certification of firewall product / mess in my head

2005-09-13 Thread qstreb

I want to apologise if this is a bit off topic,
but as it is about replacing nicely configured OpenBSD firewalls (5 pieces)
I am asking here
(it really hurts, as I put a lot of effort into having something stable,
simple, secure and ... )


Yesterday I got surprised: it looks like in Germany (and some other
countries)
there are some laws/requirements/obligations that in case a firewall
(appliance) is owned
by third parties and they produce any damages to others,
even the chiefs are responsible for the damage,
but if this appliance is certified these people don't have such trouble.

Sounds funny, as we all know that certification and security don't
always walk together, but ...


My chief got a bit stressed, and the plus that he will finally have web
configuration and such extras :(( made it real:
we are giving up the best solution.

Does anybody know something about this topic in Germany (EU)?
Are there any OpenBSD based firewalls around with such a certification
http://www.bsi.de/zertifiz/index.htm ?

Or is OpenBSD certified?



Re: certification of firewall product / mess in my head

2005-09-13 Thread Andre Naehring
Hello there.

qstreb schrieb:
 I want to apologise if this is a bit off topic,
 but as it is about replacing nicely configured OpenBSD firewalls (5 pieces)
 I am asking here
 (it really hurts, as I put a lot of effort into having something stable,
 simple, secure and ... )
 
 Yesterday I got surprised: it looks like in Germany (and some other
 countries)
 there are some laws/requirements/obligations that in case a firewall
 (appliance) is owned
 by third parties and they produce any damages to others,
 even the chiefs are responsible for the damage,
 but if this appliance is certified these people don't have such trouble.
 
 Sounds funny, as we all know that certification and security don't walk

 Does anybody know something about this topic in Germany (EU)?
 Are there any OpenBSD based firewalls around with such a certification
 http://www.bsi.de/zertifiz/index.htm ?

I think OpenBSD itself is not certified, but if you have a closer look at
.genua.de the products there seem to be BSI certified. I don't know
which OpenBSD version they use, but it may be a good starting point for
you. I remember there was a small article in one of the last
iX magazines, but I didn't keep them because I moved house.

Hope this is a hint for you.

-- 

Andre Naehring



Re: A question about examining pf loging data

2005-09-13 Thread Huzeyfe Onal
Try tcpdump arp to see only ARP packets.
Want to get the link-level header? Add the -e option.


2005/9/12, ed [EMAIL PROTECTED]:
 On Mon, 12 Sep 2005 13:26:19 -0400
 Will H. Backman [EMAIL PROTECTED] wrote:
 
  
   This has most of the data that I need, but it seems to be missing
   one thing
   that I think is important. How can I determine if the traffic is
   TCP/UDP/ICMP etc?
  
  If you have ack and window flags, then it is TCP, not UDP.
 
 What should I use to see packets at the ethernet level, such as ARP?
 
 --
 http://edd.link9.net - http://irc.is-cool.net
 
 


-- 
Huzeyfe VNAL  
---
First Turkish Qmail book is out! Go check it.
Have you heard! Turkey's first Qmail book is out.
http://www.acikakademi.com/catalog/qmail/



Running OpenBSD from firewall, servers, laptops and desktops

2005-09-13 Thread mrservices
Hello List, Just wanted to say thanks to the List for your help and to 
OpenBSD devs for the awesome operating system.


So far the alpha firewall is a lot faster serving up the web than my 
Linksys router did.  : )


Went from Windows to OpenBSD in about three months of learning and still 
learning.


Alpha firewall using ppp.conf, hosts and arp -a helped with a Realtek 
network card in my desktop.


Realtek would not communicate to the firewall no matter what I tried. 
Ended up putting a Linksys nic in there and solved the problem.


Now to build a sun web server and i386 mail server with maildroid.

Best regards,

rogern

John 3:16



KDM in OpenBSD

2005-09-13 Thread Diego Fernando Nieto Moreno
Hi,

Greetings from Colombia

I'm using OpenBSD 3.7 and I configured KDM.

When I start KDM from a root console

 login: root
 Password:
 Terminal type? [vt220]
 [EMAIL PROTECTED]:~ # kdm

It works fine :-)

But I added an entry in /etc/rc.conf and /etc/rc so that KDM starts when I power on
the machine

In /etc/rc.conf
 kdm_flags=YES

In the end of /etc/rc
 if [ X${kdm_flags} != XNO ]; then
 echo 'starting KDM...'; /usr/local/bin/kdm 
 fi

exit 0

But when I power on my PC and KDM starts I can't use the keyboard :'( In
Xorg.log the following entry appears only when KDM starts from /etc/rc:
 (EE) KbdOn: tcsetattr: Inappropriate ioctl for device

Can someone explain this error to me... and tell me how to solve it?


Sincerely

Diego Fernando Nieto Moreno
---
IEEE Student Membership Number 41618544
http://www.compumundohypermegared.org

They called BSD!
And Open because it's always free



Re: certification of firewall product / mess in my head

2005-09-13 Thread Alexander Bochmann
Hi,

...on Tue, Sep 13, 2005 at 10:12:11AM +0200, qstreb wrote:

  Yesterday I got surprised: it looks like in Germany (and some other
  countries)
  there are some laws/requirements/obligations that in case a firewall
  (appliance) is owned
  by third parties and they produce any damages to others,
  even the chiefs are responsible for the damage,
  but if this appliance is certified these people don't have such trouble.

That sounds a bit like fallout from the 
Sarbanes-Oxley Act (for a short summary, see 
http://en.wikipedia.org/wiki/Sarbanes-oxley), 
and last time I looked, Germany was not a part 
of the USA. On the other hand, I haven't 
followed our legislation in that sector recently, 
and if your company is incorporated in the 
US or does business with US-based companies, 
you will be affected either way.

I assume that certification in that context 
is supposed to prove a kind of due diligence 
in your itsec efforts.

Proper documentation of your firewall setup 
should do the same, but in the end it's 
probably better to talk to a lawyer than 
to system administrators :)

Alex.



Re: KDM in OpenBSD

2005-09-13 Thread Antoine Jacoutot

Diego Fernando Nieto Moreno wrote:

But when I power on my PC and KDM starts I can't use the keyboard :'( In
Xorg.log the following entry appears only when KDM starts from /etc/rc:


(EE) KbdOn: tcsetattr: Inappropriate ioctl for device


Yes, I don't use KDM so I can't really give you the answer, but what I 
know is that you should start KDM from /etc/ttys using a line like 
(can't give you the exact line) :


ttyXX /usr/local/bin/kdm -nodaemon ...

Search on google and in the archives, I've seen this question a few 
times already.


Antoine



Re: KDM in OpenBSD

2005-09-13 Thread Edd Barrett
On 13/09/05, Antoine Jacoutot [EMAIL PROTECTED] wrote:
 Diego Fernando Nieto Moreno wrote:
  But when I power on my PC and KDM starts I can't use the keyboard :'( In
  Xorg.log the following entry appears only when KDM starts from /etc/rc:
 
 (EE) KbdOn: tcsetattr: Inappropriate ioctl for device
 
 Yes, I don't use KDM so I can't really give you the answer, but what I
 know is that you should start KDM from /etc/ttys using a line like
 (can't give you the exact line) :
 
 ttyXX /usr/local/bin/kdm -nodaemon ...
 
 Search on google and in the archives, I've seen this question a few
 times already.
 
 Antoine
 
 

Hello,

This has been discussed many times before. Please check the archives:

http://marc.theaimsgroup.com/?l=openbsd-misc&w=2&r=1&s=kdm&q=b

Best Regards

Edd



Re: KDM in OpenBSD

2005-09-13 Thread Josh Grosse
On Tue, Sep 13, 2005 at 06:20:29AM -0700, Diego Fernando Nieto Moreno wrote:

 ...But when I power on my PC and KDM start I can't use the Keyboard...

Try running /usr/local/bin/genkdmconf to configure KDM.



Re:

2005-09-13 Thread Edd Barrett
On 13/09/05, Diego Fernando Nieto Moreno [EMAIL PROTECTED] wrote:
 Hi,
 
 Greetings from Colombia,
 
 I have a C-MEDIA sound card; since OpenBSD 3.5 this device uses the ac97(4)
 driver, but OpenBSD plays some sound formats too fast.
 
 I think that it is an OpenBSD bug, because no media player (mplayer, mpg123,
 xmms, noatun) solves this problem.
 
 I saw Enlace ask the same question, but he didn't get a good answer.
 
 My dmesg is:
 
 
 Actually I'm using OpenBSD 3.7 and I receive the following message when I play,
 for example, an MP3 file:
  auich0: measured ac97 link rate at 48012 Hz, will use 48000 Hz
 
 The audioctl(1) command shows the following error when I change some parameter:
  # audioctl play.rate=44100
  audioctl: set failed: Invalid argument
 
  # audioctl -a
  name=SiS7012 AC97
  version=0xa0
  config=auich0
  

How to lock a user in his home.

2005-09-13 Thread Leonardo Marques
Hello people,

I want to know how to lock a user in his home, so he cannot see any other
directory, just his home. Does someone know how I can do this?

Thanks for attention,
[]s

--
--
Leonardo Marques
http://www.analyx.org
--



Re: How to lock a user in his home.

2005-09-13 Thread Gleydson Soares
On Tue, Sep 13, 2005 at 11:05:20AM -0300, Leonardo Marques wrote:
 Hello people,
 
 I want to know how to lock a user in his home, so he cannot see any other
 directory, just his home. Does someone know how I can do this?
 

FTP? SSH? Local access? What type of access?



Re: How to lock a user in his home.

2005-09-13 Thread Stuart Henderson

--On 13 September 2005 11:05 -0300, Leonardo Marques wrote:


I want to know how to lock a user in his home, so he cannot see any other
directory, just his home. Does someone know how I can do this?


stsh?



Re: How to lock a user in his home.

2005-09-13 Thread Guido Tschakert

Leonardo Marques wrote:

Hello people,

I want to know how to lock a user in his home, so he cannot see any other
directory, just his home. Does someone know how I can do this?

Thanks for attention,
[]s

--
--
Leonardo Marques
http://www.analyx.org
--



Hmm,

if you lock your user in his home, he cannot access directories and 
files like /bin /usr/bin /dev/null and many others. This will prevent 
him from doing almost anything (like ls, vi ...)


If you want your user not to access directories of other users, have a 
look at chmod, chown, chgrp.



guido



executable /bsd

2005-09-13 Thread -f
hi there,

is there a reason /bsd must be executable?
is there a reason /bsd must be not executable?

config -e -o  writes an executable one.
so is that the way it should be?

-f
-- 
it's my idea 'cause i stole it first!



Re: How to lock a user in his home.

2005-09-13 Thread Maxim Bourmistrov
You can always chroot them into their homedir.
Rewrite stsh to make a chroot call via sudo.
Add access to chroot via sudo for everyone.
Add the user with /bin/chrootsh as their shell.
Create a chroot env for the user in their homedir.
cp your favourite shell into the chroot env and symlink it to chrootsh:
cd /home/user; cd bin/; ln -s ksh chrootsh. 
Do some tests.
Done.

On Tuesday 13 September 2005 16:05, Leonardo Marques wrote:
 Hello people,
 
 I want to know how to lock a user in his home, so he cannot see any other
 directory, just his home. Does someone know how I can do this?
 
 Thanks for attention,
 []s
 
 --
 --
 Leonardo Marques
 http://www.analyx.org
 --



Re: how to diagnose IErr's

2005-09-13 Thread Stuart Henderson

--On 13 September 2005 17:39 +0200, -f wrote:


if it causes Col's on half duplex, and then causes Ierr's on full
duplex, then what is the problem?  the modem or openbsd?


there isn't a problem with collisions, they are correct and expected 
behaviour with half-duplex ethernet. the devices know how to detect 
collisions (the 'CD' part of CSMA-CD) (unless the segment is physically 
longer than permitted by specs) and back-off themselves...


by forcing full-duplex, you turn off the collision detection, which 
causes loss in both directions, and extra delays in the half-full 
duplex direction (modem-PC, in your case).


web100 NDT (google) should be able to detect duplex mismatch.

(cc'd back to misc@ for the archives, hope you don't mind).



Re: A question about examining pf loging data

2005-09-13 Thread ed
That's good, thanks. I thought tcpdump was IP layer only, because of
the name.


On Tue, 13 Sep 2005 14:38:09 +0300
Huzeyfe Onal [EMAIL PROTECTED] wrote:

 try  #tcpdump arp to see only arp packages.
  wants  to get link-level header? Add -e option..
 
 
 2005/9/12, ed [EMAIL PROTECTED]:
  On Mon, 12 Sep 2005 13:26:19 -0400
  Will H. Backman [EMAIL PROTECTED] wrote:
  
   
This has most of the data that I need, but it seems to be
missing one thing
that I think is important. How can I determine if the traffic is
TCP/UDP/ICMP etc?
   
   If you have ack and window flags, then it is TCP, not UDP.
  
  What should I use to see packets at the ethernet level, such as ARP?

-- 
http://edd.link9.net - http://irc.is-cool.net



Re: How to lock a user in his home.

2005-09-13 Thread Matthias Kilian
On Tue, Sep 13, 2005 at 11:05:20AM -0300, Leonardo Marques wrote:
 I want to know how to lock a user in his home, so he cannot see any other
 directory, just his home. Does someone know how I can do this?

rksh may be appropriate, but this is only for *very* simple setups
(no other shell in the user's PATH, and no programs that can change
to, read from or write to arbitrary directories, i.e. not even an
ed(1)).

If the user should actually do more than just poke around in his
HOME, a chroot environment is probably the better choice.

Ciao,
Kili



Re: How to lock a user in his home.

2005-09-13 Thread Leonardo Marques
How can I create a chrooted environment?

On 9/13/05, Matthias Kilian [EMAIL PROTECTED] wrote:
 On Tue, Sep 13, 2005 at 11:05:20AM -0300, Leonardo Marques wrote:
  I want to know how to lock a user in his home, so he cannot see any other
  directory, just his home. Does someone know how I can do this?
 
 rksh may be appropriate, but this is only for *very* simple setups
 (no other shell in the user's PATH, and no programs that can change
 to, read from or write to arbitrary directories, i.e. not even an
 ed(1)).
 
 If the user should actually do more than just poke around in his
 HOME, a chroot environment is probably the better choice.
 
 Ciao,
 Kili
 
 


-- 
--
Leonardo Marques
http://www.analyx.org
--





[OT]: Vulnerability Scanning Frustrations (Or: if you run nessus, how do you make it run faster?)

2005-09-13 Thread eric
I'm running 3.7-RELEASE with all patches on x86 hardware. I've tested
the bandwidth on the machine, and it can easily handle 200-300Mbps. I/O is
decent too (this is an IBM x335 [dmesg below]). What *really* is nearly
impossible is running nessus and nmap on this host. Even using the ports, a
single nmap scan will take more than 4 hours. The network is 100
full-duplex, and I've even tried setting the bge(4) cards to half-duplex
at 100Mbps. Any machine I've ever run nessus/nmap on with OpenBSD as the
underlying operating platform has had this problem.

For those of us running your vulnerability scanners on OpenBSD, do you have
any tricks to fix these issues? I know they're not the best-coded
applications, but I'm stuck running them.

Any thoughts are appreciated. I've tried with pf enabled and disabled, no
major difference in speed. I have a GENERIC.MP kernel with all the current
patches applied.

Thanks.

- Eric


Re: [OT]: Vulnerability Scanning Frustrations (Or: if you run nessus, how do you make it run faster?)

2005-09-13 Thread Okan Demirmen
On Tue 2005.09.13 at 15:40 -0500, eric wrote:
 I'm running 3.7-RELEASE with all patches on x86 hardware. I've tested
 the bandwidth on the machine, and it can easily handle 200-300Mbps. I/O is
 decent too (this is an IBM x335 [dmesg below]). What *really* is nearly
 impossible is running nessus and nmap on this host. Even using the ports, a
 single nmap scan will take more than 4 hours. The network is 100
 full-duplex, and I've even tried setting the bge(4) cards to half-duplex
 at 100Mbps. Any machine I've ever run nessus/nmap on with OpenBSD as the
 underlying operating platform has had this problem.
 
 For those of us running your vulnerability scanners on OpenBSD, do you have
 any tricks to fix these issues? I know they're not the best-coded
 applications, but I'm stuck running them.
 
 Any thoughts are appreciated. I've tried with pf enabled and disabled, no
 major difference in speed. I have a GENERIC.MP kernel with all the current
 patches applied.

you fail to mention details of such issues...what are they?



Re: BGP peering, 2 peers, hardware requirements questions

2005-09-13 Thread Darrin Chandler
You might also want to read 
http://www.inetdaemon.com/columns/ask/internet-load-balancing.shtml, 
which will try to talk you out of using BGP for load balancing and 
present a simpler alternative.

j knight wrote:

--- Quoting Karl O. Pinc on 2005/09/13 at 01:05 +:

Finally, not knowing much about bgp, I've a question
about load balancing over the two WAN links.  Does
bgp/OpenBGP have any provisions for load balancing, say
based on WAN link latency?  (Seems like this _could_
be a bgp policy at the local level, but nothing
leaps out at me from bgpd.conf(5).)

Highly recommend this book: http://www.oreilly.com/catalog/bgp/

.joel



Re: How to lock a user in his home.

2005-09-13 Thread Matthias Kilian
On Tue, Sep 13, 2005 at 03:31:34PM -0300, Leonardo Marques wrote:
 How can I create a chrooted environment?

QUICK HACK ALERT (untested, undocumented, tty stuff ignored, ugly
ugly ugly, most probably insecure):

#include <err.h>
#include <sys/types.h>
#include <unistd.h>
#include <pwd.h>

int main(void) {
    struct passwd *pwent;
    /* look up the calling user's passwd entry; its home becomes the jail */
    if (!(pwent = getpwuid(getuid())))
        err(1, NULL);
    /* change the root directory to the home and move into the new root */
    if (chroot(pwent->pw_dir) != 0 || chdir("/") != 0)
        err(1, NULL);
    /* hand over to login(1) inside the jail; -f skips the password prompt */
    execl("/usr/bin/login", "login", "-f", pwent->pw_name, (char*)NULL);
    err(1, NULL);
}


Don't use this as is. The idea is to write a simple chroot-wrapper
like this, install setuid-root, use it as login-shell for $USER,
and set $USER's home to something like /var/jail.

/var/jail then should be a self-contained, trimmed-down filesystem
hierarchy.

Again: this is just an ugly (and probably completely retarded) quick
hack.

Ciao,
Kili
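A hardened variant of the setuid-root chroot login wrapper, written as an added example for this thread (it is neither Kili's hack nor Maxim's sudo/chrootsh recipe above): it refuses to chroot into a jail directory the user can write to, and gives up root before running anything under the user's control. The shell path /bin/ksh inside the jail is an assumption, and the program only does its job when installed setuid root, as the thread describes.

```c
/* Added example: hardened chroot login wrapper (not code from the thread).
 * Assumes the jail is the user's pw_dir and that a shell has been copied to
 * /bin/ksh inside it (hypothetical path). Must be installed setuid root. */
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <err.h>
#include <grp.h>
#include <pwd.h>
#include <string.h>
#include <unistd.h>

/* A jail the user can write to is not a jail: while root is still in effect
 * inside it, the user decides what the programs and libraries found under
 * the new root really are. Require an absolute path other than "/", a real
 * directory owned by root, and no group/other write permission.
 * Returns 0 when the directory is acceptable, -1 otherwise. */
int check_jail_dir(const char *dir)
{
    struct stat st;

    if (dir == NULL || dir[0] != '/' || strcmp(dir, "/") == 0)
        return -1;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (st.st_uid != 0)
        return -1;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return -1;
    return 0;
}

/* Give up root permanently: supplementary groups first, then gid, then uid,
 * and verify that the drop cannot be undone. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* If root can still be regained, refuse to go on. */
    if (uid != 0 && (setuid(0) == 0 || getuid() != uid || geteuid() != uid))
        return -1;
    return 0;
}

int main(void)
{
    struct passwd *pw;

    /* The real uid identifies the caller; the effective uid is root. */
    if ((pw = getpwuid(getuid())) == NULL)
        err(1, "getpwuid");
    if (check_jail_dir(pw->pw_dir) != 0)
        errx(1, "refusing to chroot into %s", pw->pw_dir);
    if (chroot(pw->pw_dir) != 0 || chdir("/") != 0)
        err(1, "chroot %s", pw->pw_dir);
    /* Root is not needed once the root directory has been changed. */
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0)
        err(1, "cannot drop privileges");
    /* Hypothetical shell path inside the jail (copied there, as the
     * thread suggests, together with the /dev, /etc and libraries it needs). */
    execl("/bin/ksh", "-ksh", (char *)NULL);
    err(1, "execl /bin/ksh");
}
```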



Re: BGP peering, 2 peers, hardware requirements questions

2005-09-13 Thread j knight
--- Quoting Darrin Chandler on 2005/09/13 at 13:56 -0700:

 You might also want to read 
 http://www.inetdaemon.com/columns/ask/internet-load-balancing.shtml, 
 which will try to talk you out of using BGP for load balancing and 
 present a simpler alternative.


This solution talks about using dual static routes. This doesn't (yet)
work on OpenBSD as the support isn't there. Best bet if this track is
taken is to involve pf's load balancing features
(http://www.openbsd.org/faq/pf/pools.html and pf.conf(5)).




.joel



Re: [OT]: Vulnerability Scanning Frustrations (Or: if you run nessus, how do you make it run faster?)

2005-09-13 Thread Aaron Glenn
On 9/13/05, eric [EMAIL PROTECTED] wrote:
 
 Scans on a local subnet (nmap -sT -p 1-65535) taking 7 hours or more.
 
 The built-in nessus port scanner does the same.
 

have you tried running tcpdump on the interface and seeing what's
getting sent over the wire, and how often?



Re: [OT]: Vulnerability Scanning Frustrations (Or: if you run nessus, how do you make it run faster?)

2005-09-13 Thread Karsten McMinn
On 9/13/05, C. Bensend [EMAIL PROTECTED] wrote:

  Scans on a local subnet (nmap -sT -p 1-65535) taking 7 hours or more.
 
  The built-in nessus port scanner does the same.

 Hmm, something _definitely_ wrong there. On my LAN, using your
 command line above (from a 3.7-STABLE host to a 3.6-STABLE host):

 Nmap finished: 1 IP address (1 host up) scanned in 1309.464 seconds


Tweaking the syntax to this, using nmap 3.50 on 3.6, completed in 343 seconds:
nmap -P0 -T Insane -v -sT -p 1-65535 x.x.x.x (as root)

It was definitely slower using the same syntax on 3.7 though; I
didn't have time to see how long it was going to take.



isakmpd: openbsd - cisco = problems

2005-09-13 Thread Mattias R. Lindgren
 I'm using an OpenBSD 3.7 box to try to connect to our cisco concentrator at
work. Here is what I was sent by our network admin:

10.0.0.0/0.0.0.255
192.168.240.0/0.0.15.255
172.22.0.0/0.0.0.255
10.10.0.0/0.0.255.255
10.20.0.0/0.0.255.255

as networks I would need to tunnel to. Here is my isakmpd.conf file with the
proper edits:

[General]
Listen-On= xx.xxx.xxx.xx

[Phase 1]
yy.yyy.yyy.yy= concentrator

[Phase 2]
Connections= VPN-home-240, VPN-home-10_0, VPN-home-172, VPN-home-10_10,
VPN-home-10_20

[concentrator]
Phase= 1
Transport= udp
Address= yy.yyy.yyy.yy
Configuration= Default-main-mode
Authentication= my_shared_secret

[VPN-home-240]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work_240

[VPN-home-10_0]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work-10_0

[VPN-home-172]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work-172

[VPN-home-10_10]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work-10_10

[VPN-home-10_20]
Phase= 2
ISAKMP-peer= concentrator
Configuration= Default-quick-mode
Local-ID= home-net
Remote-ID= work-10_20



 Network Defs ##


[home-net]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 0.0.255.255

[work_240]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.240.0
Netmask= 0.0.15.255

[work-10_0]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.0.0
Netmask= 0.0.0.255

[work-172]
ID-type= IPV4_ADDR_SUBNET
Network= 172.22.0.0
Netmask= 0.0.0.255

[work-10_10]
ID-type= IPV4_ADDR_SUBNET
Network= 10.10.0.0
Netmask= 0.0.255.255

[work-10_20]
ID-type= IPV4_ADDR_SUBNET
Network= 10.20.0.0
Netmask= 0.0.255.255


#Mode Defs #


[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

where x's represent my ip address and y's represent the concentrator. Here is
my isakmpd.policy file:

Keynote-version: 2
Authorizer: POLICY
Conditions: app_domain == "IPsec policy" &&
esp_present == "yes" &&
esp_enc_alg != "null" -> "true";

and the output of isakmpd -d

bash-3.00# isakmpd -d
191943.477359 Default ipsec_validate_id_information: dubious ID information
accepted
191951.404865 Default ipsec_validate_id_information: dubious ID information
accepted
192010.536856 Default transport_send_messages: giving up on message
0x3c069780, exchange VPN-home-240
192010.537309 Default transport_send_messages: giving up on message
0x3c069900, exchange VPN-home-10_0
192010.537697 Default transport_send_messages: giving up on message
0x3c069a80, exchange VPN-home-172
192010.538067 Default transport_send_messages: giving up on message
0x3c069c00, exchange VPN-home-10_10
192010.538467 Default transport_send_messages: giving up on message
0x3c069d80, exchange VPN-home-10_20

relevant sections of my pf.conf file:

pass in proto esp from any to any
pass out proto esp from any to any keep state
pass in on enc0 from any to any
pass out on enc0 from any to any
pass in on $ext_if proto udp from any to any port 500
pass out on $ext_if proto udp from ($ext_if) to any port 500

which I know is way relaxed, but I just want to rule out any pf related
issues. Ultimately I'm trying to reach 192.168.250.111, which is a VoIP server.
I don't get any replies when I try to ping it, nor do I see anything on the
enc0 interface. Let me know if you have any thoughts or if you need more
information. I've really been banging my head against the wall trying to
figure this one out.



Re: ath0 troubles

2005-09-13 Thread Matt Brenneke
On 9/13/05, Jonathan Gray [EMAIL PROTECTED] wrote:
 On Tue, Sep 13, 2005 at 07:54:52PM -0500, Matt Brenneke wrote:
  I just bought an Atheros based Netgear 311T to replace my ailing
  wi0[1] card.  I put it in, updated my pf and bridge config files to
  point to ath0 instead of wi0, and I can't connect.  KisMAC doesn't see
  it from my laptop either.  Instead, I get ath0: device timeout
  repeating over and over in my dmesg and /var/log/messages.  The man
  page simply says this should not happen.  This is in the same
  machine that wouldn't support a ralink based card because it isn't PCI
  2.2, only a late PCI 2.1 revision.
 
  Can anyone help me debug/fix this problem?  I'm currently running a
  snapshot from Aug. 8, and plan on upgrading to a current CVS version
  tonight to see if that helps.
 
 Single chip AR5212 devices like the 311T are not supported yet.
 

Thanks for the quick answer.  Can anyone recommend an Atheros card that
IS currently supported and is still being produced?

-Matt



Re: [OT]: Vulnerability Scanning Frustrations (Or: if you run nessus, how do you make it run faster?)

2005-09-13 Thread eric
On Tue, 2005-09-13 at 17:09:19 -0700, Karsten McMinn proclaimed...

 tweaking syntax to this using nmap 3.50 on 3.6 completed in 343 seconds:
 nmap -P0 -T Insane -v -sT -p 1-65535 x.x.x.x (as root)
 
 It was definitely slower using the same syntax on 3.7 though, I
 didn't have time to see how long it was going to take.

Here's what I've been seeing for a looong time...

$ nmap -sS -p 1-65535 172.81.141.197
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-13 22:20 CDT
sendto in send_ip_packet: sendto(3, packet, 40, 0, 172.81.141.197, 16) =
No route to host

That host is on the same subnet as the scanning machine.



Re: isakmpd: openbsd - cisco = problems

2005-09-13 Thread j knight
--- Quoting Mattias R. Lindgren on 2005/09/13 at 19:31 -0600:

 bash-3.00# isakmpd -d
 191943.477359 Default ipsec_validate_id_information: dubious ID information
 accepted
 191951.404865 Default ipsec_validate_id_information: dubious ID information
 accepted
 192010.536856 Default transport_send_messages: giving up on message
 0x3c069780, exchange VPN-home-240
 192010.537309 Default transport_send_messages: giving up on message
 0x3c069900, exchange VPN-home-10_0
 192010.537697 Default transport_send_messages: giving up on message
 0x3c069a80, exchange VPN-home-172
 192010.538067 Default transport_send_messages: giving up on message
 0x3c069c00, exchange VPN-home-10_10
 192010.538467 Default transport_send_messages: giving up on message
 0x3c069d80, exchange VPN-home-10_20

Crank up the debugging info by using the -D switch to isakmpd and see
what you see then.
 


.joel



Re: isakmpd: openbsd - cisco = problems

2005-09-13 Thread Rod Dorman
On Tuesday, September 13, 2005, 21:31:51, Mattias R. Lindgren wrote:
 I'm using an OpenBSD 3.7 box to try to connect to our cisco
 concentrator at work. Here is what I was sent by our network admin:

 10.0.0.0/0.0.0.255
 192.168.240.0/0.0.15.255
 172.22.0.0/0.0.0.255
 10.10.0.0/0.0.255.255
 10.20.0.0/0.0.255.255

OK, instead of netmasks it looks like he gave you Cisco wildcard
patterns where the 0's are the bits that are constant and the 1's are
the bits allowed to change.

For this trivial case of a sequence of zeros followed by ones simply
take the ones complement to get the desired netmask.

  ...
 [work-10_10]
 ID-type= IPV4_ADDR_SUBNET
 Network= 10.10.0.0
 Netmask= 0.0.255.255

Use 255.255.0.0 to identify the 10.10/16 network.

-- 
Rod Dorman  [EMAIL PROTECTED]
"The avalanche has already started, it is too late for the pebbles to vote." -- Ambassador Kosh
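As an added worked example (not part of the thread or of isakmpd itself), here is the ones-complement conversion Rod describes, extended to the general case: it rejects a wildcard that is not "zeros followed by ones" (a legitimate Cisco ACL pattern, but one that names no single subnet), it flags a network address with host bits set, and it renders corrected IPV4_ADDR_SUBNET sections in the isakmpd.conf(5) layout used above. The five network/wildcard pairs are the ones the admin sent in the thread; the section names and tab layout are assumptions of this example.

```python
"""Cisco wildcard mask -> netmask / CIDR, for isakmpd.conf ID sections.

Added example, not code from the thread or from isakmpd.  The
network/wildcard pairs in ADMIN_LIST are the five quoted in the
thread; section names ("work-N") and the tab layout are assumptions.
"""
import ipaddress

# Exactly what the network admin handed over (Cisco wildcard notation).
ADMIN_LIST = [
    ("10.0.0.0",      "0.0.0.255"),
    ("192.168.240.0", "0.0.15.255"),
    ("172.22.0.0",    "0.0.0.255"),
    ("10.10.0.0",     "0.0.255.255"),
    ("10.20.0.0",     "0.0.255.255"),
]

ALL_ONES = 0xFFFFFFFF


def wildcard_to_netmask(wildcard: str) -> str:
    """Ones-complement of a Cisco wildcard, e.g. 0.0.0.255 -> 255.255.255.0.

    Only a wildcard of the form "zeros followed by ones" describes one
    subnet.  Anything else (0.255.0.255, 0.0.0.254, ...) is a valid ACL
    pattern but has no Netmask= equivalent, so refuse it instead of
    emitting a mask isakmpd would reject or, worse, a different subnet
    than the peer is going to propose.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    mask = w ^ ALL_ONES
    # A contiguous netmask is 1...10...0: setting every bit below its
    # lowest 1 yields all ones only in that case.  mask == 0 (wildcard
    # 255.255.255.255, i.e. 0.0.0.0/0) is contiguous as well.
    if mask != 0 and (mask | (mask - 1)) != ALL_ONES:
        raise ValueError(f"non-contiguous wildcard {wildcard}: not a single subnet")
    return str(ipaddress.IPv4Address(mask))


def to_subnet(network: str, wildcard: str) -> ipaddress.IPv4Network:
    """Return the CIDR network.  strict=True turns a network with host
    bits set (10.0.0.5/0.0.0.255) into an error rather than a silent
    round-down; that usually means the list you were sent is wrong."""
    return ipaddress.IPv4Network(
        f"{network}/{wildcard_to_netmask(wildcard)}", strict=True)


def isakmpd_id_section(name: str, network: str, wildcard: str) -> str:
    """Render one [name] block in the isakmpd.conf(5) style of the thread.
    The section name is whatever the caller chooses (assumption)."""
    net = to_subnet(network, wildcard)
    return (
        f"[{name}]\n"
        f"ID-type=\tIPV4_ADDR_SUBNET\n"
        f"Network=\t{net.network_address}\n"
        f"Netmask=\t{net.netmask}\n"
    )


def convert_admin_list(pairs=ADMIN_LIST) -> dict:
    """{'10.0.0.0/24': '255.255.255.0', ...} for the whole list, so the
    prefixes can be eyeballed against what the concentrator side shows."""
    out = {}
    for network, wildcard in pairs:
        net = to_subnet(network, wildcard)
        out[str(net)] = str(net.netmask)
    return out


if __name__ == "__main__":
    for i, (network, wildcard) in enumerate(ADMIN_LIST):
        print(isakmpd_id_section(f"work-{i}", network, wildcard))
```

The contiguity check matters because a concentrator ACL can legitimately carry a non-contiguous wildcard; if you blindly complement it you get a Netmask= line that names a subnet the peer never agreed to, and quick mode fails with the same "giving up on message" symptom as above, only with a less obvious cause.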



Re: executable /bsd

2005-09-13 Thread Ted Unangst
no.

On Tue, 13 Sep 2005, -f wrote:

 hi there,
 
 is there a reason /bsd must be executable?
 is there a reason /bsd must be not executable?
 
 config -e -o  writes an executable one.
 so is that the way it should be?
 
 -f
 

-- 
And that's why it's important to floss.



Re: system/4506

2005-09-13 Thread Maxim Bourmistrov
You DON'T write a bugreport before you are sure about it is a bug!
You CAN always ask ppl on [EMAIL PROTECTED]

You ASK and TEST first, then WRITE.


On Wednesday 14 September 2005 02:41, you wrote:
 I'd just like to say, in case (miraculously) people on the OpenBSD team don't 
 already know this, this guy Theo is completely rude, self righteous and 
 arrogant 
 beyond tolerability. He uses profanity when uncalled for, when I'm a simple 
 user asking for help. Apparently Theo believes OpenBSD is for elitist snobs 
 who 
 care not for helping of those who'd like to better the OS. A real shame.
 
 Sorry to have wasted anyone's time on this. I deal with enough arrogant 
 developers in my life and don't wish to know another for one more second.
 
 Theo de Raadt wrote:
  Synopsis: ypbind fails to authenticate over time
  
  State-Changed-From-To: open-closed
  State-Changed-By: deraadt
  State-Changed-When: Tue Sep 13 18:34:20 MDT 2005
  State-Changed-Why: 
  submitter is unable to provide test results as asked
  does not understand how YP works
  attempts to preach to me about how it works
  what he is describing as broken must be a local configuration
  issue.
  since he totally does not understand the code, does not want to
  give me test results, does not trust the guy who WROTE THE CODE,
  screw him.  this PR gets closed because it does not describe a real
  bug.