Re: it has arrived!
dyin over here on the west coast. In desperation I attached a puffy I'm about 25 miles from the Pacific. Ordered on 10/1. I ordered my CDs on 09/20/06 OpenBSD shipped my CDs on 10/13/06 I received my CDs on 10/16/06 Shipped to SF Bay Area in Northern California. The OpenBSD people say what they mean. First come, first served.
mixmaster and anonymous mailing
Guys, Anonymous e-mailing and mixmaster framework piqued my interest and I have been doing some reading/browsing. However even wikipedia does not give me enough detail though I get the context and architecture. But my mind has more doubts than comfort. Can someone elucidate the design and educate me on how the different pieces work together to send and receive mail anonymously? Thanks. regards, Girish -- Be different. conform.
Re: Microsoft Optical USB mouse
On 10/26/06, Jon Simola <[EMAIL PROTECTED]> wrote: I've been playing with my USB mouse, trying to get it to work. I've found one message in the archives (unanswered) asking about this exact mouse, a Microsoft Comfort Optical Mouse 3000. Just an update, if this attracts anyone with more USB knowledge than myself. I've rebuilt the kernel with all the appropriate USB debugging turned on (in ums.c and uhidev.c, build with -DUSB_DEBUG and -DUHIDEV_DEBUG), and followed through the whole uhid initialize and attach functions. I've been able to figure out that it might be possible to make it work by following the method used for the Graphire tablets, but that is obviously not desirable. I've stuck the dmesg output when plugging the mouse in up at (30KB): http://proteus.mecha.com/laptop/MSOpt3K.txt Hopefully I've provided enough useful details for someone to give me a kick in the right direction. -- Jon
Problems with we* ISA NICs
Hi guys. I am new to OpenBSD. I am trying to transform my Linux gateway + firewall into OpenBSD gateway + firewall. Currently I've 2 PCI NICs - both Realtek 8139 (correctly recognized by OBSD) and 2 ISA NICs - both SMC EtherEZ 8416 (now recognized but not working).

After some work disabling PnP on both of the ISA NICs, adjusting IRQ and IO address, setting BIOS memory to handle ISA instead of PCI/PnP, and saving the config changed at UKC, I got them recognized:

$ dmesg |grep -i smc
we0 at isa0 port 0x240/32 iomem 0xd/8192 irq 15: SMC8416T (16-bit)
we1 at isa0 port 0x260/32 iomem 0xcc000/8192 irq 5: SMC8416T (16-bit)

but I can't make them work! I can set IPs at the ISA NICs, but when I try to communicate with other hosts, I get the following error in my logs - or while other hosts are sending packets.

we1: length does not match next packet pointer
we1: len nlen 1200 start 06 first 07 curr 08 next 00 stop 20
we1: NIC memory corrupt - invalid packet length 4608

When I try to ping an IP on the other side of the wire, the packets aren't generated correctly (captured with tcpdump) - even the own ISA NIC MAC address isn't correct:

23:35:09.088037 54:55:55:15:59:75 > 55:55:01:55:45:45, ethertype Unknown (0xd545), length 98:
0x: 1555 5554 0555 5455 5441 4555 .UUT.UUUTUUUTAEU
0x0010: 4455 5515 1535 545d 555c 5554 1055 DUU..5T]U\UTUU.U
0x0020: 5057 5545 5455 1555 5145 5575 1555 4115 PWUETU.UQEUu.UA.
0x0030: 4575 515d 5155 5115 5455 5577 1555 7055 EuQ]QUQ.TUUw.UpU
0x0040: 0055 5514 1155 0455 5575 5755 1141 .UU.UU.U.UUuWU.A
0x0050: 0555

and the MAC address of the other interface I am pinging isn't learned well. I've to set them statically with "arp" - but network still doesn't work.
After A LOT OF browsing, I saw this NetBSD patch: http://groups.google.com.br/group/mailing.netbsd.bugs/browse_thread/thread/9cf8e8e6e12cf637/f9337a5e87acb375?lnk=st&q=we.c+freebsd+%22length+does+not+match%22&rnum=1&hl=pt-BR#f9337a5e87acb375

Is there a known way / workaround to get these cards working on OpenBSD?

Machine: Pentium 200Mhz MMX @ 32Mb RAM
OS: OpenBSD 3.9

dmesg: OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel Pentium/MMX ("GenuineIntel" 586-class) 200 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,MMX cpu0: F00F bug workaround installed real mem = 33136640 (32360K) avail mem = 22138880 (21620K) using 430 buffers containing 1761280 bytes (1720K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(00) BIOS, date 07/15/95, BIOS32 rev. 0 @ 0xfdb10 apm0 at bios0: Power Management spec V1.2 (BIOS mgmt disabled) apm0: APM power management enable: power management disabled (1) apm0: APM engage (device 1): power management disabled (1) apm0: AC on, battery charge unknown apm0: flags b0102 dobusy 0 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0x1 pcibios0: PCI BIOS has 4 Interrupt Routing table entries pcibios0: no compatible PCI ICU found pcibios0: Warning, unable to fix up PCI interrupt routing pcibios0: PCI bus #0 is the last bus bios0: ROM list: 0xc/0x8000 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 5 function 0 "Hint Host" rev 0x00 pcib0 at pci0 dev 5 function 1 "Hint ISA" rev 0x00 pciide0 at pci0 dev 5 function 2 "Hint EIDE" rev 0x00: no DMA, channel 0 wired to compatibility, channel 1 wired to compatibility wd0 at pciide0 channel 0 drive 0: wd0: 8-sector PIO, LBA, 515MB, 1055020 sectors atapiscsi0 at pciide0 channel 0 drive 1 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable pciide0: channel 1 ignored (not responding; disabled or no drives?)
vga1 at pci0 dev 9 function 0 "Trident TGUI 9660" rev 0xd3 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) rl0 at pci0 dev 10 function 0 "Realtek 8139" rev 0x10: irq 10, address 00:02:2a:d9:d6:ab rlphy0 at rl0 phy 0: RTL internal PHY rl1 at pci0 dev 11 function 0 "Realtek 8139" rev 0x10: irq 11, address 00:30:4f:33:89:02 rlphy1 at rl1 phy 0: RTL internal PHY isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: spkr0 at pcppi0 lpt0 at isa0 port 0x378/4 irq 7 npx0 at isa0 port 0xf0/16: using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 isapnp0 at isa0 port 0x279: read port 0x203 "SMC EtherEZ (8416), SMC8416, , " Thanks in advance -- FC3sforo Blog: http://insanenetworks.blogspot.com Bcz sex is like hacking.. you get in, you get out,
Re: pf load balancing and failover
Pete Vickers wrote:

Hi Berk, I'm really interested in this. I have a load of legacy tcp session based load balancing which I'd love to migrate to an OpenBSD/pf based solution. Do you have a patch which applies cleanly to 4.0? /Pete

Anyone caring about the patch, please see my recent post to tech@ w/ subject "kill src nodes for pf(4) and pfctl(8)". I'm impressed with the number of private mails requesting the patch for 4.0 or even for unsupported 3.7. I'm sorry for not replying in private. Success or error reports go to tech@ or directly to me please.
Re: AirCard 860 Lockups
On Thu, Oct 05, 2006 at 09:19:19PM -0700, Bryan Vyhmeister wrote:
: I am attempting to get my Sierra Wireless AirCard 860 working properly
: under OpenBSD. I have been corresponding with jolan@ regarding the issue
: but we haven't been able to figure anything out. The details are as
: follows:

I'm sending this from an airport using a cingular-branded 860 running 4.0 on X41.

pccom3 at pcmcia0 function 1 "Sierra Wireless, AC860, 3G Network Adapter" port 0xa3f8/8: ns16550a, 16 byte fifo

However all is not perfect. I am using pppd, not ppp (though I have done some testing with ppp). And I am also testing with a net4521. My config is below.

What I have observed on both the X41 and net4521:

- It seems to work only once after it's ejected the first time; subsequent use by pppd will hang the box

Oct 27 11:31:28 steam pppd[26644]: pppd 2.3.5 started by stevesk, uid 0
[box hung; eject card]
Oct 27 11:31:42 steam /bsd: pccom3 detached
Oct 27 11:31:42 steam pppd[26644]: Couldn't reset non-blocking mode on device: Inappropriate ioctl for device
Oct 27 11:31:42 steam pppd[26644]: Couldn't restrict write permissions to /dev/cua03: Bad file descriptor
Oct 27 11:31:42 steam pppd[26644]: tcgetattr: Inappropriate ioctl for device

- Most of the time ejecting the card will recover, but the card won't work after that
- If you reboot it will work one time again
- Need more time to dig deeper

/etc/ppp/peers/cingular:

cua03
115200
debug
noauth
nocrtscts
:10.254.254.1
ipcp-accept-remote
defaultroute
user [EMAIL PROTECTED]
connect "/usr/sbin/chat -v -f /etc/ppp/cingular-chat"

/etc/ppp/cingular-chat:

TIMEOUT 10
REPORT CONNECT
ABORT BUSY
ABORT 'NO CARRIER'
ABORT ERROR
'' ATZ
OK AT&F
OK AT+CGDCONT=1,"IP","isp.cingular"
OK ATD*99***1#
CONNECT
Re: problems installing mysql-python
On Fri, Oct 27, 2006 at 05:25:50PM +0200, Joerg Zinke wrote:
> mysql-python is in ports/packages.

When I tried to install the package, it wanted a newer version of MySQL.

> i assume you want to install or have already installed all these versions
> from source on 3.9? a bleeding edge python version vs. a historic
> mysql-version, why?

I like MySQL 3.23.58. It's easy to use, fast, and meets my needs.

> why did you not take the versions from ports in -current or the
> packages from 3.9?

I wanted the newest Python and mysql-python.
Re: ifconfig question
Stuart Henderson wrote: > On 2006/10/27 09:44, Richard P. Koett wrote: >> I received some very useful advice from this list a short while ago >> when I was having problems with throughput on a Soekris firewall. >> The issue turned out to be a problem with Ethernet autoselect and >> I thought I had worked around it effectively. The problem has now >> reappeared, however, and I would appreciate some further advice. > > smells like > http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=4139 Smells a LOT like that :) Thanks for the pointer. RPK.
Re: ifconfig question
On 2006/10/27 09:44, Richard P. Koett wrote: > I received some very useful advice from this list a short while ago > when I was having problems with throughput on a Soekris firewall. > The issue turned out to be a problem with Ethernet autoselect and > I thought I had worked around it effectively. The problem has now > reappeared, however, and I would appreciate some further advice. smells like http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=4139
Re: problems installing mysql-python
On Thu, 26 Oct 2006 17:36:14 -0500 Patrick McNamee <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I've been unable to successfully install mysql-python.

mysql-python is in ports/packages.

> Here are the details:
>
> ##
> # versions:
> ##
> OpenBSD 3.9 stable
> Python 2.5
> MySQL 3.23.58
> MySQL-python-1.2.1_p2

i assume you want to install or have already installed all these versions from source on 3.9? a bleeding edge python version vs. a historic mysql-version, why? why did you not take the versions from ports in -current or the packages from 3.9?

regards, joerg
Re: OpenBSD AJAX
Joachim Schipper <[EMAIL PROTECTED]> wrote:
> > Any decent hosting company can handle perl/python/etc. Whether it be in
> > the form of mod_${LANG} or fastcgi apps.
>
> Yes, but the cheapest offer only PHP. ;-)

Why do you need the cheapest? Is $10/month instead of $5/month really going to blow your budget?

> But the real reason is that PHP is the most widely-used language; it's
> quite a bit more likely that we can find someone who has written a PHP
> script or two to replace me than pretty much anything else. Learning
> a new language is a non-trivial time investment, after all.

It's not hard to find people who know perl, or even python these days.

Adam
Oldest hardware running OpenBSD 4.0
I had forgotten about this dns cache my 20 PC lab uses. Did a reinstall last night. All is well OpenBSD 4.0-current (GENERIC) #1172: Sun Oct 22 20:45:57 MDT 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel OverDrive Pentium (P24T) ("GenuineIntel" 586-class) 84 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,CX8 cpu0: F00F bug workaround installed real mem = 41512960 (40540K) avail mem = 29241344 (28556K) using 537 buffers containing 2199552 bytes (2148K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(f2) BIOS, date 01/25/95 pcibios at bios0 function 0x1a not configured bios0: ROM list: 0xe/0x8000 cpu0 at mainbus0 isa0 at mainbus0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard vga0 at isa0 port 0x3b0/48 iomem 0xa/131072 wsdisplay0 at vga0 mux 1: console (80x25, vt100 emulation), using wskbd0 wsdisplay0: screen 1-5 added (80x25, vt100 emulation) wdc0 at isa0 port 0x1f0/8 irq 14 wd0 at wdc0 channel 0 drive 0: wd0: 16-sector PIO, LBA, 2015MB, 4127760 sectors wd0(wdc0:0:0): using BIOS timings ep0 at isa0 port 0x300/16 irq 10: address 00:60:8c:b9:62:9a, utp/aui (default utp) pcppi0 at isa0 port 0x61 midi0 at pcppi0: spkr0 at pcppi0 lpt2 at isa0 port 0x3bc/4: polled npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo fdc0 at isa0 port 0x3f0/6 irq 6 drq 2 fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec biomask fbe5 netmask ffe5 ttymask ffe7 pctr: 586-class performance counters and user-level cycle counter enabled nvram: invalid checksum dkcsum: wd0 matches BIOS drive 0x80 root on wd0a rootdev=0x0 rrootdev=0x300 rawdev=0x302 clock: unknown CMOS layout Bob D
Re: Disconnection php4 from the builds.
* Marc Balmer <[EMAIL PROTECTED]> [2006-10-27 19:07]:
> Todd T. Fries wrote:
>
> >I definitely agree with those previously stating that not all php code
> >supports php5 yet.
>
> disconnecting php4 will help them speed up the transition.

bullshit. it leads to pplz building from source, thus having things not visible for pkg_*, and they won't get updated at all. yeah, great idea.
Re: Disconnection php4 from the builds.
Todd T. Fries wrote:

I definitely agree with those previously stating that not all php code supports php5 yet.

disconnecting php4 will help them speed up the transition.

phpBB.com states 'running phpBB 2.0.x with PHP5 is not supported'

phpBB is notorious for security problems of all kinds, we should disconnect this too or move it to the mbone category... ;)

That said, I do agree at some point that php4 should be deprecated. I'm not convinced that time is yet. After OpenBSD 4.1 seems like a good time to me. For those not tracking current, that would give approximately a year when 4.2 comes out to have things working with php5.

We can wait forever, but PHP4 is not really maintained anymore, do you realise this? It puts servers at risk, unnecessary, I'd say.

-mb
Re: Disconnection php4 from the builds.
I definitely agree with those previously stating that not all php code supports php5 yet. phpBB.com states 'running phpBB 2.0.x with PHP5 is not supported' .. though there is evidence in their changelogs that they are working on support for php5. This is definitely not the only codebase in the same boat that does not yet work on php5.

That said, I do agree at some point that php4 should be deprecated. I'm not convinced that time is yet. After OpenBSD 4.1 seems like a good time to me. For those not tracking current, that would give approximately a year when 4.2 comes out to have things working with php5.

On Saturday 21 October 2006 12:29, Robert Nagy wrote:
> Hi.
>
> A couple of us think that people should switch to php5
> because the php4 ports is not going to be updated.
> Everything in the ports tree uses php5 now and we do not
> see any reasons to ship with it.
>
> It is possible that a lot of people are relying on php4
> so we are still going to keep it in the tree but we are
> not going to build the packages.
>
> If you have objections, please tell me.

-- Todd Fries .. [EMAIL PROTECTED] _ | \ 1.636.410.0632 (voice) | Free Daemon Consulting, LLC \ 1.405.227.9094 (voice) | http://FreeDaemonConsulting.com \ 1.866.792.3418 (FAX) | "..in support of free software solutions." \ 250797 (FWD) | \ \\ 37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A http://todd.fries.net/pgp.txt
ifconfig question
I received some very useful advice from this list a short while ago when I was having problems with throughput on a Soekris firewall. The issue turned out to be a problem with Ethernet autoselect and I thought I had worked around it effectively. The problem has now reappeared, however, and I would appreciate some further advice.

Background: My OS version is:

OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

My original problem showed up when sis0 was configured like this:

sis0: flags=8843 mtu 1500 media: Ethernet autoselect (100baseTX full-duplex)

I changed /etc/hostname.sis0 from "dhcp NONE NONE NONE" to "dhcp media 10baseT". This resulted in ifconfig showing this:

sis0: flags=8843 mtu 1500 media: Ethernet 10baseT

With these settings things were working great. Yesterday we had to reboot a few things and users later reported throughput problems again. I checked ifconfig and found the following:

sis0: flags=8843 mtu 1500 media: Ethernet 10baseT (100baseTX full-duplex)

I thought that my hostname.sis0 would prevent "100baseTX full-duplex" but apparently not. The man page says to use ifconfig -m to see the available options:

# ifconfig -m sis0
sis0: flags=8843 mtu 1500 lladdr 00:00:24:c6:df:34 groups: egress media: Ethernet 10baseT (100baseTX full-duplex) status: active supported media: media none media 10baseT media 10baseT mediaopt full-duplex media 100baseTX media 100baseTX mediaopt full-duplex media autoselect

There is no option for "media 10baseT mediaopt half-duplex" so I tried to correct the settings by doing "ifconfig sis0 media 10baseT".
The settings didn't change, however:

sis0: flags=8843 mtu 1500 media: Ethernet 10baseT (100baseTX full-duplex)

Then I did "ifconfig sis0 media 100baseTX" followed by "ifconfig sis0 10baseT" and things went back to normal:

sis0: flags=8843 mtu 1500 media: Ethernet 10baseT

What I don't understand is how I ended up getting "100baseTX full-duplex" to begin with having "DHCP media 10baseT" in hostname.sis0. Is there something else I can do to ensure that the correct setting is always applied?

Thanks, RPK.
Re: Soundblaster Audigy LS (SE, PCI subsys id = 0x100a1102)
On Fri, Oct 27, 2006 at 05:10:44PM +0200, Alexandre Ratchov wrote:
> hi,
>
> I'm interested. If no other developers want it, i'd like to try to
> make it work on openbsd.
>
> thanks,
>
> -- Alexandre

Ok, I just need an address where to drop it off. Thanks for taking this off my hands.

-peter

-- Here my ticker tape .signature My name is Peter Philipp lynx -dump "http://en.wikipedia.org/w/index.php?title=Pufferfish&oldid=20768394" | sed -n 131,137p http://centroid.eu So long and thanks for all the fish!!!
Re: OpenBSD AJAX
On Wed, Oct 25, 2006 at 02:21:55PM +0200, ropers wrote: > On 25/10/06, bofh <[EMAIL PROTECTED]> wrote: > >On 10/24/06, ropers <[EMAIL PROTECTED]> wrote: > >> > >> You mentioned that you dislike PHP. > >> I would be curious to learn your reasons for this. > > > >If you look back at the history of PHP, it was created so that > >"non-programmers" can easily program. Well, if you want to see the > >results > >of a non-programmer writing scripts, go google "Not Matt's Scripts" and > >read > >the reason it was created. Then look again at the library of PHP scripts > >out there, and consider them in light of Not Matt's Scripts. > > It's prolly worth noting that both Matt's scripts and nms are written > in Perl, not PHP. > > However, I still do take your point, which I understand to be a > **general** point about the very concept of "allowing" non-programmers > to easily churn out code, and the way that PHP facilitates that. Ropers, I recently recommended python as a nice way to start programming but that was for a very young person with little exposure to computing. In your case I am not sure if it is relevant but I completely agree with the case for python. Best of luck! regards, Girish
Re: Lenovo notebooks
Johan P. Lindström wrote:

Shame on everyone who don't buy their CD's. Try it out from a local FTP and when the time comes, twice a year so far, get your release on CD, plenty of nice stickers and the artwork is always amazing.

I never buy the CDs because I don't have a use for them. I agree that, like everything else about the project, they are of a very high quality. It's just that I'm a minimalist. However, I do donate to the project regularly. There have been a few years where I haven't, but unemployment coupled with medical bills can be a bitch. I think your statement may be a little too broad. Not everyone who avoids the CDs deserves shame. It's the people who only take from the project, and never give back in kind for the high value that they have received, who should feel ashamed.

Breeno
Re: Soundblaster Audigy LS (SE, PCI subsys id = 0x100a1102)
On Fri, Oct 27, 2006 at 12:04:55AM +0300, Peter Philipp wrote:
> Hi,
>
> Any poor soul living in Frankfurt and running Linux or Windows needing a
> Soundblaster (PCI) card? I have a Soundblaster Audigy LE card to give
> away as there is no BSD support for this one (checked FreeBSD project as
> well).
>
> I tried "fool"ing around with it, putting support into it, after pretty well
> copying the Linux driver but it didn't seem to work. This card doesn't seem
> to be ac97 compatible so no ac97 driver could attach to it. I'm giving it
> away as it's completely worthless to me.
>

hi,

I'm interested. If no other developers want it, i'd like to try to make it work on openbsd.

thanks,

-- Alexandre
Re: shell script (background ogg-stream dumping) - "no such process"
Hi Jan,

Jan Stary wrote:

[ skipped ]

*Usually* (I know) it finishes OK, and the *ogg is a valid ogg stream. In this failing case, it *also* is a valid ogg stream, but much shorter than usual. So I suppose the background nc dies before I try to kill it myself (that is, after sleeping for $LENGTH seconds). One reason for this to happen is that the ogg being streamed out just finishes before $LENGTH (a special case being it returns immediately, possibly getting a HTTP error and an immediate EOF. But I doubt that - it's a continuously streamed radio station). Or the running nc(1) loses connection? Or maybe the inner structure of live-streamed OGG's is such that the (in fact) HTTP response is EOFed when one show finishes and another starts? Or, obviously, my script is somehow wrong - any hints? Sorry if this is trivial. Thanks for your time

Jan

Since it only happens infrequently, I'd start 'nc' under trace, and preserve the trace file in the case when 'kill' has nothing to kill. Trace file should show what 'nc' encountered on the network...
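A way to have the recording script itself report whether the producer ended before the timer ran out, and with what exit status, as an added example that is not part of either post. `record_for` is a hypothetical helper name and `fake_stream` is a constructed stand-in for the poster's nc pipeline so the block runs offline.

```shell
#!/bin/sh
# Added example; fake_stream and record_for are hypothetical names.

# Constructed stand-in for the nc pipeline: prints an HTTP header and an
# "OggS" body, stays "connected" for $1 seconds, then exits with status $2.
fake_stream() {
    printf 'HTTP/1.0 200 OK\r\nContent-Type: application/ogg\r\n\r\n'
    printf 'OggS-constructed-payload\n'
    # Detach sleep from the fifo so killing this subshell closes the writer.
    sleep "$1" >/dev/null 2>&1
    return "$2"
}

# record_for LENGTH OUTPUT COMMAND [ARGS...]
# Runs COMMAND as the stream producer, keeps everything from the first line
# starting with "OggS" in OUTPUT, and stops the producer after LENGTH seconds.
# Prints "timeout" if the producer had to be killed, or "early:STATUS" if it
# had already exited on its own (the "kill: No such process" case).
record_for() {
    length=$1; output=$2; shift 2
    dir=$(mktemp -d) || return 2
    fifo=$dir/stream
    mkfifo "$fifo" || { rm -rf "$dir"; return 2; }

    # Reader: strip the HTTP header, as in the original script.
    sed -n '/^OggS/,$ p' < "$fifo" > "$output" &
    sed_pid=$!
    # Producer: its PID is the one we watch and, if needed, kill.
    "$@" > "$fifo" &
    prod_pid=$!

    # Poll once a second instead of one long sleep, so an early exit is
    # noticed while the exit status can still be collected with wait.
    elapsed=0
    while [ "$elapsed" -lt "$length" ] && kill -0 "$prod_pid" 2>/dev/null; do
        sleep 1
        elapsed=$((elapsed + 1))
    done

    if kill -0 "$prod_pid" 2>/dev/null; then
        kill "$prod_pid" 2>/dev/null || true
        wait "$prod_pid" 2>/dev/null || true
        result="timeout"
    else
        status=0
        wait "$prod_pid" 2>/dev/null || status=$?
        result="early:$status"
    fi

    wait "$sed_pid" || true      # reader sees EOF once the writer is gone
    rm -rf "$dir"
    echo "$result"
}
```

An `early:` result together with a shorter-than-expected file says the producer stopped by itself; logging that line from cron gives a record of each occurrence alongside any trace output.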
Re: NOD32 Antivirus and OpenBSD?
Hello List,

Guess I have to weigh in on this one. My shop runs ClamAV on the (OpenBSD) mail server and NOD32 on the win* file servers and desktops (yes I know an OpenBSD file server would be neat, I'm working on it). The reason we run AV at the border AND on the inside boxes is quite simply that I have seen way too many times in my career a virus be ignored by one AV package but caught by another. Security is a must where I work and the added protection (for free i might add) is a very small price to pay for a little bit more. Remember, Security is like onions lots of layers...

stuart

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Berk D. Demir Sent: Friday, October 27, 2006 4:49 AM To: smith Cc: misc@openbsd.org Subject: Re: NOD32 Antivirus and OpenBSD?

smith wrote:
>
> I second that. Why waste server resources and decrease server security, when
> all Windows machines should be running their own antivirus software to begin with.
>

That's the difference between border defense and field defense. Running anti-malware software on border machines, such as SMTP servers, proxies, etc. is an important countermeasure for network wide infection. It's very much possible to have an outdated or undefended node in the network but in border defense line, that's not the case. You shouldn't get this as "waste of resources". Security is a process and it's not cheap to achieve. Field defense (node is protecting itself) and border defense are complemental approach to so-called "self defending network" (Hello, Cizzz-coeee)
Re: OpenBSD Wiki
On Thu, Oct 26, 2006 at 08:52:20PM -0500, Kenny Mann wrote:
> Dudes,
>
> Many months ago I started a website called OpenBSD-Wiki (located at http://www.openbsd-wiki.org).
>
> The original goal was pretty selfish: Document what it took to get my systems going so I wouldn't forget.
>
> I'm not a complete moron (eek! I hope!) , but I'm nowhere near as skilled as many on this list -- so I needed some documentation for myself. Wiki seemed to make the most sense, especially considering that many articles on the web are out of date and could use some minor (and sometimes major) adjustments.
>
> As I lurked the misc@ list, I found some pretty helpful things, emailed the offer off-list asking if their works can be placed on that site released under the BSD license and so far everyone I've asked has been kind enough to say yes.
>
> Anyone is welcome to create articles or create content they think is useful for other people to know (so long as either you or the original author will release it under the BSD license).
>
> As far as how things should be organized and all that, I haven't entirely thought that through and am open to suggestions. My original thoughts where to make it close to the Gentoo-Wiki project (located at: http://www.gentoo-wiki.org).
>
> I've been pretty busy lately and haven't had time to produce as many articles as I'd like but I'm also waiting for the 4.0 CD to arrive (it's already shipped and I have a tracking number! yay! I'm excited!) and I will update as many articles to that as possible.
>
> I lack design abilities, so any criticism is welcome. Well _any_ criticism is welcome.
>
> I'm trying to figure out a sane method to extract the articles into being a plain-text dump, so everyone can take copies if they need, once I get that figured out I'll post on the site.
>
> Those that have already contributed or allowed me to take their articles and place them there, I thank you very much and would like to say: You rock!
>
> One final thing, this is hosted off of my SBC DSL Business Elite line. This means I have 3-6mb down and 384-618 up (static IP's), so if the lines start getting clogged too hard then I'm willing to pay for some real hosting -- so no worries.

Count me in but give me some time. I may not be a star but I can certainly help. :-)

regards, Girish

-- Be different. conform.
Re: bridge(4) RSTP
Hi,

A nice start could be to teach our tcpdump about RSTP. At present it just pukes:

20:30:14.196199 802.1d unknown protocol ver(0x2)

/Pete

On 27. okt. 2006, at 13.35, Stuart Henderson wrote:

FreeBSD have early support for rapid STP in bridge(4):

http://lists.freebsd.org/pipermail/freebsd-current/2006-October/066535.html
http://people.freebsd.org/~thompsa/bridge_rstp.20061012.diff

I'll try and look at it sometime, but knowing how far I got last time I tried porting any kernel code (not very...and they have made quite a few changes to bridge(4) since importing it via NetBSD last year) I thought it may be worth drawing attention to here in case anyone else is interested.
bridge(4) RSTP
FreeBSD have early support for rapid STP in bridge(4): http://lists.freebsd.org/pipermail/freebsd-current/2006-October/066535.html http://people.freebsd.org/~thompsa/bridge_rstp.20061012.diff I'll try and look at it sometime, but knowing how far I got last time I tried porting any kernel code (not very...and they have made quite a few changes to bridge(4) since importing it via NetBSD last year) I thought it may be worth drawing attention to here in case anyone else is interested.
Re: pf load balancing and failover
Hi Berk,

I'm really interested in this. I have a load of legacy tcp session based load balancing which I'd love to migrate to an OpenBSD/pf based solution. Do you have a patch which applies cleanly to 4.0?

/Pete

On 26. okt. 2006, at 22.16, Berk D. Demir wrote:

Pete Vickers wrote:

1) When using sticky-address in the rdr rules client-server associations are added to the internal Sources table. It is impossible to remove entries for a single backend from this table. If a backend fails and is removed from the rdr destination table this table will have to be flushed, making all clients end up on new backends, which is unacceptable in many configurations. If this table is not cleared then the rdr destination table is not inspected for client IP's found in the Sources table. These clients will still be sent to the failed and removed backend. Preferably entries could be removed from this table based on source-IP and backend-IP:backend-port, and maybe even the virtual service IP:port or a pf rule number.

2) TCP sessions to a failed backend will continue to exist after the backend is removed from the rdr destination table. As of today these sessions can be removed with pfctl by specifying the source and destination IP addresses. Since different services can run on different port numbers on the same machines it should be possible to specify a destination port number as well. I guess that if a backend dies then the client is notified about this just as if it had been speaking directly to the backend, so it might not be necessary to clean out these sessions at all, and maybe even the tcpdrop tool will do the trick? Anyway, main issue is with removing single sessions from the internal Sources table (as it is called in pfctl(8)).

I've submitted a patch, adding a new ioctl to pf and an implementation to clear src-track entries likewise states (-k 1.1.1.1 -k 2.3.5.0/23). A patched build (smt. between 4.0 and -current) is running in many DCs in my county right now.
pfctl.c changed after my submission. I have to fix the patches and post here in case it helps. It needs to get OKs from developers to get into the tree. Last touch with a developer about this patch was with dhartmei on Jul 25. (I'll post it tomorrow)
Re: [PATCH] NTLM/winbind support for squid
sorry, should go to ports@

On Fri, Oct 27, 2006 at 01:07:55PM +0200, Thomas Schoeller wrote:
> i have not tried your patch. but i did something similar to this. and it
> runs fine in production for 6 months. PLIST should be updated. i will do
> this when i got some time.
> i would be really happy if this goes into the cvs.
>
> thomas
>
> On Thu, Oct 26, 2006 at 04:30:06PM -0200, Eduardo Alvarenga wrote:
> > 2006/9/25, Eduardo Alvarenga <[EMAIL PROTECTED]>:
> > >2006/9/25, Antoine Jacoutot <[EMAIL PROTECTED]>:
> > >> On Mon, 25 Sep 2006, Eduardo Alvarenga wrote:
> > >> > +FLAVORS= transparent snmp ntlm-winbind
> > >>
> > >> I don't think "ntlm-winbind" is a correct syntax.
> > >> Either use "ntlm" or "winbind".
> > >
> > >Well, It can be ntlm or even ntlmssp.
> > >But just "winbind" may confuse people I think.
> > >
> > >I'd like to have feedbacks about the patch.
> > >Since I'm not subscribed to ports@, please be gentle and CC me too.
> >
> > Did anyone care about this patch?
> > It is really useful. Worth trying.
> >
> > --
> > Eduardo Alvarenga
Re: [PATCH] NTLM/winbind support for squid
i have not tried your patch. but i did something similar to this. and it runs fine in production for 6 months. PLIST should be updated. i will do this when i got some time. i would be really happy if this goes into the cvs.

thomas

On Thu, Oct 26, 2006 at 04:30:06PM -0200, Eduardo Alvarenga wrote:
> 2006/9/25, Eduardo Alvarenga <[EMAIL PROTECTED]>:
> >2006/9/25, Antoine Jacoutot <[EMAIL PROTECTED]>:
> >> On Mon, 25 Sep 2006, Eduardo Alvarenga wrote:
> >> > +FLAVORS= transparent snmp ntlm-winbind
> >>
> >> I don't think "ntlm-winbind" is a correct syntax.
> >> Either use "ntlm" or "winbind".
> >
> >Well, It can be ntlm or even ntlmssp.
> >But just "winbind" may confuse people I think.
> >
> >I'd like to have feedbacks about the patch.
> >Since I'm not subscribed to ports@, please be gentle and CC me too.
>
> Did anyone care about this patch?
> It is really useful. Worth trying.
>
> --
> Eduardo Alvarenga
Re: shell script (background ogg-stream dumping) - "no such process"
On Fri, Oct 27, 2006 at 11:12:08AM +0200, Jan Stary wrote:
> I have this little sh script which saves an ogg audio stream,
> streamed by an internet radio. It's short enough to quote it:
>
> --- cut --
> #!/bin/sh
> # $1 is length in seconds, $2 is the output filename.
> # The stream itself is prefixed by a HTTP header, which needs to be
> # trimmed off up to (and not including) the ^OggS
> # HTTP/1.0 200 OK
> # Content-Type: application/ogg
> # icy-br:128
> # icy-description:European-style cultural station
> # icy-genre:classical
> # icy-name:CRo3 - Vltava
> # icy-pub:1
> # Server: Icecast 2.2.0
> #
> # OggS..
>
> if test $# -lt 2 ; then
> 	echo "usage: $0 length output" >&2
> 	exit 1
> fi
>
> NC=`which nc 2>/dev/null`
> test -x "$NC" || exit 1
>
> HOST="amp1.cesnet.cz"
> FILE="cro3.ogg"
> PORT="8000"
>
> LENGTH="$1"
> OUTPUT="$2"
> STREAM="/tmp/vltava.$$"
>
> test -e $OUTPUT && { echo "$OUTPUT already exists" >&2 ; exit 1 ; }
> mkfifo $STREAM || { echo "Cannot create output stream $STREAM" >&2; exit 1; }
>
> sed -n -e '/^OggS/,$ p' < $STREAM > $OUTPUT &
> { echo "GET /$FILE HTTP/1.0" ; echo ; } \
> | $NC $HOST $PORT > $STREAM &
>
> PID=$! && sleep $LENGTH && kill $PID
> rm -f $STREAM
>
> echo "Recorded $LENGTH seconds of http://$HOST:$PORT/$FILE";
> echo "into $OUTPUT"
> --- cut --
>
> The idea is that the stream is just dumped by nc(1) to a fifo,
> from which a sed one-liner copies everything starting with the
> ^OggS header (so that we trim off the HTTP header).
>
> I run this script from cron, obviously, as in
>
> 05 00 * * 7 $HOME/bin/vltava 5100 $HOME/vltava/`date +\%Y\%m\%d`-jazzclub.ogg
>
> Now, *sometimes* (I know) the script results in cron saying
>
> /home/hans/bin/vltava[43]: kill: 15062: No such process
> Recorded 5100 seconds of http://amp1.cesnet.cz:8000/cro3.ogg
> into /home/hans/vltava/20061024-jazzclub.ogg
>
> *Usually* (I know) it finishes OK, and the *ogg is a valid ogg stream.
> In this failing case, it *also* is a valid ogg stream, but much
> shorter than usual.
>
> So I suppose the background nc dies before I try to kill it myself
> (that is, after sleeping for $LENGTH seconds).
>
> One reason for this to happen is that the ogg being streamed out just
> finishes before $LENGTH (a special case being it returns immediately,
> possibly getting a HTTP error and an immediate EOF. But I doubt that
> - it's a continuously streamed radio station). Or the running nc(1)
> loses connection?
>
> Or maybe the inner structure of live-streamed OGG's is such that the
> (in fact) HTTP response is EOFed when one show finishes and another
> starts?
>
> Or, obviously, my script is somehow wrong - any hints?
> Sorry if this is trivial.

Hi Jan,

I would suspect not the script but the inner workings of the HTTP protocol instead. Your script seems fine; moreover it is simple and also working reliably under most situations as you testify. It will be hard to predict what goes wrong unless we have some statistics or data. For instance, how often does this occur? And by what amount does it fall short? Let us assume the radio station is playing 24 / 7. In which case we need to test it and obtain enough stats. Not to say that stats mean anything but I find them very good for debugging.

Since I don't have the luxury of data, let me make a few guesses.

a) There are several situations in which the TCP connection can get terminated, or cause a buffer underrun which might affect streaming
b) Your network card/kernel buffers might overflow

There are many other possibilities. Could you get back with some test statistics please?

regards,
Girish

--
Be different. conform.
shell script (background ogg-stream dumping) - "no such process"
Hi all,

I have this little sh script which saves an ogg audio stream, streamed by an internet radio. It's short enough to quote it:

--- cut --
#!/bin/sh
# $1 is length in seconds, $2 is the output filename.
# The stream itself is prefixed by a HTTP header, which needs to be
# trimmed off up to (and not including) the ^OggS
# HTTP/1.0 200 OK
# Content-Type: application/ogg
# icy-br:128
# icy-description:European-style cultural station
# icy-genre:classical
# icy-name:CRo3 - Vltava
# icy-pub:1
# Server: Icecast 2.2.0
#
# OggS..

if test $# -lt 2 ; then
	echo "usage: $0 length output" >&2
	exit 1
fi

NC=`which nc 2>/dev/null`
test -x "$NC" || exit 1

HOST="amp1.cesnet.cz"
FILE="cro3.ogg"
PORT="8000"

LENGTH="$1"
OUTPUT="$2"
STREAM="/tmp/vltava.$$"

test -e $OUTPUT && { echo "$OUTPUT already exists" >&2 ; exit 1 ; }
mkfifo $STREAM || { echo "Cannot create output stream $STREAM" >&2; exit 1; }

sed -n -e '/^OggS/,$ p' < $STREAM > $OUTPUT &
{ echo "GET /$FILE HTTP/1.0" ; echo ; } \
| $NC $HOST $PORT > $STREAM &

PID=$! && sleep $LENGTH && kill $PID
rm -f $STREAM

echo "Recorded $LENGTH seconds of http://$HOST:$PORT/$FILE";
echo "into $OUTPUT"
--- cut --

The idea is that the stream is just dumped by nc(1) to a fifo, from which a sed one-liner copies everything starting with the ^OggS header (so that we trim off the HTTP header).

I run this script from cron, obviously, as in

05 00 * * 7 $HOME/bin/vltava 5100 $HOME/vltava/`date +\%Y\%m\%d`-jazzclub.ogg

Now, *sometimes* (I know) the script results in cron saying

/home/hans/bin/vltava[43]: kill: 15062: No such process
Recorded 5100 seconds of http://amp1.cesnet.cz:8000/cro3.ogg
into /home/hans/vltava/20061024-jazzclub.ogg

*Usually* (I know) it finishes OK, and the *ogg is a valid ogg stream. In this failing case, it *also* is a valid ogg stream, but much shorter than usual.

So I suppose the background nc dies before I try to kill it myself (that is, after sleeping for $LENGTH seconds).

One reason for this to happen is that the ogg being streamed out just finishes before $LENGTH (a special case being it returns immediately, possibly getting a HTTP error and an immediate EOF. But I doubt that - it's a continuously streamed radio station). Or the running nc(1) loses connection?

Or maybe the inner structure of live-streamed OGG's is such that the (in fact) HTTP response is EOFed when one show finishes and another starts?

Or, obviously, my script is somehow wrong - any hints? Sorry if this is trivial.

Thanks for your time

Jan
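The early-exit case discussed in this thread, as an added example that is not part of the original posts: it checks that the writer is still alive before signalling it, records roughly how long it lasted, and keeps the fifo in a private `mktemp -d` directory rather than under a predictable `/tmp` name. `capture_for`, `fake_stream` and `RAN_FOR` are names made up here, and `fake_stream` is a constructed stand-in for the `nc` connection so the block runs offline.

```sh
#!/bin/sh
# Added example, not the poster's script. capture_for, fake_stream and
# RAN_FOR are names made up here.

# Constructed stand-in for the nc(1) connection: HTTP header, one "OggS"
# line, then stay connected for $1 seconds. Only run it in the background:
# exec replaces the subshell so that $! is the pid holding the fifo open.
fake_stream() {
    printf 'HTTP/1.0 200 OK\r\nContent-Type: application/ogg\r\n\r\n'
    printf 'OggS constructed payload\n'
    exec sleep "$1"
}

# capture_for LIMIT OUTPUT CMD [ARGS...]
#   returns 0 if CMD was still running after LIMIT seconds and was stopped
#   returns 3 if CMD ended on its own first; RAN_FOR then holds roughly how
#             long it lasted, at 1-second polling granularity
capture_for() {
    cf_limit=$1 cf_output=$2; shift 2
    # Private 0700 directory, so the fifo name cannot be predicted or
    # pre-created by another local user.
    cf_dir=$(mktemp -d "${TMPDIR:-/tmp}/capture.XXXXXXXXXX") || return 1
    mkfifo "$cf_dir/stream" || { rm -rf "$cf_dir"; return 1; }
    sed -n -e '/^OggS/,$ p' < "$cf_dir/stream" > "$cf_output" &
    cf_reader=$!
    "$@" > "$cf_dir/stream" &
    cf_writer=$!
    RAN_FOR=0 cf_rc=0
    while [ "$RAN_FOR" -lt "$cf_limit" ]; do
        # kill -0 delivers no signal; it only tests that the pid exists.
        kill -0 "$cf_writer" 2>/dev/null || { cf_rc=3; break; }
        sleep 1
        RAN_FOR=$((RAN_FOR + 1))
    done
    # The writer can still exit between the last check and this kill, so
    # a failure here is expected and silenced.
    [ "$cf_rc" -eq 3 ] || kill "$cf_writer" 2>/dev/null || true
    wait "$cf_writer" 2>/dev/null || true
    wait "$cf_reader" 2>/dev/null || true   # sed ends at EOF on the fifo
    rm -rf "$cf_dir"
    return "$cf_rc"
}
```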
Re: NOD32 Antivirus and OpenBSD?
smith wrote:
> I second that. Why waste server resources and decrease server security,
> when all Windows machines should be running their own antivirus software
> to begin with.

That's the difference between border defense and field defense. Running anti-malware software on border machines, such as SMTP servers, proxies, etc. is an important countermeasure for network wide infection. It's very much possible to have an outdated or undefended node in the network but in the border defense line, that's not the case. You shouldn't get this as "waste of resources". Security is a process and it's not cheap to achieve.

Field defense (node is protecting itself) and border defense are complementary approaches to so-called "self defending network" (Hello, Cizzz-coeee)