Re: Is OpenBSD good/best for my 486?

2007-03-22 Thread Jonathan Thornburg
In message http://marc.info/?l=openbsd-misc&m=117452881511952&w=1,
Douglas Allan Tutty dtutty () porchlight ! ca asked
 I've got a 486DX4-100 with 32 MB ram, ISA bus, with two drives: 840 MB
 and 1280 MB IDE.  Currently running Debian GNU/Linux Sarge.
 
 Box has two uses:
 
 under normal circumstances, as a thin client to my
 athlon box elsewhere in the house.
 
 As a toolbox in case anything goes wrong with my new athlon, I
 still can dial out to the net for help and downloads.
[[...]]
 Is there any reason that OpenBSD wouldn't be my best choice for this
 box?

OpenBSD would be fine for this -- I use a very similar system
(1995-vintage 486DX4-75 laptop with 32MB memory) as a home firewall.
It has 2 PCMCIA ISA-bus NICs, both ultra-cheap ne2000 clones (the
latest one bought a couple of months ago for 3 Euros (around US$4)
on Ebay).  One NIC talks to the DSL, the other to my home network.
The system has a new-in-2001 10GB disk, with loads of free space;
you should have no problem fitting a full OpenBSD install into either
one of your disks.

My firewall's main limitation is the poor performance of the ultra-cheap
ISA-bus NICs.  Right now it's limited to around 150-200K bytes/second
http/scp downloads even though my DSL will do 2-3 times that (checked
by hooking faster systems directly to the DSL).  I suspect that better
NICs would help, but I'm moving in a few months so I haven't bothered.

My only worry in the past has been how to install patches quickly,
since rebuilding from source is a bit slow (I typed 'make build' 2
days ago, and it's still running...).  I like Nick Holland's suggestion
http://marc.info/?l=openbsd-misc&m=117453369215436&w=1 of running
-current, and may try it on my firewall.

ciao,

-- 
-- Jonathan Thornburg (remove -animal to reply) [EMAIL PROTECTED]
   School of Mathematics, U of Southampton, England
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam



df reports capacity 100%

2007-03-22 Thread Stephan A. Rickauer
Our Soekris (4.0-stable) NFS mounts a remote share:

# df -h /projects
Filesystem          Size    Used   Avail Capacity  Mounted on
linsrv01:/projects  410G    2.0T    417G   498%    /projects

# grep projects /etc/fstab
linsrv01:/projects /projects nfs rw,auto 0 0


where linsrv01 is a SLES10 NFS server (amd64). Probably /projects has
been increased there using LVM/xfs_grow and the nfs mount hasn't been
renewed ever since. However, if I do remount the remote NFS share on the
soekris, the Size is not updated.

on linsrv01, df reports:
Filesystem   Size  Used Avail Use% Mounted on
/projects    2.4T  2.0T  418G  84% /projects


Not a problem at all, but maybe some developer is interested in
understanding this phenomenon or knows what one can do to cleanly update
the Size information.

Thanks.

-- 

 Stephan A. Rickauer

 ---
 Institute of Neuroinformatics Tel  +41 44 635 30 50
 University / ETH Zurich   Sec  +41 44 635 30 52
 Winterthurerstrasse 190   Fax  +41 44 635 30 53
 CH-8057 Zurich            Web  www.ini.unizh.ch

 RSA public key:  https://www.ini.uzh.ch/~stephan/pubkey.asc
 ---



Re: Is OpenBSD good/best for my 486?

2007-03-22 Thread Liviu Daia
On 21 March 2007, Travers Buda [EMAIL PROTECTED] wrote:
 * Douglas Allan Tutty [EMAIL PROTECTED] [2007-03-21 22:37:01]:
 
  Hello,
  
  I've got a 486DX4-100 with 32 MB ram, ISA bus, with two drives: 840 MB
  and 1280 MB IDE.  Currently running Debian GNU/Linux Sarge.
  
 *snip*
  
  Is there any reason that OpenBSD wouldn't be my best choice for this
  box?
 
 I've run OpenBSD on a 486DX2 with 20 megs of ram.  When you're
 talking about the 486es, you're going to want an FPU with openbsd.
[...]

The DX series did have FPU.  The SX didn't.

Regards,

Liviu Daia

-- 
Dr. Liviu Daia  http://www.imar.ro/~daia



Re: df reports capacity 100%

2007-03-22 Thread Otto Moerbeek
On Thu, 22 Mar 2007, Stephan A. Rickauer wrote:

 Our Soekris (4.0-stable) NFS mounts a remote share:
 
 # df -h /projects
 Filesystem          Size    Used   Avail Capacity  Mounted on
 linsrv01:/projects  410G    2.0T    417G   498%    /projects
 
 # grep projects /etc/fstab
 linsrv01:/projects /projects nfs rw,auto 0 0
 
 
 where linsrv01 is a SLES10 NFS server (amd64). Probably /projects has
 been increased there using LVM/xfs_grow and the nfs mount hasn't been
 renewed ever since. However, if I do remount the remote NFS share on the
 soekris, the Size is not updated.
 
 on linsrv01, df reports:
 Filesystem   Size  Used Avail Use% Mounted on
 /projects    2.4T  2.0T  418G  84% /projects
 
 
 Not a problem at all, but maybe some developer is interested in
 understanding this phenomenon or knows what one can do to cleanly update
 the Size information.

This is a known bug and not fixable until we change the statfs
structure. 

http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=5169

-Otto
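To show what 32-bit statfs fields do to the numbers above, here is an added C example (not OpenBSD's code): it folds the 64-bit byte totals an NFSv3 server reports into 32-bit block counters and then repeats df's used/capacity arithmetic in 32 bits. The 512-byte block unit, the sample sizes and the 32-bit df intermediates are assumptions chosen because they reproduce the thread's figures; the exact arithmetic the kernel and df used is not on the page.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed sample, chosen to resemble the thread's share: a server
 * reporting 2458 GiB total, 418 GiB free, 417 GiB available, in bytes
 * (an NFSv3 FSSTAT reply carries byte counts).  The 512-byte block
 * unit is an assumption for this example.
 */
#define SAMPLE_BSIZE   512u
#define SAMPLE_TBYTES  ((uint64_t)2458 << 30)
#define SAMPLE_FBYTES  ((uint64_t)418 << 30)
#define SAMPLE_ABYTES  ((uint64_t)417 << 30)

/* Narrow block counters, modelled on a statfs with 32-bit fields (the
 * structure the thread says would have to change).  Field names follow
 * statfs(2); only the widths matter here. */
struct statfs32 {
    uint32_t f_bsize;
    uint32_t f_blocks;   /* total blocks in the filesystem */
    uint32_t f_bfree;    /* free blocks */
    int32_t  f_bavail;   /* free blocks available to non-root */
};

/* Does the whole filesystem fit in a 32-bit block count?  With 512-byte
 * blocks the limit is 2^32 * 512 bytes = 2 TiB. */
int fits_in_32bit_blocks(uint64_t tbytes, uint32_t bsize)
{
    return tbytes / bsize <= UINT32_MAX;
}

/* Convert byte totals to block counts and store them in 32-bit fields.
 * The casts keep only the low 32 bits: everything above 2 TiB is lost. */
struct statfs32 fill_statfs32(uint64_t tbytes, uint64_t fbytes,
    uint64_t abytes, uint32_t bsize)
{
    struct statfs32 s;

    s.f_bsize  = bsize;
    s.f_blocks = (uint32_t)(tbytes / bsize);   /* truncates */
    s.f_bfree  = (uint32_t)(fbytes / bsize);
    s.f_bavail = (int32_t)(abytes / bsize);
    return s;
}

struct statfs32 sample_statfs32(void)
{
    return fill_statfs32(SAMPLE_TBYTES, SAMPLE_FBYTES, SAMPLE_ABYTES,
        SAMPLE_BSIZE);
}

/* Whole GiB represented by a block count, for df -h style output. */
unsigned blocks_to_gib(uint32_t blocks, uint32_t bsize)
{
    return (unsigned)(((uint64_t)blocks * bsize) >> 30);
}

/* df computes used = blocks - bfree.  Once f_blocks has been truncated
 * it is smaller than f_bfree, and the unsigned subtraction wraps to a
 * huge value: the "2.0T used" on a "410G" filesystem. */
uint32_t df_used_blocks32(struct statfs32 s)
{
    return s.f_blocks - s.f_bfree;
}

/* Capacity = used / (used + avail) in percent, with the intermediate
 * sum held in 32 bits (a 32-bit long on i386, an assumption).  The sum
 * wraps as well, and the ratio comes out at several hundred percent. */
unsigned df_capacity_pct32(struct statfs32 s)
{
    uint32_t used = df_used_blocks32(s);
    uint32_t availblks = (uint32_t)s.f_bavail + used;   /* wraps */

    if (availblks == 0)
        return 100;
    return (unsigned)(((uint64_t)used * 100) / availblks);
}

/* The same figure computed in 64 bits, straight from the byte counts. */
unsigned df_capacity_pct64(uint64_t tbytes, uint64_t fbytes, uint64_t abytes)
{
    uint64_t used = tbytes - fbytes;
    uint64_t availblks = used + abytes;

    if (availblks == 0)
        return 100;
    return (unsigned)(used * 100 / availblks);
}

int main(void)
{
    struct statfs32 s = sample_statfs32();

    printf("64-bit view: %" PRIu64 "G total, capacity %u%%\n",
        SAMPLE_TBYTES >> 30,
        df_capacity_pct64(SAMPLE_TBYTES, SAMPLE_FBYTES, SAMPLE_ABYTES));
    printf("32-bit statfs: %uG size, %uG used, %uG avail, capacity %u%%\n",
        blocks_to_gib(s.f_blocks, s.f_bsize),
        blocks_to_gib(df_used_blocks32(s), s.f_bsize),
        blocks_to_gib((uint32_t)s.f_bavail, s.f_bsize),
        df_capacity_pct32(s));
    printf("fits in 32-bit blocks: %s\n",
        fits_in_32bit_blocks(SAMPLE_TBYTES, SAMPLE_BSIZE) ? "yes" : "no");
    return 0;
}
```

With these inputs the 32-bit path prints 410G size, 2040G used and 498% capacity while the 64-bit path gives 83%, which is why remounting cannot help: the counters are narrowed before df ever sees them.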



Re: df reports capacity 100%

2007-03-22 Thread Stephan A. Rickauer
Otto Moerbeek wrote:
 This is a known bug and not fixable until we change the statfs
 structure. 
 
 http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=5169

Awesome. I wish other software had such a high quality of support.

Thanks Otto.

-- 

 Stephan A. Rickauer

 ---
 Institute of Neuroinformatics Tel  +41 44 635 30 50
 University / ETH Zurich   Sec  +41 44 635 30 52
 Winterthurerstrasse 190   Fax  +41 44 635 30 53
 CH-8057 Zurich            Web  www.ini.unizh.ch

 RSA public key:  https://www.ini.uzh.ch/~stephan/pubkey.asc
 ---



Saving memory on small machines

2007-03-22 Thread David Given
I have a machine with 48MB of RAM that I want to use as a server.

The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory
and is not swappable, giving me 43MB left, which isn't a lot.

Is it worth recompiling the kernel to remove support for features I'm not
using --- IPv6, say, or the Microchannel bus --- on the principle that
reducing the size of the kernel will give more memory for doing other things,
and therefore generally speed the system up? Or will not using GENERIC cause
more problems than it's worth?

And if it is worth recompiling the kernel, can anyone recommend any
particularly big features it would be worth taking out?

--
http://www.cowlark.com
Wizards get cranky, / Dark days dawn, / Riders smell manky, / The road
goes on. / Omens are lowering, / Elves go West; / The Shire needs
scouring, / You may as well quest. - John M. Ford




Re: IPsec gone assymetric

2007-03-22 Thread Jacob Yocom-Piatt
RW wrote:
 I have a simple setup.
 Sydney to Melbourne and the ipsec.conf is one of the nice easy ones
 whilst I learn to do more complex setups. It has been working for
 months.

 Today doing ipsecctl -s all at either end generates the expected
 output. Each is a mirror of the other.

 netstat -rnf encap shows expected output at both ends. Again mirrors of
 the other.

 However sshing into each and doing a traceroute to t'other end gives
 madly asymmetric results.

 With the distant gateway as the target Syd gets to Mel in one hop, as
 expected.
 Mel gets to Syd going out the $ext_if rather than the encap. As the
 LANs are RFC1918s Mel cannot get to Syd but Syd can get to Mel.

   

i wouldn't expect you to have a route not set on the isakmpd endpoints,
but i have a route add remote net internal private IP in the
hostname.if files for the internal interfaces on both endpoints. that's
the only thing i can think of that would work for a while (manually
added routes) and then stop working after, say, a reboot of one endpoint.

cheers,
jake


 Killing (desperation set in) isakmpd and restarting both ends did
 nothing to change the situation.

 What kind of diagnostics can I use to debug this? Extra points for a
 correct guess as to the cause all this time after installation.

 Thanks,
 Rod.

 From the land down under: Australia.
 Do we look umop apisdn from up over?



Re: Saving memory on small machines

2007-03-22 Thread Kamil Monticolo
 The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory
 and is not swappable, giving me 43MB left, which isn't a lot.

You can turn off ipv6, altq if not needed, and of course lots of hardware that 
you don't need also. For example I have a 2 x smaller kernel than GENERIC on my 
laptop:
$ uname -a
OpenBSD squirrel 4.1 BIRKOFF#0 i386
$ ls -lh /bsd{,.orig} 
-rw-r--r--  1 root  wheel   2.9M Mar  9 00:39 /bsd
-rw-r--r--  1 root  wheel   5.8M Feb 22 13:32 /bsd.orig

You may also strip nearly all of your libraries, for example:

# ls -lhS /usr/lib/libcrypto*a
-r--r--r--  1 root  bin  11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a
-r--r--r--  1 root  bin  11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a
-r--r--r--  1 root  bin  11.5M Mar 22 13:53 /usr/lib/libcrypto.a
# strip -s /usr/lib/libcrypto*a
# ls -lhS /usr/lib/libcrypto*a  
-r--r--r--  1 root  bin   909K Mar 22 13:53 /usr/lib/libcrypto_pic.a
-r--r--r--  1 root  bin   865K Mar 22 13:53 /usr/lib/libcrypto_p.a
-r--r--r--  1 root  bin   835K Mar 22 13:53 /usr/lib/libcrypto.a

looks fine? Hope this helps.

Kamil Monticolo aka birkoff



Disk Load

2007-03-22 Thread Tang Tse
Hello,

Maybe it is a stupid question, but since 1 week ago I have had my HDD LED
always powered on. Is it possible with something like top to see HDD % load
or something like that?

Thanks.



Re: Disk Load

2007-03-22 Thread Andreas Kahari

Use systat and read the systat(1) manual.

Regards,
Andreas

On 22/03/07, Tang Tse [EMAIL PROTECTED] wrote:

Hello,

Maybe it is a stupid question, but since 1 week ago I have had my HDD LED
always powered on. Is it possible with something like top to see HDD % load
or something like that?

Thanks.





--
Andreas Kahari
Somewhere in the general Cambridge area, UK



Re: Saving memory on small machines

2007-03-22 Thread RedShift

Kamil Monticolo wrote:

The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory
and is not swappable, giving me 43MB left, which isn't a lot.


You can turn off ipv6, altq if not needed, and of course lots of hardware that 
you don't need also. For example I have a 2 x smaller kernel than GENERIC on my 
laptop:
$ uname -a
OpenBSD squirrel 4.1 BIRKOFF#0 i386
$ ls -lh /bsd{,.orig} 
-rw-r--r--  1 root  wheel   2.9M Mar  9 00:39 /bsd
-rw-r--r--  1 root  wheel   5.8M Feb 22 13:32 /bsd.orig

You may also strip nearly all of your libraries, for example:

# ls -lhS /usr/lib/libcrypto*a
-r--r--r--  1 root  bin  11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a
-r--r--r--  1 root  bin  11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a
-r--r--r--  1 root  bin  11.5M Mar 22 13:53 /usr/lib/libcrypto.a
# strip -s /usr/lib/libcrypto*a
# ls -lhS /usr/lib/libcrypto*a  
-r--r--r--  1 root  bin   909K Mar 22 13:53 /usr/lib/libcrypto_pic.a
-r--r--r--  1 root  bin   865K Mar 22 13:53 /usr/lib/libcrypto_p.a
-r--r--r--  1 root  bin   835K Mar 22 13:53 /usr/lib/libcrypto.a

looks fine? Hope this helps.

Kamil Monticolo aka birkoff


Interesting, does this stripping also have a speed increase during usage?



Re: Disk Load

2007-03-22 Thread Tang Tse
Thanks!!

2007/3/22, Andreas Kahari [EMAIL PROTECTED]:

 Use systat and read the systat(1) manual.

 Regards,
 Andreas

 On 22/03/07, Tang Tse [EMAIL PROTECTED] wrote:
  Hello,
 
  Maybe it is a stupid question, but since 1 week ago I have had my HDD LED
  always powered on. Is it possible with something like top to see HDD % load
  or something like that?
 
  Thanks.
 
 


 --
 Andreas Kahari
 Somewhere in the general Cambridge area, UK



Re: Saving memory on small machines

2007-03-22 Thread Stefan Sperling
On Thu, Mar 22, 2007 at 01:47:11PM +0100, RedShift wrote:
 You may also strip nearly all of your libraries, for example:
 
 # ls -lhS /usr/lib/libcrypto*a
 -r--r--r--  1 root  bin  11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a
 -r--r--r--  1 root  bin  11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a
 -r--r--r--  1 root  bin  11.5M Mar 22 13:53 /usr/lib/libcrypto.a
 # strip -s /usr/lib/libcrypto*a
 # ls -lhS /usr/lib/libcrypto*a
 -r--r--r--  1 root  bin   909K Mar 22 13:53 /usr/lib/libcrypto_pic.a
 -r--r--r--  1 root  bin   865K Mar 22 13:53 /usr/lib/libcrypto_p.a
 -r--r--r--  1 root  bin   835K Mar 22 13:53 /usr/lib/libcrypto.a
 Interesting, does this stripping also have a speed increase during usage?

No. Stripping only saves disk space.
Debugging symbols are not loaded into RAM unless you run gdb.

--
stefan
http://stsp.in-berlin.de PGP Key: 0xF59D25F0



Re: Saving memory on small machines

2007-03-22 Thread Stuart Henderson
On 2007/03/22 13:54, Kamil Monticolo wrote:
  The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory
  and is not swappable, giving me 43MB left, which isn't a lot.

If you're going to do things like this, you have extra steps when you
find a problem, because you need to tell whether it's due to the changes
you made.

imho if you need to ask if you can do it, you probably don't know enough
about the system to do this without causing yourself problems.

Dropping cachepct, via config(8), *might* be appropriate.

 You may also strip nearly all of your libraries, for example:

How is stripping library archives going to help save RAM? (if you want
to save disk space, you might as well just not install compXX.tgz)



Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Siju George

Hi,

http://www.internetnews.com/security/article.php/3667201

Just for some entertainment, no troll :-)

--Siju



Re: Saving memory on small machines

2007-03-22 Thread David Terrell
On Thu, Mar 22, 2007 at 11:11:22AM +, David Given wrote:
 And if it is worth recompiling the kernel, can anyone recommend any
 particularly big features it would be worth taking out?

I wouldn't bother, unless you find yourself actually running low on
memory.  Not running GENERIC means any problems you report to the
obsd team will probably be ignored.

Just run with generic, unless you find it to be an actual problem.
48M is more than enough for a bsd kernel.

-- 
David Terrell
[EMAIL PROTECTED]
((meatspace)) http://meat.net/



Re: openbsd current?

2007-03-22 Thread Nick !

On 3/22/07, Jay Jesus Amorin [EMAIL PROTECTED] wrote:

how do i know if im using openbsd current?


If you have to ask you aren't.

Current is installed by installing snapshots and compiling from CVS.
The learning curve is very steep.

-Nick



cannot make mod_auth_bsd work

2007-03-22 Thread Thierry Lacoste
After a default 4.0 install I installed www/mod_auth_bsd
but all users are rejected.
I have the following line in my /var/www/logs/error_log:
httpd: invalid script: /usr/libexec/auth/login_passwd

Same results whether apache is chrooted or not.

Any help would be appreciated.

Regards,
Thierry.



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Sunnz

Nice, let's all now switch our servers to Windows!!!

Oh but it doesn't run on ultrasparc...

Nevermind...

:D

2007/3/23, Siju George [EMAIL PROTECTED]:

Hi,

http://www.internetnews.com/security/article.php/3667201

Just for some entertainment, no troll :-)

--Siju





--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html



Re: Saving memory on small machines

2007-03-22 Thread Limaunion

David Given wrote:

I have a machine with 48MB of RAM that I want to use as a server.

The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory
and is not swappable, giving me 43MB left, which isn't a lot.

Is it worth recompiling the kernel to remove support for features I'm not
using --- IPv6, say, or the Microchannel bus --- on the principle that
reducing the size of the kernel will give more memory for doing other things,
and therefore generally speed the system up? Or will not using GENERIC cause
more problems than it's worth?

And if it is worth recompiling the kernel, can anyone recommend any
particularly big features it would be worth taking out?


Hi! My Internet firewall machine is a 486DX with 48MB of RAM and a 10GB 
HD inside a plastic box. I used to recompile the kernel removing almost 
everything using a tool called dmassage (google for it) which helps you 
to prepare the configuration file. Anyway during the last two releases I 
didn't bother compiling the kernel, my reason is that I'm not seeing a 
huge difference in memory saving using a self-compiled kernel, perhaps a 
couple of MB. Right now I have 15MB of free RAM and in the worst case 
(when pfstat is run) I have about 12MB free, that's enough. The main 
processes that are running are: postfix + httpd + ntpd + noip2 + dnsmasq, 
uptime is 90 days. This is a rock solid OS, you won't find any memory 
leaks. HTH.


Regards, Jorge.



Re: Is OpenBSD good/best for my 486?

2007-03-22 Thread Douglas Allan Tutty
On Wed, Mar 21, 2007 at 10:16:24PM -0500, Travers Buda wrote:
 * Douglas Allan Tutty [EMAIL PROTECTED] [2007-03-21 22:37:01]:
 
  I've got a 486DX4-100 with 32 MB ram, ISA bus, with two drives: 840 MB
  and 1280 MB IDE.  Currently running Debian GNU/Linux Sarge.
  
 *snip*
  
  Is there any reason that OpenBSD wouldn't be my best choice for this
  box?
 
 I've run OpenBSD on a 486DX2 with 20 megs of ram.  When you're
 talking about the 486es, you're going to want an FPU with openbsd.
 It does not look like there is any emulation (however, I remember
 seeing something in the GENERIC config a year or so back...) or
 else it won't work.  The system was fine, and quite responsive for
 just ssh, tip, etc.  OpenBSD is a fine choice, the biggest bottleneck
 you're probably going to see is virtual memory-related stuff like
 the encrypted swap, which you can turn off via the vm.swapencrypt.enable
 sysctl.  You're probably not going to be swapping too darn much
 unless you decide to use X, then it's going to be a bit over the
 line, however, this does not mean it's not going to work. =)

486DX4-100 has FPU.  All I need is a basic X window manager (for moving
windows around), an xterm, and ssh that port forwards X11.  Right now, I
have no problem sshing to my athlon in the basement and running
Konqueror for web browsing when I need java and https.  

The only other memory and compute intensive thing I do is run debian's
aptitude package manager.  

You mean OpenBSD has encrypted swap out-of-the-box?  That's fantastic.
It took a while to set up on my debian etch box.

Thanks,
Doug.



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Ben Calvert
On Thu, 22 Mar 2007 18:58:31 +0530, Siju George [EMAIL PROTECTED] wrote:
 Hi,
 
 http://www.internetnews.com/security/article.php/3667201

From the article:

 Microsoft is doing better overall than its leading commercial competitors.
^^

No wonder.  they stacked the deck before doing the comparison


 
 Just for some entertainment, no troll :-)
 
 --Siju
---
Ben Calvert
Flying Walrus Communications



Re: is the Thinkpad T30 supported?

2007-03-22 Thread Igor Sobrado
Hello!

Joachim.  I think that the problem you had with your Thinkpad happened
to the son of a friend I have at Illinois too (on a slightly different
variant).  On his laptop (a T20) the display CCF lamp did not turn on.

Indeed, buying at least two similar laptops is a smart idea.  That is
the reason I am looking for two units of the same -or similar- Thinkpads.

Thanks a lot for your feedback.  I will get at least two units of the
same laptop.

OpenBSD fan.  Sure!  I will certainly install the tpb and tphdisk
packages on the Thinkpad.  I like the ability to use the Access IBM
button, changing/muting the volume and screen brightness.  Hibernation
is an excellent feature if it is supported (it hung sometimes on
my Latitude when running both NetBSD and OpenBSD).  As Bob Beck says
that it suspends and resumes very well, I certainly believe that
hibernation will be a useful feature.  On-screen messages provided
by these tools will be valuable too.  Thanks a lot!

Greg.  I certainly believe that the chassis on the Latitude CPi is
much better than the chassis on the HP Omnibook 4100, but it can
be certainly improved.  I supposed that hinges on the Latitude
were excellent ones until one broke.  After opening the display,
I found an annoying thin hinge.  Nice to know that Thinkpads have
better chassis and hinges.

Well, I really care about my computers.  But a laptop is just
required for anything I do and after carrying a computer with me
four years and opening/closing the computer at least four times
each day I believe that good hinges are just a requirement.
Thanks for your feedback, now I see that Thinkpads are the
computers to buy.

Darren.  Nice to know that you confirm the construction quality
of the Thinkpad laptops.  Probably Greg was not very lucky with
his laptop, but I know someone that had a similar problem too.
In any case, I believe that weak hinges are the real challenge
for me.  I want a laptop that works for a lot of years.

Hopefully, when someone buys high quality hardware OpenBSD does
a nice job supporting that machine for years.  I think that on
the BSDs world the term obsolete is unknown when applied to
hardware.  I will certainly look for a good Thinkpad right now.

Someone in a private email (I will not put his name here, as he
wrote directly to me) said that IBM sells certified used equipment.
I have looked at the excellent prices IBM has on these refurbished
units.  Even better, they sell these items with one year guarantee.
Sadly, these computers are only available for U.S. citizens.  I can
ask a good friend I have in the United States to send the computer
to me, but sadly payment must be done with a U.S. credit card too,
my Visa card cannot be used to pay these items.  So, it will be
difficult buying these units from IBM right now.  In any case,
I will look for an American unit, as I do not like the Spanish
keyboard layout a lot.  Laptops have too few keys to waste them
with special characters, and the right keyboard layout is not
chosen until booting multi-user.

Thanks to all the people on this thread for the excellent
advice and feedback on this matter.  I will buy a used Thinkpad
and install the tpb and tphdisk packages.

Cheers,
Igor.



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread RedShift

Siju George wrote:

Hi,

http://www.internetnews.com/security/article.php/3667201

Just for some entertainment, no troll :-)

--Siju





IMHO it's not a fair comparison, most linux distributions ship with a lot 
more software than microsoft windows does, and most bug reports indicate 
an issue with third-party software.




Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Karsten McMinn

On 3/22/07, Ben Calvert [EMAIL PROTECTED] wrote:


 Microsoft is doing better overall than its leading commercial competitors.
^^

No wonder.  they stacked the deck before doing the comparison


doesn't this mean that they now have more coders on payroll
to fix stuff than they do to write the os? kinda scary.



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Neil Joseph Schelly
On Thursday 22 March 2007 11:29 am, RedShift wrote:
 Siju George wrote:
  Hi,
 
  http://www.internetnews.com/security/article.php/3667201
 
  Just for some entertainment, no troll :-)
 
  --Siju

 IMHO it's not a fair comparison, most linux distributions ship with a lot
 more software than microsoft windows does, and most bug reports indicate
 an issue with third-party software.

If you read the article past the summary, they mention that.  While Windows 
had far fewer bugs than say Red Hat, Red Hat only had 2 (out of 208) 
considered high/severe.  Windows had a very high percentage of its bugs 
labelled as high or severe (12 out of 39).  Similarly, I'm sure if you looked 
at the time-to-fix for just the high and severe bugs from each side, you'd 
see that the Microsoft ones were slower to get patched.  I'm just betting 
that the 200+ less unimportant bugs included many that really just didn't 
warrant any priority to fix.

Unfortunately, the article doesn't really show this in the light that suggests 
the findings of Windows being the most secure commercial OS might be false, 
but it's not too hard to read between the lines.  78% of statistics are made 
up and 103% of statistics can say the exact opposite of what you think they 
should mean.

-- 
Regards,
Neil Schelly
Senior Systems Administrator

W: 978-667-5115 x213
M: 508-410-4776

OASIS Open http://www.oasis-open.org
Advancing E-Business Standards Since 1993



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread stuartv
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] Behalf Of
 Siju George
 Sent: Thursday, March 22, 2007 8:29 AM
 To: OpenBSD Misc
 Subject: Microsoft gets the Most Secure Operating Systems award
 
 
 Hi,
 
 http://www.internetnews.com/security/article.php/3667201
 
 Just for some entertainment, no troll :-)
 
 --Siju
 

I think I'll print out this article for use any time my boss gets
a wild hair up his ass and wants to convert to windows.  The stats
for number of vulnerabilities and turn around time have always 
been abysmal for windows and this article just proves that nothing
has changed.  Maybe I could admit that this is marginally better 
than previous windows versions (maybe) but it is still very sloppy
when compared to OpenBSD.  

A special thanks to Theo and the OpenBSD team for making me look
so good all these years.

stuart



Re: Saving memory on small machines

2007-03-22 Thread Artur Grabowski
Kamil Monticolo [EMAIL PROTECTED] writes:

 # ls -lhS /usr/lib/libcrypto*a
 -r--r--r--  1 root  bin  11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a
 -r--r--r--  1 root  bin  11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a
 -r--r--r--  1 root  bin  11.5M Mar 22 13:53 /usr/lib/libcrypto.a
 # strip -s /usr/lib/libcrypto*a
 # ls -lhS /usr/lib/libcrypto*a  
 -r--r--r--  1 root  bin   909K Mar 22 13:53 /usr/lib/libcrypto_pic.a
 -r--r--r--  1 root  bin   865K Mar 22 13:53 /usr/lib/libcrypto_p.a
 -r--r--r--  1 root  bin   835K Mar 22 13:53 /usr/lib/libcrypto.a

I'm speechless. This is the low water mark on misc@ this week.

//art



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread stuartv
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] Behalf Of
 RedShift
 Sent: Thursday, March 22, 2007 10:30 AM
 To: misc@openbsd.org
 Subject: Re: Microsoft gets the Most Secure Operating Systems award
 
 
 Siju George wrote:
  Hi,
  
  http://www.internetnews.com/security/article.php/3667201
  
  Just for some entertainment, no troll :-)
  
  --Siju
  
  
  
 
 IMHO it's not a fair comparison, most linux distributions ship with a lot
 more software than microsoft windows does, and most bug reports indicate
 an issue with third-party software.


First, these types of articles (generally) have nothing to do
with making a fair comparison. They are made up by marketing
guys for marketing reasons.

Second, It just goes to show that an OS that doesn't ship
with a bunch of extra fluff that most people aren't going to
need anyway is always the best choice.  That was one of the
first things that attracted me to OpenBSD.  I remember saying
to myself "What? You have to enable the web server?  It isn't
on right out of the box?  WOW! What a concept!"  Needless to 
say, I threw away my Red Hat CDs and haven't looked back.



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Nick !

On 3/22/07, Neil Joseph Schelly [EMAIL PROTECTED] wrote:

On Thursday 22 March 2007 11:29 am, RedShift wrote:
 Siju George wrote:
  Hi,
 
  http://www.internetnews.com/security/article.php/3667201
 
  Just for some entertainment, no troll :-)
 
  --Siju

 IMHO it's not a fair comparison, most linux distributions ship with a lot
 more software than microsoft windows does, and most bug reports indicate
 an issue with third-party software.

If you read the article past the summary, they mention that.  While Windows
had far fewer bugs than say Red Hat, Red Hat only had 2 (out of 208)
considered high/severe.  Windows had a very high percentage of its bugs
labelled as high or severe (12 out of 39).  Similarly, I'm sure if you looked
at the time-to-fix for just the high and severe bugs from each side, you'd
see that the Microsoft ones were slower to get patched.  I'm just betting
that the 200+ less unimportant bugs included many that really just didn't
warrant any priority to fix.

Unfortunately, the article doesn't really show this in the light that suggests
the findings of Windows being the most secure commercial OS might be false,
but it's not too hard to read between the lines.  78% of statistics are made
up and 103% of statistics can say the exact opposite of what you think they
should mean.


And *anyway*, measuring security by number of patches for bugs and
time it takes to patch is silly. Every OS, even OpenBSD as we just
saw, is probably full of undetected exploits that are constantly
getting fixed indirectly as overall code quality is improved.

-Nick



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Lars D . Noodén
On Thu, 22 Mar 2007, RedShift wrote:
 Siju George wrote:
 http://www.internetnews.com/security/article.php/3667201
 Just for some entertainment, no troll :-)

 IMHO it's not a fair comparison, most linux distributions ship with a lot
 more software than microsoft windows does, and most bug reports indicate an
 issue with third-party software.

It's even more bullshit than that.

Among other things, it compares the number of 'patches', which for non-MS
systems tend to be 1:1 or close to it whereas MS has been making a point of
rolling as many vulnerabilities into a single patch as possible.

The metrics are not described.  Terms like 'patch', 'vulnerability',
'advisory' are intermingled in a most unclear manner.  Patch 'development
time' seems undefined as well.

Symantec makes its living selling paper bailing cups in a leaky boat.
The media actively participates in obfuscating the issues, the causes and
the solutions by publicizing such crap from Symantec and MS.

-Lars
Lars Noodén ([EMAIL PROTECTED])
 Ensure access to your data now and in the future
 http://opendocumentfellowship.org/about_us/contribute



Re: Saving memory on small machines

2007-03-22 Thread Otto Moerbeek
On Thu, 22 Mar 2007, Kamil Monticolo wrote:

  The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory
  and is not swappable, giving me 43MB left, which isn't a lot.
 
 You can turn off ipv6, altq if not needed, and of course lots of hardware 
 that you don't need also. For example I have a 2 x smaller kernel than 
 GENERIC on my laptop:
 $ uname -a
 OpenBSD squirrel 4.1 BIRKOFF#0 i386
 $ ls -lh /bsd{,.orig} 
 -rw-r--r--  1 root  wheel   2.9M Mar  9 00:39 /bsd
 -rw-r--r--  1 root  wheel   5.8M Feb 22 13:32 /bsd.orig
 
 You may also strip nearly all of your libraries, for example:
 
 # ls -lhS /usr/lib/libcrypto*a
 -r--r--r--  1 root  bin  11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a
 -r--r--r--  1 root  bin  11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a
 -r--r--r--  1 root  bin  11.5M Mar 22 13:53 /usr/lib/libcrypto.a
 # strip -s /usr/lib/libcrypto*a
 # ls -lhS /usr/lib/libcrypto*a  
 -r--r--r--  1 root  bin   909K Mar 22 13:53 /usr/lib/libcrypto_pic.a
 -r--r--r--  1 root  bin   865K Mar 22 13:53 /usr/lib/libcrypto_p.a
 -r--r--r--  1 root  bin   835K Mar 22 13:53 /usr/lib/libcrypto.a
 
 looks fine? Hope this helps.
 
 Kamil Monticolo aka birkoff

It saves even more space if you do

alias strip=rm

-Otto



binat questions

2007-03-22 Thread Bruce Bauer

Using OpenBSD 4.0
Using binat for the first time in the real world
Questions:
binat pass on fxp0 from $server_int to any -> $server_ext
does this bypass all other pf filter rules?
binat on fxp0 from $server_int to any - $server_ext
does this form allow filtering?
Googleing comes up with many different opinions



Re: Saving memory on small machines

2007-03-22 Thread Bret Lambert
On Thu, 2007-03-22 at 11:11 +, David Given wrote:
 I have a machine with 48MB of RAM that I want to use as a server.
 
 The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory
 and is not swappable, giving me 43MB left, which isn't a lot.
 
 Is it worth recompiling the kernel to remove support for features I'm not
 using --- IPv6, say, or the Microchannel bus --- on the principle that
 reducing the size of the kernel will give more memory for doing other things,
 and therefore generally speed the system up? Or will not using GENERIC cause
 more problems than it's worth?
 
 And if it is worth recompiling the kernel, can anyone recommend any
 particularly big features it would be worth taking out?

well, you could always compile with the small kernel option (forget the
actual #define that needs to be made, but grep is god's gift to
everybody).



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Bob Beck
 Siju George wrote:
 Hi,
 
 http://www.internetnews.com/security/article.php/3667201
 
 Just for some entertainment, no troll :-)
 
 --Siju
 
 
 IMHO it's not a fair comparison, most linux distributions ship with a lot 
 more software than microsoft windows does, and most bugreports indicate 
 an issue with third-party software.

I think it's a very fair comparison. Hmm. let's see, An OS that ships
with a big pile of stinking garbage written quickly to dangle the
prettiest shiny things in front of users little brains before anyone
else does.  Linux distros do the first to market and damn the
consequences game just as well as Microsoft ever has. 

Third party software - in linux? fuck in Linux distributions
everything in userland is third party software. Linux is a kernel. The
operating system is then a collection of things put together by
bundlers. 

Do I think either vendor does a good job, no, but is Microsoft doing
a better job of it than say, Red Hat? Yep. You betcha. If you right
now took a magic fairy wand and replaced windows in all the broadband
connected machines out there with a full featured (and that means all
the bells and whistles, not spending half a day turning all the shit
off and un-setuiding all the inane shit that is setuid root) Red Hat
install with similar tools, I'm pretty sure you'd have a virus and
worm shitstorm that would make what we see now hitting our mailservers
from windows machines look like a tiny little unoffensive fart - from
a vegetarian at that. And yes a big chunk of the problem is the knuckle
dragging mouth breather in front of the keyboard - thank god that's
not OpenBSD's targeted userbase, although some days reading misc@
I wonder.

-Bob



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Douglas Allan Tutty
On Thu, Mar 22, 2007 at 08:12:23AM -0700, Ben Calvert wrote:
 On Thu, 22 Mar 2007 18:58:31 +0530, Siju George
 [EMAIL PROTECTED] wrote:
  Hi,
  
  http://www.internetnews.com/security/article.php/3667201
 
 From the article:
 
  Microsoft is doing better overall than its leading commercial
  competitors.  ^^
 
 No wonder.  they stacked the deck before doing the comparison

As I see it they compared:

Microsoft:  12 serious vulnerabilities in the OS
Red Hat: 2 serious vulnerabilities in the kernel + packages
Mac OS X:1 serious vulnerability in the OS
HP-UX:  ?? _serious_ out of 98 total
Solaris:?? _serious_ out of 36 total for OS + third-party apps

The article seems to rank by the number of patches.  If a vendor waits
and sends out a mega-patch even monthly, to fix more bugs than anyone
else, then that's only two patches over a 6 month period.

It's a poorly constructed survey.


Doug.



Re: Is OpenBSD good/best for my 486?

2007-03-22 Thread Open Phugu

On 3/22/07, Douglas Allan Tutty [EMAIL PROTECTED] wrote:


You mean OpenBSD has encrypted swap out-of-the-box?  That's fantastic.
It took a while to set up on my debian etch box.

That is why we call it ``secure by default''



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Greg Thomas

On 3/22/07, Bob Beck [EMAIL PROTECTED] wrote:


And yes a big chunk of the problem is the knuckle
dragging mouth breather in front of the keyboard - thank god that's
not OpenBSD's targeted userbase,


Damn, I wonder how I stumbled onto OpenBSD then.

Greg



Re: binat questions

2007-03-22 Thread Dag Richards
A quick read of the faq shows the pass keyword causes a bypass all 
filtering ...so don't use it if you want your filters to be applied .



Bruce Bauer wrote:

Using OpenBSD 4.0
Using binat for the first time in the real world
Questions:
binat pass on fxp0 from $server_int to any -> $server_ext
does this bypass all other pf filter rules?
binat on fxp0 from $server_int to any -> $server_ext
does this form allow filtering?
Googling comes up with many different opinions




Re: openbsd current?

2007-03-22 Thread STeve Andre'
On Thursday 22 March 2007 10:01:23 Nick ! wrote:
 On 3/22/07, Jay Jesus Amorin [EMAIL PROTECTED] wrote:
  how do i know if im using openbsd current?

 If you have to ask you aren't.

 Current is installed by installing snapshots and compiling from CVS.
 The learning curve is very steep.

 -Nick

Um, that's not true.  I've now encountered three people who got
snapshots and got their systems working,  not realizing that 
they had -current.  One of them even managed to get -current
packages, so was by chance in sync, happy and didn't know
what he was doing exactly.  So there are ways of being on
-current and not quite knowing that you are.

--STeve Andre'



Re: Saving memory on small machines

2007-03-22 Thread Woodchuck
On Thu, 22 Mar 2007, David Given wrote:

 I have a machine with 48MB of RAM that I want to use as a server.
 
 The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory
 and is not swappable, giving me 43MB left, which isn't a lot.

I sent a longer ramble offlist, but onlist, the bottom line is this:
you'll save some memory, a few megabytes, but if they are the tipping
point between usefulness and non-usefulness of the machine, spend
your time and money on Ebay, finding more memory.  Sometimes you
can find a couple of hundred MB for cheap, with a faster CPU, large
discs, snappy ethernet and video cards, a new case and power supply,
and other cool stuff still attached to it ;-).

Other point: swapping (i.e. paging) is perfectly acceptable behavior
in some circumstances.  It used to be the way things were.

The Golden Age of cheap servers (and laptops and ...) is almost
upon us, just as soon as the lemmings start going to Vista.

Dave



my new email / nowy adres email

2007-03-22 Thread sizu
Currently I'm using the following email address: / My new email address:
http://toya.net.pl/~pirama/email.jpg

regards,
TTR



Re: Saving memory on small machines

2007-03-22 Thread Bob Beck
* Artur Grabowski [EMAIL PROTECTED] [2007-03-22 10:32]:
 Kamil Monticolo [EMAIL PROTECTED] writes:
 
  # ls -lhS /usr/lib/libcrypto*a
  -r--r--r--  1 root  bin  11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a
  -r--r--r--  1 root  bin  11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a
  -r--r--r--  1 root  bin  11.5M Mar 22 13:53 /usr/lib/libcrypto.a
  # strip -s /usr/lib/libcrypto*a
  # ls -lhS /usr/lib/libcrypto*a  
  -r--r--r--  1 root  bin   909K Mar 22 13:53 /usr/lib/libcrypto_pic.a
  -r--r--r--  1 root  bin   865K Mar 22 13:53 /usr/lib/libcrypto_p.a
  -r--r--r--  1 root  bin   835K Mar 22 13:53 /usr/lib/libcrypto.a
 
 I'm speechless. This is the low water mark on misc@ this week.
 
 //art
 

How can you call it a low water mark art? I wasn't speechless,
I laughed my ass off. I needed the humor this morning, I'm hung 
over and spent the morning in a stupid meeting. That message made
my day. 

Definitely not a low water mark ;)

-Bob



Re: openbsd current?

2007-03-22 Thread Nick !

On 3/22/07, STeve Andre' [EMAIL PROTECTED] wrote:

On Thursday 22 March 2007 10:01:23 Nick ! wrote:
 On 3/22/07, Jay Jesus Amorin [EMAIL PROTECTED] wrote:
  how do i know if im using openbsd current?

 If you have to ask you aren't.

 Current is installed by installing snapshots and compiling from CVS.
 The learning curve is very steep.

 -Nick

Um, that's not true.  I've now encountered three people who got
snapshots and got their systems working,  not realizing that
they had -current.  One of them even managed to get -current
packages, so was by chance in sync, happy and didn't know
what he was doing exactly.  So there are ways of being on
-current and not quite knowing that you are.


I sent this to the wrong list. Damn you gmail. It got an interesting
response though, so it was worth it.

-Nick



Re: openbsd current?

2007-03-22 Thread Jeremy David

Perhaps the better thing to say is that it takes know-how to run
current *correctly and well*.

If you're just dipping your toes into OpenBSD. Running -current might
not be for you.

On 3/22/07, STeve Andre' [EMAIL PROTECTED] wrote:

On Thursday 22 March 2007 10:01:23 Nick ! wrote:
 On 3/22/07, Jay Jesus Amorin [EMAIL PROTECTED] wrote:
  how do i know if im using openbsd current?

 If you have to ask you aren't.

 Current is installed by installing snapshots and compiling from CVS.
 The learning curve is very steep.

 -Nick

Um, that's not true.  I've now encountered three people who got
snapshots and got their systems working,  not realizing that
they had -current.  One of them even managed to get -current
packages, so was by chance in sync, happy and didn't know
what he was doing exactly.  So there are ways of being on
-current and not quite knowing that you are.

--STeve Andre'




Re: openbsd current?

2007-03-22 Thread STeve Andre'
Very good point, Jeremy.

OpenBSD-current is *not* the way to start off.  This is the only
op system I've ever used which has generally been stable
enough to use on a production machine, but that does not
mean that newcomers should use it.

Start with the stock release, and then get some extra piece of
junk to run -current on, and learn from there...

--STeve Andre'

On Thursday 22 March 2007 14:18:44 Jeremy David wrote:
 Perhaps the better thing to say is that it takes know-how to run
 current *correctly and well*.

 If you're just dipping your toes into OpenBSD. Running -current might
 not be for you.

 On 3/22/07, STeve Andre' [EMAIL PROTECTED] wrote:
  On Thursday 22 March 2007 10:01:23 Nick ! wrote:
   On 3/22/07, Jay Jesus Amorin [EMAIL PROTECTED] wrote:
how do i know if im using openbsd current?
  
   If you have to ask you aren't.
  
   Current is installed by installing snapshots and compiling from CVS.
   The learning curve is very steep.
  
   -Nick
 
  Um, that's not true.  I've now encountered three people who got
  snapshots and got their systems working,  not realizing that
  they had -current.  One of them even managed to get -current
  packages, so was by chance in sync, happy and didn't know
  what he was doing exactly.  So there are ways of being on
  -current and not quite knowing that you are.
 
  --STeve Andre'



Re: Saving memory on small machines

2007-03-22 Thread David Given
Woodchuck wrote:
[...]
 I sent a longer ramble offlist

Indeed. Ta.

 , but onlist, the bottom line is this:
 you'll save some memory, a few megabytes, but if they are the tipping
 point between usefulness and non-usefulness of the machine, spend
 your time and money on Ebay, finding more memory.

Unfortunately the box is currently maxed out on memory (it's a laptop).

It won't be serving very much; I'm looking to replace my existing NSLU2
running Debian, which is doing thttpd, postfix, samba, nfsd, spamprobe, spey,
dovecot, and dnsmasq. (I'd actually quite like to continue using the NSLU2
but
it doesn't turn on automatically --- which is a pain in the arse whenever
there's a power cut --- and I'd rather use OpenBSD, anyway. Is anyone working
on an NSLU2 port?)

The only thing I can expand it with now is hard disk space, via a USB2
Cardbus
adaptor. Unfortunately, I haven't been able to get the EHCI interface working
--- I posted a dmesg a few days ago, but it may have been eaten by the
mailing
list software; I'd only just subscribed.

--
bbb o=o=o o=o=o=o=o=o=o=oo=o=o=
 bbb
http://www.cowlark.com
bbbbbbbbbbbbbbbbbbb
b Wizards get cranky, / Dark days dawn, / Riders smell manky, / The road
b goes on. / Omens are lowering, / Elves go West; / The Shire needs
b scouring, / You may as well quest. - John M. Ford




Re: Saving memory on small machines

2007-03-22 Thread Douglas Allan Tutty
On Thu, Mar 22, 2007 at 12:09:04PM -0600, Bob Beck wrote:
 * Artur Grabowski [EMAIL PROTECTED] [2007-03-22 10:32]:
  Kamil Monticolo [EMAIL PROTECTED] writes:
  
   # ls -lhS /usr/lib/libcrypto*a
   -r--r--r--  1 root  bin  11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a
   -r--r--r--  1 root  bin  11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a
   -r--r--r--  1 root  bin  11.5M Mar 22 13:53 /usr/lib/libcrypto.a
   # strip -s /usr/lib/libcrypto*a
   # ls -lhS /usr/lib/libcrypto*a  
   -r--r--r--  1 root  bin   909K Mar 22 13:53 /usr/lib/libcrypto_pic.a
   -r--r--r--  1 root  bin   865K Mar 22 13:53 /usr/lib/libcrypto_p.a
   -r--r--r--  1 root  bin   835K Mar 22 13:53 /usr/lib/libcrypto.a
  
  I'm speechless. This is the low water mark on misc@ this week.
 
   How can you call it a low water mark art? I wasn't speechless,
 I laughed my ass off. I needed the humor this morning, I'm hung 
 over and spent the morning in a stupid meeting. That message made
 my day. 
 
   Definitely not a low water mark ;)

My apologies.  I don't get the humour.

Take a lib, strip the debugging symbols, you get a functional lib that's
10% of the size.  However, since BSD relies on the ability to recompile
things, don't you need those libs to have the debugging symbols?

Or is it that strip -s removes all symbols and it was only intended to
remove the debug symbols.  The libs won't work?

Sorry, I'm from debian.  I never compile C.  The last thing I compiled
was Fortran 77.  I try not to mouth-breathe but, when I do, at least I
don't drool.

Could some kind soul gently explain the humour?

Thanks,

Doug.



Re: Saving memory on small machines

2007-03-22 Thread Miod Vallat
 It won't be serving very much; I'm looking to replace my existing NSLU2
 running Debian, which is doing thttpd, postfix, samba, nfsd, spamprobe, spey,
 dovecot, and dnsmasq. (I'd actually quite like to continue using the NSLU2
 but
 it doesn't turn on automatically --- which is a pain in the arse whenever
 there's a power cut --- and I'd rather use OpenBSD, anyway. Is anyone working
 on an NSLU2 port?)

I am not aware of anyone working on running OpenBSD on the NSLU2, but if
you want a nice pet project to spend time on, NetBSD runs on it and
porting their code should be relatively easy to do. Of course this won't
help with the fact that the NSLU2 is horribly slow (it's not nicknamed
``slug'' without a good reason).

Miod



Re: Saving memory on small machines

2007-03-22 Thread Pedro Martelletto
On Thu, Mar 22, 2007 at 12:09:04PM -0600, Bob Beck wrote:
   How can you call it a low water mark art? I wasn't speechless,
 I laughed my ass off. I needed the humor this morning, I'm hung 
 over and spent the morning in a stupid meeting. That message made
 my day.

Because what was `early morning good laugh' to you was probably 'end of
day utter deception' for him. :-)

-p.



Re: binat questions

2007-03-22 Thread Bruce Bauer
Yes, it shows that for a nat rule but doesn't mention anything about pass on
a binat rule.  I only discovered that binat accepts pass from the grammar
section of pf.conf(5).
I can't find any authority that states that binat pass... causes a bypass
of all filtering as it does with nat pass...


On 3/22/07, Dag Richards [EMAIL PROTECTED] wrote:

 A quick read of the faq shows the pass keyword causes a bypass all
 filtering ...so don't use it if you want your filters to be applied .


 Bruce Bauer wrote:
  Using OpenBSD 4.0
  Using binat for the first time in the real world
  Questions:
  binat pass on fxp0 from $server_int to any -> $server_ext
  does this bypass all other pf filter rules?
  binat on fxp0 from $server_int to any -> $server_ext
  does this form allow filtering?
  Googling comes up with many different opinions



Re: binat questions

2007-03-22 Thread Stuart Henderson
On 2007/03/22 13:01, Bruce Bauer wrote:
 Yes, it shows that for a nat rule but doesn't mention anything about pass on
 a binat rule.  I only discovered that binat accepts pass from the grammar
 section of pf.conf(5).

Packets that match a translation rule are only automatically passed
if the pass modifier is given, otherwise they are still subject to block
and pass rules.

Translation rules are binat, rdr, nat.

One thing to watch out for with binat: you can't use it with
ftp-proxy(8), since binat is of higher priority than the rdr or
nat rules which are added to the anchor. The workaround there
is to list nat and rdr separately.
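A ruleset illustrating Stuart's point, added here and not taken from the thread: binat without the pass modifier, followed by explicit filter rules written against the post-translation address. The interface matches Bruce's fxp0; the addresses are placeholders from the documentation ranges.

```pf
# Added example, not from the thread.  Addresses are placeholders.
ext_if = "fxp0"
server_int = "192.0.2.10"
server_ext = "198.51.100.10"

# Translation section.  Without the "pass" modifier, packets matching
# this binat are still evaluated against the filter rules below.
binat on $ext_if from $server_int to any -> $server_ext

# The variant that skips filtering entirely for matching packets,
# left commented out as the form to avoid when filters must apply:
# binat pass on $ext_if from $server_int to any -> $server_ext

# Filter section.  Translation happens before filtering, so inbound
# rules are written against the internal (translated) address.
block in log on $ext_if
pass in on $ext_if inet proto tcp from any to $server_int \
    port { 80, 443 } flags S/SA keep state
pass out on $ext_if from $server_int to any keep state
```

pfctl -nf /etc/pf.conf checks the syntax without loading it, and pfctl -sn and pfctl -sr show the loaded translation and filter rules separately so the absence of the pass modifier can be confirmed.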



quick test of netbeans pkg

2007-03-22 Thread llx
for testing purposes i installed a current snapshot. i saw 
the announcement of the netbeans pkg thus i compiled jdk 1.5 
and installed netbeans. 

when i build/run a project the output in the output/console 
of netbeans is mostly not readable. it prints targets like 
  init:
  deps-jar:
but the output form the compiler or the application looks
like it prints a square for each character. looks like a
font and or encoding problem?


the snapshot was downloaded on the 20. march. the base system was 
dated 18. march, the packages 12. march (sunsite.cnlab-switch.ch). 

  OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

  netbeans-5.5NetBeans Java IDE
  jdk-1.5.0p28Java2(TM) Standard Edition Dev Kit v1.5.0


any idea what went wrong?



Support for USB wireless device RTL8187B?

2007-03-22 Thread Darth Lists

Hello list,

I bought a TEW-424UB usb wireless adapter to use with my landisk 
(Plextor EH40L).  I recommend that you go out and get one of these.  In 
Canada, TigerDirect.ca has the 400GB model for $315CDN after rebate.


The supported hardware list indicates that the TEW-424UB is supported 
but that it uses the ZyDAS ZD1211 chipset.
I have rev 3.0 of the hardware which as it turns out uses the Realtek 
RTL8187B chipset.
At present, this does not appear to be supported.  Here is what I see 
upon device insertion:


ugen0 at uhub2 port 1
ugen0: Realtek RTL8187B_WLAN_Adapte, rev 2.00/2.00, addr 2

More info on the chip and a Linux driver is available here
http://www.realtek.com.tw/search/default.aspx?keyword=rtl8187b

Is anyone working on a driver for this device?
Will access to hardware help?


Cheers,

/Jason



Re: Saving memory on small machines

2007-03-22 Thread Ted Unangst

On 3/22/07, Douglas Allan Tutty [EMAIL PROTECTED] wrote:

Or is it that strip -s removes all symbols and it was only intended to
remove the debug symbols.  The libs won't work?


yes, libs without symbols aren't especially useful for future development.



streaming program...

2007-03-22 Thread poncenby smythe

list,

i am looking for a video streaming program and noticed ffmpeg did it 
over http. installing ffmpeg from packages gave the following...


4.0 GENERIC i386, no X11

 sudo pkg_add -v ${PKG_PATH}ffmpeg-20060312p1.tgz
Password:
parsing ffmpeg-20060312p1
Dependencies for ffmpeg-20060312p1 resolve to: sdl-1.2.9p1-sun (todo: 
sdl-1.2.9p1-sun)

ffmpeg-20060312p1:parsing sdl-1.2.9p1-sun
Can't install sdl-1.2.9p1-sun: lib not found X11.9.0
Even by looking in the dependency tree:

Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.
Can't install sdl-1.2.9p1-sun: lib not found Xext.9.0
Can't install 
ftp://spargel.kd85.com/pub/OpenBSD/4.0/packages/i386/ffmpeg-20060312p1.tgz: 
can't resolve sdl-1.2.9p1-sun


PKG_PATH=ftp://spargel.kd85.com/pub/OpenBSD/4.0/packages/i386/

it seems strange to me that ffmpeg requires X11 by default.

so which streaming program that can do RTP would the list recommend?

many thanks

poncenby



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Marc Espie
On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
 Their challenge is that they need to provide choice so they
 have what they call reasonable defaults. 

No, they don't need to provide choice. At least not that many. They decide 
to do so.  That's most of what's wrong with OS stuff these days. Too 
many choices.  Too many knobs. Every day, I see people shoot themselves in 
the foot, not managing to administer boxes and networks in a simple way,
making stupid decisions that don't serve any purpose.

ACL, enforced security policies, reverse proxy setups, user accounts, 
network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs... 
so many choices. So many wrong choices.

At some point, the people who package the software need to make editorial
decisions. Remove knobs. Provide people with stuff that just works.
Remove options. Or definitely give them the means to do the trade-off
correctly.

Okay, it's a losing battle. I'm an old grumpy fart.

Okay, a lot of IT people are just earning their wages by managing the 
incredibly too complex setups we face nowadays (and not screwing too badly 
in front of a multitude of stupid inane choices).

Linux is the `culture of choice'. Provide ten MTA, ten MUA. Twenty window
managers. Never decide which one you want to install, never give you a
default installation that just works. Cater to the techy, nerdy culture
of people who want to spend *days* just making choices.

We try not to be as bad, to provide default configs that work, and not
so many choices.



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Andreas Bihlmaier
On Thu, Mar 22, 2007 at 09:40:57PM +0100, Marc Espie wrote:
 On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
  Their challenge is that they need to provide choice so they
  have what they call reasonable defaults. 
 
 No, they don't need to provide choice. At least not that many. They decide 
 to do so.  That's most of what's wrong with OS stuff these days. Too 
 many choices.  Too many knobs. Every day, I see people shoot themselves in 
 the foot, not managing to administer boxes and networks in a simple way,
 making stupid decisions that don't serve any purpose.
 
 ACL, enforced security policies, reverse proxy setups, user accounts, 
 network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs... 
 so many choices. So many wrong choices.
 
 At some point, the people who package the software need to make editorial
 decisions. Remove knobs. Provide people with stuff that just works.
 Remove options. Or definitely give them the means to do the trade-off
 correctly.
 
 Okay, it's a losing battle. I'm an old grumpy fart.
 
 Okay, a lot of IT people are just earning their wages by managing the 
 incredibly too complex setups we face nowadays (and not screwing too badly 
 in front of a multitude of stupid inane choices).
 
 Linux is the `culture of choice'. Provide ten MTA, ten MUA. Twenty window
 managers. Never decide which one you want to install, never give you a
 default installation that just works. Cater to the techy, nerdy culture
 of people who want to spend *days* just making choices.
 
 We try not to be as bad, to provide default configs that work, and not
 so many choices.

I agree with you that secure/sane defaults are very important, they are
a big pro for OpenBSD. Featurism violates KISS and we all know that KISS
is the only way to handle ever growing complexity.
BUT choices are important as well, everything else is world domination
tour aka dictatorship (and not the good kind).
Imagine not having a choice in hardware, wait don't just imagine look at
the high-end graphics card market.

Sorry, but I just couldn't leave the one size HAS TO fit all alone
without any restraints.

Regards,
ahb



Re: cannot make mod_auth_bsd work

2007-03-22 Thread Vijay Sankar
On Thursday 22 March 2007 08:09, Thierry Lacoste wrote:
 After a default 4.0 install I installed www/mod_auth_bsd
 but all users are rejected.
 I have the following line in my /var/www/logs/error_log:
 httpd: invalid script: /usr/libexec/auth/login_passwd

 Same results whether apache is chrooted or not.

 Any help would be appreciated.


I tried to recreate your error message and when I removed AuthBSDGroup
auth in httpd.conf, I got the exact error you mention. So it is
possible that this is the cause for your error message.

The README file in /usr/local/share/doc/mod_auth_bsd explicitly mentions
this point and states that you should have something like:

AuthBSDGroup auth

<Directory /var/www/vhosts/foo/login>
 SSLRequireSSL   # required by default
 AuthType Basic  # only HTTP Basic supported
 AuthName Foo Login
 AuthBSD On
 Require valid-user  # restrict to system accounts
</Directory>

Hope this helps,

Vijay

--
Vijay Sankar
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: +1 (204) 885-9535, E-Mail: [EMAIL PROTECTED]



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Greg Thomas

On 3/22/07, Marc Espie [EMAIL PROTECTED] wrote:

On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
 Their challenge is that they need to provide choice so they
 have what they call reasonable defaults.

No, they don't need to provide choice. At least not that many. They decide
to do so.  That's most of what's wrong with OS stuff these days.


That's exactly why I switched long ago.  Poking around at 1000
different little apps all doing the same thing was fun for awhile on
Linux but I eventually realized that all the choices actually reduced
my productivity.

A second reason I switched was because of OS cohesion.

Greg



Re: Saving memory on small machines

2007-03-22 Thread David Terrell
On Thu, Mar 22, 2007 at 01:29:33PM -0700, Ted Unangst wrote:
 On 3/22/07, Douglas Allan Tutty [EMAIL PROTECTED] wrote:
 Or is it that strip -s removes all symbols and it was only intended to
 remove the debug symbols.  The libs won't work?
 
 yes, libs without symbols aren't especially useful for future development.

Also, stripping static libs has ZERO impact on your installed 
system, it only affects things you compile from source on that
box.  (and, as you mention -- negatively).

-- 
David Terrell
[EMAIL PROTECTED]
((meatspace)) http://meat.net/



Do symlinks exist? (sh, ksh, /bin/test documentation ambiguity)

2007-03-22 Thread Stefek Zaba

I expect it's old, old news to those with more shell scripting scars: but
the results of the [ -e ] test are at variance with my allegedly reasonable
reading of the documentation.

For all three of sh, ksh, and the /bin/test manpages, the description of the
-e test reads file exists, unlike the other file-related tests which read
file exists and further condition, with further condition being
is-writable, is-executable, is-readable, and the like. The manpage for
/bin/test is even more emphatic in suggesting it's going to be true for a
strict superset of the files for which the other tests return true - True
if file exists (regardless of type).

However, there are arguments for which -e returns false, but a different
file-related test returns true. These arguments are symlinks which don't
resolve to an existing file - both symlinks that point 'nowhere', i.e. to
non-existent targets (directly or indirectly), and symlinks which will error
with ELOOP if stat()ed.

Changing the behaviour of -e for non-resolving symlinks is almost certainly
a Really Bad Idea: the existing behaviour of -e is doubtless relied on by a
few million shellscripts, all more or less strongly bound to the idea that
if -e returns true, there's Something There, and a strong expectation that
the Something is stat()able rather than merely lstat()able. But perhaps a
small change to the venerable text of the sh, ksh, and /bin/test manpages
might be in order? Some form of words like exists (target exists if a
symbolic link) might capture the actual behaviour more accurately.

Yes, it's a picky point - and one I wouldn't bother raising in the Linux
world, where manpages are at best impressionistic; but the pithy clarity of
OpenBSD manpages is a pearl beyond price, and thus worth cleaning of even
small specks.

As far as testing in shell scripts whether 'things' are present - using
[ -e $file -o -h $file ] catches the 'exists, maybe as a symlink which
doesn't resolve' case; as could the use of stat(1) with suitable
format-strings, -q, -L, and related incantatia...

Cheers, Stefek
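The dangling and looping symlink cases described above, as an added example that is not part of Stefek's message; the scratch directory and the file and link names are constructed for the demonstration.

```shell
# Added example, not from the thread.  Names below are constructed.

# Print one word describing how [ -e ] and [ -h ] see a path:
#   exists           stat() succeeded, so -e is true
#   dangling-symlink lstat() succeeded but stat() did not (-e false, -h true)
#   absent           neither test is true
classify_path() {
    if [ -e "$1" ]; then
        printf 'exists\n'
    elif [ -h "$1" ]; then
        printf 'dangling-symlink\n'
    else
        printf 'absent\n'
    fi
}

# Build the cases in a scratch directory and classify each one.
# Writes the classifications as one space-separated line.
demo_symlink_tests() {
    dir=$(mktemp -d) || return 1
    : > "$dir/regular"
    ln -s "$dir/regular" "$dir/good_link"       # resolves to a file
    ln -s "$dir/does_not_exist" "$dir/nowhere"  # target never existed
    ln -s "$dir/loop" "$dir/loop"               # stat() fails with ELOOP
    out=""
    for p in regular good_link nowhere loop missing; do
        out="$out$(classify_path "$dir/$p") "
    done
    rm -rf "$dir"
    printf '%s\n' "${out% }"
}

# "Something There" check from the message: true for a regular file
# and for a symlink that does not resolve.  Two tests joined with ||
# are used instead of the obsolescent -o operator inside one [ ].
something_there() {
    [ -e "$1" ] || [ -h "$1" ]
}
```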



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Jeff Rollin

On 22/03/07, Marc Espie [EMAIL PROTECTED] wrote:

On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
 Their challenge is that they need to provide choice so they
 have what they call reasonable defaults.

No, they don't need to provide choice. At least not that many. They decide
to do so.  That's most of what's wrong with OS stuff these days. Too
many choices.  Too many knobs. Every day, I see people shoot themselves in
the foot, not managing to administer boxes and networks in a simple way,
making stupid decisions that don't serve any purpose.

ACL, enforced security policies, reverse proxy setups, user accounts,
network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs...
so many choices. So many wrong choices.


Multiple user accounts and a journalling facility on a filesystem ==
wrong: Interesting perspective.



At some point, the people who package the software need to make editorial
decisions. Remove knobs. Provide people with stuff that just works.
Remove options. Or definitely give them the means to do the trade-off
correctly.

Okay, it's a losing battle. I'm an old grumpy fart.

Okay, a lot of IT people are just earning their wages by managing the
incredibly too complex setups we face nowadays (and not screwing too badly
in front of a multitude of stupid inane choices).

Linux is the `culture of choice'. Provide ten MTA, ten MUA. Twenty window
managers. Never decide which one you want to install, never give you a
default installation that just works. Cater to the techy, nerdy culture
of people who want to spend *days* just making choices.


Wrong. Unix is the culture of choice, and that includes Linux and
OpenBSD. It's been the same ever since Berkeley included csh. That, by
the way, is why YOU have the option to run OpenBSD, and others have
the option to run Linux.



We try not to be as bad, to provide default configs that work, and not
so many choices.




I was happy with the choices in Linux ten years ago. Some still aren't
happy with it. That's the nature of people these days. If you want to
try to change their behaviour you have to provide for them in the
meantime.


Jeff
--
Q: What will happen in the Aftermath?

A: Impossible to tell, since we're still in the Beforemath.

http://latedeveloper.org.uk



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Greg Thomas

On 3/22/07, Jeff Rollin [EMAIL PROTECTED] wrote:

On 22/03/07, Marc Espie [EMAIL PROTECTED] wrote:
 On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
  Their challenge is that they need to provide choice so they
  have what they call reasonable defaults.

 No, they don't need to provide choice. At least not that many. They decide
 to do so.  That's most of what's wrong with OS stuff these days. Too
 many choices.  Too many knobs. Every day, I see people shoot themselves in
 the foot, not managing to administer boxes and networks in a simple way,
 making stupid decisions that don't serve any purpose.

 ACL, enforced security policies, reverse proxy setups, user accounts,
 network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs...
 so many choices. So many wrong choices.

Multiple user accounts and a journalling facility on a filesystem ==
wrong: Interesting perspective.


 At some point, the people who package the software need to make editorial
 decisions. Remove knobs. Provide people with stuff that just works.
 Remove options. Or definitely give them the means to do the trade-off
 correctly.

 Okay, it's a losing battle. I'm an old grumpy fart.

 Okay, a lot of IT people are just earning their wages by managing the
 incredibly too complex setups we face nowadays (and not screwing too badly
 in front of a multitude of stupid inane choices).

 Linux is the `culture of choice'. Provide ten MTA, ten MUA. Twenty window
 managers. Never decide which one you want to install, never give you a
 default installation that just works. Cater to the techy, nerdy culture
 of people who want to spend *days* just making choices.

Wrong. Unix is the culture of choice, and that includes Linux and
OpenBSD.


How many MTAs, MUAs, http servers, text editors, DNS servers, FTP
servers, etc. are included with OpenBSD?

Greg



Re: Saving memory on small machines

2007-03-22 Thread David Given
Miod Vallat wrote:
[...]
 I am not aware of anyone working on running OpenBSD on the NSLU2, but if
 you want a nice pet project to spend time on, NetBSD runs on it and
 porting their code should be relatively easy to do. Of course this won't
 help with the fact that the NSLU2 is horribly slow (it's not nicknamed
 ``slug'' without a good reason).

There's a simple hardware mod you can do with a pair of nail clippers that
removes the single resistor that's underclocking it to 133MHz. Then it runs
twice as fast, at a semi-respectable 266. It's still not going to win any
records, but it's more than adequate as a house router.

I have had a bit of a look at the NetBSD version, but to be totally honest,
all the BSDs are so similar that I don't want to look too hard unless it
confuses me. My BSD-fu is certainly not sufficient to port OpenBSD myself.

--
http://www.cowlark.com
"I have always wished for my computer to be as easy to use as my
telephone; my wish has come true because I can no longer figure out how
to use my telephone." --- Bjarne Stroustrup




isakmpd gateway-to-gateway VPN woes...

2007-03-22 Thread Jack Bates
If you can help, please feel free to CC: me directly:
[EMAIL PROTECTED]

My partner-in-crime and I are having some trouble getting a LAN-to-LAN VPN
working with OpenBSD-4.0-stable isakmpd.  Both firewalls have a relatively
unaltered install.  Both firewalls still have pf, ipsec and isakmpd_flags
unset in rc.conf (we are configuring and starting manually - is this a
problem?).  We have followed the directions from the Zero to IPSec on 4
minutes webpage.  I hope that this error report is thorough.

Here is a picture of the configuration:

                         10.0.0.2/24 --- 10.0.0.1/24
   L1 ---------- F1                                  F2 ---------- L2
10.4.14.1    10.4.12.1/22                        10.2.12.1/22    10.2.14.1

L1,L2 - laptops
F1,F2 - Soekris net4801 firewalls

What works:

L1-F1 lan communication
L2-F2 lan communication
F1-F2 lan communication
F1-F2 IPSec communication (evidenced by F1 running ping 10.0.0.1 and
seeing only esp packets in tcpdump)

What doesn't work:

F1-L2 gateway'd VPN
F2-L1 gateway'd VPN
L1-L2 gateway-to-gateway'd VPN

What is interesting is that the routing tables have a section named
"Encap:" that seems to contain valid routes for the flows that do not
work above, but when attempting to use ping on addresses on a broken
flow we get "No route to host".  This has got to be something simple.
Thanks in advance for your help.

Here are the pf.conf files from both firewalls:

###
F1: pf.conf
###

# jack
ext_if=sis0
int_if=sis1
set skip on { lo $int_if enc0 }
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass quick on $ext_if from 10.0.0.1
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

###
F2: pf.conf
###

# sabino
ext_if=sis0
int_if=sis1
set skip on { lo $int_if enc0 }
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass quick on $ext_if from 10.0.0.2
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state

##
F1: ipsec.conf
##

# jack to sabino
sabino_ext = 10.0.0.1
sabino_int = 10.2.12.0/22
jack_ext   = 10.0.0.2
jack_int   = 10.4.12.0/22
ike esp from $jack_int to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_ext

##
F2: ipsec.conf
##

# sabino to jack
sabino_ext=10.0.0.1
sabino_int=10.2.12.0/22
jack_ext=10.0.0.2
jack_int=10.4.12.0/22
ike passive esp from $sabino_int to $jack_int peer $jack_ext
ike passive esp from $sabino_ext to $jack_int peer $jack_ext
ike passive esp from $sabino_ext to $jack_ext

###
F1: What isakmpd says after running ipsecctl -f /etc/ipsec.conf
###

# isakmpd -K -d -v
164953.991350 Default isakmpd: phase 1 done: initiator id 0a02:
10.0.0.2, responder id 0a01: 10.0.0.1, src: 10.0.0.2 dst: 10.0.0.1
164955.074708 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
164955.283055 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
164955.652188 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
165058.199701 Default isakmpd: shutting down...
165058.219397 Default isakmpd: exit

###
F2: What isakmpd says after running ipsecctl -f /etc/ipsec.conf
###

# isakmpd -K -d -v
171251.878157 Default isakmpd: phase 1 done: initiator id 0a02:
10.0.0.2, responder id 0a01: 10.0.0.1, src: 10.0.0.1 dst: 10.0.0.2
171253.351373 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171253.557425 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171253.566780 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171356.739110 Default isakmpd: shutting down...
171356.741411 Default isakmpd: exit

##
F1: routing table after isakmpd negotiates tunnels
##

# ipsecctl -f /etc/ipsec.conf
# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags   Refs     Use    Mtu  Interface
10.0.0/24          link#1             UC         1       0      -  sis0
10.0.0.1           00:00:24:c8:1d:60  UHLc       2     125      -  sis0
10.4.12/22         link#2             UC         1       0      -  sis1
10.4.14.1          00:e0:00:c2:6e:2c  UHLc       4     644      -  sis1
10.4.16/22         link#3             UC         0       0      -  sis2
127/8              127.0.0.1          UGRS       0       0  33224  lo0
127.0.0.1          127.0.0.1          UH         1       4  33224  lo0
224/4              127.0.0.1          URS        0       0  33224  lo0

Internet6:
...abbreviated - irrelevant...

Encap:
Source        Port  Destination   Port  Proto  SA(Address/Proto/Type/Direction)
10.0.0.1/32   0     10.0.0.2/32   0     0
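
A flow-coverage check, added here as an illustration (it is not part of Jack's post and not OpenBSD's own code): it loads F1's ipsec.conf exactly as shown above, expands the macros, and reports which flow, if any, covers a given src/dst pair. The function names and the list of test pairs are my own; the only ipsec.conf(5) rule assumed beyond what the post shows is that an omitted peer defaults to the destination address.

```python
import ipaddress
from dataclasses import dataclass

# F1's ipsec.conf as posted above (jack -> sabino), embedded as sample input.
F1_IPSEC_CONF = """\
# jack to sabino
sabino_ext = 10.0.0.1
sabino_int = 10.2.12.0/22
jack_ext   = 10.0.0.2
jack_int   = 10.4.12.0/22
ike esp from $jack_int to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_ext
"""


@dataclass(frozen=True)
class Flow:
    label: str                      # rule as written, macros left unexpanded
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    peer: ipaddress.IPv4Address


def parse_ipsec_conf(text):
    """Collect 'ike [passive] esp from A to B [peer C]' rules, expanding macros.
    Only the subset of ipsec.conf(5) syntax used in the post is handled."""
    macros = {}
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        if not line.startswith("ike"):          # macro definition: name = value
            name, value = (part.strip() for part in line.split("=", 1))
            macros[name] = value
            continue
        words = line.split()
        expanded = [macros[w[1:]] if w.startswith("$") else w for w in words]
        src = expanded[expanded.index("from") + 1]
        dst = expanded[expanded.index("to") + 1]
        # ipsec.conf(5): when no peer is given, the destination is the peer.
        peer = expanded[expanded.index("peer") + 1] if "peer" in expanded else dst
        flows.append(Flow(
            label=" ".join(words[words.index("from"):]),
            src=ipaddress.ip_network(src, strict=False),
            dst=ipaddress.ip_network(dst, strict=False),
            peer=ipaddress.ip_address(peer),
        ))
    return flows


def covering_flow(flows, src, dst):
    """Most specific flow whose src/dst networks contain the packet's
    addresses, or None when no flow applies (the packet leaves in the clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [f for f in flows if s in f.src and d in f.dst]
    if not matches:
        return None
    return max(matches, key=lambda f: f.src.prefixlen + f.dst.prefixlen)


# Constructed pairs: laptop L1 (10.4.14.1), F1's external address, F2's
# external address, laptop L2 (10.2.14.1), all taken from the diagram above.
PAIRS = [
    ("10.4.14.1", "10.2.14.1"),   # L1 -> L2 through both gateways
    ("10.0.0.2", "10.2.14.1"),    # F1 (external address) -> L2
    ("10.0.0.2", "10.0.0.1"),     # F1 -> F2 gateway-to-gateway
    ("10.4.14.1", "10.0.0.1"),    # L1 -> F2's external address
]


def coverage_report(text=F1_IPSEC_CONF, pairs=PAIRS):
    """Map each (src, dst) pair to the label of the flow covering it, or None."""
    flows = parse_ipsec_conf(text)
    report = {}
    for pair in pairs:
        flow = covering_flow(flows, *pair)
        report[pair] = flow.label if flow else None
    return report


if __name__ == "__main__":
    for (src, dst), label in coverage_report().items():
        print(f"{src:>10} -> {dst:<10} {label or 'NO FLOW (leaves via the nat rule)'}")
```

The last pair is the one worth noticing: there is no flow from $jack_int to $sabino_ext, so a packet from a laptop behind F1 to F2's external address is not encapsulated at all and goes out through the nat rule. A covering flow is necessary but not sufficient: it produces the Encap entry, while the gateway still has to forward the laptop's packets before that entry carries any traffic.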

Running OpenOffice on OpenBSD-How do I start it?

2007-03-22 Thread Robert Goulding
First, I am an absolute newbie.  I purchased the OpenBSD 4.0 cd's and got it
loaded and running and successfully added the Samba and KDE packages.
Installing OpenOffice and getting mail working are my next two projects with
it. I am running an i386 machine with a 1.2 GHz AMD Athlon processor.

To load OpenOffice with linux emulation I went to
http://www.xs4all.nl/~hanb/documents/openoffice_on_openbsd.html
Running OpenOffice on OpenBSD

First, edit /etc/fstab and add: /proc /proc procfs rw,linux 0 0
 I did that and everything was fine.

Next step:  Then create /proc and mount it: mkdir /proc
   mount /proc

I got the directory made all right, in /. Was I supposed to create it in /etc?

Mount /proc gave me the following error:

fstab: /etc/fstab: Inappropriate file type or format
(line repeats once)

/proc is now full of numbers in mostly 5 character groups with
cpuinfo,curproc,meminfo, and self on the right hand side of the numbers.  It
looks like a table.

I would cut and paste but I do not have mail set up yet.  I am a newbie so
every step is hard and I wanted OpenOffice first.

Working on the assumption that mount /proc worked, even with the error
message, I continue on.

I get all done and have it installed in /opt/openoffice.org2.1

Where do I go to start it and how do I get it into applications on the K Menu?

I don't have a Start OpenOffice.org icon or anything.

Please and thank you.



Re: isakmpd gateway-to-gateway VPN woes...

2007-03-22 Thread Dag Richards

Do your firewalls forward ip 4?

sysctl net.inet.ip.forwarding=1



Re: Saving memory on small machines

2007-03-22 Thread Douglas Allan Tutty
On Thu, Mar 22, 2007 at 04:42:57PM -0500, David Terrell wrote:
 On Thu, Mar 22, 2007 at 01:29:33PM -0700, Ted Unangst wrote:
  On 3/22/07, Douglas Allan Tutty [EMAIL PROTECTED] wrote:
  Or is it that strip -s removes all symbols and it was only intended to
  remove the debug symbols.  The libs won't work?
  
  yes, libs without symbols aren't especially useful for future development.
 
 Also, stripping static libs has ZERO impact on your installed 
 system, it only affects things you compile from source on that
 box.  (and, as you mention -- negatively).

So the laugh was that the poor fellow has hosed his machine and won't
know it until the next time he has to compile a patch?

Sort of like /bin/rm -rf / instead of rm -f /bin/laden?

Doug.



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Todd Alan Smith

On 3/22/07, Bob Beck [EMAIL PROTECTED] wrote:
snip

from a vegetarian at that.


The fallacy that is this clause undermines your broader argument.
Promise yourself not to spread such falsity again, and you will be
well served.

-Todd



CARP flip flop problems

2007-03-22 Thread Nigel Roberts
Hi,

We're running carp on two Openbsd 4.0 routers on vlan interfaces and
we're observing a state change from backup to master to backup on the
host that should stay as the backup. This happens periodically and
adjusting the advbase and advskew seems to have no effect apart from
adjusting the periodicity of the state change.

Here's what a tcpdump looks like:

17:26:35.892363 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:36.902391 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:37.248384 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=2 advskew=100 demote=0 (DF) [tos 0x60]
17:26:37.248387 0:0:5e:0:1:2 33:33:0:0:0:12 86dd 90: fe80::211:43ff:fecd:3cbe  
ff02::12: ip-proto-112 36 [class 0x60]
17:26:37.912426 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:38.922447 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:39.932482 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:40.942505 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:41.952534 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:42.962565 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:43.972590 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:44.318530 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=2 advskew=100 demote=0 (DF) [tos 0x60]
17:26:44.318534 0:0:5e:0:1:2 33:33:0:0:0:12 86dd 90: fe80::211:43ff:fecd:3cbe  
ff02::12: ip-proto-112 36 [class 0x60]
17:26:44.982625 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:45.992650 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:47.002679 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:48.012707 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 
advbase=1 advskew=0 demote=0 (DF) [tos 0x10]

You can see when the state change happens. The backup host advertises
with advskew of 100, advbase of 2 and promptly decides it's the master
until the next advertisement arrives from the machine that really
should be the master. The backup also issues a CARP IPv6 announcement,
which is strange because we don't have IPv6 configured.

It's also random, i.e. after a reboot of either of the routers it might
work fine, but one of the other carp instances might start misbehaving
in the same way (we have 3 configured altogether). When carp is
working fine, there are no IPv6 announcements. pf is explicitly set to
allow carp on the interfaces concerned.

Has anyone else seen this before? It's times like this I wish CARP was
actually documented in some sort of RFC type fashion :)

Regards,
Nigel



zaurus bootstrapping

2007-03-22 Thread Nick !

So I picked up my shiny 6gig zaurus from the post office today (glee!)
and I'm preparing to blow away the terribly primitive UI that comes
with it and make it an awesome OpenBSD-in-my-pocket; but I have a few
questions. This isn't entirely on-topic, but google hasn't helped.
Please, feel free to direct me elsewhere.

-I've discovered that the power button is really a standby button,
like on Palms. However, I did `shutdown -h now` from the shell and
afterwards it wouldn't turn back on. In order to make it come back I
had to take off the battery cover, press the reset button, take out
the battery, and put everything back. Is it like this under OpenBSD
too? Is taking out the battery really a necessary step (it wouldn't
turn on until after I did that, but perhaps it was actually just that
the battery lock switch was 'open' that it was rejecting)?

-I don't have a CF Wifi card yet, so I'll be installing from the
harddrive. However, I want to blow away the partition table and set it
up nicely. I'm not sure if this is logistically possible. What have
other people done? I thought, perhaps I could put the install sets on
an SD card but does the ramdisk kernel have support for that compiled
in?

-How do you people with zaurii trade data from them with other
computers? Purely over the network? With SD cards? USB hubs +
thumbdrives?

Thanks in advance,
~Nick (so excited)



HP SA P400/P800 ciss support and caveats

2007-03-22 Thread Boris Golberg
Hello guys,

  We are looking to buy an HP ProLiant DL320s server with about 5-8
terabytes of storage and a Smart Array P400 or P800 for backup purposes.
According to www.openbsd.org/cgi-bin/man.cgi?query=ciss&arch=i386&sektion=4
it should be supported in -current, but "the current code only supports one
logical volume per controller". This scared me because according to the
FAQ there is a 1T limit on the size of the physical disk, but I need to
utilize much more.

  What does "logical volume" mean here - RAID set or LUN?

  In other words, is there any way to use that storage with OBSD?

-- 
Best regards,
 Boris  mailto:[EMAIL PROTECTED]



Re: zaurus bootstrapping

2007-03-22 Thread Theo de Raadt
 -I've discovered that the power button is really a standby button,
 like on Palms. However, I did `shutdown -h now` from the shell and
 afterwards it wouldn't turn back on. In order to make it come back I
 had to take off the battery cover, press the reset button, take out
 the battery, and put everything back. Is it like this under OpenBSD
 too?

Not exactly.  But you will find you take the battery out once in a
while for problems just like this.  It is a problem with all
soft-power-button devices, I suppose.

 Is taking out the battery really a necessary step (it wouldn't
 turn on until after I did that, but perhaps it was actually just that
 the battery lock switch was 'open' that it was rejecting)?

That switch must be closed for it to power on.

 -I don't have a CF Wifi card yet, so I'll be installing from the
 harddrive. However, I want to blow away the partition table and set it
 up nicely. I'm not sure if this is logistically possible. What have
 other people done? I thought, perhaps I could put the install sets on
 an SD card but does the ramdisk kernel have support for that compiled
 in?

A wide variety of USB peripherals are supported, but you will need the
additionally-purchased host USB cable and potentially a powered hub,
since the zaurus does not supply a lot of power on the USB port.  As
well, in recent code it is also possible to use cdcef -- using the
slave USB cable that is included another machine will see it is as a
network device.

The SD support is brand new, post-4.1 code, and still has issues.  I
would be cautious with that.

 -How do you people with zaurii trade data from them with other
 computers? Purely over the network? With SD cards? USB hubs +
 thumbdrives?

We sync our repositories and commit over wireless we find in the bars
where we drink, of course.



Re: zaurus bootstrapping

2007-03-22 Thread Chris Kuethe

On 3/22/07, Nick ! [EMAIL PROTECTED] wrote:

-I've discovered that the power button is really a standby button,
like on Palms. However, I did `shutdown -h now` from the shell and
afterwards it wouldn't turn back on. In order to make it come back I
had to take off the battery cover, press the reset button, take out
the battery, and put everything back. Is it like this under OpenBSD
too? Is taking out the battery really a necessary step (it wouldn't
turn on until after I did that, but perhaps it was actually just that
the battery lock switch was 'open' that it was rejecting)?


man zkbd
http://www.openbsd.org/cgi-bin/man.cgi?query=zkbd&arch=zaurus


-I don't have a CF Wifi card yet, so I'll be installing from the
harddrive. However, I want to blow away the partition table and set it
up nicely. I'm not sure if this is logistically possible. What have
other people done? I thought, perhaps I could put the install sets on
an SD card but does the ramdisk kernel have support for that compiled
in?


you can install from an ms-dos formatted CF card. read the
INSTALL.zaurus file. carefully. several times. carefully. several
times.

think long and hard before you trash the partition table. hint: you
don't want to use the whole disk for openbsd.


-How do you people with zaurii trade data from them with other
computers? Purely over the network? With SD cards? USB hubs +
thumbdrives?


ethernet or wi-fi.
CF cards.
usb sticks.
you could probably use the usb-client ethernet emulation (man cdce cdcef)
sd cards are close, but not quite there yet

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: zaurus bootstrapping

2007-03-22 Thread Nick !

On 3/22/07, Chris Kuethe [EMAIL PROTECTED] wrote:


man zkbd
http://www.openbsd.org/cgi-bin/man.cgi?query=zkbd&arch=zaurus



Thanks for the tip, but that only talks about when the zaurus is on.
I'd turned it completely off. I'm hoping it was just a fluke though.


 -I don't have a CF Wifi card yet[...]

you can install from an ms-dos formatted CF card.


Don't have one. But I suppose I'll be hitting the stores soon for some
sort of supplies to do this.


read the
INSTALL.zaurus file. carefully. several times. carefully. several
times.


:)


think long and hard before you trash the partition table. hint: you
don't want to use the whole disk for openbsd.


I don't? I mean, I know to save the first few sectors for the
partition table, but isn't the rest fair game?



 -How do you people with zaurii trade data from them with other
 computers? Purely over the network? With SD cards? USB hubs +
 thumbdrives?

ethernet or wi-fi.


With a USB ethernet card?


CF cards.
usb sticks.
you could probably use the usb-client ethernet emulation (man cdce cdcef)


The one you need the special driver on Windows for?


sd cards are close, but not quite there yet



Thank you and Theo for your quick replies.

-Nick



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Shane J Pearson

On 23/03/2007, at 3:19 AM, Lars D. Noodin wrote:


Symantec makes its living selling paper bailing cups in a leaky boat.


;-)


The media actively participates in obfuscating the issues, the
causes and
the solutions by publicizing such crap from Symantec and MS.


Yes. Symantec make their money from a long-term open wound. Symantec
then provides creative research that makes that open wound look
best. Talk about a conflict of interest.

Symantec have been trying to demonise OS X for a long while.


Shane J Pearson
shanejp netspace net au



Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Theo de Raadt
 Symantec have been trying to demonise OS X for a long while.

And it is going to work soon.

Because OS X has no Propolice-like compiler stack protection, nor
anything like W^X which makes parts of the address space
non-executable, nor anything like address space randomization which
makes certain attacks very difficult, especially with the previous two
techniques.

So when they have a bug, it is exploitable just like bugs are on any
other powerpc or i386 machine running some other operating system.

These days even operating systems like Vista have the above 3 security
technologies.

But can we get back to OpenBSD discussions?



OpenBSD webserver partitioning schemes

2007-03-22 Thread Bray Mailloux
I'm not too knowledgeable in the security arena so this question may 
prompt flogging.


My server has three hard drives, one contains the OpenBSD system and the 
other two are blank and will be a raid mirror of the /var/www directory. 
Is it wise to give over the entire drive for the mount point /var/www or 
should I not be assigning mount points to entire drives?




Re: Microsoft gets the Most Secure Operating Systems award

2007-03-22 Thread Open Phugu

On 3/22/07, Marc Espie [EMAIL PROTECTED] wrote:

On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
 Their challenge is that they need to provide choice so they
 have what they call reasonable defaults.

No, they don't need to provide choice. At least not that many. They decide
to do so.  That's most of what's wrong with OS stuff these days. Too
many choices.  Too many knobs. Every day, I see people shoot themselves in
the foot, not managing to administer boxes and networks in a simple way,
making stupid decisions that don't serve any purpose.

ACL, enforced security policies, reverse proxy setups, user accounts,
network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs...
so many choices. So many wrong choices.

At some point, the people who package the software need to make editorial
decisions. Remove knobs. Provide people with stuff that just works.
Remove options. Or definitely give them the means to do the trade-off
correctly.

Security comes from this. As Bruce Schneier and Niels Ferguson write
in ``Practical Cryptography'', on page 12,
``There are no complex systems that are secure.
Complexity is the worst enemy of security, and it almost always comes
in the form of features or options.''

We try not to be as bad, to provide default configs that work, and not
so many choices.

Again, from the same book,
``One of the things we have tried to do in this book is to define
simple interfaces for cryptographic primitives. No features, no
options, no special cases, no extra things to remember.''

The fact that an OpenBSD system is secure out of the box is the main
reason I started using it.



Request for links to BSD administration docs

2007-03-22 Thread Douglas Allan Tutty
Hello,

I'm considering moving my 486 from Debian to OpenBSD.  I haven't the
money to spend on a new e.g. UNIX System Administration.  4.4 BSD System
Manager's Manual is out of print.  I haven't been able to google
anything freely available on the internet.  My local library has had
their only UNIX book stolen (not by me).

Since BSD came from a university, did they ever publish under the BSD
licence a SMM, and if so is it available free anywhere?  Is there a BSD
repository of free documents similar to IBM's for AIX?

I've got the basic Linux CLI admin skills.  What I'm looking for is
indoctrination into the BSD way of doing things and the wisdom behind
it.  I'm looking for a bit of the historical culture; the wisdom of ages
past.

As a simple example.  I'm used to Debian where updates can happen
without disturbing users (clones of myself mostly).  On a new fast box,
one can build a patch in a short time, but then the system has to be
brought down, install the patch, then bring it back up.  In years past,
how did a sysadmin with one VAX handle that?  Take the computer off line
at 1700, do the build, install, and hope to have everything back up by
0800?  

I figure that if I get an old BSD book and combine it with the
OpenBSD FAQ plus man pages, I'll be off to a good start.

I'm not, as someone here referred to themselves as, an old fart.  I'm
not _that_ old (40), but I don't want a book that starts off "Click
on ...".  I wouldn't mind one that starts "Turn on your terminal and hit
enter."

Thanks,

Doug.



List your properties for rent or sale for free

2007-03-22 Thread support
Window to the world for waterfront real estate

Advertise free of charge your property for sale or rent

FRENCH VERSION BELOW

Owner of a waterfront property for rent or sale ?
Did you know that there is now a specialized site to sell or rent
properties on a waterfront site.

Targeting only people that want to rent or buy property on a waterfront
site.

Find what you want fast Only one operation and you are certain to find a
property on a waterfront site, and nothing else.

Only one site offers you this unique opportunity www.waterfrontsite.com

If you list your property before June, 30th 2007, you will enjoy a free
promotional offer

Make the most of the opportunity!

The Waterfront Site team

Thank you for your interest and... We wish you success!

If you don't want to receive these e-mails anymore please click here

The worldwide window for waterfront real estate

Advertise your waterfront properties for sale or rent free of charge,
in the best place.

Do you own a waterfront property for sale or rent?

List as many properties as you like free of charge before June 30,
2007.

Did you know that there is now a site specialising in selling or
renting waterfront properties?

Indeed, only people who want to rent or buy a waterfront property.

A very fast search... A single operation and you are certain to find a
waterfront property, and nothing else.

Visit www.vuesurleau.com and sign up now by clicking the [Vendre ou
inscrire en location] button on the home page. Take advantage of it...
This offer is valid until June 30, 2007 only.

Thank you for your interest and... happy dealing!

If you wish to unsubscribe from our promotional mailings, please click
here



Re: Request for links to BSD administration docs

2007-03-22 Thread Greg Thomas

On 3/22/07, Douglas Allan Tutty [EMAIL PROTECTED] wrote:



I figure that if I get an old BSD book and combine it with the
OpenBSD FAQ plus man pages, I'll be off to a good start.


If you know your way around Linux just start with the FAQ and
manpages.  That's what I started with and the FAQ is even better now
than when I started.

You can supplement with the books at the top of this page:

http://openbsd.org/books.html

when you feel like delving deeper.

Greg



Re: Request for links to BSD administration docs

2007-03-22 Thread Darrin Chandler
On Thu, Mar 22, 2007 at 11:30:06PM -0400, Douglas Allan Tutty wrote:
 Hello,
 
 I'm considering moving my 486 from Debian to OpenBSD.  I haven't the
 money to spend on a new e.g. UNIX System Administration.  4.4 BSD System
 Manager's Manual is out of print.  I haven't been able to google
 anything freely available on the internet.  My local library has had
 their only UNIX book stolen (not by me).
 
 Since BSD came from a university, did they ever publish under the BSD
 licence a SMM, and if so is it available free anywhere?  Is there a BSD
 repository of free documents similar to IBM's for AIX?
 
 I've got the basic Linux CLI admin skills.  What I'm looking for is
 indoctrination into the BSD way of doing things and the wisdom behind
 it.  I'm looking for a bit of the historical culture; the wisdom of ages
 past.
 
 As a simple example.  I'm used to Debian where updates can happen
 without disturbing users (clones of myself mostly).  On a new fast box,
 one can build a patch in a short time, but then the system has to be
 brought down, install the patch, then bring it back up.  In years past,
 how did a sysadmin with one VAX handle that?  Take the computer off line
 at 1700, do the build, install, and hope to have everything back up by
 0800?  
 
 I figure that if I get an old BSD book and combine it with the
 OpenBSD FAQ plus man pages, I'll be off to a good start.

Since you've already found the FAQ, you've got a good start. Add the
"Books that help" page. If you don't have much money to spend, look for
them used. I've got both Building Firewalls with OpenBSD and PF by
Jacek Artymiak, and Secure Architectures with OpenBSD by Palmer and
Nazario. Both are good, both walk you through quite a bit from
installing to typical administration, and a bit of history thrown in.
Though I knew most of what was in both books, I learned more than a few
things I'm glad to know.

As for your simple example above, I've seen more than once someone
talk about bringing a box down for extended periods to update. I just
don't get that. It's easy enough to update sources or apply the patch
and rebuild while the system is up. Sure, it can add a lot of load, but
OpenBSD is fairly stable under load in terms of still serving web pages,
or doing mail, etc. Then the only total downtime is during reboot if
you've updated the kernel, or restart time on daemons if you've only
updated userland.

Last, but not least, check for a user group in your area! Also check out
http://metabug.org/, where you can get streaming and recorded
presentations (one coming in a week).

-- 
Darrin Chandler   |  Phoenix BSD Users Group
[EMAIL PROTECTED]  |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/darrin/  |



Re: zaurus bootstrapping

2007-03-22 Thread Nick !

On 3/22/07, Theo de Raadt [EMAIL PROTECTED] wrote:

  -How do you people with zaurii trade data from them with other
  computers? Purely over the network? With SD cards? USB hubs +
  thumbdrives?

 We sync our repositories and commit over wireless we find in the bars
 where we drink, of course.

Good to know.

Another semi-offtopic question: I assume the IR port works via com(4)
like on my laptop, and so I could transfer data to and from my laptop,
but what about IrDA? There's mention of some birda package from
2002 in the archives.

Is there any way to control the backlight? I don't see in the manpages
any reference to it, but maybe I'm looking in the wrong places.

What's the upgrading procedure? Is it something like: put bsd.rd on
the / filesystem somewhere and the filesets somewhere (else), reboot,
at boot type the path to the upgrade kernel?

-Nick



Re: IPsec gone asymmetric

2007-03-22 Thread RW
On Thu, 22 Mar 2007 05:30:45 -0600, Jacob Yocom-Piatt wrote:

 RW wrote:
  I have a simple setup.
  Sydney to Melbourne and the ipsec.conf is one of the nice easy ones
  whilst I learn to do more complex setups. It has been working for
  months.

  Today doing ipsecctl -s all at either end generates the expected
  output. Each is a mirror of the other.

  netstat -rnf encap shows expected output at both ends. Again mirrors of
  the other.

  However sshing into each and doing a traceroute to t'other end gives
  madly asymmetric results.

  With the distant gateway as the target Syd gets to Mel in one hop, as
  expected.
  Mel gets to Syd going out the $ext_if rather than the encap. As the
  LANs are RFC1918s Mel cannot get to Syd but Syd can get to Mel.

 i wouldn't expect you to have a route not set on the isakmpd endpoints,
 but i have a "route add <remote net> <internal private IP>" in the
 hostname.if files for the internal interfaces on both endpoints. that's
 the only thing i can think of that would work for a while (manually
 added routes) and then stop working after, say, a reboot of one endpoint.

No, not the problem here. It works without any extra route lines, but
read the update at the bottom of the quoted stuff.

 cheers,
 jake

  Killing (desperation set in) isakmpd and restarting both ends did
  nothing to change the situation.

  What kind of diagnostics can I use to debug this? Extra points for a
  correct guess as to the cause all this time after installation.

  Thanks,
OK, a night's sleep led to an early morning Eureka moment.

I should have said "What changed?" and I did. The mistake that dummy me
made was not to consider a change made ages ago. That change did not
break ipsec for the clients but did for the firewall endpoint at one
end.

For the benefit of others here is the detail:

Originally Mel (bourne) was on an ADSL connection running half-bridge
so the OpenBSD firewall had the WAN IP on $ext_if and the first
(usable) of a /29 on the server LAN NIC.

Due to problems with the modem we swapped it out for one that does not
do half-bridge.

So I gave $ext_if a 192.168 addr to mate with the one on the modem. I
then did all the NAT stuff based on $svrlan_if, e.g.

nat on $ext_if from $fwext to any -> $svr_if
nat on $ext_if from $lan_ip to any -> $svr_if

where fwext is the IP on $ext_if and lan_ip is the /24 for the LAN
users.
So all outbound packets look like they come from the svr_lan nic.
That works sweetly and I have a similar setup at home. Neither of those
has the /30 that would be preferred to make everything work but that's
IP scarcity for you.

So ipsec works just fine for everything on Mel and its mate, Syd.
Except for packets I generated at Mel using ssh login. Until I woke up
and used the -I flag in ping and the -s flag in traceroute to source
the packets from the svrlan_if address, that is.

I don't know what, if anything, can be done to ensure that packets
generated in the firewall Mel can be forced to use the tunnel when the
destination is Syd, but it isn't a showstopper (fingers crossed!)

So, there was a change ages ago and I had never after it, until now,
tried to ping up the tunnel from the firewall so I didn't know that it
was kinda broken, and if anybody knows how to unbreak it I'll be
pleased, just in case.

Thanks Jacob for your reply.

Rod/

From the land down under: Australia.
Do we look umop apisdn from up over?
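Rod's diagnosis above, as an added model rather than anything posted in the thread: the outbound flow (SPD) lookup sees the packet's original source address, so a probe the firewall sources from its $ext_if address matches no flow written for the server LAN or the user LAN and leaves $ext_if in the clear, while one sourced with ping -I / traceroute -s from the $svrlan_if address is tunnelled. All addresses, networks and flows are constructed stand-ins; that the flow lookup happens before NAT rewrites the source is an assumption that fits the behaviour Rod observed.

```python
"""Added model of the IPsec asymmetry Rod describes; not code from the thread.

Assumption: the outbound flow (SPD) lookup sees the packet's original source
address before NAT rewrites it.  All addresses, networks and flows below
are constructed stand-ins for the Melbourne/Sydney setup.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple

EXT_IF = "192.168.1.2"       # $fwext: RFC1918 address now on $ext_if
SVRLAN_IF = "203.0.113.9"    # $svrlan_if: first usable address of the /29
SVRLAN = IPv4Network("203.0.113.8/29")
LAN = IPv4Network("10.10.0.0/24")        # $lan_ip: the users' /24
SYD_LAN = IPv4Network("10.20.0.0/24")    # RFC1918 LAN behind Syd

# Flows as ipsec.conf expresses them (mirrored at the Syd end):
# packets from these local networks to the Syd LAN are tunnelled.
FLOWS = [(SVRLAN, SYD_LAN), (LAN, SYD_LAN)]

# nat on $ext_if from $fwext to any -> $svr_if
# nat on $ext_if from $lan_ip to any -> $svr_if
NAT_SOURCES = [IPv4Network(EXT_IF + "/32"), LAN]


def spd_lookup(src: str, dst: str) -> Optional[Tuple[IPv4Network, IPv4Network]]:
    """Return the first flow whose networks contain src and dst, else None."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for flow in FLOWS:
        if s in flow[0] and d in flow[1]:
            return flow
    return None


def outbound(src: str, dst: str) -> Dict[str, str]:
    """Decide how Mel handles a packet it emits: encap, or clear via $ext_if.

    The flow lookup runs on the original source; only when no flow matches
    does the packet leave $ext_if in the clear, with NAT applied.
    """
    if spd_lookup(src, dst) is not None:
        return {"path": "encap", "src": src}
    s = IPv4Address(src)
    nat_src = SVRLAN_IF if any(s in net for net in NAT_SOURCES) else src
    return {"path": "ext_if", "src": nat_src}


def main() -> None:
    syd_host = "10.20.0.1"
    # A plain ping/traceroute from the firewall defaults to the $ext_if
    # address as source: no flow matches, so it goes out in the clear.
    print("default source:", outbound(EXT_IF, syd_host))
    # ping -I $svrlan_if / traceroute -s $svrlan_if: the flow matches.
    print("forced source: ", outbound(SVRLAN_IF, syd_host))


if __name__ == "__main__":
    main()
```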



Re: Request for links to BSD administration docs

2007-03-22 Thread Douglas Allan Tutty
On Thu, Mar 22, 2007 at 09:00:01PM -0700, Darrin Chandler wrote:
 On Thu, Mar 22, 2007 at 11:30:06PM -0400, Douglas Allan Tutty wrote:
  
  I'm considering moving my 486 from Debian to OpenBSD.  I haven't the
  money to spend on a new e.g. UNIX System Administration.  4.4 BSD System
  Manager's Manual is out of print.  I haven't been able to google
  anything freely available on the internet.  My local library has had
  their only UNIX book stolen (not by me).
  
  I figure that if I get an old BSD book and combine it with the
  OpenBSD FAQ plus man pages, I'll be off to a good start.
 
 
 As for your simple example above, I've seen more than once someone
 talk about bringing a box down for extended periods to update. I just
 don't get that. It's easy enough to update sources or apply the patch
 and rebuild while the system is up. Sure, it can add a lot of load, but
 OpenBSD is fairly stable under load in terms of still serving web pages,
 or doing mail, etc. Then the only total downtime is during reboot if
 you've updated the kernel, or restart time on daemons if you've only
 updated userland.

Sounds similar to debian which also has to reboot a new kernel.  Do you
run the rebuild niced?

However, is it correct that when a new release comes out every six
months, you have to reboot into that?  How long does an upgrade from one
release to the next take? 

Thanks for your suggestions re used books.  I'll try some of Kingston's
used book stores and see what I can get at the Queen's book store.

Doug.



Re: zaurus bootstrapping

2007-03-22 Thread Kyle George

On Thu, 22 Mar 2007, Nick ! wrote:

 On 3/22/07, Chris Kuethe [EMAIL PROTECTED] wrote:

  think long and hard before you trash the partition table. hint: you
  don't want to use the whole disk for openbsd.

 I don't? I mean, I know to save the first few sectors for the
 partition table, but isn't the rest fair game?

I don't have one of these, but I believe he was talking about the question
the install script asks.  In other words, say "no" to "use the whole disk
for OpenBSD" (unless you're confident you don't need to use what comes on
it right out of the box ever again).  Read INSTALL.zaurus.


--
Kyle George



Re: Request for links to BSD administration docs

2007-03-22 Thread Marco Peereboom
 However, is it correct that when a new release comes out every six
 months, you have to reboot into that?  How long does an upgrade from one
 release to the next take? 

Minutes on a fast machine.  I have seen an HPPA B180 take like 25 minutes
but that is the exception and not the norm.

 
 Thanks for your suggestions re used books.  I'll try some of Kingston's
 used book stores and see what I can get at the Queen's book store.

The OpenBSD man pages are outstanding.  Start with the FAQ and then move
on to the man pages and life will be good.



Re: Request for links to BSD administration docs

2007-03-22 Thread Darrin Chandler
On Fri, Mar 23, 2007 at 12:40:48AM -0400, Douglas Allan Tutty wrote:
 Sounds similar to debian which also has to reboot a new kernel.  Do you
 run the rebuild niced?

I don't. I want it to be done as soon as possible.

 However, is it correct that when a new release comes out every six
 months, you have to reboot into that?  How long does an upgrade from one
 release to the next take? 

Yes, you must reboot and perform the upgrade. If you read the upgrade
guide and get your ducks in a row you can be all done *easily* in 30
minutes. If there were some kind of contest with cash prizes it could
probably be done much quicker. However, it's much more important to get
the steps right than to do it quickly, IMHO.

 Thanks for your suggestions re used books.  I'll try some of Kingston's
 used book stores and see what I can get at the Queen's book store.

Not to take away from that, but if you're interested in learning BSD
history you can pick up some interesting bits around the net. The
Wikipedia pages on this aren't as bad as they could be.

http://en.wikipedia.org/wiki/OpenBSD
http://en.wikipedia.org/wiki/Berkeley_Software_Distribution

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: zaurus bootstrapping

2007-03-22 Thread Nick !

On 3/23/07, Kyle George [EMAIL PROTECTED] wrote:

 On Thu, 22 Mar 2007, Nick ! wrote:

  On 3/22/07, Chris Kuethe [EMAIL PROTECTED] wrote:

   think long and hard before you trash the partition table. hint: you
   don't want to use the whole disk for openbsd.

  I don't? I mean, I know to save the first few sectors for the
  partition table, but isn't the rest fair game?

 I don't have one of these, but I believe he was talking about the question
 the install script asks.  In other words, say "no" to "use the whole disk
 for OpenBSD" (unless you're confident you don't need to use what comes on
 it right out of the box ever again).  Read INSTALL.zaurus.


Yeah, I got that that's what he meant. In fact I've never used that
option, I've always partitioned all my installs by hand. But I am sure
I don't want any of the linux left over, it's a bunch of stupid and
the crud Qtopia interface is full of brokenness. I'm worried that I do
need to keep some of the linux though, for failsafe purposes or
something.

Actually, how does the zaurus boot? Is it an MBR @ sector 0 + second
stage bootloader or something else? INSTALL.zaurus says "by
effectively converting Linux into a bootloader" but is this only for
the install or is it forever? It also says that hdd[12] are converted
from ext3 to ext2, so that implies that those two partitions are saved
by the default install, but is this *necessary* or just *convenient*
(in case you had files on those partitions)?

-Nick



Re: zaurus bootstrapping

2007-03-22 Thread Chris Kuethe

On 3/22/07, Kyle George [EMAIL PROTECTED] wrote:

 On Thu, 22 Mar 2007, Nick ! wrote:

  On 3/22/07, Chris Kuethe [EMAIL PROTECTED] wrote:

   think long and hard before you trash the partition table. hint: you
   don't want to use the whole disk for openbsd.

  I don't? I mean, I know to save the first few sectors for the
  partition table, but isn't the rest fair game?

 I don't have one of these, but I believe he was talking about the question
 the install script asks.  In other words, say "no" to "use the whole disk
 for OpenBSD" (unless you're confident you don't need to use what comes on
 it right out of the box ever again).  Read INSTALL.zaurus.


Trust me, you really do need to carefully read INSTALL.zaurus, and you
really don't want to use the whole disk for openbsd - that'll set you
up for a world of hurt. The linux environment that ships with the
zaurus is quite brittle and depends on some of the stuff on the disk.

A lot of work went into writing the INSTALL file, if you read it
carefully before trying anything you should save yourself a bunch of
aggravation.

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: zaurus bootstrapping

2007-03-22 Thread Theo de Raadt
 Trust me, you really do need to carefully read INSTALL.zaurus, and you
 really don't want to use the whole disk for openbsd - that'll set you
 up for a world of hurt. The linux environment that ships with the
 zaurus is quite brittle and depends on some of the stuff on the disk.

I really don't agree.  That was mostly in the past.  These days I
always install a zaurus without any Linux on the drive.  That linux
stuff is not necessary anymore.



Re: zaurus bootstrapping

2007-03-22 Thread Nick !

On 3/23/07, Theo de Raadt [EMAIL PROTECTED] wrote:

  Trust me, you really do need to carefully read INSTALL.zaurus, and you
  really don't want to use the whole disk for openbsd - that'll set you
  up for a world of hurt. The linux environment that ships with the
  zaurus is quite brittle and depends on some of the stuff on the disk.

 I really don't agree.  That was mostly in the past.  These days I
 always install a zaurus without any Linux on the drive.  That linux
 stuff is not necessary anymore.


Oh excellent! So then I install it just like an i386?

It would be helpful to add a mention of this to INSTALL.zaurus: "if
you don't want to have linux, you can just ..."

This amuses me:
"In these cases below we avoid using vi because Linux quality is of
such high caliber that vi locks up the console."

-Nick



named stopped with error

2007-03-22 Thread RW
On a firewall that is not mine but where the admins run to me for help
8-) somebody noticed that name resolution was not working.
rc.conf.local says:
named_flags=""
named.conf is the default (caching with recursion only for local
clients).
uname says:
OpenBSD fw.example.com.au 3.9 GENERIC#617 i386
/var/log/daemon says:
Mar 23 00:13:03 fw named[13888]: /usr/src/usr.sbin/bind/lib/isc/mem.c:628: INSIST(((unsigned char *)mem)[size] == 0xbe) failed
Mar 23 00:13:03 fw named[13888]: exiting (due to assertion failure)

It started up manually and ran as it has for the past (nearly) year, so
it looks like a one-off but I'd love to hear of possible causes.

Thanks,
Rod/

From the land down under: Australia.
Do we look umop apisdn from up over?



Installing Skype

2007-03-22 Thread Rafael Morales
I have OpenBSD 4.0 on an HP laptop and I need to
install Skype because it is for communication in my
job, and I have the freedom to install my lovely
OpenBSD.
This is what I have done:

1. I installed the redhat_base-8.0p8.tgz for the
emulation.
2. Downloaded the skype-0_90_0_1.rpm and installed it
with /emul/linux/bin/rpm; all seemed good.
3. If I try to run it, I just see an error message
looking for the lib file libXss.so.1.

If someone has installed Skype, could you help me
please?

Regards



openbsd acpi help

2007-03-22 Thread Jay Jesus Amorin

good day!

can anyone here help me on how i can enable acpi on my laptop?

my laptop is running openbsd 4.1-current.

thanks for your help


long live openbsd.


--jay--



Re: openbsd acpi help

2007-03-22 Thread Sam Fourman Jr.

at the boot prompt type "boot -c"

then type "enable acpi" then type "quit"


Sam Fourman Jr.

On 3/22/07, Jay Jesus Amorin [EMAIL PROTECTED] wrote:

 good day!

 can anyone here help me on how i can enable acpi on my laptop?

 my laptop is running openbsd 4.1-current.

 thanks for your help

 long live openbsd.

 --jay--