Re: HP DL145 G2?
On Monday 25 July 2005 16.52, Mike Shaw wrote:
> Hey folks, I'm about to build another obsd server for some pseudo-mission critical work, and HP is kind of our standard now. I've verified with someone off list that DL140s run well, but for performance and philosophical reasons I'm choosing AMD...looking at a DL145 G2 2Ghz SATA. I saw some troubles on the archives regarding this, but I wanted to verify the latest:
> * Are the broadcom nics reliable at this point?
> * I'm assuming amd64 OpenBSD is ready for prime time.
> * Any potential gotchas?

Currently the DL145 G2 is not well supported for various reasons. There's an issue with the pci shitz on this server which makes OBSD unable to detect cards seated in the expansion slots. Since this server is based on Nvidia (nForce4) chipset I guess it's not prio one to support it due to lack of documentation etc. So before you shop HP stuff make sure it's not fitted with Nvidia motherboards as in the case with DL 145G2.

Regards
Johan M:son
Re: carp failover on DSL and Cable connection?
On Mon, Jul 25, 2005 at 08:57:06PM -0700, Jonathan Walther wrote:
> > You could run ospfd (or quagga) on each host. (You'll need to use gif or gre tunnels to give a multicast capable link over the vpns). Make the dsl tunnel the lower cost route and ospf will change the routing tables to use the other link if it goes down. When it comes back up, ospfd will switch the routing table back to the lower cost route. I use precisely this method to provide a backup to a 100Mb WAN link using ipsec/adsl.
>
> Thank you Stephen! This is exactly what I was looking for. One question; does this solution drop any connections during the change of the routing table? For my application, that isn't a problem, but it is

Nothing is explicitly dropped, but the behaviour depends on how long you set the router dead time to and how the application behaves. The default dead time is 40sec, but I use 10secs in my setup. TCP/IP is able to handle some packet loss and routing table changes without dropping connections.

-- 
stephen
Re: MySQL socket problem (solved)
On Thu, 21 Jul 2005 13:22:43 +0300, Tomas wrote:
> BTW Edd, I liked your trick :)

Me, too !! maybe something wrong still on my side, though; because the trick only works with an additional

chown _mysql:_mysql /var/www/var/run/mysql/

in my case, otherwise I get

050726 16:57:22 mysqld started
050726 16:57:22 Can't start server : Bind on unix socket: Permission denied
050726 16:57:22 Do you already have another mysqld server running on socket: /var/run/mysql/mysql.sock ?
050726 16:57:22 Aborting
050726 16:57:22 /usr/local/libexec/mysqld: Shutdown Complete
050726 16:57:22 mysqld ended
Re: Disable IPv6 on 3.7
On Tue, Jul 26, 2005 at 03:05:37AM +0200, knitti wrote:
> On 7/26/05, Russell J. Wood [EMAIL PROTECTED] wrote:
> > On Mon, Jul 25, 2005 at 08:42:29PM -0400, Brad wrote:
> > > Go ahead if you want to use a custom un-supported system.
> >
> > Thanks, I will.
> >
> > > What is it that you think you're gaining from this?
> >
> > A system without IPv6.
>
> you won't. you'll get a kernel without IPv6. and a broken system.
>
> --knitti

My system works fine with IPv6 disabled...

- Russell
Re: MySQL socket problem (solved)
> chown _mysql:_mysql /var/www/var/run/mysql/

Because mine was on my laptop (which isn't connected to the network when I run mysql. In fact I hardly ever run mysql), I took the shortcut 'mysqld_safe --user=root' to start it. You are right, the mysql user will have to have access

Edd
Re: Disable IPv6 on 3.7
knitti said:
> > > What is it that you think you're gaining from this?
> > A system without IPv6.
> you won't. you'll get a kernel without IPv6. and a broken system.

knitti's right. But why are you so much against IPv6?

-- 
Adam Papai
D i g i t a l Influence
E-mail: [EMAIL PROTECTED]
Phone: +36 30 33-55-735
Re: Disable IPv6 on 3.7
* Russell J. Wood [EMAIL PROTECTED] [2005-07-26 02:36]:
> Yes, one can by commenting out `OPTION INET6' in the kernel configuration.

the question was specifically (and for good reasons) for doing so WITHOUT compiling a custom kernel.

> And one would want to do that if they don't use IPv6, since it's pointless fat otherwise.

another wrong myth. it just doesn't make a difference.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
spamd greylisting, masking on /24
I seem to remember seeing a patch to spamd that makes greylisting only look at the first /24 of the address, but I can't find it after fairly extensive searching with google/marc. Does anyone have a copy they could point me at? The whitelists on puremagic.com (on which greylisting.org's lists are based) don't list networks with a common spool unless more than a /24 is involved (there are some /24 listed with other factors requiring whitelisting, e.g. unique sender addresses per delivery attempt).
Re: Create my own shell?
On 7/25/05, Jon Drews [EMAIL PROTECTED] wrote:
> On 7/25/05, Abel Talaversn Estevez [EMAIL PROTECTED] wrote:
> > I need to create a particular but simple shell for a firewall running OpenBSD 3.6. The idea is to create a user whose shell is a very limited one.
>
> Hi: Operating ksh in restricted mode may fulfill your needs.

Oops - this is not true. I set up an account with rksh (ksh -r) and it is possible for the user to still switch shells. For the details on this see: Practical Unix & Internet Security, 3rd Edition by Simson Garfinkel, Gene Spafford, Alan Schwartz. The relevant material is on pages 576 to 578. Basically the restricted shell can be subverted and they advise using chroot.

-- 
Kind regards,
Jonathan
Re: Did anybody hear this??
On Mon, Jul 25, 2005 at 10:05:32PM -0700, Bruno Delbono wrote:
> > how much truth is actually in this article???
>
> It makes a lot of sense and is right on. What I take out of this article is that having one single firewall (can be any type: network, application etc.) at the perimeter doesn't stop hackers.

It does look like the before situation in the article is one where there is only one firewall that separates the LAN from the Internet, and everything on the LAN is treated equally, workstations and servers alike. Generally, that is a bad situation. So, the advice to put different types of machines into different (protected) networks is good.

Many people wouldn't go as far as entirely eliminating the outside firewall though; although he says that the desktops run secure OSes he also mentions Active Directory. Some would say those two terms don't go well together. :-)

> I don't see what really alarmed you? The author makes excellent points and I agree with him.

I also agree, except for the part of eliminating the externally facing firewall entirely.

-- 
Jurjen Oskam
Updating packages.
Hello,

I'm trying to go from stable to current. I have the kernel and userland in place but having trouble updating my desktop. When trying to compile gnome I'm getting errors on the dependencies conflicting with older versions of themselves? Is there any way to tell the make command to force reinstall the dependencies? After an evening of googling I still can't find the answer.

Best Regards,
Kevin MacPherson
Re: Updating packages.
On 26/07/05, Kevin MacPherson [EMAIL PROTECTED] wrote:
> Hello, I'm trying to go from stable to current. I have the kernel and userland in place but having trouble updating my desktop. When trying to compile gnome I'm getting errors on the dependencies conflicting with older versions of themselves? Is there any way to tell the make command to force reinstall the dependencies? After an evening of googling I still can't find the answer. Best Regards, Kevin MacPherson

Hello,

Take a look at pkg_add -r ;) OpenBSD favors pkg's over ports. Either that or pkg_delete -q /var/db/pkg/* then compile your stuff.

Edd
Re: Did anybody hear this??
On Tue, Jul 26, 2005 at 03:20:05PM +0200, Jurjen Oskam wrote:
> snip
> It does look like the before situation in the article is one where there is only one firewall that separates the LAN from the Internet, and everything on the LAN is treated equally, workstations and servers alike. Generally, that is a bad situation. So, the advice to put different types of machines into different (protected) networks is good.

I only have one firewall but it is three legged, the DMZ box and the LAN are separate. Is this what you mean by different (protected) networks?

Terry
Re: Did anybody hear this??
From: Terry Tyson [mailto:[EMAIL PROTECTED]
> > Generally, that is a bad situation. So, the advice to put different types of machines into different (protected) networks is good.
>
> I only have one firewall but it is three legged, the DMZ box and the LAN are separate. Is this what you mean by different (protected) networks?

I take it as meaning avoiding the crunchy on the outside, chewy in the middle architecture that only perimeter security gives you. Depending on your network and the assets and information located on the LAN, you may find that separating services by access level gives you benefit.

For example, say you have financial users, financial servers, HR users, HR servers, standard internal servers, and regular end users / trained monkey staff. Even though they are technically all on the LAN, you can protect your financial servers from the places and people on the LAN that don't need access to them by placing/protecting them such that only your financial users that DO need access to them can reach them. Ditto for the HR systems/people. As for the standard network services servers, since everybody needs to access them, you have a less restrictive policy around them. Real segmentation of the LAN works for this kind of thing, via VLANs or whatever.

DS
Re: Did anybody hear this??
On Tue, Jul 26, 2005 at 11:20:35AM -0500, Terry Tyson wrote:
> I only have one firewall but it is three legged, the DMZ box and the LAN are separate. Is this what you mean by different (protected) networks?

Everything depends on your particular situation and needs, but the general idea is that servers shouldn't be wide open to the clients. In your case, if that one firewall is compromised, all attached networks are exposed. This might or might not be something you should worry about. It all depends on your needs.

-- 
Jurjen Oskam
chrooted httpd and directory
Which path should I use in a directory directive in the config file for a chrooted httpd? In both cases below, changing Deny to Allow achieves the desired effect.

thanks!

<Directory /var/www/users/*>
    AllowOverride FileInfo AuthConfig Limit Options
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec ExecCGI
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Deny from all
    </Limit>
    <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>

<Directory /users/*>
    AllowOverride FileInfo AuthConfig Limit Options
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec ExecCGI
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Deny from all
    </Limit>
    <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>
Anyone know of a Marvell based dual gigE copper card
From what everyone told me last time, the SK stuff is good. So I can fit my network together with a few dual cards, trunk the smaller stuff together and then be on my way. Trouble is I cannot find (for the life of me) anything dual based on the Marvell stuff.

The obsd man page http://www.openbsd.org/cgi-bin/man.cgi?query=sk&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

For dual it only lists the SK-9822 SK-NET GE-T dual port, copper adapter, which from threads I read is now RealTek chips in the newer revs. I've tried contacting Marvell for info on products made using them, but no answer yet.

I've searched, prodded, poked and cursed and I still have not found one. Thoughts or suggestions? I appreciate the advice from the last round... I am using much of it.

-- 
Bill Chmura
Other Sharp Zauri?
Hopefully this more general question is appropriate here. I've noticed sales for the Zaurus SL-5500. Geeks.com has a sale on them right now. My question is if it makes sense for efforts to support any of the other units besides the C3000 and C3100. I know very little about the Zaurus in general, hence this question. I'm not asking for any kind of a time-table for anything, just general feasibility for support for some of the cheaper units. Thanks, STeve Andre'
Re: Anyone know of a Marvell based dual gigE copper card
* Bill Chmura [EMAIL PROTECTED] [2005-07-26 19:48]:
> For dual it only lists the SK-9822 SK-NET GE-T dual port, copper adapter, which from threads I read is now realTek chips in the newer revs.

huh? that was linksys or dlink or netgear or one of the usual bandits. The SysKonnect stuff was and is sk based (take a minute to guess what sk stands for after all :) )

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
isakmpd stops forwarding data over enc0
Sometime this morning, our openbsd firewall/VPN server entered a state where it stopped forwarding encrypted traffic over the enc0 interface. Incoming roadwarrior connections establish tunnels fine, but nothing is sent over enc0. There have been no isakmpd or pf configuration changes. There's nothing in the logs that seems to indicate a problem.

any ideas?

thanks,
Sean
Re: Updating packages
On Tuesday July 26 2005 11:09 am, Edd Barrett wrote:
> On 26/07/05, Kevin MacPherson [EMAIL PROTECTED] wrote:
> > Hello, I'm trying to go from stable to current. I have the kernel and userland in place but having trouble updating my desktop. When trying to compile gnome I'm getting errors on the dependencies conflicting with older versions of themselves? Is there any way to tell the make command to force reinstall the dependencies? After an evening of googling I still can't find the answer. Best Regards, Kevin MacPherson
>
> Hello,
>
> Take a look at pkg_add -r ;) OpenBSD favors pkg's over ports. Either that or pkg_delete -q /var/db/pkg/* then compile your stuff.
>
> Edd

Outta http://www.openbsd.org/ports.html:

# setenv PKG_PATH ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/
# pkg_add ${PKG_PATH}packageyouwant.tgz

This takes care of dependencies.

Dimitri
Bridge Interface stop ICMP redirects?
Hi,

I had a great design to redesign and secure a client's network. Once I got on site, there was a little surprise for me ... I can't renumber a router that I had hoped to.

Right now, there are multiple gateways on one network (all the gateways are plugged into one switch). They have a default gateway (OpenBSD) that sends ICMP redirects for computers to access the (non-default) gateways. This was done to avoid having to maintain routes on many network devices, and is causing problems with some applications.

I have a nice new Dell server with 4 NIC's in it that I want to hang each gateway off of. Unfortunately, one of them cannot be renumbered.

The main network is 192.168.11.0/24. The default gateway for the network is the OpenBSD server at 192.168.11.20/32. The router that can't be changed is 192.168.11.1/32. I figure I can still plug the 192.168.11.1/32 router into its own NIC and set up bridging for it. But I am wondering if the OpenBSD box is going to be smart enough to NOT send ICMP redirects, knowing that it is on the other end of a bridge.

This is so screwed up, and it's in production, so I do not have a lot of downtime to play around with things.

I envision something like:

OpenBSD 3.7-current with 4 NIC's
Internal Network (em0)      192.168.11.20 (default gateway for 192.168.11.0/24)
Internet Connection (em1)   PPPoE
Hospital Traffic (em2)      (transparent bridge) to 192.168.11.1, dest IP A.B.C.D/32
Government Traffic (em3)    10.2.60.4 dest IP E.F.G.H/32

Right now the OpenBSD box has a route...

route add A.B.C.D/32 192.168.11.1

As far as I can figure, this would still have to be there...to forward the packets to the next hop. It's just that the next hop is local.. Humm... maybe a

route add -ifp em2 A.B.C.D/32 192.168.11.1

would solve the problem?

Do I have a hope of getting this to work? Are ICMP redirects still going to be issued? I guess the joy of OpenBSD is that I can always block them with pf!!, but that just plain sounds wrong!

Thanks,
Steve
Re: Other Sharp Zauri?
On 7/26/05, Greg Thomas [EMAIL PROTECTED] wrote:
> On 7/26/05, STeve Andre' [EMAIL PROTECTED] wrote:
> > Hopefully this more general question is appropriate here. I've noticed sales for the Zaurus SL-5500. Geeks.com has a sale on them right now.
>
> I've been thinking about one myself even if I have to stick with Linux. How much are they now, something like $120? One thing that scared me off is really short battery life. Anyone have one?
>
> Greg

I have an SL-5500. It works great, but the battery life can be bad. When I was still in college, I could use it for a day of classes, but would have to charge it as soon as I got home. If you plan on doing anything that uses the CF slot (wireless networking maybe?) the battery life drops drastically, so keep the charger with you if you can.

Stefan
Re: Bridge Interface stop ICMP redirects?
Hi,

That sounds great! Thanks very much for pointing that out, I would never have thought about sysctl to control that...

Cheers,
Steve

Spruell, Darren-Perot wrote:
> From: Steve Williams [mailto:[EMAIL PROTECTED]
> > The main network is 192.168.11.0/24. The default gateway for the network is the OpenBSD server at 192.168.11.20/32. The router that can't be changed is 192.168.11.1/32. I figure I can still plug the 192.168.11.1/32 router into its own NIC and set up bridging for it. But I am wondering if the OpenBSD box is going to be smart enough to NOT send ICMP redirects, knowing that it is on the other end of a bridge.
> >
> > Do I have a hope of getting this to work? Are ICMP redirects still going to be issued? I guess the joy of OpenBSD is that I can always block them with pf!!, but that just plain sounds wrong!
>
> Right. You can configure a kernel variable using this sysctl:
>
> net.inet.ip.redirect
>
> sysctl(3) gives more information about what this controls. sysctl.conf(5) may be of use to you.
>
> DS
Re: MySQL socket problem (solved)
Another way is this:

# MySQL
if [ -x /usr/local/bin/mysqld_safe ]; then
        echo -n ' mysqld'
        # drop the stale socket inside the chroot before starting
        rm -f /var/www/var/run/mysql/mysql.sock
        /usr/local/bin/mysqld_safe > /dev/null &
        sleep 10
        # hardlink the real socket into the httpd chroot
        ln /var/run/mysql/mysql.sock /var/www/var/run/mysql/mysql.sock
fi

That's my rc.local for starting mysql. Works just fine here :) This way, it's /var/run/mysql.sock inside and outside the chroot. But you have to recreate the hardlink if mysql restarts.

-- 
Jonathan
rdr question
Hi list,

is it possible to have the following:

rdr on $ext_if proto tcp from any to any port 80 -> $server

re-written as:

rdr on $ext_if proto tcp from any to domain.com port 80 -> $server

where $server is an internal web server and domain.com a specific domain name? In general I would like to have one static IP where more than one domains are registered and for each domain a different internal web server should serve the incoming requests!

Thanks
George
Re: rdr question
--On 27 July 2005 00:27 +0200, GV wrote:
> is it possible to have the following:
>
> rdr on $ext_if proto tcp from any to any port 80 -> $server
>
> re-written as:
>
> rdr on $ext_if proto tcp from any to domain.com port 80 -> $server
>
> where $server is an internal web server and domain.com a specific domain name? In general I would like to have one static IP where more than one domains are registered and for each domain a different internal web server should serve the incoming requests!

No, you need some kind of 'reverse-proxy' to do this type of thing (maybe pound, tinyproxy 1.70, or squid in accelerator-mode). It would run on either the PF box or another box that you rdr to.
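The reason rdr cannot do this is that the domain name only exists inside the HTTP request, which a layer-3/4 redirect never parses; the reverse proxy reads it and picks the backend. An added Python illustration of that selection step (not code from the thread or from any of the proxies named; the vhost map and internal addresses are constructed):

```python
"""Host-based backend selection: the step a reverse proxy performs and pf's
rdr cannot, because rdr only sees the destination IP and port while the
domain name lives inside the HTTP request.  Added example, not from the
thread; the vhost map and internal addresses below are constructed."""

# Constructed mapping: advertised host name -> internal web server.
VHOSTS = {
    "domain.com": ("192.168.1.10", 80),
    "www.domain.com": ("192.168.1.10", 80),
    "other.example": ("192.168.1.11", 8080),
}


def parse_request_host(raw):
    """Return the lower-cased host a request head is addressed to, or None.

    Handles the Host header, an absolute-URI request line (which takes
    precedence per RFC 7230 section 5.4), a :port suffix, bracketed IPv6
    literals, and HTTP/1.0 requests that carry no Host header at all."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3:
        return None  # not a well-formed request line
    target = request_line[1]
    host = None
    if target.lower().startswith(b"http://"):
        host = target[7:].split(b"/", 1)[0]
    else:
        for line in lines[1:]:
            name, sep, value = line.partition(b":")
            if sep and name.strip().lower() == b"host":
                host = value.strip()
                break
    if not host:
        return None
    if host.startswith(b"["):              # [v6addr]:port
        host = host.split(b"]", 1)[0] + b"]"
    elif b":" in host:                     # name:port
        host = host.split(b":", 1)[0]
    return host.decode("ascii", "replace").lower().rstrip(".")


def select_backend(raw, vhosts=VHOSTS):
    """Pick (ip, port) for a request head; None means refuse rather than
    guess, since an unknown or missing Host must not be handed to some
    default internal server."""
    host = parse_request_host(raw)
    return None if host is None else vhosts.get(host)
```

A real proxy then opens a connection to the returned backend and relays bytes in both directions; only the lookup above is what pf lacks.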
Apache icons inside chroot
I've done the googling and turned up empty :( I'm trying to get the included icons to show when someone does a directory view, but everything I try comes back with:

[Wed Jul 27 01:35:57 2005] [error] [client 192.168.0.3] (13)Permission denied: access to /icons/movie.gif failed because search permissions are missing on a component of the path
192.168.0.3 - - [27/Jul/2005:01:35:57 +] "GET /icons/movie.gif HTTP/1.1" 403 225

in the error and access logs, respectively. I'm almost certain it's because I'm not accounting for the chroot properly (the icons live in /var/www/icons by default). The section of httpd.conf that addresses it reads thus:

---
Alias /icons/ /var/www/icons/
<Directory /var/www/icons>
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
---

I've also tried using /icons/, /icons, and ../icons, all with negative results. The files inside /var/www/icons are all mode 444, and the directory itself is mode 644, so I'm not sure what permission it needs that it doesn't already have. Where should I look next?
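Both chrooted-httpd questions above (the Directory path and the icons) come down to two checks: where a configured path lands once httpd has chrooted to /var/www, and whether the server user can search every directory on the way to the file. An added Python checker for both, not code from either post; the /var/www chroot root and uid/gid 67 for the www user are assumptions:

```python
"""Where a path in httpd.conf lands once httpd has chrooted, and whether the
server user can search every directory on the way to it.  Added example, not
from either post; the chroot root /var/www and uid/gid 67 (assumed for
OpenBSD's www user) are assumptions."""
import os
import shutil
import stat
import tempfile

CHROOT = "/var/www"
WWW_UID = 67
WWW_GIDS = (67,)


def resolve_in_chroot(chroot, config_path):
    """Map a path as the chrooted httpd sees it to the real on-disk path:
    '/icons/' in a /var/www chroot is /var/www/icons, whereas a config path
    that already starts with /var/www ends up under /var/www/var/www/."""
    inside = os.path.normpath("/" + config_path.lstrip("/"))
    return os.path.normpath(os.path.join(chroot, inside.lstrip("/")))


def _can_search(st, uid, gids):
    """Search (x) permission for uid/gids per the owner/group/other bits."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def unsearchable_components(real_path, uid=WWW_UID, gids=WWW_GIDS):
    """List (dir, reason) for every directory component of real_path that
    uid cannot pass through.  Empty means the '(13)Permission denied: ...
    search permissions are missing' error cannot come from this path."""
    problems = []
    cur = "/"
    for part in real_path.strip("/").split("/")[:-1]:  # dirs, not the leaf
        cur = os.path.join(cur, part)
        try:
            st = os.stat(cur)
        except FileNotFoundError:
            problems.append((cur, "missing"))
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append((cur, "not a directory"))
            break
        if not _can_search(st, uid, gids):
            problems.append((cur, "no search (x) bit for uid %d" % uid))
    return problems


def demo():
    """Constructed tree: an icons dir with mode 644 (as in the post) beside
    one with mode 755, each holding a movie.gif.  Returns the findings."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for name, mode in (("icons_644", 0o644), ("icons_755", 0o755)):
        d = os.path.join(root, name)
        os.mkdir(d)
        with open(os.path.join(d, "movie.gif"), "wb") as f:
            f.write(b"GIF89a")
        os.chmod(d, mode)
    result = {n: unsearchable_components(os.path.join(root, n, "movie.gif"))
              for n in ("icons_644", "icons_755")}
    os.chmod(os.path.join(root, "icons_644"), 0o755)  # so cleanup can unlink
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(resolve_in_chroot(CHROOT, "/icons/"), resolve_in_chroot(CHROOT, "/var/www/icons/"))
    for name, problems in demo().items():
        print(name, problems or "ok")
```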
openbsd rpc/xdr
Hey folks,

i am doing efforts in order to learn about xdr/rpc. So, i decided to read some code in src/lib/libc/rpc. I found it to be a little heavy, cause there is too much function invocation overhead between the caller and the real function that does the job. So, i wonder if anybody knows an alternative implementation for xdr/rpc? Just like there are for stdio functionalities. Of course, my requirement is that it runs on our OS of choice.

Thanks a lot.
Re: Did anybody hear this??
On 7/26/05, Bruno Delbono [EMAIL PROTECTED] wrote:
> +++ Siju George [Tue Jul 26, 2005 at 10:18:56AM +0530]:
> > how much truth is actually in this article???
>
> It makes a lot of sense and is right on. What I take out of this article is that having one single firewall (can be any type: network, application etc.) at the perimeter doesn't stop hackers. I don't see what really alarmed you?

Thanks for the reply Bruno. Just the thing whether this is the current trend. eliminating firewalls and going for an alternative like he mentioned?

kind regards
Siju

> The author makes excellent points and I agree with him. Now SMB's might traditionally fit better with these articles, bigger enterprises tend to differ as many roles (for the users anyway) are well defined and access (incoming, outgoing) for internal external.
>
> -Bruno
Re: Did anybody hear this??
On 7/26/05, Siju George [EMAIL PROTECTED] wrote:
> On 7/26/05, Bruno Delbono [EMAIL PROTECTED] wrote:
> > +++ Siju George [Tue Jul 26, 2005 at 10:18:56AM +0530]:
> > > how much truth is actually in this article???
> >
> > It makes a lot of sense and is right on. What I take out of this article is that having one single firewall (can be any type: network, application etc.) at the perimeter doesn't stop hackers. I don't see what really alarmed you?
>
> Thanks for the reply Bruno. Just the thing whether this is the current trend. eliminating firewalls and going for an alternative like he mentioned?

You completely missed the point. The point was that the crunchy on the outside, chewy on the inside security model is wrong. A single perimeter firewall tends to allow the inside network to be woefully insecure and this is something to be avoided. Or, put another way, the single greatest failing of a firewall is that it allows people to continue behaving unsafely.

Think about it: if every host you control is set up to survive contact with an evil host, then it doesn't matter much if someone out there tries to break in, or someone brings in a virus-laden laptop or whatever else. So maybe the elimination of the firewall is a worthwhile pursuit so long as you keep an eye toward properly bolting down your empire.

CK

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: Anyone know of a Marvell based dual gigE copper card
On Tue, Jul 26, 2005 at 08:06:59PM +0200, Henning Brauer wrote:
> * Bill Chmura [EMAIL PROTECTED] [2005-07-26 19:48]:
> > For dual it only lists the SK-9822 SK-NET GE-T dual port, copper adapter, which from threads I read is now realTek chips in the newer revs.
>
> huh? that was linksys or dlink or netgear or one of the usual bandits. The SysKonnect stuff was and is sk based (take a minute to guess what sk stands for after all :) )

That was the Linksys EG1032 cards. 32-bit PCI single port cards. rev 2 uses Marvell chipset and rev 3 uses RealTek. It was even more fun fixing support for the cards since Linksys used the same PCI ID code for both cards.

Thanks to Daniel Polak who got in contact with the appropriate people from SysKonnect. I will be receiving 3 newer SysKonnect cards for testing and development sometime very soon. He managed to score some hardware too.

I also had some offers from other individuals to purchase hardware. I'm very appreciative of these offers. Of course there is no point to taking these offers when I was able to get hardware from the vendor itself. I will be looking for other stuff in the future. I can always use the help of kind and helpful individuals on this list.
Re: openbsd rpc/xdr
Gustavo Rios [EMAIL PROTECTED] writes:
> Hey folks, i am doing efforts in order to learn about xdr/rpc. So, i decided to read some code in src/lib/libc/rpc. I found it to be a little heavy, cause there is too much function invocation overhead between the caller and the real function that does the job.

If I read correctly, it seems that you don't like function calls. Why are functions bad? You prefer a macro and inline hell?

//art