Re: IPSec roadwarrior configuration?
On Thu, Oct 12, 2006 at 10:07:27AM +0200, viq wrote:
> Say, VPN-A is the VPN box, VPN-B is the roadwarrior.
>
> On VPN-A you need to enable packet forwarding, and pf as you will need
> NAT:
>
>     nat on $ext_if from !($ext_if) -> ($ext_if:0)
>
> This is because packets from VPN-B will leave VPN-A with VPN-B's source
> address, which most of the time no computer on VPN-A's network will know
> how to reach.
>
> I didn't play with certificates yet, I just copied the keys to the
> appropriate UFQDN. Now VPN-A has this in ipsec.conf:
>
>     ike passive esp from any to any srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]
>
> And VPN-B's ipsec.conf:
>
>     ike dynamic esp from vpn-b.my.domain to any peer vpn-a.my.domain srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]

So every roadwarrior has one key, [EMAIL PROTECTED]

--
albert chin ([EMAIL PROTECTED])
Re: Why Sendmail?
Thanks, I get it now. Have installed my favourite MTA (it was so much
easier on OpenBSD than other systems I have tried (gentoo/redhat/NetBSD)
which is nice). I will set up all important root/postmaster mail accounts
etc to make sure I get the system emails (they are a bonus too).

BTW the OpenBSD docs are brilliant.

Conrad

On 23 Nov 2006, at 13:45, Cristiano Deana wrote:
> 2006/11/23, Conrad Winchester [EMAIL PROTECTED]:
>> I do have one question though and I apologize if people always ask
>> this: At the end of the install I was asked whether I want to run sshd
>> and ntpd by default - very nice BUT why am I not given the option to
>> turn off Sendmail at this point? I NEVER use sendmail and for an OS
>> that prides itself on being as minimal as possible I would have
>> thought giving you the option to not run sendmail would also be there
>> right from the start.
>
> Any system needs an MTA running, at least to manage email from the
> nightly/weekly/monthly checks. So, default MUST be mta running (you can
> choose to stop it).
>
> Why sendmail? Why not?
>
> p.s. i usually use another MTA
>
> --
> Cris, member of G.U.F.I Italian FreeBSD User Group
> http://www.gufi.org/
Re: demystify enc interface
On Thu, Nov 23, 2006 at 02:47:14PM +0100, Camiel Dobbelaar wrote:
> I think this tells me that I can see unencrypted/unencapsulated traffic
> on enc0.

yes.

> However, with tcpdump I see this:
>
> 14:09:27.894326 (authentic,confidential): SPI 0x728aafc9: 86.90.xx.xx > 62.58.xx.xx: 192.168.2.3.1264 > 192.168.1.7.8194: . [tcp sum ok] ack 139 win 64431 (DF) (ttl 128, id 45685, len 40) (ttl 118, id 45685, len 60)
> 14:09:27.915205 (authentic,confidential): SPI 0x021e1fcd: 62.58.xx.xx > 86.90.xx.xx: 192.168.1.131.3389 > 192.168.2.3.1182: . [tcp sum ok] ack 177 win 65075 (ttl 127, id 59080, len 40) (ttl 64, id 46361, len 60, bad cksum 0!)
>
> The encapsulation is included... that's pretty cool and handy, but I'm
> not sure if that's what the manpage says.

no, the encapsulation is not included, only the _information_ about the
encapsulation is (it's special information in the pcap header)

> So inbound traffic passes twice: first with encapsulation, and the
> second time without. However, outbound traffic only passes _once_,
> without the encapsulation.

that's an artefact of OpenBSD's ipsec implementation. de-encapsulation
happens in two steps, where the first step removes the esp-layer, while
the 2nd step removes the ip-in-ip encapsulation for tunnel mode.

> So I think the pf rules for filtering on enc0 should look like this:
>
>     # pass encapsulated traffic
>     pass in quick log on enc0 proto ipencap from $ext_peer_ip to $ext_if keep state (other.single 3600)
>
>     # rules on decrypted traffic
>     pass in quick on enc0 from 192.168.28.28 to 192.168.42.10 port 993 keep state
>     block in quick on enc0

ipsec.conf(5) tells you how to filter on enc(4)

> All in all:
> - the bpf view is different from the pf view
> - the inbound pf view is different from outbound

not really. the only difference is that pf sees both decapsulation steps.

> Should pf even see the inbound ipencap traffic? Nothing much that can
> be done with it, that cannot also be done on the physical interfaces...

it would require some special hacks and flags and heuristics in the
kernel. i don't know if this would justify the extra code, but perhaps
there's a simple solution.

> Shouldn't enc just carry the unencrypted/unencapsulated traffic like
> the manpage says? That would make it behave far more like a normal
> interface.

it already does. you could argue, that the encapsulation information
should only be printed on '-e', but that breaks backward compatibility.

-m
ipsecctl setting up multiple SAs
Hello, I'm trying to set up multiple transport mode SAs between an OpenBSD 4.0 box and a Cisco 7301 running IOS [ultimate reason is to load test multiple L2TP over IPSEC tunnels]. Each SA is between the same two IP endpoints but specifies a different UDP port pair. I was able to get a single SA up using ipsecctl, after making this small fix: --- sbin/ipsecctl/ike.c.origThu Nov 23 22:48:23 2006 +++ sbin/ipsecctl/ike.c Thu Nov 23 22:48:37 2006 
@@ -526,7 +526,7 @@ fprintf(fd, SET [lid-%s]:Port=%d force\n, src-name, ntohs(sport)); if (dport) - fprintf(fd, SET [rid-%s]:Port=%d force\n, src-name, + fprintf(fd, SET [rid-%s]:Port=%d force\n, dst-name, ntohs(dport)); } However, what I'm trying to do now is set up multiple SAs. Here's my test config with 4 SAs, /etc/ipsec.conf.4 (the OpenBSD box is 10.1.1.6 and the Cisco is 10.1.1.1) ike esp transport proto udp from 10.1.1.6 port 1 to 10.1.1.1 port 1701 \ main auth hmac-md5 enc 3des group modp1024 \ quick auth hmac-md5 enc 3des group none \ psk mypresharedkey ike esp transport proto udp from 10.1.1.6 port 10001 to 10.1.1.1 port 1701 \ main auth hmac-md5 enc 3des group modp1024 \ quick auth hmac-md5 enc 3des group none \ psk mypresharedkey ike esp transport proto udp from 10.1.1.6 port 10002 to 10.1.1.1 port 1701 \ main auth hmac-md5 enc 3des group modp1024 \ quick auth hmac-md5 enc 3des group none \ psk mypresharedkey ike esp transport proto udp from 10.1.1.6 port 10003 to 10.1.1.1 port 1701 \ main auth hmac-md5 enc 3des group modp1024 \ quick auth hmac-md5 enc 3des group none \ psk mypresharedkey Here's how I'm running isakmpd: # isakmpd -K -4 -v -d -L And here's how I trigger the process: # ipsecctl -F; ipsecctl -vvf /etc/ipsec.conf.4 [output pasted below] However, when I do this, only a single quick mode SA is set up. ipsecctl shows this: # ipsecctl -s all FLOWS: flow esp in proto udp from 10.1.1.1 port 1701 to 10.1.1.6 port 10003 peer 10.1.1.1 srcid 10.1.1.6/32 dstid 10.1.1.1/32 type use flow esp out proto udp from 10.1.1.6 port 10003 to 10.1.1.1 port 1701 peer 10.1.1.1 srcid 10.1.1.6/32 dstid 10.1.1.1/32 type require SAD: esp transport from 10.1.1.6 to 10.1.1.1 spi 0x09b364d2 auth hmac-md5 enc 3des-cbc \ authkey 0x... \ enckey 0x... esp transport from 10.1.1.1 to 10.1.1.6 spi 0x0a6994af auth hmac-md5 enc 3des-cbc \ authkey 0x... \ enckey 0x... # and the same SAs are shown on the Cisco side too. 
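Review bot: the one-word change is the right fix and nothing else in the hunk needs touching: the dport branch wrote the `SET [rid-%s]:Port=%d force` line with src->name as the section key, so the remote port landed in a `rid-<local address>` section that no Remote-ID line refers to, while the real `rid-<peer address>` section never received a Port line; keying it on dst->name, the way the lid line above it is keyed on src->name, makes the two branches symmetric.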
isakmpd says only:

    093109.047718 Default isakmpd: phase 1 done: initiator id 0a010106: 10.1.1.6, responder id 0a010101: 10.1.1.1, src: 10.1.1.6 dst: 10.1.1.1
    093109.056238 Default isakmpd: quick mode done: src: 10.1.1.6 dst: 10.1.1.1

'tcpdump -nxr /var/log/isakmpd.pcap' shows that only one quick mode
exchange took place; crypto debug output on the Cisco shows the same.

Looking at this, it seems that the last entry in /etc/ipsec.conf has taken
precedence over the others. Is there a way to achieve what I'm trying to
do, either using ipsecctl, or manually configuring isakmpd?

Thanks,

Brian Candler.

P.S. I can paste the IOS config if you like, but I'm pretty sure it is
correct. I can set up multiple SAs from UDP port X to UDP port 1701 under
Linux using setkey and racoon from ipsec-tools, and run separate l2tpd
instances over them bound to separate ports.

Here is the output of ipsecctl:

    # ipsecctl -F; ipsecctl -vvf /etc/ipsec.conf.4
    @1 C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
    C set [peer-10.1.1.1]:Phase=1 force
    C set [peer-10.1.1.1]:Address=10.1.1.1 force
    C set [peer-10.1.1.1]:Authentication=mypresharedkey force
    C set [peer-10.1.1.1]:Configuration=mm-10.1.1.1 force
    C set [mm-10.1.1.1]:EXCHANGE_TYPE=ID_PROT force
    C add [mm-10.1.1.1]:Transforms=3DES-MD5-GRP2 force
    C set [IPsec-10.1.1.6-10.1.1.1]:Phase=2 force
    C set [IPsec-10.1.1.6-10.1.1.1]:ISAKMP-peer=peer-10.1.1.1 force
    C set [IPsec-10.1.1.6-10.1.1.1]:Configuration=qm-10.1.1.6-10.1.1.1 force
    C set [IPsec-10.1.1.6-10.1.1.1]:Local-ID=lid-10.1.1.6 force
    C set [IPsec-10.1.1.6-10.1.1.1]:Remote-ID=rid-10.1.1.1 force
    C set [qm-10.1.1.6-10.1.1.1]:EXCHANGE_TYPE=QUICK_MODE force
    C set [qm-10.1.1.6-10.1.1.1]:Suites=QM-ESP-TRP-3DES-MD5-SUITE force
    C set [lid-10.1.1.6]:ID-type=IPV4_ADDR force
    C set [lid-10.1.1.6]:Address=10.1.1.6 force
    C set [rid-10.1.1.1]:ID-type=IPV4_ADDR force
    C set [rid-10.1.1.1]:Address=10.1.1.1 force
    C set [lid-10.1.1.6]:Protocol=17 force
    C set [rid-10.1.1.1]:Protocol=17 force
    C set [lid-10.1.1.6]:Port=1 force
    C set [rid-10.1.1.1]:Port=1701 force
    C add [Phase 2]:Connections=IPsec-10.1.1.6-10.1.1.1
    @3 C set [Phase 1]:10.1.1.1=peer-10.1.1.1 force
    C set [peer-10.1.1.1]:Phase=1 force
    C set [peer-10.1.1.1]:Address=10.1.1.1 force
    C set [peer-10.1.1.1]:Authentication=mypresharedkey force
    C set [peer-10.1.1.1]:Configuration=mm-10.1.1.1 force
    C set
[EMAIL PROTECTED]:/cvs
    cvs -q -d [EMAIL PROTECTED]:/cvs up -r OPENBSD_4_0 -Pd
    No space left on device

Can someone please clean up ? Thanks !

Uwe
Re: IPSec roadwarrior configuration?
On 24/11/06, Albert Chin [EMAIL PROTECTED] wrote:
> On Thu, Oct 12, 2006 at 10:07:27AM +0200, viq wrote:
>> Say, VPN-A is the VPN box, VPN-B is the roadwarrior.
>>
>> On VPN-A you need to enable packet forwarding, and pf as you will need
>> NAT:
>>
>>     nat on $ext_if from !($ext_if) -> ($ext_if:0)
>>
>> This is because packets from VPN-B will leave VPN-A with VPN-B's
>> source address, which most of the time no computer on VPN-A's network
>> will know how to reach.
>>
>> I didn't play with certificates yet, I just copied the keys to the
>> appropriate UFQDN. Now VPN-A has this in ipsec.conf:
>>
>>     ike passive esp from any to any srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]
>>
>> And VPN-B's ipsec.conf:
>>
>>     ike dynamic esp from vpn-b.my.domain to any peer vpn-a.my.domain srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]
>
> So every roadwarrior has one key, [EMAIL PROTECTED]

That's the idea, if you want to have control over who is allowed to
connect and who's not. Besides, if you would want to have them all use one
key, you would have to replace the automatically generated private key
each box has. I want to play with certificates, tinyCA makes that easier,
but I didn't get to that yet.

> --
> albert chin ([EMAIL PROTECTED])

--
viq
syslog.conf question: log into a separate file, but not into /var/log/messages
Hi,

I've read man syslog.conf several times, especially this passage:

    !!prog causes the subsequent block to abort evaluation when a message
    matches, ensuring that only a single set of actions is taken. !* can
    be used to ensure that any ensuing blocks are further evaluated (i.e.
    cancelling the effect of a !prog or !!prog).

but don't understand it and how to adapt it for my purpose:

I have a program called pref which does the following:

    openlog(__progname, LOG_CONS | LOG_PID, LOG_DAEMON);
    ...
    syslog(LOG_INFO, "%s", msg);
    ...
    syslog(LOG_WARNING, "%s", msg);
    ...
    syslog(LOG_ERR, "%s", msg);

I'd like all of those messages to go into the separate file /var/log/pref
but not into /var/log/messages.

So first I've appended

    !pref
    *.*     /var/log/pref

to /etc/syslog.conf, touched /var/log/pref, adapted newsyslog.conf and
pkill -HUPped syslogd.

This worked, but the messages also were written into /var/log/messages.

Then I've added a second ! and moved those 2 lines to the top of
/etc/syslog.conf:

    !!pref
    *.*     /var/log/pref

Now no messages at all are written into /var/log/messages :-/

Can anyone please give me a hint?

Regards
Alex

--
http://preferans.de
Re: on the remote root login in OpenSSH
In message [EMAIL PROTECTED], chefren writes:
> Hello Igor,

Hello Chefren.

> You missed the crux of quite a few important points that Nick tried to
> explain to you.

Indeed, I have carefully read his post. He certainly explains some
important points related with sshd. He is certainly right.

>> You evidently don't know me. I am not a security expert, why should I
>> be?
>
> Please understand that was just a joke.

Ok, please, accept my apologies. I say the same to Nick, he was certainly
providing very good points in his post.

>> believe was unsolvable. I was one of the youngest speakers at a
>> plenary session of the ACM SIGCOMM.
>
> That might be fully true but you still missed some important basics
> from Nick.

Agreed, I missed some important comments from Nick. It is just that I did
not like the way he answered my post and stopped reading. As I said, I am
not an expert on computer security at all, and I certainly do not want to
be one. My research field is a different one. I just observed what seems
to me a bad default setting in ssh. Obviously, I was not aware that most
developers are against this change and missed the thread from March 2005.
Nick is certainly right.

> Honestly, you have a wicked meaning for the word friendly. Nick is
> definitely very friendly. Please follow this list some time and you
> will agree with me.

I certainly will do. This mailing list is an excellent reference for
OpenBSD users.

By the way, on an unrelated matter... now that I write about good
references for OpenBSD users... when are the FAQs (in both text and PDF)
updated? I see the FAQ for OpenBSD 4.0 available on-line, but I would like
to get the text version of the FAQ for 4.0... the only one I found in the
~/pub/OpenBSD/doc directory of the anonymous FTP server (or as a link from
the on-line FAQ) is for 3.9. Is there an estimated time for the text and
PDF versions to be upgraded? I understand that both the OpenBSD and pf
FAQs will probably have some changes in the next months... I am just
waiting for the updates to be publicly available. I really think that the
text versions of these FAQs are very handy.

Igor.
Re: ipsecctl setting up multiple SAs
On Fri, Nov 24, 2006 at 09:45:45AM +, Brian Candler wrote:
> Looking at this, it seems that the last entry in /etc/ipsec.conf has
> taken precedence over the others. Is there a way to achieve what I'm
> trying to do, either using ipsecctl, or manually configuring isakmpd?

To answer my own question: inspired by the output of ipsecctl, I wrote a
perl program (attached) to generate a suitable isakmpd.conf (also
attached), and this appears to work just fine.

It would be nice if ipsecctl could do this too. It could easily generate
the lid-addr-port and rid-addr-port sections; the only slightly awkward
part is having to generate the Connections list, i.e.

    [phase 2]
    Connections=IPsec-addr-port-addr-port,IPsec-addr-port-addr-port,...

Regards,

Brian.

[demime 1.01d removed an attachment of type text/x-perl]

    [Phase 1]
    10.1.1.1=peer-10.1.1.1

    [peer-10.1.1.1]
    Phase=1
    Address=10.1.1.1
    Authentication=mypresharedkey
    Configuration=mm-10.1.1.1

    [mm-10.1.1.1]
    EXCHANGE_TYPE=ID_PROT
    Transforms=3DES-MD5-GRP2

    [qm-10.1.1.6-10.1.1.1]
    EXCHANGE_TYPE=QUICK_MODE
    Suites=QM-ESP-TRP-3DES-MD5-SUITE

    [Phase 2]
    Connections=\
    IPsec-10.1.1.6-1-10.1.1.1-1701,\
    IPsec-10.1.1.6-10001-10.1.1.1-1701,\
    IPsec-10.1.1.6-10002-10.1.1.1-1701,\
    IPsec-10.1.1.6-10003-10.1.1.1-1701

    [IPsec-10.1.1.6-1-10.1.1.1-1701]
    Phase=2
    ISAKMP-peer=peer-10.1.1.1
    Configuration=qm-10.1.1.6-10.1.1.1
    Local-ID=lid-10.1.1.6-1
    Remote-ID=rid-10.1.1.1-1701

    [IPsec-10.1.1.6-10001-10.1.1.1-1701]
    Phase=2
    ISAKMP-peer=peer-10.1.1.1
    Configuration=qm-10.1.1.6-10.1.1.1
    Local-ID=lid-10.1.1.6-10001
    Remote-ID=rid-10.1.1.1-1701

    [IPsec-10.1.1.6-10002-10.1.1.1-1701]
    Phase=2
    ISAKMP-peer=peer-10.1.1.1
    Configuration=qm-10.1.1.6-10.1.1.1
    Local-ID=lid-10.1.1.6-10002
    Remote-ID=rid-10.1.1.1-1701

    [IPsec-10.1.1.6-10003-10.1.1.1-1701]
    Phase=2
    ISAKMP-peer=peer-10.1.1.1
    Configuration=qm-10.1.1.6-10.1.1.1
    Local-ID=lid-10.1.1.6-10003
    Remote-ID=rid-10.1.1.1-1701

    [lid-10.1.1.6-1]
    ID-type=IPV4_ADDR
    Address=10.1.1.6
    Protocol=17
    Port=1

    [lid-10.1.1.6-10001]
    ID-type=IPV4_ADDR
    Address=10.1.1.6
    Protocol=17
    Port=10001

    [lid-10.1.1.6-10002]
    ID-type=IPV4_ADDR
    Address=10.1.1.6
    Protocol=17
    Port=10002

    [lid-10.1.1.6-10003]
    ID-type=IPV4_ADDR
    Address=10.1.1.6
    Protocol=17
    Port=10003

    [rid-10.1.1.1-1701]
    ID-type=IPV4_ADDR
    Address=10.1.1.1
    Protocol=17
    Port=1701
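An added Python generator for the same kind of file (it is not Brian's Perl script, which demime stripped, nor anything from ipsecctl): it emits an isakmpd.conf in the layout above for any list of local UDP ports, naming every ID section by address and port so that rules differing only in port do not overwrite each other's Port= line. The addresses, ports and PSK in its main block are the ones from this thread; write_conf and section_names are helpers of mine, not isakmpd features.

```python
"""Generate an isakmpd.conf with one transport-mode SA per local UDP port.

Added example, not the Perl script from the thread. It reproduces the
layout of the hand-written isakmpd.conf above: every section name carries
the port, so rules that differ only in port get their own [IPsec-...],
[lid-...] and [rid-...] sections instead of sharing one [lid-addr] whose
Port= line the last rule overwrites (which is why ipsecctl kept only the
last SA).
"""
import os


def ipsec_name(local, lport, peer, rport):
    return "IPsec-%s-%d-%s-%d" % (local, lport, peer, rport)


def id_section(name, addr, port):
    """A [lid-...]/[rid-...] block: IPv4 address ID limited to one UDP port."""
    return ["[%s]" % name, "ID-type=IPV4_ADDR", "Address=%s" % addr,
            "Protocol=17",                  # 17 = UDP
            "Port=%d" % port, ""]


def gen_isakmpd_conf(local, peer, local_ports, remote_port, psk,
                     p1_transform="3DES-MD5-GRP2",
                     p2_suite="QM-ESP-TRP-3DES-MD5-SUITE"):
    """Return the isakmpd.conf text; the 3DES/MD5 defaults are the thread's."""
    local_ports = sorted(set(local_ports))
    if not local_ports:
        raise ValueError("need at least one local port")
    mm, qm = "mm-%s" % peer, "qm-%s-%s" % (local, peer)
    out = ["[Phase 1]", "%s=peer-%s" % (peer, peer), "",
           "[peer-%s]" % peer, "Phase=1", "Address=%s" % peer,
           "Authentication=%s" % psk, "Configuration=%s" % mm, "",
           "[%s]" % mm, "EXCHANGE_TYPE=ID_PROT",
           "Transforms=%s" % p1_transform, "",
           "[%s]" % qm, "EXCHANGE_TYPE=QUICK_MODE", "Suites=%s" % p2_suite, ""]
    conns = [ipsec_name(local, lp, peer, remote_port) for lp in local_ports]
    # Connections= names every phase 2 connection, one per line with a
    # trailing backslash continuation, as in the hand-written file.
    out += ["[Phase 2]", "Connections=\\"]
    out += ["%s,\\" % c for c in conns[:-1]] + [conns[-1], ""]
    for lp, conn in zip(local_ports, conns):
        out += ["[%s]" % conn, "Phase=2", "ISAKMP-peer=peer-%s" % peer,
                "Configuration=%s" % qm,
                "Local-ID=lid-%s-%d" % (local, lp),
                "Remote-ID=rid-%s-%d" % (peer, remote_port), ""]
    for lp in local_ports:
        out += id_section("lid-%s-%d" % (local, lp), local, lp)
    out += id_section("rid-%s-%d" % (peer, remote_port), peer, remote_port)
    return "\n".join(out)


def section_names(conf):
    """Section headers in file order; handy to check that no name repeats."""
    return [l[1:-1] for l in conf.splitlines()
            if l.startswith("[") and l.endswith("]")]


def write_conf(path, conf):
    """Write with mode 0600: the file carries the pre-shared key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(conf + "\n")


if __name__ == "__main__":
    # Brian's four-port test case from the thread.
    print(gen_isakmpd_conf("10.1.1.6", "10.1.1.1", [1, 10001, 10002, 10003],
                           1701, "mypresharedkey"))
```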
Re: on the remote root login in OpenSSH
On Fri, Nov 24, 2006 at 07:06:17AM +0100, Bill Maas wrote:
> Hi, how about this one:
>
>     PermitRootLogin 192.168.1
>
> Should any of the SSH maintainers be reading this: possible new SSH
> feature?

I believe you can actually do this with the Match directive, although I'd
need to spend more time looking at the man page than I currently have to
be sure.

Joachim
Problem with Routerboard 44 quad port ethernet card
Hi,

I'm building a firewall with 6 ethernet interfaces. It's a Tyan S2425 mobo
with 2 onboard NICs and an added quad port Routerboard 44 card on a 1U PCI
riser card. The problem is that vr0 does not work. It's detected with MAC
address ff:ff:ff:ff:ff:ff and the PHY for vr0 is not detected. vr1, vr2,
vr3, as well as onboard fxp0 and fxp1 work just fine.

Any ideas what could be wrong here?

Here's the dmesg:

    OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
        [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
    cpu0: Intel(R) Pentium(R) III CPU - S 1266MHz (GenuineIntel 686-class) 1.27 GHz
    cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
    real mem  = 535261184 (522716K)
    avail mem = 480309248 (469052K)
    using 4256 buffers containing 26865664 bytes (26236K) of memory
    mainbus0 (root)
    bios0 at mainbus0: AT/286+(00) BIOS, date 05/01/03, BIOS32 rev. 0 @ 0xfdb80, SMBIOS rev. 2.3 @ 0xf0640 (131 entries)
    apm0 at bios0: Power Management spec V1.2
    apm0: AC on, battery charge unknown
    apm0: flags 30102 dobusy 0 doidle 1
    pcibios0 at bios0: rev 2.1 @ 0xf/0x1
    pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3b10/272 (15 entries)
    pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801AA LPC rev 0x00)
    pcibios0: PCI bus #2 is the last bus
    bios0: ROM list: 0xc/0xc000 0xcc000/0x1000 0xcd000/0x1800
    cpu0 at mainbus0
    pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
    pchb0 at pci0 dev 0 function 0 Intel 82815 Hub rev 0x04
    vga1 at pci0 dev 2 function 0 Intel 82815 Graphics rev 0x04: aperture at 0xfc00, size 0x200
    wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
    wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
    ppb0 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x05
    pci1 at ppb0 bus 1
    ppb1 at pci1 dev 5 function 0 vendor Hint, unknown product 0x0021 rev 0x15
    pci2 at ppb1 bus 2
    vr0 at pci2 dev 8 function 0 VIA VT6105M RhineIII rev 0x96: irq 11, address ff:ff:ff:ff:ff:ff
    vr1 at pci2 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 11, address 00:0c:42:02:2b:43
    ukphy0 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
    vr2 at pci2 dev 10 function 0 VIA VT6105M RhineIII rev 0x96: irq 11, address 00:0c:42:02:2b:44
    ukphy1 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
    vr3 at pci2 dev 11 function 0 VIA VT6105M RhineIII rev 0x96: irq 11, address 00:0c:42:02:2b:45
    ukphy2 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
    fxp0 at pci1 dev 8 function 0 Intel 82562 rev 0x03, i82562: irq 11, address 00:e0:81:29:da:16
    inphy0 at fxp0 phy 1: i82562EM 10/100 PHY, rev. 0
    fxp1 at pci1 dev 11 function 0 Intel 8255x rev 0x08, i82559: irq 5, address 00:e0:81:29:da:17
    inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
    ichpcib0 at pci0 dev 31 function 0 Intel 82801BA LPC rev 0x05
    pciide0 at pci0 dev 31 function 1 Intel 82801BA IDE rev 0x05: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
    pciide0: channel 0 disabled (no drives)
    wd0 at pciide0 channel 1 drive 0: ST340016A
    wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
    wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
    ichiic0 at pci0 dev 31 function 3 Intel 82801BA SMBus rev 0x05: irq 10
    iic0 at ichiic0
    isa0 at ichpcib0
    isadma0 at isa0
    pckbc0 at isa0 port 0x60/5
    pckbd0 at pckbc0 (kbd slot)
    pckbc0: using irq 1 for kbd slot
    wskbd0 at pckbd0: console keyboard, using wsdisplay0
    pcppi0 at isa0 port 0x61
    midi0 at pcppi0: PC speaker
    spkr0 at pcppi0
    lpt0 at isa0 port 0x378/4 irq 7
    nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 10: GPIO VLM TMS
    gpio0 at nsclpcsio0: 29 pins
    npx0 at isa0 port 0xf0/16: using exception 16
    pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
    pccom0: console
    pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
    biomask f745 netmask ff65 ttymask ffe7
    pctr: 686-class user-level performance counters enabled
    mtrr: Pentium Pro MTRR support
    dkcsum: wd0 matches BIOS drive 0x80
    root on wd0a
    rootdev=0x0 rrootdev=0x300 rawdev=0x302
Re: ipsecctl setting up multiple SAs
Hi, On Fri, Nov 24, 2006 at 09:45:45AM +, Brian Candler wrote: I'm trying to set up multiple transport mode SAs between an OpenBSD 4.0 box and a Cisco 7301 running IOS [ultimate reason is to load test multiple L2TP over IPSEC tunnels]. Each SA is between the same two IP endpoints but specifies a different UDP port pair. I was able to get a single SA up using ipsecctl, after making this small fix: --- sbin/ipsecctl/ike.c.origThu Nov 23 22:48:23 2006 +++ sbin/ipsecctl/ike.c Thu Nov 23 22:48:37 2006 @@ -526,7 +526,7 @@ fprintf(fd, SET [lid-%s]:Port=%d force\n, src-name, ntohs(sport)); if (dport) - fprintf(fd, SET [rid-%s]:Port=%d force\n, src-name, + fprintf(fd, SET [rid-%s]:Port=%d force\n, dst-name, ntohs(dport)); } this has been already commited, thanks! Could you please try the diff below? It's just a quick hack but might solve that problem. HJ. Index: ike.c === RCS file: /cvs/src/sbin/ipsecctl/ike.c,v retrieving revision 1.54 diff -u -p -r1.54 ike.c --- ike.c 24 Nov 2006 08:07:18 - 1.54 +++ ike.c 24 Nov 2006 10:28:33 - 
@@ -38,12 +38,13 @@ static void ike_section_peer(struct ipse static voidike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *, FILE *, u_int8_t); static int ike_get_id_type(char *); -static voidike_section_ipsec(struct ipsec_addr_wrap *, struct - ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *); +static voidike_section_ipsec(struct ipsec_addr_wrap *, u_int16_t, struct + ipsec_addr_wrap *, u_int16_t, struct ipsec_addr_wrap *, + char *, FILE *); static int ike_section_p1(struct ipsec_addr_wrap *, struct ipsec_transforms *, FILE *, struct ike_auth *, u_int8_t); -static int ike_section_p2(struct ipsec_addr_wrap *, struct - ipsec_addr_wrap *, u_int8_t, u_int8_t, struct +static int ike_section_p2(struct ipsec_addr_wrap *, u_int16_t, struct + ipsec_addr_wrap *, u_int16_t, u_int8_t, u_int8_t, struct ipsec_transforms *, FILE *, u_int8_t); static voidike_section_p2ids(u_int8_t, struct ipsec_addr_wrap *, u_int16_t, struct ipsec_addr_wrap *, u_int16_t, FILE *); 
@@ -174,33 +175,45 @@ ike_get_id_type(char *string) } static void -ike_section_ipsec(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, -struct ipsec_addr_wrap *peer, FILE *fd) +ike_section_ipsec(struct ipsec_addr_wrap *src, u_int16_t sport, +struct ipsec_addr_wrap *dst, u_int16_t dport, struct ipsec_addr_wrap *peer, +char *tag, FILE *fd) { - fprintf(fd, SET [IPsec-%s-%s]:Phase=2 force\n, src-name, dst-name); + char*p; + + if (asprintf(p, %s:%d-%s:%d, src-name, ntohs(sport), dst-name, + ntohs(dport)) == -1) + err(1, ike_section_ipsec); + + fprintf(fd, SET [IPsec-%s]:Phase=2 force\n, p); if (peer) - fprintf(fd, SET [IPsec-%s-%s]:ISAKMP-peer=peer-%s force\n, - src-name, dst-name, peer-name); + fprintf(fd, SET [IPsec-%s]:ISAKMP-peer=peer-%s force\n, p, + peer-name); else fprintf(fd, SET - [IPsec-%s-%s]:ISAKMP-peer=peer-default force\n, - src-name, dst-name); + [IPsec-%s]:ISAKMP-peer=peer-default force\n, p); + + fprintf(fd, SET [IPsec-%s]:Configuration=qm-%s force\n, p, p); + fprintf(fd, SET [IPsec-%s]:Local-ID=lid-%s force\n, p, src-name); + fprintf(fd, SET [IPsec-%s]:Remote-ID=rid-%s force\n, p, dst-name); - fprintf(fd, SET [IPsec-%s-%s]:Configuration=qm-%s-%s force\n, - src-name, dst-name, src-name, dst-name); - fprintf(fd, SET [IPsec-%s-%s]:Local-ID=lid-%s force\n, src-name, - dst-name, src-name); - fprintf(fd, SET [IPsec-%s-%s]:Remote-ID=rid-%s force\n, src-name, - dst-name, dst-name); + if (tag) + fprintf(fd, SET [IPsec-%s]:PF-Tag=%s force\n, p, tag); + + free(p); } static int -ike_section_p2(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, -u_int8_t satype, u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd, -u_int8_t ike_exch) +ike_section_p2(struct ipsec_addr_wrap *src, u_int16_t sport, +struct ipsec_addr_wrap *dst, u_int16_t dport, u_int8_t satype, +u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd, u_int8_t ike_exch) { - char *tag, *exchange_type, *sprefix; + char*p, *tag, *exchange_type, *sprefix; + + if (asprintf(p, 
%s:%d-%s:%d, src-name, ntohs(sport), dst-name, + ntohs(dport)) == -1) + err(1, ike_section_p2); switch (ike_exch) { case IKE_QM: @@ -213,10 +226,9 @@ ike_section_p2(struct
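Review bot: in the @@ -38 hunk only ike_section_ipsec and ike_section_p2 gain the u_int16_t sport/dport parameters while ike_connect keeps its (satype, src, dst, fd) signature, yet it is presumably ike_connect that emits the `[Phase 2]:Connections=IPsec-...` entry, and that entry must now match the `IPsec-%s:%d-%s:%d` section name ike_section_ipsec writes; unless ike_connect receives the same ports (or the ready-made name), the Connections entry refers to a section that no longer exists and no quick mode starts. Pass sport and dport through ike_connect as well, or build the name once in the caller and hand it to all three functions.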
Re: IPSec roadwarrior configuration?
> Now VPN-A has this in ipsec.conf:
>
>     ike passive esp from any to any srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED]

If you need to support more than one user in your roadwarrior setup, then
don't set dstid.

--
Mathieu Sauve-Frankel
Re: syslog.conf question: log into a separate file, but not into /var/log/messages
On 2006/11/24 10:50, Alexander Farber wrote:
> I've read man syslog.conf several times, especially this passage:
> ...
> but don't understand it and how to adapt it for my purpose:

see the 'examples' section where this is demonstrated.
Re: pflogd: Failed to initialize: /dev/bpf0
On Wed, 22 Nov 2006 22:19:37 +0200, Berk D. Demir wrote:
> This permission problem smells like a mixed kernel and userland mismatch
> or a version spaghetti to me. Please try a recent snapshot if possible.
> In case you want to run -stable, make a _clean_ build.

Sounds reasonable. Only, I didn't do *any* install on it for the last 18
months; no build ever; it is a vanilla stable 3.7; waiting for the update.
Re: syslog.conf question: log into a separate file, but not into /var/log/messages
Hi Alexander,

On 2006-11-24T10:50, Alexander Farber wrote:
> Then I've added a second ! and moved those 2 lines to the top of
> /etc/syslog.conf:
>
>     !!pref
>     *.*     /var/log/pref
>
> Now no messages at all are written into /var/log/messages :-/
>
> Can anyone please give me a hint?

read man syslog.conf

    !!prog causes the subsequent block to abort evaluation when a message
    matches, ensuring that only a single set of actions is taken. !* can
    be used to ensure that any ensuing blocks are further evaluated (i.e.
    cancelling the effect of a !prog or !!prog).

hth,
Marcus.
Re: on the remote root login in OpenSSH
On 2006/11/23 17:07, Igor Sobrado wrote:
> ... to set up a firewall with an ever-growing list of hostile
> machines. ...

I think you misunderstand me. I mean to restrict direct SSH access to only
those networks which need access, not to block attackers when you see
them. Authorized users would either connect from an approved IP address,
or by using authpf. (for this, I'm assuming use of a separate firewall to
protect a number of other machines, not 'self-protecting').

There aren't a lot of cases where you need to leave SSH access open to the
world.
Re: syslog.conf question: log into a separate file, but not into /var/log/messages
On Fri, 24 Nov 2006, Alexander Farber wrote:
> Hi,
>
> I've read man syslog.conf several times, especially this passage:
>
>     !!prog causes the subsequent block to abort evaluation when a
>     message matches, ensuring that only a single set of actions is
>     taken. !* can be used to ensure that any ensuing blocks are further
>     evaluated (i.e. cancelling the effect of a !prog or !!prog).
>
> but don't understand it and how to adapt it for my purpose:
>
> I have a program called pref which does the following:
>
>     openlog(__progname, LOG_CONS | LOG_PID, LOG_DAEMON);
>     ...
>     syslog(LOG_INFO, "%s", msg);
>     ...
>     syslog(LOG_WARNING, "%s", msg);
>     ...
>     syslog(LOG_ERR, "%s", msg);
>
> I'd like all of those messages to go into the separate file
> /var/log/pref but not into /var/log/messages.
>
> So first I've appended
>
>     !pref
>     *.*     /var/log/pref
>
> to /etc/syslog.conf, touched /var/log/pref, adapted newsyslog.conf and
> pkill -HUPped syslogd.
>
> This worked, but the messages also were written into /var/log/messages.
>
> Then I've added a second ! and moved those 2 lines to the top of
> /etc/syslog.conf:
>
>     !!pref
>     *.*     /var/log/pref
>
> Now no messages at all are written into /var/log/messages :-/

Add the end marker !* after the *.* line

-Otto
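A small Python model of how syslogd walks the program blocks, added here as an illustration (it is neither syslogd's code nor anything from the thread): it builds the three syslog.conf variants from this exchange on top of the default `*.notice;auth,authpriv.info;kern.debug;mail.crit /var/log/messages` line, which I am assuming as the only other rule, and shows where a pref LOG_DAEMON warning and an unrelated auth.info message end up under each.

```python
"""Model of OpenBSD syslogd's program-block evaluation (added example).

Not syslogd's code; it re-implements just enough of syslog.conf(5) to show
why Alex's two attempts behaved as they did and why Otto's "!*" end marker
fixes it:
  - a rule inside a "!prog" block only sees messages whose tag is prog;
  - after a match inside a "!!prog" block, evaluation stops (f_quick);
  - "!*" ends the block, so the rules after it apply to every program.
Supported: "fac.level" selectors joined by ";" (facilities may be
comma-separated, "*" matches all), a file action, and the three markers.
"""

LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Assumed: the stock OpenBSD line that feeds /var/log/messages.
MESSAGES_RULE = "*.notice;auth,authpriv.info;kern.debug;mail.crit  /var/log/messages"

# Attempt 1: "!pref" block appended at the end of syslog.conf.
APPENDED = MESSAGES_RULE + "\n!pref\n*.*  /var/log/pref\n"
# Attempt 2: "!!pref" block moved to the top, with no end marker.
TOP_NO_RESET = "!!pref\n*.*  /var/log/pref\n" + MESSAGES_RULE + "\n"
# Otto's fix: "!*" after the *.* line closes the block.
FIXED = "!!pref\n*.*  /var/log/pref\n!*\n" + MESSAGES_RULE + "\n"


def parse_conf(text):
    """Return rules as (program, quick, selectors, action); program is None
    for rules that are not inside any !prog block."""
    rules, program, quick = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            quick = line.startswith("!!")
            name = line.lstrip("!")
            program = None if name == "*" else name    # "!*" cancels the block
            continue
        selector, action = line.split(None, 1)
        selectors = [tuple(s.split(".", 1)) for s in selector.split(";")]
        rules.append((program, quick, selectors, action))
    return rules


def selector_matches(selectors, facility, level):
    """syslog semantics: the facility must be listed (or "*") and the message
    level must be at least the selector level ("*" means any level)."""
    for fac, lvl in selectors:
        if fac != "*" and facility not in fac.split(","):
            continue
        if lvl == "*" or LEVELS.index(level) >= LEVELS.index(lvl):
            return True
    return False


def route(rules, program, facility, level):
    """Actions a message from `program` (the syslog tag, i.e. the openlog
    ident) is delivered to, in syslog.conf order."""
    actions = []
    for rule_prog, quick, selectors, action in rules:
        if rule_prog is not None and rule_prog != program:
            continue            # rule belongs to another program's block
        if not selector_matches(selectors, facility, level):
            continue
        actions.append(action)
        if quick:
            break               # "!!prog": stop after the first match
    return actions


def compare():
    """Route pref's LOG_DAEMON|LOG_WARNING and an unrelated auth.info
    message (constructed, e.g. from sshd) through the three configurations."""
    result = {}
    for name, conf in (("appended", APPENDED), ("top, no !*", TOP_NO_RESET),
                       ("with !*", FIXED)):
        rules = parse_conf(conf)
        result[name] = (route(rules, "pref", "daemon", "warning"),
                        route(rules, "sshd", "auth", "info"))
    return result


if __name__ == "__main__":
    for name, (pref_dest, other_dest) in compare().items():
        print("%-12s pref -> %s   sshd -> %s" % (name, pref_dest, other_dest))
```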
Re: syslog.conf question: log into a separate file, but not into /var/log/messages
Hi Marcus,

On 11/24/06, Marcus Popp [EMAIL PROTECTED] wrote:
>> Can anyone please give me a hint?
>
> read man syslog.conf

read my original mail. Can you imagine, that I've read the man page, but
it is just not good enough for me (or vice versa)?

Regards
Alex

--
http://preferans.de
Re: ipsecctl setting up multiple SAs
more correct diff: Index: ike.c === RCS file: /cvs/src/sbin/ipsecctl/ike.c,v retrieving revision 1.54 diff -u -p -r1.54 ike.c --- ike.c 24 Nov 2006 08:07:18 - 1.54 +++ ike.c 24 Nov 2006 10:46:19 - @@ -38,17 +38,18 @@ static void ike_section_peer(struct ipse static voidike_section_ids(struct ipsec_addr_wrap *, struct ipsec_auth *, FILE *, u_int8_t); static int ike_get_id_type(char *); -static voidike_section_ipsec(struct ipsec_addr_wrap *, struct - ipsec_addr_wrap *, struct ipsec_addr_wrap *, FILE *); +static voidike_section_ipsec(struct ipsec_addr_wrap *, u_int16_t, struct + ipsec_addr_wrap *, u_int16_t, struct ipsec_addr_wrap *, + char *, FILE *); static int ike_section_p1(struct ipsec_addr_wrap *, struct ipsec_transforms *, FILE *, struct ike_auth *, u_int8_t); -static int ike_section_p2(struct ipsec_addr_wrap *, struct - ipsec_addr_wrap *, u_int8_t, u_int8_t, struct +static int ike_section_p2(struct ipsec_addr_wrap *, u_int16_t, struct + ipsec_addr_wrap *, u_int16_t, u_int8_t, u_int8_t, struct ipsec_transforms *, FILE *, u_int8_t); static voidike_section_p2ids(u_int8_t, struct ipsec_addr_wrap *, u_int16_t, struct ipsec_addr_wrap *, u_int16_t, FILE *); -static int ike_connect(u_int8_t, struct ipsec_addr_wrap *, struct - ipsec_addr_wrap *, FILE *); +static int ike_connect(u_int8_t, struct ipsec_addr_wrap *, u_int16_t, + struct ipsec_addr_wrap *, u_int16_t, FILE *); static int ike_gen_config(struct ipsec_rule *, FILE *); static int ike_delete_config(struct ipsec_rule *, FILE *); 
@@ -174,33 +175,45 @@ ike_get_id_type(char *string) } static void -ike_section_ipsec(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, -struct ipsec_addr_wrap *peer, FILE *fd) +ike_section_ipsec(struct ipsec_addr_wrap *src, u_int16_t sport, +struct ipsec_addr_wrap *dst, u_int16_t dport, struct ipsec_addr_wrap *peer, +char *tag, FILE *fd) { - fprintf(fd, SET [IPsec-%s-%s]:Phase=2 force\n, src-name, dst-name); + char*p; + + if (asprintf(p, %s:%d-%s:%d, src-name, ntohs(sport), dst-name, + ntohs(dport)) == -1) + err(1, ike_section_ipsec); + + fprintf(fd, SET [IPsec-%s]:Phase=2 force\n, p); if (peer) - fprintf(fd, SET [IPsec-%s-%s]:ISAKMP-peer=peer-%s force\n, - src-name, dst-name, peer-name); + fprintf(fd, SET [IPsec-%s]:ISAKMP-peer=peer-%s force\n, p, + peer-name); else fprintf(fd, SET - [IPsec-%s-%s]:ISAKMP-peer=peer-default force\n, - src-name, dst-name); + [IPsec-%s]:ISAKMP-peer=peer-default force\n, p); - fprintf(fd, SET [IPsec-%s-%s]:Configuration=qm-%s-%s force\n, - src-name, dst-name, src-name, dst-name); - fprintf(fd, SET [IPsec-%s-%s]:Local-ID=lid-%s force\n, src-name, - dst-name, src-name); - fprintf(fd, SET [IPsec-%s-%s]:Remote-ID=rid-%s force\n, src-name, - dst-name, dst-name); + fprintf(fd, SET [IPsec-%s]:Configuration=qm-%s force\n, p, p); + fprintf(fd, SET [IPsec-%s]:Local-ID=lid-%s force\n, p, src-name); + fprintf(fd, SET [IPsec-%s]:Remote-ID=rid-%s force\n, p, dst-name); + + if (tag) + fprintf(fd, SET [IPsec-%s]:PF-Tag=%s force\n, p, tag); + + free(p); } static int -ike_section_p2(struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst, -u_int8_t satype, u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd, -u_int8_t ike_exch) -{ - char *tag, *exchange_type, *sprefix; +ike_section_p2(struct ipsec_addr_wrap *src, u_int16_t sport, +struct ipsec_addr_wrap *dst, u_int16_t dport, u_int8_t satype, +u_int8_t tmode, struct ipsec_transforms *qmxfs, FILE *fd, u_int8_t ike_exch) +{ + char*p, *tag, *exchange_type, *sprefix; + + if (asprintf(p, 
%s:%d-%s:%d, src-name, ntohs(sport), dst-name, + ntohs(dport)) == -1) + err(1, ike_section_p2); switch (ike_exch) { case IKE_QM: @@ -213,10 +226,9 @@ ike_section_p2(struct ipsec_addr_wrap *s return (-1); } - fprintf(fd, SET [%s-%s-%s]:EXCHANGE_TYPE=%s force\n, - tag, src-name, dst-name, exchange_type); - fprintf(fd, SET [%s-%s-%s]:Suites=%s-, tag, src-name, - dst-name, sprefix); + fprintf(fd, SET [%s-%s]:EXCHANGE_TYPE=%s force\n, tag, p, + exchange_type); + fprintf(fd, SET [%s-%s]:Suites=%s-, tag, p, sprefix); switch (satype) { case IPSEC_ESP: @@ -339,6 +354,8 @@ ike_section_p2(struct ipsec_addr_wrap *s fprintf(fd, -PFS);
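Review bot: in the @@ -174,33 +175,45 @@ hunk the `%s:%d-%s:%d` name is built twice, once in ike_section_ipsec and again in ike_section_p2, and the first emits `SET [IPsec-%s]:Configuration=qm-%s force` that only resolves if the second writes its `[%s-%s]` section with a byte-identical p; put that asprintf in one static helper returning the malloc'd name so the two call sites cannot drift apart. The name also encodes addresses and ports but not the protocol, so two flows that differ only in protocol (say UDP and TCP on the same port pair) would produce colliding [IPsec-...] and [qm-...] sections; consider including the protocol in the name as well.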
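Review bot: in the @@ -213,10 +226,9 @@ hunk the `return (-1);` shown as context for the failing case of `switch (ike_exch)` now runs after p has been asprintf'd at the top of ike_section_p2, so that error path leaks the name; add `free(p)` before the return, or allocate p only after the switch has validated ike_exch, and check that the remainder of the function (not in the excerpt) frees p on the normal path the way ike_section_ipsec does with its trailing `free(p)`.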
Re: syslog.conf question: log into a separate file, but not into /var/log/messages
Thanks Otto, that was it

On 11/24/06, Otto Moerbeek [EMAIL PROTECTED] wrote:

    !!pref
    *.*                                     /var/log/pref

    Now no messages at all are written into /var/log/messages :-/

  Add the end marker !* after the *.* line

  -Otto
Re: ipsecctl setting up multiple SAs
On Fri, Nov 24, 2006 at 10:22:26AM +, Brian Candler wrote:

  To answer my own question: inspired by the output of ipsecctl, I wrote a perl program (attached) to generate a suitable isakmpd.conf (also attached), and this appears to work just fine.

And now I seem to have hit some sort of scalability problem.

Generating 1,000 transport mode SAs, and monitoring them with

  ipsecctl -s flow | grep wc -l

gives the following after isakmpd has been started:

  Time(s)   Num flows
  -------   ---------
  10        606
  20        976
  30        1286
  40        1384
  50        1768
  60        1946
  70        1946
  ..

And there it stops, never reaching 2000 (in+out). But I find the following in /var/log/messages:

  Nov 24 11:12:45 gw isakmpd[32720]: pf_key_v2_set_spi: UPDATE: No such process
  Nov 24 11:12:45 gw last message repeated 26 times

1946 + 27*2 = 2000, so that's where the missing flows have gone. For some reason some of them are not known; maybe some earlier messages to the kernel were silently dropped?

A bit more background:

* The OpenBSD machine is a HP/Compaq desktop, single 2.8GHz processor, 512MB, rl0 interface
* The Cisco is a 7301 with VAM2+ crypto accelerator. It barely breaks a sweat (peak CPU usage around 25% with all these SAs coming in)
* Connected via cheap 100M switch

I'm using isakmpd.conf as generated by the Perl script posted before, setting up separate SAs for UDP ports 1 to 10999 inclusive. I've also added

  [General]
  Exchange-max-time=180
  Retransmits=10

at the top.

OK, so next I tried

  # isakmpd -c /etc/isakmpd/isakmpd.conf.1000 -K -4 -v -d -D 5=99 > log.out 2>&1

but that actually made the problem go away - all 2000 flows were set up correctly :-( I think that the extra work of writing debug info slowed it down sufficiently that whatever was overflowing before is not overflowing now. About 16MB of logs were generated.

Next I tried less debugging, with

  # isakmpd -c /etc/isakmpd/isakmpd.conf.1000 -K -4 -v -d -D 5=50 > log.out3 2>&1

With this the number of flows maxed out at 1840. The logs include things like:

  ...
  113517.306433 Sdep 50 pf_key_v2_get_spi: spi:
  113517.306449 Sdep 50 856af6c7
  ...
  113630.081939 Sdep 40 pf_key_v2_convert_id: IPv4 address 10.1.1.6/32
  113630.081951 Sdep 40 pf_key_v2_convert_id: IPv4 address 10.1.1.1/32
  113630.081966 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.1.1.6 SPI 0x856af6c7
  113630.082048 Default pf_key_v2_set_spi: UPDATE: No such process

I can upload this whole log file if anyone wants to see it (~1MB uncompressed). But perhaps an IPSEC guru can suggest some better way to pin this down.

Finally, I thought I'd give it a go with 10,000 SAs, which is the sort of scale I wanted to test the Cisco with anyway.

  # isakmpd -c /etc/isakmpd/isakmpd.conf.1 -K -4 -v -d -D 5=50 > log.out4 2>&1

It takes a few minutes for isakmpd to get going (although the OpenBSD box remains responsive throughout). Its size grows to 133MB, after which it starts to shrink, and then grow again. The number of flows is low: after 5 minutes it shows

  # ipsecctl -s flow | wc -l
  492
  # grep "No such process" log.out4 | wc -l
  33

After 10 minutes:

  # ipsecctl -s flow | wc -l
  2568

After 20 minutes:

  # ipsecctl -s flow | wc -l
  2992

The machine isn't swapping, and remains responsive although isakmpd is using 100% CPU. But the rate of successful SA setups is much lower than it was with 1,000.

Anyway, I think OpenBSD acquits itself pretty well, and I'm not too worried about it being able to set up 10,000 SAs, but with 1,000 SAs I think it would be worth trying to nail down the pf_key UPDATE problem.

Regards,

Brian Candler.
Re: syslog.conf question: log into a separate file, but not into /var/log/messages
Alexander Farber wrote: I've read man syslog.conf several times, especially this passage: !!prog causes the subsequent block to abort evaluation when a message matches, ensuring that only a single set of actions is taken. !* can be used to ensure that any ensuing blocks are further evaluated (i.e. cancelling the effect of a !prog or !!prog). you might consider simply replacing syslog with syslog-ng. Rob Urban
Has anyone tried to install OpenBSD (PPC) on PS3?
Even though I know OpenBSD main purpose isn't game related, it would be interesting to see it running on a PS3, even for benchmark-only purposes. Did anyone already get one?
Re: ipsecctl setting up multiple SAs
Hans-Joerg Hoexer wrote: more correct diff: Cool. It occurs to me that the protocol ought to be included as well though: e.g. [IPsec-10.1.1.6:1-10.1.1.1:1701-17] That's because (in theory) you might have one SA for UDP and another SA for TCP. Other possibilities would be: [IPsec-10.1.1.6-10.1.1.1-17] or [IPsec-10.1.1.6:0-10.1.1.1:0-17] # protocol specified but ports not specified [IPsec-10.1.1.6-10.1.1.1] or [IPsec-10.1.1.6:0-10.1.1.1:0-0] # no protocol specified Regards, Brian.
Re: on the remote root login in OpenSSH
[2006-11-24 11:26] Woodchuck [EMAIL PROTECTED] wrote: You know, I seem to recall that many versions ago (maybe even as far back as 2.xx) root login on ssh *was* disallowed by default. I recall being bitten by it, too, on remote (other-side-of-the-room) installations on headless machines. just happened to me the day before yesterday pkg_delete(d) bash (login shell of the only user in group wheel) .. so i was indeed very happy to be able to do a ssh root:[EMAIL PROTECTED] christian bahls [1] i do not trust this workstation
X.org on Sun Ultra 10
i post this to the list so it shows up in the web should somebody have the same problem (if you see any mistake please do not hesitate to contact me)

i had problems setting up X.org for an Ultra 10 (i normally use that machine remote so X is less important)

this machine has a Creator3D Framebuffer as well as an ATI Mach64 GP Graphics Card

dmesg:

  vgafb0 at pci1 dev 2 function 0 "ATI Mach64 GP" rev 0x5c
  wsdisplay0 at vgafb0
  wsdisplay0: screen 0 added (std, sun emulation)
  creator0 at mainbus0 addr 0xfebee000: Creator3D, model SUNW,501-4788, dac 10
  wsdisplay1 at creator0: console (std, sun emulation), using wskbd0

the Monitor is connected to the Creator3D

/usr/X11R6/README helped for the first steps (with 4.0 stable the keyboard did not work)

somehow i wasn't able to make X.org use the creator3d as display device .. so i disabled the vgafb in the kernel config

with the following xorg.conf at least the display works: (!notice the FbBpp!)

  Section "ServerLayout"
          Identifier      "X.org Configured"
          Screen          0 "Screen0" 0 0
          InputDevice     "Mouse0" "CorePointer"
          InputDevice     "Keyboard0" "CoreKeyboard"
  EndSection

  Section "Files"
          RgbPath         "/usr/X11R6/lib/X11/rgb"
          FontPath        "/usr/X11R6/lib/X11/fonts/misc/"
          FontPath        "/usr/X11R6/lib/X11/fonts/TTF/"
          FontPath        "/usr/X11R6/lib/X11/fonts/Type1/"
          FontPath        "/usr/X11R6/lib/X11/fonts/CID/"
          FontPath        "/usr/X11R6/lib/X11/fonts/75dpi/"
          FontPath        "/usr/X11R6/lib/X11/fonts/100dpi/"
  EndSection

  Section "Module"
  EndSection

  Section "InputDevice"
          Identifier      "Keyboard0"
          Driver          "kbd"
          Option          "Protocol" "wskbd"
          Option          "Device" "/dev/wskbd0"
  EndSection

  Section "InputDevice"
          Identifier      "Mouse0"
          Driver          "mouse"
          Option          "Protocol" "SunMouse"
          Option          "Device" "/dev/tty00"
          Option          "BaudRate" "1200"
  EndSection

  Section "Monitor"
          Identifier      "Monitor"
          VendorName      "Unknown"
          ModelName       "Unknown"
          # Adjust those to your monitor before using another device than wsfb
          # or you can destroy it !!
          HorizSync       31.5-60
          VertRefresh     50-70
  EndSection

  # All framebuffers
  Section "Device"
          Identifier      "Wsdisplay0"
          Driver          "wsfb"
          Option          "device" "/dev/ttyC0"
  EndSection

  # All framebuffers
  Section "Screen"
          Identifier      "Screen0"
          Device          "Wsdisplay0"
          Monitor         "Monitor"
          DefaultDepth    24
          SubSection "Display"
                  Depth   24
                  FbBpp   32
                  Weight  8 8 8
          EndSubSection
  EndSection

# yours
christian bahls
-- personal reaches me at gmx.de [EMAIL PROTECTED]
Re: IPSec roadwarrior configuration?
On Fri, Nov 24, 2006 at 07:35:10PM +0900, Mathieu Sauve-Frankel wrote: Now VPN-A has this in ipsec.conf: ike passive esp from any to any srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED] If you need to support more than one user in your roadwarrior setup, then don't set dstid. But, according to ipsec.conf: dstid is similar to srcid, but instead specifies the ID to be used by the remote peer. So, if I want multiple roadwarriors to connect, with X.509 certificates, and I leave srcid blank, won't the authentication occur with the client IP, for which I certainly won't have a CERTIP certificate because the IP is undetermined? -- albert chin ([EMAIL PROTECTED])
Re: raidctl: ioctl (RAIDFRAME_CONFIGURE) failed on 4.0 amd64 for RAID 1 (mirroring)
I am not sure whether this is relevant or not, but in my conf pseudo-device raid 4 is defined before option RAID_AUTOCONFIG. Vijay On Fri, 2006-24-11 at 11:17 +0530, Siju George wrote: On 11/24/06, Joachim Schipper [EMAIL PROTECTED] wrote: On Wed, Nov 22, 2006 at 10:35:52PM +0530, Siju George wrote: On 11/22/06, Joachim Schipper [EMAIL PROTECTED] wrote: On Tue, Nov 21, 2006 at 08:22:20PM -0600, Vijay Sankar wrote: Good day, I am pretty sure I was booting from /dev/raid0a on the old server but couldn't repeat that with this desktop. Here is my df -h raidctl -A root raid0? Nope it didn't work for me :-( relevant part from my mail earlier === # raidctl -A root raid0 raid0: Autoconfigure: Yes raid0: Root: Yes # #reboot Did you check that you have `option RAID_AUTOCONFIG' enabled? Even a typo will result in interesting behaviour (as I just found out an hour ago, bsd.rd is useful...) Joachim # cat /usr/src/sys/arch/amd64/conf/GENERIC.RAID include arch/amd64/conf/GENERIC option RAID_AUTOCONFIG pseudo-device raid 4 # Yes I had this config file :-) kind Regards Siju -- Vijay Sankar, M.Eng., P.Eng. ForeTell Technologies Limited 59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6 Phone: 204 885 9535, E-Mail: [EMAIL PROTECTED]
Re: SFTP only access to sshd
Damien Miller wrote on Fri, Nov 24, 2006 at 12:04:15PM +1100:

  On Thu, 23 Nov 2006, Ingo Schwarze wrote:

    From time to time, people come here to ask: How can i set up an account for SFTP only, forbidding shell access? One common answer is scponly, http://sublimation.org/scponly/wiki/ This looks quite powerful, in particular if you intend to chroot. I just had to implement SFTP only access myself. Reading the scponly sources, i realized that the task is nearly trivial as long as you only want SFTP, no other protocols, and need no chroot. So i thought i might as well share with the list. In case i overlooked anything serious, chances are i shall be beaten... ;-)

  In OpenSSH-4.5:

    Match user djm
        X11Forwarding no
        AllowTCPForwarding no
        ForceCommand /usr/libexec/sftp-server

Oops, advertising hacks is certainly a bad idea when standard solutions are already implemented... Sorry for the noise...

What happened is this: I first tried the ForceCommand solution (which i do like for commands either redirecting stdio from /dev/null or expecting ASCII input), but didn't much like the fact that users erroneously using ssh(1) instead of sftp(1) will get no error message, but a chance to type into a binary SFTP connection. Doing harm by some ill chance appears improbable as the SSH_FXP_* packet type codes are all below 32, so they do not correspond to printable ASCII characters. All the same, i feared such users might get rather confused.

While searching for alternative solutions, i completely forgot about ForceCommand. In some situations, just executing /bin/sh -c ForceCommand, regardless of the command supplied to the sshd(8), certainly is the best thing to do. In this special case, returning an error message in case of a command mismatch might even be nicer. But that probably won't warrant adding yet another option to sshd_config(5).
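The "error message in case of a command mismatch" variant Ingo mentions does not need a new sshd_config option: point ForceCommand at a small wrapper instead of at sftp-server itself. The script below is an added example for this thread, not code from OpenSSH, OpenBSD or any poster. It relies on sshd exporting the command the client asked for in SSH_ORIGINAL_COMMAND (for a subsystem request, that is the Subsystem command line configured in sshd_config) and only inspects that string, never executes it; the install path /usr/local/libexec/sftp-only and the Match block in the header comment are assumptions, while /usr/libexec/sftp-server is the OpenBSD default.

```shell
#!/bin/sh
# sftp-only: ForceCommand wrapper that admits SFTP and refuses everything else.
# Added example for this thread, not OpenSSH or OpenBSD code. Assumed sshd_config:
#
#   Subsystem sftp /usr/libexec/sftp-server
#   Match Group sftponly
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand /usr/local/libexec/sftp-only
#
# sshd exports the client's requested command in SSH_ORIGINAL_COMMAND; for a
# subsystem request that is the Subsystem command line configured above.

SFTP_SERVER=/usr/libexec/sftp-server

# is_sftp_request CMD: exit 0 if CMD is an sftp subsystem request, 1 otherwise.
# The string is only pattern-matched, never evaluated, so shell metacharacters
# in a hostile SSH_ORIGINAL_COMMAND cannot do anything here.
is_sftp_request() {
    case "$1" in
        */sftp-server|*/sftp-server" "*) return 0 ;;
        *)                               return 1 ;;
    esac
}

# sftp_only_main: exec the real sftp-server for SFTP requests; otherwise tell
# the user why the session ends instead of leaving them typing into a binary
# SFTP channel, and exit non-zero so the client sees a failure.
sftp_only_main() {
    if is_sftp_request "${SSH_ORIGINAL_COMMAND-}"; then
        exec "$SFTP_SERVER"
    fi
    printf 'This account is restricted to SFTP; use sftp(1), not ssh(1).\n' >&2
    return 1
}

# Dispatch only when installed and run under the assumed name, so the functions
# above can also be sourced and exercised outside an SSH session.
case "${0##*/}" in
    sftp-only) sftp_only_main; exit $? ;;
esac
```

Whatever the client passed, the wrapper execs the fixed sftp-server path with no arguments, so a request such as `ssh host 'x; /usr/libexec/sftp-server'` still only yields an SFTP session. Keep the X11Forwarding and AllowTcpForwarding settings from Damien's example alongside ForceCommand; the wrapper restricts the command, not the channels a shell-less client can still open.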
Re: crash on 4.0 (but no ddb)
This machine has been locking up randomly once or twice a day on average, but always when X is running. So I've been leaving it in console mode at night, hoping it crashes into ddb... Last night it crashed, but unfortunately, it didn't go into ddb on its own, and the ddb.console Ctl-Alt-Esc key sequence didn't work either. Once again, the keyboard was completely dead (CapsLock key doesn't even toggle the LED). Actually that's not entirely true, I had left the LCD backlight turned off, and hitting a random key turned it back on. But that's the extent of the keyboard functionality. It looks like there was no activity when the machine crashed. I don't have cron jobs that run at night, other than fetchmail (0,30 * * * *) and it crashed sometime between 02:03:30 and 02:23:29: Nov 24 01:03:29 icicle -- MARK -- Nov 24 01:23:29 icicle -- MARK -- Nov 24 01:43:30 icicle -- MARK -- Nov 24 02:03:30 icicle -- MARK -- Nov 24 08:59:58 icicle syslogd: restart Nov 24 08:59:58 icicle /bsd: OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006 Nov 24 08:59:58 icicle /bsd: [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC I'm not sure what to do at this point. I'll run memtest86 tonight, but I'm very skeptical that it will reveal any hardware problems. This machine started acting strange the next day after I upgraded it to 4.0, and I can't recall a single crash during the 3.7 - 3.9 releases.
Mail to 'misc' being forwarded to 'ports'?
I'm getting the following when posting to 'misc'. Is this known and/or intentional? I'm not bcc'ing to 'ports' - honest! Regards, Brian. Return-path: [EMAIL PROTECTED] Envelope-to: [EMAIL PROTECTED] Delivery-date: Fri, 24 Nov 2006 14:50:00 + Received: from [127.0.0.1] (helo=mappit.linnet.org) by localhost with esmtp (Exim 4.60) (envelope-from [EMAIL PROTECTED]) id 1GncNM-0004P6-1m for [EMAIL PROTECTED]; Fri, 24 Nov 2006 14:50:00 + Received: from pop3.linnet.org by mappit.linnet.org with POP3 (fetchmail-6.3.2) for [EMAIL PROTECTED] (single-drop); Fri, 24 Nov 2006 14:50:00 + (GMT) Received: from [208.210.124.73] (helo=gold.pobox.com) by mk-mx-1.b2b.uk.tiscali.com with esmtp (Exim 4.24) id 1GnbXf-000OfK-2r for [EMAIL PROTECTED]; Fri, 24 Nov 2006 13:56:35 + Received: from localhost.localdomain (localhost [127.0.0.1]) by gold.pobox.com (Postfix) with ESMTP id 0BDB2D0592 for [EMAIL PROTECTED]; Fri, 24 Nov 2006 08:56:57 -0500 (EST) Delivered-To: [EMAIL PROTECTED] Received: from shear.ucar.edu (shear.ucar.edu [192.43.244.163]) by gold.pobox.com (Postfix) with ESMTP id A7234D4AFE for [EMAIL PROTECTED]; Fri, 24 Nov 2006 08:45:01 -0500 (EST) Received: from openbsd.org (localhost.ucar.edu [127.0.0.1]) by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAODAjW7022092 for [EMAIL PROTECTED]; Fri, 24 Nov 2006 06:10:45 -0700 (MST) MIME-Version: 1.0 X-Mailer: MIME-tools 5.420 (Entity 5.420) Date: Fri, 24 Nov 2006 06:10:45 -0700 From: [EMAIL PROTECTED] To: Brian Candler [EMAIL PROTECTED] Subject: Message rejected X-Security: message sanitized on shear.ucar.edu See http://www.impsec.org/email-tools/sanitizer-intro.html for details. 
$Revision: 1.147 $Date: 2004-10-02 11:16:26-07 Content-Type: text/plain; charset=us-ascii Message-ID: [EMAIL PROTECTED] X-Converted-To-Plain-Text: from multipart/mixed by demime 1.01d X-Converted-To-Plain-Text: Alternative section used was text/plain Your message to ports@openbsd.org was rejected because it was not explicitly addressed to the ports mailing list. If you intended to send a blind carbon copy, you must include a valid Bcc: header. X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on shear.ucar.edu X-Spam-Level: X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,FORGED_RCVD_HELO autolearn=unavailable version=3.1.4 Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.235]) by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAODAZrY018222 for ports@openbsd.org; Fri, 24 Nov 2006 06:10:36 -0700 (MST) Received: by wx-out-0506.google.com with SMTP id t4so779681wxc for ports@openbsd.org; Fri, 24 Nov 2006 05:10:35 -0800 (PST) Received: by 10.90.105.20 with SMTP id d20mr7297753agc.1164373835788; Fri, 24 Nov 2006 05:10:35 -0800 (PST) X-Forwarded-To: ports@openbsd.org, [EMAIL PROTECTED], misc@openbsd.org X-Forwarded-For: [EMAIL PROTECTED] ports@openbsd.org, [EMAIL PROTECTED], misc@openbsd.org X-Gmail-Received: a3fb48cf952e9fe93945d81618c431fb9d58bb76 Delivered-To: [EMAIL PROTECTED] Received: by 10.90.104.12 with SMTP id b12cs26662agc; Fri, 24 Nov 2006 05:10:35 -0800 (PST) Received: by 10.70.33.7 with SMTP id g7mr10044496wxg.1164373835522; Fri, 24 Nov 2006 05:10:35 -0800 (PST) Received: from shear.ucar.edu (shear.ucar.edu [192.43.244.163]) by mx.google.com with ESMTP id i12si12406432wxd.2006.11.24.05.10.33; Fri, 24 Nov 2006 05:10:35 -0800 (PST) Received-SPF: neutral (google.com: 192.43.244.163 is neither permitted nor denied by domain of [EMAIL PROTECTED]) Received: from openbsd.org (localhost.ucar.edu [127.0.0.1]) by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAOCjfa9014739; Fri, 24 Nov 2006 05:45:41 -0700 (MST) Received: from 
rune.pobox.com (rune.pobox.com [208.210.124.79]) by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAOCgCOY015553 for misc@openbsd.org; Fri, 24 Nov 2006 05:42:12 -0700 (MST) Received: from rune (localhost [127.0.0.1]) by rune.pobox.com (Postfix) with ESMTP id 92A15964BF for misc@openbsd.org; Fri, 24 Nov 2006 07:42:33 -0500 (EST) Received: from mappit.linnet.org (212-74-113-67.static.dsl.as9105.com [212.74.113.67]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by rune.sasl.smtp.pobox.com (Postfix) with ESMTP id 5007A95325 for misc@openbsd.org; Fri, 24 Nov 2006 07:42:33 -0500 (EST) Received: from brian by mappit.linnet.org with local (Exim 4.60) (envelope-from [EMAIL PROTECTED]) id 1GnaOj-0002nE-FV for misc@openbsd.org; Fri, 24 Nov 2006 12:43:17 + Date: Fri, 24 Nov 2006 12:43:17 + From: Brian Candler [EMAIL PROTECTED] To: misc@openbsd.org Subject: Re: ipsecctl setting up multiple SAs Message-ID: [EMAIL PROTECTED] References: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii In-Reply-To: [EMAIL
SCSI and several adapters on the same bus
Hello, does OpenBSD handle several adapters on the same SCSI bus? Clarifying: Several adapters of course with different SCSI ids, but connected via one cable on the same SCSI bus. It may happen that I have a need for this, so would be fine to read which experiences [EMAIL PROTECTED] have. Have a nice day Michael -- Michael Schmidt MIRRORS: DJGPP ftp://ftp.fh-koblenz.de/pub/CompilerTools/DJGPP/ Watcom ftp://ftp.fh-koblenz.de/pub/CompilerTools/Watcom/ OpenOffice ftp://ftp.fh-koblenz.de/pub/OpenOffice/
Re: Mail to 'misc' being forwarded to 'ports'?
Brian Candler wrote: I'm getting the following when posting to 'misc'. Is this known and/or intentional? I'm not bcc'ing to 'ports' - honest! Regards, Brian. ... Yeah, someone did something annoying with their mail account. The right people to fix it are trying to be contacted...in the mean time, don't worry about it... Nick.
Re: IPSec roadwarrior configuration?
On Fri, Nov 24, 2006 at 07:54:49AM -0600, Albert Chin wrote: On Fri, Nov 24, 2006 at 07:35:10PM +0900, Mathieu Sauve-Frankel wrote: Now VPN-A has this in ipsec.conf: ike passive esp from any to any srcid [EMAIL PROTECTED] dstid [EMAIL PROTECTED] If you need to support more than one user in your roadwarrior setup, then don't set dstid. But, according to ipsec.conf: dstid is similar to srcid, but instead specifies the ID to be used by the remote peer. So, if I want multiple roadwarriors to connect, with X.509 certificates, and I leave srcid blank, won't the authentication occur with the client IP, for which I certainly won't have a CERTIP certificate because the IP is undetermined? Ok, if I specify srcid but no dstid, then multiple clients can connect. Maybe I missed something but it wasn't obvious that this would work, reading ipsec.conf(5) and isakmpd(8). -- albert chin ([EMAIL PROTECTED])
Re: Mail to 'misc' being forwarded to 'ports'?
On Fri, Nov 24, 2006 at 02:52:23PM +, Brian Candler wrote: I'm getting the following when posting to 'misc'. Is this known and/or intentional? I'm not bcc'ing to 'ports' - honest! Something weird is going on, and various things are ending up in ports@ that don't belong there. Someone has already noted this on ports@, and I assume someone is looking into it. -- Darrin Chandler| Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/ |
Re: on the remote root login in OpenSSH
Hi Dave, On Fri, Nov 24, 2006 at 01:50:52AM -0500, Woodchuck wrote: | At worst you have a small window during installation in which root | logins are allowed, before you shut them off by chroot'ing as Paul | outlined in his post. I'm not sure I understand, what window is this ? Before (and after) chroot'ing into your system, sshd is not running so root logins are not allowed. At most, they're configured to be allowed when sshd starts up (this is exactly what everybody is free to change after install, in the chroot (or without chrooting using ed(1))). | btw, that chroot to /mnt may not be obvious to some, and a little | advisory (or even a menu choice) at the end of the install script | might be a good use of a 100 bytes or so. | | Halt now (H), Chroot to installed system (C) or shell (S)? [S] It's in the FAQ, these days. See section 4.5.7. Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/ [demime 1.01d removed an attachment of type application/pgp-signature]
Re: X.org on Sun Ultra 10
Christian Ruediger Bahls wrote:

  i post this to the list so it shows up in the web should somebody have the same problem (if you see any mistake please do not hesitate to contact me)

  i had problems setting up X.org for an Ultra 10 (i normally use that machine remote so X is less important)

  this machine has a Creator3D Framebuffer as well as an ATI Mach64 GP Graphics Card

  dmesg:
  vgafb0 at pci1 dev 2 function 0 ATI Mach64 GP rev 0x5c
  wsdisplay0 at vgafb0
  wsdisplay0: screen 0 added (std, sun emulation)
  creator0 at mainbus0 addr 0xfebee000: Creator3D, model SUNW,501-4788, dac 10
  wsdisplay1 at creator0: console (std, sun emulation), using wskbd0
           ^^
            |

  the Monitor is connected to the Creator3D

  /usr/X11R6/README helped for the first steps (with 4.0 stable the keyboard did not work)

  somehow i wasn't able to make X.org use the creator3d as display device .. so i disabled the vgafb in the kernel config

There's a better way... :)

  ...
  # All framebuffers
  Section Device
          Identifier Wsdisplay0
                              ^^
                               |
          Driver wsfb
          Option device /dev/ttyC0
                                ^^ make that /dev/ttyD0
  EndSection

i.e., set up X to drive the second device, not the first device. See the section in /usr/X11R6/README about ..systems with both UPA and VGA framebuffers ...

What you did works, but in general, mod'ding the kernel (even with config(8)) is less desirable than running completely stock, 'specially when it comes to upgrades/updates.

Nick.
Re: Mail to 'misc' being forwarded to 'ports'?
This happens to me as well and unfortunately I don't know how to remedy this problem. Regards, Alden Brian Candler wrote: I'm getting the following when posting to 'misc'. Is this known and/or intentional? I'm not bcc'ing to 'ports' - honest! Regards, Brian. ...
Re: Why Sendmail?
Martin, Why being so nice? Fear of widening openbsd customer base? /Paolo On Nov 23, 2006, at 2:44 PM, Martin Schröder wrote: Search the archives, you troll
Re: crash on 4.0 (but no ddb)
From: Stephen Takacs [EMAIL PROTECTED] Sent: Friday, November 24, 2006 9:35 AM ---snip--- I'm not sure what to do at this point. I'll run memtest86 tonight, but I'm very skeptical that it will reveal any hardware problems. This machine started acting strange the next day after I upgraded it to 4.0, and I can't recall a single crash during the 3.7 - 3.9 releases. If you haven't done it already, check your motherboard hardware for signs of heat creep. A system I recently troubleshot had an unsecured DIMM memory ejector clip and the memory module was slightly lifted up on one side causing random system lockups.
Re: ipsecctl setting up multiple SAs
On 24 nov 2006, at 13.12, Brian Candler wrote:

  ...
  Time(s)   Num flows
  -------   ---------
  10        606
  20        976
  30        1286
  40        1384
  50        1768
  60        1946
  70        1946
  ..

  And there it stops, never reaching 2000 (in+out). But I find the following in /var/log/messages:

    Nov 24 11:12:45 gw isakmpd[32720]: pf_key_v2_set_spi: UPDATE: No such process
    Nov 24 11:12:45 gw last message repeated 26 times

  1946 + 27*2 = 2000, so that's where the missing flows have gone. For some reason some of them are not known; maybe some earlier messages to the kernel were silently dropped?

This particular part of the IKE implementation works something like the following:

1. start a negotiation (here: start 1000 negotiations simultaneously)
2. each negotiation starts by reserving a SPI value (for every proposal) in the kernel, the SPI is a 32-bit number but has to be unique. If you do debug logging, you'll see a number of GETSPI calls here.
3. isakmpd starts to send out IKE packets to the other host(s)
4. the other side responds, and assuming everything is ok one proposal (per negotiation) is selected
5. the selected SPI (or larval SA state) on the local system is updated with the keying material, timeouts etc - i.e. the real SA is finalized

This continues until all negotiations are complete -- however there is a limit on how long this larval SA lives in the kernel... as you may guess it's 60 seconds. (The idea being if a negotiation has not completed in 60 seconds something has probably failed.)

Since the hosts seem to be a bit slow in running IKE negotiations, you hit the 60 second limit before all negotiations are complete, all remaining larval SAs are dropped and when isakmpd tries to update them into real SAs this of course fails. (No such process approx means no SA found here.)

/H

PS When I tried between two ~700MHz P-III machines a while back, setting up 4096 (or was it 8k) SAs was no problem. Another developer had a scenario setting up 40960 SAs over loopback on his laptop -- mainly a test of kernel memory usage, but he did not hit the 60s larval-SA time limit there either.
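Hakan's 60-second figure can be checked against Brian's -D 5=50 excerpt directly: the GETSPI line carries the time the larval SA was reserved and the later set_spi line the time the UPDATE was attempted, so the gap between the two for the same SPI tells you whether the larval lifetime had already run out (in the quoted lines it is 11:35:17 to 11:36:30, about 73 seconds). The script below is an added example, not code from the thread or from isakmpd; the log it embeds is constructed after the lines Brian posted (same format, plus a second SPI that completes in time), and it assumes that the kernel's "No such process" line immediately follows the set_spi line it belongs to, as it does in the excerpt.

```shell
#!/bin/sh
# Added example: measure GETSPI-to-UPDATE latency per SPI in isakmpd debug
# output (-D 5=50) and flag the SPIs whose larval SA would have expired.
# Not code from the thread or from isakmpd.

# Hakan's figure: the kernel discards a larval SA after 60 seconds.
LARVAL_LIFETIME=60

# Constructed sample, modelled on the lines Brian posted: one SPI updated
# about 73 s after reservation (fails), one updated after 22.6 s (succeeds).
sample_log() {
    cat <<'EOF'
113517.306433 Sdep 50 pf_key_v2_get_spi: spi:
113517.306449 Sdep 50 856af6c7
113517.400000 Sdep 50 pf_key_v2_get_spi: spi:
113517.400017 Sdep 50 0a1b2c3d
113540.000000 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.1.1.6 SPI 0x0a1b2c3d
113630.081939 Sdep 40 pf_key_v2_convert_id: IPv4 address 10.1.1.6/32
113630.081951 Sdep 40 pf_key_v2_convert_id: IPv4 address 10.1.1.1/32
113630.081966 Sdep 10 pf_key_v2_set_spi: satype 2 dst 10.1.1.6 SPI 0x856af6c7
113630.082048 Default pf_key_v2_set_spi: UPDATE: No such process
EOF
}

# larval_sa_report: read an isakmpd log on stdin and print one line per SPI,
# "<spi> <seconds> <ok|FAILED>", where <seconds> is the time between GETSPI
# and the UPDATE attempt (-1 if the GETSPI was not in the input).
larval_sa_report() {
    awk '
    # Timestamps are HHMMSS.uuuuuu; convert to seconds since midnight.
    function tosec(ts) {
        return substr(ts, 1, 2) * 3600 + substr(ts, 3, 2) * 60 + substr(ts, 5)
    }
    # The SPI value is printed on the line after "pf_key_v2_get_spi: spi:".
    /pf_key_v2_get_spi: spi:/ { pending = tosec($1); next }
    pending != "" { reserved[tolower($NF)] = pending; pending = ""; next }
    # The UPDATE that turns the larval SA into a real one names the SPI as 0x....
    /pf_key_v2_set_spi: satype/ {
        spi = tolower($NF); sub(/^0x/, "", spi)
        elapsed[spi] = (spi in reserved) ? tosec($1) - reserved[spi] : -1
        status[spi] = "ok"; last = spi
        next
    }
    # The kernel error is logged right after the UPDATE it belongs to.
    /pf_key_v2_set_spi: UPDATE: No such process/ { if (last != "") status[last] = "FAILED" }
    END { for (s in elapsed) printf "%s %.3f %s\n", s, elapsed[s], status[s] }
    '
}

# stale_larvals: from a report on stdin, keep the SPIs whose UPDATE came after
# the larval lifetime had already run out.
stale_larvals() {
    awk -v limit="$LARVAL_LIFETIME" '$2 > limit { print $1 }'
}

sample_log | larval_sa_report | sort
```

Run it against a real capture with `larval_sa_report < log.out3 | stale_larvals`; if every FAILED SPI is also in the stale list, the failures are the timeout Hakan describes rather than dropped PF_KEY messages, and the fix is fewer simultaneous negotiations or a faster peer, not a kernel bug hunt.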
powerpc package updates
I notice that while some platforms ( i386, amd64, sparc64 ) get their current packages rebuilt somewhat frequently, the powerpc platform is over 30 days old. Is this due to a hardware shortage? Would getting someone to donate an Xserve help? - Hobbes : Well, you still have afternoons and weekends Calvin : That's when I watch TV.
Re: Mail to 'misc' being forwarded to 'ports'?
On Fri, Nov 24, 2006 at 08:20:02AM -0700, Darrin Chandler wrote: On Fri, Nov 24, 2006 at 02:52:23PM +, Brian Candler wrote: I'm getting the following when posting to 'misc'. Is this known and/or intentional? I'm not bcc'ing to 'ports' - honest! Something weird is going on, and various things are ending up in ports@ that don't belong there. Someone has already noted this on ports@, and I assume someone is looking into it. FWIW, when I sent a mail to 'bugs' I got two similar bounces back; one said I was trying to bcc 'ports' and the other said I was trying to bcc 'misc' Regards, Brian.
Re: crash on 4.0 (but no ddb)
I'm not sure what to do at this point. I'll run memtest86 tonight, but I'm very skeptical that it will reveal any hardware problems. This machine started acting strange the next day after I upgraded it to 4.0, and I can't recall a single crash during the 3.7 - 3.9 releases. I've had faulty hardware that was somewhat stable with earlier releases but crashed more often with code from sometime in april; the key point is that the hardware _was_ faulty. memtest86 did not find any RAM errors. 'make build' whilst running stress (from ports) did crash (quickly in the case of the newer OS; after running for a while in the case of the older OS). This was resolved by replacing the CPU with a good one. I guess some people would prefer things to keep running even with faulty hardware. This may be more common amongst people who think that computers crash for no good reason from time to time, though hopefully they are running some other OS...
Unlock your ePassporte Online Account
WARNING! We've noticed that you experienced trouble logging into ePassporte Online Account. After three unsuccessful attempts to access your account, your ePassporte Online Profile has been locked. This has been done to secure your accounts and to protect your private information. ePassporte is committed to making sure that your online transactions are secure. To unlock your account, and verify your identity please follow this link and sign in: SERVICE: ePassporte Online Secure EXPIRATION: Nov - 24 - 2006 Sign in Now your ePassporte Online Secure. Sincerely, ePassporte Online Customer Service. Please do not reply to this message. For any inquiries, contact Customer Service. Document Reference: (87051203). Copyright 1996 - 2006 ePassporte, N.A. Internet Service.
New Article
Has anyone seen http://uncyclopedia.org/wiki/OpenBSD ? Quite informative.
Re: Is RAIDframe good for production?
On Fri, 24 Nov 2006, Igor Goldenberg wrote: So, what's better - to have base system partially on RAID or only for custom data or not to use RAID at all?

We use RAIDFrame all the time, but *ONLY* on production servers with totally reliable power. We used to use it for customer machines, but without at least triple power redundancy the rebuild time is way too long. For customers, we have moved them to a 15 minute rsync.

Lee

Leland V. Lammert [EMAIL PROTECTED] Chief Scientist Omnitec Corporation Network/Internet Consultants www.omnitec.net
Re: wirless LAN - DWL-G120 on OPENBSD 4.0
It is based on the Conexant Prism54 USB2.0 chipset which is not currently supported in OpenBSD. If you send it to me I may consider writing a driver for it on a rainy day ;-) Damien | Is any one working on this driver? | I have D-LINK DWL-G120 USB wireless. | dmesg shows some thing like this | - | ugen0 at uhub2 port 1 | ugen0: D-Link product 0x3701, rev 2.00/2.03, addr 2 | | - | I run ifconfig -a but cannot show it at all? | | DO you have any ideas to make this card work? | do I have to compile the kernel? | if yes , what to change? | | Thanks | Minh
Re: on the remote root login in OpenSSH
On Fri, 24 Nov 2006, Paul de Weerd wrote: Hi Dave, On Fri, Nov 24, 2006 at 01:50:52AM -0500, Woodchuck wrote: | At worst you have a small window during installation in which root | logins are allowed, before you shut them off by chroot'ing as Paul | outlined in his post. I'm not sure I understand, what window is this ? Before (and after) Apparently no window at all, perhaps the one painted on my wall by some of the refreshments yesterday. I was ignoring changing it after installation and before first boot. The window would have been between first boot and hupping sshd with the no root option. Dave -- Confound these wretched rodents! For every one I fling away, a dozen more vex me! -- Doctor Doom
Re: Mail to 'misc' being forwarded to 'ports'?
On Fri, Nov 24, 2006 at 10:33:35AM -0500, Alden Pierre wrote: This happens to me as well and unfortunately I don't know how to remedy this problem.

OK, I actually read those headers this time, and I think I have a clue now. Look:

Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.235]) by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAODAZrY018222 for ports@openbsd.org; Fri, 24 Nov 2006 06:10:36 -0700 (MST)
Received: by wx-out-0506.google.com with SMTP id t4so779681wxc for ports@openbsd.org; Fri, 24 Nov 2006 05:10:35 -0800 (PST)
Received: by 10.90.105.20 with SMTP id d20mr7297753agc.1164373835788; Fri, 24 Nov 2006 05:10:35 -0800 (PST)
X-Forwarded-To: ports@openbsd.org, [EMAIL PROTECTED], misc@openbsd.org
X-Forwarded-For: [EMAIL PROTECTED] ports@openbsd.org, [EMAIL PROTECTED], misc@openbsd.org
X-Gmail-Received: a3fb48cf952e9fe93945d81618c431fb9d58bb76
Delivered-To: [EMAIL PROTECTED]
Received: by 10.90.104.12 with SMTP id b12cs26662agc; Fri, 24 Nov 2006 05:10:35 -0800 (PST)
Received: by 10.70.33.7 with SMTP id g7mr10044496wxg.1164373835522; Fri, 24 Nov 2006 05:10:35 -0800 (PST)
Received: from shear.ucar.edu (shear.ucar.edu [192.43.244.163]) by mx.google.com with ESMTP id i12si12406432wxd.2006.11.24.05.10.33; Fri, 24 Nov 2006 05:10:35 -0800 (PST)
Received-SPF: neutral (google.com: 192.43.244.163 is neither permitted nor denied by domain of [EMAIL PROTECTED])
Received: from openbsd.org (localhost.ucar.edu [127.0.0.1]) by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAOCjfa9014739; Fri, 24 Nov 2006 05:45:41 -0700 (MST)
Received: from rune.pobox.com (rune.pobox.com [208.210.124.79]) by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAOCgCOY015553 for misc@openbsd.org; Fri, 24 Nov 2006 05:42:12 -0700 (MST)
Received: from rune (localhost [127.0.0.1]) by rune.pobox.com (Postfix) with ESMTP id 92A15964BF for misc@openbsd.org; Fri, 24 Nov 2006 07:42:33 -0500 (EST)
Received: from mappit.linnet.org (212-74-113-67.static.dsl.as9105.com [212.74.113.67]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by rune.sasl.smtp.pobox.com (Postfix) with ESMTP id 5007A95325 for misc@openbsd.org; Fri, 24 Nov 2006 07:42:33 -0500 (EST)
Received: from brian by mappit.linnet.org with local (Exim 4.60) (envelope-from [EMAIL PROTECTED]) id 1GnaOj-0002nE-FV for misc@openbsd.org; Fri, 24 Nov 2006 12:43:17 +

It got delivered to [EMAIL PROTECTED]

It then got delivered to [EMAIL PROTECTED], who is presumably a subscriber to misc.

It then seems to have been forwarded from there to ports@openbsd.org, [EMAIL PROTECTED], misc@openbsd.org [and presumably misc detects the loop]

So it appears the solution is to unsubscribe [EMAIL PROTECTED] from all openbsd mailing lists (since he/she seems to be doing the same for 'bugs' too)

Regards, Brian.
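As an added example (not part of Brian's post or of any list software), the following Python does mechanically what the analysis above does by eye: it unfolds each Received header, pulls out the from/by/for fields, reverses them into delivery order, and flags the hop where a message the list MX had already accepted comes back in through an outside host. The sample message is constructed to mirror the quoted headers: the host names are the ones in the post, the subscriber's address is replaced by the placeholder subscriber@example.com, and the list MX name shear.ucar.edu is taken from those headers rather than discovered.

```python
"""Trace a message's Received chain and spot re-injection through a subscriber's auto-forward."""
import email
import re

# Constructed sample modelled on the header chain quoted in the thread above.
# Host names are as in the post; subscriber@example.com is a placeholder.
SAMPLE = """\
Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.235])
 by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAODAZrY018222
 for ports@openbsd.org; Fri, 24 Nov 2006 06:10:36 -0700 (MST)
Received: by wx-out-0506.google.com with SMTP id t4so779681wxc
 for ports@openbsd.org; Fri, 24 Nov 2006 05:10:35 -0800 (PST)
X-Forwarded-To: ports@openbsd.org, subscriber@example.com, misc@openbsd.org
X-Forwarded-For: subscriber@example.com ports@openbsd.org, subscriber@example.com, misc@openbsd.org
Delivered-To: subscriber@example.com
Received: from shear.ucar.edu (shear.ucar.edu [192.43.244.163])
 by mx.google.com with ESMTP id i12si12406432wxd.2006.11.24.05.10.33;
 Fri, 24 Nov 2006 05:10:35 -0800 (PST)
Received: from openbsd.org (localhost.ucar.edu [127.0.0.1])
 by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAOCjfa9014739;
 Fri, 24 Nov 2006 05:45:41 -0700 (MST)
Received: from rune.pobox.com (rune.pobox.com [208.210.124.79])
 by shear.ucar.edu (8.13.8/8.13.6) with ESMTP id kAOCgCOY015553
 for misc@openbsd.org; Fri, 24 Nov 2006 05:42:12 -0700 (MST)
Received: from mappit.linnet.org (212-74-113-67.static.dsl.as9105.com [212.74.113.67])
 by rune.sasl.smtp.pobox.com (Postfix) with ESMTP id 5007A95325
 for misc@openbsd.org; Fri, 24 Nov 2006 07:42:33 -0500 (EST)
From: brian@example.org
To: misc@openbsd.org
Subject: test

body
"""

HOP_RE = re.compile(
    r"(?:from\s+(?P<frm>\S+))?"                  # sending host; absent on "Received: by ..." lines
    r".*?\bby\s+(?P<by>\S+)"                     # receiving MTA
    r"(?:.*?\bfor\s+<?(?P<rcpt>[^>;\s]+)>?)?",   # envelope recipient, when the MTA records it
    re.S,
)


def hops(raw):
    """Return the delivery path oldest-first as (from, by, for) tuples.
    Each MTA prepends its Received header, so header order is newest-first."""
    msg = email.message_from_string(raw)
    path = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())           # unfold continuation lines
        m = HOP_RE.search(text)
        if m:
            path.append((m.group("frm"), m.group("by"), m.group("rcpt")))
    path.reverse()
    return path


def find_reinjection(raw, list_mx, list_domain):
    """Find the hop where the list MX accepts, for one of its lists, a message it
    had already accepted earlier and that has since passed through an outside host.
    Returns a dict describing the re-entry, or None if the chain is clean.
    The forwarder is read from X-Forwarded-For, whose first token is the
    forwarding account in the headers quoted in the thread."""
    msg = email.message_from_string(raw)
    accepted = False          # list MX has accepted the message once
    left = False              # it has since been handled by a non-list host
    for frm, by, rcpt in hops(raw):
        on_list = rcpt is not None and rcpt.endswith("@" + list_domain)
        if by == list_mx and on_list:
            if accepted and left:
                fwd = msg.get("X-Forwarded-For", "").split()
                return {"reinjected_via": frm, "for": rcpt,
                        "forwarder": fwd[0] if fwd else None}
            accepted = True
        elif accepted and by != list_mx:
            left = True
    return None


if __name__ == "__main__":
    for hop in hops(SAMPLE):
        print("%-40s -> %-28s for %s" % hop)
    print(find_reinjection(SAMPLE, "shear.ucar.edu", "openbsd.org"))
```

The check keys on the list MX name rather than on a "for" field alone, because the sender's own relay (rune.pobox.com above) also logs "for misc@openbsd.org" before the list ever sees the message; only a second acceptance by the list MX after an outside hop is evidence of a forward-back loop.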
Re: ipsecctl setting up multiple SAs
On Fri, Nov 24, 2006 at 05:22:05PM +0100, Håkan Olsson wrote:

5. the selected SPI (or larval SA state) on the local system is updated with the keying material, timeouts etc - i.e. the real SA is finalized

This continues until all negotiations are complete -- however there is a limit on how long this larval SA lives in the kernel... as you may guess it's 60 seconds. (The idea being if a negotiation has not completed in 60 seconds something has probably failed.)

Since the hosts seem to be a bit slow in running IKE negotiations, you hit the 60 second limit before all negotiations are complete, all remaining larval SAs are dropped and when isakmpd tries to update them into real SAs this of course fails. (No such process approx means no SA found here.)

Thank you for that very clear description. Is this 60 second timeout a tunable? Or can you point me to where it's defined in the kernel? I'd like to try increasing it.

However, at this stage I don't really understand why setting -D 5=99, which generates copious logs, makes it work. In fact I can get to 3,000 tunnels (6,000 flows) within a couple of minutes with this flag set. Perhaps this extra logging delays the starts of some of the negotiations, somehow spreading the workload. (Maybe having a workload spreading option, so that no more than N outstanding exchanges are present at once, would be a useful control anyway)

PS When I tried between two ~700Mhz P-III machines a while back, setting up 4096 (or was it 8k) SAs was no problem. Another developer had a scenario setting up 40960 SAs over loopback on his laptop -- mainly a test of kernel memory usage, but he did not hit the 60s larval-SA time limit there either.

I can think of several possibilities as to why some negotiations are taking more than 60 seconds. For instance:

(1) The Cisco 7301 may be slow to respond. It does have a VAM2+ crypto accelerator installed, but I don't know if it's used for isakmp exchanges, or just for symmetric encryption/decryption. (However, 'show proc cpu history' suggests CPU load is no more than about 25%)

(2) There may be packet loss and retransmissions, maybe due to some network buffer overflowing, either on OpenBSD or Cisco. The OpenBSD box is using a nasty rl0 card, because that's the only spare interface I had available to go into the test LAN. Having said that, watching with 'top' I don't see the interrupt load go above 10%.

I'm not sure how to probe deeper to get a handle on what's actually happening though. Perhaps isakmpd -L logging might shed some light, although I don't fancy decoding QM exchanges by hand :-(

Regards, Brian.
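As an added illustration of the mechanism Håkan describes (GETSPI reserves a larval SA, the kernel drops it after 60 seconds, a late UPDATE then fails with "No such process") and of Brian's idea of capping the number of outstanding exchanges, here is a small discrete-event model in Python. It is neither isakmpd nor kernel code: the peer is modelled as a single FIFO responder that needs a constructed 100 ms per quick-mode exchange, SPI values are sequential placeholders rather than random 32-bit numbers, and the concurrency cap is the model's own knob, not an isakmpd option.

```python
"""Toy model of larval-SA expiry under many simultaneous IKE negotiations."""
import heapq

LARVAL_TTL_MS = 60_000     # the kernel drops an unfinished larval SA after 60 s (from the thread)


class KernelLarvalTable:
    """Kernel side of the exchange: GETSPI reserves a larval SA, UPDATE finalizes it."""

    def __init__(self, ttl_ms=LARVAL_TTL_MS):
        self.ttl_ms = ttl_ms
        self.larval = {}          # spi -> time (ms) the SPI was reserved
        self.mature = set()       # SPIs that received keying material in time
        self.esrch = 0            # UPDATE calls that found no larval SA ("No such process")
        self.next_spi = 0x1000    # constructed placeholder; real SPIs are random 32-bit values

    def getspi(self, now_ms):
        spi = self.next_spi
        self.next_spi += 1
        self.larval[spi] = now_ms
        return spi

    def update(self, spi, now_ms):
        reserved_at = self.larval.pop(spi, None)
        if reserved_at is None or now_ms - reserved_at > self.ttl_ms:
            self.esrch += 1       # larval SA already expired: this is the ESRCH isakmpd logs
            return False
        self.mature.add(spi)
        return True


def run_negotiations(count, exchange_ms, max_outstanding=None, ttl_ms=LARVAL_TTL_MS):
    """Drive `count` negotiations against a peer modelled as one FIFO responder
    needing `exchange_ms` per negotiation (constructed assumption).
    max_outstanding=None starts everything at once, as in the thread; an integer
    caps how many reserved-but-unfinished SAs may exist at a time.
    Returns (matured, esrch_errors, longest_larval_lifetime_ms)."""
    kern = KernelLarvalTable(ttl_ms)
    inflight = []                 # heap of (completion_ms, spi)
    started = 0
    now = 0
    peer_free_at = 0
    longest = 0
    while started < count or inflight:
        # step 1/2: start negotiations and reserve their SPIs, subject to the cap
        while started < count and (max_outstanding is None or len(inflight) < max_outstanding):
            spi = kern.getspi(now)
            # steps 3/4: the peer answers exchanges one after another
            peer_free_at = max(peer_free_at, now) + exchange_ms
            heapq.heappush(inflight, (peer_free_at, spi))
            started += 1
        # step 5: the next negotiation to finish tries to turn its larval SA into a real one
        done_at, spi = heapq.heappop(inflight)
        now = done_at
        longest = max(longest, now - kern.larval[spi])
        kern.update(spi, now)
    return len(kern.mature), kern.esrch, longest


if __name__ == "__main__":
    for cap in (None, 100):
        matured, errors, longest = run_negotiations(1000, 100, max_outstanding=cap)
        print("cap=%s matured=%d esrch=%d longest larval SA=%.1fs"
              % (cap, matured, errors, longest / 1000))
```

With 1000 negotiations started at once the model matures 600 SAs and logs 400 ESRCH failures, the same shape as the flow count stalling short of 2000 above; with at most 100 negotiations in flight no larval SA lives longer than 10 s and all 1000 complete. Raising the kernel timeout would widen the window but not remove the underlying queueing; bounding concurrency removes it.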
Re: New Article
Brian O'Sullivan wrote: Has anyone seen http://uncyclopedia.org/wiki/OpenBSD ? Quite informative. This site is a riot! it makes fun of all the OS's -- Best regards, Chris Never eat at a place called moms, never play cards with a man named doc, and never lie down with a woman who has got more troubles than you.
Re: Java firefox plugin
On 11/24/06, ICMan [EMAIL PROTECTED] wrote: Hello, When I compiled the JDK 1.5 in ports, it did not create a plugin for Firefox, or if it did, I can't find it. Can anyone help? I would like to install the plugin for my Firefox implementation pkg_info -M jdk Also, is there any information about other plugins for Firefox which have been ported to OpenBSD? in particular, I would like to find Macromedia Flash and Shockwave plugins if they are available. http://www.openbsd.org/faq/faq13.html#flashplugin Also check the mailing list archives. I thought someone mentioned an open source Flash plugin, possibly Gnash, a couple of months ago but I may have hallucinated it. Greg
pciutils - writing with setpci doesn't work on an Apple Mac mini (Intel)
Hello! :-)

I try to set a register using the package pciutils-2.2.1.tgz to switch server mode on (automatic reboot after power failure) on an Apple Mac mini (Intel), though it doesn't work so far.

Basically I use -current with a GENERIC.MP kernel, but with ACPI enabled:

# cat /usr/src/sys/arch/i386/conf/GENERIC.ACPI
#       $OpenBSD$
#
# GENERIC.ACPI - sample ACPI kernel
#
include "arch/i386/conf/GENERIC"

option          MULTIPROCESSOR  # Multiple processor support
option          MPVERBOSE

cpu*            at mainbus?
ioapic*         at mainbus?

option          ACPIVERBOSE
option          ACPI_ENABLE

acpi0           at mainbus?
acpitimer*      at acpi?
acpihpet*       at acpi?
acpiac*         at acpi?
acpibat*        at acpi?
acpibtn*        at acpi?
acpicpu*        at acpi?
acpiec*         at acpi?
acpitz*         at acpi?
acpimadt*       at acpi?
acpiprt*        at acpi?

I tried it also with a -release installation with GENERIC kernel and a -current installation with GENERIC kernel, both with the same results. machdep.allowaperture is set to 2 in /etc/sysctl.conf as it should be.

lspci works fine:

# lspci
00:00.0 Host bridge: Intel Corporation Mobile 945GM/PM/GMS/940GML and 945GT Express Memory Controller Hub (rev 03)
00:02.0 VGA compatible controller: Intel Corporation Mobile 945GM/GMS/940GML Express Integrated Graphics Controller (rev 03)
00:07.0 Performance counters: Intel Corporation Unknown device 27a3 (rev 03)
00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 02)
00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 02)
00:1c.1 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 2 (rev 02)
00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #1 (rev 02)
00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #2 (rev 02)
00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #3 (rev 02)
00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #4 (rev 02)
00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 02)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e2)
00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface Bridge (rev 02)
00:1f.1 IDE interface: Intel Corporation 82801G (ICH7 Family) IDE Controller (rev 02)
00:1f.2 IDE interface: Intel Corporation 82801GBM/GHM (ICH7 Family) Serial ATA Storage Controller IDE (rev 02)
00:1f.3 SMBus: Intel Corporation 82801G (ICH7 Family) SMBus Controller (rev 02)
01:00.0 Ethernet controller: Marvell Technology Group Ltd. 88E8053 PCI-E Gigabit Ethernet Controller (rev 22)
02:00.0 Ethernet controller: Atheros Communications, Inc. Unknown device 001c (rev 01)
03:03.0 FireWire (IEEE 1394): Agere Systems FW323 (rev 61)

Reading the register works also fine:

# setpci -v -s 0:1f.0 a4
00:1f.0:a4 = 01

But if I try to write to the register, I get this error:

# setpci -v -s 0:1f.0 a4=0
setpci: obsd_write: ioctl(PCIOCWRITE) failed

I also compiled the pciutils-2.2.4 from the ports tree using this patch: http://marc.theaimsgroup.com/?l=openbsd-ports&m=116423351620351&w=2

# setpci --version
setpci version 2.2.4

Again, same results. Reading works fine, writing doesn't work. What did I miss? Does anybody of you use the pciutils and know this error? What could I try to make writing to the register work?

Thank you in advance for your help!

Tas.

My DMESG (with ACPI enabled):

OpenBSD 4.0-current (GENERIC.ACPI) #0: Fri Nov 24 22:24:04 CET 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.ACPI
cpu0: Genuine Intel(R) CPU 1400 @ 1.83GHz (GenuineIntel 686-class) 1.84 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,VMX,EST,TM2
real mem  = 2114367488 (2064812K)
avail mem = 1920389120 (1875380K)
using 4256 buffers containing 105840640 bytes (103360K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 07/29/05, SMBIOS rev. 2.4 @ 0xe73f0 (39 entries)
bios0: Apple Computer, Inc. Macmini1,1
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0xe600!
acpi0 at mainbus0: rev 0
acpi0: tables DSDT FACP HPET APIC MCFG ASF! SBST ECDT SSDT SSDT SSDT
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpi device at acpi0 from table DSDT not configured
acpi device at acpi0 from table FACP not configured
acpihpet0 at acpi0 table HPET: 14318179 Hz
acpimadt0 at acpi0 table APIC addr 0xfee0: PC-AT compat
LAPIC: acpi_proc_id 0, apic_id 0, flags 0x1
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: calibrating local timer
cpu0: apic clock running at 166 MHz
cpu0: kstack at 0xeb62c000 for 8192 bytes
cpu0: idle pcb at 0xeb62c000, idle sp at 0xeb62df98
LAPIC: acpi_proc_id 1, apic_id 1, flags 0x1
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Genuine Intel(R) CPU 1400 @ 1.83GHz (GenuineIntel 686-class) 1.84 GHz
cpu1:
Re: New Article
On Friday, November 24, 2006, at 22:43:18, Chris wrote: This site is a riot! it makes fun of all the OS's i.e. NetBSD: http://uncyclopedia.org/wiki/NetBSD NetBSD (interNET Bourne Sexual Disease) is a computer virus :-P Anyway, I think real men write their own device drivers should be motto of the next -stable release of OpenBSD :) -- Sylwester S. Biernacki [EMAIL PROTECTED] X-NET, http://www.xnet.com.pl/
Software License
Dear list members, I am planning to write a software system and would like to release it for the community. But, I would like to promote, somehow, people's usage of the OpenBSD operating system, no one else. My idea is to elaborate a license that allows only an openbsd installation to have my sources installed. Any other operating system would need (must) download only the *.o object code and glue them together. Is there the possibility that such would be seen as a bad idea by the openbsd community (I don't care for now on concerns about other OSes). thanks in advance. best regards.
dns working but problem w etherape
I thought I'd check to see if anyone here have been here... OK, having gotten X up, etherape installed, I'm getting a complaint that No nameservers defined. I've tested the local dns every way but Sunday, and it all seem to work just fine. I got a local LAN under RFC1918. I can do both forward and reverse lookups on local and external addresses. Both named-checkconf and named-checkzone passes fine. I got caching on and master of my third level subdomain (to separate from the ISP hosted 2nd level domain). Obviously etherape is trying to do some lookup and fails, but I've got no idea where... If I start etherape without name resolution it works, so it seems to be a dns problem. :( Running on a LAN machine it works fine, the problem is only when run on the dns server. (Running OBSD 3.9) -- Steve Szmidt To enjoy the right of political self-government, men must be capable of personal self-government - the virtue of self-control. A people without decency cannot be secure in its liberty. From the Declaration Principles
Re: Software License
this sounds like a really bad joke to me...

On Fri, Nov 24, 2006 at 08:49:43PM -0200, Gustavo Rios wrote: Dear list members, I am planning to write a software system and would like to release it for the community. But, I would like to promote, somehow, people's usage of the OpenBSD operating system, no one else. My idea is to elaborate a license that allows only an openbsd installation to have my sources installed. Any other operating system would need (must) download only the *.o object code and glue them together. Is there the possibility that such would be seen as a bad idea by the openbsd community (I don't care for now on concerns about other OSes). thanks in advance. best regards.

http://www.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=HEAD
Re: Software License
On Fri, Nov 24, 2006 at 08:49:43PM -0200, Gustavo Rios wrote: Dear list members, I am planning to write a software system and would like to release it for the community. But, I would like to promote, somehow, people's usage of the OpenBSD operating system, no one else. My idea is to elaborate a license that allows only an openbsd installation to have my sources installed. Any other operating system would need (must) download only the *.o object code and glue them together. Is there the possibility that such would be seen as a bad idea by the openbsd community (I don't care for now on concerns about other OSes).

You are free to do whatever you want with your code. I won't use it if it has such a restrictive license.

-- Darrin Chandler | Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/ |
RFC on XMLSysInfo, and Thanks for the joyride!
Hi, many moons ago, I mentioned the system monitor I wrote in some thread here on misc@, as it was possibly useful for someone then. I continued working on it, and it has come a long way since. Initially written on and for OpenBSD, it now also runs on FreeBSD, NetBSD, Linux, Solaris, and a bit of Mac OSX, too, and also has a whole bunch of new features. Here is XMLSysInfo (aka XSI), including lots of additional information on it: http://xsi.kolabore.ath.cx/ (There's also an OpenBSD port there.) I am now at the point where I would change its alpha status to beta. However, that would also mean no new features and only important bug fixes for the XML Schema allowed. Because of this, I am making this request for comments and feedback. If you're interested in a system monitor like XSI, please check it out and let me know if there's some feature that you'd need, and whether you can find inconsistencies or something that seems illogical in the output or the schema. Your help (and, of course, any other kind of feedback as well) is very, very much appreciated. Please be so kind to not bother this mailing list with replies to the off-topic parts of the mail. Now ... So I wrote a system monitor, and ported it to a bunch of operating systems. This means, I got to learn and deal with a lot of kernel-userland APIs. Almost every OS had few or more parts that were fun to implement. In that regard, OpenBSD clearly stands out as the pure-fun operating system, with no nasty surprises whatsoever. After years of using OpenBSD, I became spoiled of how everything Just Works, and started to take all the goodness for granted. My recent programming, however, reminded me of why I actually like OpenBSD -- the consistency, excellent documentation, and ease-of-use is everywhere[1], including API-land. There was no half-baked crap to be found, and what I wrote was immediately architecture-independent. Thanks for the joyride! [1]: For various meanings of everywhere. 
As in most and all important areas. A year ago, I stumbled a bit through PPP-related code in both kernel- and userland ... that was irritating. Or, in retrospect, looking at my OpenBSD-specific code, it's boring: sysctl(3) in most places, no kludges ... all the interesting information is readily available. Luckily, it was the first thing I wrote, so it was still very interesting at the time. :-)

About the others ... well, here's the list of ports I wrote, ordered by my personal sanity level, from high to (very) low, while writing them (might apply to API quality as well ;-)):

OpenBSD
FreeBSD (*)
Solaris
NetBSD (*)
Linux

(*) means that I was surprised by the result.

Enough praise for OpenBSD ... there's nits to pick! Boohoo, I need to try and look at an arbitrary number of sysctls to get all sensors (I went with 256 like sensorsd(8).) On the other hand, I'm pretty sure that doing it like this simplifies a lot of other code, so all is well. Still, a HW_SENSORS_NUM sysctl would be nice to get the number of sensors that I should try to read. That, and ... hm, nothing. The code to get the default routes looks scary, but that's scary everywhere all the same.

FreeBSD surprised me a bit, as I expected it to be quite different. Turns out it actually is different, but most things (at least those it actually supports) were pretty easy to do. Only mild inconsistencies wrt reading the CPU frequency, and, like on OpenBSD, I can get all that stuff while being confined in a chroot with minimal privileges.

Solaris doesn't have sysctl(3), but a comprehensive sysinfo() that helps. The ioctl(2) stuff about networking stats is crazy and complicated. Fortunately, talking to the kernel directly isn't needed in most other cases, as there are some libraries for this kind of stuff that have well thought-out and properly documented APIs. On the other hand, what these libraries actually return seems to be neither standardized nor documented anywhere.
There's some guesstimating going on, so I'll have to see how that port fares over time ... On Solaris, it is impossible to be chroot()'ed as a system monitor like XSI. Oh, and heed the warning about evolving APIs. They like to make really pointless changes to them between releases. NetBSD was rather disappointing, from my point of view. Thanks to the common heritage with OpenBSD, some copy+paste was possible. Where they diverged over the years, things get interesting. Being able to get the CPU frequency depends both on the architecture and whether one or another LKM is loaded. Then, there's that weird security feature that the kernel seems to actively hide insensitive information about filesystems mounted outside the chroot. That's nonsense, and means that I can't chroot() here, either. Enter the big, non-backwards compatible API changes between releases wrt disk I/O. This shall be forgiven, however, since the old structure and sysctl names would have made
tampering with suspect's cars
In the San Francisco bay area the F--B-I tamper with suspects' cars. They put an oily substance in my windshield washer, loosened suspension components, removed wheel weights, put nails in tires, etc. Has any of this happened in Huntsville, Alabama? I have often warned the corrupt tails that tampering with my car is going to lead to the injury/death of non-involved people. The F-B-I poison the pets owned by suspects. The F-B-I steal from suspects. The F-B-I use gang members to harass suspects.
Re: Java firefox plugin
On Fri, 2006-24-11 at 14:29 -0800, Greg Thomas wrote: On 11/24/06, ICMan [EMAIL PROTECTED] wrote: Hello, When I compiled the JDK 1.5 in ports, it did not create a plugin for Firefox, or if it did, I can't find it. Can anyone help? I would like to install the plugin for my Firefox implementation pkg_info -M jdk Also, is there any information about other plugins for Firefox which have been ported to OpenBSD? in particular, I would like to find Macromedia Flash and Shockwave plugins if they are available. http://www.openbsd.org/faq/faq13.html#flashplugin Also check the mailing list archives. I thought someone mentioned an open source Flash plugin, possibly Gnash, a couple of months ago but I may have hallucinated it. Greg You have to create a link: source: /usr/local/jdk1.5/jre/plugin/i386/ns7/libjavaplugin_oji.so dest: /home/.../.mozilla/plugins/libjavaplugin_oji.so Marc
SiS 964 ethernet with sis(4)?
I'm planning to purchase a motherboard with SiS 661FX/964 chipset. Can I assume sis(4) driver on OpenBSD 4.0 amd64 supports the ethernet on SiS 964? (In other words, sis(4) mentions SiS 900, does it mean 9xx?) Thanks,
Re: SiS 964 ethernet with sis(4)?
On 2006/11/25 03:55, Soner Tari wrote: I'm planning to purchase a motherboard with SiS 661FX/964 chipset. Can I assume sis(4) driver on OpenBSD 4.0 amd64 supports the ethernet on SiS 964? Looks like it probably does. http://archives.neohapsis.com/archives/openbsd/2006-06/1627.html Don't know about anything else though. Generally, you get to try it out, and work out what to do if something doesn't work satisfactorily (disks, usb, blah blah...). If you mention the motherboard model, you might be lucky and find someone else who already has one who could let you know more...or then again, you might not.
Re: Can OpenBSD rfmon WLans
i actually never tested it with openbsd (why? i can use tcpdump and hostapd(8) for wireless monitoring). Really?
Re: Software License
On Nov 24, 2006, at 6:28 PM, Joel Goguen wrote: It seems to me that such a license would be too restrictive for many. The goal of OpenBSD (AFAIK) is not to force or coerce lock-in to a single OS - that's Microsoft's turf :) Theo said it best. But software which OpenBSD uses and redistributes must be free to all (be they people or companies), for any purpose they wish to use it, including modification, use, peeing on, or even integration into baby mulching machines or atomic bombs to be dropped on Australia. [EMAIL PROTECTED] mailing list, May 29, 2001 snip They do not preach that their God will rouse them a little before the nuts work loose.
japanese input method uim anth
Hi, all. I express hearty thanks to the man who added uim anthy to ports http://ports.openbsd.nu/manageaccount.php?item=3083 . I now input Japanese on konqueror. I simply write down my doing.

/etc/rc.local
---
echo -n 'starting local daemons:'
echo '.'
/usr/local/sbin/cupsd

.xinitrc
--
export LANG=ja_JP.eucJP
export LC_ALL=ja_JP.eucJP
export LC_CTYPE=ja_JP.eucJP
uim-xim &
startkde

# pkg_info
uim-1.2.1p1         multilingual input method library
anthy-7900p1        japanese input method

The example is on the last part of http://nakajin.dyndns.org/40.html . Again I express thanks to openbsd.

-- takesima
Re: pciutils - writing with setpci doesn't work on an Apple Mac mini (Intel)
Sorry to answer myself, but I've found a solution already, thanks to the really perfect OpenBSD documentation (and I'm still quite a beginner).

Here's the solution for all who read this list and who want to switch on what the Apple documentation calls server mode, which is getting a Mac Mini (Intel Core Duo) to power on automatically after a power cut. Can be very useful if the Mac mini is far away in a data center!

The setpci command from the pciutils package didn't work for me, but I've found out that the pcitweak command does exactly what I need.

You can switch the server mode on with:

# pcitweak -w 00:1f:0 -b 0xa4 0x00

and you can check if it's on with:

# pcitweak -r 0:1f:0 -b 0xa4
0x00

(would be 0x01 if it's still off)

From an info page: However, note that in either case the setting is not preserved across boots. Mac OS X handles this by saving the power-management settings on disk and automatically restoring them at boot; OpenBSD (or Linux) doesn't do that for you, so you will need to arrange to run the appropriate command on boot. Obviously it is important to do this as early in the boot process as possible, so that if the machine hangs or crashes while booting, you can still reboot it.

I hope this helps somebody as the Mac mini with its Intel Core Duo makes an excellent server, faster than you'd expect, especially with OpenBSD! :-)

Tas.
Re: powerpc package updates
I replied to Ben privately already, but the lack of powerpc package snapshots is due to a short term problem with the machine that should get resolved soon... in case others wonder.
Problems using a Powerware 5110 (with nut 2.0.3)
Hello,

I'm trying to connect to my Eaton Powerware 5110 with usb. I have installed OpenBSD 4.0 and nut-2.0.3. The dmesg part for the UPS reads:

ugen0 at uhub0 port 2
ugen0: Powerware Powerware UPS, rev 0.20/0.50, addr 6

I tried to configure /etc/nut/ups.conf

[UPS]
        driver = bcmxcp_usb
        port = /dev/ugen0.00
        desc = "Eaton PW 5110"

like it is described on the nut homepage. Then I recognized that there is no bcmxcp_usb driver in my system ;-( So I want to ask if (why?) the usb device of such an ups isn't supported yet, or if I can use the bcmxcp driver instead (which I tried but I was out of luck)?

Another question came to me while looking through the ugen manual:

/dev/ugenN.EE    Endpoint EE of device N

What is the endpoint EE compared to my dmesg? Port 2 or addr 6 or something else?

thanks for your time
guido
Java firefox plugin
Hello, When I compiled the JDK 1.5 in ports, it did not create a plugin for Firefox, or if it did, I can't find it. Can anyone help? I would like to install the plugin for my Firefox implementation Also, is there any information about other plugins for Firefox which have been ported to OpenBSD? in particular, I would like to find Macromedia Flash and Shockwave plugins if they are available. Thank you.
Why does Anthy dependon emacs? (was Re: japanese input method uim anth )
Your timing is excellent - I was literally just starting to look into setting up Japanese input on OpenBSD when this message came through. However, I have a question for the maintainer ( ports@ ? ) Why does anthy depend on emacs? On FreeBSD Linux it certainly doesn't, and I have no interest in compiling emacs for the next week just to get anthy running ( yes, my machine is slow. I spilled beer in the other one )

Thanks, Ben

On Sat, 25 Nov 2006 12:57:00 +0900 LinuxUser [EMAIL PROTECTED] wrote: Hi, all. I express hearty thanks to the man who added uim anthy to ports http://ports.openbsd.nu/manageaccount.php?item=3083 . I now input Japanese on konqueror. I simply write down my doing.

/etc/rc.local
---
echo -n 'starting local daemons:'
echo '.'
/usr/local/sbin/cupsd

.xinitrc
--
export LANG=ja_JP.eucJP
export LC_ALL=ja_JP.eucJP
export LC_CTYPE=ja_JP.eucJP
uim-xim &
startkde

# pkg_info
uim-1.2.1p1         multilingual input method library
anthy-7900p1        japanese input method

The example is on the last part of http://nakajin.dyndns.org/40.html . Again I express thanks to openbsd.

-- takesima

- Calvin: Sometimes when I'm talking, my words can't keep up with my thoughts. I wonder why we think faster than we speak. Hobbes: Probably so we can think twice.
Re: Why does Anthy dependon emacs? (was Re: japanese input method uim anth )
On Sat, 25 Nov 2006 14:20:12 +0900 [EMAIL PROTECTED] (Mathieu Sauve-Frankel) wrote: You will notice that emacs is only a BUILD_DEPENDS. It is needed to build the anthy module for emacs. The ports tree is intended for BUILDING PACKAGES. If you are not interested to install what is required in order to build the packages, then by all means install the binary package, it does not depend on emacs.

I can't, as the machine used to build powerpc packages is currently offline, so there is no package for my arch. Instead, as I perceive an obvious need to separate anthy out from anthy-emacs I'll work on hacking the port so emacs isn't a build dependency. Unless someone else gets there first ( my previous message was a poorly-managed attempt to determine if someone was already doing this )

-- Mathieu Sauve-Frankel

Ben