Re: Problem with freshclam (maybe a port problem)

2006-02-25 Thread Gabriel George POPA
No, I am not. But freshclam runs as user _clamav (I think this should be 
no problem).
Maybe I have a problem with my DNS? Or with file/directory permissions? 
It's the first time this happens and I really don't know what
to do... (I really need this antivirus filter).
I've set the debug flag and the verbose output of freshclam is (I must 
mention that the following output is obtained when logged as root
on the system console - well, after su to root (i.e. su -), because only 
normal users can login directly on the console and I login as a normal
user - in the wheel group - and then su -):

Current working dir is /var/db/clamav
Max retries == 3
ClamAV update process started at Sat Feb 25 11:32:39 2006
Querying current.cvd.clamav.net
TTL: 256
Software version from DNS: 0.88
LibClamAV debug: Can't open CVD file main.cvd
ERROR: Can't get information about db.ro.clamav.net: Host not found
Connection with db.ro.clamav.net (IP: ???) failed.
Trying again in 5 secs...
ClamAV update process started at Sat Feb 25 11:32:44 2006
Querying current.cvd.clamav.net
TTL: 251
Software version from DNS: 0.88
LibClamAV debug: Can't open CVD file main.cvd
ERROR: Can't get information about db.ro.clamav.net: Host not found
Connection with db.ro.clamav.net (IP: ???) failed.
Trying again in 5 secs...
ClamAV update process started at Sat Feb 25 11:32:49 2006
Querying current.cvd.clamav.net
TTL: 246
 ETC, ETC...
and then (at the end, some output skipped):

TTL: 236
Software version from DNS: 0.88
LibClamAV debug: Can't open CVD file main.cvd
ERROR: Can't get information about database.clamav.net: Host not found
Connection with database.clamav.net (IP: ???) failed.
Giving up on database.clamav.net...
ERROR: Update failed. Your network may be down or none of the mirrors 
listed in freshclam.conf is working.
Freeing option list...done


Now, an even stranger problem! I open X11 (I'm running Windowmaker 
0.80.1), then I start an xterm (of course, I run X as a usual user),
then I do a su - and I switch to the root account. As a result of the 
freshclam command I receive (commands included):
 # echo ${USER}
 root
 # freshclam --version
 LibClamAV debug: Can't open CVD file /var/db/clamav/daily.cvd
 ClamAV 0.88
 #

Is there someone who had this problem or who can tell me where should I 
look in order to solve the problem? I started to think that there is
a problem with the port of clamav (although, other people would have 
signalled the problem as well...). The packages that I have installed (and
that might have something to do with my problem):
curl-7.15.1
clamav-0.88
clamsmtp-1.4.1
Maybe there's only a dependency/version mismatch.


  
Respectfully yours,


Gabriel George POPA



Peter wrote:

--- Gabriel George POPA [EMAIL PROTECTED] wrote:

  

Hello all,

   I have the following problem when running freshclam:
# freshclam
ClamAV update process started at Fri Feb 24 17:58:29 2006
ERROR: Can't get information about db.ro.clamav.net: Host not found
Connection with db.ro.clamav.net (IP: ???) failed.
Trying again in 5 secs...
ClamAV update process started at Fri Feb 24 17:58:34 2006
ERROR: Can't get information about db.ro.clamav.net: Host not found
Connection with db.ro.clamav.net (IP: ???) failed.
Trying again in 5 secs...
Or even better:
# freshclam
ClamAV update process started at Fri Feb 24 17:59:02 2006
ERROR: Can't get information about database.clamav.net: Host not found
Connection with database.clamav.net (IP: ???) failed.
Trying again in 5 secs...
BUT:

# ping database.clamav.net
PING db.northeu.clamav.net (83.148.101.196): 56 data bytes
64 bytes from 83.148.101.196: icmp_seq=0 ttl=47 time=115.432 ms
--- db.northeu.clamav.net ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 115.432/115.432/115.432/0.000 ms

AND:
# ping db.ro.clamav.net
PING db.ro.clamav.net (192.129.4.120): 56 data bytes
64 bytes from 192.129.4.120: icmp_seq=0 ttl=60 time=81.649 ms
--- db.ro.clamav.net ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 81.649/81.649/81.649/0.000 ms

 (I am from Romania, obviously)


I really don't know what's wrong. Could someone tell me? Oh, and it 
would be very nice to find out from you if there is a
tutorial treating clamav, freshclam, clamd and clamsmtpd with Sendmail 
on a usual mail server (with POP3 and IMAP enabled).



Are you running freshclam in a chroot jail?



Re: how to hunt for suspected memory leaks?

2006-02-25 Thread Toni Mueller
Hello,

On Fri, 24.02.2006 at 21:49:16 +, Nick Guenther [EMAIL PROTECTED] wrote:
 On 2/24/06, Gabriel George POPA [EMAIL PROTECTED] wrote:
  I understand your problem. In fact a closer analysis will
  show that there is no problem. Probably the memory you are reporting
  as filled is used for caching/memory.
 
 Caching RAM is space reserved for data being used by the system
 currently, such as open files, right? But if the machine is just
 idling why would any extra memory be used?

that's what I ask myself, too. In fact, a P4-2.4 + 1gig memory running
only some 30-60 processes, the most resource intensive one currently
being sshd (at most one user, remember), I don't actually see a
legitimate use for all that memory. Before asking yesterday, I checked
with ps alx to find out where that memory might have been used, but
found nothing.

What's even more puzzling is that today, that same machine shows 882
megs free when it had 258 megs free yesterday. Looks like there is some
cleaning task going on in the background (how/where?) that recovers
unused memory, but I'd still like to know what on earth is going on. At
least, the base system doesn't seem to be the culprit (phew!), but I
should find ways to investigate my applications.

TIA!


Best,
--Toni++



OpenBSD's AFS informations

2006-02-25 Thread Bruno Carnazzi
   Hi misc,

I come to you because my enterprise will need some distributed file
system in the months to come. We need to distribute a big file system
between 2 main sites, accessed by multiple clients spread across
different sites. A client is nearly always a thin client running RDP
to some TSE cluster for office'ing. We got 1 TSE farm on each main
site. And a file server on each site too (actually a HS20 blade
running Windows 2003). We do not synchronize these file servers, which
makes them fault-intolerant. Each contains user profiles & documents.
The Microsoft solution, DFS, seems ok but I'd like to know if AFS
could be smartly used in that case. So, I'd like to know if OpenBSD's
AFS could do the following (I assume that our actual file servers are
replaced by OpenBSD AFS cells) :
  * Gently synchronize/distribute 2 physical file servers in 1 logical
file server (real time is not needed)
  * Does it scale well (new AFS cells, new clients) ?
  * Does it support a quota mechanism ?
  * Implementation and Administration cost (we are 2 bright guys :) ?
  * What about the file permissions ? Is that Windows 2k3-friendly (ACL) ?
  * Why did OpenBSD devs rewrite an AFS instead of reusing OpenAFS ?
  * Integration with ActiveDirectory for authentication ?
  * Recovery of a lost cell ?

Wow... Hard work to come :)

Best regards,

Bruno.



Broadcom BCM4401 not configured

2006-02-25 Thread Brendan Grossman
Hi all

I'm trying to install 3.8 on an ASUS P4PE with onboard Broadcom BCM4401
chip, however it doesn't seem to be detecting it.

At boot I get the following... 

Broadcom BCM4410 rev 0x01 at pci2 dev 5 function 0 not configured

I've Googled around but most reports seem to be from before the driver
was released. 

I don't think it's hardware since I had the same system running Linux
fine previously.

Thanks

Brendan



Re: Problem with freshclam (maybe a port problem)

2006-02-25 Thread Joachim Schipper
On Sat, Feb 25, 2006 at 11:44:57AM +0200, Gabriel George POPA wrote:
 No, I am not. But freshclam runs as user _clamav (I think this should be 
 no problem).
 Maybe I have a problem with my DNS? Or with file/directory permissions? 
 It's the first time this happens and I really don't know what
 to do... (I really need this antivirus filter).
 I've set the debug flag and the verbose output of freshclam is (I must 
 mention that the following output is obtained when logged as root
 on the system console - well, after su to root (i.e. su -), because only 
 normal users can login directly on the console and I login as a normal
 user - in the wheel group - and then su -):
 
 Current working dir is /var/db/clamav
 Max retries == 3
 ClamAV update process started at Sat Feb 25 11:32:39 2006
 Querying current.cvd.clamav.net
 TTL: 256
 Software version from DNS: 0.88
 LibClamAV debug: Can't open CVD file main.cvd
 ERROR: Can't get information about db.ro.clamav.net: Host not found
 Connection with db.ro.clamav.net (IP: ???) failed.
 Trying again in 5 secs...
 ClamAV update process started at Sat Feb 25 11:32:44 2006
 Querying current.cvd.clamav.net
 TTL: 251
 Software version from DNS: 0.88
 LibClamAV debug: Can't open CVD file main.cvd
 ERROR: Can't get information about db.ro.clamav.net: Host not found
 Connection with db.ro.clamav.net (IP: ???) failed.
 Trying again in 5 secs...
 ClamAV update process started at Sat Feb 25 11:32:49 2006
 Querying current.cvd.clamav.net
 TTL: 246
  ETC, ETC...
 and then (at the end, some output skipped):
 
 TTL: 236
 Software version from DNS: 0.88
 LibClamAV debug: Can't open CVD file main.cvd
 ERROR: Can't get information about database.clamav.net: Host not found
 Connection with database.clamav.net (IP: ???) failed.
 Giving up on database.clamav.net...
 ERROR: Update failed. Your network may be down or none of the mirrors 
 listed in freshclam.conf is working.
 Freeing option list...done
 
 
 Now, an even stranger problem! I open X11 (I'm running Windowmaker 
 0.80.1), then I start an xterm (of course, I run X as a usual user),
 then I do a su - and I switch to the root account. As a result of the 
 freshclam command I receive (commands included):
  # echo ${USER}
  root
  # freshclam --version
  LibClamAV debug: Can't open CVD file /var/db/clamav/daily.cvd
  ClamAV 0.88
  #
 
 Is there someone who had this problem or who can tell me where should I 
 look in order to solve the problem? I started to think that there is
 a problem with the port of clamav (although, other people would have 
 signalled the problem as well...). The packages that I have installed (and
 that might have something to do with my problem):
 curl-7.15.1
 clamav-0.88
 clamsmtp-1.4.1
 Maybe there's only a dependency/version mismatch.

Just a guess, but could it be that your pf configuration only allows
outgoing DNS queries to the nameservers in /etc/resolv.conf? freshclam
makes DNS queries to some other servers, too.

Joachim



Re: Broadcom BCM4401 not configured

2006-02-25 Thread marius
Hi Brendan,

Check http://www.openbsd.org/i386.html

The boot floppies do not include support for the Broadcom BCM4401.
Either use the .iso, or buy the CD.

I've got that network card in my Acer laptop and it works great.

//mts

--
Playing safe is only playing.
 Fortune Cookie from Simon's Wok


List:   openbsd-misc
Subject:Broadcom BCM4401 not configured
From:   Brendan Grossman brendan () grossman ! id ! au
Date:   2006-02-25 13:51:38
Message-ID: 1140875374.20762.255247396 () webmail ! messagingengine ! com

Hi all

I'm trying to install 3.8 on an ASUS P4PE with onboard Broadcom BCM4401
chip, however it doesn't seem to be detecting it.

At boot I get the following...

Broadcom BCM4410 rev 0x01 at pci2 dev 5 function 0 not configured

I've Googled around but most reports seem to be from before the driver
was released.

I don't think it's hardware since I had the same system running Linux
fine previously.

Thanks

Brendan



Re: pf.conf to log specific but block all

2006-02-25 Thread Melameth, Daniel D.
Harry Putnam wrote:
 Melameth, Daniel D. [EMAIL PROTECTED] writes:
 Thanks for the nifty summary.  I want to pester you just a little more
 then I'll get to work on this and see if I get really stuck
 somewhere.

Sounds good ;-) .

  # Address translation for machines on your LAN
  nat on $ext_if from $int_if:network to any -> ($ext_if)
 
 This looks like it's designed to allow my other boxes to be (NATed) to
 from the open bsd box.  But that won't be happening.  That happens at
 the netgear right now.  I'm only wanting to aim the same network
 traffic at the obsd box as hits the netgear.  Not actually do anything
 with it such as NATing. (only log or handle OBSD boxes own traffic
 to/from internet)

All bets are off if you don't replace the Netgear with OpenBSD.

 I haven't googled on the mirror thing you mentioned yet so maybe I'm
 not understanding what will happen when I enable sending traffic to
 obsd from Netgear box.
 
  # Block and log all traffic
  block log all
 
 Well yeah, but this can get to be a very lot of data very soon. I'd
 like to see just one general example of blocking all but logging only
 say ssh or a few other specific things.  In my tinkerings it appeared
 that it matters a lot where the log flag appears in the syntax.

On a consumer-class Internet connection, I don't expect too much.
However, the following should only log ssh:

# Block all traffic and block and log ssh
block all
block in log on $ext_if inet proto tcp from any to $ext_if port ssh

  # Allow internal machines to use the Internet
  pass out on $ext_if proto { tcp, udp, icmp } all keep state
 
 Again this won't be happening for the other machines but I kind of
 figured something like this would be necessary for the OBSD box
 itself.

You're on your own if you want to keep the Netgear as your bastion host
to the Internet.  I understand you don't feel comfortable putting the
OpenBSD box there yet, but that's the only scenario I'll likely spend my
time providing assistance with.

 This all reminded me I meant to ask one thing about networking this.
 
 My net is currently all on 192.168.0/24.  I'm wondering if this can
 all be done still in that network.  That is, set both nics on the obsd
 box to that network.  Where one side talks to the NETGEAR and the
 other talks to the rest of the lan.

While you can do this, here's where I'll stop with my reply as anything
beyond this is somewhat different from the example ruleset in the PF
guide and might become confusing for you.  However, if you really don't
want to use the OpenBSD machine as a bastion host, I recommend just
using one NIC, as the external NIC, and going from there--someone else
on the list is more than welcome to chime in further.

 The first few rules in example1 from FAQ/PF.  Appear to be able to be
 applied to make that happen.
 
 Some vars first:
 $ext_if=rl0 (192.168.0.19)
 $int_if=dc0 (192.168.0.18)
 $priv_nets=192.168.0/24
 
  block drop in  quick on $ext_if from $priv_nets to any
  block drop out quick on $ext_if from any to $priv_nets
 
 So some kind of adjustment would have to happen here since the NETGEAR
 inside IF talking to obsd outside IF would both be $priv_nets.
 
 I'm thinking I could just use actual IPs:
 
 (NETGEAR and OBSD)
 sel_hosts = { 192.168.0.20, 192.168.0.19 }
 
 nosel_hosts =
   { 192.168.0.4, 192.168.0.5 [...] }
 
 (Keep everybody but NETGEAR and OBSD box [sel_hosts] out of $ext_if
 traffic)
 
   block drop in  quick on $ext_if from $nosel_hosts to any
   block drop out quick on $ext_if from any to $nosel_hosts
 
 But I'm getting out of my league here already...



IPSEC negotiation on demand

2006-02-25 Thread Matthew Closson
Rather than have isakmpd bring up all tunnels when the daemon starts up, 
is there a way to have it bring up the tunnels on demand?  For example.


host_a    router_b  router_c - host_d

Is there a way to setup isakmpd so that if host_a tries to send a packet 
to host_d, router_b will start IPSEC negotiation with router_c at that 
point, instead of as soon as isakmpd starts?


Thanks,

-Matt-



Re: Broadcom BCM4401 not configured

2006-02-25 Thread Brendan Grossman
Thanks! That would explain it, I'm trying to do an FTP install. 

On Sat, 25 Feb 2006 09:20:02 -0500, marius [EMAIL PROTECTED] said:
 Hi Brendan,
 
 Check http://www.openbsd.org/i386.html
 
 The boot floppies do not include support for the Broadcom BCM4401.
 Either use the .iso, or buy the CD.
 
 I've got that network card in my Acer laptop and it works great.
 
 //mts
 
 --
 Playing safe is only playing.
  Fortune Cookie from Simon's Wok
 
 
 List:   openbsd-misc
 Subject:Broadcom BCM4401 not configured
 From:   Brendan Grossman brendan () grossman ! id ! au
 Date:   2006-02-25 13:51:38
 Message-ID: 1140875374.20762.255247396 () webmail ! messagingengine ! com
 
 Hi all
 
 I'm trying to install 3.8 on an ASUS P4PE with onboard Broadcom BCM4401
 chip, however it doesn't seem to be detecting it.
 
 At boot I get the following...
 
 Broadcom BCM4410 rev 0x01 at pci2 dev 5 function 0 not configured
 
 I've Googled around but most reports seem to be from before the driver
 was released.
 
 I don't think it's hardware since I had the same system running Linux
 fine previously.
 
 Thanks
 
 Brendan



Re: pf.conf to log specific but block all

2006-02-25 Thread Harry Putnam
Melameth, Daniel D. [EMAIL PROTECTED] writes:

 There is a facility on the NETGEAR to send all traffic to an inside
 machine for whatever reason.  Its called a DMZ Server although I don't
 think that is the normal usage of DMZ, but not experienced enough to
 know for sure.

 This might not work the way you are expecting it to.  What you really
 want is a device that can mirror a switched port.

I've done some googling now as you suggested and what I'm seeing is
this mirroring facility is only available on high end
switches/routers.

Not ones in my price range of $2-300.  Plus, I already have this
NETGEAR so loath to spend another pile of cash.  And I know from
experimenting a year or so ago that enabling what they call DMZ
functionality will show me the traffic I want to see on whatever
machine I aim it at.

And finally, the objective here is to learn enough PF usage to be
confident I'm not opening my box for public perusal.  So not willing
to spend more on hardware.  Except maybe a soekris box but then I'm
back to needing to gain some confidence thru experience again.



Re: pf.conf to log specific but block all

2006-02-25 Thread Harry Putnam
Melameth, Daniel D. [EMAIL PROTECTED] writes:

 On a consumer-class Internet connection, I don't expect too much.
 However, the following should only log ssh:

That is what got me going on this... By negligence I'd left ssh open
after coming home from a trip where I had it open for connecting to
home machine.  Normally I turn it back off when I'm home. 

I saw over a 5 day period some 13,000 hits on ssh port.  Apparently
some half configured dictionary attacks.  I say half configured
because the attempted user names don't seem to be in any recognizable
order.  My passwords are good so I didn't get too worried but it did
cause me to wonder what is going on that my ssh port got so
interesting suddenly.

Of course I turned it off, but that leaves me with the sorry logging
facilities of the NETGEAR.

 # Block all traffic and block and log ssh
 block all
 block in log on $ext_if inet proto tcp from any to $ext_if port ssh

Thanks, that's the one I was stumbling around with.

I read your comments about further help and want to thank you for the
help already given.   I think it may be all I needed to get this done.

But I'll be back to pester people once I've gotten up my nerve and put
the OBSD box up to the plate.
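Daniel's rule above ("block in log on $ext_if inet proto tcp from any to $ext_if port ssh") writes every blocked SSH attempt to /var/log/pflog, which is where the 13,000 hits Harry mentions would end up. The following script is an added example, not code from this thread: it reads the pflog entries as `tcpdump -n -e -ttt -r /var/log/pflog port 22` prints them and counts blocked attempts per source address, so a burst of dictionary-style attempts from one host stands out. The sample log lines inside the block are constructed, the file path and the threshold of 3 attempts are assumptions, and the regular expression is written for the decoded pflog format tcpdump produces (rule number, action, direction, interface, then src.port > dst.port).

```python
"""Count blocked SSH attempts per source address in decoded pflog output.

Added example (not from the openbsd-misc thread). Assumes the pflog file was
produced by a rule like
    block in log on $ext_if inet proto tcp from any to $ext_if port ssh
and decoded with
    tcpdump -n -e -ttt -r /var/log/pflog port 22
Usage:  python pflog_ssh.py [decoded-pflog.txt]
Without an argument the constructed sample below is analysed.
"""
import re
import sys
from collections import Counter

# Constructed sample of tcpdump-decoded pflog lines (documentation addresses,
# not captured traffic). Four SYNs to port 22 come from one source.
SAMPLE_PFLOG = """\
000000 rule 1/(match) block in on rl0: 203.0.113.5.51234 > 192.168.0.19.22: S 1:1(0) win 5840
000312 rule 1/(match) block in on rl0: 203.0.113.5.51235 > 192.168.0.19.22: S 2:2(0) win 5840
001007 rule 1/(match) block in on rl0: 203.0.113.5.51236 > 192.168.0.19.22: S 3:3(0) win 5840
004411 rule 1/(match) block in on rl0: 198.51.100.77.4022 > 192.168.0.19.22: S 4:4(0) win 65535
000088 rule 0/(match) block in on rl0: 198.51.100.9.1040 > 192.168.0.19.80: S 5:5(0) win 65535
002203 rule 1/(match) block in on rl0: 203.0.113.5.51237 > 192.168.0.19.22: S 6:6(0) win 5840
"""

# One decoded pflog line: relative timestamp, "rule N/(match)", the action
# and direction, the interface, then "src.sport > dst.dport:" and TCP flags.
PFLOG_RE = re.compile(
    r"^\S+\s+rule\s+(?P<rule>\d+)/\(match\)\s+(?P<action>block|pass)\s+"
    r"(?P<dir>in|out)\s+on\s+(?P<ifname>\w+):\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_pflog_line(line):
    """Return the fields of one decoded pflog line as a dict, or None when
    the line is not in the expected format (e.g. non-IPv4 or truncated)."""
    m = PFLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def blocked_attempts_by_source(lines, dport=22, action="block"):
    """Count, per source address, the entries with the given action towards
    the given destination port (default: blocked SSH). Unparsable lines are
    skipped rather than aborting the whole run."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and rec["action"] == action and rec["dport"] == dport:
            counts[rec["src"]] += 1
    return counts


def noisy_sources(counts, threshold):
    """Sources with at least `threshold` attempts, most active first."""
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_PFLOG.splitlines()
    counts = blocked_attempts_by_source(lines)
    for src, n in noisy_sources(counts, threshold=3):  # threshold is an assumption
        print(f"{src}: {n} blocked SSH attempts")
```

Only entries whose action is "block" and whose destination port is 22 are counted, so the port-80 line and anything matched by a pass rule are ignored; feeding the script the output of `pfctl -vs rules` would not work, it wants the decoded packet log.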



Re: pf.conf to log specific but block all

2006-02-25 Thread Joachim Schipper
On Fri, Feb 24, 2006 at 08:58:11PM -0600, Harry Putnam wrote:
 I want to use pf.conf in what may be an unusual place.
 
 Not the usual shield between private net and internet.
 It would be more as a logging service but will need some config to
 allow two private net machines to access it.
 
 A network picture:
  
      INTERNET
         |
      DSLmodem
         |
   NETGEAR FW/router
   -------------------
   |  |  |  |  |  |  |
   m1 m2 m3 m4 m5 m6 m7
 
 m6 is an obsd-3.8 machine now running current
 
 The ports on the  Netgear are switched ports so not like a simple
 hub. 
 
 There is a facility on the NETGEAR to send all traffic to an inside
 machine for whatever reason.  Its called a DMZ Server although I don't
 think that is the normal usage of DMZ, but not experienced enough to
 know for sure.

That would probably send all outside-initiated traffic to your OpenBSD
box, from the sound of it. I.e., you will only see the hacks the Netgear
would have stopped anyway.

 At any rate I want to enable that feature and send all traffic to the
 obsd machine.  I want to see more of what is happening at the actual
 firewall.  It has poor logging facilities.  None in realtime.  And the
 fastest is daily by mail unless you want to logon to the router and do
 the cumbersome scanning by eye with the sorry java based interface.

However, if I read this, you also want to see the traffic to/from
m[1-5,7].

 I don't really want to accept any traffic from the INTERNET via
 NETGEAR on the obsd box but want to be able to log specific stuff as
 it hits the pf.conf filter.  I want to start analyzing what is coming
 at me more.
 
 I will need to be able to access the obsd box via ssh from one other local
 (priv) lan machine and it will need to be accessible to the private
 side of the NETGEAR.
 
 I'm not skilled enough with pf.conf to set this up just from the
 examples provided in the PF section of FAQ.  And man pages, But I'm
 hoping to gain enough knowledge about using PF to eventually replace
 the NETGEAR with an old beater running obsd or maybe even a soekris
 box.
 
 I hoped someone might provide a rough outline of what something like
 this would need to look like.

That is possible, but some things to consider:
1. You are logging stuff which is blocked by any firewall, NAT
router, or even Windows-based software firewall a la ZoneAlarm. In other
words, stuff that couldn't ever harm you unless you are being very, very
clueless (and are running Windows). And, most likely, stuff that isn't
very interesting either.
2. Unless you go with a full honeypot setup (see
www.honeynet.com or Google), you are not likely to see more than a SYN
packet being dropped by pf.
3. There is some stuff that *can* harm you - notably, hacks in
response to connections initiated by the machines behind your firewall.
The most common form would be yet another problem in a web browser. Your
proposed setup would not catch this.
4. Unless you are willing to spend *a lot* of time on the
honeypot, reading a good security list (Bugtraq, Full-Disclosure,
whatever) will tell you more about where the problems are than reading
pf logs.

If you *really* want to know what attacks are out there, the following
setup would make more sense:

INTERNET
   |
OpenBSD w/ snort
   |
 Netgear (optional; OpenBSD could filter, too)
   |
  - clients -

Of course, one should keep in mind that Snort has its limitations, and
should be kept up to date. It has three uses:
1. If a new vulnerability is found, and no patch is available,
and a Snort signature *is* available, Snort could tell you what machines
to disconnect.
2. If Snort catches a return packet that looks like a
compromised machine (for instance, a reverse shell), Snort could, again,
tell you what machines to disconnect.
3. If Snort is installed in IPS mode (ISTR this being only
possible on Linux, with some people working on a pf (*BSD) version but
not yet having production-quality code); it's called Snort-inline), it
could conceivably block attacks on unpatched machines.

That means that, for instance, the recent WMF vulnerability would have
been neatly blocked by this setup (or not - I recall quite a bit of
doubt about many signatures, as quite a few were by-passable). However,
almost all vulnerabilities in the *nix world are disclosed together with
the patch to fix them, and patching is typically faster than getting
Snort to recognize them.

Not to mention the fact that there exist many, many ways to confuse
('evade') Snort (not that it's impossible to block some/most of them,
but new ones are always springing up and it's not exactly easy), and

Re: IPSEC negotiation on demand

2006-02-25 Thread Matthew Closson

On Sat, 25 Feb 2006, Joachim Schipper wrote:


On Sat, Feb 25, 2006 at 10:29:11AM -0500, Matthew Closson wrote:

Rather than have isakmpd bring up all tunnels when the daemon starts up,
is there a way to have it bring up the tunnels on demand?  For example.

host_a    router_b  router_c - host_d

Is there a way to setup isakmpd so that if host_a tries to send a packet
to host_d, router_b will start IPSEC negotiation with router_c at that
point, instead of as soon as isakmpd starts?


Why would you want to do that? It's not like keeping a tunnel up will
use any significant amount of resources, while on-demand tunneling will
prove to impose quite a bit of delay.

Joachim




Some of my IKE-peers seem to operate this way.  For example more than one 
cisco admin has called me to ask why we have active tunnels but no data 
going through them.  And some remote implementations such as Sonicwall 
seem to take the tunnel down when there is being no data passed back and 
forth without sending me a teardown notify message.  I realize that 
on-demand tunneling will present a delay to startup the tunnel, but I am still 
curious to know if it is possible to do this on OpenBSD/isakmpd and how I 
might go about doing it.  Thanks,



-Matt-



Re: pf.conf to log specific but block all

2006-02-25 Thread Harry Putnam
Joachim Schipper [EMAIL PROTECTED] writes:

 There is a facility on the NETGEAR to send all traffic to an inside
 machine for whatever reason.  Its called a DMZ Server although I don't
 think that is the normal usage of DMZ, but not experienced enough to
 know for sure.

 That would probably send all outside-initiated traffic to your OpenBSD
 box, from the sound of it. I.e., you will only see the hacks the Netgear
 would have stopped anyway.

Yeah, that what I'm after.  As you say further along that will get
boring quickly but right now I'm interested to see what is happening
at my ssh port.  I received 13,000 hits on it over a 5 day period
after leaving it open (but with good password) inadvertently.

 At any rate I want to enable that feature and send all traffic to the
 obsd machine.  I want to see more of what is happening at the actual
 firewall.  It has poor logging facilities.  None in realtime.  And the
 fastest is daily by mail unless you want to logon to the router and do
 the cumbersome scanning by eye with the sorry java based interface.

 However, if I read this, you also want to see the traffic to/from
 m[1-5,7].

No,  I mean yes, but not with current subject of setting up obsd in
the way I've been asking about.

[...]

 I hoped someone might provide a rough outline of what something like
 this would need to look like.

[...]

   3. There is some stuff that *can* harm you - notably, hacks in
 response to connections initiated by the machines behind your firewall.
 The most common form would be yet another problem in a web browser. Your
 proposed setup would not catch this.
   4. Unless you are willing to spend *a lot* of time on the
 honeypot, reading a good security list (Bugtraq, Full-Disclosure,
 whatever) will tell you more about where the problems are than reading
 pf logs.

Yes, as you've noted very time consuming and probably a bit over my
head as well.

 All in all, reading the logs daily (which tell you what happened to
 the stuff that actually got through the firewall) is much more
 useful. And if you really want more, install Snort. Telling you what
 packets have been blocked by the firewall is only good for gathering
 statistics to impress management into letting you buy more
 toys. Which is a worthy goal, but not a misc@ subject...

Well as you've noted, the firewall is turning back the real harmful
stuff, unless I get really stupid inside. (not unheard of here).

And being able to read and understand what I'm seeing about traffic
coming thru is at present largely over my thick skull.

The windows machines inside, like my wife's and 2 that are heavy gauge
video edit crunchers, are likely to be the destinations of the kind of
stuff you mentioned, but my main desktop is a gentoo linux box running
IPtables so I do get to see that traffic.

I'm hoping to gain enough from the setup I've asked about so that
skull factor gets trimmed down a bit.  And eventually setup the OBSD
box as you and others have suggested.  Between Internet and inside net.



Re: OpenBSD's AFS informations

2006-02-25 Thread ober

You are in luck.
-current has an openafs port.
It contains a script to setup a single server cell.
OpenBSD also comes with arla in the base system which allows
for easy setup for clients.

-Ober

Richard Chesler: [Reading a piece of paper] The first rule of Fight Club is you 
don't talk about Fight Club?
Narrator: [Voice-over] I'm half asleep again; I must've left the original in 
the copy machine.
Richard Chesler: The second rule of Fight Club - is this yours?
Narrator: Huh?
Richard Chesler: Pretend you're me, make a managerial decision: you find this, 
what would you do?

On Sat, 25 Feb 2006, Bruno Carnazzi wrote:


Date: Sat, 25 Feb 2006 15:54:48 +0400
From: Bruno Carnazzi [EMAIL PROTECTED]
To: misc misc@openbsd.org
Subject: OpenBSD's AFS informations

  Hi misc,

I come to you because my enterprise will need some distributed file
system in the months to come. We need to distribute a big file system
between 2 main sites, accessed by multiple clients spread across
different sites. A client is nearly always a thin client running RDP
to some TSE cluster for office'ing. We got 1 TSE farm on each main
site. And a file server on each site too (actually a HS20 blade
running Windows 2003). We do not synchronize these file servers, which
makes them fault-intolerant. Each contains user profiles & documents.
The Microsoft solution, DFS, seems ok but I'd like to know if AFS
could be smartly used in that case. So, I'd like to know if OpenBSD's
AFS could do the following (I assume that our actual file servers are
replaced by OpenBSD AFS cells) :
 * Gently synchronize/distribute 2 physical file servers in 1 logical
file server (real time is not needed)
Yes, replication allows multiple readonly copies. Releasing is the sync 
process between the readwrite, and readonly clones.

 * Does it scale well (new AFS cells, new clients) ?
It scales extremely well, and is used by IBM, Intel, and many 
universities on a large scale (dozens of servers, and hundreds of 
clients).

   * Does it support a quota mechanism ?
Yes. Quotas are enforced on each volume.

 * Implementation and Administration cost (we are 2 bright guys :) ?

It's free. :D

 * What about the file permissions ? Is that Windows 2k3-friendly (ACL) ?
It has acls that are very friendly. Win32 port fully supports local disk 
cache, and acls. As well as a very nice administration gui.

 * Why did OpenBSD devs rewrite an AFS instead of reusing OpenAFS ?

We did not rewrite it. We just happen to have arla in our base.
Arla was a freeware solution, before IBM opensourced Afs.
Our port IS OpenAFS.

 * Integration with ActiveDirectory for authentication ?
I am not sure about ActiveDirectory, but I have seen backend 
authentication to KerberosV, and ldap domains.

 * Recovery of a lost cell ?

Fairly simple to restore a cell if you have all the database files and
volumes backed up somewhere.


Wow... Hard work to come :)

cd /usr/ports/net/openafs && make install


Best regards,

Bruno.




pf on bridge

2006-02-25 Thread Luke Eckley
All documentation I have seen about configuring pf on a bridge states
to pass in/out all on one interface and filter in/out on the other.

Why not just 'set skip on { lo, $bridge_int_1 }', then filter on
$bridge_int_0?

Luke



Re: pf on bridge

2006-02-25 Thread NetNeanderthal
On 2/25/06, Luke Eckley [EMAIL PROTECTED] wrote:
 All documentation I have seen about configuring pf on a bridge states
 to pass in/out all on one interface and filter in/out on the other.

 Why not just 'set skip on { lo, $bridge_int_1 }', then filter on
 $bridge_int_0?

Why not filter inbound on both, and pass all policy-based traffic out
unconditionally?  That will keep your rules much cleaner.

Here's a quick example:

# Interface definitions
ext_if = bge0
int_if = bge1

# Server definitions
ssh_server = 172.16.30.30
smtp_server = 172.16.30.31

# Default deny
block drop log

# pass local traffic
pass quick on lo inet

# pass tagged traffic out
pass out quick inet tagged FILTERED modulate state

# filter rules for ext_if -> int_if
pass in on $ext_if inet proto tcp to $ssh_server port 22 flags S/SA
modulate state tag FILTERED
pass in on $ext_if inet proto tcp to $smtp_server port 25 flags S/SA
modulate state tag FILTERED

# filter rules for int_if -> ext_if
pass in on $int_if inet proto tcp to port {80,443} flags S/SA modulate
state tag FILTERED
pass in on $int_if inet proto {tcp,udp} to port 53 flags S/SA modulate
state tag FILTERED
pass in on $int_if inet proto tcp from $smtp_server to port 25 flags
S/SA modulate state tag FILTERED

Experimentation (in a non-production environment) will serve you well.



Re: JPMorgan Chase Co.- Suspension Notice :159246495

2006-02-25 Thread Harry Putnam
Notice Chase [EMAIL PROTECTED] writes:

Chase staff,
Could you please fix the help and support links.



Unsafe Sockets

2006-02-25 Thread Jason Balan
Hi 

Having some trouble with mail filters.

Using this filter cvgfilter.c

Compile with

cc -I/usr/include -I/usr/share/sendmail -c cvgfilter.c

compiles to cvgfilter.o

This line below not sure what to do with

and your linking command line will look something like 
cc -o cvgfilter [object-files] -L[library-location] -lmilter -pthread

I am using Openbsd 3.8 sendmail 8.13

I put the filter cvgfilter.o in /var/run/cvgfilter/

The following line is added to my sendmail.mc file
INPUT_MAIL_FILTER(`dislib', `S=local:/var/run/cvgfilter/cvgfilter.sock')
Then I build the sendmail.cf.

If I am missing something would appreciate the help.

When I send an email I get these errors in the log file

Feb 25 13:53:22 bua2 sendmail[13279]: k1PKrMv5013279: Milter (cvgfilter): 
local socket name /var/run/cvgfilter/cvgfilter.sock
 unsafe
Feb 25 13:53:22 bua2 sendmail[13279]: k1PKrMv5013279: Milter (cvgfilter): to 
error state

Not sure what permissions are to be on the directories

Jay
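
As an added example, not Jay's code or anything from the thread: a small POSIX sh check that approximates the test behind sendmail's "unsafe" message. The assumption, stated here and in the comments, is that sendmail refuses a local milter socket whose directory is not owned by the expected user or is writable by group or others. The link command in the comment is the generic form the libmilter documentation line quoted in the message, with the library path filled in as an assumed value. Two things to verify before any permission work: the object file cvgfilter.o has to be linked into an executable, and that program has to be running, because the socket named in INPUT_MAIL_FILTER is created by the milter (libmilter), while sendmail only connects to it.

```shell
#!/bin/sh
# Added example, not from the thread. Approximates sendmail's safe-path test
# for a local milter socket (assumption: sendmail reports the socket as
# "unsafe" when its directory is writable by group or others, or is not
# owned by the expected user). The link step the poster was missing, with
# an assumed -L path:
#
#   cc -o cvgfilter cvgfilter.o -L/usr/lib -lmilter -pthread
#
# The linked milter must be running: libmilter creates the socket named in
# INPUT_MAIL_FILTER, sendmail only connects to it.

# check_socket_dir_safe DIR OWNER
# Returns 0 if DIR exists, is owned by OWNER and is neither group- nor
# world-writable; prints the reason and returns 1 otherwise.
check_socket_dir_safe() {
    dir=$1
    want_owner=$2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # ls -ld instead of stat(1), whose flags differ between BSD and GNU.
    line=$(ls -ld "$dir")
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    if [ "$owner" != "$want_owner" ]; then
        echo "unsafe: $dir is owned by $owner, expected $want_owner"
        return 1
    fi
    # position 6 is the group write bit, position 9 the world write bit
    case $mode in
        ?????w*|????????w?)
            echo "unsafe: $dir is group- or world-writable ($mode)"
            return 1 ;;
    esac
    return 0
}

# fix_socket_dir DIR OWNER: create or repair DIR so that the check passes.
fix_socket_dir() {
    mkdir -p "$1" && chown "$2" "$1" && chmod 755 "$1"
}
```

Run it against the directory from the message with the user the milter runs as, e.g. `check_socket_dir_safe /var/run/cvgfilter root`; the socket file itself appears only once the milter process is up.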



Re: pf.conf to log specific but block all

2006-02-25 Thread knitti
On 2/25/06, Harry Putnam [EMAIL PROTECTED] wrote:
 Melameth, Daniel D. [EMAIL PROTECTED] writes:

  On a consumer-class Internet connection, I don't expect too much.
  However, the following should only log ssh:

 That is what got me going on this... By negligence I'd left ssh open
 after coming home from a trip where I had it open for connecting to
 home machine.  Normally I turn it back off when I'm home.

 I saw over a 5 day period some 13,000 hits on ssh port.  Apparently
 some half configured dictionary attacks.  I say half configured
 because the attempted user names don't seem to be in any recognizable
 order.  My passwords are good so I didn't get too worried but it did
 cause me to wonder what is going on that my ssh port got so
 interesting suddenly.

you worry too much. either choose good passwords, or better, set up
login with ssh-keys only. it's worth reading and googling for maybe
an hour or two, if you're not familiar with it. if this is in place, you don't
have to worry, and you also don't have to log connections to your ssh
port.


--knitti
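
Added example, not knitti's or Harry's code: two small POSIX sh helpers for the situation in this thread. The first counts failed sshd logins per source address from authlog lines (the sample lines are constructed, in the shape OpenBSD's sshd writes to /var/log/authlog), which is enough to tell a dictionary run from stray attempts. The second audits an sshd_config for the key-only setup knitti recommends; it assumes OpenSSH's defaults, where both PasswordAuthentication and ChallengeResponseAuthentication are "yes" unless the file says otherwise.

```shell
#!/bin/sh
# Added example, not from the thread. Sample authlog lines are constructed.
SAMPLE_AUTHLOG='Feb 25 03:14:01 home sshd[4021]: Failed password for invalid user admin from 192.0.2.10 port 4123 ssh2
Feb 25 03:14:04 home sshd[4023]: Failed password for invalid user test from 192.0.2.10 port 4131 ssh2
Feb 25 03:14:07 home sshd[4025]: Failed password for root from 192.0.2.10 port 4140 ssh2
Feb 25 03:20:11 home sshd[4030]: Failed password for invalid user oracle from 198.51.100.7 port 51022 ssh2
Feb 25 08:02:33 home sshd[4101]: Accepted publickey for harry from 203.0.113.5 port 49152 ssh2'

# failed_logins_by_source: read authlog lines on stdin, print
# "<address> <count>" per source address, most attempts first.
failed_logins_by_source() {
    grep 'sshd\[.*\]: Failed password' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
        sort | uniq -c | sort -rn |
        awk '{ print $2, $1 }'
}

# sources_over_threshold N: only the addresses with more than N failures.
sources_over_threshold() {
    failed_logins_by_source | awk -v n="$1" '$2 > n { print $1 }'
}

# sshd_allows_password_login: read an sshd_config on stdin; return 0 if
# password or challenge-response logins are still possible, 1 if the file
# turns both off (keys only). Assumption: OpenSSH defaults both directives
# to "yes", so a missing directive counts as allowed.
sshd_allows_password_login() {
    awk '
        # keywords are case-insensitive; skip comments and blank lines
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication"          { pw = val }
        key == "challengeresponseauthentication" { cr = val }
        END { if (pw == "no" && cr == "no") exit 1; exit 0 }
    '
}
```

Typical use on the box from the thread: `failed_logins_by_source < /var/log/authlog` to see who is knocking, and `sshd_allows_password_login < /etc/ssh/sshd_config && echo "passwords still accepted"` after switching to keys.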



manual vs. crontab execution

2006-02-25 Thread Peter Bako
I have a weird problem I cannot find a solution to.  I've written a small
script (attached below) that I put on the dozen or so systems that I
maintain for friends and clients, that daily sends some basic information to
my web server.  This data is then stored in a MySQL database and viewed via
another script.  All the systems are running OpenBSD version 3.5 to 3.8, and
the one in question here is 3.8.

The problem is this.  On one remote system (identical in every respect to
about 8 others out there), the script when executed manually (either as root
or as a non-privileged user) runs normally and uploads its data as it
should.  However when the cron job hits at midnight the script always fails
and without any error message that I can get.  As you can see the script is
quite simple, the only active component is a call to CURL which hits a
specific address.  The local log entry lists my error message but $result is
always empty so I have no specific error to go by.  By looking through the
logs of my own web server at the same time that the local log entry is made,
I know that the connection to my system is never established.

Here is the script:
--
#!/bin/sh
name=`uname -n`
ip=`ifconfig sis0 | grep 'inet ' | awk '{ print $2 }'`
space=`df | tail -1 | awk '{ print $4 }'`
ver=`uname -r`

data="http://xxx.yyy.com/fw/fwin.php?NAME=$name&IP=$ip&FREE=$space&VER=$ver"

result=`/usr/local/bin/curl -s "$data"`
case $result in
good)
logger "Info successfully logged!"
exit 0
;;

*)
logger "Unable to log system info!  Error: $result"
exit 1
;;
esac
-
The cron job that launches it is added to root's crontab (crontab -u root
-e) and looks like this:
-
@daily	/usr/local/fwreport
-

I've tried leaving the -s flag off of the CURL call to get some kind of an
error out, but whatever might come back does not make it out to the $result
variable.  Again this identical script works on over a dozen other systems,
most totally identical to this unit down to the hardware and OS version, so
it has to be more or less correct.

Any suggestion, ideas, etc. are appreciated.
Peter
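
Added example, not Peter's script: the same job written so that a failure under cron leaves something to diagnose. A cron job runs with an environment that differs from an interactive shell (its own PATH and HOME, no tty), so the script sets PATH explicitly, and curl's exit status and stderr are recorded instead of being discarded by `-s` alone. The host name xxx.yyy.com and the sis0 interface are the placeholders from the thread; the log tag, the PATH and the use of `curl` from PATH rather than /usr/local/bin are assumptions.

```shell
#!/bin/sh
# Added example, not Peter's script. Assumed: PATH below, log tag "fwreport",
# curl found on PATH. URL host and sis0 are the thread's own placeholders.
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin
export PATH

# run_logged CMD [ARGS...]: run CMD, capture stdout, stderr and exit status,
# print them as one line "status=N out=... err=..." and return CMD's status.
run_logged() {
    errfile=$(mktemp) || return 1
    out=$("$@" 2>"$errfile")
    status=$?
    err=$(cat "$errfile")
    rm -f "$errfile"
    printf 'status=%s out=%s err=%s\n' "$status" "$out" "$err"
    return "$status"
}

# build_report_url BASE NAME IP FREE VER: assemble the query string with
# the & separators inside a quoted format, so the shell never sees them bare.
build_report_url() {
    printf '%s?NAME=%s&IP=%s&FREE=%s&VER=%s\n' "$1" "$2" "$3" "$4" "$5"
}

# fwreport: the job body. Defined only; call it from the crontab entry.
fwreport() {
    name=$(uname -n)
    ip=$(ifconfig sis0 | awk '/inet / { print $2 }')
    space=$(df | tail -1 | awk '{ print $4 }')
    ver=$(uname -r)
    url=$(build_report_url "http://xxx.yyy.com/fw/fwin.php" "$name" "$ip" "$space" "$ver")
    # -S makes curl report errors on stderr even with -s; run_logged keeps them.
    result=$(run_logged curl -sS "$url")
    case $result in
        "status=0 out=good err=")
            logger -t fwreport "successfully logged"; return 0 ;;
        *)
            logger -t fwreport "upload failed: $result"; return 1 ;;
    esac
}
```

With this in place a cron failure shows up in the local log as, for instance, a non-zero curl status together with its own error text (DNS, route, or a missing binary), which narrows the search far more than an empty `$result`. Comparing `env` output from an interactive shell with what the cron job sees is the other half of that diagnosis.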



Custom kernel = sk transmit failures

2006-02-25 Thread David Higgs
I know custom kernels aren't supported, but I ran into some odd issues
when I tried to make a new stripped-down 3.8-stable kernel for my new
hardware (a 3com 3C2000-T card).

I generate kernel configs with dmassage (-s option) to remove unused
drivers and a bit of hand-tweaking to remove features I don't use
(emulation).  My old custom config was for my xl and rl cards, and
worked just fine.  For the new config, I simply removed the rl
references and uncommented the necessary sk ones.

The compile went normally, but on boot there appeared to be something
wrong with the sk card.  It wouldn't transmit traffic.  CUSTOM's dmesg
showed that it found hardware identical to GENERIC except that it used
vga0 instead of vga1.  The GENERIC dmesg is appended below.

Everything was just fine on the xl0 interface, but sk0 was another
story.  Pings complained that remote hosts were down, and traceroutes
died with host unreachable.  The routing table had all the right
entries, and running ifconfig down/up didn't change anything.  ARP
tables showed that no MAC addresses were discovered for any host on
the sk0 side.

Oddly enough, named errors indicated that incoming DNS requests were
being received, but transmit was a problem.  I got a large number of
these in /var/log/messages:
Feb 25 22:25:38 dell named[21218]: client 10.0.0.2#1037: error sending response:
 host unreachable

Since GENERIC works fine, I am going to stick with that for the time
being.  However, this could be indicative of some kind of dependency
not being handled correctly?  I figured it might be worth bringing up.

Thanks.

--david


OpenBSD 3.8-stable (GENERIC) #3: Fri Feb  3 23:16:47 EST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class, 512KB L2 cache) 599 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 268005376 (261724K)
avail mem = 237662208 (232092K)
using 3297 buffers containing 13504512 bytes (13188K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(af) BIOS, date 10/13/00, BIOS32 rev. 0 @ 0xfd790
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd790/0x870
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf20/192 (10 entries)
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x9800 0xc9800/0x800 0xca000/0x800
0xe/0x4000! 0xe4000/0xc000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Nvidia Riva TNT2 rev 0x11
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: Maxtor 52049H3
wd0: 16-sector PIO, LBA, 19473MB, 39882528 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SAMSUNG, CD-ROM SC-148C, C002 SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 Intel 82371AB USB rev 0x01: irq 9
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
Intel 82371AB Power rev 0x02 at pci0 dev 7 function 3 not configured
skc0 at pci0 dev 16 function 0 3Com 3c940 rev 0x10: irq 9
skc0: Marvell Yukon (0x1)
sk0 at skc0 port A: address 00:0a:5e:5c:50:41
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 3
xl0 at pci0 dev 17 function 0 3Com 3c905C 100Base-TX rev 0x74: irq
10, address 00:01:03:c3:66:4e
bmtphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 6
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask fb6d netmask ff6d ttymask ffef
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302