Re: D-Link DUB-E100 new Revision does not work
Jonathan Gray wrote:
> On Thu, Jul 06, 2006 at 04:14:12PM +0200, Guido Tschakert wrote:
> > Guido Tschakert wrote:
> > > Hello, don't know if this is the right place, but I post it anyway.
> > > I bought a D-Link DUB-E100 which should work on OpenBSD according to the web site. But it doesn't. Our lovely vendor D-Link changed the chipset and called it H/W Ver.:B1. Here comes the part of the dmesg:
> > >
> > > ugen0 at uhub4 port 4
> > > ugen0: vendor 0x07d1 product 0x3c05, rev 2.00/0.01, addr 2
> > >
> > > Maybe the info on http://www.openbsd.org/i386.html#hardware should be changed to D-Link DUB-E100 (Revision A) or something like that.
> > > Btw, I don't need this thing to work on openbsd but I plug every piece of hardware in one of our openbsd boxes to check if it works ;-)
> > > If I can give you more info, please let me know. At this time I try to open the case of the adapter, hoping to see a label with the name of the chipset.
> > >
> > > guido
> > >
> > > PS: also on Linux, which should support the old DUB-E100, the new one doesn't work.
> >
> > A colleague has opened this box, the chipset is AX88772 LF. (The old one had AX88172). Hope that anyone can use this information.
> >
> > guido
>
> Please try this diff:

Index: usbdevs === RCS file: /cvs/src/sys/dev/usb/usbdevs,v retrieving revision 1.204 diff -u -p -r1.204 usbdevs --- usbdevs 27 Jun 2006 09:19:09 - 1.204 +++ usbdevs 6 Jul 2006 15:52:11 - @@ -903,6 +903,7 @@ product DLINK DWL120F 0x3702 DWL-120 re product DLINK RT2570 0x3c00 RT2570 product DLINK2 DWLG122C1 0x3c03 DWL-G122 rev C1 product DLINK2 WUA1340 0x3c04 WUA-1340 +product DLINK2 DUBE100B1 0x3c05 DUB-E100 rev B1 product DLINK DSB650C0x4000 10Mbps ethernet product DLINK DSB650TX1 0x4001 10/100 ethernet product DLINK DSB650TX 0x4002 10/100 ethernet Index: usbdevs.h === RCS file: /cvs/src/sys/dev/usb/usbdevs.h,v retrieving revision 1.208 diff -u -p -r1.208 usbdevs.h --- usbdevs.h 27 Jun 2006 09:19:58 - 1.208 +++ usbdevs.h 6 Jul 2006 15:52:19 -
@@ -1,4 +1,4 @@ -/* $OpenBSD: usbdevs.h,v 1.208 2006/06/27 09:19:58 jsg Exp $ */ +/* $OpenBSD$ */ /* * THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. @@ -910,6 +910,7 @@ #define USB_PRODUCT_DLINK_RT25700x3c00 /* RT2570 */ #define USB_PRODUCT_DLINK2_DWLG122C10x3c03 /* DWL-G122 rev C1 */ #define USB_PRODUCT_DLINK2_WUA1340 0x3c04 /* WUA-1340 */ +#define USB_PRODUCT_DLINK2_DUBE100B10x3c05 /* DUB-E100 rev B1 */ #define USB_PRODUCT_DLINK_DSB650C 0x4000 /* 10Mbps ethernet */ #define USB_PRODUCT_DLINK_DSB650TX1 0x4001 /* 10/100 ethernet */ #define USB_PRODUCT_DLINK_DSB650TX 0x4002 /* 10/100 ethernet */ Index: usbdevs_data.h === RCS file: /cvs/src/sys/dev/usb/usbdevs_data.h,v retrieving revision 1.208 diff -u -p -r1.208 usbdevs_data.h --- usbdevs_data.h27 Jun 2006 09:19:58 - 1.208 +++ usbdevs_data.h6 Jul 2006 15:52:28 - @@ -1,4 +1,4 @@ -/* $OpenBSD: usbdevs_data.h,v 1.208 2006/06/27 09:19:58 jsg Exp $ */ +/* $OpenBSD$ */ /* * THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. @@ -1041,6 +1041,10 @@ const struct usb_known_product usb_known { USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_WUA1340, WUA-1340, + }, + { + USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_DUBE100B1, + DUB-E100 rev B1, }, { USB_VENDOR_DLINK, USB_PRODUCT_DLINK_DSB650C, Index: if_axe.c === RCS file: /cvs/src/sys/dev/usb/if_axe.c,v retrieving revision 1.53 diff -u -p -r1.53 if_axe.c --- if_axe.c 23 Jun 2006 06:27:11 - 1.53 +++ if_axe.c 6 Jul 2006 15:52:29 - 
@@ -160,6 +160,7 @@ Static const struct axe_type axe_devs[] { { USB_VENDOR_CISCOLINKSYS, USB_PRODUCT_CISCOLINKSYS_USB200MV2}, AX772 }, { { USB_VENDOR_COREGA, USB_PRODUCT_COREGA_FETHER_USB2_TX }, 0}, { { USB_VENDOR_DLINK, USB_PRODUCT_DLINK_DUBE100}, 0 }, + { { USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_DUBE100B1}, AX772 }, { { USB_VENDOR_GOODWAY, USB_PRODUCT_GOODWAY_GWUSB2E}, 0 }, { { USB_VENDOR_JVC, USB_PRODUCT_JVC_MP_PRX1}, 0 }, { { USB_VENDOR_LINKSYS2, USB_PRODUCT_LINKSYS2_USB200M}, 0 },

Ok, I will try that out next week (today there is not so much time and at home I have no testing machine and btw, as I wrote, I'm not in that hurry). To be honest I have never worked with cvs and at this moment I don't know how to apply this diff to the source tree, but I will find out.

thanks
guido
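Review bot: the usbdevs.h and usbdevs_data.h hunks are regenerated output, not hand edits (both files carry the "THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT." banner, and the diff replaces their full RCS ids with a bare `$OpenBSD$`), so whoever applies this should take only the usbdevs and if_axe.c hunks and regenerate the two headers from usbdevs rather than patch them in with the ids blanked. The if_axe.c entry itself looks right: product 0x3c05 is the id from the dmesg line, it is filed under DLINK2 next to the other 0x3c0x entries, and the AX772 flag matches the AX88772 chipset reported from the opened box. For applying by hand, the Index: lines are relative to sys/dev/usb, so patch(1) is run from that directory.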
Re: Sell, buy or rent your property through this medium
On 7/7/06, Epropiedades [EMAIL PROTECTED] wrote:
> This e-mail message is an advertisement and/or solicitation.
> If images are not visible in this email, please visit the online version.
> http://www.envios-cr.com/mail.php?s=20member=92553612members=31d81af3

Polite at least...

-Nick
Re: hexdump observation
On Thu, 6 Jul 2006, Peter Philipp wrote:
> I just tested running hexdump -x on two different systems. One system is a macppc and the other an amd64. On the same file the order (endian) of the hexpairs is swapped. Is this supposed to be like that? If there was an effort to make hexdump -x endian safe, which order should it prefer (little or big)? And if it shouldn't be changed is there a chance for an extra flag that would make it endian-safe?

I think hexdump should dump in the native format. There's no such thing as a single endian safe format. What about pdp11 byte order, alignments, float formats, etc?

-Otto
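As an added illustration of Otto's point (example code, not from the thread): `-x` reads every two-byte word as a native unsigned short, so the same file prints with swapped bytes on macppc and amd64. The emulation below shows both renderings on a constructed input, plus a helper that rewrites a dump taken on one host into the other's order so two dumps can be compared.

```python
import struct

# Constructed sample input for the demonstration (not from the original post):
# the bytes 0x01..0x11, deliberately an odd count so the padded last word shows.
SAMPLE = bytes(range(0x01, 0x12))


def hexdump_x(data: bytes, host_byteorder: str) -> list[str]:
    """Emulate the body of hexdump(1) -x as run on a host of the given endianness.

    -x prints the offset as seven hex digits followed by up to eight two-byte
    words, and each word is read as a *native* unsigned short. That is why a
    big-endian macppc and a little-endian amd64 print the same file with the
    bytes of every word swapped. A trailing odd byte is zero-padded, as
    hexdump does. The final total-length line hexdump prints is omitted.
    """
    endian = "<" if host_byteorder == "little" else ">"
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        if len(chunk) % 2:
            chunk += b"\x00"
        words = struct.unpack(f"{endian}{len(chunk) // 2}H", chunk)
        lines.append(f"{off:07x} " + " ".join(f"{w:04x}" for w in words))
    return lines


def swap_x_words(lines: list[str]) -> list[str]:
    """Turn a -x dump from one endianness into what the other host prints.

    Swaps the two bytes of every four-digit word and leaves the offset
    column alone, so dumps made on different machines become comparable.
    """
    out = []
    for line in lines:
        offset, *words = line.split()
        out.append(" ".join([offset] + [w[2:] + w[:2] for w in words]))
    return out


if __name__ == "__main__":
    print("amd64 (little-endian) view:")
    print("\n".join(hexdump_x(SAMPLE, "little")))
    print("macppc (big-endian) view:")
    print("\n".join(hexdump_x(SAMPLE, "big")))
```

Byte-wise views such as `hexdump -C` or `od -tx1` do not have this dependence, which is the portable choice when a dump has to be compared across machines.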
Re: BGP questions
On Thu, Jul 06, 2006 at 09:02:47PM -0500, Jacob Yocom-Piatt wrote:
> (1) i have 2 blocks of 8 static IPs at my disposal, one at home and one at work,

So two /29's?

> and both connections are 3Mb/512Kb ADSL via PPPoE. the upstream traffic at work is beginning to saturate the connection and i would like to share some of the load with the home connection. would BGP allow me to multihome a site across both connections to split the load?
>
> would i need an AS number if this would work?

Yup. That's not all. You need at least a /20 (AFAIK) to be able for large backbones to even consider routing your advertisement. But this was hearsay years ago, I don't know if it still holds. The investment is in the thousands of dollars a year though (ARIN fees http://www.arin.net/billing/fee_schedule.html) and you have to justify using that much IP space.

> (2) are there any particular online docs that are recommended reading for BGP?

RFC's, NANOG archives perhaps too

> what about books?
>
> (3) the home gateway machine is a PII-350 w/ 64MB ram. is this too slow for doing what i have asked about in (1)?

Dunno. I suspect you won't be able to load a full BGP table. BGP is really a big boys(tm) protocol, not sure if 2 ADSL connections classifies you as that. If it did then they would quickly run out of the 16 bit ASN space, wouldn't you think? Perhaps considering a protocol like CARP is more what you want?

-peter

-- 
Here my ticker tape .signature
My name is Peter Philipp
lynx -dump http://en.wikipedia.org/w/index.php?title=Pufferfisholdid=20768394; | sed -n 131,136p
So long and thanks for all the fish!!!
Re: Question related to automatically encrypted /tmp /var/tmp (like swap..?)
Daniel A. Ramaley wrote:
> I have not seen documented how mfs allocates memory, so i just did a quick test. On a machine with 205 MB of RAM free i mounted a 128 MB mfs. Free RAM dropped to 199 MB; only 6 MB used! So OpenBSD must only allocate RAM for sectors that have actually been written to. Since the system is not using any more RAM than it has to, i think i'll switch to using mfs for /tmp as well.

mount_mfs uses mmap(), which in turn will only use those pages which the program actually touches. An unused (large) mfs will not take up much ram, and if it does, it can swap out seldom used pages too.
Re: hints for scanning msdosfs patterns?
> Seems like a small tax on people who don't keep decent backups.

Yeah, that's me. Thank you all so much for the links.

vladas
Re: BGP questions
On 07/07/06, Peter Philipp [EMAIL PROTECTED] wrote:
> On Thu, Jul 06, 2006 at 09:02:47PM -0500, Jacob Yocom-Piatt wrote:
> > (1) i have 2 blocks of 8 static IPs at my disposal, one at home and one at work,
>
> So two /29's?
>
> > and both connections are 3Mb/512Kb ADSL via PPPoE. the upstream traffic at work is beginning to saturate the connection and i would like to share some of the load with the home connection. would BGP allow me to multihome a site across both connections to split the load?
> >
> > would i need an AS number if this would work?
>
> Yup. That's not all. You need at least a /20 (AFAIK) to be able for large backbones to even consider routing your advertisement. But this was hearsay years ago, I don't know if it still holds. The investment is in the thousands of dollars a year though (ARIN fees http://www.arin.net/billing/fee_schedule.html) and you have to justify using that much IP space.

/24 work fine across the net. Smaller than that will likely be filtered in lots of places. You need an AS of your own and provider independent addresses to multihome properly. If both links go to the same provider and they're flexible you may be able to implement a bgp setup with your /29's and without an AS of your own. In the end complexity and cost of running a bgp setup will hurt a lot more than just upgrading your bandwidth. With BGP you can connect to multiple providers, and also inherit problems from all of them.

> > (2) are there any particular online docs that are recommended reading for BGP?
>
> RFC's, NANOG archives perhaps too

Go to Cisco's website and dig around, they have lots of good documentation regarding most flavors of ip routing.
http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00804fa120.shtml#wp4050
http://www.cisco.com/en/US/tech/tk365/tk80/tsd_technology_support_sub-protocol_home.html

> > what about books?

Internet Routing Architectures by Sam Halabi. 2nd edition for $39 on amazon.

> > (3) the home gateway machine is a PII-350 w/ 64MB ram. is this too slow for doing what i have asked about in (1)?

With more memory it could in theory do what you want, but in reality BGP is not the tool to use when you run out of bandwidth on your 0.5M dsl line.

/Tony

-- 
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, I couldn't help it, it's my nature =-
Re: HTTP Load balancer
Pete Vickers wrote:
> On 7. jul. 2006, at 00.11, Clint Pachl wrote:
> > Richard Wilson wrote:
> > > Hulloo list,
> > > Can anyone recommend a load balancer for http/https for OpenBSD? Currently I'm using Pound, from http://www.apsis.ch/pound/ which runs under OpenBSD, and supports connection tracking via IP, cookie and request ID (eg PHPSESSID) and seems to do everything I need.
> >
> > pf: see pf(4) pf.conf(5) pfctl(8) pfsync(4)
> >
> > It can balance using round-robin, random, and source-hash. Stickiness can be applied to the round-robin and random methods. The stickiness option and source-hash method will satisfy https, and http if you are not sharing session data among servers. Best of all, pf is built right in and simple as hell to use. All you need to do is config your existing firewall or put a pf box in front of your webservers. Hell, you could probably even run it on all of your webservers in a carp group (haven't done this, but seems feasible). Added bonus, pf inherently balances other services, not just http! Oh, another bonus, you can easily have automatic fail-over using pfsync and carp! I'm not sure you can beat the simplicity and robustness of pf. As far as I'm concerned, pf obsoleted all load balancers for me.
> >
> > I used to use pen to balance http traffic. Because of pen's design, there were discrepancies in the web logs, where all connections, from the webservers' POV, were coming from the pen load balancer. So there was an add-on program, a hack, that was needed to later resolve web logs. It worked well, but what a mess.
> >
> > I would like to hear why people would not desire pf over some other load balancing option.
> >
> > -pachl
>
> pound can
> 1. operate (route, alter, etc) on/at L7, e.g HTTP headers/URLs
> 2. do https--http forwarding, e.g SSL off-loading
> 3. log URLs with source/dest IP etc
>
> none of these can be done via pf (unless i'm mistaken)
>
> /Pete

Those are almost an exact summary of why we use pound.

We do certain things based on the content of the headers, so we need 1), but admittedly we could probably find a better way if we had to. All the annoyances of SSL, multiple IPs, and the like, are handled on the balancer, giving us one place to manage certificates and keeping the web servers themselves nice and simple, which uses 2). Some of the clients we host for are big on logging, web stats and the like, and so having all the logs in an apache-style format in one place is damn handy, and uses 3).

In addition to these things, the feature that really wins us over is the connection tracking. Our main piece of software is a corporate CRM package, and because we host a few instances of it for customers, we can find that we might get 50 connections all from the same IP, because there are many people all from the same company, behind NAT, using our servers at the same time. We have to have connection tracking, otherwise many things break in interesting ways when someone's session jumps to another apache node, but if we do say source hashing, we end up with all 50 users on one server, rather than spread around. Pound's ability to track based on either cookie or a variable in the request header is exactly what we need. We have two balancers, for redundancy, and so OpenBSD and CARP were the clear choice.

I would have thought, given it seems to fill a space not occupied by anything else, it would be good to have pound in the ports tree. Is there some reason that it isn't? Perhaps because it requires threaded OpenSSL? Or is it that no-one has had the time? I would love to help out, but by my own admission I'm no coder. That said, if anyone is trying to make a port, and needs help with testing or some other not-requiring-C-skills assistance, I'd happily do all I can :-)

Richard W
How to compile DHCPD source code
Hi,

I need to make some minute changes to the db.c file that comes under the DHCP source code. I wanted to know how I can run dhcp now with these changes. Please tell me whether I have to recompile the whole source code (kernel) again or if there is any way to compile only this DHCP code.

What I have done so far is I have downloaded all files needed for DHCPD from http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/ After that I made changes to the file db.c. Now I am stuck here. Anyone please help. Tell me what to do.

Thanks for reading this mail anyway.

Rahul
Re: BGP questions
* Peter Philipp [EMAIL PROTECTED] [2006-07-07 08:47]:
> > would i need an AS number if this would work?
>
> Yup. That's not all. You need at least a /20 (AFAIK) to be able for large backbones to even consider routing your advertisement. But this was hearsay years ago, I don't know if it still holds.

no. more than half the table is /24s and /23s.

> > (3) the home gateway machine is a PII-350 w/ 64MB ram. is this too slow for doing what i have asked about in (1)?
>
> Dunno. I suspect you won't be able to load a full BGP table. BGP is really a big boys(tm) protocol, not sure if 2 ADSL connections classifies you as that. If it did then they would quickly run out of the 16 bit ASN space, wouldn't you think?

foremost, running bgp requires your upstreams speaking bgp with you. in general, DSL companies don't do that.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: How to compile DHCPD source code
First, *don't* download source from the cvsweb website. That source is handy for browsing, but you should be getting your code from a cvs repository.

Look at the instructions for a given patch for guidance:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch

    And then rebuild and install sendmail:

        cd gnu/usr.sbin/sendmail
        make obj
        make depend
        make
        make install

On 7/7/06, Rahul Sharma [EMAIL PROTECTED] wrote:
> Hi,
>
> I need to make some minute changes to the db.c file that comes under the DHCP source code. I wanted to know how I can run dhcp now with these changes. Please tell me whether I have to recompile the whole source code (kernel) again or if there is any way to compile only this DHCP code.
>
> What I have done so far is I have downloaded all files needed for DHCPD from http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/ After that I made changes to the file db.c. Now I am stuck here. Anyone please help. Tell me what to do.
>
> Thanks for reading this mail anyway.
>
> Rahul
Re: Some thoughts and more detail
On 2006/07/06 09:50, Joachim Schipper wrote:
> > We are now in the days of being able to make a complete OS install onto a flashcard which costs less than the cheapest hard drive.
>
> Is this still the case if you include the controller? I don't know, just asking...

DiskOnModule are cheap if you buy them from the right place, and they plug straight into IDE. CF seems cheaper for bigger modules (and adapters aren't _that_ expensive - pretty simple, just a PCB and a couple of connectors usually).

> Well, given a good RAID card or software RAID implementation, a clueful admin, and decent disks, it should be pretty good. Or do you have other experiences? I am quite happy with RAIDframe...

Add (at least): decent cables, taking care when swapping failed disks, good power supplies...
Re: htaccess + skey?
On Thu, Jul 06, 2006 at 03:23:40PM +0200, Rogier Krieger wrote:
> On 7/6/06, Bernd Schoeller [EMAIL PROTECTED] wrote:
> > On Thu, Jul 06, 2006 at 01:33:52PM +0200, [EMAIL PROTECTED] wrote:
> > > Is there any way to combine htaccess with one-time-pads?
> >
> > Looks like a difficult task, as http is not session based. So, the browser would ask for a new OTP on every GET request.
>
> Sounds like a good point. I'd suppose adding session information in the web service (e.g. using Perl's Apache::Session, PHP, etc.) can alleviate that problem. Or am I in need of a good clue by four here?

No, this should work. Just be sure to actually use sessions that work - far too many can be trivially spoofed.

Joachim
Re: hints for scanning msdosfs patterns?
On Thu, Jul 06, 2006 at 08:56:55PM +0900, vladas wrote:
> Hi all. I have fd up the first 10Mb of the 3Gb fat disk (not partition, the whole 3Gb disk) full of windoze shit. Then, due to time limits, made some sort of backup of the mess with dd and put Puffy into that disk (dedicated install). The problem is that management needs some of that stuff back ... I would be grateful if anybody could give any hints on how to grep the 3Gb backup image for any msdosfs patterns so that I could get at least some of the individual files back. Sorry for asking it like that instead of just reading mount_msdos src silently - maybe someone had this before.. I am posting this to misc@ because Puffy is the only OS I run. Would be grateful for any hint etc.

'Keep backups' is the best one, but probably a bit late. (Unless you were told you could delete the data, in which case a clue by four might be appropriate.)

Several good suggestions have already been given, so I'll not repeat them. Aside from Wietse Venema's The Coroner's Toolkit (TCT), there is also the Sleuth Kit. It's more modern and presumably has a more friendly interface (TCT, while a good tool, does not quite shine there). I am fairly certain it does FAT as well, but I have no clue if it would work in this case - it's really meant for finding deleted/hidden files in intact filesystems. However, at least 'sigfind' from the Sleuth Kit might be useful, if you know what you are looking for (and are willing to spend lots of time).

However, in case you only destroyed the partition table, but not the partition in question (i.e., the partition you want to recover data from), I have had personal success with a Knoppix disk, a loopback device with an offset (this does not seem to be supported on OpenBSD), and just mounting it. Of course, one could simulate this on OpenBSD by exploiting the magic of dd(1), vnd(4), and mount_msdos(8), too. Of course, this requires you to know the exact starting byte of the filesystem, but other tools exist to help with that. In this case, someone who shut down Partition Magic because it was taking too long, it worked just fine, over the phone no less.

Joachim
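The dd/vnd/mount_msdos route above needs the exact starting byte of the filesystem. As an added example (not from the thread), here is a scanner that finds plausible FAT boot sectors in a raw dd image by checking the BIOS Parameter Block fields, and reports the geometry needed to carve the volume; the image it scans is constructed inline.

```python
import struct

SECTOR = 512
VALID_BPS = {512, 1024, 2048, 4096}
VALID_SPC = {1, 2, 4, 8, 16, 32, 64, 128}


def looks_like_fat_boot_sector(sec: bytes) -> bool:
    """Plausibility checks from the standard FAT on-disk layout (not from the thread):
      0..2     jump instruction, EB xx 90 or E9 xx xx
      3..10    OEM name, printable ASCII
      11..12   bytes per sector (LE), one of 512/1024/2048/4096
      13       sectors per cluster, a power of two up to 128
      14..15   reserved sectors (LE), at least 1
      16       number of FATs, 1 or 2
      510..511 boot signature 55 AA
    Random data rarely satisfies all of these at once, so false hits are few."""
    if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
        return False
    if not ((sec[0] == 0xEB and sec[2] == 0x90) or sec[0] == 0xE9):
        return False
    if not all(0x20 <= b < 0x7F for b in sec[3:11]):
        return False
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", sec, 11)
    return bps in VALID_BPS and spc in VALID_SPC and reserved >= 1 and nfats in (1, 2)


def describe(sec: bytes) -> dict:
    """Pull the geometry a recovery needs out of a plausible boot sector."""
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", sec, 11)
    total16, = struct.unpack_from("<H", sec, 19)   # FAT12/16 total sectors
    total32, = struct.unpack_from("<I", sec, 32)   # used when total16 is 0
    total = total16 or total32
    fstype = sec[54:62].decode("ascii", "replace").strip()   # FAT12/FAT16 label
    if not fstype.startswith("FAT"):
        fstype = sec[82:90].decode("ascii", "replace").strip()   # FAT32 label
    return {"type": fstype, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "reserved_sectors": reserved, "fats": nfats,
            "total_sectors": total, "size_bytes": total * bps}


def scan_image(img: bytes, step: int = SECTOR) -> list[int]:
    """Byte offsets of every sector-aligned candidate boot sector in the image.

    A FAT32 volume also keeps a backup boot sector (normally sector 6 of the
    volume), so a second hit 6 * 512 bytes after the first is expected there."""
    return [off for off in range(0, len(img) - SECTOR + 1, step)
            if looks_like_fat_boot_sector(img[off:off + SECTOR])]


def fake_fat16_boot_sector(total_sectors: int) -> bytes:
    """Constructed FAT16 boot sector, for the demonstration only."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x3c\x90"
    sec[3:11] = b"MSWIN4.1"
    struct.pack_into("<HBHB", sec, 11, 512, 8, 1, 2)
    struct.pack_into("<H", sec, 17, 512)                    # root directory entries
    struct.pack_into("<H", sec, 19, total_sectors if total_sectors < 65536 else 0)
    sec[21] = 0xF8                                          # media descriptor: fixed disk
    struct.pack_into("<I", sec, 32, total_sectors if total_sectors >= 65536 else 0)
    sec[54:62] = b"FAT16   "
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


# Constructed 1 MiB image: zero filler, a boot sector at the classic 63-sector
# offset, then 0xFF filler. A real multi-gigabyte dd image is scanned the same way.
BOOT_OFFSET = 63 * SECTOR
DEMO_IMAGE = (b"\x00" * BOOT_OFFSET + fake_fat16_boot_sector(204800)
              + b"\xff" * (1024 * 1024 - BOOT_OFFSET - SECTOR))


if __name__ == "__main__":
    for off in scan_image(DEMO_IMAGE):
        info = describe(DEMO_IMAGE[off:off + SECTOR])
        print(f"candidate at byte {off} (sector {off // SECTOR}): {info}")
```

On a real image the reported offset divided by 512 is the `skip` for dd when carving out `size_bytes` of the volume, which can then be attached with vnconfig and mounted read-only with mount_msdos, so the recovery never writes to the evidence copy.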
Re: hints for scanning msdosfs patterns?
On 07/07/06, Joachim Schipper [EMAIL PROTECTED] wrote:
> On Thu, Jul 06, 2006 at 08:56:55PM +0900, vladas wrote:
> > Hi all. I have fd up the first 10Mb of the 3Gb fat disk (not partition, the whole 3Gb disk) full of windoze shit. Then, due to time limits, made some sort of backup of the mess with dd and put Puffy into that disk (dedicated install). The problem is that management needs some of that stuff back ... I would be grateful if anybody could give any hints on how to grep the 3Gb backup image for any msdosfs patterns so that I could get at least some of the individual files back. Sorry for asking it like that instead of just reading mount_msdos src silently - maybe someone had this before.. I am posting this to misc@ because Puffy is the only OS I run. Would be grateful for any hint etc.
>
> 'Keep backups' is the best one, but probably a bit late. (Unless you were told you could delete the data, in which case a clue by four might be appropriate.)
>
> Several good suggestions have already been given, so I'll not repeat them. Aside from Wietse Venema's The Coroner's Toolkit (TCT), there is also the Sleuth Kit. It's more modern and presumably has a more friendly interface (TCT, while a good tool, does not quite shine there). I am fairly certain it does FAT as well, but I have no clue if it would work in this case - it's really meant for finding deleted/hidden files in intact filesystems. However, at least 'sigfind' from the Sleuth Kit might be useful, if you know what you are looking for (and are willing to spend lots of time).
>
> However, in case you only destroyed the partition table, but not the partition in question (i.e., the partition you want to recover data from), I have had personal success with a Knoppix disk, a loopback device with an offset

Tried this in the very first place with no result. First 10Mb appeared to be a lot :)

> (this does not seem to be supported on OpenBSD), and just mounting it. Of course, one could simulate this on OpenBSD by exploiting the magic of dd(1), vnd(4), and mount_msdos(8), too. Of course, this requires you to know the exact starting byte of the filesystem, but other tools exist to help with that. In this case, someone who shut down Partition Magic because it was taking too long, it worked just fine, over the phone no less.
>
> Joachim

Thank you for all these good ideas. I will check them out.

vladas
Re: How to compile DHCPD source code
Rahul:

You don't need the sendmail patch, but it does outline the steps required to (re-)compile and install system software.

-Pete

P.S. Don't forget to CC misc@

On 7/7/06, Rahul Sharma [EMAIL PROTECTED] wrote:
> Hi Peter,
>
> Thanks for your reply. It seems confusing to me that for recompiling the dhcpd code I require the sendmail patch. Can you please explain that to me.
>
> Warm regards
> Rahul
>
> On 7/7/06, Peter Blair [EMAIL PROTECTED] wrote:
> > First, *don't* download source from the cvsweb website. That source is handy for browsing, but you should be getting your code from a cvs repository.
> >
> > Look at the instructions for a given patch for guidance:
> > ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.9/common/001_sendmail.patch
> >
> >     And then rebuild and install sendmail:
> >
> >         cd gnu/usr.sbin/sendmail
> >         make obj
> >         make depend
> >         make
> >         make install
> >
> > On 7/7/06, Rahul Sharma [EMAIL PROTECTED] wrote:
> > > Hi,
> > >
> > > I need to make some minute changes to the db.c file that comes under the DHCP source code. I wanted to know how I can run dhcp now with these changes. Please tell me whether I have to recompile the whole source code (kernel) again or if there is any way to compile only this DHCP code.
> > >
> > > What I have done so far is I have downloaded all files needed for DHCPD from http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/dhcpd/ After that I made changes to the file db.c. Now I am stuck here. Anyone please help. Tell me what to do.
> > >
> > > Thanks for reading this mail anyway.
> > >
> > > Rahul
Re: D-Link DUB-E100 new Revision does not work
Jonathan Gray wrote:
> On Thu, Jul 06, 2006 at 04:14:12PM +0200, Guido Tschakert wrote:
> > Guido Tschakert wrote:
> > > Hello, don't know if this is the right place, but I post it anyway.
> > > I bought a D-Link DUB-E100 which should work on OpenBSD according to the web site. But it doesn't. Our lovely vendor D-Link changed the chipset and called it H/W Ver.:B1. Here comes the part of the dmesg:
> > >
> > > ugen0 at uhub4 port 4
> > > ugen0: vendor 0x07d1 product 0x3c05, rev 2.00/0.01, addr 2
> > >
> > > Maybe the info on http://www.openbsd.org/i386.html#hardware should be changed to D-Link DUB-E100 (Revision A) or something like that.
> > > Btw, I don't need this thing to work on openbsd but I plug every piece of hardware in one of our openbsd boxes to check if it works ;-)
> > > If I can give you more info, please let me know. At this time I try to open the case of the adapter, hoping to see a label with the name of the chipset.
> > >
> > > guido
> > >
> > > PS: also on Linux, which should support the old DUB-E100, the new one doesn't work.
> >
> > A colleague has opened this box, the chipset is AX88772 LF. (The old one had AX88172). Hope that anyone can use this information.
> >
> > guido
>
> Please try this diff:

Index: usbdevs === RCS file: /cvs/src/sys/dev/usb/usbdevs,v retrieving revision 1.204 diff -u -p -r1.204 usbdevs --- usbdevs 27 Jun 2006 09:19:09 - 1.204 +++ usbdevs 6 Jul 2006 15:52:11 - @@ -903,6 +903,7 @@ product DLINK DWL120F 0x3702 DWL-120 re product DLINK RT2570 0x3c00 RT2570 product DLINK2 DWLG122C1 0x3c03 DWL-G122 rev C1 product DLINK2 WUA1340 0x3c04 WUA-1340 +product DLINK2 DUBE100B1 0x3c05 DUB-E100 rev B1 product DLINK DSB650C0x4000 10Mbps ethernet product DLINK DSB650TX1 0x4001 10/100 ethernet product DLINK DSB650TX 0x4002 10/100 ethernet Index: usbdevs.h === RCS file: /cvs/src/sys/dev/usb/usbdevs.h,v retrieving revision 1.208 diff -u -p -r1.208 usbdevs.h --- usbdevs.h 27 Jun 2006 09:19:58 - 1.208 +++ usbdevs.h 6 Jul 2006 15:52:19 -
@@ -1,4 +1,4 @@ -/* $OpenBSD: usbdevs.h,v 1.208 2006/06/27 09:19:58 jsg Exp $ */ +/* $OpenBSD$ */ /* * THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. @@ -910,6 +910,7 @@ #define USB_PRODUCT_DLINK_RT25700x3c00 /* RT2570 */ #define USB_PRODUCT_DLINK2_DWLG122C10x3c03 /* DWL-G122 rev C1 */ #define USB_PRODUCT_DLINK2_WUA1340 0x3c04 /* WUA-1340 */ +#define USB_PRODUCT_DLINK2_DUBE100B10x3c05 /* DUB-E100 rev B1 */ #define USB_PRODUCT_DLINK_DSB650C 0x4000 /* 10Mbps ethernet */ #define USB_PRODUCT_DLINK_DSB650TX1 0x4001 /* 10/100 ethernet */ #define USB_PRODUCT_DLINK_DSB650TX 0x4002 /* 10/100 ethernet */ Index: usbdevs_data.h === RCS file: /cvs/src/sys/dev/usb/usbdevs_data.h,v retrieving revision 1.208 diff -u -p -r1.208 usbdevs_data.h --- usbdevs_data.h27 Jun 2006 09:19:58 - 1.208 +++ usbdevs_data.h6 Jul 2006 15:52:28 - @@ -1,4 +1,4 @@ -/* $OpenBSD: usbdevs_data.h,v 1.208 2006/06/27 09:19:58 jsg Exp $ */ +/* $OpenBSD$ */ /* * THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. @@ -1041,6 +1041,10 @@ const struct usb_known_product usb_known { USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_WUA1340, WUA-1340, + }, + { + USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_DUBE100B1, + DUB-E100 rev B1, }, { USB_VENDOR_DLINK, USB_PRODUCT_DLINK_DSB650C, Index: if_axe.c === RCS file: /cvs/src/sys/dev/usb/if_axe.c,v retrieving revision 1.53 diff -u -p -r1.53 if_axe.c --- if_axe.c 23 Jun 2006 06:27:11 - 1.53 +++ if_axe.c 6 Jul 2006 15:52:29 - 
@@ -160,6 +160,7 @@ Static const struct axe_type axe_devs[] { { USB_VENDOR_CISCOLINKSYS, USB_PRODUCT_CISCOLINKSYS_USB200MV2}, AX772 }, { { USB_VENDOR_COREGA, USB_PRODUCT_COREGA_FETHER_USB2_TX }, 0}, { { USB_VENDOR_DLINK, USB_PRODUCT_DLINK_DUBE100}, 0 }, + { { USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_DUBE100B1}, AX772 }, { { USB_VENDOR_GOODWAY, USB_PRODUCT_GOODWAY_GWUSB2E}, 0 }, { { USB_VENDOR_JVC, USB_PRODUCT_JVC_MP_PRX1}, 0 }, { { USB_VENDOR_LINKSYS2, USB_PRODUCT_LINKSYS2_USB200M}, 0 },

Hello,

here is what I've done:
- installed an openbsd
- put src.tar.gz on it
- made a cvs update
- applied the diffs (by hand, as it was just a few lines and I didn't find the right way to do this with patch/cvs, maybe someone can tell me)
- rebuilt kernel
- booted the system
- rebuilt userland
- booted the system

now I have done -current for the first
Re: News From HiFn
On Wed, 5 Jul 2006 08:23:51 -0400, Peter Blair [EMAIL PROTECTED] wrote:
> Ya, that'd be nice if I ever made it to a prompt to enter 'anonymous', but the connection fails well before that point.
>
> $ ping ftp.hifn.com
> PING ftp.hifn.com (208.10.194.169): 56 data bytes
> 64 bytes from 208.10.194.169: icmp_seq=0 ttl=117 time=100.851 ms
> 64 bytes from 208.10.194.169: icmp_seq=1 ttl=117 time=100.228 ms
> ^C
> --- ftp.hifn.com ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 100.228/100.540/100.851/0.311 ms
> $ ftp ftp.hifn.com
> ftp: connect: Connection refused
> ftp
>
> Nice :)

I just checked this morning and the server is up again.

jcr

-- 
Free, Open Source CAD, CAM and EDA Tools
http://www.DesignTools.org
Re: BGP questions
Original message
Date: Fri, 7 Jul 2006 12:54:24 +0200
From: Henning Brauer [EMAIL PROTECTED]
Subject: Re: BGP questions
To: misc@openbsd.org

> * Peter Philipp [EMAIL PROTECTED] [2006-07-07 08:47]:
> > > would i need an AS number if this would work?
> >
> > Yup. That's not all. You need at least a /20 (AFAIK) to be able for large backbones to even consider routing your advertisement. But this was hearsay years ago, I don't know if it still holds.
>
> no. more than half the table is /24s and /23s.
>
> > > (3) the home gateway machine is a PII-350 w/ 64MB ram. is this too slow for doing what i have asked about in (1)?
> >
> > Dunno. I suspect you won't be able to load a full BGP table. BGP is really a big boys(tm) protocol, not sure if 2 ADSL connections classifies you as that. If it did then they would quickly run out of the 16 bit ASN space, wouldn't you think?
>
> foremost, running bgp requires your upstreams speaking bgp with you. in general, DSL companies don't do that.

peter, tony and henning, thx for the info about the scale at which BGP is useful. i now see that at the scale i was considering it isn't useful.

the motivation for asking this is that i'm running an ecommerce website from work and am interested in having a failover and/or loadbalancing for it in the event that the power goes out at work, etc. colocating the machine that serves it is probably the best idea, but i was trying to be cheap and work with what i already have available (the 2 ADSL connections + old hw).

i think CARPing machines when they're in different public IP blocks won't work, i.e. x.y.z.w/29 and a.b.c.d/29 cannot have a single address CARPed across blocks. do tell if i'm wrong on this one since this would work nicely for the situation i've described.

cheers, jake

> -- 
> BS Web Services, http://www.bsws.de/
> OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
> Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: BGP questions
On Thu, Jul 06, 2006 at 09:02:47PM -0500, Jacob Yocom-Piatt wrote:
| i've started doing some background reading on how BGP works and am adrift in a
| sea of acronyms. i'm confident that i'll learn how to swim, but there are a few
| questions that i'd like answers to before i make the time investment to learn
| more. boolean answers are acceptable, more information wouldn't hurt though.
|
| (1) i have 2 blocks of 8 static IPs at my disposal, one at home and one at work,
| and both connections are 3Mb/512Kb ADSL via PPPoE. the upstream traffic at work
| is beginning to saturate the connection and i would like to share some of the
| load with the home connection. would BGP allow me to multihome a site across
| both connections to split the load?
|
| would i need an AS number if this would work?

Generally, BGP is used to serve a set of IP addresses over multiple links to one location. You have two different sets of IP addresses and two links to two different locations; this smells like trouble.

| (2) are there any particular online docs that are recommended reading for BGP?

The RFC (I think it's 1771) is very good, check it out.

| what about books?

Try O'Reilly's book by Iljitsch van Beijnum, BGP (ISBN: 0596002548).

| (3) the home gateway machine is a PII-350 w/ 64MB ram. is this too slow for
| doing what i have asked about in (1)?

Seems to be a bit low on RAM, but for just two /29's it would suffice.

At a previous company we used to set up BGP over private AS'es to customers who wanted a failover internet connection. If you don't get a full feed, but just part of the IP space your provider has allocated to you, this works very well indeed. You give them your /29's, they give you a /0. Your machine would be very capable of handling such BGP sessions and the traffic 2 DSL lines can generate. The good thing is that you don't need your own (public) ASN and that your /29's will not be filtered by just about every ISP on the planet.

The downside is that you have to get your IP space from one ISP and this ISP has to cooperate in your little BGP scheme. This is usually not very easy with your average consumer ISP.

In your situation, you may be better off using multiple A records in DNS, one to your office location and the other to your home location. Note that this does not gracefully failover when one of the two DSL connections fails for whatever reason.

Maybe you can do very evil stuff with tunneling and bridging and carp and bgp, but that's too disgusting for me to think about ;)

Cheers,

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-]
http://www.weirdnet.nl/
Re: BGP questions
On Fri, Jul 07, 2006 at 10:56:11AM -0500, Jacob Yocom-Piatt wrote: i think CARPing machines when they're in different public IP blocks won't work, i.e. x.y.z.w/29 and a.b.c.d/29 cannot have a single address CARPed across blocks. do tell if i'm wrong on this one since this would work nicely for the situation i've described. With enough abuse - some l2tp implementation, or something - CARP can probably be made to do this. However, it would not change the routing tables of any upstream hosts, and thus not be very useful. Joachim
Re: BGP questions
On Fri, Jul 07, 2006 at 10:56:11AM -0500, Jacob Yocom-Piatt wrote:

already have available (the 2 ADSL connections + old hw). i think CARPing machines when they're in different public IP blocks won't work, i.e. x.y.z.w/29 and a.b.c.d/29 cannot have a single address CARPed across blocks. do tell if i'm wrong on this one since this would work nicely for the situation i've described.

cheers, jake

I think you can do it with the following: Get 2 cheap routers that can pass 3Mb/s, no big functionality needed except that they do ethernet (Cisco 2500's? they should be cheap by now..), 2 switches for the etherlink between the two locations (if a direct ethernet link can't be established perhaps use an OpenBSD bridge with ethernet over gif(4)?) and then the existing routers configured with carp. In ascii it would look like so:

                    0.0.0.0/0 (cloud)
                           |
                    +------+------+
                    |             |
             ADSL 1 |             | ADSL 2
                +---+---+     +---+---+
                |       | CARP|       |
                +---+---+     +---+---+
                    |             |
                    |  192.168.0.0/24
                    +---{ ethernet (gif) }---+
                    |                        |
                +---+---+                +---+---+
                |       | Cisco 2500     |       | Cisco 2500
                +---+---+                +---+---+
                    |                        |
                x.y.z.w/29              a.b.c.d/29

With this setup you can ensure that OUTGOING ip packets make their destination on a redundant setup, provided the ADSL links do not filter egress traffic, which they might (worth checking). For INCOMING traffic to both x.y.z.w/29 and a.b.c.d/29 to work the upstream ISP must have similar failover on their end to re-route traffic into the ADSL 2 router if the ADSL 1 link is detected as down. This may be harder to set up, but maybe it is not.

If you're wondering why the RFC1918 address within the switch, don't worry about it. Those IP's aren't expected to talk to anything anyhow, they just route. @HOME used to do it years ago, and people bitched but they got over it. Just filter any packets with a TTL of 1 and no one will know either way, except that traceroute has a small pause on that hop.

regards,

-peter

--
Here my ticker tape .signature
My name is Peter Philipp
lynx -dump "http://en.wikipedia.org/w/index.php?title=Pufferfish&oldid=20768394" | sed -n 131,136p
So long and thanks for all the fish!!!
switch Radio on in order to use iwi0?
Hello everyone, I want to use my wireless card and everything seems to be well configured except one thing: how to switch Radio on? I have a Joybook 5200G (Benq) and if I want to switch Radio on by using the keyboard it isn't working! Perhaps this is a very noob-question ... but it's my first notebook .-) Is there a way to switch Radio on by using the commandline? Regards, Andreas Burghardt
Sizing an IMAP Server on OpenBSD
Hi everyone, I'm planning to deploy a SMTP (Sendmail) and IMAP (Cyrus) server for a mid-sized organization (~300 remote users, dunno about messages/day), and since it is my first IMAP server (until now we do only POP), I have some questions about sizing.

First, about hardware requirements. I had thought to use a Dell 1850, 2GB RAM with two controllers: a PERC4e/Si for system + sendmail queue, and a PERC 4e/DC connected to a PV220s, with 7x300GB (half of backplane) for imap data (4 or 6 discs in RAID-10 + 1 hot spare). I think it should be enough, but is it really? (the hardware is already bought, so I really hope so). Any recommendations about stripe size or raid configuration? Which ami version to use, the -stable one? How does ami's performance compare with FreeBSD's amr?

I understand that it is advisable to run softupdates on the imap and /var/spool partitions, and to disable fsck on boot, but what about increasing buffer cache size? 5% of physical memory seems a bit low for an I/O intensive app as Cyrus is.

About resource limits of the _cyrus user and sysctl values, are there well known values? Should I increase kern.maxfiles for example? I wouldn't like to learn it at production time.

Well, these are my questions. Maybe the hardware is overkill for our load, but sizing hardware without prior experience is always a difficult task, so if anybody wants to share their experience...

Thanks in advance, Samuel
Re: BGP questions
On Fri, Jul 07, 2006 at 06:30:06PM +0200, Peter Philipp wrote:

I think you can do it with the following: Get 2 cheap routers that can pass 3Mb/s, no big functionality needed except that they do ethernet (Cisco 2500's? they should be cheap by now..), 2 switches for the etherlink between the two locations (if a direct ethernet link can't be established perhaps use an OpenBSD bridge with ethernet over gif(4)?) and then the existing routers configured with carp. In ascii it would look like so:

You may even do it cheaper than that with a bit of programming and it doesn't require a purchase of any network gear, however the functionality may not be there in the tun(4) driver. Basically what I'm thinking of is the following:

The x.y.z.w/29 and a.b.c.d/29 interfaces have a rdr pf rule that redirects everything inbound into a daemon that runs a tun(4) interface in layer 3 mode, this daemon writes the incoming packets out another tun(4) interface that is in layer 2 mode which is also bridged within a set of ethernet interfaces (192.168.0.0/24) that also have CARP devices on each end. This is where I'm unsure if this is functional, (bridging a layer 2 tun(4) device), anyhow the MAC address that it writes to is the CARP virtual Address (or you could implement rudimentary ARP into the daemon as well) and you should have failover as long as the firewalls themselves don't fail.

Required on each firewall is 4 ethernet interfaces and the tun(4) userland daemon. You should see some overhead with this due to copying the packets into userland and then back to kernel via the tun(4) interfaces.

Gee I'm feeling really creative today. Let the imagination flow.

-peter

--
Here my ticker tape .signature
My name is Peter Philipp
lynx -dump "http://en.wikipedia.org/w/index.php?title=Pufferfish&oldid=20768394" | sed -n 131,136p
So long and thanks for all the fish!!!
Re: BGP questions
From: [EMAIL PROTECTED] | (2) are there any particular online docs that are recommended reading for BGP? The RFC (I think it's 1771) is very good, check it out. Superseded by RFC4271. I also found http://www.iana.org/assignments/bgp-parameters to be a good reference, with other related RFCs indicated there. DS
Re: Sizing an IMAP Server on OpenBSD
IF you're only talking about around 300 users, you've probably not got to worry about these questions - what you have will work very well for what you are proposing, likely without any tweaks.

-Bob

* Samuel Moqux [EMAIL PROTECTED] [2006-07-07 10:56]:

Hi everyone, I'm planning to deploy a SMTP (Sendmail) and IMAP (Cyrus) server for a mid-sized organization (~300 remote users, dunno about messages/day), and since it is my first IMAP server (until now we do only POP), I have some questions about sizing.

First, about hardware requirements. I had thought to use a Dell 1850, 2GB RAM with two controllers: a PERC4e/Si for system + sendmail queue, and a PERC 4e/DC connected to a PV220s, with 7x300GB (half of backplane) for imap data (4 or 6 discs in RAID-10 + 1 hot spare). I think it should be enough, but is it really? (the hardware is already bought, so I really hope so). Any recommendations about stripe size or raid configuration? Which ami version to use, the -stable one? How does ami's performance compare with FreeBSD's amr?

I understand that it is advisable to run softupdates on the imap and /var/spool partitions, and to disable fsck on boot, but what about increasing buffer cache size? 5% of physical memory seems a bit low for an I/O intensive app as Cyrus is.

About resource limits of the _cyrus user and sysctl values, are there well known values? Should I increase kern.maxfiles for example? I wouldn't like to learn it at production time.

Well, these are my questions. Maybe the hardware is overkill for our load, but sizing hardware without prior experience is always a difficult task, so if anybody wants to share their experience...

Thanks in advance, Samuel

--
 | | |  The ASCII Fork Campaign
 \|/    against gratuitous use of threads.
  |
Re: Sizing an IMAP Server on OpenBSD
thus Bob Beck spake:

IF you're only talking about around 300 users, you've probably not got to worry about these questions - what you have will work very well for what you are proposing, likely without any tweaks.

-Bob

* Samuel Moqux [EMAIL PROTECTED] [2006-07-07 10:56]:

Hi everyone, I'm planning to deploy a SMTP (Sendmail) and IMAP (Cyrus) server for a mid-sized organization (~300 remote users, dunno about messages/day), and since it is my first IMAP server (until now we do only POP), I have some questions about sizing.

First, about hardware requirements. I had thought to use a Dell 1850, 2GB RAM with two controllers: a PERC4e/Si for system + sendmail queue, and a PERC 4e/DC connected to a PV220s, with 7x300GB (half of backplane) for imap data (4 or 6 discs in RAID-10 + 1 hot spare). I think it should be enough, but is it really? (the hardware is already bought, so I really hope so). Any recommendations about stripe size or raid configuration? Which ami version to use, the -stable one? How does ami's performance compare with FreeBSD's amr?

I understand that it is advisable to run softupdates on the imap and /var/spool partitions, and to disable fsck on boot, but what about increasing buffer cache size? 5% of physical memory seems a bit low for an I/O intensive app as Cyrus is.

About resource limits of the _cyrus user and sysctl values, are there well known values? Should I increase kern.maxfiles for example? I wouldn't like to learn it at production time.

Well, these are my questions. Maybe the hardware is overkill for our load, but sizing hardware without prior experience is always a difficult task, so if anybody wants to share their experience...

Thanks in advance, Samuel

hm, two years ago i had to migrate a 20 user advertising company (not very small mails ;) from 'exchange' to cyrus. because of weird circumstances, i had to use a temporary setup for about two months.

this was an Amiga 1200 with 68040 turbo board, external SCSI HD, and 256MByte RAM running Cyrus 2.2.x, Postfix 2.x, clamav and amavisd-new on NetBSD. that's a really true story :) without amavisd-new, even less memory would have been sufficient ;)

timo
Re: Sizing an IMAP Server on OpenBSD
First, about hardware requirements.

What you're proposing is absolute overkill for such a small client load. You won't need to upgrade the hardware :-)

About resource limits of the _cyrus user and sysctl values, are there well known values? Should I increase kern.maxfiles for example? I wouldn't like to learn it at production time.

Again, given the minimal load from IMAP, the out of the box defaults will do just fine.

Well, these are my questions. Maybe the hardware is overkill for our load, but sizing hardware without prior experience is always a difficult task, so if anybody wants to share their experience...

Cyrus has a very small CPU and memory footprint. All you need to ensure is that you have enough I/O bandwidth from the disk, through the imapd process, and out the network interface. From what you're describing, you have nothing to worry about.

Sendmail can want memory when delivering messages with large numbers of recipients (e.g. mailing list expansion), but again, it's doubtful your load will even begin to stress the hardware.

--lyndon
Re: switch Radio on in order to use iwi0?
On Fri, Jul 07, 2006 at 06:32:57PM +0200, Andreas Burghardt wrote:

Hello everyone, I want to use my wireless card and everything seems to be well configured except one thing: how to switch Radio on? I have a Joybook 5200G (Benq) and if I want to switch Radio on by using the keyboard it isn't working! Perhaps this is a very noob-question ... but it's my first notebook .-) Is there a way to switch Radio on by using the commandline?

If you are referring to WiFi, typically this is done by ifconfig(8). If you aren't, or the above (or any of the likely other answers) was not the answer you were looking for, feel free to post again; apparently, I/nobody understood what you meant...

Joachim
Re: BGP questions
On 2006/07/07 10:56, Jacob Yocom-Piatt wrote: the motivation for asking this is that i'm running an ecommerce website from work and am interested in having a failover and/or loadbalancing for it in the event that the power goes out at work, etc. colocating the machine that serves it is probably the best idea, but i was trying to be cheap and work with what i already have available (the 2 ADSL connections + old hw). Colo sounds simpler. If you want to loadbalance/failover incoming connections over dual ADSL, you'll either need ISP support, or your own colo'd machine and run tunnels. If you _just_ want more bandwidth up, and don't care about the resilience, you might get away with two ADSLs and sending packets out both (probably using route-to in pf.conf; this does not involve natting and assumes the ISP doesn't ingress-filter too carefully: you'll probably find that most don't - and needs you to work out a way to split the outgoing traffic up). Probably not what you want for a high-reliability setup...
Re: switch Radio on in order to use iwi0?
Andreas Burghardt wrote:

Hello everyone, I want to use my wireless card and everything seems to be well configured except one thing: how to switch Radio on? I have a Joybook 5200G (Benq) and if I want to switch Radio on by using the keyboard it isn't working! Perhaps this is a very noob-question ... but it's my first notebook .-) Is there a way to switch Radio on by using the commandline?

hint: man ifconfig(8)
Re: hints for scanning msdosfs patters?
vladas wrote:

Thank you for all these good ideas. I will check them out. vladas

Foremost might help too. It looks for file headers/footers. Don't know if it will help on a very fragmented FAT, but it worked for me on an ext3 partition, where i deleted some files. The only problem is that it does not recover the name of the file (not much of a problem), and it finds a lot of duplicate files. Many of them are parts of the others and/or vice-versa. I've used a tool called fdupes, that checks for size, md5 and other things to find duplicates, then delete one (or more) of the duplicated files, leaving just one of them.

My 2 cents,

--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: tutorial for securing wifi networks with ipsec and openbsd, somewhere?
For those who are interested and have wifi windows xp clients. Recently I came across a tool called smartvpn dial-up connection management from draytek. It is a freeware (ipsec) client that makes it very simple to configure ipsec on windows 2k/xp. You will not have to use mmc + ipsec policy editor or ipseccmd.exe. It is available here: http://217.160.102.141/data/RouterTools/win/SmartVPN/SMARTVPN09_05.zip I just tried to get this file and ooops, it didn't work. Error 404: Datei nicht gefunden! Das angegebene Dokument konnte auf diesem Server leider nicht gefunden werden. I did find a version of the DrayTek SmartVPN client on the company FTP site here, ftp://ftp.draytek.com/tools/VPN/3.2.5/VPN.zip Is this the same one? diana
Re: BGP questions
On 7/7/06, Jacob Yocom-Piatt [EMAIL PROTECTED] wrote: the motivation for asking this is that i'm running an ecommerce website from work and am interested in having a failover and/or loadbalancing for it in the event that the power goes out at work, etc. colocating the machine that serves it is probably the best idea, but i was trying to be cheap and work with what i already have available (the 2 ADSL connections + old hw). save yourself the grief and just get 2 dsls at one location. If you are fortunate you'll be able to convince your isp to add a backup route for your /29 on your second dsl in case the first goes, or maybe even get rudimentary bgp/ospf load balancing on the two.
bash-static on OpenBSD 3.9
If anyone has been lamenting the loss of the bash-static package, this evening i took the time to figure out how to create something that works just as well. I peeked in the Makefile for bash on an older version of OpenBSD to see how the static version differs. The difference is when compiling bash the CONFIGURE_ENV variable needs to be set. The full steps i used to build a bash-static package were:

First install the ports tarball from the install CD. You will also need to have the compilers install set installed (it is by default). Then:

# cd /usr/ports/shells/bash
# make print-build-depends

This will print a list of dependencies. Install them from packages. You could also compile them from ports, but why when other people have already done the excellent work of providing the packages?

# export CONFIGURE_ENV=LDFLAGS=-static
# make package

That's it! The new bash package will be in /usr/ports/packages/i386/all (of course, i386 will be different for other platforms). It won't have -static in the name, but you can always rename the file before installing on other systems if you really want.

--
Dan Ramaley                        Dial Center 118, Drake University
Network Programmer/Analyst         2407 Carpenter Ave
+1 515 271-4540                    Des Moines IA 50311 USA
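Since the package produced by the steps above is not named -static, it is worth confirming that the bash binary inside it really was linked statically before copying it to other systems. The following is an added example, not code from Dan's post or from the ports tree: it reads the ELF program headers directly and reports whether a PT_INTERP (dynamic loader path) or PT_DYNAMIC entry is present; the sample images, and the /usr/libexec/ld.so path embedded in one of them, are constructed for the test.

```python
"""Check whether an ELF executable is really statically linked.

A static binary has no PT_INTERP program header (no dynamic loader to
name) and no PT_DYNAMIC segment. Parsing the headers ourselves avoids
depending on file(1), ldd(1) or readelf(1) being present.
"""
import struct
import sys

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3


def elf_program_headers(data):
    """Yield (p_type, p_offset, p_filesz) for every program header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:    # ELF32: e_phoff at 0x1c, e_phentsize/e_phnum at 0x2a
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1c)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2a)
        fmt, off_idx, size_idx = endian + "IIIIIIII", 1, 4
    elif ei_class == 2:  # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
        fmt, off_idx, size_idx = endian + "IIQQQQQQ", 2, 5
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        yield fields[0], fields[off_idx], fields[size_idx]


def interpreter(data):
    """Return the PT_INTERP path (e.g. /usr/libexec/ld.so) or None if absent."""
    for p_type, p_offset, p_filesz in elf_program_headers(data):
        if p_type == PT_INTERP:
            return data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return None


def is_static(data):
    """True when the image has neither a PT_INTERP nor a PT_DYNAMIC header."""
    types = {p_type for p_type, _, _ in elf_program_headers(data)}
    return PT_INTERP not in types and PT_DYNAMIC not in types


def fake_elf64(segments):
    """Build a minimal little-endian x86-64 ELF image from (p_type, payload)
    pairs. Constructed test data only, not a real executable."""
    ehsize, phentsize = 64, 56
    data_off = ehsize + phentsize * len(segments)
    phdrs, body = b"", b""
    for p_type, payload in segments:
        phdrs += struct.pack("<IIQQQQQQ", p_type, 4, data_off + len(body),
                             0, 0, len(payload), len(payload), 1)
        body += payload
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, ehsize, 0, 0,
                               ehsize, phentsize, len(segments), 64, 0, 0)
    return ehdr + phdrs + body


# Constructed samples: a dynamically linked image naming OpenBSD's ld.so,
# and a static one that carries only PT_LOAD segments.
DYNAMIC_SAMPLE = fake_elf64([(PT_INTERP, b"/usr/libexec/ld.so\0"),
                             (PT_DYNAMIC, b"\0" * 16), (PT_LOAD, b"text")])
STATIC_SAMPLE = fake_elf64([(PT_LOAD, b"text"), (PT_LOAD, b"data")])


def check_file(path):
    """Report on a binary on disk; returns True if it is statically linked."""
    with open(path, "rb") as f:
        data = f.read()
    static = is_static(data)
    print("%s: %s" % (path, "static" if static
                      else "dynamic (interpreter %s)" % interpreter(data)))
    return static


if __name__ == "__main__":
    for p in sys.argv[1:]:       # e.g. the bash binary extracted from the package
        check_file(p)
```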
Re: Chrooted sftp-server and /dev/null
On Friday 23 June 2006 22:24, Joachim Schipper wrote:

You could set up a named pipe (mkfifo(1)), and have a process continually drain it (cat /home/john/dev/null > /dev/null); however, while this would work for the most likely use (writing to /dev/null), it wouldn't allow for reading. I'm not sure if sftp-server ever reads from /dev/null, but it is not impossible. Strange errors will occur if this is the case.

I'm thinking it might just be easier to make a copy of the /dev/null device, but i need to investigate and test this...

Yes, make sure you also set real uid. A small part of /usr/src/usr.sbin/tcpdump/privsep.c:

	/* Child - drop suid privileges */
	gid = getgid();
	uid = getuid();
	if (setresgid(gid, gid, gid) == -1)
		err(1, "setresgid() failed");
	if (setresuid(uid, uid, uid) == -1)
		err(1, "setresuid() failed");

Do note that this is only necessary if the shell is suid and/or sgid; however, normal users don't have the rights to call chroot(2), so these additional privileges are necessary.

Also, you are aware that you perform chroot(), setresuid() and setresgid(), and only then execve()? This means that you'll need some binaries in the home directories... So, be aware that deleting a file or directory requires write privileges on the parent directory; i.e., john can replace /home/john/bin/sftp-server by an arbitrary binary if john has write privileges on his home directory, hence my suggestion to use /home (which is typically only writable by root) above. (An alternate solution is to make /home/john owned by root, group john, and with privileges 0750; this would break too many things to be feasible if shells are allowed, but just might work if only considering sftp.)

Finally, be aware of the many other options sshd allows, like various ways of tunneling. For the same reason as above, those cannot be disabled in /home/john/.ssh/authorized_keys only (disabling them there works iff the user cannot mess with this file, which is clearly not the case if the user has access to sftp). Either disable them sshd-wide or set AuthorizedKeysFile (see sshd_config(5)) to something like /home/.keys/%u/authorized_keys. Note that running any number of ssh daemons in parallel works just fine, subject to some caveats (they can, of course, not listen on the same ports on the same interfaces; they are quite CPU intensive; and random number quality may degrade if the pool is drained sufficiently fast).

Joachim

I am going to write another program which is used to set up, check, and update the chroot environments with the right files and permissions. I'm going to have it chown the home dirs to root/wheel, and there will only be a single writeable dir owned by the user (which will contain their website files for example). Here is a copy of the code I've got so far...
it's by no means finished, or formatted in the proper way, or even checked over properly again:

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <syslog.h>
#include <stdarg.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <pwd.h>

char home_dir[1024];
int argc;
char **argv;

void print_arguments(void);
void check_arguments(void);
void check_user(void);
char *find_end_part(char *buff);
void setup_env(void);

int
main(int _argc, char **_argv)
{
	char *exec_args[2];

	argc = _argc;
	argv = _argv;

	openlog("jshell", LOG_PID | LOG_NDELAY, LOG_AUTH);

	check_arguments();
	check_user();

	/* check_user() fills in home_dir; the chroot happens before privileges are dropped */
	if (chroot(home_dir) != 0 || chdir("/") != 0) {
		syslog(LOG_ERR, "chroot(%s) failed: %s", home_dir, strerror(errno));
		return 1;
	}

	/* drop privileges */
	if (seteuid(getuid()) != 0 || setuid(getuid()) != 0) {
		syslog(LOG_ERR, "setuid(%d) failed: %s", getuid(), strerror(errno));
		return 1;
	}

	exec_args[1] = NULL;
	exec_args[0] = find_end_part(argv[2]);

	execve(argv[2], exec_args, NULL);
	syslog(LOG_ERR, "execve failed");
	return 1;
}

/* print arguments to syslog */
void
print_arguments(void)
{
	int x;

	for (x = 0; x < argc; x++) {
		syslog(LOG_ERR, "%d arg is '%s'", x, argv[x]);
	}
}

/*
 * for now we only allow -c /usr/libexec/sftp-server as an argument
 */
void
check_arguments(void)
{
	/* compare second argument ( should be -c ) */
	if (argc != 3 || strcmp("-c", argv[1]) != 0) {
		syslog(LOG_ERR, "invalid arguments");
		print_arguments();
		exit(1);
	}

	/* compare third argument */
	if (strcmp("/usr/libexec/sftp-server", argv[2]) != 0) {
		syslog(LOG_ERR, "invalid arguments");
		print_arguments();
		exit(1);
	}
}

/*
 * check the user has some sane permissions and settings
 * and what not on their home dir.
 */
void
check_user(void)
{
	struct passwd *pw = NULL;

	/*
	 * do we bother checking for a root login?
	 * why would root be