Re: VIA C7 hardware AES support in IPSEC(ctl)

2006-06-21 Thread Dries Schellekens

Bihlmaier Andreas wrote:


## openssl speed aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc     17311.15k    18319.00k    18569.35k    18893.09k    18765.02k

## openssl speed aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256 cbc     13658.21k    14272.24k    14446.41k    14594.65k    14587.05k


This is AES running in software.


## openssl speed -evp aes-128-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     50807.21k   181629.43k   493014.94k   823907.91k  1029947.70k

## openssl speed -evp aes-256-cbc
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-256-cbc     50317.60k   179579.03k   426484.45k   655755.44k   777427.43k


This is AES running on the VIA hardware accelerator.

Just compare AES-128 on 8192 bytes: 18765.02k vs 1029947.70k. That is
more than 50 times quicker.



Cheers,

Dries
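The comparison Dries draws by eye can be done mechanically over the whole table. The following is an added example, not code from the thread or from OpenSSL: a small Python parser for `openssl speed` output that computes the accelerated/software ratio for every cipher and block size. The two tables embedded in it are constructed from the figures quoted above; openssl reports throughput in thousands of bytes per second, which the parser converts to bytes per second.

```python
"""Parse `openssl speed` throughput tables and compute per-block-size speedups.

Added example for the misc@ thread above; the tables are constructed from
the figures quoted in the post (software AES-CBC vs. `-evp` on the VIA
accelerator), not captured fresh.
"""
import re

SOFTWARE_TABLE = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc     17311.15k    18319.00k    18569.35k    18893.09k    18765.02k
aes-256 cbc     13658.21k    14272.24k    14446.41k    14594.65k    14587.05k
"""

ACCELERATED_TABLE = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     50807.21k   181629.43k   493014.94k   823907.91k  1029947.70k
aes-256-cbc     50317.60k   179579.03k   426484.45k   655755.44k   777427.43k
"""

_SIZE_RE = re.compile(r"(\d+) bytes")          # column headers: "16 bytes", ...
_VALUE_RE = re.compile(r"^\d+(?:\.\d+)?k$")    # cells: "17311.15k" (1000s of bytes/s)


def parse_speed_table(text):
    """Return {cipher: {block_size: bytes_per_second}} from one speed table.

    The cipher name may contain a space ("aes-128 cbc" without -evp,
    "aes-128-cbc" with it); names are normalised to the hyphenated form so
    the two runs can be matched against each other.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    sizes = [int(s) for s in _SIZE_RE.findall(lines[0])]
    if not sizes:
        raise ValueError("no 'N bytes' column headers found")
    table = {}
    for line in lines[1:]:
        tokens = line.split()
        values = [t for t in tokens if _VALUE_RE.match(t)]
        if len(values) != len(sizes):
            raise ValueError(f"malformed row: {line!r}")
        name = " ".join(tokens[: len(tokens) - len(values)]).replace(" ", "-")
        table[name] = {size: float(v[:-1]) * 1000.0 for size, v in zip(sizes, values)}
    return table


def speedup(software, accelerated):
    """Ratio accelerated/software for every cipher present in both tables."""
    ratios = {}
    for name, sw_row in software.items():
        hw_row = accelerated.get(name)
        if hw_row is None:
            continue
        ratios[name] = {size: hw_row[size] / sw_row[size]
                        for size in sw_row if size in hw_row}
    return ratios


def report(software_text=SOFTWARE_TABLE, accelerated_text=ACCELERATED_TABLE):
    """Print one line per cipher and return the ratio table."""
    ratios = speedup(parse_speed_table(software_text),
                     parse_speed_table(accelerated_text))
    for name, row in ratios.items():
        cells = " ".join(f"{size}B:{r:5.1f}x" for size, r in sorted(row.items()))
        print(f"{name:12} {cells}")
    return ratios


if __name__ == "__main__":
    report()
```

Running it shows that the accelerator's advantage depends strongly on the operation size: well over 50x at 8192 bytes but under 3x at 16 bytes, so a bulk-throughput benchmark says little about a workload made of many small operations.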



Re: pkg_add -u not working

2006-06-21 Thread atstake atstake

On 6/21/06, Benjamin Collins [EMAIL PROTECTED] wrote:

What I expect the tool to do if I invoke it like
$ sudo pkg_add -u
is to do this (from pkg_add(1)):
If no pkgname is given, pkg_add will update all installed packages.

What actually happens after the above invocation is what Sebastian
pointed out - updatable package names are printed, but nothing is
actually updated.


This is exactly what happens in my 3.9-stable on i386 as well. But if
I do: pkg_add -ui pkg_name it updates the pkg_name + dependencies
just fine.



CVE-1999-0166 bug in NFS

2006-06-21 Thread Martin Marusak
I have installed OpenBSD 3.8. I exported a directory with
/mnt/gamma -maproot=root 192.168.1.14

line in /etc/exports

Next I tested the server with the Nessus vulnerability scanner and it found a
hole in NFS:
---
The remote NFS server allows users to use a 'cd ..' command
to access other directories besides the NFS file system.

The listing of /mnt/gamma is :
- .
- ..
- gamma.packages
- dir1
- dir2
- pack
- subow
- sub

After having sent a 'cd ..' request, the list of files is :
- .
- ..
- gamma
- file1
An attacker may use this flaw to read every file on this host

Solution : Contact your vendor for a patch
Risk factor : High
CVE : CVE-1999-0166
---

This seems like an old (1999) hole. Is there any patch for it or did I do
anything wrong?

M.Marusak



Re: CVE-1999-0166 bug in NFS

2006-06-21 Thread Otto Moerbeek
On Wed, 21 Jun 2006, Martin Marusak wrote:

 I have installed OpenBSD 3.8. I exported a directory with
 /mnt/gamma -maproot=root 192.168.1.14
 
 line in /etc/exports
 
 Next I tested the server with the Nessus vulnerability scanner and it found a
 hole in NFS:
 ---
 The remote NFS server allows users to use a 'cd ..' command
 to access other directories besides the NFS file system.
 
 The listing of /mnt/gamma is :
 - .
 - ..
 - gamma.packages
 - dir1
 - dir2
 - pack
 - subow
 - sub
 
 After having sent a 'cd ..' request, the list of files is :
 - .
 - ..
 - gamma
 - file1
 An attacker may use this flaw to read every file on this host

Please be more precise. Where is file1 located? What is this host? On
the server or the client? Also, you do not describe how the filesystem
is mounted. 

-Otto

 
 Solution : Contact your vendor for a patch
 Risk factor : High
 CVE : CVE-1999-0166
 ---
 
 This seems like an old (1999) hole. Is there any patch for it or did I do
 anything wrong?
 
 M.Marusak



Re: Clock Drift - VMWare

2006-06-21 Thread Guido Tschakert
Adrian Close wrote:
 On Tue, 20 Jun 2006, Justin Blackmore wrote:
 
 I'm running several OpenBSD 3.9 VM's on a GSX server and the clocks on
 the OBSD vm's drift pretty bad, the real time host hardware clock is
 
 How much drift?  The guest hardware clock generally won't be stable
 enough for NTP to keep things in sync (it might look like it's OK for a
 bit, but it won't be).

Hello,

I had the same problem with GSX Server and a linux guest, about 3 hours
in one day. (After stopping the java process from the developers, the
drift was only some minutes in a day :-) But the developers need their
crappy java stuff ;-) ).
 
 You might be able to use the Linux vmware-guestd tool (I haven't tried
 on OpenBSD), which will sync the time to the host hardware if you ask it
 (but you need X11 to config that, from memory).

I installed the vmware tools, don't have X running and started the
vmwaretools from another machine by ssh -X [EMAIL PROTECTED] vmware-tools.


Don't know if the vmware-tools work on openbsd (with linux or freebsd
emul), but you don't need X on the openbsd client; just an ssh connection
and X forwarding will help you to open the vmware-toolbox (if it runs on
openbsd, which I don't believe by now, but I am very interested if it
works :-)  )
Maybe you need tcl/tk.

I also had a look through the vmware-dirs on my machine but didn't find
where vmware-tool stores whether to synchronize time with the host or not.

 
 I once had a GSX setup where guest hardware clocks typically ran at 1/3
 - 1/10th of realtime, and sped up when the guest OS was eating lots of
 CPU, but that doesn't sound like what you have...
 
 Adrian Close                  email:  [EMAIL PROTECTED]
 107 Essex St, Pascoe Vale     web:    http://www.close.wattle.id.au/~adrian
 VIC, 3044, Australia          mobile: +61 417 346 094
 
 

thanks guido



Re: independence from dependencies

2006-06-21 Thread Joachim Schipper
On Tue, Jun 20, 2006 at 05:26:51PM -0700, prad wrote:
 i'm running koffice which wants postgre8.1.3
 but i want to use postgre8.1.4 (not sure why other than because the postgre 
 site told me to)
 
 however, when i pkg_add we get a conflict with the postgresql-client-8.1.3 
 which has already occupied its spot.
 
 if we do a pkg_add -u koffice will complain again just as it does going from 
 python2.3 to 2.4
 
 i can use -F, but that won't solve the problem from koffice's end right?
 
 how does one get by a problem like this?

Read about -stable (which has several fixes, including, I believe, one
for PostgreSQL) and pkg_add(8), especially the -r option.

If you are not on i386, you'll have to compile from ports(7).

Joachim



Re: CVE-1999-0166 bug in NFS

2006-06-21 Thread Miod Vallat

I have installed OpenBSD 3.8. I exported a directory with
/mnt/gamma -maproot=root 192.168.1.14

line in /etc/exports

Next I tested the server with the Nessus vulnerability scanner and it found a
hole in NFS:

[...]

This seems like an old (1999) hole. Is there any patch for it or did I do
anything wrong?


If /mnt/gamma is not a standalone filesystem, you are hitting the caveat
documented in the BUGS section of exports(5):

``   The export options are tied to the local mount points in the kernel and
must be non-contradictory for any exported subdirectory of the local
server mount point.  It is recommended that all exported directories
within the same server filesystem be specified on adjacent lines going
down the tree.  You cannot specify a hostname that is also the name of a
netgroup.  Specifying the full domain specification for a hostname can
normally circumvent the problem.''

i.e. by exporting /mnt/gamma, you are really exporting /mnt, hence the whole
/mnt filesystem is accessible via nfs, but you can't go up further.

Miod
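The Nessus finding in Martin's post and Miod's explanation describe the same condition: an exports(5) entry for a directory that is not itself a mount point exports the whole containing filesystem. The check below is an added example, not code from the thread or from OpenBSD: it reads mount(8)-style output and /etc/exports lines and flags every exported directory whose nearest mount point is some ancestor. The mount table and exports file embedded in it are constructed samples that mirror the thread (/mnt is one filesystem, /mnt/gamma merely a subdirectory of it).

```python
"""Flag exports(5) entries that are not mount points of their own.

Added example for the misc@ thread above. On a real host the two inputs
would come from `mount` and /etc/exports; here they are constructed
samples. An export whose directory sits below a mount point exposes the
whole filesystem at that mount point (exports(5) BUGS), which is what the
'cd ..' scanner result shows.
"""

SAMPLE_MOUNT_OUTPUT = """\
/dev/wd0a on / type ffs (local)
/dev/wd0d on /usr type ffs (local, nodev)
/dev/wd0e on /home type ffs (local, nodev, nosuid)
/dev/wd1a on /mnt type ffs (local, nodev)
"""

SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/mnt/gamma -maproot=root 192.168.1.14
/home -alldirs 192.168.1.0/24
/usr/share/pkg /usr/ports/distfiles -ro 192.168.1.14
"""


def parse_mount_points(text):
    """Mount points from mount(8)-style lines ('<dev> on <dir> type <fs> (...)')."""
    points = []
    for line in text.splitlines():
        if " on " not in line:
            continue
        rest = line.split(" on ", 1)[1]
        points.append(rest.split(" type ", 1)[0].strip())
    return points


def parse_exports(text):
    """Yield (directory, remainder) for each directory on an exports(5) line.

    A line may name several directories before its options and hosts; every
    token starting with '/' at the beginning of the line is a directory.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        directories = []
        while tokens and tokens[0].startswith("/"):
            directories.append(tokens.pop(0))
        remainder = " ".join(tokens)
        for directory in directories:
            yield directory, remainder


def containing_mount(path, mount_points):
    """Longest mount point that is path itself or an ancestor of it."""
    best = "/"
    for mp in mount_points:
        prefix = mp.rstrip("/") + "/"
        if (path == mp or path.startswith(prefix)) and len(mp) > len(best):
            best = mp
    return best


def audit_exports(exports_text, mount_text):
    """List exports whose directory is below, rather than at, a mount point."""
    mounts = parse_mount_points(mount_text)
    findings = []
    for directory, remainder in parse_exports(exports_text):
        mp = containing_mount(directory, mounts)
        if mp != directory:
            findings.append({"export": directory, "filesystem": mp,
                             "options": remainder})
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS, SAMPLE_MOUNT_OUTPUT):
        print(f"{f['export']} is not a mount point: clients see all of "
              f"{f['filesystem']} ({f['options']})")
```

On the sample, /mnt/gamma is reported as exposing /mnt while /home, a filesystem of its own, passes. The usual remedy is the one exports(5) implies: give the directory its own filesystem, or export the mount point deliberately and restrict with -ro and explicit hosts.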



vpn gateway question

2006-06-21 Thread Frans Haarman
I have a quick question.

I want to try to setup a vpn gateway. It would need vpn connections with
several clients (using the same subnets!!). I want to somehow map
each vpn connection to another IP range, so we can contact all networks at
the same time.

I think I can accomplish this using NAT or bidirectional mappings?

I do not know however if it's possible to create several vpn connections
which have the same network on the other side. Is this possible?! Most
clients use 192.168.1.x. For each client I want to define a 10.1.1.x and map
all addresses to the 192.168.1.x range of that client.

Something like:

10.1.1.x  192.168.1.x
10.2.2.x  192.168.1.x
10.3.3.x  192.168.1.x

But it looks like this would mess up routing tables. How would you do this?!
Is it even possible?

Regards,

Frans



Re: Clock Drift - VMWare

2006-06-21 Thread Christopher Vance

On Wed, Jun 21, 2006 at 02:45:01PM +1000, Adrian Close wrote:

On Tue, 20 Jun 2006, Justin Blackmore wrote:


I'm running several OpenBSD 3.9 VM's on a GSX server and the clocks on
the OBSD vm's drift pretty bad, the real time host hardware clock is


How much drift?  The guest hardware clock generally won't be stable 
enough for NTP to keep things in sync (it might look like it's OK for a 
bit, but it won't be).


You might be able to use the Linux vmware-guestd tool (I haven't tried on 
OpenBSD), which will sync the time to the host hardware if you ask it (but 
you need X11 to config that, from memory).


I once had a GSX setup where guest hardware clocks typically ran at 1/3 - 
1/10th of realtime, and sped up when the guest OS was eating lots of CPU, 
but that doesn't sound like what you have...


I don't have GSX, but I'm running some of my OpenBSD under WS5.5.1 on
a Linux amd64 (Dapper), and have clock drift there.  vmware says it's
at least partly due to CPU speed shifting on the underlying hardware.

For my limited purposes, frequent usage of rdate is adequate.

Did you consider trying timed, with master nailed to one of the
machines which can do ntp right?

--
Christopher Vance



Re: VIA C7 hardware AES support in IPSEC(ctl)

2006-06-21 Thread Bihlmaier Andreas
On Wed, Jun 21, 2006 at 09:18:14AM +0200, Dries Schellekens wrote:
 Bihlmaier Andreas wrote:
 
 ## openssl speed aes-128-cbc
 type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
 aes-128 cbc     17311.15k    18319.00k    18569.35k    18893.09k    18765.02k
 
 ## openssl speed aes-256-cbc
 type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
 aes-256 cbc     13658.21k    14272.24k    14446.41k    14594.65k    14587.05k
 
 This is AES running in software.
 
 ## openssl speed -evp aes-128-cbc
 type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
 aes-128-cbc     50807.21k   181629.43k   493014.94k   823907.91k  1029947.70k
 
 ## openssl speed -evp aes-256-cbc
 type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
 aes-256-cbc     50317.60k   179579.03k   426484.45k   655755.44k   777427.43k
 
 This is AES running on the VIA hardware accelerator.
 
 Just compare AES-128 on 8192 bytes: 18765.02k vs 1029947.70k. That is
 more than 50 times quicker.

I don't mean to offend you, but ...
Doh, I know that and these are VERY nice figures, BUT my problem is
that I have too slow (== no acceleration) speed in IPSEC.
I thought that OpenBSD would just make use of it (again in IPSEC) if it
detects it.

Regards,
ahb



Re: VIA C7 hardware AES support in IPSEC(ctl)

2006-06-21 Thread Dries Schellekens

Bihlmaier Andreas wrote:


I don't mean to offend you, but ...
Doh, I know that and these are VERY nice figures, BUT my problem is
that I have too slow (== no acceleration) speed in IPSEC.
I thought that OpenBSD would just make use of it (again in IPSEC) if it
detects it.


IPSEC always uses the kernel crypto API. So it *is* being used.
The performance bottleneck is somewhere else: the kernel crypto
interface itself, the network interface, ...



Cheers,

Dries



Re: VIA C7 hardware AES support in IPSEC(ctl)

2006-06-21 Thread Massimo Lusetti
On Wed, 2006-06-21 at 13:48 +0200, Bihlmaier Andreas wrote:

 I don't mean to offend you, but ...
 Doh, I know that and these are VERY nice figures, BUT my problem is
 that I have too slow (== no acceleration) speed in IPSEC.
 I thought that OpenBSD would just make use of it (again in IPSEC) if it
 detects it.

You haven't specified the network setup and how you conducted the
tests.

-- 
Massimo.run();



Re: release email in amavis temp

2006-06-21 Thread sonjaya

Some email detected as spam is also most important email, so how to restore
email in /var/virusmail/xxx, because that email is important?
Also, anybody have some tip to make amavisd-new in openbsd 3.9 work
faster, because there is a lot of delay when sending and receiving with
attachments?
My regards




You can, however, configure amavisd to save pretty much exactly what you
want to a temporary directory. As to the tmp directory and the directory
amavisd saves to, set up a cron job to clean it out unless you want to
do so manually (I don't; but mail gets saved to guard against a possible
false positive on really important mail).

Joachim




Re: Opinion of MySQL 5.xx on OpenBSD 3.9...

2006-06-21 Thread Frank Bax

At 04:54 PM 6/20/06, Daniel Ouellet wrote:


Bryan Irvine wrote:

Works ok for me.  Hasn't crashed or anything like that.  I use mysql 5 on
OpenBSD that some web apps talk to.  I just did an import of a previous
dump, and it took somewhere in the neighborhood of 7 hours give or take.
(for a few tens of millions of INSERTS that's not bad).
This is run on a slightly older sun 220r (450Mhz), and 10K rpm disks.


Interesting. It takes me ~25 minutes for 9.5 million records in many
databases/tables. But my dump is/was done with --opt so as not to create the
index when you do the import, but only when all data is imported. This
saves many hours if not used. Are you sure you do your dump with the --opt
flag? If I don't do this, it sure will take me about 8 1/2 hours to do the
same.


Just a side note that might help, or it may not, but just thought to pass
it along in case it helps you.




Actually, the option is really --disable-keys.  The --opt option is just a 
shorthand for several options (including --disable-keys).


WARNING:  the man page for mysqldump says that defaults have changed in V5. 



Re: release email in amavis temp

2006-06-21 Thread Guido Tschakert
sonjaya wrote:
 Some email detected as spam is also most important email, so how to restore
 email in /var/virusmail/xxx, because that email is important?
 Also, anybody have some tip to make amavisd-new in openbsd 3.9 work
 faster, because there is a lot of delay when sending and receiving with
 attachments?
 My regards
 
 
Hello,

amavis works much faster if its tempdir is mounted on a ramdisk.
(but at this moment I don't know how to configure a ramdisk with OpenBSD,
but surely google will know)



guido



Re: 256 color support for terminals under X

2006-06-21 Thread Bihlmaier Andreas
On Tue, Jun 20, 2006 at 09:29:24PM +, Christian Weisgerber wrote:
 Bihlmaier Andreas [EMAIL PROTECTED] wrote:
 
  I stumbled across a problem with all X terminal emulators in OpenBSD
  (that is xterm and aterm, eterm and rxvt from ports).
  None of the above seems to support 256 colors. I tried various
  combinations of $TERM (xterm, xterm-color, xterm-xfree86,
  xterm-256color) with all the terminals, running and not running screen.
 
 xterm as distributed with OpenBSD is *not* built with 256-color
 support.
 
  I googled for about 3 hours last night, but without a definite answer
  whether OpenBSD supports 256colors in terminal under X. The argument I
  read (sorry can't seem to find the link anymore) was that the 256color
  support had some issues and was removed.
 
 It is simply not enabled by default in the xterm upstream distribution.
 -- 
 Christian naddy Weisgerber  [EMAIL PROTECTED]

Thanks for confirming this. Since I don't want to make a custom xterm
build for every one of my desktop boxes, I'll just drop the idea and use
another colorscheme.

ahb



Re: vpn gateway question

2006-06-21 Thread Dag Richards

Frans Haarman wrote:

I have a quick question.

I want to try to setup a vpn gateway. It would need vpn connections with
several clients (using the same subnets!!). I want to somehow map
each vpn connection to another IP range, so we can contact all networks at
the same time.

I think I can accomplish this using NAT or bidirectional mappings?

I do not know however if it's possible to create several vpn connections
which have the same network on the other side. Is this possible?! Most
clients use 192.168.1.x. For each client I want to define a 10.1.1.x and map
all addresses to the 192.168.1.x range of that client.

Something like:

10.1.1.x  192.168.1.x
10.2.2.x  192.168.1.x
10.3.3.x  192.168.1.x

But it looks like this would mess up routing tables. How would you do this?!
Is it even possible?

Regards,

Frans



I would think that the simplest way to do this would be to do a NAT on 
each of the remote GW devices.  So your central device _has_ a vpn to 
three unique subnets.  Otherwise I think you are in for some really ugly 
kludges.




Re: VIA C7 hardware AES support in IPSEC(ctl)

2006-06-21 Thread Bihlmaier Andreas
On Wed, Jun 21, 2006 at 02:24:18PM +0200, Massimo Lusetti wrote:
 On Wed, 2006-06-21 at 13:48 +0200, Bihlmaier Andreas wrote:
 
  I don't mean to offend you, but ...
  Doh, I know that and these are VERY nice figures, BUT my problem is
  that I have too slow (== no acceleration) speed in IPSEC.
  I thought that OpenBSD would just make use of it (again in IPSEC) if it
  detects it.
 
 You haven't specified the network setup and how you conducted the
 tests.

Sorry for that, but I thought it wouldn't matter:
All hosts are in the same network and can talk directly to each other,
but for insecure protocols (NFS, HTTP) I run a VPN between them.

host1       router       host2
10.0.0.1    10.0.0.254   10.0.0.8     // Real IP
                                      // VPN
10.2.0.1    10.2.0.254   10.2.0.8     // alias used for VPN

        +---------+
host1---+         |
        | Switch  +--- router
host2---+         |
        +---------+

I use iperf -w 256k for testing purposes.
The speed between hosts/router using their real IPs (-B 10.0.0.*) is
about 70-80 Mb/s.

~22 Mb/s between host1 and host2 using their VPN IPs.

Hope this made some stuff more clear.

Thanks everyone for helping, I hope this can be fixed.
ahb



Re: release email in amavis temp

2006-06-21 Thread Joachim Schipper
On Wed, Jun 21, 2006 at 04:30:20PM +0200, Guido Tschakert wrote:
 sonjaya wrote:
  Some email detected as spam is also most important email, so how to restore
  email in /var/virusmail/xxx, because that email is important?
  Also, anybody have some tip to make amavisd-new in openbsd 3.9 work
  faster, because there is a lot of delay when sending and receiving with
  attachments?
  My regards
  
  
 Hello,
 
 amavis works much faster if its tempdir is mounted on a ramdisk.
 (but at this moment I don't know how to configure a ramdisk with OpenBSD,
 but surely google will know)

You are thinking about mount_mfs(8), I suppose. But the usual caveats
about slow lookups still apply, and amavisd does a *lot* of lookups. In
particular, a misconfigured network of some kind will make it very, very
slow.

Joachim



Re: release email in amavis temp

2006-06-21 Thread Joachim Schipper
On Wed, Jun 21, 2006 at 08:23:11PM +0700, sonjaya wrote:
 You can, however, configure amavisd to save pretty much exactly what you
 want to a temporary directory. As to the tmp directory and the directory
 amavisd saves to, set up a cron job to clean it out unless you want to
 do so manually (I don't; but mail get saved to guard against a possible
 false positive on really important mail).

 Some email detected as spam is also most important email, so how to restore
 email in /var/virusmail/xxx, because that email is important?

Depends on the MTA and mail storage mechanism used, I suppose.

 Also, anybody have some tip to make amavisd-new in openbsd 3.9 work
 faster, because there is a lot of delay when sending and receiving with
 attachments?

Looks like the virus scanner, unpacker, or something similar is taking
a long time. This can be caused by anything from a busy CPU to a slow
disk (in which case mount_mfs(8) may indeed work).

Joachim



FYI SK(4) D-Link DGE-530T Rev B1 does not appear in dmesg.

2006-06-21 Thread shanejp
Hello list,

Just an FYI on the B1 revision of the D-Link DGE-530T.

I recently purchased another D-Link DGE-530T and noticed when I got it
home that it is a Rev B1 card, unlike all my others which are Rev A1.
The Rev B1 card is not shown in the dmesg and thus does not yet work.

The chips on the cards are marked with these numbers:

Rev A1: 88E8003-LKJ
Rev B1: 88E8001-LKJ1

The dmesg with the B1 card only lacks the three appropriate lines which
appear for the Rev A1 card when it is inserted in the same PCI slot:



dmesg with DGE-530T Rev A1:

OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 349 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 402235392 (392808K)
avail mem = 359677952 (351248K)
using 4278 buffers containing 20213760 bytes (19740K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(c7) BIOS, date 04/14/98, BIOS32 rev. 0 @ 0xec700
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xec700/0x3900
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf69e0/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:20:0 (Intel 82371AB PIIX4 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xe/0x8000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Rage Pro rev 0x5c
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
skc0 at pci0 dev 16 function 0 D-Link Systems DGE-530T rev 0x11, Marvell Yukon (0x1): irq 11
sk0 at skc0 port A, address 00:11:95:f7:3c:5e
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 3
pcib0 at pci0 dev 20 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 20 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: ST320430A
wd0: 16-sector PIO, LBA, 19470MB, 39876480 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: COMPAQ, CD-ROM CR-589, GC4K SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 20 function 2 Intel 82371AB USB rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piixpm0 at pci0 dev 20 function 3 Intel 82371AB Power rev 0x02: SMI
iic0 at piixpm0
unknown at iic0 addr 0x18 not configured
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
sb0 at isa0 port 0x220/24 irq 5 drq 1: dsp v3.01
midi0 at sb0: SB MIDI UART
audio0 at sb0
opl0 at sb0: model OPL3
midi1 at opl0: SB Yamaha OPL3
pcppi0 at isa0 port 0x61
midi2 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ff45 netmask ff45 ttymask ffc7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
uhidev0 at uhub0 port 1 configuration 1 interface 0
uhidev0: Microsoft Basic Optical Mouse, rev 1.10/0.00, addr 2, iclass 3/1
ums0 at uhidev0: 3 buttons and Z dir.
wsmouse0 at ums0 mux 0
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302



dmesg with DGE-530T Rev B1 is the same but without these:

skc0 at pci0 dev 16 function 0 D-Link Systems DGE-530T rev 0x11, Marvell Yukon (0x1): irq 11
sk0 at skc0 port A, address 00:11:95:f7:3c:5e
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 3



I noticed while Googling for info on this that NetBSD has added
support for the B1. Here are links to the entries if it helps at all:

http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/pci/if_sk.c?rev=1.7.2.3.2.9&content-type=text/x-cvsweb-markup

http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/pci/if_skreg.h?rev=1.7&content-type=text/x-cvsweb-markup


I hope D-Link don't go radically changing chipsets on these cheap sk's
like they have been known to do with their wireless cards.

Bye for now,


Shane







Crashes and HDD params

2006-06-21 Thread Przemysław Pawełczyk
Hi,

How to change HDD parameters like this:

wd1 at pciide0 channel 1 drive 0: FUJITSU MPD3084AT
wd1: 16-sector PIO, LBA, 8063MB, 16514064 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2

to get rid of the crashes I register several times a day, with very bad
results on my files?

Cheers,
warpman (Przemysław Pawełczyk)

http://warpman.kv.net.pl



Re: VIA C7 hardware AES support in IPSEC(ctl)

2006-06-21 Thread Dries Schellekens

Bihlmaier Andreas wrote:


I use iperf -w 256k for testing purposes.
The speed between hosts/router using their real IPs (-B 10.0.0.*) is
about 70-80 Mb/s.

~22 Mb/s between host1 and host2 using their VPN IPs.

Hope this made some stuff more clear.

Thanks everyone for helping, I hope this can be fixed.


What speed do you get when using ssh/sftp? You can disable the userland 
support of the hardware accelerator using sysctl kern.usercrypto=0 to 
see if it makes a big difference.



Cheers,

Dries



Doubts about OpenBSD security.

2006-06-21 Thread João Salvatti

My doubts may seem foolish, so thanks in advance to those who will read
this e-mail and may help me with my doubts.

1. Why doesn't passwd ask for the superuser's current password when it's run
by the superuser to change its own password? May it not be considered
a serious security flaw?

2. Why doesn't the system ask for the password, as a default action, to
log in to the system when entering single user mode? May it not also
be considered a serious security flaw? And why isn't there a
different password to log in to single user mode, instead of using root's
password?

A real example:

Let's suppose an attacker entered the room where an OpenBSD server is
located, and by mistake the system administrator has forgotten to
log out of the root login session. So the attacker could enter single
user mode, without the need for the root password, and load a
malicious kernel module. He could also do millions of other things,
except changing root's password, because the system administrator would
notice it immediately.
I believe it could be more difficult for the attacker if there were a
different password to log in to the system in single user mode.

Thanks for the time wasted reading this e-mail, and I'm sorry if my
questions are too silly.

--
João Salvatti
Undergraduate in Computer Science
Federal University of Para - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]



FW: technical help

2006-06-21 Thread Leung, Tony
Hello,

I have a question about firewall rules on openbsd. Should I ask here for
help?







Tony



sendmail question

2006-06-21 Thread Peter Philipp
Hi,

I'm trying to modify my outgoing Message-Id, with my mailer MUA (mutt) I can 
configure this.  However when I try to use mail(1) it does not update the 
Message-Id, I read a bit in the source and it doesn't seem to be set in
mail(1), and a ktrace shows that it pipes everything to sendmail directly.

Here is what I stuck in my sendmail .mc file:

define(`confMESSAGEID_HEADER', `[EMAIL PROTECTED]')dnl

That's how I'd like it to look here is how it looks in the H config in the
.cf file:

H?M?Resent-Message-Id: [EMAIL PROTECTED]
H?M?Message-Id: [EMAIL PROTECTED]

I read up what the ?M? means.. it means that if the flags M are set,

Mlocal, P=/usr/local/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
Mprog,  P=/bin/sh, F=lsDFMoqeu9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, D=$z:/,
Msmtp,  P=[IPC], F=mDFMuX, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
Mesmtp, P=[IPC], F=mDFMuXa, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
Msmtp8, P=[IPC], F=mDFMuX8, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
Mdsmtp, P=[IPC], F=mDFMuXa%, S=EnvFromSMTP/HdrFromSMTP, R=EnvToSMTP, E=\r\n, L=990,
Mrelay, P=[IPC], F=mDFMuXa8, S=EnvFromSMTP/HdrFromSMTP, R=MasqSMTP, E=\r\n, L=2040,

... and so they are.  

But it still doesn't overwrite the Message-Id: to how I want it.  


What am I missing?

Thanks for any useful replies,

-peter



Re: Doubts about OpenBSD security.

2006-06-21 Thread Theo de Raadt
 My doubts may seem foolish, so thanks in advance to those who will read
 this e-mail and may help me with my doubts.
 
 1. Why doesn't passwd ask for the superuser's current password when it's run
 by the superuser to change its own password? May it not be considered
 a serious security flaw?

Oh come on.  Are you serious?  Why ask for the old password when that
same user can just rm -rf /

 2. Why doesn't the system ask for the password, as a default action, to
 log in to the system when entering single user mode? May it not also
 be considered a serious security flaw? And why isn't there a
 different password to log in to single user mode, instead of using root's
 password?

This can be changed very easily by removing the keyword secure from
the console line in /etc/ttys

For now, we ship with it open for the root password by default, because
too many people want it so.



Re: FW: technical help

2006-06-21 Thread Darrin Chandler
On Wed, Jun 21, 2006 at 10:12:53AM -0600, Leung, Tony wrote:
 I have a question about firewall rules on openbsd. Should I ask here for
 help?

Here is a good place, and there's also a pf mailing list as well
(pf@benzedrine.cx).

You may want to see if your questions have already been answered by
searching the archives, reading the FAQ at www.openbsd.org/faq/pf/, and
reading the man pages for pf(4) and pf.conf(5). Chances are *very* good
that whatever your question, it has come up before.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Configuring pppoe during installation?

2006-06-21 Thread sebastian . rother
Would it be possible that the installer asks if you may wanna use the NIC
for pppoe connections and then maybe also asks for user/PW for the
connection settings? :)

In my opinion this little change may bring more usability
(or however that's written...) and it would save some time which is needed to
create a hostname.pppoe. :)

I think that change for the installer is very small and may be
useful too, since OpenBSD can do kernel pppoe.


Kind regards,
Sebastian



Re: Doubts about OpenBSD security.

2006-06-21 Thread Adam
João Salvatti [EMAIL PROTECTED] wrote:

 1. Why doesn't passwd ask for the superuser's current password when it's run
 by the superuser to change its own password? May it not be considered
 a serious security flaw?

No, it may not.  Why would that matter at all?

 2. Why doesn't the system ask for the password, as a default action, to
 log in to the system when entering single user mode? May it not also
 be considered a serious security flaw? And why isn't there a
 different password to log in to single user mode, instead of using root's
 password?

If the local console is not secure, then remove the secure flag from
it in /etc/ttys.  This still doesn't do much, people can just boot some
other media and then do whatever they want to your openbsd install if
the machine is not physically secured.

Adam
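Both Theo's and Adam's answers point at the same knob: the `secure` keyword on the console line of /etc/ttys decides whether init(8) asks for the root password before starting a single-user shell. The script below is an added example, not code from the thread or from OpenBSD: it parses ttys(5)-style lines, reports whether single-user mode is password-protected, lists the terminals on which root may log in directly, and produces the hardened file the two replies describe. The ttys content it works on is a constructed sample, not a copy of the real file.

```python
"""Audit and harden the 'secure' flag in a ttys(5) file.

Added example for the misc@ thread above; SAMPLE_TTYS is a constructed
file in the layout of /etc/ttys, not the real one. With 'secure' on the
console entry, init(8) drops into a single-user shell without asking for
the root password; removing the keyword makes it ask.
"""
import re
import shlex

SAMPLE_TTYS = """\
# name   getty                         type     status        comments
console  "/usr/libexec/getty Pc"       vt220    on secure
ttyC0    "/usr/libexec/getty Pc"       vt220    on secure
ttyC1    "/usr/libexec/getty Pc"       vt220    on secure
tty00    "/usr/libexec/getty std.9600" unknown  off
"""


def parse_ttys(text):
    """Return {name: {"getty": str, "type": str, "flags": set}} for each entry.

    Fields are whitespace separated; the getty command is usually quoted,
    which shlex handles. Anything after '#' is a comment.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            continue                      # malformed or truncated entry
        name, getty, ttype, *flags = fields
        entries[name] = {"getty": getty, "type": ttype, "flags": set(flags)}
    return entries


def single_user_requires_root_password(text):
    """True when the console entry exists and is not marked 'secure'."""
    console = parse_ttys(text).get("console")
    return console is not None and "secure" not in console["flags"]


def secure_ttys(text):
    """Terminals that are enabled and 'secure', i.e. where root may log in directly."""
    return sorted(name for name, entry in parse_ttys(text).items()
                  if {"on", "secure"} <= entry["flags"])


def remove_console_secure(text):
    """Return the file with 'secure' stripped from the console line only.

    Other lines are left byte-for-byte intact so a diff shows one change.
    """
    out = []
    for raw in text.splitlines():
        if raw.split()[:1] == ["console"]:
            raw = re.sub(r"\s+secure\b", "", raw)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("single-user asks for root password:",
          single_user_requires_root_password(SAMPLE_TTYS))
    print("root may log in on:", ", ".join(secure_ttys(SAMPLE_TTYS)))
    print("--- hardened ---")
    print(remove_console_secure(SAMPLE_TTYS), end="")
```

The audit is only as strong as physical access control: as Adam notes, anyone who can boot other media does not need single-user mode at all, so the `secure` change raises the bar for a walk-up on a running box and nothing more.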



Re: Doubts about OpenBSD security.

2006-06-21 Thread Dries Schellekens

João Salvatti wrote:


Let's suppose an attacker entered the room where an OpenBSD server is
located, and by mistake the system administrator has forgotten to
log out of the root login session. So the attacker could enter single
user mode, without the need for the root password, and load a
malicious kernel module. He could also do millions of other things,
except changing root's password, because the system administrator would
notice it immediately.
I believe it could be more difficult for the attacker if there were a
different password to log in to the system in single user mode.


He can also boot from cdrom or usb and then install everything you 
described. He can also remove the hard drive and mount it in a laptop. 
He can install a hardware key logger. etc.


Once someone has physical access, all is lost with current hardware.


Cheers,

Dries



Re: Doubts about OpenBSD security.

2006-06-21 Thread Ted Unangst

On 6/21/06, João Salvatti [EMAIL PROTECTED] wrote:

Let's suppose an attacker entered the room where an OpenBSD server is


why didn't you lock the door?


located in, and by mistake the system administrator has forgotten to
logout the root login session. So the attacker could enter in single
user mode, without the need for the root password, and load a
malicious kernel module. He also could do millions of other things,
but changing root's password, because the system administrator would
notice it immediately.
I believe it could be more difficult for the attacker if there were a
different password to log in the system in single user mode.


or the attacker could take his super 1337 hax0rix0ragizzlerotfl usb
key out of his pocket, plug it in, and boot from that.

really, it's very simple: if you don't control access to the server,
you don't control the server.



Re: Doubts about OpenBSD security.

2006-06-21 Thread Darrin Chandler
On Wed, Jun 21, 2006 at 02:23:20PM -0300, João Salvatti wrote:
 My doubts may seem fool, so thanks in advance for those who will read
 this e-mail and may help me with my doubts.
 
 1. Why doesn't passwd ask superuser's current password when it's run
 by the superuser to change its own password? May not it be considered
 a serious security flaw?

Root could easily get around such a thing, being root and all. Don't log
in as root. If you must log in as root, don't when someone else can walk
up and change the root password.

 2. Why doesn't the system ask the password, as a default action, to
 log in the system, when entering in single user mode? May not it also
 be considered a serious security flaw? And why doesn't exist a
 different password to log in single user mode, instead of using root's
 password?

If you have physical access to the computer then you literally own it.
You can pop out the disk and put in into another computer. You can pour
vodka into the machine. If you can't physically secure your important
computers then you are not secure. Period.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Re: Doubts about OpenBSD security.

2006-06-21 Thread João Salvatti

Thanks for all.


On 6/21/06, Peter Landry [EMAIL PROTECTED] wrote:

I think that when you've given an attacker physical access to a machine with a 
root session open, there's not a whole lot OpenBSD (or any OS) can do... The 
attacker could also, with physical access, attach a keystroke logger, unplug your 
machine, or any number of other bad/humorous things I'm not clever enough to 
think of -- no matter what OS is running on the system.

Hope that allays some of your fears regarding OpenBSD in particular...

Peter L.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of João Salvatti
Sent: Wednesday, June 21, 2006 1:23 PM
To: Misc OpenBSD
Subject: Doubts about OpenBSD security.

My doubts may seem fool, so thanks in advance for those who will read
this e-mail and may help me with my doubts.

1. Why doesn't passwd ask superuser's current password when it's run
by the superuser to change its own password? May not it be considered
a serious security flaw?

2. Why doesn't the system ask the password, as a default action, to
log in the system, when entering in single user mode? May not it also
be considered a serious security flaw? And why doesn't exist a
different password to log in single user mode, instead of using root's
password?

A real example:

Let's suppose an attacker entered the room where an OpenBSD server is
located in, and by mistake the system administrator has forgotten to
logout the root login session. So the attacker could enter in single
user mode, without the need for the root password, and load a
malicious kernel module. He also could do millions of other things,
but changing root's password, because the system administrator would
notice it immediately.
I believe it could be more difficult for the attacker if there were a
different password to log in the system in single user mode.

Thanks for the time wasted reading this e-mail and I'm sorry if my
questions are too silly.

--
João Salvatti
Undergraduate in Computer Science
Federal University of Para - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]






--
João Salvatti
Undergraduate in Computer Science
Federal University of Para - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]



Re: Doubts about OpenBSD security.

2006-06-21 Thread Bob Beck
* João Salvatti [EMAIL PROTECTED] [2006-06-21 11:38]:
 My doubts may seem fool, so thanks in advance for those who will read
 this e-mail and may help me with my doubts.
 
 1. Why doesn't passwd ask superuser's current password when it's run
 by the superuser to change its own password? May not it be considered
 a serious security flaw?

No. you're already root. You can also do:

vipw
cat /etc/master.passwd | sed 's/^root:[^:]*:/root::/' > /tmp/shit && mv \
/tmp/shit /etc/master.passwd && pwd_mkdb -p /etc/master.passwd

etc. etc. etc.

 
 2. Why doesn't the system ask the password, as a default action, to
 log in the system, when entering in single user mode? May not it also
 be considered a serious security flaw? And why doesn't exist a
 different password to log in single user mode, instead of using root's
 password?
 

No, because if you have single user mode you have physical
access to the machine. if I have physical access to the machine
I can plug in the usb key around my neck, boot the system on it instead,
mount your disk and do the above from case one.


 A real example:
 
 Let's suppose an attacker entered the room where an OpenBSD server is
 located in, and by mistake the system administrator has forgotten to
 logout the root login session. So the attacker could enter in single
 user mode, without the need for the root password, and load a
 malicious kernel module. He also could do millions of other things,
 but changing root's password, because the system administrator would
 notice it immediately.
 I believe it could be more difficult for the attacker if there were a
 different password to log in the system in single user mode.

No, because even if you didn't forget to log out, read the above. If
I have physical access to your machine, you are fucked.  it's that
simple. I don't need to have you logged in as root to get single user
- I simply hit the power button, and boot single user, or boot up the
usb key/cdrom/floppy/zaurus-set-up-as-a-boot-server-in-me-pocket that
is in my pocket, which I already have root and all the malicious shit
I want on it and can copy on to your disk. And face it, your machine's
bios is *not* openbsd and is *not* secure. period. 

IMNSHO, a root password for single user makes the system *LESS*
secure, and I'm dead serious. I would object to any attempt to commit
changes to OpenBSD to have one by default. Why? Real simple: *because
you asked this question*. - Now I'm not just crapping on you, every
new sysadmin I know asks this. The point is, if OpenBSD put a root
password on single user, you might be tempted to think that somehow,
someway, a not-physically secured machine was secure, and be tempted
to deploy it that way. And don't laugh, I've seen the assumption made
(I work at a university). My point is that putting security measures
in place that do not do anything because of equivalent access make
people believe that they *do* do something, and therefore people make
incorrect assumptions and do things insecurely. 

Physical access is everything highness. Anyone who says differently
is selling something.

-Bob



Re: FW: technical help

2006-06-21 Thread Terry
On Wed, Jun 21, 2006 at 10:12:53AM -0600, Leung, Tony wrote:
 Hello,
 
 I have a question about firewall rules on openbsd. Should I ask here for
 help?

You can ask here or you can ask on pf@benzedrine.cx, just make sure you
do your research first.

-- 
Terry
http://tyson.homeunix.org



Re: Configuring pppoe during installation?

2006-06-21 Thread Marco Peereboom
I don't like this idea.  I think it is the wrong assumption that most
machines run PPPoE.  The folks that use this can easily update the appropriate
files after the initial install is complete.

On Wed, Jun 21, 2006 at 07:45:45PM +0200, [EMAIL PROTECTED] wrote:
 Would it be possible that the installer asks if you wanna use the NIC
 for pppoe connections and then maybe also asks for user/PW for the
 connection settings? :)
 
 In my opinion this little change may bring more usability
 (or however that's spelled...) and it would save some time which is needed to
 create a hostname.pppoe. :)
 
 I think that change for the installer is very small and may be
 useful too since OpenBSD can do kernel-pppoe.
 
 
 Kind regards,
 Sebastian



Re: Doubts about OpenBSD security.

2006-06-21 Thread Jared Solomon

That's why I always hardware hack my servers with a fragmentation
grenade.  And, for good measure, anti-personnel mines underneath the
raised flooring.

On 6/21/06, Dries Schellekens [EMAIL PROTECTED] wrote:


Once someone has physical access, all is lost with current hardware.





--
Try to do nothing for money that you wouldn't do for free.  --Paul Krassner



Re: ifconfig -l feature

2006-06-21 Thread Douglas Santos
On Wed, 2006-06-21 at 10:15 -0300, Pedro Martelletto wrote:
 please add a -p too, that would make the output be in pink
 
 and a -b to blink while at it
 
 you know, it's hard to script that

You are a joke Pedro Martelletto.

I remember you, other day, asking for a stupid howto for squid,
and others stupid things.

So, how do you prefer we call you ?
Pedro Bastos [1] ?
Pedro M de A Bastos [2] ?
Pedro Marteleto de Alvarenga Bastos [3] ?
Pedro Martelletto [4] ?

I think we need: ifconfig -truth
Show me the truth, no more lies here.

[1] http://marc.theaimsgroup.com/?l=openbsd-misc&m=96173811200916&w=2
[2] http://marc.theaimsgroup.com/?l=openbsd-misc&m=99534253611414&w=2
[3] http://marc.theaimsgroup.com/?l=openbsd-misc&m=102181894418315&w=2
[4] http://marc.theaimsgroup.com/?l=openbsd-misc&m=108048785313517&w=2

--
I was wondering if anybody could tell me where can I find a how-to or
how to (duh) make an OpenBSD box running squid act as a transparent
proxy ?
- Pedro Martel[l]et[t]o [de Alvarenga Bastos],
 aka Mister the Truth,
OpenBSD Developer since Pedro Marttelleto.



Re: Doubts about OpenBSD security.

2006-06-21 Thread Matthew Jenove

João Salvatti [EMAIL PROTECTED] wrote:

Let's suppose an attacker entered the
room where an OpenBSD server is
located in,


Most would argue that at this point you've already lost the security game.



So the attacker could enter in single
user mode, without the need for the root
password,


He could also boot off of removable media with any OS that has support
for FFS, mount your partitions, and copy over or change any file he
wishes.

Or if it is a typically-sized micro, he can just leave with it.

Or if it's a vax, he may ride away with it
(http://buscaluz.org/photos/Misc/vax.png).

Computer security has to include physical security, too.

-mj



Re: Doubts about OpenBSD security.

2006-06-21 Thread Gabriel Puliatti

On 6/21/06, Gabriel Puliatti [EMAIL PROTECTED] wrote:

On 6/21/06, Theo de Raadt [EMAIL PROTECTED] wrote:
  My doubts may seem fool, so thanks in advance for those who will read
  this e-mail and may help me with my doubts.
 
  1. Why doesn't passwd ask superuser's current password when it's run
  by the superuser to change its own password? May not it be considered
  a serious security flaw?

 Oh come on.  Are you serious?  Why ask for the old password when that
 same user can just rm -rf /

Besides, by the time you get root, you already have complete control
of the system. Do you really need to be protected from the attacker
doing something that will only nag, since the system is compromised
already?




Re: Doubts about OpenBSD security.

2006-06-21 Thread John R. Shannon

João Salvatti wrote:

My doubts may seem fool, so thanks in advance for those who will read
this e-mail and may help me with my doubts.

1. Why doesn't passwd ask superuser's current password when it's run
by the superuser to change its own password? May not it be considered
a serious security flaw?


This would not really improve security. Given access as root, an 
attacker could simply delete the master password file and create a new 
one to effect the same thing.





2. Why doesn't the system ask the password, as a default action, to
log in the system, when entering in single user mode? May not it also
be considered a serious security flaw? And why doesn't exist a
different password to log in single user mode, instead of using root's
password?


The /etc/ttys file controls this. The console may be either secure or 
insecure. If the console is secure then physical access controls are 
assumed. If insecure, password authentication is required.


Physically secure siting of the computer is necessary. Otherwise, for 
example, the disk could be removed, modified, and replaced. The question 
is whether or not the console is also physically secured.


--
John R. Shannon
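
As an added example (not from the thread), here is the check a practitioner would run to see which of the two cases John describes applies to a host: it reports whether the console entry in a ttys(5) file carries the secure flag. The sample ttys lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread: audit the console entry of a
# ttys(5) file.  On OpenBSD, init(8) only asks for the root password in
# single-user mode when the console is NOT marked "secure".
# Usage: console_status /etc/ttys   -> prints secure | insecure | missing

console_status() {
    # $1: path to a ttys(5) file
    awk '
        { sub(/#.*/, "") }                      # drop comments first
        $1 == "console" {
            status = "insecure"                 # no flag means insecure
            for (i = 2; i <= NF; i++)
                if ($i == "secure") status = "secure"
            print status
            found = 1
            exit                                # first console entry wins
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Write a constructed ttys(5) sample to the file named in $1; $2 is the
# flag column for the console line ("secure" or empty).
write_sample_ttys() {
    cat > "$1" <<EOF
# constructed sample, not a real /etc/ttys
console "/usr/libexec/getty std.9600"   vt220   off $2   # the console
ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
tty00   "/usr/libexec/getty std.9600"   unknown off
EOF
}

# Demo when run directly: check both constructed variants, then the live
# file if it is readable.
main() {
    tmp=$(mktemp) || exit 1
    write_sample_ttys "$tmp" secure
    echo "sample (secure flag): $(console_status "$tmp")"
    write_sample_ttys "$tmp" ""
    echo "sample (no flag):     $(console_status "$tmp")"
    rm -f "$tmp"
    if [ -r /etc/ttys ]; then
        echo "this host's console:  $(console_status /etc/ttys)"
    fi
}

main "$@"
```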



Re: ifconfig -l feature

2006-06-21 Thread Theo de Raadt
 You are a joke

No, the only people who are jokes around here are those who don't help
improve things.  Some think they can go further, and are complete assholes.

Can we please focus on technology improvements?



Re: Doubts about OpenBSD security.

2006-06-21 Thread Peter Landry
I think that when you've given an attacker physical access to a machine with a 
root session open, there's not a whole lot OpenBSD (or any OS) can do... The 
attacker could also, with physical access, attach a keystroke logger, unplug your 
machine, or any number of other bad/humorous things I'm not clever enough to 
think of -- no matter what OS is running on the system.

Hope that allays some of your fears regarding OpenBSD in particular...

Peter L.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of João Salvatti
Sent: Wednesday, June 21, 2006 1:23 PM
To: Misc OpenBSD
Subject: Doubts about OpenBSD security.

My doubts may seem fool, so thanks in advance for those who will read
this e-mail and may help me with my doubts.

1. Why doesn't passwd ask superuser's current password when it's run
by the superuser to change its own password? May not it be considered
a serious security flaw?

2. Why doesn't the system ask the password, as a default action, to
log in the system, when entering in single user mode? May not it also
be considered a serious security flaw? And why doesn't exist a
different password to log in single user mode, instead of using root's
password?

A real example:

Let's suppose an attacker entered the room where an OpenBSD server is
located in, and by mistake the system administrator has forgotten to
logout the root login session. So the attacker could enter in single
user mode, without the need for the root password, and load a
malicious kernel module. He also could do millions of other things,
but changing root's password, because the system administrator would
notice it immediately.
I believe it could be more difficult for the attacker if there were a
different password to log in the system in single user mode.

Thanks for the time wasted reading this e-mail and I'm sorry if my
questions are too silly.

-- 
João Salvatti
Undergraduate in Computer Science
Federal University of Para - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]



Re: ifconfig -l feature

2006-06-21 Thread Douglas Santos
On Wed, 2006-06-21 at 15:12 -0300, Douglas Santos wrote:
 On Wed, 2006-06-21 at 10:15 -0300, Pedro Martelletto wrote:
  please add a -p too, that would make the output be in pink
  
  and a -b to blink while at it
  
  you know, it's hard to script that
 
 You are a joke Pedro Martelletto.
 
 I remember you, other day, asking for a stupid howto for squid,
 and others stupid things.
 
 So, how do you prefer we call you ?
 Pedro Bastos [1] ?
 Pedro M de A Bastos [2] ?
 Pedro Marteleto de Alvarenga Bastos [3] ?
 Pedro Martelletto [4] ?
 
 I think we need: ifconfig -truth
 Show me the truth, no more lies here.
 
 [1] http://marc.theaimsgroup.com/?l=openbsd-misc&m=96173811200916&w=2
 [2] http://marc.theaimsgroup.com/?l=openbsd-misc&m=99534253611414&w=2
 [3] http://marc.theaimsgroup.com/?l=openbsd-misc&m=102181894418315&w=2
 [4] http://marc.theaimsgroup.com/?l=openbsd-misc&m=108048785313517&w=2
 
 --
 I was wondering if anybody could tell me where can I find a how-to or
 how to (duh) make an OpenBSD box running squid act as a transparent
 proxy ?
 - Pedro Martel[l]et[t]o [de Alvarenga Bastos],
  aka Mister the Truth,
 OpenBSD Developer since Pedro Marttelleto.

Oops, wrong list. I mean tech@



Re: Opinion of MySQL 5.xx on OpenBSD 3.9...

2006-06-21 Thread Daniel Ouellet

Frank Bax wrote:
Actually, the option is really --disable-keys.  The --opt option is just 
a shorthand for several options (including --disable-keys).



There is more as well and refer to the man page for all the details:

http://dev.mysql.com/doc/refman/5.0/en/mysqldump.html

The --opt

Doesn't only do the disable keys but the following as well:

Quote: "This option is shorthand; it is the same as specifying 
--add-drop-table --add-locks --create-options --disable-keys 
--extended-insert --lock-tables --quick --set-charset. It should give 
you a fast dump operation and produce a dump file that can be reloaded 
into a MySQL server quickly."


One very nice and quicker import is also the extended-insert; use 
compress if you do it between two servers as well. The dump with lock will 
also speed up your dump, and locking the table when you insert if your 
database is live is also a good thing, etc.


Obviously you use it as you see fit and the options you want, but if you 
do want to get the maximum efficiency, use the --opt, not only the 
--disable-keys. I offer it as a suggestion, but if you want to help the 
users that will do this, let them use the proper feature to do this and 
also let them read the mysqldump man page to see what else they may see fit.


The observation was on speed of import, and using the --opt instead of 
just the --disable-keys will be more efficient, especially if you do have 
a lot of entries. Even more, you can speed this up further by increasing 
the max_allowed_packet in mysql_dump as well as in the mysqld sections, 
or your extended-insert will stop in the import mode if your dump is 
much bigger than your mysqld setup and you do have many records in tables.


Anyway, there is more than this, but that's not the list to talk about 
all of it.


In any case, it would be nice if you do not provide wrong information to 
correct proper one. Just my $0.02 worth.


Saying "the option is really --disable-keys" will not give you the full 
benefit, but that's left for the reader.


Your suggestion will only add problems and delays in import on a live 
system that may already have data on it and got corrupted data in one 
database or table that you need to restore quickly, or worse, multiple 
tables if the mysqlcheck can't fix it.


I don't know about you, but if I restore database from dump, I hell sure 
want to start with empty tables and database first.


So, the --opt will also add as well --add-drop-table --add-locks 
--create-options in your dump making your restore even more painless 
and quicker as well.


But again, do it as you see fit. You do not have to do it the way I 
suggest by any means, but don't cut it short for some users that may not 
have tested their restore scenario and think what they may do is good 
for them and when they will need it, that time, they will be stuck.


Best,

Daniel



Re: Doubts about OpenBSD security.

2006-06-21 Thread Don Boling
Wouldn't this be the main reason to use sudo?

On 6/21/06, João Salvatti [EMAIL PROTECTED] wrote:

 Thanks for all.


 On 6/21/06, Peter Landry [EMAIL PROTECTED] wrote:
  I think that when you've given an attacker physical access to a machine
 with a root session open, there's not a whole lot OpenBSD (or any OS) can
 do... The attacker could also, with physical access, attach a keystroke logger,
 unplug your machine, or any number of other bad/humorous things I'm not
 clever enough to think of -- no matter what OS is running on the system.
 
  Hope that allays some of your fears regarding OpenBSD in particular...
 
  Peter L.
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
 Of João Salvatti
  Sent: Wednesday, June 21, 2006 1:23 PM
  To: Misc OpenBSD
  Subject: Doubts about OpenBSD security.
 
  My doubts may seem fool, so thanks in advance for those who will read
  this e-mail and may help me with my doubts.
 
  1. Why doesn't passwd ask superuser's current password when it's run
  by the superuser to change its own password? May not it be considered
  a serious security flaw?
 
  2. Why doesn't the system ask the password, as a default action, to
  log in the system, when entering in single user mode? May not it also
  be considered a serious security flaw? And why doesn't exist a
  different password to log in single user mode, instead of using root's
  password?
 
  A real example:
 
  Let's suppose an attacker entered the room where an OpenBSD server is
  located in, and by mistake the system administrator has forgotten to
  logout the root login session. So the attacker could enter in single
  user mode, without the need for the root password, and load a
  malicious kernel module. He also could do millions of other things,
  but changing root's password, because the system administrator would
  notice it immediately.
  I believe it could be more difficult for the attacker if there were a
  different password to log in the system in single user mode.
 
  Thanks for the time wasted reading this e-mail and I'm sorry if my
  questions are too silly.
 
  --
  João Salvatti
  Undergraduate in Computer Science
  Federal University of Para - UFPA
  web: http://www.openbsd-pa.org
  e-mail: [EMAIL PROTECTED]
 
 
 


 --
 João Salvatti
 Undergraduate in Computer Science
 Federal University of Para - UFPA
 web: http://www.openbsd-pa.org
 e-mail: [EMAIL PROTECTED]



Netgear FA311v1: sis0: watchdog timeout with 3.9

2006-06-21 Thread Martin Schröder

Hi,
since upgrading from 3.8 to 3.9, my firewall (which has one Netgear
FA311v1) from time to time spews this:

May 31 13:46:33 gryphon /bsd: sis0: watchdog timeout
Jun  2 20:31:11 gryphon /bsd: sis0: watchdog timeout
Jun  2 22:25:12 gryphon /bsd: sis0: watchdog timeout
Jun  3 15:40:17 gryphon /bsd: sis0: watchdog timeout
Jun  6 11:55:47 gryphon /bsd: sis0: watchdog timeout
Jun  7 17:32:55 gryphon /bsd: sis0: watchdog timeout
Jun  7 19:51:59 gryphon /bsd: sis0: watchdog timeout
Jun 15 15:43:57 gryphon /bsd: sis0: watchdog timeout
Jun 20 13:05:19 gryphon /bsd: sis0: watchdog timeout

I haven't noticed any other problems and since swapped the card with
another FA311v1 (bought at the same time, but a different board
revision :-() without success. The machine had been running 3.8
without these messages for some months, and I upgraded to 3.9 on
05-29, so I'm reasonably sure that the cards are not the problem.

Have there been any changes in the sis driver that cause these
messages to appear in 3.9 but not 3.8? And do I have to be worried or
is it a driver bug?

Here's the ob dmesg:

OpenBSD 3.9-stable (GENERIC) #0: Sun May 28 22:13:18 CEST 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD-K6(tm) 3D+ Processor (AuthenticAMD 586-class) 401 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
real mem  = 133799936 (130664K)
avail mem = 115363840 (112660K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(12) BIOS, date 04/12/00, BIOS32 rev. 0 @ 0xfb380
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xb808
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdde0/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C598 PCI rev 0x04
ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 VIA VT82C596A ISA rev 0x23
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x10: ATA66,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: ST340016A
wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
pciide0:1:0: device timeout waiting to send SCSI packet
cd0 at scsibus0 targ 0 lun 0: BCD 24XM, CD-ROM, U2.1 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x11: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
VIA VT82C596 Power rev 0x30 at pci0 dev 7 function 3 not configured
vga1 at pci0 dev 18 function 0 Cirrus Logic CL-GD5434-8 rev 0xf9
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
sis0 at pci0 dev 19 function 0 NS DP83815 10/100 rev 0x00, DP83815D:
irq 10, address 00:40:f4:51:4b:43
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
rl0 at pci0 dev 20 function 0 Realtek 8139 rev 0x10: irq 12, address
00:14:6c:76:32:32
rlphy0 at rl0 phy 0: RTL internal PHY
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask eb65 netmask ff65 ttymask ffe7
pctr: user-level cycle counter enabled
mtrr: K6-family MTRR support (2 registers)
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
/var/squid: optimization changed from TIME to SPACE
sis0: watchdog timeout
sis0: watchdog timeout

Best
   Martin



Re: ifconfig -l feature

2006-06-21 Thread Dries Schellekens

Douglas Santos wrote:


You are a joke Pedro Martelletto.


You are the person adding a stupid extra flag to ifconfig, while Pedro 
is working on very useful stuff like VFS and file system support.



Cheers,

Dries



OT: Notebook explosion (DELL)

2006-06-21 Thread sebastian . rother
Because I know some peoples here own DELL Notebooks:

It happened that such a notebook exploded.
The little story is available at The Inquirer:

http://www.theinquirer.net/?article=32550

Would be very bad if such stuff would happen if you've got ya Notebook on ya
knees or so...

Kind regards,
Sebastian



/etc/resolv.conf.tail

2006-06-21 Thread Peter Philipp
Hi,

This is not really worth the bug report; I'm thinking a template file of
/etc/resolv.conf.tail in the default system would be a great thing.  This
file is used by the dhclient script, here is a sample:


# /etc/resolv.conf.tail is appended to /etc/resolv.conf by dhclient script.
# A sample entry would look like this...
lookup file bind

---

This file is appended to /etc/resolv.conf which is built by the dhclient
program when it receives nameserver information from the DHCP server.  I
believe it's better that hosts like localhost are forced to look into 
/etc/hosts than use DNS, don't you?

Cheers,

-peter



Re: Configuring pppoe during installation?

2006-06-21 Thread sebastian . rother
 I don't like this idea.  I think it is the wrong assumption that most
 machines run PPPoE.  The folks that use this can easily update the
 appropriate
 files after the initial install is complete.

It's the same assumption as asking the guy who installs OpenBSD if he
wanna use dhcp. :-)

I won't start a fight, I just said it would be neat (and maybe helpful
for people coming from Linux where they were asked during install if
they wanna configure pppoe). :-)

But I understand your criticism.
I just don't think enabling this in the installer would cost so much
space. :)

Kind regards,
Sebastian



Re: Doubts about OpenBSD security.

2006-06-21 Thread shanejp
Quoting Jared Solomon [EMAIL PROTECTED]:

 That's why I always hardware hack my servers with a fragmentation
 grenade.  And, for good measure, anti-personnel mines underneath the
 raised flooring.

I prefer to have the doors automatically locked and then have the halon 
deployed.

Much cleaner.  ; )







Re: OT: Notebook explosion (DELL)

2006-06-21 Thread Timo Schoeler

thus [EMAIL PROTECTED] spake:

Because I know some peoples here own DELL Notebooks:

It happened that such a notebook exploded.
The little story is available at The Inquirer:

http://www.theinquirer.net/?article=32550

Would be very bad if such stuff would happen if you've got ya Notebook on ya
knees or so...

Kind regards,
Sebastian


apple notebooks catch fire on a regular basis or burn your lap due to 
the *cough* very efficient Core Duo (TM) architecture *cough*.


:)



Re: Configuring pppoe during installation?

2006-06-21 Thread Marco Peereboom
On Wed, Jun 21, 2006 at 09:03:43PM +0200, [EMAIL PROTECTED] wrote:
  I don't like this idea.  I think it is the wrong assumption that most
  machines run PPPoE.  The folks that use this can easily update the
  appropriate
  files after the initial install is complete.
 
 It's the same assumption as asking the guy who installs OpenBSD if he
 wanna use dhcp. :-)

It is safe to assume people want network functionality.  Your arguments are, as
usual, not thought through.



XF4 Patches (Again) :(

2006-06-21 Thread Jack J. Woehr
Okay, I read the threads on misc@ and I'm still confused.

The XF4 patch (3_9.002) says:

Apply by doing:
cd /usr/src/XF4
patch -p0 < 002_xorg.patch

The website (http://openbsd.org/anoncvs.html) says:

 # cd /usr
 # tar xzf XF4.tar.gz

which puts XF4 in /usr/XF4

Should I make a link to X4 in /usr/src or just build in /usr/X4?

Thanks (before I screw up my system).



How to pass mount protocol traffic (mountd/NFS) using pf?

2006-06-21 Thread Clint Pachl

Because portmap(8) dynamically assigns the mountd(8) port, how would
one write a pass rule in pf for mountd(8) traffic? My problem is that
every time mountd(8) is re/started, it operates on a different port and
my fixed pf rules block the mount protocol and, consequently, my
clients cannot mount an NFS share.

I read through RFC1094 "NFS: Network File System Protocol
Specification" and RFC1057 "RPC: Remote Procedure Call Protocol
Specification" looking for ways to statically bind the mount protocol
to a port number. It doesn't look possible.

-pachl
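
One defender-side way to keep pf in step with whatever port portmap hands mountd, as an added example (not from the thread and not an OpenBSD tool): parse `rpcinfo -p` for RPC program 100005 (mountd) and regenerate pass rules in a dedicated anchor each time mountd is restarted. The interface name, anchor name, client table and the rpcinfo output below are all constructed or assumed.

```shell
#!/bin/sh
# Added example, not part of the thread: derive pf pass rules for mountd
# from the ports portmap(8) currently advertises for RPC program 100005.
# Assumptions (not from the thread): pf.conf already has static rules for
# portmap (111) and nfsd (2049) and carries
#     table <nfs_clients> { 192.168.1.0/24 }
#     anchor "nfs"
# and reload_nfs_anchor is run whenever mountd(8) is (re)started.

# Constructed rpcinfo -p output; real output has the same columns.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    741  mountd
    100005    3   udp    741  mountd
    100005    1   tcp    822  mountd
    100005    3   tcp    822  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs'

# stdin: rpcinfo -p output.  stdout: unique "proto port" pairs for mountd.
# The header line is skipped because its first field is not 100005.
mountd_ports() {
    awk '$1 == "100005" && NF >= 4 { print $3, $4 }' | sort -u
}

# $1: external interface, $2: pf table of allowed clients.
# stdin: rpcinfo -p output.  stdout: pf rules for the nfs anchor.
mountd_pass_rules() {
    mountd_ports | while read -r proto port; do
        # Only the ports mountd holds right now, only from known clients;
        # "quick" so nothing later in the anchor overrides the match.
        printf 'pass in quick on %s proto %s from <%s> to (%s) port %s\n' \
            "$1" "$proto" "$2" "$1" "$port"
    done
}

# Replace the contents of the "nfs" anchor on a live system.
# $1: external interface.  Requires root; not run by the demo below.
reload_nfs_anchor() {
    rpcinfo -p localhost | mountd_pass_rules "$1" nfs_clients | pfctl -a nfs -f -
}

# Demo with the constructed sample when run directly.
printf '%s\n' "$SAMPLE_RPCINFO" | mountd_pass_rules em0 nfs_clients
```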



Re: Curious on NAT traversal possibility on PF

2006-06-21 Thread Daniel Ouellet

Nick Guenther wrote:

On 6/13/06, Stuart Henderson [EMAIL PROTECTED] wrote:

On 2006/06/13 22:07, Nick Guenther wrote:
 What is the prefered method for NAT-traversal these days? The options
 I know are:
 UPnP


I suppose this one doesn't work unless the protocol bends well to it,
and both ends support it too, which means running clunky XML and HTTP
code.


Sorry that it took so long to answer back. Got very busy.

Anyway, there are many different ways suggested so far to do this.

The current proposals are:
* Universal Plug and Play (UPnP)
* Simple Traversal of UDP Through Network Address Translation devices (STUN)

* Application Layer Gateway
* Manual Configuration
* Tunnel Techniques
* Automatic Channel Mapping
Some interesting reading is available here:

http://www.newport-networks.com/whitepapers/nat-traversal1.html
http://www.ietf.org/rfc/rfc3489.txt
http://www.voip-info.org/wiki-STUN

Looks like the one that is used the most is the STUN server, but that 
doesn't cover all possibilities.



 a proxy
 having the in-kernel NAT code do the work itself

Look at how /usr/sbin/ftp-proxy works with anchors - it's a nice
hybrid, keeping L7 work out of the kernel, and bulk-packet-shifting
out of userland.


Ah, thank you! That makes for a lot of reading up to do.

Skimming the code it seems that there's a lot of framework-code shoved
in alongside the proxying, is that right?


I guess my questions are more on the design side of it. I would think 
that having it part of PF was still the best way, but maybe not. I am 
not saying I understand all of this to see the benefit of it other than 
having a great piece of software working very well already and building 
upon that.


Maybe, to put a STUN server together, it may well be much better to do 
it the ftp-proxy way and tie it to PF.


But then even having a great STUN server proxy wouldn't cover all 
possibilities.


Any feedback as to the pros and cons of having STUN stand alone, in PF, 
or like ftp-proxy tied to PF?


What might be the best approaches here to follow, and the least likely to 
rewrite what's already done in PF while at the same time taking advantage 
of the current design?


Is the STUN approach still the best one, and the one that should be 
the start of this NAT traversal for SIP VoIP solutions, even knowing the 
limitations of it at this time?


Any thoughts on a better idea or angle to take on this?

I am looking for some feedback on good/bad or pitfalls not to follow.

I learned a long time ago from OpenBSD that simpler is better, so I am 
really looking for the simplest way to do this, and feedback on it 
would be greatly appreciated too!


Thanks

Daniel



Re: Netgear FA311v1: sis0: watchdog timeout with 3.9

2006-06-21 Thread Maxim Bourmistrov
You are not alone with watchdog timeouts on sis (sis0 at pci0 dev 4 function 0 
SiS 900 10/100BaseTX rev 0x91).
For now I switched to fxp.

On Wednesday 21 June 2006 20:49, Martin Schröder wrote:
 Hi,
 since upgrading from 3.8 to 3.9, my firewall (which has one Netgear
 FA311v1) from time to time spews this:
 
 May 31 13:46:33 gryphon /bsd: sis0: watchdog timeout
 Jun  2 20:31:11 gryphon /bsd: sis0: watchdog timeout
 Jun  2 22:25:12 gryphon /bsd: sis0: watchdog timeout
 Jun  3 15:40:17 gryphon /bsd: sis0: watchdog timeout
 Jun  6 11:55:47 gryphon /bsd: sis0: watchdog timeout
 Jun  7 17:32:55 gryphon /bsd: sis0: watchdog timeout
 Jun  7 19:51:59 gryphon /bsd: sis0: watchdog timeout
 Jun 15 15:43:57 gryphon /bsd: sis0: watchdog timeout
 Jun 20 13:05:19 gryphon /bsd: sis0: watchdog timeout
 
 I haven't noticed any other problems and since swapped the card with
 another FA311v1 (bought at the same time, but a different board
 revision :-() without success. The machine had been running 3.8
 without these messages for some months, and I upgraded to 3.9 on
 05-29, so I'm reasonably sure that the cards are not the problem.
 
 Have there been any changes in the sis driver that cause these
 messages to appear in 3.9 but not 3.8? And do I have to be worried or
 is it a driver bug?
 
 Here's the ob dmesg:
 
 OpenBSD 3.9-stable (GENERIC) #0: Sun May 28 22:13:18 CEST 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: AMD-K6(tm) 3D+ Processor (AuthenticAMD 586-class) 401 MHz
 cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,PGE,MMX
 real mem  = 133799936 (130664K)
 avail mem = 115363840 (112660K)
 using 1658 buffers containing 6791168 bytes (6632K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+(12) BIOS, date 04/12/00, BIOS32 rev. 0 @ 0xfb380
 apm0 at bios0: Power Management spec V1.2
 apm0: AC on, battery charge unknown
 apm0: flags 70102 dobusy 1 doidle 1
 pcibios0 at bios0: rev 2.1 @ 0xf/0xb808
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdde0/144 (7 entries)
 pcibios0: PCI Exclusive IRQs: 10 11 12
 pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
 pcibios0: PCI bus #1 is the last bus
 bios0: ROM list: 0xc/0x8000
 cpu0 at mainbus0
 pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
 pchb0 at pci0 dev 0 function 0 VIA VT82C598 PCI rev 0x04
 ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00
 pci1 at ppb0 bus 1
 pcib0 at pci0 dev 7 function 0 VIA VT82C596A ISA rev 0x23
 pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x10: ATA66,
 channel 0 configured to compatibility, channel 1 configured to
 compatibility
 wd0 at pciide0 channel 0 drive 0: ST340016A
 wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
 wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
 atapiscsi0 at pciide0 channel 1 drive 0
 scsibus0 at atapiscsi0: 2 targets
 pciide0:1:0: device timeout waiting to send SCSI packet
 cd0 at scsibus0 targ 0 lun 0: BCD 24XM, CD-ROM, U2.1 SCSI0 5/cdrom removable
 cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
 uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x11: irq 11
 usb0 at uhci0: USB revision 1.0
 uhub0 at usb0
 uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
 uhub0: 2 ports with 2 removable, self powered
 VIA VT82C596 Power rev 0x30 at pci0 dev 7 function 3 not configured
 vga1 at pci0 dev 18 function 0 Cirrus Logic CL-GD5434-8 rev 0xf9
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 sis0 at pci0 dev 19 function 0 NS DP83815 10/100 rev 0x00, DP83815D:
 irq 10, address 00:40:f4:51:4b:43
 nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
 rl0 at pci0 dev 20 function 0 Realtek 8139 rev 0x10: irq 12, address
 00:14:6c:76:32:32
 rlphy0 at rl0 phy 0: RTL internal PHY
 isa0 at pcib0
 isadma0 at isa0
 pckbc0 at isa0 port 0x60/5
 pckbd0 at pckbc0 (kbd slot)
 pckbc0: using irq 1 for kbd slot
 wskbd0 at pckbd0: console keyboard, using wsdisplay0
 pcppi0 at isa0 port 0x61
 midi0 at pcppi0: PC speaker
 spkr0 at pcppi0
 lpt0 at isa0 port 0x378/4 irq 7
 npx0 at isa0 port 0xf0/16: using exception 16
 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
 pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
 fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
 biomask eb65 netmask ff65 ttymask ffe7
 pctr: user-level cycle counter enabled
 mtrr: K6-family MTRR support (2 registers)
 dkcsum: wd0 matches BIOS drive 0x80
 root on wd0a
 rootdev=0x0 rrootdev=0x300 rawdev=0x302
 /var/squid: optimization changed from TIME to SPACE
 sis0: watchdog timeout
 sis0: watchdog timeout
 
 Best
 Martin



Re: Doubts about OpenBSD security.

2006-06-21 Thread Craig Skinner
On Wed, Jun 21, 2006 at 11:54:37AM -0600, Bob Beck wrote:
 
   IMNSHO, a root password for single user makes the system *LESS*
 secure, and I'm dead serious. I would object to any attempt to commit
 changes to OpenBSD to have one by default. Why? Real simple: *because
 you asked this question*. - Now I'm not just crapping on you, every
 new sysadmin I know asks this. The point is, if OpenBSD put a root
 password on single user, you might be tempted to think that somehow,
 someway, a not-physically secured machine was secure, and be tempted
 to deploy it that way.

For those that don't know, many Linux distros do require a password for
single user mode, so this question will be asked again by many people
migrating to OpenBSD.

As an example of physical security, when I was a lowly tech support
operator at an ISP and worked alone in the data centre at weekends, I
got into the habit of hitting the w key whenever I logged onto a box
via ssh. One day I found that the technical director had logged onto the
4th console of a server as himself, then su'd to root, then went home.

Naturally, I hooked the keyboard back up, got the 4th console and played
about for a few hours, reading his mail, etc, etc.

Oh, those were the days..

Cheers,
-- 
Craig Skinner | http://www.kepax.co.uk | [EMAIL PROTECTED]



Re: Trouble with Cisco Aironet 350 (PCM352)

2006-06-21 Thread Laurens Vets

Matt Van Mater wrote:

I ran into a very similar (maybe same) problem here:
http://marc.theaimsgroup.com/?l=openbsd-miscm=113236417207016w=2

I have not found a solution to my problem yet unfortunately.  One
thing I noticed is that my an0 card worked just fine in 3.7 and 3.8
broke it, you might want to verify if that is the case with you as
well.

Another thing I noticed is that the an0 card gets a dhcp address and
works properly during the initial install via cd or the ram disk off
of a floppy, but stops working upon first reboot.


I have noticed the exact same problem as the link above.  Card worked 
with OpenBSD 3.7.  I did an upgrade from 3.7 -> 3.8 -> 3.9 following the 
OpenBSD upgrade guides.
After the upgrade to 3.8, I also saw the error "an0: failed to enable 
MAC", but wifi access still worked.  After the upgrade to 3.9, I got the 
following in my dmesg at startup:


an0 at pcmcia1 function 0 Cisco Systems, 350 Series Wireless LAN Adapter
an0: record buffer is too small, rid=ff00, size=198, len=258
an0: read caps failed
an0: failed to attach controller

I also do not see the an0 device anymore with ifconfig -a, probably 
because of the "failed to attach controller" message.


I am unable to transfer a full dmesg from this laptop at the moment. 
Wifi access was the only network connection...


The laptop itself is a Dell Latitude CPt (Celeron 330 MHz, 256 RAM, 10 
GB HD...) which closely resembles the laptop in the URL above.


Kind regards,
Laurens



Re: VIA C7 hardware AES support in IPSEC(ctl)

2006-06-21 Thread Bihlmaier Andreas
On Wed, Jun 21, 2006 at 06:49:09PM +0200, Dries Schellekens wrote:
 Bihlmaier Andreas wrote:
 
 I use iperf -w 256k for testing purposes.
 The speed between hosts/router using their real IPs (-B 10.0.0.*) is
 about 70-80 Mb/s.
 
 ~22 Mb/s between host1 and host2 using their VPN IPs.
 
 Hope this made some stuff more clear.
 
 Thanks everyone for helping, I hope this can be fixed.
 
 What speed do you get when using ssh/sftp?

direct scp (without vpn):
100%   86MB   6.6MB/s   00:13

via vpn:
100%   86MB   2.9MB/s   00:30

You can disable the userland support of the hardware accelerator using
sysctl kern.usercrypto=0 to see if it makes a big difference.

Well, it does make a huge difference for openssl speed, but none for
IPSEC:

kern.usercrypto=0
aes-128-cbc  16509.92k18243.74k18760.55k18931.63k 18977.59k

kern.usercrypto=1
aes-128-cbc  51475.06k   184199.05k   497290.91k   831042.14k 1033285.89k

Regards,
ahb



Re: XF4 Patches (Again) :(

2006-06-21 Thread Ted Unangst

it doesn't matter.  you can drop XF4 anywhere that's convenient.  just
follow simple instructions in release(8) and it works.

On 6/21/06, Jack J. Woehr [EMAIL PROTECTED] wrote:

Okay, I read the threads on misc@ and I'm still confused.

The XF4 patch (3_9.002) says:

Apply by doing:
   cd /usr/src/XF4
   patch -p0 < 002_xorg.patch

The website (http://openbsd.org/anoncvs.html) says:

# cd /usr
# tar xzf XF4.tar.gz

which puts XF4 in /usr/XF4

Should I make a link to X4 in /usr/src or just build in /usr/X4?

Thanks (before I screw up my system).




Re: XF4 Patches (Again) :(

2006-06-21 Thread Tobias Weisserth

Hi,

I asked exactly the same question a couple of weeks ago, by the time  
the patch was released. You should be able to find the answers to  
your question in the archives ;-)


kind regards,
Tobias W.

On Jun 21, 2006, at 10:56 PM, Jack J. Woehr wrote:


Okay, I read the threads on misc@ and I'm still confused.

The XF4 patch (3_9.002) says:

Apply by doing:
cd /usr/src/XF4
patch -p0 < 002_xorg.patch

The website (http://openbsd.org/anoncvs.html) says:

 # cd /usr
 # tar xzf XF4.tar.gz

which puts XF4 in /usr/XF4

Should I make a link to X4 in /usr/src or just build in /usr/X4?

Thanks (before I screw up my system).




Re: XF4 Patches (Again) :(

2006-06-21 Thread Jack J. Woehr
On Jun 21, 2006, at 3:44 PM, Ted Unangst wrote:

 it doesn't matter.  you can drop XF4 anywhere that's convenient.  just
 follow simple instructions in release(8) and it works.

Thanks, Ted. From release(8):

$ cd XF4SRC && cvs up -r TAG -Pd

Is the revision tag for XF4 the same as the corresponding OpenBSD
release (in this case OPENBSD_3_9)?

---
Jack J. Woehr
Director of Development
Absolute Performance, Inc.
[EMAIL PROTECTED]
303-443-7000 ext. 527



Re: Configuring pppoe during installation?

2006-06-21 Thread Chris Zakelj
[EMAIL PROTECTED] wrote:
 Would it be possible that the installer asks if you may want to use the NIC
 for pppoe connections and then maybe also asks for user/PW for the
 connection settings? :)

 In my opinion this little change may bring more usebillity
 (or how that's written...) and it would save some time which is needed to
 create a hostname.pppoe. :)

 I think that change for the installer is very small and may be
 useful too since OpenBSD can do kernel-pppoe.


 Kind regards,
 Sebastian
Sounds great in theory, but as Theo gently reminded me when I asked this
a year or two ago, there's only so much space on a single 1.44M floppy. 
Including even rudimentary PPPoE would crowd out other drivers and tools
that are much more useful during an install.



Re: VIA C7 hardware AES support in IPSEC(ctl)

2006-06-21 Thread Bihlmaier Andreas
On Wed, Jun 21, 2006 at 06:49:09PM +0200, Dries Schellekens wrote:
 Bihlmaier Andreas wrote:
 
 I use iperf -w 256k for testing purposes.
 The speed between hosts/router using their real IPs (-B 10.0.0.*) is
 about 70-80 Mb/s.
 
 ~22 Mb/s between host1 and host2 using their VPN IPs.
 
 Hope this made some stuff more clear.
 
 Thanks everyone for helping, I hope this can be fixed.
 

I found a post in misc@ from 2005 about somebody having a similar
problem with IPSEC and VIA hardware acceleration:
http://marc.theaimsgroup.com/?l=openbsd-miscm=112275803416870w=2

Could somebody official _PLEASE_ state if it is supposed to work, or
isn't? If it should there is a bug, if it doesn't that is bad, but at
least it would give me a definite ANSWER.

Sorry for bugging (with bugs),
ahb



Re: XF4 Patches (Again) :(

2006-06-21 Thread Ted Unangst

On 6/21/06, Jack J. Woehr [EMAIL PROTECTED] wrote:

  $ cd XF4SRC && cvs up -r TAG -Pd

Is the revision tag for XF4 the same as the corresponding OpenBSD release
(in this case OPENBSD_3_9)?


yes, all tags are matched.



Re: How to pass mount protocol traffic (mountd/NFS) using pf?

2006-06-21 Thread Theo de Raadt
 Because portmap(8) dynamically assigns the mountd(8) port, how would
 one write a pass rule in pf for mountd(8) traffic? My problem is that
 every time mountd(8) is re/started, it operates on a different port and
 my fixed pf rules block the mount protocol and, consequently, my
 clients cannot mount an NFS share.

I have looked into this in the past, to teach rudimentary RPC ->
UDP/TCP mapping support in the pf code, by having it talk to the
portmap.  But there are a whole lot of vile issues, and quite frankly
there is not much security to be gained from this.  You cannot really
provide any real security on a local net when doing RPC at the same
time.
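Since mountd(8) takes whatever port portmap hands it, one way to keep a pf rule in step with it is to regenerate a small anchor from the portmapper's current registrations whenever mountd is (re)started. The Python script below is an added example, not code from this thread or from OpenBSD: it parses `rpcinfo -p` output (a constructed sample is embedded; `live_rules()` runs the real command), and emits pass rules limited to the NFS client network for the portmapper, mountd and nfs ports. The anchor name `nfs`, the interface `sis0` and the client network are assumptions, as is loading the output with `pfctl -a nfs -f -` from whatever restarts mountd. It is a bookkeeping aid only; it does nothing about Theo's point that RPC on a shared LAN gives you little to build security on.

```python
import re
import subprocess
from collections import defaultdict

# Constructed sample of `rpcinfo -p` output on an OpenBSD NFS server
# (the mountd port numbers are made up; they change on every restart).
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    894  mountd
    100005    3   udp    894  mountd
    100005    1   tcp    974  mountd
    100005    3   tcp    974  mountd
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Map service name -> proto -> set of ports from `rpcinfo -p` output."""
    table = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or blank
        _prog, _vers, proto, port, name = m.groups()
        table[name][proto].add(int(port))
    return table


def pf_rules(table, ext_if, client_net,
             services=("portmapper", "mountd", "nfs")):
    """Build pass rules for the RPC services NFS needs, limited to client_net.

    Written in 3.9-era syntax (explicit keep state); intended to be loaded
    into its own anchor so the main ruleset stays untouched."""
    rules = ["# generated from rpcinfo -p; regenerate whenever mountd restarts"]
    for svc in services:
        if svc not in table:
            raise ValueError("%s is not registered with portmap" % svc)
        for proto in ("tcp", "udp"):
            for port in sorted(table[svc][proto]):
                state = "flags S/SA keep state" if proto == "tcp" else "keep state"
                rules.append("pass in quick on %s proto %s from %s to (%s) port %d %s"
                             % (ext_if, proto, client_net, ext_if, port, state))
    return rules


def live_rules(ext_if, client_net):
    """Same thing against the running portmapper (needs rpcinfo in PATH)."""
    out = subprocess.run(["rpcinfo", "-p"], capture_output=True, text=True,
                         check=True).stdout
    return pf_rules(parse_rpcinfo(out), ext_if, client_net)


if __name__ == "__main__":
    # Assumed deployment: pipe this into `pfctl -a nfs -f -` right after
    # mountd has been started; interface and client net are assumptions.
    print("\n".join(pf_rules(parse_rpcinfo(SAMPLE_RPCINFO),
                             "sis0", "192.168.1.0/24")))
```

The main ruleset still needs an `anchor "nfs"` line at the point where these rules should be evaluated; the script never touches the main rules, so a stale anchor only ever results in a mount failing, not in something unexpected being opened.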



Re: Chrooted sftp-server and /dev/null

2006-06-21 Thread Joshua Sandbrook
Can anyone help here?

I've played with fcntl's FD_CLOEXEC and whatnot... it was set to 0, and yeah...

If someone can help solve this mystery then there is one less file required in 
the chroot environment. A cleaner scponly shell :)

On Wednesday 21 June 2006 09:41, Joshua Sandbrook wrote:
 Gidday

 I'm writing a shell at the moment that chroots into a user's home dir and
 then runs only the sftp-server program (which is in the user's home dir).

 Anyway, it won't work unless /dev/null is present in the chroot...

 I am using execve to run sftp-server, and I am wondering if it has
 something to do with stdout / stdin / stderr fds being closed on execve?

 Can anyone help me here?

 Thanks,
   Josh
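On the /dev/null question, an added example (not Joshua's code): OpenSSH programs reopen closed standard descriptors on /dev/null when they start (the sanitise_stdfd() helper in OpenSSH's misc.c), and this example assumes sftp-server is doing exactly that inside the chroot. If the wrapper makes sure 0, 1 and 2 are open before chroot(), and closes every other descriptor that would be inherited across execve, the jailed program has no reason to open /dev/null and the node can stay out of the chroot. It is Python rather than C so it runs as a script; `run_in_chroot()` needs root to actually be used, and the two `demo_*` functions only exercise the descriptor checks.

```python
import errno
import fcntl
import os

STD_FDS = (0, 1, 2)


def fd_is_open(fd):
    """True if fd is an open descriptor; EBADF means it is closed."""
    try:
        fcntl.fcntl(fd, fcntl.F_GETFD)
        return True
    except OSError as e:
        if e.errno == errno.EBADF:
            return False
        raise


def sanitise_stdfds(devnull="/dev/null"):
    """Reopen any closed standard descriptor on /dev/null; return the fds fixed.

    Called before chroot(): once 0/1/2 are open, the jailed program has no
    reason to open /dev/null itself, so the node need not exist in the jail."""
    fixed = []
    for fd in STD_FDS:
        if fd_is_open(fd):
            continue
        nfd = os.open(devnull, os.O_RDWR)
        if nfd != fd:            # a lower fd was open; move the new one into place
            os.dup2(nfd, fd)
            os.close(nfd)
        fixed.append(fd)
    return fixed


def leaking_fds(max_fd=256):
    """Descriptors above 2 that would survive execve (FD_CLOEXEC not set)."""
    leaks = []
    for fd in range(3, max_fd):
        if fd_is_open(fd) and not fcntl.fcntl(fd, fcntl.F_GETFD) & fcntl.FD_CLOEXEC:
            leaks.append(fd)
    return leaks


def run_in_chroot(root, uid, gid, argv):
    """Jail, drop privileges, exec argv[0] (a path inside root); never returns."""
    sanitise_stdfds()
    for fd in leaking_fds():
        os.close(fd)             # nothing but 0/1/2 should reach the jailed program
    os.chroot(root)
    os.chdir("/")                # chroot() does not move the cwd by itself
    os.setgroups([gid])
    os.setgid(gid)
    os.setuid(uid)               # last: after this the process can no longer chroot()
    os.execv(argv[0], argv)


def demo_closed_detection():
    """fd_is_open() telling an open pipe end from a closed one."""
    r, w = os.pipe()
    os.close(w)
    result = (fd_is_open(r), fd_is_open(w))
    os.close(r)
    return result


def demo_cloexec():
    """Which pipe end would leak: the inheritable one, not the CLOEXEC one."""
    r, w = os.pipe()
    os.set_inheritable(r, True)   # clears FD_CLOEXEC (Python sets it by default)
    os.set_inheritable(w, False)
    leaks = leaking_fds()
    result = (r in leaks, w in leaks)
    os.close(r)
    os.close(w)
    return result
```

The ordering matters: the std fd fix and the close loop run while the wrapper can still open /dev/null, chroot() comes before the uid change because only root may call it, and chdir("/") is what actually stops the process referring back outside the new root.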



Re: sendmail question

2006-06-21 Thread Hugo Villeneuve
On Wed, Jun 21, 2006 at 07:22:28PM +0200, Peter Philipp wrote:
 Hi,
 
 I'm trying to modify my outgoing Message-Id, with my mailer MUA (mutt) I can 
 configure this.  However when I try to use mail(1) it does not update the 
 Message-Id, I read a bit in the source and it doesn't seem to be set in
 mail(1), and a ktrace shows that it pipes everything to sendmail directly.
 
 Here is what I stuck in my sendmail .mc file:
 
 define(`confMESSAGEID_HEADER', `[EMAIL PROTECTED]')dnl

Put that in submit.mc and recreate submit.cf.

Sendmail doesn't allow the rewriting of message-id, that rule is
used when one needs to be created.


-- 
Hugo Villeneuve [EMAIL PROTECTED]
http://EINTR.net/ 



Re: Configuring pppoe during installation?

2006-06-21 Thread sebastian . rother
 [EMAIL PROTECTED] wrote:
 Would it be possible that the installer asks if you may wanna use the
 NIC
 for pppoe-Connections and then maybe also asks for User/PW for the
 connection-settings? :)

 In my oppinion this little change may would maybe bring more
 usebillity
 (or how that`s written...) and it would save some time wich is needed to
 create a hostname.pppoe. :)

 I think that change for the installer is very small and may would be
 usefull too since OpenBSD can do kernel-pppoe.

I'm sorry, that's not what I meant.
I did not ask to include pppoe in the kernel but to provide a way to create a
configuration file.
So if somebody gets a CD, he simply installs, configures pppoe during
the install, reboots and hurray... he gets connected.

It's _not_ meant for installing over DSL lines (because I know the space is
limited). It was really just meant to provide a little more luxury.

So let me repeat: I did not ask to include pppoe in the little
  floppy image.
  But would it be possible to maybe let the installer create
  the config file needed for pppoe so that it is usable out
  of the box after the install (and the reboot) is done? :)

Sorry for the confusion.


Kind regards,
Sebastian



Re: Configuring pppoe during installation?

2006-06-21 Thread sebastian . rother
 On Wed, Jun 21, 2006 at 09:03:43PM +0200, [EMAIL PROTECTED]
 wrote:
  I don't like this idea.  I think it is the wrong assumption that
 most
  machines run PPPoE.  The folks that use this can easily update the
  appropriate
  files after the initial install is complete.

 It`s the same assumption like asking the guy who installs OpenBSd if he
 wanna use dhcp. :-)

 It is safe to assume people want network functionality.  Your arguments
 are, as
 usual, not thought through.

pppoe IS network stuff but you did not understand what I've requested.
I repeated (and rephrased) my request and hopefully this solves the
confusion.

I did not ask to add the pppoe code but to add a little mask into the
installer to create the hostname.pppoe.

Like:

Which device should be used for pppoe? [fxp0] :
pppoe protocol? [bla]:
User ID for pppoe: foo
Password for pppoe: bar
PPPoE successfully configured and usable after reboot

Just like:

Start sshd? [Yes]:

Is it such a heavy change?
You don't have ntfs code in the floppy kernels but I can still edit
/etc/fstab before the system reboots.
So I hope I pointed out what I think is maybe useful. :)

Kind regards,
Sebastian
-- 
Don't buy anything from YeongYang.
Their computer cases are expensive, their WTX power supplies start burning and
their support refuses any RMA even when there's still some warranty.



Scott Meenen Autoresponder

2006-06-21 Thread Scott Meenen N3SJH Autorespond
!---Begin [EMAIL PROTECTED] autoresponder--

Do you want it done right, fast or cheap? Pick two...

If you have been trying to use my services and I have been unresponsive, I 
have been helping a friend try to save his farm. Please click here to learn 
more. 
http://www.lifeprinciplestrust.org/page11.html

If you did not include a phone number with your message, please resend and 
include contact numbers.

Greetings. I use this email address for both business and personal uses so feel 
free to send me whatever information you wish.

You can reach us into the evening at 301-591-1646.

If you are waiting for service and sent an e-mail please follow it up with 
phone calls.

This informational autoresponder is automatically generated.

To avoid this autoresponder in the future set your mail filters to remove the 
words (Scott Meenen Autoresponder) in the subject line. Or send e-mail to 
[EMAIL PROTECTED] Which is an alias for toad.net

Because of gross abuse I ask that you do not send large images (over 500k) or 
.PDF files as attachments unless you ask permission first.

 If you cannot upload your images to the web and point to them then please do 
not send them as attachments.

If you have the choice of sending mail as HTML or plain text, please choose 
plain text.


 Scott Meenen


!---End [EMAIL PROTECTED] autoresponder--


Automatic Response Generated by ToadMail -- E-Mail @ ToadNet
ToadNet -- want to go fast? --  http://www.toad.net



Re: Configuring pppoe during installation?

2006-06-21 Thread Ted Unangst

On 6/21/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Like:

Which device should be used for pppoe? [fxp0] :
pppoe protocol? [bla]:
User ID for pppoe: foo
Password for pppoe: bar
PPPoE successfully configured and usable after reboot

Just like:

Start sshd? [Yes]:


how many people run sshd?  how many people use pppoe?

i use sshd, never pppoe.  adding more questions to the installer for
things most people don't want just annoys them.



Re: CVE-1999-0166 bug in NFS

2006-06-21 Thread Nick Guenther

On 6/21/06, Miod Vallat [EMAIL PROTECTED] wrote:

 I have installed OpenBSD 3.8. I exported a directory with
 /mnt/gamma -maproot=root 192.168.1.14

 line in /etc/exports

 Next I tested the server with Nessus vulnerability scanner and it found a
 hole in NFS:
[...]
 This seems like an old (1999) hole. Is there any patch for it or did I do
 anything wrong?

If /mnt/gamma is not a standalone filesystem, you are hitting the caveat
documented in the BUGS section of exports(5):

``   The export options are tied to the local mount points in the kernel and
 must be non-contradictory for any exported subdirectory of the local
 server mount point.  It is recommended that all exported directories
 within the same server filesystem be specified on adjacent lines going
 down the tree.  You cannot specify a hostname that is also the name of a
 netgroup.  Specifying the full domain specification for a hostname can
 normally circumvent the problem.''

i.e. by exporting /mnt/gamma, you are really exporting /mnt, hence the whole
/mnt filesystem is accessible via nfs, but you can't go up further.


Why is it like this though? Seems like if you tell it to export
/mnt/gamma you want it to export /mnt/gamma, not /mnt.

-Nick



Re: Configuring pppoe during installation?

2006-06-21 Thread Paul de Weerd
On Thu, Jun 22, 2006 at 01:03:33AM +0200, [EMAIL PROTECTED] wrote:
| I did not ask to add the pppoe code but to add a little mask into the
| installer to create the hostname.pppoe.
|
| Like:
|
| Which device should be used for pppoe? [fxp0] :
| pppoe protocol? [bla]:
| User ID for pppoe: foo
| Password for pppoe: bar
| PPPoE successfully configured and usable after reboot
|
| Just like:
|
| Start sshd? [Yes]:
|
| Is it such a heavy change?

It is quite intrusive and counter-intuitive. The installer asks
questions that are relevant to most installs. I wouldn't consider
pppoe to be relevant to most installs. ssh and ntpd *are* relevant to
most installs (IMO).

If we're adding pppoe support, why not gif ? vlan ? carp ? pfsync ?
trunk ? bridge ? A myriad of other networking devices ? How about
IPsec ?

| You don't have ntfs code in the floppy kernels but I can still edit
| /etc/fstab before the system reboots.

You can still edit /etc/hostname.pppoe0 before the system reboots.
Just like you can create similar files for your gif, vlan, carp,
pfsync, trunk, bridge and whatnot devices. Nothing is changed. Why
should pppoe be special cased ? Why should you be special cased ? I
want vlan(4) support in the installer, I want to be special cased.

Try to write a shell script that asks the questions you proposed and
generates a sane hostname.if file from the answers. See how large it
is. Try to fit it on the install media (1.44M *is* a tight fit). If it
works for you, post it here so others can use it if they so desire,
but I doubt it would get included.

OK, I admit .. you're quite a special case...

Cheers,

Paul 'WEiRD' de Weerd

--
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/

[demime 1.01d removed an attachment of type application/pgp-signature]
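Paul's suggestion, as an added example (not code from the thread, the installer or OpenBSD): a small Python routine that takes the four answers from Sebastian's mock-up and writes a hostname.pppoe0 in the layout of the pppoe(4) manual page example. Since the file carries the authkey it is created 0640 from the start, and the interface name and credentials are validated so that a quote or whitespace cannot break the line that /etc/netstart hands to ifconfig. The values fxp0/pap/foo/bar are the placeholders from the thread; `demo()` writes into a scratch directory rather than /etc.

```python
import os
import re
import tempfile

IFNAME_RE = re.compile(r"^[a-z]+[0-9]+$")      # e.g. fxp0, sis0
CRED_RE = re.compile(r"^[A-Za-z0-9@._\-+]+$")  # keeps the ifconfig line intact
AUTHPROTOS = ("pap", "chap")


def build_hostname_pppoe(dev, authproto, user, key):
    """Return the contents of /etc/hostname.pppoe0 for one PPPoE link.

    Layout follows the pppoe(4) example: an inet line carrying the pppoedev
    and authentication parameters, the peer's dummy address, and a default
    route via the pppoe interface."""
    if not IFNAME_RE.match(dev):
        raise ValueError("bad interface name: %r" % dev)
    if authproto not in AUTHPROTOS:
        raise ValueError("authproto must be one of %s" % (AUTHPROTOS,))
    for label, value in (("user", user), ("key", key)):
        if not CRED_RE.match(value):
            # quotes, whitespace or newlines here would corrupt the file
            raise ValueError("%s contains characters not allowed in hostname.if" % label)
    lines = [
        "inet 0.0.0.0 255.255.255.255 NONE \\",
        "    pppoedev %s authproto %s \\" % (dev, authproto),
        "    authname '%s' authkey '%s' up" % (user, key),
        "dest 0.0.0.1",
        "!/sbin/route add default -ifp pppoe0 0.0.0.1",
    ]
    return "\n".join(lines) + "\n"


def write_hostname_pppoe(path, content):
    """Create the file 0640 from the first byte (it holds the authkey) and
    return the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(path, 0o640)     # umask may have narrowed it; a pre-existing file may be wider
    return os.stat(path).st_mode & 0o777


def demo(dev="fxp0", authproto="pap", user="foo", key="bar"):
    """Write into a scratch directory (not /etc) and hand back what landed there.
    The defaults are the placeholder answers from the thread's mock-up."""
    content = build_hostname_pppoe(dev, authproto, user, key)
    path = os.path.join(tempfile.mkdtemp(), "hostname.pppoe0")
    mode = write_hostname_pppoe(path, content)
    with open(path) as f:
        return mode, f.read()


if __name__ == "__main__":
    mode, text = demo()
    print("mode %o" % mode)
    print(text, end="")
```

Whether it belongs on the floppy is a separate question, which is Paul's point; as a post-install helper it is a few lines and the only interesting parts are the validation and the file mode.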



Blade 1000/2000 still wanted for .nl

2006-06-21 Thread Theo de Raadt
We have found a blade 1000 for Jason in Washington DC (thanks) but
are still trying to find one for Mark Kettenis in the Netherlands.
If someone can help, please mail [EMAIL PROTECTED] and [EMAIL PROTECTED]

thanks.



Re: CVE-1999-0166 bug in NFS

2006-06-21 Thread Ted Unangst

On 6/21/06, Nick Guenther [EMAIL PROTECTED] wrote:

Why is it like this though? Seems like if you tell it to export
/mnt/gamma you want it to export /mnt/gamma, not /mnt.


because the only thing that identifies a file is a number.  every file
has a number.  guess the number, and now you can open the file.
assuming the entirety of any exported filesystem gets exported is
basic nfs best practice.

try searching for words like nfs filehandle spoofing guessing.
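Miod's quote from exports(5) and Ted's explanation of file handles give a concrete thing to audit: any path in /etc/exports that is not itself a mount point exposes the whole filesystem it sits on. The Python below is an added example, not OpenBSD's code. It reads `mount` output and an exports file (both constructed samples here, with the thread's /mnt/gamma line included) and reports every export whose containing filesystem is larger than the directory named.

```python
import os.path

# Constructed sample of `mount` output on an OpenBSD host.
SAMPLE_MOUNT = """\
/dev/wd0a on / type ffs (local)
/dev/wd0d on /usr type ffs (local, nodev)
/dev/wd0e on /mnt type ffs (local, nodev, nosuid)
/dev/wd0f on /mnt/beta type ffs (local, nodev, nosuid)
"""

# Constructed /etc/exports; the first entry is the one from the thread.
SAMPLE_EXPORTS = """\
# NFS exports
/mnt/gamma -maproot=root 192.168.1.14
/mnt/beta -ro 192.168.1.0/24
/usr/src /usr/obj -ro -network 192.168.1.0 -mask 255.255.255.0
"""


def parse_mount_points(text):
    """Mount points from `mount` output ('<dev> on <dir> type ...')."""
    points = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "on":
            points.add(parts[2])
    return points


def parse_exports(text):
    """Yield (directory, options_and_hosts) for each exported directory.

    exports(5) lines start with one or more absolute paths, followed by
    options and host specifications."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        dirs = []
        while tokens and tokens[0].startswith("/"):
            dirs.append(tokens.pop(0))
        for d in dirs:
            yield d, " ".join(tokens)


def containing_mount(path, mount_points):
    """Longest mount point covering path: the filesystem the kernel
    really ties the export options to."""
    p = os.path.normpath(path)
    best = None
    for mp in mount_points:
        mp_n = os.path.normpath(mp)
        if p == mp_n or p.startswith(mp_n.rstrip("/") + "/"):
            if best is None or len(mp_n) > len(best):
                best = mp_n
    return best


def audit_exports(exports_text, mount_text):
    """Return (export_dir, actual_fs, rest) for every export that is a
    subdirectory rather than a mount point of its own."""
    points = parse_mount_points(mount_text)
    findings = []
    for d, rest in parse_exports(exports_text):
        fs = containing_mount(d, points)
        if fs != os.path.normpath(d):
            findings.append((d, fs, rest))
    return findings


if __name__ == "__main__":
    for d, fs, rest in audit_exports(SAMPLE_EXPORTS, SAMPLE_MOUNT):
        print("%s (%s): the whole %s filesystem is reachable by these clients"
              % (d, rest, fs))
```

On a real server the two inputs come from `mount` and /etc/exports; /mnt/beta passes because it is a mount point of its own, while /mnt/gamma and the two /usr exports are flagged, which is exactly the situation the Nessus check tripped over.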



Re: Configuring pppoe during installation?

2006-06-21 Thread Theo de Raadt
 | Which device should be used for pppoe? [fxp0] :
 | pppoe protocol? [bla]:

I can add pppoe to the floppy, but to make it fit I am going to
have to remove the fxp driver.

OK?



Re: FW: technical help

2006-06-21 Thread Allen Theobald
--- Darrin Chandler [EMAIL PROTECTED] wrote:

 ...
 Here is a good place, and there's also a pf mailing list as well
 (pf@benzedrine.cx).
 ...

Is this mailing list still active?  I subscribed about a month
ago and have yet to receive a single e-mail.

The archives show no messages after Nov '05.

Thanks,

Allen



T1 and DSL failover? redundancy?

2006-06-21 Thread John Brahy
I was hoping to get some suggestions on the best way to handle this. We just
put a DSL line for inet backup and I'd like to have it automagically
failover.

We are running OpenBSD 3.9 -stable on a box with four interfaces. Currently
we have one interface connected to our private network and one interface
connected to our router.

I could connect the DSL router and the T1 router directly to my firewall on
two separate interfaces and maintain two separate pf.conf files and manually
change the active interface.
This isn't what I want to do but I know it will work.

What are my other options? I'd like to have it automatically fail over but
I'm not sure what is required to do that.

Thanks,

John



Re: FW: technical help

2006-06-21 Thread Darrin Chandler
On Wed, Jun 21, 2006 at 05:41:27PM -0700, Allen Theobald wrote:
 --- Darrin Chandler [EMAIL PROTECTED] wrote:
 
  ...
  Here is a good place, and there's also a pf mailing list as well
  (pf@benzedrine.cx).
  ...
 
 Is this mailing list still active?  I subscribed about a month
 ago and have yet to receive a single e-mail.
 
 The archives show no messages after Nov '05.

Hmm. You might try subscribing again. I've been getting messages (as of
today)...

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Re: FYI SK(4) D-Link DGE-530T Rev B1 does not appear in dmesg.

2006-06-21 Thread Nick Holland

[EMAIL PROTECTED] wrote:
...

The dmesg with the B1 card only lacks the three appropriate lines which
appear for the Rev A1 card when it is inserted in the same PCI slot:


IF that is true, your card wasn't inserted properly.

PCI cards show up.  SOMETHING will show up...even if it isn't 
recognized.  The only exceptions are if the card is behind a broken or 
unrecognized bridge.


Nick.



Re: T1 and DSL failover? redundancy?

2006-06-21 Thread NetNeanderthal

On 6/21/06, John Brahy [EMAIL PROTECTED] wrote:

What are my other options? I'd like to have it automatically fail over but
I'm not sure what is required to do that.

Have you considered using a WAN card for your T1 natively on OpenBSD?
As well, you might have a look at ifstated(8) if that's the case --
this would be a cinch to configure with PF.

I believe there are several manufacturers of WAN cards, including
art(4), lmc(4) and san(4).  I have used the Sangoma cards before with
good luck.

Otherwise, depending on the router (Cisco?), you might be able to
set up tracking on the T1 WAN interface to bring down the ethernet
interface (assumption?) that points towards your OpenBSD firewall.
This in turn would trigger an ifstated event that manages your pf.conf
configuration(s).  Or... routing metrics.

There are so many ways to solve this with OpenBSD.

Good luck!



Re: Doubts about OpenBSD security.

2006-06-21 Thread Nick Holland

Bob Beck wrote:
...

IMNSHO, a root password for single user makes the system *LESS*
secure, and I'm dead serious. I would object to any attempt to commit
changes to OpenBSD to have one by default. Why? Real simple: *because
you asked this question*. - Now I'm not just crapping on you, every
new sysadmin I know asks this. The point is, if OpenBSD put a root
password on single user, you might be tempted to think that somehow,
someway, a not-physically secured machine was secure, and be tempted
to deploy it that way. And don't laugh, I've seen the assumption made
(I work at a university). My point is that putting security measures
in place that do not do anything because of equivalent access make
people believe that they *do* do something, and therefore people make
incorrect assumptions and do things insecurely. 


Physical access is everything highness. Anyone who says differently
is selling something.

-Bob


Here's another example:

My boss feels that it is important that he have a list of administrative 
passwords to all servers in our company.


Now, call me no fun, but the idea of a password for the perimeter 
security firewalls sitting in an Excel spreadsheet on a laptop he 
selected because it was small and expensive and he likes to carry around 
to impress people scares the hell out of me..and thus, the PWs are not 
there.


Now, he's got a point...yes, we have multiple administrators, but we are 
friends outside of work, so we are not infrequently in the same place at 
the same time, so the possibility of us both being killed in the same 
Celtic Music Riot or explosion of the same Mongolian Grill can't be 
discounted.  If something happens to both of us, someone will need to be 
able to get into those systems.  So...I just wrote up and showed him 
(and had him try) the "lost my PW" process in the FAQ, and had him force 
the root PW.  And he was satisfied (other than the look on his face that 
seemed to be slightly pissed that I was denying him something he wanted, 
even though he knows I satisfied the goal of the demand he made).


NOW...if we had something that had some kind of master password that was 
required even with physical access, we'd probably have to have either 
created an unused account for him (bad idea) or recorded a master 
password on his magic Excel spreadsheet (another bad idea).  I don't 
think that would have improved security one bit.


Sometimes, you got to make it easy to get in in a controlled way to make 
it harder for the wrong people to get in in a less controlled way.


Nick.



Re: Doubts about OpenBSD security.

2006-06-21 Thread Tony Abernethy
Nick Holland wrote:
 
 Bob Beck wrote:
 ...
  IMNSHO, a root password for single user makes the system *LESS*
  secure, and I'm dead serious. I would object to any attempt to commit
  changes to OpenBSD to have one by default. Why? Real simple: *because
  you asked this question*. - Now I'm not just crapping on you, every
  new sysadmin I know asks this. The point is, if OpenBSD put a root
  password on single user, you might be tempted to think that somehow,
  someway, a not-physically secured machine was secure, and be tempted
  to deploy it that way. And don't laugh, I've seen the assumption made
  (I work at a university). My point is that putting security measures
  in place that do not do anything because of equivalent access make
  people believe that they *do* do something, and therefore people make
  incorrect assumptions and do things insecurely. 
  
  Physical access is everything highness. Anyone who says differently
  is selling something.
  
  -Bob
 
 Here's another example:
 
 My boss feels that it is important that he have a list of administrative 
 passwords to all servers in our company.
 
 Now, call me no fun, but the idea of a password for the perimeter 
 security firewalls sitting in an Excel spreadsheet on a laptop he 
 selected because it was small and expensive and he likes to carry around 
 to impress people scares the hell out of me..and thus, the PWs are not 
 there.
 
 Now, he's got a point...yes, we have multiple administrators, but we are 
 friends outside of work, so we are not infrequently in the same place at 
 the same time, so the possibility of us both being killed in the same 
 Celtic Music Riot or explosion of the same Mongolian Grill can't be 
 discounted.  If something happens to both of us, someone will need to be 
 able to get into those systems.  So...I just wrote up and showed him 
 (and had him try) the "lost my PW" process in the FAQ, and had him force 
 the root PW.  And he was satisfied (other than the look on his face that 
 seemed to be slightly pissed that I was denying him something he wanted, 
 even though he knows I satisfied the goal of the demand he made).
 
 NOW...if we had something that had some kind of master password that was 
 required even with physical access, we'd probably have to have either 
 created an unused account for him (bad idea) or recorded a master 
 password on his magic Excel spreadsheet (another bad idea).  I don't 
 think that would have improved security one bit.
 
 Sometimes, you got to make it easy to get in in a controlled way to make 
 it harder for the wrong people to get in in a less controlled way.
 
 Nick.

?? odds the laptop winds up on eBay, drive intact ??



Re: Crashes and HDD params

2006-06-21 Thread Nick Holland

Przemysław Pawełczyk wrote:

Hi,

How to change HDD parameters like this:

wd1 at pciide0 channel 1 drive 0: FUJITSU MPD3084AT
wd1: 16-sector PIO, LBA, 8063MB, 16514064 sectors
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2

to get rid of the crashes I register several times a day? With very bad 
results on my files.


What parameters are you trying to change?  Why do you think it will have 
ANYTHING to do with fixing your crashes?


The disk's parameters are what they are.  The disk knows what they are, 
the OS asks, the disk responds.  The OS reports and utilizes them. 
Other than the DMA and PIO modes, there isn't much to change.


Yes, crashes are bad on lots of things.
Altering the disk parameters is bad in much the same way...you will just 
add problems, not fix them.


Nick.



Re: FYI SK(4) D-Link DGE-530T Rev B1 does not appear in dmesg.

2006-06-21 Thread shanejp
Hello Nick,

Quoting Nick Holland [EMAIL PROTECTED]:

 [EMAIL PROTECTED] wrote:
 ...
  The dmesg with the B1 card only lacks the three appropriate lines which
  appear for the Rev A1 card when it is inserted in the same PCI slot:
 
 IF that is true, your card wasn't inserted properly.

I saved each dmesg to a file and then ran diff to make sure of it before
posting to the list.

 PCI cards show up.  SOMETHING will show up...even if it isn't
 recognized.  The only exceptions are if the card is behind a broken or
 unrecognized bridge.

I'll try it in some other slots and I'll also see if it works at all under
Windows XP just to eliminate the card.

Thanks,


Shane




This email was sent from Netspace Webmail: http://www.netspace.net.au



Re: CVE-1999-0166 bug in NFS

2006-06-21 Thread Nick Guenther

On 6/21/06, Ted Unangst [EMAIL PROTECTED] wrote:

On 6/21/06, Nick Guenther [EMAIL PROTECTED] wrote:
 Why is it like this though? Seems like if you tell it to export
 /mnt/gamma you want it to export /mnt/gamma, not /mnt.

because the only thing that identifies a file is a number.  every file
has a number.  guess the number, and now you can open the file.
assuming the entirety of any exported filesystem gets exported is
basic nfs best practice.

try searching for words like nfs filehandle spoofing guessing.


Ah, thank you. I forget NFS was not designed with security in mind,
though now it is widely used and quite popular.

-Nick
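The point Ted makes above (a file handle names a file by number within the exported filesystem, so exporting a subdirectory still exposes the filesystem it sits on) suggests a simple audit: every path in /etc/exports should be the root of its own filesystem. The checker below is an added example, not code from the thread or from OpenBSD; it parses exports(5)-style lines in the BSD format (paths, then -options, then hosts), flags exported paths that are not mount points, and also flags `-maproot=root`, which the original report used and which hands remote root local root on the export. The sample lines, hosts and mount points are constructed; `ismount` is injectable so a copied exports file from another machine can be checked with a stub.

```python
# Added example (not from the thread): audit exports(5)-style lines.
import os
from typing import Callable, List, NamedTuple, Tuple

NOT_MOUNTPOINT = ("exported path is not a mount point; the whole filesystem "
                  "containing it is reachable through guessed file handles")
ROOT_MAPPED = "remote root is mapped to local root (-maproot=root)"


class Export(NamedTuple):
    paths: List[str]     # one line may export several directories
    options: List[str]   # fields beginning with '-'
    hosts: List[str]     # explicit hosts/netgroups; empty means everyone


def parse_exports(text: str) -> List[Export]:
    """Parse the BSD exports format: absolute paths, then -options, then hosts."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        paths, options, hosts = [], [], []
        for field in line.split():
            if field.startswith("/") and not options and not hosts:
                paths.append(field)
            elif field.startswith("-"):
                options.append(field)
            else:
                hosts.append(field)
        if paths:
            exports.append(Export(paths, options, hosts))
    return exports


def _maps_root_to_root(options: List[str]) -> bool:
    """True when -maproot names root (by name or uid 0); default is nobody."""
    for opt in options:
        if opt.startswith("-maproot="):
            user = opt[len("-maproot="):].split(":")[0]
            if user in ("root", "0"):
                return True
    return False


def audit_exports(text: str,
                  ismount: Callable[[str], bool] = os.path.ismount
                  ) -> List[Tuple[str, str]]:
    """Return (path, reason) findings for every exported path."""
    findings = []
    for exp in parse_exports(text):
        for path in exp.paths:
            if not ismount(path):
                findings.append((path, NOT_MOUNTPOINT))
            if _maps_root_to_root(exp.options):
                findings.append((path, ROOT_MAPPED))
    return findings


# Constructed sample, modelled on the line from the original report.
SAMPLE_EXPORTS = """\
# constructed sample exports file
/mnt/gamma -maproot=root 192.168.1.14
/export/home -ro -network=192.168.1.0 -mask=255.255.255.0
"""

if __name__ == "__main__":
    # Against the live system this uses the real mount table.
    for path, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}: {reason}")
```

Run on the host itself the check uses the real mount table; to review an exports file copied from a server, pass a stub `ismount` built from that server's `mount` output. A finding of the first kind is fixed by putting the exported tree on its own filesystem (or by accepting that the whole filesystem is exported), not by tightening the path in /etc/exports.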



Re: FYI SK(4) D-Link DGE-530T Rev B1 does not appear in dmesg. (SOLVED)

2006-06-21 Thread shanejp
Quoting [EMAIL PROTECTED]:

 Quoting Nick Holland [EMAIL PROTECTED]:
 
  [EMAIL PROTECTED] wrote:
  ...
   The dmesg with the B1 card only lacks the three appropriate lines which
   appear for the Rev A1 card when it is inserted in the same PCI slot:
 
  IF that is true, your card wasn't inserted properly.

I tried it in all the other slots and neither OpenBSD nor Windows
detected it.

  PCI cards show up.  SOMETHING will show up...even if it isn't
  recognized.  The only exceptions are if the card is behind a broken or
  unrecognized bridge.

I tried it in a different PC and the card was shown in the dmesg as a
DGE-560T_2.

So it seems that first PC is a quirky one. Sorry about the bogus FYI.


Shane







(no subject)

2006-06-21 Thread Sebastian Reitenbach



re0: eeprom autoload timeout

2006-06-21 Thread Sebastian Reitenbach
Hi,

I have a problem with re0 Realtek 8169 Network card and OpenBSD 3.9. When 
OpenBSD starts up, it recognizes the card, I can configure IP address... But 
ifconfig -m re0 shows: none as the only available media option.

the part of dmesg where the re0 is initialized:
re0 at pci0 dev 13 function 0 Realtek 8169 rev 0x10:irq10re0: eeprom autoload 
timed out
, address ff:ff:ff:ff:ff:ff
re0: no PHY found!
re0: reset never completed!
re0:diagnostic failed, received short packet
re0:attach aborted due to hardware diag failure


the full dmesg (screenshots) are here: https://212.204.53.48/dmesg

is there anything I can do about that?

kind regards 
Sebastian



Re: Packet overload?

2006-06-21 Thread Peter Bako
Well it is a simple ruleset (see below).  As for the ISP blocking stuff -
not likely, since the email server is run by me at another location.  Since
I have more users connecting to this server from other locations I've ruled
the problem out from that end.  It is only from this one location that this
problem occurs.

-
#
# cat /etc/pf.conf
#
# pf.rules
#
#-Interfaces---
#
#  sis0 - external
#  sis1 - internal
#  sis2 - not used
#
#-Variables
#
ExtIF=sis0
IntIF=sis1
IntRange=192.168.22.0/24
table <scanners> persist file "/etc/scanners"

#
#-Options--
#

#
#-Normalize Traffic
#

scrub in  on $ExtIF all
#scrub out on $ExtIF all random-id

#
#-NAT Rules
#
nat on $ExtIF from $IntRange to any -> $ExtIF
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $IntIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#
#-Antispoof
#
antispoof for { $ExtIF, $IntIF}

#
#-Firewall Rules---
#

# Drop IPv6 packets immediately
block in  quick inet6 all
block out quick inet6 all

# Drop SSH port scanners immediately
block quick from <scanners>

# Block in all inbound and outbound packets
block in  on $ExtIF all
block out on $ExtIF all

# Anchor for FTP Proxy
anchor "ftp-proxy/*"

# Drop hackers
block in  quick on $ExtIF inet proto tcp from any to any flags /SFRA
block in  quick on $ExtIF inet proto tcp from any to any flags F/SFRA
block in  quick on $ExtIF inet proto tcp from any to any flags U/SFRAU
block in  quick on $ExtIF inet proto tcp from any to any flags SF/SFRA
block in  quick on $ExtIF inet proto tcp from any to any flags SAFRU/SAFRU
block in  quick on $ExtIF inet proto tcp from any to any flags SF/SF
block in  quick on $ExtIF inet proto tcp from any to any flags SR/SR
block in  on $ExtIF inet proto tcp from any to any flags S/SFRA
block in  on $ExtIF inet proto tcp from any to any flags SA/SFRA

# Allow SSH in
pass in  quick log on $ExtIF inet proto tcp from any to any port 22 modulate state (max-src-conn-rate 3/15, overload <scanners> flush global)

# Allow normal traffic out
pass out on $ExtIF inet proto tcp from any to any modulate state
pass out on $ExtIF inet proto udp from any to any keep state
pass out on $ExtIF inet proto icmp from any to any keep state
-

That's it!
Peter

-Original Message-
From: Alexander Hall [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 19, 2006 9:07 PM
To: Peter Bako
Cc: misc@openbsd.org
Subject: Re: Packet overload?

Peter Bako wrote:
 I have a Soekris net4801 box running as a firewall for a friend of 
 mine that runs a small business (about 5 employees).  The ruleset is 
 quite simple in that he does not run any internal servers, so I pretty 
 much block all inbound traffic and allow all traffic back out.  For 
 inbound traffic I have the scrub command enabled and for outbound 
 traffic (tcp and udp) I have keep state flag on.
  
 However I've noticed that if more than one or two people are getting 
 email from their ISP (standard pop3), then the third person to try to 
 get email will get an error that the server could not be reached.  
 Until recently they have not received enough email for the email check 
 and subsequent downloads to take long, so whenever anyone got this 
 error they would just wait a few seconds and try again.  However 
 lately they have been getting a larger volume of email (expected due 
 to an upturn in business), so this problem is getting much more noticed 
 and annoying.
  
 Anyone have any idea as to the cause and a solution for this?  I've 
 thought it might be that the Soekris box is underpowered, but the 
 processor is basically a PII/266 with 128M of RAM, which should be 
 enough for such a small site.

Now, I have not seen your pf.conf, but only using a simple ruleset that you
describe, my bet is that it is not the firewall that is causing the problem.
Does the ISP/mailserver have restrictions by any chance?

I cannot imagine that the 4801 would have ANY performance problem in the
situation you describe, unless it is en/de-crypting stuff that passes
through it. Even so, it would just make stuff go slower - not block stuff.

/Alexander
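The SSH rule in Peter's ruleset, `max-src-conn-rate 3/15, overload <scanners> flush global`, combined with `block quick from <scanners>`, is the one part of that configuration that can silently cut a source off, so it is worth being precise about what it does. The model below is an added example, not code from the thread or from pf: it emulates the clause with a sliding window of new-connection timestamps per source (pf itself uses a decaying counter, so behaviour right at the window boundary differs), drops the connection that exceeds the rate, adds the source to the table, and with `flush global` kills every existing state from that source, whatever rule created it. Addresses, timestamps and state ids are constructed.

```python
# Added example (not from the thread): simplified model of pf's
# max-src-conn-rate / overload <table> flush global behaviour.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple


class SourceRateLimiter:
    """Per-source new-connection rate limit with an overload table."""

    def __init__(self, max_conns: int, seconds: float, flush_global: bool = True):
        self.max_conns = max_conns          # the "3" in 3/15
        self.seconds = seconds              # the "15" in 3/15
        self.flush_global = flush_global
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)  # src -> timestamps
        self.scanners: Set[str] = set()     # models table <scanners>
        self.states: Dict[str, Set[str]] = defaultdict(set)       # src -> live state ids
        self.killed: List[str] = []         # states removed by "flush global"

    def new_connection(self, src: str, now: float, state_id: str) -> str:
        # "block quick from <scanners>" is evaluated before the pass rule,
        # so a source already in the table never reaches the rate check.
        if src in self.scanners:
            return "blocked"
        window = self.recent[src]
        while window and now - window[0] >= self.seconds:
            window.popleft()                # forget connections older than the window
        if len(window) >= self.max_conns:
            # Rate exceeded: this packet is dropped (no state is created),
            # the source goes into the table, and with flush global every
            # state it already holds is torn down.
            self.scanners.add(src)
            if self.flush_global:
                self.killed.extend(sorted(self.states.pop(src, set())))
            return "overloaded"
        window.append(now)
        self.states[src].add(state_id)
        return "passed"


def replay(events: List[Tuple[str, float, str]], max_conns: int = 3,
           seconds: float = 15.0) -> Tuple[List[str], List[str], List[str]]:
    """Replay (src, time, state_id) events; return verdicts, table, killed states."""
    limiter = SourceRateLimiter(max_conns, seconds)
    verdicts = [limiter.new_connection(src, t, sid) for src, t, sid in events]
    return verdicts, sorted(limiter.scanners), limiter.killed


# Constructed event stream: one source opening SSH connections too fast,
# one source behaving normally. Times are seconds.
EVENTS = [
    ("203.0.113.7", 0.0, "a1"),
    ("203.0.113.7", 1.0, "a2"),
    ("203.0.113.7", 2.0, "a3"),
    ("198.51.100.9", 2.5, "b1"),
    ("203.0.113.7", 3.0, "a4"),      # fourth within 15 s: dropped, source tabled
    ("198.51.100.9", 50.0, "b2"),    # unaffected: limits are per source
    ("203.0.113.7", 100.0, "a5"),    # table entry persists: still blocked
]

if __name__ == "__main__":
    verdicts, table, killed = replay(EVENTS)
    for (src, t, sid), verdict in zip(EVENTS, verdicts):
        print(f"t={t:6.1f} {src:14} {sid}: {verdict}")
    print("table <scanners>:", table, " states killed:", killed)
```

Two consequences for the person operating such a ruleset: a tabled address stays blocked until it is removed (with `persist` the table survives rule reloads, and entries are commonly aged out from cron with `pfctl -t scanners -T expire <seconds>`), and `flush global` removes the offender's states for every rule, not only SSH, so a legitimate but chatty host behind one NAT address can lose unrelated connections. Neither mechanism applies to outbound traffic, which in the ruleset above is only `modulate state` / `keep state` with no limits.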