otherwise you'll need to install from a
source other than the PCI ralink.



Re: serial console on macbook?

2007-02-19 Thread Otto Moerbeek
On Mon, 19 Feb 2007, Pierre Riteau wrote:

> > The MacBook is different from the MacBook Pro.
> >
> > The first sign of trouble is that the UKC prompt doesn't work. It
> > won't accept input. When booting without going to UKC, it shows
> > various USB related error messages and then after a very long time
> > comes to the install prompt, which doesn't accept input either.
> >
> > This happens both with an acpi-enabled bsd.rd and the default bsd.rd.
> >
> > I didn't have a chance yet to diagnose this further.
> >
> > -Otto
>
> One easy method to install OpenBSD on a Macbook is to plug an external
> usb keyboard before booting on the CD. Booting takes a while but then
> you can use the external keyboard to install OpenBSD. Be sure not to
> use the network, msk0 will hang the machine without some acpi features
> IIRC.
> Then reboot, you will get errors about ehci, ignore them and still use
> the external keyboard.
> Compile a GENERIC.MP kernel with all acpi options enabled on another
> machine and copy it to the macbook with a CD, or grab -current sources
> on CD from another machine and copy them to the macbook. Reboot and
> enjoy, built-in keyboard works, ethernet (msk0) works, usb sticks
> work. But wireless device (ath0) doesn't.
> I haven't tried X11 for a while but I think it works too.

Ah, I did try that before but it didn't work. But now it turns out
that I have to use the frontmost USB port. The other one is not
working. Installing as I write this...

-Otto



DNSBL ratings

2007-02-19 Thread J Moore
I'm reviewing the DNSBLs I have in my sendmail configuration:

* dnsbl.sorbs.net
* bl.spamcop.net
* sbl.spamhaus.org
* cbl.abuseat.org
* ipwhois.rfc-ignorant.org

Is there a rating service that anybody's aware of that rates the 
quality of these services?

Thnx,
Jay



Re: serial console on macbook?

2007-02-19 Thread Ben Calvert

On Feb 19, 2007, at 11:13 AM, Otto Moerbeek wrote:

> On Mon, 19 Feb 2007, Pierre Riteau wrote:
>
>>> The MacBook is different from the MacBook Pro.
>>>
>>> The first sign of trouble is that the UKC prompt doesn't work. It
>>> won't accept input. When booting without going to UKC, it shows
>>> various USB related error messages and then after a very long time
>>> comes to the install prompt, which doesn't accept input either.
>>>
>>> This happens both with an acpi-enabled bsd.rd and the default bsd.rd.
>>>
>>> I didn't have a chance yet to diagnose this further.
>>>
>>> -Otto
>>
>> One easy method to install OpenBSD on a Macbook is to plug an external
>> usb keyboard before booting on the CD. Booting takes a while but then
>> you can use the external keyboard to install OpenBSD. Be sure not to
>> use the network, msk0 will hang the machine without some acpi features
>> IIRC.
>> Then reboot, you will get errors about ehci, ignore them and still use
>> the external keyboard.
>> Compile a GENERIC.MP kernel with all acpi options enabled on another
>> machine and copy it to the macbook with a CD, or grab -current sources
>> on CD from another machine and copy them to the macbook. Reboot and
>> enjoy, built-in keyboard works, ethernet (msk0) works, usb sticks
>> work. But wireless device (ath0) doesn't.
>> I haven't tried X11 for a while but I think it works too.
>
> Ah, I did try that before but it didn't work. But now it turns out
> that I have to use the frontmost USB port. The other one is not
> working. Installing as I write this...

Trying now...  this is all i386, i assume?

> -Otto




Re: Pf - Private address blocking

2007-02-19 Thread Woodchuck
On Mon, 19 Feb 2007, martin g wrote:

> Hey all
>
> I have a question about blocking private addr. with pf.
>
> I have defined the reserved addresses according to RFC 1918 in a table
> <priv_ip>
>
> My default rule is:
>
> block in on $ext_if
> block out on $ext_if
>
> pass in on $int_if
> pass out on $int_if
>
> 1. With these 2 rules defined is it still recommended to block private addr.

Yes.  RFC1918 source/destination packets should be kept from the
public internet.  Any coming to you are bogus.  Any leaving your
router are bogus; they should both be dropped.  Such packets are
non-routable.

> If it is then:
>
> Computers on my network have IP's from block 192.168.0.0/16 let's say
> 192.168.1.100 to 192.168.1.105
> I make another table called <lan>
>
> What is the correct rule? Do I negate table <lan> in a rule
>
> block in on $ext_if from any to { <priv_ip>, !<lan> }
> block out on $ext_if from { <priv_ip>, !<lan> } to any
>
> or do I negate IP's in a table like so
>
> table <lan> { !192.168.1.100 , ...}
>
> tnx for reply

Neither. You want to block them all at the ext_if.  You want to use
nat to map your LAN addresses to something routable.  If you forward
packets from an RFC1918 address, those packets will soon be dropped,
probably by the next host to forward them.

Dave
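The layout Dave describes, with the LAN translated first and everything RFC 1918 dropped on the outside interface, as an added pf.conf example that is not from this thread. It assumes OpenBSD 4.0-era pf syntax (nat rules before filter rules, as pf.conf(5) of that release requires), interface names fxp0/fxp1 and a 192.168.1.0/24 LAN; all three are placeholders to adjust.

```pf
# Added example, not from the thread. Assumed interface names and LAN.
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.1.0/24"

# The three RFC 1918 blocks. "const" means the table cannot be altered
# from the command line once the ruleset is loaded.
table <priv_ip> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Translation happens before filtering: LAN packets leaving $ext_if get
# the router's public address as source, so the private-address block
# rules below never match legitimate outbound LAN traffic and no
# "!<lan>" exception is needed anywhere.
nat on $ext_if from $lan_net to any -> ($ext_if)

# The poster's defaults: deny on the outside, allow on the inside.
block in on $ext_if
block out on $ext_if
pass in on $int_if
pass out on $int_if

# Private addresses never belong on the public interface in either
# direction. "quick" stops evaluation here so no later pass rule can
# admit them, and "log" gives pflog(4) a record of the attempt: inbound
# hits are spoofed or misrouted packets, outbound hits are leaks that
# escaped translation and would be dropped by the next hop anyway.
block drop in  log quick on $ext_if from <priv_ip> to any
block drop in  log quick on $ext_if from any to <priv_ip>
block drop out log quick on $ext_if from <priv_ip> to any
block drop out log quick on $ext_if from any to <priv_ip>

# Only now the rules that admit real traffic, e.g. outbound connections
# from the (translated) router address with state for the replies.
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state
```

`pfctl -nf /etc/pf.conf` checks the syntax without loading it, and `tcpdump -n -e -ttt -i pflog0` shows which rule dropped a packet and why.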



Re: HP ML110 failed install

2007-02-19 Thread Ron Oliver

On 2/19/07, Administrator [EMAIL PROTECTED] wrote:

Hi all,

I am having an issue trying to install to a HP ML110 G4.

There was an identical thread a week or so ago that doesn't seem to have a
solution.
I was hoping someone may have some further suggestions.

I keep getting flooded with these messages during the install

axe0: read PHY failed
axe0: read PHY failed
axe0: read PHY failed

The machine finally gets to the install prompt but becomes unresponsive.

It was suggested to boot -c and disable axe but the machine is also
unresponsive at the ukc prompt.

This is supposed to be on-site tomorrow so any thoughts would be greatly
appreciated.


I got around this by boot -c from a serial console.  UKC prompt works
from there.  You can then disable axe and boot.  Then once you're
up,
# cp -p /bsd /bsd.orig
# config -e -o /bsd /bsd
UKC> disable axe
UKC> quit

and it'll boot.

As per previous thread, your null modem cable must provide DCD;
otherwise, you'll see the boot prompt, but it won't accept your
input.

It will still take several minutes to boot; haven't heard any reasons
for that yet.  It stalls after entry point at  for a few
minutes, then stalls again a couple of times.  But it will finally
come up and appears to run ok after that.
--
Ron Oliver



Re: HP ML110 failed install

2007-02-19 Thread Administrator
Thanks Ron,

I have gone through these options but no luck.

Even my serial console locks up when the main machine becomes
unresponsive at the ukc prompt.

I have applied the latest firmware and tried the latest snapshot. The
symptoms don't change.

The long waits seem to improve if I disable USB on the BIOS

Is there an easy way to create a modified bsd.rd that has axe already
disabled and maybe even USB disabled
for use in a pxe install ?

Steve

-Original Message-
From: Ron Oliver [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 20 February 2007 9:52 AM
To: Administrator; misc@openbsd.org
Subject: Re: HP ML110 failed install


On 2/19/07, Administrator [EMAIL PROTECTED] wrote:
> Hi all,
>
> I am having an issue trying to install to a HP ML110 G4.
>
> There was an identical thread a week or so ago that doesn't seem to have
> a solution. I was hoping someone may have some further suggestions.
>
> I keep getting flooded with these messages during the install
>
> axe0: read PHY failed
> axe0: read PHY failed
> axe0: read PHY failed
>
> The machine finally gets to the install prompt but becomes
> unresponsive.
>
> It was suggested to boot -c and disable axe but the machine is also
> unresponsive at the ukc prompt.
>
> This is supposed to be on-site tomorrow so any thoughts would be
> greatly appreciated.

I got around this by boot -c from a serial console.  UKC prompt works
from there.  You can then disable axe and boot.  Then once you're up,
# cp -p /bsd /bsd.orig
# config -e -o /bsd /bsd
UKC> disable axe
UKC> quit

and it'll boot.

As per previous thread, your null modem cable must provide DCD;
otherwise, you'll see the boot prompt, but it won't accept your input.

It will still take several minutes to boot; haven't heard any reasons
for that yet.  It stalls after entry point at  for a few minutes,
then stalls again a couple of times.  But it will finally come up and
appears to run ok after that.
--
Ron Oliver



Problem with MTU IPSec VPN

2007-02-19 Thread Tim Pushor

Hi all,

I'm getting to the point where I don't really know where to turn. I am
having a weird problem with an OpenBSD server/firewall that has a
permanent IPSec tunnel to a checkpoint embedded security device. The
problem is, that half the time large packets can't get through. I've
trial and error'ed (via windows ping -l) that ping packets of 1306 bytes
get through all the time, while packets > 1306 (even 1307) only get
through half the time. Not half the time like 50% loss, but like it
works for hours, then doesn't for 10 minutes.


I only have control of one half of the connection (unfortunately), and
am kind of lost. I have a rudimentary understanding of IP, so do
understand things like MTUs & fragmentation, and things like VPN
adding packet overhead that reduces the effective MTU. I just don't
really know where to start tracking this down. I guess I don't
understand enough (any?) about how this part of the tunnel works under
the covers.


Can anyone help maybe point me in a direction? My ruleset is default
deny with log, and nothing is being dropped. pfctl -x loud doesn't
reveal anything. I pass everything to/from the VPN. My network
configuration is unfortunately kind of complex. I have vlan's and carp's
on those vlan's so I'll refrain from trying to describe the setup unless
it's necessary.


Hopefully thanks in advance :)
Tim



Re: 100 brave souls needed

2007-02-19 Thread Sam Fourman Jr.

Jacek,

I did not purchase your first edition book, but I would sincerely love
to partake in your beta program, if you have room. I am VERY
interested in OpenBSD and pf, carp firewalls and wireless devices.

Please, if you have any room left, contact me.

Sam Fourman Jr.

On 2/19/07, Jacek Artymiak [EMAIL PROTECTED] wrote:

Hi,

I'd like to ask those of you who bought the first 100 (numbered)
copies of the first edition of Building Firewalls with OpenBSD and PF
to get in touch with me privately. I've got some beta invites for you
and free copies of my new books that will go to the printers at the end of
February.

PS (1). Those of you already on the RadioBSD beta just wait for more
information.

PS (2). I don't want to clutter this list with my emails. If you want
to know more about what's happening in my neck of the woods, visit and
subscribe to this feed:

http://feeds.artymiak.com/jacek-artymiak

--
Jacek Artymiak
devGuide.net :: RadioBSD




spamd unnecessarily abrasive?

2007-02-19 Thread J Moore
I was testing a new DNSBL, and got the test results shown below:

I was under the impression that spamd was supposed to politely defer 
connections from unknown/greylisted hosts. The dialogue below suggests 
that the assumption is that the unknown host is a spammer (which is true 
99% of the time, but still...)

Isn't this a bit over the top?

Rgds,
Jay


- TEST RESULTS ---
Date: 20 Feb 2007 03:34:43 -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Your SBL test report

Testing your SBL block.  See http://www.crynwr.com/spam/ for more info.
Please note that this test will not tell you if your server is open for
relaying.  Instead, it tests to see if your server blocks email from IP
addresses listed in various blocking lists; in this case, the SBL list.

Here's how the conversation looked from sbl.crynwr.com.
Note that some sites don't apply the SBL block to postmaster, so
I use your envelope sender as the To: address.

I connected to 67.33.XX.YYY and here's the conversation I had:

220 kingcull.cullmail.com ESMTP spamd IP-based SPAM blocker; Mon Feb 19 
21:34:43 2007
helo sbl.crynwr.com
250 Hello, spam sender. Pleased to be wasting your time.
mail from:
250 You are about to try to deliver spam. Your time will be spent, for 
nothing.
rcpt to:[EMAIL PROTECTED]
451 Temporary failure, please try again later.
Terminating conversation



Re: Problem with MTU IPSec VPN

2007-02-19 Thread Darren Spruell

On 2/19/07, Tim Pushor [EMAIL PROTECTED] wrote:

Hi all,

I'm getting to the point where I don't really know where to turn. I am
having a weird problem with an OpenBSD server/firewall that has a
permanent IPSec tunnel to a checkpoint embedded security device. The
problem is, that half the time large packets can't get through. I've
trial and error'ed (via windows ping -l) that ping packets of 1306 bytes
get through all the time, while packets > 1306 (even 1307) only get
through half the time. Not half the time like 50% loss, but like it
works for hours, then doesn't for 10 minutes.


If that Check Point device has SmartDefense enabled, it has rules that
futz with ICMP packets larger than some threshold. See if you have any
of that mojo going on.

DS



Mono project support

2007-02-19 Thread Mislav Božičević

Is Mono Project (http://www.mono-project.com/Main_Page) supported by
the OpenBSD OS? In other words, am I able to compile and run C# files
under the OpenBSD OS? Thanks.