Re: Is OpenBSD good/best for my 486?
In message http://marc.info/?l=openbsd-misc&m=117452881511952&w=1, Douglas Allan Tutty dtutty () porchlight ! ca asked

> I've got a 486DX4-100 with 32 MB ram, ISA bus, with two drives: 840 MB and 1280 MB IDE. Currently running Debian GNU/Linux Sarge. Box has two uses: under normal circumstance, as a thin client to my athlon box elsewhere in the house. As a toolbox in case anything goes wrong with my new athlon, I still can dial out to the net for help and downloads.
> [[...]]
> Is there any reason that OpenBSD wouldn't be my best choice for this box?

OpenBSD would be fine for this -- I use a very similar system (1995-vintage 486DX4-75 laptop with 32MB memory) as a home firewall. It has 2 PCMCIA ISA-bus NICs, both ultra-cheap ne2000 clones (the latest one bought a couple of months ago for 3 Euros (around US$4) on Ebay). One NIC talks to the DSL, the other to my home network. The system has a new-in-2001 10GB disk, with loads of free space; you should have no problem fitting a full OpenBSD install into either one of your disks.

My firewall's main limitation is the poor performance of the ultra-cheap ISA-bus NICs. Right now it's limited to around 150-200K bytes/second http/scp downloads even though my DSL will do 2-3 times that (checked by hooking faster systems directly to the DSL). I suspect that better NICs would help, but I'm moving in a few months so I haven't bothered.

My only worry in the past has been how to install patches quickly, since rebuilding from source is a bit slow (I typed 'make build' 2 days ago, and it's still running...). I like Nick Holland's suggestion http://marc.info/?l=openbsd-misc&m=117453369215436&w=1 of running -current, and may try it on my firewall.

ciao,
--
-- Jonathan Thornburg (remove -animal to reply) [EMAIL PROTECTED]
School of Mathematics, U of Southampton, England
Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral. -- quote by Freire / poster by Oxfam
df reports capacity 100%
Our Soekris (4.0-stable) NFS mounts a remote share:

    # df -h /projects
    Filesystem           Size    Used   Avail Capacity  Mounted on
    linsrv01:/projects   410G    2.0T    417G   498%    /projects
    # grep projects /etc/fstab
    linsrv01:/projects /projects nfs rw,auto 0 0

where linsrv01 is a SLES10 NFS server (amd64). Probably /projects has been increased there using LVM/xfs_grow and the nfs mount hasn't been renewed ever since. However, if I do remount the remote NFS share on the Soekris, the Size is not updated.

On linsrv01, df reports:

    Filesystem   Size  Used Avail Use% Mounted on
    /projects    2.4T  2.0T  418G  84% /projects

Not a problem at all, but maybe some developer is interested in understanding this phenomenon or knows what one can do to cleanly update the Size information.

Thanks.

--
Stephan A. Rickauer
---
Institute of Neuroinformatics   Tel +41 44 635 30 50
University / ETH Zurich         Sec +41 44 635 30 52
Winterthurerstrasse 190         Fax +41 44 635 30 53
CH-8057 Zurich                  Web www.ini.unizh.ch
RSA public key: https://www.ini.uzh.ch/~stephan/pubkey.asc
---
Re: Is OpenBSD good/best for my 486?
On 21 March 2007, Travers Buda [EMAIL PROTECTED] wrote: * Douglas Allan Tutty [EMAIL PROTECTED] [2007-03-21 22:37:01]: Hello, I've got a 486DX4-100 with 32 MB ram, ISA bus, with two drives: 840 MB and 1280 MB IDE. Currently running Debian GNU/Linux Sarge. *snip* Is there any reason that OpenBSD wouldn't be my best choice for this box? I've run OpenBSD on a 486DX2 with 20 megs of ram. When you're talking about the 486es, you're going to want a FPU with openbsd. [...] The DX series did have FPU. The SX didn't. Regards, Liviu Daia -- Dr. Liviu Daia http://www.imar.ro/~daia
Re: df reports capacity 100%
On Thu, 22 Mar 2007, Stephan A. Rickauer wrote:

> Our Soekris (4.0-stable) NFS mounts a remote share:
>
>     # df -h /projects
>     Filesystem           Size    Used   Avail Capacity  Mounted on
>     linsrv01:/projects   410G    2.0T    417G   498%    /projects
>     # grep projects /etc/fstab
>     linsrv01:/projects /projects nfs rw,auto 0 0
>
> where linsrv01 is a SLES10 NFS server (amd64). Probably /projects has been increased there using LVM/xfs_grow and the nfs mount hasn't been renewed ever since. However, if I do remount the remote NFS share on the Soekris, the Size is not updated.
>
> On linsrv01, df reports:
>
>     Filesystem   Size  Used Avail Use% Mounted on
>     /projects    2.4T  2.0T  418G  84% /projects
>
> Not a problem at all, but maybe some developer is interested in understanding this phenomenon or knows what one can do to cleanly update the Size information.

This is a known bug and not fixable until we change the statfs structure.

http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=5169

-Otto
Re: df reports capacity 100%
Otto Moerbeek wrote:

> This is a known bug and not fixable until we change the statfs structure.
>
> http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=5169

Awesome. I wish other software had such a high quality of support. Thanks Otto.

--
Stephan A. Rickauer
---
Institute of Neuroinformatics   Tel +41 44 635 30 50
University / ETH Zurich         Sec +41 44 635 30 52
Winterthurerstrasse 190         Fax +41 44 635 30 53
CH-8057 Zurich                  Web www.ini.unizh.ch
RSA public key: https://www.ini.uzh.ch/~stephan/pubkey.asc
---
Saving memory on small machines
I have a machine with 48MB of RAM that I want to use as a server.

The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory and is not swappable, giving me 43MB left, which isn't a lot.

Is it worth recompiling the kernel to remove support for features I'm not using --- IPv6, say, or the Microchannel bus --- on the principle that reducing the size of the kernel will give more memory for doing other things, and therefore generally speed the system up? Or will not using GENERIC cause more problems than it's worth?

And if it is worth recompiling the kernel, can anyone recommend any particularly big features it would be worth taking out?

--
http://www.cowlark.com
Wizards get cranky, / Dark days dawn, / Riders smell manky, / The road goes on. / Omens are lowering, / Elves go West; / The Shire needs scouring, / You may as well quest. - John M. Ford
Re: IPsec gone assymetric
RW wrote:

> I have a simple setup. Sydney to Melbourne and the ipsec.conf is one of the nice easy ones whilst I learn to do more complex setups. It has been working for months.
>
> Today doing ipsecctl -s all at either end generates the expected output. Each is a mirror of the other. netstat -rnf encap shows expected output at both ends. Again mirrors of the other.
>
> However sshing into each and doing a traceroute to t'other end gives madly asymmetric results. With the distant gateway as the target Syd gets to Mel in one hop, as expected. Mel gets to Syd going out the $ext_if rather than the encap. As the LANs are RFC1918s Mel cannot get to Syd but Syd can get to Mel.

i wouldn't expect you to have a route not set on the isakmpd endpoints, but i have a route add remote net internal private IP in the hostname.if files for the internal interfaces on both endpoints. that's the only thing i can think of that would work for a while (manually added routes) and then stop working after, say, a reboot of one endpoint.

cheers,
jake

> Killing (desperation set in) isakmpd and restarting both ends did nothing to change the situation.
>
> What kind of diagnostics can I use to debug this? Extra points for a correct guess as to the cause all this time after installation.
>
> Thanks,
> Rod.
>
> From the land down under: Australia. Do we look umop apisdn from up over?
Re: Saving memory on small machines
> The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory and is not swappable, giving me 43MB left, which isn't a lot.

You can turn off ipv6, altq if not needed, and of course lots of hardware that you don't need also. For example I have a 2 x smaller kernel than GENERIC on my laptop:

    $ uname -a
    OpenBSD squirrel 4.1 BIRKOFF#0 i386
    $ ls -lh /bsd{,.orig}
    -rw-r--r-- 1 root wheel 2.9M Mar 9 00:39 /bsd
    -rw-r--r-- 1 root wheel 5.8M Feb 22 13:32 /bsd.orig

You may also strip nearly all of your libraries, for example:

    # ls -lhS /usr/lib/libcrypto*a
    -r--r--r-- 1 root bin 11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a
    -r--r--r-- 1 root bin 11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a
    -r--r--r-- 1 root bin 11.5M Mar 22 13:53 /usr/lib/libcrypto.a
    # strip -s /usr/lib/libcrypto*a
    # ls -lhS /usr/lib/libcrypto*a
    -r--r--r-- 1 root bin 909K Mar 22 13:53 /usr/lib/libcrypto_pic.a
    -r--r--r-- 1 root bin 865K Mar 22 13:53 /usr/lib/libcrypto_p.a
    -r--r--r-- 1 root bin 835K Mar 22 13:53 /usr/lib/libcrypto.a

looks fine?

Hope this helps.

Kamil Monticolo aka birkoff
Disk Load
Hello,

Maybe it is a stupid question, but since 1 week ago I got my HDD LED always powered on. Is it possible with something like top to see HDD % load or something like that?

Thanks.
Re: Disk Load
Use systat and read the systat(1) manual.

Regards,
Andreas

On 22/03/07, Tang Tse [EMAIL PROTECTED] wrote:

> Hello,
>
> Maybe it is a stupid question, but since 1 week ago I got my HDD LED always powered on. Is it possible with something like top to see HDD % load or something like that?
>
> Thanks.

--
Andreas Kahari
Somewhere in the general Cambridge area, UK
Re: Saving memory on small machines
Kamil Monticolo wrote: The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory and is not swappable, giving me 43MB left, which isn't a lot. You can turn off ipv6, altq if not needed, and of course lots of hardware that you don't need also. For example I have a 2 x smaller kernel that GENERIC on my laptop: $ uname -a OpenBSD squirrel 4.1 BIRKOFF#0 i386 $ ls -lh /bsd{,.orig} -rw-r--r-- 1 root wheel 2.9M Mar 9 00:39 /bsd -rw-r--r-- 1 root wheel 5.8M Feb 22 13:32 /bsd.orig You may also stripe nearly all of your libraries, for example: # ls -lhS /usr/lib/libcrypto*a -r--r--r-- 1 root bin 11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a -r--r--r-- 1 root bin 11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a -r--r--r-- 1 root bin 11.5M Mar 22 13:53 /usr/lib/libcrypto.a # strip -s /usr/lib/libcrypto*a # ls -lhS /usr/lib/libcrypto*a -r--r--r-- 1 root bin 909K Mar 22 13:53 /usr/lib/libcrypto_pic.a -r--r--r-- 1 root bin 865K Mar 22 13:53 /usr/lib/libcrypto_p.a -r--r--r-- 1 root bin 835K Mar 22 13:53 /usr/lib/libcrypto.a looks fine? Hope this helps. Kamil Monticolo aka birkoff Interesting, does this stripping also have a speed increase during usage?
Re: Disk Load
Thanks!! 2007/3/22, Andreas Kahari [EMAIL PROTECTED]: Use systat and read the systat(1) manual. Regards, Andreas On 22/03/07, Tang Tse [EMAIL PROTECTED] wrote: Hello, Maybe it is an stupid question, but since 1 week ago i got my HDD led allways powered on. Is it possible with something like top to see hdd % load o something like? Thanks. -- Andreas Kahari Somewhere in the general Cambridge area, UK
Re: Saving memory on small machines
On Thu, Mar 22, 2007 at 01:47:11PM +0100, RedShift wrote: You may also stripe nearly all of your libraries, for example: # ls -lhS /usr/lib/libcrypto*a -r--r--r-- 1 root bin 11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a -r--r--r-- 1 root bin 11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a -r--r--r-- 1 root bin 11.5M Mar 22 13:53 /usr/lib/libcrypto.a # strip -s /usr/lib/libcrypto*a # ls -lhS /usr/lib/libcrypto*a -r--r--r-- 1 root bin 909K Mar 22 13:53 /usr/lib/libcrypto_pic.a -r--r--r-- 1 root bin 865K Mar 22 13:53 /usr/lib/libcrypto_p.a -r--r--r-- 1 root bin 835K Mar 22 13:53 /usr/lib/libcrypto.a Interesting, does this stripping also have a speed increase during usage? No. Stripping only saves disk space. Debugging symbols are not loaded into RAM unless you run gdb. -- stefan http://stsp.in-berlin.de PGP Key: 0xF59D25F0
Re: Saving memory on small machines
On 2007/03/22 13:54, Kamil Monticolo wrote: The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory and is not swappable, giving me 43MB left, which isn't a lot. If you're going to do things like this, you have extra steps when you find a problem, because you need to tell whether it's due to the changes you made. imho if you need to ask if you can do it, you probably don't know enough about the system to do this without causing yourself problems. Dropping cachepct, via config(8), *might* be appropriate. You may also stripe nearly all of your libraries, for example: How is stripping library archives going to help save RAM? (if you want to save disk space, you might as well just not install compXX.tgz)
Microsoft gets the Most Secure Operating Systems award
Hi, http://www.internetnews.com/security/article.php/3667201 Just for some entertainment, no troll :-) --Siju
Re: Saving memory on small machines
On Thu, Mar 22, 2007 at 11:11:22AM +, David Given wrote: And if it is worth recompiling the kernel, can anyone recommend any particularly big features it would be worth taking out? I wouldn't bother, unless you find yourself actually running low on memory. Not running GENERIC means any problems you report to the obsd team will probably be ignored. Just run with generic, unless you find it to be an actual problem. 48M is more than enough for a bsd kernel. -- David Terrell [EMAIL PROTECTED] ((meatspace)) http://meat.net/
Re: openbsd current?
On 3/22/07, Jay Jesus Amorin [EMAIL PROTECTED] wrote: how do i know if im using openbsd current? If you have to ask you aren't. Current is installed by installing snapshots and compiling from CVS. The learning curve is very steep. -Nick
cannot make mod_auth_bsd work
After a default 4.0 install I installed www/mod_auth_bsd but all users are rejected. I have the following line in my /var/www/logs/error_log:

    httpd: invalid script: /usr/libexec/auth/login_passwd

Same results whether apache is chrooted or not. Any help would be appreciated.

Regards,
Thierry.
Re: Microsoft gets the Most Secure Operating Systems award
Nice, let's all now switch our servers to Windows!!! Oh but it doesn't run on ultrasparc... Nevermind... :D 2007/3/23, Siju George [EMAIL PROTECTED]: Hi, http://www.internetnews.com/security/article.php/3667201 Just for some entertainment, no troll :-) --Siju -- Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html
Re: Saving memory on small machines
David Given wrote:

> I have a machine with 48MB of RAM that I want to use as a server.
>
> The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory and is not swappable, giving me 43MB left, which isn't a lot.
>
> Is it worth recompiling the kernel to remove support for features I'm not using --- IPv6, say, or the Microchannel bus --- on the principle that reducing the size of the kernel will give more memory for doing other things, and therefore generally speed the system up? Or will not using GENERIC cause more problems than it's worth?
>
> And if it is worth recompiling the kernel, can anyone recommend any particularly big features it would be worth taking out?

Hi!

My Internet firewall machine is a 486DX with 48MB of RAM and a 10GB HD inside a plastic box. I used to recompile the kernel removing almost everything using a tool called dmassage (google for it) which helps you to prepare the configuration file.

Anyway during the last two releases I didn't bother compiling the kernel, my reason is that I'm not seeing a huge difference in memory saving using a self-compiled kernel, perhaps a couple of MB.

Right now I have 15MB of free RAM and in the worst case (when pfstat is run) I have about 12MB free, that's enough. The main processes that're running are: postfix + httpd + ntpd + noip2 + dnsmasq, uptime is 90 days. This is a rock solid OS, you won't find any memory leaks.

HTH.

Regards,
Jorge.
Re: Is OpenBSD good/best for my 486?
On Wed, Mar 21, 2007 at 10:16:24PM -0500, Travers Buda wrote: * Douglas Allan Tutty [EMAIL PROTECTED] [2007-03-21 22:37:01]: I've got a 486DX4-100 with 32 MB ram, ISA bus, with two drives: 840 MB and 1280 MB IDE. Currently running Debian GNU/Linux Sarge. *snip* Is there any reason that OpenBSD wouldn't be my best choice for this box? I've run OpenBSD on a 486DX2 with 20 megs of ram. When you're talking about the 486es, you're going to want a FPU with openbsd. It does not look like there is any emulation (however, I remember seeing something in the GENERIC config a year or so back...) or else it won't work. The system was fine, and quite responsive for just ssh, tip, etc. OpenBSD is a fine choice, the biggest bottleneck you're probably going to see is virtual memory-related stuff like the encrypted swap, which you can turn off via the vm.swapencrypt.enable sysctl. You're probably not going to be swapping too darn much unless you decide to use X, then it's going to be a bit over the line, however, this does not mean it's not going to work. =) 486DX4-100 has FPU. All I need is a basic X window manager (for moving windows around), an xterm, and ssh that port forwards X11. Right now, I have no problem sshing to my athlon in the basement and running Konqueror for web browsing when I need java and https. The only other memory and compute intensive thing I do is run debian's aptitude package manager. You mean OpenBSD has encrypted swap out-of-the-box? That's fantastic. It took a while to set up on my debian etch box. Thanks, Doug.
Re: Microsoft gets the Most Secure Operating Systems award
On Thu, 22 Mar 2007 18:58:31 +0530, Siju George [EMAIL PROTECTED] wrote: Hi, http://www.internetnews.com/security/article.php/3667201 From the article: Microsoft is doing better overall than its leading commercial competitors. ^^ No wonder. they stacked the deck before doing the comparison Just for some entertainment, no troll :-) --Siju --- Ben Calvert Flying Walrus Communications
Re: is the Thinkpad T30 supported?
Hello! Joachim. I think that the problem you had with your Thinkpad happened to the son of a friend I have at Illinois too (on a slightly different variant). On his laptop (a T20) the display CCF lamp did not turn on. Indeed, buying at least two similar laptops is a smart idea. That is the reason I am looking for two units of the same -or similar- Thinkpads. Thanks a lot for your feedback. I will get at least two units of the same laptop. OpenBSD fan. Sure! I will certainly install the tpb and tphdisk packages on the Thinkpad. I like the ability to use the Access IBM button, changing/muting the volume and screen brightness. Hibernation is an excellent feature if it is supported (it hanged sometimes on my Latitude when running both NetBSD and OpenBSD). As Bob Beck says that it suspends and resumes very well, I certainly believe that hibernation will be a useful feature. On-screen messages provided by these tools will be valuable too. Thanks a lot! Greg. I certainly believe that the chassis on the Latitude CPi is much better than the chassis on the HP Omnibook 4100, but it can be certainly improved. I supposed that hinges on the Latitude were excellent ones until one broke. After opening the display, I found an annoying thin hinge. Nice to know that Thinkpads have better chassis and hinges. Well, I really care about my computers. But a laptop is just required for anything I do and after carrying a computer with me four years and opening/closing the computer at least four times each day I believe that good hinges are just a requirement. Thanks four your feedback, now I see that Thinkpads are the computers to buy. Darren. Nice to know that you confirm the construction quality of the Thinkpad laptops. Probably Greg was not very lucky with his laptop, but I know someone that had a similar problem too. In any case, I believe that weak hinges are the real challenge for me. I want a laptop that works for a lot of years. 
Hopefully, when someone buys high quality hardware OpenBSD does a nice job supporting that machine for years. I think that on the BSDs world the term obsolete is unknown when applied to hardware. I will certainly look for a good Thinkpad right now. Someone in a private email (I will not put his name here, as he wrote directly to me) said that IBM sells certified used equipments. I have looked at the excellent prices IBM has on these refurbished units. Even better, they sell these items with one year guarantee. Sadly, these computers are only available for U.S. citizens. I can ask a good friend I have in the United States to send the computer to me, but sadly payment must be done with a U.S. credit card too, my Visa card cannot be used to pay these items. So, it will be difficult buying these units from IBM right now. In any case, I will look for an american unit, as I do not like the Spanish keyboard layout a lot. Laptops have too few keys to waste them with special characters, and the right keyboard layout is not choosed until booting multi-user. Thanks to all the people on this thread for the excellent advices and feedback on this matter. I will buy a used Thinkpad and install the tpb and tphdisk packages. Cheers, Igor.
Re: Microsoft gets the Most Secure Operating Systems award
Siju George wrote: Hi, http://www.internetnews.com/security/article.php/3667201 Just for some entertainment, no troll :-) --Siju IMHO it's not a fair comparison, most linux distributions ship with alot more software than microsoft windows does, and most bugreports indicate an issue with third-party software.
Re: Microsoft gets the Most Secure Operating Systems award
On 3/22/07, Ben Calvert [EMAIL PROTECTED] wrote: Microsoft is doing better overall than its leading commercial competitors. ^^ No wonder. they stacked the deck before doing the comparison doesn't this mean that they now have more coders on payroll to fix stuff than they do to write the os? kinda scary.
Re: Microsoft gets the Most Secure Operating Systems award
On Thursday 22 March 2007 11:29 am, RedShift wrote: Siju George wrote: Hi, http://www.internetnews.com/security/article.php/3667201 Just for some entertainment, no troll :-) --Siju IMHO it's not a fair comparison, most linux distributions ship with alot more software than microsoft windows does, and most bugreports indicate an issue with third-party software. If you read the article past the summary, they mention that. While Windows had far fewer bugs than say Red Hat, Red Hat only had 2 (out of 208) considered high/severe. Windows had a very high percentage of its bugs labelled as high or severe (12 out of 39). Similarly, I'm sure if you looked at the time-to-fix for just the high and severe bugs from each side, you'd see that the Microsoft ones were slower to get patched. I'm just betting that the 200+ less unimportant bugs included many that really just didn't warrant any priority to fix. Unfortunately, the article doesn't really show this in the light that suggests the findings of Windows being the most secure commercial OS might be false, but it's not too hard to read between the lines. 78% of statistics are made up and 103% of statistics can say the exact opposite of what you think they should mean. -- Regards, Neil Schelly Senior Systems Administrator W: 978-667-5115 x213 M: 508-410-4776 OASIS Open http://www.oasis-open.org Advancing E-Business Standards Since 1993
Re: Microsoft gets the Most Secure Operating Systems award
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Siju George Sent: Thursday, March 22, 2007 8:29 AM To: OpenBSD Misc Subject: Microsoft gets the Most Secure Operating Systems award Hi, http://www.internetnews.com/security/article.php/3667201 Just for some entertainment, no troll :-) --Siju I think I'll print out this article for use any time my boss gets a wild hair up his ass and wants to convert to windows. The stats for number of vulnerabilities and turn around time have always been abysmal for windows and this article just proves that nothing has changed. Maybe I could admit that this is marginally better than previous windows versions (maybe) but it is still very sloppy when compared to OpenBSD. A special thanks to Theo and the OpenBSD team for making me look so good all these years. stuart
Re: Saving memory on small machines
Kamil Monticolo [EMAIL PROTECTED] writes: # ls -lhS /usr/lib/libcrypto*a -r--r--r-- 1 root bin 11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a -r--r--r-- 1 root bin 11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a -r--r--r-- 1 root bin 11.5M Mar 22 13:53 /usr/lib/libcrypto.a # strip -s /usr/lib/libcrypto*a # ls -lhS /usr/lib/libcrypto*a -r--r--r-- 1 root bin 909K Mar 22 13:53 /usr/lib/libcrypto_pic.a -r--r--r-- 1 root bin 865K Mar 22 13:53 /usr/lib/libcrypto_p.a -r--r--r-- 1 root bin 835K Mar 22 13:53 /usr/lib/libcrypto.a I'm speechless. This is the low water mark on misc@ this week. //art
Re: Microsoft gets the Most Secure Operating Systems award
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of RedShift Sent: Thursday, March 22, 2007 10:30 AM To: misc@openbsd.org Subject: Re: Microsoft gets the Most Secure Operating Systems award Siju George wrote: Hi, http://www.internetnews.com/security/article.php/3667201 Just for some entertainment, no troll :-) --Siju IMHO it's not a fair comparison, most linux distributions ship with alot more software than microsoft windows does, and most bugreports indicate an issue with third-party software. First, these types of articles (generally) have nothing to do with making a fair compairison. They are made up by marketing guys for marketing reasons. Second, It just goes to show that an OS that doesn't ship with a bunch of extra fluff that most people aren't going to need anyway is always the best choice. That was one of the first things that attracted me to OpenBSD. I remember saying to myself What? You have to enable the web server? It isn't on right out of the box? WOW! What a concept! Needless to say, I threw away my Red Hat CDs and haven't looked back.
Re: Microsoft gets the Most Secure Operating Systems award
On 3/22/07, Neil Joseph Schelly [EMAIL PROTECTED] wrote: On Thursday 22 March 2007 11:29 am, RedShift wrote: Siju George wrote: Hi, http://www.internetnews.com/security/article.php/3667201 Just for some entertainment, no troll :-) --Siju IMHO it's not a fair comparison, most linux distributions ship with alot more software than microsoft windows does, and most bugreports indicate an issue with third-party software. If you read the article past the summary, they mention that. While Windows had far fewer bugs than say Red Hat, Red Hat only had 2 (out of 208) considered high/severe. Windows had a very high percentage of its bugs labelled as high or severe (12 out of 39). Similarly, I'm sure if you looked at the time-to-fix for just the high and severe bugs from each side, you'd see that the Microsoft ones were slower to get patched. I'm just betting that the 200+ less unimportant bugs included many that really just didn't warrant any priority to fix. Unfortunately, the article doesn't really show this in the light that suggests the findings of Windows being the most secure commercial OS might be false, but it's not too hard to read between the lines. 78% of statistics are made up and 103% of statistics can say the exact opposite of what you think they should mean. And *anyway*, measuring security by number of patches for bugs and time it takes to patch is silly. Every OS, even OpenBSD as we just saw, is probably full of undetected exploits that are constantly getting fixed indirectly as overall code quality is improved. -Nick
Re: Microsoft gets the Most Secure Operating Systems award
On Thu, 22 Mar 2007, RedShift wrote:

> Siju George wrote:
>> http://www.internetnews.com/security/article.php/3667201
>> Just for some entertainment, no troll :-)
>
> IMHO it's not a fair comparison, most linux distributions ship with alot more software than microsoft windows does, and most bugreports indicate an issue with third-party software.

It's even more bullshit than that. Among other things, it compares the number of 'patches', which for non-MS systems tend to be 1:1 or close to it whereas MS has been making a point of rolling as many vulnerabilities into a single patch as possible.

The metrics are not described. Terms like 'patch', 'vulnerability', 'advisory' are intermingled in a most unclear manner. Patch 'development time' seems undefined as well.

Symantec makes its living selling paper bailing cups in a leaky boat. The media actively participates in obfuscating the issues, the causes and the solutions by publicizing such crap from Symantec and MS.

-Lars

Lars Noodén ([EMAIL PROTECTED])
Ensure access to your data now and in the future
http://opendocumentfellowship.org/about_us/contribute
Re: Saving memory on small machines
On Thu, 22 Mar 2007, Kamil Monticolo wrote: The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory and is not swappable, giving me 43MB left, which isn't a lot. You can turn off ipv6, altq if not needed, and of course lots of hardware that you don't need also. For example I have a 2 x smaller kernel that GENERIC on my laptop: $ uname -a OpenBSD squirrel 4.1 BIRKOFF#0 i386 $ ls -lh /bsd{,.orig} -rw-r--r-- 1 root wheel 2.9M Mar 9 00:39 /bsd -rw-r--r-- 1 root wheel 5.8M Feb 22 13:32 /bsd.orig You may also stripe nearly all of your libraries, for example: # ls -lhS /usr/lib/libcrypto*a -r--r--r-- 1 root bin 11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a -r--r--r-- 1 root bin 11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a -r--r--r-- 1 root bin 11.5M Mar 22 13:53 /usr/lib/libcrypto.a # strip -s /usr/lib/libcrypto*a # ls -lhS /usr/lib/libcrypto*a -r--r--r-- 1 root bin 909K Mar 22 13:53 /usr/lib/libcrypto_pic.a -r--r--r-- 1 root bin 865K Mar 22 13:53 /usr/lib/libcrypto_p.a -r--r--r-- 1 root bin 835K Mar 22 13:53 /usr/lib/libcrypto.a looks fine? Hope this helps. Kamil Monticolo aka birkoff It saves even more space if you do alias strip=rm -Otto
binat questions
Using OpenBSD 4.0
Using binat for the first time in the real world

Questions:

    binat pass on fxp0 from $server_int to any -> $server_ext

does this bypass all other pf filter rules?

    binat on fxp0 from $server_int to any -> $server_ext

does this form allow filtering?

Googling comes up with many different opinions
Re: Saving memory on small machines
On Thu, 2007-03-22 at 11:11 +, David Given wrote: I have a machine with 48MB of RAM that I want to use as a server. The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory and is not swappable, giving me 43MB left, which isn't a lot. Is it worth recompiling the kernel to remove support for features I'm not using --- IPv6, say, or the Microchannel bus --- on the principle that reducing the size of the kernel will give more memory for doing other things, and therefore generally speed the system up? Or will not using GENERIC cause more problems than it's worth? And if it is worth recompiling the kernel, can anyone recommend any particularly big features it would be worth taking out? well, you could always compile with the small kernel option (forget the actual #define that needs to be made, but grep is god's gift to everybody).
Re: Microsoft gets the Most Secure Operating Systems award
Siju George wrote: Hi, http://www.internetnews.com/security/article.php/3667201 Just for some entertainment, no troll :-) --Siju IMHO it's not a fair comparison, most linux distributions ship with alot more software than microsoft windows does, and most bugreports indicate an issue with third-party software. I think it's a very fair comparison. Hmm. let's see, An OS that ships with a big pile of stinking garbage written quickly to dangle the prettiest shiny things in front of users little brains before anyone else does. Linux distros do the first to market and damn the consequences game just as well as Microsoft ever has. Third party software - in linux? fuck in Linux distributions everything in userland is third party software. Linux is a kernel. The operating system is then a collection of things put together by bundlers. Do I think either vendor does a good job, no, but is Microsoft doing a better job of it than say, Red Hat? Yep. You betcha. If you right now took a magic fairy wand and replaced windows in all the broadband connected machines out there with a full featured (and that means all the bells and whistles, not spending half a day turning all the shit off and un-setuiding all the inane shit that is setuid root) Red Hat install with similar tools, I'm pretty sure you'd have a virus and worm shitstorm that would make what we see now hitting our mailservers from windows machines look like a tiny little unoffensive fart - from a vegetarian at that. And yes a big chunk of the problem is the knuckle dragging mouth breather in front of the keyboard - thank god that's not OpenBSD's targeted userbase, although some days reading misc@ I wonder. -Bob
Re: Microsoft gets the Most Secure Operating Systems award
On Thu, Mar 22, 2007 at 08:12:23AM -0700, Ben Calvert wrote:
On Thu, 22 Mar 2007 18:58:31 +0530, Siju George [EMAIL PROTECTED] wrote:
Hi, http://www.internetnews.com/security/article.php/3667201
From the article: Microsoft is doing better overall than its leading commercial competitors. ^^
No wonder. they stacked the deck before doing the comparison
As I see it they compared:
Microsoft: 12 serious vulnerabilities in the OS
Red Hat: 2 serious vulnerabilities in the kernel + packages
Mac OS X: 1 serious vulnerability in the OS
HP-UX: ?? _serious_ out of 98 total
Solaris: ?? _serious_ out of 36 total for OS + third-party apps
The article seems to rank by the number of patches. If a vendor waits and sends out a mega-patch even monthly, to fix more bugs than anyone else, then that's only two patches over a 6 month period. It's a poorly constructed survey. Doug.
Re: Is OpenBSD good/best for my 486?
On 3/22/07, Douglas Allan Tutty [EMAIL PROTECTED] wrote: You mean OpenBSD has encrypted swap out-of-the-box? That's fantastic. It took a while to set up on my debian etch box. That is why we call it ``secure by default''
Re: Microsoft gets the Most Secure Operating Systems award
On 3/22/07, Bob Beck [EMAIL PROTECTED] wrote: And yes a big chunk of the problem is the knuckle dragging mouth breather in front of the keyboard - thank god that's not OpenBSD's targeted userbase, Damn, I wonder how I stumbled onto OpenBSD then. Greg
Re: binat questions
A quick read of the faq shows the pass keyword causes a bypass of all filtering ...so don't use it if you want your filters to be applied.
Bruce Bauer wrote:
Using OpenBSD 4.0
Using binat for the first time in the real world
Questions:
binat pass on fxp0 from $server_int to any -> $server_ext
does this bypass all other pf filter rules?
binat on fxp0 from $server_int to any -> $server_ext
does this form allow filtering?
Googling comes up with many different opinions
Re: openbsd current?
On Thursday 22 March 2007 10:01:23 Nick ! wrote:
On 3/22/07, Jay Jesus Amorin [EMAIL PROTECTED] wrote:
how do I know if I'm using openbsd current?
If you have to ask you aren't. Current is installed by installing snapshots and compiling from CVS. The learning curve is very steep. -Nick
Um, that's not true. I've now encountered three people who got snapshots and got their systems working, not realizing that they had -current. One of them even managed to get -current packages, so was by chance in sync, happy and didn't know what he was doing exactly. So there are ways of being on -current and not quite knowing that you are. --STeve Andre'
Re: Saving memory on small machines
On Thu, 22 Mar 2007, David Given wrote: I have a machine with 48MB of RAM that I want to use as a server. The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory and is not swappable, giving me 43MB left, which isn't a lot. I sent a longer ramble offlist, but onlist, the bottom line is this: you'll save some memory, a few megabytes, but if they are the tipping point between usefulness and non-usefulness of the machine, spend your time and money on Ebay, finding more memory. Sometimes you can find a couple of hundred MB for cheap, with a faster CPU, large discs, snappy ethernet and video cards, a new case and power supply, and other cool stuff still attached to it ;-). Other point: swapping (i.e. paging) is perfectly acceptable behavior in some circumstances. It used to be the way things were. The Golden Age of cheap servers (and laptops and ...) is almost upon us, just as soon as the lemmings start going to Vista. Dave
my new email
Currently I'm using the following email address: / My new email address: http://toya.net.pl/~pirama/email.jpg regards, TTR
Re: Saving memory on small machines
* Artur Grabowski [EMAIL PROTECTED] [2007-03-22 10:32]:
Kamil Monticolo [EMAIL PROTECTED] writes:
# ls -lhS /usr/lib/libcrypto*a
-r--r--r-- 1 root bin 11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a
-r--r--r-- 1 root bin 11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a
-r--r--r-- 1 root bin 11.5M Mar 22 13:53 /usr/lib/libcrypto.a
# strip -s /usr/lib/libcrypto*a
# ls -lhS /usr/lib/libcrypto*a
-r--r--r-- 1 root bin 909K Mar 22 13:53 /usr/lib/libcrypto_pic.a
-r--r--r-- 1 root bin 865K Mar 22 13:53 /usr/lib/libcrypto_p.a
-r--r--r-- 1 root bin 835K Mar 22 13:53 /usr/lib/libcrypto.a
I'm speechless. This is the low water mark on misc@ this week. //art
How can you call it a low water mark art? I wasn't speechless, I laughed my ass off. I needed the humor this morning, I'm hung over and spent the morning in a stupid meeting. That message made my day. Definitely not a low water mark ;) -Bob
Re: openbsd current?
On 3/22/07, STeve Andre' [EMAIL PROTECTED] wrote:
On Thursday 22 March 2007 10:01:23 Nick ! wrote:
On 3/22/07, Jay Jesus Amorin [EMAIL PROTECTED] wrote:
how do I know if I'm using openbsd current?
If you have to ask you aren't. Current is installed by installing snapshots and compiling from CVS. The learning curve is very steep. -Nick
Um, that's not true. I've now encountered three people who got snapshots and got their systems working, not realizing that they had -current. One of them even managed to get -current packages, so was by chance in sync, happy and didn't know what he was doing exactly. So there are ways of being on -current and not quite knowing that you are.
I sent this to the wrong list. Damn you gmail. It got an interesting response though, so it was worth it. -Nick
Re: openbsd current?
Perhaps the better thing to say is that it takes know-how to run current *correctly and well*. If you're just dipping your toes into OpenBSD, running -current might not be for you.
On 3/22/07, STeve Andre' [EMAIL PROTECTED] wrote:
On Thursday 22 March 2007 10:01:23 Nick ! wrote:
On 3/22/07, Jay Jesus Amorin [EMAIL PROTECTED] wrote:
how do I know if I'm using openbsd current?
If you have to ask you aren't. Current is installed by installing snapshots and compiling from CVS. The learning curve is very steep. -Nick
Um, that's not true. I've now encountered three people who got snapshots and got their systems working, not realizing that they had -current. One of them even managed to get -current packages, so was by chance in sync, happy and didn't know what he was doing exactly. So there are ways of being on -current and not quite knowing that you are. --STeve Andre'
Re: openbsd current?
Very good point, Jeremy. OpenBSD-current is *not* the way to start off. This is the only op system I've ever used which has generally been stable enough to use on a production machine, but that does not mean that newcomers should use it. Start with the stock release, and then get some extra piece of junk to run -current on, and learn from there... --STeve Andre'
On Thursday 22 March 2007 14:18:44 Jeremy David wrote:
Perhaps the better thing to say is that it takes know-how to run current *correctly and well*. If you're just dipping your toes into OpenBSD, running -current might not be for you.
On 3/22/07, STeve Andre' [EMAIL PROTECTED] wrote:
On Thursday 22 March 2007 10:01:23 Nick ! wrote:
On 3/22/07, Jay Jesus Amorin [EMAIL PROTECTED] wrote:
how do I know if I'm using openbsd current?
If you have to ask you aren't. Current is installed by installing snapshots and compiling from CVS. The learning curve is very steep. -Nick
Um, that's not true. I've now encountered three people who got snapshots and got their systems working, not realizing that they had -current. One of them even managed to get -current packages, so was by chance in sync, happy and didn't know what he was doing exactly. So there are ways of being on -current and not quite knowing that you are. --STeve Andre'
Re: Saving memory on small machines
Woodchuck wrote: [...] I sent a longer ramble offlist Indeed. Ta. , but onlist, the bottom line is this: you'll save some memory, a few megabytes, but if they are the tipping point between usefulness and non-usefulness of the machine, spend your time and money on Ebay, finding more memory. Unfortunately the box is currently maxed out on memory (it's a laptop). It won't be serving very much; I'm looking to replace my existing NSLU2 running Debian, which is doing thttpd, postfix, samba, nfsd, spamprobe, spey, dovecot, and dnsmasq. (I'd actually quite like to continue using the NSLU2 but it doesn't turn on automatically --- which is a pain in the arse whenever there's a power cut --- and I'd rather use OpenBSD, anyway. Is anyone working on an NSLU2 port?) The only thing I can expand it with now is hard disk space, via a USB2 Cardbus adaptor. Unfortunately, I haven't been able to get the EHCI interface working --- I posted a dmesg a few days ago, but it may have been eaten by the mailing list software; I'd only just subscribed. -- http://www.cowlark.com Wizards get cranky, / Dark days dawn, / Riders smell manky, / The road goes on. / Omens are lowering, / Elves go West; / The Shire needs scouring, / You may as well quest. - John M. Ford
Re: Saving memory on small machines
On Thu, Mar 22, 2007 at 12:09:04PM -0600, Bob Beck wrote:
* Artur Grabowski [EMAIL PROTECTED] [2007-03-22 10:32]:
Kamil Monticolo [EMAIL PROTECTED] writes:
# ls -lhS /usr/lib/libcrypto*a
-r--r--r-- 1 root bin 11.7M Mar 22 13:53 /usr/lib/libcrypto_pic.a
-r--r--r-- 1 root bin 11.6M Mar 22 13:53 /usr/lib/libcrypto_p.a
-r--r--r-- 1 root bin 11.5M Mar 22 13:53 /usr/lib/libcrypto.a
# strip -s /usr/lib/libcrypto*a
# ls -lhS /usr/lib/libcrypto*a
-r--r--r-- 1 root bin 909K Mar 22 13:53 /usr/lib/libcrypto_pic.a
-r--r--r-- 1 root bin 865K Mar 22 13:53 /usr/lib/libcrypto_p.a
-r--r--r-- 1 root bin 835K Mar 22 13:53 /usr/lib/libcrypto.a
I'm speechless. This is the low water mark on misc@ this week.
How can you call it a low water mark art? I wasn't speechless, I laughed my ass off. I needed the humor this morning, I'm hung over and spent the morning in a stupid meeting. That message made my day. Definitely not a low water mark ;)
My apologies. I don't get the humour. Take a lib, strip the debugging symbols, you get a functional lib that's 10% of the size. However, since BSD relies on the ability to recompile things, don't you need those libs to have the debugging symbols? Or is it that strip -s removes all symbols and it was only intended to remove the debug symbols. The libs won't work? Sorry, I'm from debian. I never compile C. The last thing I compiled was Fortran 77. I try not to mouth-breathe but, when I do, at least I don't drool. Could some kind soul gently explain the humour? Thanks, Doug.
Re: Saving memory on small machines
It won't be serving very much; I'm looking to replace my existing NSLU2 running Debian, which is doing thttpd, postfix, samba, nfsd, spamprobe, spey, dovecot, and dnsmasq. (I'd actually quite like to continue using the NSLU2 but it doesn't turn on automatically --- which is a pain in the arse whenever there's a power cut --- and I'd rather use OpenBSD, anyway. Is anyone working on an NSLU2 port?) I am not aware of anyone working on running OpenBSD on the NSLU2, but if you want a nice pet project to spend time on, NetBSD runs on it and porting their code should be relatively easy to do. Of course this won't help with the fact that the NSLU2 is horribly slow (it's not nicknamed ``slug'' without a good reason). Miod
Re: Saving memory on small machines
On Thu, Mar 22, 2007 at 12:09:04PM -0600, Bob Beck wrote: How can you call it a low water mark art? I wasn't speechless, I laughed my ass off. I needed the humor this morning, I'm hung over and spent the morning in a stupid meeting. That message made my day. Because what was `early morning good laugh' to you was probably 'end of day utter deception' for him. :-) -p.
Re: binat questions
Yes, it shows that for a nat rule but doesn't mention anything about pass on a binat rule. I only discovered that binat accepts pass from the grammar section of pf.conf(5). I can't find any authority that states that binat pass... causes a bypass of all filtering as it does with nat pass...
On 3/22/07, Dag Richards [EMAIL PROTECTED] wrote:
A quick read of the faq shows the pass keyword causes a bypass of all filtering ...so don't use it if you want your filters to be applied.
Bruce Bauer wrote:
Using OpenBSD 4.0
Using binat for the first time in the real world
Questions:
binat pass on fxp0 from $server_int to any -> $server_ext
does this bypass all other pf filter rules?
binat on fxp0 from $server_int to any -> $server_ext
does this form allow filtering?
Googling comes up with many different opinions
Re: binat questions
On 2007/03/22 13:01, Bruce Bauer wrote:
Yes, it shows that for a nat rule but doesn't mention anything about pass on a binat rule. I only discovered that binat accepts pass from the grammar section of pf.conf(5).
Packets that match a translation rule are only automatically passed if the pass modifier is given, otherwise they are still subject to block and pass rules. Translation rules are binat, rdr, nat.
One thing to watch out for with binat: you can't use it with ftp-proxy(8), since binat is of higher priority than the rdr or nat rules which are added to the anchor. The workaround there is to list nat and rdr separately.
quick test of netbeans pkg
for testing purposes i installed a current snapshot. i saw the announcement of the netbeans pkg thus i compiled jdk 1.5 and installed netbeans. when i build/run a project the output in the output/console of netbeans is mostly not readable. it prints targets like init: deps-jar: but the output from the compiler or the application looks like it prints a square for each character. looks like a font and or encoding problem? the snapshot was downloaded on the 20. march. the base system was dated 18. march the packages 12. march (sunsite.cnlab-switch.ch).
OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
netbeans-5.5 NetBeans Java IDE
jdk-1.5.0p28 Java2(TM) Standard Edition Dev Kit v1.5.0
any idea what went wrong?
Support for USB wireless device RTL8187B?
Hello list,
I bought a TEW-424UB usb wireless adapter to use with my landisk (Plextor EH40L). I recommend that you go out and get one of these. In Canada, TigerDirect.ca has the 400GB model for $315CDN after rebate. The supported hardware list indicates that the TEW-424UB is supported but that it uses the ZyDAS ZD1211 chipset. I have rev 3.0 of the hardware which as it turns out uses the Realtek RTL8187B chipset. At present, this does not appear to be supported. Here is what I see upon device insertion:
ugen0 at uhub2 port 1
ugen0: Realtek RTL8187B_WLAN_Adapte, rev 2.00/2.00, addr 2
More info on the chip and a Linux driver is available here http://www.realtek.com.tw/search/default.aspx?keyword=rtl8187b
Is anyone working on a driver for this device? Will access to hardware help?
Cheers, /Jason
Re: Saving memory on small machines
On 3/22/07, Douglas Allan Tutty [EMAIL PROTECTED] wrote: Or is it that strip -s removes all symbols and it was only intended to remove the debug symbols. The libs won't work? yes, libs without symbols aren't especially useful for future development.
streaming program...
list, i am looking for a video streaming program and noticed ffmpeg did it over http. installing ffmpeg from packages gave the following...
4.0 GENERIC i386, no X11
sudo pkg_add -v ${PKG_PATH}ffmpeg-20060312p1.tgz
Password:
parsing ffmpeg-20060312p1
Dependencies for ffmpeg-20060312p1 resolve to: sdl-1.2.9p1-sun (todo: sdl-1.2.9p1-sun)
ffmpeg-20060312p1:parsing sdl-1.2.9p1-sun
Can't install sdl-1.2.9p1-sun: lib not found X11.9.0
Even by looking in the dependency tree:
Maybe it's in a dependent package, but not tagged with @lib ? (check with pkg_info -K -L)
If you are still running 3.6 packages, update them.
Can't install sdl-1.2.9p1-sun: lib not found Xext.9.0
Can't install ftp://spargel.kd85.com/pub/OpenBSD/4.0/packages/i386/ffmpeg-20060312p1.tgz: can't resolve sdl-1.2.9p1-sun
PKG_PATH=ftp://spargel.kd85.com/pub/OpenBSD/4.0/packages/i386/
it seems strange to me that ffmpeg requires X11 by default. so which streaming program that can do RTP would the list recommend? many thanks poncenby
Re: Microsoft gets the Most Secure Operating Systems award
On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
Their challenge is that they need to provide choice so they have what they call reasonable defaults.
No, they don't need to provide choice. At least not that many. They decide to do so. That's most of what's wrong with OS stuff these days. Too many choices. Too many knobs. Every day, I see people shoot themselves in the foot, not managing to administer boxes and networks in a simple way, making stupid decisions that don't serve any purpose. ACL, enforced security policies, reverse proxy setups, user accounts, network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs... so many choices. So many wrong choices. At some point, the people who package the software need to make editorial decisions. Remove knobs. Provide people with stuff that just works. Remove options. Or definitely give them the means to do the trade-off correctly. Okay, it's a losing battle. I'm an old grumpy fart. Okay, a lot of IT people are just earning their wages by managing the incredibly too complex setups we face nowadays (and not screwing too badly in front of a multitude of stupid inane choices). Linux is the `culture of choice'. Provide ten MTA, ten MUA. Twenty window managers. Never decide which one you want to install, never give you a default installation that just works. Cater to the techy, nerdy culture of people who want to spend *days* just making choices. We try not to be as bad, to provide default configs that work, and not so many choices.
Re: Microsoft gets the Most Secure Operating Systems award
On Thu, Mar 22, 2007 at 09:40:57PM +0100, Marc Espie wrote:
On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
Their challenge is that they need to provide choice so they have what they call reasonable defaults.
No, they don't need to provide choice. At least not that many. They decide to do so. That's most of what's wrong with OS stuff these days. Too many choices. Too many knobs. Every day, I see people shoot themselves in the foot, not managing to administer boxes and networks in a simple way, making stupid decisions that don't serve any purpose. ACL, enforced security policies, reverse proxy setups, user accounts, network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs... so many choices. So many wrong choices. At some point, the people who package the software need to make editorial decisions. Remove knobs. Provide people with stuff that just works. Remove options. Or definitely give them the means to do the trade-off correctly. Okay, it's a losing battle. I'm an old grumpy fart. Okay, a lot of IT people are just earning their wages by managing the incredibly too complex setups we face nowadays (and not screwing too badly in front of a multitude of stupid inane choices). Linux is the `culture of choice'. Provide ten MTA, ten MUA. Twenty window managers. Never decide which one you want to install, never give you a default installation that just works. Cater to the techy, nerdy culture of people who want to spend *days* just making choices. We try not to be as bad, to provide default configs that work, and not so many choices.
I agree with you that secure/sane defaults are very important, they are a big pro for OpenBSD. Featurism violates KISS and we all know that KISS is the only way to handle ever growing complexity. BUT choices are important as well, everything else is world domination tour aka dictatorship (and not the good kind). Imagine not having a choice in hardware, wait don't just imagine look at the high-end graphics card market. Sorry, but I just couldn't leave the one size HAS TO fit all alone without any restraints. Regards, ahb
Re: cannot make mod_auth_bsd work
On Thursday 22 March 2007 08:09, Thierry Lacoste wrote:
After a default 4.0 install I installed www/mod_auth_bsd but all users are rejected. I have the following line in my /var/www/logs/error_log:
httpd: invalid script: /usr/libexec/auth/login_passwd
Same results whether apache is chrooted or not. Any help would be appreciated.
I tried to recreate your error message and when I removed AuthBSDGroup auth in httpd.conf, I got the exact error you mention. So it is possible that this is the cause for your error message. The README file in /usr/local/share/doc/mod_auth_bsd explicitly mentions this point and states that you should have something like:
AuthBSDGroup auth
<Directory /var/www/vhosts/foo/login>
    # required by default
    SSLRequireSSL
    # only HTTP Basic supported
    AuthType Basic
    AuthName "Foo Login"
    AuthBSD On
    # restrict to system accounts
    Require valid-user
</Directory>
Hope this helps, Vijay
-- Vijay Sankar ForeTell Technologies Limited 59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6 Phone: +1 (204) 885-9535, E-Mail: [EMAIL PROTECTED]
Re: Microsoft gets the Most Secure Operating Systems award
On 3/22/07, Marc Espie [EMAIL PROTECTED] wrote: On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote: Their challenge is that they need to provide choice so they have what they call reasonable defaults. No, they don't need to provide choice. At least not that many. They decide to do so. That's most of what's wrong with OS stuff these days. That's exactly why I switched long ago. Poking around at 1000 different little apps all doing the same thing was fun for awhile on Linux but I eventually realized that all the choices actually reduced my productivity. A second reason I switched was because of OS cohesion. Greg
Re: Saving memory on small machines
On Thu, Mar 22, 2007 at 01:29:33PM -0700, Ted Unangst wrote: On 3/22/07, Douglas Allan Tutty [EMAIL PROTECTED] wrote: Or is it that strip -s removes all symbols and it was only intended to remove the debug symbols. The libs won't work? yes, libs without symbols aren't especially useful for future development. Also, stripping static libs has ZERO impact on your installed system, it only affects things you compile from source on that box. (and, as you mention -- negatively). -- David Terrell [EMAIL PROTECTED] ((meatspace)) http://meat.net/
Do symlinks exist? (sh, ksh, /bin/test documentation ambiguity)
I expect it's old, old news to those with more shell scripting scars: but the results of the [ -e ] test are at variance with my allegedly reasonable reading of the documentation.
For all three of sh, ksh, and the /bin/test manpages, the description of the -e test reads "file exists", unlike the other file-related tests which read "file exists and further condition", with further condition being is-writable, is-executable, is-readable, and the like. The manpage for /bin/test is even more emphatic in suggesting it's going to be true for a strict superset of the files for which the other tests return true - "True if file exists (regardless of type)".
However, there are arguments for which -e returns false, but a different file-related test returns true. These arguments are symlinks which don't resolve to an existing file - both symlinks that point 'nowhere', i.e. to non-existent targets (directly or indirectly), and symlinks which will error with ELOOP if stat()ed.
Changing the behaviour of -e for non-resolving symlinks is almost certainly a Really Bad Idea: the existing behaviour of -e is doubtless relied on by a few million shellscripts, all more or less strongly bound to the idea that if -e returns true, there's Something There, and a strong expectation that the Something is stat()able rather than merely lstat()able.
But perhaps a small change to the venerable text of the sh, ksh, and /bin/test manpages might be in order? Some form of words like "exists (target exists if a symbolic link)" might capture the actual behaviour more accurately. Yes, it's a picky point - and one I wouldn't bother raising in the Linux world, where manpages are at best impressionistic; but the pithy clarity of OpenBSD manpages is a pearl beyond price, and thus worth cleaning of even small specks.
As far as testing in shell scripts whether 'things' are present - using [ -e $file -o -h $file ] catches the 'exists, maybe as a symlink which doesn't resolve' case; as could the use of stat(1) with suitable format-strings, -q, -L, and related incantatia... Cheers, Stefek
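The behaviour described in this post, as an added shell example that is not part of the original message: it builds a regular file, a dangling symlink and a symlink loop in a temporary directory, prints what -e and -h report for each, and wraps the post's "-e or -h" test in a helper used before creating a file. The function names (classify_path, path_occupied, safe_create, demo) and the file names are made up for this illustration.

```shell
#!/bin/sh
# Added illustration; helper names and file names are hypothetical.

# classify_path PATH
# Prints: missing | file | symlink | unresolved-symlink
# -h uses lstat() and sees the link itself; -e uses stat() and follows it,
# so -e is false for a dangling link or an ELOOP cycle.
classify_path() {
    if [ -h "$1" ]; then
        if [ -e "$1" ]; then
            echo "symlink"
        else
            echo "unresolved-symlink"
        fi
    elif [ -e "$1" ]; then
        echo "file"
    else
        echo "missing"
    fi
}

# path_occupied PATH
# True if the name is taken by anything at all, including a symlink that
# does not resolve. Same idea as [ -e $file -o -h $file ] from the post,
# written with || and quoting so odd file names cannot confuse test(1).
path_occupied() {
    [ -e "$1" ] || [ -h "$1" ]
}

# safe_create PATH
# Create an empty file only if the name is unused. A script that checked
# only -e would treat a dangling symlink as a free name and then write
# through it to wherever the link points.
safe_create() {
    if path_occupied "$1"; then
        return 1
    fi
    # noclobber (set -C): the redirection fails instead of truncating if a
    # regular file appeared between the check above and the open.
    ( set -C; : > "$1" ) 2>/dev/null
}

# demo: build the cases in a scratch directory and print one row per name.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/real"                      # ordinary file
    ln -s "$d/real" "$d/good"          # symlink that resolves
    ln -s "$d/nowhere" "$d/dangling"   # target does not exist
    ln -s loop_b "$d/loop_a"           # two links pointing at each other
    ln -s loop_a "$d/loop_b"
    for n in real good dangling loop_a absent; do
        if [ -e "$d/$n" ]; then e=true; else e=false; fi
        if [ -h "$d/$n" ]; then h=true; else h=false; fi
        printf '%-9s -e=%-5s -h=%-5s %s\n' \
            "$n" "$e" "$h" "$(classify_path "$d/$n")"
    done
    rm -rf "$d"
}

demo
```

The dangling and loop_a rows are the ones a script testing only -e would misjudge as free names.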
Re: Microsoft gets the Most Secure Operating Systems award
On 22/03/07, Marc Espie [EMAIL PROTECTED] wrote:
On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
Their challenge is that they need to provide choice so they have what they call reasonable defaults.
No, they don't need to provide choice. At least not that many. They decide to do so. That's most of what's wrong with OS stuff these days. Too many choices. Too many knobs. Every day, I see people shoot themselves in the foot, not managing to administer boxes and networks in a simple way, making stupid decisions that don't serve any purpose. ACL, enforced security policies, reverse proxy setups, user accounts, network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs... so many choices. So many wrong choices.
Multiple user accounts and a journalling facility on a filesystem == wrong: Interesting perspective.
At some point, the people who package the software need to make editorial decisions. Remove knobs. Provide people with stuff that just works. Remove options. Or definitely give them the means to do the trade-off correctly. Okay, it's a losing battle. I'm an old grumpy fart. Okay, a lot of IT people are just earning their wages by managing the incredibly too complex setups we face nowadays (and not screwing too badly in front of a multitude of stupid inane choices). Linux is the `culture of choice'. Provide ten MTA, ten MUA. Twenty window managers. Never decide which one you want to install, never give you a default installation that just works. Cater to the techy, nerdy culture of people who want to spend *days* just making choices.
Wrong. Unix is the culture of choice, and that includes Linux and OpenBSD. It's been the same ever since Berkeley included csh. That, by the way, is why YOU have the option to run OpenBSD, and others have the option to run Linux.
We try not to be as bad, to provide default configs that work, and not so many choices.
I was happy with the choices in Linux ten years ago. Some still aren't happy with it. That's the nature of people these days. If you want to try to change their behaviour you have to provide for them in the meantime. Jeff
-- Q: What will happen in the Aftermath? A: Impossible to tell, since we're still in the Beforemath. http://latedeveloper.org.uk
Re: Microsoft gets the Most Secure Operating Systems award
On 3/22/07, Jeff Rollin [EMAIL PROTECTED] wrote:
On 22/03/07, Marc Espie [EMAIL PROTECTED] wrote:
On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
Their challenge is that they need to provide choice so they have what they call reasonable defaults.
No, they don't need to provide choice. At least not that many. They decide to do so. That's most of what's wrong with OS stuff these days. Too many choices. Too many knobs. Every day, I see people shoot themselves in the foot, not managing to administer boxes and networks in a simple way, making stupid decisions that don't serve any purpose. ACL, enforced security policies, reverse proxy setups, user accounts, network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs... so many choices. So many wrong choices.
Multiple user accounts and a journalling facility on a filesystem == wrong: Interesting perspective.
At some point, the people who package the software need to make editorial decisions. Remove knobs. Provide people with stuff that just works. Remove options. Or definitely give them the means to do the trade-off correctly. Okay, it's a losing battle. I'm an old grumpy fart. Okay, a lot of IT people are just earning their wages by managing the incredibly too complex setups we face nowadays (and not screwing too badly in front of a multitude of stupid inane choices). Linux is the `culture of choice'. Provide ten MTA, ten MUA. Twenty window managers. Never decide which one you want to install, never give you a default installation that just works. Cater to the techy, nerdy culture of people who want to spend *days* just making choices.
Wrong. Unix is the culture of choice, and that includes Linux and OpenBSD.
How many MTAs, MUAs, http servers, text editors, DNS servers, FTP servers, etc. are included with OpenBSD? Greg
Re: Saving memory on small machines
Miod Vallat wrote: [...] I am not aware of anyone working on running OpenBSD on the NSLU2, but if you want a nice pet project to spend time on, NetBSD runs on it and porting their code should be relatively easy to do. Of course this won't help with the fact that the NSLU2 is horribly slow (it's not nicknamed ``slug'' without a good reason). There's a simple hardware mod you can do with a pair of nail clippers that removes the single resistor that's underclocking it to 133MHz. Then it runs twice as fast, at a semi-respectable 266. It's still not going to win any records, but it's more than adequate as a house router. I have had a bit of a look at the NetBSD version, but to be totally honest, all the BSDs are so similar that I don't want to look too hard unless it confuses me. My BSD-fu is certainly not sufficient to port OpenBSD myself. -- http://www.cowlark.com I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone. --- Bjarne Stroustrup
isakmpd gateway-to-gateway VPN woes...
If you can help, please feel free to CC: me directly: [EMAIL PROTECTED]
My partner-in-crime and I are having some trouble getting a LAN-to-LAN VPN working with OpenBSD-4.0-stable isakmpd. Both firewalls have a relatively unaltered install. Both firewalls still have pf, ipsec and isakmpd_flags unset in rc.conf (we are configuring and starting manually - is this a problem?). We have followed the directions from the Zero to IPSec on 4 minutes webpage. I hope that this error report is thorough.
Here is a picture of the configuration:
                 10.0.0.2/24 --- 10.0.0.1/24
L1                    F1             F2                    L2
10.4.14.1 --- 10.4.12.1/22         10.2.12.1/22 --- 10.2.14.1
L1,L2 - laptops
F1,F2 - Soekris net4801 firewalls
What works:
L1-F1 lan communication
L2-F2 lan communication
F1-F2 lan communication
F1-F2 IPSec communication (evidenced by F1 running ping 10.0.0.1 and seeing only esp packets in tcpdump)
What doesn't work:
F1-L2 gateway'd VPN
F2-L1 gateway'd VPN
L1-L2 gateway-to-gateway'd VPN
What is interesting is that the routing tables have a section named Encap: that seem to contain valid routes for the flows that do not work above, but when attempting to use ping on addresses on a broken flow we get No route to host. This has got to be something simple. Thanks in advance for your help.
Here are the pf.conf files from both firewalls:
### F1: pf.conf ###
# jack
ext_if=sis0
int_if=sis1
set skip on { lo $int_if enc0 }
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass quick on $ext_if from 10.0.0.1
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
### F2: pf.conf ###
# sabino
ext_if=sis0
int_if=sis1
set skip on { lo $int_if enc0 }
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block in
pass quick on $ext_if from 10.0.0.2
pass out keep state
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
## F1: ipsec.conf ##
# jack to sabino
sabino_ext = 10.0.0.1
sabino_int = 10.2.12.0/22
jack_ext = 10.0.0.2
jack_int = 10.4.12.0/22
ike esp from $jack_int to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_int peer $sabino_ext
ike esp from $jack_ext to $sabino_ext
## F2: ipsec.conf ##
# sabino to jack
sabino_ext=10.0.0.1
sabino_int=10.2.12.0/22
jack_ext=10.0.0.2
jack_int=10.4.12.0/22
ike passive esp from $sabino_int to $jack_int peer $jack_ext
ike passive esp from $sabino_ext to $jack_int peer $jack_ext
ike passive esp from $sabino_ext to $jack_ext
### F1: What isakmpd says after running ipsecctl -f /etc/ipsec.conf ###
# isakmpd -K -d -v
164953.991350 Default isakmpd: phase 1 done: initiator id 0a02: 10.0.0.2, responder id 0a01: 10.0.0.1, src: 10.0.0.2 dst: 10.0.0.1
164955.074708 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
164955.283055 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
164955.652188 Default isakmpd: quick mode done: src: 10.0.0.2 dst: 10.0.0.1
165058.199701 Default isakmpd: shutting down...
165058.219397 Default isakmpd: exit
### F2: What isakmpd says after running ipsecctl -f /etc/ipsec.conf ###
# isakmpd -K -d -v
171251.878157 Default isakmpd: phase 1 done: initiator id 0a02: 10.0.0.2, responder id 0a01: 10.0.0.1, src: 10.0.0.1 dst: 10.0.0.2
171253.351373 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171253.557425 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171253.566780 Default isakmpd: quick mode done: src: 10.0.0.1 dst: 10.0.0.2
171356.739110 Default isakmpd: shutting down...
171356.741411 Default isakmpd: exit
## F1: routing table after isakmpd negotiates tunnels ##
# ipsecctl -f /etc/ipsec.conf
# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
10.0.0/24 link#1 UC 10 - sis0
10.0.0.1 00:00:24:c8:1d:60 UHLc2 125 - sis0
10.4.12/22 link#2 UC 10 - sis1
10.4.14.1 00:e0:00:c2:6e:2c UHLc4 644 - sis1
10.4.16/22 link#3 UC 00 - sis2
127/8 127.0.0.1 UGRS00 33224 lo0
127.0.0.1 127.0.0.1 UH 14 33224 lo0
224/4 127.0.0.1 URS 00 33224 lo0
Internet6:
...abbreviated - irrelevant...
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
10.0.0.1/320 10.0.0.2/320 0
Running OpenOffice on OpenBSD-How do I start it?
First, I am an absolute newbie. I purchased the OpenBSD 4.0 CDs and got it loaded and running and successfully added the Samba and KDE packages. Installing OpenOffice and getting mail working are my next two projects with it. I am running an i386 machine with a 1.2 GHz AMD Athlon processor.

To load OpenOffice with linux emulation I went to http://www.xs4all.nl/~hanb/documents/openoffice_on_openbsd.html

Running OpenOffice on OpenBSD

First, edit /etc/fstab and add:

/proc /proc procfs rw,linux 0 0

I did that and everything was fine. Next step:

Then create /proc and mount it:

mkdir /proc
mount /proc

I got the directory made all right, in /. Was I supposed to create it in /etc? Mount /proc gave me the following error:

fstab: /etc/fstab: Inappropriate file type or format

(line repeats once)

/proc is now full of numbers in mostly 5 character groups with cpuinfo, curproc, meminfo, and self on the right hand side of the numbers. It looks like a table. I would cut and paste but I do not have mail set up yet. I am a newbie so every step is hard and I wanted OpenOffice first.

Working on the assumption that mount /proc worked, even with the error message, I continue on. I get all done and have it installed in /opt/openoffice.org2.1

Where do I go to start it and how do I get it into applications on the K Menu? I don't have a Start OpenOffice.org icon or anything.

Please and thank you.
Re: isakmpd gateway-to-gateway VPN woes...
Do your firewalls forward ip 4?

sysctl net.inet.ip.forwarding=1

Jack Bates wrote:
> If you can help, please feel free to CC: me directly: [EMAIL PROTECTED]
>
> My partner-in-crime and I are having some trouble getting a LAN-to-LAN VPN working with OpenBSD-4.0-stable isakmpd. Both firewalls have a relatively unaltered install. Both firewalls still have pf, ipsec and isakmpd_flags unset in rc.conf (we are configuring and starting manually - is this a problem?). We have followed the directions from the Zero to IPSec on 4 minutes webpage. I hope that this error report is thorough.
>
> Here is a picture of the configuration:
>
>               10.0.0.2/24 --- 10.0.0.1/24
> L1          F1                          F2          L2
> 10.4.14.1 --- 10.4.12.1/22    10.2.12.1/22 --- 10.2.14.1
>
> L1,L2 - laptops
> F1,F2 - Soekris net4801 firewalls
>
> What works:
> L1-F1 lan communication
> L2-F2 lan communication
> F1-F2 lan communication
> F1-F2 IPSec communication (evidenced by F1 running ping 10.0.0.1 and seeing only esp packets in tcpdump)
>
> What doesn't work:
> F1-L2 gateway'd VPN
> F2-L1 gateway'd VPN
> L1-L2 gateway-to-gateway'd VPN
>
> What is interesting is that the routing tables have a section named Encap: that seem to contain valid routes for the flows that do not work above, but when attempting to use ping on addresses on a broken flow we get No route to host. This has got to be something simple.
>
> Thanks in advance for your help.
Re: Saving memory on small machines
On Thu, Mar 22, 2007 at 04:42:57PM -0500, David Terrell wrote:
> On Thu, Mar 22, 2007 at 01:29:33PM -0700, Ted Unangst wrote:
> > On 3/22/07, Douglas Allan Tutty [EMAIL PROTECTED] wrote:
> > > Or is it that strip -s removes all symbols and it was only intended to remove the debug symbols. The libs won't work?
> >
> > yes, libs without symbols aren't especially useful for future development.
>
> Also, stripping static libs has ZERO impact on your installed system, it only affects things you compile from source on that box. (and, as you mention -- negatively).

So the laugh was that the poor fellow has hosed his machine and won't know it until the next time he has to compile a patch? Sort of like /bin/rm -rf / instead of rm -f /bin/laden?

Doug.
Re: Microsoft gets the Most Secure Operating Systems award
On 3/22/07, Bob Beck [EMAIL PROTECTED] wrote:
> snip
> from a vegetarian at that.

The fallacy that is this clause undermines your broader argument. Promise yourself not to spread such falsity again, and you will be well served.

-Todd
CARP flip flop problems
Hi,

We're running carp on two OpenBSD 4.0 routers on vlan interfaces and we're observing a state change from backup to master to backup on the host that should stay as the backup. This happens periodically and adjusting the advbase and advskew seems to have no effect apart from adjusting the periodicity of the state change. Here's what a tcpdump looks like:

17:26:35.892363 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:36.902391 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:37.248384 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=2 advskew=100 demote=0 (DF) [tos 0x60]
17:26:37.248387 0:0:5e:0:1:2 33:33:0:0:0:12 86dd 90: fe80::211:43ff:fecd:3cbe ff02::12: ip-proto-112 36 [class 0x60]
17:26:37.912426 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:38.922447 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:39.932482 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:40.942505 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:41.952534 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:42.962565 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:43.972590 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:44.318530 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=2 advskew=100 demote=0 (DF) [tos 0x60]
17:26:44.318534 0:0:5e:0:1:2 33:33:0:0:0:12 86dd 90: fe80::211:43ff:fecd:3cbe ff02::12: ip-proto-112 36 [class 0x60]
17:26:44.982625 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:45.992650 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:47.002679 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:48.012707 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]

You can see when the state change happens. The backup host advertises with advskew of 100, advbase of 2 and promptly decides it's the master until the next advertisement arrives from the machine that really should be the master. The backup also issues a CARP IPv6 announcement, which is strange because we don't have IPv6 configured. It's also random, i.e. after a reboot of either of the routers it might work fine, but one of the other carp instances might start misbehaving in the same way (we have 3 configured altogether). When carp is working fine, there are no IPv6 announcements. pf is explicitly set to allow carp on the interfaces concerned.

Has anyone else seen this before? It's times like this I wish CARP was actually documented in some sort of RFC type fashion :)

Regards,
Nigel
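The flip-flop described in the message above can be picked out of a capture mechanically. The following is an added example, not code from the thread: it reads tcpdump lines in the format shown in the post, tells the two senders apart by their advbase/advskew pair (both use the same virtual MAC), and reports every advertisement sent by the non-preferred host while the preferred master was still advertising. The function names and the `alive_factor` threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines copied from the capture in the post. No source IP is shown and both
# routers send from the shared virtual MAC, so the sender is identified by
# its advbase/advskew pair, as the poster did by eye.
CAPTURE = """\
17:26:35.892363 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:36.902391 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:37.248384 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=2 advskew=100 demote=0 (DF) [tos 0x60]
17:26:37.248387 0:0:5e:0:1:2 33:33:0:0:0:12 86dd 90: fe80::211:43ff:fecd:3cbe ff02::12: ip-proto-112 36 [class 0x60]
17:26:37.912426 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:38.922447 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:39.932482 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:40.942505 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:41.952534 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:42.962565 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:43.972590 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:44.318530 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=2 advskew=100 demote=0 (DF) [tos 0x60]
17:26:44.318534 0:0:5e:0:1:2 33:33:0:0:0:12 86dd 90: fe80::211:43ff:fecd:3cbe ff02::12: ip-proto-112 36 [class 0x60]
17:26:44.982625 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
17:26:45.992650 0:0:5e:0:1:2 1:0:5e:0:0:12 0800 70: CARPv2-advertise 36: vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10]
"""

ADVERT = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) .*CARPv2-advertise \d+: "
    r"vhid=(\d+) advbase=(\d+) advskew=(\d+)"
)


def parse(capture):
    """Yield (seconds, stamp, vhid, (advbase, advskew)) per decoded advertisement."""
    for line in capture.splitlines():
        m = ADVERT.match(line)
        if m is None:
            continue  # e.g. the undecoded ip-proto-112 IPv6 lines
        hh, mm, ss, vhid, base, skew = m.groups()
        seconds = int(hh) * 3600 + int(mm) * 60 + float(ss)
        yield seconds, line.split()[0], int(vhid), (int(base), int(skew))


def advert_interval(profile):
    """Seconds between advertisements: advbase plus advskew/256."""
    base, skew = profile
    return base + skew / 256.0


def find_takeovers(capture, alive_factor=3):
    """Advertisements from a non-preferred sender while the preferred master
    of the same vhid was heard within alive_factor of its own intervals."""
    by_vhid = defaultdict(list)
    for seconds, stamp, vhid, profile in parse(capture):
        by_vhid[vhid].append((seconds, stamp, profile))

    events = []
    for vhid, ads in sorted(by_vhid.items()):
        ads.sort()
        # The sender with the shortest interval is the one that should be MASTER.
        preferred = min({p for _, _, p in ads}, key=advert_interval)
        master_times = [t for t, _, p in ads if p == preferred]
        for t, stamp, profile in ads:
            if profile == preferred:
                continue
            earlier = [m for m in master_times if m <= t]
            later = [m for m in master_times if m > t]
            if not earlier:
                continue  # master not seen yet, nothing to contest
            since = t - earlier[-1]
            if since > alive_factor * advert_interval(preferred):
                continue  # master had gone quiet: an ordinary failover
            events.append({
                "vhid": vhid, "stamp": stamp, "time": t, "profile": profile,
                "since_master": since,
                "until_master": later[0] - t if later else None,
            })
    return events


def takeover_gaps(events):
    """Seconds between consecutive contested takeovers of the same vhid."""
    last, gaps = {}, []
    for e in events:
        if e["vhid"] in last:
            gaps.append(e["time"] - last[e["vhid"]])
        last[e["vhid"]] = e["time"]
    return gaps


if __name__ == "__main__":
    found = find_takeovers(CAPTURE)
    for e in found:
        print("vhid %d: %s sender advbase=%d advskew=%d, %.3fs after master"
              % (e["vhid"], e["stamp"], *e["profile"], e["since_master"]))
    print("seconds between takeovers:", ["%.3f" % g for g in takeover_gaps(found)])
```

Run against a longer capture, the gap list shows whether the takeover period tracks changes to advbase and advskew, which is the behaviour the poster reports.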
zaurus bootstrapping
So I picked up my shiny 6gig zaurus from the post office today (glee!) and I'm preparing to blow away the terribly primitive UI that comes with it and make it an awesome OpenBSD-in-my-pocket; but I have a few questions. This isn't entirely on-topic, but google hasn't helped. Please, feel free to direct me elsewhere.

-I've discovered that the power button is really a standby button, like on Palms. However, I did `shutdown -h now` from the shell and afterwards it wouldn't turn back on. In order to make it come back I had to take off the battery cover, press the reset button, take out the battery, and put everything back. Is it like this under OpenBSD too? Is taking out the battery really a necessary step (it wouldn't turn on until after I did that, but perhaps it was actually just that the battery lock switch was 'open' that it was rejecting)?

-I don't have a CF Wifi card yet, so I'll be installing from the harddrive. However, I want to blow away the partition table and set it up nicely. I'm not sure if this is logistically possible. What have other people done? I thought, perhaps I could put the install sets on an SD card but does the ramdisk kernel have support for that compiled in?

-How do you people with zaurii trade data from them with other computers? Purely over the network? With SD cards? USB hubs + thumbdrives?

Thanks in advance,
~Nick (so excited)
HP SA P400/P800 ciss support and caveats
Hello guys,

We are looking to buy an HP ProLiant DL320s server with about 5-8 terabytes of storage and Smart Array P400 or P800 for backup purposes. According to www.openbsd.org/cgi-bin/man.cgi?query=ciss&arch=i386&sektion=4 it should be supported in -current, but the current code only supports one logical volume per controller. This scared me because according to the FAQ there is a 1T limit on the size of the physical disk, but I need to utilize much more.

What does logical volume mean here - RAID set or LUN? In other words, is there any way to use that storage with OBSD?

--
Best regards,
Boris mailto:[EMAIL PROTECTED]
Re: zaurus bootstrapping
> -I've discovered that the power button is really a standby button, like on Palms. However, I did `shutdown -h now` from the shell and afterwards it wouldn't turn back on. In order to make it come back I had to take off the battery cover, press the reset button, take out the battery, and put everything back. Is it like this under OpenBSD too?

Not exactly. But you will find you take the battery out once in a while for problems just like this. It is a problem with all soft-power-button devices, I suppose.

> Is taking out the battery really a necessary step (it wouldn't turn on until after I did that, but perhaps it was actually just that the battery lock switch was 'open' that it was rejecting)?

That switch must be closed for it to power on.

> -I don't have a CF Wifi card yet, so I'll be installing from the harddrive. However, I want to blow away the partition table and set it up nicely. I'm not sure if this is logistically possible. What have other people done? I thought, perhaps I could put the install sets on an SD card but does the ramdisk kernel have support for that compiled in?

A wide variety of USB peripherals are supported, but you will need the additionally-purchased host USB cable and potentially a powered hub, since the zaurus does not supply a lot of power on the USB port. As well, in recent code it is also possible to use cdcef -- using the slave USB cable that is included another machine will see it as a network device.

The SD support is brand new, post-4.1 code, and still has issues. I would be cautious with that.

> -How do you people with zaurii trade data from them with other computers? Purely over the network? With SD cards? USB hubs + thumbdrives?

We sync our repositories and commit over wireless we find in the bars where we drink, of course.
Re: zaurus bootstrapping
On 3/22/07, Nick ! [EMAIL PROTECTED] wrote:
> -I've discovered that the power button is really a standby button, like on Palms. However, I did `shutdown -h now` from the shell and afterwards it wouldn't turn back on. In order to make it come back I had to take off the battery cover, press the reset button, take out the battery, and put everything back. Is it like this under OpenBSD too? Is taking out the battery really a necessary step (it wouldn't turn on until after I did that, but perhaps it was actually just that the battery lock switch was 'open' that it was rejecting)?

man zkbd
http://www.openbsd.org/cgi-bin/man.cgi?query=zkbd&arch=zaurus

> -I don't have a CF Wifi card yet, so I'll be installing from the harddrive. However, I want to blow away the partition table and set it up nicely. I'm not sure if this is logistically possible. What have other people done? I thought, perhaps I could put the install sets on an SD card but does the ramdisk kernel have support for that compiled in?

you can install from an ms-dos formatted CF card.

read the INSTALL.zaurus file. carefully. several times. carefully. several times.

think long and hard before you trash the partition table. hint: you don't want to use the whole disk for openbsd.

> -How do you people with zaurii trade data from them with other computers? Purely over the network? With SD cards? USB hubs + thumbdrives?

ethernet or wi-fi.
CF cards. usb sticks. you could probably use the usb-client ethernet emulation (man cdce cdcef)
sd cards are close, but not quite there yet

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: zaurus bootstrapping
On 3/22/07, Chris Kuethe [EMAIL PROTECTED] wrote:
> man zkbd
> http://www.openbsd.org/cgi-bin/man.cgi?query=zkbd&arch=zaurus

Thanks for the tip, but that only talks about when the zaurus is on. I'd turned it completely off. I'm hoping it was just a fluke though.

> > -I don't have a CF Wifi card yet[...]
>
> you can install from an ms-dos formatted CF card.

Don't have one. But I suppose I'll be hitting the stores soon for some sort of supplies to do this.

> read the INSTALL.zaurus file. carefully. several times. carefully. several times.

:)

> think long and hard before you trash the partition table. hint: you don't want to use the whole disk for openbsd.

I don't? I mean, I know to save the first few sectors for the partition table, but isn't the rest fair game?

> > -How do you people with zaurii trade data from them with other computers? Purely over the network? With SD cards? USB hubs + thumbdrives?
>
> ethernet or wi-fi.

With a USB ethernet card?

> CF cards. usb sticks. you could probably use the usb-client ethernet emulation (man cdce cdcef)

The one you need the special driver on Windows for?

> sd cards are close, but not quite there yet

Thank you and Theo for your quick replies.

-Nick
Re: Microsoft gets the Most Secure Operating Systems award
On 23/03/2007, at 3:19 AM, Lars D. Noodin wrote:
> Symantic makes its living selling paper bailing cups in a leaky boat. ;-)
>
> The media actively participates in obfuscating the issues, the causes and the solutions by publicizing such crap from Symantic and MS.

Yes. Symantec make their money from a long-term open wound. Symantec then provides creative research that makes that open wound look best. Talk about a conflict of interest.

Symantec have been trying to demonise OS X for a long while.

Shane J Pearson
shanejp netspace net au
Re: Microsoft gets the Most Secure Operating Systems award
> Symantec have been trying to demonise OS X for a long while.

And it is going to work soon.

Because OS X has no Propolice-like compiler stack protection, nor anything like W^X which makes parts of the address space non-executable, nor anything like address space randomization which makes certain attacks very difficult, especially with the previous two techniques.

So when they have a bug, it is exploitable just like bugs are on any other powerpc or i386 machine running some other operating system.

These days even operating systems like Vista have the above 3 security technologies.

But can we get back to OpenBSD discussions?
OpenBSD webserver partitioning schemes
I'm not too knowledgeable in the security arena so this question may prompt flogging. My server has three hard drives, one contains the OpenBSD system and the other two are blank and will be a raid mirror of the /var/www directory. Is it wise to give over the entire drive for the mount point /var/www or should I not be assigning mount points to entire drives?
Re: Microsoft gets the Most Secure Operating Systems award
On 3/22/07, Marc Espie [EMAIL PROTECTED] wrote:
> On Thu, Mar 22, 2007 at 03:28:29PM -0400, Douglas Allan Tutty wrote:
> > Their challenge is that they need to provide choice so they have what they call reasonable defaults.
>
> No, they don't need to provide choice. At least not that many. They decide to do so. That's most of what's wrong with OS stuff these days. Too many choices. Too many knobs. Every day, I see people shoot themselves in the foot, not managing to administer boxes and networks in a simple way, making stupid decisions that don't serve any purpose. ACL, enforced security policies, reverse proxy setups, user accounts, network user groups, PAM, openldap, reiserfs, ext3fs, ext2fs... so many choices. So many wrong choices.
>
> At some point, the people who package the software need to make editorial decisions. Remove knobs. Provide people with stuff that just works. Remove options. Or definitely give them the means to do the trade-off correctly.
>
> Security comes from this. As Bruce Schneier and Niels Ferguson write in ``Practical Cryptography'', on page 12, ``There are no complex systems that are secure. Complexity is the worst enemy of security, and it almost always comes in the form of features or options.''
>
> We try not to be as bad, to provide default configs that work, and not so many choices. Again, from the same book, ``One of the things we have tried to do in this book is to define simple interfaces for cryptographic primitives. No features, no options, no special cases, no extra things to remember.''

The fact that an OpenBSD system is secure out of the box is the main reason I started using it.
Request for links to BSD administration docs
Hello,

I'm considering moving my 486 from Debian to OpenBSD. I haven't the money to spend on a new e.g. UNIX System Administration. 4.4 BSD System Manager's Manual is out of print. I haven't been able to google anything freely available on the internet. My local library has had their only UNIX book stolen (not by me).

Since BSD came from a university, did they ever publish under the BSD licence a SMM, and if so is it available free anywhere? Is there a BSD repository of free documents similar to IBM's for AIX?

I've got the basic Linux CLI admin skills. What I'm looking for is indoctrination into the BSD way of doing things and the wisdom behind it. I'm looking for a bit of the historical culture; the wisdom of ages past.

As a simple example. I'm used to Debian where updates can happen without disturbing users (clones of myself mostly). On a new fast box, one can build a patch in a short time, but then the system has to be brought down, install the patch, then bring it back up. In years past, how did a sysadmin with one VAX handle that? Take the computer off line at 1700, do the build, install, and hope to have everything back up by 0800?

I figure that if I get an old BSD book and combine it with the OpenBSD FAQ plus man pages, I'll be off to a good start.

I'm not, as someone here referred to themselves as, an old fart. I'm not _that_ old (40), but I don't want a book that starts off "Click on". I wouldn't mind one that starts "Turn on your terminal and hit enter".

Thanks,
Doug.
Re: Request for links to BSD administration docs
On 3/22/07, Douglas Allan Tutty [EMAIL PROTECTED] wrote:
> I figure that if I get an old BSD book and combine it with the OpenBSD FAQ plus man pages, I'll be off to a good start.

If you know your way around Linux just start with the FAQ and manpages. That's what I started with and the FAQ is even better now than when I started. You can supplement with the books at the top of this page: http://openbsd.org/books.html when you feel like delving deeper.

Greg
Re: Request for links to BSD administration docs
On Thu, Mar 22, 2007 at 11:30:06PM -0400, Douglas Allan Tutty wrote:
> Hello,
>
> I'm considering moving my 486 from Debian to OpenBSD. I haven't the money to spend on a new e.g. UNIX System Administration. 4.4 BSD System Manager's Manual is out of print. I haven't been able to google anything freely available on the internet. My local library has had their only UNIX book stolen (not by me).
>
> Since BSD came from a university, did they ever publish under the BSD licence a SMM, and if so is it available free anywhere? Is there a BSD repository of free documents similar to IBM's for AIX?
>
> I've got the basic Linux CLI admin skills. What I'm looking for is indoctrination into the BSD way of doing things and the wisdom behind it. I'm looking for a bit of the historical culture; the wisdom of ages past.
>
> As a simple example. I'm used to Debian where updates can happen without disturbing users (clones of myself mostly). On a new fast box, one can build a patch in a short time, but then the system has to be brought down, install the patch, then bring it back up. In years past, how did a sysadmin with one VAX handle that? Take the computer off line at 1700, do the build, install, and hope to have everything back up by 0800?
>
> I figure that if I get an old BSD book and combine it with the OpenBSD FAQ plus man pages, I'll be off to a good start.

Since you've already found the FAQ, you've got a good start. Add the Books that help page. If you don't have much money to spend, look for them used. I've got both Building Firewalls with OpenBSD and PF by Jacek Artymiak, and Secure Architectures with OpenBSD by Palmer and Nazario. Both are good, both walk you through quite a bit from installing to typical administration, and a bit of history thrown in. Though I knew most of what was in both books, I learned more than a few things I'm glad to know.

As for your simple example above, I've seen more than once someone talk about bringing a box down for extended periods to update. I just don't get that. It's easy enough to update sources or apply the patch and rebuild while the system is up. Sure, it can add a lot of load, but OpenBSD is fairly stable under load in terms of still serving web pages, or doing mail, etc. Then the only total downtime is during reboot if you've updated the kernel, or restart time on daemons if you've only updated userland.

Last, but not least, check for a user group in your area! Also check out http://metabug.org/, where you can get streaming and recorded presentations (one coming in a week).

--
Darrin Chandler | Phoenix BSD Users Group
[EMAIL PROTECTED] | http://bsd.phoenix.az.us/
http://www.stilyagin.com/darrin/ |
Re: zaurus bootstrapping
On 3/22/07, Theo de Raadt [EMAIL PROTECTED] wrote:
> > -How do you people with zaurii trade data from them with other computers? Purely over the network? With SD cards? USB hubs + thumbdrives?
>
> We sync our repositories and commit over wireless we find in the bars where we drink, of course.

Good to know.

Another semi-offtopic question: I assume the IR port works via com(4) like on my laptop, and so I could transfer data to and from my laptop, but what about IrDA? There's mention of some birda package from 2002 in the archives

Is there any way to control the backlight? I don't see in the manpages any reference to it, but maybe I'm looking in the wrong places.

What's the upgrading procedure? Is it something like: put bsd.rd on the / filesystem somewhere and the filesets somewhere (else), reboot, at boot type the path to the upgrade kernel?

-Nick
Re: IPsec gone asymmetric
On Thu, 22 Mar 2007 05:30:45 -0600, Jacob Yocom-Piatt wrote:
> RW wrote:
> > I have a simple setup. Sydney to Melbourne and the ipsec.conf is one of the nice easy ones whilst I learn to do more complex setups. It has been working for months.
> >
> > Today doing ipsecctl -s all at either end generates the expected output. Each is a mirror of the other. netstat -rnf encap shows expected output at both ends. Again mirrors of the other.
> >
> > However sshing into each and doing a traceroute to t'other end gives madly asymmetric results. With the distant gateway as the target Syd gets to Mel in one hop, as expected. Mel gets to Syd going out the $ext_if rather than the encap. As the LANs are RFC1918s Mel cannot get to Syd but Syd can get to Mel.
>
> i wouldn't expect you to have a route not set on the isakmpd endpoints, but i have a route add remote net internal private IP in the hostname.if files for the internal interfaces on both endpoints. that's the only thing i can think of that would work for a while (manually added routes) and then stop working after, say, a reboot of one endpoint.

No, not the problem here. It works without any extra route lines, but read the update at the bottom of the quoted stuff.

> cheers,
> jake
>
> > Killing (desperation set in) isakmpd and restarting both ends did nothing to change the situation.
> >
> > What kind of diagnostics can I use to debug this? Extra points for a correct guess as to the cause all this time after installation.
> >
> > Thanks,

OK, a night's sleep led to an early morning Eureka moment. I should have said What changed? and I did. The mistake that dummy me made was not to consider a change made ages ago. That change did not break ipsec for the clients but did for the firewall endpoint at one end.

For the benefit of others here is the detail:

Originally Mel (bourne) was on an ADSL connection running half-bridge so the OpenBSD firewall had the WAN IP on $ext_if and the first (usable) of a /29 on the server LAN NIC.

Due to problems with the modem we swapped it out for one that does not do half-bridge. So I gave $ext_if 192.168 addr to mate with the one on the modem. I then did all the NAT stuff based on $svrlan_if e.g.

nat on $ext_if from $fwext to any -> $svr_if
nat on $ext_if from $lan_ip to any -> $svr_if

where fwext is the IP on $ext_if and lan_ip is the /24 for the LAN users. So all outbound packets look like they come from the svr_lan nic. That works sweetly and I have a similar setup at home. Neither of those has the /30 that would be preferred to make everything work but that's IP scarcity for you.

So ipsec works just fine for everything on Mel and its mate, Syd. Except for packets I generated at Mel using ssh login. Until I woke up and used the -I flag in ping and the -s flag in traceroute to source the packets from the svrlan_if address, that is.

I don't know what, if anything, can be done to ensure that packets generated in the firewall Mel can be forced to use the tunnel when the destination is Syd, but it isn't a showstopper (fingers crossed!)

So, there was a change ages ago and I had never after it, until now, tried to ping up the tunnel from the firewall so I didn't know that it was kinda broken, and if anybody knows how to unbreak it I'll be pleased just in case

Thanks Jacob for your reply.

Rod/
From the land down under: Australia.
Do we look umop apisdn from up over?
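A simplified model of why the firewall's own packets missed the tunnel until the source address was forced, as described in the message above. This is an added example, not from the thread: every address, route and flow below is constructed (the post gives none), and source selection is reduced to "the address of the outgoing interface".

```python
import ipaddress

# Constructed addressing for a firewall laid out like "Mel" in the post:
# a private address facing the modem and a routed /29 on the server LAN.
IF_ADDR = {
    "ext_if": ipaddress.ip_address("192.168.1.2"),
    "svrlan_if": ipaddress.ip_address("203.0.113.1"),
    "lan_if": ipaddress.ip_address("10.1.1.1"),
}

# (destination network, outgoing interface); the default route points at the modem.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "ext_if"),
    (ipaddress.ip_network("203.0.113.0/29"), "svrlan_if"),
    (ipaddress.ip_network("10.1.1.0/24"), "lan_if"),
]

# Outbound IPsec flows as (source network, destination network). Assumed:
# the server LAN and the user LAN are tunnelled to the remote LAN 10.2.2.0/24,
# and no flow covers the 192.168 address on ext_if.
FLOWS = [
    (ipaddress.ip_network("203.0.113.0/29"), ipaddress.ip_network("10.2.2.0/24")),
    (ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.2.2.0/24")),
]


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the outgoing interface."""
    matches = [(net, ifname) for net, ifname in ROUTES if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def matching_flow(src, dst):
    """Return the first flow whose source AND destination both match."""
    for src_net, dst_net in FLOWS:
        if src in src_net and dst in dst_net:
            return (src_net, dst_net)
    return None


def send(dst, src=None):
    """Return (source address used, 'tunnel' or the clear-text interface).

    With src=None the packet is generated on the firewall and takes the
    address of the interface the route points at. Passing src models
    ping -I / traceroute -s, or a packet forwarded for a LAN client.
    """
    dst = ipaddress.ip_address(dst)
    out_if = route_lookup(dst)
    src = ipaddress.ip_address(src) if src else IF_ADDR[out_if]
    return str(src), ("tunnel" if matching_flow(src, dst) else out_if)


if __name__ == "__main__":
    remote = "10.2.2.10"  # constructed host on the remote LAN
    print("firewall, default source:", send(remote))
    print("firewall, forced source: ", send(remote, src="203.0.113.1"))
    print("LAN client forwarded:    ", send(remote, src="10.1.1.50"))
```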
Re: Request for links to BSD administration docs
On Thu, Mar 22, 2007 at 09:00:01PM -0700, Darrin Chandler wrote:

> On Thu, Mar 22, 2007 at 11:30:06PM -0400, Douglas Allan Tutty wrote:
>> I'm considering moving my 486 from Debian to OpenBSD. I haven't the money to spend on a new e.g. UNIX System Administration. 4.4 BSD System Manager's Manual is out of print. I haven't been able to google anything freely available on the internet. My local library has had their only UNIX book stolen (not by me).
>>
>> I figure that if I get an old BSD book and combine it with the OpenBSD FAQ plus man pages, I'll be off to a good start.
>
> As for your simple example above, I've seen more than once someone talk about bringing a box down for extended periods to update. I just don't get that. It's easy enough to update sources or apply the patch and rebuild while the system is up. Sure, it can add a lot of load, but OpenBSD is fairly stable under load in terms of still serving web pages, or doing mail, etc. Then the only total downtime is during reboot if you've updated the kernel, or restart time on daemons if you've only updated userland.

Sounds similar to debian which also has to reboot a new kernel. Do you run the rebuild niced?

However, is it correct that when a new release comes out every six months, you have to reboot into that? How long does an upgrade from one release to the next take?

Thanks for your suggestions re used books. I'll try some of Kingston's used book stores and see what I can get at the Queen's book store.

Doug.
Re: zaurus bootstrapping
On Thu, 22 Mar 2007, Nick ! wrote:

> On 3/22/07, Chris Kuethe [EMAIL PROTECTED] wrote:
>> think long and hard before you trash the partition table. hint: you don't want to use the whole disk for openbsd.
>
> I don't? I mean, I know to save the first few sectors for the partition table, but isn't the rest fair game?

I don't have one of these, but I believe he was talking about the question the install script asks. In other words, say no to use the whole disk for OpenBSD (unless you're confident you don't need to use what comes on it right out of the box ever again). Read INSTALL.zaurus.

--
Kyle George
Re: Request for links to BSD administration docs
> However, is it correct that when a new release comes out every six months, you have to reboot into that? How long does an upgrade from one release to the next take?

Minutes on a fast machine. I have seen a HPPA B180 take like 25 minutes but that is the exception and not the norm.

> Thanks for your suggestions re used books. I'll try some of Kingston's used book stores and see what I can get at the Queen's book store.

The OpenBSD man pages are outstanding. Start with the FAQ and then move on to the man pages and life will be good.
Re: Request for links to BSD administration docs
On Fri, Mar 23, 2007 at 12:40:48AM -0400, Douglas Allan Tutty wrote:

> Sounds similar to debian which also has to reboot a new kernel. Do you run the rebuild niced?

I don't. I want it to be done as soon as possible.

> However, is it correct that when a new release comes out every six months, you have to reboot into that? How long does an upgrade from one release to the next take?

Yes, you must reboot and perform the upgrade. If you read the upgrade guide and get your ducks in a row you can be all done *easily* in 30 minutes. If there were some kind of contest with cash prizes it could probably be done much quicker. However, it's much more important to get the steps right than to do it quickly, IMHO.

> Thanks for your suggestions re used books. I'll try some of Kingston's used book stores and see what I can get at the Queen's book store.

Not to take away from that, but if you're interested in learning BSD history you can pick up some interesting bits around the net. The Wikipedia pages on this aren't as bad as they could be.

http://en.wikipedia.org/wiki/OpenBSD
http://en.wikipedia.org/wiki/Berkeley_Software_Distribution

--
Darrin Chandler | Phoenix BSD User Group | MetaBUG
[EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/
http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: zaurus bootstrapping
On 3/23/07, Kyle George [EMAIL PROTECTED] wrote:

> On Thu, 22 Mar 2007, Nick ! wrote:
>> On 3/22/07, Chris Kuethe [EMAIL PROTECTED] wrote:
>>> think long and hard before you trash the partition table. hint: you don't want to use the whole disk for openbsd.
>>
>> I don't? I mean, I know to save the first few sectors for the partition table, but isn't the rest fair game?
>
> I don't have one of these, but I believe he was talking about the question the install script asks. In other words, say no to use the whole disk for OpenBSD (unless you're confident you don't need to use what comes on it right out of the box ever again). Read INSTALL.zaurus.

Yeah, I got that that's what he meant. In fact I've never used that option, I've always partitioned all my installs by hand. But I am sure I don't want any of the linux left over, it's a bunch of stupid and the crud Qtopia interface is full of brokenness. I'm worried that I do need to keep some of the linux though, for failsafe purposes or something.

Actually, how does the zaurus boot? Is it a MBR @ sector 0 + second stage bootloader or something else? INSTALL.zaurus says "by effectively converting Linux into a bootloader" but is this only for the install or is it forever? It also says that hdd[12] are converted from ext3 to ext2, so that implies that those two partitions are saved by the default install, but is this *necessary* or just *convenient* (in case you had files on those partitions)?

-Nick
Re: zaurus bootstrapping
On 3/22/07, Kyle George [EMAIL PROTECTED] wrote:

> On Thu, 22 Mar 2007, Nick ! wrote:
>> On 3/22/07, Chris Kuethe [EMAIL PROTECTED] wrote:
>>> think long and hard before you trash the partition table. hint: you don't want to use the whole disk for openbsd.
>>
>> I don't? I mean, I know to save the first few sectors for the partition table, but isn't the rest fair game?
>
> I don't have one of these, but I believe he was talking about the question the install script asks. In other words, say no to use the whole disk for OpenBSD (unless you're confident you don't need to use what comes on it right out of the box ever again). Read INSTALL.zaurus.

Trust me, you really do need to carefully read INSTALL.zaurus, and you really don't want to use the whole disk for openbsd - that'll set you up for a world of hurt. The linux environment that ships with the zaurus is quite brittle and depends on some of the stuff on the disk.

A lot of work went into writing the INSTALL file, if you read it carefully before trying anything you should save yourself a bunch of aggravation.

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: zaurus bootstrapping
> Trust me, you really do need to carefully read INSTALL.zaurus, and you really don't want to use the whole disk for openbsd - that'll set you up for a world of hurt. The linux environment that ships with the zaurus is quite brittle and depends on some of the stuff on the disk.

I really don't agree. That was mostly in the past.

These days I always install a zaurus without any Linux on the drive. That linux stuff is not necessary anymore.
Re: zaurus bootstrapping
On 3/23/07, Theo de Raadt [EMAIL PROTECTED] wrote:

>> Trust me, you really do need to carefully read INSTALL.zaurus, and you really don't want to use the whole disk for openbsd - that'll set you up for a world of hurt. The linux environment that ships with the zaurus is quite brittle and depends on some of the stuff on the disk.
>
> I really don't agree. That was mostly in the past.
>
> These days I always install a zaurus without any Linux on the drive. That linux stuff is not necessary anymore.

Oh excellent! So then I install it just like an i386? It would be helpful to add a mention of this to INSTALL.zaurus, if you don't want to have linux, you can just ...

This amuses me: "In these cases below we avoid using vi because Linux quality is of such high caliber that vi locks up the console."

-Nick
named stopped with error
On a firewall that is not mine but where the admins run to me for help 8-) somebody noticed that name resolution was not working.

rc.conf.local says:

    named_flags=

named.conf is the default (caching with recursion only for local clients)

uname says:

    OpenBSD fw.example.com.au 3.9 GENERIC#617 i386

/var/log/daemon says:

    Mar 23 00:13:03 fw named[13888]: /usr/src/usr.sbin/bind/lib/isc/mem.c:628 : INSIST(((unsigned char *)mem)[size] == 0xbe) failed
    Mar 23 00:13:03 fw named[13888]: exiting (due to assertion failure)

It started up manually and ran as it has for the past (nearly) year, so it looks like a one-off but I'd love to hear of possible causes.

Thanks,

Rod/
From the land down under: Australia.
Do we look umop apisdn from up over?
Installing Skype
I have OpenBSD 4.0 on an HP laptop and I need to install Skype because it is for communication in my job and I have the freedom to install my lovely OpenBSD.

This is what I have done:

1. I installed the redhat_base-8.0p8.tgz for the emulation.
2. Downloaded the skype-0_90_0_1.rpm and installed it with /emul/linux/bin/rpm; all seemed good.
3. If I try to run it, I just see an error message looking for the lib file libXss.so.1.

If someone has installed Skype, could you help me please?

Regards
openbsd acpi help
good day! can anyone here help me on how i can enable acpi on my laptop? my laptop is running openbsd 4.1-current. thanks for your help long live openbsd. --jay--
Re: openbsd acpi help
at the boot prompt type

    boot -c

then type

    enable acpi

then type

    quit

Sam Fourman Jr.

On 3/22/07, Jay Jesus Amorin [EMAIL PROTECTED] wrote:

> good day! can anyone here help me on how i can enable acpi on my laptop? my laptop is running openbsd 4.1-current. thanks for your help long live openbsd.
>
> --jay--