Re: Lifecycle question

2005-09-06 Thread Siju George
On 9/5/05, Giedrius Rekaius [EMAIL PROTECTED] wrote:
 On Mon, 05 Sep 2005 15:52:50 +0300, Stephan A. Rickauer
 [EMAIL PROTECTED] wrote:
 
  I am already in love with it, since I plan to use it as a HA-firewall
  using carp and pfsync. Problem here is just that it looks as if I had to
  reinstall it all year ...
 
 Hi Stephan,
 
 If it's just a firewall, and you won't need any new features (which will
 come with some new release), then why should you upgrade? Just configure
 it, put the server somewhere in the dark corner and it will handle its
 job very nicely :)
 

If it is a firewall it is a very dangerous thing to do.
I would recommend that you not only upgrade for every release but also
apply all security patches as soon as they are released.
Otherwise your *OpenBSD firewall* can go for a toss :-)

kind regards

Siju



Re: Lifecycle question

2005-09-06 Thread Abraham Al-Saleh
On 9/5/05, Stephan A. Rickauer [EMAIL PROTECTED] wrote:
 Ramiro Aceves schrieb:
  I like and use both systems. But if you are concerned about easy
  upgrading, I would recommend Debian GNU/Linux (no flamewars please ;-)
  ). It is a very stable system that is upgraded slowly, about every 2 years
  (they want to speed it up in the future to an 18-month cycle). You will not
 
 We have FreeBSD, Debian Sarge and SuSE 9.0  9.1  9.3 as productive
 systems running. Technically, we're kind of aware of the differences.
 
  system. If you want a desktop with hundreds of packages installed, I
  find Debian more practical to upgrade. Both systems allow you to tweak
  the internals as you want. Both come with the base system and the
  remaining applications.
 
 We use SuSE on ~50 desktops in our Institute and are quite happy (well,
 we had to tune it a bit to make it use apt-get). Debian is my first
 choice for non-BSD servers, but I would not use it for desktop purposes
 yet. Well, I don't want flame wars here either ;)
 
  Anyway, I am falling in love with OpenBSD because of its security,
  simplicity, stability, clarity, superb documentation and coherency.
  If I had to build a server connected to the dangerous Internet, I
  would undoubtedly use OpenBSD.
 
 I am already in love with it, since I plan to use it as a HA-firewall
 using carp and pfsync. Problem here is just that it looks as if I had to
 reinstall it all year ...

If that's the case, then you just take one down, upgrade it, bring it
back online, take the other down, upgrade it, bring it back online. I
fail to see the issue here. 'nuff said.

 
 Thanks,
 


-- 
Abe Al-Saleh
And then came the Apocalypse. It actually wasn't that
bad, everyone got the day off and there were barbecues
all around.



Re: Lifecycle question

2005-09-06 Thread Stephan A. Rickauer

Abraham Al-Saleh schrieb:

I am already in love with it, since I plan to use it as a HA-firewall
using carp and pfsync. Problem here is just that it looks as if I had to
reinstall it all year ...



If that's the case, then you just take one down, upgrade it, bring it
back online, take the other down, upgrade it, bring it back online. I
fail to see the issue here. 'nuff said.


The issue is that I don't have only two firewalls but also many, many 
others plus even more ;) I am asking 'generally' and not because I don't 
have the time to update *two* machines twice a year.


Not to mention that upgrades with other OS's are even painful _with_ HA 
setup ...


As an Institute we have limited resources in terms of personnel AND money. 
Therefore, I am forced to rethink any strategy twice. Thanks to all 
comments - they have been very helpful so far.


Stephan



Re: Lifecycle question

2005-09-06 Thread Niclas Sodergard
On 9/6/05, Stephan A. Rickauer [EMAIL PROTECTED] wrote:

 Not to mention that upgrades with other OS's are even painful _with_ HA
 setup ...
 
 As an Institute we have limited resources in terms of personnel AND money.
 Therefore, I am forced to rethink any strategy twice. Thanks to all
 comments - they have been very helpful so far.

I'm responsible for 4 different OpenBSD-based firewalls and 4
different customers. One location is a carp+pfsync-based one with two
machines. Last week I upgraded one of the customers to a new release
and it took me a total of 30 minutes on-site work. 15 of those were
trying to access the firewall in the cramped server room ;-). With
planning and an extra set of backups it took me about 1 hour of
worktime. This should be able to fit within most limited budgets :-).

Once you learn the OpenBSD mindset it is easier to install, upgrade
and maintain than most other package-based systems. I would say that
it is faster to upgrade an OpenBSD box from one release to another
compared to Debian (with their wonderful apt-get/dpkg system). The
reason is that OpenBSD installations are usually much smaller and
leaner and you don't have to download 500MB+ to get a working system.

cheers,
Nickus



Re: Lifecycle question

2005-09-06 Thread Stephan A. Rickauer

Nick Holland schrieb:

There are a lot of measures to how the upgrade process works out.  Here
are SOME:
1) Frequency  (i.e., how often do you need to do upgrades)
2) Difficulty (how much human work is involved)
3) Urgency (when an upgrade is needed, how important is it that it
   is done *NOW*)
4) Downtime   (when you do the upgrade, do you need to do it at
   3:00am, or can you do it during production hours?)
5) Flexibility (what cute tricks can you do to make the process simpler,
   safer, easier, etc.)


I agree. Furthermore, one has to distinguish between upgrades of an 
entire OS release level and patching a running system. The latter is not 
an issue here since any OS needs patching all the time. Well, they may 
differ in frequency etc. again, but the differences are negligible.




Yes, OpenBSD had new releases every six months, and only supports a
previous release with patches for one past release, so your frequency is
going to be higher.  So, at the outside, you are looking at an upgrade


Ok, that is the key issue here. Upgrading a firewall which has not much 
software installed at all, which even runs in a HA environment etc. is 
really not a big thing.


But think of application servers that run all weird kinds of things ... 
it is a nightmare to upgrade those every half a year (not speaking of 
*patching* - only saying that since some posts seem to treat patching 
and OS upgrade similarly).




Anyway...look at the whole picture, not just how often you have to do
upgrades.  Remember: there are reasons we don't support old releases
very long -- in addition to the work required, there is the fundamental
moving forward philosophy of OpenBSD.  With every release, they try to
make the OS more secure and more correct.  Not only does pushing stuff
back to old releases take time and effort, but some stuff just won't go
easily.  The malloc(3) upgrades were a huge improvement to security, but
pushing them back to 3.6 or before isn't going to happen.  We don't want
you to think that because you run 3.5-stable, that you are as safe or as
reliable as you are if you are running -current.


For those application server beasts mentioned earlier one is not 
necessarily interested in getting 'new features', even if they made the 
system more secure. I would not even expect backporting - just deliver 
patches for security relevant issues, so that one can keep the system 
running for 2-3 years.




Lifecycle has to be part of your planning -- if you can push off a
problem for two years, you may just hope it isn't your problem then
and never deal with it.  If you know that every six months to a year you
should upgrade, and put that into your planning now, overall your life
will be easier.


Hm. In my case it will be definitely *my* problem and I can now choose 
how often I would like to have it ;)


One main reason why companies are interested in 'enterprise products' of 
vendors like Redhat and SuSE etc. is the five (!) year lifecycle (at 
least with SuSE, don't know with RH). That means you buy your hardware, 
install the OS, patch five years and toss the systems afterwards. That 
keeps TCO pretty low compared to a (technically much better) system that 
I need to reinstall/upgrade 10 times during that period, don't you think?


There is one thing I still don't understand. What effort is it to 
deliver patches (not backports) longer than just a few months - given 
that the overall amount of patches per release is low with OpenBSD 
anyway... let's say you have four security relevant patches per release, 
then you had 20 in 2.5 years ...


Well, I am not a programmer, therefore I may not see the effort.

Thanks for your comments!


--

 Stephan A. Rickauer

 Institut für Neuroinformatik
 Universität / ETH Zürich
 Winterthurerstrasse 190
 CH-8057 Zürich

 Tel: +41 44 635 30 50
 Sek: +41 44 635 30 52
 Fax: +41 44 635 30 53

 http://www.ini.ethz.ch



Re: Lifecycle question

2005-09-06 Thread Stephan A. Rickauer

Tobias Weingartner schrieb:

This is a systems management issue.  It all depends on how you manage
your systems.  Compartmentalizing change, change management, etc.  I


Exactly.


can recommend talking to Fritz Zaucker (tell him I sent ya).  He's at
ETHZ as well (in EE I think).  His team, along with Tobias Oetiker and
the guys/gals over there have some experience in this sort of management.


Yes, I know those guys. They base their infrastructure on Debian mostly. 
And they've had the man power to build great system management tools, 
like SEPP or the ISG Toolchest.


The reason why I bother this list is that I am impressed by OpenBSD from 
the technical point of view. I like its consistency and purity. But in 
business environments or comparable organizations where money is an 
issue, one needs to think about system management very carefully, since 
it has a direct impact on money as well. That's why I can't understand 
how people can really live with the 6-month lifecycle.


Thanks,




tcpdump/pflog - rule numbering

2005-09-06 Thread Stephan A. Rickauer

My 'tcpdump -n -e -i pflog0' generates lines like these:

11:22:12.538707 rule 267/(match) block in on em0: 172.16.2.97.32790 > 225.4.5.6.6001: udp 341 [ttl 1]


I am now trying to find out, what 'rule 267' should be and found posts 
regarding 'pfctl -s rules'. My problem is, that rule number 267 has 
absolutely nothing to do with the line logged above.


pfctl -s rules | sed -e '1,266d' -e '268,$d':

pass out log quick inet proto tcp from 172.16.2.178 port = 1023 to 
id431E1F62.2 port = 4899 keep state label [RULE:18 - IF:global - 
ACTION:ACCEPT]


I couldn't find any detailed information about how pflog numbers the 
rules. Could anyone point me there?


Thanks!





Re: Lifecycle question

2005-09-06 Thread knitti
On 9/6/05, Stephan A. Rickauer [EMAIL PROTECTED] wrote:
 The reason why I bother this list is that I am impressed by OpenBSD from
 the technical point of view. I like its consistency and purity. But in
 business environments or comparable organizations where money is an
 issue, one needs to think about system management very carefully, since
 it has a direct impact on money as well. That's why I can't understand
 how people can really live with the 6-month lifecycle.

I (as many others) use some OpenBSD servers in a business environment. 
I recently upgraded a server from 3.5 to 3.7 (I chose to skip a release). 
Upgrading the system lasted about 60 mins, including downloading the 
new release. About 45 mins of these I spent checking things in /etc (I could 
have been quicker, but I wanted to use those new pf features ;)
Application upgrades cost about 8 hours, with about 6.5 hours for
one single application whose configuration had changed.
I think a firewall could be upgraded in about 20 mins, the first one. If
you have more than one, and they are similar, it's more like 5-10 mins for
each following one.

--knitti



Re: Jose Nazario's dmesg explained for OpenBSD

2005-09-06 Thread Hans-Joerg Hoexer
On Tue, Sep 06, 2005 at 12:25:23AM -0500, Andrew Daugherity wrote:
 ===
 a) biomask e74d netmask ff4d ttymask ffef
...

These are the interrupt masks (on i386) for the levels IPL_BIO,
IPL_NET and IPL_TTY after autoconfiguration has finished.  They
will be modified again when the clock and rtc are initialized, i.e.
interrupts 0 and 8 will be unblocked on all three levels.



Re: tcpdump/pflog - rule numbering

2005-09-06 Thread Andreas Kahari
I have a scrub all fragment reassemble showing up on the first line
of pfctl -s rules.  The rules are numbered from 0 (zero).  Therefore
I need to add 2 to the line number of the pfctl output to get the
right rule.

The log entry

Sep 04 21:45:56.156323 rule 8/(match) pass in on fxp0:
xxx.xxx.xxx.xxx.39665 > yyy.yyy.yyy.yyy.22: S 224562907:224562907(0)
win 5840 <mss 1460,nop,wscale 0> (DF)

...corresponds to

# pfctl -s rules | sed -n '10p'
pass in log on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA
keep state


Andreas


On 06/09/05, Stephan A. Rickauer [EMAIL PROTECTED] wrote:
 My 'tcpdump -n -e -i pflog0' generates lines like these:
 
 11:22:12.538707 rule 267/(match) block in on em0: 172.16.2.97.32790 > 225.4.5.6.6001: udp 341 [ttl 1]
 
 I am now trying to find out, what 'rule 267' should be and found posts
 regarding 'pfctl -s rules'. My problem is, that rule number 267 has
 absolutely nothing to do with the line logged above.
 
 pfctl -s rules | sed -e '1,266d' -e '268,$d':
 
 pass out log quick inet proto tcp from 172.16.2.178 port = 1023 to
 id431E1F62.2 port = 4899 keep state label [RULE:18 - IF:global -
 ACTION:ACCEPT]
 
 I couldn't find any detailed information about how pflog numbers the
 rules. Could anyone point me there?
 
 Thanks!
 
 


-- 
Andreas Kahari
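The mapping Andreas describes (pflog rule numbers start at 0, and the scrub line at the top of 'pfctl -s rules' is not counted) and the @N numbers that 'pfctl -sr -vv' prints, worked out as an added Python example that is not from the thread. The pfctl output and the pflog lines below are constructed samples; the script also flags a logged rule number that no longer exists in the ruleset, which happens when the log was written against an older ruleset than the one you are reading.

```python
import re

# Constructed sample of 'pfctl -s rules' output on an OpenBSD 3.x box: one
# scrub rule is printed first, then the filter rules, which pf numbers from 0.
# Rule 8 is the ssh rule from the post (line 10 of this output).
PFCTL_RULES = """\
scrub in all fragment reassemble
block drop in log all
block drop out log all
pass out on fxp0 proto tcp from (fxp0) to any flags S/SA keep state
pass out on fxp0 proto udp from (fxp0) to any keep state
pass out on fxp0 proto icmp from (fxp0) to any keep state
pass in on lo0 all
pass out on lo0 all
pass in on fxp0 proto tcp from any to (fxp0) port = www flags S/SA keep state
pass in log on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass in on fxp0 inet proto icmp from any to (fxp0) icmp-type echoreq keep state
"""

# Constructed excerpt of 'pfctl -sr -vv' output: each rule carries its kernel
# number as @N, followed by a counters line, so no counting is needed.
PFCTL_RULES_VV = """\
@7 pass in on fxp0 proto tcp from any to (fxp0) port = www flags S/SA keep state
  [ Evaluations: 912       Packets: 40        Bytes: 5120        States: 1     ]
@8 pass in log on fxp0 proto tcp from any to (fxp0) port = ssh flags S/SA keep state
  [ Evaluations: 872       Packets: 19        Bytes: 1796        States: 1     ]
"""

# Constructed 'tcpdump -n -e -i pflog0' lines; the third refers to a rule
# number that is not in the ruleset above.
PFLOG_LINES = [
    "Sep 04 21:45:56.156323 rule 8/(match) pass in on fxp0: "
    "xxx.xxx.xxx.xxx.39665 > yyy.yyy.yyy.yyy.22: S 224562907:224562907(0) "
    "win 5840 <mss 1460,nop,wscale 0> (DF)",
    "Sep 04 21:46:01.004412 rule 0/(match) block in on fxp0: "
    "xxx.xxx.xxx.xxx.1025 > yyy.yyy.yyy.yyy.137: udp 50",
    "Sep 04 21:46:02.118800 rule 42/(match) block in on fxp0: "
    "xxx.xxx.xxx.xxx.4444 > yyy.yyy.yyy.yyy.445: S 1:1(0) win 16384",
]

PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\) (?P<action>\w+) "
    r"(?P<dir>in|out) on (?P<iface>\w+):")
VV_RE = re.compile(r"^@(\d+) (.+)$")


def parse_pflog_line(line):
    """Extract rule number, reason, action, direction and interface from a pflog line."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["rule"] = int(fields["rule"])
    return fields


def is_filter_rule(line):
    """Scrub lines are printed by 'pfctl -s rules' but do not consume a pflog rule number."""
    return bool(line.strip()) and not line.startswith("scrub")


def line_for_rule(pfctl_output, rulenum):
    """1-based line of 'pfctl -s rules' output for pflog rule N (the N to feed sed -n 'Np')."""
    index = -1
    for lineno, line in enumerate(pfctl_output.splitlines(), start=1):
        if not is_filter_rule(line):
            continue
        index += 1
        if index == rulenum:
            return lineno
    return None  # rule number not present in this ruleset


def rule_text(pfctl_output, rulenum):
    """The rule line itself, or None when the number is out of range."""
    lineno = line_for_rule(pfctl_output, rulenum)
    return None if lineno is None else pfctl_output.splitlines()[lineno - 1]


def rules_from_verbose(vv_output):
    """Map kernel rule numbers to rule text straight from the @N prefixes of 'pfctl -sr -vv'."""
    matches = (VV_RE.match(line) for line in vv_output.splitlines())
    return {int(m.group(1)): m.group(2) for m in matches if m}


def resolve(pflog_line, pfctl_output):
    """Join one pflog line with the ruleset; 'consistent' is False when the rule is
    missing or its action (pass/block) disagrees with what pflog recorded."""
    parsed = parse_pflog_line(pflog_line)
    if parsed is None:
        return None
    parsed["line"] = line_for_rule(pfctl_output, parsed["rule"])
    parsed["text"] = rule_text(pfctl_output, parsed["rule"])
    parsed["consistent"] = (parsed["text"] is not None
                            and parsed["text"].split()[0] == parsed["action"])
    return parsed


def resolve_all(pflog_lines, pfctl_output):
    return [resolve(line, pfctl_output) for line in pflog_lines]


if __name__ == "__main__":
    for r in resolve_all(PFLOG_LINES, PFCTL_RULES):
        print(f"rule {r['rule']:>3} -> line {r['line']}: {r['text']}  consistent={r['consistent']}")
```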



Re: tcpdump/pflog - rule numbering

2005-09-06 Thread Stephan A. Rickauer

Andreas Kahari schrieb:

I have a scrub all fragment reassemble showing up on the first line
of pfctl -s rules.  The rules are numbered from 0 (zero).  Therefore
I need to add 2 to the line number of the pfctl output to get the
right rule.


Thanks Andreas, that explanation fixes my problem as well ... sometimes 
life is so obvious ;)





Re: tcpdump/pflog - rule numbering

2005-09-06 Thread Stuart Henderson

--On 06 September 2005 11:29 +0200, Stephan A. Rickauer wrote:


I am now trying to find out, what 'rule 267' should be and found
posts regarding 'pfctl -s rules'. My problem is, that rule number 267
has absolutely nothing to do with the line logged above.


# pfctl -sr -vv



Re: tcpdump/pflog - rule numbering

2005-09-06 Thread Stephan A. Rickauer

Stuart Henderson schrieb:

# pfctl -sr -vv


Cool!




Re: Lifecycle question

2005-09-06 Thread Stuart Henderson

--On 06 September 2005 10:16 +0200, Stephan A. Rickauer wrote:


There is one thing I still don't understand. What effort is it to
deliver patches (not backports) longer than just a few months - given
that the overall amount of patches per release is low with OpenBSD
anyway... let's say you have four security relevant patches per
release, then you had 20 in 2.5 years ...


Some problems could be addressed quite simply in an older system, but 
having that as the stated policy means that all problems fixed in newer 
code would have to go through a procedure something like: Decide on the 
severity of the problem as to whether it needs fixing in older code, 
Check which released versions are affected, Produce and test patches 
for all of these, Distribute patches, Notify users where 
security-critical, etc. In areas of code which have undergone major 
change, just backporting the fix can be quite a task.


This may be ok for a vendor, who can dedicate staff to the process of 
maintaining what, 6 or 7 trees (though some vendors don't seem to do 
particularly well at the 'test patches' stage), but doesn't seem to fit 
well with how OpenBSD is developed - fixing problems seems at least 
equally important as adding new features, so that's a lot of time spent 
analysing (e.g. as to whether a particular problem fixed might affect 
security). The people who are capable of that type of analysis usually 
can find more productive ways to spend their time.



But think of application servers that run all weird kinds of things
... it is a nightmare to upgrade those every half a year (not
speaking of *patching* - only saying that since some posts seem to
treat patching and OS upgrade similarly).


There doesn't have to be so much difference, actually. With OpenBSD an 
upgrade is usually pretty straightforward. The main part of the process 
(boot from bsd.rd, run the 'upgrade' process) can equally be used for 
patches and upgrades. With an upgrade the initial step is to read 
updateXX.html, with a patch you can first create distribution *.tgz 
files using 'make build' and 'make release' and host them on local ftp 
(a bit of overkill for one or two machines, but invaluable on a larger 
network).


Obviously there have been major transitions (a.out to ELF, for example) 
where greater care has to be taken, but these are unusual and 
well-publicised. Perhaps they can be taken as a cue to carry out a more 
involved rebuild rather than a simpler upgrade (which often gives a 
chance to refactor and simplify a complex organically-grown system). 
With an application server, you often have to pay so much attention to 
keeping the parts other than the OS up-to-date (which of course are the 
parts with the most custom configuration), that the time spent on the 
OS is pretty low in comparison anyway.




Re: Lifecycle question

2005-09-06 Thread Igor Grabin
On Tue, Sep 06, 2005 at 11:00:34AM +0100, Stuart Henderson wrote:
 There doesn't have to be so much difference, actually. With OpenBSD an 
 upgrade is usually pretty straightforward. The main part of the process 
 (boot from bsd.rd, run the 'upgrade' process) can equally be used for 
 patches and upgrades. With an upgrade the initial step is to read 
 updateXX.html, with a patch you can first create distribution *.tgz 
 files using 'make build' and 'make release' and host them on local ftp 
 (a bit of overkill for one or two machines, but invaluable on a larger 
 network).
I usually do it the other way. dirty, but works most of the time.
minimal downtime for sure.

pkg_info | awk '{print $1}' > packages-2keep
vi packages-2keep      # leave the bare minimum which will bring the rest
                       # in as dependencies
mkdir /old
mv /bsd /bsd.old       # keep the old kernel around as a fallback
mv bsd /bsd            # the new release's kernel, fetched into the current directory
cp -R /bin /sbin /old/
export PATH=/old/sbin:/old/bin:$PATH   # run the saved binaries while the sets are unpacked
for file in man* comp* base*; do tar -zvxpf $file -C /; done
reboot

then - either pkg_add according to packages-2keep, or rebuild from ports.
For non-kernel issues tar -zvxpf ... -C/ works like a charm. :-)

-- 
Igor CacoDem0n Grabin, http://violent.death.kiev.ua/




Re: Lifecycle question

2005-09-06 Thread Marc Espie
--On 06 September 2005 10:16 +0200, Stephan A. Rickauer wrote:

There is one thing I still don't understand. What effort is it to
deliver patches (not backports) longer than just a few months - given
that the overall amount of patches per release is low with OpenBSD
anyway... let's say you have four security relevant patches per
release, then you had 20 in 2.5 years ...

Development does not stand still. There are *huge* differences in some
areas of OpenBSD over two years of time.  In many cases, some are designed
to block new areas of attack, and to clean-up code in a major way.

Forcing you to update at least once every two releases is a good way to
make sure you benefit from all these changes.

And evaluating those changes, and porting back whatever may have some
security relevance is too hard.

If you prefer: some developer rewrites some code to clean it up at time T.
Then a new attack comes up at time T2 that targets that specific area. 
We discover that OpenBSD is not affected... well, if the gap between T and
T2 is greater than two releases, we do not even check that the old code
was affected.

This happens more often than you would think. 



Re: Lifecycle question

2005-09-06 Thread Nick Holland
Stephan A. Rickauer wrote:
 Nick Holland schrieb:
...
 Yes, OpenBSD had new releases every six months, and only supports a
 previous release with patches for one past release, so your frequency is
 going to be higher.  So, at the outside, you are looking at an upgrade
 
 Ok, that is the key issue here. Upgrading a firewall which has not much 
 software installed at all, which even runs in a HA environment etc. is 
 really not a big thing.
 
 But think of application servers that run all weird kinds of things ... 
 it is a nightmare to upgrade those every half a year (not speaking of 
 *patching* - only saying that since some posts seem to treat patching 
 and OS upgrade similarly).

well...they often are a very similar process.
The good news is upgrading OpenBSD is pretty well documented in one place.

However, the application servers you mention often will need
*application* upgrades, probably more often than OpenBSD does.  You will
end up doing your upgrades one way or another.  Sometimes the
applications will just be patched, in other cases, you will have to
upgrade to new versions.
...

 One main reason why companies are interested in 'enterprise products' of 
 vendors like Redhat and SuSE etc. is the five (!) year lifecycle (at 
 least with SuSE, don't know with RH). That means you buy your hardware, 
 install the OS, patch five years and toss the systems afterwards. That 
 keeps TCO pretty low compared to a (technically much better) system that 
 I need to reinstall/upgrade 10 times during that period, don't you think?

not at all.
If that Redhat system gets rooted once in five years, you will lose far
more than you ever lost in time doing planned upgrades/updates.  Your
reputation, your client/customer data is worth far more than planned
upgrades.

 There is one thing I still don't understand. What effort is it to 
 deliver patches (not backports) longer than just a few months - given 
 that the overall amount of patches per release is low with OpenBSD 
 anyway... let's say you have four security relevant patches per release, 
 then you had 20 in 2.5 years ...
 
 Well, I am not a programmer, therefore I may not see the effort.

First of all, you are trivializing the process of making patches.  In
some cases, yes, it is just a matter of applying the exact same patch in
the earlier tree.  But that is certainly not always the case.  Sometimes
the patch needs significant reworking to work on previous versions, and
of course, each patch has to be tested on each release that is supported.


Let's say a bug is found.
It is fixed.  A quick look is taken to see what the significance of the
bug is.  IF there is obviously an implication to the bug (reliability,
security), it is published as an errata patch.  If not, we just move on.
 The developers don't spend a huge amount of time looking at the
implications of a bug -- it's a bug, fix it.  This attitude causes the
often-seen "fixed six months ago in OpenBSD" message on security
bulletins.  Sometimes people criticize the OpenBSD project because we
don't wave our hands and warn people of every bug we find...well, watch
the source-changes list, you will see thousands of bugs fixed every
year.  IF there is clearly a security implication, sure, we let people
know, but if it isn't obvious, fix and move on.

Here's the gotcha: Most bugs are *potential* security holes.  We treat
'em as such.  Most other projects are only interested in proof that a
bug has security implications.  We don't care, it's a bug, fix it.
Anyone remember the OpenSSH bug where some people who should have known
better were running around encouraging people to *ignore* our warnings
and NOT upgrade until we showed the actual bug?  And that was one that
was CLEARLY a security bug.  Any of those "fixed and moved on" bugs
could later be found to be exploitable.

OpenBSD 3.5 is not as secure as OpenBSD 3.6 was, patches or no patches.
 OpenBSD 3.7 is more secure than 3.6.  And so on.  OpenBSD is about
security.  Supporting old releases, even if practical, would be
defeating the purpose people use OpenBSD for.

I can not believe that SuSE or any other Linux vendor can provide good
support for five-year-old platforms, regardless of claims.  Linux
thrashes too much ("This week's packet filtering system is X") for
this to be practical.  Since they clearly don't proactively audit code
anyway, how will they even find bugs in obsoleted code from three or
four years ago until AFTER they are exploited?

Nick.



Re: update /etc/changelist as part of package install?

2005-09-06 Thread MikeyG

Ingo Schwarze wrote:


By the way, in case you are looking for serious intrusion
detection, you should not rely on /etc/security anyway, but
install (and maintain!) some real intrusion detection system.

Yours,
 Ingo
 

Agreed.  Even storing hashes off-site, it wouldn't be difficult to get 
around this system. But I do find it extremely useful for keeping track 
of system changes.


What real IDS would people here recommend?

Mike



Active Swap space

2005-09-06 Thread João Salvatti
Hi all,

I have an OpenBSD system acting as a firewall. When I use the top command I see
that the swap space is not being used. I'd like to know if the swap space is
only enabled when the system needs it or if it's enabled just when the system
comes up.

Thanks
-- 
João Salvatti
Undergraduating in Computer Science
Federal University of Para - UFPA
web: http://salvatti.expert.com.br 
e-mail: [EMAIL PROTECTED]



Re: Active Swap space

2005-09-06 Thread Stuart Henderson

--On 06 September 2005 09:36 -0300, João Salvatti wrote:


I have an OpenBSD system acting as a firewall. When I use the top
command I see that the swap space is not being used.


Typically, one would hope that a firewall doesn't have to swap...


I'd like to know
if the swap space is only enabled when the system needs it or if it's
enabled just when the system comes up.


It's enabled when the system comes up, but only used when the system 
needs it. You can also display it with 'pstat -s' (default output in 
blocks, add -k for KB). If you're using multiple partitions, it lists 
them separately.




Re: Active Swap space

2005-09-06 Thread Andreas Kahari
It is enabled at all times but on OpenBSD, it is not used until
needed.  See also swapctl -l and swapctl(8).

Andreas

On 06/09/05, João Salvatti [EMAIL PROTECTED] wrote:
 Hi all,
 
 I have an OpenBSD system acting as a firewall. When I use the top command I 
 see
 that the swap space is not being used. I'd like to know if the swap space is
 only enabled when the system needs it or if it's enabled just when the system
 comes up.
 
 Thanks
 --
 João Salvatti
 Undergraduating in Computer Science
 Federal University of Para - UFPA
 web: http://salvatti.expert.com.br
 e-mail: [EMAIL PROTECTED]
 
 


-- 
Andreas Kahari



sendmail and clamd

2005-09-06 Thread Cristian Del Carlo
Hi list,
I am planning to use OpenBSD as a mail server with sendmail and clamd as 
antivirus on an Intel machine.
What can I use to connect sendmail and clamd? 
I know that there are several methods: milter, amavis etc...
Thanks,

Cristian Del Carlo



Snort-Inline with OpenBSD

2005-09-06 Thread Florian
Hello community

I tried to install Snort_Inline on my OpenBSD firewall.
But in the ports collection only snort is implemented.
When I try to compile / configure the sources from www.snort.org with
--enable-inline
I get an error that a libipq.h is missing. It's a file for iptables under
Linux.
Now my question: Is there any way to install snort with inline functionality
??

Please help

Regards


Florian



Re: sendmail and clamd

2005-09-06 Thread marc

Cristian Del Carlo wrote:

Hi list,
I am planning to use OpenBSD as a mail server with sendmail and clamd as 
antivirus on an Intel machine.
What can I use to connect sendmail and clamd? 


smtp-vilter, which is in ports.


I know that there are several methods : milter, amavis etc...
Thanks,

Cristian Del Carlo




Re: sendmail and clamd

2005-09-06 Thread Stephan A. Rickauer

Cristian Del Carlo schrieb:
What can I use to connect sendmail and clamd? 


We use clamsmtp on linux. Don't know whether it is available for OpenBSD...

Anyway: http://memberwebs.com/nielsen/software/clamsmtp/




Re: sendmail and clamd

2005-09-06 Thread Stuart Henderson

--On 06 September 2005 15:13 +0200, Cristian Del Carlo wrote:


I am planning to use OpenBSD as a mail server with sendmail and clamd
as antivirus on an Intel machine. What can I use to connect sendmail and
clamd?


/usr/ports/mail/smtp-vilter works nicely, but if users should normally 
receive most attachments, take care with attachment.conf (or disable 
the attachment backend).


Configuration seems quite a lot easier than amavisd-new.



Re: Snort-Inline with OpenBSD

2005-09-06 Thread Gleydson Soares
 Now my question: Is there any way to install snort with inline functionality
 ??
I don't know; snort inline needs the netfilter API.
You can use snortsam. - http://www.snortsam.net



bgpctl

2005-09-06 Thread tony sarendal
I've started to test bgpd to see if I can use it for a future project.
Are there any plans to make bgpctl show communities, originator-id and
cluster-list ?

Any plans of adding route-refresh to bgpctl ? Something like bgpctl
nei peer clear (in|out) ?

Although I miss a few features it is really nice to use, it is
starting to give me the same feeling as pf. I got a 10 router bgp-only
test network up and running in just a few hours, most of the time was
spent installing the boxes.

/Tony S

-- 
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   I couldn't help it, it's my nature =-



Re: sendmail and clamd

2005-09-06 Thread Alexander Bochmann
...on Tue, Sep 06, 2005 at 03:13:01PM +0200, Cristian Del Carlo wrote:

  I am planning to use OpenBSD as a mail server with sendmail and clamd as 
  antivirus on an Intel machine.
  What can I use to connect sendmail and clamd? 
  I know that there are several methods: milter, amavis etc...

Depends on your hardware and the amount of 
traffic you expect (and some other things).

I'm successfully using smtp-vilter as milter 
for clamav, but I haven't followed the latest
development on OpenBSD pthreads, and people 
used to say that there's problems with the 
thread implementation (search the archives 
for specifics) - so going with milters might 
not be the optimal solution for a high-volume 
system.

I've done some setups with MailScanner, which 
works quite nicely even under extreme loads, 
but is queue-based instead of being plugged 
into the MTA like a milter in sendmail, so 
mails have to be fully accepted into the system 
before MailScanner can work on them.

Alex.



Re: Snort-Inline with OpenBSD

2005-09-06 Thread Murali Raju
There is no support for PF. If you need in-line function for an IPS, you can
take a look at a FreeBSD/snort_inline/IPFW/divert socket solution:

http://freebsd.rogness.net/snort_inline/

The snort_inline code primarily supports Linux netfilter/libipq. Also note
that snort2pf is considered Active Response and not really an IPS, since
it is not in-line.

Cheers,

_Raju

On 9/6/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

 Do you search for something like this?
 http://www.thinknerd.org/~ssc/wiki/doku.php?id=snort2pf

 -Original Message-
 From: Florian [mailto:[EMAIL PROTECTED]
 Sent: Tuesday 6 September 2005 15:20
 To: misc@openbsd.org
 Subject: Snort-Inline with OpenBSD

 Hello community

 I tried to install Snort_Inline on my OpenBSD-firewall.
 But in the ports-collection only snort is implemented.
 When I try to compile / configure the sources from www.snort.org with
 --enable-inline I get an error that libipq.h is missing. It's a file
 for iptables under Linux.
 Now my question: Is there any way to install snort with inline
 functionality ??

 Please help

 Regards


 Florian









--
May the packets be with you.



(3.6) httpd - Too many open files - problem

2005-09-06 Thread Peter Huncar
Hi.

I'm using OpenBSD (3.6 now) as my web/dns/mail/whatever server for a couple of
years. I was very satisfied until a couple of days ago I noticed that my web
server was not working. I restarted apache, everything was ok then, but after
some time the same happened. I got many, many lines like this in error_log:

[Tue Sep  6 13:58:01 2005] [error] [client 84.47.4.140] (24)Too many open files:
file permissions deny server access: /htdocs/apex.sk/index.html

The traffic is very low, there are a few very simple web pages.

Can anybody tell me what's wrong, or where to look? Anyway, this weekend I'm
gonna upgrade it to 3.7 probably...

Thanks

Hunci





Re: sendmail and clamd

2005-09-06 Thread Juan J.
On Tue, 06-09-2005 at 15:13 +0200, Cristian Del Carlo wrote:
 Hi list,
 i am planning to use openbsd as mail server with sendmail and clamd as 
 antivirus on intel machine.
 What can i use to connect sendmail and clamd? 
 I know that there are several methods : milter, amavis etc...
 Thanks,

I'm using the milter provided with the clamav port and it works pretty well
for me.

Actually I'm using two milters in the same machine, first is to
interface a bayesian anti-spam filter, and second one is to interface
clamav.

regards,

Juanjo

-- 
Development and systems: http://www.usebox.net/
  Personal page: http://www.usebox.net/jjm/



Re: Lifecycle question

2005-09-06 Thread Moritz Grimm

Stephan A. Rickauer wrote:

Nick Holland schrieb:


There are a lot of measures to how the upgrade process works out.  Here
are SOME:
1) Frequency  (i.e., how often do you need to do upgrades)
2) Difficulty (how much human work is involved)
3) Urgency (when an upgrade is needed, how important is it that it
   is done *NOW*)
4) Downtime   (when you do the upgrade, do you need to do it at
   3:00am, or can you do it during production hours?)
5) Flexibility (what cute tricks can you do to make the process simpler,
   safer, easier, etc.)


I agree. Furthermore, one has to distinguish between upgrades of an 
entire OS release level and patching a running system. The latter is not 


This is somewhat related to what I wrote earlier -- the severity of 
upgrading an entire OS release level is (with some subjectivity) 
insignificant compared to what I have seen on other OSes. This is a 
clear benefit of the short release cycle, and it would be a waste not to 
use it, e.g. by upgrading only once a year. Consider upgrading an 
intrusive patch, i.e. something you might already be used to on other 
OSes, except that it doesn't happen every month but every six months. I 
say that, because if you'd choose to do the patching as I do (see Nick's 
point #5), upgrading is pretty much the same work as patching, with only 
a few extra steps.


The largest part of the procedure is explained in the release(8) man 
page. To recapitulate, the steps required for upgrading OpenBSD manually are


 0. Get the install media: Buy a CD, or download, or make your own
release(8) at the appropriate time on a local build box tracking
-current
 1. Install and boot new kernel
 2. Untar install sets
 3. Update /etc and /dev
 4. Reboot

This is quite similar to patching the way I do it, except that it's ok 
to take a shortcut and /etc and /dev may be left alone:


 0. Make a new -stable release(8)
 1. Install new kernel (shortcut: it's ok not to reboot here)
 2. Untar install sets
for x in list of sets; do tar xpfz $x -C /; done
 3. Reboot

This release(8) stuff is the reason why I highly suggest having some 
support infrastructure -- a build machine in addition to test boxes.


I am using a few self-written scripts for making releases; bloaty sh 
stuff from 1.5 years ago -- they work nicely, but aren't fit for wide 
public release and probably in desperate need of a rewrite. Interested 
parties may request them, though, and I will give them to anyone who can 
convince me that (s)he doesn't actually need them (wrt release(8) 
knowledge.) Anyways, with these scripts, that anyone could just as well 
write for him- or herself, I start a screen and come back later -- two 
hours later, give or take, I have nice -stable install sets that I can 
deploy and a bootable install .iso image if I need it. This is lots of 
work for the computer, and very little to do for me. I estimate some 10 
minutes of actual human work, and during the course of following 
-stable, even more things could be automated than what I currently do.


*patching* - only saying that since some posts seem to treat patching 
and OS upgrade similarly).


They *are* really similar, see above. :-)

One main reason why companies are interested in 'enterprise products' of 
vendors like Redhat and SuSE etc. is the five (!) year lifecycle (at 
least with SuSE, don't know with RH). That means you buy your hardware, 
install the OS, patch five years and toss the systems afterwards. That 


As Henning@ is quoted from somewhere in another mail, he has some boxes 
that were upgraded since OpenBSD 2.7. Those are from more than 5 years 
ago, and since he even made it through the a.out-ELF change, I can't 
think of anything that would prevent this from going on another 10 years 
... well, except for utter and complete hardware destruction or those 
boxes becoming too slow for their future purpose(s).



Moritz
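
The patching sequence above (new kernel, untar the sets, reboot) as an added shell example; this is not Moritz's script or any OpenBSD tool. It assumes the sets sit in one directory with release-style names such as base37.tgz, and it takes the post's shortcut of leaving the etc sets alone. It also reads every archive before unpacking any of them, so a corrupt download is caught before the system is half-updated.

```shell
#!/bin/sh
# Added example, not from the original post: extract OpenBSD install sets
# the way the patching procedure describes ("for x in sets; do tar xpfz $x -C /").
set -eu

# Print the set tarballs found in directory $1, one per line, base set first
# and the rest in alphabetical order. etc*.tgz / xetc*.tgz are skipped: when
# patching -stable the post leaves /etc alone instead of untarring over it.
# Assumption: set names follow the release scheme (base37.tgz, comp37.tgz, ...).
list_sets() {
    dir=$1
    seen=""
    for f in "$dir"/base*.tgz "$dir"/*.tgz; do
        [ -f "$f" ] || continue            # unmatched glob stays literal
        name=$(basename "$f")
        case $name in
            etc*.tgz|xetc*.tgz) continue ;;  # merge /etc by hand, never blindly
        esac
        case " $seen " in
            *" $name "*) continue ;;        # base*.tgz was listed already
        esac
        seen="$seen $name"
        printf '%s\n' "$f"
    done
}

# Extract every set from directory $1 into root $2 (default /). All archives
# are test-read first; only if every one is intact does extraction start.
# Paths are split on whitespace, so keep the set directory free of spaces.
extract_sets() {
    dir=$1
    root=${2:-/}
    sets=$(list_sets "$dir")
    if [ -z "$sets" ]; then
        echo "no install sets found in $dir" >&2
        return 1
    fi
    for x in $sets; do
        if ! tar tzf "$x" >/dev/null 2>&1; then
            echo "refusing to continue: $x is not a readable gzip tarball" >&2
            return 1
        fi
    done
    for x in $sets; do
        echo "extracting $x into $root"
        tar xpzf "$x" -C "$root"
    done
}

# Stand-alone use: ./extract_sets.sh /path/to/sets [/target/root]
if [ $# -ge 1 ]; then
    extract_sets "$@"
fi
```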



Re: Snort-Inline with OpenBSD

2005-09-06 Thread Florian
The problem is that the firewall MUST run OpenBSD!!

Thanks for answers



Re: sendmail and clamd

2005-09-06 Thread Cristian Del Carlo
Ok,
thanks a lot, it seems quite simple to configure.
I don't know about the configuration of sendmail. What do I need to have in 
sendmail.cf to work with smtp-vilter?
Thanks,

cristian


On Sep 06, 2005 03:34 PM, Stuart Henderson [EMAIL PROTECTED] wrote:

 --On 06 September 2005 15:13 +0200, Cristian Del Carlo wrote:
 
  i am planning to use openbsd as mail server with sendmail and clamd
  as antivirus on intel machine. What can i use to connect sendmail and
  clamd?
 
 /usr/ports/mail/smtp-vilter works nicely, but if users should normally 
 receive most attachments, take care with attachment.conf (or disable 
 the attachment backend).
 
 Configuration seems quite a lot easier than amavisd-new.



Re: sendmail and clamd

2005-09-06 Thread Vlad Ciubotariu
Search google for openbsd vilter.

Then follow the cached link at the top of the results. The tutorial
describes pretty much what you want. Also tells you how to generate a
new sendmail.cf. 

Also, update your /etc/rc* files to have sendmail use the new config
file.

vlad

On Tue, Sep 06, 2005 at 05:03:15PM +0200, Cristian Del Carlo wrote:
 Ok,
 thanks a lot, it seems quite simple to configure.
 I don't know about the configuration of sendmail. What do I need to have in 
 sendmail.cf to work with smtp-vilter?
 Thanks,
 
 cristian
 
 
 On Sep 06, 2005 03:34 PM, Stuart Henderson [EMAIL PROTECTED] wrote:
 
  --On 06 September 2005 15:13 +0200, Cristian Del Carlo wrote:
  
   i am planning to use openbsd as mail server with sendmail and clamd
   as antivirus on intel machine. What can i use to connect sendmail and
   clamd?
  
  /usr/ports/mail/smtp-vilter works nicely, but if users should normally 
  receive most attachments, take care with attachment.conf (or disable 
  the attachment backend).
  
  Configuration seems quite a lot easier than amavisd-new.



Re: [OT]: good home switch?

2005-09-06 Thread L. V. Lammert
On Sun, 4 Sep 2005, Shawn K. Quinn wrote:

 On Sun, 2005-09-04 at 13:57 +0200, [EMAIL PROTECTED] wrote:
  p.s.
  Forget about D-Link! I recommend staying far, far away from this crap.

 I am using a D-Link switch and it has performed acceptably so far. Their
 wireless access points might be another story, though...

I have used a dLink AP for many years (via POE), no problems whatsoever.
We also use Linksys 5-port  8-port switches and have found that they
'like' to be power cycled on a regular occasion (a la weekly).

Lee


Leland V. Lammert                 [EMAIL PROTECTED]
Chief Scientist                   Omnitec Corporation
Network/Internet Consultants      www.omnitec.net




Re: Lifecycle question

2005-09-06 Thread Theo de Raadt
 The reason why I bother this list is that I am impressed by OpenBSD from 
 the technical point of view. I like its consistency and purity. But in 
 business environments or comparable organizations where money is an 
 issue, one needs to think about system management very carefully, since 
 it has a direct impact on money as well. That's why I can't understand 
 how people can really live with the 6 months lifecycle.

I don't understand this whole conversation.

Instead, what those vendors give people is a 5 year patch-every-month
cycle.

That is completely unsustainable.  The pieces we build upon are
advancing too fast.

I don't buy into that method of operating system componentization at
all, that you can just keep patching and patching.  It was not true 15
years ago, 10 years ago, 5 years ago, and I see no proof that it will
be true ever in the future.



Re: Lifecycle question

2005-09-06 Thread Steve Williams

Stephan A. Rickauer wrote:


Tobias Weingartner schrieb:


This is a systems management issue.  It all depends on how you manage
your systems.  Compartmentalizing change, change management, etc.  I



Exactly.


can recommend talking to Fritz Zaucker (tell him I sent ya).  He's at
ETHZ as well (in EE I think).  His team, along with Tobias Oetiker and
the guys/gals over there have some experience in this sort of 
management.



Yes, I know those guys. They base their infrastructure on Debian 
mostly. And they've had the man power to build great system management 
tools, like SEPP or the ISG Toolchest.


The reason why I bother this list is that I am impressed by OpenBSD 
from the technical point of view. I like its consistency and purity. 
But in business environments or comparable organizations where money 
is an issue, one needs to think about system management very 
carefully, since it has a direct impact on money as well. That's why I 
can't understand how people can really live with the 6 months lifecycle.


Thanks,


Hi,

My input on living with a 6 month release cycle...  Security is always 
a compromise.  I can accept a 6 month release cycle in the interests of 
keeping a system exposed to the Internet as proactively secure as 
possible.  I find little comfort in other operating systems where 
security is more of a management by crisis environment.  OMG, an 
active exploit, we need to patch NOW!  That is MUCH more disruptive than 
a planned upgrade that realistically takes little time.  As someone else 
pointed out, an actual intrusion takes a much larger amount of time 
(forensics trying to figure out how far the damage goes...  try that on 
250+ PC's!!).


With tools such as expect, serial consoles, the rather simple upgrade 
cycle, central storage of configuration files (ssh backups nightly of 
/etc), it can be pretty simple to press a button and have an upgrade 
happen.  I haven't taken it that far myself, because I only maintain 6 
OpenBSD firewalls, but I have to say they are on the east coast, central, 
and western Canada, and I have YET to make an onsite visit (well, that 
wouldn't happen, but the server would be shipped to me.. darn, I'd love 
to get to Halifax!  :-) ).


Anyway, of course you have to make your own decision, and as you have 
stated, you are not a programmer, so yes, that puts you in a difficult 
position from an automation point of view.  Much kudos to you for having 
the foresight to be considering this issue.


One more point.. from a programmer's point of view...  Some patches are 
trivial to backport.  Other patches can be EXTREMELY difficult, if not 
impossible under certain circumstances.  There can be a cascading effect 
of dependencies, and the chances of this increase as you go back in time. 

If the OpenBSD team promised to support (pick a number) 4 releases back, 
there is a huge chance that at some point in time, they will just 
technically NOT be able to back port a security issue to a (pick a 
number) 2 year old system.  In this case, they have to break their 
promise and say sorry, but we cannot do it and maintain the integrity 
of the system.  To get this patch, you will have to upgrade your 
system.  WHAM  out of the blue you need to in a panic plan to upgrade 
your 100,200, etc systems.  With some of the changes in OpenBSD, I would 
imagine it is difficult to support 1 release back, but they have made 
that commitment, and to my knowledge have never failed.


I cannot imagine any software vendor promising a secure system for 5 
years!  there is absolutely NO WAY to predict the state that computers 
will be in 5 years from now.  Maybe someone will bring a Quantum 
computer online and our whole concept of security will have to change 
(and yes, I know I am talking out of my ass here)...but 5 years is a 
HUGE amount of time.  That would be 10 releases of OpenBSD, and that 
would date back to OpenBSD 2.7, which is about where I started using 
OpenBSD.  The state of the world has changed significantly since then.  
Who would have thought that we would have to dedicate so much human 
time/computer resources to fighting SPAM??  I first set up spamdb on 
OpenBSD 3.6.  There were feature enhancements that made it better for 
3.7, enough that it justified (in my mind) upgrading.


As for application servers, I have a different perspective.  Protect 
them with other servers that you plan on keeping secure.  Get the app 
server working, make sure you have good hardware, and forget about 
them.  I have a few OpenBSD systems internal on networks protected by 
other hardware that are running probably 3.2.  They are not exposed to 
the Internet, have basic protection for themselves, and I have no 
intention of upgrading them until my client wants to upgrade the 
software...In this case, I have an attitude of if it's not broken, 
don't fix it.  I know that it's a risky policy, but as I said in my 
first sentence, security is a tradeoff.


Best of luck on your decision!

Re: Lifecycle question

2005-09-06 Thread Will H. Backman
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
 Theo de Raadt
 Sent: Tuesday, September 06, 2005 11:43 AM
 To: Stephan A. Rickauer
 Cc: misc@openbsd.org
 Subject: Re: Lifecycle question
 
  The reason why I bother this list is that I am impressed by OpenBSD
  from the technical point of view. I like its consistency and purity. But
  in business environments or comparable organizations where money is an
  issue, one needs to think about system management very carefully,
  since it has a direct impact on money as well. That's why I can't
  understand how people can really live with the 6 months lifecycle.
 
 I don't understand this whole conversation.
 
 Instead, what those vendors give people is a 5 year patch-every-month
 cycle.
 
 That is completely unsustainable.  The pieces we build upon are
 advancing too fast.
 
 I don't buy into that method of operating system componentization at
 all, that you can just keep patching and patching.  It was not true 15
 years ago, 10 years ago, 5 years ago, and I see no proof that it will
 be true ever in the future.

Familiarity breeds content

I'm scared to death just patching OpenBSD, but I just did another
successful one recently and my stress levels go down every time.  While
I have been personally using OpenBSD for years, it was only with version
3.6 that I started using it in production.  I'm sure that over time,
I'll be less scared.

I'm nervous when I update Linux, Windows, Novell, OSX, or OpenBSD.  I
think what scares me about OpenBSD is that _I_ will make a mistake due
to the additional manual steps.  Most other systems automate more, and I
can falsely assume that people smarter than me have worked through the
issues.

It is hard to get a feel for the true level of risk without statistics.
People can give anecdotal evidence about how a Windows security update
blew out their accounting server and required a rebuild.  You can get
those stories for any OS.

I think the lifecycle question will seem less disruptive as I become
more familiar.

Perhaps we should call the current OpenBSD Version 3, Service Pack 7.
In the Windows world, there are all kinds of software packages that
require a recent service pack.  Windows 2000 is supported for many
years, but not at the original service pack level if you intend to do
anything useful with it.  Same thing with OSX.



Re: bgpctl

2005-09-06 Thread Karl Austin

tony sarendal wrote:


I've started to test bgpd to see if I can use it for a future project.
Are there any plans to make bgpctl show communities, originator-id and
cluster-list ?

Any plans of adding route-refresh to bgpctl ? Something like bgpctl
nei peer clear (in|out) ?

Although I miss a few features it is really nice to use, it is
starting to give me the same feeling as pf. I got a 10 router bgp-only
test network up and running in just a few hours, most of the time was
spent installing the boxes.

/Tony S

 

You've read my mind, that was going to be my next question if my issue 
about having multiple communities per route was addressed (I tried 
-current and it doesn't work).  Soft reset, and more route information 
from bgpctl are sorely needed.


Thanks,

Karl



OpenBSD 3.8-beta MP Panic

2005-09-06 Thread Mike Tancsa
I thought I would give the latest Beta a try on a 4-way PIII.  The USB 
is supposed to be disabled in the BIOS as there are no physical USB 
connectors even on this box.  It's a Dell 6350.


---Mike



 OpenBSD/i386 BOOT 2.10
boot
booting hd0a:/bsd: 4846336+944176 [52+249696+230995]=0x5fb28c
entry point at 0x100120

[ using 481116 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2005 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 3.8-beta (GENERIC.MP) #277: Mon Aug 22 23:04:26 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel Pentium III Xeon (GenuineIntel 686-class, 1024KB L2 
cache) 500 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

real mem  = 2147061760 (2096740K)
avail mem = 1953095680 (1907320K)
using 4278 buffers containing 107454464 bytes (104936K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 02/12/03, BIOS32 rev. 0 @ 0xffe90
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc7a0/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:02:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x6600 0xd/0x1000 
0xd4000/0x800 0xd8000/0x800 0xdc000/0x800

mainbus0: Intel MP Specification (Version 1.4) (DELL PowerEdge 83)
cpu0 at mainbus0: apid 3 (boot processor)
cpu0: apic clock running at 100 MHz
cpu1 at mainbus0: apid 0 (application processor)
cpu1: Intel Pentium III Xeon (GenuineIntel 686-class, 1024KB L2 
cache) 500 MHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel Pentium III Xeon (GenuineIntel 686-class, 1024KB L2 
cache) 500 MHz
cpu2: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

cpu3 at mainbus0: apid 2 (application processor)
cpu3: Intel Pentium III Xeon (GenuineIntel 686-class, 1024KB L2 
cache) 500 MHz
cpu3: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

mainbus0: bus 0 is type PCI
mainbus0: bus 1 is type PCI
mainbus0: bus 2 is type PCI
mainbus0: bus 3 is type ISA
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apic 4
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pcib0 at pci0 dev 2 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 2 function 1 Intel 82371AB IDE rev 0x01: DMA, 
channel 0 wired to compatibility, channel 1 wired to compatibility

pciide0: channel 0 ignored (disabled)
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 2 function 2 Intel 82371AB USB rev 
0x01pci_intr_map: bus 0 dev 2 func 2 pin 4; line 5

pci_intr_map: no MP mapping found
isa_intr_establish: no MP mapping found
: irq 5
usb0 at uhci0uhci0: host controller process error
uhci0: host controller halted
: USB revision 1.0
uhci_freex: xfer=0xd2863a00 not busy, 0x4f4e5155
panic: usbd_transfer: not done
Stopped at  Debugger+0x4:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb{0} trace
Debugger(d2863900,65,1,0,d2863900) at Debugger+0x4
panic(d056fb6a,d2863940,8,d289cd80,d2863900) at panic+0x63
usbd_sync_transfer(d2863900,d059fb60,d06fea68,d0310125,d059fb60) at usbd_sync_transfer
usbd_do_request_flags_pipe(d289cd80,d289cd00,d06feae0,d289cdb8,0) at usbd_do_request_flags_pipe+0x72
usbd_do_request_flags(d289cd80,d06feae0,d289cdb8,0,0) at usbd_do_request_flags+0x23
usbd_do_request(d289cd80,d06feae0,d289cdb8,d04a1eb4,1000680) at usbd_do_request+0x1d
usbd_get_desc(d289cd80,1,0,8,d289cdb8,c8,1,0) at usbd_get_desc+0x3d
usbd_new_device(d289ce00,d28a1000,0,2,0,d289ce34,d06fed08,d049eceb) at usbd_new_device+0x152
usb_attach(d28a1000,d289ce00,d28a1000,0,d28a1000) at usb_attach+0xf1
config_attach(d28a1000,d0585614,d28a1000,d049f0ac,1) at config_attach+0xef
uhci_pci_attach(d289bf40,d28a1000,d06fedf0,0,d289f000) at uhci_pci_attach+0x21d
config_attach(d289bf40,d0583f04,d06fedf0,d0364f7c) at config_attach+0xef
pciattach(d289bfc0,d289bf40,d06feeb0,0,d0593058) at pciattach+0x1c8
config_attach(d289bfc0,d05833e8,d06feeb0,d0364b48) at config_attach+0xef
mainbus_attach(0,d289bfc0,0,0,d06fef10) at mainbus_attach+0x134
config_attach(0,d05833c4,0,0,d05d7100) at config_attach+0xef
config_rootfound(d051ba1c,0,d06fef58,d033a530) at config_rootfound+0x27
cpu_configure(0,1,3,0,7fffe000) at cpu_configure+0x1f
main(0,0,0,0,0) at main+0x359
ddb{0} ps
   PID   PPID   PGRP    UID  S   FLAGS  WAIT   COMMAND
*0      -1      0       0  7 0x80204        swapper
ddb{0}


If I take out the Sangoma DSL modem, the boot looks like



ddb{0}  OpenBSD/i386 BOOT 2.10
boot
booting hd0a:/bsd: 4846336+944176 

Multiple IP's on single NIC using DHCP

2005-09-06 Thread r . noor
In short, I'm looking for a way to obtain multiple IP addresses via DHCP
on a single NIC. For a more elaborate explanation, see below.

I'm working on a router / firewall in a somewhat arcane network setup.
The situation is as follows: I live in a student dorm with a fairly
large local 100 Mbit network, where everyone has a single network
outlet. For every system you want to use on the network, you have to
register its MAC address before you can use it. When a computer is used,
it gets its IP address via DHCP, but only if its MAC is registered.
Otherwise, you'll get a very short term address that you can only use to
register your MAC via a special web page. If a system isn't used for a
long time, it is automatically unregistered. On the local network, you
can have multiple systems active at the same time. However, internet
access is provided via a single PPPoE connection per person.

What I am trying to do, is using an OpenBSD computer as firewall and
gateway for my computers. It sits between the large local network, and
my personal switch. Internet access is shared via NAT, but on the local
dorm network I want each of my PC's to have its own IP address using
Binat. The problem is that I need to obtain multiple IP addresses via
DHCP on the single external NIC of the router (which is connected to the
dorm LAN). Also, the DHCP leases should be renewed using the registered
MAC addresses as identifiers. Using static aliases is prohibited and as
such not an option.

Is there a way to do this? Just sending additional MAC addresses via
dhclient.conf doesn't work. It would be ideal to have some sort of
virtual NIC's that have the external NIC as parent physical device, but
none of the OpenBSD pseudo devices appear to be really suitable for this
purpose.

Using a virtual device would have the extra advantage of being able to
use the ($if) notation in PF, so that it can react to changes in IP
addresses. Otherwise, I will have to find a way for PF to discover the
addresses at boot time.

Any thoughts?

Regards,

Richard Noorlandt



Re: Lifecycle question

2005-09-06 Thread Brandon Mercer
Will H. Backman wrote:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Theo de Raadt
Sent: Tuesday, September 06, 2005 11:43 AM
To: Stephan A. Rickauer
Cc: misc@openbsd.org
Subject: Re: Lifecycle question

The reason why I bother this list is that I am impressed by OpenBSD
from the technical point of view. I like its consistency and purity. But
in business environments or comparable organizations where money is an
issue, one needs to think about system management very carefully,
since it has a direct impact on money as well. That's why I can't
understand how people can really live with the 6 months lifecycle.

I don't understand this whole conversation.

Instead, what those vendors give people is a 5 year patch-every-month
cycle.

That is completely unsustainable.  The pieces we build upon are
advancing too fast.

I don't buy into that method of operating system componentization at
all, that you can just keep patching and patching.  It was not true 15
years ago, 10 years ago, 5 years ago, and I see no proof that it will
be true ever in the future.

Familiarity breeds content

I'm scared to death just patching OpenBSD, but I just did another
successful one recently and my stress levels go down every time.  While
I have been personally using OpenBSD for years, it was only with version
3.6 that I started using it in production.  I'm sure that over time,
I'll be less scared.

I'm nervous when I update Linux, Windows, Novell, OSX, or OpenBSD.  I
think what scares me about OpenBSD is that _I_ will make a mistake due
to the additional manual steps.  Most other systems automate more, and I
can falsely assume that people smarter than me have worked through the
issues.

It is hard to get a feel for the true level of risk without statistics.
People can give anecdotal evidence about how a Windows security update
blew out their accounting server and required a rebuild.  You can get
those stories for any OS.


Yeah.  But the thing about other OS's doing that is that they have
significant data loss, complete dead systems and software that cannot
run on that machine until it gets updated.  This is not very likely with
OpenBSD as the whole system is patched and built as a whole.  That's one
of the great things about OpenBSD as opposed to some *other* OS's...
it's not simply a kernel, or userland, or windows; it's the complete
package all in one.
Brandon



Re: bgpctl

2005-09-06 Thread Joe .
Agreed! Soft-reset would be awesome and more functionality from bgpctl
wouldn't hurt. As is though I like the output style from bgpctl since it
keeps things concise.

Regards,
Joe

On 9/6/05, Karl Austin [EMAIL PROTECTED] wrote:

 tony sarendal wrote:

 I've started to test bgpd to see if I can use it for a future project.
 Are there any plans to make bgpctl show communities, originator-id and
 cluster-list ?
 
 Any plans of adding route-refresh to bgpctl ? Something like bgpctl
 nei peer clear (in|out) ?
 
 Although I miss a few features it is really nice to use, it is
 starting to give me the same feeling as pf. I got a 10 router bgp-only
 test network up and running in just a few hours, most of the time was
 spent installing the boxes.
 
 /Tony S
 
 
 
 You've read my mind, that was going to be my next question if my issue
 about having multiple communities per route was addressed (I tried
 -current and it doesn't work). Soft reset, and more route information
 from bgpctl are sorely needed.

 Thanks,

 Karl



Re: sendmail and clamd

2005-09-06 Thread poncenby

Cristian Del Carlo wrote:

Hi list,
i am planning to use openbsd as mail server with sendmail and clamd as 
antivirus on intel machine.


use qmail (http://cr.yp.to/qmail.html) as the MTA - not sendmail.

What can i use to connect sendmail and clamd? 
I know that there are several methods : milter, amavis etc...

Thanks,


look here (http://www.clamav.net/3rdparty.html#mta) for ways of using 
clam with qmail.


good luck!

poncenby



USB flash disk stopped working after 3.7

2005-09-06 Thread Sebastiaan Indesteege
Hello list,

I just noticed that my USB flash memory stick stopped working after
3.7 (it's been a while since I last used it). Whereas it used to
work perfectly, any attempt to access (e.g. read the disklabel,
mount, dd, ...) the disk now just hangs the machine.

So I traced back the commit which made this particular device stop
working:
src/sys/scsi/scsi_all.h, version 1.24 (Fri May 27 00:14:50 2005 UTC)
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/scsi/scsi_all.h#rev1.24

With a kernel built from sources before this commit it works, after,
it doesn't. But as this commit fixes some other devices (it says
so in the commit message), there is maybe another way to make this
USB flash stick work again?

Any ideas?

Regards,

Sebastiaan

And of course the obligatory dmesg (with a recent snapshot kernel). I've
tried on other machines too (with different USB controllers, ...), but
no difference.

OpenBSD 3.8 (GENERIC) #137: Thu Sep  1 17:41:20 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1.40GHz (GenuineIntel 686-class) 598 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2
cpu0: Enhanced SpeedStep 600 MHz (988 mV): speeds: 1400, 1300, 1200, 1100, 
1000, 900, 800, 600 MHz
real mem  = 526884864 (514536K)
avail mem = 473833472 (462728K)
using 4278 buffers containing 26447872 bytes (25828K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(5a) BIOS, date 01/07/05, BIOS32 rev. 0 @ 0xfd740
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC off, battery charge high, estimated 3:37 hours
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd6d0/0x930
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdeb0/256 (14 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xc800! 0xcc800/0x1000 0xcd800/0x1000 0xdc000/0x4000! 
0xe/0x1
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82852GM Hub-PCI rev 0x02
Intel 82852GM Memory rev 0x02 at pci0 dev 0 function 1 not configured
Intel 82852GM Configuration rev 0x02 at pci0 dev 0 function 3 not configured
vga1 at pci0 dev 2 function 0 Intel 82852GM AGP rev 0x02: aperture at 
0xe000, size 0x800
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Intel 82852GM AGP rev 0x02 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801DB USB rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801DB USB rev 0x01: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801DB USB rev 0x01: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801DB USB rev 0x01: irq 11
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb0 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x81
pci1 at ppb0 bus 1
cbb0 at pci1 dev 0 function 0 Ricoh 5C476 CardBus rev 0x8d: irq 11
vendor Ricoh, unknown product 0x0822 (class system unknown subclass 0x05, rev 
0x13) at pci1 dev 0 function 1 not configured
em0 at pci1 dev 1 function 0 Intel PRO/1000MT Mobile (82541GI) rev 0x00: irq 
11, address: 00:0a:e4:32:eb:cb
iwi0 at pci1 dev 2 function 0 Intel PRO/Wireless 2200BG rev 0x05: irq 11, 
address 00:12:f0:36:23:79
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0xb0
pcmcia0 at cardslot0
ichpcib0 at pci0 dev 31 function 0 Intel 82801DBM LPC rev 0x01
pciide0 at pci0 dev 31 function 1 Intel 82801DBM IDE rev 0x01: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: HITACHI_DK13FA-40B
wd0: 16-sector PIO, LBA, 38154MB, 78140160 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
Intel 82801DB SMBus rev 0x01 at pci0 dev 31 function 3 not configured
auich0 at pci0 dev 31 function 5 Intel 82801DB AC97 rev 0x01: irq 11, ICH4 
AC97
ac97: codec id 0x41445374 (Analog Devices AD1981B)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
Intel 82801DB Modem rev 0x01 at pci0 dev 31 function 6 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 

Re: bgpctl

2005-09-06 Thread tony sarendal
On 06/09/05, Karl Austin [EMAIL PROTECTED] wrote:
> tony sarendal wrote:
>
> > I've started to test bgpd to see if I can use it for a future project.
> > Are there any plans to make bgpctl show communities, originator-id and
> > cluster-list?
> >
> > Any plans of adding route-refresh to bgpctl? Something like bgpctl
> > nei peer clear (in|out)?
> >
> > Although I miss a few features it is really nice to use, it is
> > starting to give me the same feeling as pf. I got a 10 router bgp-only
> > test network up and running in just a few hours, most of the time was
> > spent installing the boxes.
> >
> > /Tony S
>
> You've read my mind, that was going to be my next question if my issue
> about having multiple communities per route was addressed (I tried
> -current and it doesn't work).  Soft reset, and more route information
> from bgpctl are sorely needed.

I also ran into the problem with multiple communities but I haven't
had time to look closer at it. Have you seen any changes in bgpd since
you tried -current?

I was going to give it a go tonight if I manage to stay awake.

/Tony

-- 
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   I couldn't help it, it's my nature =-



Re: (3.6) httpd - Too many open files - problem

2005-09-06 Thread Han Boetes
Peter Huncar wrote:
> I've been using OpenBSD (3.6 now) as my web/dns/mail/whatever server
> for a couple of years. I was very satisfied until a couple of
> days ago I noticed that my web server is not working. I
> restarted apache, everything was ok then, but after some time
> the same happened. I got many, many lines like this in error_log:
>
> [Tue Sep 6 13:58:01 2005] [error] [client 84.47.4.140] (24)Too
> many open files: file permissions deny server access:
> /htdocs/apex.sk/index.html
>
> The traffic is very low, there are a few very simple web pages.

First you need to find out what is keeping all those files open.
Use fstat(1).



# Han
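Following Han's pointer to fstat(1), here is an added example (mine, not from the thread) that ranks processes by the number of numeric descriptors they hold, so the process behind a "Too many open files" error stands out. The fstat output it runs on is constructed to match fstat's column layout and is not a capture from Peter's box; on a real machine, pipe `fstat` into it instead.

```python
"""Rank processes by open descriptors from fstat(1) output.

Added example for the thread; SAMPLE_FSTAT is constructed to look like
fstat(1) output and is not a capture from any real machine.
"""
from collections import Counter

# Constructed sample. fstat(1) prints: USER CMD PID FD MOUNT INUM MODE R/W SZ|DV [NAME]
# "wd", "root" and "text" are not descriptors; numeric FDs are, and sockets
# carry a trailing "*".
SAMPLE_FSTAT = """\
USER     CMD          PID   FD MOUNT        INUM MODE         R/W    SZ|DV NAME
root     syslogd      3210   wd /               2 drwxr-xr-x     r      512
root     syslogd      3210   3* unix dgram 0xd0e12000
root     syslogd      3210    4 /var        49154 -rw-r-----     w    10240 /var/log/messages
root     sshd         7788   wd /               2 drwxr-xr-x     r      512
root     sshd         7788   3* internet stream tcp 0xd0c8a000 *:22
www      httpd        4711   wd /var/www        2 drwxr-xr-x     r      512
www      httpd        4711    2 /var        49200 -rw-r--r--     w    65536 /var/www/logs/error_log
www      httpd        4711   3* internet stream tcp 0xd0c9b000 *:80
www      httpd        4711    4 /var        49321 -rw-r--r--     r     4096 /var/www/htdocs/index.html
www      httpd        4711    5 /var        49321 -rw-r--r--     r     4096 /var/www/htdocs/index.html
www      httpd        4711    6 /var        49321 -rw-r--r--     r     4096 /var/www/htdocs/index.html
www      httpd        4711    7 /var        49321 -rw-r--r--     r     4096 /var/www/htdocs/index.html
"""


def parse_fstat(text):
    """Yield (user, cmd, pid, fd) for numeric descriptors only."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "USER":
            continue                      # blank line or column header
        user, cmd, pid, fd = parts[:4]
        fd = fd.rstrip("*")               # sockets are printed as "3*"
        if fd.isdigit() and pid.isdigit():
            yield user, cmd, int(pid), int(fd)


def descriptors_per_process(text):
    """Count open numeric descriptors per (user, cmd, pid)."""
    counts = Counter()
    for user, cmd, pid, _fd in parse_fstat(text):
        counts[(user, cmd, pid)] += 1
    return counts


def top_consumers(text, n=3):
    """The n processes holding the most descriptors, largest first."""
    return descriptors_per_process(text).most_common(n)


def over_limit(text, limit):
    """Processes at or above a per-process descriptor limit, e.g. the
    'openfiles' value of the process's login class in login.conf(5)."""
    return [(proc, c) for proc, c in descriptors_per_process(text).items() if c >= limit]


if __name__ == "__main__":
    # Real use: replace SAMPLE_FSTAT with sys.stdin.read() and run  fstat | python3 this.py
    for (user, cmd, pid), count in top_consumers(SAMPLE_FSTAT):
        print(f"{count:5d} descriptors  {cmd} pid {pid} ({user})")
```

Counting only numeric descriptors matters: the "wd", "root" and "text" entries fstat prints for every process are not open files and do not count against the per-process limit.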



Re: bgpctl

2005-09-06 Thread Karl Austin

tony sarendal wrote:

> On 06/09/05, Karl Austin [EMAIL PROTECTED] wrote:
>
> > You've read my mind, that was going to be my next question if my issue
> > about having multiple communities per route was addressed (I tried
> > -current and it doesn't work).  Soft reset, and more route information
> > from bgpctl are sorely needed.
>
> I also ran into the problem with multiple communities but I haven't
> had time to look closer at it. Have you seen any changes in bgpd since
> you tried -current?
>
> I was going to give it a go tonight if I manage to stay awake.
>
> /Tony

Not been any changes in the last 3 weeks as far as I can see from CVS
Web.  At least I've found someone else having the same problem now, was
beginning to think I was losing the plot.


Thanks,

Karl



Re: OpenBSD 3.8-beta Alpha panic with pppoe SOS!

2005-09-06 Thread Roger Neth Jr

Hello List,
I reinstalled 3.8-beta on the alpha with just the required sets and the
hostname.pppoe0 and ppp.conf files, with the amap_wipeout panic still
occurring.


I tried UKC disable amap and pkg_delete -F amap-5.1.tgz and amap-4.5.tgz
without any success.


Any ideas on solving this is much appreciated.

Thank you,

rogern

John 3:16



From: Roger D Neth Jr [EMAIL PROTECTED]
To: misc@openbsd.org, [EMAIL PROTECTED]
Subject: OpenBSD 3.8-beta Alpha panic with pppoe
Date: Mon, 05 Sep 2005 11:58:49 -0700

Hello List,
I am unable to get pppoe to work with an alpha that I want to use as a 
firewall. It panics


amap_wipeout: corrupt amap

when I connect the ADSL Speedstream modem to any of the three NICs.

I have used the same hostname.pppoe0 and ppp.conf files with the same modem 
and a secondary nic on an i386 successfully.


My assumption is this is hardware related to the alpha and not OpenBSD.

Would anyone be able to check this out and verify this, or let me know how I
can correct this error. Would ukc "disable amap" work?


I Googled this and did not find any information on this.

Thank you,

rogern

John 3:16



ppp.conf

pppoedev de1
!/sbin/ifconfig de1 up
!/usr/sbin/spppcontrol \$if myauthproto=pap myauthname=xx \
myauthkey=xx
!/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x
!/sbin/route add default 0.0.0.1
up

default:
set log Phase Chat LCP IPCP CCP tun command
set redial 15 0
set reconnect 15 0

pppoe:
set device !/usr/sbin/pppoe -i de1
disable acfcomp protocomp
deny acfcomp
set mtu max 1492
set speed sync
enable lqr
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
set authname xx

snip





Re: sendmail and clamd

2005-09-06 Thread marc

Alexander Bochmann wrote:

> I'm successfully using smtp-vilter as milter
> for clamav, but I haven't followed the latest
> development on OpenBSD pthreads, and people
> used to say that there's problems with the
> thread implementation (search the archives
> for specifics) - so going with milters might
> not be the optimal solution for a high-volume
> system.

We serve 20'000+ users without problems here.



Re: sendmail and clamd

2005-09-06 Thread Rogier Krieger
On 9/6/05, Cristian Del Carlo [EMAIL PROTECTED] wrote:
> What can I use to connect sendmail and clamd?

Perhaps, if only for hints, you may want to take a look at MailDroid
that came across the list some time ago. It connects the in-base
sendmail to clamav through smtp-vilter from ports.

You'll find it at: http://www.maildroid.org/

Cheers,

Rogier

-- 
If you don't know where you're going, any road will get you there.



routing question

2005-09-06 Thread John Brooks
My office network has an ADSL connection with a single static
IP as follows:

   209.145.160.141/24  (gw 209.145.160.1)

I requested additional IPs from my provider and they gave me
8 addresses at:

   207.246.198.216/29

They are routing all 8 of these new addresses down my ADSL
'pipe'. On my OBSD box I can alias any of these 8 addresses
to the outward-facing NIC and reach them from the outside,
so I know that they work.

Now I want to set up another OBSD box to use one of these
addresses (which are no longer aliased to the first box).


(209.145.160.141)
OBSD #1 -
 \
 Switch  DSL Modem  ISP(209.145.160.1)
 /
OBSD #2 -
(207.246.198.220)

I was expecting that 207.246.198.217 would have been set up as
the gateway on the ISP's end, leaving me with 5 usable addresses.

I don't want to NAT box #2 behind box #1. Are there some
routing commands that would allow me to send traffic to
the ISP from box #2 using these new IPs?

Thanks,

--
John Brooks
[EMAIL PROTECTED] 



Re: routing question

2005-09-06 Thread Todd Boyer
On Tuesday, September 06, John Brooks wrote:

>
> (209.145.160.141)
> OBSD #1 -
>  \
>  Switch  DSL Modem  ISP(209.145.160.1)
>  /
> OBSD #2 -
> (207.246.198.220)
>
> I was expecting that 207.246.198.217 would have been set up
> as the gateway on the ISP's end, leaving me with 5 usable addresses.
>

In this case, you need to create (not your ISP) a default gateway for
your new 207.246.198.216/29 network on your border router, so alias
207.246.198.217 on OBSD #1. This will leave you hosts 218-222 to use any
way you see fit.

---
Todd M. Boyer, CISSP 
President   AutumnTECH, LLC 
[EMAIL PROTECTED]   http://www.AutumnTECH.com

AutumnTECH Manufactures Entire Network Protection Appliances 
that Identify Spam and Sanitize Dangerous E-mail Content  
---
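Todd's answer in code form, as an added example that is not from the thread: carve the routed /29 so the first usable address becomes the gateway alias on OBSD #1 and the other five go to hosts such as OBSD #2, then emit the OpenBSD 3.x config fragments each box needs. The addresses are the ones John quoted; the interface name fxp0 and the pf rules are my assumptions for illustration.

```python
"""Carve a routed /29 as the reply describes: the first usable address becomes
a gateway alias on the border box (OBSD #1); the remaining five go to hosts such
as OBSD #2, which points its default route at that alias.

Added example, not from the thread. Interface names (fxp0) and the pf rules are
assumptions; the addresses are the ones quoted in the thread.
"""
import ipaddress


def carve_block(cidr):
    """Return (network, gateway, usable_hosts) for a routed block."""
    net = ipaddress.ip_network(cidr, strict=True)   # rejects e.g. 207.246.198.220/29
    hosts = list(net.hosts())                       # excludes network and broadcast
    return net, hosts[0], hosts[1:]


def is_assignable(host_ip, cidr):
    """True if host_ip may be given to a server (not gateway, network or broadcast)."""
    return ipaddress.ip_address(host_ip) in carve_block(cidr)[2]


def border_config(ext_if, primary_ip, primary_mask, cidr):
    """Config fragments for OBSD #1. OpenBSD 3.x syntax: hostname.if takes NONE
    as the broadcast placeholder, and pf rules need an explicit 'keep state'."""
    net, gw, _ = carve_block(cidr)
    hostname_if = (
        f"inet {primary_ip} {primary_mask} NONE\n"
        f"inet alias {gw} {net.netmask} NONE\n"
    )
    pf_fragment = (
        f'ext_if = "{ext_if}"\n'
        f'routed_net = "{net}"\n'
        "# OBSD #1 forwards for the routed block on its outside interface in both\n"
        "# directions; narrow 'any' to the services the hosts actually expose.\n"
        "pass in on $ext_if inet from any to $routed_net keep state\n"
        "pass in on $ext_if inet from $routed_net to any keep state\n"
    )
    return {
        f"/etc/hostname.{ext_if}": hostname_if,
        "/etc/sysctl.conf": "net.inet.ip.forwarding=1\n",
        "/etc/pf.conf": pf_fragment,
    }


def host_config(if_name, host_ip, cidr):
    """Config fragments for a host inside the block (OBSD #2)."""
    net, gw, _usable = carve_block(cidr)
    if not is_assignable(host_ip, cidr):
        raise ValueError(f"{host_ip} is the gateway, network or broadcast of {net}")
    return {
        f"/etc/hostname.{if_name}": f"inet {host_ip} {net.netmask} NONE\n",
        "/etc/mygate": f"{gw}\n",
    }


if __name__ == "__main__":
    block = "207.246.198.216/29"
    for path, body in border_config("fxp0", "209.145.160.141", "255.255.255.0", block).items():
        print(f"== OBSD #1 {path}\n{body}")
    for path, body in host_config("fxp0", "207.246.198.220", block).items():
        print(f"== OBSD #2 {path}\n{body}")
```

The `strict=True` network parse and the `is_assignable` check catch the two mistakes that are easy to make with a routed block: treating the network or broadcast address as a host, and handing out the address that is already the gateway alias.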



Re: routing question

2005-09-06 Thread Rod.. Whitworth
On Tue, 6 Sep 2005 15:25:29 -0500, John Brooks wrote:

> My office network has an ADSL connection with a single static
> IP as follows:
>
>    209.145.160.141/24  (gw 209.145.160.1)
>
> I requested additional IPs from my provider and they gave me
> 8 addresses at:
>
>    207.246.198.216/29
>
> They are routing all 8 of these new addresses down my ADSL
> 'pipe'. On my OBSD box I can alias any of these 8 addresses
> to the outward-facing NIC and reach them from the outside,
> so I know that they work.
>
> Now I want to set up another OBSD box to use one of these
> addresses (which are no longer aliased to the first box).
>
>
> (209.145.160.141)
> OBSD #1 -
>  \
>  Switch  DSL Modem  ISP(209.145.160.1)
>  /
> OBSD #2 -
> (207.246.198.220)
>
> I was expecting that 207.246.198.217 would have been set up as
> the gateway on the ISP's end, leaving me with 5 usable addresses.
>
> I don't want to NAT box #2 behind box #1. Are there some
> routing commands that would allow me to send traffic to
> the ISP from box #2 using these new IPs?
>
> Thanks,
>
> --
> John Brooks
> [EMAIL PROTECTED]



Hi John,

I've been doing the ADSL with a routed /29 for servers in addition to
having a NATted LAN behind the same firewall. You can probably use some
of the tricks I get up to to conserve addresses.

Let us know what modem you are using, whether you are doing PPPoE or
PPPoA or whatever and I'll tailor my reply to suit. You can get into
lots of frustration by taking obvious approaches to this problem,
only to find that they result in more problems rather than solutions.

I don't see why you need all of that pain.

From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: netstat - how to show PID

2005-09-06 Thread Jason McIntyre
On Tue, Aug 30, 2005 at 03:41:14PM +0200, Simon Dassow wrote:
> On Tue, Aug 30, 2005 at 03:30:01PM +0200, Miroslav Kubik wrote:
> > Is there a way to show the PID which belongs to a socket with the netstat
> > command? I searched the man pages but haven't found any useful switch for my
> > need. I searched the Linux man pages for netstat as well and it seems that
> > Linux can do it with the -p switch.
> >
> > -p, --program
> > Show the PID and name of the program to which each socket belongs.
> >
> > But what about OpenBSD?
>
> man fstat
>
> Regards,
> Simon
>
> P.S.: Missing Xref in netstat?

i just added some references to make the various stat pages (some of
them anyway) cross-reference each other.

jmc



adding a partition, fdisk, disklabel, and other fun

2005-09-06 Thread Kelly Martin
I gotta ask for help or I'm gonna hose my multi-boot system.

I've got an A6 primary partition with various /usr and /var style partitions
within. Pretty standard, but I ran out of disk space. I added a second
primary A6 partition in the freespace of the same disk using fdisk, but
cannot figure out how to use disklabel and newfs properly to add this new
partition and then mount it as /var/www/htdocs. When I try to use disklabel,
it seems to only want to use my existing primary partition, and not the new
one. I have read the manual, which appears to be in Chinese, and then I read
the FAQ, which says, "This will seem confusing." Yeah? Well no shit! :)

The parameters of this new partition are as follows:
-first physical sector 15,052,905 (Cyl 937, Hd 0, Sect 1)
-last physical sector 19,261,934 (Cyl 1198, Hd 254, Sect 63)
-total physical sectors: 4,209,030 (2,055.2MB)
-physical geometry: 1,823 Cyls, 255 Hds, 63 Sects

Can someone walk me through this as if I were a monkey, and take me
step-by-step? I wanna tell disklabel it's got to be /var/www/htdocs on the
above partition, then run newfs, then mount it, and then add it to my fstab
for good.

Since it took my machine almost a full day to compile the kernel + all the
binaries up to -CURRENT, I'd much rather not have to wipe it clean and
reinstall with the correct partition size and do it all over again. On i386,
in case you didn't guess. And I'm wearing my OpenBSD greenie t-shirt as I
write this!!

Thanks,

Kelly



Updated: Trouble connecting to OBSD VPN (isakmpd on 3.7 generic) from an XP (sp1) client using ipseccmd.exe (more data)

2005-09-06 Thread Ben
Still getting the same errors as below:


131529.495890 Plcy 40 check_policy: adding authorizer [passphrase:password]
131529.495915 Plcy 40 check_policy: adding authorizer
[passphrase-md5-hex:5f4dcc3b5aa765d61d8327deb882cf99]
131529.495927 Plcy 40 check_policy: adding authorizer
[passphrase-sha1-hex:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8]
131529.495939 Plcy 40 check_policy: kn_do_query returned 0
131529.495953 Default check_policy: negotiated SA failed policy check


For some reason it's failing in the passphrase,  I've edited the policy file
and conf file to remove any/all unusual codings, and even removed the
Policies section (also removed spaces at the end of lines, etc) and ended up
with files as follows:

/etc/isakmpd/isakmpd.policy:
Authorizer: POLICY
Licensees: passphrase:password
esp_present == yes &&
esp_enc_alg != null -> true;


/etc/isakmpd/isakmpd.conf
[General]
Retransmits = 5
Exchange-max-time   = 120
Listen-on   = External_ip_for_OBSD
Shared-SADB=Defined
Renegotiate-on-HUP= Defined

[Phase 1]
Default = ISAKMP-clients

[Phase 2]
Passive-Connections = IPsec-clients

[ISAKMP-clients]
Phase   = 1
Transport   = udp
Configuration   = win-main-mode
Authentication  = password

[IPsec-clients]
Phase   = 2
Configuration   = win-quick-mode
Local-ID= default-route
Remote-ID   = dummy-remote

[default-route]
ID-type = IPV4_ADDR_SUBNET
Network = 0.0.0.0
Netmask = 0.0.0.0

[dummy-remote]
ID-type = IPV4_ADDR
Address = 0.0.0.0

[win-main-mode]
DOI = IPSEC
EXCHANGE_TYPE   = ID_PROT
Transforms  = 3DES-SHA-GRP2

[win-quick-mode]
DOI = IPSEC
EXCHANGE_TYPE   = QUICK_MODE
Suites  = QM-ESP-3DES-SHA-SUITE



(again tried to clear any possible control characters)

On the windows side start_vpn.bat (hard coded spaces to show different
lines):

@echo off

c:\ipsec\ipseccmd.exe -u

echo cleared

c:\ipsec\ipseccmd.exe -f 0=192.168.1.0/255.255.255.0 -n ESP[3DES,SHA] -t
public_ip_oBSD -a PRESHARE:password -1s 3DES-SHA-2

echo part 1 finished

c:\ipsec\ipseccmd.exe -f 192.168.1.0/255.255.255.0=0 -n ESP[3DES,SHA] -t
public_ip_xp -a PRESHARE:password -1s 3DES-SHA-2

echo finished




Have to admit, now it's a matter of wanting to know wtf is going on, and
less a matter of wanting to move away from SSH tunneling.


If anyone needs more info I can "isakmpd -v -d -D A=99 2> vpn_debug.txt"
(then email the gzipped file), but it looks like the above errors are the
problem, which implies it's a password problem, but the preshare is
*EXACTLY* as you see it above (I'll change the password once it works one
time.) The only things changed are the IPs, to protect the not so innocent.


Off to bang my head against a wall for a bit.


Ben
(and no, there are no firewalls currently installed on the test XP box, I
want to get it to work there before running into the old "does this work
with this software firewall" problem on my personal laptop)
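An added example (mine, not Ben's and not isakmpd's code) for the half of check_policy that the log above records: the three authorizer names isakmpd derives from one pre-shared key, which isakmpd.policy(5) documents as passphrase, passphrase-md5-hex and passphrase-sha1-hex, and whether a policy file's Licensees line can match any of them. The log lines are copied from Ben's post; the two policy texts are constructed, including a variant that keeps only a SHA-1 digest of the key in the policy file.

```python
"""How isakmpd's policy check gets from a pre-shared key to the authorizer
names in the debug log, and whether a Licensees line can match them.

Added example, not from the post or from isakmpd. LOG is copied from the post;
POLICY_PLAIN and POLICY_HASHED are constructed.
"""
import hashlib
import re

# Copied from the post (isakmpd -D A=99 output); note the wrapped lines.
LOG = """\
131529.495890 Plcy 40 check_policy: adding authorizer [passphrase:password]
131529.495915 Plcy 40 check_policy: adding authorizer
[passphrase-md5-hex:5f4dcc3b5aa765d61d8327deb882cf99]
131529.495927 Plcy 40 check_policy: adding authorizer
[passphrase-sha1-hex:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8]
131529.495939 Plcy 40 check_policy: kn_do_query returned 0
131529.495953 Default check_policy: negotiated SA failed policy check
"""

# Constructed: same shape as the poster's isakmpd.policy, key in the clear.
POLICY_PLAIN = 'Authorizer: "POLICY"\nLicensees: "passphrase:password"\n'
# Constructed alternative: only a digest of the key lives in the policy file.
POLICY_HASHED = ('Authorizer: "POLICY"\n'
                 'Licensees: "passphrase-sha1-hex:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"\n')


def passphrase_authorizers(passphrase):
    """The three names check_policy() derives from one pre-shared key
    (see isakmpd.policy(5)): plain, MD5 hex digest and SHA-1 hex digest."""
    raw = passphrase.encode()
    return {
        "passphrase:" + passphrase,
        "passphrase-md5-hex:" + hashlib.md5(raw).hexdigest(),
        "passphrase-sha1-hex:" + hashlib.sha1(raw).hexdigest(),
    }


def authorizers_from_log(log_text):
    """Pull authorizer names out of 'adding authorizer [...]' lines, rejoining
    the bracketed part when the daemon wrapped it onto the next line."""
    joined = re.sub(r"\n(?=\[)", " ", log_text)
    return set(re.findall(r"adding authorizer\s+\[([^\]]+)\]", joined))


def licensees(policy_text):
    """Names on the Licensees: line; KeyNote joins alternatives with ||."""
    m = re.search(r"^Licensees:\s*(.+?)\s*$", policy_text, re.MULTILINE)
    if not m:
        return set()
    return {tok.strip().strip('"') for tok in m.group(1).split("||")}


def licensee_matches(policy_text, passphrase):
    """True if at least one licensee is an authorizer derived from this key."""
    return bool(licensees(policy_text) & passphrase_authorizers(passphrase))


def log_matches(policy_text, log_text):
    """Same check, but against the authorizers the daemon actually logged."""
    return bool(licensees(policy_text) & authorizers_from_log(log_text))


if __name__ == "__main__":
    print("logged:  ", sorted(authorizers_from_log(LOG)))
    print("computed:", sorted(passphrase_authorizers("password")))
    print("plain policy matches 'password': ", licensee_matches(POLICY_PLAIN, "password"))
    print("hashed policy matches 'password':", licensee_matches(POLICY_HASHED, "password"))
    print("plain policy matches 'Password': ", licensee_matches(POLICY_PLAIN, "Password"))
```

Two things the example shows that the log alone does not: the digests in the log are exactly MD5 and SHA-1 of the configured key, so a typo or stray byte in the key changes them completely, and a Licensees line may name the digest form instead of the clear-text key. kn_do_query also evaluates the Conditions part of the policy, which this example does not model, so a licensee match is necessary but not sufficient for the SA to pass.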



Dell m70 and HP nc6230 experiences?

2005-09-06 Thread Aaron Glenn
Does anyone on the list have any comments or caveats on using OpenBSD
as a primary OS on either the Dell Precision m70 or Hewlett Packard
nc6230 notebooks? Google turns up nothing interesting on either.

regards,
aaron.glenn



WLAN Device problem

2005-09-06 Thread Sam Ficher
Hello,
I have the following problem: I have a CNet CWP-854 Ralink Wireless-G PCI
Adapter. I have configured it on OpenBSD 3.8 Beta and after some attempts I was
able to get a status of ACTIVE; however, it seems that there is no connection
available. Pinging any clients on the same network fails, and the same goes for the
gateway too. I can't seem to understand what is wrong. I have asked other
people for help; they have said the chip is probably not supported.
Best Regards,
Sam



Re: adding a partition, fdisk, disklabel, and other fun

2005-09-06 Thread Ted Unangst
On Tue, 6 Sep 2005, Kelly Martin wrote:

> I've got an A6 primary partition with various /usr and /var style partitions
> within. Pretty standard, but I ran out of disk space. I added a second
> primary A6 partition in the freespace of the same disk using fdisk, but

don't do this.

> Can someone walk me through this as if I were a monkey, and take me
> step-by-step? I wanna tell disklabel it's got to be /var/www/htdocs on the
> above partition, then run newfs, then mount it, and then add it to my fstab
> for good.

create some other partition type in fdisk, go into disklabel, use 'b' to
edit the whole disk, and add a new partition with the appropriate values.
i'd definitely use raw sector offsets for this, as chs geometry will
likely be wrong.  then newfs and away you go.


-- 
And that's why we don't want to be expected to help clean up the
mess you made.
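Ted's advice to use raw sector offsets, worked through with Kelly's numbers as an added example (not from the thread): convert the fdisk CHS values to LBA, derive the offset and size disklabel's editor asks for, and check the new range against the partitions already in the label. The geometry (255 heads, 63 sectors) and the CHS values are from Kelly's post; the EXISTING partition list is constructed.

```python
"""Convert the fdisk CHS values from the question into the raw sector offset
and size that disklabel(8)'s editor asks for, and check the result against
the partitions already on the disk.

Added example, not from the thread. Geometry and the new partition's CHS values
are the ones quoted in the question; EXISTING is constructed.
"""

HEADS = 255             # from the post: 255 heads
SECTORS = 63            # from the post: 63 sectors per track
SPC = HEADS * SECTORS   # sectors per cylinder: 16065


def chs_to_lba(cyl, head, sect, heads=HEADS, sectors=SECTORS):
    """LBA = (C * heads + H) * sectors + (S - 1); CHS sectors count from 1."""
    if not (0 <= head < heads and 1 <= sect <= sectors):
        raise ValueError("head/sector outside the given geometry")
    return (cyl * heads + head) * sectors + (sect - 1)


def partition_from_chs(first, last, heads=HEADS, sectors=SECTORS):
    """(offset, size) in 512-byte sectors from the first and last CHS triples."""
    start = chs_to_lba(*first, heads=heads, sectors=sectors)
    end = chs_to_lba(*last, heads=heads, sectors=sectors)
    if end < start:
        raise ValueError("last sector precedes first sector")
    return start, end - start + 1


def size_mb(nsectors):
    """Size in MiB of a sector count, as fdisk reports it."""
    return nsectors * 512 / (1024 * 1024)


def overlapping(new, existing):
    """Names of existing (name, offset, size) partitions that overlap new=(offset, size)."""
    off, size = new
    return [name for name, o, s in existing if off < o + s and o < off + size]


def disklabel_values(letter, new, fstype="4.2BSD", mount="/var/www/htdocs"):
    """What to type into disklabel -E for the new partition."""
    off, size = new
    return {"partition": letter, "offset": off, "size": size,
            "fstype": fstype, "mount": mount}


# Constructed: the existing OpenBSD partitions as (name, offset, size) in sectors.
# They end at sector 15052904, directly before the new fdisk partition.
EXISTING = [
    ("a", 63, 1048512),
    ("b", 1048575, 1048575),
    ("d", 2097150, 12955755),
]

if __name__ == "__main__":
    new = partition_from_chs((937, 0, 1), (1198, 254, 63))
    print("offset %d size %d (%.1f MB)" % (new[0], new[1], size_mb(new[1])))
    print("overlaps:", overlapping(new, EXISTING) or "none")
    print(disklabel_values("e", new))
```

The computed offset and size reproduce the sector numbers fdisk printed (15,052,905 and 4,209,030), which is the sanity check to do before touching the label; if they did not, the geometry fdisk assumes would be the wrong one, which is the failure Ted warns about. In disklabel -E, 'b' widens the OpenBSD boundaries to cover the new fdisk partition and 'a' adds a partition, at which point the offset and size above are what to type.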



Re: Lifecycle question

2005-09-06 Thread Uwe Dippel
On Mon, 05 Sep 2005 15:35:19 +0200, Stephan A. Rickauer wrote:

> Well, I am thinking of using OpenBSD for our firewalls. Those I do want
> to upgrade regularly. Not because of features, but because of patches.

You will be rewarded by this choice; I am sure!
And still, I cannot understand the writers of arguments 'compared to'.
Having something out there that is worse does not automatically make you
the invincible market leader.
The OpenBSD boxes that I run need the least intervention. But still, there
could be even less. Patches are a good example. When I download a patch
for the first box, I'd rather read, study and understand what is going on
and apply the steps described in the header one by one, manually.
For all the other boxes, I simply have no real time to sit next to them and
wait for some 'make' to have finished. Also here, the most obvious solution
is a script doing this automatically on demand: checking some URL for new
patches, downloading them, and running the header as a script, including
recompiling the kernel (if required). Me passing by that box, checking the
success and rebooting (if needed) manually should be quite enough. I don't
see a need to sit next to the boxes again and again, issuing and waiting
for the always same commands for always the same patch.

I am too lousy a coder; and I can imagine that someone else has written a
perfect script for this; so why not include it as a utility for everyone
to use?



Re: routing question

2005-09-06 Thread John Brooks
> On Tuesday, September 06, John Brooks wrote:
>
> >
> > (209.145.160.141)
> > OBSD #1 -
> >  \
> >  Switch  DSL Modem  ISP(209.145.160.1)
> >  /
> > OBSD #2 -
> > (207.246.198.220)
> >
> > I was expecting that 207.246.198.217 would have been set up
> > as the gateway on the ISP's end, leaving me with 5 usable addresses.
> >
>
> In this case, you need to create (not your ISP) a default gateway for
> your new 207.246.198.216/29 network on your border router, so alias
> 207.246.198.217 on OBSD #1. This will leave you hosts 218-222 to use any
> way you see fit.
>

Well that was simple enough, takes a couple extra rules in pf on OBSD #1,
but otherwise works. Thanks.



Re: routing question

2005-09-06 Thread John Brooks
> On Tue, 6 Sep 2005 15:25:29 -0500, John Brooks wrote:
>
> > My office network has an ADSL connection with a single static
> > IP as follows:
> >
> >    209.145.160.141/24  (gw 209.145.160.1)
> >
> > I requested additional IPs from my provider and they gave me
> > 8 addresses at:
> >
> >    207.246.198.216/29
> >
> > They are routing all 8 of these new addresses down my ADSL
> > 'pipe'. On my OBSD box I can alias any of these 8 addresses
> > to the outward-facing NIC and reach them from the outside,
> > so I know that they work.
> >
> > Now I want to set up another OBSD box to use one of these
> > addresses (which are no longer aliased to the first box).
> >
> >
> > (209.145.160.141)
> > OBSD #1 -
> >  \
> >  Switch  DSL Modem  ISP(209.145.160.1)
> >  /
> > OBSD #2 -
> > (207.246.198.220)
> >
> > I was expecting that 207.246.198.217 would have been set up as
> > the gateway on the ISP's end, leaving me with 5 usable addresses.
> >
> > I don't want to NAT box #2 behind box #1. Are there some
> > routing commands that would allow me to send traffic to
> > the ISP from box #2 using these new IPs?
> >
> > Thanks,
> >
> > --
> > John Brooks
> > [EMAIL PROTECTED]
>
>
>
> Hi John,
>
> I've been doing the ADSL with a routed /29 for servers in addition to
> having a NATted LAN behind the same firewall. You can probably use some
> of the tricks I get up to to conserve addresses.

JB: My thoughts were to not be behind the firewall with box #2, but 'next'
to it. But I'm open to all alternative methods. Having multiple options
is always a good thing.

>
> Let us know what modem you are using, whether you are doing PPPoE or
> PPPoA or whatever and I'll tailor my reply to suit. You can get into
> lots of frustration by taking obvious approaches to this problem,
> only to find that they result in more problems rather than solutions.

JB: The DSL modem is a straight bridge. No PPPoE or PPPoA. What goes in
the front comes out the back. I have a single static IP on a /24
network with a normal gateway address - plus these 8 additional IPs
they are now sending down my wire.

>
> I don't see why you need all of that pain.

JB: I appreciate that... (sometimes a little pain can be a good thing,
especially if something new is learned)

>
> From the land down under: Australia.
> Do we look umop apisdn from up over?
>
> Do NOT CC me - I am subscribed to the list.
> Replies to the sender address will fail except from the list-server.



Re: sendmail and clamd

2005-09-06 Thread [EMAIL PROTECTED]
poncenby wrote:
> use qmail (http://cr.yp.to/qmail.html) as the
> MTA - not sendmail.

Aaaag!!! At the risk of starting a flame-fest, do yourself a favour,
ignore this advice and stay away from qmail. The license issue alone
should make you stop and think first. It is about as encumbered with
restrictions as it is possible to be with a so-called free license.

After that, you have to start patching the source and rebuilding
everything from scratch in order to make it actually useful. It is
hideous. No one can supply you a binary or even pre-patched sources
despite such patches having been extensively tested and mature. Don't
expect to be able to add any kind of plug-ins either.

There are plenty of MTAs out there which I would use ahead of qmail,
especially if you're already using sendmail, and as other posters have
pointed out, there are tools that work with sendmail as it is, so
there's no need to scrap your MTA just to get clamav integration.

My 2c