ugen.4 patch
Here's another. Is misc@ really the right place for silly patches like these? Graham --- ugen.4.orig Sat May 13 16:57:59 2006 +++ ugen.4 Sat May 13 16:58:23 2006 @@ -281,7 +281,7 @@ .Fa interface_desc-*(GtbNumEndpoints . The .Fa config_index -should set to +should be set to .Dv USB_CURRENT_CONFIG_INDEX and .Fa alt_index
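Review bot: the file headers (`--- ugen.4.orig` / `+++ ugen.4`) name the file without any directory, so whoever applies this has to locate ugen.4 in the tree first and patch from inside that directory. Generating the diff from the top of the source tree, so the header carries the path, would let it be applied as posted. The changed line itself ("should set to" becoming "should be set to") reads correctly with the `.Dv USB_CURRENT_CONFIG_INDEX` line that follows it.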
Re: ugen.4 patch
On Sat, May 13, 2006 at 05:02:16PM +0930, Graham Gower wrote: Here's another. Is misc@ really the right place for silly patches like these? you can post doc fixes to bugs@, or mail them directly to me. --- ugen.4.orig Sat May 13 16:57:59 2006 +++ ugen.4 Sat May 13 16:58:23 2006 @@ -281,7 +281,7 @@ .Fa interface_desc-*(GtbNumEndpoints . The .Fa config_index -should set to +should be set to .Dv USB_CURRENT_CONFIG_INDEX and .Fa alt_index this one fixed. thanks. jmc
Porting some IPTables conn_track extension to OpenBSD
Hi all, Despite this silly object, I'm interested in porting some iptables conn_track listed here : http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-5.html. I'm mostly interested in the pptp conntrack, which I need for my nat-box. I'd like some advice : what's the most appropriate place to run such extensions ? If using pf kernel space, the kernel will grow with many supported protocols. If using a userland proxy and some pf rdr, it's sometimes ugly : I'm thinking of PPTP, where you need to configure a target PPTP server per proxy, so you need n proxies for n target servers, which is ugly. On the other hand, ftp-proxy works great in userland. Or PPPoE which can run in both... Is there a rule of thumb to determine the good place for some connection tracking/proxy for a given protocol ? Best regards, Bruno.
Re: Firefox keeps crashing
Just adding some more info to the topic... I've had some problems while running Firefox (tried on Enlightenment and fvwm) on OpenBSD 3.8-release and OpenBSD 3.9-snapshot from around February 2006. It was painfully slow, and switching between tabs was like watching a turtle trying to run. However, when I switched to 3.9-release and 3.9-snapshot (around April 2006), the problem was solved, and Firefox now runs smooth. Don't know why though =) By the way, I find it funny that Firefox, being open-source and all that, initializes slower on Unix machines than on WindowsXP for example... -- An OpenBSD user... and that's all you need to know =)
Re: is openntpd 3.9 real?
On 13/05/06, Matthew R. Dempsky [EMAIL PROTECTED] wrote: On Sat, May 13, 2006 at 03:44:41AM +0200, Henning Brauer wrote: * Matthew R. Dempsky [EMAIL PROTECTED] [2006-05-13 03:00]: Will it include the leap second patch Thorsten Glaser posted earlier this week? no. Can I ask why his patch has been rejected? If your question is why it's not included in 3.9, then it's because OpenNTPD 3.9 is taken from OPENBSD_3_9 branch. http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/ P.S. You didn't really expect a one-week-old new-feature patch to be incorporated into a release, did you? :)
Re: To forward, or not to forward
My goal with the bridge is to filter all traffic coming in from the outside world, while allowing servers my servers behind the bridge to connect freely even if their traffic has to travel out to the router and back(keep state?). My point of confusion is whether or not to turn on forwarding. I have heard arguments for both. I have a transparent bridging firewall setup in the same configuration on 3.8.. IP forwarding is not enabled and the two bridge interfaces pass traffic just fine. Don't enable IP forwarding - you don't need it or want it and it opens up the opportunity for misconfiguration elsewhere to break the security on your admin interface. The bridge interface will take care of all your forwarding needs. IP forwarding is required if you want your box to route IP packets using the routing table - this is not relevant to you because your firewall interfaces do not have IP addresses. Bridging uses a MAC forwarding database to forward Ethernet frames... IP doesn't even come into it.
Re: PF references
you used the excellent tools as google and http://marc.theaimsgroup.com I guess... I made some searching for you, here you go http://marc.theaimsgroup.com/?l=openbsd-misc&m=114345514930017&w=2 http://www.countersiege.com/doc/pfsync-carp/ http://www.unix-tutorials.com/go.php?id=280 /bkw On 12/05/06, News Collector [EMAIL PROTECTED] wrote: Hello: Where (what) is the canonical site (or book) for PF. Are there any site where talk about PF is a application (like for OS X). One Last, has anyone done any work on using CARP, I know synchronizations depends on similar cpus with similar clocks and constrained clock drift. Just wonder.
Raid 1 and 2 Disks: kernel panic with init: not found when reboot into broken mirror
Hello misc,

I spent two days reading man pages and how-tos, but today I again did not succeed in making raid 1 work. I want to install openbsd 3.9 on two ide disks (wd0,wd1) of 10 gb with raidframe raid 1. Here are the main steps that I have executed:

1. regular installation of openbsd 3.9 on wd0

2. compiled a new kernel with raidframe autoconfigure support

3. reboot with the new kernel into wd0

4. initialized and partitioned wd1
# fdisk -I wd1
# disklabel -E wd1
wd1a 4.2BSD 64MB
wd1d RAID *

5. make wd1 bootable
# newfs wd1a
# mount /dev/wd1a /mnt
# cp /bsd.raid /usr/mdec/boot /mnt
# /usr/mdec/installboot -v /mnt/boot /usr/mdec/biosboot wd1
# umount /mnt

5. realized and initialized the array
# cat /etc/raid0.conf
START array
1 2 0
START disks
/dev/wd2d
/dev/wd1d
START layout
128 1 1 1
START queue
fifo 100
# raidctl -C /etc/raid0.conf
# raidctl -I 060500 raid0
# raidctl -A root raid0

6. partitioned and populated raid0
# disklabel -E raid0
raid0a / 4.2BSD
raid0b swap
raid0d /usr 4.2BSD
raid0e /tmp 4.2BSD
raid0f /var 4.2BSD
raid0g /home 4.2BSD
# for i in a d e f g; do newfs raid0${i}; done
# mount /dev/raid0a /mnt
# cd /mnt; mkdir usr tmp var home
# mount /dev/raid0d /mnt/usr
# mount /dev/raid0e /mnt/tmp
etc...
# (cd /; tar -Xcpf - .) | (cd /mnt; tar -xpf -)
# (cd /usr; tar -cpf - .) | (cd /mnt/usr; tar -xpf -)
etc...
# cat /mnt/etc/fstab
/dev/raid0a / ffs rw 1 1
/dev/raid0d /usr ffs rw 1 2
etc...

Ok... umount all and reboot into broken mirror. At prompt: boot wd1a:/bsd

The kernel comes up successfully until I receive:

...
Kernelized RAIDFrame activated
dkcsum wd0 matches BIOS drive 0x80
dkcsum wd1 matches BIOS drive 0x81
root on wd1a
rootdev=0x10 rrootdev=0x320 rawdev=0x312
warning: /dev/console does not exist
init: not found
panic: no init
...
ddb

Well, where have I made a mistake ? Thanks in advance and sorry for the English...
-- ip
Re: PF references
On 2006-05-12 14:37:07 -0700, News Collector wrote: Nick Holland wrote: Thanks Nick I should have said I checked all the usual suspects. Sorry. News Collector wrote: Hello: Where (what) is the canonical site (or book) for PF. documentation-wise? Yeah that would be the OpenBSD man pages. They are authoritative. When things change, they get updated, or people get beaten. In particular, see pf.conf(5), pfct.(8), pf(4) and the SEE ALSOs in each. Beyond that, there are several websites and books. My personal favorite website is the OpenBSD website itself, but I may be biased. :) OK what book? I'm a PF users and I used it for non-trivial tasks. So I all (take with gain of salt) most at the level of many docs. Also PF is a moving target. I wished (wish is the correct word) all authoritative document. Give to prefect my PF chops. Are there any site where talk about PF is a application (like for OS X). probably. There's a website for just about everything. Talk is cheap. OS X has PF, but there's a interface that limits what you can do. They don't document their interface to it. OS X has lot of fancy way to do trivial thinks you meant not want done. Mac OS X have ipfw(8) (actually IPFW2) from FreeBSD. Not PF. And you can, mostly, override the GUI configuration stuff: http://www.macdevcenter.com/lpt/a/5719 Have a nice day Morten -- http://m.mongers.org/weblog/ -- http://flickr.com/photos/morten_liebach/
pf label issue
Hi list,

my rules:

pass in quick on $extif ...
pass in quick on $extif ...
pass out quick on $extif ...

and so on, about 100 rules. The order of the rules is optimized: the first rules are the rules with the most traffic.

Now I want to do accounting with labels. After these rules I place

pass in quick on $extif from any to $server1 label "in server1"
pass out quick on $extif from $server1 to any label "out server1"

OK, this doesn't work if I have the quick keyword in my 100 rules. If I remove the quick keyword it works. quick in the label rules is OK. After removing the quick keywords my optimized order is unprofitable: each packet will be evaluated in each rule :-(. Is there a way to optimize this construct ?

My next problem is: after adding or removing some of my rules in pf.conf and reloading pf with pfctl -f pf.conf the label statistics will be reset :-(. Is there a way to reload pf.conf without touching the statistics of existing labels ? (the label rules are not changed).

Thanks !
Thomas

--
Best regards
Thomas Börnert
Managing Director, Senior IT Consultant, Manager
BSI-licensed ISO27001 auditor on the basis of IT-Grundschutz
DO NOT GIVE OUR ADDRESS TO THIRD PARTYS, WE HATE JUNK-MAIL
TBits.net GmbH | Phone: +49 (0)7172 18391-0
Thomas Börnert | Fax: +49 (0)7172 18391-99
Seeweg 6 | Service: +49 (0)700 TBITSNET
D-73553 Alfdorf | Car: +49 (0)170 6744415
www.tbits.net | eMail: [EMAIL PROTECTED]
Key fingerprint = 8602 2EF5 78FD 3C04 B148 2506 5D4F 6A49 E4E2 9D15
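The behaviour described in the post above, as an added example that is not part of the original message and is not pf's code: a small model of pf filter evaluation (last matching rule wins, a matching quick rule stops evaluation) run over three rule layouts. The addresses and rule counts are constructed, pf's skip-step optimisation and state tracking are not modelled, and the third layout (the label attached to the quick rule that already matches the traffic) goes beyond what the post tried.

```python
"""Toy model of pf filter-rule evaluation: an added example, not pf's own code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVER1 = "192.0.2.10"    # constructed address standing in for $server1
CLIENT = "198.51.100.7"   # constructed outside host


@dataclass
class Rule:
    direction: str         # "in" or "out"
    src: str               # CIDR prefix or "any"
    dst: str
    quick: bool = False
    label: str = ""
    evaluations: int = 0   # times the rule was looked at
    packets: int = 0       # packets for which it was the deciding rule


def addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)


def evaluate(rules, direction, src, dst):
    """Last matching rule wins; a matching 'quick' rule ends evaluation at once."""
    winner = None
    for rule in rules:
        rule.evaluations += 1
        if (rule.direction == direction and addr_match(rule.src, src)
                and addr_match(rule.dst, dst)):
            winner = rule
            if rule.quick:
                break
    if winner is not None:
        winner.packets += 1   # only the deciding rule's counters move
    return winner


def traffic_rules(quick, count=100):
    """Stand-ins for the ~100 pass rules, busiest first; rule 0 matches server1."""
    rules = [Rule("in", "any", SERVER1 + "/32", quick=quick)]
    rules += [Rule("in", "any", f"203.0.113.{i}/32", quick=quick)
              for i in range(1, count)]
    return rules


def label_rules():
    """The two accounting rules from the post, placed after the traffic rules."""
    return [Rule("in", "any", SERVER1 + "/32", quick=True, label="in server1"),
            Rule("out", SERVER1 + "/32", "any", quick=True, label="out server1")]


def run(rules, packets=10):
    """Send inbound packets to server1; return (label counters, rule evaluations)."""
    for _ in range(packets):
        evaluate(rules, "in", CLIENT, SERVER1)
    counters = {r.label: r.packets for r in rules if r.label}
    return counters, sum(r.evaluations for r in rules)


def scenarios():
    labelled_in_place = traffic_rules(quick=True)
    labelled_in_place[0].label = "in server1"
    return {
        "quick rules, labels after": run(traffic_rules(quick=True) + label_rules()),
        "no quick, labels after": run(traffic_rules(quick=False) + label_rules()),
        "label on the quick rule": run(labelled_in_place),
    }


if __name__ == "__main__":
    for name, (counters, evaluations) in scenarios().items():
        print(f"{name}: {counters}, {evaluations} rule evaluations")
```
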
Re: To forward, or not to forward
Dear Steve, At the moment, I have forwarding and pf turned off and allowing packets to flow freely until I can figure out the multiple subnet issue. The router that handles our subnets is outside of our network. Somehow the server cannot communicate freely when they have to send packets out to the router and back in. Any clues on that? Thanks to all who have email me so far. -Orlando On Saturday, May 13, 2006, Steve Welham wrote: My goal with the bridge is to filter all traffic coming in from the outside world, while allowing servers my servers behind the bridge to connect freely even if their traffic has to travel out to the router and back(keep state?). My point of confusion is whether or not to turn on forwarding. I have heard arguments for both. I have a transparent bridging firewall setup in the same configuration on 3.8.. IP forwarding is not enabled and the two bridge interfaces pass traffic just fine. Don't enable IP forwarding - you don't need it or want it and it opens up the opportunity for misconfiguration elsewhere to break the security on your admin interface. The bridge interface will take care of all your forwarding needs. IP forwarding is required if you want your box to route IP packets using the routing table - this is not relevant to you because your firewall interfaces do not have IP addresses. Bridging uses a MAC forwarding database to forward Ethernet frames... IP doesn't even come into it. -- Best regards, Orlando L. Castro
Re: security bug in x86 hardware (thanks to X WIndows)
It seems XFree people disagree... Marc Aurele La France: Contrary to what too many security pundits think, limiting root's power doesn't solve anything. Like bugs, security issues will forever be uncovered, whether they be in setuid applications like an X server or in a kernel itself. The trick, it seems, is to understand where to properly fix them, instead of sowing workarounds all over the place... ( http://marc.theaimsgroup.com/?t=11473584346r=1w=2 ) ...and some Linux developers too... Alan Cox: What it essentially says is if you can hack the machine enough to get the ability to issue raw i/o accesses you can get any other power you want. Thats always been true. Using SMM to do this seems awfully hard work. ( http://marc.theaimsgroup.com/?t=11473584324r=1w=2 )
Re: is openntpd 3.9 real?
* Matthew R. Dempsky [EMAIL PROTECTED] [2006-05-13 05:17]: On Sat, May 13, 2006 at 03:44:41AM +0200, Henning Brauer wrote: * Matthew R. Dempsky [EMAIL PROTECTED] [2006-05-13 03:00]: Will it include the leap second patch Thorsten Glaser posted earlier this week? no. Can I ask why his patch has been rejected? I haven't made up my mind on this patch at all yet. -- BS Web Services, http://www.bsws.de/ OpenBSD-based Webhosting, Mail Services, Managed Servers, ... Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: iwi driver (Problem with Intel 2200BG and PC-engines WRAP)
Problems with the 2200BG continue... I changed to OpenBSD 3.9. The interface looks like this on the box:

# ifconfig iwi0
iwi0: flags=8803UP,BROADCAST,SIMPLEX,MULTICAST mtu 1500
lladdr ***
media: IEEE802.11 autoselect ibss (autoselect adhoc)
status: no network
ieee80211: nwid lala chan 1 100dBm
inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255

However whenever I use ifconfig to configure it I get these errors in the console:

iwi0: timeout processing cb
iwi0: could not load main firmware
May 13 14:06:20 sphinx /bsd: iwi0: timeout processing cb
May 13 14:06:20 sphinx /bsd: iwi0: timeout processing cb
May 13 14:06:20 sphinx /bsd: iwi0: could not load main firmware
May 13 14:06:20 sphinx /bsd: iwi0: could not load main firmware

I have 2.3 firmware installed with 3.0 installed on top of it:

# ls -la etc/firmware/
total 1306
drwxr-xr-x 2 root wsrc 512 May 13 13:22 .
drwxr-xr-x 5 root wsrc1024 May 13 13:24 ..
-rw-r--r-- 1 root wsrc6472 May 18 2005 iwi-boot
-rwxr-xr-x 1 root wsrc 191142 Mar 26 15:29 iwi-bss
-rwxr-xr-x 1 root wsrc 185660 Mar 26 15:29 iwi-ibss
-rwxr-xr-x 1 root wsrc 12007 Mar 26 15:29 iwi-license
-rwxr-xr-x 1 root wsrc 187836 Mar 26 15:29 iwi-monitor
-rw-r--r-- 1 root wsrc 16334 May 18 2005 iwi-ucode-bss
-rw-r--r-- 1 root wsrc 16312 May 18 2005 iwi-ucode-ibss
-rw-r--r-- 1 root wsrc 16344 May 18 2005 iwi-ucode-monitor

When I scan with the Nokia 770, I cannot find this WLAN network. Any suggestions?

PS. Intel is working on hostAP mode for their ipw2200 driver for Linux, so that might be possible on this card in the future.

Risto Varanka http://icct.blogspot.com/
Re: Firefox keeps crashing
On 5/13/06, Leonardo Rodrigues [EMAIL PROTECTED] wrote: By the way, I find it funny that firefox, being open-source and all that, initializes slower on Unix machines than on WindowsXP for example... hey, it even has *different* menu option placements for unix and for windows! Edit - Preferences (in unix), vs Tools - Options (in windows). Now why would anybody even try to do this sort of idiotic thing?? to make it easier on the windows users??? IE - Tools - Internet Options -jf
hostapd small bug
Hi all, looking at /var/log/daemon, it seems that hostapd syslog timestamp does not take care of local timezone :

May 13 16:49:12 puffy test_syslog[6582]: This is just a test for my c studies
May 13 16:49:18 puffy hostapd[18915]: ural0: (rate: 100/8 sec) 00:0d:0b:c3:cb:bb 00:0d:93:ed:ee:2b, bssid 00:0d:0b:c3:cb:bb, DS : data, radiotap v0, chan 11, 11g
May 13 16:49:18 puffy hostapd[18915]:
May 13 16:49:22 puffy test_syslog[6582]: This is just a test for my c studies
May 13 20:49:38 puffy dhcpd: DHCPREQUEST for 192.168.13.32 from 00:0d:93:ed:ee:2b via ural0
May 13 20:49:38 puffy dhcpd: DHCPACK on 192.168.13.32 to 00:0d:93:ed:ee:2b via ural0
May 13 20:49:48 puffy test_syslog[21638]: This is just a test for my c studies

My small program test_syslog does so. I've fixed it with just calling tzset() in main(). Maybe the same problem in hostapd...

Best regards, Bruno.
ksh and X windows.
If you install a new 3.9 system, and enable X windows (the only package I installed was emacs), create a new userid with ksh as its shell and sign on through X, ~/.profile does not get executed. Nor does ~/.profile get executed when a new xterm is created using the left click menu in the background. I expect this is related to my earlier messages about .profile and ksh.
Help Vampires: A Spotters Guide -- Why I Like OpenBSD and Its Community
I found this practical blog entry by Amy Hoy on her blog, slash7.com http://www.slash7.com/pages/vampires. In the post Amy describes how to identify Help Vampires, how to reform yourself if you are one, and how to quit enabling them if they show up in your community. She writes:

It's so regular you could set your watch by it. The decay of a community is just as predictable as the decay of certain stable nuclear isotopes. As soon as an open source project, language, or what-have-you achieves a certain notoriety -- its half-life, if you will -- *they* swarm in, seemingly draining the very life out of the community itself. *They* are the Help Vampires. And I'm here to stop them.

Amy offers the following tips for identifying Help Vampires:

* Does he ask the same, tired questions others ask (at a rate of once or more per minute)?
* Does he clearly lack the ability or inclination to ask the almighty Google?
* Does he refuse to take the time to ask coherent, specific questions?
* Does he think helping him must be the high point of your day?
* Does he get offensive, as if *you* need to prove to *him* why he should use Ruby on Rails?
* Is he obviously just waiting for some poor, well-intentioned person to do all his thinking for him?
* Can you tell he really isn't interested in having his question answered, so much as getting someone else to do his work?

Rather than advocating putting a stake through the heart of Help Vampires, she offers practical guidance for helping them reform. What I found particularly interesting about her advice is how this community already practices what she suggests:

1. Create resources for Help Vampires (and regular folks) to help themselves.
2. Cease all behavior which enables Help Vampires' vampy behavior.
3. Meet Help Vampires head-on.

Which brings me to what I like about OpenBSD. I've recently switched to OpenBSD. Despite a fair amount of experience with Linux, OS X and Windows, like anything I've had to find my legs with OpenBSD. The OS and the community have made that almost painless. The man pages are up-to-date and useful. The online FAQ addresses practically everything a new user will run into or ask. And the mailing lists are mature forums for serious folks to learn about and/or help others learn about this powerful system.

I mentioned Amy's post because I've noticed several others who've joined the community around the same time I did are having some trouble acclimating themselves to such a serious and professional community. I suggest all new members take a few minutes to read Amy's post, especially focusing on the self-help section. I think we all will find that the terse answers and sharply pointed requests to read the FAQ, use google or provide useful debugging information are the reasonable requests of helpful but busy people helping us help ourselves to become self-reliant and perhaps even expert users of this awesome OS. And if that's too much to ask then perhaps we should be looking for a different OS and community to participate in.

Thanks to everyone who makes OpenBSD and the community a joy to use and participate in!

--Aaron
Re: ksh and X windows.
On 2006/05/13 13:16, Peter Fraser wrote: Create a new userid with ksh as its shell and sign on though X. ~/.profile does not get executed Nor does ~/.profile get executed then a new xterm is created using the left click menu in the background. that's normal; see xterm(1) about -ls
Re: ksh and X windows.
On Sat 2006.05.13 at 13:16 -0400, Peter Fraser wrote: If you install a new 3.9 system, and enable X windows (The only package I installed was emacs) Create a new userid with ksh as its shell and sign on though X. ~/.profile does not get executed Nor does ~/.profile get executed then a new xterm is created using the left click menu in the background. I expect this related to my earlier messages about .profile and ksh. man xterm - see loginShell you can change defaults here: /etc/X11/app-defaults/XTerm or in ~/.Xresources
Re: ksh and X windows.
Peter Fraser wrote: If you install a new 3.9 system, and enable X windows (The only package I installed was emacs) Create a new userid with ksh as its shell and sign on though X. ~/.profile does not get executed Nor does ~/.profile get executed then a new xterm is created using the left click menu in the background. http://www.openbsd.org/faq/ I expect this related to my earlier messages about .profile and ksh. Got me, I see you have asked a lot of questions, often in the tone of a remarkable discovery that most of us already knew about. A little time doing some research on your own will be far more educational. For that reason, I deleted the rest of the link above. The answer to your quest..er..statement is very much in there. Start reading. Nick.
Re: ksh and X windows.
My apologies for not noticing that faq entry. But it is not a solution in general. I had a menu entry for emacs. The effect I got was the shell inside emacs didn't have ENV set, and by that time ksh is not going to look at .profile. I tried to come up with a simple example of the problem. Why doesn't Xsession just do a . ~/.profile before calling /usr/X11R6/bin/fvwm ? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick Holland Sent: Saturday, May 13, 2006 1:33 PM To: misc Subject: Re: ksh and X windows. Peter Fraser wrote: If you install a new 3.9 system, and enable X windows (The only package I installed was emacs) Create a new userid with ksh as its shell and sign on though X. ~/.profile does not get executed Nor does ~/.profile get executed then a new xterm is created using the left click menu in the background. http://www.openbsd.org/faq/ I expect this related to my earlier messages about .profile and ksh. Got me, I see you have asked a lot of questions, often in the tone of a remarkable discovery that most of us already knew about. A little time doing some research on your own will be far more educational. For that reason, I deleted the rest of the link above. The answer to your quest..er..statement is very much in there. Start reading. Nick.
Re: hostapd small bug
On Sat, May 13, 2006 at 08:56:20PM +0400, Bruno Carnazzi wrote:
Hi all, looking at /var/log/daemon, it seems that hostapd syslog timestamp does not take care of local timezone :

thanks, just committed the fix using tzset()

reyk

May 13 16:49:12 puffy test_syslog[6582]: This is just a test for my c studies
May 13 16:49:18 puffy hostapd[18915]: ural0: (rate: 100/8 sec) 00:0d:0b:c3:cb:bb 00:0d:93:ed:ee:2b, bssid 00:0d:0b:c3:cb:bb, DS : data, radiotap v0, chan 11, 11g
May 13 16:49:18 puffy hostapd[18915]:
May 13 16:49:22 puffy test_syslog[6582]: This is just a test for my c studies
May 13 20:49:38 puffy dhcpd: DHCPREQUEST for 192.168.13.32 from 00:0d:93:ed:ee:2b via ural0
May 13 20:49:38 puffy dhcpd: DHCPACK on 192.168.13.32 to 00:0d:93:ed:ee:2b via ural0
May 13 20:49:48 puffy test_syslog[21638]: This is just a test for my c studies

My small program test_syslog does so. I've fixed it with just calling tzset() in main(). Maybe the same problem in hostapd...

Best regards, Bruno.
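A check for the symptom reported in this thread, as an added example that is not part of the original messages or of hostapd: it reads one syslog file in arrival order and reports which senders stamp their lines a whole number of hours apart from the others, which matters when a timeline is built from several daemons' entries. The sample is the excerpt quoted above, re-split into lines; the function names and the year argument are assumptions of this sketch.

```python
"""Find whole-hour clock offsets between senders in one syslog file (added example)."""
import re
from datetime import datetime, timedelta

# Lines re-split from the /var/log/daemon excerpt quoted in the thread above.
SAMPLE = """\
May 13 16:49:12 puffy test_syslog[6582]: This is just a test for my c studies
May 13 16:49:18 puffy hostapd[18915]: ural0: (rate: 100/8 sec) 00:0d:0b:c3:cb:bb 00:0d:93:ed:ee:2b, bssid 00:0d:0b:c3:cb:bb, DS : data, radiotap v0, chan 11, 11g
May 13 16:49:18 puffy hostapd[18915]:
May 13 16:49:22 puffy test_syslog[6582]: This is just a test for my c studies
May 13 20:49:38 puffy dhcpd: DHCPREQUEST for 192.168.13.32 from 00:0d:93:ed:ee:2b via ural0
May 13 20:49:38 puffy dhcpd: DHCPACK on 192.168.13.32 to 00:0d:93:ed:ee:2b via ural0
May 13 20:49:48 puffy test_syslog[21638]: This is just a test for my c studies
"""

# "Mon DD HH:MM:SS host tag:" where tag is "program" or "program[pid]"
LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+(\S+?):")


def parse(text, year=2006):
    """Yield (timestamp, tag) in file order; syslog lines carry no year."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield stamp, m.group(2)


def hour_offsets(text, year=2006):
    """Whole-hour offset of each tag relative to the first line's sender.

    syslogd appends lines in arrival order, so neighbouring lines are assumed
    to have been written close together in real time. A tag seen for the first
    time gets the whole-hour offset that places it next to the previous line
    after that line's own offset has been removed. Keying on program[pid]
    keeps a restarted daemon separate from its earlier instance.
    """
    offsets = {}
    previous = None
    for stamp, tag in parse(text, year):
        if previous is None:
            offsets[tag] = 0
        elif tag not in offsets:
            offsets[tag] = round((stamp - previous).total_seconds() / 3600)
        previous = stamp - timedelta(hours=offsets[tag])
    return offsets


def skewed(offsets, reference):
    """Tags whose clock differs from the reference tag, with the gap in hours."""
    base = offsets[reference]
    return {tag: off - base for tag, off in offsets.items() if off != base}


if __name__ == "__main__":
    found = hour_offsets(SAMPLE)
    # dhcpd is taken as the sender that logs in local time, as the report implies
    for tag, hours in skewed(found, "dhcpd").items():
        print(f"{tag}: {hours:+d} h relative to dhcpd")
```

Keyed by pid, the two test_syslog instances land in different groups: the earlier one sits with hostapd, the later one with dhcpd, and the four-hour gap agrees with the +0400 zone in the message date.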
Re: Help Vampires: A Spotters Guide -- Why I Like OpenBSD and Its Community
Interesting article but hardly applicable to most of the people I see posting to the @ lists. I don't believe in such entities but even were it the case energy vampires truly exist and in some natural or supernatural way suck the psychic force of others you'll note that they feed on the weak. If you can demonstrate to me that the OpenBSD lists in particular or the user population in general are psychic weaklings then we'll talk. Otherwise your reply is pointless. If you think I'm wrong, then contradict the post with useful facts. If you think I have no right or standing to address such an article to other OpenBSD neophytes (and I do include myself in that list), then say that and backup your assertions. If you're just offended then learn to deal with it. That's the upshot of my post. OpenBSD appears to *me* to be a system and community aimed at mature people who take responsibility for themselves and wouldn't let an energy vampire suck them dry. Cheers, Aaron Peter Philipp wrote: Before you go looking for or spotting Help Vampires perhaps you should analyze yourself whether you are an Energy Vampire. URL: http://en.wikipedia.org/wiki/Energy_vampire Willing or not, pointing out to people what annoys them is downright depressing. Cheers, -p
systemtrash.com plans to review OpenBSD
And they are looking for input from the user community: http://www.bsdforums.org/forums/showthread.php?t=41225
OpenBSD 3.9 current, AMD Geode SC1200UFH-266, kontron on a scandisk 128mb
hi. I'm working on an openbsd kernel and an image for an AMD Geode SC1200UHF-266. I got a cpu-module and the eval-board. The manufacturer is Kontron. I configured a kernel similar to my WRAP box and changed some entries for the network and console. The kernel will be loaded and after loading it tries to find the root system on wd0a and the system dumps. I wrote an image on a scandisk cf 128 mb with flashdist. I can mount and manipulate. It seems OK. Sorry, I can't get the log because there is no way to stop the reboot. I wrote some messages down. Maybe there is something, someone can see enough to give me a hint.

---
rootdev 0x0 rrootdev 0x300 rawdev 0x302
biomask fded netmask ffed ttymask ffed
root on wd0a
---

thanks for your interest and maybe your help.

Karl-Heinz

ps: the kernel config looks like ...

machine i386 # architecture, used by config; REQUIRED
option I586_CPU
option SMALL_KERNEL
option NO_PROPOLICE
maxusers 4 # estimated number of users
option FFS # UFS
option MFS # Linux ext2fs
option TCP_SACK
option FIFO # FIFOs; RECOMMENDED
option INET # IP + ICMP + TCP + UDP
option BOOT_CONFIG
config bsd root on wd0
mainbus0 at root
cpu0 at mainbus?
bios0 at mainbus0
apm0 at bios0 flags 0x # flags 0x0101 to force protocol version 1.1
pcibios0 at bios0 flags 0x
isa0 at mainbus0
isa0 at pcib?
isa0 at ichpcib?
isa0 at gscpcib?
eisa0 at mainbus0
pci* at mainbus0
option PCIVERBOSE
option USER_PCICONF
ppb* at pci? # PCI-PCI bridges
pci* at ppb?
pcib* at pci? # PCI-ISA bridge
ichpcib* at pci? # Intel ICHx/ICHx-M LPC bridges
gscpcib* at pci? # NS Geode SC1100 PCI-ISA bridge
# PCI PCMCIA controllers
pcic* at pci?
# PCMCIA bus support
pcmcia* at pcic?
npx0 at isa? port 0xf0 irq 13 # math coprocessor
isadma0 at isa?
pckbc0 at isa? # PC keyboard controller
pckbd* at pckbc? # PC keyboard
wskbd* at pckbd? mux 1
vga0 at isa?
vga* at pci?
pcdisplay0 at isa? # CGA, MDA, EGA, HGA
wsdisplay* at vga?
wsdisplay* at pcdisplay?
pccom0 at isa? port 0x3f8 irq 4 # standard PC serial ports
# IDE controllers
pciide* at pci? flags 0x
wdc0 at isa? port 0x1f0 irq 14 flags 0x00
wdc* at pcmcia?
# IDE hard drives
wd* at wdc? flags 0x
wd* at pciide? flags 0x
fxp* at pci? # EtherExpress 10/100B ethernet cards
sis* at pci? # SiS 900/7016 ethernet
inphy* at mii? # Intel 82555 PHYs
iophy* at mii? # Intel 82553 PHYs
nsphyter* at mii? # NS and compatible PHYs
pseudo-device loop 1 # network loopback
pseudo-device bpfilter 1 # packet filter
pseudo-device wsmux 2
pseudo-device pty 32
Re: security bug in x86 hardware (thanks to X WIndows)
Marc Aurele La France: Contrary to what too many security pundits think, limiting root's power doesn't solve anything. Like bugs, security issues will forever be uncovered, whether they be in setuid applications like an X server or in a kernel itself. The trick, it seems, is to understand where to properly fix them, instead of sowing workarounds all over the place... ( http://marc.theaimsgroup.com/?t=11473584346r=1w=2 ) I think that's been agreed to many times by the OpenBSD developers: you can't effectively limit root's ability to do bad things, and pretending you did is just fooling the good guys and making the bad guys giggle. Wrong. You can limit roots ability to do some bad things. We try to do that. Even root cannot open /dev/*mem for write. We are trying to be protective, but the requirements of X stops us from doing so. This isn't about root. Or at least, it shouldn't be. Except it is, because of how much of the X code is doing root-like things. X is not doing root-like things. X is talking to IO devices. Root does not talk to IO devices. Root only talks to the kernel. If you are going to ran on a topic like this, you HAVE TO KNOW WHAT YOU ARE TALKING ABOUT. Nick, you don't know what you are talking about. But Ed, you interviewed someone in detail about the issue, and you still managed to get it wrong and you still don't understand it. Get a grip, please. In the Unix system view, anything which needs to talk to raw devices INSTEAD OF THE KERNEL DOING SO is broken. There are no apologies to be made. Period. If you want X to talk to IO devices, what next? ls?
Confirmation From ATI Developer
Dear Theo de Raadt and Richard Stallman, Thank you for visiting ATI.COM ! This is an AUTOMATIC RESPONSE which confirms that your request has been successfully received by our server and will be processed. Please do not reply to this message, any replies to this email will not be responded to or forwarded. This service is used for outgoing e-mail only and cannot respond to technical support or customer service inquiries === USEFUL LINKS ATI HOMEPAGE See: http://www.ati.com ATI CONTACT INFO See: http://www.ati.com/companyinfo/contact/congeneral.html === Copyright (c) 2005, ATI Technologies Inc. All Rights Reserved END OF AUTOMATIC RESPONSE
Re: ALTQ priq: bandwidth or no?
Thus spake Jeff Quast ([EMAIL PROTECTED]) [11/05/06 09:22]: : On 5/11/06, Damian Gerow [EMAIL PROTECTED] wrote: : I'm not interested in bandwidth limitations, so it looks like priq is : likely my best bet. : [...] : Then I create a queue with a bandwidth limit of 700Kbps. : : The man page is a little vague on this point : The priq scheduler does not support band-width specification. : : huh? Exactly my point. The man page states that priq does /not/ support bandwidth-restricted queues, yet the altq statement has a bandwidth setting in it (and seems to require it). So: does priq do bandwidth queueing at all? Is the altq definition wrong, or is the manpage misleading? (Or am I completely missing something here?) : Use cbq if you want to throttle bandwidth to a limit, something like: I don't. That's the point.
Re: ALTQ priq: bandwidth or no?
Damian Gerow wrote: Thus spake Jeff Quast ([EMAIL PROTECTED]) [11/05/06 09:22]: On 5/11/06, Damian Gerow [EMAIL PROTECTED] wrote: I'm not interested in bandwidth limitations, so it looks like priq is likely my best bet. Then I create a queue with a bandwidth limit of 700Kbps. The man page is a little vague on this point The priq scheduler does not support band-width specification. huh? Exactly my point. The man page states that priq does /not/ support bandwidth-restricted queues, yet the altq statement has a bandwidth setting in it (and seems to require it). So: does priq do bandwidth queueing at all? Is the altq definition wrong, or is the manpage misleading? (Or am I completely missing something here?) Use cbq if you want to throttle bandwidth to a limit, something like: I don't. That's the point. It would seem altq wants a bandwidth declaration. However, from man 5 pf.conf: If bandwidth is not specified, the interface bandwidth is used. In any event, all my priq queues appear to simply be prioritized and the overall outbound bandwidth of all queues, collectively, never exceeds the altq bandwidth keyword--and this works well for me with the exception of the annoying PR 4312.
Re: ALTQ priq: bandwidth or no?
Thus spake Melameth, Daniel D. ([EMAIL PROTECTED]) [13/05/06 20:06]:
: It would seem altq wants a bandwidth declaration. However, from man 5
: pf.conf:
:
: If bandwidth is not specified, the interface bandwidth is used.

And OpenBSD complains bitterly when not defining the bandwidth on a pppoe virtual interface:

# pfctl -F queue -f /etc/pf.conf
altq cleared
cannot determine interface bandwidth for pppoe0, specify an absolute bandwidth
altq not defined on pppoe0
/etc/pf.conf:73: errors in queue definition
more specific queue errors here
pfctl: Syntax error in config file: pf rules not loaded
#

: In any event, all my priq queues appear to simply be prioritized and the
: overall outbound bandwidth of all queues, collectively, never exceeds
: the altq bandwidth keyword--and this works well for me with the
: exception of the annoying PR 4312.

The way I'm reading 4312 is that priq is doing something it isn't supposed to do -- bandwidth throttling. No? And yes, it looks like I've run into 4312 as well. Annoying.

The answer to my previous question leads me to one followup: My altq definition:

altq on $ext_if priq bandwidth 700Kb queue { default, high, bittorrent, vpn, pubservices }
queue default priority 3 priq(default)
queue high priority 7
queue bittorrent priority 0
queue vpn priority 4
queue pubservices priority 5

is subsequently applied to the interface as such:

pass in quick on $ext_if inet proto tcp from any to $mailserver port $mailports flags S/SA modulate state queue (pubservices, high)
pass in quick on $ext_if inet proto tcp from any to $webserver port $webports flags S/SA modulate state queue (default, high)
pass in quick on $ext_if inet proto tcp from any to $btserver port $btports flags S/SA modulate state queue (bittorrent, default)
pass in quick on $ext_if inet proto gre from any to $ian modulate state queue (vpn, high)
pass out quick on $ext_if inet proto tcp from $external_addr to any flags S/SA modulate state queue (default, high)
pass out quick on $ext_if inet proto { udp, icmp } from $external_addr to any modulate state queue (default)
pass out quick on $ext_if inet proto gre from $external_addr to any modulate state queue (vpn, high)

As priq seems to be doing bandwidth throttling, does this not place an artificial bandwidth restriction of 700Kb/s on my /inbound/ traffic as well (which is something more in the order of a raw 3Mbps)? Yes, I fully recognize that by the time it gets here it's already traversed the pipe, but if altq only allows the OS to process at 700Kbps, then the pipe is effectively 700Kbps. (FWIW, I've done a few bandwidth tests that contradict that directly -- i.e. I transfer close to the practical maximum of 3Mbps, not the artificial maximum of 700Kbps. Hence my question.)