Re: 3.7 - in kernel pppoe
On Tue, Jul 05, 2005 at 02:18:21PM -0500, J.D. Bronson wrote:
> Last time I tried this - it worked fine, but if the link went down it never 'redialed' back to the PPPoE provider. Using userland pppoe - this is never an issue.

This question is already answered in the archives... so please, do your homework.

Regards,
Simon
Problem with ste-interface
Hi

I recently switched from several rl-NICs to one quad ste-NIC (D-Link DFE-580tx) since I was running out of PCI-slots. The new NIC works very well except for one problem with kernel-pppoe. The SDSL-modem is connected to ste0 and hostname.pppoe0 is configured as described in the docs (and this configuration worked flawlessly with a rl-NIC). But now I only get 1/100 of the bandwidth over the pppoe-link it should have, and the only way to fix this I found so far is to repower the modem. After that, pppoe re-establishes the link and I get full bandwidth. No idea what might cause this, so how can I debug this?

ste0 at pci2 dev 4 function 0 D-Link Systems 550TX rev 0x12: irq 11 address 00:05:5d:5e:93:14
ukphy0 at ste0 phy 0: Generic IEEE 802.3u media interface
ukphy0: OUI 0x000885, model 0x0023, rev. 0
ukphy1 at ste0 phy 1: Generic IEEE 802.3u media interface
ukphy1: OUI 0x000885, model 0x0023, rev. 0
ste1 at pci2 dev 5 function 0 D-Link Systems 550TX rev 0x12: irq 5 address 00:05:5d:5e:93:15
ukphy2 at ste1 phy 0: Generic IEEE 802.3u media interface
ukphy2: OUI 0x000885, model 0x0023, rev. 0
ukphy3 at ste1 phy 1: Generic IEEE 802.3u media interface
ukphy3: OUI 0x000885, model 0x0023, rev. 0
ste2 at pci2 dev 6 function 0 D-Link Systems 550TX rev 0x12: irq 12 address 00:05:5d:5e:93:16
ukphy4 at ste2 phy 0: Generic IEEE 802.3u media interface
ukphy4: OUI 0x000885, model 0x0023, rev. 0
ukphy5 at ste2 phy 1: Generic IEEE 802.3u media interface
ukphy5: OUI 0x000885, model 0x0023, rev. 0
ste3 at pci2 dev 7 function 0 D-Link Systems 550TX rev 0x12: irq 10 address 00:05:5d:5e:93:17
ukphy6 at ste3 phy 0: Generic IEEE 802.3u media interface
ukphy6: OUI 0x000885, model 0x0023, rev. 0
ukphy7 at ste3 phy 1: Generic IEEE 802.3u media interface
ukphy7: OUI 0x000885, model 0x0023, rev. 0

--
Fridtjof Busse
Re: Building READMEs
ok, NOW I'm baffled - it finished building them without a problem - which makes me think the problem before was not with hardware...

viq

--
On a date, on a date, on a date... http://link.interia.pl/f189c
Re: bridge changes traffic interface for pf, but not for tcpdump
I found this:

http://openbsd.automagic.org/plus.html

> Apply bridge filter rules to frames destined for the local machine, so a single-interface bridge can do filtering and tagging.

And then searched on that phrase, and found this:

http://www.monkey.org/openbsd/archive/misc/0411/msg01144.html

Which sounds similar to the problems I'm seeing, but not quite the same scenario. The follow-up:

http://www.monkey.org/openbsd/archive/misc/0411/msg01560.html

> Maybe you should add the warning: if the vlan interfaces have IP addresses the bridge will misbehave. (They all have the same MAC as the parent, so the bridge's choice for the source interface rewrite will be arbitrary.)

Since I'm running an SS20, all of my _real_ interfaces have the same MAC address (for Sparc 32-bit, it's a property of the machine, not the NIC).

So:

(a) Does anyone know if the first bit, about applying bridge filter rules to frames destined for the local machine, has been implemented in -stable yet? I'd been working with 3.5, and recently updated to 3.6, and then to -current, but I hadn't re-tried the bridge filter tagging rules since.

(b) If not, it's off to try this patch...

JMF
PF log and snort
Hello Guys,

I am having trouble with snort understanding the pf log format. Can Erkin Acar says that snort understands the pf format, see http://www.onlamp.com/pub/a/bsd/2004/05/06/pf_developers.html?page=3, but it didn't work for me, see:

[EMAIL PROTECTED]:~/snort/snort-2.3.0RC1/src$ cat snort.conf
log ip 192.168.0.0/24 any -> 192.168.0.0/24 any (msg: "Normal Logged Traffic"; \
    priority: 0;)
You have new mail in /var/mail/leitao
[EMAIL PROTECTED]:~/snort/snort-2.3.0RC1/src$ ./snort -c snort.conf -l /tmp -r ~/tmp/pflog.2
Running in IDS mode
Log directory = /tmp

TCPDUMP file reading mode.
Reading network traffic from /home/leitao/tmp/pflog.2 file.
snaplen = 1500

ERROR: OpenPcap() FSM compilation failed: unknown data link type 117
PCAP command: (null)
Fatal Error, Quitting..

Anthem is a linux machine, and the pflog comes from an openbsd 3.5. I really can't make it work.. Does anyone know if snort really understands the pflog? Any suggestion will be welcome.

Thank you

Cheers

Breno H. Leitão
http://lcr.icmc.usp.br/~leitao
--
Async Open Source
(16) 3361 2331
São Carlos, SP
Brasil
Re: OpenOffice, the next hurdle
Okay... I have tried everything. I have been banging my head against this wall for a week solid, and still no progress. I can get OO to run, but every time I try to save a file, the thing locks up. I have uninstalled OO, and redhat and reinstalled it a dozen times now. I have tried by installing on linux, then tarring it up and moving it to OBSD, and I have tried it with the install script run on the OBSD system. I have done everything the docs discussed in setting up linux emulation (which isn't much). I have mounted procfs with the -o linux flag and without. There is never any error output when it locks up, so I am at a total loss.

I am beginning to think that the linux emulation in the kernel is not so good. I don't know what else it could be. I have seen this: http://www.gruebchen.org/openbsd/openoffice.html and the webpage that it is based upon. I have read everything in the [EMAIL PROTECTED] mailing list. Maybe it is a 3.6 bug... I don't know.

If anybody has any insight here, I would appreciate it. I have done everything I can think of and then some.

Thanks.

Chris

Chris wrote:
> Okay. Much to my surprise, it appears that OpenOffice does not run on OBSD. I noticed that it does run on FreeBSD, but since I am a noob to BSD (I know nothing about freebsd and next to nothing about OBSD), I have no idea how those systems differ. I have read scattered threads here and other places that it is possible to run OpenOffice through linux emulation. So, I spent the last few hours looking into linux emulation. I have printed out all of the docs, and have them in a binder. I have been reading straight through as I build my system. I didn't see much about the appropriate way to set up linux emulation (It is briefly mentioned in chapter 9.4 of the Docs). I have poked around the net, and could not find anything recent on the issue, so finally I found a man page on my obsd 3.6 system that discussed it: compat_linux.
>
> I have done my best to make certain I have followed its recommendations, but it is a bit sparse with regards to what steps to take here. I have used ports to install redhat libraries. I have edited my /etc/sysctl.conf and uncommented kern.emul.linux=1. Now, there is some mention about using procfs in that man page, and I have sniffed all over the internet. I can find nothing conclusive on *how* to use it for this purpose. There is no /proc in BSD. There is no /emul/linux/proc either. I don't know if there is a file/image somewhere that I am supposed to mount, or if I just mount proc to proc. Should I make a /proc and/or a /emul/linux/proc? I believe I understand the syntax, I just don't know what arguments to use, where to mount it or what to mount. For shits and giggles, I made a /proc and a /emul/linux/proc and did this:
>
> mount_procfs -o linux /proc /proc; mount_procfs -o linux /emul/linux/proc /emul/linux/proc
>
> I have no idea how close this is to anything useful.
>
> I sacrificed my OO on my Gentoo linux system. I completely uninstalled it because it was compiled for an Athlon system and I didn't want to introduce more variables than necessary since this is my first time with linux emu. I downloaded the standard i386 binary installer for OO, and installed it. I tarred that up, and scp'd it to my OBSD box. I uncompressed the tarball under /emul/linux/usr/OpenOffice. I cd to that directory, and I find the link to the executable. I issue this command: ./soffice. My hard drive starts crunching for a few seconds, then it bombs out, complaining that it cannot find libXext.so.6. Now, I know I have that file on my system, it lives here: /usr/local/redhat/emul/usr/X11R6/lib -- which sounds right to me.
>
> My confusion:
>
> 1) I don't know if there is supposed to be some environmental variable to set a path for linux executables. Is that what I am missing?
> 2) I don't know if this is symptomatic of not understanding the whole procfs issue above.
> 3) I don't know if my system even knows that this is a *linux* application.. I assume the kernel knows the difference here... Am I supposed to run it through an emulation command first (like wine)?
> 4) Some other factor that I am completely unaware of.
>
> I am trying here. I am doing my homework but I am coming up dry. Can someone please help?
>
> Thanks.
>
> Chris
Re: PF, Bridge, and IP on bridged interface [more]
A helpful person on the PF list said he has a similar setup, but does not experience the problem I'm having. So I'm starting to suspect it might be an SBUS/Sparc-specific problem. I'm working with OpenBSD/Sparc on an SS20, and, if it makes any difference at all, my interfaces are lebuffer and ledma.

Issue: bridging causes pf to mis-apply frames to the wrong interface. This is only a problem if I want to filter directionally -- that is, allow clients on one side of the bridged subnet more access than clients on the other.

Using tcpdump on le0 and le2 shows traffic arriving and departing on the correct interfaces all of the time, regardless of bridge state. However, traffic appearing in pflog as matching rules from the wrong interface appears to be due to the bridge:

$ sudo brconfig bridge0 down
$ sudo tcpdump -netttvvv -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Feb 18 09:51:51.949840 rule 2/0(match): pass in on le0: 192.168.1.9 > 192.168.1.1: icmp: echo request (id:19bc seq:0) (ttl 64, id 30421)
Feb 18 09:51:51.950030 rule 4/0(match): pass out on le0: 192.168.1.1 > 192.168.1.9: icmp: echo reply (id:19bc seq:0) (ttl 255, id 25154)

$ sudo brconfig bridge0 up
$ sudo tcpdump -netttvvv -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
Feb 18 09:52:29.459668 rule 3/0(match): pass in on le2: 192.168.1.9 > 192.168.1.1: icmp: echo request (id:19bd seq:0) (ttl 64, id 30487)
Feb 18 09:52:29.459838 rule 4/0(match): pass out on le0: 192.168.1.1 > 192.168.1.9: icmp: echo reply (id:19bd seq:0) (ttl 255, id 21188)

Where:

@2 pass in log-all quick on le0 all
@3 pass in log-all quick on le2 all
@4 pass out log-all quick on le0 all

Incidentally, this only happens to traffic TO and FROM the router. The packets that TRAVERSE the router from one host on le0 to another on le2, and vice versa, always appear on the correct interface.

I've tried to use bridge rules, but have had even more problems with those, as applying the following to my bridgename.bridge0:

rule pass in on le0 tag t_lan
rule pass in on le2 tag t_wap

Results in frames that match NEITHER pf rules for 'tagged t_lan' nor 'tagged t_wap.'

So, back to my earlier questions: is this a bug in bridge? For Sparc? For these specific SBUS cards? More to the point, whether it is or is not a bug, is this behavior determinate -- that is, with the bridge up:

- inbound traffic from le0 to le2, and vice versa, always matches rules for the correct interfaces
- inbound traffic from le0 AND le2 to the router always appears to match rules for le2
- outbound traffic from the router to le0 AND le2 always appears to match rules for le0

Why? Can I depend on this to always be the case? How do I know which interface it will pick for the 'outbound,' and which it will pick for the 'inbound'? Is that a function of which interface has the IP assigned? Is it a function of the order in which they were added to the bridge? Is it a function of boot-time discovery order? Interface number? Etc.?

Thanks in advance,

Jim
Re: No sound from ESS SOLO-1
Okay... sorry. I was trying to be polite and not bog the server down or bore others... here is my entire dmesg:

OpenBSD 3.6-stable (GENERIC) #0: Mon Apr 11 03:19:36 EST 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Celeron (GenuineIntel 686-class, 256KB L2 cache) 299 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem = 267952128 (261672K)
avail mem = 237613056 (232044K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(7c) BIOS, date 11/17/99, BIOS32 rev. 0 @ 0xfd7a0
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 96%
apm0: AC off, battery charge high, estimated 11:55 hours
pcibios0 at bios0: rev 2.1 @ 0xfd7a0/0x860
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf40/160 (8 entries)
pcibios0: PCI Interrupt Router at 000:02:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0xc000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Neomagic Magicgraph NM2200 rev 0x20
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 2 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 2 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: TOSHIBA MK3021GAS
wd0: 16-sector PIO, LBA, 28615MB, 58605120 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LG, CD-ROM CRN-8241B, 1.16 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 2 function 2 Intel 82371AB USB rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
Intel 82371AB Power Mgmt rev 0x02 at pci0 dev 2 function 3 not configured
cbb0 at pci0 dev 3 function 0 Texas Instruments PCI1251 CardBus rev 0x01: irq 11
cbb1 at pci0 dev 3 function 1 Texas Instruments PCI1251 CardBus rev 0x01: irq 11
ATT/Lucent LTMODEM rev 0x01 at pci0 dev 6 function 0 not configured
eso0 at pci0 dev 7 function 0 ESS SOLO-1 AudioDrive rev 0x02: ES1946 rev E, irq 5
eso0: mapping Audio 1 DMA using VC I/O space at 0xfc70
audio0 at eso0
opl0 at eso0: model OPL3
midi0 at opl0: ESO Yamaha OPL3
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi1 at pcppi0: PC speaker
sysbeep0 at pcppi0
lpt2 at isa0 port 0x3bc/4: polled
npx0 at isa0 port 0xf0/16: using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0x80
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 3 device 0 cacheline 0x0, lattimer 0x80
pcmcia1 at cardslot1
biomask efdd netmask efdd ttymask ffdf
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
ep1 at pcmcia0 function 0 3Com, OfficeConnect 572B, B port 0xa000/32: address 00:00:86:62:83:f5
tqphy0 at ep1 phy 0: 78Q2120 10/100 media interface, rev. 10
wi0 at pcmcia1 function 0 U.S. Robotics, IEEE 802.11b PC-CARD, Version 01.02 port 0xa400/64
wi0: PRISM2 HWB3163 rev.A, Firmware 0.3.0 (primary), 1.7.1 (station), address 00:90:d1:08:44:7d

===

The mixer settings were given in their entirety (even though I used snip), but here they are again:

# mixerctl -av
inputs.dac=112,112 volume
inputs.mic=0,0 volume
inputs.line=0,0 volume
inputs.fmsynth=112,112 volume
inputs.mono_in=0 volume
inputs.cd=0,0 volume
inputs.auxb=0,0 volume
outputs.master=252,252 volume
outputs.pc_speaker=112 volume
outputs.spatial=0 level
outputs.spatial.enable=off  [ off on ]
record.record=32,32 volume
record.dac=240,240 volume
record.mic=0,0 volume
record.line=0,0 volume
record.fmsynth=240,240 volume
record.mono_in=0 volume
record.cd=0,0 volume
record.auxb=0,0 volume
record.source=mic  [ mic line cd mixerout ]
outputs.mono_out=mute  [ mute dac mixerout ]
monitor.mute=off  [ off on ]
mic.preamp=off  [ off on ]
PF, Bridge, and IP on bridged interface [more]
Okay, I can get my bridge and pf rules working if I need to, but I'd still like to understand WHY they work the way they do. So I ran some test cases.

My configuration is this: OpenBSD/Sparc (SS20). I have one external interface, and two internal interfaces. There's NAT to the external, but that's working flawlessly, so we'll leave that out of the equation for now. The two internal interfaces are bridged, and I have various pf rules restricting what can and cannot pass between them (as well as between the internal and external world).

However, I'm not entirely clear on what's going on... where the bridge acts in the general process flow, whether bridge rules act before or after frames are copied to the bridged interfaces, exactly how the bridge tagging rules work, etc. What I'm looking to do is construct something like the process flow diagrams at:

http://mniam.net/pf/pf.png
and
http://homepage.mac.com/quension/pf/flow.png

except with a bridge in the model. So I decided to run some test cases with rule sets that pass and log everything. Now that I have some data, and I've looked it over, I have a few questions.

So, here's my first, simple case:

$ cat /etc/bridgename.bridge0
add le0
add le2
blocknonip le0
blocknonip le2
rule pass in on le0 tag t_lan
rule pass in on le2 tag t_wap
up

$ cat /etc/hostname.le0
inet 192.168.1.1 255.255.255.0 NONE

$ cat /etc/hostname.le2
up

pf rules:

@0 pass out quick on lo0 all
@1 pass in quick on lo0 all
@2 pass in log-all quick on le0 all
@3 pass in log-all quick on le2 all
@4 pass out log-all quick on le0 all
@5 pass out log-all quick on le2 all

Router: 192.168.1.1
LAN client: 192.168.1.9
WLAN client: 192.168.1.130

And I proceeded to execute some pings, from the console of each machine.

LAN machine pings router:
Passes in on le2 (incorrect), reply passes out on le0 (correct)

Feb 16 08:28:43.378979 rule 3/0(match): pass in on le2: 192.168.1.9 > 192.168.1.1: icmp: echo request (id:0f5a seq:0) (ttl 64, id 3081)
Feb 16 08:28:43.379197 rule 4/0(match): pass out on le0: 192.168.1.1 > 192.168.1.9: icmp: echo reply (id:0f5a seq:0) (ttl 255, id 36469)

LAN machine pings WLAN machine:
Request passes in on le0 (correct) first, then out on le2 (correct)
Reply passes in on le2 (correct) first, then out on le0 (correct)

Feb 16 08:28:54.881680 rule 2/0(match): pass in on le0: 192.168.1.9 > 192.168.1.130: icmp: echo request (id:0f5b seq:0) (ttl 64, id 3108, bad cksum 0!)
Feb 16 08:28:54.881737 rule 5/0(match): pass out on le2: 192.168.1.9 > 192.168.1.130: icmp: echo request (id:0f5b seq:0) (ttl 64, id 3108)
Feb 16 08:28:54.882440 rule 3/0(match): pass in on le2: 192.168.1.130 > 192.168.1.9: icmp: echo reply (id:0f5b seq:0) (ttl 64, id 48170, bad cksum 0!)
Feb 16 08:28:54.882487 rule 4/0(match): pass out on le0: 192.168.1.130 > 192.168.1.9: icmp: echo reply (id:0f5b seq:0) (ttl 64, id 48170)

WLAN machine pings router:
Passes in on le2 (correct), reply passes out on le0 (incorrect)

Feb 16 08:29:22.925161 rule 3/0(match): pass in on le2: 192.168.1.130 > 192.168.1.1: icmp: echo request (id:028b seq:0) (ttl 64, id 48190)
Feb 16 08:29:22.925292 rule 4/0(match): pass out on le0: 192.168.1.1 > 192.168.1.130: icmp: echo reply (id:028b seq:0) (ttl 255, id 53634)

WLAN machine pings LAN machine:
Request passes in on le2 (correct) first, then out on le0 (correct)
Reply passes in on le0 (correct) first, then out on le2 (correct)

Feb 16 08:29:32.830865 rule 3/0(match): pass in on le2: 192.168.1.130 > 192.168.1.9: icmp: echo request (id:028c seq:0) (ttl 64, id 48200, bad cksum 0!)
Feb 16 08:29:32.830917 rule 4/0(match): pass out on le0: 192.168.1.130 > 192.168.1.9: icmp: echo request (id:028c seq:0) (ttl 64, id 48200)
Feb 16 08:29:32.831474 rule 2/0(match): pass in on le0: 192.168.1.9 > 192.168.1.130: icmp: echo reply (id:028c seq:0) (ttl 64, id 3191, bad cksum 0!)
Feb 16 08:29:32.831523 rule 5/0(match): pass out on le2: 192.168.1.9 > 192.168.1.130: icmp: echo reply (id:028c seq:0) (ttl 64, id 3191)

Router pings LAN machine:
Passes out on le0 (correct), reply passes in on le2 (incorrect)

Feb 16 08:29:48.837588 rule 4/0(match): pass out on le0: 192.168.1.1 > 192.168.1.9: icmp: echo request (id:16ee seq:0) (ttl 255, id 62936)
Feb 16 08:29:48.838269 rule 3/0(match): pass in on le2: 192.168.1.9 > 192.168.1.1: icmp: echo reply (id:16ee seq:0) (ttl 64, id 3223)

Router pings WLAN machine:
Passes out on le0 (incorrect), reply passes in on le2 (correct)

Feb 16 08:29:56.494341 rule 4/0(match): pass out on le0: 192.168.1.1 > 192.168.1.130: icmp: echo request (id:7ff8 seq:0) (ttl 255, id 60383)
Feb 16 08:29:56.495223 rule 3/0(match): pass in on le2: 192.168.1.130 > 192.168.1.1: icmp: echo reply (id:7ff8 seq:0) (ttl 64, id 48215)

1a. My pf rules are all log-all
1b. bridge (4), and all of the literature I can find online says
Re: lpd and cupsd
Hello, and thanks for your reply. I updated ports 2 days ago (following stable branch mind you). There is no cups in it. Since I am a newbie I can only guess that the ports to which you are referring would be in the *current* branch. The docs warn me away from mixing my branches. I chose the stable, so I better stick with it. I am battling with OO right now... If that doesn't work, there will be nothing to print :0). When I have overcome that hurdle, I can try your advice in my printcap.

Thank you.

Chris

umaxx wrote:
>> It appears that OBSD developers are down on CUPS (I do not see it in ports or in the binaries).
>
> where did you look?
> http://www.openbsd.org/cgi-bin/cvsweb/ports/print/cups/
> cups is in current ports-tree (afaik in snapshots too).
>
>> From my web searching, it looks like this is because it is viewed as being less secure/stable. I must admit, I have been seduced by cups because of the added functionality and ease of use-- and my users certainly get a lot out of it as well. However, I want to be able to do things the OBSD way, so, if there is no CUPS on OBSD, then I will go back to lpd.
>>
>> My Problem: My printers are hooked up via parallel port and usb to Linux boxes (which use cups). Networking IPP from a cups machine to a cups machine is a snap, but what do I do with this OBSD laptop that does not use cups? What is the best way to get it to print to these printers? I am trying to go with gnome on this laptop, and I was going to put OpenOffice on it (if this makes a difference at all. I have not used gnome since 1.4, so I figure I will give it another shot.) I am following the stable branch of OBSD 3.6, and installed gnome using pkg_add. How do I print to my printers that are attached to Linux/CUPS machines? Any advice?
>
> if you want to use classic lpd you can try something like this on your clients:
>
> $ cat /etc/printcap
> # $OpenBSD: printcap,v 1.4 2003/03/28 21:32:30 jmc Exp $
> #lp|local line printer:\
> #       :lp=/dev/lp:sd=/var/spool/output:lf=/var/log/lpd-errs:
> lp|remote line printer:\
>         :lp=:rm=server-ip:rp=lp:sd=/var/spool/output:lf=/var/log/lpd-errs:
>
> greets
> umaxx
No sound from ESS SOLO-1
Greetings everyone,

As the subject states, I am not getting any sound from the soundcard in my laptop. According to dmesg, it is detected. It worked when win98 ran on this system, and when I boot to Knoppix. I couldn't find any specific references in the documentation to trouble-shooting sound cards, so I am not even sure where to start. I am still very much a newbie.

I have installed KDE on the system, and tried to play several different wav files. Sometimes I will hear an extremely high-pitched (almost inaudible) beep like noise -- but most of the time I hear nothing. I have opened KMIX, turned on all channels and cranked them to the maximum. Still nothing.

I am at a loss, can someone please point me in the right direction here?

Thank you.

Chris
Re: Newbie with Wireless woes
I'm sorry Pedro, I'm not sure I follow. What does OP mean, and what do you mean by [next]? I have searched the archives already, if that is what you mean. For solutions to my issue, for the firmware update utility in dos and Linux, I saw nothing. The links that reference the hawking site are broken. I have found nowhere else to download this utility. The OBSD documents did not refer to a firmware update for this card, so I was caught completely off guard here. I specifically picked this card because it was on the OBSD HCL.

Todd, if you still have this update, do you think you could email it to me?

thanks
chris

Pedro la Peu wrote:
> Or read the archives where all the OP's [next] questions have been answered ad nauseam.
ISAKMPD VPN w/ Cisco Concentrator
Hi all,

I'm in need of a little help setting up a VPN tunnel between my OpenBSD box and a Cisco VPN concentrator. I have successfully set up a tunnel with another OpenBSD box, but in trying to change the isakmpd.conf to then connect to the Cisco, I'm running into trouble. Part of my problem is that I have no Cisco VPN experience, so I don't know how to translate the options set on the Cisco side to something usable by isakmpd. The person in charge of the Cisco side sent me the following config settings:

Interface is 192.168.0.5
Authentication ESP/MD5/HMAC-128
Encryption 3DES-168
IKE Proposal IKE-3DES-MD5
Preshared Key is f00zb411
Target Network 192.168.0.0

Should 'Authentication' above be AUTHENTICATION_METHOD in isakmpd.conf? And what does 'IKE Proposal' mean? I couldn't find anything that seemed to match up with that in the isakmpd.conf man page. I'll gladly send my isakmpd.conf file if anyone needs to see it.

Thanks.

--
Seeya,
Paul
Re: No sound from ESS SOLO-1
Okay... This is directly from my dmesg output:

---snip-
eso0 at pci0 dev 7 function 0 ESS SOLO-1 AudioDrive rev 0x02: ES1946 rev E, irq 5
eso0: mapping Audio 1 DMA using VC I/O space at 0xfc70
audio0 at eso0
opl0 at eso0: model OPL3
---/snip-

And this is from 'mixerctl -av':

---snip-
inputs.dac=112,112 volume
inputs.mic=0,0 volume
inputs.line=0,0 volume
inputs.fmsynth=112,112 volume
inputs.mono_in=0 volume
inputs.cd=0,0 volume
inputs.auxb=0,0 volume
outputs.master=252,252 volume
outputs.pc_speaker=112 volume
outputs.spatial=0 level
outputs.spatial.enable=off  [ off on ]
record.record=32,32 volume
record.dac=240,240 volume
record.mic=0,0 volume
record.line=0,0 volume
record.fmsynth=240,240 volume
record.mono_in=0 volume
record.cd=0,0 volume
record.auxb=0,0 volume
record.source=mic  [ mic line cd mixerout ]
outputs.mono_out=mute  [ mute dac mixerout ]
monitor.mute=off  [ off on ]
mic.preamp=off  [ off on ]
---/snip--

since master is at 252,252 I would think it looks okay... Everything looks nominal in kmix as well.

Thanks for your help!

Chris

Chris wrote:
> Greetings everyone,
>
> As the subject states, I am not getting any sound from the soundcard in my laptop. According to dmesg, it is detected. It worked when win98 ran on this system, and when I boot to Knoppix. I couldn't find any specific references in the documentation to trouble-shooting sound cards, so I am not even sure where to start. I am still very much a newbie.
>
> I have installed KDE on the system, and tried to play several different wav files. Sometimes I will hear an extremely high-pitched (almost inaudible) beep like noise -- but most of the time I hear nothing. I have opened KMIX, turned on all channels and cranked them to the maximum. Still nothing.
>
> I am at a loss, can someone please point me in the right direction here?
>
> Thank you.
>
> Chris
Re: OPEN SOURCE MASTERPLANS
Mr. Fafa also seems to be using multiple names to post from this [EMAIL PROTECTED] address, if one were to do a Google search on this e-mail address. One name is Fafa Hafiz Krantz, and another is Fafa Diliha Romanova.

PG

Ben Goren wrote:
> On 2005 May 3, at 12:23 PM, Fafa Hafiz Krantz wrote:
>> I came here asking for advice, not having to prove myself by stating my knowledge and beliefs.
>
> Sorry, wrong. At best, you came here asking us to do your homework for you. But...if you really had the ears of world leaders, you'd have more than enough resources to do your own research. You'd also be professional enough to at least take the time to discover that inquiries and behavior like you've foisted upon us here at misc@ are unwelcome. *Maybe* your question would have been appropriate for advocacy@, but certainly not [EMAIL PROTECTED] Cross-posting to such a diverse mix of groups as you did--including OpenBSD and Debian, for example--is just plain rude.
>
> Since your primary claim is so blatantly false, the next most obvious conclusion is that you're a troll. I'm sorry, but, at this point, if you want to demonstrate otherwise, you'll have to do all the research on your own. Then, you can come back, present us with all these wonderful final solutions, and ask us to critique them.
>
>> Fafa Hafiz Krantz
>> Senior Designer @ http://www.home.no/barbershop
>
> This is a flash-only Web site that lives on a generic hosting provider. It advertises for a graphic design agency. Nothing there gives me any indication that you're any kind of well-known, respected expert on Free software. You may well use it and like it, but that's irrelevant.
>
> Further, Google knows nothing about you:
>
> http://www.google.com/search?q=%22Fafa+Hafiz+Krantz%22
>
>> Furious @ http://www.home.no/barbershop/smart/sharon.pdf
>
> This is a highly inflammatory rant against the elected leader of a nation written by his harshest political opponent. Whether the charges are merited or not, it shows an incredible lack of diplomacy on your part. Many world leaders will reject you out of hand for such tactlessness.
>
>> Sign-up for Ads Free at Mail.com
>> http://promo.mail.com/adsfreejump.htm
>
> You send mail from @mail.com but receive it @london.com. It comes by way of outblaze.com. None of that gives me the slightest confidence in your claims of legitimacy.
>
> Now, will you kindly go away? There's no need to even reply to this note--just leave.
>
> Cheers,
>
> b
Re: pflog0, ICMP rule 4294967295/3(short)
John L. Scarfone wrote:
> On Tue, Mar 08, 2005 at 08:49:18PM -0500, Jim Fron mentioned:
>> OpenBSD on le0:
>> ...0800 60: 192.168.1.9 > 192.168.1.1: icmp: echo request (id: seq:21845) (ttl 255, id 24192)
>> 4500 0018 5e80 ff01 da09 c0a8 0109 c0a8 0101 0800 f7ff
>>
>> tcpdump sees extra 0x55's? Is this reading past the short message into init'ed memory?
>
> Looks like OSX is incorrectly padding your short frame with non-nulls.

Padding it, and then failing to report it in its own tcpdump, and OpenBSD subsequently removes the padding AFTER tcpdump on le0 sees it, but before tcpdump on pflog0 sees it? I _suppose_ that's possible. I'd need a machine that was neither OpenBSD nor OSX -- or an oscilloscope -- to test that theory.

>> Moreover, on pflog0:
>> Mar 08 20:04:23.030298 rule 4294967295/3(short): pass in on le0: 192.168.1.9 > 192.168.1.1: [|icmp] (ttl 255, id 24192)
>> 4500 0018 5e80 ff01 da09 c0a8 0109 c0a8 0101 0800 f7ff
>
> Looks like your IP length is incorrect.

I know it is. I used the wrong terminology in my previous post... it's not that it has no payload, it has no reserved bytes in the header. Incidentally, this wasn't intentional. I wasn't trying to test for bad frames (I presume there was plenty of stress testing when it was developed, and regression testing done on the OS itself for that sort of thing), I just left those bytes out in some of my test cases, and noticed this rather anomalous behavior.

I suppose that's the point I was trying to make: a malformed ICMP frame (short header) is (a) appearing strangely in tcpdump, (b) being reported by pflog as passing rule -1. I find this odd, because:

- of the inconsistency between tcpdump on le0 and pflog0 (I suppose it could be, as you suggest, being padded, and then having the padding stripped both in OSX and Openbsd/pflog0.)
- malformed traffic makes it all the way to PF rules at all.
- inconsistency in handling: UDP and TCP packets with malformed (short) headers are NOT showing up the same way. They don't get flagged in pflog0 at all.

I'm willing to accept that the short frames are passed for some reason, perhaps for the ability to detect just this sort of bad traffic. I'm willing to accept that they'll flood pflog. I guess I'm just expecting someone to tell me that's perfectly normal behavior, by design. I wouldn't be surprised. Disgruntled, perhaps, but not surprised.

How about this question, then: presuming this is all 100% expected, is there any way to prevent these from being logged?

JMF
Re: pflog0, ICMP rule 4294967295/3(short)
To: misc@openbsd.org Subject: Re: pflog0, ICMP rule 4294967295/3(short) John L. Scarfone wrote: On Wed, Mar 09, 2005 at 07:42:16PM -0500, Jim Fron said: John L. Scarfone wrote: On Tue, Mar 08, 2005 at 08:49:18PM -0500, Jim Fron mentioned: OpenBSD on le0: ...0800 60: 192.168.1.9 192.168.1.1: icmp: echo request (id: seq:21845) (ttl 255, id 24192) 4500 0018 5e80 ff01 da09 c0a8 0109 c0a8 0101 0800 f7ff tcpdump sees extra 0x55's? Is this reading past the short message into init'ed memory? Looks like OSX is incorrectly padding your short frame with non-nulls. Padding it, and then failing to report it in its own tcpdump, and OpenBSD subsequently removes the padding AFTER tcpdump on le0 sees it, but before tcpdump on pflog0 sees it? I _suppose_ that's possible. I'd need a machine that was neither OpenBSD nor OSX -- or an oscilloscope -- to test that theory. Padding is required because your frame is below the Ethernet minimum but the requirement is for null padding, not anything else. Okay, so it's padding with crap. I'll go along with it's OSX f'ing up, as that's easy to believe. Makes perfect sense, as that's padded to 46 bytes of data (ethernet minimum). I guess OBSD would fail to show the padding if it were actually 0's. rather than 0x55's. (?) The OSX dump is showing it to you before the padding is done (before it's on the wire). Also the dumps of le0 and pflog0 have different link types. There's no Ethernet info in the pflog0 dump. True, okay. Hopefully I resolved the inconsistency. Yes, thank you. If I send malformed (short) ICMP, TCP, or UDP out of a 3.6 box I get the same behavior, they're being blocked. Stuff like: rule 4294967295/3(short): pass out on bge0: 192.168.1.63 192.168.1.4: icmp: echo request rule 4294967295/3(short): pass out on bge0: [|udp] rule 4294967295/3(short): pass out on bge0: truncated-tcp That's what threw me, I guess. I can't do that. When I try to send short TCP and UDP (from either OSX or OBSD 3.6), they aren't being logged. 
Only the short ICMP show up. I'm willing to accept that the short frames are passed for some reason, perhaps for the ability to detect just this sort of bad traffic. I'm willing to accept that they'll flood pflog. I guess I'm just expecting someone to tell me that's perfectly normal behavior, by design. I wouldn't be surprised. Disgruntled, perhaps, but not surprised. They're not being passed. They come in on le0 because they're on the wire and that's what a tcpdump there shows. pf will not pass them though. Hmm, if that's true, perhaps it oughtn't say pass when it logs them, then? I don't have a problem with them being logged against rule 0x, either, just it'd have been nice if the PF documentation would have noted that would happen. That is, while pflogd(8) indicates that short packets will be logged (by listing it as a logging option, under the assumption that all options are default), it would have helped if it had indicated that the rule for such packets would be undefined (-1). How about this question, then: presuming this is all 100% expected, is there any way to prevent these from being logged? Not that I know of but they're being blocked and I tend to log blocked things anyway. If I log everything I block, I fill /var. But I'll answer my own question: pflogd reason match Also pflogd(8) Also accepts bad-offset, fragment, bad-timestamp, short, normalize and memory. I guess my only question, then, would be what options to use to specify multiple reasons? `pflogd reason match reason normalize` JMF
Re: OpenBSD Visible Bridge and NAT box -- strangeness and questions
I want to thank the people who have responded recommending authpf. That seems like a nice add-on, as it will allow me to block all access to the LAN from wireless clients until they have logged in to the router. It's a trade-off, of course, as I had not intended to allow wireless clients SSH access to the router in the first place, but ultimately, it's probably better to initially trust in the security of SSH on OpenBSD than to trust the security of the services from the LAN. (Of course, I'll have to write a background task for the wireless clients that uses auth keys and logs them in automatically so the wireless users don't have to know about the authorization step, but...) As nice as authpf is, it won't solve my initial problem, which was this: In the simplest terms, I need a way to allow autodiscovery mechanisms to work between the wireless clients and the LAN. This involves such things as Zeroconf/Rendezvous -- broadcast and multicast packets traveling from one subnet to the other. How do I accomplish that? My first instinct was to configure the router to know that the subnets were 192.168.1.1/25 and 192.168.1.129/25, and to configure the clients to think that they were 192.168.1.1/24. However, OpenBSD still failed to forward multicast packets, and, to make matters worse, would not proxy ARP. Thus, I presumed bridging le0 and le2 would help. It did, in that it passed ARP through. But once I brought up the bridge, all of my pf rules started failing, thinking that traffic that actually came in on le0 was coming in on le2. So, my questions, perhaps better stated this time: 1. Is the /24 /25 network fake subnetting scheme a filthy hack that will never work properly? 2. If I configure the LAN and wireless clients to know that they are on separate subnets, how do I make OpenBSD forward multicast packets between the two, so that autodiscovery features work across subnets? 3.
Even if I don't use it in the end, I'm still curious: why do all of my pf rules go south when I bring up the bridge? That is, why, after a `brconfig bridge0 up,` do packets physically arriving on le0 appear to be from le2, and get blocked by rules for le2? Thanks, Jim -- Original message -- Hello, from my experience I would handle the WLAN as a DMZ with an extra subnet and pf-rules. To temporarily change access you could use authpf. That works well for me. A bridge is not the right solution for you. named: you are probably missing an entry for le2 in your configuration for named. regards Stefan Kell On Wed, 2 Feb 2005, Jim Fron wrote: I have an OpenBSD/Sparc box that I'm using for NAT at home. le0 is the LAN, le1 is the cablemodem. I recently purchased a wireless AP, and would like to add that to the internal network. However, I am paranoid, and, even though I've enabled WPA and hardware address restriction on the AP, I still don't want to just plug it right in to the switch on the LAN. I'd like to be able to restrict access to machines on the LAN to certain services. Also, the OpenBSD box is currently accessible to the LAN in an unrestricted manner -- if anyone has gained physical access to my LAN, well, it's far too late for PF to help :-) I want to restrict access to the wireless AP to DNS and routing services only. However, I additionally want things like iTunes autodiscovery (244.x broadcasts) to work between the LAN and AP. I've looked briefly into proxy ARP and mrouted, and it seemed that the way to go about this is really just to bridge le0 and le2, and use pf to restrict as much as possible between the two addresses... 
# le0 is the internal wired LAN
# le1 is the external internet
# le2 is the internal wireless AP
#
# Goals:
#
# Perform NAT for both internal networks to the outside world
# Bridge LAN and wireless AP to provide certain broadcast-based
# services (Rendezvous/Zeroconf) the impression that they
# span the network
# Provide DNS service to LAN and wireless
# Provide full internet functionality to LAN and wireless
# Provide full access to machines on the wireless from the LAN
# Provide limited services on LAN machines to wireless clients
# Protect the router, LAN, and AP from the internet
# Protect the router and LAN from the wireless
#
# Architecture:
#
# Sub-net 192.168.1.x, the lower 128 to the LAN, the upper to the
# wireless, but configure clients on each with a 255.255.255.0
# netmask. This will result in clients that all believe they
# have the same network number and broadcast address.
#
# Bridge wireless and LAN interfaces
#
# Router provides default-route and DNS to each interface on its
# respective network number (i.e. 192.168.1.1 and 192.168.1.129)
#
# /etc/hostname.le0
# inet 192.168.1.1 255.255.255.128 192.168.1.255
#
# /etc/hostname.le1
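Added example, not part of the thread: a short Python script that models the /25-on-the-router, /24-on-the-clients layout from the message above and makes the two consequences visible. A LAN host configured /24 believes a wireless-side address is on-link, so it ARPs for it directly and nothing reaches the router unless the router answers that ARP for it (proxy ARP); and the lower half's clients use a broadcast address (.255) that is not the broadcast of the router's le0 /25 (.127). The interface names and prefixes are the ones in the post; the client addresses are constructed.

```python
from ipaddress import ip_address, ip_interface

# Constructed to match the layout in the post: the router carries two /25s,
# while clients on both halves are configured with a /24 (255.255.255.0).
ROUTER_IFACES = {
    "le0": ip_interface("192.168.1.1/25"),     # wired LAN half
    "le2": ip_interface("192.168.1.129/25"),   # wireless half
}
CLIENTS = {                                    # constructed sample hosts
    "lan-host":  ip_interface("192.168.1.9/24"),
    "wlan-host": ip_interface("192.168.1.130/24"),
}


def router_iface_for(addr):
    """Name of the router interface whose /25 contains addr, else None."""
    a = ip_address(addr)
    for name, iface in ROUTER_IFACES.items():
        if a in iface.network:
            return name
    return None


def path_check(client_name, dst):
    """Compare the client's view of reachability with the router's."""
    client = CLIENTS[client_name]
    src_if = router_iface_for(client.ip)
    dst_if = router_iface_for(dst)
    client_on_link = ip_address(dst) in client.network
    router_routes = src_if != dst_if
    return {
        "client_on_link": client_on_link,       # client will ARP, not route
        "router_iface_src": src_if,
        "router_iface_dst": dst_if,
        "router_routes": router_routes,         # router sees two subnets
        # The client ARPs for dst directly; the real host is behind another
        # router interface, so only proxy ARP on the router would make it work.
        "needs_proxy_arp": client_on_link and router_routes,
    }


def broadcast_check(client_name):
    """Does the client's broadcast address match its router interface's?"""
    client = CLIENTS[client_name]
    iface = ROUTER_IFACES[router_iface_for(client.ip)]
    client_bcast = client.network.broadcast_address
    router_bcast = iface.network.broadcast_address
    return {
        "client_bcast": str(client_bcast),
        "router_bcast": str(router_bcast),
        "mismatch": client_bcast != router_bcast,
    }


if __name__ == "__main__":
    print(path_check("lan-host", "192.168.1.130"))
    print(broadcast_check("lan-host"))
    print(broadcast_check("wlan-host"))
```

The wireless half happens to share its broadcast address with the /24 (both .255), which is why only the lower half shows the mismatch; the ARP problem, though, affects every cross-half conversation in both directions.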
Fw: 3.7 CD tshirt poster pre-orders
Dang. What happened to my keyboard? An attempt at humor lost in my dyslexic fingers. Oh well maybe next time. - Original Message - From: Jim Mays [EMAIL PROTECTED] To: misc@openbsd.org Sent: Saturday, March 26, 2005 7:20 AM Subject: Fw: 3.7 CD tshirt poster pre-orders Now or we shall taunt you a second time
Question?
My name is Shawn. I have a full version of Windows XP Professional and it is bootable, but when I go into the BIOS it only gives the option to check the floppy, then the hard drive, then the CD Rom, but I need it to check the CD Rom first. Can you tell me how to change the boot sequence? Can you help? Shawn
Re: Very General ports and packages question.
Thank you all. This has been very helpful. Since I am using the stable branch, it sounds like I can use packages without a problem. I appreciate the help. Chris
Re: Units for Check-interval in isakmpd.conf?
eric [EMAIL PROTECTED] writes: Default-phase-2-lifetime= 1200,60:86400 ^^ The Main Mode lifetime currently defaults to one hour (minimum 60 seconds, maximum 1 day). The Quick Mode lifetime defaults to 20 minutes (minimum 60 seconds, maximum 1 day). That all seems to point towards seconds. Oh, okay, I was unsure of assuming that. Thanks. -- Seeya, Paul
Re: snapshot, how to upgrade
The flavors of OpenBSD can be confusing. Don't think of snapshots as beta releases. They're not. They're not even a flavor of OpenBSD. Think of them, instead, as a point-in-time alpha release that was made for a particular test of some kernel/userland/XF4 functionality. They are also used as a springboard to installing -current for the first time, because you can avoid manually making all of the structural changes described in http://openbsd.org/faq/current.html -- the following current document. It seems to me that because snapshots are packaged in a set of .tgz files like -releases, people think of them as beta releases. But they're not. OpenBSD doesn't have beta releases. Following -current has its uses, and can be attractive because of port developments. But -current changes constantly, and a snapshot is a convenient springboard only. This is how I think of it: -release: production release with integrated ports -stable: published patches to production release snapshot: alpha for a particular purpose / ease-of-use springboard to -current install -current: ever changing development environment From my perspective, none of those is a beta release. Chapter 5 of the FAQ begins with a flavor diagram. Snapshot isn't in the diagram. And, the rest of section 5.1 describes, in detail, what following -current means, what snapshots are and why snapshots are created, and how to use them. http://openbsd.org/faq/faq5.html#Flavors I hope this was helpful as a level set. -Josh Grosse- On Saturday, linc wrote: Howdy, I am running the April 10 snapshot, and it looks like the snapshots were updated April 27. I can't install packages now. This is the first time I've run a snapshot.
So do I have to: 1)cvs source and rebuild everything, then use pkgsrc 2)install the new snapshot and be able to install new packages (will old packages work) 3)somehow just update some of my packages to meet dependencies for the newest packages I'm sure this is asked several times a year, haven't found it yet, sorry. Linc
Re: Background developer knowledge
On Mar 24, 2005, at 12:28 PM, T. wrote: Hello What kind of understanding/years of experience/education is really needed to be able to do anything useful with OpenBSD (or any OS in general) source-code? I wouldn't say I'm at the useful stage yet, but... the responses so far seem quite good. Learn C, but stay away from fluffy variants. Coursework is good. Book learning and experience are interchangeable for approximately the first 1-2 years. Beyond that, IMO, extra book learning doesn't buy you much until about the 5th year (when you might hit advanced concepts, mathematical analysis, or designing new things). Crap experience doesn't count for much, either. :-) Good experience is, on the other hand, invaluable. Luckily, there's a lot of good experience buried in the OBSD source. Read it. Take a break when you get a headache, then read it some more until it starts to make sense. A while ago, I read The Design and Implementation of the 4.4 BSD Operating System (McKusick et al.) cover-to-cover. I thought it was a fascinating read, and it might give you some good context. For my part, I find that the more you program applications in userland, the more you need to learn about the underlying OS. e.g. the only way to truly learn things like shared memory, threads, locks, etc. is to understand how the underlying OS handles them. The OS exists for one reason and one reason only: to be useful. Understanding its uses is a good way to get a handle on *why* it does what it does. To this end, write applications that take advantage of the underlying OS code WHILE you are learning it. (In this sense, I would view things like routing and PF to be applications, even though they are integrated, in the sense that they are functions beyond simple hardware management.) On the other hand, a background in working with simple systems (embedded RTOS, for example) doesn't hurt either. It might give you some idea of how and why an OS does what it does.
Understand the simple, then add complexity until your head explodes. Though ultimately, I think the best way to learn might be: download the source compile (prove to yourself that it works) modify the source fail to compile fix what you've broken Knowing enough to be dangerous is the optimal position to be in for learning, as long as you force yourself to dig your own way out. JMF
Re: Newbie with Wireless woes
Okay... I have scoured the internet ceaselessly for the last 2 hours. I have been at this all day straight now. I found the page where I can download the firmware, but the update utilities for linux or dos are nowhere to be found. Can anybody please tell me where I can get we110p.exe or prism2_srec from? All the links on the hawking site are broken. I have been reading about this here: http://linux.junsun.net/intersil-prism/ I assume this is what you meant, right Todd? Thanks. Chris Chris wrote: Thanks Todd, Any Idea where I can get this firmware update from, and the utility? Todd C. Miller wrote: In message [EMAIL PROTECTED] so spake Chris (cditri): Here is what I have: OpenBSD 3.6 IBM 390e laptop D-Link DWL7100-AP (802.11a/g wireless access point, claims backward compat. with 802.11b) US Robotics USR2410 (802.11b wireless card) A RedHat Linux DHCP server running ISC's dhcpd I have a gentoo linux laptop working with this wireless setup. I just can't get my OBSD laptop working. The machine seems to detect the card. Dmesg: wi0 at pcmcia1 function 0 U.S. Robotics, IEEE 802.11b PC-CARD, Version 01.02 port 0xa000/64 wi0: PRISM2 HWB3163 rev.A, Firmware 0.3.0 (primary), 0.7.6 (station), address 00:90:d1:08:44:7d I have tried to construct my hostname.wi0 as suggested in the manpage: !/sbin/wicontrol wi0 -f 11 -x1 -E3 inet 10.100.100.29 255.255.255.0 10.100.100.255 nwid myssid nwkey 0xmylonghexkey mediaopt hostap dhcp Your firmware is very old and cannot support hostap (let alone enhanced security mode). I'm using station firmware 1.7.1 on my PRISM2 HWB3163 cards and it works quite well. You should be able to use the DOS-based prism flasher to update the firmware. - todd
Re: Newbie with Wireless woes
Okay! Firstly, thank you all for your help. I would like to post what I have done for posterity. I hope no one has to go through everything I went through with this. (Using a US Robotics USR2410 802.11b wireless nic). PROBLEM 1: The card did not seem to respond in any way no matter what I did. SOLUTION: Firmware update was, in fact, necessary (As Todd guessed). PROBLEM 2: Acquiring the firmware. Going to Intersil.com was a waste of time (even though they made the prism2 chip). Wound up getting referred to Connexant's website. Another dead end. Don't waste your time there either. SOLUTION: Finding the magical combination of words for a google search to turn up this site: http://linux.junsun.net/intersil-prism/ . Wherever you are, Jun, thank you! PROBLEM 3: The page refers to a dos utility that it itself does not host. It is a link or two removed from the site, and when you find it, it points you to a broken link on the Hawking website. All subsequent search engine searches seem to point to the same broken link. SOLUTION (sorta): decide to try linux utility prism2_srec to update (figuring I can boot to knoppix). PROBLEM 3a: Can't find that utility anywhere either, seems to be referred to all over the web, but can't find download source. Rumor has it that it is in the HostAp suite, but I read the readme in that tarball and did a find . -iname *srec and similar such things and did not find it therein. PROBLEM 4: Stuart was kind enough to find out where hawking was hoarding its w110p.exe file. For future reference, it is here: http://www.hawkingtech.com/images/drivers/we110p.exe . I tried many variants on the hawking site (thinking the file might have been moved rather than deleted), but that one escaped me. Thanks Stuart. Now that I had the dos flash utility, however, it didn't work for me! It would not detect my cardbus -- even when using the legacy.exe as suggested. SOLUTION: As much as I didn't want to do this, I bit the bullet, and did a win98 install.
I dug up an old win98 disk, and borrowed another hard drive so I wouldn't have to nuke my progress with OBSD. Well, due to hardware problems, couldn't do that. So I *did* nuke my OBSD install, installed win98, and all the drivers for that wireless nic. ULTIMATELY, I wound up using the windows utility to flash the 1.7.1 (Utility complained about 1.7.4). Since I had it up, I confirmed that it did work under windows. I nuked my win98 install, reinstalled OBSD 3.6, wrote a new /etc/hostname.wi0 that looks like this: !/sbin/wicontrol wi0 -e1 -k 0xmylongobnoxioushexkey -n myssid -t3 -f 6 -F 0 -A 2 dhcp NONE NONE NONE And BAM! It works! Praise be! And it only took me about 16 hours of solid work! Thank you all for your help. None of it was wasted. I hope that someday this post will be able to help someone else and your efforts will not have to be repeated. Chris
A PRODUCTIVE, QUALITY, SAFE COMPANY - Productivity Course for SMEs with the 5Ss
Dear entrepreneur, warm greetings. I am pleased to invite you to take part in the course PRODUCTIVITY FOR SMEs WITH THE 5Ss, which will be given in Mexico City on 21 APRIL of this year. The course provides a tool that adapts concepts of Japanese origin to Mexico's small and medium-sized enterprises, concepts that underpin continuous-improvement processes. It focuses on creating and maintaining teams and work areas, and on cleaner, more organized and safer companies, bringing greater quality of life to work. It aims for a more efficient and uniform functioning of all the elements that make up the company, making it more productive in its operations. It is a simple and effective methodology that benefits both the individual and the company as a whole. Course benefits: Your company will produce with fewer defects, will assure quality so that standards can be met, and will have no waste. It prevents shortages and reduces inventories. Establish preventive maintenance programs and promote continuous improvement within the company. Develop a productive company, able to do more with less. It lets you save money through better handling and distribution of resources. Generate shorter response times in operations, since it makes them more efficient and helps you meet deadlines. It gives you better control over operations, resources and staff. It minimizes errors and makes evident what is wrong. You will have safe practices in your company, accidents will be reduced, and it will help you prevent contamination. For more information please call (55) 56057743. DON'T MISS THIS OPPORTUNITY. Regards, Fabián E. Gómez, Training Coordinator, NCM S.A. de C.V. Consultoría y Capacitación. Tel.: (55) 5605 7743 Fax: (55) 5605 7469 E-mail: [EMAIL PROTECTED]
Re: bridge changes traffic interface for pf, but not for tcpdump
On Feb 27, 2005, at 2:00 PM, Camiel Dobbelaar wrote: On Sun, 27 Feb 2005, Jim Fron wrote: Yes, I'm getting the feeling that what I'm seeing is not normal. As I've said, I have a suspicion that it's due to the le[dma] SBUS interfaces not having their own MAC address, and that somehow getting confused at the bridge level. I'm thinking about getting a QFE to test this out. To determine if traffic is destined for one of its member interfaces, the bridge walks the member list and compares the destination MAC with that of the interface. Because LIST_INSERT_HEAD() is used, the interface you added last to the bridge is checked first, etc. So, that explains why traffic always arrives destined for the OpenBSD box on le2. I presume a similar search happens for outbound, and that's why all traffic is said to originate on le0, even if it is physically sent out le2? You probably added le2 to the bridge last, so that one will always get the traffic destined for the le MAC. Yup! Maybe sea.c is worth a try to change the MAC of one of the interfaces... http://www.monkey.org/openbsd/archive/tech/9810/msg00022.html Worth a try, but it doesn't help. le0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500 address: 08:00:20:77:a4:79 ... le2: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500 address: 08:00:20:77:a4:7b But a tcpdump from a machine connected to le2 says: 00 08:00:20:77:a4:79 ... Looks like the kernel thinks the address changed, but the le card overrides the hardware address supplied. Before you ask, yes, local-mac-address?=true Now ALL of the PF rules for traffic to and from the OpenBSD box from any machine, any interface, match le0 (rather than all in on le2, all out on le0). ;-) Thanks, though.
Camiel, since you're the one who wrote the patch for vlan that I googled up, am I right in thinking that PF is confused about the interface because the bridge is changing the arriving interface, and that bridge rules for tagging aren't working properly, because of the same-MAC-address thing? Do you have any idea where I should start looking, in the source, for the place where bridge is confusing these interfaces? Basically, I would think that: frame arrives: if destined for some machine on the same interface, don't touch it (behave as it does now) if destined for some machine on the other side of the bridge (or unknown), behave as it does now. if destined for some machine on the NAT, behave as it does now. if destined for local machine, DON'T modify the interface it came in on by searching the list by MAC address, just pass it on to bridge rules and PF with the interface it was received on. I'm mucking about in src/sys/net/if_bridge.c, and I think I'm starting to follow it. Thanks, Jim
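Added example, not code from OpenBSD's if_bridge.c: a small C model of the member lookup Camiel describes above (head insertion, first MAC match wins, receiving interface ignored), enough to reproduce why a frame for the shared le MAC is always attributed to the member added last, and to contrast it with the receive-interface-first variant Jim sketches. The list and the helper names are my own stand-ins for the kernel's LIST_* macros; the two station addresses are the ones quoted in the thread.

```c
/* Added example, not OpenBSD's bridge code: models the member lookup
 * described in the thread to show the effect of two members sharing a MAC. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHER_ADDR_LEN 6

struct bif {
    const char *name;
    uint8_t     mac[ETHER_ADDR_LEN];
    struct bif *next;            /* stands in for LIST_ENTRY(bif) */
};

struct bridge {
    struct bif *members;         /* stands in for the LIST_HEAD of members */
};

/* Insert at the head, as LIST_INSERT_HEAD() does: the member added last is
 * the first one every later walk of the list visits. */
void bridge_add_member(struct bridge *br, struct bif *m)
{
    m->next = br->members;
    br->members = m;
}

/* "Is this frame for one of my own interfaces?": walk the members and return
 * the first whose MAC equals the frame's destination MAC. The interface the
 * frame physically arrived on plays no part in this decision. */
const char *bridge_local_dst(const struct bridge *br, const uint8_t *dst)
{
    const struct bif *m;
    for (m = br->members; m != NULL; m = m->next)
        if (memcmp(m->mac, dst, ETHER_ADDR_LEN) == 0)
            return m->name;
    return NULL;
}

/* The alternative Jim sketches: if the frame is for the MAC of the interface
 * it arrived on, keep that interface instead of re-deriving it from the list.
 * Illustrative only; not a kernel patch. */
const char *bridge_local_dst_keep_rcvif(const struct bridge *br,
                                        const uint8_t *dst, const struct bif *rcvif)
{
    if (memcmp(rcvif->mac, dst, ETHER_ADDR_LEN) == 0)
        return rcvif->name;
    return bridge_local_dst(br, dst);
}

/* Station addresses quoted in the thread: the one both le ports report, and
 * the one assigned to le2 with sea.c (which the hardware then ignored). */
static const uint8_t LE_MAC[ETHER_ADDR_LEN]  = {0x08, 0x00, 0x20, 0x77, 0xa4, 0x79};
static const uint8_t LE2_MAC[ETHER_ADDR_LEN] = {0x08, 0x00, 0x20, 0x77, 0xa4, 0x7b};

/* Build the bridge as in the thread (le0 added first, le2 last) and ask which
 * member a frame to the le0 MAC is attributed to. With a shared MAC the answer
 * is "le2" whatever port it arrived on; with distinct MACs it is "le0". */
const char *attributed_iface(int distinct_macs)
{
    struct bif le0 = { "le0", {0}, NULL };
    struct bif le2 = { "le2", {0}, NULL };
    struct bridge br = { NULL };

    memcpy(le0.mac, LE_MAC, ETHER_ADDR_LEN);
    memcpy(le2.mac, distinct_macs ? LE2_MAC : LE_MAC, ETHER_ADDR_LEN);
    bridge_add_member(&br, &le0);
    bridge_add_member(&br, &le2);
    return bridge_local_dst(&br, LE_MAC);   /* name is a string literal: safe */
}

/* Same shared-MAC setup, frame arriving on le0, resolved receive-interface first. */
const char *attributed_iface_keep_rcvif(void)
{
    struct bif le0 = { "le0", {0}, NULL };
    struct bif le2 = { "le2", {0}, NULL };
    struct bridge br = { NULL };

    memcpy(le0.mac, LE_MAC, ETHER_ADDR_LEN);
    memcpy(le2.mac, LE_MAC, ETHER_ADDR_LEN);
    bridge_add_member(&br, &le0);
    bridge_add_member(&br, &le2);
    return bridge_local_dst_keep_rcvif(&br, LE_MAC, &le0);
}

int main(void)
{
    printf("shared MAC, frame to le MAC      -> %s\n", attributed_iface(0));
    printf("distinct MACs, frame to le0 MAC  -> %s\n", attributed_iface(1));
    printf("shared MAC, keep rcvif (le0)     -> %s\n", attributed_iface_keep_rcvif());
    return 0;
}
```

The model only covers the local-delivery decision; it says nothing about how the real bridge learns or forwards, and the receive-interface-first variant is shown to make the proposed behaviour concrete, not as a tested change.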
OpenOffice, the next hurdle
Okay. Much to my surprise, it appears that OpenOffice does not run on OBSD. I noticed that it does run on FreeBSD, but since I am a noob to BSD (I know nothing about freebsd and next to nothing about OBSD), I have no idea how those systems differ. I have read scattered threads here and other places that it is possible to run OpenOffice through linux emulation. So, I spent the last few hours looking into linux emulation. I have printed out all of the docs, and have them in a binder. I have been reading straight through as I build my system. I didn't see much about the appropriate way to set up linux emulation (It is briefly mentioned in chapter 9.4 of the Docs). I have poked around the net, and could not find anything recent on the issue, so finally I found a man page on my obsd 3.6 system that discussed it: compat_linux. I have done my best to make certain I have followed its recommendations, but it is a bit sparse with regards to what steps to take here. I have used ports to install redhat libraries. I have edited my /etc/sysctl.conf and uncommented kern.emul.linux=1. Now, there is some mention about using procfs in that man page, and I have sniffed all over the internet. I can find nothing conclusive on *how* to use it for this purpose. There is no /proc in BSD. There is no /emul/linux/proc either. I don't know if there is a file/image somewhere that I am supposed to mount, or if I just mount proc to proc. Should I make a /proc and/or a /emul/linux/proc? I believe I understand the syntax, I just don't know what arguments to use, where to mount it or what to mount. For shits and giggles, I did make a /proc and a /emul/linux/proc and did this: mount_procfs -o linux /proc /proc; mount_procfs -o linux /emul/linux/proc /emul/linux/proc. I have no idea how close this is to anything useful. I sacrificed my OO on my Gentoo linux system.
I completely uninstalled it because it was compiled for an Athlon system and I didn't want to introduce more variables than necessary since this is my first time with linux emu. I downloaded the standard i386 binary installer for OO, and installed it. I tarred that up, and scp'd it to my OBSD box. I uncompressed the tarball under /emul/linux/usr/OpenOffice. I cd to that directory, and I find the link to the executable. I issue this command: ./soffice. My hard drive starts crunching for a few seconds, then it bombs out, complaining that it cannot find libXext.so.6. Now, I know I have that file on my system, it lives here: /usr/local/redhat/emul/usr/X11R6/lib -- which sounds right to me. My confusion: 1) I don't know if there is supposed to be some environmental variable to set a path for linux executables. Is that what I am missing? 2) I don't know if this is symptomatic of not understanding the whole procfs issue above. 3) I don't know if my system even knows that this is a *linux* application.. I assume the kernel knows the difference here... Am I supposed to run it through an emulation command first (like wine)? 4) Some other factor that I am completely unaware of. I am trying here. I am doing my homework but I am coming up dry. Can someone please help? Thanks. Chris
Re: mozilla: can't load library 'libmozjs.so.1.0', can't load library 'libnspr4.so.1.0'
On Tue, Dec 07, 2004 at 02:04:02AM +0100, Rogier Krieger wrote: Previous message from Chris Paul (7-12-2004 1:53): To sum up: firefox does not work, but sudo firefox does. Which, at first glance, makes me wonder about file permissions. Could be firefox profile. Try copying /root/.firefox to ~/.firefox. I think it is firefox, but you should copy .mozilla too. Cheers -- Breno H. Leitão http://lcr.icmc.usp.br/~leitao
pflog0, ICMP rule 4294967295/3(short)
I was testing my pf.conf rules, and I ran across something rather odd while sending odd ICMP frames. I wrote a quick app to send raw ICMP/UDP/TCP frames, and ran it from an OSX box to send raw ICMP. I ran simultaneous tcpdumps on the OSX box sending the frame, the OpenBSD (-stable, as of a couple of weeks ago) box le0 receiving the frame, and pflog0. On OSX (which includes the link-level in -xxx: ...ethertype IPv4 (0x0800), length 38: IP (tos 0x0, ttl 255, id 24192, offset 0, flags [none], length: 24) 192.168.1.9 192.168.1.1: [|icmp] 0x: 0800 2077 a479 000a 9579 cb8a 0800 4500 ...w.y...yE. 0x0010: 0018 5e80 ff01 da09 c0a8 0109 c0a8 ..^. 0x0020: 0101 0800 f7ff .. OpenBSD on le0: ...0800 60: 192.168.1.9 192.168.1.1: icmp: echo request (id: seq:21845) (ttl 255, id 24192) 4500 0018 5e80 ff01 da09 c0a8 0109 c0a8 0101 0800 f7ff tcpdump sees extra 0x55's? Is this reading past the short message into init'ed memory? Moreover, on pflog0: Mar 08 20:04:23.030298 rule 4294967295/3(short): pass in on le0: 192.168.1.9 192.168.1.1: [|icmp] (ttl 255, id 24192) 4500 0018 5e80 ff01 da09 c0a8 0109 c0a8 0101 0800 f7ff The only reference I could find to matching that rule (4294967295 == 0x) was in reference to a patch fixing a problem with backing out of anchors. I have no anchors. ICMP frames with 4 bytes of payload don't do this, and match their appropriate rule. Any idea what's going on? UDP and TCP with no payload don't do this, just ICMP. Is the frame being reported properly -- that is, is it actually being passed, or is it being dropped but being reported as a pass? Thanks, JMF
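Added example, not code from the posts or from pf: a Python script that rebuilds the 24-byte packet from the hex dump above and shows why a filter's header pull calls it short while an ICMP echo with its full 8-byte header, or a UDP datagram with no payload, is not. It serves both this post and the follow-up thread higher on the page (the "short" reason, and the observation that short TCP and UDP were not logged the same way: a TCP or UDP packet with no payload still carries a complete header, whereas this ICMP packet stops after type, code and checksum). The flags/fragment-offset word 0x0000 is not visible in the scraped dump; it is taken from the "flags [none], offset 0" line of the OS X dump and is confirmed by the header checksum 0xda09 verifying to zero. The minimum-header table and the build_* helpers are my own simplified model of the check, not pf's code.

```python
import struct
from ipaddress import ip_address

# Constructed from the hex dump in the post: a 20-byte IPv4 header followed
# by only 4 bytes of ICMP (type 8, code 0, checksum; no id/seq words).
# The 0x0000 flags/fragment word is reconstructed from the OS X dump's
# "flags [none], offset 0"; the header checksum below confirms it.
SHORT_ICMP = bytes.fromhex(
    "4500 0018 5e80 0000 ff01 da09 c0a8 0109 c0a8 0101"   # IPv4 header
    "0800 f7ff"                                            # ICMP, truncated
)

# Smallest transport header a filter needs before it can classify a packet
# (assumed model: ICMP 8, TCP 20, UDP 8 bytes). Shorter is "short".
MIN_L4_HDR = {1: 8, 6: 20, 17: 8}
PROTO_NAME = {1: "icmp", 6: "tcp", 17: "udp"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, payload: bytes, src="192.168.1.9",
               dst="192.168.1.1", ident=0x5E80, ttl=255) -> bytes:
    """IPv4 header (no options) with correct total length and checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, ip_address(src).packed,
                      ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo(ident: int, seq: int) -> bytes:
    """A complete 8-byte ICMP echo request header (type 8, code 0)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]


def build_udp_empty(sport: int, dport: int) -> bytes:
    """UDP header with no payload: still a full 8 bytes (checksum 0 = none)."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def inspect(pkt: bytes) -> dict:
    """Classify a packet the way a header pull would: 'short' when the IP
    total length does not cover the minimum transport header."""
    if len(pkt) < 20:
        return {"reason": "short", "why": "IPv4 header itself truncated"}
    vihl, _tos, tot_len, _id, _frag, _ttl, proto, _ck, _s, _d = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    info = {"proto": PROTO_NAME.get(proto, str(proto)),
            "tot_len": tot_len, "ihl": ihl}
    if ihl < 20 or tot_len < ihl or len(pkt) < ihl:
        info.update(reason="short", why="IP length fields inconsistent")
        return info
    info["ip_cksum_ok"] = inet_checksum(pkt[:ihl]) == 0
    l4_len = tot_len - ihl
    need = MIN_L4_HDR.get(proto)
    info.update(l4_len=l4_len, need=need)
    if need is not None and l4_len < need:
        info.update(reason="short",
                    why="%s header is %d bytes, needs %d" % (info["proto"], l4_len, need))
    else:
        info.update(reason="match", why="transport header complete")
    return info


if __name__ == "__main__":
    print(inspect(SHORT_ICMP))
    print(inspect(build_ipv4(1, build_icmp_echo(0x1234, 1))))
    print(inspect(build_ipv4(17, build_udp_empty(40000, 53))))
```

Rebuilding the posted packet with build_ipv4(1, bytes.fromhex("0800f7ff")) reproduces the dump byte for byte, including the 0xda09 checksum, which is what pins down the missing 0x0000 word; the 0x55 bytes tcpdump showed on le0 lie beyond the IP total length and are not part of the packet as the IP header describes it.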
Re: More info on SIOCDIFADDR
I took all the wires loose from the cable modem and looked it over good. I could not find any reset button. However, since everything has been off for several hours, when I plugged it all back in and turned on the firewall, it got an address immediately. So my problem is fixed, but I don't know how. I guess it was something with Comcast. - Original Message - From: Steve Shockley [EMAIL PROTECTED] Cc: misc@openbsd.org Sent: Monday, March 07, 2005 8:56 AM Subject: Re: More info on SIOCDIFADDR Jim Mays wrote: Why can my laptop get an address and my firewall can't, when it could up until yesterday? Try doing a cold reset of your cable modem. On mine, you hold down the reset button in the back while plugging it in. On some providers, you need to do that so it picks up a new authorized MAC address.
bridge changes traffic interface for pf, but not for tcpdump
Okay, here's the deal: when I bridge two interfaces, one of which has an IP address, traffic from nodes on one side to the other passes through pf just fine, all rules matching properly. Traffic TO the OpenBSD system itself hits pf rules for in on le2, and out on le0 regardless of which physical interface the traffic actually appears on. Perhaps I'm the only person who has ever experienced this, or else, I'm the only one who has cared. I can't find anything by googling, and I've either stumped -- or, more likely, bored -- anyone listening. Thus, it's time for me to hit the source code myself. I've checked out -stable. I'm ready to go, I just don't know where to start. With bridge0 down, traffic matches rules for the proper interfaces, with bridge0 up, pf sees it on the wrong interfaces... Is if_bridge.c the right place to start? Any other suggestions? Much appreciated, JMF
Fw: 3.7 CD tshirt poster pre-orders
Now or we shall taunt you a second time - Original Message - From: Siegbert Marschall [EMAIL PROTECTED] To: Alexander Chamandy [EMAIL PROTECTED] Cc: Theo de Raadt [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Saturday, March 26, 2005 1:48 AM Subject: Re: 3.7 CD tshirt poster pre-orders Alexander Chamandy [EMAIL PROTECTED] (Money for Theo to live on because he does not have a job, his profession is trolling his own mailing lists and going all over the world to promote anti-BSD unity politics. Shut up idiot, you have no idea what you are talking about. It would be very nice if Theo could afford to buy let's say a nice private Jet from the money OpenBSD is generating. I would still buy the CDs and T-Shirts and make donations. You know why ? Because OpenBSD is worth more. You know nothing, have no clue and courtesy, not even the common sense to ask before acting, just go away. Thanks to all the people who make OpenBSD happen.
Re: Newbie with Wireless woes
Is this where you saw that? http://www.usr.com/support/product-template.asp?prod=2410 I see the hex, but I do not see a dos firmware update utility. Only a windows based gui. Can you show me where you saw the DOS version? Thanks, Chris Stuart Henderson wrote: --On 12 March 2005 18:49 -0500 Chris [EMAIL PROTECTED] wrote: Any Idea where I can get this firmware update from, and the utility? USR website has v1.4.9 station firmware and a Windows-based update tool listed under your card's support page, this version should be fine for normal use. DOS and Linux update tools are available, see http://netgate.com/info/miniPCI/Prism/Firmware/help.html.
Openbsd log
Hey Guys, I and kiko ([EMAIL PROTECTED]) patched snort to understand the current pf log format. Snort had support only for the old (3.3?) pf log file format. Now I need an old pf log file to keep snort backward compatible. Can anyone send me some, so I can test and send a clean patch to snort-dev? Thank you all, Cheers, PS: Any old log will be welcome. :) Breno H. Leitão http://lcr.icmc.usp.br -- Async Open Source (16) 3361 2331 São Carlos, SP Brasil
Re: Newbie with Wireless woes
Thanks Todd, Any Idea where I can get this firmware update from, and the utility? Todd C. Miller wrote: In message [EMAIL PROTECTED] so spake Chris (cditri): Here is what I have: OpenBSD 3.6 IBM 390e laptop D-Link DWL7100-AP (802.11a/g wireless access point, claims backward compat. with 802.11b) US Robotics USR2410 (802.11b wireless card) A RedHat Linux DHCP server running ISC's dhcpd I have a gentoo linux laptop working with this wireless setup. I just can't get my OBSD laptop working. The machine seems to detect the card. Dmesg: wi0 at pcmcia1 function 0 U.S. Robotics, IEEE 802.11b PC-CARD, Version 01.02 port 0xa000/64 wi0: PRISM2 HWB3163 rev.A, Firmware 0.3.0 (primary), 0.7.6 (station), address 00:90:d1:08:44:7d I have tried to construct my hostname.wi0 as suggested in the manpage: !/sbin/wicontrol wi0 -f 11 -x1 -E3 inet 10.100.100.29 255.255.255.0 10.100.100.255 nwid myssid nwkey 0xmylonghexkey mediaopt hostap dhcp Your firmware is very old and cannot support hostap (let alone enhanced security mode). I'm using station firmware 1.7.1 on my PRISM2 HWB3163 cards and it works quite well. You should be able to use the DOS-based prism flasher to update the firmware. - todd
Newbie with Wireless woes
Hello everyone. I am new to OpenBSD (BSD in general), so please be gentle. I have taken special care to pick a wireless card that is on the HCL for openbsd, and I have read the wi man page, the hostname.if manpage and the ifconfig manpage. I have lurked all over google groups, and on this list, and I cannot find what I am doing wrong. I have been at this for over 4 hours straight and I am exhausted. Here is what I have: OpenBSD 3.6 IBM 390e laptop D-Link DWL7100-AP (802.11a/g wireless access point, claims backward compat. with 802.11b) US Robotics USR2410 (802.11b wireless card) A RedHat Linux DHCP server running ISC's dhcpd I have a gentoo linux laptop working with this wireless setup. I just can't get my OBSD laptop working. The machine seems to detect the card. Dmesg: wi0 at pcmcia1 function 0 U.S. Robotics, IEEE 802.11b PC-CARD, Version 01.02 port 0xa000/64 wi0: PRISM2 HWB3163 rev.A, Firmware 0.3.0 (primary), 0.7.6 (station), address 00:90:d1:08:44:7d I have tried to construct my hostname.wi0 as suggested in the manpage: !/sbin/wicontrol wi0 -f 11 -x1 -E3 inet 10.100.100.29 255.255.255.0 10.100.100.255 nwid myssid nwkey 0xmylonghexkey mediaopt hostap dhcp I have tried tweaking the above values in a myriad of permutations. My DWL7100 is set to use channel 6 for 802.11g, so I have tried that. I have tried x at both 0 and 1 values. I have found that no matter what value I give E, I get this error: wicontrol: SIOCSWAVELAN: Invalid argument (or something very similar). I have tried setting the card up manually with the ifconfig command, like so: ifconfig wi0 10.200.200.29 255.255.255.0 10.200.200.255 nwid myssid nwkey \ 0xmylonghexkey mediaopt hostap (\ added for readability). When I do this, I can ping 10.200.200.29 (itself), but not any other machine on the network. I have checked the key a million times. It is as it should be. I just cannot figure out what this thing wants from me... Could someone please give me a hand? Thank you! Chris
Units for Check-interval in isakmpd.conf?
Hi all, Can someone tell me what units are used for the Check-interval value in the [General] section of isakmpd.conf? I looked in the man page, both locally and on-line, and couldn't figure this out. Also, is there a default value for this? If so, what is it? -- Thanks, Paul
Re: Truetype font
On Thu, 17 Feb 2005 18:36:02 +0100 (CET) Bash [EMAIL PROTECTED] wrote: How can I add truetype font in OpenBSD? http://www.openbsd.org/faq/truetype.html#manualfonts
spoofing question
A general security question about spoofing modern *nix operating systems, including OpenBSD. Is spoofing pretty much dead? Do modern *nix machines still use the old BSD style incrementation of sequence numbers (I don't know enough C to find it in the source)? Or are sequence numbers now random (unspoofable). Also, don't high speed LANs (gigabit, fibre) make it doubly hard to guess sequence number? I couldn't find much on the subject. Thanks.
Bug in 'usermod'?
Hello [EMAIL PROTECTED] Do we have a bug in 'usermod'? The situation: groupadd -g site1 ; groupadd -g 1112 site12; groupadd -g 1123 site123 then add same user to the groups usermod -G site1 en;usermod -G site12 en; usermod -G site123 en user 'en' will appear 3 times in group 'site1' and 2 times in 'site12' -- Best regards Maxim Bourmistrov
Interview: Theo de Raadt on Industry and Free Software
Hi all, I thought you might be interested to know that The Epoch Times is running an interview with Theo about why he does it, about industry use of open-source software, and about dedication to quality paying off: http://www.theepochtimes.com/news/5-7-5/30084.html Full disclosure: I conducted the interview. Thanks go to Theo for his time and for being a pleasure to work with. Best, -Matt
Re: C programming question
On Mon, 04-04-2005 at 11:43 -0700, Matt wrote: [...] Can someone break down these declarations (if that's what they are)? Is this a form of typecasting? Thanks for your help. Those are declarations of pointers to functions. /* real function */ void dumb(int a) { return a; } ... /* here follows a declaration of func pointer */ int (*func_ptr)(int); int a; /* assign it */ func_ptr=dumb; /* use it */ a=func_ptr(123); Any good book about C should cover this. Look for OOP in C also; it's common to use pointers to functions + structs to add classes to C. regards, Juanjo -- Development and systems: http://www.usebox.net/ Personal page: http://www.usebox.net/jjm/
Re: Mini-PC recommendation?
On Sun, Jul 03, 2005 at 02:28:00PM -0500, Matthew Weigel wrote: Take a look at the BioStar iDeq 220K, which uses K8M800 and VT8237... looks like on-board SATA, LAN*, and sound are supported, but useable graphics might be missing. I'm going to buy one. Support for the Via Unichrome chipset seems to be missing in OpenBSD Xorg server, but it is in the Xorg CVS tree.
Re: Ram Disk
From: Jim Mays [mailto:[EMAIL PROTECTED] Where can I find more Ram Disk information on: - what it is - why I want to use it - how to configure it - how to know if is done right I can't find a man page on Ram Disk, I can't find anything on the web site except for bug fixes in it. Google and the archives are your friends. rd(4) manual page, but what you *probably* want is MFS. DS
Re: Units for Check-interval in isakmpd.conf?
Paul Lussier wrote: eric [EMAIL PROTECTED] writes: Default-phase-2-lifetime= 1200,60:86400 ^^ The Main Mode lifetime currently defaults to one hour (minimum 60 sec- onds, maximum 1 day). The Quick Mode lifetime defaults to 20 minutes (minimum 60 seconds, maximum 1 day). That all seems to point towards seconds. Oh, okay, I was unsure of assuming that. Thanks. Why has there been an influx of mail like this? This one is dated: 04/12/05 -- Best regards, Chris The man who has no more problems is out of the game.
Re: Flash Plugin for Firefox
On Tue, Jul 05, 2005 at 05:44:01PM -0800, JR Dalrymple wrote: I think if you used Opera for 5 days you'd find it better in EVERY WAY POSSIBLE than Firefox... My 2 cents. I find page loads to be much faster, and nav is 10x faster with gestures and keyboard shortcuts. Except that there is nothing like AdBlock, DOM Inspector, CSS editor and Developer Toolbar for Opera. swfdec is exciting, unfortunately it just never works with real-life Flash files.
problem with ftp-proxy
'lo all. i recently ran into a small issue with ftp-proxy running on my firewall...I definitely know this is a misconfiguration problem as I have had this working as of yesterday. when I attempt to connect to a FTP site from behind the firewall, I do get an initial connection, but then am immediately dropped by the remote host with the following error: 421 Service not available, remote server has closed connection and get the following error on the console of my firewall: Jul 6 08:55:56 smitty ftp-proxy[15298]: cannot find user proxy running 'tcpdump -n -e -ttt -i pflogd' shows nothing getting blocked. at first I thought it was not catching it because i had set loginterface sis0 but I soon changed it to set loginterface sis2 which is my $TRUST_IF (or internal) interface and still saw no packets being dropped. I'm running OpenBSD 3.6 on a Soekris NET4801, relevant files and outputs are listed below (lines wrapped to be 80 columns)... here is my relevant lines from my pf.conf: - rdr on $TRUST_IF proto tcp from $TRUST_NET to any port 21 \ - 127.0.0.1 port 8021 where $TRUST_IF and $TRUST_NET correspond to the NIC and mask for my internal network. here is my relevant lines from my inetd.conf: 127.0.0.1:8021 stream tcp nowait root \ /usr/libexec/ftp-proxy ftp-proxy here is the output of 'netstat -nl': Active Internet connections Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp 0 0 127.0.0.1.8021 *.* LISTEN my 'ps -ax' output: --- PID TT STAT TIME COMMAND 1 ?? Is 0:00.04 /sbin/init 21764 ?? Is 0:02.51 /sbin/mount_mfs -s 16384 /dev/wd0b /tmp 28062 ?? Is 0:00.08 /usr/sbin/inetd 12175 ?? Is 0:00.11 syslogd: [priv] (syslogd) 30702 ?? I 0:00.38 /usr/sbin/syslogd -p /var/run/log 15472 00 Is 0:02.07 -ksh (ksh) 19016 00 ?+ 0:00.00 ps -ax I'm at a loss at this point...any ideas anyone? TIA, ryanc
Semi-OT: Problems getting find to not recurse
Hey folks, OK, I think I've got the dunce hat on today, and I'm about to go crazy with this one. I have a script on an OpenBSD 3.7-STABLE machine that does a find in a directory, and uses rm to remove files older than two days (where RETAIN = +2) : find /path/to/dir -type f -name \*.gz -mtime ${RETAIN} -exec rm {} \; This directory has a subdir (a .ssh), and no matter what I do, I cannot get find to NOT recurse into this subdirectory. I've tried using -path, ! -path, -maxdepth 0|1, and none of them seem to do what I want. I only want find to examine the /path/to/dir directory, and not any subdirs. I've been through the man page so many times, I can just about recite it. Am I just missing something, or is this not possible? I'm guessing it's the former and I've just stared at it too long to see the obvious. Any help greatly appreciated. Benny -- I'd rather staple a skunk to my forehead and go to a trade show for banjo makers.-- PHB's secretary, Dilbert, 07-2002
Re: ISAKMPD VPN w/ Cisco Concentrator
On Wed, Mar 23, 2005 at 12:28:17PM -0500, Paul Lussier wrote: Hi all, I'm in need of a little help setting up a VPN tunnel between my OpenBSD box and a Cisco VPN concentrator. I have successfully set up a tunnel with another OpenBSD box, but in trying to change the isakmpd.conf to then connect to the Cisco, I'm running into trouble. Part of my problem is that I have no Cisco VPN experience, so I don't know how to translate the options set on the Cisco side to something usable by isakmpd. The person in charge of the Cisco side sent me the following config settings: Interface is 192.168.0.5 Authentication ESP/MD5/HMAC-128 Encryption 3DES-168 IKE Proposal IKE-3DES-MD5 Preshared Key is f00zb411 Target Network 192.168.0.0 Should 'Authentication' above be AUTHENTICATION_METHOD in isakmpd.conf? And what does 'IKE Proposal' mean? I couldn't find anything that seemed to match up with that in the isakmpd.conf man page. It's simply the algorithm that you want to use to set up IKE. Has to do with dynamic SAs. Good luck, btw. I can make almost any IPSEC capable device talk to almost any other IPSEC capable device. But the only thing I have ever got to talk to a Cisco is a Cisco. Can't help but notice that you just sent a preshared key to the whole world. I'll gladly send my isakmpd.conf file if anyone needs to see it. Thanks. -- Seeya, Paul -- BOFH excuse #287: Telecommunications is downshifting.
Re: bridge changes traffic interface for pf, but not for tcpdump
I've been informed, if I understand correctly, that bridge isn't intended to do what I want to do with it. FWIW, anyone who is interested, I'm hanging up the modification effort at half complete, because it accomplishes everything I need. That is, I'm interested in blocking traffic to the router differently depending on which leg of the bridge it arrives on. I've solved that, and PF sees the correct inbound interface. The only reason I can think of to care about blocking outbound traffic originating from the router differently--that is, the only reason that inbound rules alone would not be sufficient--would be in the event that the OpenBSD router were compromised. If that were the case, PF rules wouldn't do a bit of good anyway. My thanks to everyone who has helped, especially Camiel Dobbelaar for the vlan patch I found in the archives, which helped me significantly in making my own patch (appended). Jim # Patch to allow machines with multiple interfaces with the same MAC # address on a bridge to send inbound frames to PF with the correct # interface. JMF 2005.02.28 # --- if_bridge.c Wed Aug 18 08:07:47 2004 +++ if_bridge.c Mon Feb 28 11:30:00 2005 @@ -1289,6 +1289,7 @@ struct bridge_iflist *ifl, *srcifl; struct arpcom *ac; struct mbuf *mc; + int ifsrch = 1; /* * Make sure this interface is a bridge member. @@ -1383,6 +1384,14 @@ * Unicast, make sure it's not for us. */ srcifl = ifl; + + /* check to see if it arrived on the destination MAC address */ + if (srcifl-ifp-if_type == IFT_ETHER) { + ac = (struct arpcom *)srcifl-ifp; + if (bcmp(ac-ac_enaddr, eh-ether_dhost, ETHER_ADDR_LEN) == 0) + ifsrch = 0; + } + LIST_FOREACH(ifl, sc-sc_iflist, next) { if (ifl-ifp-if_type != IFT_ETHER) continue; 
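Review bot: in the @@ -1383 hunk, `ifsrch` is cleared when the frame's destination MAC equals the arrival interface's own address, but the search below still runs `LIST_FOREACH(ifl, sc->sc_iflist, next)` to find a member by that same MAC, so on exactly the multi-interface-one-MAC boxes the patch targets it can land on a different member than `srcifl` and `ac` is silently reused as the loop variable; either break out of the search when `ifsrch == 0` (the answer is already `srcifl`) or have the loop compare against `srcifl` first, and state in the added comment that the arrival interface deliberately wins over any other member sharing the MAC.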
@@ -1397,7 +1406,10 @@ m_freem(m); return (NULL); } - m-m_pkthdr.rcvif = ifl-ifp; + /* don't rewrite the packet header interface if the + source interface header matched */ + if (ifsrch) +m-m_pkthdr.rcvif = ifl-ifp; if (ifp-if_type == IFT_GIF) { m-m_flags |= M_PROTO1; ether_input(ifl-ifp, eh, m);
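Review bot: in the @@ -1397 hunk the `if (ifsrch)` guard keeps `m->m_pkthdr.rcvif` on the arrival interface, but two lines later `ether_input(ifl->ifp, eh, m)` is still called with the interface found by the MAC search, so when `ifsrch == 0` the mbuf's `rcvif` and the `ifp` passed to `ether_input()` disagree unless the search happened to return `srcifl`; pass `m->m_pkthdr.rcvif` (i.e. `srcifl->ifp`) to `ether_input()` in that case, or use one variable for both. Style: the added `m->m_pkthdr.rcvif = ifl->ifp;` line has no indentation; match the surrounding tab level.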
Re: Background developer knowledge
On 3/25/2005, Jim Fron [EMAIL PROTECTED] wrote: On Mar 24, 2005, at 12:28 PM, T. wrote: Hello What kind of understanding/years of experience/education is really needed to be able to do anything useful with OpenBSD (or any OS in general) source-code? I wouldn't say I'm at the useful stage yet, but... the responses so far seem quite good. Learn C, but stay away from fluffy variants. Coursework is good. Book learning and experience are interchangeable for approximately the first 1-2 years. Beyond that, IMO, extra book learning doesn't buy you much until about the 5th year (when you might hit advanced concepts, mathematical analysis, or designing new things). Crap experience doesn't count for much, either. :-) Good experience is, on the other hand, invaluable. Luckily, there's a lot of good experience buried in the OBSD source. Read it. Take a break when you get a headache, then read it some more until it starts to make sense. A while ago, I read The Design and Implementation of the 4.4 BSD Operating System (McKusick, et. al.) cover-to-cover. I thought it was a fascinating read, and it might give you some good context. For my part, I find that the more you program applications in userland, the more you need to learn about the underlying OS. e.g. the only way to truly learn things like shared memory, threads, locks, etc. is to understand how the underlying OS handles them. The OS exists for one reason and one reason only: to be useful. Understanding its uses is a good way to get a handle on *why* it does what it does. To this end, write applications that take advantage of the underlying OS code WHILE you are learning it. (In this sense, I would view things like routing and PF to be applications, even though they are integrated, in the sense that they are functions beyond simple hardware management.) On the other hand, a background in working with simple systems (embedded RTOS, for example) doesn't hurt either. 
It might give you some idea of how and why an OS does what it does. Understand the simple, then add complexity until your head explodes. Though ultimately, I think the best way to learn might be: download the source compile (prove to yourself that it works) modify the source fail to compile fix what you've broken Knowing enough to be dangerous is the optimal position to be in for learning, as long as you force yourself to dig your own way out. JMF Hi, One of my friends has always said that you can not read the source without context. He is right. If you don't know what you're looking for, it will not make any sense. This poses a problem if you have nothing to fix and just wish to learn. Would you not agree? Edd
Re: Release 3.7
At 02:44 PM 3/5/2005 -0600, Jim Mays wrote: How does one find out what is planned for the 3.7 release and how do I pre-order it (in order to get it first)? Jim Mays You might want to check your bookshelf - 3.7 started shipping last month. Normally, pre-orders are accepted 30-60 days in advance, simplest solution is to watch the web site for the order page to be updated. Lee
OpenBSD Visible Bridge and NAT box -- strangeness and questions
I have an OpenBSD/Sparc box that I'm using for NAT at home. le0 is the LAN, le1 is the cablemodem. I recently purchased a wireless AP, and would like to add that to the internal network. However, I am paranoid, and, even though I've enabled WPA and hardware address restriction on the AP, I still don't want to just plug it right in to the switch on the LAN. I'd like to be able to restrict access to machines on the LAN to certain services. Also, the OpenBSD box is currently accessible to the LAN in an unrestricted manner -- if anyone has gained physical access to my LAN, well, it's far too late for PF to help :-) I want to restrict access to the wireless AP to DNS and routing services only. Enter le2, stage left. However, I additionally want things like iTunes autodiscovery (244.x broadcasts) to work between the LAN and AP. I've looked briefly into proxy ARP and mrouted, and it seemed that the way to go about this is really just to bridge le0 and le2, and use pf to restrict as much as possible between the two addresses... # le0 is the internal wired LAN # le1 is the external internet # le2 is the internal wireless AP # # Goals: # # Perform NAT for both internal networks to the outside world # Bridge LAN and wireless AP to provide certain broadcast-based # services (Rendezvous/Zeroconf) the impression that they # span the network # Provide DNS service to LAN and wireless # Provide full internet functionality to LAN and wireless # Provide full access to machines on the wireless from the LAN # Provide limited services on LAN machines to wireless clients # Protect the router, LAN, and AP from the internet # Protect the router and LAN from the wireless # # Architecture: # # Sub-net 192.168.1.x, the lower 128 to the LAN, the upper to the # wireless, but configure clients on each with a 255.255.255.0 # netmask. This will result in clients that all believe they # have the same network number and broadcast address. 
# # Bridge wireless and LAN interfaces # # Router provides default-route and DNS to each interface on its # respective network number (i.e. 192.168.1.1 and 192.168.1.129) # # /etc/hostname.le0 # inet 192.168.1.1 255.255.255.128 192.168.1.255 # # /etc/hostname.le1 # dhcp NONE NONE NONE # # /etc/hostname.le2 # inet 192.168.1.129 255.255.255.128 192.168.1.255 # # /etc/bridgename/bridge0 # add le0 add le2 up Each internal subnet client has a 255.255.255.0 mask so that their broadcast addresses will be the same, and so that they all think that LAN and wireless AP are one big happy subnet. Thus, until I bring up bridge0 (or some other form of proxy ARP), LAN machines cannot ping AP machines, and vice versa, because OpenBSD does not proxy ARP by default, even though it knows that they are actually subnetted /25. However, when I bring up bridge0, everything falls apart. My LAN and AP machines can ping each other, but the LAN can no longer connect to the outside world. Why?... from pflog: [date] rule 13/0(match): block in on le2: 192.168.1.9 192.168.1.1: icmp: echo request (id:08ee seq:1) (ttl 64, id 51788) What's the rule blocking this? 
Well, here are the rules leading up to it: @0 pass out quick on lo0 all @1 pass in quick on lo0 all @2 pass in quick on le0 from LAN:1 to WAP:1 @3 pass in quick on le0 inet from LAN:1 to [EXTERNAL INTERFACE ID REDACTED] @4 pass in quick on le0 from LAN:1 to RTER:2 @5 pass in quick on le0 from LAN:1 to LAN:1 @6 pass in quick on le0 from LAN:1 to MCAST:1 @7 block return in log quick on le0 from any to NORTE:6 @8 pass in quick on le0 from LAN:1 to any @9 pass in quick on le2 inet proto icmp from WAP:1 to any icmp-type echoreq @10 pass in quick on le2 inet proto icmp from WAP:1 to any icmp-type echorep @11 pass in quick on le2 inet proto icmp from WAP:1 to any icmp-type timex @12 pass in quick on le2 inet proto icmp from WAP:1 to any icmp-type unreach @13 block return in log quick on le2 inet proto icmp all LAN is 192.168.1.1/25 WAP is 192.168.1.129/25 RTER is { 192.168.1.1, 192.168.1.129 } -- the router IP addresses for le0 and le2, respectively MCAST is { 224.0.0.0/4 } NRTE is the list if RFC 1819 non-routable IP's, plus 127.0, etc. 192.168.1.9 is connected to le0, the LAN. Its traffic is blocked by a rule for inbound traffic on le2. From this, I deduce that: - the bridging operates before pf sees the traffic - the pass-in rules on le0 are not acting on this ping: @0-3 -- not applicable @4 -- pass in quick on le0 from a LAN address to a router address, which allows 192.168.1.9 to ping 192.168.1.1 when bridge0 is down, is NOT passing this ping. - the traffic from le0 appears to be originating from le2 when
Re: Dual monitor for openbsd box
Just out of curiosity, anyone have Dual/Display xorg.config file for a Radeon 9600Pro? I cannot seem to get mine working, and I was wondering if it had something to do with the fact that the second head wasn't identified in the kernel. Dmesg below. Thanks in advance, OpenBSD 3.7-current (GENERIC) #128: Thu Jun 9 12:39:08 MDT 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC real mem = 1072492544 (1047356K) avail mem = 908529664 (887236K) using 22937 buffers containing 107458560 bytes (104940K) of memory mainbus0 (root) cpu0 at mainbus0: (uniprocessor) cpu0: AMD Athlon(tm) 64 Processor 3000+, 2002.89 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,MMXX,LONG,3DNOW2,3DNOW cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative pci0 at mainbus0 bus 0: configuration mode 1 pchb0 at pci0 dev 0 function 0 VIA K8HTB Host rev 0x01 ppb0 at pci0 dev 1 function 0 VIA K8HTB AGP rev 0x00 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 ATI Radeon 9600 Pro rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) ATI Radeon 9600 Pro Sec rev 0x00 at pci1 dev 0 function 1 not configured VIA VT6306 FireWire rev 0x80 at pci0 dev 7 function 0 not configured skc0 at pci0 dev 10 function 0 Marvell SKv2 rev 0x13: irq 5 skc0: Marvell Yukon Lite rev. A3 (0x7) sk0 at skc0 port A: address 00:11:2f:8d:91:8f eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 
5 pciide0 at pci0 dev 15 function 0 VIA VT8237 SATA rev 0x80: DMA pciide0: using irq 5 for native-PCI interrupt pciide1 at pci0 dev 15 function 1 VIA VT82C571 IDE rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility wd0 at pciide1 channel 0 drive 0: ST380011A wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors wd1 at pciide1 channel 0 drive 1: ST340016A wd1: 16-sector PIO, LBA, 38166MB, 78165360 sectors wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5 wd1(pciide1:0:1): using PIO mode 4, Ultra-DMA mode 5 atapiscsi0 at pciide1 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: SONY, DVD-ROM DDU1621, S1.5 SCSI0 5/cdrom removable atapiscsi1 at pciide1 channel 1 drive 1 scsibus1 at atapiscsi1: 2 targets cd1 at scsibus1 targ 0 lun 0: HL-DT-ST, DVDRAM GSA-4081B, A100 SCSI0 5/cdrom removable cd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 2 cd1(pciide1:1:1): using PIO mode 4, Ultra-DMA mode 2 uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x81: irq 11 usb0 at uhci0: USB revision 1.0 uhub0 at usb0 uhub0: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub0: 2 ports with 2 removable, self powered uhci1 at pci0 dev 16 function 1 VIA VT83C572 USB rev 0x81: irq 11 usb1 at uhci1: USB revision 1.0 uhub1 at usb1 uhub1: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub1: 2 ports with 2 removable, self powered uhci2 at pci0 dev 16 function 2 VIA VT83C572 USB rev 0x81: irq 5 usb2 at uhci2: USB revision 1.0 uhub2 at usb2 uhub2: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub2: 2 ports with 2 removable, self powered uhci3 at pci0 dev 16 function 3 VIA VT83C572 USB rev 0x81: irq 5 usb3 at uhci3: USB revision 1.0 uhub3 at usb3 uhub3: VIA UHCI root hub, class 9/0, rev 1.00/1.00, addr 1 uhub3: 2 ports with 2 removable, self powered ehci0 at pci0 dev 16 function 4 VIA VT6202 USB rev 0x86: irq 3 usb4 at ehci0: USB revision 2.0 uhub4 at usb4 uhub4: VIA EHCI root hub, class 9/0, rev 
2.00/1.00, addr 1 uhub4: 8 ports with 8 removable, self powered VIA VT8237 ISA rev 0x00 at pci0 dev 17 function 0 not configured auvia0 at pci0 dev 17 function 5 VIA VT8233 AC97 rev 0x60: irq 3 ac97: codec id 0x41445370 (Analog Devices AD1980) ac97: codec features headphone, 20 bit DAC, No 3D Stereo audio0 at auvia0 pchb1 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00 pchb2 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00 pchb3 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00 pchb4 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00 isa0 at mainbus0 com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 spkr0 at pcppi0 sysbeep0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 lm0 at isa0 port 0x290/8: W83697HF uhidev0 at uhub0 port 1 configuration 1 interface 0 uhidev0: Logitech USB Mouse, rev 1.10/6.10, addr 2, iclass 3/1 ums0 at uhidev0: 3 buttons and Z dir. wsmouse0 at ums0 mux 0 wd0: no disk label dkcsum: wd0 matched BIOS disk 80 dkcsum: wd1 matched BIOS disk 81 root on wd1a rootdev=0x10 rrootdev=0x310 rawdev=0x312 uhub5 at uhub3 port 1 uhub5: Motorola MC141555 hub controller, class 9/0, rev
Re: Release 3.7
On Sat, 2005-03-05 at 14:44:41 -0600, Jim Mays proclaimed... How does one find out what is planned for the 3.7 release and how do I pre-order it (in order to get it first)? 3.7 has been out since May 17th, 2005. Read http://www.openbsd.org/ It's a good starting place.
Re: Question?
On Wed, Jul 06, 2005 at 09:39:10AM -0500, [EMAIL PROTECTED] wrote: On Sun, May 01, 2005 at 07:23:38PM -0400, Shawn Brand wrote: ^ Please watch for old mails. There seems to be some MS Exchange server going nuts at corp.medcenter.com, so don't blindly reply to every mail here. Ciao, Kili ps: I'll try to contact their postmaster.
Small office samba on OpenBSD
Scenario: 5 PC's --- 10/100 switch -- OpenBSD -- Broadband router -- Internet 5 Windows XP workstations on a LAN connected to an OpenBSD server running Samba, DHCP, DNS, SpamAssassin. A 2nd nic in the OpenBSD box goes to a broadband internet connection and PF is enabled and configured securely. Ideally, you want to layer your security services and not run your firewall and file server on the same box, but in a small budget operation that's not always feasible. Would it be preferred to hide the OpenBSD server behind a NAT broadband router (Linksys, Dlink, etc) that the client likely already has in place? Is that extra layer of protection worth the inconvenience? I'd like to create a simple product for SOHO customers for file storage, DVD backups, spam/virus filtering, etc. It's obviously going to be more secure than the same 5 PC's behind the NAT router alone, but should I recommend the box is behind a NAT router for that extra level of protection or is that just a false sense of security? Comments?
Re: C programming question
Making, drinking tea and reading an opus magnum from Juan J. Martínez: On Mon, 04-04-2005 at 11:43 -0700, Matt wrote: [...] Can someone break down these declarations (if that's what they are)? Is this a form of typecasting? Thanks for your help. Those are declarations of pointers to functions. /* real function */ void dumb(int a) { return a; } warning: `return' with a value, in function returning void ... /* here follows a declaration of func pointer */ int (*func_ptr)(int); int a; /* assign it */ func_ptr=dumb; warning: assignment from incompatible pointer type /* use it */ a=func_ptr(123); Any good book about C should cover this. Look for OOP in C also, it's frequent use pointers to functions + structs to add classes to C. perhaps you should read that book first (: cu -- paranoic mickey (my employers have changed but, the name has remained)
Re: C programming question
On Mon, 04 Apr 2005 11:43:21 -0700 Matt [EMAIL PROTECTED] wrote: I need some help understanding some C code. int (*if_ioctl) (struct ifnet *, int, caddr_t); int (*if_watchdog) (int); Can someone break down these declarations (if that's what they are)? Is this a form of typecasting? Thanks for your help. You already posted the *exact* same question a while ago and many people, including me, have answered it already.
Need BOGIES list
Hello All. I'm having trouble with Cracking Attempts and DoS attacks from a lot of places in China :) My client doesn't do any business in that region so they don't mind If I block the entire sub-continent :) Does anyone have a bad-guy list (or part of one) that I can use to get started? I'm using pf under OpenBSD 3.7 as a firewall box. E-mailing me off line is fine geoffw
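Whatever list you end up with, it is worth normalising before handing it to pf: hand-collected lists tend to contain overlapping prefixes, adjacent halves that could be one block, typos, and sooner or later one of your own addresses. The script below is an added example, not from the thread and not an OpenBSD tool; the addresses in it are constructed, not a real blocklist, and the `NEVER_BLOCK` ranges and the table name `badguys` are my choices. It rejects junk and local ranges for review, collapses what is left into the minimal set of prefixes, and writes the one-entry-per-line form that a `table <badguys> persist file "/etc/pf.badguys"` line in pf.conf loads (reloadable later with `pfctl -t badguys -T replace -f /etc/pf.badguys`).

```python
import ipaddress

# Constructed sample, not a real blocklist: overlapping entries, an adjacent
# pair, a junk line and one address from our own LAN.
RAW_LIST = """\
# collected from pflog
203.0.113.0/24
203.0.113.77
203.0.113.254
198.51.100.0/25
198.51.100.128/25
not-an-address
192.168.1.1      # never block our own side
"""

# Ranges that must never land in an inbound block table on this box
# (assumed policy for the example; adjust to the site).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "::1/128", "fc00::/7")]


def parse_blocklist(text):
    """Return (networks, rejected_entries). Comments and blank lines are
    skipped; anything that is not an address or CIDR, or that falls inside
    NEVER_BLOCK, is returned as rejected so it gets looked at instead of
    being silently dropped."""
    nets, rejected = [], []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if any(net.version == p.version and net.subnet_of(p) for p in NEVER_BLOCK):
            rejected.append(entry)
            continue
        nets.append(net)
    return nets, rejected


def collapse(nets):
    """Merge overlapping and adjacent prefixes per address family so the
    table is as small as the list allows."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_table(nets):
    """One address or network per line, the format a pf table file uses."""
    return "".join(f"{n.with_prefixlen}\n" for n in nets)


if __name__ == "__main__":
    nets, rejected = parse_blocklist(RAW_LIST)
    for r in rejected:
        print("rejected:", r)
    print(render_table(collapse(nets)), end="")
```

With the table loaded, `block in quick on $ext_if from <badguys> to any` does the blocking; keep the block rule logged for a while and review pflog, since a list this coarse will catch traffic you did not expect, and refresh it on a schedule rather than letting it fossilise.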
Re: Units for Check-interval in isakmpd.conf?
--On 06 July 2005 09:41 -0500, Chris wrote: Paul Lussier wrote: eric [EMAIL PROTECTED] writes: Default-phase-2-lifetime= 1200,60:86400 ^^ The Main Mode lifetime currently defaults to one hour (minimum 60 sec- onds, maximum 1 day). The Quick Mode lifetime defaults to 20 minutes (minimum 60 seconds, maximum 1 day). That all seems to point towards seconds. Oh, okay, I was unsure of assuming that. Thanks. Why has there been an influx of mail like this? This one is dated: 04/12/05 Some broken MS mail server re-sending them. Check the headers.
Re: Units for Check-interval in isakmd.conf?
Chris wrote: Paul Lussier wrote: eric [EMAIL PROTECTED] writes: Default-phase-2-lifetime= 1200,60:86400 ^^ The Main Mode lifetime currently defaults to one hour (minimum 60 seconds, maximum 1 day). The Quick Mode lifetime defaults to 20 minutes (minimum 60 seconds, maximum 1 day). That all seems to point towards seconds. Oh, okay, I was unsure of assuming that. Thanks. Why has there been an influx of mail like this? This one is dated: 04/12/05 And they all originate from @comcast.net. -- Gudni Thor Bjorgvinsson [EMAIL PROTECTED]
Re: Semi-OT: Problems getting find to not recurse
On Wed, 6 Jul 2005, C. Bensend wrote:
Hey folks,
OK, I think I've got the dunce hat on today, and I'm about to go crazy with this one. I have a script on an OpenBSD 3.7-STABLE machine that does a find in a directory, and uses rm to remove files older than two days (where RETAIN = +2):

find /path/to/dir -type f -name \*.gz -mtime ${RETAIN} -exec rm {} \;

This directory has a subdir (a .ssh), and no matter what I do, I cannot get find to NOT recurse into this subdirectory. I've tried using -path, ! -path, -maxdepth 0|1, and none of them seem to do what I want. I only want find to examine the /path/to/dir directory, and not any subdirs. I've been through the man page so many times, I can just about recite it. Am I just missing something, or is this not possible? I'm guessing it's the former and I've just stared at it too long to see the obvious.
Something like this should work (compare some of the examples in the man page):

find /path/to/dir -name .ssh -type d -prune -or \
    -type f -name \*.gz -mtime ${RETAIN} -exec rm {} \;

-Otto
Re: spoofing question
We consider the problem of inserting a malicious packet into a TCP connection, as well as establishing a TCP connection using an address that is legitimately used by another machine. We introduce the notion of a Spoofing Set as a way of describing a generalized attack methodology. We also discuss a method of constructing Spoofing Sets that is based on Phase Space Analysis and the presence of function attractors. We review the major network operating systems relative to this attack. The goal of this document is to suggest a way of measuring relative network-based sequence number generators quality, which can be used to estimate attack feasibility and analyze underlying PRNG function behavior. This approach can be applied to TCP/IP protocol sequence numbers, DNS query identifiers, session-id generation algorithms in cookie-based authentication schemes, etc. http://www.bindview.com/Services/Razor/Papers/2001/tcpseq.cfm Includes nice pictures -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Sent: Saturday, February 26, 2005 10:36 PM To: misc@openbsd.org Subject: spoofing question A general security question about spoofing modern *nix operating systems, including OpenBSD. Is spoofing pretty much dead? Do modern *nix machines still use the old BSD style incrementation of sequence numbers (I don't know enough C to find it in the source)? Or are sequence numbers now random (unspoofable). Also, don't high speed LANs (gigabit, fibre) make it doubly hard to guess sequence number? I couldn't find much on the subject. Thanks.
Re: Need BOGIES list
--On 06 July 2005 11:50 -0700, Geoff White wrote: Hello All. I'm having trouble with Cracking Attempts and DoS attacks from a lot of places in China :) My client doesn't do any business in that region so they don't mind if I block the entire sub-continent :) Does anyone have a bad-guy list (or part of one) that I can use to get started? Try /etc/spamd.conf.
Re: Dual monitor for openbsd box
On Wednesday, 6 July 2005, Whyzzi told us this: Just out of curiosity, anyone have Dual/Display xorg.config file for a Radeon 9600Pro? I cannot seem to get mine working, and I was wondering if it had something to do with the fact that the second head wasn't identified in the kernel. Dmesg below. Thanks in advance, [ snip dmesg ] Here's the /etc/X11/xorg.conf from my OpenBSD/i386 3.7-stable system that has a Radeon 9600 Pro that I run as a dual-screen display. [ cut here ]-- # File generated by xf86config. # (and heavily modified since) #* # for the ATI Radeon 9600 PRO (AGP) # and the two Planar PX191 monitors #* # with XFree86 V4.x.x using the XFree86 server modules # on OpenBSD using the wsmouse mouse device. #* Section Files RgbPath /usr/X11R6/lib/X11/rgb # FontPath/usr/X11R6/lib/X11/fonts/local/ FontPath/usr/local/lib/X11/fonts/jmk/ FontPath/usr/local/lib/X11/fonts/terminus/ FontPath/usr/X11R6/lib/X11/fonts/misc/ FontPath/usr/X11R6/lib/X11/fonts/Type1/ FontPath/usr/X11R6/lib/X11/fonts/75dpi/:unscaled FontPath/usr/local/lib/X11/fonts/ghostscript/ # FontPath/usr/X11R6/lib/X11/fonts/100dpi/:unscaled # FontPath/opt/ttfonts/ EndSection Section Module Loaddbe Loadextmod Loadglx # Loaddri Loadtype1 Loadfreetype EndSection Section DRI Mode0666 EndSection Section ServerFlags Option BlankTime 0 # disable this Option StandbyTime 0 # disable 'standby mode' Option SuspendTime 0 # disable 'suspend mode' Option OffTime 30# turn the screen right off EndSection Section InputDevice Identifier LogiTechInternetKeyboard Driver keyboard Option autorepeat250 30 #Option XkbLayout my_kb_layout #Option XkbVariantmy_kb_variant Option XkbModel itouch Option XkbRules xfree86 EndSection Section InputDevice Identifier TrackManMarble Driver mouse Option Protocol wsmouse Option Device/dev/wsmouse Option ZAxisMapping 4 5 EndSection Section Monitor Identifier Planar PX191 LCD 1 VendorName Planar ModelName PX191 HorizSync 31.5-80 VertRefresh 56-75 Option DPMS # This monitor is connected 
directly to the DVI connector # and the server can therefore pull EDID information from # the monitor through the card during initialization, so # we don't need to put the display size here. EndSection Section Monitor Identifier Planar PX191 LCD 2 VendorName Planar ModelName PX191 HorizSync 31.5-80 VertRefresh 56-75 Option DPMS # This monitor is connected to the VGA connector through a # KVM switch that does not pass EDID information, so we # put the screen size here so the X server knows how big # the screen is and can figure out the DPI. DisplaySize 380 300 EndSection Section Device ### Available Driver options are:- ### Values: i: integer, f: float, bool: True/False, ### string: String, freq: f Hz/kHz/MHz ### [arg]: arg optional #Option NoAccel # [bool] #Option SWcursor # [bool] #Option Dac6Bit # [bool] #Option Dac8Bit # [bool] #Option Display # str #Option PanelWidth# i #Option PanelHeight # i #Option ProgramFPRegs # [bool] #Option UseFBDev # [bool] #Option VideoKey # i #Option ShowCache # [bool] Identifier ATI Radeon 9600 PRO Screen0 Driver radeon VendorName ATI Technologies Inc BoardName Radeon 9600 PRO BusID PCI:1:0:0 Screen 0 # DVI connector on this card. EndSection Section Device ### Available Driver options are:- ### Values: i: integer, f: float, bool: True/False, ### string: String, freq: f Hz/kHz/MHz ### [arg]: arg optional #Option NoAccel # [bool]
Re: Release 3.7
On Wed, 2005-07-06 at 13:16 -0500, eric wrote: On Sat, 2005-03-05 at 14:44:41 -0600, Jim Mays proclaimed... How does one find out what is planned for the 3.7 release and how do I pre-order it (in order to get it first)? 3.7 has been out since May 17th, 2005. Read http://www.openbsd.org/ It's a good starting place. Reading the date header of the original message would have been a good starting place, too... -- Shawn K. Quinn [EMAIL PROTECTED]
Re: Semi-OT: Problems getting find to not recurse
Something like this should work (compare some of the examples in the man page):

find /path/to/dir -name .ssh -type d -prune -or \
    -type f -name \*.gz -mtime ${RETAIN} -exec rm {} \;

Thank you very much, Otto. That works just fine. It's greatly appreciated!
Benny
-- I'd rather staple a skunk to my forehead and go to a trade show for banjo makers. -- PHB's secretary, Dilbert, 07-2002
Re: Background developer knowledge
On Wed, 6 Jul 2005, Edd Barrett wrote: Hi, One of my friends has always said that you can not read the source without context. He is right. If you don't know what you're looking for, it will not make any sense. This proves a problem if you have nothing to fix and just wish to learn. Would you not agree? Of course the context of a source file is the program it is part of and the function it is supposed to perform. Now there are a bunch of simple, straightforward commands in any Unix system, which can be used to start learning. Take a simple command. Even yes(1) can be used as an example. Read the man page and try to map the functionality described in the man page to the source you are seeing. While you're at it, check the man page of the functions it uses to accomplish its task. Move on to more complex programs that use more and more library functions and system calls. Study the implementation of the library functions and system calls, now that you know what they are supposed to do and you have seen them used in actual programs. If you have no context, start building it. Of course, reading a few good books might help as well. -Otto
help getting a macintosh centris 610 going
Hi, I was given a Macintosh Centris 610 and when I turn it on I get the disk with the ? mark. I want to know how to get by this. I have no disks or CDs that came with it. If you can help me please email me at [EMAIL PROTECTED]. Thanks, I have a 9 year old bugging me to death.
Re: problem with ftp-proxy
On Wed, 2005-07-06 at 10:11 -0500, Ryan Corder wrote: Jul 6 08:55:56 smitty ftp-proxy[15298]: cannot find user proxy I'll give you a hint: this error message means exactly what it says. -- Shawn K. Quinn [EMAIL PROTECTED]
Re: Small office samba on OpenBSD
Seems like a waste to me. I tend to replace those routers WITH openbsd boxes. As long as you keep the box updated and your pf rules sane (block smb from outside world, etc) there is absolutely nothing to be worried about really. Kevin Roosdahl wrote: Scenario: 5 PC's --- 10/100 switch -- OpenBSD -- Broadband router -- Internet 5 Windows XP workstations on a LAN connected to an OpenBSD server running Samba, DHCP, DNS, SpamAssassin. A 2nd nic in the OpenBSD box goes to a broadband internet connection and PF is enabled and configured securely. Ideally, you want to layer your security services and not run your firewall and file server on the same box, but in a small budget operation that's not always feasible. Would it be preferred to hide the OpenBSD server behind a NAT broadband router (Linksys, Dlink, etc) that the client likely already has in place? Is that extra layer of protection worth the inconvenience? I'd like to create a simple product for SOHO customers for file storage, DVD backups, spam/virus filtering, etc. It's obviously going to be more secure than the same 5 PC's behind the NAT router alone, but should I recommend the box is behind a NAT router for that extra level of protection or is that just a false sense of security? Comments?
Re: Semi-OT: Problems getting find to not recurse
On Wed, Jul 06, 2005 at 02:33:30PM -0500, C. Bensend wrote:
find /path/to/dir -name .ssh -type d -prune -or \
    -type f -name \*.gz -mtime ${RETAIN} -exec rm {} \;
Thank you very much, Otto. That works just fine. It's greatly appreciated!
Well, even if it helped, I can't reproduce your problem:

find /home/kili -maxdepth 1 -type f -name \* -mtime +1 -exec echo {} \; | grep ssh

yields no output at all. [And of course, I *do* have a .ssh directory.]
Ciao,
Kili
PF, Interface-groups and nat
Hi

I'm trying to set up a small home-network with both wired and wireless access, so I've put the following NICs in a box:

ath0: internal wireless 192.168.1.1
rl0: internal wired 192.168.0.1
rl1: external wired DHCP

I've used the following pf.conf (a slight adaptation from the example in the pf-FAQ):

# macros
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

# options
set block-policy return
set loginterface rl1

# scrub
scrub in all

# nat/rdr
nat on rl1 from ath0:network to any -> (rl1)
nat on rl1 from rl0:network to any -> (rl1)

# filter rules
block all
pass quick on lo0 all
pass in on rl1 inet proto tcp from any to (rl1) \
    port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on ath0 from ath0:network to any keep state
pass out on ath0 from any to ath0:network keep state
pass in on rl0 from rl0:network to any keep state
pass out on rl0 from any to rl0:network keep state
pass out on rl1 proto tcp all modulate state flags S/SA
pass out on rl1 proto { udp, icmp } all keep state

Then I tried to use interface-groups (cool feature, and it seems like it might reduce the pf.conf-file and make it easier to maintain) and put rl1 in group if_ext and the other two NICs in if_int and tried to adapt pf.conf accordingly and got this:

# macros
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

# options
set block-policy return
set loginterface if_ext

# scrub
scrub in all

# nat/rdr
nat on if_ext from (if_int:network) to any -> (if_ext)

# filter rules
block all
pass quick on lo0 all
pass in on if_ext inet proto tcp from any to (if_ext) \
    port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on if_int from (if_int:network) to any keep state
pass out on if_int from any to (if_int:network) keep state
pass out on if_ext proto tcp all modulate state flags S/SA
pass out on if_ext proto { udp, icmp } all keep state

All seems fine, running pfctl -n on it produces nothing, but when trying to load the rules I get DIOSETSTATUSIF, and no rules are loaded. What am I doing wrong?
-- Erik Wikström
Re: Semi-OT: Problems getting find to not recurse
On Wed, 6 Jul 2005, Matthias Kilian wrote:
On Wed, Jul 06, 2005 at 02:33:30PM -0500, C. Bensend wrote:
find /path/to/dir -name .ssh -type d -prune -or \
    -type f -name \*.gz -mtime ${RETAIN} -exec rm {} \;
Thank you very much, Otto. That works just fine. It's greatly appreciated!
Well, even if it helped, I can't reproduce your problem:

find /home/kili -maxdepth 1 -type f -name \* -mtime +1 -exec echo {} \; | grep ssh

yields no output at all. [And of course, I *do* have a .ssh directory.]
That's because you are not doing the same search. Especially -maxdepth 1 will influence the results.
-Otto
Re: Flash Plugin for Firefox
On Wed, 6 Jul 2005 11:12:43 +0159 Frank Denis \(Jedi/Sector One\) [EMAIL PROTECTED] wrote: On Tue, Jul 05, 2005 at 05:44:01PM -0800, JR Dalrymple wrote: I think if you used Opera for 5 days you'd find it better in EVERY WAY POSSIBLE than Firefox... My 2 cents. I find page loads to be much faster, and nav is 10x faster with gestures and keyboard shortcuts. Except that there is nothing like AdBlock, DOM Inspector, CSS editor and Developer Toolbar for Opera. Way off-topic at this point, but have you actually tried Opera? It has plenty of the features from those extensions built in, there are a few adblock extensions for Opera, and it also has tons of stuff Firefox either doesn't have, or does very poorly. If you are using i386, Opera is definitely a good option, especially if you do web development. Adam
Re: C programming question
On Wed, 6 Jul 2005 16:53:21 -0500 imEnsion [EMAIL PROTECTED] wrote: Again, look at the original date from the email... It looks like some old e-mails finally got through... a whole load of them. Apparently he's having some hardcore issues with his mail client and/or computer in general.
On 7/6/05, chaton [EMAIL PROTECTED] wrote: On Mon, 04 Apr 2005 11:43:21 -0700 Matt [EMAIL PROTECTED] wrote: I need some help understanding some C code.

int (*if_ioctl) (struct ifnet *, int, caddr_t);
int (*if_watchdog) (int);

Can someone break down these declarations (if that's what they are)? Is this a form of typecasting? Thanks for your help. You already posted the *exact* same question a while ago and many people, including me, have answered it already.
-- http://www.nedbsd.nl/~jasper/wth/ -- What The Hack!
Re: Bug in 'usermod'?
Maxim Bourmistrov wrote: Hello [EMAIL PROTECTED] Do we have a bug in 'usermod'? The situation: groupadd -g site1 ; groupadd -g 1112 site12; groupadd -g 1123 site123 then add same user to the groups usermod -G site1 en;usermod -G site12 en; usermod -G site123 en user 'en' will appear 3 times in group 'site1' and 2 times in 'site12' Maxim mentioned this earlier on IRC before mailing and I had a look. The patch below seems to fix it. I know it's trivial but it may save someone a few minutes :-). --- user.c.orig Wed Jul 6 11:21:25 2005 +++ user.c Wed Jul 6 11:29:03 2005 @@ -540,7 +540,8 @@ continue; } for (i = 0 ; i ngroups ; i++) { - if (strncmp(groups[i], buf, colon - buf) == 0) { +if (strlen(groups[i]) == (colon - buf) +strncmp(groups[i], buf, colon - buf) == 0) { while (isspace(buf[cc - 1])) cc--; buf[(j = cc)] = '\0';
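Review bot: the added strlen(groups[i]) == (colon - buf) guard is the right fix for the prefix match (strncmp over only colon - buf bytes lets "site1" match "site12" and "site123", which is exactly the duplicate-entry symptom described), but it compares a size_t against a ptrdiff_t; cast the difference, e.g. `strlen(groups[i]) == (size_t)(colon - buf)`, to avoid a signed/unsigned comparison warning. Also, as quoted here the hunk shows no operator between the two conditions (`== (colon - buf) +strncmp(`) and no `<` in `for (i = 0 ; i ngroups ; i++)`; both look like characters stripped in transit, so confirm the submitted diff reads `&& strncmp(groups[i], buf, colon - buf) == 0` before it is committed.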
Re: Dual monitor for openbsd box
I went to NV home page and could find this driver for OpenBSD, where did you fetch it? Was it binary only or source only? Thanks. On 7/6/05, Steve Shockley [EMAIL PROTECTED] wrote: Gustavo Rios wrote: my system desktop have a nvidia quadro nvs 280 dual head video board. I would like to be able to have two users logged at the same time using the system independently on each other, i.e., i have two monitor, two keyboard and two mice. I tried putting an nVidia Quadro NVS 280 DH board in my OpenBSD desktop, and couldn't get it working dual-head at all. I know it requires the proprietary nVidia driver crap to use any of the advanced features. I gave up and went back to a Matrox G450. I've seen pages on using a G450 as two terminals, try googling for that and see where it gets you.
Deja-vu?
Is anyone else seeing a ton of old messages being resent to the list? Every last one is identical to the previous one, but has an additional group of Received headers:

Received: from mail.corp.medcenter.com by shear.ucar.edu
Received: from mail pickup service by mail.corp.medcenter.com

-Jon
Re: Release 3.7
On Sat, 5 Mar 2005 14:44:41 -0600 Jim Mays [EMAIL PROTECTED] wrote: Uh, what's with the time machine? --- Lars Hansson
Re: Dual monitor for openbsd box
Gustavo Rios wrote: I went to NV home page and could find this driver for OpenBSD, where did you fetch it? Was it binary only or source only? Binary only, Linux version. I had toyed around with the Matrox Linux binary HAL under OpenBSD to see what it did (and got it working), I tried doing the same with the nVidia and got nowhere. Since hardware is so cheap I decided it was a waste of time to try to get it to work. (For ~$10 on eBay it was worth a shot.)
Re: Semi-OT: Problems getting find to not recurse
On Wed, 2005-07-06 at 22:19 +0200, Matthias Kilian wrote:
find /home/kili -maxdepth 1 -type f -name \* -mtime +1 -exec echo {} \; | grep ssh
This test is irrelevant to the OP's problem.
yields no output at all. [And of course, I *do* have a .ssh directory.]
But do you have *files* (-type f) that have ssh in their name and don't start with a dot (-name \*)? If you drop both the -type f and -name \* predicates your .ssh directory will show up just fine. However, -maxdepth 1 will keep find from recursing into that directory:

$ touch .ssh/file
$ find . -name file
./.ssh/file
$ find . -maxdepth 1 -name file
$

(OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC)

Cheers
Steffen.
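As an added example (not code from anyone in this thread): a constructed directory tree run through the original recursive command, Otto's -prune form, and the -maxdepth 1 form from the later replies, with -exec rm replaced by -print so nothing is deleted. The temp directory and file names are constructed; RETAIN defaults to +2 as in the original script.

```shell
#!/bin/sh
# Added example, not from any poster in the thread: shows which find(1)
# form keeps a cleanup script out of the .ssh subdirectory.
set -eu

RETAIN="${RETAIN:-+2}"

# Constructed fixture: two stale top-level .gz files, one fresh .gz, and a
# .ssh subdirectory that also holds a stale .gz which must never be touched.
make_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/.ssh"
    touch "$dir/fresh.gz"
    touch -t 200507010000 "$dir/old1.gz" "$dir/old2.gz" "$dir/.ssh/keep.gz"
    printf '%s\n' "$dir"
}

# The original command: recurses, so .ssh/keep.gz is selected as well.
list_recursive() {
    find "$1" -type f -name '*.gz' -mtime "$RETAIN" -print | sort
}

# Otto's form: -prune stops descent into .ssh; because the pruned branch has
# no -print of its own, only files matched by the second branch are printed.
list_pruned() {
    find "$1" -name .ssh -type d -prune -o \
        -type f -name '*.gz' -mtime "$RETAIN" -print | sort
}

# The -maxdepth 1 form from the later replies (a GNU/BSD extension, not
# POSIX): never descends at all, so every subdirectory is skipped.
list_maxdepth() {
    find "$1" -maxdepth 1 -type f -name '*.gz' -mtime "$RETAIN" -print | sort
}

# Count how many selected paths lie under .ssh; 0 means the form is safe.
count_under_ssh() {
    grep -c '/\.ssh/' || true
}

# Demo when run as "sh script.sh demo": compare the three forms side by side.
demo() {
    d=$(make_fixture)
    for form in list_recursive list_pruned list_maxdepth; do
        n=$("$form" "$d" | count_under_ssh)
        printf '%-15s selects %s file(s) under .ssh\n' "$form" "$n"
    done
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```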
Re: Small office samba on OpenBSD
I'd like to create a simple product for SOHO customers for file storage, DVD backups, spam/virus filtering, etc. It's obviously going to be more secure than the same 5 PC's behind the NAT router alone, but should I recommend the box is behind a NAT router for that extra level of protection or is that just a false sense of security? Comments? Make the OpenBSD box the NAT router, otherwise you're just providing a layer of protection made from fecal matter that will blow back into your mouth when it gets windy... Most of the SOHO nat routers have far more issues than an OpenBSD box, and you'd be better off without them. -Bob
Gnome KDE on OpenBSD
Hi, I am new to this list. I want to know whether Gnome KDE can run on OpenBSD or not.
Re: Zaurus C3100
On Wed, 2005-07-06 at 22:32:37 -0600, Theo de Raadt proclaimed... Has anyone bought and tried OpenBSD yet on the new Zaurus C3100? It's black (ie. twice as cool). It's basically the same thing, though. Nothing much changed. It should work. Someone please let us know. Perhaps we should take up a collection for Theo to have one?