Re: BIND forwarding
On the USENET I've learnt that forwarders shouldn't be used...

-----Original Message-----
From: Brendan Grossman [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 16 April 2006 6:17 AM
To: 'misc@openbsd.org'
Subject: BIND forwarding

I have a simple BIND setup that forwards requests for non-local domains to my ISP's name servers.
Re: OpenBSD todo list?
On 4/11/06, Ted Unangst [EMAIL PROTECTED] wrote: rewrite units. it can convert euros to dollars at an awesome rate of 94 cents per euro, but can't convert temperature. What's worse is it *does* recognize 'degF' and 'degC' units, but the conversion between them only does the multiply/divide by 9/5, but not the add/subtract 32 part, so it gives incorrect results. While this inability is mentioned in the man page, it would be better to not include 'degF' at all than to have it be incorrect. Most equations would use SI units anyway, right? (When I first discovered the degF/degC units grep'ing through the units library, my first thought was that the man page was outdated and it did handle them now; unfortunately that is not the case.) Similarly, currencies fluctuate enough to not be worth including. Unfortunately, this limitation of multiplicative scales only most likely runs rather deep, and would probably require a large amount of work to fix. -Andrew
Google Summer of Code
Google is doing their Summer of Code this year also and since OpenBSD missed it last year I thought maybe some official would want to sign up OpenBSD. The site is: http://code.google.com/summerofcode.html I'm not a student myself but I think this is a great way to get new people to contribute to the project. // Dunceor
Re: Google Summer of Code
I don't think so. In some cases the GSoC was not a real success. Just check the mozilla SoC. People create broken stuff and wanted their money. Then they just disappeared. OpenBSD wants people who love to hack on stuff and not just hack because of the money they can get after the work is done.
OpenBSD as workstation...yes!
Hi list, Quite useless thread indeed ... :-/ Due to hard disk crash i decided to migrate the only machine not running OpenBSD to OpenBSD. But tired hearing here and there than OpenBSD is only useful and reliable on servers i made few screenshots on my main workstation ... Here it is http://www.chatou-informatic.com/opendesktop Thanks again OpenBSD for this to be possible .
sshd: all users but root fails to login
Hi,

Running last snapshot 3.9 and have a strange problem: Just root can login using ssh, all other users fail with access denied. /etc/ttys seems to be ok. A newly added user (with adduser) gets the same error as well as existing old users. I am out of ideas, so any suggestion would be appreciated.

Below is a dump of sshd -d (for a failing user)

# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_4.3
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 6 clearing
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: inetd sockets after dupping: 4, 4
Connection from 172.16.90.253 port 1152
debug1: Client protocol version 2.0; client software version PuTTY_Release_0.58
debug1: no match: PuTTY_Release_0.58
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: permanently_set_uid: 27/27
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEX
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes256-cbc hmac-sha1 none
debug1: kex: server->client aes256-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user linner service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Approval failure for linner
input_userauth_request: invalid user linner
Failed none for invalid user linner from 172.16.90.253 port 1152 ssh2
debug1: userauth-request for user linner service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=linner devs=
debug1: kbdint_alloc: devices 'bsdauth'
debug1: auth2_challenge_start: trying authentication method 'bsdauth'
debug1: userauth-request for user linner service ssh-connection method password
debug1: attempt 2 failures 2
Failed password for invalid user linner from 172.16.90.253 port 1152 ssh2

/Johan
Re: sshd: all users but root fails to login
Johan skrev:

  Hi, Running last snapshot 3.9 and have a strange problem: Just root can login using ssh, all other users fail with access denied. /etc/ttys seems to be ok. A newly added user (with adduser) gets the same error as well as existing old users. I am out of ideas, so any suggestion would be appreciated.

  snip

Solved: Sometimes it's too obvious... Had an old /etc/nologin which now is removed and everything works as expected. Sorry for the noise...

/Johan
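The debug output in this thread has a detail worth triaging automatically: sshd reported "invalid user linner" and an "Approval failure" before any password was checked, which is an account-level refusal rather than a bad credential, and the cause turned out to be a stale /etc/nologin. The following is an added example, not code from the thread or from OpenSSH; it classifies sshd failure lines by that distinction over constructed sample lines modelled on the ones Johan posted. The heuristic (an "invalid user" failure means the account was rejected before credential checking) and the helper names are this example's own.

```python
"""Triage of sshd failure lines (added example, not from the thread or OpenSSH).

Heuristic used here (the example's own, not something sshd documents):
a 'Failed <method> for invalid user <u>' line means sshd rejected the account
before checking any credential, so a wrong password cannot be the cause. On
OpenBSD a stale /etc/nologin produces exactly that for every non-root account.
"""
import os
import re
from collections import Counter

# Constructed sample: the two failure lines from the post plus one ordinary
# wrong-password line for root so that both classes appear.
SAMPLE_LOG = [
    "debug1: attempt 0 failures 0",
    "Failed none for invalid user linner from 172.16.90.253 port 1152 ssh2",
    "Failed password for invalid user linner from 172.16.90.253 port 1152 ssh2",
    "Failed password for root from 172.16.90.253 port 1160 ssh2",
]

FAILED_RE = re.compile(
    r"Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh2"
)


def classify(line):
    """Return (kind, user, src) for an sshd failure line, or None for other lines.

    kind is 'account-denied' when sshd flagged the user as invalid,
    otherwise 'bad-credential' (the account exists, the credential failed).
    """
    m = FAILED_RE.search(line)
    if not m:
        return None
    kind = "account-denied" if m.group("invalid") else "bad-credential"
    return kind, m.group("user"), m.group("src")


def summarize(lines):
    """Count failures per (kind, user, src) over a log."""
    counts = Counter()
    for line in lines:
        c = classify(line)
        if c is not None:
            counts[c] += 1
    return counts


def denied_known_accounts(summary, known_users):
    """Accounts that exist locally yet were rejected at the account stage.

    Seeing these is the signal that something other than the password
    (e.g. /etc/nologin) is refusing the login.
    """
    return sorted({u for (kind, u, _) in summary
                   if kind == "account-denied" and u in known_users})


def nologin_present(path="/etc/nologin"):
    """True if the file that blocks all non-root logins exists."""
    return os.path.exists(path)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key, n in sorted(s.items()):
        print(n, *key)
    denied = denied_known_accounts(s, {"linner"})
    if denied and nologin_present():
        print("known accounts denied and /etc/nologin exists:", denied)
```

Run against real logs, `denied_known_accounts` takes the set of users from the local passwd database; the point of the split is that a "bad-credential" burst looks like a password-guessing problem, while "account-denied" for an account that exists points at login policy (nologin, login class) and not at the user's password.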
Google Summer of Code 2006: OpenBSD will take part?
Hi everybody, I just read about Google Summer of Code 2006. (http://code.google.com/soc/) Will openbsd apply to be a mentoring organization? This can be a good opportunity to get fresh people working on openbsd. Fabio Varesano
Re: Google Summer of Code 2006: OpenBSD will take part?
I just read about Google Summer of Code 2006. (http://code.google.com/soc/) Will openbsd apply to be a mentoring organization? This can be a good opportunity to get fresh people working on openbsd. you don't really read misc@, do you? there was the same question about 5 hours ago... -- ciao, lev
Re: Google Summer of Code
Too bad summer is gone... -p.
Re: Google Summer of Code
On 16/04/06, Robert Nagy [EMAIL PROTECTED] wrote: I don't think so. In some cases the GSoC was not a real success. Just check the mozilla SoC. People create broken stuff and wanted their money. Then they just disappeared. OpenBSD wants people who love to hack on stuff and not just hack because of the money they can get after the work is done. Mozdev have accepted wrong proposals, stuff that no-one was interested in, or stuff that was impossible to complete by one person in one summer. And after all, mozilla.org was not involved, only mozdev.org was, and that was a huge difference IMHO. From what I saw on NetBSD web-pages a while ago, there were quite some useful outcomes of the SoC 2005. Gerv's blog also reveals one other SoC participant that stayed with his mentoring organisation and was given 'official member' status sometime thereafter. Cheers, Constantine.
Re: OpenBSD as workstation...yes!
Hi Johan, interesting. How much disk space would I need to get the same or similar setup?

Regards
Andrew

On Sun, 16 Apr 2006 12:42:06 +0200, Johan SANCHEZ [EMAIL PROTECTED] said:
  Hi list, Quite useless thread indeed ... :-/ Due to hard disk crash i decided to migrate the only machine not running OpenBSD to OpenBSD. But tired hearing here and there than OpenBSD is only useful and reliable on servers i made few screenshots on my main workstation ... Here it is http://www.chatou-informatic.com/opendesktop Thanks again OpenBSD for this to be possible .

--
Andrew Ng [EMAIL PROTECTED]
--
http://www.fastmail.fm - mmm... Fastmail...
Re: Google Summer of Code
Indeed. If the intention was to only cover northern countries, Summer of Cold might have been a more appropriate name. :-) -p.
openbsd 3.9-current and php setlocale
hi, php setlocale(LC_ALL,'some-locale') returns 'C/some-locale/C/C/C/C' string on openbsd 3.8. OpenBSD manual (setlocale.3) says that LC_ALL category is not supported and setlocale should return null or false. some months ago I've talked about it on #openbsd channel and people said that it should be fixed in 3.9-current today I've got report that 'OpenBSD 3.9-current (GENERIC) #670' does same thing if openbsd does not support LC_ALL category, then why do you return locale name on setlocale call? Maybe you can explain setlocale output string format? -- Tomas
Re: OpenBSD as workstation...yes!
Hi

Less than 1.5 GB :)

root and home fs are inside wd0 which is :

wd0 at pciide0 channel 0 drive 0: <FUJITSU MPB3064ATU E>

Cheers

  Hi Johan, interesting. How much disk space would I need to get the same or similar setup? Regards Andrew

  On Sun, 16 Apr 2006 12:42:06 +0200, Johan SANCHEZ [EMAIL PROTECTED] said:
    Hi list, Quite useless thread indeed ... :-/ Due to hard disk crash i decided to migrate the only machine not running OpenBSD to OpenBSD. But tired hearing here and there than OpenBSD is only useful and reliable on servers i made few screenshots on my main workstation ... Here it is http://www.chatou-informatic.com/opendesktop Thanks again OpenBSD for this to be possible .

  --
  Andrew Ng [EMAIL PROTECTED]
  --
  http://www.fastmail.fm - mmm... Fastmail...
Re: OpenBSD todo list?
On 4/16/06, Andrew Daugherity [EMAIL PROTECTED] wrote: On 4/11/06, Ted Unangst [EMAIL PROTECTED] wrote: rewrite units. it can convert euros to dollars at an awesome rate of 94 cents per euro, but can't convert temperature. What's worse is it *does* recognize 'degF' and 'degC' units, but the conversion between them only does the multiply/divide by 9/5, but not the add/subtract 32 part, so it gives incorrect results. While this inability is mentioned in the man page, it would be better to not include 'degF' at all than to have it be incorrect. Most equations would use SI units anyway, right? (When I first discovered the degF/degC units grep'ing through the units library, my first thought was that the man page was outdated and it did handle them now; unfortunately that is not the case.) Similarly, currencies fluctuate enough to not be worth including. Unfortunately, this limitation of multiplicative scales only most likely runs rather deep, and would probably require a large amount of work to fix. Why not just redesign the program then, and allow arbitrary conversions (eg additive, multiplicative, exponential)? As for money, a script could be written to pull data from somewhere and update the definitions. http://www.xe.com/dfs/ provides such a service, but for an extraordinary fee, but I've just found that http://www.imf.org provides any data you want for any of the 184 currencies they oversee for any date for free. This sounds like a fun project. If no one else wants it, I'll do it. -Nick
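The defect Andrew describes and the redesign Nick proposes come down to one modelling choice: units(1) treats every unit as a pure scale factor, so degF to degC gets only the 9/5 factor and misses the 32 (or, relative to kelvin, the 459.67) offset. The block below is an added example, not units(1) code or anything from the thread; it models each unit as a (dimension, scale, offset) triple relative to a base unit so that multiplicative and affine conversions share one code path, and keeps a scale-only routine beside it to reproduce the wrong answer the thread complains about. The unit table is constructed for the example; the physical constants are the standard ones.

```python
"""Unit conversion with multiplicative and affine scales (added example,
not the units(1) implementation discussed in the thread).

Each unit is (dimension, scale, offset) relative to a base unit:
    value_in_base = value * scale + offset
For metres/feet offset is 0 and this degenerates to the pure scale factor
units(1) uses; for degC/degF the offset is what units(1) lacks.
"""

# Constructed unit table; base units are the metre and the kelvin.
UNITS = {
    "m":    ("length", 1.0, 0.0),
    "ft":   ("length", 0.3048, 0.0),
    "K":    ("temperature", 1.0, 0.0),
    "degC": ("temperature", 1.0, 273.15),
    # K = (F + 459.67) * 5/9  ->  scale 5/9, offset 459.67 * 5/9
    "degF": ("temperature", 5.0 / 9.0, 459.67 * 5.0 / 9.0),
}


def conformable(src, dst):
    """True if both units measure the same dimension."""
    return UNITS[src][0] == UNITS[dst][0]


def to_base(value, unit):
    """Express value in the base unit of its dimension."""
    _, scale, offset = UNITS[unit]
    return value * scale + offset


def convert(value, src, dst):
    """Affine-aware conversion: go through the base unit, then invert dst's map."""
    if not conformable(src, dst):
        raise ValueError(f"conformability error: {src} vs {dst}")
    _, scale, offset = UNITS[dst]
    return (to_base(value, src) - offset) / scale


def convert_scale_only(value, src, dst):
    """The multiplicative-only behaviour the thread describes: offsets ignored.

    Correct for lengths, wrong for temperatures (212 degF -> 117.8 "degC").
    """
    if not conformable(src, dst):
        raise ValueError(f"conformability error: {src} vs {dst}")
    return value * UNITS[src][1] / UNITS[dst][1]


if __name__ == "__main__":
    for f in (-40, 32, 212):
        print(f"{f} degF = {convert(f, 'degF', 'degC'):.2f} degC "
              f"(scale-only gives {convert_scale_only(f, 'degF', 'degC'):.2f})")
    print(f"1 m = {convert(1, 'm', 'ft'):.4f} ft")
```

The scale-only function is kept deliberately: diffing its output against `convert` on the same inputs is the regression test that would have caught the degF/degC problem, and it shows that the redesign costs nothing for the units that were already right.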
Re: OpenBSD todo list?
On 4/16/06, Nick Guenther [EMAIL PROTECTED] wrote: On 4/16/06, Andrew Daugherity [EMAIL PROTECTED] wrote: I've just found that http://www.imf.org provides any data you want for any of the 184 currencies they oversee for any date for free. Oh, I lied, it's only 52 countries. Still useful, but does anyone know of a more complete source? Where do exchange rates come from anyway? -Nick
FYI: sch5017
It's looking good. Thanks Roman for letting me help out. Only two problems persist:

1) we get the list twice due to the nviic detecting two iic's
2) register 0x20 is +5 VTR, which differs from the adt chip

Here are the results as of pulling down the CVS this weekend:

hw.sensors.0=adt0, +2.5Vin, 1.32 V DC
hw.sensors.1=adt0, Vccp, 1.43 V DC
hw.sensors.2=adt0, Vcc, 3.35 V DC
hw.sensors.3=adt0, +5V, 5.13 V DC
hw.sensors.4=adt0, +12V, 12.00 V DC
hw.sensors.5=adt0, Remote1 Temp, 31.00 degC
hw.sensors.6=adt0, Internal Temp, 38.00 degC
hw.sensors.7=adt0, Remote2 Temp, 33.00 degC
hw.sensors.8=adt0, TACH1, 3832 RPM
hw.sensors.9=adt0, TACH2, 2204 RPM
hw.sensors.12=adt1, +2.5Vin, 1.32 V DC
hw.sensors.13=adt1, Vccp, 1.43 V DC
hw.sensors.14=adt1, Vcc, 3.35 V DC
hw.sensors.15=adt1, +5V, 5.10 V DC
hw.sensors.16=adt1, +12V, 12.06 V DC
hw.sensors.17=adt1, Remote1 Temp, 31.00 degC
hw.sensors.18=adt1, Internal Temp, 38.00 degC
hw.sensors.19=adt1, Remote2 Temp, 33.00 degC
hw.sensors.20=adt1, TACH1, 3829 RPM
hw.sensors.21=adt1, TACH2, 2204 RPM

here's the dmesg:

OpenBSD 3.9-current (GENERIC) #26: Fri Apr 14 16:10:03 MDT 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) 64 Processor 3000+ (AuthenticAMD 686-class, 512KB L2 cache) 1.81 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
real mem  = 1073246208 (1048092K)
avail mem = 972591104 (949796K)
using 4278 buffers containing 53764096 bytes (52504K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(ad) BIOS, date 02/17/05, BIOS32 rev. 0 @ 0xfa780
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 3.0 @ 0xf/0xcc54
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfcb20/288 (16 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 17 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: no compatible PCI ICU found
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #5 is the last bus
bios0: ROM list: 0xc/0xf000 0xd/0x1800 0xd2000/0x1600
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
"NVIDIA nForce4 DDR" rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 "NVIDIA nForce4 ISA" rev 0xa3
nviic0 at pci0 dev 1 function 1 "NVIDIA nForce4 SMBus" rev 0xa2
iic0 at nviic0
adt0 at iic0 addr 0x2e: sch5017 rev 0x89
iic1 at nviic0
adt1 at iic1 addr 0x2e: sch5017 rev 0x89
ohci0 at pci0 dev 2 function 0 "NVIDIA nForce4 USB" rev 0xa2: irq 5, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: NVIDIA OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 10 ports with 10 removable, self powered
ehci0 at pci0 dev 2 function 1 "NVIDIA nForce4 USB" rev 0xa3: irq 10
usb1 at ehci0: USB revision 2.0
uhub1 at usb1
uhub1: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
uhub1: 10 ports with 10 removable, self powered
auich0 at pci0 dev 4 function 0 "NVIDIA nForce4 AC97" rev 0xa2: irq 5, nForce4 AC97
ac97: codec id 0x414c4760 (Avance Logic ALC655)
audio0 at auich0
pciide0 at pci0 dev 6 function 0 "NVIDIA nForce4 IDE" rev 0xa2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <HL-DT-ST, DVDRAM GSA-4163B, A103> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
pciide1 at pci0 dev 7 function 0 "NVIDIA nForce4 SATA" rev 0xa3: DMA
pciide1: using irq 10 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: <WDC WD360GD-00FLA2>
wd0: 16-sector PIO, LBA48, 35304MB, 72303840 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide1 channel 1 drive 0: <WDC WD3200KS-00PFB0>
wd1: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd1(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
pciide2 at pci0 dev 8 function 0 "NVIDIA nForce4 SATA" rev 0xa3: DMA
pciide2: using irq 11 for native-PCI interrupt
ppb0 at pci0 dev 9 function 0 "NVIDIA nForce4 PCI-PCI" rev 0xa2
pci1 at ppb0 bus 1
"ATI Rage XL" rev 0x27 at pci1 dev 5 function 0 not configured
"VIA VT6306 FireWire" rev 0x80 at pci1 dev 6 function 0 not configured
skc0 at pci1 dev 10 function 0 "D-Link Systems DGE-530T" rev 0x11, Marvell Yukon Lite (0x9): irq 5
sk0 at skc0 port A, address 00:15:e9:2e:28:e6
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 5
nfe0 at pci0 dev 10 function 0 "NVIDIA CK804 LAN" rev 0xa3: irq 11, address 00:e0:81:56:8f:67
eephy1 at nfe0 phy 1: Marvell 88E Gigabit PHY, rev. 1
ppb1 at pci0 dev 11 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
pci2 at ppb1 bus 2
ppb2 at pci0 dev 12 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
pci3 at ppb2 bus 3
ppb3 at pci0 dev 13 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
pci4 at ppb3 bus 4
bge0 at pci4 dev 0 function 0 "Broadcom BCM5721" rev 0x11, BCM5750 B1 (0x4101): irq 11, address 00:e0:81:56:8f:66
brgphy0 at
Re: 'set skip on' being inconsistent
On 4/13/06, Chris Cameron [EMAIL PROTECTED] wrote:

  In my pf.conf I have:

    set skip on tun0
    set skip on enc0
    set skip on lo0

  tun0 is for OpenVPN. If I run pfctl -f /etc/pf.conf, I can connect with OpenVPN and telnet to a server. If I disconnect OpenVPN, wait for a couple of minutes, then try connecting with telnet again, pf blocks the connection. If I run pfctl -f /etc/pf.conf, I can connect again. OpenVPN connects fine, it's just the telnet after that doesn't work. tcpdump -i tun0 shows the packets coming in.

  The connection attempt in my pflog:

    Apr 13 14:03:37.157867 rule 0/(match) block in on tun0: 192.168.123.6.1160 > 192.168.120.50.23: S 648098994:648098994(0) win 16384 <mss 1368,nop,nop,sackOK> (DF)
    Apr 13 14:03:43.092857 rule 0/(match) block in on tun0: 192.168.123.6.1160 > 192.168.120.50.23: S 648098994:648098994(0) win 16384 <mss 1368,nop,nop,sackOK> (DF)

  Anyone know what's going on? This is a patched Sparc64/3.8 in a carp setup.

I think, after reading the manpage, that this behavior is because you can 'set skip on' only one time. If you want to specify more than one interface, the proper way to do it is :

  set skip on { tun0, enc0, lo0 }

If anybody knows better correct me.

Chris

Arnaud
--
i think we should rewrite the kernel in java since it has good support for threads. - Ted Unangst
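Arnaud's suggestion is to collapse the three `set skip on` lines into one braced statement. The following is an added example, not from the thread or from pfctl: a small pf.conf lint that finds every `set skip on` statement, merges the interfaces into the single consolidated form, and reports the repeats, so that a ruleset like Chris's is caught before it is loaded. Whether pf honours only the last `set skip` is the thread's hypothesis; this code does not test pf, it only normalises the configuration text. The sample configuration is constructed from the fragment Chris posted.

```python
"""Lint for repeated 'set skip on' statements in pf.conf (added example,
not from the thread or from pfctl). Finds every 'set skip on' statement,
merges the interfaces and emits the single consolidated statement."""
import re

# Constructed from the fragment in the thread.
SAMPLE_CONF = """\
# constructed sample
set skip on tun0
set skip on enc0
set skip on lo0
block in log all
"""

SKIP_RE = re.compile(r"^\s*set\s+skip\s+on\s+(.+?)\s*$")


def parse_skip_interfaces(spec):
    """'tun0' -> ['tun0']; '{ tun0, enc0 lo0 }' -> ['tun0', 'enc0', 'lo0']."""
    spec = spec.strip()
    if spec.startswith("{") and spec.endswith("}"):
        spec = spec[1:-1]
    return [tok for tok in re.split(r"[\s,]+", spec) if tok]


def find_skip_statements(conf_text):
    """Return [(lineno, [interfaces]), ...] for every set skip statement."""
    found = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0]          # drop comments
        m = SKIP_RE.match(line)
        if m:
            found.append((n, parse_skip_interfaces(m.group(1))))
    return found


def merged_skip_statement(conf_text):
    """One consolidated statement, first-seen order, duplicates removed."""
    seen = []
    for _, ifaces in find_skip_statements(conf_text):
        for iface in ifaces:
            if iface not in seen:
                seen.append(iface)
    if not seen:
        return None
    if len(seen) == 1:
        return f"set skip on {seen[0]}"
    return "set skip on { " + ", ".join(seen) + " }"


def lint(conf_text):
    """Findings for a config with more than one set skip statement, else []."""
    stmts = find_skip_statements(conf_text)
    if len(stmts) <= 1:
        return []
    findings = [f"line {n}: repeated 'set skip on' statement" for n, _ in stmts]
    findings.append(f"suggest: {merged_skip_statement(conf_text)}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

A check like this belongs next to `pfctl -nf /etc/pf.conf` in whatever deploys the ruleset: the syntax check passes either way, so intent problems of this kind need their own lint.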
Re: OpenBSD as workstation...yes!
Hello Johan,

Sunday, April 16, 2006, 5:42:06 AM, you wrote:

JS> Due to hard disk crash i decided to migrate the only machine not running OpenBSD to OpenBSD.
JS> But tired hearing here and there than OpenBSD is only useful and reliable on servers i made
JS> few screenshots on my main workstation ...
JS> Here it is http://www.chatou-informatic.com/opendesktop
JS> Thanks again OpenBSD for this to be possible .

I think I am going to do this too... I have three OBSD servers, and would like to run it on the desktop as well, primarily for Internet interface... web, mail, etc.

-wittig
http://www.robertwittig.com/ . http://robertwittig.net/
Re: OpenBSD as workstation...yes!
A couple of weeks ago the computer my wife uses became so bad in terms of performance and maintenance that I decided to replace WinXP with OpenBSD. I'd wanted to do it a long time ago, but I was worried that the transition would be too much. My wife is not a technical person, and has only ever used Windows, but she was willing to try. I installed OpenBSD and KDE, with Firefox and Mozilla. She had already been using Firefox and Mozilla, so I copied her old configs data. She kept her mail, settings, bookmarks, and everything! I had to hand-edit a touch to make them look in the right place for the profiles, but that was easy enough. Since the switch she's had nothing but good to say about it. That's from a non-technical Windows user. Only problem so far: I had to set the user agent override in Firefox so that TurboTax online would think we were running Windoze. Of course their site worked fine with OpenBSD. They were just too braindead to consider anything except consumer versions of Windows or Mac. -- Darrin Chandler| Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/ |
Re: OpenBSD as workstation...yes!
On Sun, 16 Apr 2006 12:25:33 -0500 Robert C Wittig [EMAIL PROTECTED] wrote:

  Hello Johan,

  Sunday, April 16, 2006, 5:42:06 AM, you wrote:

  JS> Due to hard disk crash i decided to migrate the only machine not running OpenBSD to OpenBSD.
  JS> But tired hearing here and there than OpenBSD is only useful and reliable on servers i made
  JS> few screenshots on my main workstation ...
  JS> Here it is http://www.chatou-informatic.com/opendesktop
  JS> Thanks again OpenBSD for this to be possible .

  I think I am going to do this too... I have three OBSD servers, and would like to run it on the desktop as well, primarily for Internet interface... web, mail, etc.

I already used OpenBSD as workstation past few years on mk68 and sparc/sparc64 but here is much hardware and apps to deal with. I only have pain to use my old mach64 all in wonder (PCI) as tv with gatos/gatitv/xatitv

Cheers
Re: a little success in vnc over openvpn
  Perhaps this is easier than using a redirect statement in pf.conf. Set `sysctl -w net.inet.ip.forwarding=1` on both servers if it not already set.

    vncviewer 192.168.1.122

thanks for your advice . but i have already setup net.inet.ip.forwarding=1 in /etc/sysctl.conf for nat of pf.conf . Unfortunately, vncviewer 192.168.1.122 does not go well .

my vnc on openvpn has next route . i access from gentoo to windows2000 by vnc on openvpn .

  vnc client      openvpn client                        openvpn server    vnc server
  gentoo---lan--openbsd firewall--internet--openbsd firewall--windows2000.
  192.168.72.66                                                           192.168.1.222

i rewrote http://nakajin.dyndns.org/pikara.html .

sorry for my poor english .

takesima
4 port pf setup - comments?
Hi all,

Just wanted some comments on this pf.conf design. Mostly, I am hoping a second pair of eyes to spot any major over-sight on my part. I've not tested this set-up, yet! Just some scratch-pad design/brain-storming.

Thanks :-)

--patrick

# Pseudo PF design:
#
# I'm preparing to replace a current firewall with a PF firewall.
# I've been reading through PF User's Guide again to refresh
# my memory of what can and cannot be done with PF. The PF
# firewall will have 4 interfaces in bridge mode. One connects
# to the DSL router. One to the DMZ. One to the LAN and the
# last to the Wireless router (not yet in place -- planned for
# near future). The last interface will probably need an
# IP since I plan to use IPsec over the wireless (I don't yet
# know much about this process and skipping it in this discussion).
# Potentially using PF firewall as the access-point (have to
# research this further as well).
#
# I just wanted to present what I'm thinking of doing in semi-
# pseudo PF code, and get your feedback on whether I'm thinking
# through this straight or do I need to adjust my thinking.
#
# Static IP Subnet:
#   x.x.x.0/28
#   Divided into 4 sections
#     a) DSL router
#     b) Wifi router (planned for near future with IPsec)
#     c) LAN section (workstations, laptops)
#     d) DMZ section: servers (www, dns, mail)
#
# DSL Router:
#   has a WAN side IP
#   has a LAN side IP (x.x.x.1)
#
# PF server:
#   has 4 interfaces: a, b, c and d
#   1 static IP on interface b: x.x.x.6 (for IPsec and possibly hostap)
#
# __DMZ__:
#   4 static IPs x.x.x.2-.5
#
# __WIFI__:
#   4 static IPs x.x.x.7-.10
#
# __LAN__:
#   4 static IPs x.x.x.11-.14
#
#
#                        /Internet/
#                             |
#                       [DSL Router]
#                         .1  |
#                             |
#   __WIFI__                 (a)            ___DMZ___
#     .7                    +++            .2 dns1 / mail1
#     .8           -(b)|    PF    |(d)-     .3 dns2 / mail2
#     .9  .6                +++            .4 www1
#     .10                   (c)            .5 www2
#                             |
#                             |
#                         __LAN__
#                    .11 .12 .13 .14

dsl_if  = de0
dmz_if  = ...
lan_if  = ...
wifi_if = ath0   # maybe...
                 # but maybe xl0 connecting to a port on a wifi router

# Local network
locnet = x.x.x.0/28

# DSL Router
dsl_router = x.x.x.1

# VPN interface for IPsec path for Wifi users (or even as the access-point
# interface)
vpn = x.x.x.6

# DMZ servers
dns1  = x.x.x.2
mail1 = x.x.x.2
dns2  = x.x.x.3
mail2 = x.x.x.3
www1  = x.x.x.4
www2  = x.x.x.5
dmz_grp = { $dns1 $dns2 $www1 $www2 }

# Wifi users
mobile1 = x.x.x.7
mobile2 = x.x.x.8
mobile3 = x.x.x.9
mobile4 = x.x.x.10
wifi_grp = { $mobile1 $mobile2 $mobile3 $mobile4 }

# LAN clients
desk1 = x.x.x.11
desk2 = x.x.x.12
desk3 = x.x.x.13
desk4 = x.x.x.14
lan_grp = { $desk1 $desk2 $desk3 $desk4 }

wifi2net_ports = { 80 443 5190 }
wifi2dmz_ports = { 53 80 }
ping = echoreq

# Shorthand
dns  = { $dns1 $dns2 } port 53
mail = { $mail1 $mail2 } port 25 flags S/SA
www  = { $www1 $www2 } port {80 443} flags S/SA
keep_sane = keep state (max-src-conn 50, max-src-conn-rate 15/5, \
            overload <abusers> flush global)

table <abusers> persist
table <spamd> persist
table <spamd-white> persist

set skip on { lo }
set block-policy return

scrub in

rdr pass on $lan_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $dsl_if proto tcp from <spamd> to port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $dsl_if proto tcp from !<spamd-white> to port smtp \
    -> 127.0.0.1 port spamd

block in quick from <abusers>
block all

antispoof quick for { lo }

#--
# Interface a / $dsl_if
#   - LAN workstations are trusted more than those on WIFI
pass out on $dsl_if proto {tcp udp} from $lan_grp to any keep state
pass out on $dsl_if proto tcp from $wifi_grp to \
    any port $wifi2net_ports keep state
#
# Any traffic coming in on $dsl_if should be destined for DMZ only!
pass in on $dsl_if proto tcp from any to $mail $keep_sane
pass in on $dsl_if proto tcp from any to $www $keep_sane
pass in on $dsl_if proto udp from any to $dns $keep_sane
# Allow pings to DMZ
pass in on $dsl_if proto icmp from any to $dmz_grp icmp-type $ping $keep_sane

#---
# Interface b / $wifi_if
#   - Nothing should be connecting to wifi clients
#     (default block all)
#   - WIFI group only gets to use DMZ DNS and Web servers (no mail!)
pass in on $wifi_if proto tcp from $wifi_grp to $www keep state
pass in on $wifi_if proto udp from $wifi_grp to $dns keep state
# This should cover any out-bound traffic (to the net)
pass in on $wifi_if from $wifi_grp to !$locnet

#---
# Interface c / $lan_if
#   - Nothing should be connecting to lan workstations
#     (default block all)
# LAN workstations should be able to connect to all DMZ servers
pass in on $lan_if from $lan_grp to $dmz_grp keep state
# Covers out-bound
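The design states an intent in a comment ("Any traffic coming in on $dsl_if should be destined for DMZ only!") and then expresses it through several layers of macros ($mail expands to { $mail1 $mail2 }, which expand to addresses), which is exactly where a later edit can quietly break the intent. The block below is an added example, not part of Patrick's post or of pf: it resolves the macro subset the post uses (name = value, $name references, { ... } lists) and checks that every `pass in on $dsl_if` rule's destination lies inside $dmz_grp. The configuration text is a constructed excerpt of the post with one deliberately wrong rule appended so the check has something to find.

```python
"""Intent check: inbound rules on the WAN interface must target the DMZ only
(added example, not from the post or from pf). Handles only the macro
grammar the post uses: 'name = value', '$name' references and '{ a b }' lists."""
import re

# Constructed excerpt of the posted design; the final rule is a constructed
# mistake (a LAN workstation exposed on the WAN interface) for the check to find.
CONF = """\
# constructed excerpt of the posted design (addresses kept as x.x.x.N)
dsl_if = de0
dns1 = x.x.x.2
mail1 = x.x.x.2
dns2 = x.x.x.3
mail2 = x.x.x.3
www1 = x.x.x.4
www2 = x.x.x.5
dmz_grp = { $dns1 $dns2 $www1 $www2 }
desk1 = x.x.x.11
dns = { $dns1 $dns2 } port 53
mail = { $mail1 $mail2 } port 25 flags S/SA
www = { $www1 $www2 } port {80 443} flags S/SA
pass in on $dsl_if proto tcp from any to $mail keep state
pass in on $dsl_if proto tcp from any to $www keep state
pass in on $dsl_if proto udp from any to $dns keep state
pass in on $dsl_if proto icmp from any to $dmz_grp icmp-type echoreq keep state
# constructed mistake: a LAN workstation reachable from the WAN side
pass in on $dsl_if proto tcp from any to $desk1 port 22 keep state
"""

MACRO_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
RULE_RE = re.compile(r"^\s*pass\s+in\s+on\s+(\S+)\s+.*?\bto\s+(\S+)")


def strip_comment(line):
    return line.split("#", 1)[0]


def parse_macros(conf_text):
    """name -> raw value string for every 'name = value' line."""
    macros = {}
    for line in conf_text.splitlines():
        m = MACRO_RE.match(strip_comment(line))
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand_hosts(spec, macros):
    """Resolve a destination spec to the set of host tokens it names.

    '$mail' -> '{ $mail1 $mail2 } port 25 flags S/SA' -> {'x.x.x.2', 'x.x.x.3'}
    Trailing qualifiers (port, flags) after the host list are ignored.
    """
    spec = spec.strip()
    if spec.startswith("$"):
        return expand_hosts(macros[spec[1:]], macros)
    if spec.startswith("{"):
        hosts = set()
        for tok in spec[1:spec.index("}")].split():
            hosts |= expand_hosts(tok, macros)
        return hosts
    return {spec.split()[0]}


def check_dmz_only(conf_text, wan_macro="dsl_if", dmz_macro="dmz_grp"):
    """[(lineno, rule, hosts_outside_dmz), ...] for 'pass in on $wan' rules
    whose destination is not entirely inside the DMZ group."""
    macros = parse_macros(conf_text)
    dmz = expand_hosts("$" + dmz_macro, macros)
    violations = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = RULE_RE.match(strip_comment(line))
        if not m or m.group(1) != "$" + wan_macro:
            continue
        dst = expand_hosts(m.group(2), macros)
        if not dst <= dmz:
            violations.append((n, line.strip(), sorted(dst - dmz)))
    return violations


if __name__ == "__main__":
    for lineno, rule, outside in check_dmz_only(CONF):
        print(f"line {lineno}: reaches non-DMZ hosts {outside}: {rule}")
```

Because `mail1` and `dns1` share x.x.x.2, the check is done on resolved addresses rather than macro names; a rule that uses a new macro for an existing DMZ address still passes, and a rule that mentions a DMZ-sounding name bound to a LAN address still fails.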
Re: FYI: sch5017
  1) we get the list twice due to the nviic detecting two iic's

Some vendors make an error of wiring the same chip to both i2c busses. Other vendors use two of the same chips, one on each i2c bus. Obviously we cannot tell these situations apart, so we error on the side of displaying more, even if that means we sometimes display duplicate information. In the past I have even run into a machine where I thought there were duplicated machines but after putting something behind the fan (to stop airflow) was able to tell that they were in fact different chips. Anyways, I am basically telling you this will remain like that.

  2) register 0x20 is +5 VTR, which differs from the adt chip

OK, I have mailed you a diff to help with this.
mkfifo: Invalid Argument
Hi,

This is probably simple, but google doesn't have much on it. If, on a FAT filesystem, I do:

  #mkfifo pipe

I get

  mkfifo: pipe: Invalid Argument

If I cd up to / and try again:

  #mkfifo pipe
  #ls -L pipe*
  prw-r--r--  1 root  wheel  0 Apr 17 09:15 pipe

I'm guessing pipes can't be made on FAT systems, but why not? And where is the source for mkfifo so that I could make it less cryptic? According to whence it's in /sbin but ls /usr/src/sbin | grep mk only shows mknod.

-Nick
Re: Set up root partition as read only.
On Saturday 15 April 2006 11:17, Joco Salvatti wrote:

  To increase the security level of my OpenBSD system I have defined at /etc/fstab that the root partition should be read only. /etc/fstab follows:

While there are advantages of read-only / security isn't one of them. If you still want to do this be aware that you need to do some minor modifications to /etc/rc to get it to work and you'll also need to use a separate partition (preferably mfs) for /dev, with all the implications that has (need to create devices on boot, etc). To sum it up, while read-only / is possible it's no walk in the park and you should take the time to understand the OpenBSD startup process before attempting it.

---
Lars Hansson
Apache mod_webkit
Does anyone have any experience running this on OpenBSD? It's basically an apache module for dispatching incoming requests to Webware's Webkit application server. On OpenBSD it compiles fine and runs fine - for about four days. Then it starts giving errors like the following:

  [error] mod_ssl: Cannot open SSLSessionCache DBM file `/logs/ssl_scache' for writing (store) (System error follows)
  [error] System: Too many open files (errno: 24)
  [error] (24)Too many open files: Couldn't connect to AppServer, attempt 1 of 10
  ...

I've tried increasing file limits both in the kernel via sysctl and at boot via login.conf, with no success. Also, using either fstat or lsof, the number of open files at error time for both the system as a whole and for the http daemon are well below the limits I've set. I assume the SSLSessionCache error is due to the failure to connect to the Webkit AppServer.

Any assistance greatly appreciated.

--
Jeff Simmons [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
You guys, I don't hear any noise. Are you sure you're doing it right? --My Life With The Thrill Kill Kult
Re: Apache mod_webkit
there was a diff to fix a file leak in ssl on tech a few days ago.

On 4/16/06, Jeff Simmons [EMAIL PROTECTED] wrote:

  Does anyone have any experience running this on OpenBSD? It's basically an apache module for dispatching incoming requests to Webware's Webkit application server. On OpenBSD it compiles fine and runs fine - for about four days. Then it starts giving errors like the following:

    [error] mod_ssl: Cannot open SSLSessionCache DBM file `/logs/ssl_scache' for writing (store) (System error follows)
    [error] System: Too many open files (errno: 24)
    [error] (24)Too many open files: Couldn't connect to AppServer, attempt 1 of 10
    ...

  I've tried increasing file limits both in the kernel via sysctl and at boot via login.conf, with no success. Also, using either fstat or lsof, the number of open files at error time for both the system as a whole and for the http daemon are well below the limits I've set. I assume the SSLSessionCache error is due to the failure to connect to the Webkit AppServer.

  Any assistance greatly appreciated.

  --
  Jeff Simmons [EMAIL PROTECTED]
  Simmons Consulting - Network Engineering, Administration, Security
  You guys, I don't hear any noise. Are you sure you're doing it right? --My Life With The Thrill Kill Kult
Re: mkfifo: Invalid Argument
On 4/16/06, Nick Guenther [EMAIL PROTECTED] wrote:

  I'm guessing pipes can't be made on FAT systems, but why not?

because fat doesn't support them.

  And where is the source for mkfifo so that I could make it less cryptic? According to whence it's in /sbin but ls /usr/src/sbin | grep mk only shows mknod.

mkfifo is mknod.

  ls -li mkfifo mknod