Halifax Bank Account Information
Dear Customer, Our Technical Service department has recently updated our online banking software, and due to this upgrade we kindly ask you to follow the link given below to confirm your online account details. Failure to confirm the online banking details will suspend you from accessing your account online. https://www.halifax-online.co.uk/_mem_bin/formslogin.asp We use the latest security measures to ensure that your online banking experience is safe and secure. The administration asks you to accept our apologies for the inconvenience caused and expresses gratitude for cooperation. Regards, Halifax Online Technical Support -- Please do not reply to this email address as it is not monitored and we will be unable to respond. For assistance, log in to your Halifax Online Bank account and choose the Help link on any page. Halifax plc, Registered in England No. 2367076. Registered Office: Trinity Road, Halifax, West Yorkshire HX1 2RG. Authorised and regulated by the Financial Services Authority. Represents only the Halifax Financial Services Marketing Group for the purposes of advising on and selling life assurance
Re: Why /bin/[
Hello! On Mon, Feb 06, 2006 at 09:00:59PM -0800, [EMAIL PROTECTED] wrote: Why is there a file called [ in the /bin directory of my generic 3.8 build? 144 -r-xr-xr-x 2 root bin 72128 Sep 10 15:18 [ There's been enough explanation. Just another thing: [ (AKA test) is a shell builtin in many shells today. But there still *might* be shells around for which this isn't (yet) the case. It's probably the same rationale for there being a kill binary even though most shells implement kill as builtin today. Kind regards, Hannah.
problems with Squirrelmail IMAP connection to courier-imap
Hi! I have been searching the archives to find info on my problem, but I only seem to find a lot of using courier-imap, apache chrooted and squirrelmail, and things work perfectly-messages. I use that combination of programs, but have some problems. Setup: OBSD 3.8/i386, Apache 1.3 (chrooted), courier-imap-3.0.5p2, Squirrelmail 1.4.5 (put in the /var/www directory). I only allow port 993 SSL IMAP connections, except from 127.0.0.1 where plain 143 is allowed. Using IMAP with Outlook and Thunderbird on port 993 works just fine. My regular PHP-based web-pages work perfectly, and I also can get the Squirrelmail login screen and configtest screen. Squirrelmail is set to use port 143 on localhost. Configtest fails in IMAP connection (and so does, naturally, login). In my local network, the OBSD machine is 192.168.0.12. The computer where I run the web browser is 192.168.0.26. But checking the logs for: Feb 7 10:52:32 cub imapd-ssl: LOGIN, user=jokke, ip=[:::192.168.0.11] Obviously, a connection from 192.168.0.11 on port 143 will be rejected, since only 127.0.0.1 is allowed here, but where does it get 192.168.0.11 (which is another computer on the network, not being used by anyone right now)? Any input or light on this issue would be very appreciated! Best regards, /Joakim -- http://www.df.lth.se/~jokke/
Re: tutorial for securing wifi networks with ipsec and openbsd, somewhere?
Christian Weisgerber [EMAIL PROTECTED] wrote: Meanwhile, ipsecctl has gained support for pre-shared key authentication. So in 3.9, things are simpler still: Sounds great and thx a lot for your help :-)) For those who are interested and have wifi windows xp clients. Recently I came across a tool called smartvpn dial-up connection management from draytek. It is a freeware (ipsec) client that makes it very simple to configure ipsec on windows 2k/xp. You will not have to use mmc + ipsec policy editor or ipseccmd.exe. It is available here: http://217.160.102.141/data/RouterTools/win/SmartVPN/SMARTVPN09_05.zip This tool does the following (based on your configuration choices), it dynamically creates the policies and activates/deactivates them when you need or don't need them anymore. I don't see a reason why it shouldn't work with an openbsd ipsec gateway. Have a look at the client's ipsec tunnel mode (I think this is the one you will use) of the client. I personally did not have the opportunity to test it with openbsd (as I'm an ipsec novice) but I will make the test with openbsd current as soon as I can ... Regards Didier
Re: users filling partitions crashing system
Nick Holland wrote: I question your diagnosis. I just deliberately filled my /tmp partition. System is still running fine (which actually is a pleasant surprise, as this machine has been horribly unstable the last few days. Maybe I should have filled the /tmp partition long ago! :). If you can crash your system by filling the /tmp partition, I think that would be better described as a bug that needs fixing rather than trying to work around it. How about defining what you mean by crash, what message you are getting, etc. Thanks Nick, I agree my diagnosis is very questionable. I just tried filling /tmp and the system and it's running fine. And I've seen other partitions fill up with no problems before. I've put in place scripts to log as much info as possible and see what happens. If it hasn't recurred by tonight I'll attempt to reproduce the same conditions. Apologies, should have posted this info before. I see my session go link dead, the machine responds to pings for 30s or so but nothing else and then goes completely dead and reboots. /var/log/messages contains the following, other logs either contain the same info or nothing at all. Is there any way to direct cores to be saved somewhere else? Thanks all Feb 6 10:00:01 boxname syslogd: restart Feb 6 10:36:35 boxname syslogd: restart Feb 6 10:36:35 boxname /bsd: OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005 Feb 6 10:36:35 boxname /bsd: [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC Feb 6 10:36:35 boxname /bsd: cpu0: AMD-K6(tm) 3D processor (AuthenticAMD 586-class) 500 MHz Feb 6 10:36:35 boxname /bsd: cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX Feb 6 10:36:35 boxname /bsd: real mem = 198746112 (194088K) Feb 6 10:36:35 boxname /bsd: avail mem = 174600192 (170508K) Feb 6 10:36:35 boxname /bsd: using 2451 buffers containing 10039296 bytes (9804K) of memory Feb 6 10:36:35 boxname /bsd: mainbus0 (root) Feb 6 10:36:35 boxname /bsd: bios0 at mainbus0: AT/286+(00) BIOS, date 10/15/98, BIOS32 rev. 
0 @ 0xfdb60 Feb 6 10:36:35 boxname /bsd: apm at bios0 function 0x15 not configured Feb 6 10:36:35 boxname /bsd: pcibios0 at bios0: rev 2.1 @ 0xf/0x1 Feb 6 10:36:35 boxname /bsd: pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf71b0/112 (5 entries) Feb 6 10:36:35 boxname /bsd: pcibios0: PCI Interrupt Router at 000:01:0 (SIS 85C503 System rev 0x00) Feb 6 10:36:35 boxname /bsd: pcibios0: PCI bus #1 is the last bus Feb 6 10:36:35 boxname /bsd: bios0: ROM list: 0xc/0x8000 Feb 6 10:36:35 boxname /bsd: cpu0 at mainbus0 Feb 6 10:36:35 boxname /bsd: pci0 at mainbus0 bus 0: configuration mode 1 (no bios) Feb 6 10:36:35 boxname /bsd: pchb0 at pci0 dev 0 function 0 SIS 530 PCI rev 0x03 Feb 6 10:36:35 boxname /bsd: pciide0 at pci0 dev 0 function 1 SIS 5513 EIDE rev 0xd0: 530: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility Feb 6 10:36:36 boxname /bsd: wd0 at pciide0 channel 0 drive 0: Maxtor 6Y080L0 Feb 6 10:36:36 boxname /bsd: wd0: 16-sector PIO, LBA, 78167MB, 160086528 sectors Feb 6 10:36:36 boxname /bsd: wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 Feb 6 10:36:36 boxname /bsd: wd1 at pciide0 channel 1 drive 0: ST3120022A Feb 6 10:36:36 boxname /bsd: wd1: 16-sector PIO, LBA48, 114473MB, 234441648 sectors Feb 6 10:36:36 boxname /bsd: wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 4 Feb 6 10:36:36 boxname /bsd: pcib0 at pci0 dev 1 function 0 SIS 85C503 System rev 0xb1 Feb 6 10:36:36 boxname /bsd: SIS 5595 System rev 0x00 at pci0 dev 1 function 1 not configured Feb 6 10:36:36 boxname /bsd: ohci0 at pci0 dev 1 function 2 SIS 5597/5598 USB rev 0x11: irq 11, version 1.0, legacy support Feb 6 10:36:36 boxname /bsd: ohci0: SMM does not respond, resetting Feb 6 10:36:36 boxname /bsd: usb0 at ohci0: USB revision 1.0 Feb 6 10:36:36 boxname /bsd: uhub0 at usb0 Feb 6 10:36:36 boxname /bsd: uhub0: SIS OHCI root hub, class 9/0, rev 1.00/1.00, addr 1 Feb 6 10:36:36 boxname /bsd: uhub0: 2 ports with 2 removable, self powered Feb 6 10:36:36 boxname 
/bsd: ppb0 at pci0 dev 2 function 0 SIS 86C201 AGP rev 0x00 Feb 6 10:36:36 boxname /bsd: pci1 at ppb0 bus 1 Feb 6 10:36:36 boxname /bsd: vga1 at pci1 dev 0 function 0 SIS 530 VGA rev 0xa3: aperture at 0xef00, size 0x40 Feb 6 10:36:36 boxname /bsd: wsdisplay0 at vga1: console (80x25, vt100 emulation) Feb 6 10:36:36 boxname /bsd: wsdisplay0: screen 1-5 added (80x25, vt100 emulation) Feb 6 10:36:36 boxname /bsd: rl0 at pci0 dev 10 function 0 Realtek 8139 rev 0x10: irq 10 address 00:00:21:12:3b:72 Feb 6 10:36:36 boxname /bsd: rlphy0 at rl0 phy 0: RTL internal phy Feb 6 10:36:36 boxname /bsd: isa0 at pcib0 Feb 6 10:36:36 boxname /bsd: isadma0 at isa0 Feb 6 10:36:36 boxname /bsd: pckbc0 at isa0 port 0x60/5 Feb 6 10:36:36 boxname /bsd: pckbd0 at pckbc0 (kbd slot) Feb 6 10:36:36 boxname /bsd: pckbc0: using irq 1 for kbd slot Feb 6 10:36:36 boxname /bsd: wskbd0 at
pf.conf - question about queuing
I write this mail because I want to ask a few questions about pf and queuing. Sorry, my English grammar is bad. English is a foreign language for me, I usually speak Romanian and Hungarian.

I have a small computer network at home. This network has a gateway (OpenBSD 3.8). The scenario:

1) My gateway has two network cards (rl0 and fxp0).
   rl0 - connected to Internet (82.79.81.6)
   fxp0 - connected to Ethernet switch (192.168.10.1)
2) This gateway shares the Internet for all computers in the local network (192.168.10.0/24)
3) The maximum Internet speed is 24kb/sec. Maximum Internet speed means: the download speed in Firefox is 24kb/sec when I get a file from the Internet. I think it is not a very fast connection, but my ISP doesn't give more speed now :(
4) I have 5 users in the network. I need to apply queue rules for 3 users (bob, mike, peter)

- I want to reserve for bob and mike 8Kb/sec download bandwidth. I want to allow bob and mike to use more than 8Kb/sec when it's available.
- I want to reserve for peter 4Kb/sec download bandwidth. I want to allow peter to use more than 4Kb/sec when it's available.
- SSH and instant message traffic need to have a higher priority than regular traffic.
- DNS queries and replies need to have the second highest priority.
- Outgoing TCP ACK packets need to have a higher priority than all other outgoing traffic.

This is my /etc/pf.conf now:

    # macros
    ext_if = "rl0"
    int_if = "fxp0"
    int_net = "192.168.10.0/24"
    irc_ports = "{ 6667, 6668, 6669, 7000 }"
    irc_allow = "{ 192.168.10.2, 192.168.10.3 }"
    ssh_ports = "{ 22 2022 }"
    im_ports = "{ 1863 5190 5222 }"
    bob = "192.168.10.4"
    mike = "192.168.10.5"
    peter = "192.168.10.6"

    # tables
    table <deny> persist file "/etc/pf.deny"

    # scrub
    scrub in all no-df
    scrub out all no-df

    # queuing on external interface
    altq on $ext_if priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
        tcp_ack_out }
    queue std_out priq(default)
    queue ssh_im_out priority 4 priq(red)
    queue dns_out priority 5
    queue tcp_ack_out priority 6

    # queuing on internal interface
    altq on $int_if cbq bandwidth 2Mb queue { std_in, ssh_im_in, dns_in, bob_in }
    queue std_in bandwidth 1.6Mb cbq(default)
    queue ssh_im_in bandwidth 200Kb priority 4
    queue dns_in bandwidth 120Kb priority 5
    queue bob_in bandwidth 80Kb cbq(borrow)

    # nat
    nat on $ext_if from $int_net to any -> $ext_if

    # filter rules for external interface inbound
    block in on $ext_if all

    # filter rules for external interface outbound
    block out on $ext_if all
    pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA \
        keep state queue(std_out, tcp_ack_out)
    pass out on $ext_if inet proto { udp icmp } from ($ext_if) to any keep state
    pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain \
        keep state queue dns_out
    pass out on $ext_if inet proto tcp from ($ext_if) to any port $ssh_ports \
        flags S/SA keep state queue(std_out, ssh_im_out)
    pass out on $ext_if inet proto tcp from ($ext_if) to any port $im_ports \
        flags S/SA keep state queue(ssh_im_out, tcp_ack_out)

    # filter rules for internal interface inbound
    block in on $int_if all
    pass in on $int_if from $int_net

    # filter rules for internal interface outbound
    block out on $int_if all
    pass out on $int_if from any to $int_net
    pass out on $int_if proto { tcp udp } from any port domain to $int_net \
        queue dns_in
    pass out on $int_if proto tcp from any port $ssh_ports to $int_net \
        queue(std_in, ssh_im_in)
    pass out on $int_if proto tcp from any port $im_ports to $int_net \
        queue ssh_im_in
    pass out on $int_if from any to $bob queue bob_in

    # block irc
    block in on $int_if proto tcp from $int_net to any port $irc_ports
    pass in on $int_if proto tcp from $irc_allow to any port $irc_ports

    # block icmp
    block in on $ext_if inet proto icmp all icmp-type echoreq

My problems are:

- I don't know if the queue value on the external interface (610Kb) is good for my internet connection (my 24kb/sec internet connection).

    altq on $ext_if priq bandwidth 610Kb queue { std_out, ssh_im_out, dns_out, \
        tcp_ack_out }

- I don't know what lines I need to add to define the following rules:
  - Reserve for bob and mike 8Kb/sec download bandwidth. Allow bob and mike to use more than 8Kb/sec when it's available.
  - Reserve for peter 4Kb/sec download bandwidth. Allow peter to use more than 4Kb/sec when it's available.

If anyone wants to help me a bit please write a reply. Until March I don't have time to read much documentation, I have a lot of exams at university. Thank you very much for any help!
Re: Problem with HP NetRAID Controller
Or you could just create a single RAID disk and then slice it up... Yes, exactly this I will do ... at last *g* looks like I have to try other OS, maybe Debian :-( Dirk
Re: chrsh unofficial w/ current 3.9 - nope
i haven't looked at the code--but i've seen this before, try adding #include <errno.h> somewhere.

On 2/7/06, Paul Pruett [EMAIL PROTECTED] wrote:

Just a heads up for the few that use Ben Goren's Trumpetpower port for chrsh, http://www.trumpetpower.com/OpenBSD/chrsh It may not work as is with OpenBSD 3.9, without tweaking. but the official ports for current is compiling nicely even kde so far!

got the following with current grabbed this weekend, complaining about extra tokens at end of directives and a while loop using test on error return value... if anyone has a quick suggestion, I'll try it, else I will set it aside.

    # make
    === Checking files for chrsh-1.0b2
    chrsh.c doesn't seem to exist on this system.
    Fetch http://www.aarongifford.com/computers/chrsh.c.
    100% || 26266 00:00
    No size recorded for /usr/ports/distfiles/chrsh.c
    No checksum file.
    === Extracting for chrsh-1.0b2
    mkdir -p /usr/ports/chrsh/w-chrsh-1.0b2/chrsh
    cp /usr/ports/test/distfiles/chrsh.c /usr/ports/test/chrsh/w-chrsh-1.0b2/chrsh/
    cp files/Makefile /usr/ports/test/chrsh/w-chrsh-1.0b2/chrsh/
    === Patching for chrsh-1.0b2
    === Configuring for chrsh-1.0b2
    === Building for chrsh-1.0b2
    cc -o chrsh chrsh.c
    chrsh.c:99:25: warning: extra tokens at end of #undef directive
    chrsh.c:186:8: warning: extra tokens at end of #endif directive
    chrsh.c: In function `main':
    chrsh.c:335: error: `errno' undeclared (first use in this function)
    chrsh.c:335: error: (Each undeclared identifier is reported only once
    chrsh.c:335: error: for each function it appears in.)
    *** Error code 1

    Stop in /usr/ports/test/chrsh/w-chrsh-1.0b2/chrsh (line 4 of Makefile).
    *** Error code 1

    Stop in /usr/ports/test/chrsh (line 1924 of /usr/ports/infrastructure/mk/bsd.port.mk).

NOTES for chrsh.c

    Line 99: #undef LOG_USEFILE /var/log/chrsh.log
    Line 186: #endif DEBUG
    Line 335: while (close(i) != 0 && errno == EINTR);
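The three diagnostics in the build log above, shown in corrected form as an added example; this is not code from chrsh.c or from either poster. The helper names close_retry and close_fds_from are hypothetical, and the `&&` in the retry loop is assumed to be what line 335 contained.

```c
/* Added example: hypothetical helpers, not code from chrsh.c. */
#include <errno.h>   /* declares errno and EINTR; its absence is the line-335 error */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* "#undef NAME" takes the macro name only. A value after the name is what
 * produces "extra tokens at end of #undef directive". */
#define LOG_USEFILE "/var/log/chrsh.log"
#undef LOG_USEFILE

/* A label after #endif has to be a comment, not a bare token. */
#ifdef DEBUG
#define TRACE(msg) fprintf(stderr, "debug: %s\n", (msg))
#else
#define TRACE(msg) ((void)0)
#endif /* DEBUG */

/*
 * Close fd, retrying only while close() reports EINTR.
 * Returns 0 on success, -1 with errno set otherwise.
 * On Linux the descriptor is released even when close() returns EINTR,
 * so a retry there ends with EBADF; in a multithreaded program a retry
 * could hit a descriptor that another thread has just opened.
 */
static int close_retry(int fd)
{
    int r;

    while ((r = close(fd)) != 0 && errno == EINTR)
        TRACE("close interrupted, retrying");
    return r;
}

/* Close every descriptor in [lowfd, highfd]; returns how many were open. */
static int close_fds_from(int lowfd, int highfd)
{
    int fd, closed = 0;

    for (fd = lowfd; fd <= highfd; fd++)
        if (close_retry(fd) == 0)
            closed++;
    return closed;
}

int main(void)
{
    /* Constructed input: one descriptor opened just to be closed again. */
    int fd = open("/dev/null", O_RDONLY);

    if (fd < 0)
        return 1;
    printf("closed %d descriptor(s)\n", close_fds_from(fd, fd));
    return 0;
}
```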
Re: firewall (pf): where to view current scrub settings
On Mon, Feb 06, 2006 at 05:04:09PM +0100, mgEDV.net wrote: hi, if i, for example setup scrub max-mss 1462 in my pf.conf, where can i see these values have been set? is there any command that views the current scrub rules/states? btw., anybody had a look on my other posting regarding the macros for filenames in table-statements? Yes. See pfctl(8), specifically the '-s' option. -jon
Good SMTP and POP proxy for OpenBSD
On 2/6/06, Brandon Mercer [EMAIL PROTECTED] wrote: There is p3scan_pf for pop3 proxying... It can be found at www.undergroundsecurity.com. Brandon Thankyou so much Joachim, Brandon, Bill, Nils and Stuart for your responses. I tried p3scan. I configured everything clamav etc as said. At the last step launching p3scan it gave me a core dump :-( Is it because of the mmap, malloc changes in 3.8? http://www.undergroundsecurity.com/p3scan/installation.html describes the installation in 3.7 have you done it on 3.8?? Details # pwd /etc/p3scan # ls -l total 28 -rw-r--r-- 1 root _clamav 10661 Feb 7 18:20 p3scan.conf -rw-rw 1 _clamav _clamav758 Feb 7 18:07 p3scan.mail # p3scan # chown: mail: invalid group name # ls -l total 1276 -rw-r--r-- 1 root _clamav 10661 Feb 7 18:20 p3scan.conf -rw--- 1 root wheel614972 Feb 7 18:46 p3scan.core -rw-rw 1 _clamav _clamav 758 Feb 7 18:07 p3scan.mail # --- Core Dump file attached. Thankyou so much :-) Kind Regards Siju [demime 1.01d removed an attachment of type application/octet-stream which had a name of p3scan.core]
Re: problems with Squirrelmail IMAP connection to courier-imap
On 2006-02-07 11:00, Joakim Roubert wrote: Configtest fails in IMAP connection (and so does, naturally, login). ...but after some experiments with the config file, it seems I do now also belong to the people that have Squirrelmail running. Regards, /Joakim -- http://www.df.lth.se/~jokke/
Re: Good SMTP and POP proxy for OpenBSD
And in addition to the stunnel lead: http://www.sysdesign.ca/guides/secure_pop3.html Nils -Original Message- From: Siju George [mailto:[EMAIL PROTECTED] Sent: dinsdag 7 februari 2006 14:20 To: Brandon Mercer Cc: Joachim Schipper; misc Subject: Good SMTP and POP proxy for OpenBSD On 2/6/06, Brandon Mercer [EMAIL PROTECTED] wrote: There is p3scan_pf for pop3 proxying... It can be found at www.undergroundsecurity.com. Brandon Thankyou so much Joachim, Brandon, Bill, Nils and Stuart for your responses. I tried p3scan. I configured everything clamav etc as said. At the last step launching p3scan it gave me a core dump :-( Is it because of the mmap, malloc changes in 3.8? http://www.undergroundsecurity.com/p3scan/installation.html describes the installation in 3.7 have you done it on 3.8?? Details # pwd /etc/p3scan # ls -l total 28 -rw-r--r-- 1 root _clamav 10661 Feb 7 18:20 p3scan.conf -rw-rw 1 _clamav _clamav758 Feb 7 18:07 p3scan.mail # p3scan # chown: mail: invalid group name # ls -l total 1276 -rw-r--r-- 1 root _clamav 10661 Feb 7 18:20 p3scan.conf -rw--- 1 root wheel614972 Feb 7 18:46 p3scan.core -rw-rw 1 _clamav _clamav 758 Feb 7 18:07 p3scan.mail # --- Core Dump file attached. Thankyou so much :-) Kind Regards Siju [demime 1.01d removed an attachment of type application/octet-stream which had a name of p3scan.core] = A disclaimer applies to this email and any attachments. Refer to http://www.sparkholland.com/emaildisclaimer for the full text of this disclaimer.
Re: rdist notify@ broken?
At the very least, it does make me feel better that it is not just me. :) Perhaps we should file a bug report on the issue?

Joachim Schipper wrote:

On Mon, Feb 06, 2006 at 09:07:59AM -0600, Matthew S Elmore wrote:

Greetings misc@, I am using rdist (with ssh as the transport) to update files from one machine to another. This works fine, except that it does not send the notify message once it is complete. When running rdist from the command line, it hangs here:

    $ sudo rdist -o remove -f /etc/Distfile.notifytest
    testhost: updating host testhost
    testhost: notify @testhost ( test@test.com )

(obviously I swapped out users and hosts for this mail)

When this happens I see sendmail in the process list:

    11497 p0 I+ 0:00.02 /usr/sbin/sendmail -oi -t

But the mail never sends. Here is the distfile:

    HOSTS = ( testhost )
    FILES = ( /etc/resolv.conf )
    default: ${FILES} -> ${HOSTS}
        notify test@test.com ;

Reproducible here (3.8-stable/i386), using postfix instead of sendmail.

Joachim
GRE and WCCPv1
Hi. I am trying to configure a squid box (with dansguardian) with OpenBSD 3.8, as a transparent cache, at the exit of my network. In the border I have a Cisco 2600 router. When the router receives web packets it redirects (WCCPv1 protocol) via a GRE Tunnel to the squid box. So, my conclusion, is that the tunnel is working fine. But when the OpenBSD receives the packets (and it receives, because I see the packets with tcpdump) it only increments the unsupported/unknown packets when I issue the netstat -s command.

I have the following configuration in /etc/pf.conf:

    rdr on bge0 inet proto tcp from any to any port www -> 127.0.0.1 port 8080
    pass out proto tcp from $Proxy_IP to any
    pass out proto tcp from any port = 80 to any
    pass in proto tcp from any port = 80 to $Proxy_IP
    pass in proto gre from $Router_IP to $Proxy_IP

I already tried changing the interface bge0 (in the rdr line) to gre0, but nothing changed. I also have, in sysctl.conf, the following two lines, that permit the entry of gre packets and WCCP packets (It's not clear in the man pages if it is WCCPv1 or WCCPv2, but it says also to not use WCCPv2, so I assumed WCCPv1).

I suspect the problem is the way that OpenBSD deals (or not) with the GRE packets. Can anyone help me?

Ricardo Santos
Re: OpenBSD { future=PIM (DM-SM) } support or { only=XORP } ?
On Tuesday 07 February 2006 01:56, Jason Houx wrote: I only read the protocol and never tried to set it up on a Crisco but now that the network is up I see no reason not to as I am not that interested in trying out XORP and can patiently hold my breath till I start to catch wind of some commits on the CVS posts. If you manage to convince XORP to do PIM please let me know, that might come in handy when trying to produce some code for an OpenPIMD project.
Re: users filling partitions crashing system
On Tue, Feb 07, 2006 at 11:00:41AM +, MikeyG wrote:

Is there any way to direct cores to be saved somewhere else?

...

    Feb 6 10:36:36 boxname /bsd: WARNING: / was not properly unmounted
    Feb 6 10:37:37 boxname savecore: reboot after panic: trap type 6, code=2, pc=d033737c
    Feb 6 10:37:37 boxname savecore: no dump, not enough free space on device
    Feb 6 13:00:01 boxname syslogd: restart
    Feb 6 17:00:01 boxname syslogd: restart
    Feb 7 10:00:01 boxname syslogd: restart

And just to check:

    $ swapctl -l
    Device       512-blocks  Used  Avail    Capacity  Priority
    swap_device  1048320     0     1048320  0%        0

You also need enough space in /var/crash to store the core dump. See crash(8).

-Ray-
isakmpd problem only cookies
Hello all,

Currently my brother and I try to set up a vpn using isakmpd between two OBSD 3.8 boxes. We had a similar vpn working before. We both changed ADSL providers and thought it is time for an upgrade. However... Our vpn refuses to work. We singled out a possible firewall problem. The pflog is quiet and even after a '$pfctl -F rules' we keep the same problem. A 'tcpdump -i xl1 port 500' shows that both sides receive cookies, but nothing more: like this

    $ tcpdump -i xl1 port 500
    13:24:47.067067 broeahs.net.isakmp > daim.broeahs.net.isakmp: isakmp v1.0 exchange ID_PROT cookie: 385103343a680645->9c61c0d839d1d9ec msgid: len: 168
    13:24:48.878894 daim.broeahs.net.isakmp > broeahs.net.isakmp: isakmp v1.0 exchange ID_PROT cookie: 7fd785c9ee93e8fe->31884d57a94e56a0 msgid: len: 168

The debuggin' info gives messages like this:

    132740.737518 Exch 40 exchange_establish_finalize: finalizing exchange 0x7cdb9b0 0 with arg 0x85e318d0 (daim-dimitri) fail = 1
    132740.736495 SA 90 sa_find: no SA matched query
    132641.268445 Default transport_send_messages: giving up on exchange dimitri, no response from peer 194.109.199.156:500

My question is: What is happening here? How is it possible there is traffic on both sides on port 500 but the two are not able to get decent contact?

Thank you in advance.

Daim

confs follow:

    # cat /etc/isakmpd/isakmpd.policy
    KeyNote-Version: 2
    Authorizer: POLICY
    Licensees: our_bad_passw
    Conditions: app_domain == IPsec policy &&
        esp_present == yes &&
        esp_enc_alg != null -> true;

    # cat /etc/isakmpd/isakmpd.conf
    # $OpenBSD: VPN-east.conf,v 1.7 1999/10/29 07:46:04 todd Exp $
    # $EOM: VPN-east.conf,v 1.7 1999/07/18 09:25:34 niklas Exp $
    # A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.

    [General]
    Retransmits= 5
    Exchange-max-time=120
    Listen-on= xxx.xxx.xxx.xxx
    #Shared-SADB= Defined

    # Incoming phase 1 negotiations are multiplexed on the source IP address
    [Phase 1]
    yyy.yyy.yyy.yyy=dimitri

    # These connections are walked over after config file parsing and told
    # to the application layer so that it will inform us when traffic wants to
    # pass over them. This means we can do on-demand keying.
    [Phase 2]
    Connections= daim-dimitri

    [dimitri]
    Phase= 1
    Transport= udp
    Local-address= xxx.xxx.xxx.xxx
    Address= yyy.yyy.yyy.yyy
    Configuration= Default-main-mode
    Authentication= our_bad_passw

    [daim-dimitri]
    Phase= 2
    ISAKMP-peer= dimitri
    Configuration= Default-quick-mode
    Local-ID= Net-daim
    Remote-ID= Net-dimitri

    [Net-daim]
    ID-type= IPV4_ADDR_SUBNET
    Network= 192.168.0.0
    Netmask= 255.255.255.0

    [Net-dimitri]
    ID-type= IPV4_ADDR_SUBNET
    Network= 10.10.10.0
    Netmask= 255.255.255.0

    # Main mode descriptions
    [Default-main-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= ID_PROT
    Transforms= DES-SHA

    # Main mode transforms
    ##
    # DES
    [DES-MD5]
    ENCRYPTION_ALGORITHM= DES_CBC
    HASH_ALGORITHM= MD5
    AUTHENTICATION_METHOD= PRE_SHARED
    GROUP_DESCRIPTION= MODP_768
    Life= LIFE_600_SECS,LIFE_1000_KB

    [DES-MD5-NO-VOL-LIFE]
    ENCRYPTION_ALGORITHM= DES_CBC
    HASH_ALGORITHM= MD5
    AUTHENTICATION_METHOD= PRE_SHARED
    GROUP_DESCRIPTION= MODP_768
    Life= LIFE_600_SECS

    [DES-SHA]
    ENCRYPTION_ALGORITHM= DES_CBC
    HASH_ALGORITHM= SHA
    AUTHENTICATION_METHOD= PRE_SHARED
    GROUP_DESCRIPTION= MODP_768
    Life= LIFE_600_SECS,LIFE_1000_KB

    # 3DES
    [3DES-SHA]
    ENCRYPTION_ALGORITHM= 3DES_CBC
    HASH_ALGORITHM= SHA
    AUTHENTICATION_METHOD= PRE_SHARED
    GROUP_DESCRIPTION= MODP_1024
    Life= LIFE_3600_SECS

    # Blowfish
    [BLF-SHA-M1024]
    ENCRYPTION_ALGORITHM= BLOWFISH_CBC
    KEY_LENGTH= 128,96:192
    HASH_ALGORITHM= SHA
    AUTHENTICATION_METHOD= PRE_SHARED
    GROUP_DESCRIPTION= MODP_1024
    Life= LIFE_600_SECS,LIFE_1000_KB

    [BLF-SHA-EC155]
    ENCRYPTION_ALGORITHM= BLOWFISH_CBC
    KEY_LENGTH= 128,96:192
    HASH_ALGORITHM= SHA
    AUTHENTICATION_METHOD= PRE_SHARED
    GROUP_DESCRIPTION= EC2N_155
    Life= LIFE_600_SECS,LIFE_1000_KB

    [BLF-MD5-EC155]
    ENCRYPTION_ALGORITHM= BLOWFISH_CBC
    KEY_LENGTH= 128,96:192
    HASH_ALGORITHM= MD5
    AUTHENTICATION_METHOD= PRE_SHARED
    GROUP_DESCRIPTION= EC2N_155
    Life= LIFE_600_SECS,LIFE_1000_KB

    [BLF-SHA-EC185]
    ENCRYPTION_ALGORITHM= BLOWFISH_CBC
    KEY_LENGTH= 128,96:192
    HASH_ALGORITHM= SHA
    AUTHENTICATION_METHOD= PRE_SHARED
    GROUP_DESCRIPTION= EC2N_185
    Life= LIFE_600_SECS,LIFE_1000_KB

    [3DES-MD5]
    ENCRYPTION_ALGORITHM= 3DES_CBC
    HASH_ALGORITHM= MD5
    AUTHENTICATION_METHOD= PRE_SHARED
    GROUP_DESCRIPTION= MODP_1024
    Life= LIFE_1_DAY

    [CAST-SHA]
    ENCRYPTION_ALGORITHM= CAST_CBC
    HASH_ALGORITHM= SHA
    AUTHENTICATION_METHOD= PRE_SHARED
    GROUP_DESCRIPTION= MODP_1536
    Life= LIFE_1_DAY

    # Quick mode description
    [Default-quick-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= QUICK_MODE
    Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE

    [Greenbow-quick-mode]
    DOI= IPSEC
    EXCHANGE_TYPE= QUICK_MODE
    Suites= QM-ESP-DES-SHA-PFS-SUITE

    # Quick mode protection suites
    ##
    # DES
    [QM-ESP-DES-SUITE]
    Protocols= QM-ESP-DES

    [QM-ESP-DES-PFS-SUITE]
    Protocols= QM-ESP-DES-PFS

    [QM-ESP-DES-MD5-SUITE]
    Protocols=
Re: OpenBSD { future=PIM (DM-SM) } support or { only=XORP } ?
On Tue, 7 Feb 2006, Esben Norby wrote: If you manage to convince XORP to do PIM please let me know, that might come in handy when trying to produce some code for an OpenPIMD project. Guess it's time for me to start reading XORP's project more: # XORP Design Documentation XORP PIM-SM Routing Daemon http://www.xorp.org/releases/1.1/docs/pim/pim_arch.pdf # XORP Design Documentation XORP PIM-SM Test Suite http://www.xorp.org/releases/1.1/docs/pim_testsuite/pim_testsuite.pdf # XORP Source Code http://www.xorp.org/releases/1.1/xorp-1.1.tar.gz
Re: table clearing time/date in pf
On 07/02/06, frantisek holop [EMAIL PROTECTED] wrote: hi there, i see this on a 3.8 stable: -pa-r- bad_ssh Addresses: 0 Cleared: Thu Jan 1 01:00:00 1970 Looks like a very early beta of 3.8 if you ask me. /Tony
BSD Boot Problems
Ran into an issue last night where my bsd (sparc64) would not boot. The boot stalled very close to the beginning of the boot process, right after it listed the available devices, followed by some number (address?) with the /-|\/-|/ spinner. The boot hung at this point. I was able to correct the problem by booting from cd and running the upgrade install back to the hd. Any insight as to why this would happen? Thanks, Axton Grams
sun quad hme performance
Hi, i read in the archives a lot of references about poor performance with the sun quad ethernet (hme) on different servers (netras and sunfires), is this still an issue or has been addressed in 3.8 or 3.9-current, i have two sunfire v120 that are losing packets between their ports, when i activate the pf rules the ping response time is very high, around 1253 ms, so our whatsup monitor reports them down, the cpu load is very low (0.12) and the memory usage is 70mb, total memory of 512 mb, so this is not a resource problem. What can i check? --- thanks
A dual DVI videocard working with OpenBSD?
Does anyone know of a Dual-DVI (two DVI signals on a single connector, no dual-head) videocard that works with OpenBSD? Eventually: 2D operation only is OK, no 3D features needed. It's for a 30 display with a one dual-DVI connector and 2560-by-1600 resolution. +++chefren
Re: sun quad hme performance
* Miguel [EMAIL PROTECTED] [2006-02-07 17:21]: Hi, i read in the archives a lot of references about poor performance with the sun quad ethernet (hme) on different servers (netras and sunfires), is this still an issue or has been addressed in 3.8 or 3.9-current, i have two sunfire v120 that are losing packets between their ports, when i activate the pf rules the ping response time is very high, around 1253 ms, so our whatsup monitor reports them down, the cpu load is very low (0.12) load is NOT cpu load. check with top or systat vm, I bet you are maxing out your CPU. -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: OpenBSD hardware router
z0mbix wrote: On 2/2/06, Kenny Mann [EMAIL PROTECTED] wrote: I'm looking for something that which I can slap OpenBSD 3.8 on and use it as a router. This will be used for a house (~ 4 people) and I'm looking for something small in form factor and that which doesn't run hot because it will run in a closet. I'm seeking to replace our D-Link router because it seems to lock up on an occasion and this seem like a fun little project to do. I'd also like it to have wireless capabilities as well. Anyone know where I can start looking or can point in a direction to start? Or are my hopes too high and I should just get a PC and make it happen that route (pun not intended)? Kenny Mann Don't forget the wrap: http://www.pcengines.ch/wrap.htm They're slightly cheaper than the soekris. I use one with 3.8 and it runs as a cable router/firewall and runs ipsec between home and work. Hi z0mbix, how did you install OpenBSD on a wrap? Like: http://wiki.bsdforen.de/index.php/OpenBSD_-_WRAP and the links on the bottom (websites of Jonathan Weiss Thomas Kaschwig) Thanks, Sven
Re: inet failover solution
[EMAIL PROTECTED] wrote: On Mon, 6 Feb 2006 23:54:21 -0500, Steven S wrote: [EMAIL PROTECTED] wrote: John R. Shannon wrote: On Monday 06 February 2006 06:46, Nickolay A Burkov wrote: Hi, All! ... I don't see any ping commands of the form: ping -I fxp0 .. in examples of ifstated use. I would think that forcing the interface to be used would be useful to prevent misleading results. Whilst I'm at it: Why wouldn't I change the default route by doing a route delete default route add default $SecondChoice type command and the reverse when a link comes up on $FirstChoice ? In general I'd love to see some more configurations with all the relevant pf.conf bits so that I can study an example or three in conjunction with the ifstated manpage. I think I'm going to have to set up a lab test and see what works well but some other viewpoints may make choosing a better way easier. I force the interface by creating a static route and not creating any route-to pf rules for the tested IP's. In my case one gw is bridged via wireless to the ISP2 interface, so no route is needed. Never tried the 'ping -I' but it sounds easier than creating routes, so thanks! I'll have to try that against a carp interface for my second ISP since I only have one address and it is assigned to a carp interface. I'm using the round-robin, load balanced route-to command in pf.conf to load share among the available ISPs. So my default gw isn't used much. -Steve S.
what do these log messages mean?
Hello all OpenBSD fans, Usually I am quite good at debugging my own isakmpd conns, but now I'm stuck. I am seeking the following information: What do these isakmpd debug messages generally mean? It's so hard to find any documentation on these messages. 172804.454813 Exch 20 exchange_establish_finalize: finalizing exchange 0x7c57a800 with arg 0x83c748f0 (ragweed-slippery) fail = 1 and 173804.632227 SA 90 sa_find: no SA matched query thank you, Daim
systat vm question
I have this horrible problem with CISS driver and I am trying to get a grasp on a few things. I noticed Henning's post on systat vm and started to look at this. I had just been looking at iostat/vmstat. This tool gives me some interesting output when I untar and tar files the No-cache section says this No-cache Miss = 523 % = 67 Interrupts are at 489 total with CISS0 doing over 200 load with 2 users hits 2.18 so far. My question is the No-cache section what has no-cache, and does 200 interrupts seem excessive for a Hardware Raid? Does this point anyone to any ideas as to the problem with CISS? Thanks, Jason
Per-User/IP traffic shaping query
I'm in the process of investigating a means by which I can shape the traffic individually for potentially 1000 users. Looking at the altq documentation, my reading of this implies that I would have to create a separate queue for each user/IP, which may also involve a kernel recompilation to get the number of queues I need. Is there any way to do something akin to the FreeBSD/dummynet method of queue creation - applying a mask to (say) the source IP and dynamically creating (and deleting) queues based on traffic flows? I'd quite like to stick with OpenBSD for this project, as there are a number of other features in pf that I'd like to use. However, the traffic shaping is a fairly key feature, hence my asking whether I can do this or not using OpenBSD. -- Andrew Veitch mailto:[EMAIL PROTECTED] http://erkle.org/
Re: systat vm question
On Tue, Feb 07, 2006 at 12:48:53PM -0500, Jason Houx wrote: the No-cache section says this No-cache Miss = 523 % = 67 Interrupts are at 489 total with CISS0 doing over 200 load with 2 users hits 2.18 so far. My question is the No-cache section what has no-cache, Your question isn't entirely clear to me, but I think you might be confused. The No-cache section you refer to is part of the namei (name translation) display. For a little more information on what this means, look in the systat(1) manual page or this brief FAQ entry: http://www.openbsd.org/faq/faq11.html#maxvnodes This is software cache, not a hardware one. and does 200 interrupts seem excessive for a Hardware Raid? Does this point anyone to any ideas as to the problem with CISS? Thanks, Jason
Re: OpenBSD hardware router
On 2/7/06, Sven Wolf [EMAIL PROTECTED] wrote: z0mbix wrote: On 2/2/06, Kenny Mann [EMAIL PROTECTED] wrote: I'm looking for something that which I can slap OpenBSD 3.8 on and use it as a router. This will be used for a house (~ 4 people) and I'm looking for something small in form factor and that which doesn't run hot because it will run in a closet. I'm seeking to replace our D-Link router because it seems to lock up on occasion and this seems like a fun little project to do. I'd also like it to have wireless capabilities as well. Anyone know where I can start looking or can point in a direction to start? Or are my hopes too high and I should just get a PC and make it happen that route (pun not intended)? Kenny Mann Don't forget the wrap: http://www.pcengines.ch/wrap.htm They're slightly cheaper than the soekris. I use one with 3.8 and it runs as a cable router/firewall and runs ipsec between home and work. Hi z0mbix, how did you install OpenBSD on a wrap? Like: http://wiki.bsdforen.de/index.php/OpenBSD_-_WRAP and the links on the bottom (websites of Jonathan Weiss and Thomas Kaschwig) Thanks, Sven Yes, I just followed information from the websites of Jonathan Weiss and Thomas Kaschwig. I didn't have any success with pxebooting, but I gather someone has got that working now with a later bios version. Search the archives if you want to find out more about this. I couldn't be happier with my OpenBSD wrap setup.
Re: OpenBSD security could be tightened up easily
On 2/5/06, Dave Feustel [EMAIL PROTECTED] wrote: Also, all x11 and kde sockets are created with permissions up to and including 777 that can be restricted with no loss of functionality. I now and how are other users going to connect to the socket then?
Re: systat vm question
On Tue, 7 Feb 2006, Niall O'Higgins wrote: Your question isn't entirely clear to me, but I think you might be confused. Quite possible as this is a bit new territory for me to be going into. Thanks for the help The No-cache section you refer to is part of the namei (name translation) display. For a little more information on what this means, look in the systat(1) manual page or this brief FAQ entry: http://www.openbsd.org/faq/faq11.html#maxvnodes I was reading the systat page but I had not come to the realization yet that what I was looking at was referring to just namei. I tried adjusting the kern.maxvnodes several times but that has not improved the misses. This is software cache, not a hardware one. So this would for sure point to a hardware issue seeing how adjusting the software didn't help?
Re: sysctl hw.sensors question
Denny White wrote: Today Stuart Henderson spake forth boldly: On 2006/02/04 20:43, Denny White wrote: hw.sensors.11=lm0, Temp3, temp, 127.50 degC / 261.50 degF hw.sensors.0=nsclpcsio0, TSENS1, temp, 127.00 degC / 260.60 degF hw.sensors.1=nsclpcsio0, TSENS2, temp, 127.00 degC / 260.60 degF I have a similar problem, but my box is slightly hotter. $ sysctl hw.sensors | grep temp hw.sensors.9=lm0, Temp1, temp, 35.00 degC / 95.00 degF hw.sensors.10=lm0, Temp2, temp, 208.00 degC / 406.40 degF hw.sensors.11=lm0, Temp3, temp, 36.00 degC / 96.80 degF Wow, 406.40 F. I'd better purchase a supercooler.
Re: chrsh unofficial w/ current 3.9 - nope
Date: Tue, 7 Feb 2006 07:34:06 -0500 From: Jeff Quast [EMAIL PROTECTED] i haven't looked at the code--but i've seen this before, try adding #include <errno.h> somewhere. For unofficial chrsh port with current (3.9) got the following with current grabbed this weekend, complaining about extra tokens at end of directives and a while loop chrsh.c:335: error: `errno' undeclared (first use in this function) chrsh.c:335: error: (Each undeclared identifier is reported only once chrsh.c:335: error: for each function it appears in.) Stop in /usr/ports/test/chrsh/w-chrsh-1.0b2/chrsh (line 4 of Makefile). Hell of a deal! Good reply jeff. That did it! Ben, if you revision your unofficial port for chrsh, you need to add for patching, #include <errno.h>
Re: OpenBSD security could be tightened up easily
On Tuesday 07 February 2006 13:16, Ted Unangst wrote: On 2/5/06, Dave Feustel [EMAIL PROTECTED] wrote: Also, all x11 and kde sockets are created with permissions up to and including 777 that can be restricted with no loss of functionality. I now and how are other users going to connect to the socket then? Since all six x11/kde sockets that I chmod to 600 have me as the owner, I assume that no one else should be connecting to those sockets. -- Lose, v., experience a loss, get rid of, lose the weight Loose, adj., not tight, let go, free, loose clothing
Re: sun quad hme performance
Henning Brauer wrote: * Miguel [EMAIL PROTECTED] [2006-02-07 17:21]: Hi, i read in the archives a lot of references about poor performance with the sun quad ethernet (hme) on different servers (netras and sunfires), is this still an issue or has been addressed in 3.8 or 3.9-current, i have two sunfire v120 that are losing packets between their ports, when i activate the pf rules the ping response time is very high, around 1253 ms, so our whatsup monitor reports them down, the cpu load is very low (0.12) load is NOT cpu load. check with top or systat vm, I bet you are maxing out your CPU. I will try to reproduce the problem and send you some numbers, thanks
The Apache Question
Hi everyone I've noticed OpenBSD still uses Apache httpd 1.3. While it is good that on the OpenBSD side of things, it is maintained and there's an additional focus on security for httpd. However, sooner or later, httpd 1.3 *will be deprecated* in favor of newer versions (2.0, 2.2), and now certainly with 2.2 released. Are there any plans about when 2.2 (or 2.0) will be included in the base fileset? Or remove apache out of the fileset and let the users install it themselves with a port? Glenn
openbsd's future plans?
hi list. I have been wondering what are the openbsd team's long-term plans (if any at all, of course) regarding future smp support. I am aware that openbsd currently supports smp under the big kernel lock, which offers some advantages for userland applications but generally things like interrupt and io load don't scale at all. I understand it is an enormous task, judging by the other os'es struggle to remove the bkl by various techniques. What are the developers thinking about the future regarding this matter, and what are their opinions about the other os'es paths as well.
Re: httpd question - solved
At 04:17 AM 2/6/06, Alexander Farber wrote: And there is also ipcheck.py On 2/6/06, Keith Richardson [EMAIL PROTECTED] wrote: This will handle the pesty case of your IP changing. 1. dyndns.org - get a free subdomain to map to your IP. 2. ddclient package - updates your DNS whenever your IP changes. Are there scripts available to do what dyndns.org does at the server side? I have an OpenBSD box with a static ip address hosting a few domains. I'd like to set up several machines as subdomains that are behind dynamic ip addresses. I'd like to install something on the system with static ip address to provide the same service dyndns.org does, but cannot seem to find those scripts. Frank
Re: systat vm question
* Jason Houx [EMAIL PROTECTED] [2006-02-07 18:53]: Interrupts are at 489 total with CISS0 doing over 200 load with 2 users hits 2.18 so far. My question is the No-cache section what has no-cache, and does 200 interrupts seem excessive for a Hardware Raid? Does this point anyone to any ideas as to the problem with CISS? no, 200 int/s doesn't even remotely smell like a problem. -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: The Apache Question
I would recommend reading the archives, but I guess a quick answer is no.
Re: The Apache Question
On 2006/02/07 21:23, RedShift wrote: I've noticed OpenBSD still uses Apache httpd 1.3. Well, not exactly. Diff the source trees and you'll see it's not quite the same thing...
Re: The Apache Question
RedShift wrote: Hi everyone I've noticed OpenBSD still uses Apache httpd 1.3. While it is good that on the OpenBSD side of things, it is maintained and there's an additional focus on security for httpd. However, sooner or later, httpd 1.3 *will be deprecated* in favor of newer versions (2.0, 2.2), and now certainly with 2.2 released. Are there any plans about when 2.2 (or 2.0) will be included in the base fileset? Or remove apache out of the fileset and let the users install it themselves with a port? Glenn Look this question up in the archive and you will get the answer. In any case, the short of it is that the license will make it impossible to do so. It's a dead issue and that's why the version 1.3 is maintained isolated from the apache and there is way over what, maybe 60K lines of difference by now or something like that. Maybe I am mistaken and it's 30K, I can't remember well, but the last time I looked, it's HUGE!
isakmpd and x509
Hi ! I have carefully read isakmpd(8), isakmpd.conf(5) and isakmpd.policy(5) but I don't fully understand how to set up isakmpd correctly to work with X509 certificates. In isakmpd(8), it is said that client certificates must be put in /etc/isakmpd/certs. Why would isakmpd need those certificates ? I think the CA should be sufficient to check that the certificate presented by the other peer is correct. Here is how I would set up isakmpd with x509 certificates : - Put the CA in /etc/isakmpd/ca/. - Modify /etc/isakmpd/isakmpd.policy with the DN of the CA in Licensee field: this way, only certificates signed by the CA would be accepted. - Modify /etc/isakmpd/isakmpd.conf to use ID instead of Authentication. Remote IP is left blank for phase 1. Remote ID is left blank for phase 2 : AltSubjectName from the certificate will be used instead. Is it correct ? Moreover, I am not sure that I have really understood what purpose AltSubjectName serves in the certificate. From what I think, this is the IP (or the FQDN) that will be used by the remote end of the IPsec tunnel. With such a setup, I should be able to have as many clients as I want without copying their certs in /etc/isakmpd/certs and without altering /etc/isakmpd/isakmpd.conf to add them. Right ? If someone has a working setup of a VPN gateway that authenticates roadwarrior clients with x509 certificates without need to add each of them in /etc/isakmpd/isakmpd.conf, I would be happy to see the configuration files. -- printk(Illegal format on cdrom. Pester manufacturer.\n); 2.2.16 /usr/src/linux/fs/isofs/inode.c
Re: The Apache Question
Well as far as I know, Apache 1.3 is an OpenBSD modified version and not the 1.3 apache releases but the licensing on apache 2.0 is the reason I see OpenBSD not packaging it. http://apache.org/licenses/LICENSE-2.0 Also search back into the mailing list archives or the site for more specific reasons. Correct me if I'm wrong. On 2/7/06, RedShift [EMAIL PROTECTED] wrote: Hi everyone I've noticed OpenBSD still uses Apache httpd 1.3. While it is good that on the OpenBSD side of things, it is maintained and there's an additional focus on security for httpd. However, sooner or later, httpd 1.3 *will be deprecated* in favor of newer versions (2.0, 2.2), and now certainly with 2.2 released. Are there any plans about when 2.2 (or 2.0) will be included in the base fileset? Or remove apache out of the fileset and let the users install it themselves with a port? Glenn
Re: systat vm question
On Tue, 7 Feb 2006, Henning Brauer wrote: * Jason Houx [EMAIL PROTECTED] [2006-02-07 18:53]: Interrupts are at 489 total with CISS0 doing over 200 no, 200 int/s doesn't even remotely smell like a problem. Great thanks for providing me a baseline. I guess I will just try the next snapshot for the improved CISS driver. systat vm is really nice - thanks again for the post. Jason Houx
Re: The Apache Question
Wouldn't it be better then to start a spinoff project (openhttpd or something comes to mind) instead of still calling it apache httpd 1.3? Stuart Henderson wrote: On 2006/02/07 21:23, RedShift wrote: I've noticed OpenBSD still uses Apache httpd 1.3. Well, not exactly. Diff the source trees and you'll see it's not quite the same thing...
Re: rdist notify@ broken?
On Tue, Feb 07, 2006 at 08:18:57AM -0600, Matthew S Elmore wrote: At the very least, it does make me feel better that it is not just me. :) Perhaps we should file a bug report on the issue? I think so. Since you found it first, the honour is yours... ;-) Joachim
Re: The Apache Question
Steven Day wrote: Well as far as I know, Apache 1.3 is an OpenBSD modified version and not the 1.3 apache releases but the licensing on apache 2.0 is the reason I see OpenBSD not packaging it. http://apache.org/licenses/LICENSE-2.0 Also search back into the mailing list archives or the site for more specific reasons. Correct me if I'm wrong. You're correct and that was sure beaten up big time in the archive as well. I think you have way more chance to ever see lighttpd replace apache 1.3 as opposed to having apache 2.x for sure. I am not talking for the project whatsoever, but the archive makes it very obvious that apache is not going to go higher than where it is now. Plus lighttpd does have a BSD license, so that would be my bet. But don't expect that to change soon I think. Just my $0.02 worth.
Re: The Apache Question
From: [EMAIL PROTECTED] Wouldn't it be better then to start a spinoff project (openhttpd or something comes to mind) instead of still calling it apache httpd 1.3? No, because that's what it is. What you're talking about is marketing drivel. You don't have to keep up with the Joneses, especially when the Joneses introduced a shoddy license and are going a different way. DS
Re: The Apache Question
Hello! On Tue, Feb 07, 2006 at 03:59:22PM -0500, Steven Day wrote: Well as far as I know, Apache 1.3 is an OpenBSD modified version and not the 1.3 apache releases but the licensing on apache 2.0 is the reason I see OpenBSD not packaging it. http://apache.org/licenses/LICENSE-2.0 Also search back into the mailing list archives or the site for more specific reasons. Correct me if I'm wrong. IIRC that's correct, the licensing is at least one of the reasons why apache 2 will probably never make it into base. However, I'd guess a port submission would be accepted in principle - but not now, because the consolidation phase for the next release has already started wrt ports. Kind regards, Hannah.
Re: OpenBSD security could be tightened up easily
On 2/7/06, Dave Feustel [EMAIL PROTECTED] wrote: Since all six x11/kde sockets that I chmod to 600 have me as the owner, I assume that no one else should be connecting to those sockets. that's not true in general.
Re: The Apache Question
Why change that? It is apache, but with some patches. But still it is apache (changing the name may be bad for future coders that would like to make some plugin for the OpenBSD http server: before they start to make it, they will have to learn that httpd in OBSD is just apache 1.3). Besides, I don't understand why so many people would like to change the current web server, when it's working fine and it is secure enough. Is there any really nice argument besides the digit? I think not, so why do people always ask that? At 22:11 2006-02-07, you wrote: Wouldn't it be better then to start a spinoff project (openhttpd or something comes to mind) instead of still calling it apache httpd 1.3? Stuart Henderson wrote: On 2006/02/07 21:23, RedShift wrote: I've noticed OpenBSD still uses Apache httpd 1.3. Well, not exactly. Diff the source trees and you'll see it's not quite the same thing...
Re: The Apache Question
On Tue, 7 Feb 2006, Spruell, Darren-Perot wrote: From: [EMAIL PROTECTED] Wouldn't it be better then to start a spinoff project (openhttpd or something comes to mind) instead of still calling it apache httpd 1.3? No, because that's what it is. What you're talking about is marketing drivel. You don't have to keep up with the Joneses, especially when the Joneses introduced a shoddy license and are going a different way. DS Hmmm... [EMAIL PROTECTED]:/home/jross $ whois openhttpd.org (As pointed out to me quite a while back ...) :-)
Re: openbsd's future plans?
On 2/7/06, Antonios Anastasiadis [EMAIL PROTECTED] wrote: I have been wondering what are the openbsd team's long-term plans (if any at all, of course) regarding future smp support. I am aware that openbsd currently supports smp under the big kernel lock, which offers some advantages for userland applications but generally things like interrupt and io load don't scale at all. I understand it is an enormous task, judging by the other os'es struggle to remove the bkl by various techniques. What are the developers thinking about the future regarding this matter, and what are their opinions about the other os'es paths as well. i think we should rewrite the kernel in java since it has good support for threads.
Re: openbsd's future plans?
Hello! On Tue, Feb 07, 2006 at 02:01:38PM -0800, Ted Unangst wrote: [...] i think we should rewrite the kernel in java since it has good support for threads. ;-) How about erlang (once we've got a working port)? Erlang's threads (called processes) are much more lightweight, and OpenBSD is, as we all know, not so fond of bloat. Kind regards (with tongue in cheek, of course), Hannah.
Re: openbsd's future plans?
i think we should rewrite the kernel in java since it has good support for threads. Remember we opted for C++ during c2k2 (or was it c2k3), but not until ddb has proper name demangling code. Miod
Re: openbsd's future plans?
On 07/02/06, Ted Unangst [EMAIL PROTECTED] wrote: On 2/7/06, Antonios Anastasiadis [EMAIL PROTECTED] wrote: I have been wondering what are the openbsd team's long-term plans (if any at all, of course) regarding future smp support. I am aware that openbsd currently supports smp under the big kernel lock, which offers some advantages for userland applications but generally things like interrupt and io load don't scale at all. I understand it is an enormous task, judging by the other os'es struggle to remove the bkl by various techniques. What are the developers thinking about the future regarding this matter, and what are their opinions about the other os'es paths as well. i think we should rewrite the kernel in java since it has good support for threads. Get real Ted. You know that python is the way to go. /Tony -- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, I couldn't help it, it's my nature =-
Re: OpenBSD security could be tightened up easily
Just for reference, here is the original post in this thread, which for some reason, I do not find in the reverse misc archive. --- OpenBSD security could be tightened up easily Date: 2006-02-05 08:09 From: Dave Feustel [EMAIL PROTECTED] To: misc@ OpenBSD's handling of file permissions needs work. Good security practice requires that root's default permission set by umask should be 077. But setting root's umask to this value breaks the package install mechanism since all files installed by root with umask 077 are unavailable to users. Also, all x11 and kde sockets are created with permissions up to and including 777 that can be restricted with no loss of functionality. I now routinely chmod all sockets in /tmp and $TMPDIR to 600 immediately upon starting up kde and have seen no errors generated by this. The problem with insecure [tp]ty allocation in kde is still not fixed as far as I know, although I see a new kdelibs in errata. (this problem occurs only in OpenBSD so far as I know), It might also be a good idea to run pf by default with the rule block all in to prevent intruders taking advantage of undiagnosed security problems in kde or x11. ALL of my strange problems with kde have ceased since I started running pf with this rule. Having said this, I would like to add that OpenBSD looks better than ever to me now and I recommend it highly to people I talk to. OpenBSD is the Rock upon which I build everything else. Dave Feustel
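The socket permissions discussed in this thread can be inspected before anything is changed. The script below is an added example, not part of the original post or of OpenBSD, X11 or KDE: a read-only audit that lists the Unix-domain sockets under a directory such as /tmp with owner and mode, and marks those that are world-writable in a directory other users can enter. The names audit_sockets and build_sample and the sample tree are assumptions made for the illustration.

```python
#!/usr/bin/env python3
"""Read-only audit of Unix-domain sockets under a directory such as /tmp.

Added example: audit_sockets() and build_sample() are hypothetical names,
not part of OpenBSD, X11 or KDE.
"""
import os
import socket
import stat
import sys
import tempfile


def others_can_traverse(root, directory):
    """True if every directory from `directory` up to `root` has o+x.

    Directories above `root` are not checked.
    """
    root = os.path.abspath(root)
    current = os.path.abspath(directory)
    while True:
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return False
        parent = os.path.dirname(current)
        if current == root or parent == current:
            return True
        current = parent


def audit_sockets(root):
    """Return one record per socket file found under `root`, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        try:
            dir_open = others_can_traverse(root, dirpath)
        except OSError:
            dir_open = False  # an ancestor could not be examined
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # removed between the listing and lstat()
            if not stat.S_ISSOCK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            findings.append({
                "path": path,
                "uid": st.st_uid,
                "mode": format(mode, "04o"),
                # Any permission bit granted to group or other.
                "beyond_owner": bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
                # World-writable socket in a directory others can enter.
                # Some systems ignore socket modes, so the directory
                # permission is the portable control.
                "exposed": bool(mode & stat.S_IWOTH) and dir_open,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample(base):
    """Constructed sample tree: three sockets and one regular file."""
    os.chmod(base, 0o755)
    private = os.path.join(base, "priv")
    os.mkdir(private)
    layout = [
        (os.path.join(base, "open.sock"), 0o777),
        (os.path.join(base, "tight.sock"), 0o600),
        (os.path.join(private, "inner.sock"), 0o777),
    ]
    for path, mode in layout:
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(path)   # bind() creates the socket file
        s.close()      # the file stays until it is unlinked
        os.chmod(path, mode)
    os.chmod(private, 0o700)
    with open(os.path.join(base, "note.txt"), "w") as fh:
        fh.write("not a socket\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = tempfile.mkdtemp(prefix="sockaudit-")
        build_sample(target)
    for f in audit_sockets(target):
        flag = "EXPOSED" if f["exposed"] else "ok"
        print(f'{f["mode"]} uid={f["uid"]:<6} {flag:<8} {f["path"]}')
```

Run with a directory argument to audit it; with no argument it audits the constructed sample tree. A 0777 socket inside a 0700 directory is reported as not exposed, because other users cannot reach the socket file.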
Re: The Apache Question
RedShift wrote: Hi everyone I've noticed OpenBSD still uses Apache httpd 1.3. While it is good that on the OpenBSD side of things, it is maintained and there's an additional focus on security for httpd. However, sooner or later, httpd 1.3 *will be deprecated* in favor of newer versions (2.0, 2.2), and now certainly with 2.2 released. Are there any plans about when 2.2 (or 2.0) will be included in the base fileset? Or remove apache out of the fileset and let the users install it themselves with a port? Glenn I couldn't find anything in the misc archives, but perhaps I didn't really look that hard. But the biggest issue is the Apache 2.0 license. I'm not sure what the problem is with the license, but I believe it may be that Apache 2 license is more restrictive. In what way? I don't know.
Re: openbsd's future plans?
i think we should rewrite the kernel in java since it has good support for threads. Get real Ted. You know that python is the way to go. What's the point of re-writing in either language? emacs already has a kernel.
Re: openbsd's future plans?
On 07/02/06, Bryan Irvine [EMAIL PROTECTED] wrote: i think we should rewrite the kernel in java since it has good support for threads. Get real Ted. You know that python is the way to go. What's the point of re-writing in either language? emacs already has a kernel. I don't want to make us lose focus in this important discussion, or start a flamewar, but someone has to say it. Emacs sucks, vi rules. /Tony
Re: The Apache Question
On 2/7/06, Joe S [EMAIL PROTECTED] wrote: RedShift wrote: Hi everyone I've noticed OpenBSD still uses Apache httpd 1.3. While it is good that on the OpenBSD side of things, it is maintained and there's an additional focus on security for httpd. However, sooner or later, httpd 1.3 *will be deprecated* in favor of newer versions (2.0, 2.2), and now certainly with 2.2 released. Are there any plans about when 2.2 (or 2.0) will be included in the base fileset? Or remove apache out of the fileset and let the users install it themselves with a port? Glenn I couldn't find anything in the misc archives, but perhaps I didn't really look that hard. But the biggest issue is the Apache 2.0 license. I'm not sure what the problem is with the license, but I believe it may be that Apache 2 license is more restrictive. In what way? I don't know. http://www.openbsd.org/faq/faq1.html#HowAbout That was referenced from the list reply where someone claimed there was no problem. A quick web search will probably give the reason too.
Re: openbsd's future plans?
Damn. I shouldn't have asked.
Re: The Apache Question
Sure OpenBSD's modified Apache 1.3 is way more secure than most stuff out there, and is working great. However, the Subversion versioning control system (which my project uses) demands Apache2 in order to do DAV checkouts and commits, better authentication and more. So, my only choice was to manually install Apache2 and compile mod_dav_svn.so in order to use these features in OpenBSD. No big deal, but I would surely appreciate a port for Apache2, it would have made my life much easier. Anyway, I agree with the other guys: no way Apache2 will make it to the base system, its license is a major issue against that. -- Felipe Brant Scarel PATUX/OpenBSD Project Leader (http://www.patux.cic.unb.br)
Re: The Apache Question
On 2/7/06, Joe S [EMAIL PROTECTED] wrote: I couldn't find anything in the misc archives, but perhaps I didn't really look that hard. But the biggest issue is the Apache 2.0 license. I'm not sure what the problem is with the license, but I believe it may be that Apache 2 license is more restrictive. In what way? I don't know. wc L* 58 4082827 LICENSE-1.1 2021581 11358 LICENSE-2.0.txt
Re: openbsd's future plans?
Aside from all (somewhat funny, especially the java one) jokes, what are the plans regarding SMP? Recently I had to install FreeBSD on a dual-Xeon server because its SMP support is kinda better than OpenBSD's, but that did not please me at all, so that is indeed a good question. -- Felipe Brant Scarel PATUX/OpenBSD Project Leader (http://www.patux.cic.unb.br)
Re: The Apache Question
On 2/7/06, Joe S [EMAIL PROTECTED] wrote: RedShift wrote: Hi everyone I've noticed OpenBSD still uses Apache httpd 1.3. While it is good that on the OpenBSD side of things, it is maintained and there's an additional focus on security for httpd. However, sooner or later, httpd 1.3 *will be deprecated* in favor of newer versions (2.0, 2.2), and now certainly with 2.2 released. Are there any plans about when 2.2 (or 2.0) will be included in the base fileset? Or remove apache out of the fileset and let the users install it themselves with a port? Glenn I couldn't find anything in the misc archives, but perhaps I didn't really look that hard. But the biggest issue is the Apache 2.0 license. I'm not sure what the problem is with the license, but I believe it may be that Apache 2 license is more restrictive. In what way? I don't know. It was the first link in google. agree or disagree there it is. :-) http://www.monkey.org/openbsd/archive/misc/0406/msg00438.html --Bryan
Re: sun quad hme performance
I am able to max out my sun qfe at around 9.3MB/second on my lan when passing through the interface twice (two separate subnets where the qfe is used as the router interfaces). Used http to test the speed of the interface. The part number/model of my interface is SUN QUAD FAST ETHERNET PCS X1034A 501-5406; Using a 32bit pci slot though the card is 64-bit. Machine is a sunblade 100 with a 500mhz ultrasparc [EMAIL PROTECTED] w/ 768mb ram. pf was managing 25 states at the time of the test. Axton Grams -- Miguel wrote Hi, i read in the archives a lot of references about poor performance with the sun quad ethernet (hme) on different servers (netras and sunfires), is this still an issue or has been addressed in 3.8 or 3.9-current, i have two sunfire v120 that are losing packets between their ports, when i activate the pf rules the ping response time is very high, around 1253 ms, so our whatsup monitor reports them down, the cpu load is very low (0.12) and the memory usage is 70mb, total memory of 512 mb, so this is not a resource problem. What can i check? --- thanks
Re: OpenBSD hardware router
On 2/7/06, z0mbix [EMAIL PROTECTED] wrote: On 2/7/06, Sven Wolf [EMAIL PROTECTED] wrote: Don't forget the wrap: http://www.pcengines.ch/wrap.htm They're slightly cheaper than the soekris. I use one with 3.8 and it runs as a cable router/firewall and runs ipsec between home and work. Hi z0mbix, how did you install OpenBSD on a wrap? Like: http://wiki.bsdforen.de/index.php/OpenBSD_-_WRAP and the links on the bottom (websites of Jonathan Weiss Thomas Kaschwig) Thanks, Sven Yes, I just followed information from the websites of Jonathan Weiss Thomas Kaschwig. I didn't have any success with pxebooting, but I gather someone has got that working now with a later bios version. Search the archives if you want to find out more about this. I couldn't be happier with my OpenBSD wrap setup. This might be a little late/offtopic, but has anyone tried flashing a commercial router? Via my work on PSP homebrews I just stumbled upon http://www.angelfire.com/droid/ahman/. It seems like all it is is a disk image that then gets written direct to whatever counts as a harddrive in those routers. Now I'm wondering if that is how all commercial routers work (it would seem to make sense...). In that case you could create a temporary mfs drive in RAM, fdisk and disklabel it, copy the install sets for OpenBSD on it, and then use dd to save it to a disk image for ready uploading. You could set up sshd (which is the standard install anyway) and do further config via it. The troubles I can see are: +you'd have to figure out a way to make it bring up the interfaces/bridges on boot without knowing what driver they use, and thus what name they get (perhaps a rc.local script that runs down all available interfaces and does ifconfig $IF 192.168.0.1 up on them all). +the router might use some sort of checksumming in order to ensure firmware files are not corrupt so you'd have to figure out what the format of the firmware files is. 
Commercial routers generally run for 50$ here in Canada (or cheaper if you're lucky: I'm using a 3$ one right now in fact) which is cheaper than Soekris and WRAP and any of the other options, and they are much more plentiful as well. Does anyone see any problems with this idea? Suggestions? I have 3 useless commercial routers sitting around right now but if I could get OpenBSD on them they could be awesome. -Kousu
Re: error on ifconfig, bssid
On 2/6/06, Lucas Reddinger [EMAIL PROTECTED] wrote: one more question about the same thing. i got my access point i wish to use on a NWID that no one else uses. i specify this nwid using ifconfig on my clients. however, as soon as i get a better signal from another access point on a different NWID, my card switches, and my clients lose their connection. here's what it looks like:

=
$ ifconfig wi0
wi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:80:c6:e3:1c:ff
description: dhcp
groups: egress
media: IEEE802.11 autoselect (DS11)
status: active
ieee80211: nwid linksys_9f 2dBm (auto)
inet6 fe80::280:c6ff:fee3:1cff%wi0 prefixlen 64 scopeid 0x2
inet 192.168.1.75 netmask 0xff00 broadcast 192.168.1.255
$ wicontrol
NIC serial number: [ 3841 ]
Station name: [ WaveLAN/IEEE node ]
SSID for IBSS creation: [ IBSS ]
Current netname (SSID): [ greenmonster ]
Desired netname (SSID): [ linksys_9f ]
Current BSSID: [ 00:0c:41:68:70:f8 ]
Channel list: [ 2047 ]
IBSS channel: [ 1 ]
Current channel: [ 4 ]
Comms quality/signal/noise: [ 36 67 4 ]
Promiscuous mode: [ Off ]
Process 802.11b Frame: [ Off ]
Port type (1=BSS, 3=ad-hoc, 6=Host AP): [ 1 ]
MAC address: [ 00:80:c6:e3:1c:ff ]
TX rate (selection): [ 3 ]
TX rate (actual speed): [ 11 ]
Maximum data length: [ 2304 ]
RTS/CTS handshake threshold: [ 2347 ]
Create IBSS: [ Off ]
Antenna diversity (0=auto,1=pri,2=aux): [ ]
Microwave oven robustness: [ On ]
Roaming mode(1=firm,3=disable): [ 1 ]
Access point density: [ 1 ]
Power Management: [ Off ]
Max sleep time: [ 100 ]
Enhanced Security mode: [ ]
Intersil Prism2-based card: [ 1 ]
Card info: [ PRISM2 HWB3163 rev.B, Firmware 1.4.9 ]
Encryption: [ Off ]
Encryption algorithm: [ Firmware WEP ]
Authentication type (1=OpenSys, 2=Shared Key): [ 1 ]
TX encryption key: [ 1 ]
Encryption keys: [ ][ ][ ][ ]
$ sudo wicontrol -L
AP Information
ap[0]:
netname (SSID): [ greenmonster ]
BSSID: [ 00:0c:41:68:70:f8 ]
Channel: [ 4 ]
Beacon Interval: [ 100 ]
Quality/Signal/Noise [signal]: [ 12 / 22 / 10 ]
Capinfo: [ ESS PRIV ]
DataRate [Mbps]: [ 11.0 ]
AvailableRates [Mbps]: [ 1.0 5.5 11.0 11.0 ]
ap[1]:
netname (SSID): [ linksys_9f ]
BSSID: [ 00:13:10:e8:9f:44 ]
Channel: [ 6 ]
Beacon Interval: [ 100 ]
Quality/Signal/Noise [signal]: [ 11 / 21 / 10 ]
Capinfo: [ ESS ]
DataRate [Mbps]: [ 11.0 ]
AvailableRates [Mbps]: [ 1.0 2.0 5.5 11.0 18.0 24.0 36.0 54.0 ]
$
=

notice the: Current netname (SSID): [ greenmonster ] Desired netname (SSID): [ linksys_9f ] but wicontrol -L proves that the other access point is still there. this just happens when greenmonster's signal is stronger than linksys_9f's. sorry, but this is so frustrating to me, i can tell ifconfig to use a certain nwid, channel, c; but as soon as it gets a better signal from another access point, it's game over. any help is _much_ appreciated. lucas reddinger

The wi(4) driver is _very_ old. Here is what I use to get my Prism2.5 card up:

#ifconfig wi0 nwkey key up
#wicontrol -n nwid -e 1
#dhclient wi0

It took me about a week to stumble across this sequence of commands. I think the wi(4) driver will jump access points if you don't explicitly tell it the nwid to use. That's what the -n flag is for. It is annoying that you have to use two programs to configure one card but there it is. It is not a very happy face. -Kousu
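The symptom in this thread, a current netname that differs from the desired one, can be checked mechanically from wicontrol-style status text. The script below is an added example, not part of either post; the function names are made up for it, and the sample status is constructed from the three relevant fields quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): detect when a wi(4) client is associated
# with a network other than the one it was configured for.

# Constructed sample, using the three relevant fields quoted in the post.
SAMPLE_STATUS='Current netname (SSID): [ greenmonster ]
Desired netname (SSID): [ linksys_9f ]
Current BSSID: [ 00:0c:41:68:70:f8 ]'

# wi_field LABEL: print the bracketed value of the first "LABEL: [ value ]"
# line read from stdin. Labels are fixed strings chosen by the caller.
wi_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*\[ \(.*\) ]\$/\1/p" | head -n 1
}

# wi_assoc_check STATUS [EXPECTED_BSSID]
# Returns 0 if the card is on the desired network (and, when given, on the
# expected access point), 1 if it has drifted, 2 if the text cannot be parsed.
wi_assoc_check() {
    status=$1
    want_bssid=$2
    current=$(printf '%s\n' "$status" | wi_field 'Current netname (SSID)')
    desired=$(printf '%s\n' "$status" | wi_field 'Desired netname (SSID)')
    bssid=$(printf '%s\n' "$status" | wi_field 'Current BSSID')

    if [ -z "$current" ] || [ -z "$desired" ]; then
        echo "UNKNOWN: could not parse status"
        return 2
    fi
    if [ "$current" != "$desired" ]; then
        echo "DRIFT: associated with '$current' ($bssid), wanted '$desired'"
        return 1
    fi
    # Same network name is not the same access point: pin the BSSID too.
    if [ -n "$want_bssid" ] && [ "$bssid" != "$want_bssid" ]; then
        echo "DRIFT: SSID '$current' but BSSID $bssid, expected $want_bssid"
        return 1
    fi
    echo "OK: '$current' ($bssid)"
    return 0
}

# Demo on the constructed sample; on a live system the status text would come
# from the same command the post ran, e.g. wi_assoc_check "$(wicontrol)".
wi_assoc_check "$SAMPLE_STATUS" 00:13:10:e8:9f:44 || true
```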
Re: The Apache Question
Since it's an open source project in which anyone can commit to the repository anytime, it's not possible to add each and every user as a system user. Instead, we're using Plone to write user information on the htaccess-style file that Subversion reads. However, I guess I'm going to use your strategy on another server that is not wide open to commits, looks more than enough. Anyway, an Apache2 port wouldn't be a bad idea... I'll study some more and try to work on that in the near future. On 2/7/06, Joachim Schipper [EMAIL PROTECTED] wrote: On Tue, Feb 07, 2006 at 09:26:31PM -0200, Felipe Scarel wrote: Sure OpenBSD's modified Apache 1.3 is way more secure than most stuff out there, and is working great. However, the Subversion versioning control system (which my project uses) demands Apache2 in order to do DAV checkouts and commits, better authentication and more. So, my only choice was to manually install Apache2 and compile mod_dav_svn.so in order to use these features in OpenBSD. No big deal, but I would surely appreciate a port for Apache2, it would have made my life much easier. Anyway, I agree with the other guys: no way Apache2 will make it to the base system, its license is a major issue against that. I don't know about you, but I had the same svn-over-apache-2 setup. I switched to svn+ssh, and all seems well. It has the added advantage of taking version control further away from my very untrusted web scripts and somewhat untrusted web server. sshd is a trusted component, at least in the sense that anyone who can break that essentially owns the system. Joachim -- Felipe Brant Scarel PATUX/OpenBSD Project Leader (http://www.patux.cic.unb.br)
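One way to run the svn+ssh arrangement discussed in this message without a system account per committer is a single shared account whose authorized_keys entries force svnserve into tunnel mode under a fixed user name. The generator below is an added example, not code from the thread; the repository root, the function names and the sample key blobs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build authorized_keys entries for one
# shared account so that each key maps to one Subversion user name.

SVN_ROOT=/var/svn     # assumed repository root
RESTRICT='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'

# svn_authkeys_line USER KEYTYPE KEYBLOB
# Prints one authorized_keys line, or returns 1 if any field looks unsafe.
svn_authkeys_line() {
    user=$1 ktype=$2 blob=$3
    # The user name ends up inside a quoted command string: allow only a
    # conservative character set so it cannot add options or shell syntax.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256) ;;
        *) return 1 ;;
    esac
    # Key material must be a single base64 token.
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    printf 'command="svnserve -t -r %s --tunnel-user=%s",%s %s %s %s\n' \
        "$SVN_ROOT" "$user" "$RESTRICT" "$ktype" "$blob" "$user"
}

# svn_authkeys: read "USER KEYTYPE KEYBLOB" lines on stdin, write entries to
# stdout, report rejected input on stderr. Returns 1 if anything was rejected.
svn_authkeys() {
    rc=0
    while read -r name kt key _rest; do
        case $name in ''|'#'*) continue ;; esac
        svn_authkeys_line "$name" "$kt" "$key" || {
            echo "rejected entry for: $name" >&2
            rc=1
        }
    done
    return $rc
}

# Constructed sample input: the key blobs are placeholders, not real keys.
# The second entry carries a quote in the user name and is rejected.
SAMPLE_COMMITTERS='# user keytype keyblob
alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyBlobForAlice0000
bob" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPlaceholderKeyBlobForBob'

printf '%s\n' "$SAMPLE_COMMITTERS" | svn_authkeys || true
```

With -r in the forced command, client URLs are relative to the repository root, and the forced command replaces whatever the client asks sshd to run, so a key holder gets svnserve and nothing else.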
Re: Problem with HP NetRAID Controller
Dirk Fohrenkamm wrote: Have you tried upgrading the firmware? Yes, I did (firmware 4.03 is the newest that I've found...) I've successfully flashed HP Netraids with the current equivalent LSI firmware, although it's probably a one-way process and you may wind up with a doorstop.
You Must Update Your Account
Bank of America Higher Standards [IMAGE] Online Banking Alert Security Update Notification Dear Valued Customer : Bank Of America is constantly working to increase security for all Online Banking users. To ensure the integrity of our online payment system, we periodically review accounts. Click here to continue , Security Bank Of America . Due to concerns, for the safety and integrity of the Bank of America account we have issued this warning message It has come to our attention that your account information needs to be updated due to inactive members, frauds and spoof reports If you could please take 5-10 minutes out of your online experience and renew your records you will not run into any future problems with the online service However, failure to update your records will result in account suspension This notification expires on Jun 9, 2006 Once you have updated your account records your Bank of America account service will not be interrupted and will continue as normal Please follow the link above and update your account information Sincerely, Bank Of America customer department Because your reply will not be transmitted via secure e-mail, the e-mail address that generated this alert will not accept replies. If you would like to contact Bank of America with questions or comments, please sign in to Online Banking and visit the customer service section. Olympic Logo Bank of America, N.A. Member FDIC. Equal Housing Lender [IMAGE] ) 2006 Bank of America Corporation. All rights reserved
Re: openbsd's future plans?
Felipe Scarel wrote: Aside from all (somewhat funny, especially the java one) jokes, what are the plans regarding SMP? Same as always. Wait for someone to show REAL CODE. Evaluate the merits of that code. If it is up to OpenBSD standards, commit the code. Note that the real code comes first. Academic discussions are for people who don't produce. We don't talk about things that aren't ready for use, for the simple fact that if it doesn't exist, IT DOESN'T EXIST. You can't (er.. shouldn't!) make your decisions based on products that don't exist, so what's the point in idle talk? Recently I had to install FreeBSD on a dual-Xeon server because its SMP support is kinda better than OpenBSD's, but that did not please me at all, so that is indeed a good question. That's...interesting. Long ago, when I started in the computer business, the rule was, let the application pick the hardware. Apparently, that is obsolete (ok, to be fair, people rarely followed it twenty five years ago) What you are saying is using that preferred the box over the OS and application, that using that machine defined a good job more than using OpenBSD. Of course, that's fine if that's what your priorities are. A couple years ago, I was giving an Internet Safety Training talk to a group of high school students. These were mostly refugees from the local failed public school district -- these kids didn't have much opportunity to become rocket scientists. One of the kids asked me why his computer at home crashed a lot, and I answered that it was basically because he and most of the rest of the world pick flash over quality. I digressed a bit (I'm sure that surprises everyone here that I'd do that), and told them about my involvement in the OpenBSD project, a group that puts quality and security at Task #1 in reality, not just in slogan. 
I told them we regularly get people that say things like, I'd really like to run OpenBSD for the security, but I want to run ProductX, and that doesn't run with/on OpenBSD. That was the biggest laugh line of the day! I think these kids actually understood my point -- saying security is most important doesn't mean a thing if you aren't willing to compromise anything else in order to get it. While many people will say, Security and quality is important, what they are saying by their actions is, Security and quality is the LEAST IMPORTANT CRITERIA to me, but I'll happily accept it if it doesn't conflict with my real priorities.. Again...talk is cheap. Nick.
Re: openbsd's future plans?
On Wednesday, February 8, Felipe Scarel wrote: Just to explain better what happened, I was willing to install OpenBSD on the machine even if it somewhat lost some power because of the SMP stuff. However, my boss doesn't share the same views regarding security with me, so I had no choice. Since this is a CS Department, it's rather impossible to disagree with the people here when it comes to computers. Bull. You can always disagree. Run on the system what is needed. If you need high-performance SMP, see what there is available that will give you the performance you need. Stick it behind a decent firewall. If this is to be a firewall... well, you makes your choices... --Toby.
Re: openbsd's future plans?
On Wednesday 08 February 2006 04:20, Diana Eichert wrote: On Tue, 7 Feb 2006, Miod Vallat wrote: i think we should rewrite the kernel in java since it has good support for threads. Remember we opted for C++ during c2k2 (or was it c2k3), but not until ddb has proper name demangling code. Miod I cast a vote for re-writing the kernel in Ruby because of its robust threads implementation. You are misled, Diana. The kernel should be written in SNOBOL4. --STeve Andre'
Re: The Apache Question (lighttp remote holes just fixed)
paul dansing wrote: lighttpd just fixed a remote hole (case insensitive file systems) in the CURRENT VERSION! Does this inspire confidence? I mean for fck sake, the version just before they fixed %00 append bug! Next thing they will discover directory traversal. o_O YEAH, yeah I want this FINE PIECE OF SOFTWARE running on my production servers. Bummer too, because the hype had it sounded pretty cool until I realized how recent those remote holes were :( I didn't put a judgment on the quality of the software, but it is not as bad as you want to make it look like, plus you would be surprised how many developers are running it anyway. If it ever makes it to the default install, don't you think there would be a nice audit on it first? I am not putting it down, I simply stated the BSD license as opposed to the new more restrictive Apache to answer the question, that's all. In the end, I fully trust that if anyone from the project put it in, they will have looked at the implications of it and I fully trust their judgments! I have to say, if Apache would ever be release, I would love to see the replacement be part of the kernel if you asked me. Benchmark on web server built in kernel are just amazing! But again, I am not talking for the project, nor would I pretend to know what they would do either! I was only answering the question at the risk of being flamed doing so as this was beat up to death many times in the archive. Peace...
Re: The Apache Question (lighttp remote holes just fixed)
lighttpd just fixed a remote hole (case insensitive file systems) in the CURRENT VERSION! Does this inspire confidence? I mean for fck sake, the version just before they fixed %00 append bug! Next thing they will discover directory traversal. o_O YEAH, yeah I want this FINE PIECE OF SOFTWARE running on my production servers. Bummer too, because the hype had it sounded pretty cool until I realized how recent those remote holes were :( I think you have way more chance to ever see lighttpd replace apache 1.3 as opposed to having apache 2.x for sure. I am not talking for the project whatsoever, but the archive makes it very obvious that apache is not going to go higher than where it is now. Plus lighttpd does have a BSD license, so that would be my bet. But don't expect that to change soon I think. -- Best regards, paul mailto:[EMAIL PROTECTED]
Re: httpd question - solved (ProutDNS)
Hello Frank, here ya go buddy: http://www.prout.be/ProutDNS/ http://www.prout.be/ProutDNS/download/ProutDNS-0.6.2.tar.gz Tuesday, February 7, 2006, 10:54:33 AM, you wrote: At 04:17 AM 2/6/06, Alexander Farber wrote: And there is also ipcheck.py On 2/6/06, Keith Richardson [EMAIL PROTECTED] wrote: This will handle the pesty case of your IP changing. 1. dyndns.org - get a free subdomain to map to your IP. 2. ddclient package - updates your DNS whenever your IP changes. Are there scripts available to do what dyndns.org does at the server side? I have an OpenBSD box with a static ip address hosting a few domains. I'd like to setup several machines as subdomains that are behind dynamic ip addresses. I'd like to install something on the system with static ip address to provide the same service dyndns.org does, but cannot seem to find those scripts. Frank -- Best regards, paul mailto:[EMAIL PROTECTED]
Re: The Apache Question
On 2/8/06, RedShift [EMAIL PROTECTED] wrote: Hi everyone I've noticed OpenBSD still uses Apache httpd 1.3. While it is good that on the OpenBSD side of things, it is maintained and there's an additional focus on security for httpd. However, sooner or later, httpd 1.3 *will be deprecated* in favor of newer versions (2.0, 2.2), and now certainly with 2.2 released. Are there any plans about when 2.2 (or 2.0) will be included in the base fileset? Or remove apache out of the fileset and let the users install it themselves with a port? http://marc.theaimsgroup.com/?l=openbsd-tech&m=110242455717049&w=2 The Apache Software people refused to incorporate a lot of security features because it would make their Apache release incompatible with the Netware Operating System. So the Apache shipped with OpenBSD is not really the same as the one released by the Apache Project with the same version number. a lot while ago Henning had said that there was about 4000 lines of Code difference between the OpenBSD Apache and the one from Apache Project and Also that Apache2 is a Design Fault. Just some Info :-) Kind Regards -- Siju Oommen George, Network Consultant. HiFX IT MEDIA SERVICES PVT. LTD. http://www.hifx.net
Re: The Apache Question
Siju George wrote: a lot while ago Henning had said that there was about 4000 lines of Code difference between the OpenBSD Apache and the one from Apache Project and Also that Apache2 is a Design Fault. It is way past that now. Back in May 2005 it was already at 32,582 lines. http://marc.theaimsgroup.com/?l=openbsd-misc&m=111635541507728&w=2 I would bet, it is easily past 40K by now.
Re: openbsd's future plans?
-Original Message- From: STeve Andre' [mailto:[EMAIL PROTECTED] Sent: 08 February 2006 01:40 AM To: Diana Eichert Cc: misc@openbsd.org Subject: Re: openbsd's future plans? On Wednesday 08 February 2006 04:20, Diana Eichert wrote: On Tue, 7 Feb 2006, Miod Vallat wrote: i think we should rewrite the kernel in java since it has good support for threads. Remember we opted for C++ during c2k2 (or was it c2k3), but not until ddb has proper name demangling code. Miod I cast a vote for re-writing the kernel in Ruby because of its robust threads implementation. You are misled, Diana. The kernel should be written in SNOBOL4. --STeve Andre' Intercal!!! [demime 1.01d removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]
Re: systat vm question
You can also try to update to -rOPENBSD_3_8. All noticeable performance problems went away with some important patches since the release. I bet you'll see the load go away. And yes, as Henning said, 200 interrupts/second is nothing. My ciss(4) controllers go up to 5000 interrupts/seconds. But hey, I'm also writing 100 MB/sec, and the load is negligible. On 2/7/06, Jason Houx [EMAIL PROTECTED] wrote: On Tue, 7 Feb 2006, Henning Brauer wrote: * Jason Houx [EMAIL PROTECTED] [2006-02-07 18:53]: Interrupts are at 489 total with CISS0 doing over 200 no, 200 int/s doesn't even remotely smell like a problem. Great thanks for providing me a baseline. I guess I will just try the next snapshot for the improved CISS driver. systat vm is really nice - thanks again for the post. Jason Houx