Re: pf.conf for WoW and L2 Games
Sam Fourman Jr. wrote:
> Would anyone happen to have a pf.conf file that will prioritize World of Warcraft (Multi User) and Lineage 2 packets

For Lineage 2, http://support.plaync.com/cgi-bin/plaync.cfg/php/enduser/std_adp.php?p_faqid=1713 lists the ports as 2009, 2106, and . I don't know about World of Warcraft.

-- 
Matthew Weigel
Re: pf.conf for WoW and L2 Games
Thank you all for your help

Sam Fourman Jr.

On 11/12/06, Matthew Weigel [EMAIL PROTECTED] wrote:
> Sam Fourman Jr. wrote:
> > Would anyone happen to have a pf.conf file that will prioritize World of Warcraft (Multi User) and Lineage 2 packets
>
> For Lineage 2, http://support.plaync.com/cgi-bin/plaync.cfg/php/enduser/std_adp.php?p_faqid=1713 lists the ports as 2009, 2106, and . I don't know about World of Warcraft.
>
> --
> Matthew Weigel
NFS very slow in 4.0
I have just upgraded an i386 from 3.9 to 4.0. It's an MX mail server that writes emails to another PC via NFS.

The delivery of the email via NFS is now VERY slow. I noticed that when more than one process tries to access the filesystem via NFS it is very slow. Even a simple ls of a small directory takes a few seconds. If I kill all processes, then accessing that directory is again very fast.

Please note that CPU usage is usually low (a great percentage of idle CPU) but Load Averages are very high (20 and more) due to the many processes trying to write via NFS.

To increase NFS throughput I had increased (many months ago) the number of nfsio to 20 in sysctl.conf (vfs.nfs.iothreads=20). Here is their current status:

10109 ?? IKL 0:00.03 (nfsio)
23992 ?? DKL 0:01.20 (nfsio)
15951 ?? IKL 0:00.57 (nfsio)
16583 ?? IKL 0:00.28 (nfsio)
15549 ?? IKL 0:00.13 (nfsio)
1027 ?? IKL 0:00.09 (nfsio)
10957 ?? IKL 0:00.07 (nfsio)
25036 ?? IKL 0:00.06 (nfsio)
12032 ?? IKL 0:00.05 (nfsio)
6440 ?? IKL 0:00.04 (nfsio)
17435 ?? IKL 0:00.03 (nfsio)
8590 ?? IKL 0:00.02 (nfsio)
15924 ?? IKL 0:00.02 (nfsio)
24621 ?? IKL 0:00.02 (nfsio)
7798 ?? IKL 0:00.02 (nfsio)
26897 ?? IKL 0:00.02 (nfsio)
26366 ?? IKL 0:00.02 (nfsio)
15218 ?? IKL 0:00.02 (nfsio)
24631 ?? IKL 0:00.02 (nfsio)
31798 ?? IKL 0:00.02 (nfsio)

Please note that I upgraded only the client PC, no changes on the NFS server (an OpenBSD i386 3.9).

Have there been changes in 4.0 that can explain this behavior?
Is there something I can do to solve it?

Thanks.

-- 
Federico Giannici
[EMAIL PROTECTED]
http://www.neomedia.it
Re: openbsd + external sensor (t°, humidity, ...)
Julien TOUCHE wrote:
> i'm currently looking for a solution to monitor external environment from an openbsd server.

I'm currently developing a soekris add-on board which will allow (among other things) to connect 16 external sensors. The driver will integrate nicely with the OpenBSD sensor and GPIO framework.

Development is not completed, so I don't have much more to say publicly, but if you are interested and like testing new stuff, drop me an e-mail privately.

Cedric
PF state problem
Hello,

I am using OpenBSD 4.0 with pf. On my machine I run some services including ssh. Since I want access to my machine from outside I opened the ssh port and created a rule that allows outgoing traffic:

pass in on $ext_if proto tcp to ($ext_if) port 22
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

So far, from two of my PCs outside the network I can connect to the ssh service, but from exactly one PC it does not work because I get no response back from the ssh server. If I add 'keep state' to the pass in rule it works.

Why do I need 'keep state' although the pass out rule already defines 'modulate state'? As I mentioned above: it works for all of my PCs outside except for one.

cheers,
Gerald
Re: crash on 4.0 (but no ddb)
Stephen Takacs wrote:
> On Sun, Nov 05, 2006 at 05:27:05PM -0500, Kyle George wrote:
> > Actually, what I should have said was uncomment the ddb.console=1 line in sysctl.conf. That's where it should go. It will work in either place though.
>
> Yeah that's what I did. :-)
>
> Unfortunately the machine crashed again tonight while I was using it, and the ddb.console key sequence didn't work, because the keyboard was totally dead. I had just started up xpdf, and it was taking forever to load the file (lots of graphics on this PDF) when I realized after a couple minutes that this time it wasn't going to finish loading... Ever since 3.9 was
>
> Is there any way to troubleshoot this further in this kind of situation? I don't think it's the hardware, because I'm subjecting the machine to the same stress levels as always, and it started acting strange the next morning after the 3.9 - 4.0 upgrade.

Try a serial console, if possible. I have not been able to view the ddb output if the machine crashed while running X. Not sure if the caps lock etc was unresponsive, though. I am on a Dell Inspiron 4100.

Or try typing boot crash or so, and see if anything happens, but you maybe tried that earlier.

/Alexander
how to use infrared remote control with openbsd ?
Hello,

I'm using lirc on linux and I want to switch to openbsd, but I can not find an equivalent package to lirc. Have I missed something, or does somebody have a good idea?

Regards
Claude

-- 
View this message in context: http://www.nabble.com/how-to-use-infrared-remote-control-with-openbsd---tf2616357.html#a7301750
Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: NFS very slow in 4.0
On Sun, Nov 12, 2006 at 10:46:17AM +0100, Federico Giannici wrote:
> Have there been changes in 4.0 that can explain this behavior?

No.

> Is there something I can do to solve it?

Try playing with the NIC. See if you get the same amount of throughput with 4.0 that you got with 3.9.

-p.
Re: NFS very slow in 4.0
Pedro Martelletto wrote:
> On Sun, Nov 12, 2006 at 10:46:17AM +0100, Federico Giannici wrote:
> > Have there been changes in 4.0 that can explain this behavior?
>
> No.
>
> > Is there something I can do to solve it?
>
> Try playing with the NIC. See if you get the same amount of throughput with 4.0 that you got with 3.9.

I have the same NICs in a couple of other PCs, with no visible change in throughput.

Sniffing the NFS traffic I have seen that when everything slows down a lot of traffic is present with the listing of the directory of some delivery.

Is there any case that makes NFS in 4.0 read the listing of a directory?

Thanks.

-- 
Federico Giannici
[EMAIL PROTECTED]
http://www.neomedia.it
Chairman of the Board of Directors - Neomedia S.r.l.
Re: PF state problem
On 2006/11/12 11:24, Gerald Holl wrote:
> pass in on $ext_if proto tcp to ($ext_if) port 22
> pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
>
> So far, from two of my PCs outside the network I can connect to the ssh service, but from exactly one PC it does not work because I get no response back from the ssh server. If I add 'keep state' to the pass in rule it works.
>
> Why do I need 'keep state' although the pass out rule already defines 'modulate state'? As I mentioned above: it works for all of my PCs outside except for one.

modulate state is creating state from a packet after the connection setup, which doesn't have all the relevant information to validate the sequence numbers correctly.

You should use flags S/SA keep state or ...modulate state on all your rules unless there's a special reason to do otherwise (quite unlikely).
Re: NFS very slow in 4.0
On Sun, Nov 12, 2006 at 01:59:47PM +0100, Federico Giannici wrote:
> Is there any case that makes NFS in 4.0 read the listing of a directory?

Yes, the getcwd() change. I wonder if it exposed any other bug in our NFS code (as it did in the past, but those got fixed, since they were reported).

Anyway, I'm working on trying to find a reason for what you're seeing, along with a fix. Can you please provide a dmesg?

-p.
Re: PF state problem
Stuart Henderson wrote:
> On 2006/11/12 11:24, Gerald Holl wrote:
> > pass in on $ext_if proto tcp to ($ext_if) port 22
> > pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
> >
> > So far, from two of my PCs outside the network I can connect to the ssh service, but from exactly one PC it does not work because I get no response back from the ssh server. If I add 'keep state' to the pass in rule it works.
> >
> > Why do I need 'keep state' although the pass out rule already defines 'modulate state'? As I mentioned above: it works for all of my PCs outside except for one.
>
> modulate state is creating state from a packet after the connection setup, which doesn't have all the relevant information to validate the sequence numbers correctly.
>
> You should use flags S/SA keep state or ...modulate state on all your rules unless there's a special reason to do otherwise (quite unlikely).

Since the OP is using 4.0, this might be of interest: flags S/SA keep state is default [0].

[0] http://archives.neohapsis.com/archives/openbsd/2006-10/0549.html

Regards,
Martin
Re: NFS very slow in 4.0
On Sun, Nov 12, 2006 at 02:31:59PM +0100, Federico Giannici wrote:
> The NEOMEDIA kernel is GENERIC with the following two options (I used them in 3.9 to avoid kernel freezes):
>
> maxusers 64
> option NKMEMPAGES_MAX=32768

These problems are still there, so keep using them.

-p.
Re: NFS very slow in 4.0
Pedro Martelletto wrote:
> On Sun, Nov 12, 2006 at 01:59:47PM +0100, Federico Giannici wrote:
> > Is there any case that makes NFS in 4.0 read the listing of a directory?
>
> Yes, the getcwd() change. I wonder if it exposed any other bug in our NFS code (as it did in the past, but those got fixed, since they were reported).
>
> Anyway, I'm working on trying to find a reason for what you're seeing, along with a fix. Can you please provide a dmesg?

Here it is.

The NEOMEDIA kernel is GENERIC with the following two options (I used them in 3.9 to avoid kernel freezes):

maxusers 64
option NKMEMPAGES_MAX=32768

Bye.
Re: PF state problem
Martin Toft wrote:
> Since the OP is using 4.0, this might be of interest: flags S/SA keep state is default [0].
>
> [0] http://archives.neohapsis.com/archives/openbsd/2006-10/0549.html

Hmm, sorry, I didn't read it right. It's only in -current.

Regards,
Martin
Re: PF state problem
Stuart Henderson wrote:
> On 2006/11/12 11:24, Gerald Holl wrote:
> > pass in on $ext_if proto tcp to ($ext_if) port 22
> > pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
> >
> > So far, from two of my PCs outside the network I can connect to the ssh service, but from exactly one PC it does not work because I get no response back from the ssh server. If I add 'keep state' to the pass in rule it works.
> >
> > Why do I need 'keep state' although the pass out rule already defines 'modulate state'? As I mentioned above: it works for all of my PCs outside except for one.
>
> modulate state is creating state from a packet after the connection setup, which doesn't have all the relevant information to validate the sequence numbers correctly.
>
> You should use flags S/SA keep state or ...modulate state on all your rules unless there's a special reason to do otherwise (quite unlikely).

Ok, I changed the above rules into the following ones:

pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA modulate state
pass out on $ext_if proto { tcp, udp, icmp } from any to any flags S/SA modulate state

With these rules, pf only keeps state when the SYN flag is set, is that right?

cheers,
Gerald

-- 
http://holl.co.at
4.0 - Upgrading without install media
I have some boxen in colo, and while I can go there to upgrade it's not nearly as convenient as sitting at my desk. So I chose to upgrade over ssh, knowing that if something goes horribly wrong I *can* drive down and fix it on-site.

I just wanted to say that the process as documented in the FAQ (hi, Nick!) is clear, concise, and has worked flawlessly every time I have done it. Thanks for the efforts at documenting a process that is not recommended but is still useful to many and necessary to some!

This is also a tribute to the developers in producing releases that hardly ever have ANY regression problems. Kudos!

-- 
Darrin Chandler | Phoenix BSD Users Group
[EMAIL PROTECTED] | http://bsd.phoenix.az.us/
http://www.stilyagin.com/ |
systrace: vi policy
i've read through all the docs that i can find on systrace policy generation and enforcement and have hit a snag when trying to generate a working policy for vi that restricts the files that can be read and written by a user.

the policy is generated by running

systrace -A vi test.txt

for an unprivileged user in their home directory, performing some edits, quitting vi and editing the policy to wildcard file paths where appropriate. running the same command with enforcement of the auto-generated policy, systrace -a vi test.txt, yields the following:

$ systrace -a vi test.txt
ex/vi: Error: Unable to create temporary file: Operation not permitted

when this occurs there is a corresponding series of log entries

Nov 12 08:29:36 served systrace: deny user: systest, prog: /usr/bin/vi, pid: 2684(0)[0], policy: /usr/bin/vi, filters: 60, syscall: native-fswrite(5), filename: /tmp/bt.lP2684
Nov 12 08:29:36 served systrace: deny user: systest, prog: /usr/bin/vi, pid: 2684(0)[0], policy: /usr/bin/vi, filters: 60, syscall: native-fsread(291), filename: /home/systest/test.txt
Nov 12 08:29:36 served systrace: deny user: systest, prog: /usr/bin/vi, pid: 2684(0)[0], policy: /usr/bin/vi, filters: 60, syscall: native-fswrite(5), filename: /tmp/vi.HgVcdq2684

the denial of these syscalls is confusing to me since the systrace policy, /etc/systrace/usr_bin_vi [0], contains wildcarded permit statements that should, AFAICT, allow these syscalls. the two lines in usr_bin_vi that are meant to allow these syscalls are marked in [0] below. since systrace obviously works for other folks, i'm missing something here. i suspect it has to do with wildcarding or environment variables. clues appreciated.

cheers,
jake

[0] - /etc/systrace/usr_bin_vi

Policy: /usr/bin/vi, Emulation: native
	native-issetugid: permit
	native-mprotect: permit
	native-mmap: permit
	native-__sysctl: permit
	native-fsread: filename eq /var/run/ld.so.hints then permit
	native-fstat: permit
	native-close: permit
	native-fsread: filename eq /usr/lib/libcurses.so.10.0 then permit
	native-read: permit
	native-mquery: permit
	native-fsread: filename eq /usr/lib/libc.so.39.0 then permit
	native-munmap: permit
	native-sigprocmask: permit
	native-fsread: filename eq /etc/malloc.conf then permit
	native-ioctl: permit
	native-fsread: filename eq $HOME/.terminfo.db then permit
	native-fsread: filename eq $HOME/.terminfo then permit
	native-fsread: filename eq /usr/share/misc/terminfo.db then permit
	native-fcntl: permit
	native-pread: permit
	native-sigaction: permit
	native-fsread: filename eq /usr/share/vi/catalog then permit
	native-getpid: permit
	native-fsread: filename eq /tmp then permit
	native-fswrite: filename eq /tmp/* then permit
	native-lseek: permit
	native-fsread: filename eq /etc/vi.exrc then permit
	native-fsread: filename eq $HOME/.nexrc then permit
	native-fsread: filename eq $HOME/.exrc then permit
	native-fsread: filename eq $HOME/* then permit
	native-fsread: filename eq /var/tmp/vi.recover then permit
	native-fswrite: filename eq /var/tmp/vi.recover/* then permit
	native-fchmod: fd eq 3 and mode eq 700 then permit
	native-flock: permit
	native-write: permit
	native-poll: permit
	native-select: permit
	native-getuid: permit
	native-fsread: filename eq /etc/spwd.db then permit
	native-fsread: filename eq /etc/pwd.db then permit
	native-fchmod: fd eq 6 and mode eq 600 then permit
	native-gettimeofday: permit
	native-fsread: filename eq /usr/share/zoneinfo/US/Central then permit
	native-pwrite: permit
	native-fsync: permit
	native-chmod: filename eq /var/tmp/vi.recover/vi.* and mode eq 600 then permit
	native-fswrite: filename eq $HOME/* then permit
	native-exit: permit
	native-fchmod: fd eq 3 and mode eq 600 then permit
	native-fsread: filename eq /usr/share/nls/C/libc.cat then permit
	native-fsread: filename eq /non-existent filename: /usr/share/nls/libc/C then permit
Re: PF state problem
On 2006/11/12 15:40, Gerald Holl wrote:
> > modulate state is creating state from a packet after the connection setup, which doesn't have all the relevant information to validate the sequence numbers correctly.
> >
> > You should use flags S/SA keep state or ...modulate state on all your rules unless there's a special reason to do otherwise (quite unlikely).
>
> Ok, I changed the above rules into the following ones:
>
> pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA modulate state
> pass out on $ext_if proto { tcp, udp, icmp } from any to any flags S/SA modulate state
>
> With these rules, pf only keeps state when the SYN flag is set, is that right?

Yes, exactly. Other packets (those which don't only have SYN out of SYN+ACK) don't create state at all, but they're allowed through when they match an existing state (src/dest port+address, as you'd expect, and sequence numbers must also be within a reasonable window).

I think one of the main reasons people used to avoid keeping state was so that a newly-booted firewall could synchronize with existing packet flows (say, if you want to replace one firewall with a new one), but we have CARP/PFSYNC for that now so it's less important.

Generally keeping state saves cpu time, and increases security.
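As an added example (not code from the thread), the Python below models the behaviour described in this exchange for the final rule set: `flags S/SA` decides which packets may create state, every other packet must match an existing entry and sit inside a sequence window, and `modulate state` shifts only the initiator's sequence numbers by a per-state offset. The addresses, the fixed window and the constant offset are constructed (pf randomises the offset and derives the window from the handshake), and a `block all` default is assumed.

```python
"""Model of pf state creation with 'flags S/SA' and 'keep/modulate state'.

Added example, not from the thread.  Assumptions: a 'block all' default,
a fixed sequence window, and a constant modulation offset.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04
_FLAG_BITS = {"S": SYN, "A": ACK, "F": FIN, "R": RST}
SEQ_WINDOW = 65535  # simplified; pf derives the window from the handshake

Endpoint = Tuple[str, int]


def flags_match(pkt_flags: int, spec: str) -> bool:
    """pf 'flags a/b': of the flags in mask b, exactly those in a must be set.
    'S/SA' matches a bare SYN but neither SYN+ACK nor a plain ACK."""
    want, mask = spec.split("/")
    want_bits = sum(_FLAG_BITS[c] for c in want)
    mask_bits = sum(_FLAG_BITS[c] for c in mask)
    return (pkt_flags & mask_bits) == want_bits


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int


@dataclass
class Rule:
    direction: str          # "in" or "out"
    dport: Optional[int]    # None = any port
    flags: str              # e.g. "S/SA"
    state: Optional[str]    # None (stateless), "keep" or "modulate"


@dataclass
class State:
    initiator: Endpoint                 # the side that sent the SYN
    seq_offset: int                     # non-zero only for 'modulate state'
    max_seq: Dict[Endpoint, int] = field(default_factory=dict)


class Firewall:
    def __init__(self, rules: List[Rule], modulate_offset: int = 0x1000_0000):
        self.rules = rules
        self.modulate_offset = modulate_offset  # constructed; pf randomises it
        self.states: Dict[frozenset, State] = {}

    @staticmethod
    def _key(p: Packet) -> frozenset:
        # one entry serves both directions of the flow
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def process(self, direction: str, p: Packet) -> str:
        """Return 'pass+state', 'pass' or 'block' for one packet."""
        st = self.states.get(self._key(p))
        if st is not None:
            sender = (p.src, p.sport)
            last = st.max_seq.get(sender)
            if last is not None and abs(p.seq - last) > SEQ_WINDOW:
                return "block"      # matches a state but is outside the window
            st.max_seq[sender] = max(last or 0, p.seq)
            return "pass"
        matched = None
        for r in self.rules:        # pf: the last matching rule wins
            if (r.direction == direction
                    and (r.dport is None or r.dport == p.dport)
                    and flags_match(p.flags, r.flags)):
                matched = r
        if matched is None:
            return "block"          # assumed 'block all' default
        if matched.state is None:
            return "pass"           # stateless, like the original 'pass in' rule
        offset = self.modulate_offset if matched.state == "modulate" else 0
        self.states[self._key(p)] = State((p.src, p.sport), offset, {(p.src, p.sport): p.seq})
        return "pass+state"

    def wire_seq(self, p: Packet) -> int:
        """Sequence number after the firewall: 'modulate state' shifts only the
        initiator's numbers, hiding a weak client ISN from the server."""
        st = self.states.get(self._key(p))
        if st is None or (p.src, p.sport) != st.initiator:
            return p.seq
        return p.seq + st.seq_offset


def demo() -> Tuple[List[str], int, int]:
    rules = [
        # pass in on $ext_if proto tcp to ($ext_if) port 22 flags S/SA modulate state
        Rule("in", 22, "S/SA", "modulate"),
        # pass out on $ext_if proto { tcp, udp, icmp } from any to any flags S/SA modulate state
        Rule("out", None, "S/SA", "modulate"),
    ]
    fw = Firewall(rules)
    client, server = "198.51.100.7", "203.0.113.10"      # constructed addresses
    syn = Packet(client, 40000, server, 22, SYN, 1000)
    synack = Packet(server, 22, client, 40000, SYN | ACK, 5000)
    ack = Packet(client, 40000, server, 22, ACK, 1001)
    stray = Packet("198.51.100.8", 40001, server, 22, ACK, 777)  # no handshake seen
    far = Packet(client, 40000, server, 22, ACK, 1001 + 10_000_000)
    verdicts = [fw.process("in", syn), fw.process("out", synack),
                fw.process("in", ack), fw.process("in", stray),
                fw.process("in", far)]
    return verdicts, fw.wire_seq(ack), fw.wire_seq(synack)
```

The `stray` packet is the case Stuart mentions: a flow that was set up before the firewall had state for it is dropped rather than admitted on the strength of its port and address alone.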
Re: systrace: vi policy
On Sun 2006.11.12 at 08:55 -0600, Jacob Yocom-Piatt wrote:

consider sorting your policies...also, try to be more generic in other places, for example, match /usr/lib/libc.so.*

> Policy: /usr/bin/vi, Emulation: native
> 	native-issetugid: permit
> 	native-mprotect: permit
> 	native-mmap: permit
> 	native-__sysctl: permit
> 	native-fsread: filename eq /var/run/ld.so.hints then permit
> 	native-fstat: permit
> 	native-close: permit
> 	native-fsread: filename eq /usr/lib/libcurses.so.10.0 then permit
> 	native-read: permit
> 	native-mquery: permit
> 	native-fsread: filename eq /usr/lib/libc.so.39.0 then permit
> 	native-munmap: permit
> 	native-sigprocmask: permit
> 	native-fsread: filename eq /etc/malloc.conf then permit
> 	native-ioctl: permit
> 	native-fsread: filename eq $HOME/.terminfo.db then permit
> 	native-fsread: filename eq $HOME/.terminfo then permit
> 	native-fsread: filename eq /usr/share/misc/terminfo.db then permit
> 	native-fcntl: permit
> 	native-pread: permit
> 	native-sigaction: permit
> 	native-fsread: filename eq /usr/share/vi/catalog then permit
> 	native-getpid: permit
> 	native-fsread: filename eq /tmp then permit
> 	native-fswrite: filename eq /tmp/* then permit

use match

> 	native-lseek: permit
> 	native-fsread: filename eq /etc/vi.exrc then permit
> 	native-fsread: filename eq $HOME/.nexrc then permit
> 	native-fsread: filename eq $HOME/.exrc then permit
> 	native-fsread: filename eq $HOME/* then permit

use match

> 	native-fsread: filename eq /var/tmp/vi.recover then permit
> 	native-fswrite: filename eq /var/tmp/vi.recover/* then permit
> 	native-fchmod: fd eq 3 and mode eq 700 then permit
> 	native-flock: permit
> 	native-write: permit
> 	native-poll: permit
> 	native-select: permit
> 	native-getuid: permit
> 	native-fsread: filename eq /etc/spwd.db then permit
> 	native-fsread: filename eq /etc/pwd.db then permit
> 	native-fchmod: fd eq 6 and mode eq 600 then permit
> 	native-gettimeofday: permit
> 	native-fsread: filename eq /usr/share/zoneinfo/US/Central then permit
> 	native-pwrite: permit
> 	native-fsync: permit
> 	native-chmod: filename eq /var/tmp/vi.recover/vi.* and mode eq 600 then permit
> 	native-fswrite: filename eq $HOME/* then permit
> 	native-exit: permit
> 	native-fchmod: fd eq 3 and mode eq 600 then permit
> 	native-fsread: filename eq /usr/share/nls/C/libc.cat then permit
> 	native-fsread: filename eq /non-existent filename: /usr/share/nls/libc/C then permit
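As an added example (not code from the thread or from systrace itself), the Python below evaluates filename filters written the way the policy above is, against the three syscalls the posted log shows denied, and shows why `eq /tmp/*` denies `/tmp/bt.lP2684` while `match /tmp/*` permits it. It assumes first-match evaluation, shell-glob (fnmatch) semantics for `match`, `$HOME` expansion before comparison, and denial of anything unmatched under `systrace -a`; the parser handles single-condition filters only, so the compound `fd ... and mode ...` lines are left out of the sample.

```python
"""systrace filename filters: 'eq' (exact) versus 'match' (wildcard).

Added example, not from the thread.  Assumptions: filters are evaluated
in order with the first match deciding, 'match' behaves like a shell glob,
$HOME is expanded before comparison, and an unmatched syscall under
'systrace -a' is denied, as the posted log shows.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Single-condition filters only; compound ones ('fd eq 3 and mode eq 700')
# are not parsed by this example.
_RULE = re.compile(
    r"^(?P<syscall>[\w-]+):\s*"
    r"(?:(?P<field>\w+)\s+(?P<op>eq|match)\s+(?P<value>\S+)\s+then\s+)?"
    r"(?P<action>permit|deny)$"
)


@dataclass
class Filter:
    syscall: str
    field: Optional[str]   # "filename", or None for an unconditional filter
    op: Optional[str]      # "eq" or "match"
    value: Optional[str]
    action: str            # "permit" or "deny"


def parse_policy(text: str) -> List[Filter]:
    filters = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Policy:"):
            continue
        m = _RULE.match(line)
        if m is None:
            raise ValueError(f"unsupported filter: {line}")
        value = m["value"].strip('"') if m["value"] else None  # quotes, if any
        filters.append(Filter(m["syscall"], m["field"], m["op"], value, m["action"]))
    return filters


def evaluate(filters: List[Filter], syscall: str, filename: str, home: str) -> str:
    """The first filter for this syscall whose condition holds decides."""
    for f in filters:
        if f.syscall != syscall:
            continue
        if f.field is None:
            return f.action
        pattern = f.value.replace("$HOME", home)
        if f.op == "eq" and filename == pattern:
            return f.action      # literal comparison: '*' is just a character
        if f.op == "match" and fnmatch.fnmatchcase(filename, pattern):
            return f.action
    return "deny"


def widen_wildcards(text: str) -> str:
    """Rewrite 'eq' to 'match' on filters whose value carries a wildcard."""
    out = []
    for line in text.splitlines():
        if " eq " in line and "*" in line:
            line = line.replace(" eq ", " match ", 1)
        out.append(line)
    return "\n".join(out)


# Constructed subset of the posted /etc/systrace/usr_bin_vi policy.
ORIGINAL_POLICY = """\
Policy: /usr/bin/vi, Emulation: native
        native-fsread: filename eq /tmp then permit
        native-fswrite: filename eq /tmp/* then permit
        native-fsread: filename eq $HOME/* then permit
        native-fswrite: filename eq /var/tmp/vi.recover/* then permit
"""

HOME = "/home/systest"
# The three syscalls denied in the posted log lines.
DENIED = [
    ("native-fswrite", "/tmp/bt.lP2684"),
    ("native-fsread", "/home/systest/test.txt"),
    ("native-fswrite", "/tmp/vi.HgVcdq2684"),
]


def audit(policy_text: str) -> List[str]:
    filters = parse_policy(policy_text)
    return [evaluate(filters, sc, fn, HOME) for sc, fn in DENIED]


def audit_both() -> Tuple[List[str], List[str]]:
    """Verdicts for the denied syscalls under the posted policy and the widened one."""
    return audit(ORIGINAL_POLICY), audit(widen_wildcards(ORIGINAL_POLICY))
```

Once widened, `match $HOME/*` also permits reads of dotfiles such as `$HOME/.ssh/id_rsa`, so check what a wildcard actually covers before relying on the policy as a read/write restriction.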
Re: NFS very slow in 4.0
Pedro Martelletto wrote:
> On Sun, Nov 12, 2006 at 01:59:47PM +0100, Federico Giannici wrote:
> > Is there any case that makes NFS in 4.0 read the listing of a directory?
>
> Yes, the getcwd() change. I wonder if it exposed any other bug in our NFS code (as it did in the past, but those got fixed, since they were reported).
>
> Anyway, I'm working on trying to find a reason for what you're seeing, along with a fix.

I have just noticed that at the same time as these NFS problems there has been a big decrease of traffic in our DNS server... After some investigation I found that the DNS server (recently upgraded to 4.0) had reached the maximum of memory (there was a datasize 200M option).

Now that the DNS problem is solved, it SEEMS that the problem with NFS is reduced.

So I have two questions:

1) Is NFS activity in some way related to DNS? Anyway it could be that my mail delivery program depends on DNS, and so it delayed the delivery...

2) Is it possible that, if a certain number of processes are already using NFS, subsequent attempts by other processes are STOPPED, until some other process RELEASES the use of NFS??? If this is true, what can I do to increase the number of concurrent processes writing via NFS? I increased vfs.nfs.iothreads to 20, but it seems not to be enough...

Thanks.

-- 
Federico Giannici
[EMAIL PROTECTED]
http://www.neomedia.it
Re: Troubles trying to configure non-default VPN
On Fri, Nov 10, 2006 at 05:50:54AM +1100, nuffnough wrote:
> On 11/9/06, jared r r spiegel [EMAIL PROTECTED] wrote:
>
> No Phase one. Just a packet to initiate, then a packet back to say that the far end doesn't like me. Debug on the other end indicated that when my end initiates, it does it with 128bit key length and a lifetime of one hour. Of course, I didn't have the brilliant idea of just setting my end up as passive, to make sure that the other end initiates. The required parameters fall within the ranges of the default AES-SHA config.

that reminds me of having the same kind of issue at times; where if i was passive it would come up, but if i was the initiator, it would not. that's part of the reason i chose to switch my configs to hard values for the proposals, instead of that want,min:max syntax. i am very glad that syntax is available, but as i didn't have to support a big wide range of incoming clients piloted by knob twiddlers, i found it to be a benefit to move to just want for the different params. got rid of the 'sometimes works/sometimes doesn't/seems to matter if i init or am inited upon' stuff.

without running it through isakmpd to parse it, and given that i'm a bit rusty with isakmpd.conf, nothing jumps out at me.

> The real (prolly newbie) question that I think I need the answer to is: After I define a custom transform, am I still able to call the standard pre-defined transforms at the same time?

i bet $10 that yes, you can. cannot say with certainty/hard reference examples at the moment, but i believe that once isakmpd is running, the predefined transform jobbies are no different to isakmpd than any you specify. perhaps it would be an issue if you collided names for the transform/proto/suite, but iirc you weren't doing that.

> I have about 20 other vpns with diverse encryption parameters. It would be moderately painful if I had to manually configure them all just to make this new one work.
>
> Is there something I am missing about the structure of isakmpd.conf about the placement or reference of these new sections for lifetime and XX-AES-SHA?

tbh i don't recall if order matters. here's a c/p of an isakmpd.conf w/custom phase-1 and phase-2 i had running stable up until i switched over to an ipsecctl-based scheme. ( we had our own X509 fqdn certs from back in the certpatch days ). either end of the tunnel was OK to initiate the negotiation, and the intent was for the tunnels to be always up.

Was this the only definition in your isakmpd.conf at the time..? at one point i had added another peer who was using pre-shared keys for phaseI; that peer had its own set of transform/proto/suites defined in a similar fashion as the first ones, but little different params ( longer lifetime, 128b key length on phaseI, whatever default keylen is on phaseII, if that's even applicable there ). i don't think i had one that was strictly one of the predefined transforms at any point along side one using a custom transform... makes me wish i had /etc in CVS a long long time ago.

> Just at the moment the guy configuring the other end has stepped it down to 128bit with a 1 hour timeout for me and we now get Phase-1 okay. This is a little unfortunate, because it means I can't run any of these ipsecadm/ipsecctl tests to get the output to give you so you can help me. I expect that he'll be back on deck in a few hours, and I will dump it in here then.

iow, either side can init the tunnel OK, doesn't matter who starts it?

if he did that and you still have the XX-phase-1-lifetime and XX-AES-SHA thing in there, try doing the setting where you only specify the 128 and 3600; then see if the tunnel comes up with you init'ing as that again, then do the lifetime to 86400 and restart, see if you still get tunnel with either person init'ing. if that still works, bump the 128 up.

i have this nagging in the back of my head i can't get rid of that is telling me there's one of the parameters where you think you're adjusting the cipher strength but in reality the parameter ends up ignored and doesn't matter.

fwiw, when i've gotten to the point of sitting there banging my head on a wall because 'no proposal chosen', and everything looks like it should be working, it's 9/10 times been because of the damn lifetimes (mismatch). ( i think the other 1/10 has something to do with the key_length that for some reason i can't stop thinking doesn't matter in either phaseI or phaseII, but i don't have the details on hand )

the bitch is when you don't know what the other side is using as a default, but i think that -dDAblahbla one up there will catch those (expected/recv'd).

but yeah, if you both work ok at 128/3600, try 128/86400 first and then move up the 128.

-- 
jared
Re: NFS very slow in 4.0
On Sun, Nov 12, 2006 at 04:32:27PM +0100, Federico Giannici wrote:
> Now that the DNS problem is solved, it SEEMS that the problem with NFS is reduced.

Interesting... let me know what else you find out.

> 1) Is NFS activity in some way related to DNS?

Not really. Well, both go through the network. :-)

> Anyway it could be that my mail delivery program depends on DNS, and so it delayed the delivery...

Possibly.

> 2) Is it possible that, if a certain number of processes are already using NFS, subsequent attempts by other processes are STOPPED, until some other process RELEASES the use of NFS???

Not the use of NFS, but of certain resources. It's like that all over the kernel.

> If this is true, what can I do to increase the number of concurrent processes writing via NFS? I increased vfs.nfs.iothreads to 20, but it seems not to be enough...

Well, it would be nice to have real locking for NFS, so some polling constructions could be avoided. But given the amount of people interested in helping, that's too far of a goal. So yeah, try bumping that for now, if you feel the server (and the network) are comfortable with the load.

-p.
Re: how to use infrared remote control with openbsd ?
On Sun, Nov 12, 2006 at 03:31:30AM -0800, Claude Brassel wrote:
> Hello,
>
> I'm using lirc on linux and I want to switch to openbsd, but I can not find an equivalent package to lirc.

I am planning to port it to get it to work but I am not sure when I will be done. Do you want to sponsor it? :)

> Have I missed something, or does somebody have a good idea?

But I only want to support user space serial drivers to begin with as that is the remote I want to get working and that is the hardware I have. After that you should pick up and run. :)

Hopefully I should be done within a fortnight's time. (But it might take longer considering my present schedule)

Best,
Girish

-- 
Linux is for folks who hate Windoze. FreeBSD is for folks who love UNIX. OpenBSD is for folks who can't live without UNIX.
Dead lm-sensor??
Hi,

Here are two dmesgs from two identical PC Engines WRAP 2E boxes that until today had lm77 sensors providing the temperature, but today one of them doesn't and I get this:

unknown at iic1 addr 0x48 not configured
---
lmtemp0 at iic1 addr 0x48: lm77

Is this a hardware failure?? Other than this they are both working fine.

/Rickard.

OpenBSD 3.9 (WRAP12) #0: Mon Sep 4 17:45:51 CEST 2006
    [EMAIL PROTECTED]:/home/rd/flashboot/flashboot/obj/WRAP12
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
cpu0: TSC disabled
real mem = 133804032 (130668K)
avail mem = 108634112 (106088K)
using 331 buffers containing 1355776 bytes (1324K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(fa) BIOS, date 05/02/05, BIOS32 rev. 0 @ 0xfc5f2
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Cyrix GXm PCI" rev 0x00
sis0 at pci0 dev 14 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 10, address 00:0d:b9:01:91:7c
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 15 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 9, address 00:0d:b9:01:91:7d
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 16 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 11, address 00:0d:b9:01:91:7e
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
gscpcib0 at pci0 dev 18 function 0 "NS SC1100 ISA" rev 0x00
gpio0 at gscpcib0: 64 pins
"NS SC1100 SMI" rev 0x00 at pci0 dev 18 function 1 not configured
pciide0 at pci0 dev 18 function 2 "NS SCx200 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <STI Flash 7.2.0>
wd0: 1-sector PIO, LBA, 122MB, 250880 sectors
wd0(pciide0:0:0): using PIO mode 4
"NS SCx200 AUDIO" rev 0x00 at pci0 dev 18 function 3 not configured
geodesc0 at pci0 dev 18 function 5 "NS SC1100 X-Bus" rev 0x00: iid 6 revision 3 wdstatus 0
ohci0 at pci0 dev 19 function 0 "Compaq USB OpenHost" rev 0x08: irq 9, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Compaq OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
isa0 at gscpcib0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
midi0 at pcppi0: <PC speaker>
gscsio0 at isa0 port 0x2e/2: SC1100 SIO rev 1: ACB1 ACB2
iic0 at gscsio0
iic1 at gscsio0
unknown at iic1 addr 0x48 not configured
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
biomask f3ef netmask ffef ttymask ffef
rd0: fixed, 30720 blocks
dkcsum: wd0 matches BIOS drive 0x80
root on rd0a
rootdev=0x1100 rrootdev=0x2f00 rawdev=0x2f02
clock: unknown CMOS layout

OpenBSD 3.9 (WRAP12) #0: Mon Sep 4 17:45:51 CEST 2006
    [EMAIL PROTECTED]:/home/rd/flashboot/flashboot/obj/WRAP12
cpu0: Geode(TM) Integrated Processor by National Semi ("Geode by NSC" 586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
cpu0: TSC disabled
real mem = 133804032 (130668K)
avail mem = 108634112 (106088K)
using 331 buffers containing 1355776 bytes (1324K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(fa) BIOS, date 05/02/05, BIOS32 rev. 0 @ 0xfc5f2
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Cyrix GXm PCI" rev 0x00
sis0 at pci0 dev 14 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 10, address 00:0d:b9:01:94:ec
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 15 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 9, address 00:0d:b9:01:94:ed
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 16 function 0 "NS DP83815 10/100" rev 0x00, DP83816A: irq 11, address 00:0d:b9:01:94:ee
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
gscpcib0 at pci0 dev 18 function 0 "NS SC1100 ISA" rev 0x00
gpio0 at gscpcib0: 64 pins
"NS SC1100 SMI" rev 0x00 at pci0 dev 18 function 1 not configured
pciide0 at pci0 dev 18 function 2 "NS SCx200 IDE" rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <STI Flash 7.2.0>
wd0: 1-sector PIO, LBA, 122MB, 250880 sectors
wd0(pciide0:0:0): using PIO mode 4
"NS SCx200 AUDIO" rev 0x00 at pci0 dev 18 function 3 not configured
geodesc0 at pci0 dev 18 function 5 "NS SC1100 X-Bus" rev 0x00: iid 6 revision 3 wdstatus 9<WDRST,WDOVF>
isa0 at gscpcib0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
midi0 at pcppi0: <PC speaker>
gscsio0 at isa0 port 0x2e/2: SC1100 SIO rev 1: ACB1 ACB2
iic0 at gscsio0
iic1 at gscsio0
Re: Just one more cisco... please
On Sat, 11 Nov 2006 08:40:23 -0600 (CST) Jacob Yocom-Piatt [EMAIL PROTECTED] spake:
> Original message
> Date: Sat, 11 Nov 2006 00:44:13 -0500
> From: Bill [EMAIL PROTECTED]
> Subject: Just one more cisco... please
> To: misc@openbsd.org
>
> > I just found out that to add a 4th interface to our PIX firewall will cost $100 for the card, and $3,000 for the license upgrade to allow us to do that. WTF is all that about?
>
> the cost of license upgrades on proprietary crapware is so ridiculous. it reminds me of the ~500 USD that sonicwall wants just to support vlans on its enhanced OS.
>
> > corporate network is coming together nicely... Sn my pretty pix, sn you shall be on Ebay... Any takers? If not, anyone got a six pack and some thermite?
>
> hop online and order the magnesium strip, iron (III) oxide and powdered aluminum and get busy! if you do this, please videotape it and post it to the list for all to enjoy.
>
> > Seriously though - OpenBSD has been incredibly solid - Thanks much to everyone involved from the FAQ guys to the coders, to the planners and the doers.

Well, I got a note saying the project itself could use the hardware to hack on, so it may be a tough call... I can use it for good, or for enjoyment... Blowing up stuff (well... melting) or packaging and mailing. I dunno... of course this all assumes I can get it released into my hands...
Problems applying 002_openssl.patch for OpenBSD 4.0
Hi.

After updating from OpenBSD 3.9 to 4.0 I extracted the new tarballs src.tar.gz and sys.tar.gz and got the patches for OpenBSD 4.0 from openbsd.org/errata.html. I had no problem applying the patches except for 002_openssl, which stops during make with:

# make
[... snipp ...]
===> crypto
cc -O2 -pipe -g -DL_ENDIAN -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_IDEA -DTERMIOS -DANSI_SOURCE -DNO_ERR -DOPENSSL_NO_ASM -DOPENSSL_NO_RC5 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_MDC2 -DNO_WINDOWS_BRAINDEATH -DOPENSSL_NO_HW_CSWIFT -DOPENSSL_NO_HW_NCIPHER -DOPENSSL_NO_HW_ATALLA -DOPENSSL_NO_HW_NURON -DOPENSSL_NO_HW_UBSEC -DOPENSSL_NO_HW_AEP -DOPENSSL_NO_HW_SUREWARE -DOPENSSL_NO_HW_4758_CCA -I/usr/src/lib/libssl/crypto/../src -I/usr/src/lib/libssl/crypto/../src/crypto -I/usr/src/lib/libssl/crypto/obj -DAES_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENBSD_CAST_ASM -DOPENBSD_DES_ASM -c /usr/src/lib/libssl/src/crypto/rsa/rsa_eay.c -o rsa_eay.o
cc -O2 -pipe -g -DL_ENDIAN -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_IDEA -DTERMIOS -DANSI_SOURCE -DNO_ERR -DOPENSSL_NO_ASM -DOPENSSL_NO_RC5 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_MDC2 -DNO_WINDOWS_BRAINDEATH -DOPENSSL_NO_HW_CSWIFT -DOPENSSL_NO_HW_NCIPHER -DOPENSSL_NO_HW_ATALLA -DOPENSSL_NO_HW_NURON -DOPENSSL_NO_HW_UBSEC -DOPENSSL_NO_HW_AEP -DOPENSSL_NO_HW_SUREWARE -DOPENSSL_NO_HW_4758_CCA -I/usr/src/lib/libssl/crypto/../src -I/usr/src/lib/libssl/crypto/../src/crypto -I/usr/src/lib/libssl/crypto/obj -DAES_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENBSD_CAST_ASM -DOPENBSD_DES_ASM -c /usr/src/lib/libssl/src/crypto/rsa/rsa_err.c -o rsa_err.o
cc -O2 -pipe -g -DL_ENDIAN -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_IDEA -DTERMIOS -DANSI_SOURCE -DNO_ERR -DOPENSSL_NO_ASM -DOPENSSL_NO_RC5 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_MDC2 -DNO_WINDOWS_BRAINDEATH -DOPENSSL_NO_HW_CSWIFT -DOPENSSL_NO_HW_NCIPHER -DOPENSSL_NO_HW_ATALLA -DOPENSSL_NO_HW_NURON -DOPENSSL_NO_HW_UBSEC -DOPENSSL_NO_HW_AEP -DOPENSSL_NO_HW_SUREWARE -DOPENSSL_NO_HW_4758_CCA -I/usr/src/lib/libssl/crypto/../src -I/usr/src/lib/libssl/crypto/../src/crypto -I/usr/src/lib/libssl/crypto/obj -DAES_ASM -DMD5_ASM -DSHA1_ASM -DRMD160_ASM -DOPENBSD_CAST_ASM -DOPENBSD_DES_ASM -c /usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c -o rsa_x931.o
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c: In function `RSA_X931_hash_id':
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:165: error: `NID_sha256' undeclared (first use in this function)
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:165: error: (Each undeclared identifier is reported only once
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:165: error: for each function it appears in.)
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:168: error: `NID_sha384' undeclared (first use in this function)
/usr/src/lib/libssl/src/crypto/rsa/rsa_x931.c:171: error: `NID_sha512' undeclared (first use in this function)
*** Error code 1

Stop in /usr/src/lib/libssl/crypto.
*** Error code 1

Stop in /usr/src/lib/libssl.

All previous commands for this patch (cd lib/libssl, make obj, make depend, make includes) didn't produce any errors.

Can someone give me some hints about this?

Thanks, Andreas.

-- Hobbes : Shouldn't we read the instructions? Calvin : Do I look like a sissy?
Re: Problems applying 002_openssl.patch for OpenBSD 4.0
rm -rf /usr/obj/* and then try again.

P.S. I have an error code 71 on one of my boxes on the make install...think my disk is now full of cruft from countless upgrades, it's time to wipe it and start over.

-- ~Allie D.

On Sun, November 12, 2006 09:28, Andreas Maus wrote:
> Hi. After updating from OpenBSD 3.9 to 4.0 I extracted the new tarballs src.tar.gz and sys.tar.gz and got the patches for OpenBSD 4.0 from openbsd.org/errata.html I had no problem applying the patches except for 002_openssl which stops while make with:
> [...]
> Can someone give me some hints about this? Thanks, Andreas.
Re: Problems applying 002_openssl.patch for OpenBSD 4.0
From: Andreas Maus [EMAIL PROTECTED]
Subject: Problems applying 002_openssl.patch for OpenBSD 4.0

> Hi. After updating from OpenBSD 3.9 to 4.0 I extracted the new tarballs src.tar.gz and sys.tar.gz and got the patches for OpenBSD 4.0 from openbsd.org/errata.html I had no problem applying the patches except for 002_openssl which stops while make with:

http://marc.theaimsgroup.com/?l=openbsd-misc&m=116327103731240&w=2
Re: how to use infrared remote control with openbsd ?
Hello,

> I am planning to port it to get it to work but I am not sure when I will be done. Do you want to sponsor it? :)

Sure, I can sponsor you with some old remote controls :))

> But I only want to support user space serial drivers to begin with as that is the remote I want to get working and that is the hardware I have.

I need only the serial driver (I have made some basic serial IR receivers).

> After that you should pick up and run. :)

That sounds great!

> Hopefully I should be done within a fortnight's time.

That sounds great too! I can wait!

> (But it might take longer considering my present schedule)
>
> Best, Girish

Regards, Claude

-- View this message in context: http://www.nabble.com/how-to-use-infrared-remote-control-with-openbsd---tf2616357.html#a7305177
Sent from the openbsd user - misc mailing list archive at Nabble.com.
About useing (pkg_add -u -r)
I wonder what exactly (pkg_add -u -r) does: is it supposed to notify me of new versions of my installed packages, or to update them recursively?

thanks all

-- M.Salah
Re: systrace: vi policy
Original message
Date: Sun, 12 Nov 2006 10:26:10 -0500
From: Okan Demirmen [EMAIL PROTECTED]
Subject: Re: systrace: vi policy
To: misc@openbsd.org

> On Sun 2006.11.12 at 08:55 -0600, Jacob Yocom-Piatt wrote:
> consider sorting your policies...also, try to be more generic in other places, for example,
>
> match "/usr/lib/libc.so.*"
>
> native-fswrite: filename eq "/tmp/*" then permit
>
> use match

okan, that did the trick, thx for the syntax advice. is there any particular utility you recommend for sorting the syscalls?

cheers, jake
Re: Problems applying 002_openssl.patch for OpenBSD 4.0
Hi Allie.

Thanks. Clearing /usr/obj did it. I guess running make clean (as suggested by Christopher [EMAIL PROTECTED]) would also be a solution.

Thanks, Andreas.

On 11/12/06, Allie D. [EMAIL PROTECTED] wrote:
> rm -rf /usr/obj/* and then try again.
>
> P.S. I have an error code 71 on one of my boxes on the make install...think my disk is now full of cruft from countless upgrades, it's time to wipe it and start over.
>
> -- ~Allie D.
>
> On Sun, November 12, 2006 09:28, Andreas Maus wrote:
> > Hi. After updating from OpenBSD 3.9 to 4.0 I extracted the new tarballs src.tar.gz and sys.tar.gz and got the patches for OpenBSD 4.0 from openbsd.org/errata.html I had no problem applying the patches except for 002_openssl which stops while make with:
> > [...]
> > Can someone give me some hints about this? Thanks, Andreas.

-- Hobbes : Shouldn't we read the instructions? Calvin : Do I look like a sissy?
NFS and suspend
Half the time after resuming my T40 laptop from suspend my NFS connection hangs. If I do a df or do shell file name completion on the mounted directory name my xterm hangs:

[EMAIL PROTECTED] df -k
nfs server grits:/home: not responding
[EMAIL PROTECTED] ls do
nfs server grits:/home: not responding
[EMAIL PROTECTED] ls
Downloads  Music  docs  photos  sigs  GNUstep  bin  packages.txt  ports_list  stuff

docs is the NFS mounted directory. And I get processes I can't kill, even with SIGKILL:

ethan  9923  0.0  0.0   284  140 p1-  D  9:50AM  0:00.02 df -k

[EMAIL PROTECTED] cat /etc/fstab
/dev/wd0a / ffs rw 1 1
/dev/wd0b /tmp mfs rw,nodev,nosuid,-s=512000 0 0
/dev/wd0f /home ffs rw,nodev,nosuid,softdep 1 2
/dev/wd0e /usr ffs rw,nodev 1 2
/dev/wd0d /var ffs rw,nodev,nosuid 1 2
grits:/home /home/grits nfs rw,nodev,nosuid,tcp,soft,intr 0 0

I haven't used NFS in quite some time. Is this expected behaviour or should it fail more gracefully with the soft mount? And even if it's not expected behaviour, is there any way to clear this without a reboot?

OpenBSD 4.0-current (GENERIC) #0: Sat Oct 28 01:18:09 PDT 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1300MHz ("GenuineIntel" 686-class) 1.30 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,EST,TM2
cpu0: Enhanced SpeedStep 1300 MHz (1388 mV): speeds: 1300, 1200, 1000, 800, 600 MHz
real mem = 535719936 (523164K)
avail mem = 480722944 (469456K)
using 4256 buffers containing 26910720 bytes (26280K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(a4) BIOS, date 06/02/06, BIOS32 rev. 0 @ 0xfd750, SMBIOS rev. 2.33 @ 0xe0010 (61 entries)
bios0: IBM 237314U
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 99%
apm0: AC on, battery charge high
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd6e0/0x920
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdea0/272 (15 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #6 is the last bus
bios0: ROM list: 0xc/0x1 0xdc000/0x4000! 0xe/0x1
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82855PE Hub" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82855PE AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Radeon Mobility M7 LW" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" rev 0x01: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x01: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 "Intel 82801DB USB" rev 0x01: irq 11
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb1 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0x81
pci2 at ppb1 bus 2
cbb0 at pci2 dev 0 function 0 "TI PCI1520 CardBus" rev 0x01: irq 11
cbb1 at pci2 dev 0 function 1 "TI PCI1520 CardBus" rev 0x01: irq 11
iwi0 at pci2 dev 2 function 0 "Intel PRO/Wireless 2200BG" rev 0x05: irq 11, address 00:12:f0:9e:f8:4b
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 3 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 6 device 0 cacheline 0x8, lattimer 0xb0
pcmcia1 at cardslot1
ichpcib0 at pci0 dev 31 function 0 "Intel 82801DBM LPC" rev 0x01
pciide0 at pci0 dev 31 function 1 "Intel 82801DBM IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <FUJITSU MHS2030AT>
wd0: 16-sector PIO, LBA, 28615MB, 58605120 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <HL-DT-ST, DVD-ROM GDR8083N, 0008> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 "Intel 82801DB SMBus" rev 0x01: irq 11
iic0 at ichiic0
auich0 at pci0 dev 31 function 5 "Intel 82801DB AC97" rev 0x01: irq 11, CH4 AC97
ac97: codec id 0x41445374 (Analog Devices AD1981B)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
"Intel 82801DB Modem" rev 0x01 at pci0 dev 31 function 6 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
Re: systrace: vi policy
On Sun 2006.11.12 at 12:15 -0600, Jacob Yocom-Piatt wrote:
> Original message
> Date: Sun, 12 Nov 2006 10:26:10 -0500
> From: Okan Demirmen [EMAIL PROTECTED]
> Subject: Re: systrace: vi policy
> To: misc@openbsd.org
>
> > On Sun 2006.11.12 at 08:55 -0600, Jacob Yocom-Piatt wrote:
> > consider sorting your policies...also, try to be more generic in other places, for example,
> >
> > match "/usr/lib/libc.so.*"
> >
> > native-fswrite: filename eq "/tmp/*" then permit
> >
> > use match
>
> okan, that did the trick, thx for the syntax advice. is there any particular utility you recommend for sorting the syscalls?

no problem. not to state the obvious, but use sort(1). call it within your favorite editor ;)

cheers.
Missing checksums on FTP server?
Hi!

I already searched the archives for that, but only found out that the missing xorg sets checksums have something to do with the build process. But why aren't they just added after the build? Where can I get the checksums for the xorg sets?

And why not sign the packages, using gzsign for example? An operating system that calls itself secure is only useful when you can be sure that you got it from good sources.

-- Jonathan
Re: systrace: vi policy
On Sun, 12 Nov 2006 12:15:39 -0600 (CST) Jacob Yocom-Piatt [EMAIL PROTECTED] wrote:
> Original message
> Date: Sun, 12 Nov 2006 10:26:10 -0500
> From: Okan Demirmen [EMAIL PROTECTED]
> Subject: Re: systrace: vi policy
> To: misc@openbsd.org
>
> > On Sun 2006.11.12 at 08:55 -0600, Jacob Yocom-Piatt wrote:
> > consider sorting your policies...also, try to be more generic in other places, for example,
> >
> > match "/usr/lib/libc.so.*"
> >
> > native-fswrite: filename eq "/tmp/*" then permit
> >
> > use match
>
> okan, that did the trick, thx for the syntax advice. is there any particular utility you recommend for sorting the syscalls?

have you tried sort(1) ?

> cheers, jake

Ben

- I'm also not very analytical. You know I don't spend a lot of time thinking about myself, about why I do things. George W. Bush June 4, 2003 Aboard Air Force One
OpenBSD isakmpd connectivity problem (or misunderstanding?)
Salut,

I have a problem with direct connection of two servers using IPsec. The IKE key exchange always comes up, but then it seems that both the routing and the encryption go entirely wrong.

The hosts exchange their internal addresses (10.16.1.1 and 10.1.1.1) as ID tokens for phase 2. However, if I try to ping 10.16.1.1 from 10.1.1.1, the packets go out the external interface - unencrypted.

If, however, I replace the ID tokens with the corresponding IP subnets (10.16.0.0/16 and 10.1.0.0/16), I get an even more weird effect:

* 10.16.0.0/16 can communicate with 10.1.0.0/16 just fine
* 10.1.0.0/16 can communicate with 10.16.0.0/16 just as well
* 10.16.1.1 can not reach 10.1.0.0/16, however, people in 10.1.0.0/16 can connect to 10.16.1.1 just fine
* 10.1.1.1 can not reach 10.16.0.0/16, however, people in 10.16.0.0/16 can connect to 10.1.1.1 just fine

[EMAIL PROTECTED] cat /etc/isakmpd/isakmpd.conf
[General]
Default-phase-1-lifetime= 120,60:3600
Default-phase-2-lifetime= 120,60:3600
Retransmits= 5
Check-interval= 5
Exchange-max-time= 120
Listen-on= external_ip_address_of_wg
Policy-File= /etc/isakmpd/isakmpd.policy

[Phase 1]
external_ip_address_of_sygroup= ISAKMP-peer-sygroup

[Phase 2]
Connections= IPsec-wg-sygroup

[ISAKMP-peer-sygroup]
Phase= 1
Transport= udp
Local-address= external_ip_address_of_wg
Address= external_ip_address_of_sygroup

[IPsec-wg-sygroup]
Phase= 2
ISAKMP-peer= ISAKMP-peer-sygroup
Configuration= Default-quick-mode
Local-ID= Net-wg
Remote-ID= Net-sygroup

[Net-wg]
ID-type= IPV4_ADDR_SUBNET
Network= 10.16.0.0
Netmask= 255.255.0.0

[Net-sygroup]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.0.0
Netmask= 255.255.0.0

# Quick mode description
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-TWOFISH-SHA-PFS-SUITE

[EMAIL PROTECTED] cat /etc/isakmpd/isakmpd.conf
[General]
Default-phase-1-lifetime= 120,60:3600
Default-phase-2-lifetime= 120,60:3600
Retransmits= 5
Check-interval= 5
Exchange-max-time= 120
Listen-on= external_ip_of_sygroup
Policy-File= /etc/isakmpd/isakmpd.policy

[Phase 1]
external_ip_of_wg= ISAKMP-peer-wg

[Phase 2]
Connections= IPsec-sygroup-wg

[ISAKMP-peer-wg]
Phase= 1
Transport= udp
Local-address= external_ip_of_sygroup
Address= external_ip_of_wg

[IPsec-sygroup-wg]
Phase= 2
ISAKMP-peer= ISAKMP-peer-wg
Configuration= Default-quick-mode
Local-ID= Net-sygroup
Remote-ID= Net-wg

[Net-wg]
ID-type= IPV4_ADDR_SUBNET
Network= 10.16.0.0
Netmask= 255.255.0.0

[Net-sygroup]
ID-type= IPV4_ADDR_SUBNET
Network= 10.1.0.0
Netmask= 255.255.0.0

# Quick mode description
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-BLF-SHA-PFS-SUITE

(This is the config where the clients can actually connect to each other. If I replace the Network= with Address= and set ID-type to IPV4_ADDR, the two routers still can't connect to each other, but neither can the clients.)

The point of the whole exercise is that I have a lot of IPsec nodes and should propagate their routes using some routing protocol.

Any ideas on how to make the two routers talk to each other?

Tonnerre
Re: OpenBSD isakmpd connectivity problem (or misunderstanding?)
Tonnerre LOMBARD schrieb:
> Salut,
>
> I have a problem with direct connection of two servers using IPsec. The IKE key exchange always comes up, but then it seems that both the routing and the encryption go entirely wrong.
>
> The hosts exchange their internal addresses (10.16.1.1 and 10.1.1.1) as ID tokens for phase 2. However, if I try to ping 10.16.1.1 from 10.1.1.1, the packets go out the external interface - unencrypted.

You really do a ping -I 10.1.1.1 10.16.1.1, or only a ping 10.16.1.1? You must have 10.1.1.1 as the source IP. A normal ping on the gateway uses the external IP as source!

> If, however, I replace the ID tokens with the corresponding IP subnets (10.16.0.0/16 and 10.1.0.0/16), I get an even more weird effect:
>
> * 10.16.0.0/16 can communicate with 10.1.0.0/16 just fine
> * 10.1.0.0/16 can communicate with 10.16.0.0/16 just as well
> * 10.16.1.1 can not reach 10.1.0.0/16, however, people in 10.1.0.0/16 can connect to 10.16.1.1 just fine
> * 10.1.1.1 can not reach 10.16.0.0/16, however, people in 10.16.0.0/16 can connect to 10.1.1.1 just fine

Sounds like the same problem :)

Ralph
Re: OpenBSD isakmpd connectivity problem (or misunderstanding?)
Salut,

On Sun, Nov 12, 2006 at 10:24:23PM +0100, Ralph Gessner wrote:
> You really do a ping -I 10.1.1.1 10.16.1.1, or only a ping 10.16.1.1? You must have 10.1.1.1 as the source IP. A normal ping on the gateway uses the external IP as source!

Yes, this one works so far. However, how would one configure this statically? Is there any way other than route add -host 10.1.1.1 10.16.1.1 ?

> Sounds like the same problem :)

I imagined.

Tonnerre
Re: spamd delay times
From the spamd man page:

GREYLISTING
     When run in greylisting mode, spamd will run in the normal mode for any addresses blacklisted by spamd-setup(8). Connections from addresses not blacklisted by spamd-setup(8) will be considered for greylisting. Such connections will not be stuttered at (though see the -S option above)

     -S secs  Stutter at greylisted connections for the specified amount of seconds, after which the connection is not stuttered at. Defaults to 10.

On Sun, 2006-11-12 at 08:03 +0059, Han Boetes wrote:
> So I was looking through the spamd logs and noticed that the usual connection time for spamd is quite low.
>
> Nov 12 07:48:56 haddock spamd[15350]: 70.19.196.10: disconnected after 3 seconds.
> Nov 12 07:48:58 haddock spamd[15350]: 211.55.172.149: disconnected after 3 seconds.
> Nov 12 07:49:11 haddock spamd[15350]: 87.14.244.249: disconnected after 5 seconds.
> Nov 12 07:49:14 haddock spamd[15350]: 121.141.166.94: disconnected after 3 seconds.
> Nov 12 07:49:19 haddock spamd[15350]: 70.19.196.10: disconnected after 3 seconds.
> Nov 12 07:49:23 haddock spamd[15350]: 81.190.109.130: disconnected after 3 seconds.
> Nov 12 07:49:26 haddock spamd[15350]: 59.21.1.177: disconnected after 3 seconds.
> Nov 12 07:49:57 haddock spamd[15350]: 127.0.0.1: disconnected after 25 seconds.
>
> Especially if you find claims like this from http://www.benzedrine.cx/relaydb.html
>
> Aug 24 23:10:13 spamd: 213.30.181.11: disconnected after 2864 seconds.
>
> So I connected to spamd:
>
> ~% nc localhost 8025
> 220 haddock ESMTP spamd IP-based SPAM blocker; Sun Nov 12 08:01:56 2006
> helo dood
> 250 Hello, spam sender. Pleased to be wasting your time.
>
> And to my surprise only the first 10 chars are delayed with the standard delay of 1 second. The rest is returned at full speed. Is this OK? Shouldn't the whole connection be delayed?
>
> I'm running spamd like this:
>
> /usr/libexec/spamd -v -G7:4:864 -r451 -g
>
> # Han
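As an added example (not code from the thread or from spamd itself), the following script parses "disconnected after N seconds" lines in the syslog format Han quoted and sorts the sessions into the two regimes the man page excerpt describes: greylisted connections are stuttered only for the -S window (10 seconds by default) and end quickly, while a blacklisted address is stuttered for the whole session, which is what a multi-thousand-second connection like the relaydb example indicates. The sample log is constructed; 192.0.2.77 is a documentation address standing in for a blacklisted sender, and the thresholds are a heuristic, not spamd's own logic.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample in the format of the lines quoted in the thread.
# The last line belongs to another daemon and must be ignored.
SAMPLE_LOG = """\
Nov 12 07:48:56 haddock spamd[15350]: 70.19.196.10: disconnected after 3 seconds.
Nov 12 07:48:58 haddock spamd[15350]: 211.55.172.149: disconnected after 3 seconds.
Nov 12 07:49:11 haddock spamd[15350]: 87.14.244.249: disconnected after 5 seconds.
Nov 12 07:49:19 haddock spamd[15350]: 70.19.196.10: disconnected after 3 seconds.
Nov 12 07:49:57 haddock spamd[15350]: 127.0.0.1: disconnected after 25 seconds.
Nov 12 08:37:40 haddock spamd[15350]: 192.0.2.77: disconnected after 2864 seconds.
Nov 12 08:37:41 haddock sshd[4242]: Accepted publickey for han from 10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"spamd\[(?P<pid>\d+)\]: (?P<ip>[0-9a-fA-F.:]+): "
    r"disconnected after (?P<secs>\d+) seconds\.$"
)


class Disconnect(NamedTuple):
    ts: str
    ip: str
    secs: int


def parse_spamd_log(text: str) -> List[Disconnect]:
    """Keep only spamd disconnect lines; lines from other daemons are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Disconnect(m["ts"], m["ip"], int(m["secs"])))
    return events


def durations_by_ip(events: List[Disconnect]) -> Dict[str, List[int]]:
    """Session lengths in seconds, grouped per client address, in log order."""
    by_ip: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e.secs)
    return dict(by_ip)


def classify(events: List[Disconnect], stutter_secs: int = 10) -> Dict[str, str]:
    """Heuristic verdict per address. stutter_secs is the -S value (default 10):
    a greylisted client is slowed only for that long, so anything that outlives
    the window many times over was stuttered throughout, i.e. blacklisted."""
    verdict = {}
    for ip, secs in durations_by_ip(events).items():
        longest = max(secs)
        if longest > 10 * stutter_secs:
            verdict[ip] = "blacklisted (stuttered throughout)"
        elif longest > stutter_secs:
            verdict[ip] = "greylisted, lingered after stutter"
        else:
            verdict[ip] = "greylisted, left during stutter"
    return verdict


if __name__ == "__main__":
    for ip, v in sorted(classify(parse_spamd_log(SAMPLE_LOG)).items()):
        print(f"{ip:16} {v}")
```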
Re: OpenBSD isakmpd connectivity problem (or misunderstanding?)
Tonnerre LOMBARD wrote:
> > You must have 10.1.1.1 as the source IP. A normal ping on the gateway uses the external IP as source!
>
> Yes, this one works so far. However, how would one configure this statically? Is there any way other than route add -host 10.1.1.1 10.16.1.1 ?

I know no way of configuring this as a default. And I don't think the route will do what you want. But most tools have an option to set the address to bind (i.e. ssh -b address; ping -I address). Most applications like named, sendmail, apache also have a configuration option to select the bind address.

Maybe another way is setting up a second tunnel to encrypt the traffic between the two outside interfaces of your gateways.

Ralph
Re: OpenBSD isakmpd connectivity problem (or misunderstanding?)
I wrote:
Maybe another way is setting up a second tunnel to encrypt the traffic between the two outside interfaces of your gateways.

If you are using 4.0 then it is worth reading the manpage of ipsec.conf(5). It has greatly improved since 3.9 and there is almost no need to use isakmpd.conf/isakmpd.policy. In your case, maybe a:

ike esp from outside-gw1 to outside-gw2
ike esp from 10.16.0.0/16 to 10.1.0.0/16 peer outside-gw2

in the first gateway's ipsec.conf and a corresponding configuration on the second gateway will do the work.

Ralph
--
---
Ralph Gessner PGP: RSA:0xAEB9DC31 S/MIME: [EMAIL PROTECTED] DSS:0x566405B9 http://www.shryke.de/ca[EMAIL PROTECTED]
--
Re: ftp-proxy issues
(Note: since most of this could be relevant, I snipped very little. Scroll down some.)

On Sat, Nov 11, 2006 at 03:43:18PM +0100, Marc Peters wrote:
hi folks. i have issues with the ftp-proxy. i am using openbsd 4.0 which i fetched during the release-phase, so i think it is on status of -release. this box is the firewall of our network, with three interfaces. xl0 is for the internal lan, xl1 is for our dmz and xl2 is connected to internet. for all ftp-transactions to the dmz we use the ftp-proxy. on one server, everything is working fine. on the other server, ftp-proxy shows a strange behaviour. let me show you an example, to make things clearer.

the working host: logging in, everything's fine. now if i want to cd some directories deeper at once, ftp-proxy is working and contacting the ftp-server, which is running proftpd, correctly:

the commands i use:

ftp pwd
257 / is current directory.
ftp cd internet/foo-com/staging/htdocs/leistungen
250 CWD command successful
ftp pwd
257 /internet/foo-com/staging/htdocs/leistungen is current directory.
ftp

here comes the log from proftpd:

194.245.32.254 UNKNOWN ftpuser [11/Nov/2006:15:06:57 +0100] PWD 257 -
194.245.32.254 UNKNOWN ftpuser [11/Nov/2006:15:08:09 +0100] CWD internet/foo-com/staging/htdocs/leistungen 250 -
194.245.32.254 UNKNOWN ftpuser [11/Nov/2006:15:08:09 +0100] PWD 257 -

and now the output from the ftp-proxy host i took with tcpdump -Xttti xl0 (lan):

Nov 11 15:08:10.069206 192.168.0.14.49210 workinghost.domain.com.ftp: P 128:183(55) ack 403 win 65535 nop,nop,timestamp 74216628 3435911183 (DF) [tos 0x10]
: 4510 006b 1f95 4000 4006 23ba c0a8 530e [EMAIL PROTECTED]@.#B:CB(S.
0010: c2f5 2082 c03a 0015 0fad 434a eff6 19c4 CC5 .C:...B-CJC/C6.C
0020: 8018 0ad8 0101 080a 046c 74b4 ..C?C?.C...ltB4
0030: cccb d80f 4357 4420 696e 7465 726e 6574 CCC.CWD internet
0040: 2f7a 6569 747a 6272 6579 6572 2d64 652f /foo-com/
0050: 7374 st

Nov 11 15:08:10.070428 workinghost.domain.com.ftp 192.168.0.14.49210: P 403:431(28) ack 183 win 17376 nop,nop,timestamp 3435911328 74216628 (DF)
: 4500 0050 7ac4 4000 4006 c8b5 c2f5 2082 [EMAIL PROTECTED]@.CB5CC5 .
0010: c0a8 530e 0015 c03a eff6 19c4 0fad 4381 CB(S...C:C/C6.C.B-C.
0020: 8018 43e0 4d63 0101 080a cccb d8a0 ..CC Mc..CCC
0030: 046c 74b4 3235 3020 4357 4420 636f 6d6d .ltB4250 CWD comm
0040: 616e 6420 7375 6363 6573 7366 756c 0d0a and successful..

Nov 11 15:08:10.070715 192.168.0.14.49210 workinghost.domain.com.ftp: . ack 431 win 65535 nop,nop,timestamp 74216628 3435911328 (DF) [tos 0x10]
: 4510 0034 1f96 4000 4006 23f0 c0a8 530e [EMAIL PROTECTED]@.#C0CB(S.
0010: c2f5 2082 c03a 0015 0fad 4381 eff6 19e0 CC5 .C:...B-C.C/C6.C
0020: 8010 43ad 0101 080a 046c 74b4 ..C?C?CB-...ltB4
0030: cccb d8a0CCC

Nov 11 15:08:10.072944 192.168.0.14.49210 workinghost.domain.com.ftp: P 183:188(5) ack 431 win 65535 nop,nop,timestamp 74216628 3435911328 (DF) [tos 0x10]
: 4510 0039 1f97 4000 4006 23ea c0a8 530e [EMAIL PROTECTED]@.#C*CB(S.
0010: c2f5 2082 c03a 0015 0fad 4381 eff6 19e0 CC5 .C:...B-C.C/C6.C
0020: 8018 a53b 0101 080a 046c 74b4 ..C?C?B%;...ltB4
0030: cccb d8a0 5057 440d 0a CCC PWD..

Nov 11 15:08:10.073491 workinghost.domain.com.ftp 192.168.0.14.49210: P 431:511(80) ack 188 win 17376 nop,nop,timestamp 3435911328 74216628 (DF)
: 4500 0084 6e1b 4000 4006 d52a c2f5 2082 [EMAIL PROTECTED]@.C*CC5 .
0010: c0a8 530e 0015 c03a eff6 19e0 0fad 4386 CB(S...C:C/C6.C .B-C.
0020: 8018 43e0 58e5 0101 080a cccb d8a0 ..CC XC%..CCC
0030: 046c 74b4 3235 3720 222f 696e 7465 726e .ltB4257 /intern
0040: 6574 2f7a 6569 747a 6272 6579 6572 2d64 et/foo-com
0050: 652f /

and the outgoing part on the dmz-interface:

Nov 11 15:08:10.069396 ftp-proxy.domain.com.10146 workinghost.domain.com.ftp: P 128:183(55) ack 403 win 16384 nop,nop,timestamp 4038516918 1475073962 (DF)
: 4500 006b 73e1 4000 4006 ff40 c2f5 20fe [EMAIL PROTECTED]@[EMAIL PROTECTED] C
0010: c2f5 2082 27a2 0015 8ee7 5ff7 482f c21e CC5 .'B...C'_C7H/C.
0020: 8018 4000 13b1 0101 080a f0b6 e0b6 [EMAIL PROTECTED] B6
0030: 57eb d7aa 4357 4420 696e 7465 726e 6574 WC+CB*CWD internet
0040: 2f7a 6569 747a 6272 6579 6572 2d64 652f /foo-com/
0050: 7374 st

Nov 11 15:08:10.070341 workinghost.domain.com.ftp ftp-proxy.domain.com.10146: P 403:431(28) ack 183 win 1448 nop,nop,timestamp 1475146718 4038516918 (DF) [tos 0x10]
: 4510 0050 2287 4000 4006 50a6 c2f5 2082 E..P[EMAIL PROTECTED]@.PBCC5 .
0010: c2f5 20fe 0015 27a2 482f c21e 8ee7 602e CC5 C..'BH/C..C'`.
0020: 8018 05a8 b8d0 0101 080a 57ec f3de
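The ASCII column of the trace above has been mangled by the archive and the path was sanitised by hand, which is exactly the situation where it is safer to decode the hex column than to read the right-hand text. The script below is an added example for this thread, not code from the post or from ftp-proxy: it reassembles tcpdump -X rows into packets, walks the IPv4 and TCP headers (honouring the IP total length and the TCP data offset, so the nop,nop,timestamp options seen in the trace are skipped correctly), and returns the FTP control-channel text in each direction. It assumes, as in the post's dump, that offset 0 is the start of the IP header. The sample dump is constructed for this example (private addresses, zeroed checksums), and parse_tcpdump_x, decode_tcp and ftp_control_lines are this example's own names.

```python
"""Recover TCP payloads (here FTP control-channel text) from tcpdump -X hex output."""
import re

# A hex-dump row: optional 4-digit offset, colon, hex groups, then the ASCII column.
# The offset may be missing entirely, as in the ": 4510 006b ..." rows of the post.
HEX_ROW = re.compile(r"^\s*(?:0x)?(?:[0-9a-fA-F]{4})?:\s*(.*)$")
HEX_TOKEN = re.compile(r"^(?:[0-9a-fA-F]{4}|[0-9a-fA-F]{2})$")
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

# Constructed sample in the same layout as the trace in the post (not the
# original bytes): an FTP CWD from a client and the server's 250 reply,
# IPv4 with a 32-byte TCP header carrying nop,nop,timestamp options.
SAMPLE_DUMP = """\
Nov 11 15:08:10.069206 192.168.0.14.49210 > 192.168.1.21.21: P 1:19(18) ack 1 win 65535 <nop,nop,timestamp 1 2> (DF)
0000: 4500 0046 0001 4000 4006 0000 c0a8 000e  E..F..@.@.......
0010: c0a8 0115 c03a 0015 0000 0001 0000 0001  .....:..........
0020: 8018 ffff 0000 0000 0101 080a 0000 0001  ................
0030: 0000 0002 4357 4420 7075 622f 696e 636f  ....CWD pub/inco
0040: 6d69 6e67 0d0a                           ming..
Nov 11 15:08:10.070428 192.168.1.21.21 > 192.168.0.14.49210: P 1:29(28) ack 19 win 17376 <nop,nop,timestamp 2 1> (DF)
0000: 4500 0050 0002 4000 4006 0000 c0a8 0115  E..P..@.@.......
0010: c0a8 000e 0015 c03a 0000 0001 0000 0013  .....:..........
0020: 8018 43e0 0000 0000 0101 080a 0000 0002  ..C.............
0030: 0000 0001 3235 3020 4357 4420 636f 6d6d  ....250 CWD comm
0040: 616e 6420 7375 6363 6573 7366 756c 0d0a  and successful..
"""


def parse_tcpdump_x(text):
    """Split a tcpdump -X capture into raw packets (one bytes object each)."""
    packets = []
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if m is None:
            if line.strip():
                packets.append(bytearray())  # a tcpdump header line starts a new packet
            continue
        if not packets:
            packets.append(bytearray())
        # At most eight groups per row; stop at the first non-hex token, which is
        # where the ASCII column begins on a short final row.
        for tok in m.group(1).split()[:8]:
            if not HEX_TOKEN.match(tok):
                break
            packets[-1] += bytes.fromhex(tok)
    return [bytes(p) for p in packets if p]


def decode_tcp(raw):
    """Decode an IPv4/TCP packet into addresses, ports, flags and payload."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len = int.from_bytes(raw[2:4], "big")
    if raw[9] != 6:
        raise ValueError("not TCP")
    raw = raw[:total_len]  # the IP length bounds the packet; stray ASCII-column tokens are dropped
    tcp = raw[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    data_off = (tcp[12] >> 4) * 4  # options (e.g. timestamps) live before this offset
    return {
        "src": ".".join(str(b) for b in raw[12:16]),
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "flags": [name for bit, name in TCP_FLAGS if tcp[13] & bit],
        "payload": tcp[data_off:],  # shorter than the real payload if the dump was cut off
    }


def ftp_control_lines(dump, ftp_port=21):
    """Return (direction, text) for each packet carrying FTP control-channel data."""
    lines = []
    for pkt in parse_tcpdump_x(dump):
        d = decode_tcp(pkt)
        if not d["payload"]:
            continue  # pure ACKs carry nothing
        direction = "client->server" if d["dport"] == ftp_port else "server->client"
        lines.append((direction, d["payload"].decode("ascii", "replace").rstrip("\r\n")))
    return lines


if __name__ == "__main__":
    for direction, text in ftp_control_lines(SAMPLE_DUMP):
        print(f"{direction:<15} {text}")
```

Feeding it the LAN-side and DMZ-side dumps separately lets you compare, byte for byte, the CWD argument the client sent with the one ftp-proxy forwarded, which is the comparison this thread is trying to make by eye.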
Re: NFS and suspend
On Sun, Nov 12, 2006 at 10:31:40AM -0800, Greg Thomas wrote:
Half the time after resuming my T40 laptop from suspend my NFS connection hangs. If I do a df or do shell file name completion on the mounted directory name my xterm hangs:

[EMAIL PROTECTED] df -k
nfs server grits:/home: not responding
[EMAIL PROTECTED] ls do
nfs server grits:/home: not responding
[EMAIL PROTECTED] ls
Downloads Music docs photos sigs GNUstep bin packages.txt ports_list stuff

docs is the NFS mounted directory. And I get processes I can't kill, even with SIGKILL:

ethant 9923 0.0 0.0 284 140 p1- D 9:50AM 0:00.02 df -k

[EMAIL PROTECTED] cat /etc/fstab
/dev/wd0a / ffs rw 1 1
/dev/wd0b /tmp mfs rw,nodev,nosuid,-s=512000 0 0
/dev/wd0f /home ffs rw,nodev,nosuid,softdep 1 2
/dev/wd0e /usr ffs rw,nodev 1 2
/dev/wd0d /var ffs rw,nodev,nosuid 1 2
grits:/home /home/grits nfs rw,nodev,nosuid,tcp,soft,intr 0 0

I haven't used NFS in quite some time. Is this expected behaviour or should it fail more gracefully with the soft mount? And even if it's not expected behaviour is there any way to clear this without a reboot?

snip dmesg

No, you either have to use UDP, or mount it again (i.e. mount /home/grits again, you'll have 2 mounts, 1 dead, the new, alive one on top).

Regards, ahb
Re: OpenBSD Audio series other than bsdtalk ?
On Sat, Nov 11, 2006 at 09:12:37PM -0500, Jason Dixon wrote:
Thank you very much. In spite of bob@'s heckling, it was a lot of fun.

Dear Jason,

I must admit that when I heard the audio I found the talk to be somewhat superficial though humorous. However once I saw the video I got convinced that your talk has immense technical meat as well. If you talk only tech that scares folks away and their attention will not stick.

Anyway I have one important question. What software did you use for your slides? I know it is not magicpoint and of course not Monkeysoft stuff. What is it?

Thanks. Nice job done! :)

regards, Girish
--
Linux is for folks who hate Windoze. FreeBSD is for folks who love UNIX. OpenBSD is for folks who can't live without UNIX.
Re: NFS and suspend
On 11/12/06, Andreas Bihlmaier [EMAIL PROTECTED] wrote:
On Sun, Nov 12, 2006 at 10:31:40AM -0800, Greg Thomas wrote:
Half the time after resuming my T40 laptop from suspend my NFS connection hangs. If I do a df or do shell file name completion on the mounted directory name my xterm hangs:

[EMAIL PROTECTED] df -k
nfs server grits:/home: not responding
[EMAIL PROTECTED] ls do
nfs server grits:/home: not responding
[EMAIL PROTECTED] ls
Downloads Music docs photos sigs GNUstep bin packages.txt ports_list stuff

docs is the NFS mounted directory. And I get processes I can't kill, even with SIGKILL:

ethant 9923 0.0 0.0 284 140 p1- D 9:50AM 0:00.02 df -k

[EMAIL PROTECTED] cat /etc/fstab
/dev/wd0a / ffs rw 1 1
/dev/wd0b /tmp mfs rw,nodev,nosuid,-s=512000 0 0
/dev/wd0f /home ffs rw,nodev,nosuid,softdep 1 2
/dev/wd0e /usr ffs rw,nodev 1 2
/dev/wd0d /var ffs rw,nodev,nosuid 1 2
grits:/home /home/grits nfs rw,nodev,nosuid,tcp,soft,intr 0 0

I haven't used NFS in quite some time. Is this expected behaviour or should it fail more gracefully with the soft mount? And even if it's not expected behaviour is there any way to clear this without a reboot?

snip dmesg

No, you either have to use UDP, or mount it again (i.e. mount /home/grits again, you'll have 2 mounts, 1 dead, the new, alive one on top).

Ah, I'll try UDP. BTW, I get the same nfs server grits:/home: not responding when I try to mount it again.

Thanks, Greg
Re: OpenBSD Audio series other than bsdtalk ?
On Nov 12, 2006, at 8:23 PM, Girish Venkatachalam wrote:
On Sat, Nov 11, 2006 at 09:12:37PM -0500, Jason Dixon wrote:
Thank you very much. In spite of bob@'s heckling, it was a lot of fun.

Dear Jason, I must admit that when I heard the audio I found the talk to be somewhat superficial though humorous. However once I saw the video I got convinced that your talk has immense technical meat as well. If you talk only tech that scares folks away and their attention will not stick.

Anyway I have one important question. What software did you use for your slides? I know it is not magicpoint and of course not Monkeysoft stuff. What is it?

Apple Keynote. I can't imagine creating the same thing in PowerPoint or OO Impress. It simply would have been too painful. I'm not sure how well either would have handled all 260 slides.

Thanks. Nice job done! :)

Thank you. :)

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
openbsd on cisco hardware?
i know this is likely not possible for a number of reasons but i figured i'd ask: are there or have there been any plans to port openbsd to run on cisco hardware?

googling for something like this is not very productive since the CARP vs. VRRP and firewall interoperation links dominate searches with cisco openbsd in them.

cheers, jake
Re: openbsd on cisco hardware?
i know this is likely not possible for a number of reasons but i figured i'd ask: are there or have there been any plans to port openbsd to run on cisco hardware?

Someone correct me if I'm wrong. Last time I had a look, the platform was essentially a PII, with fxp NICs and a PCI (or was it ISA?) flash card for the OS.

--
Craig
Re: openbsd on cisco hardware?
i know this is likely not possible for a number of reasons but i figured i'd ask: are there or have there been any plans to port openbsd to run on cisco hardware? googling for something like this is not very productive since the CARP vs. VRRP and firewall interoperation links dominate searches with cisco openbsd in them.

Older Cisco routers will typically have a Motorola 68k or some MIPS-based processor. These devices will also usually have minimal RAM (1 to 4M). Not exactly a great setup for a target platform... I seem to recall that the 030-based Mot systems may also have been lacking in a proper MMU, but I could be wrong. I'm sure I'll be corrected by someone on the list.

Newer gear will have a MIPS or PowerPC processor in them. x86 PIX boxes could conceivably be a target platform, but their lack of storage would require a flashboot-style installation, and thus would not be supported in an official manner, if even they were made to boot successfully. The same would go for the non-x86 modern gear.

Frankly, Cisco's devices aren't even price-attractive, so as much as it would be mildly interesting to run OpenBSD on some PIX 515 boxes, it's a waste of time and money.

--Jason
Re: how to use infrared remote control with openbsd ?
On 11/12/06, Girish Venkatachalam [EMAIL PROTECTED] wrote:
On Sun, Nov 12, 2006 at 03:31:30AM -0800, Claude Brassel wrote:
Hello, I'm using lirc on linux and i want to switch to openbsd but i can not find some equivalent package to lirc;

I am planning to port it to get it to work but I am not sure when I will be done. Do you want to sponsor it? :)

Have i missed something or does somebody have a good idea?

But I only want to support user space serial drivers to begin with as that is the remote I want to get working and that is the hardware I have. After that you should pick up and run. :)

Great to see you in action buddy :-) Go on full speed ahead!

luv Siju
Re: openbsd on cisco hardware?
Salut,

On Mon, Nov 13, 2006 at 02:04:20PM +1100, Craig Barraclough wrote:
Someone correct me if I'm wrong. Last time I had a look, the platform was essentially a PII, with fxp NICs and a PCI (or was it ISA?) flash card for the OS.

Most Cisco hardware I'm aware of is either MIPS or PowerPC based.

Tonnerre

[demime 1.01d removed an attachment of type application/pgp-signature]
Re: OpenBSD Audio series other than bsdtalk ?
On Sun, Nov 12, 2006 at 09:18:31PM -0500, Jason Dixon wrote:
On Nov 12, 2006, at 8:23 PM, Girish Venkatachalam wrote:
On Sat, Nov 11, 2006 at 09:12:37PM -0500, Jason Dixon wrote:
What software did you use for your slides? I know it is not magicpoint and of course not Monkeysoft stuff. What is it?

Apple Keynote. I can't imagine creating the same thing in PowerPoint or OO Impress. It simply would have been too painful. I'm not sure how well either would have handled all 260 slides.

Hey Dixon,

What apples and oranges man? :) Give me some free software tool. My mission in life is to kick the butt of all proprietary companies. :)

Ok, I think we will not have to wait long before we have such stuff available open source... For now I plan to stick to mgp and S5.

Thanks.

regards, Girish
--
Linux is for folks who hate Windoze. FreeBSD is for folks who love UNIX. OpenBSD is for folks who can't live without UNIX.