Re: bcw(4) is gone
On Mon, 9 Apr 2007 23:15:36 -0400 Adam [EMAIL PROTECTED] wrote: Tobias Weisserth [EMAIL PROTECTED] wrote: Who the hell do you think you are that you can impose a definition of free on me? Freedom is also a matter of perception and perspective. No, its the FSF trying to redefine the word free. The english language has had the word for a long time, and its meanings are quite clear. None of those meanings include being restricted. Its not a matter of perception or perspective, you can't just pretend words meaning other things and expect everyone to go along. GPL your code all you want, just stop claiming it has anything to do with freedom. Adam 1984. Newspeak. Slavery (GPL) is freedom. ;) timo
Re: Problem installing DSPAM (with postfix)
On Tue, 10 Apr 2007 00:36:08 -0400 Jean-Daniel Beaubien [EMAIL PROTECTED] wrote:

Hi everyone,

I am having a bit of trouble installing DSPAM with Postfix. The problem seems to be with the unix socket (and my lack of knowledge on the subject).

Here is a small snippet of the config for dspam and postfix:

    # grep -R -e 'dspam.sock' /etc/*
    /etc/dspam.conf:ServerDomainSocketPath /tmp/dspam.sock
    /etc/dspam.conf:#ClientHost /tmp/dspam.sock
    /etc/postfix/master.cf:-o content_filter=lmtp:unix:/tmp/dspam.sock

And here is the content of /tmp:

    # ls -l
    total 0
    srwxrwxrwx 1 root wheel 0 Apr 9 20:11 dspam.sock

And unfortunately I get the following errors in /var/log/maillog:

    Apr 10 00:22:17 mail_server postfix/lmtp[21514]: 2E9682B6: to=[EMAIL PROTECTED], orig_to=[EMAIL PROTECTED], relay=none, delay=15444, delays=15444/0.22/0/0, dsn=4.4.1, status=deferred (connect to mail_server.mydomain.com[/tmp/dspam.sock]: No such file or directory)

This strikes me as odd since the file /tmp/dspam.sock seems to be there. Anyone has an idea what's going on?

Thank you for your time,
-Jd

Check if your postfix runs chrooted(8) (check master.conf for this). If so, /tmp should be in /var/spool/postfix/tmp

HTH, timo
Re: bcw(4) is gone
Marco Peereboom wrote: I have to reply to this horse shit. :-) *snip* Regarding freedom: Take the Linksys routing devices. They ship with GPL software. Taking what you said as an example, it would be OK if Linksys made proprietary changes to the free software and deliver a closed software on the device. If for example the proprietary changes make the free software work on the device in the first place, the software is in effect not free anymore, as the free version of the software is useless in effect. If there is no other option than to buy these Linksys devices or similar devices in the future and the originally free software cannot be used on any other device anymore, then the propriety changes to a free software has made this software unfree for users. What's the freedom of BSD software worth when it can't be used in its free form anymore? That can't happen with GPL'ed software. You are talking without saying anything. What is your fucking point? Have you actually read that piece of text?? *snip* There are many cases where a GPL license is the only sensible choice in my opinion. Of course, I don't reject the BSD license either. It all depends on what you want to bring about and secure. There is no one-and-only-free license. The only good use so for of the GPL is java. Sun gets to pretend to put free code out there and it is completely protected by the GPL. It will never take any patches from the community; it simply wants to retain full control. The joke is on GPL since it protects the companies it hates. One has got to love unforeseen consequences. Have you tried submitting patches to them? You are just being prejudist. Please don't say things you think, say things that are proven fact. *snip* Glenn
Re: bcw(4) is gone
Phew, what a load of animosity. I really hope humanity still has a chance. Now, regarding the bcw issue, let's leave this thread to die. Mistakes are meant to be forgiven, and life to be lived forwards =) -- An OpenBSD user... and that's all you need to know =)
Re: bcw(4) is gone
RedShift [EMAIL PROTECTED] writes: Have you tried submitting patches to them? You are just being prejudist. Please don't say things you think, say things that are proven fact. Is that a fact? Or just your opinion? I think it's a discussion that doesn't belong on this mailing list. //art
est setperf core 2
my laptop has a core 2 processor (T5500) but because my acpi dsdt lacks of PCT, PSS and PPC I can't use acpicpu for playing w/ setperf I've made these tiny changes Index: machdep.c === RCS file: /cvs/src/sys/arch/i386/i386/machdep.c,v retrieving revision 1.381 diff -u -b -r1.381 machdep.c --- machdep.c 3 Apr 2007 10:14:47 - 1.381 +++ machdep.c 9 Apr 2007 08:47:26 - @@ -1444,7 +1444,7 @@ #endif } -#if !defined(SMALL_KERNEL) defined(I686_CPU) !defined(MULTIPROCESSOR) +#if !defined(SMALL_KERNEL) defined(I686_CPU) /* !defined(MULTIPROCESSOR)*/ void intel686_setperf_setup(struct cpu_info *ci) { @@ -1468,9 +1468,9 @@ { #if !defined(SMALL_KERNEL) defined(I686_CPU) -#if !defined(MULTIPROCESSOR) +/*#if !defined(MULTIPROCESSOR)*/ setperf_setup = intel686_setperf_setup; -#endif +/*#endif*/ { extern void (*pagezero)(void *, size_t); extern void sse2_pagezero(void *, size_t); so now also w/ bsd.mp during boot, est is used by reporting I can use only HFS and LFH i.e 1667 and 1000 Mhz. if I'm not wrong I read that w/ core 2 by changing one msr affects also the other core. What I'm looking for are information for vid and related frequency for being able to use other setperf values (not only 0 and 100) but I'm not able to find out them. has anybody any hint? thanks, -- giovanni
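Review bot: both hunks disable the !defined(MULTIPROCESSOR) guard by commenting it out (the #if in front of intel686_setperf_setup and the #if/#endif pair around the setperf_setup assignment), so the EST setperf hook is installed on MP kernels while nothing in the visible lines makes a speed change take effect on every CPU or restricts the hook to processors whose cores share the register. Either delete the conditional outright and add a comment stating why the path is safe under MULTIPROCESSOR, or keep the guard and add the narrower condition the change relies on; commented-out preprocessor directives should not go into the tree.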
Re: Binary kernel and base update
On Tue, Apr 10, 2007 at 01:43:56AM +0200, [EMAIL PROTECTED] wrote:

Hi all. I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there is no binary kernel updates, rather than patching the kernel from source?

We have stated this numerous times, but maybe it's not easy to find in the archives because there is no obvious subject: not enough resources.

Binary updates for the whole system would be desirable, but we simply do not have the time to do it right (for now). The infrastructure is totally geared towards -current. There are just few resources devoted to -stable packages, and almost none towards stable source.

Some people external to the project are providing you with binpatch and binary updates. As long as you trust them, you can use their work...
Re: waitpid() thread race
On Mon, Apr 09, 2007 at 03:42:50PM -0600, Philip Guenther wrote: However, OpenBSD 4.0 doesn't actually comply with that: after waitpid() there will be no SIGCHLD pending, even if there are additional children to reap. So, if you're going to have multiple children, you need to call waitpid(-1, ret, WNOHANG) until it returns zero or -1/ECHILD before you loop back to sigsuspend() again. That way you can be sure that you haven't lost any SIGCHLDs before you reenter the sigsuspend(). I've actually confirmed that that loop does work as expected, unlike the original example which only works with one child. Hmm. OK, thanks for that. I think for now my preferred solution is to keep a linear list of child processes. Forking adds a child to the end of the list; reaping finds the first child in the list with a matching pid and removes that entry. This eliminates the need for dealing with signals. The extra overhead of a linear search is small, given that children don't die that often. Cheers, Brian.
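The drain-then-suspend loop described in Philip Guenther's quoted text above, as an added example that is not code from the thread: SIGCHLD stays blocked except inside sigsuspend(), and every wakeup calls waitpid(-1, ..., WNOHANG) until it returns 0 or -1/ECHILD, so a coalesced or cleared SIGCHLD cannot strand a zombie. The function names spawn_and_reap and drain_children are hypothetical, and the children simply exit at once.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* The handler only has to exist so that sigsuspend() is interrupted. */
static void on_sigchld(int signo)
{
    (void)signo;
}

/*
 * Reap every child that has already exited. Returns the number reaped and
 * sets *none_left when waitpid() reports ECHILD (no children remain).
 */
static int drain_children(int *none_left)
{
    int reaped = 0, status;
    pid_t pid;

    *none_left = 0;
    for (;;) {
        pid = waitpid(-1, &status, WNOHANG);
        if (pid > 0) {            /* one more child collected, keep going */
            reaped++;
            continue;
        }
        if (pid == 0)             /* children exist, none has exited yet */
            break;
        if (errno == EINTR)
            continue;
        if (errno == ECHILD)      /* nothing left to wait for */
            *none_left = 1;
        break;
    }
    return reaped;
}

/*
 * Hypothetical driver: fork nchildren processes that exit immediately and
 * reap all of them. Returns the number reaped, or -1 on setup failure.
 */
int spawn_and_reap(int nchildren)
{
    struct sigaction sa, old_sa;
    sigset_t block, old_mask, wait_mask;
    int i, total = 0, none_left = 0;

    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sa.sa_handler = on_sigchld;
    if (sigaction(SIGCHLD, &sa, &old_sa) == -1)
        return -1;

    /* Block SIGCHLD before forking: it can then only arrive in sigsuspend(). */
    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    if (sigprocmask(SIG_BLOCK, &block, &old_mask) == -1) {
        sigaction(SIGCHLD, &old_sa, NULL);
        return -1;
    }
    wait_mask = old_mask;
    sigdelset(&wait_mask, SIGCHLD);

    for (i = 0; i < nchildren; i++) {
        pid_t pid = fork();
        if (pid == -1)
            break;                /* reap whatever was started */
        if (pid == 0)
            _exit(0);
    }

    for (;;) {
        /* Drain fully on every pass; one SIGCHLD may stand for many exits. */
        total += drain_children(&none_left);
        if (none_left)
            break;
        /* Atomically unblock SIGCHLD and sleep until the next one. */
        sigsuspend(&wait_mask);
    }

    sigprocmask(SIG_SETMASK, &old_mask, NULL);
    sigaction(SIGCHLD, &old_sa, NULL);
    return total;
}

int main(void)
{
    printf("reaped %d children\n", spawn_and_reap(8));
    return 0;
}
```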
Re: bcw(4) is gone
if someone is still reading the thread... 1. marcus makes mistake 2. michael tells the world 3. theo plays theater 1. it's not rocket science not to commit gpl licensed code into the public cvs tree under a bsd license and let it sit there for months. esp. with the openbsd kind of draconian license audits. it's not rocket science, and thus it's hard for linux people to believe it was not intentional, but again, its obviousness is the proof it couldn't have been intentional. pray, who wouldn't have noticed the gpl code in there? 2. let's stop for a moment, and think why michael would make a mistake like this, again, it's not rocket science, it was a mistake. let's play the associations game. i say openbsd developer you say the first three things that come into your mind. ready? go. mine were: theo, arrogant, and difficult. now let me state publicly after my fair share of flame wars on misc@ that i do not believe on any day, that all openbsd devs are like this. not even the majority. maybe no one is like that these days... but the thing is, that these are some of the attributes openbsd got associated with in the past, a stigma. so i wouldn't be surprised if michael just skipped the first step of the rules of engagement and called in the heavy artillery right away. it's not that far fetched, do you work in big company? the first thing you learn is to cc: all the managers if you want to get something done for real. so he did. at this point there could have been a nice and easy solution if markus just explained publicly what he did. 3. theo's repeated (to the point of shut up, already!, which he uses so frequently) cries for empathy, downplaying marcus's mistake and at the same time enlarging michael's is the most postmodern literature i have read this year. it's absurd. imagine theo with tears in his eyes calling for empathy because one of his developers has made a mistake and he's still managing to insult people in the process! just brilliant. 
reading the whole thread i find it easy to see that theo made it all worse. marcus has made a mistake, but obviously, he's not a thief. the linux people have decided to deal with it this way, not very nice but hey, life is not all cakes. stand up like a man, make a public answer, explain yourself and not hide behind theo to deal with the PR. and you almost did just that. and then you deleted the driver because ... because... what was it again? there is no public explanatory mail between your list of choices and then erasure. why was it really? because some people hurt your feelings? well, as theo used to say, v-v-very frequently: boo hoo, the world is a harsh place. the poetic justice of it all. -f -- to learn more about paranoids, follow them around!
ISDN PRI cards on openbsd?
Hi,

does there exist any ISDN PRI card that is supported by OpenBSD and can be used with Asterisk? As far as I can read here: http://www.voip-info.org/wiki/index.php?page=Asterisk+OpenBSD , none is supported up to OpenBSD 3.8. I have seen that there are zaptel drivers available on FreeBSD, but I doubt that there is any on OpenBSD. I searched the manuals on OpenBSD.org for more, but found nothing more.

Is there any PRI card supported on OpenBSD which I might have overlooked?

kind regards
Sebastian
Re: bcw(4) is gone
On Tue, Apr 10, 2007 at 12:19:29PM +0200, frantisek holop wrote: if someone is still reading the thread... lalalala
Re: ISDN PRI cards on openbsd?
On Tue, Apr 10, 2007 at 12:23:02PM +0200, Sebastian Reitenbach wrote:

Hi, does there exist any ISDN PRI card that is supported by OpenBSD and can be used with Asterisk? As far as I can read here: http://www.voip-info.org/wiki/index.php?page=Asterisk+OpenBSD , none is supported up to OpenBSD 3.8. I have seen that there are zaptel drivers available on FreeBSD, but I doubt that there is any on OpenBSD. I searched the manuals on OpenBSD.org for more, but found nothing more. Is there any PRI card supported on OpenBSD which I might have overlooked?

We will not support the zaptel interface. It is gross. But I plan to do some work on this, it is just taking way longer than expected.

-- 
:wq Claudio
Re: ISDN PRI cards on openbsd?
On 2007/04/10 12:23, Sebastian Reitenbach wrote: does there exist any ISDN PRI card that is supported by OpenBSD and can be used with Asterisk? No, you'll need something else to support physical lines - maybe * on another OS, or some other type of gateway device (e.g. vegastream, cisco, quintum etc).
Re: bcw(4) is gone
Reyk Floeter [EMAIL PROTECTED] wrote: On Tue, Apr 10, 2007 at 12:19:29PM +0200, frantisek holop wrote: if someone is still reading the thread... lalalala Is it funny? Fuck off!!! lalalala
Re: carp, ospf can't see carp state
On Mon, Apr 09, 2007 at 02:03:21PM -0400, François Rousseau wrote:

Hi Claudio,

I have double checked on my lab and everything works fine for the OSPF part, sorry for my mistake. But at the end, I'm still having the same problem: the server didn't know the right route. OSPF sees all the routes correctly but the system didn't seem to be updated. If I do route show I only see the local route pointing directly to the CARP device instead of pointing to the other router.

route show gives me something like this when my cable is unplugged from the carp interface:

    83.201.77/24    link#10    UC    0    0    -    carp1

What do you think it can be?

ospfd will never overwrite already present routes (unless they have come from bgpd). So the carp route can not be changed. AFAIK you only get such a network if you are using an unnumbered parent device. Could you try to give the parent interface an IP address out of 83.201.77/24 -- this should change the link local route to this network to the real interface. This will solve the problem in case the box is BACKUP.

There is still a problem when you unplug the network. In this case packets hitting that box will get dropped. This can only be fixed if the kernel is able to change the RTF_UP flag depending on the link state.

-- 
:wq Claudio

2007/4/7, Claudio Jeker [EMAIL PROTECTED]:

On Sat, Apr 07, 2007 at 12:21:19PM -0400, François Rousseau wrote:

But how am I supposed to announce the route for the right carp interface? Right now my servers can always reach the router because of the CARP interface but the router can't always reach the servers...

If I unplug the cable of my CARP interface (bge2 for example), all traffic from this router (directly from him or from my upstream provider) can't reach the servers because the router still has only 1 route going directly to his bge2 interface (the interface with carp) and he has no clue of the MASTER interface.

Maybe I'm wrong and OSPF is not the solution.

What I try to do is to have a redundant gateway for my servers (CARP) and I want to have 2 upstream providers with BGP (multihoming). I need a way for these 2 routers to talk to each other and share their internal routes to know how to reach both of the exit points (route to both upstream providers) and how to reach the MASTER interface of every CARP group.

Any idea?

If you are just running with two routers you don't need to use OSPF. Use CARP for the inside network, setup the upstream sessions on each router (perhaps even using depend on carp to fail over the sessions) and setup an IBGP session between the two routers -- best via a dedicated interface. Set "set nexthop self" on the IBGP sessions and you should be fine.

-- 
:wq Claudio
Re: how to configure bridge interface [WAS: snort any interface]
On 4/9/07, Soner Tari [EMAIL PROTECTED] wrote:

My physical interfaces are already configured and have their own IP addresses. I need to assign different IPs to all 3 cards (LAN, WAN1, WAN2). And here is what I run on the command line to create a bridge interface (to use as a pseudo interface on snort command line for monitoring):

    ifconfig bridge0 create
    brconfig bridge0 add vr0 add rl0 add nfe0 up

Am I not supposed to see the traffic on all of the physical interfaces (vr0, fxp0, nfe0) using tcpdump on bridge0? (I've tried with pf disabled too.)

It is my understanding that only one or none may have an IP. Give vr0 or any single iface an ip address. For each other nic, only activate it using 'up':

    ifconfig vr0 192.168.0.1 netmask 255.255.255.0 up # this is the primary NIC
    ifconfig rl0 up # this could be what you are missing
    ifconfig nfe0 up
    ifconfig bridge0 create
    brconfig bridge0 add vr0 add rl0 add nfe0 up

also maybe

    ifconfig bridge0 up

-- 'up' goes in brconfig or ifconfig or both? Not sure.

At this point, if you tcpdump on vr0, you should see the traffic on rl0 and nfe0 as well. Any endpoint can connect to any NIC and see the same 192.168.0.1 address, and reach any other PC connected to any of the other two NIC's. I do this with my router, because the switch ran out of ports :)

Perhaps this is not possible at all with bridge interfaces? If so, how do I achieve such a monitoring interface? Any comments please?

Does each port on a switch have an IP, for instance? Are you trying to make a transparent bridge? You have three NIC's here, and you seem to have to need of an IP address.. ? You should be able to assign no IP at all to vr0, and accomplish a transparent bridge without pf involved, where as you can split a cable in half, crimp each end, put them into each NIC, and you can see everything in between. pf can start to block at this point.

I know nothing at all about the Snorter... Does it need to bind to an IP? It shouldn't.
Re: ISDN PRI cards on openbsd?
Hi all, Stuart Henderson [EMAIL PROTECTED] wrote: On 2007/04/10 12:23, Sebastian Reitenbach wrote: does there exist any ISDN PRI card that is supported by OpenBSD and can be used with Asterisk? No, you'll need something else to support physical lines - maybe * on another OS, or some other type of gateway device (e.g. vegastream, cisco, quintum etc). thanks a lot, Claudio too, for your answers, I just wanted to make sure that I did not missed anything. So I have to keep it for now it is, using Linux where I need physical lines, OpenBSD is used on the rest. kind regards Sebastian
OpenBSD 4.0 pfsync + pfflowd accuracy problem or incorrect config?
Hi!

OpenBSD ... 4.0 GENERIC.MP#0 i386 (2x Xeon P4) is located after Cisco (7206VXR). Netflows from the Cisco and the OpenBSD are collected on a collector (flow-tools). I've got for the same hour for the same networks, from OpenBSD:

    Total Flows : 59671
    Total Octets: 3111418360
    .
    Average Kbits / second (flow) : 419.2015
    Average Kbits / second (real) : 3319.2888

and from the Cisco:

    Total Flows : 783739
    Total Octets: 9246726494
    Average Kbits / second (flow) : 7958.4517
    Average Kbits / second (real) : 9864.4893

Three times difference!!! Data from Cisco corresponds for the other sources results ( SNMP counters,).

I've tried different pf rulesets, in particular this:

    pass in log (all) inet all keep state
    pass out log (all) inet all keep state

but the problem is still here. log (all) I need for other purposes.

Does anyone meet a problem like this?

OpenBSD load:

    # uptime
    load averages: 0.29, 0.43, 0.37

Thanks!
Alexander Zatserkovniy
Re: Serial Port Network
I agree with Marcus's comments... unless there's some reason you haven't mentioned yet that's preventing you, you should likely get some 10Mbps nic's. The file xfer rate for anything of 'today's size' would take forever over the serial connection... but remote management via the serial connection would be fine (via tip)... especially if the boxes aren't right next to each other to swap the kvm. danno -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcus Watts Sent: Tuesday, April 10, 2007 1:19 AM To: Don Smith Cc: misc@openbsd.org Subject: Re: Serial Port Network Don Smith [EMAIL PROTECTED] writes: I have 2 older desktop computers (old Pentium 1 processors), ... slip or ppp. You won't be doing much file sharing this way though, unless you're *very* patient. usb doesn't do peer-peer networking, so I don't see what good that does you. You'd be *much* better off buying a brace of ethernet cards. ISA - 10 megabits cards should be nearly free. You'll also have to score some thin-net cable and terminators. Alternatively, you can get twisted pair cards. If you have PCI bus machines you can do better, but that probably postdates your machines. You probably don't need a console except for maintenance. You can just swap monitors for that. You could set up a serial console tip, but it's not worth it unless you have some other reason you want it. You probably don't want to run ppp on your console port. -Marcus
tftp-proxy without nat?
Hi,

I have an OpenBSD 4.0 firewall between two networks. The traffic between these two is routed. When I take a look at the manual pages, then it looks like the tftp-proxy is only useful for connections that do NAT, where the client is in a private network, and the server has a public IP.

Without NAT, I will need sth. like this in the nat section:

    rdr-anchor "tftp-proxy/*"
    rdr on $int_if proto udp from $lan to any port tftp -> \
        127.0.0.1 port 6969

and this in the filter section:

    anchor "tftp-proxy/*"

but I do not know how to allow the data packets from the server to the client to traverse the firewall. Is there a way to make it stateful somehow?

kind regards
Sebastian

pass in on $

kind regards
Sebastian
Re: Serial Port Network
Marcus Watts wrote:

Don Smith [EMAIL PROTECTED] writes:

I have 2 older desktop computers (old Pentium 1 processors), ...

I played with this some time ago. I managed to make communication between:

    linux(ppp server) - windows(client)
    linux(server) - linux(client)
    openbsd(client) - linux(server)
    openbsd(server) - linux(client)

I followed a very good howto on tldp.org. To make it work on openbsd I had to make some minor adaptations, like the devices not being ttyS0, but cua0X, and so on. But expect very low rates. I managed to transfer files between them, using ssh, at rates of 15Kb/s.

I played also with plip, but I don't know if there is something similar with it on openbsd. On linux - linux communication you can achieve higher rates than with ppp.

Be careful with the setup on openbsd, cause you have 2 daemons: the ppp(userland) and pppd(kernel). I only tested it with pppd, but it should work with the ppp daemon also.

My regards,

-- 
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current OpenBSD Stable Ubuntu 6.10 Edgy Eft
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: OpenBSD with RBAC?
On Mon, 9 Apr 2007 22:17:23 +0200, Joachim Schipper [EMAIL PROTECTED] said: On Mon, Apr 09, 2007 at 02:46:32PM -0500, Lawal, Banji wrote: I was wondering if anyone out there has used OpenBSD with RBAC. From what I have found out so far RBAC is only deployed with FreeBSD. If anyone has any info about this please let me know. You are right, that doesn't work on OpenBSD. You might be interested in systrace, though. It would be nice if somebody was doing something like SeOS for OBSD, though. But, I know, only so much time and so many developers and I don't code, so I'll shut up now.
Re: est setperf core 2
On Tue, Apr 10, 2007 at 11:19:50AM +0200, giovanni wrote: my laptop has a core 2 processor (T5500) but because my acpi dsdt lacks of PCT, PSS and PPC I can't use acpicpu for playing w/ setperf The setperf mechanism is not MP safe hence why it was disabled, the case of core duo 2 this might work because of shared registers dim@ or someone more familiar with EST would have to comment on that, but in a general case you will likely only change the speed of one cpu the cpu that happened to handle the sysctl. Note that it will look to you in userland like both cpus were changed because cpuspeed will be altered by EST but it may not be the case, and frankly there is the potential for some nasty side effects. There is an mp safe sysctl diff for i386 in some semblance of completness but I will likely not be finished till after I finish exams (early may) gwk
Re: how to view Ethernet frame CRC errors
Another shot--- Anyone know how to see L2 CRC errors on an Ethernet interface? Thanks, danno -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Farrell Sent: Monday, April 09, 2007 11:02 AM To: misc@openbsd.org Subject: how to view Ethernet frame CRC errors Hello, I'm looking for a way to view L2 frame CRC errors on an interface. I've scoured netstat, but found nothing (from what I've known of it it's all Layer 3 anyway). I googled and came up rather empty (FCS error openBSD, ethernet frame CRC errors openbsd, etc.) . The purpose for this is to deduce duplex-mismatch problems on Fast Ethernet interfaces where you only have visibility/control over one side of the Ethernet connection. If there is no way to specifically view counters like this are there other counters (or a combination of counters) I can look to that would definitively show a duplex-mismatch situation (as in no false-positives) ? I know there are error counters in netstat -i but are those always going to mean there is a duplex mismatch problem (it just seems there's a lack of detail there so those errors could result from a variety of issues)? Is there anything to be gleaned from a netstat -s to show this also? I appreciate any suggestions, Dan Farrell Applied Innovations Corp. [EMAIL PROTECTED]
Beep!
Hello list.

I have a small, trivial task I can't accomplish and I'm sure you guys can help me in a second. I'm creating some shell scripts for various administrative purposes, and I'd really like to add some kind of command at the end of each in order to have the pc speaker BEEP when the script is over. Is there a way to do so on OpenBSD 4.0/i386? I've shuffled through MISC archives and FAQs, but I found nothing relevant...

Thank you all, byee,
Manuel
Re: how to view Ethernet frame CRC errors
I haven't used it on OpenBSD, but on linux, ethtool can give you a good bit of information on an ethernet connection. -Alex Dan Farrell wrote: Another shot--- Anyone know how to see L2 CRC errors on an Ethernet interface? Thanks, danno -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Farrell Sent: Monday, April 09, 2007 11:02 AM To: misc@openbsd.org Subject: how to view Ethernet frame CRC errors Hello, I'm looking for a way to view L2 frame CRC errors on an interface. I've scoured netstat, but found nothing (from what I've known of it it's all Layer 3 anyway). I googled and came up rather empty (FCS error openBSD, ethernet frame CRC errors openbsd, etc.) . The purpose for this is to deduce duplex-mismatch problems on Fast Ethernet interfaces where you only have visibility/control over one side of the Ethernet connection. If there is no way to specifically view counters like this are there other counters (or a combination of counters) I can look to that would definitively show a duplex-mismatch situation (as in no false-positives) ? I know there are error counters in netstat -i but are those always going to mean there is a duplex mismatch problem (it just seems there's a lack of detail there so those errors could result from a variety of issues)? Is there anything to be gleaned from a netstat -s to show this also? I appreciate any suggestions, Dan Farrell Applied Innovations Corp. [EMAIL PROTECTED]
Re: Beep!
    printf "\a"

For more info man printf

Tim

On Tuesday 10 April 2007 8:53 am, Manuel Ravasio wrote:

Hello list. I have a small, trivial task I can't accomplish and I'm sure you guys can help me in a second. I'm creating some shell scripts for various administrative purposes, and I'd really like to add some kind of command at the end of each in order to have the pc speaker BEEP when the script is over. Is there a way to do so on OpenBSD 4.0/i386? I've shuffled through MISC archives and FAQs, but I found nothing relevant... Thank you all, byee, Manuel

-- 
Tim Kuhlman
Network Administrator
ColoradoVnet.com
Re: how to view Ethernet frame CRC errors
If I'm not mistaken ethtool is not written for OBSD. danno -Original Message- From: Alex Thurlow [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 10, 2007 11:59 AM To: Dan Farrell Cc: misc@openbsd.org Subject: Re: how to view Ethernet frame CRC errors I haven't used it on OpenBSD, but on linux, ethtool can give you a good bit of information on an ethernet connection. -Alex Dan Farrell wrote: Another shot--- Anyone know how to see L2 CRC errors on an Ethernet interface? Thanks, danno -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Farrell Sent: Monday, April 09, 2007 11:02 AM To: misc@openbsd.org Subject: how to view Ethernet frame CRC errors Hello, I'm looking for a way to view L2 frame CRC errors on an interface. I've scoured netstat, but found nothing (from what I've known of it it's all Layer 3 anyway). I googled and came up rather empty (FCS error openBSD, ethernet frame CRC errors openbsd, etc.) . The purpose for this is to deduce duplex-mismatch problems on Fast Ethernet interfaces where you only have visibility/control over one side of the Ethernet connection. If there is no way to specifically view counters like this are there other counters (or a combination of counters) I can look to that would definitively show a duplex-mismatch situation (as in no false-positives) ? I know there are error counters in netstat -i but are those always going to mean there is a duplex mismatch problem (it just seems there's a lack of detail there so those errors could result from a variety of issues)? Is there anything to be gleaned from a netstat -s to show this also? I appreciate any suggestions, Dan Farrell Applied Innovations Corp. [EMAIL PROTECTED]
Re: Beep!
Print a bell character, e.g. print \\a in ksh. Use xset b on if the bell has been turned off via xset b off.

Regards,
Andreas

On 10/04/07, Manuel Ravasio [EMAIL PROTECTED] wrote:

Hello list. I have a small, trivial task I can't accomplish and I'm sure you guys can help me in a second. I'm creating some shell scripts for various administrative purposes, and I'd really like to add some kind of command at the end of each in order to have the pc speaker BEEP when the script is over. Is there a way to do so on OpenBSD 4.0/i386? I've shuffled through MISC archives and FAQs, but I found nothing relevant... Thank you all, byee, Manuel

-- 
Andreas Kahari
Somewhere in the general Cambridge area, UK
Re: Beep!
On Tue, 2007-04-10 at 07:53 -0700, Manuel Ravasio wrote: I'm creating some shell scripts for various administrative purposes, and I'd really like to add some kind of command at the end of each in order to have the pc speaker BEEP when the script is over. \b -- Ryan Corder [EMAIL PROTECTED] Systems Engineer, NovaSys Health LLC. 501-219- ext. 646
Re: Beep!
On 4/10/07, Manuel Ravasio [EMAIL PROTECTED] wrote: I'm creating some shell scripts for various administrative purposes, and I'd really like to add some kind of command at the end of each in order to have the pc speaker BEEP when the script is over. It depends on your terminal, but you can probably just use the ASCII bel character. That is, add a command like: echo -n \007 (note: untested, not near a unix). -Nick
Re: Beep!
On Tue, Apr 10, 2007 at 07:53:23AM -0700, Manuel Ravasio wrote: Hello list. I have a small, trivial task I can't accomplish and I'm sure you guys can help me in a second. I'm creating some shell scripts for various administrative purposes, and I'd really like to add some kind of command at the end of each in order to have the pc speaker BEEP when the script is over. Is there a way to do so on OpenBSD 4.0/i386? I've shuffled through MISC archives and FAQs, but I found nothing relevant... man speaker(4) for example, # echo 'CDEFGAHOC' > /dev/speaker reyk
Binary kernel updates
Hi all. I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there are no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD it's really easy. But sometimes it's very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico
OpenBGPd + pf + pf tables.
Hello, I receive several subnets with OpenBGPd and I add them into a pf table like this:

pf.conf (extract)
table <bgp> { 172.31.0.0/24, 10.0.1.1 }

bgpd.conf (extract)
AS 65530
holdtime 180
holdtime min 3
fib-update no
listen on xxx.xxx.xxx.150
neighbor xxx.xxx.xxx.xxx {
descr routeurs
announce none
remote-as 35189
}
deny quick from any prefix 0.0.0.0/0
allow from any prefixlen 8 - 24
allow from any set pftable bgp

The problem I have is that if a subnet is removed from bgp (e.g. by my AS35189 neighbor) it is not removed from the pf table bgp. Do you have any idea how to do this automatically? Thanks! /Xavier
Re: how to view Ethernet frame CRC errors
On Tue, Apr 10, 2007 at 11:39:18AM -0400, Dan Farrell wrote: Another shot--- Anyone know how to see L2 CRC errors on an Ethernet interface? The best thing you get is Ierrs and Colls from netstat -i output. This should include the CRC errors. OpenBSD does not account L2 CRC errors in a separate counter -- on some cards it is hard to get that info. Almost all Ierrs are HW related (DMA errors, CRC errors, short frames, oversized frames, jadda jadda jadda). For duplex mismatch issues the input error counter and the collision counter are good indicators. -- :wq Claudio Thanks, danno -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Farrell Sent: Monday, April 09, 2007 11:02 AM To: misc@openbsd.org Subject: how to view Ethernet frame CRC errors Hello, I'm looking for a way to view L2 frame CRC errors on an interface. I've scoured netstat, but found nothing (from what I've known of it it's all Layer 3 anyway). I googled and came up rather empty (FCS error openBSD, ethernet frame CRC errors openbsd, etc.) . The purpose for this is to deduce duplex-mismatch problems on Fast Ethernet interfaces where you only have visibility/control over one side of the Ethernet connection. If there is no way to specifically view counters like this are there other counters (or a combination of counters) I can look to that would definitively show a duplex-mismatch situation (as in no false-positives) ? I know there are error counters in netstat -i but are those always going to mean there is a duplex mismatch problem (it just seems there's a lack of detail there so those errors could result from a variety of issues)? Is there anything to be gleaned from a netstat -s to show this also? I appreciate any suggestions, Dan Farrell Applied Innovations Corp. [EMAIL PROTECTED]
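Added example, not part of the thread: a POSIX shell filter that turns the Ierrs and Colls counters from `netstat -i`, which the reply above points to, into per-interface input-error and collision rates. The sample output, the interface names and the 0.1% default threshold are constructed assumptions, and a hit is only a hint, since Ierrs also counts other hardware faults.

```shell
#!/bin/sh
# Constructed sample in the column layout of OpenBSD `netstat -i`
# (interface names, MAC addresses and counters are made up for illustration).
NETSTAT_SAMPLE='Name    Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
lo0     33224 <Link>                             120     0      120     0     0
lo0     33224 127/8       127.0.0.1              120     0      120     0     0
fxp0    1500  <Link>      00:00:5e:00:53:01   500000  4200   480000     0  9100
fxp0    1500  192.0.2/24  192.0.2.10          500000  4200   480000     0  9100
fxp1    1500  <Link>      00:00:5e:00:53:02   300000    12   310000     0     0
fxp2    1500  <Link>      00:00:5e:00:53:03   200000  3000   150000     0     0
em0*    1500  <Link>      00:00:5e:00:53:04        0     0        0     0     0'

# duplex_suspects [threshold_pct]
# Reads `netstat -i` output on stdin and prints one line per interface whose
# input-error rate or collision rate is at or above the threshold (percent).
# The 0.1 default is an assumption for this example, not a documented limit.
duplex_suspects() {
    awk -v thr="${1:-0.1}" '
    # Only the <Link> row is needed; the per-address rows repeat its counters.
    $3 != "<Link>" { next }
    {
        name = $1
        sub(/\*$/, "", name)      # a trailing * marks an interface that is down
        # The Address column can be empty (lo0), so count fields from the right.
        ipkts = $(NF-4) + 0; ierrs = $(NF-3) + 0
        opkts = $(NF-2) + 0; colls = $NF + 0
        # Input errors are measured against received packets, collisions
        # against transmitted packets; idle interfaces yield 0, not a division error.
        ierr_pct = (ipkts > 0) ? 100 * ierrs / ipkts : 0
        coll_pct = (opkts > 0) ? 100 * colls / opkts : 0
        if (ierr_pct >= thr + 0 || coll_pct >= thr + 0)
            printf "%s ierr_pct=%.2f coll_pct=%.2f\n", name, ierr_pct, coll_pct
    }'
}

# Demo on the constructed sample; on a live system: netstat -in | duplex_suspects
printf '%s\n' "$NETSTAT_SAMPLE" | duplex_suspects
```

Because the counters are cumulative since boot, two runs a few minutes apart show whether the rates are still climbing.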
Re: Beep!
Manuel Ravasio wrote: Hello list. snip I'm creating some shell scripts for various administrative purposes, and I'd really like to add some kind of command at the end of each in order to have the pc speaker BEEP when the script is over. snip I usually use: echo -ne '\a' Best, Chris
Re: Beep!
On 4/10/07, Ryan Corder [EMAIL PROTECTED] wrote: On Tue, 2007-04-10 at 07:53 -0700, Manuel Ravasio wrote: I'm creating some shell scripts for various administrative purposes, and I'd really like to add some kind of command at the end of each in order to have the pc speaker BEEP when the script is over. \b isn't \b a backspace? -- almir
Re: Binary kernel updates
Why post twice? Sending it as different person within 24 hours of one another is not going to get what you want... A couple of people gave you solutions, choose one, or move to Linux... Remember this??? [EMAIL PROTECTED] [EMAIL PROTECTED] to misc@openbsd.org dateApr 9, 2007 4:43 PM subject Binary kernel and base update mailed-by openbsd.org Hi all. I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there is no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD its really easy. But sometimes its very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico On 4/9/07, Rico Secada [EMAIL PROTECTED] wrote: Hi all. I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there is no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD its really easy. But sometimes its very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico
Re: Binary kernel updates
Hey Rico, Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. You must be joking. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? `man release` once more. Be well and good luck with your management... Nico
Re: Beep!
On Tue, Apr 10, 2007 at 06:16:55PM +0200, Reyk Floeter wrote: man speaker(4) for example, # echo 'CDEFGAHOC' > /dev/speaker cat /bsd > /dev/speaker is fun, too, especially if you're into weird electronic music ;-) -- stefan http://stsp.name PGP Key: 0xF59D25F0
Re: Beep!
great man, thanks :-) the echo \a etc. never worked with me I replaced echo '.' in /etc/rc.local with echo 'C' > /dev/speaker so now I know when my headless server is ready booting up Reyk Floeter wrote: On Tue, Apr 10, 2007 at 07:53:23AM -0700, Manuel Ravasio wrote: Hello list. I have a small, trivial task I can't accomplish and I'm sure you guys can help me in a second. I'm creating some shell scripts for various administrative purposes, and I'd really like to add some kind of command at the end of each in order to have the pc speaker BEEP when the script is over. Is there a way to do so on OpenBSD 4.0/i386? I've shuffled through MISC archives and FAQs, but I found nothing relevant... man speaker(4) for example, # echo 'CDEFGAHOC' > /dev/speaker reyk
Re: Binary kernel updates
Hey Rico, Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. I guess management is the one maintaining the servers where you work then, or you told them it was too hard, so you get what you asked for.
Re: Beep!
On Tue, 2007-04-10 at 18:52 +0200, Almir Karic wrote: isn't \b a backspace? oh yeah, oops. meant to say \a I guess -- Ryan Corder [EMAIL PROTECTED] Systems Engineer, NovaSys Health LLC. 501-219- ext. 646
Re: Binary kernel updates
If you'd bothered to inspect the headers you would have noticed that the below message was sent before the one that has many replies but it didn't arrive until about 20 hours after it was sent. Probably stuck in the pipes somewhere, that seems to happen with misc@ alot. Rico probably figured it was lost and so he sent another which is fairly reasonable. Jeremy On 10-Apr-07, at 12:44 PM, Bryan wrote: Why post twice? Sending it as different person within 24 hours of one another is not going to get what you want... A couple of people gave you solutions, choose one, or move to Linux... Remember this??? [EMAIL PROTECTED] [EMAIL PROTECTED] to misc@openbsd.org dateApr 9, 2007 4:43 PM subject Binary kernel and base update mailed-by openbsd.org Hi all. I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there is no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD its really easy. But sometimes its very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico On 4/9/07, Rico Secada [EMAIL PROTECTED] wrote: Hi all. I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there is no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD its really easy. 
But sometimes its very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico
Re: how to view Ethernet frame CRC errors
Thank-you very much! danno -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Claudio Jeker Sent: Tuesday, April 10, 2007 12:32 PM To: misc@openbsd.org Subject: Re: how to view Ethernet frame CRC errors On Tue, Apr 10, 2007 at 11:39:18AM -0400, Dan Farrell wrote: Another shot--- Anyone know how to see L2 CRC errors on an Ethernet interface? The best thing you get is Ierrs and Colls from netstat -i output. This should include the CRC errors. OpenBSD does not account L2 CRC errors in a separate counter -- on some cards it is hard to get that info. Almost all Ierrs are HW related (DMA errors, CRC errors, short frames, oversized frames, jadda jadda jadda). For duplex mismatch issues the input error counter and the collision counter are good indicators. -- :wq Claudio Thanks, danno -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Farrell Sent: Monday, April 09, 2007 11:02 AM To: misc@openbsd.org Subject: how to view Ethernet frame CRC errors Hello, I'm looking for a way to view L2 frame CRC errors on an interface. I've scoured netstat, but found nothing (from what I've known of it it's all Layer 3 anyway). I googled and came up rather empty (FCS error openBSD, ethernet frame CRC errors openbsd, etc.) . The purpose for this is to deduce duplex-mismatch problems on Fast Ethernet interfaces where you only have visibility/control over one side of the Ethernet connection. If there is no way to specifically view counters like this are there other counters (or a combination of counters) I can look to that would definitively show a duplex-mismatch situation (as in no false-positives) ? I know there are error counters in netstat -i but are those always going to mean there is a duplex mismatch problem (it just seems there's a lack of detail there so those errors could result from a variety of issues)? Is there anything to be gleaned from a netstat -s to show this also? 
I appreciate any suggestions, Dan Farrell Applied Innovations Corp. [EMAIL PROTECTED]
FTP/ftp-proxy/pf issue.
Hio. I'm trying to setup a firewall that allows FTP in to a server that is NATd on the other side. But that only allows access from one address outside the firewall. Something like: Machine - Internet - Firewall/NAT - FTP server

I realize I need to use ftp-proxy to get through the NAT part of the firewall, but I'm not having much luck with it so far. Here is what I have:

/usr/sbin/ftp-proxy -R 10.10.11.10

pf.conf:
$dev_addr = machine that has access to ftp to this server.
$proxy_addr = 127.0.0.1
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr pass on $wan_if proto tcp from $dev_addr to $wan_if port ftp -> $proxy_addr port 8021
block in all
block out all
anchor ftp-proxy/*
pass in proto tcp from $proxy_addr to any port 21 keep state

When I try to FTP from the allowed machine I get:
Connected to ftp-server
421 Service not available, remote server has closed connection

Any help on this would be appreciated. If you need any more info please let me know. Thanks, -- Steve
Re: Redirect traffic through VPN
Dag Richards wrote: Matiss Miglans wrote: Hi good people ! I need to make connection from server witch is in LAN1 to server witch is in LAN3. And I need to make another connection from that same server witch is in LAN3 to that same server witch is in LAN1. There is 3 different company Ethernets, and I need to make this connection trough my company. There is no way to make direct VPN from LAN1 to LAN3 - Business etc. |---LAN1-| |OpenBSD--| |--LAN2--| |-10.210.1.0/24--|---|--Router/pf/vpn--||-192.168.0.0/24-| || |-| || | | VPN IPsec over public Internet. | |---LAN3--||---Netscreen 5xt---| |-192.168.30.0/29-|--|---Router/pf/vpn---| |-||---| This VPN is from LAN2 to LAN3 I will make nat,rdr or binat, because I can't give direct access. I need to control what, where and how can connect. I tried to make redirect like this: rdr from 10.210.1.2 to 10.210.1.1 - 192.168.30.1 But, OpenBSD box, cant see the LAN3 network, or Nestcreen box internal IP. - I tried ping, telnet, ssh etc. Of course I can see that all, if i connect from LAN2 or LAN3. How can I see this server in LAN3 from OpenBSD box ? Or maybe there is better way to do that ? In my pf.conf is no deny rulle There is my ipsec.conf: ike esp from 192.168.0.0/24 to 192.168.30.0/29 \ local x.x.x.x peer x.x.x.x \ main auth hmac-md5 enc 3des \ quick auth hmac-md5 enc 3des \ psk xxx This is OpenBSD snapshot from 2007.26. Jan. (or something that way). Best regards Matiss So you have working VPN from LAN2 to LAN# and reverse? You can not NAT on the same box you run ipsec on ... Nat is applied first, then a routing decision is made and if your ip addr are outside your encryption 'domain' your traffic will not traverse the tunnel. Are LAN1 and LAN2 really hosted off the same firewall? If so then the statement no no VPN between LAN1 and LAN3 is silly. In the layout as described you need to setup a VPN from LAN1 to LAN3. You could possibly introduce an additional firewall to do nating prior to VPN but that would be again silly. 
Yes, this VPN from LAN2 to LAN3 works great ! There are three companies, and I need to make this connection through my company. The idea is that, I can make changes in connection when I need. I can control that all. There is no way to make VPN from LAN1 to LAN3 - of course I too, will make there VPN, but... Normally there is route that shows external interface and IP as a gateway, I changed that to the 192.168.0.1 and now I can ping, ssh, etc to the LAN3 from this OpenBSD box. But anyway I can't forward/binat to the LAN3 I tried to set up one old Celeron box with OpenBSD, that do only port forwarding from LAN1 to LAN3 and reverse. This box is in LAN1 and LAN2, they make port forwarding like this: rdr on fxp1 from 10.210.1.215 to 10.210.1.216 -> 192.168.30.2 That all works great. But that's not that what I will make. I will make that on one box, because this is very old box, and I do not know, when they can die. I don't understand, if I can see this network from router, why I can't forward traffic to this network ?! Best regards Matiss
Re: Binary kernel updates
I am exceedingly sorry. I realize now that it was not Rico's fault. My venom was uncalled for... Again, sorry Rico, et al... back to the shadows... On 4/10/07, Jeremy Huiskamp [EMAIL PROTECTED] wrote: If you'd bothered to inspect the headers you would have noticed that the below message was sent before the one that has many replies but it didn't arrive until about 20 hours after it was sent. Probably stuck in the pipes somewhere, that seems to happen with misc@ alot. Rico probably figured it was lost and so he sent another which is fairly reasonable. Jeremy On 10-Apr-07, at 12:44 PM, Bryan wrote: Why post twice? Sending it as different person within 24 hours of one another is not going to get what you want... A couple of people gave you solutions, choose one, or move to Linux... Remember this??? [EMAIL PROTECTED] [EMAIL PROTECTED] tomisc@openbsd.org date Apr 9, 2007 4:43 PM subject Binary kernel and base update mailed-by openbsd.org Hi all. I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there is no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD its really easy. But sometimes its very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico On 4/9/07, Rico Secada [EMAIL PROTECTED] wrote: Hi all. 
I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there is no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD its really easy. But sometimes its very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico
Re: FTP/ftp-proxy/pf issue.
On Tue, 10 Apr 2007, Steve Mertz wrote: I'm trying to setup a firewall that allows FTP in to a server that is NATd on the other side. But that only allows access from one address outside the firewall. Something like: Machine - Internet - Firewall/NAT - FTP server I realize I need to use ftp-proxy to get through the NAT part of the firewall, but I'm not having much luck with it so far. Here is what I have:

/usr/sbin/ftp-proxy -R 10.10.11.10

pf.conf:
$dev_addr = machine that has access to ftp to this server.
$proxy_addr = 127.0.0.1
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr pass on $wan_if proto tcp from $dev_addr to $wan_if port ftp -> $proxy_addr port 8021
block in all
block out all
anchor ftp-proxy/*
pass in proto tcp from $proxy_addr to any port 21 keep state

This last rule is the problem. You need to pass _out_ from the firewall, and not using the 127.0.0.1 address, but the address that the kernel will pick for the connection to the server (10.10.11.1?). Or you can try this:

pass out proto tcp from any to port 21 keep state user proxy

-- Cam
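Added example, not from the thread or from ftp-proxy itself: a shell lint that checks pf.conf text for the problem diagnosed in the reply above, a redirect to ftp-proxy combined with blocked outbound traffic and no `pass out` rule for port 21. Both rulesets are constructed from the rules quoted in the thread; the interface names, the `dev_addr` value and the function name are assumptions, and the text matching is a heuristic that expands only simple macros.

```shell
#!/bin/sh
# Constructed rulesets. The rules follow the ones quoted in the thread;
# interface names and dev_addr are placeholders chosen for this example.
BROKEN_RULES='wan_if = "fxp0"
lan_if = "fxp1"
dev_addr = "192.0.2.25"
proxy_addr = "127.0.0.1"
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $wan_if proto tcp from $dev_addr to $wan_if port ftp -> $proxy_addr port 8021
block in all
block out all
anchor "ftp-proxy/*"
pass in proto tcp from $proxy_addr to any port 21 keep state'

# Same ruleset with the last rule replaced along the lines of the reply:
# pass the connection out, from the LAN-side address instead of 127.0.0.1.
FIXED_RULES='wan_if = "fxp0"
lan_if = "fxp1"
dev_addr = "192.0.2.25"
proxy_addr = "127.0.0.1"
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $wan_if proto tcp from $dev_addr to $wan_if port ftp -> $proxy_addr port 8021
block in all
block out all
anchor "ftp-proxy/*"
pass out proto tcp from $lan_if to 10.10.11.10 port 21 keep state'

# check_ftp_proxy_rules: reads pf.conf text on stdin, prints findings and
# returns 0 when the proxy-to-server control connection is passed, 1 otherwise.
check_ftp_proxy_rules() {
    awk '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
    $0 == "" { next }
    # Remember simple macro definitions: name = "value"
    /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
        name = $0; sub(/[ \t]*=.*/, "", name)
        val = $0;  sub(/^[^=]*=[ \t]*/, "", val); gsub(/"/, "", val)
        macro[name] = val
        next
    }
    # Expand $macro references so the patterns below see literal values.
    { for (m in macro) gsub("\\$" m, macro[m]) }
    /^rdr[ \t].*->.*port[ \t]+8021/                 { rdr = 1 }
    /^anchor[ \t]+"?ftp-proxy\/\*"?/                { anchor = 1 }
    # A block rule without "in" also covers outbound traffic.
    /^block/ && (/[ \t]out([ \t]|$)/ || !/[ \t]in([ \t]|$)/) { block_out = 1 }
    /^pass[ \t]+out[ \t].*port[ \t]+(21|ftp)([ \t]|$)/      { pass_out = 1 }
    /^pass[ \t]+in[ \t].*from[ \t]+127\.0\.0\.1[ \t].*port[ \t]+(21|ftp)([ \t]|$)/ { loop_in = 1 }
    END {
        if (!rdr) { print "SKIP: no rdr to ftp-proxy port 8021 found"; exit 0 }
        bad = 0
        if (!anchor) {
            print "FAIL: no filter anchor for ftp-proxy/*"
            bad = 1
        }
        if (block_out && !pass_out) {
            print "FAIL: outbound is blocked and no pass out rule covers port 21"
            bad = 1
        }
        if (loop_in)
            print "NOTE: pass in from 127.0.0.1 does not cover the outbound connection to the server"
        if (!bad) print "OK: proxy-to-server control connection is passed out"
        exit bad
    }'
}

# Demo on the two constructed rulesets (|| true keeps the demo going on FAIL).
printf '%s\n' "$BROKEN_RULES" | check_ftp_proxy_rules || true
printf '%s\n' "$FIXED_RULES"  | check_ftp_proxy_rules || true
```

The check reads pf.conf source text only; list syntax such as `port { 21 }` and nested macros are not handled.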
Re: tftp-proxy without nat?
On Tue, Apr 10, 2007 at 04:41:04PM +0200, Sebastian Reitenbach wrote: Hi, I have an OpenBSD 4.0 firewall between two networks. The traffic between these two is routed. when I take a look at the manual pages, then it looks like the tftp-proxy only useful for connections that do NAT, where the client is in a private network, and the server has a public IP. Without NAT, I will need sth. like this in the nat section:

rdr-anchor tftp-proxy/*
rdr on $int_if proto udp from $lan to any port tftp -> \
127.0.0.1 port 6969

and this in the filter section:

anchor tftp-proxy/*

but I do not know, how to allow the data packets, from the server to the client to traverse the firewall. Is there a way to make it stateful somehow?

Unless I am sorely mistaken, TFTP uses standard UDP traffic. Just allow that through the firewall (pass from $lan to $tftp_server port tftp keep state). -- TFMotD: ioprbs (4) - I2O SCSI RAID controller
Re: Redirect traffic through VPN
rc wrote: On 4/5/07, Dag Richards [EMAIL PROTECTED] wrote: Matiss Miglans wrote: Hi good people ! I need to make connection from server witch is in LAN1 to server witch is in LAN3. And I need to make another connection from that same server witch is in LAN3 to that same server witch is in LAN1. There is 3 different company Ethernets, and I need to make this connection trough my company. There is no way to make direct VPN from LAN1 to LAN3 - Business etc. |---LAN1-| |OpenBSD--| |--LAN2--| |-10.210.1.0/24--|---|--Router/pf/vpn--||-192.168.0.0/24-| || |-| || | | VPN IPsec over public Internet. | |---LAN3--||---Netscreen 5xt---| |-192.168.30.0/29-|--|---Router/pf/vpn---| |-||---| This VPN is from LAN2 to LAN3 I will make nat,rdr or binat, because I can't give direct access. I need to control what, where and how can connect. I tried to make redirect like this: rdr from 10.210.1.2 to 10.210.1.1 - 192.168.30.1 But, OpenBSD box, cant see the LAN3 network, or Nestcreen box internal IP. - I tried ping, telnet, ssh etc. Of course I can see that all, if i connect from LAN2 or LAN3. How can I see this server in LAN3 from OpenBSD box ? Or maybe there is better way to do that ? In my pf.conf is no deny rulle There is my ipsec.conf: ike esp from 192.168.0.0/24 to 192.168.30.0/29 \ local x.x.x.x peer x.x.x.x \ main auth hmac-md5 enc 3des \ quick auth hmac-md5 enc 3des \ psk xxx This is OpenBSD snapshot from 2007.26. Jan. (or something that way). Best regards Matiss So you have working VPN from LAN2 to LAN# and reverse? You can not NAT on the same box you run ipsec on ... Nat is applied first, then a routing decision is made and if your ip addr are outside your encryption 'domain' your traffic will not traverse the tunnel. Are LAN1 and LAN2 really hosted off the same firewall? If so then the statement no no VPN between LAN1 and LAN3 is silly. In the layout as described you need to setup a VPN from LAN1 to LAN3. 
You could possibly introduce an additional firewall to do nating prior to VPN but that would be again silly. Matiss, There are three ways that you can connect to the servers: 1. VPN (IPSEC) 2. 1 to 1 NAT (bidirectional NAT). Opened to the world, if not properly firewalled. This will have to be done on both sides. 3. Port forwarding (redirection with pf) Opened to the world, if not properly firewalled. This will have to be done on both sides. 1. There is no way to make VPN from LAN1 to LAN3 - I'm also angry for that... 2. and 3. I tried - I have no idea how to make that trought VPN. Forwarding traffic over public Internet- I can firewall what I will, if this is non-crypted trafiic, that tis is not secure. . I would choose 1. because the traffic is going to be encrypted going over the Internet and still behind your firewall and NAT without being opened to the world. I tried to make redirect like this: rdr from 10.210.1.2 to 10.210.1.1 - 192.168.30.1 Implemented incorrectly: http://www.openbsd.org/faq/pf/rdr.html or if you want binat: http://www.openbsd.org/faq/pf/nat.html#binat I have read this FAQ's I dont understand what are implemented incorrectly ?! If i try this on separated OpenBSD box, then that works great ! rdr on fxp1 from 10.210.1.215 to 10.210.1.216 - 192.168.30.2 You can not NAT on the same box you run ipsec on ... Nat is applied first, then a routing decision is made and if your ip addr are outside your encryption 'domain' your traffic will not traverse the tunnel. From my experience, this is not correct. You can have NAT and IPSEC running on the same box. IPSEC takes precedence over NAT and routing. Of course, NAT over routing. rc Do you have NAT over IPSEC or you have NAT and IPSEC on one box ? I have no Idea where to search - i tried google, but nothing useful. Best Regards Matiss
Re: FTP/ftp-proxy/pf issue.
Son of a Thanks Camiel. I changed $proxy_addr to $lan_if and it started working. -- Steve

Camiel Dobbelaar wrote: On Tue, 10 Apr 2007, Steve Mertz wrote: I'm trying to setup a firewall that allows FTP in to a server that is NATd on the other side. But that only allows access from one address outside the firewall. Something like: Machine - Internet - Firewall/NAT - FTP server I realize I need to use ftp-proxy to get through the NAT part of the firewall, but I'm not having much luck with it so far. Here is what I have:

/usr/sbin/ftp-proxy -R 10.10.11.10

pf.conf:
$dev_addr = machine that has access to ftp to this server.
$proxy_addr = 127.0.0.1
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*
rdr pass on $wan_if proto tcp from $dev_addr to $wan_if port ftp -> $proxy_addr port 8021
block in all
block out all
anchor ftp-proxy/*
pass in proto tcp from $proxy_addr to any port 21 keep state

This last rule is the problem. You need to pass _out_ from the firewall, and not using the 127.0.0.1 address, but the address that the kernel will pick for the connection to the server (10.10.11.1?). Or you can try this:

pass out proto tcp from any to port 21 keep state user proxy

-- Cam
Re: OpenBSD with RBAC?
On Tue, Apr 10, 2007 at 11:03:09AM -0400, [EMAIL PROTECTED] wrote: On Mon, 9 Apr 2007 22:17:23 +0200, Joachim Schipper [EMAIL PROTECTED] said: On Mon, Apr 09, 2007 at 02:46:32PM -0500, Lawal, Banji wrote: I was wondering if anyone out there has used OpenBSD with RBAC. From what I have found out so far RBAC is only deployed with FreeBSD. If anyone has any info about this please let me know. You are right, that doesn't work on OpenBSD. You might be interested in systrace, though. It would be nice if somebody was doing something like SeOS for OBSD, though. But, I know, only so much time and so many developers and I don't code, so I'll shut up now. I didn't spend more than a few minutes with Google, which wasn't terribly helpful (if I want search engine optimization, I'll just open my spam folder thankyouvermuch) but it appears my 'systrace' comment is right on. Really, do try. There's even a Linux version nowadays (though last I checked, there were some bugs still being worked out). You *will* want to know a thing or two about system calls, but that's almost inevitable. Xsystrace(1) or its command-line version isn't terribly pretty, but does work very well for quickly defining a policy. Joachim -- PotD: x11/x11vnc - VNC server for real X displays
Re: BSD thin client
On january, 27, Reiner Jung wrote: In the next 2 weeks, a free NX client will be released which is runs on OpenBSD without Linux emulation. All closed source parts from Nomachine client are rewritten. As there are some parts from original Nomachine client was used, it will be released under the GPL May I ask you if this is now available ? Thanks. -+-neil-+-
Re: Beep!
On 2007/04/10 19:09, Stefan Sperling wrote: On Tue, Apr 10, 2007 at 06:16:55PM +0200, Reyk Floeter wrote: man speaker(4) for example, # echo 'CDEFGAHOC' > /dev/speaker cat /bsd > /dev/speaker is fun, too, especially if you're into weird electronic music ;-) likewise 'tcpdump -w/dev/audio' (maybe with -yIEEE802_11_RADIO)
Routerboard 532 Bounty
I'm not sure where to ask this; so, I thought I'd start here in misc first. I think I have convinced myself that I want to sponsor an architecture port effort. Specifically, I would like to see OpenBSD ported to the Routerboard 532 (IDT MIPS32 4Kc processor). After STFW, I see that a few other people have posted questions about this in the past without a lot of positive response (it seems that there might have been a port that would have been suitable at one point in time, but is no longer part of the current distribution). I'm curious what the non-technical (financial) stewardship requirements might be for bringing back a dropped architecture and making sure that it works on a very specific set of target boards (starting with the 532). I don't think this is too much of a technical undertaking (but at the moment it's beyond my ability and time constraints)... the Routerboard 532 boots off of CompactFlash (no need to muck about with the on-board flash). The only things that worry me are the slim resources (64MB of memory max) and support for the first NIC (IDT Korina 10/100 Mbit/s Fast Ethernet port). I would be willing to forgo support for the IDT NIC just to get things started quickly (the other NICs are VIA VT6105). I would want support for at least one commodity 802.11(series) wireless NIC in both the 2.4 GHz and 5 GHz ranges. Other potential issues include the funky bootstrap code (which looks for ELF), custom BIOS and MIPS endianness. I don't want this to be a goatrope where I send off a bunch of Routerboard hardware and nobody even tries to collect the bounty, but I know the OpenBSD project has a pretty good reputation for getting things done when equipment and funds are provided (if I'm off mark with that semi-acquired assumption, please someone fill me in off-line). Where do I start and who do I need to talk to?
live DB cloning to pgsql
there is a pervasive sql v8 database on windows 2003 server that i would like to clone to a pgsql database on openbsd. i've not done this before and am not familiar with the proper technique(s) to do such a thing. the goal is to have any changes made to the pervasive DB be piped over to the mirror pgsql DB as the changes are made. any suggestions on how to set up this communication between the DBs would be very much appreciated. cheers, jake
Re: Beep!
Great! Thank you all! Manuel man speaker(4) for example, # echo 'CDEFGAHOC' > /dev/speaker
Re: bcw(4) is gone
On Tue, Apr 10, 2007 at 07:33:31PM +0800, Doug Brewer wrote: Reyk Floeter [EMAIL PROTECTED] wrote: On Tue, Apr 10, 2007 at 12:19:29PM +0200, frantisek holop wrote: if someone is still reading the thread... lalalala Is it funny? Fuck off!!! lalalala it is not funny but all this GPL discussion and speculations will not bring it back. reyk
Re: GRE over IPsec
Chris Jones wrote: Hey all, I know that it's possible to run GRE over an IPsec tunnel but I am wondering if anyone here has seen some good documentation (besides the man pages) or a howto on setting this up. I'm trying to config my OpenBSD 4.0 firewall to interop with a route-based VPN network with a mix of Fortigate and Netscreen firewalls. Fortigates and Netscreens both use GRE interfaces as tunnel interfaces when creating route-based VPN tunnels. Right now all endpoints are using un-numbered (0.0.0.0/0) GRE interfaces and so I would I've been setting up IPSEC tunnels with Juniper/NetScreen firewalls for years. I've never done GRE. I have set up a simple tunnel with Juniper/NetScreen to OpenBSD. I didn't use GRE. I don't see why you need GRE since IPSEC does tunnels.
[OT] Re: Beep!
On Tue, Apr 10, 2007 at 07:09:17PM +0200, Stefan Sperling wrote: cat /bsd > /dev/speaker is fun, too, especially if you're into weird electronic music ;-) In this case, you should also try madplay (from ports) on kernels for different platforms, but be sure to use a rate between 1 and 4 kHz. Ciao, Kili -- DE:Signaturen erzeugen Krebs. EN:Signatures cause cancer. ES:Signaturas provocan cancer. LATIN:Cancerem signatura faciunt. SE:Signaturer förorsaka cancer. FR:Les signatures provoquent le cancer. RO:Signaturile produc cancer. RU:Podpis'ki razvivazt rak. PL:Signatury provokuyom racka [send translations]
Re: BSD thin client
On January 27, Reiner Jung wrote: In the next 2 weeks, a free NX client will be released which runs on OpenBSD without Linux emulation. All closed source parts from Nomachine client are rewritten. As some parts from the original Nomachine client were used, it will be released under the GPL Just a thought, maybe. It would be nice if the new parts could be released under BSD where possible, and what can't be would still be GPL; then, if that's of good interest to some, maybe someone else might step up to finish it and replace the end GPL parts if possible. Especially if you spend so much time making it run on OpenBSD, which is BSD licensed. In the light of all that happened in the last week or so, that might be a good idea. Just food for thought. Best, Daniel
Re: live DB cloning to pgsql
On Tue, Apr 10, 2007 at 03:55:48PM -0500, Jacob Yocom-Piatt wrote: there is a pervasive sql v8 database on windows 2003 server that i would like to clone to a pgsql database on openbsd. i've not done this before and am not familiar with the proper technique(s) to do such a thing. the goal is to have any changes made to the pervasive DB be piped over to the mirror pgsql DB as the changes are made. any suggestions on how to set up this communication between the DBs would be very much appreciated. You might want to consider Slony-I (asynchronous replication, might not be what you want, but rather mature) and pgcluster (synchronous, but development appears to have ceased). There is some documentation on the net on how to do this; I've never gone past looking at it, myself, so couldn't help you there. Joachim -- TFMotD: perlgpl (1) - the GNU General Public License, version 2
Re: BSD thin client
On 4/10/07, Daniel Ouellet [EMAIL PROTECTED] wrote: On January 27, Reiner Jung wrote: In the next 2 weeks, a free NX client will be released which runs on OpenBSD without Linux emulation. All closed source parts from Nomachine client are rewritten. As some parts from the original Nomachine client were used, it will be released under the GPL The nx software does not look anywhere near as good as Sun's Sun Ray implementation. I would really like to use my Sun Rays on my OpenBSD boxes. However I imagine the protocol would be incredibly complicated. -- Best Regards Edd
Re: Binary kernel updates
On Tue, 10 Apr 2007 13:34:57 -0400 Jeremy Huiskamp [EMAIL PROTECTED] wrote: If you'd bothered to inspect the headers you would have noticed that the below message was sent before the one that has many replies but it didn't arrive until about 20 hours after it was sent. Probably stuck in the pipes somewhere, that seems to happen with misc@ a lot. Rico probably figured it was lost and so he sent another which is fairly reasonable. Thank you Jeremy! That was exactly what happened :-) I thought my ISP had some problems with his SMTP server. Jeremy On 10-Apr-07, at 12:44 PM, Bryan wrote: Why post twice? Sending it as different person within 24 hours of one another is not going to get what you want... A couple of people gave you solutions, choose one, or move to Linux... Remember this??? [EMAIL PROTECTED] [EMAIL PROTECTED] to misc@openbsd.org date Apr 9, 2007 4:43 PM subject Binary kernel and base update mailed-by openbsd.org Hi all. I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there is no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD it's really easy. But sometimes it's very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico On 4/9/07, Rico Secada [EMAIL PROTECTED] wrote: Hi all.
I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there is no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD it's really easy. But sometimes it's very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico
date -u gives wrong timezone output?
Hi, 'date -u' on a 4.0 -stable will give something like Tue Apr 10 22:03:24 GMT 2007 but shouldn't it be Tue Apr 10 22:03:24 UTC 2007 Cheers, Markus
Re: date -u gives wrong timezone output?
On 4/10/07, Markus Bergkvist [EMAIL PROTECTED] wrote: Hi, 'date -u' on a 4.0 -stable will give something like Tue Apr 10 22:03:24 GMT 2007 but shouldn't it be Tue Apr 10 22:03:24 UTC 2007 UTC = GMT for all that we care about. [[http://en.wikipedia.org/wiki/Coordinated_Universal_Time]] -Nick
Re: Binary kernel updates
On Tue, 10 Apr 2007 11:29:17 -0700 Bryan [EMAIL PROTECTED] wrote: I am exceedingly sorry. I realize now that it was not Rico's fault. My venom was uncalled for... Again, sorry Rico, et al... Apology accepted :-) back to the shadows... On 4/10/07, Jeremy Huiskamp [EMAIL PROTECTED] wrote: If you'd bothered to inspect the headers you would have noticed that the below message was sent before the one that has many replies but it didn't arrive until about 20 hours after it was sent. Probably stuck in the pipes somewhere, that seems to happen with misc@ a lot. Rico probably figured it was lost and so he sent another which is fairly reasonable. Jeremy On 10-Apr-07, at 12:44 PM, Bryan wrote: Why post twice? Sending it as different person within 24 hours of one another is not going to get what you want... A couple of people gave you solutions, choose one, or move to Linux... Remember this??? [EMAIL PROTECTED] [EMAIL PROTECTED] to misc@openbsd.org date Apr 9, 2007 4:43 PM subject Binary kernel and base update mailed-by openbsd.org Hi all. I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there is no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD it's really easy. But sometimes it's very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico On 4/9/07, Rico Secada [EMAIL PROTECTED] wrote: Hi all.
I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there is no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD it's really easy. But sometimes it's very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico
Re: live DB cloning to pgsql
On 4/10/07, Joachim Schipper [EMAIL PROTECTED] wrote: On Tue, Apr 10, 2007 at 03:55:48PM -0500, Jacob Yocom-Piatt wrote: there is a pervasive sql v8 database on windows 2003 server that i would like to clone to a pgsql database on openbsd. i've not done this before and am not familiar with the proper technique(s) to do such a thing. the goal is to have any changes made to the pervasive DB be piped over to the mirror pgsql DB as the changes are made. any suggestions on how to set up this communication between the DBs would be very much appreciated. You might want to consider Slony-I (asynchronous replication, might not be what you want, but rather mature) and pgcluster (synchronous, but development appears to have ceased). There is some documentation on the net on how to do this; I've never gone past looking at it, myself, so couldn't help you there. I think he's going to have to write a stored procedure and some triggers on the pervasive box. Greg
Re: OpenBGPd + pf + pf tables.
On Tue, Apr 10, 2007 at 06:33:12PM +0200, Xavier Beaudouin wrote: The problem I have is if I have a subnet removed from bgp (eg my AS35189 neighbor) it is not removed from pf table bgp. Do you have a little idea to do this automatically? does it work how you want to if you change from using tables to route labels? http://marc.info/?l=openbsd-pf&m=113646508819716&w=2 -- jared
Re: Binary kernel and base update
On Tue, 10 Apr 2007 01:43:56 +0200 [EMAIL PROTECTED] wrote: Thanks to all for the kind and enlightening answers. When I read that it was mainly due to lack of people and so, and not because that it was a bad idea, I then hope OpenBSD will keep expanding, and one day have all the resources which it needs. Hi all. I have noticed that the OpenBSD team puts a lot of emphasis on using binary packets rather than building from ports, which I think IMHO is good, but why is it that there is no binary kernel updates, rather than patching the kernel from source? I am asking this not from a point that we find this difficult, rather in OpenBSD it's really easy. But sometimes it's very time consuming, and yes there exists binpatch and other solutions, but why isn't there an official OpenBSD way? Last week management decided to go back to using Debian on some of our servers due to them being easy to upgrade including kernel and basesystem upgrades. OpenBSD has really made a cool solution with pkg_add -u, but why not kernel and basesystem binary updates as well? Best and kind regards. Rico
Re: date -u gives wrong timezone output?
On Tue, Apr 10, 2007 at 06:17:58PM -0400, Nick ! wrote: On 4/10/07, Markus Bergkvist [EMAIL PROTECTED] wrote: Hi, 'date -u' on a 4.0 -stable will give something like Tue Apr 10 22:03:24 GMT 2007 but shouldn't it be Tue Apr 10 22:03:24 UTC 2007 UTC = GMT for all that we care about. [[http://en.wikipedia.org/wiki/Coordinated_Universal_Time]] i could be wrong here, but perhaps he is not suggesting that there is any wallclock difference between GMT and UTC, but rather that the manpage for date(1) says: --- -u Display or set the date in UTC (Coordinated Universal) time. --- as opposed to ... date in GMT ..., also as implied by how it is '-u' and not '-g' least, that was my reaction to his post? -- jared Index: date.c === RCS file: /cvs/src/bin/date/date.c,v retrieving revision 1.27 diff -u -u -r1.27 date.c --- date.c 29 Nov 2005 19:07:46 - 1.27 +++ date.c 11 Apr 2007 03:19:15 - @@ -102,7 +102,7 @@ tval = atol(optarg); break; case 'u': /* do everything in UTC */ - if (setenv(TZ, GMT0, 1) == -1) + if (setenv(TZ, UTC, 1) == -1) err(1, cannot unsetenv TZ); break; case 't': /* minutes west of GMT */
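Review bot: In the 'u' case, the new value passed to setenv() drops the explicit zero offset that GMT0 carried. A bare UTC is not a complete POSIX TZ string (the format is a zone name followed by an offset), so it only works where the C library can resolve it as a zone name; UTC0 keeps the value self-contained and still yields the UTC abbreviation that the quoted date(1) text describes for -u. Two things in the unchanged context are worth tidying in the same change: the error text on the following line reads "cannot unsetenv TZ" although the call is setenv(), and the comment on case 't' still says "minutes west of GMT", which will no longer match what -u prints.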