certification of firewall product / mess in my head
I want to apologise if this is a bit off topic, but as it is about replacing nicely configured OpenBSD firewalls (5 pieces) I am asking here (it really hurts, as I put a lot of effort into having something stable, simple, secure and ...).

Yesterday I got a surprise: it looks like in Germany (and some other countries) there are some laws/requirements/obligations such that, if a firewall (appliance) is owned by third parties and it causes any damage to others, even the chiefs are responsible for the damage, but if this appliance is certified these people don't have such trouble. Sounds funny, as we all know that certification and security don't always walk together, but ... My chief got a bit stressed, and the plus that he will finally have web configuration and such extras :(( made it real: we are moving away from the best solution.

Does anybody know something about this topic in Germany (EU)? Are there any OpenBSD-based firewalls around with such a certification (http://www.bsi.de/zertifiz/index.htm)? Or is OpenBSD certified?
Re: certification of firewall product / mess in my head
Hello there.

qstreb wrote:
> I want to apologise if this is a bit off topic, but as it is about replacing nicely configured OpenBSD firewalls (5 pieces) I am asking here (it really hurts, as I put a lot of effort into having something stable, simple, secure and ...). Yesterday I got a surprise: it looks like in Germany (and some other countries) there are some laws/requirements/obligations such that, if a firewall (appliance) is owned by third parties and it causes any damage to others, even the chiefs are responsible for the damage, but if this appliance is certified these people don't have such trouble. Sounds funny, as we all know that certification and security don't always walk
> Does anybody know something about this topic in Germany (EU)? Are there any OpenBSD-based firewalls around with such a certification (http://www.bsi.de/zertifiz/index.htm)?

I think OpenBSD itself is not certified, but if you have a closer look at genua.de the products there seem to be BSI certified. I don't know which OpenBSD version they use, but it may be a good starting point for you. I remember there was a small article in one of the last iX magazines, but I didn't keep them because I was moving house myself. Hope this is a hint for you.

-- Andre Naehring
Re: A question about examining pf logging data
Try "# tcpdump arp" to see only ARP packets. Want the link-level header as well? Add the -e option.

2005/9/12, ed [EMAIL PROTECTED]:
> On Mon, 12 Sep 2005 13:26:19 -0400 Will H. Backman [EMAIL PROTECTED] wrote:
> > This has most of the data that I need, but it seems to be missing one thing that I think is important. How can I determine if the traffic is TCP/UDP/ICMP etc?
>
> If you have ack and window flags, then it is TCP, not UDP.
>
> > What should I use to see packets at the ethernet level, such as ARP?
>
> -- http://edd.link9.net - http://irc.is-cool.net

-- Huzeyfe Onal --- First Turkish Qmail book is out! Go check it. (Have you heard? Turkey's first Qmail book is out.) http://www.acikakademi.com/catalog/qmail/
Running OpenBSD from firewall, servers, laptops and desktops
Hello List,

Just wanted to say thanks to the list for your help and to the OpenBSD devs for the awesome operating system. So far the alpha firewall is a lot faster serving up the web than my Linksys router did. :) I went from Windows to OpenBSD in about three months of learning, and I am still learning. On the alpha firewall, using ppp.conf, hosts and arp -a helped with a Realtek network card in my desktop. The Realtek would not communicate with the firewall no matter what I tried. I ended up putting a Linksys NIC in there and that solved the problem. Now to build a Sun web server and an i386 mail server with maildroid.

Best regards, rogern
John 3:16
KDM in OpenBSD
Hi, Greetings from Colombia.

I'm using OpenBSD 3.7 and I configured KDM. When I start KDM from a root console:

    login: root
    Password:
    Terminal type? [vt220]
    [EMAIL PROTECTED]:~ # kdm

It works fine :-) But I added an entry in /etc/rc.conf and /etc/rc so that KDM starts when I power on the machine. In /etc/rc.conf:

    kdm_flags=YES

At the end of /etc/rc:

    if [ X${kdm_flags} != XNO ]; then
        echo 'starting KDM...'; /usr/local/bin/kdm
    fi
    exit 0

But when I power on my PC and KDM starts I can't use the keyboard :'( In Xorg.log the following entry appears only when KDM starts from /etc/rc:

    (EE) KbdOn: tcsetattr: Inappropriate ioctl for device

Can someone explain this error to me and tell me how to solve it?

Sincerely,
Diego Fernando Nieto Moreno
---
IEEE Student Membership Number 41618544
http://www.compumundohypermegared.org
They called BSD! And Open because it's always free
Re: certification of firewall product / mess in my head
Hi,

...on Tue, Sep 13, 2005 at 10:12:11AM +0200, qstreb wrote:
> Yesterday I got a surprise: it looks like in Germany (and some other countries) there are some laws/requirements/obligations such that, if a firewall (appliance) is owned by third parties and it causes any damage to others, even the chiefs are responsible for the damage, but if this appliance is certified these people don't have such trouble.

That sounds a bit like fallout from the Sarbanes-Oxley Act (for a short summary, see http://en.wikipedia.org/wiki/Sarbanes-oxley), and last time I looked, Germany was not part of the USA. On the other hand, I haven't followed our legislation in that sector recently, and if your company is incorporated in the US or does business with US-based companies, you will be affected either way. I assume that certification in that context is supposed to prove some kind of due diligence in your IT security efforts. Proper documentation of your firewall setup should do the same, but in the end it's probably better to talk to a lawyer than to system administrators :)

Alex.
Re: KDM in OpenBSD
Diego Fernando Nieto Moreno wrote:
> But when I power on my PC and KDM starts I can't use the keyboard :'( In Xorg.log the following entry appears only when KDM starts from /etc/rc:
> (EE) KbdOn: tcsetattr: Inappropriate ioctl for device

Yes, I don't use KDM so I can't really give you the answer, but what I know is that you should start KDM from /etc/ttys using a line like (can't give you the exact line):

    ttyXX /usr/local/bin/kdm -nodaemon ...

Search on Google and in the archives, I've seen this question a few times already.

Antoine
Re: KDM in OpenBSD
On 13/09/05, Antoine Jacoutot [EMAIL PROTECTED] wrote:
> Diego Fernando Nieto Moreno wrote:
> > But when I power on my PC and KDM starts I can't use the keyboard :'( In Xorg.log the following entry appears only when KDM starts from /etc/rc:
> > (EE) KbdOn: tcsetattr: Inappropriate ioctl for device
>
> Yes, I don't use KDM so I can't really give you the answer, but what I know is that you should start KDM from /etc/ttys using a line like (can't give you the exact line):
> ttyXX /usr/local/bin/kdm -nodaemon ...
> Search on Google and in the archives, I've seen this question a few times already.
> Antoine

Hello,

This has been discussed many times before. Please check the archives: http://marc.theaimsgroup.com/?l=openbsd-misc&w=2&r=1&s=kdm&q=b

Best Regards
Edd
Re: KDM in OpenBSD
On Tue, Sep 13, 2005 at 06:20:29AM -0700, Diego Fernando Nieto Moreno wrote:
> ...But when I power on my PC and KDM starts I can't use the keyboard...

Try running /usr/local/bin/genkdmconf to configure KDM.
Re:
On 13/09/05, Diego Fernando Nieto Moreno [EMAIL PROTECTED] wrote:
> Hi, Greetings from Colombia.
>
> I have a C-MEDIA sound card; since OpenBSD 3.5 this device uses the ac97(4) driver, but OpenBSD plays some sound formats too fast. I think that it is an OpenBSD bug, because no media player (mplayer, mpg123, xmms, noatun) solves this problem. I saw a link where someone asked the same question, but he didn't get a good answer. My dmesg is:
> Actually I'm using OpenBSD 3.7 and I receive the following message when I play a sound, for example an MP3 file:
>
>     auich0: measured ac97 link rate at 48012 Hz, will use 48000 Hz
>
> The audioctl(1) command shows the following error when I change some parameter:
>
>     # audioctl play.rate=44100
>     audioctl: set failed: Invalid argument
>     # audioctl -a
>     name=SiS7012 AC97
>     version=0xa0
>     config=auich0
How to lock a user in his home.
Hello people,

I want to know how to lock a user in his home, so that he cannot see any other directory, just his home. Does someone know how I can do this?

Thanks for your attention, []s

--
Leonardo Marques
http://www.analyx.org
Re: How to lock a user in his home.
On Tue, Sep 13, 2005 at 11:05:20AM -0300, Leonardo Marques wrote:
> Hello people, I want to know how to lock a user in his home, so that he cannot see any other directory, just his home. Does someone know how I can do this?

ftp? ssh? local access? What type of access is it?
Re: How to lock a user in his home.
--On 13 September 2005 11:05 -0300, Leonardo Marques wrote:
> I want to know how to lock a user in his home, so that he cannot see any other directory, just his home. Does someone know how I can do this?

stsh?
Re: How to lock a user in his home.
Leonardo Marques wrote:
> Hello people, I want to know how to lock a user in his home, so that he cannot see any other directory, just his home. Does someone know how I can do this? Thanks for your attention, []s
> -- Leonardo Marques http://www.analyx.org --

Hmm, if you lock your user in his home, he cannot access directories and files like /bin, /usr/bin, /dev/null and many others. This will prevent him from doing almost anything (like ls, vi ...). If you want your user not to access the directories of other users, have a look at chmod, chown, chgrp.

guido
executable /bsd
hi there,

is there a reason /bsd must be executable? is there a reason /bsd must not be executable? "config -e -o" writes an executable one. so is that the way it should be?

-f
--
it's my idea 'cause i stole it first!
Re: How to lock a user in his home.
You can always chroot them into their homedir. Rewrite stsh to make a chroot call via sudo. Add access to chroot via sudo for everyone. Add the user with /bin/chrootsh as their shell. Create a chroot environment for the user in their homedir. Copy your favourite shell into the chroot environment and symlink it to chrootsh:

    cd /home/user; cd bin/; ln -s ksh chrootsh

Do some tests. Done.

On Tuesday 13 September 2005 16:05, Leonardo Marques wrote:
> Hello people, I want to know how to lock a user in his home, so that he cannot see any other directory, just his home. Does someone know how I can do this? Thanks for your attention, []s
> -- Leonardo Marques http://www.analyx.org --
Re: how to diagnose IErr's
--On 13 September 2005 17:39 +0200, -f wrote:
> if it causes Col's on half duplex, and then causes Ierr's on full duplex, then what is the problem? the modem or openbsd?

there isn't a problem with collisions, they are correct and expected behaviour with half-duplex ethernet. the devices know how to detect collisions (the 'CD' part of CSMA-CD) (unless the segment is physically longer than permitted by the specs) and back off themselves... by forcing full-duplex, you turn off the collision detection, which causes loss in both directions, and extra delays in the half-to-full duplex direction (modem to PC, in your case). web100 NDT (google) should be able to detect a duplex mismatch.

(cc'd back to misc@ for the archives, hope you don't mind).
Re: A question about examining pf logging data
That's good, thanks. I thought tcpdump was IP layer only, because of the name.

On Tue, 13 Sep 2005 14:38:09 +0300 Huzeyfe Onal [EMAIL PROTECTED] wrote:
> Try "# tcpdump arp" to see only ARP packets. Want the link-level header as well? Add the -e option.
>
> 2005/9/12, ed [EMAIL PROTECTED]:
> > On Mon, 12 Sep 2005 13:26:19 -0400 Will H. Backman [EMAIL PROTECTED] wrote:
> > > This has most of the data that I need, but it seems to be missing one thing that I think is important. How can I determine if the traffic is TCP/UDP/ICMP etc?
> >
> > If you have ack and window flags, then it is TCP, not UDP.
> >
> > > What should I use to see packets at the ethernet level, such as ARP?
> >
> > -- http://edd.link9.net - http://irc.is-cool.net
Re: How to lock a user in his home.
On Tue, Sep 13, 2005 at 11:05:20AM -0300, Leonardo Marques wrote:
> I want to know how to lock a user in his home, so that he cannot see any other directory, just his home. Does someone know how I can do this?

rksh may be appropriate, but this is only for *very* simple setups (no other shell in the user's PATH, and no programs that can change to, read from or write to arbitrary directories, i.e. not even an ed(1)). If the user should actually do more than just poke around in his HOME, a chroot environment is probably the better choice.

Ciao, Kili
Re: How to lock a user in his home.
how can I create a chrooted environment?

On 9/13/05, Matthias Kilian [EMAIL PROTECTED] wrote:
> On Tue, Sep 13, 2005 at 11:05:20AM -0300, Leonardo Marques wrote:
> > I want to know how to lock a user in his home, so that he cannot see any other directory, just his home. Does someone know how I can do this?
>
> rksh may be appropriate, but this is only for *very* simple setups (no other shell in the user's PATH, and no programs that can change to, read from or write to arbitrary directories, i.e. not even an ed(1)). If the user should actually do more than just poke around in his HOME, a chroot environment is probably the better choice.
>
> Ciao, Kili

--
Leonardo Marques
http://www.analyx.org
[OT]: Vulnerability Scanning Frustrations (Or: if you run nessus, how do you make it run faster?)
I'm running 3.7-RELEASE with all patches on x86 hardware. I've tested the bandwidth on the machine, and it can easily handle 200-300Mbps. I/O is decent too (this is an IBM x335 [dmesg below]). What *really* is nearly impossible is running nessus and nmap on this host. Even using the ports, a single nmap scan will take more than 4 hours. The network is 100 full-duplex, and I've even tried setting the bge(4) cards to half-duplex at 100Mbps. Any machine I've ever run nessus/nmap on with OpenBSD as the underlying operating platform has had this problem. For those of you running vulnerability scanners on OpenBSD, do you have any tricks to fix these issues? I know they're not the best-coded applications, but I'm stuck running them. Any thoughts are appreciated. I've tried with pf enabled and disabled, no major difference in speed. I have a GENERIC.MP kernel with all the current patches applied.

Thanks.
- Eric
Re: [OT]: Vulnerability Scanning Frustrations (Or: if you run nessus, how do you make it run faster?)
On Tue 2005.09.13 at 15:40 -0500, eric wrote:
> I'm running 3.7-RELEASE with all patches on x86 hardware. I've tested the bandwidth on the machine, and it can easily handle 200-300Mbps. I/O is decent too (this is an IBM x335 [dmesg below]). What *really* is nearly impossible is running nessus and nmap on this host. Even using the ports, a single nmap scan will take more than 4 hours. The network is 100 full-duplex, and I've even tried setting the bge(4) cards to half-duplex at 100Mbps. Any machine I've ever run nessus/nmap on with OpenBSD as the underlying operating platform has had this problem. For those of you running vulnerability scanners on OpenBSD, do you have any tricks to fix these issues? I know they're not the best-coded applications, but I'm stuck running them. Any thoughts are appreciated. I've tried with pf enabled and disabled, no major difference in speed. I have a GENERIC.MP kernel with all the current patches applied.

you fail to mention details of such issues... what are they?
Re: BGP peering, 2 peers, hardware requirements questions
You might also want to read http://www.inetdaemon.com/columns/ask/internet-load-balancing.shtml, which will try to talk you out of using BGP for load balancing and present a simpler alternative.

j knight wrote:
> --- Quoting Karl O. Pinc on 2005/09/13 at 01:05 +:
> > Finally, not knowing much about bgp, I've a question about load balancing over the two WAN links. Does bgp/OpenBGP have any provisions for load balancing, say based on WAN link latency? (Seems like this _could_ be a bgp policy at the local level, but nothing leaps out at me from bgpd.conf(5).)
>
> Highly recommend this book: http://www.oreilly.com/catalog/bgp/
>
> .joel
Re: How to lock a user in his home.
On Tue, Sep 13, 2005 at 03:31:34PM -0300, Leonardo Marques wrote:
> how can I create a chrooted environment?

QUICK HACK ALERT (untested, undocumented, tty stuff ignored, ugly ugly ugly, most probably insecure):

    #include <err.h>
    #include <sys/types.h>
    #include <unistd.h>
    #include <pwd.h>

    int
    main(void)
    {
            struct passwd *pwent;

            /* the invoking user's passwd entry; his home becomes the jail */
            if (!(pwent = getpwuid(getuid())))
                    err(1, NULL);
            /* confine to the home directory */
            if (chroot(pwent->pw_dir) != 0 || chdir("/") != 0)
                    err(1, NULL);
            /* hand over to login(1) inside the jail (still root at this point) */
            execl("/usr/bin/login", "login", "-f", pwent->pw_name, (char *)NULL);
            err(1, NULL);
    }

Don't use this as is. The idea is to write a simple chroot wrapper like this, install it setuid-root, use it as the login shell for $USER, and set $USER's home to something like /var/jail. /var/jail then should be a self-contained, trimmed-down filesystem hierarchy.

Again: this is just an ugly (and probably completely retarded) quick hack.

Ciao, Kili
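As an added example (not Kili's code and not from the thread), the same wrapper idea with the two checks a confinement wrapper needs: it refuses a jail directory the user could tamper with, and it gives up root before executing anything inside the jail. The jail layout /var/jail/<user> (owned by root) and the shell path /bin/ksh inside it are assumptions.

```c
/*
 * chrootsh.c (added example): a setuid-root login wrapper that confines
 * a user to a per-user jail and drops root before running a shell.
 * Assumed layout: jails live under /var/jail/<user>, each owned by root
 * and holding its own /bin/ksh plus whatever else the user needs.
 */
#define _DEFAULT_SOURCE 1             /* glibc: expose setgroups, mkdtemp */
#include <sys/types.h>
#include <sys/stat.h>
#include <err.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define JAIL_BASE  "/var/jail"        /* assumption: where jails live */
#define JAIL_SHELL "/bin/ksh"         /* assumption: shell inside the jail */

/*
 * A jail root the confined user can write to is no jail: he could plant
 * files that the wrapper or a later login trusts. Require a real
 * directory, the expected owner, and no group/other write bit.
 */
int jail_dir_is_safe(const char *path, uid_t owner)
{
	struct stat st;

	if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
		return 0;
	if (st.st_uid != owner || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0)
		return 0;
	return 1;
}

/* Build JAIL_BASE/<name>, refusing names that could leave the base. */
int jail_path_for(const char *name, char *buf, size_t len)
{
	if (name == NULL || *name == '\0' || strchr(name, '/') != NULL ||
	    strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
		return 0;
	return snprintf(buf, len, "%s/%s", JAIL_BASE, name) < (int)len;
}

/* Root-free self-check of both validators on a temporary directory. */
int jail_checks_selftest(void)
{
	char tmpl[] = "/tmp/jailtest.XXXXXX", buf[64];
	uid_t me = getuid();
	int ok = 1;

	if (mkdtemp(tmpl) == NULL)                 /* created with mode 0700 */
		return 0;
	ok &= jail_dir_is_safe(tmpl, me);
	ok &= !jail_dir_is_safe(tmpl, me + 1);     /* wrong owner */
	ok &= chmod(tmpl, 0775) == 0 && !jail_dir_is_safe(tmpl, me);
	ok &= chmod(tmpl, 0755) == 0 && jail_dir_is_safe(tmpl, me);
	rmdir(tmpl);
	ok &= !jail_dir_is_safe(tmpl, me);         /* gone now */
	ok &= jail_path_for("alice", buf, sizeof(buf)) &&
	    strcmp(buf, JAIL_BASE "/alice") == 0;
	ok &= !jail_path_for("../etc", buf, sizeof(buf));
	ok &= !jail_path_for("..", buf, sizeof(buf));
	return ok;
}

int main(void)
{
	struct passwd *pw;
	char jail[1024];
	uid_t uid = getuid();

	if ((pw = getpwuid(uid)) == NULL)
		err(1, "getpwuid");
	if (!jail_path_for(pw->pw_name, jail, sizeof(jail)))
		errx(1, "unusable user name");
	if (!jail_dir_is_safe(jail, 0))            /* jail must belong to root */
		errx(1, "%s: not a safe jail directory", jail);
	if (chroot(jail) != 0 || chdir("/") != 0)
		err(1, "chroot %s", jail);
	/* Give up root (real, effective and saved) before running anything. */
	if (setgroups(1, &pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 ||
	    setuid(uid) != 0)
		err(1, "cannot drop privileges");
	if (setuid(0) == 0)                        /* must fail once root is gone */
		errx(1, "privileges were not dropped");
	execl(JAIL_SHELL, "ksh", "-l", (char *)NULL);
	err(1, "execl %s", JAIL_SHELL);
}
```

Unlike the quick hack above, nothing inside the jail ever runs as root, so a writable jail or a trojaned shell in it buys the user nothing outside his own uid.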
Re: BGP peering, 2 peers, hardware requirements questions
--- Quoting Darrin Chandler on 2005/09/13 at 13:56 -0700:
> You might also want to read http://www.inetdaemon.com/columns/ask/internet-load-balancing.shtml, which will try to talk you out of using BGP for load balancing and present a simpler alternative.

This solution talks about using dual static routes. This doesn't (yet) work on OpenBSD as the support isn't there. The best bet if this track is taken is to involve pf's load balancing features (http://www.openbsd.org/faq/pf/pools.html and pf.conf(5)).

.joel
Re: [OT]: Vulnerability Scanning Frustrations (Or: if you run nessus, how do you make it run faster?)
On 9/13/05, eric [EMAIL PROTECTED] wrote:
> Scans on a local subnet (nmap -sT -p 1-65535) taking 7 hours or more. The built-in nessus port scanner does the same.

have you tried running tcpdump on the interface and seeing what's getting sent over the wire, and how often?
Re: [OT]: Vulnerability Scanning Frustrations (Or: if you run nessus, how do you make it run faster?)
On 9/13/05, C. Bensend [EMAIL PROTECTED] wrote:
> > Scans on a local subnet (nmap -sT -p 1-65535) taking 7 hours or more. The built-in nessus port scanner does the same.
>
> Hmm, something _definitely_ wrong there. On my LAN, using your command line above (from a 3.7-STABLE host to a 3.6-STABLE host):
>
> Nmap finished: 1 IP address (1 host up) scanned in 1309.464 seconds

tweaking the syntax to this, using nmap 3.50 on 3.6, completed in 343 seconds:

    nmap -P0 -T Insane -v -sT -p 1-65535 x.x.x.x    (as root)

It was definitely slower using the same syntax on 3.7 though, I didn't have time to see how long it was going to take.
isakmpd: openbsd - cisco = problems
I'm using an OpenBSD 3.7 box to try to connect to our cisco concentrator at work. Here is what I was sent by our network admin:

    10.0.0.0/0.0.0.255
    192.168.240.0/0.0.15.255
    172.22.0.0/0.0.0.255
    10.10.0.0/0.0.255.255
    10.20.0.0/0.0.255.255

as networks I would need to tunnel to. Here is my isakmpd.conf file with the proper edits:

    [General]
    Listen-On=              xx.xxx.xxx.xx

    [Phase 1]
    yy.yyy.yyy.yy=          concentrator

    [Phase 2]
    Connections=            VPN-home-240, VPN-home-10_0, VPN-home-172, VPN-home-10_10, VPN-home-10_20

    [concentrator]
    Phase=                  1
    Transport=              udp
    Address=                yy.yyy.yyy.yy
    Configuration=          Default-main-mode
    Authentication=         my_shared_secret

    [VPN-home-240]
    Phase=                  2
    ISAKMP-peer=            concentrator
    Configuration=          Default-quick-mode
    Local-ID=               home-net
    Remote-ID=              work_240

    [VPN-home-10_0]
    Phase=                  2
    ISAKMP-peer=            concentrator
    Configuration=          Default-quick-mode
    Local-ID=               home-net
    Remote-ID=              work-10_0

    [VPN-home-172]
    Phase=                  2
    ISAKMP-peer=            concentrator
    Configuration=          Default-quick-mode
    Local-ID=               home-net
    Remote-ID=              work-172

    [VPN-home-10_10]
    Phase=                  2
    ISAKMP-peer=            concentrator
    Configuration=          Default-quick-mode
    Local-ID=               home-net
    Remote-ID=              work-10_10

    [VPN-home-10_20]
    Phase=                  2
    ISAKMP-peer=            concentrator
    Configuration=          Default-quick-mode
    Local-ID=               home-net
    Remote-ID=              work-10_20

    # Network Defs ##

    [home-net]
    ID-type=                IPV4_ADDR_SUBNET
    Network=                192.168.0.0
    Netmask=                0.0.255.255

    [work_240]
    ID-type=                IPV4_ADDR_SUBNET
    Network=                192.168.240.0
    Netmask=                0.0.15.255

    [work-10_0]
    ID-type=                IPV4_ADDR_SUBNET
    Network=                10.0.0.0
    Netmask=                0.0.0.255

    [work-172]
    ID-type=                IPV4_ADDR_SUBNET
    Network=                172.22.0.0
    Netmask=                0.0.0.255

    [work-10_10]
    ID-type=                IPV4_ADDR_SUBNET
    Network=                10.10.0.0
    Netmask=                0.0.255.255

    [work-10_20]
    ID-type=                IPV4_ADDR_SUBNET
    Network=                10.20.0.0
    Netmask=                0.0.255.255

    # Mode Defs #

    [Default-main-mode]
    DOI=                    IPSEC
    EXCHANGE_TYPE=          ID_PROT
    Transforms=             3DES-MD5

    [Default-quick-mode]
    DOI=                    IPSEC
    EXCHANGE_TYPE=          QUICK_MODE
    Suites=                 QM-ESP-3DES-SHA-SUITE

where the x's represent my IP address and the y's represent the concentrator.
Here is my isakmpd.policy file:

    Keynote-version: 2
    Authorizer: "POLICY"
    Conditions: app_domain == "IPsec policy" &&
                esp_present == "yes" &&
                esp_enc_alg != "null" -> "true";

and the output of isakmpd -d:

    bash-3.00# isakmpd -d
    191943.477359 Default ipsec_validate_id_information: dubious ID information accepted
    191951.404865 Default ipsec_validate_id_information: dubious ID information accepted
    192010.536856 Default transport_send_messages: giving up on message 0x3c069780, exchange VPN-home-240
    192010.537309 Default transport_send_messages: giving up on message 0x3c069900, exchange VPN-home-10_0
    192010.537697 Default transport_send_messages: giving up on message 0x3c069a80, exchange VPN-home-172
    192010.538067 Default transport_send_messages: giving up on message 0x3c069c00, exchange VPN-home-10_10
    192010.538467 Default transport_send_messages: giving up on message 0x3c069d80, exchange VPN-home-10_20

Relevant sections of my pf.conf file:

    pass in proto esp from any to any
    pass out proto esp from any to any keep state
    pass in on enc0 from any to any
    pass out on enc0 from any to any
    pass in on $ext_if proto udp from any to any port 500
    pass out on $ext_if proto udp from ($ext_if) to any port 500

which I know is way too relaxed, but I just want to rule out any pf-related issues. Ultimately I'm trying to reach 192.168.250.111, which is a VoIP server. I don't get any replies when I try to ping it, nor do I see anything on the enc0 interface. Let me know if you have any thoughts or if you need more information. I've really been banging my head against the wall trying to figure this one out.
Re: ath0 troubles
On 9/13/05, Jonathan Gray [EMAIL PROTECTED] wrote:
> On Tue, Sep 13, 2005 at 07:54:52PM -0500, Matt Brenneke wrote:
> > I just bought an Atheros based Netgear 311T to replace my ailing wi0[1] card. I put it in, updated my pf and bridge config files to point to ath0 instead of wi0, and I can't connect. KisMAC doesn't see it from my laptop either. Instead, I get "ath0: device timeout" repeating over and over in my dmesg and /var/log/messages. The man page simply says this should not happen. This is in the same machine that wouldn't support a ralink based card because it isn't PCI 2.2, only a late PCI 2.1 revision. Can anyone help me debug/fix this problem? I'm currently running a snapshot from Aug. 8, and plan on upgrading to a current CVS version tonight to see if that helps.
>
> Single chip AR5212 devices like the 311T are not supported yet.

Thanks for the quick answer. Can anyone recommend an Atheros card that IS currently supported and is still being produced?

-Matt
Re: [OT]: Vulnerability Scanning Frustrations (Or: if you run nessus, how do you make it run faster?)
On Tue, 2005-09-13 at 17:09:19 -0700, Karsten McMinn proclaimed...
> tweaking the syntax to this, using nmap 3.50 on 3.6, completed in 343 seconds:
> nmap -P0 -T Insane -v -sT -p 1-65535 x.x.x.x (as root)
> It was definitely slower using the same syntax on 3.7 though, I didn't have time to see how long it was going to take.

Here's what I've been seeing for a looong time...

    $ nmap -sS -p 1-65535 172.81.141.197
    Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-13 22:20 CDT
    sendto in send_ip_packet: sendto(3, packet, 40, 0, 172.81.141.197, 16) => No route to host

That host is on the same subnet as the scanning machine.
Re: isakmpd: openbsd - cisco = problems
--- Quoting Mattias R. Lindgren on 2005/09/13 at 19:31 -0600:
> bash-3.00# isakmpd -d
> 191943.477359 Default ipsec_validate_id_information: dubious ID information accepted
> 191951.404865 Default ipsec_validate_id_information: dubious ID information accepted
> 192010.536856 Default transport_send_messages: giving up on message 0x3c069780, exchange VPN-home-240
> 192010.537309 Default transport_send_messages: giving up on message 0x3c069900, exchange VPN-home-10_0
> 192010.537697 Default transport_send_messages: giving up on message 0x3c069a80, exchange VPN-home-172
> 192010.538067 Default transport_send_messages: giving up on message 0x3c069c00, exchange VPN-home-10_10
> 192010.538467 Default transport_send_messages: giving up on message 0x3c069d80, exchange VPN-home-10_20

Crank up the debugging info by using the -D switch to isakmpd and see what you see then.

.joel
Re: isakmpd: openbsd - cisco = problems
On Tuesday, September 13, 2005, 21:31:51, Mattias R. Lindgren wrote:
> I'm using an OpenBSD 3.7 box to try to connect to our cisco concentrator at work. Here is what I was sent by our network admin:
> 10.0.0.0/0.0.0.255
> 192.168.240.0/0.0.15.255
> 172.22.0.0/0.0.0.255
> 10.10.0.0/0.0.255.255
> 10.20.0.0/0.0.255.255

OK, instead of netmasks it looks like he gave you Cisco wildcard patterns, where the 0's are the bits that are constant and the 1's are the bits allowed to change. For this trivial case of a sequence of zeros followed by ones, simply take the ones' complement to get the desired netmask.

> ...
> [work-10_10]
> ID-type= IPV4_ADDR_SUBNET
> Network= 10.10.0.0
> Netmask= 0.0.255.255

Use 255.255.0.0 to identify the 10.10/16 network.

--
[EMAIL PROTECTED]        The avalanche has already started, it is too
Rod Dorman               late for the pebbles to vote. -- Ambassador Kosh
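An added example, not from the thread, that applies Rod's ones' complement rule to the whole list from the admin and also catches the case his shortcut does not cover: a wildcard whose one-bits are not a single run (such as 0.255.0.255), which no netmask can express and which must not go into an IPV4_ADDR_SUBNET ID. The five entries are the ones quoted above.

```c
/*
 * wildcard2mask.c (added example): converts the "network/wildcard"
 * entries handed out by the Cisco admin into the Network=/Netmask= pair
 * isakmpd.conf expects, plus the CIDR prefix. Non-contiguous wildcards
 * such as 0.255.0.255 are rejected: no single netmask describes them.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted quad into a host-order 32-bit value; 1 on success. */
int parse_quad(const char *s, uint32_t *out)
{
	unsigned a, b, c, d;
	char tail;

	if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4 ||
	    a > 255 || b > 255 || c > 255 || d > 255)
		return 0;
	*out = (a << 24) | (b << 16) | (c << 8) | d;
	return 1;
}

void format_quad(uint32_t v, char *buf, size_t len)
{
	snprintf(buf, len, "%u.%u.%u.%u", (v >> 24) & 0xff,
	    (v >> 16) & 0xff, (v >> 8) & 0xff, v & 0xff);
}

/*
 * Netmask = ones' complement of the wildcard. Returns the prefix length
 * (0..32), or -1 if the wildcard's one-bits are not one run at the low
 * end, in which case the complement is not a valid netmask.
 */
int wildcard_to_prefix(uint32_t wildcard, uint32_t *netmask)
{
	int prefix = 32;
	uint32_t w;

	if ((wildcard & (wildcard + 1)) != 0)   /* e.g. 0.255.0.255 */
		return -1;
	if (netmask != NULL)
		*netmask = ~wildcard;
	for (w = wildcard; w != 0; w >>= 1)     /* one free bit per one */
		prefix--;
	return prefix;
}

/*
 * Convert "addr/wildcard" into Network and Netmask strings (either may
 * be NULL). Returns the prefix, or -1 for a malformed entry, a
 * non-contiguous wildcard, or an address with host bits set.
 */
int convert_entry(const char *entry, char *network, char *netmask, size_t len)
{
	char addr_s[32], wc_s[32];
	const char *slash = strchr(entry, '/');
	uint32_t addr, wildcard, mask;
	int prefix = -1;

	if (slash == NULL || (size_t)(slash - entry) >= sizeof(addr_s) ||
	    strlen(slash + 1) >= sizeof(wc_s))
		return -1;
	memcpy(addr_s, entry, slash - entry);
	addr_s[slash - entry] = '\0';
	strcpy(wc_s, slash + 1);
	if (!parse_quad(addr_s, &addr) || !parse_quad(wc_s, &wildcard) ||
	    (prefix = wildcard_to_prefix(wildcard, &mask)) < 0 ||
	    (addr & wildcard) != 0)             /* host bits set: not a network */
		return -1;
	if (network != NULL)
		format_quad(addr, network, len);
	if (netmask != NULL)
		format_quad(mask, netmask, len);
	return prefix;
}

/* 1 if entry converts exactly to the given Network/Netmask strings. */
int converts_to(const char *entry, const char *network, const char *netmask)
{
	char n[16], m[16];
	return convert_entry(entry, n, m, sizeof(n)) >= 0 &&
	    strcmp(n, network) == 0 && strcmp(m, netmask) == 0;
}

int main(void)
{
	const char *entries[] = {     /* the five entries from the thread */
		"10.0.0.0/0.0.0.255", "192.168.240.0/0.0.15.255",
		"172.22.0.0/0.0.0.255", "10.10.0.0/0.0.255.255",
		"10.20.0.0/0.0.255.255" };
	char network[16], netmask[16];
	size_t i;

	for (i = 0; i < sizeof(entries) / sizeof(entries[0]); i++) {
		int prefix = convert_entry(entries[i], network, netmask, sizeof(network));
		if (prefix < 0)
			printf("%-26s rejected\n", entries[i]);
		else
			printf("%-26s Network= %-14s Netmask= %-15s /%d\n",
			    entries[i], network, netmask, prefix);
	}
	return 0;
}
```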
Re: executable /bsd
no.

On Tue, 13 Sep 2005, -f wrote:
> hi there, is there a reason /bsd must be executable? is there a reason /bsd must not be executable? "config -e -o" writes an executable one. so is that the way it should be? -f

--
And that's why it's important to floss.
Re: system/4506
You DON'T write a bug report before you are sure that it is a bug! You CAN always ask people on [EMAIL PROTECTED]. You ASK and TEST first, then WRITE.

On Wednesday 14 September 2005 02:41, you wrote:
> I'd just like to say, in case (miraculously) people on the OpenBSD team don't already know this, this guy Theo is completely rude, self-righteous and arrogant beyond tolerability. He uses profanity when uncalled for, when I'm a simple user asking for help. Apparently Theo believes OpenBSD is for elitist snobs who care not for helping those who'd like to better the OS. A real shame. Sorry to have wasted anyone's time on this. I deal with enough arrogant developers in my life and don't wish to know another for one more second.
>
> Theo de Raadt wrote:
> > Synopsis: ypbind fails to authenticate over time
> >
> > State-Changed-From-To: open->closed
> > State-Changed-By: deraadt
> > State-Changed-When: Tue Sep 13 18:34:20 MDT 2005
> > State-Changed-Why:
> > submitter is unable to provide test results as asked
> > does not understand how YP works
> > attempts to preach to me about how it works
> > what he is describing as broken must be a local configuration issue.
> > since he totally does not understand the code, does not want to give me test results, does not trust the guy who WROTE THE CODE, screw him.
> > this PR gets closed because it does not describe a real bug.