Re: Assigning OpenBSD server to a single IP to Two NICs , Connect to Two Switches

2012-03-07 Thread Bret S. Lambert
On Thu, Mar 08, 2012 at 01:25:35PM +0800, Pok Yie wrote:
 Hye guys,
 
 I have an issue to ask here. I have two core switches. Am I able to use a
 single IP for two NICs, with each NIC connecting to one core switch to
 provide fail-over?
 
 
 Core 1 == NIC 1 [192.168.0.1 ] NIC 2 == Core 2
 
 So, my client only knows a single IP address, regardless of core 1 or core 2
 being down (not both at the same time).
 

You might take a look at trunking the two; the ifconfig man page should
have enough info to get you started on that.

 -pokyie-
 From Bangkok with love



Re: OpenBSD PF tables

2011-12-08 Thread Bret S. Lambert
Take a look at pf anchors.

On Thu, Dec 08, 2011 at 10:21:14PM +1100, John Tate wrote:
 Is there a way to control ports on a filter from the command line? I guess
 I just have manually adding and deleting rules.
 
 On Thu, Dec 8, 2011 at 10:19 PM, Andres Perera andre...@zoho.com wrote:
 
  the documentation is pretty clear by saying that tables can only hold
  addresses, not a random set of numbers
 
  On Thu, Dec 8, 2011 at 6:41 AM, John Tate j...@johntate.org wrote:
   Misc,
  
   I have successfully got an OpenBSD machine to connect via ADSL and forward
   packets, I am gradually upgrading my pf.conf. I am having trouble with this
   configuration (ignore some obvious bugs related to table names where tables
   are defined and the rules I have seen them).
  
   At the moment I am working on doing some things as tables. I want tables to
   hold the ports, but it appears perhaps they can only hold IP addresses. The
   following tables do not work from line 10-11...
  
   table <etcpserv> { 22 }
   table <itcpserv> { 22, 53 }
  
   The whole thing is here: http://pastebin.com/VuLNW9Ph
  
   John Tate
  
   --
   www.johntate.org
  
 
 
 
 
 -- 
 www.johntate.org
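
The two answers in this thread (tables hold only addresses; look at anchors), put together as an added pf.conf fragment that is not taken from the poster's ruleset: port lists become macros, a table keeps doing what tables are for, and an anchor gives a sub-ruleset that can be changed from the command line. The interface names, the table name `trusted`, the anchor name `svc` and all addresses are assumptions.

```conf
# Constructed example; not the pf.conf from the pastebin link.
ext_if = "em0"                      # assumption: external interface
int_if = "em1"                      # assumption: internal interface

# Port lists are macros, expanded when the ruleset is loaded.
# "table <itcpserv> { 22, 53 }" cannot express this: tables hold
# addresses and networks, not port numbers.
etcpserv = "{ 22 }"
itcpserv = "{ 22, 53 }"

# A table for what tables are for: a set of addresses that can be
# edited at runtime without reloading the ruleset.
#   pfctl -t trusted -T add 198.51.100.7
#   pfctl -t trusted -T delete 198.51.100.7
#   pfctl -t trusted -T show
table <trusted> persist { 192.0.2.0/24 }

# Default deny inbound; the last matching rule wins.
block in all
pass out all

pass in on $ext_if proto tcp from <trusted> to any port $etcpserv
pass in on $int_if proto tcp from any to any port $itcpserv

# Rules that need to change from the command line live in an anchor.
# The main ruleset only names the attachment point; the anchor is
# evaluated here, after the rules above.
anchor "svc"

# Load, inspect and flush the anchor without touching the rules above:
#   echo 'pass in on em0 proto tcp from any to any port 8080' | pfctl -a svc -f -
#   pfctl -a svc -s rules
#   pfctl -a svc -F rules
```

Flushing the anchor returns the firewall to the static policy above, which makes the anchor a contained place for temporary openings.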



Re: Developing software on OpenBSD

2011-12-02 Thread Bret S. Lambert
On Fri, Dec 02, 2011 at 03:15:16AM -0800, Neoklis Kyriazis wrote:
 Hi
 
 I hesitate somewhat to post this, being aware of the recommendations to
 look for answers in the extensive documentation of OpenBSD, but I just
 don't seem to find the information I need.
 
 I have been using Linux for a number of years and have written a few
 applications for that platform, mainly for my Ham Radio hobby (they
 are available on my website below). I have recently installed OpenBSD
 on my second SSD and I would like to edit the source code to make it
 compatible with OpenBSD's coding standards (I have managed to compile
 a couple of my simplest apps and I already have warnings of bad practices
 like using strcpy and strcat... ;-)
 
 Is there a guide for developers regarding OpenBSD programming standards
 and practices, including specific API functions like strlcpy etc? Some of
 the apps I have written use the ALSA sound API, which I understand is not
 available on OpenBSD (and I think on all *BSDs).  Is OpenBSD using the
 standard OSS API?

The indent utility and the style man page are your friends.

Assuming you're doing this in C, that is.

 
 My thanks in advance!
 
 
  
 Regards
 Neoklis - Ham Radio Call 5B4AZ
 QTH Locator KM64KR
 Website:
 http://www.qsl.net/5b4az/



Re: Narcicism?

2011-12-01 Thread Bret S. Lambert
On Fri, Dec 02, 2011 at 02:25:06AM +1100, John Tate wrote:
 On Thu, Dec 1, 2011 at 7:20 PM, Scott McEachern sc...@blackstaff.ca wrote:
 
  On 12/01/11 02:28, John Tate wrote:
 
  I think I've found a bug in the OpenBSD crowd. They bug the hell out of me
  and my little mistakes.
 
  I am not talking about people who actually have a solution, but I can't
  seem to ask anything on this list without parrots coming along picking on
  me. I think some people just hang out here because it's the most anal bunch
  of hackers ever, in recorded history. What are your experiences?
 
 
 I'm 24 years old. I was a Linux hacker since I was 13. I am a bit of a guru
 and do my own Kerberos and such on an all BSD/Linux network. OpenBSD and
 Debian Linux. I love OpenBSD, I'm a bit weird because I use bash. I can put
 up with being made fun of. At 13 I didn't just start learning Linux I
 started learning C++ as well. I failed to apprehend it properly at that
 age, but at an older age I relearned it well. I am the guru sort of guy, I
 know a hell of a lot but I'm still connecting it and in that sense still
 learning.

Psyche-shatteringly awesome troll has massive balls, but is still a troll.

News at 11.

 
 
 
  Is it true that occasionally we attract people who either love bullying or
  are just lazy and pretending to be one of the clever?
 
  Well I get messages that are worthless and seem to be insults.
 
 
  It just figures some of these people sit on the list, and email you poorly
  researched crap with no answers contain.
 
  If you hate a question, it truly doesn't belong, bug me.
 
  But if you just can't answer a question, ignore it.
 
  John Tate.
 
  Note: Yes, it's not my list.
 
 
  John, if you don't mind, I'll give you some advice:  Do your homework
  before posting to the list.  Your basic instinct is to click Send instead
  of thinking first.  I've lost count of how many of your posts were
  retracted by yourself, with a big oops, my bad or were replied to with
  RTFM-type responses.  I got a kick out of one retraction where you said
  something like Sorry, I was drunk.
 
  You're obviously new here.  Sure, it's a tough crowd at times, but that
  only happens when people don't bother reading the FAQ, or the man pages, or
  trying things out for themselves.  A lot of people have asked stupid
  questions or said something dumb -- myself included -- and got painful
  responses.  I've had my share of facepalm experiences and had my ass handed
  to me plenty of times, but I deserved it.
 
  But you know what?  I try to not make a regular occasion of it.  It seems
  you do.
 
  I help a lot of people off-list, and I know for a fact many others do the
  same.  I've found through years of experience there are two kinds of people
  on this list: those that need a little help and pointed in the right
  direction, and those that need their hands held for every step.  Guess
  which category I put you in?  And that's exactly why I've helped you a
  grand total of zero times.
 
  Now you have the gall to come on this list and insult the people that are
  trying to help you.  I don't think there's anyone on this list that sits
  idly, waiting for an opportunity to pick on or bully someone.  Get a
  grip, get some thicker skin, and most of all, RTFM first.
 
  I guarantee that if you take my advice, you'll find this list to be a
  very, very valuable resource.  Remember, there is a difference between
  *reading* and *comprehension*.  Work a little harder on the latter and I
  think you'll find you won't be picked on.
 
  Stop playing the victim.  You're not the first and it's old.
 
  --
  Scott McEachern
 
  https://www.blackstaff.ca
 
 
 
 
 -- 
 www.johntate.org



Re: Kernel without INET6 error on pipex.c

2011-11-24 Thread Bret S. Lambert
On Thu, Nov 24, 2011 at 12:20:29PM +, Kevin Chadwick wrote:
 On Thu, 24 Nov 2011 22:12:10 +1100
 Rod Whitworth wrote:
 
  You are the only one who knows exactly what you did.  Maybe. 
  Why should we waste time guessing?
  
  It's a pretty damn stupid thing to do anyway when it is so easy to
  block v6 traffic using GENERIC and, BTW, your kernel is NOT GENERIC.
  It doesn't matter that you were too ignorant to change the name...
 
 
 It may well not be worth the effort to fix if it is broken, especially
 considering the difficulties IPV6 has brought. Have you tried

diff or GTFO

 current out of interest. IPV6 commenting has broken the build before
 assuming that is the single thing that was changed and it builds now
 when uncommented. I completely disagree with damn stupid, it is
 obviously the most reliable method to disable ipv6 and the archives
 (ppp) add weight to this.
 
 You should ALWAYS /bin/cp -p GENERIC to a new file if you make changes
 though, that could waste a lot of devs precious time.



Re: traffic shaping in OpenBSD

2011-11-01 Thread Bret S. Lambert
On Tue, Nov 01, 2011 at 09:47:35AM +0200, Gregory Edigarov wrote:
 On Tue, 1 Nov 2011 11:17:56 +0400
 ZZ Wave zzw...@gmail.com wrote:
 
  What solution should be used for traffic shaping on real-life,
  production gateways with tens and hundreds users? PF queues seem to
  be too userspace-ish and CPU consuming.
 
 Pardon?
 What do you mean userspace-ish ?

I believe he wants to communicate with the kernel with the power of his mind.

 
 
 -- 
 With best regards,
   Gregory Edigarov



Re: traffic shaping in OpenBSD

2011-11-01 Thread Bret S. Lambert
On Tue, Nov 01, 2011 at 12:26:30PM +0400, ZZ Wave wrote:
 For example, in FreeBSD there is slow pf in userspace and fast
 kernel-level netgraph.

*headasplode*

 
 2011/11/1 Gregory Edigarov g...@bestnet.kharkov.ua
 
  On Tue, 1 Nov 2011 11:17:56 +0400
  ZZ Wave zzw...@gmail.com wrote:
 
   What solution should be used for traffic shaping on real-life,
   production gateways with tens and hundreds users? PF queues seem to
   be too userspace-ish and CPU consuming.
 
  Pardon?
  What do you mean userspace-ish ?
 
 
  --
  With best regards,
 Gregory Edigarov



Re: query bug reports?

2011-10-13 Thread Bret S. Lambert
On Thu, Oct 13, 2011 at 12:28:59PM +0200, Johan Ryberg wrote:

[cut to the chase]

 I would love to help writing a new bug tracker that could be merged
 into base but I'm no skilled coder but I have engagement and I want to
 help testing. I can probably provide server and space but for sure
 give my own time as a tester of the system.

At one point or another, every skilled coder was an unskilled coder.

A need is going unfilled, and either someone will change that, or they won't.
Either way, it's not going to be changed by mailing list chatter.

Please, can we just think of the children and agree kill this thread
before it becomes even more noise?



Re: Recompile OpenBSD without built-in Apache 1.3

2011-06-29 Thread Bret S. Lambert
On Tue, Jun 28, 2011 at 09:46:25PM -0700, Zeb Packard wrote:
 I say go for it.
 
 File is:
 usr.sbin/Makefile
 
 Code is:
 # $OpenBSD: Makefile,v 1.154 2011/02/09 17:17:47 jasper Exp $
 
 .include <bsd.own.mk>
 
 SUBDIR=   ac accton acpidump adduser amd apm apmd arp \
   authpf bgpctl bgpd bind chroot config cron crunchgen dev_mkdb \
   dhcpd dhcrelay dvmrpctl dvmrpd edquota eeprom faithd fdformat \
   ftp-proxy gpioctl hostapd hotplugd *httpd* ifstated ikectl inetd
 
 It looks like inetd might build after httpd for configuration
 issues. For example, if you pulled 'chroot', you couldn't expect your apache

I'm pretty sure you're confusing

chroot (2) - change root directory

with

chroot (8) - change root directory



 install to be chrooted by default. If you try installing apache2 from ports
 later on, you might find some issues, but I'm not sure cause I'm a newbie
 too.
 
 If it doesn't fail to build, you don't ever plan on running a webserver and
 you're not on too strict a deadline, I'd go for it.



Re: Recompile OpenBSD without built-in Apache 1.3

2011-06-29 Thread Bret S. Lambert
On Wed, Jun 29, 2011 at 08:56:38AM -0400, sven falempin wrote:
 This is almost equivalent.
 And that's probably the way I will do it.
 
 But as comp, is separated from base, I'm saying that this minimal_base.tgz
 would be useful.
 Of course, only thinking about the talking around what to put in it, is
 discouraging.
 
 For example , i wouldn't put the package handling in it, nor apache.

Somebody needs a man release.

...

Wait, that came out wrong...

 
 
 2011/6/29 Kevin Chadwick ma1l1i...@yahoo.co.uk
 
  On Wed, 29 Jun 2011 04:57:30 -0400
  sven falempin wrote:
 
   As i don't want to use a smaller 'spinover'.
   I ll probably will have to list some non usefull files,
   making upgrade more difficult, for my next use of openBSD.
 
  Depending how you upgrade. Making a minimal-base.tgz and not selecting
  base.tgz should be pretty straight forward.
 
 
 
 
 -- 
 -
 () ascii ribbon campaign - against html e-mail
 /\



Re: Crash when using the graphviz library

2011-05-19 Thread Bret S. Lambert
On Thu, May 19, 2011 at 02:32:39PM +0200, Reto Schneider wrote:
 Hi
 
 I have a fresh installation of openBSD 4.9-release where the sample code of
 the graphviz library fails. It also fails on openBSD 4.8 but works perfectly
 on 4.7/Ubuntu/Debian/FreeBSD/etc.
 
 How to get the error:
 
 Install graphviz:
 
 # export PKG_PATH=http://mirror.switch.ch/ftp/pub/OpenBSD/4.9/packages/i386/;
 # pkg_add -r graphviz
 
 
 Creating the file sample.c with this content 
 (http://www.graphviz.org/pdf/libguide.pdf, found at
 page 40):
 
 #include <gvc.h>
 int main(int argc, char **argv)
 {
     GVC_t *gvc;
     graph_t *g;
     FILE *fp;
     gvc = gvContext();
     /* read the graph from the named file, or from stdin */
     if (argc > 1)
         fp = fopen(argv[1], "r");
     else
         fp = stdin;
     g = agread(fp);
     gvLayout(gvc, g, "dot");
     gvRender(gvc, g, "plain", stdout);
     gvFreeLayout(gvc, g);
     agclose(g);
     return (gvFreeContext(gvc));
 }
 
 
 Compile it (like shown in the example Makefile on page 39):
 $ gcc -o sample sample.c `pkg-config --libs --cflags libgvc`

You need to link it with the pthreads library by passing -lpthread.

 
 
 Run it:
 $ ulimit -c unlimited
 $ echo "graph G{node1;}"|./sample
 ./sample:/usr/local/lib/libgthread-2.0.so.2600.0: undefined symbol 
 'pthread_getschedparam'
 lazy binding failed!
 Segmentation fault (core dumped)
 
 
 Backtrace:
 $ gdb sample sample.core
 
 (gdb) bt
 #0  0x01deb370 in _dl_bind () from /usr/libexec/ld.so
 #1  0x01de7b87 in _dl_bind_start () from /usr/libexec/ld.so
 #2  0x7c9a7628 in ?? ()
 #3  0x0050 in ?? ()
 #4  0xcfbe0033 in ?? ()
 #5  0x01de0033 in ?? ()
 #6  0x in ?? ()
 
 The workaround I use for now is to link the program sample directly against
 pthread:
 $ gcc -o sample sample.c `pkg-config --libs --cflags libgvc` -pthread
 
 I have found a commit to the ports which does exactly this for the dot tool
 (without this patch it fails like the code above):
 http://www.openbsd.org/cgi-bin/cvsweb/ports/math/graphviz/patches/patch-cmd_dot_Makefile_in?rev=1.1;content-type=text%2Fx-cvsweb-markup
 
 Now I am wondering if I did something wrong or if there is a problem with
 openBSD 4.8 and 4.9.
 
 Regards,
 Reto



Re: new upper limit with BIGMEM

2011-04-05 Thread Bret S. Lambert
On Tue, Apr 05, 2011 at 02:02:10PM -0700, James A. Peltier wrote:
 - Original Message -
 |   real mem = 137428045824 (131061MB)
 |   avail mem = 133755703296 (127559MB)
 |  
 |   seems to work ok...
 | 
 |  But have you hit the limit?
 | 
 | The sky is the limit, but his is not a flying machine.
 | 
 | Miod
 
 
 Umm, we conquered the skies a while ago.  Really the solar system is the 
 limit currently.

What we, biped? -- His Highness, The Holy Space Kraken

 
 -- 
 James A. Peltier
 IT Services - Research Computing Group
 Simon Fraser University - Burnaby Campus
 Phone   : 778-782-6573
 Fax : 778-782-3045
 E-Mail  : jpelt...@sfu.ca
 Website : http://www.sfu.ca/itservices
   http://blogs.sfu.ca/people/jpeltier



Re: MAXDSIZ

2011-03-30 Thread Bret S. Lambert
On Wed, Mar 30, 2011 at 01:22:19PM +0200, Tony Berth wrote:
 I can't??? So the limit of 4G physical memory still exists? And why was this
 statement made from 4.4 release?

physical vs virtual memory, as has been explained already

it's no longer 1950; we've got this thing called swap

 
 Thanks
 
 On Wed, Mar 30, 2011 at 12:39 PM, Janne Johansson icepic...@gmail.com wrote:
 
 
 
  2011/3/30 Tony Berth tonybe...@googlemail.com
 
  currently not but this machine will be a DB server (Postgresql + Mysql) and
  it was asked if we could go beyond the 8G.
 
  In any case, for now, if I can address 8G physical memory is fine.
 
 
  ..which you can't.
 
 
  --
   To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: Constant rate mbuf leak

2011-02-11 Thread Bret S. Lambert
Prime suspect here would be the network driver. dlg@ had a nice mbuf leak
detect-o-matic diff a while back. I'll have to see if I can find it.

In the meantime knowing which board it is (or, even better, what network
drivers are in use) would help immensely.

On Fri, Feb 11, 2011 at 06:20:50PM +, Lars Kotthoff wrote:
 Just to say that I've been having the same problem with a Soekris board since
 about 4.4. I haven't figured out what's going on, but strangely the problem is
 getting better with time (i.e. the rate at which mbufs are allocated decreases).
 I *think* that it was fine in 4.3 (though I never run the machine for any
 length of time with that kernel), so you could try that if you want to
 investigate.
 
 I haven't been able to establish a correlation between allocated mbufs and
 (network) load either.
 
 The solution for me so far has been to keep a watchful eye and reboot the
 machine once too much memory is used, combined with a watchdog and monit to
 reboot the machine automatically if it becomes unresponsive.
 
 Lars



Re: nat static-port option

2011-02-03 Thread Bret S. Lambert
On Thu, Feb 03, 2011 at 07:31:01AM -0800, Johan Beisser wrote:
 On Feb 3, 2011, at 5:17, Martin Schröder mar...@oneiros.de wrote:
 
  2011/2/3 Bret Lambert bret.lamb...@gmail.com:
  Counting my toaster?
 
  Your toaster has an IP?
 
 
 Yours doesn't?
 

He's got IPv6! His *cockroaches' toasters* have IPs!



Re: nat static-port option

2011-02-02 Thread Bret S. Lambert
On Wed, Feb 02, 2011 at 10:23:43PM +0100, Martin Schröder wrote:
 2011/2/2 Kevin Chadwick ma1l1i...@yahoo.co.uk:
  Also, If you look at the GeoIP lookup data you'll see great swathes were
  allocated early on and seemingly never actually used.
 
 Yeah. And there'll never be more than 2^32 IP devices in the world.

Inorite? I mean, if I can't get an IP for my toaster, I'm just gonna *die*!

 
 Best
Martin



Re: BPF device limitations

2011-02-01 Thread Bret S. Lambert
On Tue, Feb 01, 2011 at 09:23:05AM -0500, Steve Johnson wrote:
 Hi,
 
 I wanted to know what was the restriction on BPF devices and how to possibly
 go around it. We are currently running a 4.8 GENERIC.MP system with 3
 dhcrelay processes (and would need to run more very soon), along with ladvd
 daemon for CDP and they are consuming pretty much all of the 10 BPF devices
 that I have read the system gives by default.

Have you actually tried running it to more than 10 devices? My quick
scan of sys/net/bpf.c didn't show a limitation in the open function.

 
 #fstat|grep bpf
 _dhcpdhcrelay   206984 /   52709 crw---  rw bpf8
 _dhcpdhcrelay 4484 /   52708 crw---  rw bpf7
 _dhcpdhcrelay   252484 /   52707 crw---  rw bpf6
 root ladvd  208979 /   52702 crw---  rw bpf1
 root ladvd  20897   10 /   52703 crw---  rw bpf2
 root ladvd  20897   11 /   52704 crw---  rw bpf3
 root ladvd  20897   12 /   52705 crw---  rw bpf4
 root ladvd  20897   13 /   52706 crw---  rw bpf5
 root ladvd  20897   14 /   52710 crw---  rw bpf9
 _pflogd  pflogd  63913 /   52701 crw---  rw bpf0
 root pflogd  15613 /   52701 crw---  rw bpf0
 
 
 Is there any way to increase that number and if so, would this be a bad
 practice? If need be I can always stop ladvd, but ideally we'd rather have
 it on.
 
 Thanks,
 Steve Johnson



Re: Donations

2010-12-09 Thread Bret S. Lambert
 you come back as a cow
 ^^^
I thought it was a toilet brush?

You just can't trust reincarnation this life.



Re: (Perhaps?) dumb pf question relating to tables

2010-11-10 Thread Bret S. Lambert
On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote:
 Hello,
 
 May I ask whether or not per user ownership (or permission to update) a
 table is/will be possible?
 
 I am pondering the best mechanism for a  non-root process to add/remove
 addresses to a table.

Privilege separation.

 
 Kind regards,
 
 Tor



Re: How to convert .img to .iso

2010-11-08 Thread Bret S. Lambert
On Mon, Nov 08, 2010 at 08:22:13AM -0800, James Hozier wrote:
 Since there apparently is no software for this kind of conversion, by what
 other means or methods are there to do this on OpenBSD? I cannot mount .img
 at all with either vnconfig or '-o loop'.

Just FYI re: 'mount -o loop'

$ man mount | grep -c the
73
$ man mount | grep -c loop
0

 
 $ file file.img
 file.img: DOS floppy 1440k, x86 hard disk boot sector
 $
 
 Is there a way to either mount .img or do I have to figure out a way to
 convert it?



Re: relayd port to linux

2010-11-06 Thread Bret S. Lambert
On Sat, Nov 06, 2010 at 03:08:12PM -0400, Joe McDonagh wrote:
 Move your puppet to apache+passenger instead of starting several
 mongrel instances. It is much simpler to manage.
 
 
 Claer
 I guess that depends on your definition of simple; I've done this setup but 
 there are version incompatibilities that make it a PITA. I would definitely 
 like to move to it, but it just seems too finicky.

Had to work through those, but a half hour of mix-n-match should see
you through. One of the annoyances you get paid to deal with.

There are (some and incomplete, sadly) version issues detailed
on the puppet website[1], and gems is easy enough to use to
install ruby apps.

FWIW, I've got puppet 2.6.1 running on passenger 2.2.15


[1] http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger

 
 --
 Joe McDonagh
 Operations Engineer
 AIM: YoosingYoonickz
 IRC: joe-mac on freenode
 When the going gets weird, the weird turn pro.



Re: password-less console-only access and ssh remote access?

2010-10-22 Thread Bret S. Lambert
On Thu, Oct 21, 2010 at 05:38:54PM +, Jay K wrote:
 My ideal setup would be:
   1) no passwords  (* in /etc/passwd or via vipw)
   2) only ssh for remote access
i.e. no password-based security, only something better
   3) except console, where anyone should be able to login
 without any password (granted, I only have two users, root and jay)

You can get almost the same thing by setting PasswordAuthentication to no
in your sshd_config file, and hand out empty or ridiculously simple passwords
for the console (honestly, who would forget yermomsawhore as a password?).


 
  I haven't been able to achieve #3, so I compromise
  and have no console access at all, except maybe via single user.
  I really don't want security to be password-based.
  Hints?
 
  
  (This is on Linux, Solaris, NetBSD, Darwin, OpenBSD, FreeBSD;
  I've achieved #1 and #2 on all; presumably hints here only for OpenBSD.)
 
  
  Thanks,
   - Jay



Re: how to repeat messages about manual configuration

2010-10-22 Thread Bret S. Lambert
On Thu, Oct 21, 2010 at 05:27:02PM +, Jay K wrote:
 You know, installing ports/packages often gives you random manual
 configuration advice, like:
 
 
 ===  Installing jdk-1.6.0.03p9 from /usr/ports/packages/amd64/all/
 jdk-1.6.0.03p9:
 ok   
   
 --- +jdk-1.6.0.03p9 ---
 You may wish to add /usr/local/jdk-1.6.0/man to /etc/man.conf
 Use and distribution of this technology is subject to the Java Research
 License included herein.
 
 To use the Java plugin with Seamonkey or Firefox you must create
 a symbolic link (do not copy or hard link) from
 
 /usr/local/jdk-1.6.0/jre/plugin/amd64/ns7/libjavaplugin_oji.so
 
 to your local Mozilla plugins directory, which is found at
 
 ~/.mozilla/plugins/
 
 or to the shared Mozilla plugins directory, which is found at
 
 /usr/local/lib/mozilla-plugins/
 =
 
 
 1) There should be a way to repeat all these messages for all installed
 packages.
   Maybe there already is.

pkg_add arguments | tee pkg.out ??

 
 
 2) Every time one of these is printed, the command that does #1 should be
 reported, possibly both for the specific packages, and all installed
 packages, or at least for all installed packages.
 (Don't make users remember what packages are installed or how to determine
 which are installed or which had the messages.)

Really, some sort of package log file is what you're asking for, and
I'm really not seeing a way that doesn't smack of creeping Linux-itus.

 
 
 3) You may wish to add /usr/local/jdk-1.6.0/man to /etc/man.conf isn't
 descriptive enough, I think, in that, when I looked into it, I didn't know
 what edit to make so I gave up.
 It should give a command. For that matter, so should the others.
 The Python messages give you actual copy/pastable commands.
 
 
 3b) Maybe there should be a way to automate that further. But I suppose
 besides being optional, these things are also somewhat changeable by user?
 I don't know.
 The Python ones surely could be automatic, without the -f.
 (ln -sf /usr/local/bin/python26 python or such)

What if I'm developing in a split python 2.4/2.6 environment? Not saying
that you're wrong, just raising a reason why what works for you may not
be the best for everybody, or even the majority.

 
 
  - Jay



Re: CARP, no IPsec, Dell 1950 or NIC-less: boot crash, (uvm_fault)

2010-10-21 Thread Bret S. Lambert
On Thu, Oct 21, 2010 at 11:28:51AM +0200, chefren wrote:
 CARP, no IPsec, Dell 1950 or NIC-less: boot crash
 
 Our custom OpenBSD kernel crashes (uvm_fault) at boot on a Dell 1950.
 
 We've tracked down the problem:
 carpattach()
 ...
 if_creategroup(carp)
 ...
 TAILQ_INSERT_TAIL(ifg_head)
 
 silently assumes that at least 1 'if_attach_common()' call has
 happened by that point.
 
 Dell 1950 has 'bnx' NICs, which delay attach until very late in kernel
 boot (because of firmware load).
 
 The 'enc' interface hides this bug in the stock kernel on Dell 1950,
 and on computers without a NIC.
 
 Easily reproduced with a stock kernel: 'boot -c', 'disable enc'
 
 If a patch is appreciated by the maintainer, please don't hesitate to
 mail me,
 
 +++chefren
 

Is the patch something like the following?


Index: if.c
===
RCS file: /cvs/src/sys/net/if.c,v
retrieving revision 1.225
diff -u -p -r1.225 if.c
--- if.c27 Aug 2010 17:08:01 -  1.225
+++ if.c21 Oct 2010 10:44:19 -
@@ -161,7 +161,7 @@ RB_HEAD(ifaddr_items, ifaddr_item) ifadd
 RB_PROTOTYPE(ifaddr_items, ifaddr_item, ifai_entry, ifai_cmp);
 RB_GENERATE(ifaddr_items, ifaddr_item, ifai_entry, ifai_cmp);
 
-TAILQ_HEAD(, ifg_group) ifg_head;
+TAILQ_HEAD(, ifg_group) ifg_head = TAILQ_HEAD_INITIALIZER(ifg_head);
 LIST_HEAD(, if_clone) if_cloners = LIST_HEAD_INITIALIZER(if_cloners);
 int if_cloners_count;
 
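Review bot: The new static initialiser on `ifg_head` carries no explanation of why it must be valid at load time; add a one-line comment above the `TAILQ_HEAD(, ifg_group) ifg_head` line saying that `if_creategroup()` can be reached from `carpattach()` before any interface has attached, as the report describes, so that nobody later moves the initialisation back into an attach path. The form itself matches the `if_cloners` declaration on the next line, which is the right precedent.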
@@ -190,7 +190,7 @@ static int if_index = 0;
 int if_indexlim = 0;
 struct ifaddr **ifnet_addrs = NULL;
 struct ifnet **ifindex2ifnet = NULL;
-struct ifnet_head ifnet;
+struct ifnet_head ifnet = TAILQ_HEAD_INITIALIZER(ifnet);
 struct ifnet_head iftxlist = TAILQ_HEAD_INITIALIZER(iftxlist);
 struct ifnet *lo0ifp;
 
@@ -443,10 +443,6 @@ void
 if_attach_common(struct ifnet *ifp)
 {
 
-   if (if_index == 0) {
-   TAILQ_INIT(ifnet);
-   TAILQ_INIT(ifg_head);
-   }
TAILQ_INIT(ifp-if_addrlist);
ifp-if_addrhooks = malloc(sizeof(*ifp-if_addrhooks),
M_TEMP, M_NOWAIT);
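Review bot: Dropping the `if (if_index == 0)` block from `if_attach_common()` is only safe together with the two `TAILQ_HEAD_INITIALIZER` changes earlier in this diff, so the three hunks need to land as one commit and the log message should say so. Before committing, also check that nothing else in if.c treats `if_index == 0` as the signal that `ifnet` and `ifg_head` are still uninitialised, since that guard was the only runtime initialisation of both lists visible here.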



Re: FW: Force passwordcheck in login.conf

2010-10-14 Thread Bret S. Lambert
On Thu, Oct 14, 2010 at 10:16:12AM -0400, Brad Tilley wrote:
 Stuart VanZee wrote:
  For 8.5.12 see login.conf man page, look for passwordcheck.
  You will have to write (or find) a program that keeps track
  of previously used passwords.  I just stored a hash of them
  in a file and have it check to see if the new password hash
  matches any of the old 4 password hashes.
 
 I considered that as a possible solution as well, but it seems that
 approach would weaken the security of the passwords, especially if you
 just use an unsalted hash (md5 or sha1) to store them.

You could use blowfish to store them; the code already exists
in the openbsd base. Storing multiple previous passwords has
always seemed gratuitous to me, but we're not discussing technical
merits, just technical solutions to management fiats...

 
 Brad
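
A sketch of the password-history check discussed in this thread, as an added example that is not code from the thread or from OpenBSD: each old password is kept as a salted, iterated hash, so a reuse check has to re-derive the candidate against every stored salt instead of comparing hashes. PBKDF2-HMAC-SHA256 from Python's standard library stands in here for the blowfish (bcrypt) hashing suggested above; the record format, function names and sample passwords are assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional

SCHEME = "pbkdf2-sha256"  # stand-in for bcrypt; see the lead-in
ITERATIONS = 200_000      # assumption: work factor, tune for the host
KEEP = 4                  # "the old 4 password hashes" from the thread


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Return 'scheme$iterations$salt$digest', using a fresh random salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([SCHEME, str(iterations), salt.hex(), digest.hex()])


def matches(password: str, record: str) -> bool:
    """Re-derive the candidate with the record's own salt and cost."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown hash scheme: " + scheme)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_reused(password: str, history: List[str]) -> bool:
    """True if the candidate equals any remembered password.

    The list is built in full so every record is checked and the time
    taken does not reveal which history slot matched.
    """
    return any([matches(password, record) for record in history])


def remember(history: List[str], password: str, keep: int = KEEP,
             iterations: int = ITERATIONS) -> List[str]:
    """Return a new history with the password in front, oldest dropped."""
    return ([make_record(password, iterations=iterations)]
            + list(history))[:keep]


def unsalted_md5(password: str) -> str:
    """The weak form warned about above: equal passwords give equal
    hashes, so one precomputed table cracks every stored entry."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    history: List[str] = []
    # Constructed sample passwords.
    for old in ["winter2009", "spring2010", "summer2010"]:
        history = remember(history, old)
    for candidate in ["spring2010", "autumn2010"]:
        verdict = "rejected (reused)" if is_reused(candidate, history) else "accepted"
        print(candidate, "->", verdict)
```

Even with a slow salted hash, the history file is extra offline-cracking material and should be readable by root only.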



Re: Why renice not work in OpenBSD?

2010-10-11 Thread Bret S. Lambert
On Mon, Oct 11, 2010 at 12:45:39PM +0400, Dmitry-T wrote:
 11.10.10, 12:13, Claudio Jeker cje...@diehard.n-r-g.com:
 
   You try to renice I/O bound
   processes. The scheduler priority only matters when processes are CPU
   bound.
   
 Yes of course, but... all my  dd processes use CPU. 
 After run dd if=/dev/urandom of=/dev/null
 first three dd if=/dev/wd0c of=/dev/null bs=1m reduce their part of CPU and 
 run renice not recover their part of CPU.

numbers or GTFO

 
 -- 
 Dmitry Telegin



Re: Can't boot from 05-Oct-2010 snapshot's install48.iso

2010-10-08 Thread Bret S. Lambert
On Fri, Oct 08, 2010 at 06:24:23AM +0200, Dmitrij D. Czarkoff wrote:
 Nick Holland n...@holland-consulting.net wrote:
 
  On 10/07/10 18:24, Dmitrij D. Czarkoff wrote:
   Should I conclude nobody else gets this?
   
   (The story was about install48.iso from 05-Oct-2010 hanging on boot with no
   error message when encountering a misbehaving device that was simply disabled
   in august snapshots and previous releases).
 
  Well, you did kinda lead people down a very strange path, with no
  details until your FOURTH message in the thread.
 
  As for having this happen, uh...actually, I believe I have never plugged
  a CDROM drive into my netbook (first generation Acer Aspire One, looks
  like your is second generation).  hm. come to think of it, the only time
  I saw a DVD-RAM disk (on a desktop), it hung there, too.  I just assumed
  it was a bad drive (actually, the drive made noises that made me pretty
  sure it was bad, but maybe there was more...)
 
  I would recommend upgrading via other means (bsd.rd - network install,
  or copy files to local hd or USB flash drive first, whatever), and
  investigate then if the problem exists with the GENERIC kernel or if it
  is just a bsd.rd issue.
 
 Thanks for suggestion!
 
 I've downloaded the bsd.rd and booted it with the same result - booting
 process stops at the same point. The system still reacts on Num Lock.
 
 Anything else I can try?

Is it possible to disable the device in bios?

Can you disable the driver at the kernel boot prompt?

 
   
   Dmitrij D. Czarkoff czark...@gmail.com wrote:
   
   Matthew Dempsky matt...@dempsky.org wrote:
   
Some more details would be helpful.  E.g., at least a dmesg from your
working 4.7 install, and if you could transcribe at least the last few
lines of dmesg output from booting install48.iso (e.g., did it panic
or just hang?) that would go a long way.
  
   My 4.7 dmesg:
  

Re: Bandwidth consume by IP address

2010-10-02 Thread Bret S. Lambert
man pflow

On Fri, Oct 01, 2010 at 08:57:07PM -0500, Hermes Ojeda Ruiz wrote:
 Hi,
 
 I'm working with a OpenBSD firewall on embedded hardware, and the client
 want to know the bandwidth consume by IP address.
 
 I don't know if this is possible using PF, another tool or making scripts to
 get the information.
 
 I'm worried about the performance, because, some weeks ago I make a question
 in the list How distribute bandwidth by IP's, and I solved it, using a lot
 of cbq's by ip address (~150 ip address) like was recommended on the
 replies, of course, using an script to generate it. That's work, perfect,
 but generate some delays on the packets, and if I log everything it can make
 the connection useless. The firewall is running in a Soekris net5501.
 
 Sorry, if this is a fool question, and my bad english.
 
 -- 
 Hermes Ojeda Ruiz



Re: Minor nits in 4.7/001_kerberos.patch

2010-09-16 Thread Bret S. Lambert
All that, and you don't provide your own diff fixing these?

On Thu, Sep 16, 2010 at 08:41:18PM +1200, Richard Toohey wrote:
 Hi all.
 
 Patching a 4.7 box from the errata patch and noticed this:
 
 +
 +if (len  checksum_sz + et-confoundersize) {
 +   krb5_set_error_string(context, Encrypted data shorter then 
 + checksum + confunder);
 +   return KRB5_BAD_MSIZE;
 +}
 +
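Review bot: the message string passed to krb5_set_error_string in this hunk has two typos, "then" for "than" and "confunder" for "confounder". The field tested on the line above is spelled confoundersize, so the string should read "Encrypted data shorter than checksum + confounder".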
 
 That "then" should be "than" shouldn't it?
 
 Encrypted data shorter THAN x?
 
 And as I read this email again - it should be "confounder" not "confunder" in the
 message string?
 
 The member name is "confounder" not "confunder"?
 
 (Looks like both need to be fixed in three places.)
 
 Looks like still in 4.8 and beyond (if I am looking in the right place.)
 
 http://www.openbsd.org/cgi-bin/cvsweb/src/kerberosV/src/lib/krb5/crypto.c?rev=1.10.12.1;content-type=text%2Fplain
 
 And wrong in the comments ...
 
 /*
  * In the framework of kerberos, the length can never be shorter
  * then at least one blocksize.
  */
 
 "Then" should be "than".
 
 And the nits are in the code:
 
 if (len < checksum_sz + et->confoundersize) {
   krb5_set_error_string(context, "Encrypted data shorter then checksum + confunder");
   return KRB5_BAD_MSIZE;
 }
 
 Thanks.



Re: pf.conf : rdr-to IF rather than IP

2010-09-12 Thread Bret S. Lambert
Have you even tested a dup-to configuration? Or are you just trying to
run the code in your head?

On Sun, Sep 12, 2010 at 04:29:14PM +0200, Jean-Francois wrote:
 Hello,
 
 Well I am not sure dup-to is really suitable, I would like to redirect ports 
 to multiple ip as following example :
 
 match in on $ext_if proto tcp from any to any port 1050 rdr-to 192.168.1.10:50
 
 Regards
 
 On Sunday 29 August 2010 15:15:28, Bret S. Lambert wrote:
  On Sun, Aug 29, 2010 at 02:05:40PM +0200, Jean-Francois wrote:
   Hello,
   
   I would like to redirect particular ports on the sub-network, not only on
   one ip address of the subnetwork.
   
   Taking an example, I would like some software that listen to ports on
   different machines with different ip address without having to change the
   pf.conf rules each time it is needed.
  
  So...you want traffic matching certain criteria duplicated to multiple
  IP addresses on your network? Did you try to search for duplicate
  in the pf.conf man page?
  
  I'm not sure what your ultimate goal is (or how you won't have to do
  something when it is needed), but, hey; whatever lifts your luggage.
  
   Regards
   
If you can explain what you're actually trying to do, rather
than talk about how you're thinking of accomplishing it, maybe
someone can suggest a way.

On 2010-08-28, Jean-Francois jfsimon1...@gmail.com wrote:
 Good evening,
 
 Is it possible to redirect to an IF or at least an IP range such as
 following rules ?
 
 match in  on $ext_if proto tcp from any to any port 1024:32768 \
 
  rdr-to $int_if
 
 match in  on $ext_if proto tcp from any to any port 1024:32768 \
 
  rdr-to 192.168.100.0/16
 
 I am not sure it even makes sense in regard of a redirection in a
 network topology but I'll try the question, since it can help to
 understand.
 
 I am thinking the probability is very high that a redirection of
 above kind needs to copy as many times the packets as wide as the
 range of ip is.
 
 Thanks to help me to understand this point.
 
 Jean-François



Re: kernel hangs by many connections (reproducable)

2010-09-12 Thread Bret S. Lambert
On Mon, Sep 13, 2010 at 10:12:44AM +0600, Anton Maksimenkov wrote:
 2010/9/13 Henning Brauer lists-open...@bsws.de:
  hangs. 1-2 sec after start.
  --- interrupt ---
  pool_do_get(d0a10b60,0,0,0,60) at pool_do_get+0x2c2
  pool_get(d0a10b60,0,8000,0,0) at pool_get+0x54
  m_gethdr(1,1,8000,369e99,0) at m_gethdr+0x39
  to me that simply looks like you are running out of memory in mbpl
  and the pool_get is a M_WAITOK one
 
 But it not unfreezed even after minute. SSH connections dropped, com
 console didn't response (but it can be dropped into ddb, of course).

yes, because you've soaked up all the memory that's available for
handling incoming/outgoing network traffic; you've got a bunch of
processes that try to grab a limited number of resources, fail to
get all they need, and sleep while holding already-allocated mbufs,
meaning that nobody else can get them, and none of your processes
can advance.

That said, the pool_get that's failing in the re driver is set as
non-blocking, so it should fail. However, it's hard to see how
you're tickling this without seeing the source that you're running,
since we don't know how you're cornholing the network stack.

 -- 
 antonvm
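
The hold-and-wait stall described in the reply above, as an added example that is not code from the thread or from OpenBSD: a deterministic C model of a fixed-size buffer pool shared by several workers. The pool size, worker count and policy names are constructed for illustration and are not kernel identifiers.

```c
#include <stdio.h>

/* Constructed model of a fixed-size buffer pool; not OpenBSD kernel code. */
enum policy {
    WAIT_HOLDING,     /* blocking get: sleep on an empty pool, keep what you hold */
    FAIL_AND_RELEASE  /* non-blocking get: on failure give buffers back, retry later */
};

struct result {
    int finished;      /* workers that obtained every buffer they needed */
    int held_by_stuck; /* buffers still held by unfinished workers at the end */
};

#define MAX_WORKERS 64
#define MAX_ROUNDS  1000  /* guard against livelock in the retry policy */

/*
 * Each round, every unfinished worker asks the pool for one buffer.
 * A worker that reaches `need` buffers (assumed >= 1) completes its work
 * and returns all of them. The run ends when everyone has finished, when
 * a whole round passes with no state change, or at MAX_ROUNDS.
 */
struct result simulate(enum policy p, int pool_size, int nworkers, int need)
{
    int held[MAX_WORKERS] = {0};
    int done[MAX_WORKERS] = {0};
    int free_bufs = pool_size;
    struct result r = {0, 0};

    if (nworkers > MAX_WORKERS)
        nworkers = MAX_WORKERS;

    for (int round = 0; round < MAX_ROUNDS && r.finished < nworkers; round++) {
        int progress = 0;

        for (int w = 0; w < nworkers; w++) {
            if (done[w])
                continue;
            if (free_bufs > 0) {
                free_bufs--;
                held[w]++;
                progress = 1;
                if (held[w] == need) {      /* work complete: return buffers */
                    free_bufs += held[w];
                    held[w] = 0;
                    done[w] = 1;
                    r.finished++;
                }
            } else if (p == FAIL_AND_RELEASE && held[w] > 0) {
                free_bufs += held[w];       /* back off instead of sleeping */
                held[w] = 0;
                progress = 1;
            }
            /* WAIT_HOLDING on an empty pool: the worker sleeps and
             * held[w] stays allocated, so nobody else can use it. */
        }
        if (!progress)
            break;  /* every remaining worker is asleep; none can be woken */
    }

    for (int w = 0; w < nworkers; w++)
        if (!done[w])
            r.held_by_stuck += held[w];
    return r;
}

int main(void)
{
    /* Constructed numbers: 8 buffers, 4 workers, 3 buffers needed each. */
    struct result a = simulate(WAIT_HOLDING, 8, 4, 3);
    struct result b = simulate(FAIL_AND_RELEASE, 8, 4, 3);

    printf("wait-holding:     finished=%d, buffers pinned by sleepers=%d\n",
        a.finished, a.held_by_stuck);
    printf("fail-and-release: finished=%d, buffers pinned by sleepers=%d\n",
        b.finished, b.held_by_stuck);
    return 0;
}
```

With the blocking policy every worker ends up holding two of the three buffers it needs and the whole pool is pinned; with the same demand, backing off on failure lets all four finish.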



Re: automounter

2010-09-10 Thread Bret S. Lambert
On Fri, Sep 10, 2010 at 10:37:50PM +0200, Jean-Francois wrote:
 Hello,
 
 Do you have an idea where to look for an auto mounter in openbsd ? I installed
 gnome as a server for a friend and would like that his fat32 usb disks are
 auto mounted ...
 
 It might be useful to auto mount also other kind of file systems.
 
 And for esata, is it possible to mount without reboot, is this called a hot
 plug ? I heard that it's not possible yet ... is this correct ?

man hotplugd, and script like a fiend.

 
 Thanks & regards



Re: 4.8 Release and Download and

2010-09-09 Thread Bret S. Lambert
On Fri, Sep 10, 2010 at 12:58:40AM +0100, Keith wrote:
   Seeing that orders are being taken for the 4.8 release got me thinking 
 about purchasing a copy, I don't need a copy on CD so just a download 
 for my architecture would be fine. In the past I've sent a small donation 
 to the project and was wondering if there's a way that I could buy the 
 right to download the OS before the official release.

In reality, you already can; at no point is there code that's being
held out for the CD release that isn't already in cvs; grabbing
a -current snapshot from a period of time reasonably near the tree
unlock that happens each cycle should be close enough for anything
that doesn't require soothing some sort of OCD.

 
 Personally I would happily pay the same as the full CD costs and 
 probably some more to just download the OS and the project would save on 
 the production of the CD and the postage.
 
 I'd definitely pay for 802.11G, hope that it's working in this release.
 
 Keith



Re: How to find out if process runs chrooted?

2010-09-08 Thread Bret S. Lambert
On Wed, Sep 08, 2010 at 02:55:19PM +0200, Elmar Bschorer wrote:
 hi list,
 
 short question - how can i find out if a process runs chrooted?

You write a syscall to check if fdp->fd_rdir is not NULL?

 i couldn't find any hints in man chroot :-(
 
 thx, 
 Elmar



Re: System Hangs

2010-09-04 Thread Bret S. Lambert
On Sat, Sep 04, 2010 at 09:40:30AM +0200, Guillermo Bernaldo de Quiros Maraver wrote:
 I've been seeing in these last days as OpenBSD hangs (I can not use the
 mouse or the keyboard and I can not return to the console) I ask here
 because I want to know if anyone has had a similar problem and if so, as it
 has resolved.

First guess is that you're getting a kernel panic, but can't see it because
the screen isn't being updated. If at all possible, try to get a serial
connection to the machine to dump any kernel output.

 
 Thanks for all.
 Greetings.
 Guillermo Bernaldo de Quiros Maraver
 
 The Hardware is a AMD Phenom II X4 955 and have 4 GB RAM (only see 3)
 
 My dmesg output:
 
 # dmesg
 OpenBSD 4.8-current (GENERIC.MP) #384: Mon Aug 30 21:00:36 MDT 2010
 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
 real mem = 3352887296 (3197MB)
 avail mem = 3249815552 (3099MB)
 mainbus0 at root
 bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xf0700 (77 entries)
 bios0: vendor American Megatrends Inc. version 1301 date 12/18/2009
 bios0: ASUSTeK Computer INC. Crosshair III Formula
 acpi0 at bios0: rev 0
 acpi0: sleep states S0 S1 S3 S4 S5
 acpi0: tables DSDT FACP APIC MCFG OEMB HPET
 acpi0: wakeup devices PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) PCE7(S4)
 PCE9(S4) PCEA(S4) PCEB(S4) PCEC(S4) SBAZ(S4) PS2K(S4) PS2M(S4) P0PC(S4)
 UHC2(S4) UHC3(S4) UHC5(S4) UHC6(S4) UHC7(S4) UHC1(S4) USB4(S4)
 acpitimer0 at acpi0: 3579545 Hz, 32 bits
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: AMD Phenom(tm) II X4 955 Processor, 3211.41 MHz
 cpu0:
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
 H,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DN
 OW
 cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
 64b/line 16-way L2 cache
 cpu0: ITLB 32 4KB entries fully associative, 16 4MB entries fully
 associative
 cpu0: DTLB 48 4KB entries fully associative, 48 4MB entries fully
 associative
 cpu0: apic clock running at 200MHz
 cpu1 at mainbus0: apid 1 (application processor)
 cpu1: AMD Phenom(tm) II X4 955 Processor, 3210.95 MHz
 cpu1:
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
 H,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DN
 OW
 cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
 64b/line 16-way L2 cache
 cpu1: ITLB 32 4KB entries fully associative, 16 4MB entries fully
 associative
 cpu1: DTLB 48 4KB entries fully associative, 48 4MB entries fully
 associative
 cpu2 at mainbus0: apid 2 (application processor)
 cpu2: AMD Phenom(tm) II X4 955 Processor, 3210.95 MHz
 cpu2:
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
 H,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DN
 OW
 cpu2: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
 64b/line 16-way L2 cache
 cpu2: ITLB 32 4KB entries fully associative, 16 4MB entries fully
 associative
 cpu2: DTLB 48 4KB entries fully associative, 48 4MB entries fully
 associative
 cpu3 at mainbus0: apid 3 (application processor)
 cpu3: AMD Phenom(tm) II X4 955 Processor, 3210.95 MHz
 cpu3:
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
 H,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,CX16,POPCNT,NXE,MMXX,FFXSR,LONG,3DNOW2,3DN
 OW
 cpu3: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
 64b/line 16-way L2 cache
 cpu3: ITLB 32 4KB entries fully associative, 16 4MB entries fully
 associative
 cpu3: DTLB 48 4KB entries fully associative, 48 4MB entries fully
 associative
 ioapic0 at mainbus0: apid 4 pa 0xfec0, version 21, 24 pins
 acpihpet0 at acpi0: 14318180 Hz
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 4 (PCE2)
 acpiprt2 at acpi0: bus -1 (PCE3)
 acpiprt3 at acpi0: bus 3 (PCE4)
 acpiprt4 at acpi0: bus -1 (PCE5)
 acpiprt5 at acpi0: bus -1 (PCE6)
 acpiprt6 at acpi0: bus -1 (PCE7)
 acpiprt7 at acpi0: bus 2 (PCE9)
 acpiprt8 at acpi0: bus -1 (PCEA)
 acpiprt9 at acpi0: bus -1 (PCEB)
 acpiprt10 at acpi0: bus -1 (PCEC)
 acpiprt11 at acpi0: bus 1 (P0PC)
 acpicpu0 at acpi0
 acpicpu1 at acpi0
 acpicpu2 at acpi0
 acpicpu3 at acpi0
 aibs0 at acpi0
 acpibtn0 at acpi0: PWRB
 pci0 at mainbus0 bus 0
 mem address conflict 0xe000/0x2000
 pchb0 at pci0 dev 0 function 0 vendor ATI, unknown product 0x5956 rev 0x00
 ppb0 at pci0 dev 2 function 0 ATI RD790 PCIE rev 0x00
 pci1 at ppb0 bus 4
 vga1 at pci1 dev 0 function 0 ATI Radeon HD 5700 rev 0x00
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 azalia0 at pci1 dev 0 function 1 ATI Radeon HD 5700 Audio rev 0x00: apic 4
 int 19 (irq 10)
 azalia0: no supported codecs
 azalia0: initialization failure, detaching
 ppb1 at pci0 dev 4 function 0 ATI RD790 PCIE rev 0x00
 pci2 at ppb1 bus 3
 re0 at pci2 dev 0 function 0 Realtek 8168 rev 0x02: RTL8168C/8111C
 (0x3c00), 

Re: eSATA Hotplug

2010-09-04 Thread Bret S. Lambert
On Sat, Sep 04, 2010 at 10:48:46AM +0200, Gerald Holl wrote:
 On 2010-08-30 01:57, David Gwynne wrote:
  we'll happily take diffs though.
 
 Which diffs?

Although my first instinct is to immediately degenerate into an
hilarious who's on first parody, I'm just going to tell you
ones that fix shit.

 
 Gerald



Re: How MAC address is incorporated in packets

2010-08-30 Thread Bret S. Lambert
On Mon, Aug 30, 2010 at 10:07:06AM +0200, Jean-Francois wrote:
 Hi,
 
 Might you please indicate how in the construction of an IP packet the mac
 address is incorporated into it. Is the job of the OS or of the IF ? If the
 OS is responsible for it, how is it processed and is it possible to change the
 physical address in the packets sent for an address of our choice ?
 
 Thanks
 JF
 

This mailing list is not a basic networking primer. Enough of those already
exist online and in print. I advise you to seek one out, and then come back
when you realize why incorporating a MAC address into an IP packet makes
absolutely no sense whatsoever.



Re: pf.conf : rdr-to IF rather than IP

2010-08-29 Thread Bret S. Lambert
On Sun, Aug 29, 2010 at 02:05:40PM +0200, Jean-Francois wrote:
 Hello,
 
 I would like to redirect particular ports on the sub-network, not only on one
 ip address of the subnetwork.
 
 Taking an example, I would like some software that listen to ports on
 different machines with different ip address without having to change the
 pf.conf rules each time it is needed.

So...you want traffic matching certain criteria duplicated to multiple
IP addresses on your network? Did you try to search for duplicate
in the pf.conf man page?

I'm not sure what your ultimate goal is (or how you won't have to do something
when it is needed), but, hey; whatever lifts your luggage.

 
 Regards
 
  If you can explain what you're actually trying to do, rather
  than talk about how you're thinking of accomplishing it, maybe
  someone can suggest a way.
  
  On 2010-08-28, Jean-Francois jfsimon1...@gmail.com wrote:
   Good evening,
   
   Is it possible to redirect to an IF or at least an IP range such as
   following rules ?
   
   match in  on $ext_if proto tcp from any to any port 1024:32768 \
   
rdr-to $int_if
   
   match in  on $ext_if proto tcp from any to any port 1024:32768 \
   
rdr-to 192.168.100.0/16
   
   I am not sure it even makes sense in regard of a redirection in a network
   topology but I'll try the question, since it can help to understand.
   
   I am thinking the probability is very high that a redirection of above
   kind needs to copy as many times the packets as wide as the range of ip
   is.
   
   Thanks to help me to understand this point.
   
   Jean-François



Re: pf.conf : rdr-to IF rather than IP

2010-08-28 Thread Bret S. Lambert
On Sat, Aug 28, 2010 at 11:08:10PM +0200, Jean-Francois wrote:
 Good evening,
 
 Is it possible to redirect to an IF or at least an IP range such as following
 rules ?
 
 match in  on $ext_if proto tcp from any to any port 1024:32768 \
  rdr-to $int_if

Since all of the manpages use IP addresses, I'm guessing not; you're
likely to be able to get the same effect with using the IP of the
interface instead of its name. Unless you're mistaken on what
rdr-to does, as this isn't the first time someone appears to have
been under the impression that rdr-to sort of just poured the
traffic onto another network.

 
 match in  on $ext_if proto tcp from any to any port 1024:32768 \
  rdr-to 192.168.100.0/16
 

rdr-to won't do this, but dup-to may do what you're looking for; however,
it's much more likely that you need to read the section on tables in
the pf.conf man page.

 I am not sure it even makes sense in regard of a redirection in a network
 topology but I'll try the question, since it can help to understand.
 
 I am thinking the probability is very high that a redirection of above kind
 needs to copy as many times the packets as wide as the range of ip is.

Yes, hence the duplicate root for dup-to.

 
 Thanks to help me to understand this point.
 
 Jean-François



Re: Checking Routes/Gateways For Good Connection

2010-08-28 Thread Bret S. Lambert
On Sat, Aug 28, 2010 at 09:50:30PM -0500, dontek wrote:
 This is even more strange to me.  If I change rule 39 and 40 by taking out
 the on interface to the following:
 
 PF Rules: (rule number prepended, these are the _last_ 6 lines in my
 pf.conf)
 
 39: pass out quick log from 172.16.0.1 route-to (em0 192.168.0.1)
 40: pass out quick log from 172.16.1.1 route-to (em1 10.10.0.1)
 41: pass out log on em0
 42: pass out log on em1
 43: pass out log on em0 from em1 route-to (em1 10.10.0.1)
 44: pass out log on em1 from em0 route-to (em0 192.168.0.1)
 
 
 Tests:
 
 $ traceroute -s 172.16.0.1 -n google.com
 
 
 Tcpdump pflog0 output:
 
 Aug 28 21:41:11.215660 rule 40/(match) pass out on em0: 172.16. 1.1.63306 
 74.125.45.147.33449: udp 12
 Aug 28 21:41:11.225656 rule 39/(match) pass out on em1: 172.16.0.1.48096 
 74.125.45.147.33449: udp 12
 
 
 Now these packets are being caught by my rule 39 and 40, but it appears the
 route-to is just being ignored.  Am I reading the tcpdump output wrong?  I
 just don't get it..?
 

from pf.conf:

   When a route-to rule
   creates state, only packets that pass in the same direction as the
   filter rule specifies will be routed in this way.  Packets passing
   in the opposite direction (replies) are not affected and are routed
   normally.



Re: cardbus on sparc64

2010-08-25 Thread Bret S. Lambert
On Wed, Aug 25, 2010 at 08:12:34PM +0200, Pete Vickers wrote:
 I have a SunBlade100 running 4.7RELEASE which I stuck a PCI/Cardbus adapter
 in; and it appears to be recognised in dmesg:
 
 . . .
 cbb0 at pci1 dev 2 function 0 Ricoh 5C475 CardBus rev 0x80: ivec 0x7d5
 cardslot0 at cbb0 slot 0 flags 0
 cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0x20
 pcmcia0 at cardslot0
 . . .
 
 (full dmesg at foot)
 
 
 However whenever I insert a card into the adapter the machine panics. The same
 happens if I insert the card before boot, whereupon it panics midway through
 booting. I have tried various WLAN and GPRS cards.
 
 Before I go collecting ddb trace/ps is this the expected behaviour ( e.g. a
 known endian issue or suchlike) ?

I'm gonna say not.

Trace/ps would give me something to do while I ignore packing my apartment.

 
 BTW, I notice that PR3871 addressed the adapter itself (at least in i386).
 
 
 
 /Pete
 
 
 
 full dmesg:
 
 console is keyboard/display
 Copyright (c) 1982, 1986, 1989, 1991, 1993
   The Regents of the University of California.  All rights reserved.
 Copyright (c) 1995-2010 OpenBSD. All rights reserved.  http://www.OpenBSD.org
 
 OpenBSD 4.7 (GENERIC) #258: Wed Mar 17 23:40:34 MDT 2010
dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
 real mem = 805306368 (768MB)
 avail mem = 767369216 (731MB)
 mainbus0 at root: Sun Blade 100 (UltraSPARC-IIe)
 cpu0 at mainbus0: SUNW,UltraSPARC-IIe (rev 1.4) @ 502 MHz
 cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K external (64
 b/l)
 psycho0 at mainbus0: pci108e,a001, impl 0, version 0, ign 7c0
 psycho0: bus range 0-1, PCI bus 0
 psycho0: dvma map c000-dfff
 pci0 at psycho0
 ebus0 at pci0 dev 12 function 0 Sun RIO EBus rev 0x01
 flashprom at ebus0 addr 0-f not configured
 clock1 at ebus0 addr 0-1fff: mk48t59
 ebus1 at pci0 dev 7 function 0 Acer Labs M1533 ISA rev 0x00
 dma at ebus1 addr 0- ivec 0x2a not configured
 power0 at ebus1 addr 800-82f ivec 0x20
 com0 at ebus1 addr 3f8-3ff ivec 0x2b: ns16550a, 16 byte fifo
 com1 at ebus1 addr 2e8-2ef ivec 0x2b: ns16550a, 16 byte fifo
 gem0 at pci0 dev 12 function 1 Sun ERI Ether rev 0x01: ivec 0x7c6, address
 00:03:ba:08:46:e8
 ukphy0 at gem0 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI
 0x0010dd, model 0x0002
 Sun FireWire rev 0x01 at pci0 dev 12 function 2 not configured
 ohci0 at pci0 dev 12 function 3 Sun USB rev 0x01: ivec 0x7e4, version 1.0,
 legacy support
 alipm0 at pci0 dev 3 function 0 Acer Labs M7101 Power rev 0x00: 223KHz
 clock
 iic0 at alipm0
 max1617 at alipm0 addr 0x18 skipped due to alipm0 bugs
 scm001 at alipm0 addr 0x20 skipped due to alipm0 bugs
 spdmem0 at iic0 addr 0x50: 256MB SDRAM ECC PC133CL2
 spdmem1 at iic0 addr 0x51: 256MB SDRAM ECC PC133CL2
 spdmem2 at iic0 addr 0x52: 256MB SDRAM ECC PC133CL2
 autri0 at pci0 dev 8 function 0 Acer Labs M5451 Audio rev 0x01: ivec 0x7e3
 ac97: codec id 0x41445348 (Analog Devices AD1881A)
 ac97: codec features headphone, Analog Devices Phat Stereo
 audio0 at autri0
 midi0 at autri0: 4DWAVE MIDI UART
 pciide0 at pci0 dev 13 function 0 Acer Labs M5229 UDMA IDE rev 0xc3: DMA,
 channel 0 configured to native-PCI, channel 1 configured to native-PCI
 pciide0: using ivec 0x7cc for native-PCI interrupt
 wd0 at pciide0 channel 0 drive 0: WDC WD200BB-60DGA0
 wd0: 16-sector PIO, LBA, 9541MB, 19541088 sectors
 atapiscsi0 at pciide0 channel 0 drive 1
 scsibus0 at atapiscsi0: 2 targets
 cd0 at scsibus0 targ 0 lun 0: ATAPI, DVD A DH20A4H, QP59 ATAPI 5/cdrom
 removable
 wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
 cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 4
 pciide0: channel 1 disabled (no drives)
 ppb0 at pci0 dev 5 function 0 DEC 21152 PCI-PCI rev 0x03
 pci1 at ppb0 bus 1
 ral0 at pci1 dev 1 function 0 Ralink RT2560 rev 0x01: ivec 0x7ca, address
 00:11:50:a8:c8:a2
 ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
 cbb0 at pci1 dev 2 function 0 Ricoh 5C475 CardBus rev 0x80: ivec 0x7d5
 cardslot0 at cbb0 slot 0 flags 0
 cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0x20
 pcmcia0 at cardslot0
 machfb0 at pci0 dev 19 function 0 ATI Rage XL rev 0x27
 machfb0: ATY,RageXL, 1280x1024
 wsdisplay0 at machfb0 mux 1: console (std, sun emulation)
 usb0 at ohci0: USB revision 1.0
 uhub0 at usb0 Sun OHCI root hub rev 1.00/1.00 addr 1
 uhidev0 at uhub0 port 2 configuration 1 interface 0 Sun Microsystems Type 6
 Keyboard rev 1.00/1.01 addr 2
 uhidev0: iclass 3/1
 ukbd0 at uhidev0: 8 modifier keys, 6 key codes, country code 19
 wskbd0 at ukbd0: console keyboard, using wsdisplay0
 uhidev1 at uhub0 port 4 configuration 1 interface 0 Sun Microsystems Type 6
 Mouse rev 1.00/1.02 addr 3
 uhidev1: iclass 3/1
 ums0 at uhidev1: 3 buttons
 wsmouse0 at ums0 mux 0
 vscsi0 at root
 scsibus1 at vscsi0: 256 targets
 softraid0 at root
 bootpath: /p...@1f,0/i...@d,0/d...@0,0
 root on wd0a swap on wd0b dump on wd0b



Re: Pragmatics of Following current

2010-08-19 Thread Bret S. Lambert
On Thu, Aug 19, 2010 at 12:02:11PM -0400, Luis Useche wrote:
 Hi Guys,
 
 I have been meaning to follow current for a couple of weeks now. I read the
 Building Sources page and it seems like I should follow the process of:
 cvs up src xenocara ports - compile - install, where install includes
 merging of configuration files. Moreover, I should also keep an eye on the
 Following -current webpage for any change I should make. This looks like a
 lot of work every time you run cvs up (mainly the compilation of ports and
 merging of conf files).
 
 I was wondering how do you usually work on current and if you all follow
 this process through-fully. If not, what kind of tricks do you use to make
 the process easier.
 
 For now, I am using snapshots with binary packages.

Quite honestly, that's more useful, as snapshots

a) are generally close enough to -current that you're more or less
   running -current anyway; and

b) sometimes contain diffs which haven't made -current but need testing,
   which means that you're actually running a more -current -current at times

 
 Thanks in advance,

You're welcome...from *the future*

- Bert

 Luis.



Re: [OT] securely sharing documents on OpenBSD?

2010-08-17 Thread Bret S. Lambert
On Tue, Aug 17, 2010 at 02:19:07PM +0200, Jiri B. wrote:
 what's up with vpn and samba?

And what's the deal with airline food?!

/seinfeld

 
 jirib



Re: undeadly article

2010-08-17 Thread Bret S. Lambert
On Tue, Aug 17, 2010 at 01:50:55PM -0400, Mike Erdely wrote:
 On Tue, Aug 17, 2010 at 07:30:55PM +0300, Paul Irofti wrote:
  jcr, please forgive my fellow romanian as us gypsies don't get to travel
  much and don't know the mysteries of these flying birds and their inner
  workings.
 
 Gypsies who don't travel, eh?

They just make your shit theirs with the power of their *mind*

 
 -ME



Re: Smtpd use

2010-08-17 Thread Bret S. Lambert
On Tue, Aug 17, 2010 at 11:24:37PM +0400, open...@e-solutions.re wrote:
 Hi,
 Today, i tried to build a mailserver for one domain : totoxx.org
 Here my smtpd.conf :
 
 listen on lo0
 listen on em0
 hostname puffymail.my.domain
 map aliases { source db /etc/mail/aliases.db }
 map virtual { source db /etc/mail/virtual.db }
 accept for local deliver to mbox
 accept from all for domain totoxx.org deliver to box
 
 I ve a user : contact on the box.
 
 And here my virtual file :
 cont...@totoxx.org:   contact
 
 I can receive mails. It works good.
 But how can i send mail? i need to use sendmail? How can i modify my
 configuration to send emails ?
 Thanks for your advices.
 

The magic word is relay, IIRC.



Re: Smtpd use

2010-08-17 Thread Bret S. Lambert
On Tue, Aug 17, 2010 at 11:55:43PM +0400, open...@e-solutions.re wrote:
 On Tue, 17 Aug 2010 21:34:56 +0200, Bret S. Lambert
  The magic word is relay, IIRC.
 
 add accept for all relay to the end of my smtpd.conf ?

$ man smtpd.conf | grep "accept for all relay"
   accept for all relay via smtp.gmail.com tls enable auth
   accept for all relay
$ 

Sure. Why not.



Re: Smtpd use

2010-08-17 Thread Bret S. Lambert
On Wed, Aug 18, 2010 at 12:09:31AM +0400, open...@e-solutions.re wrote:
 On Tue, 17 Aug 2010 21:57:03 +0200, Bret S. Lambert
  $ man smtpd.conf | grep "accept for all relay"
 accept for all relay via smtp.gmail.com tls enable auth
 accept for all relay
  $ 
  
  Sure. Why not.
 
 Not what i want to do...
 I wish to be able to receive mail for cont...@totoxx.org, it works fine.
 But i wish also to send email using cont...@totoxx.org
 
 Actually on my OpenBSD Mailserver, i can only receive emails, but how can
 i send emails using the same box without a relay ?

I'm assuming you mean you don't want an open mail relay. That's really up to
you (and we're rapidly reaching the end of how deep I can reach into my ass
for the purposes of pulling things out...);

The following is incorrect, but was far too amusing not to share:

accept from pimp.dat.ho relay to yermom.likes.it


check out what options you have in the realm of accept from $foo,
is where I would go with it.

 Need an other MTA ? Smtpd not a good choice to build what i want ?



Re: Disable Relayd's error message

2010-08-13 Thread Bret S. Lambert
On Fri, Aug 13, 2010 at 03:41:08PM +0100, Keith wrote:
 I just realized that if I telnet to our web servers on port 80 and
 press enter a few times that I get a reply back from relayd that I
 didn't expect <address>OpenBSD relayd at 127.0.0.1 port
 8080</address> This error is correct as we use a PF rdr rule to
 redirect traffic on our firewall to localhost port 8080 where we
 have relayd listening. I was wondering if it's possible to stop this
 error from being displayed as I would prefer not to disclose to the
 world what software we use.
 
 I've had a look at our  relayd.conf  to see if there is a return
 error line but there isn't and I can't see any other way of
 stopping this error from being displayed. Does anyone have any
 suggestions ?

Yes; the function you're looking for is relay_close_http(), in relay.c

You'll also have to hack the support for setting the string in parse.y

Of course, you could just redefine RELAYD_SERVERNAME in relayd.h, but
that's cheating :)

 
 Thanks
 Keith
 
 HTTP/1.x 406 Not Acceptable
 Date: Fri Aug 13 15:20:18 2010
 Server: OpenBSD relayd
 Connection: close
 Content-Type: text/html
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
 <title>406 Not Acceptable</title>
 <style type="text/css"><!--  body { background-color:#a0; color:
 white; }--></style>
 </head>
 <body>
 <h1>Not Acceptable</h1>
 <div id='m'>no method</div>
 <div id='l'></div>
 <hr><address>OpenBSD relayd at 127.0.0.1 port 8080</address>
 </body>
 </html>



Re: MTA choice

2010-08-13 Thread Bret S. Lambert
Real hackers do their email with awk and nc.



Re: Web hosting, restrict user to access only his folder

2010-08-13 Thread Bret S. Lambert
On Sat, Aug 14, 2010 at 12:04:56AM +0400, open...@e-solutions.re wrote:
 Hi,
 
 I installed OpenBSD 4.7 for web hosting (test).
 So i have 3 websites for 3 users (1 site per user) : 
 www.first.xx (user : firstxx)
 www.2nd.xx (user : 2ndxx)
 www.third.xx (user : thirdxx)
 
 All web pages are stored in /var/www/domains/
 So in /var/www/domains we have 3 folders :
 www.first.xx folder (owner : firstxx ; chmod 755)
 www.2nd.xx folder (owner : 2ndxx ; chmod 755)
 www.third.xx folder (owner : thirdxx ; chmod 755)
 
 i used ftpd (-4Dln) for users to upload their website(with /etc/ftpchroot
 configured).
 My problem, user can see content of others.
 For example, 2ndxx can update his folder but he can see also the content of
 firstxx folder.
 How can i restrict that ?

Somewhere between the monitor_init and yyparse calls in ftpd.c

 thanks.



Re: cwm: don't warp to ignored windows

2010-08-09 Thread Bret S. Lambert
On Mon, Aug 09, 2010 at 09:28:40PM +0200, Christian Neukirchen wrote:
 Hi,
 
 cwm currently warps to all newly mapped windows.  I think it would be
 nice to not warp to windows marked as ignore in .cwmrc, so popping
 windows you are not interested in don't disturb you.

I think your mailer ate your patch.

 
 Thanks,
 -- 
 Christian Neukirchen  chneukirc...@gmail.com  http://chneukirchen.org



Re: developing openbsd?

2010-08-08 Thread Bret S. Lambert
On Sun, Aug 08, 2010 at 08:23:03AM +, Jay K wrote:
 I've looked all over www.openbsd.org.
 Any sort of guide/projects for new wannabe developers?
  (not new to programming)

man style

 Just the bug list?

That's a good start, probably.

 Fix something & send diffs?

As mentioned on these lists multiple times over the years,
yes, that's what you should start doing.

 
  - Jay



Re: Anyone playing with Active Protection System (hdaps) here ?

2010-08-07 Thread Bret S. Lambert
On Sat, Aug 07, 2010 at 03:11:01PM +0800, Aaron Lewis wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Hi,
   Mon Laptop has a device aps0 , and hdapsd works fine on Gentoo Box , i'm
 wondering how should i activate it on OpenBSD ?
 
   /etc/rc.conf doesn't have anything related ..
 
   Many thanks.

from man aps:

SEE ALSO
 isa(4), sensorsd(8), sysctl(8)

That's your money reading, right there.

$ sysctl | grep -c aps
9

and that's where you pull the values to stick into sensorsd.conf

 
 - -- 
 Best Regards,
 Aaron Lewis - PGP: 0x4A6D32A0
 FingerPrint EA63 26B2 6C52 72EA A4A5 EB6B BDFE 35B0 4A6D 32A0
 irc: A4R0NL3WI5 on freenode
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
 iEYEARECAAYFAkxdBwUACgkQvf41sEptMqBbbQCgioVJ9ft6tUT+ELCLNSMPuaMh
 b0cAnA6xj5p0i9fR7eR0DphJ8Oc2B9Eh
 =IWgd
 -END PGP SIGNATURE-



Re: Anyone playing with Active Protection System (hdaps) here ?

2010-08-07 Thread Bret S. Lambert
On Sat, Aug 07, 2010 at 06:07:56PM +0800, aaron lewis wrote:
  from man aps:
 
  SEE ALSO
  isa(4), sensorsd(8), sysctl(8)
 
  That's your money reading, right there.
 
  $ sysctl | grep -c aps
  9
 
 
 Well , Thanks Bret , can you get me more instructions please ?

Yes: get familiar with man(1) and experimentation.

And thus is my reputation for being an unhelpful prick upheld!

 
 I think i should put a limit via sysctl  , right ?
 
 -- 
 Best Regards,
 Aaron Lewis - PGP: 0x4A6D32A0
 FingerPrint EA63 26B2 6C52 72EA A4A5 EB6B BDFE 35B0 4A6D 32A0
 irc: A4r0n on freenode



Re: Secret key in the packet filter.

2010-07-13 Thread Bret S. Lambert
On Tue, Jul 13, 2010 at 06:18:12PM +0400, jackwssp q wrote:
 Hello brothers and sisters,

Backatcha!

 
 Who knows anything about the secret keys in the packet filter(pf), such as
 way only for developers.

Secret...huh? Who're we talkin about?

 
 Is it real in the open source, and how can I realize it in my own firewall
 with open source?

*headasplode*

 
 -- 
 with best respect



Re: OpenBSD : FFS : Large Directories : Small files

2010-07-11 Thread Bret S. Lambert
On Sun, Jul 11, 2010 at 08:05:59PM +0200, Mayuresh Kathe wrote:
 On Sun 11/07/10 23:05, Ted Unangst ted.unan...@gmail.com wrote:
  On Sun, Jul 11, 2010 at 4:22 AM, Mayuresh Kathe mayur...@ka
  the.in wrote:
  Hello, may I know of limitations on supporting large
  directories (over 5
  million files) with small files
   (less than 10 KB) under FFS/FFS2?
   This is for a research project under AMD x86 with
  SATA Disk[s].
  It wouldn't be much of a research project if we told you the answer, would
  it?
  Step 4 of the scientific method:  Perform experiments.
 
 The project is to do with large number of files stored in a directory, but
 definitely not about
 finding out whether OpenBSD would be in a position to handle that.
 The answer is vital to allow me usage of OpenBSD, else I will probably have to
 move over to some
 commercial Unix, hope you can help. :)
 
 
 The project is research, not finding out whether the research wouldn't yield
 results because the
 filesystem couldn't handle management of 5 million small files. :-)
 

man newfs gives the following tantalizing hints:

 -b block-size
 The block size of the file system, in bytes.  If a disklabel
 is available, the default is read from it.  Otherwise the
 default is 16 KB or eight times the fragment size, whichever
 is smaller.

 -i bytesThis specifies the density of inodes in the file system.  The
 default is to create an inode for each 8192 bytes of data
 space.  If fewer inodes are desired, a larger number should
 be used; to create more inodes a smaller number should be
 given.

the rest is left as an exercise to the reader



Re: PTY allocation error

2010-07-11 Thread Bret S. Lambert
The reasons that a read-only CF card is irrelevant for any reasonably
modern CF card have been discussed to death on this list; save yourself
the headache and just do a normal install.

On Sun, Jul 11, 2010 at 04:31:20PM -0700, Peter Bako wrote:
 I'm setting up (well, trying to I guess :-) ) a read-only OpenBSD system to
 run off a small CF card.  Never having done this before, I found an
 excellent article written by Daniele Mazzocchio
 (http://www.kernel-panic.it/openbsd/embedded/) to use as my guide.  I had a
 few minor issues crop up, but have been able to work my way through them.
 However I finally got to one that I am stumped with.
 
 Basically once I boot of my new image, I am able to log into it on the
 serial console and things look ok.  I can also ping the IP address of the
 unit, but when I try to SSH into it I get the following message: 
 
   Server refused to allocate pty
 
 I've checked over my setup and all seems fine as per the instructions.  I
 have all the pty* devices from /dev (which is RO) linked to /var/run/dev
 (which is in memory), so the problem cannot be that these devices are not
 writeable.  (Actually /var is linked to /tmp/var, where the /tmp directory
 is in memory and populated by the image from a directory called /template.)
 
 Unfortunately this goes a bit beyond my current skill set, so if anyone has
 any suggestions I really would appreciate the help.
 
 BTW, in case it matters.  I'm using OpenBSD 4.6 as both the host on which I
 setup the image and OS on the CF card.  The card in question is a 64M
 SanDisk CF and is being plugged into a Soekris Net4801 box.  None of these
 should make a difference, but you never know... :-)
 
 Thanks,
 Peter



Re: Ospfd -- Default config produces syntax error

2010-07-07 Thread Bret S. Lambert
On Wed, Jul 07, 2010 at 01:08:02PM -0700, Andrew Klettke wrote:
 All,
 
 A fresh install of OpenBSD 4.7 includes the default ospfd.conf (here
 are just the first 11 lines):
 
 # $OpenBSD: ospfd.conf,v 1.4 2007/06/19 16:49:56 reyk Exp $
 
 # macros
 password=secret
 
 # global configuration
 # router-id 10.0.0.1
 # fib-update no
 # stub router no
 # spf-delay 1
 # spf-holdtime 5
 
 If you uncomment out the fib-update no line, and have Ospfd
 perform a syntax check of the file...
 
 $ sudo ospfd -nf /etc/ospfd.conf
 WARNING: IP forwarding NOT enabled, running as stub router
 /etc/ospfd.conf:8: syntax error

I'd bet dollars to donuts that you've not set net.inet.ip.forwarding to 1,
as you should've. If I'm right, please mail me my dollar to The OpenBSD
Foundation. If I'm wrong, please feel free to purchase a donut.

 
 Why does uncommenting a line in the default configuration throw a
 syntax error? Under 4.7, Ospfd will ALWAYS update the FIB, as you
 cannot tell it not to.
 
 Surely, this is a bug.
 
 -- 
 Thanks,
 
 Andrew Klettke
 Optic Fusion NOC
 253-830-2943



Re: OpenBSD OpenSSL Lib

2010-07-06 Thread Bret S. Lambert
On Tue, Jul 06, 2010 at 01:21:49PM +0100, Keith wrote:
 We are trying to install URLfilterDB on OpenBSD 4.7 but while doing
 a ./configure we keep getting.
 
 ./configure --with-bz2-lib=/usr/local/lib --with-ssl-lib=/usr/lib/
 
 
 checking for library containing pthread_create... -lpthread
 checking for BZ2_bzBuffToBuffCompress in -lbz2... yes
 checking for SSL_load_error_strings in -lssl... no
 
 ** The OpenSSL library is required for ufdbGuard to compile.
Install the openssl and openssl-devel packages from the
 installation media,
or use the --with-ssl-lib option.
 
Alternatively, get OpenSSL from http://www.openssl.org
Use --with-ssl=DIR or --with-ssl-lib=DIR to specify
its location. (default is /usr)
 
 
 We have downloaded and installed OpenSSL and have tried various

OpenSSL is installed in the default OpenBSD release.

Further:

$ cd /usr/src/lib/libssl && grep -R SSL_load_error_strings * | wc -l
  42
$ ls /usr/lib/*ssl* | wc -l
   8

I'm going to go out on a limb and assume that the config script
is borked; I'd double-check the script itself, as well as the
include path.

 paths to the ssl library but because we don't know what the files
 actually called we don't know if we are setting it correctly. Does
 anyone know exactly what the library would be called and where it
 should be or maybe just give us a clue as to how to find out.
 
 Thanks
 Keith



Re: matching escape string , doesn't work ?

2010-07-05 Thread Bret S. Lambert
On Mon, Jul 05, 2010 at 06:35:01PM +0800, Aaron Lewis wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Hi,
   echo %A3 | sed 's/(%[0-9A-Z]{2})//g'
 
   I'd like %A3 like string to be removed , what's wrong with my script ?
 

According to the sed manpage, it doesn't use {} in this way; you seem
to be using the wrong syntax (although sed veterans can likely give a
more thorough answer).

try sed 's/%[0-9A-Z][0-9A-Z]//g' (minus any typos/thinkos on my part)

   Thanks.
 
 
 - -- 
 Best Regards,
 Aaron Lewis - PGP: 0x4A6D32A0
 FingerPrint EA63 26B2 6C52 72EA A4A5 EB6B BDFE 35B0 4A6D 32A0
 irc: A4r0n on freenode
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
 iEYEARECAAYFAkwxtVUACgkQvf41sEptMqBg9ACgmtDhFkoY14LS+oyRhDmdAcaw
 6yAAoJvE0PW+UyayxG6+ZQtPABULpKkn
 =L8MU
 -END PGP SIGNATURE-
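
Added example, not part of the original thread: the posted pattern run under sed's default basic-regex rules and under extended rules, next to the escaped-interval form. The sample string is constructed, and strip_ere assumes a sed that accepts -E.

```shell
#!/bin/sh
# Added example, not from the thread. The sample string is constructed.

# The pattern exactly as posted. sed reads it as a basic regular expression
# (BRE), where unescaped ( ) { } are ordinary characters, so it only matches
# literal text of the form "(%X{2})".
strip_as_posted() {
    printf '%s\n' "$1" | LC_ALL=C sed 's/(%[0-9A-Z]{2})//g'
}

# BRE with the interval escaped as \{2\}; matches the same text as the
# [0-9A-Z][0-9A-Z] form suggested in the reply.
strip_bre() {
    printf '%s\n' "$1" | LC_ALL=C sed 's/%[0-9A-Z]\{2\}//g'
}

# The posted pattern unchanged, but parsed as an extended regular expression.
# Assumption: this sed accepts -E.
strip_ere() {
    printf '%s\n' "$1" | LC_ALL=C sed -E 's/(%[0-9A-Z]{2})//g'
}

# Goes beyond the thread: accept only real hex digits, in either case, so
# "%ZZ" is left alone and "%7e" is removed.
strip_hex() {
    printf '%s\n' "$1" | LC_ALL=C sed 's/%[0-9A-Fa-f]\{2\}//g'
}

# Constructed input: one uppercase escape, the literal text the posted BRE
# really matches, a non-hex pair and a lowercase escape.
sample='a%A3b(%A{2})c%ZZd%7e'
for f in strip_as_posted strip_bre strip_ere strip_hex; do
    printf '%-16s %s\n' "$f" "$("$f" "$sample")"
done
```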



Re: mt_soname mbufs keep increasing steadily, where can I look?

2010-07-03 Thread Bret S. Lambert
On Fri, Jul 02, 2010 at 10:14:37PM +0200, Jurjen Oskam wrote:
 Hi everyone,
 
 I still haven't upgraded to 4.7 yet (I will do soon), so I'm still on 4.6.
 On my home server, I run symon and syweb to monitor several stats about my
 machine. I noticed that since about 3-4 months ago, the mbuf usage started
 to increase and never decrease. The mbuf type responsible for this is
 mt_soname. The other thing is that this machine just sometimes reboots, out
 of nowhere. This may or not be connected to the mbufs.
 
 This sudden increase in mt_soname mbuf coincides with my replacing an
 external ADSL modem with an internal one (a Traverse PCI card, appearing as

This would appear to indicate a driver error, if it coincided with
replacing hardware; the place to start looking would be the relevant
driver (re, in this case, according to ``man -k 8139C'')

Banan.


 an RTL8139C+ to the system). The type of DSL connection changed as well, I
 now use dhclient to get an IP address.
 
 Can I investigate where these mbufs are used? As I said, I'll upgrade to
 4.7 soon, so I primarily see this as a learning opportunity for me.
 
 Thanks,
 
 
 176 mbufs in use:
 130 mbufs allocated to data
 4 mbufs allocated to packet headers
 42 mbufs allocated to socket names and addresses
 129/196/6144 mbuf 2048 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
 764 Kbytes allocated to network (39% in use)
 0 requests for memory denied
 0 requests for memory delayed
 0 calls to protocol drain routines
 
 
 OpenBSD 4.6-stable (GENERIC.MP) #1: Mon Apr  5 13:05:43 CEST 2010
 r...@calvin.stupendous.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
 real mem = 2145910784 (2046MB)
 avail mem = 2071273472 (1975MB)
 mainbus0 at root
 bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xf06c0 (56 entries)
 bios0: vendor American Megatrends Inc. version 0403 date 09/02/2008
 bios0: ASUSTeK Computer INC. P5BV-C
 acpi0 at bios0: rev 0
 acpi0: tables DSDT FACP APIC MCFG OEMB HPET EINJ BERT ERST HEST
 acpi0: wakeup devices P0P2(S4) P0P3(S4) P0P1(S4) PS2K(S4) PS2M(S4) UAR1(S4) 
 UAR2(S4) USB0(S4) USB1(S4) USB2(S4) USB3(S4) EUSB(S4) MC97(S4) P0P4(S4) 
 P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4) SLPB(S4)
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: Intel(R) Core(TM)2 Quad CPU Q8300 @ 2.50GHz, 2500.04 MHz
 cpu0: 
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CX16,xTPR,NXE,LONG
 cpu0: 2MB 64b/line 8-way L2 cache
 cpu0: apic clock running at 333MHz
 cpu1 at mainbus0: apid 1 (application processor)
 cpu1: Intel(R) Core(TM)2 Quad CPU Q8300 @ 2.50GHz, 2499.72 MHz
 cpu1: 
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CX16,xTPR,NXE,LONG
 cpu1: 2MB 64b/line 8-way L2 cache
 cpu2 at mainbus0: apid 2 (application processor)
 cpu2: Intel(R) Core(TM)2 Quad CPU Q8300 @ 2.50GHz, 2499.72 MHz
 cpu2: 
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CX16,xTPR,NXE,LONG
 cpu2: 2MB 64b/line 8-way L2 cache
 cpu3 at mainbus0: apid 3 (application processor)
 cpu3: Intel(R) Core(TM)2 Quad CPU Q8300 @ 2.50GHz, 2499.72 MHz
 cpu3: 
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CX16,xTPR,NXE,LONG
 cpu3: 2MB 64b/line 8-way L2 cache
 ioapic0 at mainbus0 apid 4 pa 0xfec0, version 20, 24 pins
 acpihpet0 at acpi0: 14318179 Hz
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 5 (P0P2)
 acpiprt2 at acpi0: bus -1 (P0P3)
 acpiprt3 at acpi0: bus 1 (P0P1)
 acpiprt4 at acpi0: bus 4 (P0P4)
 acpiprt5 at acpi0: bus -1 (P0P5)
 acpiprt6 at acpi0: bus -1 (P0P6)
 acpiprt7 at acpi0: bus -1 (P0P7)
 acpiprt8 at acpi0: bus 3 (P0P8)
 acpiprt9 at acpi0: bus 2 (P0P9)
 acpicpu0 at acpi0: PSS
 acpicpu1 at acpi0: PSS
 acpicpu2 at acpi0: PSS
 acpicpu3 at acpi0: PSS
 acpibtn0 at acpi0: SLPB
 acpibtn1 at acpi0: PWRB
 cpu0: Enhanced SpeedStep 2499 MHz: speeds: 2497, 1998 MHz
 pci0 at mainbus0 bus 0
 pchb0 at pci0 dev 0 function 0 Intel 3200/3210 Host rev 0x01
 ppb0 at pci0 dev 1 function 0 Intel 3200/3210 PCIE rev 0x01: apic 4 int 16 
 (irq 11)
 pci1 at ppb0 bus 5
 ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01: apic 4 int 16 
 (irq 11)
 pci2 at ppb1 bus 4
 mpi0 at pci2 dev 0 function 0 Symbios Logic SAS1064E rev 0x08: apic 4 int 
 16 (irq 11)
 

Re: Donation issues with OpenBSD???

2010-07-02 Thread Bret S. Lambert
On Sat, Jul 03, 2010 at 10:21:00AM +0800, Brent Shumacher wrote:
 http://www.trollaxor.com/2010/06/why-i-almost-gave-openbsd-10-didnt.html
 

You're a douchebag:

http://www.trollaxor.com/2001/06/another-apology.html



Re: Patch for mtree (the -X flag)

2010-06-30 Thread Bret S. Lambert
On Wed, Jun 30, 2010 at 12:51:17PM +0300, Teemu Rinta-aho wrote:
 Hi all,
 
 I need the -X flag for mtree on OpenBSD to exclude certain paths.
 So, I ported the functionality from NetBSD. Seems to work for me.
 
 I was just thinking, whether anyone else cares about such patch, and
 what is the process if I want to propose some new (/ported) code
 to OpenBSD.

The standard way of doing so is to mail the patch (inline) to tech@

 
 Or, should I create an optional package (mtreex?), or, should
 I just keep this to myself?

That would be bizarre.

 
 BR,
 Teemu



Re: Phoronix Test Suite

2010-06-23 Thread Bret S. Lambert
 I agree, but you should admit that OpenBSD is clearly a loser in
 regard to pure performances (e.g. I/O, compression, encryption,
 etc.)

Yes, if my goal is to have ZOMG AWEZUMZ benchmarks, clearly OpenBSD
is a douchebag.

But if I want a system that doesn't make me want to initiate a mass-
casualty event, I'm afraid it's a clear winner.


For those unable to read between the lines of the above:

Internet troll is, once again, on the Internet



Re: Phoronix Test Suite

2010-06-23 Thread Bret S. Lambert
 OpenBSD pleases me every day, Linux annoys me half the time.

The number of mass casualty events avoided is the true metric
by which operating systems should be measured.



Re: Launching bgpd restricted control socket without terminating bgpd ?

2010-06-23 Thread Bret S. Lambert
On Wed, Jun 23, 2010 at 09:09:02PM +0100, rh...@hushmail.com wrote:
 Hi,
 
 Is it possible to launch the second restricted control socket 
 without having to pkill bgpd first ?
 
 I tried running bgpd -r without pkill first and that did not have 
 the desired effect, it simply tried to relaunch conections to any 
 configured peers rather than simply start up the second socket !
 

Yes, because you're invoking a second instance of the daemon. All else
flows from that; my quick inspection of the bgpctl man page doesn't
seem to indicate that you can fire up the restricted socket during runtime.

Magic 8 ball says the judicious use of pkill and bgpd_flags=-r /path/to/foo
is in your future.



Re: OpenBSD sends RSTs for gratuitous traffic

2010-06-16 Thread Bret S. Lambert
On Wed, Jun 16, 2010 at 04:33:42PM +0800, Patrick Coleman wrote:
 On Wed, Jun 16, 2010 at 4:28 PM, David Coppa dco...@gmail.com wrote:
 
  diff -u is preferred. Can you resend it in unified format?
 
 Sure. See http://patrick.ld.net.au/20100616-fix-gratuitous-reset.patch.

And, not to nitpick, but I'm going to nitpick, can you also ``man style'' ?

 
 Cheers,
 
 Patrick
 
 -- 
 http://www.labyrinthdata.net.au - WA Backup, Web and VPS Hosting



Re: It is 2010. Still no 3GB support by default?

2010-06-08 Thread Bret S. Lambert
On Tue, Jun 08, 2010 at 10:14:13AM -0600, Chris Cameron wrote:
 On Mon, Jun 7, 2010 at 9:32 PM, VICTOR TARABOLA CORTIANO vt...@c3sl.ufpr.br
  wrote:
 
  Most people that have those big amounts of memory don't use their
  PCs full potential. CPU is mostly idle, etc. Also they don't
  realize how big those amounts of memory are...
 
  Also there is the environment problem, too many good computers
  thrown away because of mere fashion...
 
 
 When questions of OpenBSD's short comings come around, it seems legions of
 OpenBSD apologetics leap out of the woodwork. My favourite instance was
  ^^^
apologists

 someone asking about rate-limiting in PF (which at the time didn't exist),
 and him being thoroughly berated because that wasn't the job of the
 firewall! That's the job of the daemon running the service. Shortly after
 someone implemented rate-limiting in PF, and it was touted as PF's
 awesomeness, now enhanced.
 
 Or how much better using a VPN over your WEP protected AP is rather than
 using WPA2. But really, the fact is, OpenBSD doesn't (didn't?) support WPA2.
 
 
 People waxing on about how unnecessary they think 4GB of RAM is, seems
 about par for the course. But I believe it to be equally ridiculous. Where I
 work, we have databases that would gladly use as much RAM as you could throw
 at them. Memcached, which does its job all the better with 4GB, and many
 many PHP utilizing webservers with a metric tonne of modules. Inefficient in
 CPU and memory use, yes, but we can't afford to pay our web developers to
 write our site in C. But why stop at C? How inefficient when compared to
 hand-tuned assembly?!
 
 I'm not complaining about what OpenBSD can or can't do. I'm just saying that
 telling people what their needs are is rather insulting. I imagine they'd
 just like to use their favourite OS in more places.

Yes, but rabble-rousing on a notoriously cantankerous mailing list is pretty
low on the list of ways to make it happen. The subject of what does it take
to make feature jizzmahpantz happen??? always comes down to somebody with
the skills, desire, and opportunity needs to do it. Punktum.

To actively assist in making it happen, you need to find someone who possesses
the first two items on that list and provide them with the third.

Until then, it's complaining that it's not the future yet because we don't
have flying cars.



Re: It is 2010. Still no 3GB support by default?

2010-06-07 Thread Bret S. Lambert
On Mon, Jun 07, 2010 at 09:52:50PM +0300, Dexter Tomisson wrote:

It's the future, where's my goddamn flying car?



Re: free binary search tree

2010-06-07 Thread Bret S. Lambert
On Mon, Jun 07, 2010 at 05:02:09PM -0400, Mark Bucciarelli wrote:
 Hi,
 
 On GNU/Linux, _GNU_SOURCE enables
 
No.

 tdestroy().  How do I free a binary tree in
 OpenBSD?
 
 I grepped /usr/src and didn't find any
 places tdelete( is used.

$ man -k tdelete
tsearch, tfind, tdelete, twalk (3) - manipulate binary search trees



Re: Mysql connection from within php

2010-06-01 Thread Bret S. Lambert
On Tue, Jun 01, 2010 at 04:30:34PM +0300, What you get is Not what you see 
wrote:
 Freshly installed on openbsd 4.6 mysql,php and php5-mysql packages.
 Done the configs. Now php and mysql works. But I couldnt make it
 connect to mysql from within php with such a command
 mysql_connect(localhost,user,pass)
 It used to give Cant connect to mysql through socket error till I
 change the command to
 mysql_connect(127.0.0.1,user,pass)
 I want to learn why?
 

cat /etc/resolv.conf && cat /etc/hosts



Re: sftp chroot does'nt pass the login

2010-05-30 Thread Bret S. Lambert
On Sun, May 30, 2010 at 05:22:22PM +0200, Jean-Francois wrote:
 Hi,
 
 I am using sftp server with a chroot with following lines in sshd 
 configuration 
 file. The same works for my actual server in 4.4 OpenBSD but I just freshly 
 installed a 4.7 one and on it the sftp login fails (it works without chroot).
 
 Match group web
 ChrootDirectory /var/www/htdocs
 ForceCommand internal-sftp
 
 Any idea what I get wrong ?

$ grep web /etc/group
$ grep www /etc/group
www:*:67:
$ 


 
 Thanks
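
Added example, not part of the original thread: a pre-flight check for the mismatch the reply points at, a Match group with no entry in /etc/group. It goes one step further and also checks the sshd_config(5) rule that every component of a ChrootDirectory path must be a root-owned directory not writable by group or others. Function names and the demo files are constructed here; Match criteria are assumed to be whitespace-separated.

```shell
#!/bin/sh
# Added example, not from the thread.

# missing_match_groups SSHD_CONFIG GROUP_FILE
# Print each group named by a "Match ... Group a,b" criterion that has no
# entry in GROUP_FILE (same format as /etc/group). Names containing
# wildcards or negation (*, ?, !) are skipped, not evaluated.
missing_match_groups() {
    awk -v groupfile="$2" '
        BEGIN {
            while ((getline line < groupfile) > 0) {
                split(line, f, ":")
                if (f[1] != "") known[f[1]] = 1
            }
            close(groupfile)
        }
        /^[ \t]*#/ { next }
        tolower($1) == "match" {
            for (i = 2; i < NF; i += 2) {
                if (tolower($i) != "group") continue
                n = split($(i + 1), names, ",")
                for (j = 1; j <= n; j++) {
                    g = names[j]
                    if (g == "" || g ~ /[*?!]/) continue
                    if (!(g in known) && !(g in seen)) { seen[g] = 1; print g }
                }
            }
        }
    ' "$1"
}

# chroot_path_problems DIR
# Walk DIR and each parent up to / and print one line per component that is
# missing, not a directory, not owned by uid 0, or group/world-writable.
# DIR must be absolute; symlinks are not resolved.
chroot_path_problems() {
    case $1 in
        /*) ;;
        *) echo "chroot_path_problems: need an absolute path" >&2; return 2 ;;
    esac
    cp_p=${1%/}
    [ -n "$cp_p" ] || cp_p=/
    while :; do
        if [ ! -e "$cp_p" ]; then
            echo "$cp_p: does not exist"
        else
            # ls -ldn: mode string is field 1, numeric owner is field 3
            ls -ldn "$cp_p" | awk -v path="$cp_p" '{
                if (substr($1, 1, 1) != "d") print path ": not a directory"
                if ($3 != 0)                 print path ": owner uid " $3 ", not root"
                if (substr($1, 6, 1) == "w") print path ": group-writable"
                if (substr($1, 9, 1) == "w") print path ": world-writable"
            }'
        fi
        [ "$cp_p" = / ] && break
        cp_p=${cp_p%/*}
        [ -n "$cp_p" ] || cp_p=/
    done
}

# Demo on constructed files holding the Match block and the /etc/group line
# quoted in the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'Match group web' \
        '    ChrootDirectory /var/www/htdocs' \
        '    ForceCommand internal-sftp' > "$tmp/sshd_config"
    printf '%s\n' 'www:*:67:' > "$tmp/group"
    echo "groups named in Match but absent from the group file:"
    missing_match_groups "$tmp/sshd_config" "$tmp/group"
    rm -rf "$tmp"
}
demo
```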



Re: Creating a mpe interface

2010-05-24 Thread Bret S. Lambert
On Mon, May 24, 2010 at 05:34:18PM -0700, Robert Bruce Carleton wrote:
 I'm having trouble creating a mpe interface on OpenBSD 4.7.  What I've done so
 far is recompile the kernel with option MPLS.  I've also enabled forwarding
 and mpls in the /etc/sysctl.conf.  I've also been able to configure and start
 ldpd and use ldpctl show to display the status of ldpd.  I used config -e
 /bsd to enable the mpe driver.  I'm experimenting under Sun VirtualBox if
 that makes a difference.
 
 Going from mpe(4), I'm trying to run the command ifconfig mpe0 create.  It
 throws the error SIOCIFCREATE: Invalid argument.  The mpe(4) man page
 doesn't suggest any additional command line arguments.
 
 Does anyone have any suggestions?
 

$ grep -n mpe GENERIC 
105:#pseudo-device  mpe # MPLS PE interface
^

Uncomment that in sys/conf/GENERIC and recompile your kernel,
if you haven't already done so.

 Thanks in advance,
 
   --Bruce



Re: How to figure out the error location?

2010-05-23 Thread Bret S. Lambert
On Mon, May 24, 2010 at 12:52:39AM +0200, Roger Schreiter wrote:
 Hi,
 
 we've been running a BGP router on OpenBSD for
 the months without problems.
 
 Now it crashed two times within 4 days. After the
 second crash, I could have a look on the screen:
 
uvm_fault (0xd088cfc0, 0x6c4e2000, 0, 1) - e
kernel: page fault trap, code=0
Stopped at  pool_do_get+0x11b:   movl   0(%ebx),%eax
 
 Is there any mean to figure out, which driver did cause
 the problem?

Yes, by following the instructions which accompanied this message.

WTF is it with people unable to do that lately?

 There is a 4xFE-NIC from D-Link (interface ste0 .. 3),
 whose driver seems to be new at OpenBSD-4.6.
 
 Should I try updating to OpenBSD-4.7?
 
 
 Regards,
 Roger.



Re: Origin 350

2010-05-19 Thread Bret S. Lambert
On Wed, May 19, 2010 at 08:24:42AM -0500, Marco Peereboom wrote:
 Theo is out of town.  We would have loved those :-(

And, for those who only read the first 3% of want.html:

If you do not get a response from these developers, please consider contacting 
another developer.

If somebody doesn't get back to you before you trash equipment, find somebody
else who you can email. Hell, I'll take the annoyance of dealing with people
via email if it means we can get hardware people need.

 
 On Wed, May 19, 2010 at 08:09:00AM -0500, Matt Bettinger wrote:
  That is unfortunate.  I emailed theo if they could use some origin 350s 
  but got no response.  They have been recycled yesterday.  I do have sgi 
  memory etc if needed.
 
  Sent from my iPhone
 
  On May 19, 2010, at 2:39 AM, syuu s...@dokukino.com wrote:
 
  Hi,
 
  Does anyone can bring SGI Origin 350 to c2k10?
  I'm planning to work on it in the hackathon if I could get one.
 
  syuu



Re: Research Affecting Creative Commons

2010-04-29 Thread Bret S. Lambert
On Thu, Apr 29, 2010 at 12:53:15PM -0600, Duncan Patton a Campbell wrote:
 Howdy List?  
 
 This may, at first blush, seem to be more spam unrelated 
 to the work of Open BSD.  But it seems to me over the 
 years one of the major criticisms of the Free/Open software
 movement has come from classical economics/ecology in the

Really? I've never seen one that wasn't a press release
from Microsoft; please to cite your sources.

 form of Garrett Hardin's Tragedy of the Commons.  If we
 are to believe Hardin's thesis then building something 
 like a free operating system (or free ideas in general)
 is the essence of pointless vanity.  

There is no parallel. The tragedy of the commons happens
because of the overuse of a limited resource; the open
source software world more closely resembles (in no small
part because it grew out of) academia; if the tragedy of
the commons were true for open source software, it would
be true for universities as well, and humanity would have
succumbed to gibbering idiocy long ago as human intellect
was mined to the point of exhaustion.

Now, since you have a magical thinking box that you're
using to communicate with a large number of people
automagically over the intertruck (itself something that
would've been subject to the aforementioned process),
the assertion is rather ridiculous on its face, and ignores
the fundamental difference between the two areas: human
knowledge is entirely additive, whereas physical resources
are consumed in some manner. You take an idea, and it's
still there for someone else; you take a fish, and you've
fucked somebody else out of their dinner.

It's a false analogy, and I need something better
*cough*girlfriend*cough* to do with my evenings.

 
 But here:
 
 http://www.physorg.com/news191765285.html
 
 we have a games model showing that resources managed by
 a communicant group are not necessarily exploited to
 extinction.  Interestingly the ability to impose 
 sanctions in the form of fines for overexploitation
 did not appear to enhance resource productivity, 
 only the ability to make ongoing agreements about 
 constructive action appear to have mattered.
 
 If you think this is off topic and irrelevant to 
 misc at openbsd org please accept my apologies and
 press delete now ;-)
 
 Dhu



Re: Stop spam from ISP Mailserver

2010-04-27 Thread Bret S. Lambert
On Tue, Apr 27, 2010 at 03:01:59PM +0400, open...@e-solutions.re wrote:
 Hi,
 
 I have a client, he receives a lot of spam from his ISP Mailserver.
 Is there a way to limit spam using an OpenBSD Gateway with PF and Spamd at
 his place ? (His mailserver is ISP Mailserver, so he hasn't mailserver)
 
 I think it is not possible, true ?

false. unless true meant that it's not possible? is 'maybe' in the mix?

spamd won't filter mail after it hits the smtp server; derive your
answer from that.

 If you have an idea ...

without knowing how your client (and if it's more than one client,
how he/they fetch his/their mail, etc) then there's not much that
can be said except use client-side anti-spam solutions.


 Thank's. 



Re: list of applied patches (v 4.6)

2010-04-23 Thread Bret S. Lambert
On Fri, Apr 23, 2010 at 03:13:29PM +0200, Tony Berth wrote:
 is it possible to list the patches already applied in a v 4.6 installation?

cd /usr/src && cvs diff .

 
 Thanks
 
 Tony



Re: OpenBSD culture?

2010-04-14 Thread Bret S. Lambert
Internet troll is on the Internet.

On Wed, Apr 14, 2010 at 05:11:56AM -0400, Zachary Uram wrote:
 As a long time Linux user I will soon try out OpenBSD, I have been
 reading the list emails and contacted 1 OpenBSD top person who was
 very rude. There is some of the RTFM or get lost attitude in
 Linux, but if a questioner seems sincere there is usually a certain
 level of friendliness in Linux community towards them. Just what I
 have briefly observed the OpenBSD community is more abrupt and less
 interested in helping newbies, they prefer one find the answer solely
 on their own if possible. I must say I detect a certain attitude that
 smacks of superiority and even condescension at times. Is this a fair
 assessment of the OpenBSD culture?
 
 Zach
 
  http://www.fidei.org 



Re: Best System Call Tracer

2010-04-09 Thread Bret S. Lambert
On Fri, Apr 09, 2010 at 07:21:02PM +0800, Aaron Lewis wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Hi,
   Is there any dtrace or strace like tools in OpenBSD ?

apropos trace, much?

 
   Thanks in advance !
 - -- 
 Best Regards,
 Aaron Lewis - PGP: 0x4A6D32A0
 FingerPrint EA63 26B2 6C52 72EA A4A5 EB6B BDFE 35B0 4A6D 32A0
 irc: A4r0n on freenode
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
 iEYEARECAAYFAku/DZ4ACgkQvf41sEptMqCWgwCfQf16xOvKCwsIuRo6vtbb24bU
 HKoAn1XanS91TbbyCeif6eJDYBO0Jw64
 =4gVg
 -END PGP SIGNATURE-



Re: crontab last day of the month

2010-04-06 Thread Bret S. Lambert
On Tue, Apr 06, 2010 at 12:09:01PM +0200, frantisek holop wrote:
 hmm, on Tue, Apr 06, 2010 at 11:26:28AM +0200, Jan Stary said that
  On Apr 06 11:15:26, frantisek holop wrote:
   hi there,
   
   what happens if i specify a cronjob like this?
   
   23 59 31 * * $HOME/bin/whatever
  
  Cron will just do what it's told: run whatever at 31.*. 23:59
 
 so i could basically do 12 lines with the correct
 last day of the month rules :]
 
   i am looking for an alternative @monthly, not
   
   0 0 1 * *
   
   but the last minutes of the last day of the month.
  
  Why?
 
 because for me the month ends at 23:59:59 on the last day
 of month n, and not at 00:00:00 on the first day of month n+1...

Not to be a dick, but what does one second buy you, really?

 
 -f
 -- 
 if you have to travel on a titanic, why not go first class?



Re: crontab last day of the month

2010-04-06 Thread Bret S. Lambert
On Tue, Apr 06, 2010 at 02:24:27PM +0200, frantisek holop wrote:
 hmm, on Tue, Apr 06, 2010 at 12:20:03PM +0200, Bret S. Lambert said that
  Not to be a dick, but what does one second buy you, really?
 
 it's not really about that second.
 actually, i dont mind losing some 5 minutes even
 from the current month.
 
 
 my goal is to have log files that end at a certain period.
 
 e.g. an archived log file of march that doesn't contain
 april entries (from the future), although it's all right
 if it contains a couple of stray entries from february
 (the casualties of log rotation).

I'm still not seeing what you're really getting, here; you're
just pushing that spillover from one end to another, which
are just as easily rationalized as the casualties of log
rotation.

But, it's your bikeshed, you can build it how you want.

 
 now i have logfiles named after the current month containing
 all the entries from the previous month.
 
 getting the name of the previous month from the current month
 is another can of worms i dont want to open.

date +mm?

 
 -f
 -- 
 careful planning will never replace dumb luck.
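
Added example, not part of the original thread: both options discussed in this thread and the previous message, as shell. One is a guard that lets a job scheduled on days 28-31 run only on the real last day of the month; the other derives the previous month's name for a job that runs at 00:00 on the 1st. The function names, the script path and the log.YYYY-MM naming are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread.
#
# crontab fields are: minute hour day-of-month month day-of-week.
# Fire at 23:59 on every day that could end a month and let the script
# decide whether to act (the path is hypothetical):
#   59 23 28-31 * * /usr/local/bin/month-end-rotate

# days_in_month YEAR MONTH -> prints 28..31; fails on an invalid month
days_in_month() {
    dim_y=$1
    dim_m=${2#0}                    # "08" -> "8"
    case $dim_m in
        1|3|5|7|8|10|12) echo 31 ;;
        4|6|9|11)        echo 30 ;;
        2)  if [ $((dim_y % 4)) -eq 0 ] &&
               { [ $((dim_y % 100)) -ne 0 ] || [ $((dim_y % 400)) -eq 0 ]; }
            then echo 29; else echo 28; fi ;;
        *)  return 1 ;;
    esac
}

# is_last_day_of_month [YYYY-MM-DD]   (default: today)
# Exit status 0 when the date is the last day of its month.
is_last_day_of_month() {
    ld_date=${1:-$(date +%Y-%m-%d)}
    ld_y=${ld_date%%-*}
    ld_rest=${ld_date#*-}
    ld_m=${ld_rest%%-*}
    ld_d=${ld_rest#*-}
    ld_last=$(days_in_month "$ld_y" "$ld_m") || return 2
    [ "${ld_d#0}" -eq "$ld_last" ]
}

# prev_month [YYYY-MM]   (default: current month)
# Prints the month before, rolling the year over in January.
prev_month() {
    pm=${1:-$(date +%Y-%m)}
    pm_y=${pm%-*}
    pm_m=${pm#*-}
    pm_m=${pm_m#0}
    if [ "$pm_m" -eq 1 ]; then
        pm_y=$((pm_y - 1)); pm_m=12
    else
        pm_m=$((pm_m - 1))
    fi
    printf '%04d-%02d\n' "$pm_y" "$pm_m"
}

if is_last_day_of_month; then
    echo "month ends today: archive as log.$(date +%Y-%m)"
else
    echo "not month end: a job run on the 1st would archive as log.$(prev_month)"
fi
```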



Re: An idea for a very simple port knocking with pf

2010-04-01 Thread Bret S. Lambert
congratulations, you've broken the code!

why this is a bad idea is left as an exercise to the reader.

On Thu, Apr 01, 2010 at 02:09:36PM +0200, Marcus M?lb?sch wrote:
 Hello all,
 
 it occurred to me that with a combination of some pass rules and
 adding the address via overload to a sort of whitelist tables you
 can implement a simple portknocking; using nothing but pf.
 
 The rules would look like this:
 
 pass in on $ext_if inet proto tcp from any to any port $knock1
 synproxy state (max-src-conn 1 overload <knock1>)
 
 pass in on $ext_if inet proto tcp from <knock1> to any port $knock2
 synproxy state (max-src-conn 1 overload <knock2>)
 
 pass in on $ext_if inet proto tcp from <knock2> to any port $knock3
 synproxy state (max-src-conn 1 overload <knock3>)
 
 pass in on $ext_if inet proto tcp from <knock2> to any port $knock3
 synproxy state (max-src-conn 1 overload <knock3>)
 
 pass in on $ext_if inet proto tcp from <knock3> to any port ssh
 
 No port knocking daemon is needed, and with an appropriate blocking
 rule the ssh port is closed to all.
 
 This works; all you have to do is to try to connect to each port
 $knockn in order twice (since the max-src-conn is set to 1).
 
 I have two questions:
 
 1) Is there any problem with that setup? I don't see any, but then
 again, it seems so simple and I didn't find any howtos on the web.
 Either nobody else did think of it before, or there is something
 wrong with my reasoning. If so, I'm happy if you tell me :-)
 
 2) I would like to knock on each port only once. However, setting
 max-src-conn 0 does not change anything. I would expect that the
 first connect will fill the appropriate table, but it doesn't. Is
 there something I do not understand, or must the number that is
 allowed be equal to or greater than one?
 
 Thanks for any pointers,
 
 Marcus



Re: feature request: ifconfig emX clear

2010-04-01 Thread Bret S. Lambert
On Thu, Apr 01, 2010 at 07:42:05PM +0200, Toni Mueller wrote:
 Hi,
 
 I'd like to be able to clear the counters of interfaces, similar to
 clear counters in Cisco lingo.

1) $EDITOR src/sys/net/if.c
2) Find the ioctl function, and start reading.
3) Thrill to the lulz of /* XXX hell this is ugly */

 
 TIA!
 
 
 Kind regards,
 --Toni++



Re: Apache on amd64 or i386 and bsd.mp or bsd.sp

2010-03-29 Thread Bret S. Lambert
I think you're overthinking this; your bottleneck here is probably going
to be the computation-heavy SSL stuff, not the firewall; and why run
a single-processor kernel and leave 1-or-more procs idle?

Obviously, testing the setups to get real-world numbers, as long
as you're using a real-world workload, is the ultimate arbiter, but
I'd be very surprised if a single-processor machine wins out as
an SSL terminator.

As for the rest of your post, I'm not too sure it really matters;
although, IIRC, amd64 better supports W^X protection, as the i386
implementation is a bit of a workaround for an architecture that
doesn't support it as well as others.

- Bert

On Mon, Mar 29, 2010 at 02:10:18PM +, trustlevel-...@yahoo.co.uk wrote:
 I'm unsure about using i386 or amd64 for an apache/php ssl webserver with
 relayd and pf running. I may test both as it shouldn't take too long, but I'd
 certainly like to know what people think. This isn't for a system with a large
 amount of memory. I imagine I'll need more systems and interfaces before
 needing  4G and I can switch quite easily and also move relayd to its own
 system(s) to scale up. There are external firewalls but they have to be quite
 liberal on what they allow.
 
 
 What I'm thinking:
 
 i386 has more bug searching time under its belt and probably more active
 users.
 i386 is said to filter packets more quickly according to Henning, though that
 is based on tests a while back and only for a pure firewall system.
 Attacks may be more likely to target i386.
 i386 has a few more packages, none of which I need to use
 the compiler may be configured to optimise apache for i386
 
 amd64 cpu stack is reversed and so possibly more secure, so if speed is
 comparable i may as well use amd64.
 If I ever have a need for lots of memory, amd64 will handle it.
 
 
 What I'd like to know:
 
 1./ are security related port upgrades such as php and sql almost as prompt on
 amd64 as i386.
 
 2./ Would you choose bsd.mp or bsd.sp with amd64 or i386. I realise there's no
 substitute for real world tests and config checking, but I would appreciate
 any input.
 
 KeV



Re: ZFS in OpenBSD

2010-03-22 Thread Bret S. Lambert
On Mon, Mar 22, 2010 at 01:33:07PM +0200, Dan Naumov wrote:
 Hello
 
 Are there any plans to bring ZFS support to OpenBSD so that users
 don't have to worry about things like fsck, running out of inodes and
 other silly stuff in the year 2010?

Intertruck troll is Intertruck.

 
 Thanks.
 
 
 - Sincerely,
 Dan Naumov



Re: 4.6 patch support

2010-03-22 Thread Bret S. Lambert
On Mon, Mar 22, 2010 at 01:36:45PM +0200, Andreas Gerdd wrote:
 Hi,
 
 I've an OpenBSD 4.6-Stable system. I wanted to ask how long will
 OBSD4.6 have patch/update support?
 If there is a support time limit like lets say up to 12/24 months,
 does it mean after that time, it will not get any update, not even
 (possible) critical vulnerabilities?

The standard is to support the current and previous releases; given
that the OpenBSD development cycle is one release every 6 months,
releases over approximately 1 year old are considered unsupported.

Kind regards

 
 Kind regards.



Re: ZFS in OpenBSD

2010-03-22 Thread Bret S. Lambert
On Mon, Mar 22, 2010 at 03:58:46PM +0200, Dan Naumov wrote:
 On Mon, Mar 22, 2010 at 3:41 PM, Marc Espie es...@nerim.net wrote:
  On Mon, Mar 22, 2010 at 02:29:51PM +0200, Dan Naumov wrote:
 
  The question of why 2 different BSDs have no issues including specific
  code into their base, while another does is a valid one. When asked
  hard questions, labeling the person asking them a troll is sadly a
  common occurrence on the internet.
 
  If you want to do something productive instead of acting like a clueless
  troll, go pester oracle until they release zfs under an acceptable licence
  for us.
 
 While some other BSD projects have more loose policies regarding
 introducing new code into their base system, our policy is to only
 include BSD-licensed code
 
 It seems that for several people who have replied, writing a simple,
 complete, coherent and civil answer like that was way beyond their
 capabilities. Why? Was it that hard? No, one MUST insert snide
 remarks, derogatory comments and call the person asking the question a
 troll. If acting like that is what makes you feel better about
 yourself, you are in a bad place, I can only suggest therapy, it works
 for millions of people.

all because of my vagina

 
 - Sincerely,
 Dan Naumov



Re: Opteron 250 Overheating

2010-03-14 Thread Bret S. Lambert
On Sun, Mar 14, 2010 at 11:50:56AM -0600, Jeff Ross wrote:
 Steve Shockley wrote:
 On 3/13/2010 5:27 PM, Jeff Ross wrote:
 I'm at a loss as what to try next. If I've read the AMD specs correctly
 these processors should not exceed 71 deg C but I see temps near that at
 inear dle.
 
 If your next one does the same thing, it might be interesting to
 see if the processor temp is actually that high.
 
 
 
 How can you tell that without relying on the sensors in the motherboard?
 

It's unfortunate that we all had to live through the Great Thermometer Genocide
of '97, or else there'd be a simple answer to your problem.



Re: any web management gui for pf ?

2010-03-13 Thread Bret S. Lambert
On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
 we have many people who know ISA very well and all they do with ISA is
 publishing applications, rdr rules in terms of pf.
 they do not need to know all the pf detailed, all they need is
 
 a) something ISA-like
 b) syntax-checker, I mean that gui should only allow adding correct
 rules (what is not true when you edit file)
 
 learn pf.conf and edit file is not our case though.

Then you're in a much more limited problem domain, and it may be
solvable for you. However, this went from how do I export the
full ability to edit pf.conf into gui form to possibly just
being i need to add rdr rules via monkey-usable button, which
is several orders of magnitude easier.

However, in order to receive help in solving a problem, you must
first state what the problem you're attempting to solve is. As
awesome as I am, your tinfoil underwear is rendering my telepathy
utterly useless.

So, to summarize: details, mofo.

 
 2010/3/14 Jason Dixon ja...@dixongroup.net:
  On Sun, Mar 14, 2010 at 11:02:29AM +0500,  ??? wrote:
  Hello,
 
  is there any GUI (like pfsense) around which can be installed on a
  clean OpenBSD box (or even two CARP-connected boxes) for pf management
  ?
  I've found comixwall, but it seems to be dead already.
 
  None that are worth it, imho.  If you want to do it right (you wouldn't
  use OpenBSD if you didn't) then learn pf and understand what you're
  putting together.  It's not hard.  In fact, compared to the
  other *nix firewalling alternatives, it's fucking easy.
 
  I've considered long and hard (TWSS) to write my own web interface for
  pf.  The prevailing design philosophies SUCK.  If you're going to
  bother, do it right;  proper abstraction of filtering and routing
  concepts is mandatory if you want to make something easy *and* secure.
  Why hasn't anyone done it?  It's really, really difficult.  And most
  developers that might take a crack at an OpenBSD pf web ui aren't
  experienced in interface design.
 
  I've written a few web applications related to OpenBSD (Hatchet,
  NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
  team can put out, they suck.  But they do an adequate job with the task
  they're designed to handle.  Writing a log filtering interface isn't
  hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
  application isn't hard (unless you're WordPress... then it's just
  bloated).
 
  I'll say it again... writing a good pf web UI is HARD.  It's infinitely
  more complicated and prone to security problems.  Reading the pf FAQ and
  editing pf.conf yourself is easier by geometric proportions.
 
  /rant
 
  --
  Jason Dixon
  DixonGroup Consulting
  http://www.dixongroup.net/



Re: any web management gui for pf ?

2010-03-13 Thread Bret S. Lambert
On Sun, Mar 14, 2010 at 12:05:48PM +0500,  ??? wrote:
 a) two CARP-connected OpenBSD boxes
 
 b) many real IP addresses bound to OpenBSD
 
 c) RFC1918 (non routable) network with servers
 
 d1) monkey button for nat rules, so some servers can connect to
 certain services (say, smtp to Gmail)
 
 d2) monkey button for rdr rules, so some servers could be published
 on certain IP addresses

This is actually pretty straightforward, if you're willing to
build a script which takes a few files as input and then generates
a pf.conf from each machine from those.

NAT monkey button adds/removes entries from a pf.conf.nat
RDR monkey button adds/removes entries from a pf.conf.rdr

Some magic happens to trigger the pf.conf getting pulled together
from those and any other bits you may require (e.g., pf.conf.mypr0n)
and that gets pushed to your servers.

How complex you make each of these bits is left as an exercise for
the reader.

You don't need a towering edifice to solve simple problems. You
damn just solve them.

 
 2010/3/14 Bret S. Lambert bret.lamb...@gmail.com:
  On Sun, Mar 14, 2010 at 11:48:44AM +0500,  ??? wrote:
  we have many people who know ISA very well and all they do with ISA is
  publishing applications, rdr rules in terms of pf.
  they do not need to know all the pf detailed, all they need is
 
  a) something ISA-like
  b) syntax-checker, I mean that gui should only allow adding correct
  rules (what is not true when you edit file)
 
  learn pf.conf and edit file is not our case though.
 
  Then you're in a much more limited problem domain, and it may be
  solvable for you. However, this went from how do I export the
  full ability to edit pf.conf into gui form to possibly just
  being i need to add rdr rules via monkey-usable button, which
  is several orders of magnitude easier.
 
  However, in order to receive help in solving a problem, you must
  first state what the problem you're attempting to solve is. As
  awesome as I am, your tinfoil underwear is rendering my telepathy
  utterly useless.
 
  So, to summarize: details, mofo.
 
 
  2010/3/14 Jason Dixon ja...@dixongroup.net:
   On Sun, Mar 14, 2010 at 11:02:29AM +0500,  ??? wrote:
   Hello,
  
   is there any GUI (like pfsense) around which can be installed on a
   clean OpenBSD box (or even two CARP-connected boxes) for pf management
   ?
   I've found comixwall, but it seems to be dead already.
  
   None that are worth it, imho.  If you want to do it right (you wouldn't
   use OpenBSD if you didn't) then learn pf and understand what you're
   putting together.  It's not hard.  In fact, compared to the
   other *nix firewalling alternatives, it's fucking easy.
  
   I've considered long and hard (TWSS) to write my own web interface for
   pf.  The prevailing design philosophies SUCK.  If you're going to
   bother, do it right;  proper abstraction of filtering and routing
   concepts is mandatory if you want to make something easy *and* secure.
   Why hasn't anyone done it?  It's really, really difficult.  And most
   developers that might take a crack at an OpenBSD pf web ui aren't
   experienced in interface design.
  
   I've written a few web applications related to OpenBSD (Hatchet,
   NetFlow Dashboard, Blogsum).  Compared to what a good web engineering
   team can put out, they suck.  But they do an adequate job with the task
   they're designed to handle.  Writing a log filtering interface isn't
   hard.  Writing a NetFlow query interface isn't hard.  Writing a blog
   application isn't hard (unless you're WordPress... then it's just
   bloated).
  
   I'll say it again... writing a good pf web UI is HARD.  It's infinitely
   more complicated and prone to security problems.  Reading the pf FAQ and
   editing pf.conf yourself is easier by geometric proportions.
  
   /rant
  
   --
   Jason Dixon
   DixonGroup Consulting
   http://www.dixongroup.net/
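
The fragment-and-assemble approach described in the reply above, as an added example that is not part of the thread: each button only edits its own fragment, and the assembled ruleset replaces pf.conf only if every fragment line is of the expected kind and `pfctl -nf` parses the result. pf.conf.nat and pf.conf.rdr are the names from the post; pf.conf.head, pf.conf.filter, the function names, the line patterns (which assume the nat-to/rdr-to rule syntax) and the PFCTL override are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. pf.conf.nat and pf.conf.rdr are the
# fragment names from the post; pf.conf.head, pf.conf.filter, the function
# names, the patterns and the PFCTL override are assumptions of this sketch.

PFCTL="${PFCTL:-pfctl}"   # point PFCTL at a stub to try this without pf

# Coarse allow-lists for what each button may write (nat-to/rdr-to syntax
# assumed; adjust to the rule syntax of the pf release in use).
NAT_RE='^match out .* nat-to [^ ]+$'
RDR_RE='^pass in .* rdr-to [^ ]+( port [0-9]+)?$'

# fragment_ok FILE ALLOWED_ERE
# A button-managed fragment may contain only blank lines, comments and
# one-line rules matching ALLOWED_ERE. Macros, includes, plain pass rules
# and backslash continuations are refused.
fragment_ok() {
    [ -r "$1" ] || return 1
    # grep -v succeeds when at least one line matches none of the patterns
    if grep -Ev -e '^[[:space:]]*(#.*)?$' -e "$2" "$1" >/dev/null; then
        return 1
    fi
    # a trailing backslash would let one entry span lines and dodge the check
    if grep -q '\\$' "$1"; then
        return 1
    fi
    return 0
}

# build_pfconf SRCDIR OUTFILE
# Assemble the fragments in a fixed order, parse-check the result with
# "pfctl -nf" (parse only, nothing is loaded) and replace OUTFILE only when
# every check passes. On failure OUTFILE is left exactly as it was.
build_pfconf() {
    src=$1
    out=$2
    fragment_ok "$src/pf.conf.nat" "$NAT_RE" ||
        { echo "pf.conf.nat: entry is not a nat-to rule" >&2; return 1; }
    fragment_ok "$src/pf.conf.rdr" "$RDR_RE" ||
        { echo "pf.conf.rdr: entry is not an rdr-to rule" >&2; return 1; }

    tmp=$(mktemp "$out.XXXXXX") || return 1
    # head: macros, options, default block; filter: the remaining pass rules
    if ! cat "$src/pf.conf.head" "$src/pf.conf.nat" \
             "$src/pf.conf.rdr" "$src/pf.conf.filter" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if ! "$PFCTL" -nf "$tmp"; then
        echo "assembled ruleset does not parse; keeping $out" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"   # rename in the same directory, so no partial file is seen
}

# Stand-alone use: sh thisfile SRCDIR OUTFILE
if [ "$#" -eq 2 ]; then
    build_pfconf "$1" "$2"
fi
```

After a successful build the caller loads the file with `pfctl -f` or copies it to the second firewall; the same checked file goes to both machines.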



Re: any web management gui for pf ?

2010-03-13 Thread Bret S. Lambert
On Sun, Mar 14, 2010 at 12:30:58PM +0500,  ??? wrote:
 I just want to make sure there's no wheel already invented ))

While that's a fair enough thing to do, you didn't really tell
anybody what you were going to use the wheel for.

I could continue the metaphor, but that would quickly become
illegible, so I'll just reiterate:

State the problem you're trying to solve before you try to enlist
the help of others in solving it.



Re: any web management gui for pf ?

2010-03-13 Thread Bret S. Lambert
On Sun, Mar 14, 2010 at 12:42:21PM +0500,  ??? wrote:
 the situation is pretty clear - any web gui for pf, something what
 pfsense already is, but installable on clean OpenBSD box. you
 probably do not make sense what are mailing lists for.
 mailing lists are for asking questions and for answering questions. if
 you have nothing to say except read the fantastic manual, please,
 keep quiet.
 
 read the fantastic manual doesn't help anybody. it doesn't make no
 point at all.

I never pointed you at a manual; I asked for clarification and gave you
a path to solving your problem, which apparently left you all butthurt.

I'm sorry I didn't hold your hand and tell you you were special.

 
 2010/3/14 Bret S. Lambert bret.lamb...@gmail.com:
  On Sun, Mar 14, 2010 at 12:30:58PM +0500,  ??? wrote:
  I just want to make sure there's no wheel already invented ))
 
  While that's a fair enough thing to do, you didn't really tell
  anybody what you were going to use the wheel for.
 
  I could continue the metaphor, but that would quickly become
  illegible, so I'll just reiterate:
 
  State the problem you're trying to solve before you try to enlist
  the help of others in solving it.



Re: h323 statefull firewall

2010-03-10 Thread Bret S. Lambert
On Thu, Mar 11, 2010 at 12:33:34AM +0200, Kapetanakis Giannis wrote:
 On 10/03/10 20:36, Antoine Jacoutot wrote:
 On Wed, 10 Mar 2010, Kapetanakis Giannis wrote:
 
 Hi,
 
 Looking through the manual pages as well in this list
 I found out that there is not any h323 helper for pf.
 
 Has this situation changed?
 How do you solve this problem if you must talk h323?
 net/gnugk
 
 I don't understand the 'net' part.
 
 I was thinking about gnugk as well. However the problem
 still exists if you put gnugk behind the pf firewall.
 
 Does it perform different than cisco gatekeeper/proxy
 in terms of session/connection tracking?

Have you ever read the H.323 spec? If so, how have you not
blotted out any idea of H.323 + firewall with copious
amounts of sex, drugs, and rock and roll?

 
 Giannis



Re: loongson was -current or -stable [was: Not another Browser Question]

2010-03-06 Thread Bret S. Lambert
On Sat, Mar 06, 2010 at 05:07:36AM -0500, Eric Furman wrote:
 Yea ,and its made by the Chinese.

As opposed to your Thinkpad/Dell/HP/etc?

 Fuck China.
 China is one of the worst murderous dictatorships
 in the last 500 years.
 If it was 1935 and the UberMensch PC would you
 all be falling over yourselves to get one??
 George Santayana is rolling over in his grave.
 My appy poly loggies for my political rant.
 Carry on...
 
 On Sat, 06 Mar 2010 09:57 +0100, Peter Hessler phess...@theapt.org
 wrote:
  On 2010 Mar 06 (Sat) at 14:26:25 +0530 (+0530), Siju George wrote:
  :On Sat, Mar 6, 2010 at 1:25 PM, Peter Hessler phess...@theapt.org
  wrote:
  :
  : (I'm also running dpb3 on my OpenBSD/loongson system, but that is just
  : for private use, and to find packages that fail to build ;) ).
  :
  :
  :loongson seems to be a very low end cpu system. what is the special
  :attraction towards it? :-)
  :
  
  short version: it's a laptop, and it's not Intel.
  
  
  -- 
  There's no point in being grown up if you can't be childish sometimes.
  -- Dr. Who



Re: -current or -stable [was: Not another Browser Question]

2010-03-05 Thread Bret S. Lambert
On Fri, Mar 05, 2010 at 01:12:17PM -0500, nixlists wrote:
 On 3/5/10, Marc Espie es...@nerim.net wrote:

[snippz0rz]

   We're very far from lemmings-linux, aka debian, where very little 
  engineering
   actually gets done, and where the whole development process relies on 
  hordes
   of lemmings^Wusers going over the cliff to actually get things to work. ;-)
 
 Ok is that sarcasm, or are you for real?

I have never seen espie@ in the same room as sarcasm, so I can only assume
they are the same person.

 
 Anyway, at least one person has this opinion:
 
 Yes, a basic understanding, plus the understanding that you need to
 catch a set of commits completely.  That requires some understanding
 of the code at some level.  Fortunately messing that up only means that
 you have to wait and update again, and not make the mistake of posting
 on a mailing list that something is wrong.  I just did this, with the new
 distributed package builder that Marc Espie has redone--had I paid more
 attention,  I would have seen that new stuff was added, which fixed the
 particular problem I had.
 
 Would it be ok to say that -current is probably not a good idea on
 production systems, for some people (who for whatever reasons can't do
 what is recommended in the above comment). I am not a C/*nix
 developer, should I really risk running current in production because
 I may not understand which snapshot to run?

It's not a matter of which snapshot to run; it's not like they're
numbered with 4.6.x.y.z.aa.bb.cc. Snapshots are made periodically,
and you've got a Hobson's choice: take it or don't.

 
 The other problem, that gets mentioned is some people are forced to
 run -current because some packages will only work with -current, and
 backporting sucks for many reasons.

Unless you're running one of those, it doesn't affect you. Are you? You
apparently don't know, no one is more qualified to answer these questions
than you can.

What you're looking to gain from this email exchange is what people call
experience, which is what you get when you fuck something up a few times,
not when you write an endless series of emails.

So go fuck some shit up, and figure out what works for you.  Go ahead and
blog it. Write it down on the diary you keep under your bed. Use a gigantic
laser to scribe it on the moon. Just, seriously, *do* something, instead of
discussing it to death.

This is worse than everybody being done, except for that one person who
always chimes in with a well, what about...? in Monday-morning meetings.

 
 Would it be possible to give at least some information about where the
 progress is when each snapshot is made, or should it be assumed that a
 snapshot represents the source tree at a relatively stable state most
 of the time?

No; search the archives for why (OH! SICK BURN!)



Re: Shutdown fails intermittently with OpenBSD running off SD MMC card

2010-03-05 Thread Bret S. Lambert
On Fri, Mar 05, 2010 at 05:17:47PM -0500, Frank Bax wrote:
 nixlists wrote:
 On 3/5/10, J.C. Roberts list-...@designtools.org wrote:
 
  look for the `-p` flag.
 
 
 Know all about it. The problem is the kernel won't even get to that
 point - it hangs on syncing disks... stage.
 
 
 Seems you might not be alone...
 
 http://www.mail-archive.com/misc@openbsd.org/msg72159.html
 

But again, he just can't find that thread!



Re: Best Mail Archive

2010-03-04 Thread Bret S. Lambert
On Thu, Mar 04, 2010 at 10:56:00AM -0300, Christiano F. Haesbaert wrote:
 2010/3/4 nixlists nixmli...@gmail.com:
  Every time someone tells me to go search an archive, I want to use
  profanity. They never think of just how painful mail archive searching
  is, but I guess we all have to bite the bullet and use search systems
  that are bad at searching.
 
 
 Do you realize how painful it is to answer the same question over and over ?
 

Of course not! He can't find that thread!!!



Re: -current or -stable [was: Not another Browser Question]

2010-03-04 Thread Bret S. Lambert
On Thu, Mar 04, 2010 at 03:12:35PM -0500, nixlists wrote:
 On Thu, Mar 4, 2010 at 12:28 PM,  and...@msu.edu wrote:
  If you don't have a good understanding of things, I'd say you should
 
 By good understanding do you mean ability to read and write system
 code, and intimate familiarity with *nix internals?

I'd imagine he meant a basic understanding of unix systems in general.

 
 ...
 
  not follow -current on machines that are critical to you.  I do use
 -current
 
 ...
 
 It seems the opinion on running current in production ranges from
 being overly optimistic to being very cautious. If running -current in
 production is only recommended for people who are intimately familiar
 with the internals, doesn't that exclude many if not most users?

if intimate familiar[ity] with the internals means being able to damn
read instructions, then yes. You're making this out to be far harder
than it has to be. If you're able to follow instructions, you can
run -stable or  -current, the docs are there to do so.

As to what each is, it's been discussed to death. Multiple times.

Pick one, and get on with your life. Christ.

 
 ...
 
  You can learn tons from watching -current.  I have.  But till you have
  experience with it, don't make it your main system.
 
 So more suitable for learning and playing with the latest stuff, but
 less suitable for running production stuff at this point? I just feel

Lots of people run -current on production machines with fewer bad experiences
than running stable releases from other OSes.

 like someone is going to yell curmudgeon again.
 
 Thanks.



Re: -current or -stable [was: Not another Browser Question]

2010-03-03 Thread Bret S. Lambert
On Wed, Mar 03, 2010 at 09:36:31AM +0100, Manuel Giraud wrote:
 J.C. Roberts list-...@designtools.org writes:
 
  The short answer is painfully simple; if you're running OpenBSD as your
  desktop/laptop and you have a clue, then run just -current.
 
  These days, the -stable branch still exists primarily due to historical
  precedence for people unwilling to update their thinking. 
 
 After 6 month using -current as desktop I was about to follow the
 opposite path and try to stay -stable (after 4.7 is released).
 
 Using -current, I sometimes have had to upgrade to the latest snapshot
 just because I wanted to install some new package and bumped into an
 error like not good version of libc.

Yes, you're running a development version, which means that when
library bumps happen, you're going to have to deal with them.

 
 In fact, I thought that having a -release (and -stable) was a strength
 of OpenBSD (if not why put so much effort for that).

Actually, most effort goes towards -current, with -stable only getting
major security/reliability fixes. For a while, there weren't any
-stable ports, due to a lack of manpower.

 
 -- 
 Manuel Giraud


