Re: BIND forwarding

2006-04-16 Thread Alexander Farber
On the USENET I've learnt that forwarders shouldn't be used...

  -Original Message-
  From: Brendan Grossman [mailto:[EMAIL PROTECTED]
  Sent: Sunday, 16 April 2006 6:17 AM
  To: 'misc@openbsd.org'
  Subject: BIND forwarding
 
  I have a simple BIND setup that forwards requests for
  non-local domains to my ISP's name servers.



Re: OpenBSD todo list?

2006-04-16 Thread Andrew Daugherity
On 4/11/06, Ted Unangst [EMAIL PROTECTED] wrote:
 rewrite units.  it can convert euros to dollars at an awesome rate of
 94 cents per euro, but can't convert temperature.

What's worse is it *does* recognize 'degF' and 'degC' units, but the
conversion between them only does the multiply/divide by 9/5, but not
the add/subtract 32 part, so it gives incorrect results.  While this
inability is mentioned in the man page, it would be better to not
include 'degF' at all than to have it be incorrect.  Most equations
would use SI units anyway, right?  (When I first discovered the
degF/degC units grep'ing through the units library, my first thought
was that the man page was outdated and it did handle them now;
unfortunately that is not the case.)

Similarly, currencies fluctuate enough to not be worth including.

Unfortunately, this limitation to multiplicative-only scales most
likely runs rather deep, and would probably require a large amount of
work to fix.

-Andrew



Google Summer of Code

2006-04-16 Thread Dunceor
Google is doing their Summer of Code this year also and since OpenBSD missed
it last year I thought maybe some official would want to sign up OpenBSD.
The site is: http://code.google.com/summerofcode.html

I'm not a student myself but I think this is a great way to get new people
to contribute to the project.

// Dunceor



Re: Google Summer of Code

2006-04-16 Thread Robert Nagy
I don't think so. In some cases the GSoC was not a real success.
Just check the mozilla SoC. People created broken stuff and wanted
their money. Then they just disappeared.
OpenBSD wants people who love to hack on stuff and not just hack
because of the money they can get after the work is done.



OpenBSD as workstation...yes!

2006-04-16 Thread Johan SANCHEZ
Hi list,

Quite useless thread indeed ... :-/
Due to a hard disk crash I decided to migrate the only machine not running
OpenBSD to OpenBSD.
But tired of hearing here and there that OpenBSD is only useful and reliable on
servers, I made a few screenshots on my main workstation ...
Here it is  http://www.chatou-informatic.com/opendesktop

Thanks again OpenBSD for making this possible.



sshd: all users but root fails to login

2006-04-16 Thread Johan

Hi,

Running the last 3.9 snapshot and have a strange problem:
Just root can login using ssh; all other users fail with access denied.
/etc/ttys seems to be ok.
A newly added user (with adduser) gets the same error as well as 
existing old users.

I am out of ideas, so any suggestion would be appreciated.
Below is a dump of sshd -d (for a failing user)

# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_4.3
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 6 clearing
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: inetd sockets after dupping: 4, 4
Connection from 172.16.90.253 port 1152
debug1: Client protocol version 2.0; client software version PuTTY_Release_0.58
debug1: no match: PuTTY_Release_0.58
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: permanently_set_uid: 27/27
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEX
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes256-cbc hmac-sha1 none
debug1: kex: server->client aes256-cbc hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user linner service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Approval failure for linner
input_userauth_request: invalid user linner
Failed none for invalid user linner from 172.16.90.253 port 1152 ssh2
debug1: userauth-request for user linner service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=linner devs=
debug1: kbdint_alloc: devices 'bsdauth'
debug1: auth2_challenge_start: trying authentication method 'bsdauth'
debug1: userauth-request for user linner service ssh-connection method password
debug1: attempt 2 failures 2
Failed password for invalid user linner from 172.16.90.253 port 1152 ssh2

/Johan



Re: sshd: all users but root fails to login

2006-04-16 Thread Johan

Johan skrev:

Hi,

Running the last 3.9 snapshot and have a strange problem:
Just root can login using ssh; all other users fail with access denied.
/etc/ttys seems to be ok.
A newly added user (with adduser) gets the same error as well as 
existing old users.

I am out of ideas, so any suggestion would be appreciated.


snip

Solved:

Sometimes it's too obvious...
Had an old /etc/nologin which now is removed and everything works as 
expected.


Sorry for the noise...

/Johan
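The debug output in the first message and the /etc/nologin explanation in the follow-up describe the same failure from two sides: "Approval failure" is logged before any password is checked, when OpenBSD's sshd runs the account through auth_approval(3). As an added check (this script is not from the thread), the function below reproduces the three pre-authentication tests that make sshd log "invalid user" for a real account: no passwd entry, a login shell that is missing or not executable, or a nologin file while the user's login class lacks ignorenologin. The file paths are parameters so it can be run against saved copies; the passwd lines used for the checks are constructed.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread or from OpenSSH: why does
# OpenBSD's sshd answer "invalid user" for an account that exists?
# Before a password is checked, sshd's allowed_user() stats the login shell
# and calls auth_approval(3); the latter fails when /etc/nologin exists and
# the login class has no "ignorenologin" capability (root's default class,
# daemon, carries it, which is why only root got in).
#
# Usage: ssh_login_check USER [PASSWD_FILE] [NOLOGIN_FILE]
# Paths default to the live files; pass copies to test without touching them.
ssh_login_check() {
    user=$1
    passwd_file=${2:-/etc/passwd}
    nologin_file=${3:-/etc/nologin}

    # 1. No passwd entry: the classic reason for "invalid user".
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    if [ -z "$entry" ]; then
        echo "DENY: $user has no entry in $passwd_file"
        return 1
    fi

    # 2. The login shell (7th field, empty means /bin/sh) must exist and be
    #    executable; a typo in the shell path also yields "invalid user".
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    if [ -z "$shell" ]; then
        shell=/bin/sh
    fi
    if [ ! -x "$shell" ]; then
        echo "DENY: login shell $shell of $user is missing or not executable"
        return 1
    fi

    # 3. A leftover nologin file refuses every class without ignorenologin,
    #    exactly the case this thread ended up with.
    if [ -e "$nologin_file" ]; then
        echo "DENY: $nologin_file exists; remove it or give the class ignorenologin"
        return 1
    fi

    echo "OK: $user passes the pre-authentication checks sshd makes"
    return 0
}

# Run as a script: ssh_login_check.sh USER
if [ $# -gt 0 ]; then
    ssh_login_check "$@"
fi
```

Run `ssh_login_check linner` on the affected host and the output names the failing check; a "DENY" on the nologin test is the situation the follow-up resolved by deleting the stale file.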



Google Summer of Code 2006: OpenBSD will take part?

2006-04-16 Thread Fabio Varesano
Hi everybody,

I just read about Google Summer of Code 2006.
(http://code.google.com/soc/)

Will openbsd apply to be a mentoring organization?

This can be a good opportunity to get fresh people
working on openbsd.

Fabio Varesano



Re: Google Summer of Code 2006: OpenBSD will take part?

2006-04-16 Thread Tobias Kirschstein
 I just read about Google Summer of Code 2006.
 (http://code.google.com/soc/)
 
 Will openbsd apply to be a mentoring organization?
 
 This can be a good opportunity to get fresh people
 working on openbsd.

you don't really read misc@, do you?
there was the same question about 5 hours ago...

-- 
ciao,
lev



Re: Google Summer of Code

2006-04-16 Thread Pedro Martelletto
Too bad summer is gone...

-p.



Re: Google Summer of Code

2006-04-16 Thread Constantine A. Murenin
On 16/04/06, Robert Nagy [EMAIL PROTECTED] wrote:
 I don't think so. In some cases the GSoC was not a real success.
 Just check the mozilla SoC. People created broken stuff and wanted
 their money. Then they just disappeared.
 OpenBSD wants people who love to hack on stuff and not just hack
 because of the money they can get after the work is done.

Mozdev have accepted wrong proposals, stuff that no-one was interested
in, or stuff that was impossible to complete by one person in one
summer. And after all, mozilla.org was not involved, only mozdev.org
was, and that was a huge difference IMHO.

From what I saw on NetBSD web-pages a while ago, there were quite some
useful outcomes of the SoC 2005. Gerv's blog also reveals one other
SoC participant that stayed with his mentoring organisation and was
given 'official member' status sometime thereafter.

Cheers,
Constantine.



Re: OpenBSD as workstation...yes!

2006-04-16 Thread Andrew Ng
Hi Johan,

interesting. How much disk space would I need to get the same or
similar setup?

Regards
Andrew

On Sun, 16 Apr 2006 12:42:06 +0200, Johan SANCHEZ [EMAIL PROTECTED]
said:
 Hi list,
 
 Quite useless thread indeed ... :-/
 Due to a hard disk crash I decided to migrate the only machine not running
 OpenBSD to OpenBSD.
 But tired of hearing here and there that OpenBSD is only useful and reliable
 on servers, I made a few screenshots on my main workstation ...
 Here it is  http://www.chatou-informatic.com/opendesktop
 
 Thanks again OpenBSD for making this possible.
 
 
-- 
  Andrew Ng
  [EMAIL PROTECTED]

-- 
http://www.fastmail.fm - mmm... Fastmail...



Re: Google Summer of Code

2006-04-16 Thread Pedro Martelletto
Indeed. If the intention was to only cover northern countries, Summer
of Cold might have been a more appropriate name. :-)

-p.



openbsd 3.9-current and php setlocale

2006-04-16 Thread Tomas Kuliavas
hi,

php setlocale(LC_ALL,'some-locale') returns the string 'C/some-locale/C/C/C/C'
on openbsd 3.8. The OpenBSD manual (setlocale.3) says that the LC_ALL category is
not supported and setlocale should return null or false.

some months ago I talked about it on the #openbsd channel and people said
that it should be fixed in 3.9-current

today I got a report that 'OpenBSD 3.9-current (GENERIC) #670' does the same
thing

if openbsd does not support the LC_ALL category, then why do you return a locale
name on the setlocale call? Maybe you can explain the setlocale output string
format?

-- 
Tomas



Re: OpenBSD as workstation...yes!

2006-04-16 Thread Johan SANCHEZ
Hi
Less than 1.5 GB :)
root and home fs are inside wd0, which is:
wd0 at pciide0 channel 0 drive 0: FUJITSU MPB3064ATU E
Cheers



 Hi Johan,
 
 interesting. How much disk space would I need to get the same or
 similar setup?
 
 Regards
 Andrew
 
 On Sun, 16 Apr 2006 12:42:06 +0200, Johan SANCHEZ [EMAIL PROTECTED]
 said:
  Hi list,
  
  Quite useless thread indeed ... :-/
  Due to a hard disk crash I decided to migrate the only machine not running
  OpenBSD to OpenBSD.
  But tired of hearing here and there that OpenBSD is only useful and reliable
  on servers, I made a few screenshots on my main workstation ...
  Here it is  http://www.chatou-informatic.com/opendesktop
  
  Thanks again OpenBSD for making this possible.
  
  
 -- 
   Andrew Ng
   [EMAIL PROTECTED]
 
 -- 
 http://www.fastmail.fm - mmm... Fastmail...



Re: OpenBSD todo list?

2006-04-16 Thread Nick Guenther
On 4/16/06, Andrew Daugherity [EMAIL PROTECTED] wrote:
 On 4/11/06, Ted Unangst [EMAIL PROTECTED] wrote:
  rewrite units.  it can convert euros to dollars at an awesome rate of
  94 cents per euro, but can't convert temperature.

 What's worse is it *does* recognize 'degF' and 'degC' units, but the
 conversion between them only does the multiply/divide by 9/5, but not
 the add/subtract 32 part, so it gives incorrect results.  While this
 inability is mentioned in the man page, it would be better to not
 include 'degF' at all than to have it be incorrect.  Most equations
 would use SI units anyway, right?  (When I first discovered the
 degF/degC units grep'ing through the units library, my first thought
 was that the man page was outdated and it did handle them now;
 unfortunately that is not the case.)

 Similarly, currencies fluctuate enough to not be worth including.

 Unfortunately, this limitation to multiplicative-only scales most
 likely runs rather deep, and would probably require a large amount of
 work to fix.

Why not just redesign the program then, and allow arbitrary
conversions (eg additive, multiplicative, exponential)? As for money,
a script could be written to pull data from somewhere and update the
definitions. http://www.xe.com/dfs/ provides such a service, but for
an extraordinary fee; however, I've just found that http://www.imf.org
provides any data you want for any of the 184 currencies they oversee
for any date for free.

This sounds like a fun project. If no one else wants it, I'll do it.

-Nick
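Andrew's description of the degF/degC bug (only the 9/5 factor is applied, never the 32) and Nick's suggestion of arbitrary conversions come down to one design point: a unit needs a scale and an offset relative to a base unit of its dimension. The shell function below is an added example, not code from units(1) or from anyone in the thread; it carries a small affine unit table through a conversion, refuses conversions across dimensions, and can run in a multiply-only mode that reproduces the bug (100 degC comes out as 180 degF). The unit names and table are my own; 0.5555555556 and 255.3722222 are decimal approximations of 5/9 and 273.15 - 32*5/9 because awk -v does not evaluate fractions.

```shell
#!/bin/sh
# Added example (not from units(1)): every unit is an affine map onto the
# base unit of its dimension,  base = scale * value + offset,
# so temperatures (offset != 0) convert correctly next to lengths (offset 0).

# unit_def NAME -> "DIMENSION SCALE OFFSET" on stdout; status 1 if unknown.
unit_def() {
    case $1 in
        K|kelvin) echo "temp 1 0" ;;
        degC)     echo "temp 1 273.15" ;;                 # K = C + 273.15
        degF)     echo "temp 0.5555555556 255.3722222" ;; # K = F*5/9 + 255.37
        m)        echo "length 1 0" ;;
        cm)       echo "length 0.01 0" ;;
        inch)     echo "length 0.0254 0" ;;
        *)        return 1 ;;
    esac
}

# units_convert VALUE FROM TO [MODE]
# MODE "affine" (default) applies scale and offset; MODE "mult" drops the
# offsets and reproduces the multiply-only bug the thread describes.
units_convert() {
    value=$1
    from=$(unit_def "$2") || { echo "unknown unit: $2" >&2; return 1; }
    to=$(unit_def "$3")   || { echo "unknown unit: $3" >&2; return 1; }
    mode=${4:-affine}

    # Unpack "dimension scale offset" for both sides.
    set -- $from; fdim=$1; fscale=$2; foff=$3
    set -- $to;   tdim=$1; tscale=$2; toff=$3

    # Refuse to convert across dimensions (degC -> m makes no sense).
    if [ "$fdim" != "$tdim" ]; then
        echo "conformability error: $fdim vs $tdim" >&2
        return 1
    fi
    if [ "$mode" = mult ]; then
        foff=0; toff=0
    fi

    awk -v v="$value" -v fs="$fscale" -v fo="$foff" -v ts="$tscale" -v tof="$toff" '
        BEGIN {
            base = fs * v + fo                 # into the base unit
            r = (base - tof) / ts              # out of it into the target unit
            if (r < 0 && r > -0.005) r = 0     # do not print -0.00 from rounding noise
            printf "%.2f\n", r
        }'
}

# Run as a script: units_convert.sh VALUE FROM TO [MODE]
if [ $# -ge 3 ]; then
    units_convert "$@"
fi
```

`units_convert 100 degC degF` prints 212.00, while `units_convert 100 degC degF mult` prints the 180.00 that a multiplicative-only table produces; the "conformability error" wording follows what units(1) prints for mismatched dimensions.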



Re: OpenBSD todo list?

2006-04-16 Thread Nick Guenther
On 4/16/06, Nick Guenther [EMAIL PROTECTED] wrote:
 On 4/16/06, Andrew Daugherity [EMAIL PROTECTED] wrote:
 I've just found that http://www.imf.org
 provides any data you want for any of the 184 currencies they oversee
 for any date for free.

Oh, I lied, it's only 52 countries. Still useful, but does anyone know
of a more complete source? Where do exchange rates come from anyway?

-Nick



FYI: sch5017

2006-04-16 Thread Brian
It's looking good.  Thanks Roman for letting me help out.  Only two problems
persist:

1) we get the list twice due to the nviic detecting two iic's
2) register 0x20 is +5 VTR, which differs from the adt chip

Here are the results as of pulling down the CVS this weekend:

hw.sensors.0=adt0, +2.5Vin, 1.32 V DC
hw.sensors.1=adt0, Vccp, 1.43 V DC
hw.sensors.2=adt0, Vcc, 3.35 V DC
hw.sensors.3=adt0, +5V, 5.13 V DC
hw.sensors.4=adt0, +12V, 12.00 V DC
hw.sensors.5=adt0, Remote1 Temp, 31.00 degC
hw.sensors.6=adt0, Internal Temp, 38.00 degC
hw.sensors.7=adt0, Remote2 Temp, 33.00 degC
hw.sensors.8=adt0, TACH1, 3832 RPM
hw.sensors.9=adt0, TACH2, 2204 RPM
hw.sensors.12=adt1, +2.5Vin, 1.32 V DC
hw.sensors.13=adt1, Vccp, 1.43 V DC
hw.sensors.14=adt1, Vcc, 3.35 V DC
hw.sensors.15=adt1, +5V, 5.10 V DC
hw.sensors.16=adt1, +12V, 12.06 V DC
hw.sensors.17=adt1, Remote1 Temp, 31.00 degC
hw.sensors.18=adt1, Internal Temp, 38.00 degC
hw.sensors.19=adt1, Remote2 Temp, 33.00 degC
hw.sensors.20=adt1, TACH1, 3829 RPM
hw.sensors.21=adt1, TACH2, 2204 RPM

here's the dmesg:
OpenBSD 3.9-current (GENERIC) #26: Fri Apr 14 16:10:03 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) 64 Processor 3000+ (AuthenticAMD 686-class, 512KB L2 cache) 1.81 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3
real mem  = 1073246208 (1048092K)
avail mem = 972591104 (949796K)
using 4278 buffers containing 53764096 bytes (52504K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(ad) BIOS, date 02/17/05, BIOS32 rev. 0 @ 0xfa780
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 3.0 @ 0xf/0xcc54
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfcb20/288 (16 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 17 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: no compatible PCI ICU found
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #5 is the last bus
bios0: ROM list: 0xc/0xf000 0xd/0x1800 0xd2000/0x1600
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
NVIDIA nForce4 DDR rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 NVIDIA nForce4 ISA rev 0xa3
nviic0 at pci0 dev 1 function 1 NVIDIA nForce4 SMBus rev 0xa2
iic0 at nviic0
adt0 at iic0 addr 0x2e: sch5017 rev 0x89
iic1 at nviic0
adt1 at iic1 addr 0x2e: sch5017 rev 0x89
ohci0 at pci0 dev 2 function 0 NVIDIA nForce4 USB rev 0xa2: irq 5, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: NVIDIA OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 10 ports with 10 removable, self powered
ehci0 at pci0 dev 2 function 1 NVIDIA nForce4 USB rev 0xa3: irq 10
usb1 at ehci0: USB revision 2.0
uhub1 at usb1
uhub1: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
uhub1: 10 ports with 10 removable, self powered
auich0 at pci0 dev 4 function 0 NVIDIA nForce4 AC97 rev 0xa2: irq 5, nForce4 AC97
ac97: codec id 0x414c4760 (Avance Logic ALC655)
audio0 at auich0
pciide0 at pci0 dev 6 function 0 NVIDIA nForce4 IDE rev 0xa2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVDRAM GSA-4163B, A103 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
pciide1 at pci0 dev 7 function 0 NVIDIA nForce4 SATA rev 0xa3: DMA
pciide1: using irq 10 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: WDC WD360GD-00FLA2
wd0: 16-sector PIO, LBA48, 35304MB, 72303840 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide1 channel 1 drive 0: WDC WD3200KS-00PFB0
wd1: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd1(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 5
pciide2 at pci0 dev 8 function 0 NVIDIA nForce4 SATA rev 0xa3: DMA
pciide2: using irq 11 for native-PCI interrupt
ppb0 at pci0 dev 9 function 0 NVIDIA nForce4 PCI-PCI rev 0xa2
pci1 at ppb0 bus 1
ATI Rage XL rev 0x27 at pci1 dev 5 function 0 not configured
VIA VT6306 FireWire rev 0x80 at pci1 dev 6 function 0 not configured
skc0 at pci1 dev 10 function 0 D-Link Systems DGE-530T rev 0x11, Marvell Yukon Lite (0x9): irq 5
sk0 at skc0 port A, address 00:15:e9:2e:28:e6
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 5
nfe0 at pci0 dev 10 function 0 NVIDIA CK804 LAN rev 0xa3: irq 11, address 00:e0:81:56:8f:67
eephy1 at nfe0 phy 1: Marvell 88E Gigabit PHY, rev. 1
ppb1 at pci0 dev 11 function 0 NVIDIA nForce4 PCIE rev 0xa3
pci2 at ppb1 bus 2
ppb2 at pci0 dev 12 function 0 NVIDIA nForce4 PCIE rev 0xa3
pci3 at ppb2 bus 3
ppb3 at pci0 dev 13 function 0 NVIDIA nForce4 PCIE rev 0xa3
pci4 at ppb3 bus 4
bge0 at pci4 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1 (0x4101): irq 11, address 00:e0:81:56:8f:66
brgphy0 at 

Re: 'set skip on' being inconsistent

2006-04-16 Thread Arnaud Bergeron
On 4/13/06, Chris Cameron [EMAIL PROTECTED] wrote:
 In my pf.conf I have:

 set skip on tun0
 set skip on enc0
 set skip on lo0


 tun0 is for OpenVPN. If I run pfctl -f /etc/pf.conf, I can connect with
 OpenVPN and telnet to a server.

 If I disconnect OpenVPN, wait for a couple of minutes, then try
 connecting with telnet again, pf blocks the connection. If I run pfctl
 -f /etc/pf.conf, I can connect again.

 OpenVPN connects fine, it's just the telnet after that doesn't work.
 tcpdump -i tun0 shows the packets coming in.


 The connection attempt in my pflog:

 Apr 13 14:03:37.157867 rule 0/(match) block in on tun0:
 192.168.123.6.1160 > 192.168.120.50.23: S 648098994:648098994(0) win
 16384 mss 1368,nop,nop,sackOK (DF)
 Apr 13 14:03:43.092857 rule 0/(match) block in on tun0:
 192.168.123.6.1160 > 192.168.120.50.23: S 648098994:648098994(0) win
 16384 mss 1368,nop,nop,sackOK (DF)


 Anyone know what's going on? This is a patched Sparc64/3.8 in a carp
 setup.

I think, after reading the manpage, that this behavior is because you
can 'set skip on' only one time.  If you want to specify more than one
interface, the proper way to do it is: 'set skip on { tun0, enc0, lo0 }'

If anybody knows better correct me.

 Chris


Arnaud
--
i think we should rewrite the kernel in java since it has good
support for threads. - Ted Unangst
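Whichever way the skip statements are written, the thing to verify after a reload, or after an interface such as tun0 has gone away and come back, is whether pf still carries the skip flag for every interface the file names. As an added check (not from the thread), the script below extracts the interfaces from every `set skip on` statement in a pf.conf, in both the single-name and the `{ ... }` form, and compares them with saved output of `pfctl -s Interfaces -v`, reporting any that the running pf no longer shows as skipped. It assumes the `(skip)` marker that pfctl prints after a skipped interface name; the pf.conf fragment and pfctl output used in the checks are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): detect drift between the "set skip on"
# statements in pf.conf and the skip flags the running pf reports.
# Save the live state first:  pfctl -s Interfaces -v > /tmp/pf-ifaces
# then:                        pf_skip_drift /etc/pf.conf /tmp/pf-ifaces

# pf_configured_skip PF_CONF: one interface per line from every
# "set skip on ..." statement, whether a single name or a { a, b } list.
pf_configured_skip() {
    sed -e 's/#.*//' "$1" |
    sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}skip[[:space:]]\{1,\}on[[:space:]]\{1,\}//p' |
    tr '{},' '   ' | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# pf_active_skip IFACES_FILE: interfaces flagged "(skip)" in saved output of
# "pfctl -s Interfaces -v" (assumed line format: "name (skip)").
pf_active_skip() {
    awk '/\(skip\)/ { print $1 }' "$1"
}

# pf_skip_drift PF_CONF IFACES_FILE: print every configured interface that
# the running pf does not show as skipped; status 1 if any, 0 if in sync.
pf_skip_drift() {
    drift=0
    active=$(pf_active_skip "$2")
    for ifn in $(pf_configured_skip "$1"); do
        if ! printf '%s\n' "$active" | grep -qx "$ifn"; then
            echo "$ifn"
            drift=1
        fi
    done
    return $drift
}

# Run as a script: pf_skip_drift.sh PF_CONF IFACES_FILE
if [ $# -eq 2 ]; then
    pf_skip_drift "$1" "$2"
fi
```

A non-empty result means a `pfctl -f /etc/pf.conf` would change the skip set, which is exactly the symptom in the thread: the reload "fixes" it because the flag was no longer set, not because the rules changed.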



Re: OpenBSD as workstation...yes!

2006-04-16 Thread Robert C Wittig
Hello Johan,

Sunday, April 16, 2006, 5:42:06 AM, you wrote:

JS Due to a hard disk crash I decided to migrate the only machine not running
OpenBSD to OpenBSD.
JS But tired of hearing here and there that OpenBSD is only useful and reliable
on servers, I made a few screenshots on my main workstation ...
JS Here it is  http://www.chatou-informatic.com/opendesktop

JS Thanks again OpenBSD for making this possible.

I think I am going to do this too... I have three OBSD servers,  and
would like to run it on the desktop as well, primarily for Internet
interface... web, mail, etc.


-wittig http://www.robertwittig.com/
.   http://robertwittig.net/



Re: OpenBSD as workstation...yes!

2006-04-16 Thread Darrin Chandler
A couple of weeks ago the computer my wife uses became so bad in terms
of performance and maintenance that I decided to replace WinXP with
OpenBSD. I'd wanted to do it a long time ago, but I was worried that the
transition would be too much. My wife is not a technical person, and has
only ever used Windows, but she was willing to try.

I installed OpenBSD and KDE, with Firefox and Mozilla. She had already
been using Firefox and Mozilla, so I copied her old configs  data. She
kept her mail, settings, bookmarks, and everything! I had to hand-edit a
touch to make them look in the right place for the profiles, but that
was easy enough.

Since the switch she's had nothing but good to say about it. That's from
a non-technical Windows user.

Only problem so far: I had to set the user agent override in
Firefox so that TurboTax online would think we were running Windoze. Of
course their site worked fine with OpenBSD. They were just too braindead
to consider anything except consumer versions of Windows or Mac.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Re: OpenBSD as workstation...yes!

2006-04-16 Thread Johan SANCHEZ
On Sun, 16 Apr 2006 12:25:33 -0500
Robert C Wittig [EMAIL PROTECTED] wrote:

 Hello Johan,
 
 Sunday, April 16, 2006, 5:42:06 AM, you wrote:
 
 JS Due to a hard disk crash I decided to migrate the only machine not running
 OpenBSD to OpenBSD.
 JS But tired of hearing here and there that OpenBSD is only useful and reliable
 on servers, I made a few screenshots on my main workstation ...
 JS Here it is  http://www.chatou-informatic.com/opendesktop
 
 JS Thanks again OpenBSD for making this possible.
 
 I think I am going to do this too... I have three OBSD servers,  and
 would like to run it on the desktop as well, primarily for Internet
 interface... web, mail, etc.

I already used OpenBSD as a workstation for the past few years on m68k and sparc/sparc64,
but here there is much more hardware and many more apps to deal with.
The only pain I have is using my old mach64 All-in-Wonder (PCI) as a TV with
gatos/gatitv/xatitv

Cheers



Re: a little success in vnc over openvpn

2006-04-16 Thread OS rider
Perhaps this is easier than using a redirect statement in pf.conf.
Set `sysctl -w net.inet.ip.forwarding=1` on both servers if it is not already
set.
vncviewer 192.168.1.122

thanks for your advice.
but I have already set up net.inet.ip.forwarding=1 in /etc/sysctl.conf
for the nat in pf.conf.
Unfortunately, vncviewer 192.168.1.122 does not go well.
my vnc over openvpn takes the following route.
I access windows2000 from gentoo by vnc over openvpn.

vnc client openvpn client openvpn server vnc server
gentoo---lan--openbsd firewall--internet--openbsd
firewall--windows2000.
192.168.72.66 192.168.1.222

I rewrote http://nakajin.dyndns.org/pikara.html .
sorry for my poor english. takesima



4 port pf setup - comments?

2006-04-16 Thread patrick ~
Hi all,

Just wanted some comments on this pf.conf design.  Mostly,
I am hoping a second pair of eyes to spot any major over-sight
on my part.  I've not tested this set-up, yet!  Just some
scratch-pad design/brain-storming.

Thanks :-)
--patrick



# Pseudo PF design:
#
# I'm preparing to replace a current firewall with a PF firewall.
# I've been reading through PF User's Guide again to refresh
# my memory of what can and cannot be done with PF.  The PF
# firewall will have 4 interfaces in bridge mode.  One connects
# to the DSL router. One to the DMZ. One to the LAN and the
# last to the Wireless router (not yet in place -- planned for
# near future).  The last interface will probably need an
# IP since I plan to use IPsec over the wireless (I don't yet
# know much about this process and skipping it in this discussion).
# Potentially using PF firewall as the access-point (have to
# research this further as well).
#
# I just wanted to present what I'm thinking of doing in semi-
# pseudo PF code, and get your feedback on whether I'm thinking
# through this straight or do I need to adjust my thinking.
#
# Static IP Subnet:
# x.x.x.0/28
# Divided into 4 sections
# a) DSL router
# b) Wifi router (planned for near future with IPsec)
# c) LAN section (workstations, laptops)
# d) DMZ section: servers (www, dns, mail)
#
# DSL Router:
# has a WAN side IP
# has a LAN side IP (x.x.x.1)
#
# PF server:
# has 4 interfaces: a, b, c and d
# 1 static IP on interface b: x.x.x.6 (for IPsec and possibly hostap)
#
# __DMZ__:
# 4 static IPs x.x.x.2-.5
#
# __WIFI__:
# 4 static IPs x.x.x.7-.10
#
# __LAN__:
# 4 static IPs x.x.x.11-.14
#
#
#   /Internet/
#   |
#  [DSL Router]
#   .1  |
#   |
#   __WIFI__   (a) ___DMZ___
#  .7  +++ .2  dns1 / mail1
#  .8  -(b)|   PF|(d)- .3  dns2 / mail2
#  .9   .6 +++ .4  www1
# .10  (c) .5  www2
#   |
#   |
#__LAN__
#.11 .12 .13 .14


dsl_if = de0
dmz_if = ...
lan_if = ...
wifi_if = ath0 # maybe...
 # but maybe xl0 connecting to a port on a wifi router

# Local network
locnet = x.x.x.0/28

# DSL Router
dsl_router = x.x.x.1

# VPN interface for IPsec path for Wifi users (or even as the access-point
# interface)
vpn = x.x.x.6

# DMZ servers
dns1  = x.x.x.2
mail1 = x.x.x.2
dns2  = x.x.x.3
mail2 = x.x.x.3
www1  = x.x.x.4
www2  = x.x.x.5
dmz_grp = { $dns1 $dns2 $www1 $www2 }

# Wifi users
mobile1 = x.x.x.7
mobile2 = x.x.x.8
mobile3 = x.x.x.9
mobile4 = x.x.x.10
wifi_grp = { $mobile1 $mobile2 $mobile3 $mobile4 }

# LAN clients
desk1 = x.x.x.11
desk2 = x.x.x.12
desk3 = x.x.x.13
desk4 = x.x.x.14
lan_grp = { $desk1 $desk2 $desk3 $desk4 }

wifi2net_ports = { 80 443 5190 }
wifi2dmz_ports = { 53 80 }
ping = echoreq

# Shorthand
dns  = { $dns1 $dns2 } port 53
mail = { $mail1 $mail2 } port 25 flags S/SA
www  = { $www1 $www2 } port {80 443} flags S/SA 
keep_sane = keep state (max-src-conn 50, max-src-conn-rate 15/5,  \
overload <abusers> flush global)

table <abusers> persist

table <spamd> persist
table <spamd-white> persist


set skip on { lo }
set block-policy return

scrub in

rdr pass on $lan_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $dsl_if proto tcp from <spamd> to port smtp \
-> 127.0.0.1 port spamd
rdr pass on $dsl_if proto tcp from !<spamd-white> to port smtp \
-> 127.0.0.1 port spamd

block in quick from <abusers>
block all

antispoof quick for { lo }

#--
# Interface a / $dsl_if
# - LAN workstations are trusted more than those on WIFI
pass out on $dsl_if proto {tcp udp} from $lan_grp to any keep state
pass out on $dsl_if proto tcp from $wifi_grp to \
any port $wifi2net_ports keep state
#
# Any traffic coming in on $dsl_if should be destined for DMZ only!
pass in on $dsl_if proto tcp from any to $mail $keep_sane
pass in on $dsl_if proto tcp from any to $www $keep_sane
pass in on $dsl_if proto udp from any to $dns $keep_sane
# Allow pings to DMZ
pass in on $dsl_if proto icmp from any to $dmz_grp icmp-type $ping $keep_sane

#---
# Interface b / $wifi_if
# - Nothing should be connecting to wifi clients
#   (default block all)
# - WIFI group only gets to use DMZ DNS and Web servers (no mail!)
pass in on $wifi_if proto tcp from $wifi_grp to $www keep state
pass in on $wifi_if proto udp from $wifi_grp to $dns keep state
# This should cover any out-bound traffic (to the net)
pass in on $wifi_if from $wifi_grp to !$locnet

#---
# Interface c / $lan_if
# - Nothing should be connecting to lan workstations
#   (default block all)
# LAN workstations should be able to connect to all DMZ servers
pass in on $lan_if from $lan_grp to $dmz_grp keep state
# Covers out-bound 

Re: FYI: sch5017

2006-04-16 Thread Theo de Raadt
 1) we get the list twice due to the nviic detecting two iic's

Some vendors make an error of wiring the same chip to both i2c
busses.

Other vendors use two of the same chips, one on each i2c bus.

Obviously we cannot tell these situations apart, so we err on the
side of displaying more, even if that means we sometimes display
duplicate information.  In the past I have even run into a machine
where I thought there were duplicated machines but after putting
something behind the fan (to stop airflow) was able to tell that
they were in fact different chips.

Anyways, I am basically telling you this will remain like that.

 2) register 0x20 is +5 VTR, which differs from the adt chip

OK, I have mailed you a diff to help with this.



mkfifo: Invalid Argument

2006-04-16 Thread Nick Guenther
Hi,

This is probably simple, but google doesn't have much on it.

If, on a FAT filesystem, I do:
#mkfifo pipe
I get
mkfifo: pipe: Invalid Argument

If I cd up to / and try again:
#mkfifo pipe
#ls -l pipe*
prw-r--r--  1  root  wheel  0 Apr  17 09:15 pipe

I'm guessing pipes can't be made on FAT systems, but why not? And
where is the source for mkfifo so that I could make it less cryptic?
According to whence it's in /sbin but ls /usr/src/sbin | grep mk only
shows mknod.

-Nick



Re: Set up root partition as read only.

2006-04-16 Thread Lars Hansson
On Saturday 15 April 2006 11:17, Joco Salvatti wrote:
 To increase the security level of my OpenBSD system I have defined at
 /etc/fstab that the root partition should be read only. /etc/fstab
 follows:

While there are advantages to a read-only /, security isn't one of them.
If you still want to do this be aware that you need to do some minor 
modifications to /etc/rc to get it to work and you'll also need to use a 
separate partition (preferably mfs) for /dev, with all the implications that 
has (need to create devices on boot, etc).
To sum it up, while read-only / is possible it's no walk in the park and you 
should take the time to understand the OpenBSD startup process before 
attempting it.

---
Lars Hansson



Apache mod_webkit

2006-04-16 Thread Jeff Simmons
Does anyone have any experience running this on OpenBSD? It's basically an 
apache module for dispatching incoming requests to Webware's Webkit 
application server.

On OpenBSD it compiles fine and runs fine - for about four days. Then it 
starts giving errors like the following:

[error] mod_ssl: Cannot open SSLSessionCache DBM file `/logs/ssl_scache' for 
writing (store) (System error follows)
[error] System: Too many open files (errno: 24)
[error] (24)Too many open files: Couldn't connect to AppServer, attempt 1 of 
10
...

I've tried increasing file limits both in the kernel via sysctl and at boot 
via login.conf, with no success. Also, using either fstat or lsof, the number 
of open files at error time for both the system as a whole and for the http 
daemon are well below the limits I've set. I assume the SSLSessionCache error 
is due to the failure to connect to the Webkit AppServer.

Any assistance greatly appreciated.

-- 
Jeff Simmons   [EMAIL PROTECTED]
Simmons Consulting - Network Engineering, Administration, Security
You guys, I don't hear any noise. Are you sure you're doing it right?
--My Life With The Thrill Kill Kult



Re: Apache mod_webkit

2006-04-16 Thread Ted Unangst
there was a diff to fix a file leak in ssl on tech a few days ago.

On 4/16/06, Jeff Simmons [EMAIL PROTECTED] wrote:
 Does anyone have any experience running this on OpenBSD? It's basically an
 apache module for dispatching incoming requests to Webware's Webkit
 application server.

 On OpenBSD it compiles fine and runs fine - for about four days. Then it
 starts giving errors like the following:

 [error] mod_ssl: Cannot open SSLSessionCache DBM file `/logs/ssl_scache' for
 writing (store) (System error follows)
 [error] System: Too many open files (errno: 24)
 [error] (24)Too many open files: Couldn't connect to AppServer, attempt 1 of
 10
 ...

 I've tried increasing file limits both in the kernel via sysctl and at boot
 via login.conf, with no success. Also, using either fstat or lsof, the number
 of open files at error time for both the system as a whole and for the http
 daemon are well below the limits I've set. I assume the SSLSessionCache error
 is due to the failure to connect to the Webkit AppServer.

 Any assistance greatly appreciated.

 --
 Jeff Simmons   [EMAIL PROTECTED]
 Simmons Consulting - Network Engineering, Administration, Security
 You guys, I don't hear any noise. Are you sure you're doing it right?
 --My Life With The Thrill Kill Kult



Re: mkfifo: Invalid Argument

2006-04-16 Thread Ted Unangst
On 4/16/06, Nick Guenther [EMAIL PROTECTED] wrote:
 I'm guessing pipes can't be made on FAT systems, but why not? And

because fat doesn't support them.

 where is the source for mkfifo so that I could make it less cryptic?
 According to whence it's in /sbin but ls /usr/src/sbin | grep mk only
 shows mknod.

mkfifo is mknod.
ls -li mkfifo mknod