Re: Lifecycle question
On 9/5/05, Giedrius Rekaius [EMAIL PROTECTED] wrote:
> On Mon, 05 Sep 2005 15:52:50 +0300, Stephan A. Rickauer [EMAIL PROTECTED] wrote:
>> I am already in love with it, since I plan to use it as a HA-firewall using carp and pfsync. Problem here is just that it looks as if I had to reinstall it all year ...
>
> Hi Stephan,
>
> If it's just a firewall, and you won't need any new features (which will come with some new release), then why should you upgrade? Just configure it, put the server somewhere in the dark corner and it will handle its job very nicely :)

If it is a firewall it is a very dangerous thing to do. I would recommend that you not only upgrade for every release but also apply all security patches as soon as they are released. Otherwise your *OpenBSD firewall* can go for a toss :-)

kind regards
Siju
Re: Lifecycle question
On 9/5/05, Stephan A. Rickauer [EMAIL PROTECTED] wrote:
> Ramiro Aceves schrieb:
>> I like and use both systems. But if you are concerned about easy upgrading, I would recommend Debian GNU/Linux (no flamewars please ;-) ). It is a very stable system that is upgraded slowly, about every 2 years (they want to speed it up in the future to an 18 month cycle). You will not
>
> We have FreeBSD, Debian Sarge and SuSE 9.0 9.1 9.3 as productive systems running. Technically, we're kind of aware of the differences.
>
>> system. If you want a desktop with hundreds of packages installed, I find Debian more practical to upgrade. Both systems allow you to tweak the internals as you want. Both come with the base system and the remaining applications.
>
> We use SuSE on ~50 desktops in our Institute and are quite happy (well, we had to tune it a bit to make it use apt-get). Debian is my first choice for non-BSD servers, but I would not use it for desktop purposes still. Well, don't want flame wars here either ;)
>
>> Anyway, I am getting in love with OpenBSD because of its security, simplicity, stability, clarity, superb documentation and coherency. If I would have to build a server connected to the dangerous Internet, I will undoubtedly use OpenBSD.
>
> I am already in love with it, since I plan to use it as a HA-firewall using carp and pfsync. Problem here is just that it looks as if I had to reinstall it all year ...

If that's the case, then you just take one down, upgrade it, bring it back online, take the other down, upgrade it, bring it back online. I fail to see the issue here. 'nuff said.

> Thanks,
>
> --
> Stephan A. Rickauer
> Institut für Neuroinformatik, Universität / ETH Zürich, Winterthurerstrasse 190, CH-8057 Zürich
> Tel: +41 44 635 30 50 Sek: +41 44 635 30 52 Fax: +41 44 635 30 53
> http://www.ini.ethz.ch

--
Abe Al-Saleh
And then came the Apocalypse. It actually wasn't that bad, everyone got the day off and there were barbeques all around.
Re: Lifecycle question
Abraham Al-Saleh schrieb:
>> I am already in love with it, since I plan to use it as a HA-firewall using carp and pfsync. Problem here is just that it looks as if I had to reinstall it all year ...
>
> If that's the case, then you just take one down, upgrade it, bring it back online, take the other down, upgrade it, bring it back online. I fail to see the issue here. 'nuff said.

The issue is that I don't have only two firewalls but also many, many others plus even more ;) I am asking 'generally' and not because I don't have the time to update *two* machines twice a year. Not to mention that upgrades with other OS's are even painful _with_ HA setup ... As an Institute we have limited resources in terms of personnel AND money. Therefore, I am forced to rethink any strategy twice.

Thanks to all comments - had been very helpful so far.

Stephan
Re: Lifecycle question
On 9/6/05, Stephan A. Rickauer [EMAIL PROTECTED] wrote:
> Not to mention that upgrades with other OS's are even painful _with_ HA setup ... As an Institute we have limited resources in terms of personnel AND money. Therefore, I am forced to rethink any strategy twice.
>
> Thanks to all comments - had been very helpful so far.

I'm responsible for 4 different OpenBSD-based firewalls and 4 different customers. One location is a carp+pfsync based one with two machines. Last week I upgraded one of the customers to a new release and it took me a total of 30 minutes on-site work. 15 of those were trying to access the firewall in the cramped server room ;-). With planning and an extra set of backups it took me about 1 hour of worktime. This should be able to fit within most limited budgets :-).

Once you learn the OpenBSD mindset it is easier to install, upgrade and maintain than most other package based systems. I would say that it is faster to upgrade an OpenBSD box from one release to another compared to Debian (with their wonderful apt-get/dpkg system). The reason is that OpenBSD installations are usually much smaller and leaner and you don't have to download 500MB+ to get a working system.

cheers,
Nickus
Re: Lifecycle question
Nick Holland schrieb:
> There are a lot of measures to how the upgrade process works out. Here are SOME:
> 1) Frequency (i.e., how often do you need to do upgrades)
> 2) Difficulty (how much human work is involved)
> 3) Urgency (when an upgrade is needed, how important is it that it is done *NOW*)
> 4) Downtime (when you do the upgrade, do you need to do it at 3:00am, or can you do it during production hours?)
> 5) Flexibility (what cute tricks can you do to make the process simpler, safer, easier, etc.)

I agree. Furthermore, one has to distinguish between upgrades of an entire OS release level and patching a running system. The latter is not an issue here since any OS needs patching all the time. Well, they may differ in frequency etc. again, but the differences are negligible.

> Yes, OpenBSD had new releases every six months, and only supports a previous release with patches for one past release, so your frequency is going to be higher. So, at the outside, you are looking at an upgrade

Ok, that is the key issue here. Upgrading a firewall which has not much software installed at all, which even runs in a HA environment etc. is really not a big thing. But think of application servers that run all weird kinds of things ... it is a nightmare to upgrade those every half a year (not speaking of *patching* - only saying that since some posts seem to treat patching and OS upgrade similarly).

> Anyway...look at the whole picture, not just how often you have to do upgrades.
>
> Remember: there are reasons we don't support old releases very long -- in addition to the work required, there is the fundamental moving forward philosophy of OpenBSD. With every release, they try to make the OS more secure and more correct. Not only does pushing stuff back to old releases take time and effort, but some stuff just won't go easily. The malloc(3) upgrades were a huge improvement to security, but pushing them back to 3.6 or before isn't going to happen.
>
> We don't want you to think that because you run 3.5-stable, that you are as safe or as reliable as you are if you are running -current.

For those application server beasts mentioned earlier one is not necessarily interested in getting 'new features', even if they made the system more secure. I would not even expect backporting - just deliver patches for security relevant issues, so that one can keep the system running for 2-3 years.

> Lifecycle has to be part of your planning -- if you can push off a problem for two years, you may just hope it isn't your problem then and never deal with it. If you know that every six months to a year you should upgrade, and put that into your planning now, overall your life will be easier.

Hm. In my case it will be definitely *my* problem and I can now choose how often I would like to have it ;)

One main reason why companies are interested in 'enterprise products' of vendors like Redhat and SuSE etc. is the five (!) year lifecycle (at least with SuSE, don't know with RH). That means you buy your hardware, install the OS, patch five years and toss the systems afterwards. That keeps TCO pretty low compared to a (technically much better) system that I need to reinstall/upgrade 10 times during that period, don't you think?

There is one thing I still don't understand. What effort is it to deliver patches (not backports) longer than just a few months - given that the overall amount of patches per release is low with OpenBSD anyway... let's say you have four security relevant patches per release, then you had 20 in 2.5 years ... Well, I am not a programmer, therefore I may not see the effort.

Thanks for your comments!

--
Stephan A. Rickauer
Institut für Neuroinformatik, Universität / ETH Zürich, Winterthurerstrasse 190, CH-8057 Zürich
Tel: +41 44 635 30 50 Sek: +41 44 635 30 52 Fax: +41 44 635 30 53
http://www.ini.ethz.ch
Re: Lifecycle question
Tobias Weingartner schrieb:
> This is a systems management issue. It all depends on how you manage your systems. Compartmentalizing change, change management, etc.

Exactly.

> I can recommend talking to Fritz Zaucker (tell him I sent ya). He's at ETHZ as well (in EE I think). His team, along with Tobias Oetiker and the guys/gals over there have some experience in this sort of management.

Yes, I know those guys. They base their infrastructure on Debian mostly. And they've had the man power to build great system management tools, like SEPP or the ISG Toolchest.

The reason why I bother this list is that I am impressed by OpenBSD from the technical point of view. I like its consistency and purity. But in business environments or comparable organizations where money is an issue, one needs to think about system management very carefully, since it has a direct impact on money as well. That's why I can't understand how people can really live with the 6 months lifecycle.

Thanks,

--
Stephan A. Rickauer
Institut für Neuroinformatik, Universität / ETH Zürich, Winterthurerstrasse 190, CH-8057 Zürich
Tel: +41 44 635 30 50 Sek: +41 44 635 30 52 Fax: +41 44 635 30 53
http://www.ini.ethz.ch
tcpdump/pflog - rule numbering
My 'tcpdump -n -e -i pflog0' generates lines like these:

    11:22:12.538707 rule 267/(match) block in on em0: 172.16.2.97.32790 > 225.4.5.6.6001: udp 341 [ttl 1]

I am now trying to find out what 'rule 267' should be and found posts regarding 'pfctl -s rules'. My problem is that rule number 267 has absolutely nothing to do with the line logged above.

    pfctl -s rules | sed -e '1,266d' -e '268,$d':
    pass out log quick inet proto tcp from 172.16.2.178 port = 1023 to id431E1F62.2 port = 4899 keep state label [RULE:18 - IF:global - ACTION:ACCEPT]

I couldn't find any detailed information about how pflog numbers the rules. Could anyone point me there?

Thanks!

--
Stephan A. Rickauer
Institut für Neuroinformatik, Universität / ETH Zürich, Winterthurerstrasse 190, CH-8057 Zürich
Tel: +41 44 635 30 50 Sek: +41 44 635 30 52 Fax: +41 44 635 30 53
http://www.ini.ethz.ch
Re: Lifecycle question
On 9/6/05, Stephan A. Rickauer [EMAIL PROTECTED] wrote:
> The reason why I bother this list is that I am impressed by OpenBSD from the technical point of view. I like its consistency and purity. But in business environments or comparable organizations where money is an issue, one needs to think about system management very carefully, since it has a direct impact on money as well. That's why I can't understand how people can really live with the 6 months lifecycle.

I (as many others) use some OpenBSD servers in a business environment. I recently upgraded a server from 3.5 to 3.7 (I chose to skip a release). Upgrading the system lasted for about 60 mins, including downloading the new release. About 45 mins of these I spent checking things in /etc (I could have been quicker, but I wanted to use those new pf features ;). Application upgrades did cost about 8 hours, with about 6.5 hours for one single application whose configuration had changed.

I think a firewall could be upgraded in about 20 mins, the first one. If you have more than one, and they are similar, it's more like 5-10 mins for each following one.

--knitti
Re: Jose Nazario's dmesg explained for OpenBSD
On Tue, Sep 06, 2005 at 12:25:23AM -0500, Andrew Daugherity wrote:
> === a) biomask e74d netmask ff4d ttymask ffef

...these are the interrupt masks (on i386) for the levels IPL_BIO, IPL_NET and IPL_TTY after autoconfiguration has finished. They will be modified again when clock and rtc are initialized, i.e. interrupts 0 and 8 will be unblocked on all three levels.
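To make the three masks concrete, an added helper (not part of the original message) that lists the IRQ numbers whose bit is set in each of the i386 masks quoted above; the mask values are the ones from the dmesg line, and interpreting a set bit as "blocked at that level" follows the explanation given in the reply.

```sh
#!/bin/sh
# Decode i386 interrupt masks from a dmesg line into IRQ numbers.
# The three values below are the ones quoted in the thread.
BIOMASK=e74d   # IPL_BIO
NETMASK=ff4d   # IPL_NET
TTYMASK=ffef   # IPL_TTY

# irqs_in_mask HEX: print the IRQ numbers (0-15) whose bit is set in the
# 16-bit mask, lowest IRQ first, separated by single spaces.
irqs_in_mask() {
    mask=$((0x$1))
    out=""
    i=0
    while [ "$i" -lt 16 ]; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out}${out:+ }$i"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# irq_in_mask HEX N: succeed (exit 0) if IRQ N's bit is set in the mask.
irq_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Show which IRQs each level blocks; IRQ 0 (clock) and IRQ 8 (rtc) appear in
# all three lists, matching the note that they are unblocked later on.
for level in "IPL_BIO $BIOMASK" "IPL_NET $NETMASK" "IPL_TTY $TTYMASK"; do
    set -- $level
    printf '%-8s %s: IRQs %s\n' "$1" "$2" "$(irqs_in_mask "$2")"
done
```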
Re: tcpdump/pflog - rule numbering
I have a "scrub all fragment reassemble" showing up on the first line of pfctl -s rules. The rules are numbered from 0 (zero). Therefore I need to add 2 to the line number of the pfctl output to get the right rule.

The log entry

    Sep 04 21:45:56.156323 rule 8/(match) pass in on fxp0: xxx.xxx.xxx.xxx.39665 > yyy.yyy.yyy.yyy.22: S 224562907:224562907(0) win 5840 mss 1460,nop,wscale 0 (DF)

...corresponds to

    # pfctl -s rules | sed -n '10p'
    pass in log on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state

Andreas

On 06/09/05, Stephan A. Rickauer [EMAIL PROTECTED] wrote:
> My 'tcpdump -n -e -i pflog0' generates lines like these:
>
> 11:22:12.538707 rule 267/(match) block in on em0: 172.16.2.97.32790 > 225.4.5.6.6001: udp 341 [ttl 1]
>
> I am now trying to find out what 'rule 267' should be and found posts regarding 'pfctl -s rules'. My problem is that rule number 267 has absolutely nothing to do with the line logged above.
>
> pfctl -s rules | sed -e '1,266d' -e '268,$d':
> pass out log quick inet proto tcp from 172.16.2.178 port = 1023 to id431E1F62.2 port = 4899 keep state label [RULE:18 - IF:global - ACTION:ACCEPT]
>
> I couldn't find any detailed information about how pflog numbers the rules. Could anyone point me there?
>
> Thanks!
>
> --
> Stephan A. Rickauer
> Institut für Neuroinformatik, Universität / ETH Zürich, Winterthurerstrasse 190, CH-8057 Zürich
> Tel: +41 44 635 30 50 Sek: +41 44 635 30 52 Fax: +41 44 635 30 53
> http://www.ini.ethz.ch

--
Andreas Kahari
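The arithmetic Andreas describes, as an added shell helper that is not from the thread: it maps the "rule N" number in a pflog line to the matching 'pfctl -s rules' line by skipping the scrub lines printed first and counting filter rules from 0 (which is why a single scrub line turns rule 8 into line 10, and rule 267 lands on line 268 or later, not 267). The pfctl output and log line below are constructed samples; on a real box feed the function real 'pfctl -s rules' output, or use 'pfctl -sr -vv', which prints the number in front of each rule.

```sh
#!/bin/sh
# Constructed 'pfctl -s rules' output: one scrub rule, then three filter rules
# that pflog numbers 0, 1 and 2.
PFCTL_OUTPUT='scrub in all fragment reassemble
block drop in log all
pass in log on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass out on fxp0 proto udp all keep state'

# Constructed pflog line in the format 'tcpdump -n -e -i pflog0' prints.
SAMPLE_LOG='Sep 04 21:45:56.156323 rule 1/(match) pass in on fxp0: 10.0.0.5.39665 > 10.0.0.1.22: S 1:1(0) win 5840'

# rule_number_from_log LINE: print N from "... rule N/(match) ...".
rule_number_from_log() {
    printf '%s\n' "$1" | sed -n 's/.* rule \([0-9][0-9]*\)\/.*/\1/p'
}

# rule_for_number N: print the filter rule pflog calls "rule N".
# Scrub rules are a separate ruleset printed first, so they are skipped;
# the remaining lines are counted from 0. Fails if N is out of range.
rule_for_number() {
    printf '%s\n' "$PFCTL_OUTPUT" | awk -v want="$1" '
        /^scrub/ { next }
        { if (n == want) { print; found = 1; exit } n++ }
        END { if (!found) exit 1 }'
}

# line_for_number N: print the 1-based line of pfctl output holding rule N,
# i.e. N + 1 + (number of leading scrub lines), which is Andreas's "+2".
line_for_number() {
    printf '%s\n' "$PFCTL_OUTPUT" | awk -v want="$1" '
        /^scrub/ { next }
        { if (n == want) { print NR; exit } n++ }'
}

# Walk from the log line to the rule text.
n=$(rule_number_from_log "$SAMPLE_LOG")
printf 'rule %s is on line %s: %s\n' "$n" "$(line_for_number "$n")" "$(rule_for_number "$n")"
```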
Re: tcpdump/pflog - rule numbering
Andreas Kahari schrieb:
> I have a "scrub all fragment reassemble" showing up on the first line of pfctl -s rules. The rules are numbered from 0 (zero). Therefore I need to add 2 to the line number of the pfctl output to get the right rule.

Thanks Andreas, that explanation fixes my problem as well ... sometimes life is so obvious ;)

--
Stephan A. Rickauer
Institut für Neuroinformatik, Universität / ETH Zürich, Winterthurerstrasse 190, CH-8057 Zürich
Tel: +41 44 635 30 50 Sek: +41 44 635 30 52 Fax: +41 44 635 30 53
http://www.ini.ethz.ch
Re: tcpdump/pflog - rule numbering
--On 06 September 2005 11:29 +0200, Stephan A. Rickauer wrote:
> I am now trying to find out what 'rule 267' should be and found posts regarding 'pfctl -s rules'. My problem is that rule number 267 has absolutely nothing to do with the line logged above.

    # pfctl -sr -vv
Re: tcpdump/pflog - rule numbering
Stuart Henderson schrieb:
> # pfctl -sr -vv

Cool!

--
Stephan A. Rickauer
Institut für Neuroinformatik, Universität / ETH Zürich, Winterthurerstrasse 190, CH-8057 Zürich
Tel: +41 44 635 30 50 Sek: +41 44 635 30 52 Fax: +41 44 635 30 53
http://www.ini.ethz.ch
Re: Lifecycle question
--On 06 September 2005 10:16 +0200, Stephan A. Rickauer wrote:
> There is one thing I still don't understand. What effort is it to deliver patches (not backports) longer than just a few months - given that the overall amount of patches per release is low with OpenBSD anyway... let's say you have four security relevant patches per release, then you had 20 in 2.5 years ...

Some problems could be addressed quite simply in an older system, but having that as the stated policy means that all problems fixed in newer code would have to go through a procedure something like: decide on the severity of the problem as to whether it needs fixing in older code, check which released versions are affected, produce and test patches for all of these, distribute patches, notify users where security-critical, etc. In areas of code which have undergone major change, just backporting the fix can be quite a task.

This may be ok for a vendor, who can dedicate staff to the process of maintaining what, 6 or 7 trees (though some vendors don't seem to do particularly well at the 'test patches' stage), but doesn't seem to fit well with how OpenBSD is developed - fixing problems seems at least equally important as adding new features, so that's a lot of time spent analysing (e.g. as to whether a particular problem fixed might affect security). The people who are capable of that type of analysis usually can find more productive ways to spend their time.

> But think of application servers that run all weird kinds of things ... it is a nightmare to upgrade those every half a year (not speaking of *patching* - only saying that since some posts seem to treat patching and OS upgrade similarly).

There doesn't have to be so much difference, actually. With OpenBSD an upgrade is usually pretty straightforward. The main part of the process (boot from bsd.rd, run the 'upgrade' process) can equally be used for patches and upgrades.

With an upgrade the initial step is to read updateXX.html; with a patch you can first create distribution *.tgz files using 'make build' and 'make release' and host them on local ftp (a bit of overkill for one or two machines, but invaluable on a larger network).

Obviously there have been major transitions (a.out to ELF, for example) where greater care has to be taken, but these are unusual and well-publicised. Perhaps they can be taken as a cue to carry out a more involved rebuild rather than a simpler upgrade (which often gives a chance to refactor and simplify a complex organically-grown system).

With an application server, you often have to pay so much attention to keeping the parts other than the OS up-to-date (which of course are the parts with the most custom configuration), that the time spent on the OS is pretty low in comparison anyway.
Re: Lifecycle question
On Tue, Sep 06, 2005 at 11:00:34AM +0100, Stuart Henderson wrote:
> There doesn't have to be so much difference, actually. With OpenBSD an upgrade is usually pretty straightforward. The main part of the process (boot from bsd.rd, run the 'upgrade' process) can equally be used for patches and upgrades.
>
> With an upgrade the initial step is to read updateXX.html; with a patch you can first create distribution *.tgz files using 'make build' and 'make release' and host them on local ftp (a bit of overkill for one or two machines, but invaluable on a larger network).

I usually do it the other way. Dirty, but works most of the time. Minimal downtime for sure.

    # record installed packages, then trim the list by hand
    pkg_info | awk '{print $1}' > packages-2keep
    vi packages-2keep    # leave the bare minimum which will bring the rest as dependencies

    # keep a copy of the old kernel and the old /bin and /sbin, and use the
    # old binaries while the new sets are being extracted over the live system
    mkdir /old
    mv /bsd /bsd.old
    mv bsd /bsd
    cp -R /bin /sbin /old/
    export PATH=/old/sbin:/old/bin:$PATH

    # extract the new sets (run from the directory holding the *.tgz files)
    for file in man* comp* base*; do tar -zvxpf $file -C/; done
    reboot

Then - either pkg_add according to packages-2keep, or ports rebuild.

For non-kernel issues `tar -zvxpf ... -C/` works like a charm. :-)

--
Igor "CacoDem0n" Grabin, http://violent.death.kiev.ua/
Re: Lifecycle question
--On 06 September 2005 10:16 +0200, Stephan A. Rickauer wrote:
> There is one thing I still don't understand. What effort is it to deliver patches (not backports) longer than just a few months - given that the overall amount of patches per release is low with OpenBSD anyway... let's say you have four security relevant patches per release, then you had 20 in 2.5 years ...

Development does not stand still. There are *huge* differences in some areas of OpenBSD over two years of time. In many cases, some are designed to block new areas of attack, and to clean up code in a major way. Forcing you to update at least once every two releases is a good way to make sure you benefit from all these changes. And evaluating those changes, and porting back whatever may have some security relevance, is too hard.

If you prefer: some developer rewrites some code to clean it up at time T. Then a new attack comes up at time T2 that targets that specific area. We discover that OpenBSD is not affected... well, if the gap between T and T2 is greater than two releases, we do not even check that the old code was affected. This happens more often than you would think.
Re: Lifecycle question
Stephan A. Rickauer wrote:
> Nick Holland schrieb:
> ...
>> Yes, OpenBSD had new releases every six months, and only supports a previous release with patches for one past release, so your frequency is going to be higher. So, at the outside, you are looking at an upgrade
>
> Ok, that is the key issue here. Upgrading a firewall which has not much software installed at all, which even runs in a HA environment etc. is really not a big thing. But think of application servers that run all weird kinds of things ... it is a nightmare to upgrade those every half a year (not speaking of *patching* - only saying that since some posts seem to treat patching and OS upgrade similarly).

well...they often are a very similar process. The good news is upgrading OpenBSD is pretty well documented in one place. However, the application servers you mention often will need *application* upgrades, probably more often than OpenBSD does. You will end up doing your upgrades one way or another. Sometimes the applications will just be patched, in other cases, you will have to upgrade to new versions.

> ...
> One main reason why companies are interested in 'enterprise products' of vendors like Redhat and SuSE etc. is the five (!) year lifecycle (at least with SuSE, don't know with RH). That means you buy your hardware, install the OS, patch five years and toss the systems afterwards. That keeps TCO pretty low compared to a (technically much better) system that I need to reinstall/upgrade 10 times during that period, don't you think?

not at all. If that Redhat system gets rooted once in five years, you will lose far more than you ever lost in time doing planned upgrades/updates. Your reputation, your client/customer data is worth far more than planned upgrades.

> There is one thing I still don't understand. What effort is it to deliver patches (not backports) longer than just a few months - given that the overall amount of patches per release is low with OpenBSD anyway... let's say you have four security relevant patches per release, then you had 20 in 2.5 years ... Well, I am not a programmer, therefore I may not see the effort.

First of all, you are trivializing the process of making patches. In some cases, yes, it is just a matter of applying the exact same patch in the earlier tree. But that is certainly not always the case. Sometimes the patch needs significant reworking to work on previous versions, and of course, each patch has to be tested on each release that is supported.

Let's say a bug is found. It is fixed. A quick look is taken to see what the significance of the bug is. IF there is obviously an implication to the bug (reliability, security), it is published as an errata patch. If not, we just move on. The developers don't spend a huge amount of time looking at the implications of a bug -- it's a bug, fix it. This attitude causes the often-seen "fixed six months ago in OpenBSD" message on security bulletins. Sometimes people criticize the OpenBSD project because we don't wave our hands and warn people of every bug we find...well, watch the source-changes list, you will see thousands of bugs fixed every year. IF there is clearly a security implication, sure, we let people know, but if it isn't obvious, fix and move on.

Here's the gotcha: Most bugs are *potential* security holes. We treat 'em as such. Most other projects are only interested in proof that a bug has security implications. We don't care, it's a bug, fix it. Anyone remember the OpenSSH bug where some people who should have known better were running around encouraging people to *ignore* our warnings and NOT upgrade until we showed the actual bug? And that was one that was CLEARLY a security bug.

Any of those "fixed and moved on" bugs could later be found to be exploitable. OpenBSD 3.5 is not as secure as OpenBSD 3.6 was, patches or no patches. OpenBSD 3.7 is more secure than 3.6. And so on. OpenBSD is about security. Supporting old releases, even if practical, would be defeating the purpose people use OpenBSD for.

I can not believe that SuSE or any other Linux vendor can provide good support for five-year-old platforms, regardless of claims. Linux thrashes too much ("This week's packet filtering system is X") for this to be practical. Since they clearly don't proactively audit code anyway, how will they even find bugs in obsoleted code from three or four years ago until AFTER they are exploited?

Nick.
Re: update /etc/changelist as part of package install?
Ingo Schwarze wrote:
> By the way, in case you are looking for serious intrusion detection, you should not rely on /etc/security anyway, but install (and maintain!) some real intrusion detection system.
>
> Yours,
> Ingo

Agreed. Even storing hashes off site it wouldn't be difficult to get around this system. But I do find it extremely useful for keeping track of system changes.

What real IDS would people here recommend?

Mike
Active Swap space
Hi all,

I have an OpenBSD system acting as a firewall. When I use the top command I see that the swap space is not being used. I'd like to know if the swap space is only enabled when the system needs it or if it's enabled just when the system comes up.

Thanks

--
João Salvatti
Undergraduating in Computer Science
Federal University of Para - UFPA
web: http://salvatti.expert.com.br
e-mail: [EMAIL PROTECTED]
Re: Active Swap space
--On 06 September 2005 09:36 -0300, João Salvatti wrote:
> I have an OpenBSD system acting as a firewall. When I use the top command I see that the swap space is not being used.

Typically, one would hope that a firewall doesn't have to swap...

> I'd like to know if the swap space is only enabled when the system needs it or if it's enabled just when the system comes up.

It's enabled when the system comes up, but only used when the system needs it. You can also display it with 'pstat -s' (default output in blocks, add -k for KB). If you're using multiple partitions, it lists them separately.
Re: Active Swap space
It is enabled at all times but on OpenBSD, it is not used until needed. See also 'swapctl -l' and swapctl(8).

Andreas

On 06/09/05, João Salvatti [EMAIL PROTECTED] wrote:
> Hi all,
>
> I have an OpenBSD system acting as a firewall. When I use the top command I see that the swap space is not being used. I'd like to know if the swap space is only enabled when the system needs it or if it's enabled just when the system comes up.
>
> Thanks
>
> --
> João Salvatti
> Undergraduating in Computer Science
> Federal University of Para - UFPA
> web: http://salvatti.expert.com.br
> e-mail: [EMAIL PROTECTED]

--
Andreas Kahari
sendmail and clamd
Hi list,

I am planning to use OpenBSD as a mail server with sendmail and clamd as antivirus on an intel machine. What can I use to connect sendmail and clamd? I know that there are several methods: milter, amavis etc...

Thanks,
Cristian Del Carlo
Snort-Inline with OpenBSD
Hello community

I tried to install Snort_Inline on my OpenBSD firewall. But in the ports collection only snort is implemented. When I try to compile / configure the sources from www.snort.org with --enable-inline I get an error that a libipq.h is missing. It's a file for iptables under linux.

Now my question: Is there any way to install snort with inline functionality??

Please help

Regards
Florian
Re: sendmail and clamd
Cristian Del Carlo wrote:
> Hi list,
>
> I am planning to use OpenBSD as a mail server with sendmail and clamd as antivirus on an intel machine. What can I use to connect sendmail and clamd?

smtp-vilter, which is in ports.

> I know that there are several methods: milter, amavis etc...
>
> Thanks,
> Cristian Del Carlo
Re: sendmail and clamd
Cristian Del Carlo schrieb:
> What can I use to connect sendmail and clamd?

We use clamsmtp on linux. Don't know whether it is available for OpenBSD... Anyway: http://memberwebs.com/nielsen/software/clamsmtp/

--
Stephan A. Rickauer
Institut für Neuroinformatik, Universität / ETH Zürich, Winterthurerstrasse 190, CH-8057 Zürich
Tel: +41 44 635 30 50 Sek: +41 44 635 30 52 Fax: +41 44 635 30 53
http://www.ini.ethz.ch
Re: sendmail and clamd
--On 06 September 2005 15:13 +0200, Cristian Del Carlo wrote:
> I am planning to use OpenBSD as a mail server with sendmail and clamd as antivirus on an intel machine. What can I use to connect sendmail and clamd?

/usr/ports/mail/smtp-vilter works nicely, but if users should normally receive most attachments, take care with attachment.conf (or disable the attachment backend). Configuration seems quite a lot easier than amavisd-new.
Re: Snort-Inline with OpenBSD
> Now my question: Is there any way to install snort with inline functionality??

I don't know; snort inline needs the netfilter API. You can use snortsam.

- http://www.snortsam.net
bgpctl
I've started to test bgpd to see if I can use it for a future project.

Are there any plans to make bgpctl show communities, originator-id and cluster-list?

Any plans of adding route-refresh to bgpctl? Something like 'bgpctl nei peer clear (in|out)'?

Although I miss a few features it is really nice to use; it is starting to give me the same feeling as pf. I got a 10 router bgp-only test network up and running in just a few hours, most of the time was spent installing the boxes.

/Tony S

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, I couldn't help it, it's my nature =-
Re: sendmail and clamd
...on Tue, Sep 06, 2005 at 03:13:01PM +0200, Cristian Del Carlo wrote:
> I am planning to use OpenBSD as a mail server with sendmail and clamd as antivirus on an intel machine. What can I use to connect sendmail and clamd? I know that there are several methods: milter, amavis etc...

Depends on your hardware and the amount of traffic you expect (and some other things). I'm successfully using smtp-vilter as milter for clamav, but I haven't followed the latest development on OpenBSD pthreads, and people used to say that there's problems with the thread implementation (search the archives for specifics) - so going with milters might not be the optimal solution for a high-volume system.

I've done some setups with MailScanner, which works quite nicely even under extreme loads, but is queue-based instead of being plugged into the MTA like a milter in sendmail, so mails have to be fully accepted into the system before MailScanner can work on them.

Alex.
Re: Snort-Inline with OpenBSD
There is no support for PF. If you need in-line function for an IPS, you can take a look at a FreeBSD/snort_inline/IPFW/divert socket solution: http://freebsd.rogness.net/snort_inline/

The snort_inline code primarily supports Linux netfilter/libipq.

Also note that snort2pf is considered Active Response and not really an IPS, since it is not in-line.

Cheers,
_Raju

On 9/6/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Do you search for something like this?
> http://www.thinknerd.org/~ssc/wiki/doku.php?id=snort2pf
>
> -----Original Message-----
> From: Florian [mailto:[EMAIL PROTECTED]
> Sent: Tuesday 6 September 2005 15:20
> To: misc@openbsd.org
> Subject: Snort-Inline with OpenBSD
>
> Hello community
>
> I tried to install Snort_Inline on my OpenBSD firewall. But in the ports collection only snort is implemented. When I try to compile / configure the sources from www.snort.org with --enable-inline I get an error that a libipq.h is missing. It's a file for iptables under linux.
>
> Now my question: Is there any way to install snort with inline functionality??
>
> Please help
>
> Regards
> Florian

--
May the packets be with you.
(3.6) httpd - Too many open files - problem
Hi.

I'm using OpenBSD (3.6 now) as my web/dns/mail/whatever server for a couple of years. I was very satisfied until a couple of days ago I noticed that my web server is not working. I restarted apache, everything was ok then, but after some time the same happened. I got many many lines like this in error_log:

    [Tue Sep 6 13:58:01 2005] [error] [client 84.47.4.140] (24)Too many open files: file permissions deny server access: /htdocs/apex.sk/index.html

The traffic is very low, there are a few very simple web pages. Can anybody tell me what's wrong, or where to look? Anyway, this weekend I'm gonna upgrade it to 3.7 probably...

Thanks
Hunci
Re: sendmail and clamd
On Tue, 06-09-2005 at 15:13 +0200, Cristian Del Carlo wrote: Hi list, i am planning to use openbsd as mail server with sendmail and clamd as antivirus on intel machine. What can i use to connect sendmail and clamd? I know that there are several methods : milter, amavis etc... Thanks, I'm using the milter provided with the clamav port and it works pretty fine for me. Actually I'm using two milters on the same machine: the first is to interface a bayesian anti-spam filter, and the second one is to interface clamav. regards, Juanjo -- Development and systems: http://www.usebox.net/ Personal page: http://www.usebox.net/jjm/
Re: Lifecycle question
Stephan A. Rickauer wrote:
Nick Holland schrieb: There are a lot of measures to how the upgrade process works out. Here are SOME:
1) Frequency (i.e., how often do you need to do upgrades)
2) Difficulty (how much human work is involved)
3) Urgency (when an upgrade is needed, how important is it that it is done *NOW*)
4) Downtime (when you do the upgrade, do you need to do it at 3:00am, or can you do it during production hours?)
5) Flexibility (what cute tricks can you do to make the process simpler, safer, easier, etc.)

I agree. Furthermore, one has to distinguish between upgrades of an entire OS release level and patching a running system. The latter is not

This is somewhat related to what I wrote earlier -- the severity of upgrading an entire OS release level is (with some subjectivity) insignificant compared to what I have seen on other OSes. This is a clear benefit of the short release cycle, and it would be a waste not to use it, e.g. by upgrading only once a year. Consider upgrading an intrusive patch, i.e. something you might already be used to on other OSes, except that it doesn't happen every month but every six months. I say that, because if you'd choose to do the patching as I do (see Nick's point #5), upgrading is pretty much the same work as patching, with only a few extra steps. The largest part of the procedure is explained in the release(8) man page.

To recapitulate, the steps required for upgrading OpenBSD manually are:
0. Get the install media: buy a CD, or download, or make your own release(8) at the appropriate time on a local build box tracking -current
1. Install and boot new kernel
2. Untar install sets
3. Update /etc and /dev
4. Reboot

This is quite similar to patching the way I do it, except that it's ok to take a shortcut and /etc and /dev may be left alone:
0. Make a new -stable release(8)
1. Install new kernel (shortcut: it's ok not to reboot here)
2. Untar install sets: for x in list of sets; do tar xpfz $x -C /; done
3. Reboot

This release(8) stuff is the reason why I highly suggest having some support infrastructure -- a build machine in addition to test boxes. I am using a few self-written scripts for making releases; bloaty sh stuff from 1.5 years ago -- they work nicely, but aren't fit for wide public release and are probably in desperate need of a rewrite. Interested parties may request them, though, and I will give them to anyone who can convince me that (s)he doesn't actually need them (wrt release(8) knowledge.) Anyways, with these scripts, that anyone could just as well write for him- or herself, I start a screen and come back later -- two hours later, give or take, I have nice -stable install sets that I can deploy and a bootable install .iso image if I need it. This is lots of work for the computer, and very little to do for me. I estimate some 10 minutes of actual human work, and during the course of following -stable, even more things could be automated than what I currently do.

*patching* - only saying that since some posts seem to treat patching and OS upgrade similarly).

They *are* really similar, see above. :-)

One main reason why companies are interested in 'enterprise products' of vendors like Redhat and SuSE etc. is the five (!) year lifecycle (at least with SuSE, don't know with RH). That means you buy your hardware, install the OS, patch five years and toss the systems afterwards. That

As Henning@ is quoted from somewhere in another mail, he has some boxes that were upgraded since OpenBSD 2.7. Those are from more than 5 years ago, and since he even made it through the a.out-ELF change, I can't think of anything that would prevent this from going on another 10 years ... well, except for utter and complete hardware destruction or those boxes becoming too slow for their future purpose(s).

Moritz
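Step 2 of the procedure above, "untar install sets", is where a one-line loop quietly does the most damage if it goes wrong, so here is an added example (not Moritz's unpublished scripts, and not from the original post) of that step as a function that can first be pointed at a scratch directory. It assumes the sets are named base38.tgz, comp38.tgz, etc38.tgz and so on and sit in one directory; it leaves the etc sets alone because /etc is merged separately in step 3.

```sh
#!/bin/sh
# Added example: step 2 of the upgrade ("untar install sets") as a function
# that can be tried against a scratch root first. Not Moritz's scripts.
# Assumptions (not from the post): sets are named base38.tgz, comp38.tgz,
# etc38.tgz, xbase38.tgz, ... and all sit in one directory.

# ordered_sets SETDIR
# Lists the sets to extract, base first; base must land before the rest.
# The etc sets are deliberately absent: /etc is merged in the next step.
ordered_sets() {
    setdir=$1
    for prefix in base comp man misc game xbase xfont xserv xshare; do
        for f in "$setdir"/$prefix[0-9]*.tgz; do
            [ -f "$f" ] && printf '%s\n' "$f"
        done
    done
}

# extract_sets DESTROOT SETDIR
# -p keeps modes and setuid bits as shipped in the set. Stops at the
# first set that fails to extract so a half-upgraded root is noticed.
extract_sets() {
    dest=$1
    setdir=$2
    if [ "$dest" = "/" ] && [ "$(id -u)" -ne 0 ]; then
        echo "refusing to untar onto / as a non-root user" >&2
        return 1
    fi
    n=0
    for f in $(ordered_sets "$setdir"); do
        case ${f##*/} in
            etc*|xetc*) continue ;;   # belt and braces: never over a live /etc
        esac
        echo "extracting $f"
        tar xzpf "$f" -C "$dest" || return 1
        n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then
        echo "no sets found in $setdir" >&2
        return 1
    fi
    echo "$n sets extracted into $dest"
}

# Dry run against a scratch directory before touching /, e.g.:
#   mkdir /tmp/newroot && extract_sets /tmp/newroot /home/rel/sets
```

Run it against a scratch root once and diff the result against a known-good install before letting it loose on /; the function returns non-zero on the first failed set, which is the condition a cron-driven upgrade must stop on rather than reboot through.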
Re: Snort-Inline with OpenBSD
The problem is, that the firewall MUST run with OpenBSD !! Thanks for answers
Re: sendmail and clamd
Ok, thanks a lot it seems quite simple to configure. I don't know about the configuration of sendmail. What i need to have in sendmail.cf to work with smtp-vilter? Thanks, cristian On Sep 06, 2005 03:34 PM, Stuart Henderson [EMAIL PROTECTED] wrote: --On 06 September 2005 15:13 +0200, Cristian Del Carlo wrote: i am planning to use openbsd as mail server with sendmail and clamd as antivirus on intel machine. What can i use to connect sendmail and clamd? /usr/ports/mail/smtp-vilter works nicely, but if users should normally receive most attachments, take care with attachment.conf (or disable the attachment backend). Configuration seems quite a lot easier than amavisd-new.
Re: sendmail and clamd
Search google for openbsd vilter. Then follow the cached link at the top of the results. The tutorial describes pretty much what you want. Also tells you how to generate a new sendmail.cf. Also, update your /etc/rc* files to have sendmail use the new config file. vlad On Tue, Sep 06, 2005 at 05:03:15PM +0200, Cristian Del Carlo wrote: Ok, thanks a lot it seems quite simple to configure. I don't know about the configuration of sendmail. What i need to have in sendmail.cf to work with smtp-vilter? Thanks, cristian On Sep 06, 2005 03:34 PM, Stuart Henderson [EMAIL PROTECTED] wrote: --On 06 September 2005 15:13 +0200, Cristian Del Carlo wrote: i am planning to use openbsd as mail server with sendmail and clamd as antivirus on intel machine. What can i use to connect sendmail and clamd? /usr/ports/mail/smtp-vilter works nicely, but if users should normally receive most attachments, take care with attachment.conf (or disable the attachment backend). Configuration seems quite a lot easier than amavisd-new.
Re: [OT]: good home switch?
On Sun, 4 Sep 2005, Shawn K. Quinn wrote: On Sun, 2005-09-04 at 13:57 +0200, [EMAIL PROTECTED] wrote: p.s. Forget about D-Link! I recommend staying far, far away from this crap. I am using a D-Link switch and it has performed acceptably so far. Their wireless access points might be another story, though... I have used a D-Link AP for many years (via POE), no problems whatsoever. We also use Linksys 5-port / 8-port switches and have found that they 'like' to be power cycled on a regular basis (a la weekly). Lee Leland V. Lammert [EMAIL PROTECTED] Chief Scientist Omnitec Corporation Network/Internet Consultants www.omnitec.net
Re: Lifecycle question
The reason why I bother this list is that I am impressed by OpenBSD from the technical point of view. I like its consistency and purity. But in business environments or comparable organizations where money is an issue, one needs to think about system management very carefully, since it has a direct impact on money as well. That's why I can't understand how people can really live with the 6 month lifecycle.

I don't understand this whole conversation. Instead, what those vendors give people is a 5 year patch-every-month cycle. That is completely unsustainable. The pieces we build upon are advancing too fast. I don't buy into that method of operating system componentization at all, that you can just keep patching and patching. It was not true 15 years ago, 10 years ago, 5 years ago, and I see no proof that it will be true ever in the future.
Re: Lifecycle question
Stephan A. Rickauer wrote:
Tobias Weingartner schrieb: This is a systems management issue. It all depends on how you manage your systems. Compartmentalizing change, change management, etc. I
Exactly.
can recommend talking to Fritz Zaucker (tell him I sent ya). He's at ETHZ as well (in EE I think). His team, along with Tobias Oetiker and the guys/gals over there have some experience in this sort of management.
Yes, I know those guys. They base their infrastructure on Debian mostly. And they've had the man power to build great system management tools, like SEPP or the ISG Toolchest. The reason why I bother this list is that I am impressed by OpenBSD from the technical point of view. I like its consistency and purity. But in business environments or comparable organizations where money is an issue, one needs to think about system management very carefully, since it has a direct impact on money as well. That's why I can't understand how people can really live with the 6 month lifecycle. Thanks,

Hi, My input on living with a 6 month release cycle...

Security is always a compromise. I can accept a 6 month release cycle in the interests of keeping a system exposed to the Internet as proactively secure as possible. I find little comfort in other operating systems where security is more of a management by crisis environment. OMG, an active exploit, we need to patch NOW! That is MUCH more disruptive than a planned upgrade that realistically takes little time. As someone else pointed out, an actual intrusion takes a much larger amount of time (forensics trying to figure out how far the damage goes... try that on 250+ PCs!!). With tools such as expect, serial consoles, the rather simple upgrade cycle, central storage of configuration files (ssh backups nightly of /etc), it can be pretty simple to press a button and have an upgrade happen.

I haven't taken it that far myself, because I only maintain 6 OpenBSD firewalls, but I have to say they are on the east coast, central, and western Canada, and I have YET to make an onsite visit (well, that wouldn't happen, but the server would be shipped to me.. darn, I'd love to get to Halifax! :-) ). Anyway, of course you have to make your own decision, and as you have stated, you are not a programmer, so yes, that puts you in a difficult position from an automation point of view. Much kudos to you for having the foresight to be considering this issue.

One more point.. from a programmer's point of view... Some patches are trivial to backport. Other patches can be EXTREMELY difficult, if not impossible under certain circumstances. There can be a cascading effect of dependencies, and the chances of this increase as you go back in time. If the OpenBSD team promised to support (pick a number) 4 releases back, there is a huge chance that at some point in time, they will just technically NOT be able to back port a security issue to a (pick a number) 2 year old system. In this case, they have to break their promise and say sorry, but we cannot do it and maintain the integrity of the system. To get this patch, you will have to upgrade your system. WHAM, out of the blue you need to plan in a panic to upgrade your 100, 200, etc. systems. With some of the changes in OpenBSD, I would imagine it is difficult to support 1 release back, but they have made that commitment, and to my knowledge have never failed. I cannot imagine any software vendor promising a secure system for 5 years! There is absolutely NO WAY to predict the state that computers will be in 5 years from now. Maybe someone will bring a Quantum computer online and our whole concept of security will have to change (and yes, I know I am talking out of my ass here)... but 5 years is a HUGE amount of time.

That would be 10 releases of OpenBSD, and that would date back to OpenBSD 2.7, which is about where I started using OpenBSD. The state of the world has changed significantly since then. Who would have thought that we would have to dedicate so much human time/computer resources to fighting SPAM?? I first set up spamdb on OpenBSD 3.6. There were feature enhancements that made it better for 3.7, enough that it justified (in my mind) upgrading.

As for application servers, I have a different perspective. Protect them with other servers that you plan on keeping secure. Get the app server working, make sure you have good hardware, and forget about them. I have a few OpenBSD systems internal on networks protected by other hardware that are running probably 3.2. They are not exposed to the Internet, have basic protection for themselves, and I have no intentions of upgrading them until my client wants to upgrade the software... In this case, I have an attitude of if it's not broken, don't fix it. I know that it's a risky policy, but as I said in my first sentence, security is a tradeoff. Best of luck on your decision!
Re: Lifecycle question
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Theo de Raadt Sent: Tuesday, September 06, 2005 11:43 AM To: Stephan A. Rickauer Cc: misc@openbsd.org Subject: Re: Lifecycle question

The reason why I bother this list is that I am impressed by OpenBSD from the technical point of view. I like its consistency and purity. But in business environments or comparable organizations where money is an issue, one needs to think about system management very carefully, since it has a direct impact on money as well. That's why I can't understand how people can really live with the 6 month lifecycle.

I don't understand this whole conversation. Instead, what those vendors give people is a 5 year patch-every-month cycle. That is completely unsustainable. The pieces we build upon are advancing too fast. I don't buy into that method of operating system componentization at all, that you can just keep patching and patching. It was not true 15 years ago, 10 years ago, 5 years ago, and I see no proof that it will be true ever in the future.

Familiarity breeds content. I'm scared to death just patching OpenBSD, but I just did another successful one recently and my stress levels go down every time. While I have been personally using OpenBSD for years, it was only with version 3.6 that I started using it in production. I'm sure that over time, I'll be less scared. I'm nervous when I update Linux, Windows, Novell, OSX, or OpenBSD. I think what scares me about OpenBSD is that _I_ will make a mistake due to the additional manual steps. Most other systems automate more, and I can falsely assume that people smarter than me have worked through the issues. It is hard to get a feel for the true level of risk without statistics. People can give anecdotal evidence about how a Windows security update blew out their accounting server and required a rebuild. You can get those stories for any OS.

I think the lifecycle question will seem less disruptive as I become more familiar. Perhaps we should call the current OpenBSD Version 3, Service Pack 7. In the Windows world, there are all kinds of software packages that require a recent service pack. Windows 2000 is supported for many years, but not at the original service pack level if you intend to do anything useful with it. Same thing with OSX.
Re: bgpctl
tony sarendal wrote: I've started to test bgpd to see if I can use it for a future project. Are there any plans to make bgpctl show communities, originator-id and cluster-list? Any plans of adding route-refresh to bgpctl? Something like bgpctl nei peer clear (in|out)? Although I miss a few features it is really nice to use, it is starting to give me the same feeling as pf. I got a 10 router bgp-only test network up and running in just a few hours, most of the time was spent installing the boxes. /Tony S

You've read my mind, that was going to be my next question if my issue about having multiple communities per route was addressed (I tried -current and it doesn't work). Soft reset, and more route information from bgpctl are sorely needed. Thanks, Karl
OpenBSD 3.8-beta MP Panic
I thought I would give the latest Beta a try on a 4WAY PIII. The USB is supposed to be disabled in the BIOS as there are no physical USB connectors even on this box. Its a Dell 6350 ---Mike

OpenBSD/i386 BOOT 2.10
boot
booting hd0a:/bsd: 4846336+944176 [52+249696+230995]=0x5fb28c
entry point at 0x100120
[ using 481116 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2005 OpenBSD. All rights reserved. http://www.OpenBSD.org

OpenBSD 3.8-beta (GENERIC.MP) #277: Mon Aug 22 23:04:26 MDT 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium III Xeon (GenuineIntel 686-class, 1024KB L2 cache) 500 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 2147061760 (2096740K)
avail mem = 1953095680 (1907320K)
using 4278 buffers containing 107454464 bytes (104936K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 02/12/03, BIOS32 rev. 0 @ 0xffe90
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc7a0/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:02:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x6600 0xd/0x1000 0xd4000/0x800 0xd8000/0x800 0xdc000/0x800
mainbus0: Intel MP Specification (Version 1.4) (DELL PowerEdge 83)
cpu0 at mainbus0: apid 3 (boot processor)
cpu0: apic clock running at 100 MHz
cpu1 at mainbus0: apid 0 (application processor)
cpu1: Intel Pentium III Xeon (GenuineIntel 686-class, 1024KB L2 cache) 500 MHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel Pentium III Xeon (GenuineIntel 686-class, 1024KB L2 cache) 500 MHz
cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
cpu3 at mainbus0: apid 2 (application processor)
cpu3: Intel Pentium III Xeon (GenuineIntel 686-class, 1024KB L2 cache) 500 MHz
cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type ISA
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apic 4
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pcib0 at pci0 dev 2 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 2 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 ignored (disabled)
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 2 function 2 Intel 82371AB USB rev 0x01pci_intr_map: bus 0 dev 2 func 2 pin 4; line 5
pci_intr_map: no MP mapping found
isa_intr_establish: no MP mapping found
: irq 5
usb0 at uhci0uhci0: host controller process error
uhci0: host controller halted
: USB revision 1.0
uhci_freex: xfer=0xd2863a00 not busy, 0x4f4e5155
panic: usbd_transfer: not done
Stopped at      Debugger+0x4:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb{0}> trace
Debugger(d2863900,65,1,0,d2863900) at Debugger+0x4
panic(d056fb6a,d2863940,8,d289cd80,d2863900) at panic+0x63
usbd_sync_transfer(d2863900,d059fb60,d06fea68,d0310125,d059fb60) at usbd_sync_transfer
usbd_do_request_flags_pipe(d289cd80,d289cd00,d06feae0,d289cdb8,0) at usbd_do_request_flags_pipe+0x72
usbd_do_request_flags(d289cd80,d06feae0,d289cdb8,0,0) at usbd_do_request_flags+0x23
usbd_do_request(d289cd80,d06feae0,d289cdb8,d04a1eb4,1000680) at usbd_do_request+0x1d
usbd_get_desc(d289cd80,1,0,8,d289cdb8,c8,1,0) at usbd_get_desc+0x3d
usbd_new_device(d289ce00,d28a1000,0,2,0,d289ce34,d06fed08,d049eceb) at usbd_new_device+0x152
usb_attach(d28a1000,d289ce00,d28a1000,0,d28a1000) at usb_attach+0xf1
config_attach(d28a1000,d0585614,d28a1000,d049f0ac,1) at config_attach+0xef
uhci_pci_attach(d289bf40,d28a1000,d06fedf0,0,d289f000) at uhci_pci_attach+0x21d
config_attach(d289bf40,d0583f04,d06fedf0,d0364f7c) at config_attach+0xef
pciattach(d289bfc0,d289bf40,d06feeb0,0,d0593058) at pciattach+0x1c8
config_attach(d289bfc0,d05833e8,d06feeb0,d0364b48) at config_attach+0xef
mainbus_attach(0,d289bfc0,0,0,d06fef10) at mainbus_attach+0x134
config_attach(0,d05833c4,0,0,d05d7100) at config_attach+0xef
config_rootfound(d051ba1c,0,d06fef58,d033a530) at config_rootfound+0x27
cpu_configure(0,1,3,0,7fffe000) at cpu_configure+0x1f
main(0,0,0,0,0) at main+0x359
ddb{0}> ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT     COMMAND
*    0     -1      0      0  7     0x80204           swapper
ddb{0}>

If I take out the Sangoma DSL modem, the boot looks like

ddb{0}> OpenBSD/i386 BOOT 2.10
boot
booting hd0a:/bsd: 4846336+944176
Multiple IP's on single NIC using DHCP
In short, I'm looking for a way to obtain multiple IP addresses via DHCP on a single NIC. For a more elaborate explanation, see below.

I'm working on a router / firewall in a somewhat arcane network setup. The situation is as follows: I live in a student dorm with a fairly large local 100 Mbit network, where everyone has a single network outlet. For every system you want to use on the network, you have to register its MAC address before you can use it. When a computer is used, it gets its IP address via DHCP, but only if its MAC is registered. Otherwise, you'll get a very short term address that you can only use to register your MAC via a special web page. If a system isn't used for a long time, it is automatically unregistered. On the local network, you can have multiple systems active at the same time. However, internet access is provided via a single PPPoE connection per person.

What I am trying to do, is using an OpenBSD computer as firewall and gateway for my computers. It sits between the large local network, and my personal switch. Internet access is shared via NAT, but on the local dorm network I want each of my PCs to have its own IP address using binat. The problem is that I need to obtain multiple IP addresses via DHCP on the single external NIC of the router (which is connected to the dorm LAN). Also, the DHCP leases should be renewed using the registered MAC addresses as identifiers. Using static aliases is prohibited and as such not an option.

Is there a way to do this? Just sending additional MAC addresses via dhclient.conf doesn't work. It would be ideal to have some sort of virtual NICs that have the external NIC as parent physical device, but none of the OpenBSD pseudo devices appear to be really suitable for this purpose. Using a virtual device would have the extra advantage of being able to use the ($if) notation in PF, so that it can react to changes in IP addresses. Otherwise, I will have to find a way for PF to discover the addresses at boot time. Any thoughts? Regards, Richard Noorlandt
Re: Lifecycle question
Will H. Backman wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Theo de Raadt Sent: Tuesday, September 06, 2005 11:43 AM To: Stephan A. Rickauer Cc: misc@openbsd.org Subject: Re: Lifecycle question

The reason why I bother this list is that I am impressed by OpenBSD from the technical point of view. I like its consistency and purity. But in business environments or comparable organizations where money is an issue, one needs to think about system management very carefully, since it has a direct impact on money as well. That's why I can't understand how people can really live with the 6 month lifecycle.

I don't understand this whole conversation. Instead, what those vendors give people is a 5 year patch-every-month cycle. That is completely unsustainable. The pieces we build upon are advancing too fast. I don't buy into that method of operating system componentization at all, that you can just keep patching and patching. It was not true 15 years ago, 10 years ago, 5 years ago, and I see no proof that it will be true ever in the future.

Familiarity breeds content. I'm scared to death just patching OpenBSD, but I just did another successful one recently and my stress levels go down every time. While I have been personally using OpenBSD for years, it was only with version 3.6 that I started using it in production. I'm sure that over time, I'll be less scared. I'm nervous when I update Linux, Windows, Novell, OSX, or OpenBSD. I think what scares me about OpenBSD is that _I_ will make a mistake due to the additional manual steps. Most other systems automate more, and I can falsely assume that people smarter than me have worked through the issues. It is hard to get a feel for the true level of risk without statistics. People can give anecdotal evidence about how a Windows security update blew out their accounting server and required a rebuild. You can get those stories for any OS.

Yeah. But the thing about other OSes doing that is that they have significant data loss, completely dead systems and software that cannot run on that machine until it gets updated. This is not very likely with OpenBSD as the whole system is patched and built as a whole. That's one of the great things about OpenBSD as opposed to some *other* OSes... it's not simply a kernel, or userland, or windows, it's the complete package all in one. Brandon
Re: bgpctl
Agreed! Soft-reset would be awesome and more functionality from bgpctl wouldn't hurt. As is though I like the output style from bgpctl since it keeps things concise. Regards, Joe

On 9/6/05, Karl Austin [EMAIL PROTECTED] wrote: tony sarendal wrote: I've started to test bgpd to see if I can use it for a future project. Are there any plans to make bgpctl show communities, originator-id and cluster-list? Any plans of adding route-refresh to bgpctl? Something like bgpctl nei peer clear (in|out)? Although I miss a few features it is really nice to use, it is starting to give me the same feeling as pf. I got a 10 router bgp-only test network up and running in just a few hours, most of the time was spent installing the boxes. /Tony S You've read my mind, that was going to be my next question if my issue about having multiple communities per route was addressed (I tried -current and it doesn't work). Soft reset, and more route information from bgpctl are sorely needed. Thanks, Karl
Re: sendmail and clamd
Cristian Del Carlo wrote: Hi list, i am planning to use openbsd as mail server with sendmail and clamd as antivirus on intel machine. use qmail (http://cr.yp.to/qmail.html) as the MTA - not sendmail. What can i use to connect sendmail and clamd? I know that there are several methods : milter, amavis etc... Thanks, look here (http://www.clamav.net/3rdparty.html#mta) for ways of using clam with qmail. good luck! poncenby
USB flash disk stopped working after 3.7
Hello list, I just noticed that my USB flash memory stick stopped working after 3.7 (it's been a while since I last used it). Whereas it used to work perfectly, any attempt to access (e.g. read the disklabel, mount, dd, ...) the disk now just hangs the machine. So I traced back the commit which made this particular device stop working: src/sys/scsi/scsi_all.h, version 1.24 (Fri May 27 00:14:50 2005 UTC) http://www.openbsd.org/cgi-bin/cvsweb/src/sys/scsi/scsi_all.h#rev1.24 With a kernel built from sources before this commit it works, after, it doesn't. But as this commit fixes some other devices (it says so in the commit message), there is maybe another way to make this USB flash stick work again? Any ideas? Regards, Sebastiaan

And of course the obligatory dmesg (with a recent snapshot kernel). I've tried on other machines too (with different USB controllers, ...), but no difference.

OpenBSD 3.8 (GENERIC) #137: Thu Sep 1 17:41:20 MDT 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1.40GHz (GenuineIntel 686-class) 598 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2
cpu0: Enhanced SpeedStep 600 MHz (988 mV): speeds: 1400, 1300, 1200, 1100, 1000, 900, 800, 600 MHz
real mem = 526884864 (514536K)
avail mem = 473833472 (462728K)
using 4278 buffers containing 26447872 bytes (25828K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(5a) BIOS, date 01/07/05, BIOS32 rev. 0 @ 0xfd740
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC off, battery charge high, estimated 3:37 hours
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd6d0/0x930
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdeb0/256 (14 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xc800! 0xcc800/0x1000 0xcd800/0x1000 0xdc000/0x4000! 0xe/0x1
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82852GM Hub-PCI rev 0x02
Intel 82852GM Memory rev 0x02 at pci0 dev 0 function 1 not configured
Intel 82852GM Configuration rev 0x02 at pci0 dev 0 function 3 not configured
vga1 at pci0 dev 2 function 0 Intel 82852GM AGP rev 0x02: aperture at 0xe000, size 0x800
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Intel 82852GM AGP rev 0x02 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801DB USB rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801DB USB rev 0x01: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801DB USB rev 0x01: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801DB USB rev 0x01: irq 11
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb0 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x81
pci1 at ppb0 bus 1
cbb0 at pci1 dev 0 function 0 Ricoh 5C476 CardBus rev 0x8d: irq 11
vendor Ricoh, unknown product 0x0822 (class system unknown subclass 0x05, rev 0x13) at pci1 dev 0 function 1 not configured
em0 at pci1 dev 1 function 0 Intel PRO/1000MT Mobile (82541GI) rev 0x00: irq 11, address: 00:0a:e4:32:eb:cb
iwi0 at pci1 dev 2 function 0 Intel PRO/Wireless 2200BG rev 0x05: irq 11, address 00:12:f0:36:23:79
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0xb0
pcmcia0 at cardslot0
ichpcib0 at pci0 dev 31 function 0 Intel 82801DBM LPC rev 0x01
pciide0 at pci0 dev 31 function 1 Intel 82801DBM IDE rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: HITACHI_DK13FA-40B
wd0: 16-sector PIO, LBA, 38154MB, 78140160 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
Intel 82801DB SMBus rev 0x01 at pci0 dev 31 function 3 not configured
auich0 at pci0 dev 31 function 5 Intel 82801DB AC97 rev 0x01: irq 11, ICH4 AC97
ac97: codec id 0x41445374 (Analog Devices AD1981B)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
Intel 82801DB Modem rev 0x01 at pci0 dev 31 function 6 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12
Re: bgpctl
On 06/09/05, Karl Austin [EMAIL PROTECTED] wrote: tony sarendal wrote: I've started to test bgpd to see if I can use it for a future project. Are there any plans to make bgpctl show communities, originator-id and cluster-list? Any plans of adding route-refresh to bgpctl? Something like bgpctl nei peer clear (in|out)? Although I miss a few features it is really nice to use, it is starting to give me the same feeling as pf. I got a 10 router bgp-only test network up and running in just a few hours, most of the time was spent installing the boxes. /Tony S You've read my mind, that was going to be my next question if my issue about having multiple communities per route was addressed (I tried -current and it doesn't work). Soft reset, and more route information from bgpctl are sorely needed.

I also ran into the problem with multiple communities but I haven't had time to look closer at it. Have you seen any changes in bgpd since you tried -current? I was going to give it a go tonight if I manage to stay awake. /Tony -- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, I couldn't help it, it's my nature =-
Re: (3.6) httpd - Too many open files - problem
Peter Huncar wrote: I've been using OpenBSD (3.6 now) as my web/dns/mail/whatever server for a couple of years. I was very satisfied until a couple of days ago, when I noticed that my web server is not working. I restarted apache, everything was ok then, but after some time the same happened. I got many, many lines like this in error_log: [Tue Sep 6 13:58:01 2005] [error] [client 84.47.4.140] (24)Too many open files: file permissions deny server access: /htdocs/apex.sk/index.html The traffic is very low, there are a few very simple web pages. First you need to find out what is keeping all those files open. Use fstat(1) # Han
Re: bgpctl
tony sarendal wrote: On 06/09/05, Karl Austin [EMAIL PROTECTED] wrote: You've read my mind, that was going to be my next question if my issue about having multiple communities per route was addressed (I tried -current and it doesn't work). Soft reset, and more route information from bgpctl are sorely needed. I also ran into the problem with multiple communities but I haven't had time to look closer at it. Have you seen any changes in bgpd since you tried -current? I was going to give it a go tonight if I manage to stay awake. /Tony Not been any changes in the last 3 weeks as far as I can see from CVS Web. At least I've found someone else having the same problem now, was beginning to think I was losing the plot. Thanks, Karl
Re: OpenBSD 3.8-beta Alpha panic with pppoe SOS!
Hello List, I reinstalled 3.8-beta on the alpha with just the required sets and the hostname.pppoe0 and ppp.conf files, with the amap_wipeout panic still occurring. I tried UKC disable amap and pkg_delete -F amap-5.1.tgz and amap-4.5.tgz without any success. Any ideas on solving this are much appreciated. Thank you, rogern John 3:16 From: Roger D Neth Jr [EMAIL PROTECTED] To: misc@openbsd.org, [EMAIL PROTECTED] Subject: OpenBSD 3.8-beta Alpha panic with pppoe Date: Mon, 05 Sep 2005 11:58:49 -0700 Hello List, I am unable to get pppoe to work with an alpha that I want to use as a firewall. It panics amap_wipeout: corrupt amap when I connect the ADSL Speedstream modem to any of the three nics. I have used the same hostname.pppoe0 and ppp.conf files with the same modem and a secondary nic on an i386 successfully. My assumption is this is hardware related to the alpha and not OpenBSD. Would anyone be able to check this out and verify this, or let me know how I can correct this error. Would ukc disable amap work? I Googled this and did not find any information on this. Thank you, rogern John 3:16

ppp.conf
pppoedev de1
!/sbin/ifconfig de1 up
!/usr/sbin/spppcontrol \$if myauthproto=pap myauthname=xx \
    myauthkey=xx
!/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x
!/sbin/route add default 0.0.0.1
up

default:
 set log Phase Chat LCP IPCP CCP tun command
 set redial 15 0
 set reconnect 15 0

pppoe:
 set device "!/usr/sbin/pppoe -i de1"
 disable acfcomp protocomp
 deny acfcomp
 set mtu max 1492
 set speed sync
 enable lqr
 set lqrperiod 5
 set cd 5
 set dial
 set login
 set timeout 0
 set authname xx
 [snip]
Re: sendmail and clamd
Alexander Bochmann wrote: I'm successfully using smtp-vilter as milter for clamav, but I haven't followed the latest development on OpenBSD pthreads, and people used to say that there are problems with the thread implementation (search the archives for specifics) - so going with milters might not be the optimal solution for a high-volume system. We serve 20'000+ users without problems here.
Re: sendmail and clamd
On 9/6/05, Cristian Del Carlo [EMAIL PROTECTED] wrote: What can I use to connect sendmail and clamd? Perhaps, if only for hints, you may want to take a look at MailDroid that came across the list some time ago. It connects the in-base sendmail to clamav through smtp-vilter from ports. You'll find it at: http://www.maildroid.org/ Cheers, Rogier -- If you don't know where you're going, any road will get you there.
routing question
My office network has an adsl connection with a single static IP as follows: 209.145.160.141/24 (gw 209.145.160.1) I requested additional IPs from my provider and they gave me 8 addresses at: 207.246.198.216/29 They are routing all 8 of these new addresses down my adsl 'pipe'. On my OBSD box I can alias any of these 8 addresses to the outward facing nic and reach them from the outside, so I know that they work. Now I want to set up another OBSD box to use one of these addresses (which are no longer aliased to the first box).

(209.145.160.141)
OBSD #1 ---\
            Switch --- DSL Modem --- ISP (209.145.160.1)
OBSD #2 ---/
(207.246.198.220)

I was expecting that 207.246.198.217 would have been set up as the gateway on the ISP's end, leaving me with 5 usable addresses. I don't want to NAT box #2 behind box #1. Are there some routing commands that would allow me to send traffic to the ISP from box #2 using these new IPs? Thanks, -- John Brooks [EMAIL PROTECTED]
Re: routing question
On Tuesday, September 06, John Brooks wrote:

(209.145.160.141)
OBSD #1 ---\
            Switch --- DSL Modem --- ISP (209.145.160.1)
OBSD #2 ---/
(207.246.198.220)

I was expecting that 207.246.198.217 would have been set up as the gateway on the ISP's end, leaving me with 5 usable addresses. In this case, you need to create (not your ISP) a default gateway for your new 207.246.198.216/29 network on your border router, so alias 207.246.198.217 on OBSD #1. This will leave you hosts 218-222 to use any way you see fit. --- Todd M. Boyer, CISSP President AutumnTECH, LLC [EMAIL PROTECTED] http://www.AutumnTECH.com AutumnTECH Manufactures Entire Network Protection Appliances that Identify Spam and Sanitize Dangerous E-mail Content ---
Re: routing question
On Tue, 6 Sep 2005 15:25:29 -0500, John Brooks wrote: My office network has an adsl connection with a single static IP as follows: 209.145.160.141/24 (gw 209.145.160.1) I requested additional IPs from my provider and they gave me 8 addresses at: 207.246.198.216/29 They are routing all 8 of these new addresses down my adsl 'pipe'. On my OBSD box I can alias any of these 8 addresses to the outward facing nic and reach them from the outside, so I know that they work. Now I want to set up another OBSD box to use one of these addresses (which are no longer aliased to the first box).

(209.145.160.141)
OBSD #1 ---\
            Switch --- DSL Modem --- ISP (209.145.160.1)
OBSD #2 ---/
(207.246.198.220)

I was expecting that 207.246.198.217 would have been set up as the gateway on the ISP's end, leaving me with 5 usable addresses. I don't want to NAT box #2 behind box #1. Are there some routing commands that would allow me to send traffic to the ISP from box #2 using these new IPs? Thanks, -- John Brooks [EMAIL PROTECTED] Hi John, I've been doing the ADSL with a routed /29 for servers in addition to having a NATted LAN behind the same firewall. You can probably use some of the tricks I get up to to conserve addresses. Let us know what modem you are using, whether you are doing PPPoE or PPPoA or whatever and I'll tailor my reply to suit. You can get into lots of frustration by taking obvious approaches to this problem, only to find that they result in more problems rather than solutions. I don't see why you need all of that pain. From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
Re: netstat - how to show PID
On Tue, Aug 30, 2005 at 03:41:14PM +0200, Simon Dassow wrote: On Tue, Aug 30, 2005 at 03:30:01PM +0200, Miroslav Kubik wrote: Is there a way to show the PID which belongs to a socket with the netstat command? I searched the man pages but I haven't found any useful switch for my need. I searched the Linux man pages for netstat as well and it seems that Linux can do it with the -p switch. -p, --program Show the PID and name of the program to which each socket belongs. But what about OpenBSD? man fstat Regards, Simon P.S.: Missing Xref in netstat? i just added some references to make the various stat pages (some of them anyway) cross-reference each other. jmc
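Both answers above point at fstat(1): Han's for the httpd "(24)Too many open files" hunt, Simon's for finding which PID owns a socket. The script below is an added example, not something posted in either thread, that turns raw fstat output into those two answers. It assumes OpenBSD fstat's column order (USER CMD PID FD MOUNT INUM MODE R/W DV|SZ, with sockets printed as "internet stream tcp <addr> <local> ...") and skips the pseudo-descriptors (wd, root, text, tr, ctty) that fstat lists for every process; the SAMPLE block is constructed, not captured output.

```shell
#!/bin/sh
# Added example (not from the thread). On the box:
#   fstat | top_fd_holders 5      # who holds the most descriptors
#   fstat | processes_over 200    # how many processes are near a limit
#   fstat | socket_owner 22       # which process owns local port 22
# Column layout assumed: USER CMD PID FD MOUNT INUM MODE R/W DV|SZ.

# Descriptor count per "cmd pid", highest first. The header line and the
# pseudo-descriptors fstat prints for every process are left out so only
# real files and sockets are counted.
top_fd_holders() {
    awk 'NR > 1 && $4 !~ /^(wd|root|text|tr|ctty)$/ { n[$2 " " $3]++ }
         END { for (k in n) print n[k], k }' | sort -rn | head -n "${1:-10}"
}

# Number of processes holding at least $1 descriptors: a one-line health
# check to repeat after restarting a daemon that hit EMFILE.
processes_over() {
    top_fd_holders 1000000 | awk -v t="$1" '$1 >= t { c++ } END { print c + 0 }'
}

# "user cmd pid" of every internet socket whose local address (assumed to
# be the 9th field on a socket line) ends in :$1.
socket_owner() {
    awk -v port="$1" '$5 == "internet" && $9 ~ (":" port "$") { print $1, $2, $3 }'
}

# Constructed sample in fstat's shape; the socket address 0xd5cbd400 is made up.
SAMPLE='USER CMD PID FD MOUNT INUM MODE R/W DV|SZ
www httpd 4242 wd / 2 drwxr-xr-x r 512
www httpd 4242 11 / 9001 -rw-r--r-- r 1200
www httpd 4242 12 / 9002 -rw-r--r-- r 1200
www httpd 4242 13 / 9003 -rw-r--r-- r 1200
www httpd 4243 wd / 2 drwxr-xr-x r 512
www httpd 4243 10 / 9004 -rw-r--r-- r 1200
root sshd 311 wd / 2 drwxr-xr-x r 512
root sshd 311 3* internet stream tcp 0xd5cbd400 *:22'

# Run against the sample when executed directly:
#   printf '%s\n' "$SAMPLE" | top_fd_holders 1     -> 3 httpd 4242
#   printf '%s\n' "$SAMPLE" | socket_owner 22      -> root sshd 311
```

Once the offending process is known, remember that the EMFILE error is a per-process limit: on OpenBSD it comes from the login class the daemon runs under (openfiles-cur in login.conf) and is capped by the kern.maxfiles sysctl. Raising either without finding what leaks the descriptors only delays the next outage.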
adding a partition, fdisk, disklabel, and other fun
I gotta ask for help or I'm gonna hose my multi-boot system. I've got an A6 primary partition with various /usr and /var style partitions within. Pretty standard, but I ran out of disk space. I added a second primary A6 partition in the freespace of the same disk using fdisk, but cannot figure out how to use disklabel and newfs properly to add this new partition and then mount it as /var/www/htdocs. When I try to use disklabel, it seems to only want to use my existing primary partition, and not the new one. I have read the manual, which appears to be in Chinese, and then I read the FAQ, which says, This will seem confusing. Yeah? Well no shit! :) The parameters of this new partition are as follows:
- first physical sector 15,052,905 (Cyl 937, Hd 0, Sect 1)
- last physical sector 19,261,934 (Cyl 1198, Hd 254, Sect 63)
- total physical sectors: 4,209,030 (2,055.2MB)
- physical geometry: 1,823 Cyls, 255 Hds, 63 Sects
Can someone walk me through this as if I were a monkey, and take me step-by-step? I wanna tell disklabel it's got to be /var/www/htdocs on the above partition, then run newfs, then mount it, and then add it to my fstab for good. Since it took my machine almost a full day to compile the kernel + all the binaries up to -CURRENT, I'd much rather not have to wipe it clean and reinstall with the correct partition size and do it all over again. On i386, in case you didn't guess. And I'm wearing my OpenBSD greenie t-shirt as I write this!! Thanks, Kelly
Updated: Trouble connecting to OBSD VPN (isakmpd on 3.7 generic) from an XP (sp1) client using ipseccmd.exe (more data)
Still getting the same errors as below:

131529.495890 Plcy 40 check_policy: adding authorizer [passphrase:password]
131529.495915 Plcy 40 check_policy: adding authorizer [passphrase-md5-hex:5f4dcc3b5aa765d61d8327deb882cf99]
131529.495927 Plcy 40 check_policy: adding authorizer [passphrase-sha1-hex:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8]
131529.495939 Plcy 40 check_policy: kn_do_query returned 0
131529.495953 Default check_policy: negotiated SA failed policy check

For some reason it's failing in the passphrase. I've edited the policy file and conf file to remove any/all unusual codings, and even removed the Policies section (also removed spaces at the end of lines, etc.) and ended up with files as follows:

/etc/isakmpd/isakmpd.policy:
Authorizer: POLICY
Licensees: passphrase:password
esp_present == yes
esp_enc_alg != null -> true;

/etc/isakmpd/isakmpd.conf:
[General]
Retransmits = 5
Exchange-max-time = 120
Listen-on = External_ip_for_OBSD
Shared-SADB = Defined
Renegotiate-on-HUP = Defined

[Phase 1]
Default = ISAKMP-clients

[Phase 2]
Passive-Connections = IPsec-clients

[ISAKMP-clients]
Phase = 1
Transport = udp
Configuration = win-main-mode
Authentication = password

[IPsec-clients]
Phase = 2
Configuration = win-quick-mode
Local-ID = default-route
Remote-ID = dummy-remote

[default-route]
ID-type = IPV4_ADDR_SUBNET
Network = 0.0.0.0
Netmask = 0.0.0.0

[dummy-remote]
ID-type = IPV4_ADDR
Address = 0.0.0.0

[win-main-mode]
DOI = IPSEC
EXCHANGE_TYPE = ID_PROT
Transforms = 3DES-SHA-GRP2

[win-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE = QUICK_MODE
Suites = QM-ESP-3DES-SHA-SUITE

(again tried to clear any possible control characters)

On the windows side start_vpn.bat (hard coded spaces to show different lines):
@echo off
c:\ipsec\ipseccmd.exe -u
echo cleared
c:\ipsec\ipseccmd.exe -f 0=192.168.1.0/255.255.255.0 -n ESP[3DES,SHA] -t public_ip_oBSD -a PRESHARE:password -1s 3DES-SHA-2
echo part 1 finished
c:\ipsec\ipseccmd.exe -f 192.168.1.0/255.255.255.0=0 -n ESP[3DES,SHA] -t public_ip_xp -a PRESHARE:password -1s 3DES-SHA-2
echo finished

Have to admit, now it's a matter of wanting to know wtf is going on, and less a matter of wanting to move away from SSH tunneling. If anyone needs more info I can isakmpd -v -d -D A=99 2> vpn_debug.txt (then email the gzipped file), but it looks like the above errors are the problem, which implies it's a password problem, but the preshare is *EXACTLY* as you see it above (I'll change the password once it works one time.) The only things changed are the IPs to protect the not so innocent. Off to bang my head against a wall for a bit. Ben (and no, there are no firewalls currently installed on the test XP box, I want to get it to work there before running into the old, does this work with this software firewall problem on my personal laptop)
Dell m70 and HP nc6230 experiences?
Does anyone on the list have any comments or caveats on using OpenBSD as a primary OS on either the Dell Precision m70 or Hewlett Packard nc6230 notebooks? Google turns up nothing interesting on either. regards, aaron.glenn
WLAN Device problem
Hello, I have the following problem: I have a CNet CWP-854 Ralink Wireless-G PCI Adapter. I have configured it on OpenBSD 3.8 Beta and after some attempts I was able to get a status of ACTIVE, however it seems that there is no connection available; pinging any clients on the same network fails, and the same goes for the gateway too. I can't seem to understand what is wrong. I have tried other people's help; they have said probably the chip is not supported. Best Regards, Sam
Re: adding a partition, fdisk, disklabel, and other fun
On Tue, 6 Sep 2005, Kelly Martin wrote: I've got an A6 primary partition with various /usr and /var style partitions within. Pretty standard, but I ran out of disk space. I added a second primary A6 partition in the freespace of the same disk using fdisk, but Don't do this. Can someone walk me through this as if I were a monkey, and take me step-by-step? I wanna tell disklabel it's got to be /var/www/htdocs on the above partition, then run newfs, then mount it, and then add it to my fstab for good. Create some other partition type in fdisk, go into disklabel, use 'b' to edit the whole disk, and add a new partition with the appropriate values. I'd definitely use raw sector offsets for this, as CHS geometry will likely be wrong. Then newfs and away you go. -- And that's why we don't want to be expected to help clean up the mess you made.
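The reply's advice is to feed disklabel raw sector offsets rather than trust CHS geometry. Before typing the numbers from the question into a label, it is worth checking that they agree with each other; the script below is an added example, not from the thread, that does that arithmetic with the 255-head, 63-sector geometry Kelly posted and then lists the steps the reply describes. The disk name wd0 and the partition letter d are assumptions; the disklabel part is interactive and is shown as the keystrokes to type, not run.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check fdisk's numbers, then
# the disklabel/newfs/mount sequence from the reply. wd0 and partition d
# are assumed; geometry is the 255/63 from the post.

HEADS=255
SECTORS=63

# Absolute (LBA) sector for a cylinder/head/sector triple; sectors count from 1.
chs_to_lba() {
    echo $(( ($1 * HEADS + $2) * SECTORS + $3 - 1 ))
}

# Partition size in sectors from its first and last sector, both inclusive.
sector_count() {
    echo $(( $2 - $1 + 1 ))
}

# Whole megabytes, the way fdisk reports size (2048 sectors of 512 bytes).
sectors_to_mb() {
    echo $(( $1 / 2048 ))
}

# The procedure from the reply. Defined as a function so the steps read
# together; it is not called when this file is executed. disklabel -E is
# interactive, so its answers are given as comments beside each prompt.
add_htdocs_partition() {
    disklabel -E wd0
    #  > b            edit the disk boundaries so the label may extend
    #                 beyond the A6 slice: set "end" to the disk's last sector
    #  > a d          add partition d, answering the prompts with
    #                 offset 15052905, size 4209030, FS type 4.2BSD
    #  > w            write the label
    #  > q            quit
    newfs /dev/rwd0d
    mkdir -p /var/www/htdocs
    mount /dev/wd0d /var/www/htdocs
    # nodev,nosuid: nothing served from htdocs should need device nodes or setuid
    echo "/dev/wd0d /var/www/htdocs ffs rw,nodev,nosuid 1 2" >> /etc/fstab
}

# Checks against the numbers in the question:
#   chs_to_lba 937 0 1        -> 15052905
#   chs_to_lba 1198 254 63    -> 19261934
#   sector_count 15052905 19261934 -> 4209030
```

If chs_to_lba did not reproduce fdisk's first and last sector, the geometry fdisk is assuming differs from the one shown, which is exactly the case where the reply's "use raw sector offsets" matters: the offset and size in sectors are what disklabel writes, and they must describe space that no other partition already covers.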
Re: Lifecycle question
On Mon, 05 Sep 2005 15:35:19 +0200, Stephan A. Rickauer wrote: Well, I am thinking of using OpenBSD for our firewalls. Those I do want to upgrade regularly. Not because of features, but because of patches. You will be rewarded by this choice; I am sure! And still, I cannot understand the writers of arguments 'compared to'. Having something out there that is worse does not make you automatically the invincible market leader. The OpenBSD boxes that I run need the least intervention. But still, there could be even less. Patches are a good example. When I download a patch for the first box, I rather read and study and understand what is going on and apply the steps described in the header one by one, manually. For all the other boxes, I simply have no real time to sit next to them and wait for some 'make' to have finished. Also, here, the most obvious solution is a script doing this automatically on demand: checking some URL for new patches, downloading, and running the header as a script. Including recompiling the kernel (if required). Me passing by that box, checking the success and rebooting (if needed) manually should be quite enough. I don't see a need to sit next to the boxes again and again, issuing and waiting for the always same commands for always the same patch. I am too lousy a coder; and I can imagine that someone else has written a perfect script for this; so why not include this as a utility for everyone to use?
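The post above wishes for a script that checks a URL for new patches, downloads them and runs the header. The script below is an added example, not from the post or from the OpenBSD project, that does the first two parts and stops short of the third: it compares an index of patch names against a local log of what has already been applied, stages anything new, and extracts the "Apply by doing:" block from each header so it can be read before anyone runs it, which is the step the writer says they already do by hand for the first box. Assumed: the index is a plain list of patch file names, a patch header's commands are the indented lines between "Apply by doing:" and the next blank line, and the mirror URL and local paths shown are placeholders. The sample index, applied log and header are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Lists and stages new errata patches,
# printing each header's apply steps for review. Nothing from the header is
# executed by this script.
# PATCH_URL, STAGE and APPLIED are placeholders to adjust per box.

PATCH_URL=${PATCH_URL:-"http://ftp.openbsd.org/pub/OpenBSD/patches/3.7/common"}
STAGE=${STAGE:-/var/db/patches/pending}
APPLIED=${APPLIED:-/var/db/patches/applied}   # one patch file name per line

# new_patches INDEX_FILE APPLIED_FILE: names in the index that are not in
# the applied log. FILENAME is compared with ARGV[1] rather than the usual
# NR == FNR trick so an empty applied log still works.
new_patches() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         $1 != "" && !seen[$1] { print $1 }' "$2" "$1"
}

# apply_steps PATCH_FILE: the commands after "Apply by doing:" up to the
# next blank line, with their leading indentation removed.
apply_steps() {
    awk '/^Apply by doing:/ { on = 1; next }
         on && /^[[:space:]]*$/ { exit }
         on { sub(/^[[:space:]]+/, ""); print }' "$1"
}

# stage_new_patches INDEX_FILE: download each new patch into $STAGE and show
# what its header says to do. stdin of ftp is redirected so it cannot eat
# the rest of the name list. OpenBSD's ftp(1) fetches http URLs with -o.
stage_new_patches() {
    mkdir -p "$STAGE"
    new_patches "$1" "$APPLIED" | while read -r name; do
        ftp -o "$STAGE/$name" "$PATCH_URL/$name" < /dev/null || continue
        echo "== $name"
        apply_steps "$STAGE/$name"
    done
}

# Constructed samples (not a real index or errata header):
SAMPLE_INDEX='001_foo.patch
002_bar.patch
003_baz.patch'
SAMPLE_APPLIED='001_foo.patch'
SAMPLE_HEADER='Apply by doing:
    cd /usr/src
    patch -p0 < 002_bar.patch

And then rebuild and install the affected program:
    cd usr.sbin/bar
    make obj && make depend && make && make install'
```

Appending a name to the applied log only after the steps have been run and checked keeps the index diff honest; the script never writes that file itself.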
Re: routing question
On Tuesday, September 06, John Brooks wrote:

(209.145.160.141)
OBSD #1 ---\
            Switch --- DSL Modem --- ISP (209.145.160.1)
OBSD #2 ---/
(207.246.198.220)

I was expecting that 207.246.198.217 would have been set up as the gateway on the ISP's end, leaving me with 5 usable addresses. In this case, you need to create (not your ISP) a default gateway for your new 207.246.198.216/29 network on your border router, so alias 207.246.198.217 on OBSD #1. This will leave you hosts 218-222 to use any way you see fit. Well that was simple enough, takes a couple extra rules in pf on OBSD #1, but otherwise works. Thanks.
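Todd's answer (alias .217 on OBSD #1 as the /29's gateway) and John's confirmation that it also needed a couple of pf rules are the whole design, so here is what that looks like spelled out. This is an added example, not the thread's own configuration: the addresses are the ones John posted, the interface name fxp0 on both boxes is an assumption, and the pf rules are a minimal set written to match the page's description (the routed block keeps its real addresses, so it is excluded from NAT and passed in and out on the one external interface). The plan_block helper is there so the address arithmetic (network, gateway alias, remaining hosts, broadcast) can be checked rather than counted on fingers; the configure functions are not run when the file is executed.

```shell
#!/bin/sh
# Added example (not from the thread): address plan and commands for a
# routed /29 beside an existing /24 on one bridged ADSL link.
# Addresses are from the post; fxp0 is an assumed interface name.

# dotted quad <-> integer, plain POSIX sh arithmetic
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# plan_block NETWORK PREFIX: netmask, the first host (what OBSD #1 aliases
# as the block's gateway), the hosts left for other boxes, and broadcast.
plan_block() {
    hostmask=$(( (1 << (32 - $2)) - 1 ))
    base=$(( $(ip_to_int "$1") & ~hostmask ))
    bcast=$(( base | hostmask ))
    echo "netmask=$(int_to_ip $(( 4294967295 - hostmask ))) gateway=$(int_to_ip $(( base + 1 ))) hosts=$(int_to_ip $(( base + 2 )))-$(int_to_ip $(( bcast - 1 ))) broadcast=$(int_to_ip "$bcast")"
}

# The pf.conf lines OBSD #1 needs for the routed block (assumed minimal set).
pf_rules_for_routed_block() {
    cat <<'EOF'
ext_if = "fxp0"
routed = "207.246.198.216/29"
no nat on $ext_if from $routed to any
pass in quick on $ext_if from any to $routed keep state
pass in quick on $ext_if from $routed to any keep state
pass out quick on $ext_if from $routed to any keep state
EOF
}

# OBSD #1, the border box: own the /29's gateway address and forward for it.
configure_obsd1() {
    # persistent form: "inet alias 207.246.198.217 255.255.255.248" in /etc/hostname.fxp0
    ifconfig fxp0 inet alias 207.246.198.217 netmask 255.255.255.248
    sysctl net.inet.ip.forwarding=1     # persistent form: /etc/sysctl.conf
    pfctl -f /etc/pf.conf               # after adding the rules above
}

# OBSD #2: an ordinary host in the /29 whose default route is OBSD #1's alias.
configure_obsd2() {
    ifconfig fxp0 inet 207.246.198.220 netmask 255.255.255.248
    route add default 207.246.198.217   # persistent form: /etc/mygate
}

# plan_block 207.246.198.216 29
#   -> netmask=255.255.255.248 gateway=207.246.198.217
#      hosts=207.246.198.218-207.246.198.222 broadcast=207.246.198.223
```

Traffic for .220 still arrives at OBSD #1 because that is where the ISP sends the /29; OBSD #1 forwards it out the same interface to OBSD #2, and OBSD #2's replies come back through .217. OBSD #2 is therefore "next to" the firewall only in the L2 sense: every packet it exchanges with the Internet crosses OBSD #1's pf, which is why the pass rules are needed and also why the block can be filtered there.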
Re: routing question
On Tue, 6 Sep 2005 15:25:29 -0500, John Brooks wrote: My office network has an adsl connection with a single static IP as follows: 209.145.160.141/24 (gw 209.145.160.1) I requested additional IPs from my provider and they gave me 8 addresses at: 207.246.198.216/29 They are routing all 8 of these new addresses down my adsl 'pipe'. On my OBSD box I can alias any of these 8 addresses to the outward facing nic and reach them from the outside, so I know that they work. Now I want to set up another OBSD box to use one of these addresses (which are no longer aliased to the first box).

(209.145.160.141)
OBSD #1 ---\
            Switch --- DSL Modem --- ISP (209.145.160.1)
OBSD #2 ---/
(207.246.198.220)

I was expecting that 207.246.198.217 would have been set up as the gateway on the ISP's end, leaving me with 5 usable addresses. I don't want to NAT box #2 behind box #1. Are there some routing commands that would allow me to send traffic to the ISP from box #2 using these new IPs? Thanks, -- John Brooks [EMAIL PROTECTED] Hi John, I've been doing the ADSL with a routed /29 for servers in addition to having a NATted LAN behind the same firewall. You can probably use some of the tricks I get up to to conserve addresses. JB: My thoughts were to not be behind the firewall with box #2, but 'next' to it. But I'm open to all alternative methods. Having multiple options is always a good thing. Let us know what modem you are using, whether you are doing PPPoE or PPPoA or whatever and I'll tailor my reply to suit. You can get into lots of frustration by taking obvious approaches to this problem, only to find that they result in more problems rather than solutions. JB: The dsl modem is a straight bridge. No PPPoE or PPPoA. What goes in the front comes out the back. I have a single static IP on a /24 network with a normal gateway address - plus these 8 additional IPs they are now sending down my wire. I don't see why you need all of that pain. JB: I appreciate that... (sometimes a little pain can be a good thing, especially if something new is learned) From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
Re: sendmail and clamd
poncenby wrote: use qmail (http://cr.yp.to/qmail.html) as the MTA - not sendmail. Aaaag!!! At the risk of starting a flame-fest, do yourself a favour, ignore this advice and stay away from qmail. The license issue alone should make you stop and think first. It is about as encumbered with restrictions as it is possible to be with a so-called free license. After that, you have to start patching the source and rebuilding everything from scratch in order to make it actually useful. It is hideous. No one can supply you a binary or even pre-patched sources despite such patches having been extensively tested and mature. Don't expect to be able to add any kind of plug-ins either. There are plenty of MTAs out there which I would use ahead of qmail, especially if you're already using sendmail, and as other posters have pointed out, there are tools that work with sendmail as it is, so there's no need to scrap your MTA just to get clamav integration. My 2c