PF rules2

2007-05-04 Thread Tang Tse
Hi again,

I am continuing my own fight with PF (sorry to send another mail, but I can't
really fix this).

If I reduce pf.conf to the following rules:
block in all
pass in on $int_if proto {tcp,udp} from any to any port 22 keep state

I can connect to ssh, but it takes at least one minute to ask me for the user and
password.

If I change it to block in on $ext_if all, then I can connect at the
normal speed.

The rule order is correct (I think); pf goes from the less specific rule to
the more specific rule. I told pf: if there is no match, block in all; if the
connection is to port 22, pass it. I can't understand why this doesn't work.

please, can you point to what is wrong?

Thanks!
Tang Tse



Re: about spam

2007-05-04 Thread Jussi Peltola
On Fri, May 04, 2007 at 01:26:58PM +0900, LinuxUser wrote:
 Hi, all. My name is tuyosi, a Japanese.
 
 There is little information about spamd,
 so I barely run spamd in my own fashion,
 but I do not see whether my way is good or not, so I have questions.
 
 What I am doing is as follows:
 1) in /etc/services, I add the next line
 spamd-sync 8025/udp
 
 2) in /etc/pf.conf, according to man pf.conf, I add the next lines
 rdr on $ext_if inet proto tcp from <spammers> to port smtp \
 tag SPAMD -> 127.0.0.1 port spamd
 block in on $ext_if
 pass in on $ext_if inet proto tcp tagged SPAMD
 
 
 3) in /etc/rc.local, I add the next lines
 if [ -x /usr/local/bin/spamd ]; then
 echo -n ' ---spamd--- '; /usr/local/bin/spamd -d
 fi
 
 
 4) in /etc/rc.conf.local
 #spamd_flags= #NO # for normal use:  and see spamd-setup(8)
 spamd_grey=YES  #NO # use spamd greylisting if YES
 spamlogd_flags=-i pppoe0 # use eg. -i interface and see spamlogd(8)
 namely spamd_flags= has no effect .
 
 
 and restart openbsd , 
 # ps -ax | grep spam
 13425 ?? Is 0:19.82 perl: /usr/local/bin/spamd -d (perl)
 23460 ?? I 0:00.06 perl: spamd child (perl)
 6975 ?? I 0:00.10 perl: spamd child (perl)
 5950 p0 I+ 0:00.02 grep spam
   
 
 Where do I see orthodox practice of spamd?
 

Hi Tuyosi san,

I think you have confused the OpenBSD project's spamd with the
daemonized version of SpamAssassin (it is also called spamd).

Spamd is a part of OpenBSD and can be enabled in rc.conf.local.

Have you read the man page of spamd? There is also a list of databases
and links to the man pages at http://www.openbsd.org/spamd/.

-- 
Regards,
Jussi Peltola



Re: malo driver

2007-05-04 Thread Claudio Jeker
On Thu, May 03, 2007 at 09:00:56PM -0500, Default User wrote:
 According to http://openbsd.org/i386.html#hardware the Netgear WG511v2
 Wireless PC card should work, using the malo driver:
 
 Marvell Libertas IEEE 802.11b/g CardBus adapters (malo), including: (G)
 Netgear WG511v2
 
 But on a laptop with OpenBSD 4.1, the card was not (apparently)
 recognized, nor did the malo driver seem to load.  
 

Please provide the dmesg of your box with the card inserted. From your two
lines I don't know if the card was not seen at all (e.g. your cardbus slot
plays games like mine likes to do) or if it was recognized but the driver
did not attach because the PCI IDs were not matched. Without that info we
can not help you.

 This same system recognizes a Netgear MA111 v1 usb wireless adapter,
 automatically loading the wi driver, and the whole system was installed
 by network that way, with no wired ethernet connection needed. 
 
 So, does the malo driver need to be loaded manually, and is it even on
 the OpenBSD 4.1 network install cd (from cd41.iso)?  
 

No malo(4) is not on any of the install medias as we are not allowed to
ship the firmware. Without firmware you can not make the card work and so
it does not make sense to include the driver.
GENERIC on the other hand has malo(4) enabled.

-- 
:wq Claudio



Problems with vpn roadwarriors using the same public ip

2007-05-04 Thread carlopmart

Hi all,

 I have a very strange problem. I am using an OpenBSD 4.1 with isakmpd config 
(isakmpd.conf and isakmpd.policy) to establish vpn connections for my 
roadwarriors clients.


 When two roadwarriors clients that use the same public ip, only one client can 
connect, the other no. Roadwarriors use the greenbow client.


 Somebody knows how can I fix this???

Many thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Soekris + vpn1411: Corrupted MAC on input

2007-05-04 Thread Michael
Hi,

I got a weird behavior with my net4801 and vpn1411 card when using
OpenBSD. Tried this with 4.0, 4.0-current and now 4.1-stable.

With the GENERIC kernel I get Corrupted MAC on input after a short
time during an SSH connection.

Since I had to modify the kernel options slightly to get my APC UPS
working with OpenBSD 4.0 over USB, I built myself a custom SOEKRIS
kernel. This also got rid of the Corrupted MAC on input issue.

Since a custom kernel is no longer needed for the APC UPS with OpenBSD
4.1, because the USV gets properly detected as ugen0, I just kept the
GENERIC kernel. But now I have Corrupted MAC on input again.

After compiling a custom SOEKRIS kernel for 4.1 too the corrupted MAC
issue is gone again. List of needed config changes taken from:
http://www.apcupsd.com/manual/USB_Configuration.html#SECTION000102300

Please have a look at the diff between the GENERIC and my custom SOEKRIS
config below and also both dmesg outputs. I also made a diff of both
dmesg outputs for easy comparison.

It would be nice if someone had an idea about why that fixes the Corrupted
MAC on input issue.

Michael


--- sys/arch/i386/conf/GENERIC  Wed Feb 28 22:54:43 2007
+++ sys/arch/i386/conf/SOEKRIS  Thu May  3 19:51:06 2007
@@ -218,14 +218,14 @@
 umass* at uhub?# USB Mass Storage devices
 scsibus* at umass?
 atapiscsi* at umass?
-uhidev*at uhub?# Human Interface Devices
-ums*   at uhidev?  # USB mouse
-wsmouse* at ums? mux 0
-ukbd*  at uhidev?  # USB keyboard
-wskbd* at ukbd? mux 1
-ucycom*at uhidev?  # Cypress serial
-ucom*  at ucycom?
-uhid*  at uhidev?  # USB generic HID support
+#uhidev*   at uhub?# Human Interface Devices
+#ums*  at uhidev?  # USB mouse
+#wsmouse* at ums? mux 0
+#ukbd* at uhidev?  # USB keyboard
+#wskbd*at ukbd? mux 1
+#ucycom*   at uhidev?  # Cypress serial
+#ucom* at ucycom?
+#uhid* at uhidev?  # USB generic HID support
 aue*   at uhub?# ADMtek AN986 Pegasus Ethernet
 atu*   at uhub?# Atmel AT76c50x based 802.11b
 axe*   at uhub?# ASIX Electronics AX88172 USB Ethernet
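Review bot: nothing in this hunk touches hifn(4), the crypto or the network path; it only comments out uhidev* and every device that attaches below it (ums, wsmouse, ukbd, wskbd, ucycom, ucom, uhid), which is the apcupsd USB recipe, so the disappearance of "Corrupted MAC on input" after this change is a correlation with no visible cause in the diff. Worth confirming before calling it the fix: run GENERIC with the UPS unplugged and the custom kernel with the UPS attached, to separate the HID attachment from the hifn0 card in the dmesg below. Also note that dropping "ukbd* at uhidev?" and "wskbd* at ukbd? mux 1" leaves the headless net4801 without USB keyboard support for recovery; a comment in the config saying why these lines are disabled would help the next person reading it.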


OpenBSD 4.1 (GENERIC) #0: Wed May  2 15:56:17 CEST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi (Geode by NSC
586-class) 267 MHz
cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
cpu0: TSC disabled
real mem  = 268005376 (261724K)
avail mem = 236859392 (231308K)
using 3302 buffers containing 13524992 bytes (13208K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 20/50/29, BIOS32 rev. 0 @ 0xf7840
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc8000/0x9000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Cyrix GXm PCI rev 0x00
sis0 at pci0 dev 6 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 10, address 00:00:24:c7:7f:64
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
sis1 at pci0 dev 7 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 10, address 00:00:24:c7:7f:65
nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
sis2 at pci0 dev 8 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 10, address 00:00:24:c7:7f:66
nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
ppb0 at pci0 dev 10 function 0 TI PCI2250 PCI-PCI rev 0x02
pci1 at ppb0 bus 1
sis3 at pci1 dev 0 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 9, address 00:00:24:c7:4c:2c
nsphyter3 at sis3 phy 0: DP83815 10/100 PHY, rev. 1
sis4 at pci1 dev 1 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 5, address 00:00:24:c7:4c:2d
nsphyter4 at sis4 phy 0: DP83815 10/100 PHY, rev. 1
sis5 at pci1 dev 2 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 9, address 00:00:24:c7:4c:2e
nsphyter5 at sis5 phy 0: DP83815 10/100 PHY, rev. 1
sis6 at pci1 dev 3 function 0 NS DP83815 10/100 rev 0x00, DP83816A:
irq 5, address 00:00:24:c7:4c:2f
nsphyter6 at sis6 phy 0: DP83815 10/100 PHY, rev. 1
hifn0 at pci0 dev 14 function 0 Hifn 7955/7954 rev 0x00: LZS 3DES ARC4
MD5 SHA1 RNG AES PK, 32KB dram, irq 11
gscpcib0 at pci0 dev 18 function 0 NS SC1100 ISA rev 0x00
gpio0 at gscpcib0: 64 pins
NS SC1100 SMI rev 0x00 at pci0 dev 18 function 1 not configured
pciide0 at pci0 dev 18 function 2 NS SCx200 IDE rev 0x01: DMA, channel
0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: CF300
wd0: 1-sector PIO, LBA, 983MB, 2014992 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
geodesc0 at pci0 dev 18 function 5 NS SC1100 X-Bus rev 0x00: iid 6
revision 3 wdstatus 0
ohci0 at pci0 dev 19 function 0 Compaq USB OpenHost rev 0x08: irq 5,
version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0

Re: PF rules2

2007-05-04 Thread scorch
On Fri, May 04, 2007 at 08:00:06AM +0200, Tang Tse wrote:
 Hi again,
 
 I follow with my own fight with PF. ( sorry to send other mail, but i can't
 really fix this ).
 
 If I reduce pf.conf to the following rules:
 block in all
 pass in on $int_if proto {tcp,udp} from any to any port 22 keep state
 
 I can connect to ssh, but it takes at least on minute to ask me the user and
 pass.
 
 If i change it to block in on $ext_if all, then i can connect with the
 normal speed.

so there's a question begging here - what _other_ traffic is being blocked by
block in all that is allowed through by the other option?

hint: think about running sshd in debug to see what takes so long.
or use pf block in log all (or whatever the appropriate syntax is) to see what is
dropped.

my guess is that your resolver is not accessible for some reason in the slow case
and ssh is timing out on the reverse lookup for the client connection.

a+
scorch



Re: Soekris + vpn1411: Corrupted MAC on input

2007-05-04 Thread mvdeventer
AFAIK ugen0 denotes a USB device for which no driver exists. Therefore
it is possible that your USV is not configured at all?

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of
 Michael
 Sent: 04 May 2007 09:48 AM
<snip>
 Since a custom kernel is not needed anymore for the APC UPS with
OpenBSD
 4.1 because the USV gets properly detected as ugen0 I just kept the
 GENERIC kernel. But now I have Corrupted MAC on input again.

</snip>



Decoding interface flags (ifconfig)

2007-05-04 Thread Clint Pachl
I'm curious if the flag bits, shown for each interface with ifconfig(8), 
can be decoded in order to reveal the characteristics of NICs, such as 
hardware RX/TX checksums and VLAN.


So far I have searched:

netintro(4)
ifmedia(4)
inet(4)
sys/net/if.c
sys/dev/pci/if_em.c

But haven't found anything definitive. Can someone explain or point out 
some source or man page?


-pachl



dmesg MS Virtual PC

2007-05-04 Thread stefan hoffmann

hi,

Seems that no one is man enough here: Running in a MS Virtual PC 2004 :)

OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Mobile Intel(R) Pentium(R) 4 - M CPU 2.50GHz (GenuineIntel 
686-class) 1.26 GHz
cpu0: 
FPU,V86,PSE,TSC,MSR,PAE,CX8,SEP,PGE,CMOV,ACPI,MMX,FXSR,SSE,SSE2,CNXT-ID,xTPR

real mem  = 267939840 (261660K)
avail mem = 236802048 (231252K)
using 3301 buffers containing 13520896 bytes (13204K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 08/14/03, SMBIOS rev. 2.3 @ 
0xf8cc0 (39 entries)

bios0: Microsoft Corporation Virtual Machine
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0xa000!
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX rev 0x03
pcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x01
pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA, 
channel 0 wired to compatibility, channel 1 wired to compatibility

wd0 at pciide0 channel 0 drive 0: Virtual HD
wd0: 128-sector PIO, LBA, 16383MB, 33554304 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: MS, C/DVD-ROM, 3.0 SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
piixpm0 at pci0 dev 7 function 3 Intel 82371AB Power rev 
0x02pci_intr_map: no mapping for pin A

: polling
iic0 at piixpm0
vga1 at pci0 dev 8 function 0 S3 Trio32/64 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
de0 at pci0 dev 10 function 0 DEC 21140 rev 0x20, 21140A pass 2.0: irq 
11, address 00:03:ff:ae:3a:5c

isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
sb0 at isa0 port 0x220/24 irq 5 drq 1: dsp v4.13
midi0 at sb0: SB MIDI UART
audio0 at sb0
opl0 at sb0: model OPL3
midi1 at opl0: SB Yamaha OPL3
pcppi0 at isa0 port 0x61
midi2 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ti16750, 64 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ti16750, 64 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
fd1 at fdc0 drive 1: density unknown
isapnp0 at isa0 port 0x279: read port 0x203
Sound Blaster 16, PNPB003, PNPB003,  at isapnp0 port 0x221/16,0x0/16 
irq 0 drq 0,0 resource conflict

joy0 at isapnp0 Game Port, PNPB02F, PNPB02F,  port 0x201/1
biomask e745 netmask ef45 ttymask ffc7
pctr: user-level cycle counter enabled
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
cd0(atapiscsi0:0:0): Check Condition (error 0x70) on opcode 0x0
SENSE KEY: Not Ready
 ASC/ASCQ: Medium Not Present


mfG
-- stefan --



Re: Soekris + vpn1411: Corrupted MAC on input

2007-05-04 Thread Stuart Henderson
On 2007/05/04 12:00, [EMAIL PROTECTED] wrote:
 AFAIK ugen0 denotes a USB device for which no driver exists.

correct, and that's what you want here; apcupsd and NUT talk
to USB devices using libusb, so you don't want a kernel driver
to attach to them.



Re: another dumb vlan question

2007-05-04 Thread Jason Dixon
On Thu, 03 May 2007 23:18:38 -0700, Clint Pachl [EMAIL PROTECTED] wrote:
 Axton wrote:
 On 5/2/07, Matiss Miglans [EMAIL PROTECTED] wrote:
 Hi
 Scenario 1 will be right.
 Don't mix there normal ethernet with vlan's.

 Jonathan Whiteman wrote:
  Lets say I'm setting up vlan devices so that 4 completely separate
  subnets' gateways can share same ethernet port on the router.  Is it
  more appropriate to give the physical device itself an ip address and
  then create 3 vlan devices, or to give the physical device no ip
 address
  at all and create 4 vlan devices?  Or?
 
 I have a hypothetical question regarding security concerning this setup.
 Would it be more secure to have 4 physically different interfaces each
 connected to a single VLAN? I am kind of new to VLANs and I am trying to
 discern the security issues involved. I was thinking about doing
 something similar to the OP.

And what exactly is more secure about having 4 different physical interfaces
connected to the same VLAN? That doesn't make any sense, unless you're talking
about trunking the 4 interfaces, then adding a vlan interface on top. All of
which has nothing to do with VLAN security.

Any VLAN security you can really impact will exist on the switch, not at the 
host.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Decoding interface flags (ifconfig)

2007-05-04 Thread Reyk Floeter
On Fri, May 04, 2007 at 03:27:53AM -0700, Clint Pachl wrote:
 I'm curious if the flag bits, shown for each interface with ifconfig(8), 
 can be decoded in order to reveal the characteristics of NICs, such as 
 hardware RX/TX checksums and VLAN.
 

they are already decoded in the string, nothing is hiding here ;)

bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

see src/sys/net/if.h:

UP 0x1 | BROADCAST 0x2 | RUNNING 0x40 | PROMISC 0x100 |
SIMPLEX 0x800 | MULTICAST 0x8000 = 0x8943

you're looking for the capabilities field but we do not export it to
userland. you have to trust the manpages or look at the drivers for
if_capabilities/IFFCAP_.

reyk



Re: Soekris + vpn1411: Corrupted MAC on input

2007-05-04 Thread mvdeventer
I see.

Thanks

 -Original Message-
 From: Stuart Henderson [mailto:[EMAIL PROTECTED]
 Sent: 04 May 2007 12:46 PM
 To: Marius Van Deventer - Umzimkulu
 Cc: misc@openbsd.org
 Subject: Re: Soekris + vpn1411: Corrupted MAC on input

 On 2007/05/04 12:00, [EMAIL PROTECTED] wrote:
  AFAIK ugen0 denotes a USB device for which no driver exists.

 correct, and that's what you want here; apcupsd and NUT talk
 to USB devices using libusb, so you don't want a kernel driver
 to attach to them.



Re: Soekris + vpn1411: Corrupted MAC on input

2007-05-04 Thread Michael
Hi,

Stuart Henderson schrieb:
 On 2007/05/04 12:00, [EMAIL PROTECTED] wrote:
 AFAIK ugen0 denotes a USB device for which no driver exists.
 
 correct, and that's what you want here; apcupsd and NUT talk
 to USB devices using libusb, so you don't want a kernel driver
 to attach to them.

I think there is a little misunderstanding here.

This is *not* about the USV but about the SSH connection. I just noticed
this weird behavior because I had to make a custom kernel for the USV
with OpenBSD 4.0.

Ok, again.

With the GENERIC 4.0 / 4.1 kernel I get the message Corrupted MAC on
input during a SSH connection and the connection closes. This is with
the Soekris net4801 which got a vpn1411 card.

When I use my custom SOEKRIS kernel with the changes mentioned in my
original mail the SSH connection is stable and hifn card is working just
fine.

I hope it is now clear. =)

Michael



Re: PF rules2

2007-05-04 Thread Fred Crowson

Tang Tse wrote:

Thanks all of you.

I have an internal DNS server (a vmware machine on my desktop computer),
so name resolution shouldn't be a problem, should it?


When you say allow dns lookups, you mean to open dns port?

Thanks!!
Tang



2007/5/4, Fred Crowson [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]:

Tang Tse wrote:
  Hi again,
 
  I follow with my own fight with PF. ( sorry to send other mail,
but i can't
  really fix this ).
 
  If I reduce pf.conf to the following rules:
  block in all

This rule causes pf to block in on all your interfaces, as you are
blocking DNS, ssh takes longer to work out where your connecting from,
either add an entry for your lan machine to /etc/hosts and/or allow DNS
lookups.

  pass in on $int_if proto {tcp,udp} from any to any port 22 keep state
 
  I can connect to ssh, but it takes at least on minute to ask me
the user and
  pass.
 
  If i change it to block in on $ext_if all, then i can connect
with the
  normal speed.
 

Here you are only blocking on the external interface so ssh is not
having to wait for the blocked DNS timeout.

  The rules order is correct ( i think ), pf goes from less
specific rule to
  more especific rule.. If i told pf if there is no match block in
all, if
  connection is to port 22 pass it. I can't understand why this
doesn't work..
 
  please, can you point to what is wrong?
 
  Thanks!
  Tang Tse
 
HTH

Fred
--
http://www.crowsons.net/puters/x41.php




block will block all DNS queries (port 53) unless their is a rule 
allowing them to pass...


--
http://www.crowsons.net/puters/x41.php



-stable no longer mentioned in dmesg?

2007-05-04 Thread Stephan A. Rickauer
quick question: My newly build 4.1-stable on i386 says in dmesg:

OpenBSD 4.1 (GENERIC) #0: Thu May  3 14:29:53 CEST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

I was expected to see a 4.1-stable (just because I've seen it before
with 3.x and 4.0). I double checked building from the correct tree. Am I
missing something in my build process or has this changed?

I did:

# cd /usr
# export CVSROOT=[EMAIL PROTECTED]:/cvs
# cvs -z5 checkout -P -rOPENBSD_4_1 src

# cd /usr/src/sys/arch/i386/conf
# /usr/sbin/config GENERIC
# cd /usr/src/sys/arch/i386/compile/GENERIC
# make clean && make depend && make && reboot


BTW: What is that #0 for (release has #1435)?

Thanks!

-- 

 Stephan A. Rickauer

 ---
 Institute of Neuroinformatics Tel  +41 44 635 30 50
 University / ETH Zurich   Sec  +41 44 635 30 52
 Winterthurerstrasse 190   Fax  +41 44 635 30 53
 CH-8057 ZurichWeb  www.ini.unizh.ch

 RSA public key:  https://www.ini.uzh.ch/~stephan/pubkey.asc
 ---



Re: -stable no longer mentioned in dmesg?

2007-05-04 Thread Reyk Floeter
On Fri, May 04, 2007 at 01:15:20PM +0200, Stephan A. Rickauer wrote:
 quick question: My newly build 4.1-stable on i386 says in dmesg:
 
 OpenBSD 4.1 (GENERIC) #0: Thu May  3 14:29:53 CEST 2007
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 
 I was expected to see a 4.1-stable (just because I've seen it before
 with 3.x and 4.0). I double checked building from the correct tree. Am I
 missing something in my build process or has this changed?
 

update your tree, it got fixed some days/hours ago

 I did:
 
 # cd /usr
 # export CVSROOT=[EMAIL PROTECTED]:/cvs
 # cvs -z5 checkout -P -rOPENBSD_4_1 src
 
 # cd /usr/src/sys/arch/i386/conf
 # /usr/sbin/config GENERIC
 # cd /usr/src/sys/arch/i386/compile/GENERIC
 # make clean && make depend && make && reboot
 
 
 BTW: What is that #0 for (release has #1435)?
 

kernel build version. 

look at /usr/src/sys/arch/i386/compile/GENERIC/vers.c, it will be
updated every time you run a make in your kernel dir.

 Thanks!
 
 -- 
 
  Stephan A. Rickauer
 
  ---
  Institute of Neuroinformatics Tel  +41 44 635 30 50
  University / ETH Zurich   Sec  +41 44 635 30 52
  Winterthurerstrasse 190   Fax  +41 44 635 30 53
  CH-8057 ZurichWeb  www.ini.unizh.ch
 
  RSA public key:  https://www.ini.uzh.ch/~stephan/pubkey.asc
  ---



Re: -stable no longer mentioned in dmesg?

2007-05-04 Thread Steven Surdock
Stephan A. Rickauer wrote:
 quick question: My newly build 4.1-stable on i386 says in dmesg:

 OpenBSD 4.1 (GENERIC) #0: Thu May  3 14:29:53 CEST 2007

 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC


The fix was recently committed,

Changes by: [EMAIL PROTECTED]   2007/05/03 04:12:09

Modified files:
sys/conf   : Tag: OPENBSD_4_1 newvers.sh

Log message:
enter -stable



Re: -stable no longer mentioned in dmesg?

2007-05-04 Thread Stephan A. Rickauer
On Fri, 4 May 2007 13:30:06 +0200
Reyk Floeter [EMAIL PROTECTED] wrote:

 On Fri, May 04, 2007 at 01:15:20PM +0200, Stephan A. Rickauer wrote:
  quick question: My newly build 4.1-stable on i386 says in dmesg:
  
  OpenBSD 4.1 (GENERIC) #0: Thu May  3 14:29:53 CEST 2007
  [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
  
  I was expected to see a 4.1-stable (just because I've seen it before
  with 3.x and 4.0). I double checked building from the correct tree.
  Am I missing something in my build process or has this changed?
  
 
 update your tree, it got fixed some days/hours ago

  BTW: What is that #0 for (release has #1435)?
  
 
 kernel build version. 
 
 look at /usr/src/sys/arch/i386/compile/GENERIC/vers.c, it will be
 updated every time you run a make in your kernel dir.

Cool, thanks.


-- 

 Stephan A. Rickauer

 ---
 Institute of Neuroinformatics Tel  +41 44 635 30 50
 University / ETH Zurich   Sec  +41 44 635 30 52
 Winterthurerstrasse 190   Fax  +41 44 635 30 53
 CH-8057 ZurichWeb  www.ini.unizh.ch

 RSA public key:  https://www.ini.uzh.ch/~stephan/pubkey.asc
 ---



Re: -stable no longer mentioned in dmesg?

2007-05-04 Thread Paul de Weerd
On Fri, May 04, 2007 at 01:15:20PM +0200, Stephan A. Rickauer wrote:
| quick question: My newly build 4.1-stable on i386 says in dmesg:
|
| OpenBSD 4.1 (GENERIC) #0: Thu May  3 14:29:53 CEST 2007
| [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
|
| I was expected to see a 4.1-stable (just because I've seen it before
| with 3.x and 4.0). I double checked building from the correct tree. Am I
| missing something in my build process or has this changed?

You're missing the change to newvers.sh :

http://marc.info/?l=openbsd-cvs&m=117818724826225&w=2

| I did:
|
| # cd /usr
| # export CVSROOT=[EMAIL PROTECTED]:/cvs
| # cvs -z5 checkout -P -rOPENBSD_4_1 src
|
| # cd /usr/src/sys/arch/i386/conf
| # /usr/sbin/config GENERIC
| # cd /usr/src/sys/arch/i386/compile/GENERIC
| # make clean && make depend && make && reboot

Try the checkout again, you should now get an updated newvers.sh that
says -stable.

| BTW: What is that #0 for (release has #1435)?

That's the build-count (or whatever it's called officially). You've
built 0 kernels from your tree so far (this gets reset when you clean
up after your build). If you build again (with another patch), you'll
see #1 and so on.

Cheers,

Paul 'WEiRD' de Weerd

--
 http://www.weirdnet.nl/




Re: 4.1 Packages Page

2007-05-04 Thread Edd Barrett

Hi there,


 On 5/3/07, djgoku [EMAIL PROTECTED] wrote:
  http://www.openbsd.org/4.1_packages/
  Gets a 404 error.


I agree - noticed this the other day.

--
Best Regards

Edd



Re: another dumb vlan question

2007-05-04 Thread Clint Pachl

Jason Dixon wrote:

On Thu, 03 May 2007 23:18:38 -0700, Clint Pachl [EMAIL PROTECTED] wrote:
  

Axton wrote:


On 5/2/07, Matiss Miglans [EMAIL PROTECTED] wrote:
  

Hi
Scenario 1 will be right.
Don't mix there normal ethernet with vlan's.

Jonathan Whiteman wrote:


Lets say I'm setting up vlan devices so that 4 completely separate
subnets' gateways can share same ethernet port on the router.  Is it
more appropriate to give the physical device itself an ip address and
then create 3 vlan devices, or to give the physical device no ip
  

address


at all and create 4 vlan devices?  Or?
  

I have a hypothetical question regarding security concerning this setup.
Would it be more secure to have 4 physically different interfaces each
connected to a single VLAN?


Mistake, sorry. I meant to say connected to different VLANs, not 
connected to a single VLAN.



And what exactly is more secure about having 4 different physical interfaces 
connected to the same VLAN?  That doesn't make any sense, unless you're talking 
about trunking the 4 interfaces, then adding a vlan interface on  top.  All of 
which  has nothing to do with VLAN security.
  


Are there security advantages to having 4 physical interfaces of a 
router connected to 4 switch ports, with each switch port belonging to a 
different VLAN? Or, a single physical interface connected to a single 
switch port that belongs to 4 VLANs?


The second option obviously saves you some interfaces and switchports, 
albeit a decrease in bandwidth, but does it make you more vulnerable to 
VLAN attacks (e.g. VLAN spoofing/hopping)?



Any VLAN security you can really impact will exist on the switch, not at the 
host.
  


I guess I'm asking from a host or switch perspective.



Re: Prevent circumventing dansguardian with pf

2007-05-04 Thread Henning Brauer
* Chad M Stewart [EMAIL PROTECTED] [2007-04-25 19:31]:
 On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
 pass in inet proto icmp all icmp-type $icmp_types keep state
 
 This can be used as a covert communication channel.  Allowing  
 internal IPs to send/receive ping is bad.

that is the biggest bullshit i have read on this list in some time.

if you deny icmp, you shall burn in hell

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: PF rules2

2007-05-04 Thread Fred Crowson

Tang Tse wrote:

Thanks for the answer,

Is it secure to open DNS ports to the outside world? Or do you mean to open
outgoing DNS connections? If I want to redirect incoming ssh connections
from the internet to some inside server, should I open DNS incoming?

Thanks!!



Not necessarily - but how about a rule like:

pass out on $ext_if proto { tcp, udp } from any to $my_nameserver \
port 53 keep state
HTH

Fred

PS http://home.nuug.no/~peter/pf/ is well worth reading
--
http://www.crowsons.net/puters/x41.php
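Fred's DNS explanation above and scorch's earlier hint come down to one packet: the resolver's reply to sshd's reverse lookup, arriving on an interface that "block in all" covers. The following Python model is an added example, not code from the thread or from OpenBSD; it models pf's last-matching-rule evaluation with a minimal state table. It assumes constructed interface names (rl0 as $int_if, fxp0 as $ext_if) and addresses, and places the resolver on the LAN as Tang described, so the stateful DNS rule is written without an interface.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed topology: the firewall's two interfaces and the hosts involved.
INT_IF, EXT_IF = "rl0", "fxp0"                      # stands in for $int_if / $ext_if
FW, CLIENT, RESOLVER = "192.168.1.1", "192.168.1.20", "192.168.1.10"


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet is seen on
    direction: str    # "in" or "out", relative to the firewall
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                                 # "block" or "pass"
    direction: str                              # "in" or "out"
    iface: Optional[str] = None                 # None = any interface ("all")
    protos: Optional[Tuple[str, ...]] = None    # None = any protocol
    dst: Optional[str] = None                   # None = any destination host
    dport: Optional[int] = None                 # None = any destination port
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.iface in (None, p.iface)
                and (self.protos is None or p.proto in self.protos)
                and self.dst in (None, p.dst)
                and self.dport in (None, p.dport))


class Pf:
    """Last-matching-rule-wins evaluation (no 'quick') plus a minimal state table."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)
        self.states = set()   # (proto, src, sport, dst, dport) of stateful passes

    def filter(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        # A packet that belongs to an existing state never consults the ruleset;
        # this is what lets a reply through a 'block in all'.
        if key in self.states or reply in self.states:
            return "pass (state)"
        last = None
        for r in self.rules:          # every rule is evaluated; the LAST match decides
            if r.matches(p):
                last = r
        if last is None:
            return "pass (default)"   # nothing matched: pf passes, and keeps no state
        if last.action == "pass" and last.keep_state:
            self.states.add(key)
        return last.action


# The two rulesets from the thread, plus a fix with a stateful rule for the resolver.
PASS_SSH = Rule("pass", "in", iface=INT_IF, protos=("tcp", "udp"), dport=22, keep_state=True)
PASS_DNS = Rule("pass", "out", protos=("tcp", "udp"), dst=RESOLVER, dport=53, keep_state=True)
SLOW = [Rule("block", "in"), PASS_SSH]                          # block in all
BY_ACCIDENT = [Rule("block", "in", iface=EXT_IF), PASS_SSH]     # block in on $ext_if all
FIXED = [Rule("block", "in"), PASS_SSH, PASS_DNS]


def ssh_login_trace(rules: List[Rule]) -> Dict[str, str]:
    """pf's decision for the three packets behind one ssh login: the client's SYN,
    sshd's reverse-lookup query to the LAN resolver, and the resolver's reply."""
    pf = Pf(rules)
    packets = [
        ("ssh SYN in",    Packet(INT_IF, "in",  "tcp", CLIENT, 40000, FW, 22)),
        ("dns query out", Packet(INT_IF, "out", "udp", FW, 53000, RESOLVER, 53)),
        ("dns reply in",  Packet(INT_IF, "in",  "udp", RESOLVER, 53, FW, 53000)),
    ]
    return {name: pf.filter(p) for name, p in packets}


if __name__ == "__main__":
    for name, rules in (("block in all", SLOW),
                        ("block in on $ext_if all", BY_ACCIDENT),
                        ("fixed", FIXED)):
        print(name, ssh_login_trace(rules))
```

Under "block in all" the reply is dropped and sshd waits for the resolver timeout before prompting; the second ruleset only works because the internal interface is not filtered at all, while the stateful DNS rule lets the reply through on its own state.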



Re: another dumb vlan question

2007-05-04 Thread Jason Dixon
On Fri, 04 May 2007 06:10:46 -0700, Clint Pachl [EMAIL PROTECTED] wrote:
 Jason Dixon wrote:
 On Thu, 03 May 2007 23:18:38 -0700, Clint Pachl [EMAIL PROTECTED]
 wrote:

 Axton wrote:

 On 5/2/07, Matiss Miglans [EMAIL PROTECTED] wrote:

 Hi
 Scenario 1 will be right.
 Don't mix there normal ethernet with vlan's.

 Jonathan Whiteman wrote:

 Lets say I'm setting up vlan devices so that 4 completely separate
 subnets' gateways can share same ethernet port on the router.  Is it
 more appropriate to give the physical device itself an ip address
 and
 then create 3 vlan devices, or to give the physical device no ip

 address

 at all and create 4 vlan devices?  Or?

 I have a hypothetical question regarding security concerning this
 setup.
 Would it be more secure to have 4 physically different interfaces each
 connected to a single VLAN?
 
 Mistake, sorry. I meant to say connected to different VLANs, not
 connected to a single VLAN.
 
 And what exactly is more secure about having 4 different physical
 interfaces connected to the same VLAN?  That doesn't make any sense,
 unless you're talking about trunking the 4 interfaces, then adding a vlan
 interface on  top.  All of which  has nothing to do with VLAN security.

 
 Are there security advantages to having 4 physical interfaces of a
 router connected to 4 switch ports, with each switch port belonging to a
 different VLAN? Or, a single physical interface connected to a single
 switch port that belongs to 4 VLANs?

If you understood VLANs, you'd realize what a silly question this is.  If you 
want to use 4 physical interfaces for segregated routing, do it... just don't 
bother with vlan interfaces (on your router).  However, if you'd prefer to 
minimize the amount of physical interfaces... or possibly trunk them and layer 
vlan interfaces on top, that's fine too.  You're mixing your OSI layers.  
Seriously, go back and read about VLANs and trunking/bonding. 

 The second option obviously saves you some interfaces and switchports,
 albeit a decrease in bandwidth, but does it make you more vulnerable to
 VLAN attacks (e.g. VLAN spoofing/hopping)?

See above.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Re: Prevent circumventing dansguardian with pf

2007-05-04 Thread Open Phugu

On 5/4/07, Henning Brauer [EMAIL PROTECTED] wrote:

* Chad M Stewart [EMAIL PROTECTED] [2007-04-25 19:31]:
 On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
 pass in inet proto icmp all icmp-type $icmp_types keep state

 This can be used as a covert communication channel.  Allowing
 internal IPs to send/receive ping is bad.

that is the biggest bullshit i have read on this list in some time.

if you deny icmp, you shall burn in hell

You may burn in hell, but ICMP can be used to infiltrate and exfiltrate data:
http://www.cs.uit.no/~daniels/PingTunnel/



Re: file sets

2007-05-04 Thread Frank Bax

At 12:38 PM 5/2/07, bubka20 wrote:


no, sorry, I meant base40.tgz, etc40.tgz, etc.  My problem though is with
step#6.  I'm probably not creating the cd properly ( my cd contains files:
base40, bsd, bsd.mp, bsd.rp, comp40, etc40, game40, man40, misc40, xbase40,
xetc40, xfont40, xserve40, xshare40 in random order with no tree
structure..). Should I create them with a tree 4.0/i386/base40, bsd, etc.?
and if so, how do I do that?




I've noticed this same problem when creating custom cdroms for OpenBSD 
install.  I could never get the install program to see the file sets if 
they were in the root directory on cdrom.   In your burning software, copy 
the directory containing sets to cdrom instead of the files in that directory. 



Re: dmesg output Sun Fire 4200

2007-05-04 Thread Marco Peereboom
I have never tried that actually.  Whenever I get to it I'll let you
know.

On Thu, May 03, 2007 at 06:47:30AM -0400, Daniel Ouellet wrote:
 Marco Peereboom wrote:
 I am running an X4100 with -current and I see no issues at all.
 
 If I may ask, how does the Sun Integrated Lights Out Manager (ILOM) on this 
  X4100 box compare to the regular LOM of the Sparc 64 series?
 
 Power cycle and possible to do full remote install via console as well 
 like the regular Sun?
 
 I know the X2100 is far from the usual LOM I am used to.
 
 Thanks for your time!
 
 Best,
 
 Daniel



Re: Prevent circumventing dansguardian with pf

2007-05-04 Thread Henning Brauer
* Open Phugu [EMAIL PROTECTED] [2007-05-04 15:36]:
 On 5/4/07, Henning Brauer [EMAIL PROTECTED] wrote:
 * Chad M Stewart [EMAIL PROTECTED] [2007-04-25 19:31]:
  On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
  pass in inet proto icmp all icmp-type $icmp_types keep state
 
  This can be used as a covert communication channel.  Allowing
  internal IPs to send/receive ping is bad.
 
 that is the biggest bullshit i have read on this list in some time.
 
 if you deny icmp, you shall burn in hell
 You may burn in hell, but ICMP can be used to infiltrate and exfiltrate 
 data:
 http://www.cs.uit.no/~daniels/PingTunnel/

so can tcp, so we shall block all tcp
so can udp, so we shall block all udp
so can water pipes, so let's deny access to all toilets for everybody
so can underwear, so let us require everybody to work naked

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: Prevent circumventing dansguardian with pf

2007-05-04 Thread Bret Lambert
On Fri, 2007-05-04 at 07:26 -0600, Open Phugu wrote:
  if you deny icmp, you shall burn in hell
 You may burn in hell, but ICMP can be used to infiltrate and exfiltrate data:
 http://www.cs.uit.no/~daniels/PingTunnel/
 
 

This looks like it's pretty trivially defeated; bzero()'ing the data
portion of the ICMP echo request/response removes the piggybacked data
channel.

For even more fun, you could overwrite the actual data in the covert
channel with a fun message about the Care Bears.

Or, for bonus points, some nice Harry Potter slashfic ;-)

- Bert



Re: Prevent circumventing dansguardian with pf

2007-05-04 Thread Antoine Jacoutot
On Friday 04 May 2007 15:42:58 Henning Brauer wrote:
 so can underwear, so let us require everybody to work naked

Actually, depending who you work with, this can be a good thing...

-- 
Antoine



Re: Prevent circumventing dansguardian with pf

2007-05-04 Thread Joachim Schipper
On Fri, May 04, 2007 at 07:26:32AM -0600, Open Phugu wrote:
 On 5/4/07, Henning Brauer [EMAIL PROTECTED] wrote:
 * Chad M Stewart [EMAIL PROTECTED] [2007-04-25 19:31]:
  On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
  pass in inet proto icmp all icmp-type $icmp_types keep state
 
  This can be used as a covert communication channel.  Allowing
  internal IPs to send/receive ping is bad.
 
 that is the biggest bullshit i have read on this list in some time.
 
 if you deny icmp, you shall burn in hell

 You may burn in hell, but ICMP can be used to infiltrate and exfiltrate 
 data:
 http://www.cs.uit.no/~daniels/PingTunnel/

Yes, but so can DNS and pretty much any data you let out of your
network. Consider encoding data in send time if you have both of those
covered.

See the .sig for a better solution; due to an oversight by the
developers, those man pages are not found on a stock OpenBSD system, but
Google will be happy to help.

Joachim

-- 
TFMotD: knife, axe, cutter, chainsaw(8) - tools to improve network
performance via SNIP



Re: Soekris + vpn1411: Corrupted MAC on input

2007-05-04 Thread Christian Weisgerber
Michael [EMAIL PROTECTED] wrote:

 With the GENERIC 4.0 / 4.1 kernel I get the message Corrupted MAC on
 input during a SSH connection and the connection closes. This is with
 the Soekris net4801 which got a vpn1411 card.

This is a known problem frequently reported on the soekris-technical
mailing list.  There is various speculation about this circulating
around, but I'm not aware of anybody actually understanding what
is going on there.

 When I use my custom SOEKRIS kernel with the changes mentioned in my
 original mail the SSH connection is stable and hifn card is working just
 fine.

That is ... bizarre.

-- 
Christian naddy Weisgerber  [EMAIL PROTECTED]



Re: vmware vmxnet driver (vic) error

2007-05-04 Thread Bert Koelewijn
Did some hours of debugging and found something really weird. On my host and virtual machines this uuid.bios will cause an error 
when fetching a large file from the network:


uuid.bios = 56 4d 02 e3 a3 f3 69 22-f8 8e 8d 41 78 07 b9 ae
ethernet0.generatedAddress = 00:0c:29:07:b9:ae

and this uuid.bios won't:

uuid.bios = 56 4d 06 40 43 9c 36 70-df 0a cb d7 9f 61 22 b7
ethernet0.generatedAddress = 00:0c:29:61:22:b7

Could somebody try to reproduce?

Thanks,

Bert


Reyk Floeter wrote:

On Thu, May 03, 2007 at 08:01:53PM +0200, Bert Koelewijn wrote:

Is anybody successfully using the vmxnet network driver (vic)?


yes, i was using it with esx and the freeware vmware server.

time to test it again...

With various VMWare Server 1.0+ versions and host operating 
systems I'm experiencing the following problem:


 vm_fault(0xd5fd9298, 0x0, 0, 3) -> e
 kernel: page fault trap, code=0
 Stopped at  _bus_dmamap_load_mbuf+0xf:   movl    $0,0x18(%esi)



yuck

do you get the ddb prompt to enter a 'trace' command?


-Bert
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
vic0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:07:b9:ae
groups: egress
media: Ethernet autoselect
status: active
inet 192.168.2.30 netmask 0xff00 broadcast 192.168.2.255
inet6 fe80::20c:29ff:fe07:b9ae%vic0 prefixlen 64 scopeid 0x1
pflog0: flags=0 mtu 33224
enc0: flags=0 mtu 1536
OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Genuine Intel(R) CPU T2300 @ 1.66GHz (GenuineIntel 686-class) 1.67 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3
real mem  = 267939840 (261660K)
avail mem = 236793856 (231244K)
using 3302 buffers containing 13524992 bytes (13208K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 04/17/06, BIOS32 rev. 0 @ 0xfd880, SMBIOS 
rev. 2.31 @ 0xe0010 (45 entries)
bios0: VMware, Inc. VMware Virtual Platform
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xdc000/0x4000! 0xe/0x4000!
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x01
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x08
pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: VMware Virtual IDE Hard Drive
wd0: 64-sector PIO, LBA, 8192MB, 16777216 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: NECVMWar, VMware IDE CDR10, 1.00 SCSI0 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
piixpm0 at pci0 dev 7 function 3 Intel 82371AB Power rev 0x08: SMBus disabled
vga1 at pci0 dev 15 function 0 VMware Virtual SVGA II rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
mpi0 at pci0 dev 16 function 0 Symbios Logic 53c1030 rev 0x01: irq 9
scsibus1 at mpi0: 16 targets
vic0 at pci0 dev 17 function 0 VMware Virtual NIC rev 0x10: irq 11
vic0: VMXnet 864F, address 00:0c:29:07:b9:ae
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ef65 netmask ef65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: CPU supports MTRRs but not enabled
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
arp info overwritten for 192.168.2.254 by 00:50:56:fe:78:6c on vic0




Re: OpenBSD 4.1 Torrents

2007-05-04 Thread John Fiore
 Speaking of this, when will the OpenBSD project begin to post SHA256
 hashes
 to the ftp sites. MD5 is dead: these two files are different and yet
 have the same
 MD5 hash.
 http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
 http://www.cits.rub.de/imperia/md/content/magnus/order.ps


Great.  Could you please show me the link to files that have the same length
and MD5 as those in the 4.1 release?



[OT] CHS for Thinkpad 390i anyone?

2007-05-04 Thread Alfred Breull
I've lost the CHS for an IBM Thinkpad 390i, 4.1 GB. 
Could anyone, please, post or send privately the 
corresponding numbers? 

Harddrive detection = auto doesn't work anymore,
and a boot floppy doesn't find the harddrive/ primary
partition (FAT16, 2 GB) anymore.

Thanks in advance. 
Alf.



Re: OpenBSD 4.1 Torrents

2007-05-04 Thread Paul de Weerd
On Fri, May 04, 2007 at 10:34:33AM -0400, John Fiore wrote:
|  Speaking of this, when will the OpenBSD project begin to post SHA256
|  hashes
|  to the ftp sites. MD5 is dead: these two files are different and yet
|  have the same
|  MD5 hash.
|  http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
|  http://www.cits.rub.de/imperia/md/content/magnus/order.ps
|
|
| Great.  Could you please show me the link to files that have the same
length
| and MD5 as those in the 4.1 release?

Don't forget that they should also be valid gzip'ed tar archives, and
(to properly use as an attack vector) extract to just about the same
set of files (with your trojaned binaries) as the originals.

Good luck !

Paul 'WEiRD' de Weerd

--
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/

[demime 1.01d removed an attachment of type application/pgp-signature]



Re: PF rules2

2007-05-04 Thread Nick Ryan
err. Maybe it's me but to answer his original question - it's more  
than likely a DNS lookup issue.


Have a look in /etc/ssh/sshd_config and add in:

UseDNS no


restart the sshd daemon with a kill -HUP command and you should have  
no problems.


Alternatively, you could fix your dns lookup issues..

Cheers - nick




On 4 May 2007, at 14:06, Fred Crowson wrote:


Tang Tse wrote:

Thanks for the answer,
Is it secure to open DNS ports to the outside world? Or do you mean to  
open outgoing DNS connections? If I want to redirect incoming ssh  
connections

from the internet to some inside server, should I open DNS incoming?
Thanks!!


Not necessarily - but how about a rule like:

pass out on $ext_if proto { tcp, udp } from any to $my_nameserver \
port 53 keep state
HTH

Fred

PS http://home.nuug.no/~peter/pf/ is well worth reading
--
http://www.crowsons.net/puters/x41.php
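Why the original ruleset ("block in all" plus a "pass in ... port 22 keep state") makes sshd hang until its reverse lookup times out, and why Fred's "pass out ... port 53 keep state" rule fixes it, comes down to pf's evaluation order: a packet that matches an existing state entry passes without the ruleset being consulted; otherwise the last matching rule wins, and a packet matching no rule is passed. Without a stateful pass-out rule, the DNS query leaves by default but creates no state, so the reply arriving inbound hits "block in all". The following is an added example, not pf code and not from this thread: a simplified Python model of those two pf behaviours with the thread's rules expressed in it. The interface names fxp0/fxp1, the addresses, and the assumption that the resolver sits beyond $ext_if are all mine; only the UDP half of Fred's { tcp, udp } rule is modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the firewall
    ifname: str
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions
    ifname: Optional[str] = None     # None matches any interface ("all")
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return all(want is None or want == got for want, got in (
            (self.direction, p.direction), (self.ifname, p.ifname),
            (self.proto, p.proto), (self.dst, p.dst), (self.dport, p.dport)))


class Firewall:
    """Simplified model of pf (no 'quick'): state table first, then the ruleset
    where the LAST matching rule wins, and a packet matching no rule passes."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def filter(self, p: Packet) -> str:
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)   # reply direction
        if self._key(p) in self.states or reverse in self.states:
            return "pass (state)"
        winner = None
        for rule in self.rules:
            if rule.matches(p):
                winner = rule
        if winner is None:
            return "pass (default)"
        if winner.action == "block":
            return "block"
        if winner.keep_state:
            self.states.add(self._key(p))
        return "pass (rule)"


INT_IF, EXT_IF = "fxp0", "fxp1"                          # assumed interface names
NAMESERVER, FIREWALL_IP = "192.0.2.53", "203.0.113.10"   # documentation addresses

RULES_FROM_THREAD = [
    Rule("block", direction="in"),                                  # block in all
    Rule("pass", "in", INT_IF, "tcp", dport=22, keep_state=True),   # pass in on $int_if ... port 22 keep state
]
# Fred's rule (udp half): pass out on $ext_if proto udp to $my_nameserver port 53 keep state
DNS_RULE = Rule("pass", "out", EXT_IF, "udp", NAMESERVER, 53, keep_state=True)


def reverse_lookup_outcome(rules: List[Rule]) -> Tuple[str, str]:
    """sshd's reverse DNS lookup: the query goes out, the reply must come back in."""
    fw = Firewall(list(rules))
    query = Packet("out", EXT_IF, "udp", FIREWALL_IP, 40000, NAMESERVER, 53)
    reply = Packet("in", EXT_IF, "udp", NAMESERVER, 53, FIREWALL_IP, 40000)
    return fw.filter(query), fw.filter(reply)


def ssh_outcome(rules: List[Rule]) -> Tuple[str, str]:
    """The ssh connection itself: SYN in on $int_if, SYN/ACK back out via state."""
    fw = Firewall(list(rules))
    syn = Packet("in", INT_IF, "tcp", "10.0.0.5", 50000, FIREWALL_IP, 22)
    synack = Packet("out", INT_IF, "tcp", FIREWALL_IP, 22, "10.0.0.5", 50000)
    return fw.filter(syn), fw.filter(synack)


if __name__ == "__main__":
    print("ssh:", ssh_outcome(RULES_FROM_THREAD))
    print("dns, thread's rules:", reverse_lookup_outcome(RULES_FROM_THREAD))
    print("dns, with Fred's rule:", reverse_lookup_outcome(RULES_FROM_THREAD + [DNS_RULE]))
```

With the thread's two rules the model reports ssh passing but the DNS reply blocked; adding the stateful pass-out rule turns the reply into a state match. Nick's "UseDNS no" removes the lookup instead of letting its reply through, which is why it also makes the delay disappear.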




Re: OpenBSD 4.1 Torrents

2007-05-04 Thread Stuart Henderson
On 2007/05/04 17:03, Paul de Weerd wrote:
 Dont forget that they should also be valid gzip'ed tar archives

that makes things *significantly* easier:
valid gzip + random crap = valid gzip
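Paul's and Stuart's two observations together say what a downloader should actually check: the digest must be computed over the exact bytes served (not over what comes out of the decompressor), the length must match, and anything after the last gzip member should be treated as a defect rather than ignored the way gzip(1) does with its "trailing garbage ignored" warning. Note also that substituting a set for one whose hash is already published requires a second preimage, not the kind of chosen-prefix collision the two .ps files demonstrate. The code below is an added example, not part of this thread or of OpenBSD's tools; the file-set content, its length and its hash are constructed in the block.

```python
import gzip
import hashlib
import zlib

GZIP_MAGIC = b"\x1f\x8b"


def split_gzip(data: bytes):
    """Decompress every gzip member in `data` and return (content, trailer).
    gzip(1) only warns about bytes after the last member; here they are
    handed back so the caller can refuse them."""
    out = bytearray()
    rest = data
    while rest.startswith(GZIP_MAGIC):
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects the gzip wrapper
        out += d.decompress(rest)
        if not d.eof:
            raise ValueError("truncated gzip member")
        rest = d.unused_data                                # bytes after this member
    return bytes(out), rest


def check_set(data: bytes, expected_len: int, expected_sha256: str) -> dict:
    """The checks a downloader should make before trusting a file set:
    length, digest over the served bytes, and no data after the archive."""
    digest = hashlib.sha256(data).hexdigest()
    _, trailer = split_gzip(data)
    length_ok = len(data) == expected_len
    sha256_ok = digest == expected_sha256
    return {"length_ok": length_ok, "sha256_ok": sha256_ok,
            "trailer_bytes": len(trailer),
            "clean": length_ok and sha256_ok and not trailer}


# Constructed stand-in for a release set (not a real OpenBSD file set).
SET_CONTENT = b"./etc/motd\n./etc/rc.conf\n" * 50
ORIGINAL_SET = gzip.compress(SET_CONTENT)
ORIGINAL_LEN = len(ORIGINAL_SET)
ORIGINAL_SHA256 = hashlib.sha256(ORIGINAL_SET).hexdigest()

# The same archive with junk appended: a plain decompressor sees the same content.
TRAILER = b"\x00random crap\xff" * 4
PADDED_SET = ORIGINAL_SET + TRAILER


def same_content(a: bytes, b: bytes) -> bool:
    return split_gzip(a)[0] == split_gzip(b)[0]


if __name__ == "__main__":
    print("same content:", same_content(ORIGINAL_SET, PADDED_SET))
    print("original:", check_set(ORIGINAL_SET, ORIGINAL_LEN, ORIGINAL_SHA256))
    print("padded:  ", check_set(PADDED_SET, ORIGINAL_LEN, ORIGINAL_SHA256))
```

The padded archive decompresses to exactly the original content, which is Stuart's point, but it fails the length check, the digest check, and the trailer check independently. Python's own gzip module, unlike gzip(1), raises on trailing data, so a verifier built on it gets the third check for free; the zlib loop above makes the behaviour explicit and also handles concatenated members.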



Re: Prevent circumventing dansguardian with pf

2007-05-04 Thread Sebastian Benoit
Bret Lambert([EMAIL PROTECTED]) on 2007.05.04 09:47:43 +:
 This looks like it's pretty trivially defeated; bzero()'ing the data
 portion of the ICMP echo request/response removes the piggybacked data
 channel.

Then I'll encode my data with the morse over ping protocol.

If a user can send any sort of packet to the outside world, he can send
almost any information.

If you want to deny users the possibility to smuggle data out of their
workplace (or whatever), then don't connect them to the internet.

/Benno
-- 
Sebastian Benoit [EMAIL PROTECTED]

There are no good wars, with the following exceptions: the American
Revolution, World War Two and the Star Wars Trilogy. -- Bart Simpson



nonsense from OBSD 4.0 ping

2007-05-04 Thread Karel Kulhavy
I have the OpenBSD 4.0 ping and it wrote this:

64 bytes from 192.168.2.215: icmp_seq=3029 ttl=64 time=6.057 ms
64 bytes from 192.168.2.215: icmp_seq=3035 ttl=64 time=44.108 ms
64 bytes from 192.168.2.215: icmp_seq=3036 ttl=64 time=-994831.-515 ms
   ^
Parse error: minus sign not allowed between decimal dot and the decimal part.

CL



Problem on installing OpenBSD - disks not found

2007-05-04 Thread satimis
Hi folks,


Old P-II 350 box
IWill motherboard support - ATA-33 HD
Hot Rod ABit ATA-66 PCI Controller
Maxtor HD - ATA-100 10G connected to above Controller

OpenBSD 4.1 CD installer - burned with CD41.iso


During installation it prompted No disks found.

Previously on Windows I did this trick, connecting the HD to IDE first. 
Then the HD was detected.  After installation completed reconnected the HD
to the Controller.

Is there any other way on OpenBSD?  Or do I have to do the same trick as
before?

TIA


B.R.
Stephen Liu
-- 
View this message in context: 
http://www.nabble.com/Problem-on-installing-OpenBSD---disks-not-found-tf3692366.html#a10323754
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: Problems with vpn roadwarriors using the same public ip

2007-05-04 Thread Matthias Bertschy

carlopmart wrote:

Hi all,

 I have a very strange problem. I am using OpenBSD 4.1 with an isakmpd 
config (isakmpd.conf and isakmpd.policy) to establish vpn connections 
for my roadwarrior clients.


 When two roadwarrior clients use the same public ip, only one 
client can connect; the other cannot. The roadwarriors use the greenbow client.


 Does somebody know how I can fix this???

Many thanks.


Hello,

I have the same problem with racoon on Linux 2.6, when a second client 
connects to IPSEC thru NAT, the first one loses his connection.
I don't know if it is related to IPSEC, or a bug in both isakmpd and 
racoon; but I haven't found a fix yet.


Matthias Bertschy



Re: Bridge between a jumboframe and a normal 1512byte network

2007-05-04 Thread Jason Ish
On Tue, May 01, 2007 at 08:44:45AM +0200, Markus Hennecke wrote:
 On Tue, 1 May 2007, Bob wrote:
 
 I tried to look this up with google, but didn't find any sensible answers.
 I.e. I'm building a gigabit network at home, and I now have a 100Base-TX
 network here. I would like to add a gigabit network to it. This gigabit
 network will of course run with jumbo frames. Now my question is basically,
 can I plug an em and a fxp network card into a machine and configure it to
 run with brconfig? Will the bridge fragment oversized packets from the
 gigabit network when talking to the 100Base-TX network? I'm running, 
 of course,
 OpenBSD 4.1-current on the machine that acts as a bridge.
 
 This is not possible. The bridge just takes a packet from one interface and 
 puts it on the other interface(s). So jumbo frames are no option if a 
 100Base-TX network is connected.
 
 You could route between the two networks, then the router would fragment 
 the packets if they are too large.

Actually the bridge in OpenBSD can handle this provided the packet is
IP and the DF bit is not set.  If the IP packet is too large for the
outbound interface it will be fragmented.



Re: Prevent circumventing dansguardian with pf

2007-05-04 Thread Jeffrey C. Ollie
On Fri, 2007-05-04 at 09:47 -0400, Bret Lambert wrote:
 On Fri, 2007-05-04 at 07:26 -0600, Open Phugu wrote:
   if you deny icmp, you shall burn in hell
  You may burn in hell, but ICMP can be used to infiltrate and exfiltrate
data:
  http://www.cs.uit.no/~daniels/PingTunnel/

 This looks like it's pretty trivially defeated; bzero()'ing the data
 portion of the ICMP echo request/response removes the piggybacked data
 channel.

 For even more fun, you could overwrite the actual data in the covert
 channel with a fun message about the Care Bears.

 Or, for bonus points, some nice Harry Potter slashfic ;-)

For certain types of network links it can be useful for
troubleshooting/debugging purposes to put different patterns into the
data portion of the ICMP packet:

http://www.cisco.com/en/US/tech/tk713/tk628/technologies_tech_note09186a00800
a7599.shtml

Although I agree that having the option to scrub or block ICMP packets
with non-zero data payloads would be useful.

Jeff

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]
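Bret's bzero() idea and Jeff's wish for a way to scrub or block echo packets with non-zero payloads describe the same control from two sides: inspect the data portion of each echo, pass the patterns legitimate ping implementations send, and either flag or zero anything else. The block below is an added example, not code from this thread, from pf or from any ping implementation: it parses and checksums ICMP echo packets, classifies the payload (ping(8)'s timestamp-plus-incrementing-bytes pattern, a repeated 16-bit pattern of the kind Jeff's Cisco note describes, empty, or other), and implements the scrub by zeroing the data and recomputing the checksum. The three sample packets are constructed in the block, not captured, and the classification is a heuristic of mine rather than any tool's rule.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071: ones' complement of the ones' complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an echo request/reply with a correct checksum."""
    csum = icmp_checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Validate an ICMP echo request/reply (type, code, checksum) and split it up."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        raise ValueError("not an echo request/reply")
    if icmp_checksum(packet) != 0:  # a correct packet sums to 0xFFFF, so its complement is 0
        raise ValueError("bad checksum")
    return {"type": icmp_type, "id": ident, "seq": seq, "payload": packet[8:]}


def is_valid_echo(packet: bytes) -> bool:
    try:
        parse_echo(packet)
        return True
    except ValueError:
        return False


def classify_payload(payload: bytes) -> str:
    """Heuristic: 'sequential' is ping(8)'s timestamp plus incrementing bytes,
    'repeated' is one byte or one 16-bit pattern repeated (Cisco-style 0xABCD,
    or an all-zero scrubbed payload), 'empty' has no data, and 'other' is
    anything that looks like arbitrary data riding along in the echo."""
    if not payload:
        return "empty"
    body = payload[8:] if len(payload) > 8 else payload   # skip the timestamp slot
    if len(body) >= 2 and all((body[i + 1] - body[i]) % 256 == 1 for i in range(len(body) - 1)):
        return "sequential"
    unit = payload[:2]
    if len(set(payload)) == 1 or payload == (unit * (len(payload) // 2 + 1))[:len(payload)]:
        return "repeated"
    return "other"


def inspect_echo(packet: bytes) -> dict:
    """What a monitor would log per echo: seq, payload size, class and verdict."""
    fields = parse_echo(packet)
    kind = classify_payload(fields["payload"])
    return {"seq": fields["seq"], "len": len(fields["payload"]),
            "class": kind, "suspicious": kind == "other"}


def scrub_echo(packet: bytes) -> bytes:
    """The bzero() approach: keep type/id/seq and length, zero the data, fix the checksum."""
    fields = parse_echo(packet)
    return build_echo(fields["type"], fields["id"], fields["seq"], bytes(len(fields["payload"])))


def ping_payload(size: int = 56) -> bytes:
    """Constructed stand-in for ping(8)'s data: an 8-byte timestamp slot, then 0x10, 0x11, ..."""
    return struct.pack("!II", 1178287200, 0) + bytes((0x10 + i) & 0xFF for i in range(size - 8))


# Constructed sample packets, not captures.
NORMAL = build_echo(ECHO_REQUEST, 0x1234, 3036, ping_payload())
CISCO_STYLE = build_echo(ECHO_REQUEST, 0x1234, 1, b"\xab\xcd" * 28)
SMUGGLED = build_echo(ECHO_REQUEST, 0x1234, 2, b"tunnelled text, not a ping".ljust(56, b"\x00"))

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("cisco", CISCO_STYLE), ("smuggled", SMUGGLED)):
        print(name, inspect_echo(pkt))
    print("scrubbed", inspect_echo(scrub_echo(SMUGGLED)))
```

The scrub keeps the packet usable for reachability testing (same type, id, sequence number and size) while removing whatever was carried in the data, which is the trade-off Jeff points at: the diagnostic patterns his Cisco note relies on survive a block-on-"other" policy but not a zero-everything policy, so which of the two to apply depends on whether anyone on the link needs those patterns.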



login and password

2007-05-04 Thread bubka20
I received the congratulations message that openbsd was installed.  Upon
rebooting I see openbsd/i386 (puffy) (tty0) and I am prompted for login: and
password:  How do I find out my login and password? ... thanks

-- 
View this message in context: 
http://www.nabble.com/login-and-password-tf3692674.html#a10324761
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: Problems with vpn roadwarriors using the same public ip

2007-05-04 Thread carlopmart

Matthias Bertschy wrote:

carlopmart wrote:

Hi all,

 I have a very strange problem. I am using OpenBSD 4.1 with an isakmpd 
config (isakmpd.conf and isakmpd.policy) to establish vpn connections 
for my roadwarrior clients.


 When two roadwarrior clients use the same public ip, only one 
client can connect; the other cannot. The roadwarriors use the greenbow client.


 Does somebody know how I can fix this???

Many thanks.


Hello,

I have the same problem with racoon on Linux 2.6, when a second client 
connects to IPSEC thru NAT, the first one loses his connection.
I don't know if it is related to IPSEC, or a bug in both isakmpd and 
racoon; but I haven't found a fix yet.


Matthias Bertschy

I think that I found a solution. I have put Share-SADB = Define in the General 
section of isakmpd.conf, and it seems that it works now ... But, is this ok? Does somebody 
know if using this option can produce a security hole?? I believe that sharing 
SAs between clients may not be a good solution 


Thanks.

--
CL Martinez
carlopmart {at} gmail {d0t} com



Re: login and password

2007-05-04 Thread L. V. Lammert

At 09:49 AM 5/4/2007 -0700, bubka20 wrote:

I received the congratulations message that openbsd was installed.  Upon
rebooting I see openbsd/i386 (puffy) (tty0) and I am prompted for login: and
password:  How do I find out my login and password? ... thanks


What root password did you enter at installation?

Lee



Re: login and password

2007-05-04 Thread Maxime DERCHE
Hello.

You should definitely read the official documentation, especially the
FAQ. And learn a little bit about how a Unix system works.


On http://www.openbsd.org/faq/faq4.html#Network the last paragraph says
that right after the network configuration a password is needed for the
root account. In a Unix system, root is the name of the primary user,
which is the super-user, the one who has the highest level of privileges.
So, at the very first system boot there is only one user declared to the
system. Its login is root and its associated password is the one you just
typed during the post-installation configuration.


Regards,

Maxime DERCHE


bubka20 wrote:
 I received the congratulations message that openbsd was installed.  Upon
 rebooting I see openbsd/i386 (puffy) (tty0) and I am prompted for login:
and
 password:  How do I find out my login and password? ... thanks



Re: nonsense from OBSD 4.0 ping

2007-05-04 Thread Woodchuck
On Fri, 4 May 2007, Karel Kulhavy wrote:

 I have the OpenBSD 4.0 ping and it wrote this:
 
 64 bytes from 192.168.2.215: icmp_seq=3029 ttl=64 time=6.057 ms
 64 bytes from 192.168.2.215: icmp_seq=3035 ttl=64 time=44.108 ms
 64 bytes from 192.168.2.215: icmp_seq=3036 ttl=64 time=-994831.-515 ms
^
 Parse error: minus sign not allowed between decimal dot and the decimal part.

Is Parse error:... the output of some program?

 
 CL

Observe the ping source:

733 if (timing)
734 (void)printf(" time=%d.%03d ms",
735 (int)(triptime / 1000),
736 (int)(triptime % 1000));

your indicated triptime is -994,831,515 usec.

Expressed otherwise, that is -994831515 3300135781 c4b41365, as an
unsigned and in hex.  Taking the unsigned interpretation, that would
be 3300 seconds or about 55 minutes.  (triptime is a quad_t type).
I suggest a fault in your computer, some sort of glitch in the
highspeed clock... unless the ping actually took 55 minutes.  You
can peruse the pellucid source to ping at /usr/src/sbin/ping.c

Perhaps, if ping times must always be positive, the printf
might be changed to
734 (void)printf(" time=%u.%03u ms",
735 (unsigned int)(triptime / 1000),
736 (unsigned int)(triptime % 1000));

Your output would then have read:
64 bytes from 192.168.2.215: icmp_seq=3036 ttl=64 time=3300135.781 ms

It would have been more helpful had you exhibited the original ping command.
I am curious about the value for the -w (maxwait) parameter, which
defaults to ten seconds.  If that was the -w you used, then again
I suggest looking for a hardware failure (or perhaps some process that
pre-empted the clock or blocked interrupts in general).

Dave
-- 
 Resistance is futile.  You've already been assimilated.



Machine freezes from invalid Ethernet packets

2007-05-04 Thread Karel Kulhavy
Hello

I connected a 10Mbps free space optics link to a 10Mbps hub to which OpenBSD
4.0 machine (Dell Inspiron 510m) was connected. The link had probably bad
signal because on the Dell directly (i. e. in the NIC) I could receive the RTP
that was transmitted through the link, but another device couldn't, a switch
wouldn't broadcast it (even when it was IP/Ethernet broadcast) and the hub was
flashing traffic only on the LED where it was connected and not the other ones
(so it probably thought the traffic is damaged and not worth, though it didn't
report any collisions).

After a while observing nonsensical Ethernet frames with nonsensical protocol
fields in Wireshark (which went away when I shielded away the carrier beam) I
realized the machine was dead. The external mouse wouldn't move the pointer, the
touchpad wouldn't, ctrl-alt-backspace didn't shut down the X server, no
reactions to input.  Turning off however worked.

Do you have any idea if this could be a hardware bug in the Intel ethernet
NIC or rather a buggy fxp driver in OBSD?

CL


OpenBSD 4.0-stable (GENERIC) #0: Sat Mar 17 00:07:37 CET 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1.50GHz (GenuineIntel 686-class) 1.50 
GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2
cpu0: Enhanced SpeedStep 1500 MHz (1340 mV): speeds: 1500, 1200, 1000, 800, 600 
MHz
real mem  = 53504 (522500K)
avail mem = 480100352 (468848K)
using 4256 buffers containing 26853376 bytes (26224K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 01/28/05, BIOS32 rev. 0 @ 0xffe90, 
SMBIOS rev. 2.3 @ 0xf8d00 (61 entries)
bios0: Dell Inc. Inspiron 510m
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfc590/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371 ISA and IDE rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xd800! 0xcd800/0x800 0xce000/0x800 0xce800/0x800 
0xcf000/0x800 0xcf800/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82852GM Hub-PCI rev 0x02
Intel 82852GM Memory rev 0x02 at pci0 dev 0 function 1 not configured
Intel 82852GM Configuration rev 0x02 at pci0 dev 0 function 3 not configured
vga1 at pci0 dev 2 function 0 Intel 82852GM AGP rev 0x02: aperture at 
0xf000, size 0x800
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Intel 82852GM AGP rev 0x02 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801DB USB rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801DB USB rev 0x01: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801DB USB rev 0x01: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801DB USB rev 0x01: irq 11
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb0 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x81
pci1 at ppb0 bus 1
cbb0 at pci1 dev 1 function 0 TI PCI4510 CardBus rev 0x02: irq 11
TI PCI4510 FireWire rev 0x00 at pci1 dev 1 function 1 not configured
ipw0 at pci1 dev 3 function 0 Intel PRO/Wireless 2100 rev 0x04: irq 11, 
address 00:0c:f1:61:60:36
fxp0 at pci1 dev 8 function 0 Intel PRO/100 VE rev 0x81, i82562: irq 11, 
address 00:11:43:52:46:e7
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
ichpcib0 at pci0 dev 31 function 0 Intel 82801DBM LPC rev 0x01
pciide0 at pci0 dev 31 function 1 Intel 82801DBM IDE rev 0x01: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: HTS421280H9AT00
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SAMSUNG, CDRW/DVD SN-324S, U303 SCSI0 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
auich0 at pci0 dev 31 function 5 Intel 82801DB AC97 rev 0x01: irq 11, ICH4 
AC97
ac97: codec id 0x83847650 (SigmaTel STAC9750/51)
ac97: codec features headphone, 20 bit DAC, 20 bit ADC, SigmaTel 3D
audio0 at auich0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at 

Re: new openbsd 4.0 server, panic on ufsdirhash

2007-05-04 Thread John Mendenhall
 Does this indicate I have a bad drive?  Or, does it
 just need fsck run on it?  I just installed openbsd 4.0
 on this box a few days ago.  It rebuilt the file systems
 from scratch.  Do I need to redo everything?
 
 Or, do I need to start looking at hardware problems with
 the drive or the motherboard?
 
 Please let me know the next step to run that will help
 me get to a stable system.

I tried viewing the file in error.  I could run ls, but
not ls -l.
I went into single user mode and fscked the file system.
I removed the file.  I did not get the inode or anything else
before removing it.

I tried running the copy source command.
  cd /usr/src; tar xzf /mnt/src.tar.gz
Another panic.

panic #3:
-
mode = 0100644, inum = 106368, fs = /usr
panic: ffs_valloc: dup alloc
Stopped at  Debugger+0x4:   leave   
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb>
Debugger(d0716864,5080,e9e21b40,d6bb671c,d1265000) at Debugger+0x4
panic(d06736fc,81a4,19f80,d12650d4,d1267e00) at panic+0x63
ffs_inode_alloc(d6ab69dc,81a4,d6c141e0,e9e21b94) at ffs_inode_alloc+0x11b
ufs_makeinode(81a4,d6ab8ea0,e9e21e28,e9e21e3c) at ufs_makeinode+0x78
ufs_create(e9e21d08,d6ab8ea0,d6b33710,d6c141e0,d07171c0) at ufs_create+0x26
VOP_CREATE(d6ab8ea0,e9e21e28,e9e21e3c,e9e21d58) at VOP_CREATE+0x34
vn_open(e9e21e18,e02,1a4,d6b33710) at vn_open+0xdf
sys_open(d6b33710,e9e21f68,e9e21f58,0,0) at sys_open+0xdb
syscall() at syscall+0x2ea
--- syscall (number 5) ---
0x1c00e3e1:
ddb>
   PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
 15475  20392  20392      0  3      0x4086  pipewr     gzip
*20392   2075  20392      0  7      0x4006             tar
 20997  15943  20997   1000  3      0x4086  ttyin      csh
 15943   9609   9609   1000  3       0x184  select     sshd
  9609  14206   9609      0  3      0x4084  netio      sshd
 14658      1  14658      0  3      0x4086  ttyin      getty
  4737      1   4737      0  3      0x4086  ttyin      getty
 13556      1  13556      0  3      0x4086  ttyin      getty
 30631      1  30631      0  3      0x4086  ttyin      getty
  2075      1   2075   1000  3      0x4086  pause      csh
  6223      1   6223      0  3        0x84  select     cron
 14206      1  14206      0  3        0x84  select     sshd
 14369  24346  24346     83  3       0x184  poll       ntpd
 24346      1  24346      0  3        0x84  poll       ntpd
  1115   7685   7685     73  2       0x184             syslogd
  7685      1   7685      0  3        0x8c  netio      syslogd
    13      0      0      0  3    0x100204  crypto_wa  crypto
    12      0      0      0  3    0x100204  aiodoned   aiodoned
    11      0      0      0  3    0x100204  syncer     update
    10      0      0      0  3    0x100204  cleaner    cleaner
     9      0      0      0  3    0x100204  reaper     reaper
     8      0      0      0  3    0x100204  pgdaemon   pagedaemon
     7      0      0      0  3    0x100204  pftm       pfpurge
     6      0      0      0  3    0x100204  wait       wskbd_hotkey
     5      0      0      0  3    0x100204  usbtsk     usbtask
     4      0      0      0  3    0x100204  usbevt     usb0
     3      0      0      0  3    0x100204  apmev      apm0
     2      0      0      0  3    0x100204  kmalloc    kmthread
     1      0      1      0  3      0x4084  wait       init
     0     -1      0      0  3     0x80204  scheduler  swapper
ddb>
-

So, back to my real question.
Does this indicate a bad drive?
Does this indicate a bad cable?
Do I need to start swapping out parts to see where the problem is?
Or, is there somewhere else I should be looking?

Thanks in advance for any pointers.

JohnM





 panic #1:
 -
 panic: kernel diagnostic assertion "(dirblock < dh->dh_nblk && 
 dh->dh_blkfree[dirblock] >= (((slotneeded) + ((4) - 1)) / (4)))" failed: file
 "/usr/src/sys/ufs/ufs/ufs_dirhash.c", line 510

 panic #2:
 -
 panic: ufsdirhash_findslot: 'crash66.C' not found

 dmesg:
 -
 OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: AMD Duron(tm) Processor (AuthenticAMD 686-class, 64KB L2 cache) 1.21
 GHz
 cpu0:
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,S
 SE
 real mem  = 528052224 (515676K)
 avail mem = 473726976 (462624K)
 using 4256 buffers containing 26505216 bytes (25884K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+(00) BIOS, date 02/08/02, BIOS32 rev. 0 @ 0xfdb30,
 SMBIOS rev. 2.3 @ 0xf0630 (24 entries)
 bios0: ECS M821LR
 apm0 at bios0: Power Management spec V1.2
 apm0: AC on, battery charge 

Re: login and password

2007-05-04 Thread Christopher Linn
On Fri, 04 May 2007 12:11:09 -0500, L. V. Lammert wrote:
 At 09:49 AM 5/4/2007 -0700, bubka20 wrote:
 I received the congratulations message that openbsd was installed.  Upon
 rebooting I see openbsd/i386 (puffy) (tty0) and I am prompted for login: and
 password:  How do I find out my login and password? ... thanks
  
 What root password did you enter at installation?
  
 Lee

DO NOT send your password to the list, or anywhere else.

during the install you were prompted to enter a password.
you had to enter it twice, to make sure you didn't make any 
mistakes.  your login is root, and the password you set 
is the one you want.

chris

-- 
Christopher Linn celinn at mtu.edu  | By no means shall either the CEC
System Administrator II   | or MTU be held in any way liable
  Center for Experimental Computation | for any opinions or conjecture I
Michigan Technological University | hold to or imply to hold herein.



Upgrade 4.0 -> 4.1 / files gone

2007-05-04 Thread Frank Bax
During audit of upgrade from 4.0 to 4.1, I notice that a couple of files 
that were in etc40.tgz have been removed from etc41.tgz

/.profile
/.cshrc
Does this mean we should all delete these files from our systems?  If yes, 
should this be mentioned in upgrade41.html?




Re: Machine freezes from invalid Ethernet packets

2007-05-04 Thread Open Phugu

On 5/4/07, Karel Kulhavy [EMAIL PROTECTED] wrote:

Hello

I connected a 10Mbps free space optics link to a 10Mbps hub to which OpenBSD
4.0 machine (Dell Inspiron 510m) was connected. The link had probably bad
signal because on the Dell directly (i. e. in the NIC) I could receive the RTP
that was transmitted through the link, but another device couldn't, a switch
wouldn't broadcast it (even when it were IP/Ethernet broadcast) and the hub was
flashing traffic only on the LED where it was connected and not the other ones
(so it probably thought the traffic is damaged and not worth, though it didn't
report any collisions).

After a while observing nonsensical Ethernet frames with nonsensical protocol
fields in Wireshark (which went away when I shielded away the carrier beam) I

Do you still have the packets? If you do, can you replay them and see
if the crash
happens.



Re: OpenBSD 4.1 Torrents

2007-05-04 Thread Open Phugu

On 5/4/07, John Fiore [EMAIL PROTECTED] wrote:

 Speaking of this, when will the OpenBSD project begin to post SHA256
 hashes
 to the ftp sites. MD5 is dead: these two files are different and yet
 have the same
 MD5 hash.
 http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
 http://www.cits.rub.de/imperia/md/content/magnus/order.ps


Great.  Could you please show me the link to files that have the same length
and MD5 as those in the 4.1 release?


That means nothing. If the OpenBSD project used a CRC16 to verify integrity,
your argument would still hold. What matters is the ease of finding
colliding files.
While finding a file that has the same MD5 as an official file is
hard, it seems
ridiculous, to trust the security of downloaded files using an
algorithm that is
known to be insecure. From a project that has always placed security before
everything, I do not understand the motivation behind not using a secure
algorithm such as SHA-256 or SHA-512.



Re: nonsense from OBSD 4.0 ping

2007-05-04 Thread Otto Moerbeek
On Fri, 4 May 2007, Karel Kulhavy wrote:

 I have the OpenBSD 4.0 ping and it wrote this:
 
 64 bytes from 192.168.2.215: icmp_seq=3029 ttl=64 time=6.057 ms
 64 bytes from 192.168.2.215: icmp_seq=3035 ttl=64 time=44.108 ms
 64 bytes from 192.168.2.215: icmp_seq=3036 ttl=64 time=-994831.-515 ms
^
 Parse error: minus sign not allowed between decimal dot and the decimal part.

You get no cookie for not including your dmesg. 

There have been various fixes since 4.0 to timekeeping, especially on
amd64 in the MP case. One symptom was that time could go backwards in
some cases. Probably you are seeing that.

-Otto



Re: load balance and redundancy 2 ISP's

2007-05-04 Thread kintaro oe
By the way guys, this is the diagram that I want to implement:

                 PF/Firewall/NAT
               |-----------------|
isp1 ----------|xl0              |
               |              rl0|-------- Internal Network 192.x.x.x
isp2 ----------|xl1              |
               |-----------------|

Thanks!

kintaro oe [EMAIL PROTECTED] wrote: Hi All,

I'm setting up a firewall/PF/NAT box for a company. we subscribe 2 E1's for our 
internet for redundancy. So basically what I want is to do load balance this 2 
E1 internet and will be also become redundancy if one isp will go down. I read 
up in google and I see a syntax about round-robin. Could any one give me an 
advice how to setup for load balance and redundancy? 

I've also read about OpenBGP but can't understand how it works. I can't picture 
out how to implement OpenBGP. Thanks!



cheers,

kintaro Oe



cheers,

kintaro Oe



R: login and password

2007-05-04 Thread dast
You'll learn more, better and faster reading the very good on-line documentation;
take a look at www.openbsd.org.

Something tells me that you are trying to install and use openbsd without first
learning how to do it; it's like trying to build a small jet and then trying to fly
without gasoline,
that's not so easy.

However, you were asked for root's (super user, administrator) password during
install.
Login with root and the password you typed..
Hi

-Original message-

From: bubka20 [EMAIL PROTECTED]
Subject:  login and password
   Date: Fri 4 May 2007 18.49
Size:  388 byte
To:  misc@openbsd.org

I received the congratulations message that openbsd was installed.  Upon
rebooting I see openbsd/i386 (puffy) (tty0) and I am prompted for login: and
password:  How do I find out my login and password? ... thanks




Re: dmesg output Sun Fire 4200

2007-05-04 Thread Daniel Ouellet

Marco Peereboom wrote:

I have never tried that actually.  Whenever I get to it I'll let you
know.


That would be great if possible. The sale on these babies from Sun ends on 
May 7 and I got so used to loving the LOM that I try to only get Sun 
because of it. Moving bsd.rd from the new release to /bsd and doing a 
fresh new install remotely from the comfort of my house on tons of 
servers is something I got to love.




Re: OpenBSD 4.1 Torrents

2007-05-04 Thread John Fiore
  Great.  Could you please show me the link to files that have the same
 length
  and MD5 as those in the 4.1 release?

 That means nothing. If the OpenBSD project used a CRC16 to verify
 integrity,
 your argument would still hold.


I wasn't aware that I made an argument.  I simply asked a question, and the
reason why you're unable to answer the question is that it is still hard to
find collisions to the files in the 4.1 release in a way that it is not hard
to find collisions in .exe's, scripts, postscript documents (which are
themselves code to be interpreted by printers), etc.

everything, I do not understand the motivation behind not using a secure
 algorithm such as SHA-256 or SHA-512.


Your point is taken, however, can you illustrate the threat against which
the stronger hash is to protect?  If the threat is that someone will
redirect you to a fake openbsd.org (through DNS cache poisoning, etc.), the
stronger hash offers no protection.  If there's a man in the middle, it
similarly offers you no more protection, and the same is true if someone
manages to hack openbsd.org and upload different binaries.

I agree that there are stronger cryptographic hashes, but should they really
make you sleep better at night?

You used phrases such as "known to be insecure" and "MD5 is dead".  My
question is "dead for what purpose?".  MD4 is certainly more insecure than
MD5, yet I suspect that many of us use rsync daily and don't give it another
thought.



Re: OpenBSD 4.1 Torrents

2007-05-04 Thread STeve Andre'
On Friday 04 May 2007 13:46:12 Open Phugu wrote:
 On 5/4/07, John Fiore [EMAIL PROTECTED] wrote:
   Speaking of this, when will the OpenBSD project begin to post SHA256
   hashes
   to the ftp sites. MD5 is dead: these two files are different and yet
   have the same
   MD5 hash.
   http://www.cits.rub.de/imperia/md/content/magnus/letter_of_rec.ps
   http://www.cits.rub.de/imperia/md/content/magnus/order.ps
 
  Great.  Could you please show me the link to files that have the same
  length and MD5 as those in the 4.1 release?

 That means nothing. If the OpenBSD project used a CRC16 to verify
 integrity, your argument would still hold. What matters is the ease of
 finding colliding files.
 While finding a file that has the same MD5 as an official file is
 hard, it seems
 ridiculous, to trust the security of downloaded files using an
 algorithm that is
 known to be insecure. From a project that has always placed security before
 everything, I do not understand the motivation behind not using a secure
 algorithm such as SHA-256 or SHA-512.

Um, can you cite a single *real world* example of where md5 sums
have been co-opted in any way?  Yes, md5 now has a weakness, but
really, are there any cases of anyone having actually exploited it?

Note that the ports are using better hashes for 4.1-current.  I'll bet
that the 4.2 release will too, because it's the right thing to do,
but it isn't a flaming emergency.

I'm not an expert on this, but I do read.  Enlightenment is encouraged
if I'm missing something here.

--STeve Andre'



Re: login and password

2007-05-04 Thread bubka20
thanks for the help everyone ...   

bubka20 wrote:
 
 I received the congratulations message that openbsd was installed.  Upon
 rebooting I see openbsd/i386 (puffy) (tty0) and I am prompted for login:
 and password:  How do I find out my login and password? ... thanks
 
 




[patch] addition to calendar.music

2007-05-04 Thread Matthew Clarke
Index: usr.bin/calendar/calendars/calendar.music
===
RCS file: /cvs/src/usr.bin/calendar/calendars/calendar.music,v
retrieving revision 1.20
diff -u -r1.20 calendar.music
--- usr.bin/calendar/calendars/calendar.music   27 Jun 2006 14:52:49 -  
1.20
+++ usr.bin/calendar/calendars/calendar.music   4 May 2007 20:32:25 -
@@ -349,6 +349,7 @@
 09/04  Darius Milhaud is born in Aix-en-Provence, France, 1892
 09/06  Hanns Eisler dies in East Berlin, 1962
 09/07  Keith Moon (The Who) dies in London of a drug overdose, 1978
+09/07  Warren Zevon dies in Los Angeles, California, 2003
 09/08  Anton Dvorak is born in Nelahozeves, Czechoslovakia, 1841
 09/08  Ron Pigpen McKernan (Grateful Dead) is born in San Bruno,
California, 1945
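Review bot: the mail client has wrapped two lines of this diff, so it will not apply with patch(1) as posted: the `---` header has its revision (`1.20`) pushed onto its own line, and the last context line `09/08  Ron Pigpen McKernan (Grateful Dead) is born in San Bruno,` continues on a separate `California, 1945` line without a leading space. Please resend with line wrapping disabled or as an attachment. The added `09/07  Warren Zevon dies in Los Angeles, California, 2003` line itself follows the file's `MM/DD<tab>event, year` format and is placed in date order after the other 09/07 entry.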

-- 
Perfection [in design] is achieved not when there is nothing left to add,
but rather when there is nothing left to take away.
-- Antoine de Saint-Exupery



New Samba 3.0x on OpenBSD 4.x

2007-05-04 Thread Tim Judd
Hello list,

I'm subscribed to the digest, so I don't reply unless I see a posting
in the next day.  I would reply to privmsgs though.

I'm trying to set up an OpenBSD box to provide user logins domain
membership with samba 3.0.24-main (via packages).  I configure it like
I have configured samba in the past, but something is new, different.

When I try to obtain the current mapping of NTGROUPS to UNIXGROUPS via
net groupmap list -- all I get is my prompt back, not even a blank
line.  It's as if there are no groups defined.  But shouldn't a group
be defined for example, Domain Admins, or Users, etc?  Maybe not mapped
right, but defined..  I'm not able to find anything via google with the
search terms I'm trying.  And I would appreciate any help.

CC me for a quicker response. :)  thanks.

If opportunity doesn't knock, build a door.
I can is a way of life.
More and Bigger is not always Better.
The road to success is always uphill.



Re: load balance and redundancy 2 ISP's

2007-05-04 Thread Renaud Allard
kintaro oe wrote:
 By the way guys, this is the diagram that I want to implement:
 
                  PF/Firewall/NAT
                |-----------------|
 isp1 ----------|xl0              |
                |              rl0|-------- Internal Network 192.x.x.x
 isp2 ----------|xl1              |
                |-----------------|
 
 Thanks!
 
 kintaro oe [EMAIL PROTECTED] wrote: Hi All,
 
 I'm setting up a firewall/PF/NAT box for a company. we subscribe 2 E1's for 
 our internet for redundancy. So basically what I want is to do load balance 
 this 2 E1 internet and will be also become redundancy if one isp will go 
 down. I read up in google and I see a syntax about round-robin. Could any one 
 give me an advice how to setup for load balance and redundancy? 
 
 I've also read about OpenBGP but can't understand how it works. I can't 
 picture out how to implement OpenBGP. Thanks!
 
 

Did you read http://www.openbsd.org/faq/pf/pools.html#outgoing ?



Re: Upgrade 4.0 -> 4.1 / files gone

2007-05-04 Thread Frank Bax

At 02:09 PM 5/4/07, Matthias Kilian wrote:


On Fri, May 04, 2007 at 12:57:14PM -0400, Frank Bax wrote:
 During audit of upgrade from 4.0 to 4.1, I notice that a couple of files
 that were in etc40.tgz have been removed from etc41.tgz
   /.profile
   /.cshrc

huh?

$ tar tfz etc41.tgz|sed 2q
./.cshrc
./.profile

Where did you get your install sets from?



Bizarre.  I extracted files again from the exact same etc41.tgz (copied 
from cdrom a few days ago) and got my two missing files, plus 
/etc/mail/spamd.conf which was also missing from first extract.  All 
working well now. 



panic in netboot for soekris 4801

2007-05-04 Thread Peter Hessler
I have a soekris 4801 that I am trying to reinstall.  It boots an older 
-current just fine, but I need to replace the drive as well.  When I 
pxeboot 4.1-release, or the latest snapshot, I get the same error.  
Dmesg (via script) included.


POST: 0123456789bcefghipajklnoq,,,tvwxy 
comBIOS ver. 1.24  20040312  Copyright (C) 2000-2004 Soekris 
Engineering. 

net4801 

 CPU Geode 266 Mhz   Mbyte 
Memory 0128 
 
Pri Mas  GS-Magicstor 1022C  LBA Xlt 520-128-63  2097 Mbyte 
 
PXE-M00: BootManage UNDI, PXE-2.0 (build 082) 
 
Slot   Vend Dev  ClassRev Cmd  Stat CL LT HT  Base1Base2   Int  
--- 
0:00:0 1078 0001 0600 0107 0280 00 00 00   00 
0:06:0 100B 0020 0200 0107 0290 00 3F 00 E101 A000 10 
0:07:0 100B 0020 0200 0107 0290 00 3F 00 E201 A0001000 10 
0:08:0 100B 0020 0200 0107 0290 00 3F 00 E301 A0002000 10 
0:18:2 100B 0502 01018001 0005 0280 00 00 00   00 
0:19:0 0E11 A0F8 0C031008 0117 0280 08 38 00 A0003000  11 
 

comBIOS Monitor.   Press ? for help. 
 
 boot F0 
 
BootManage UNDI, PXE-2.0 (build 082) 
BootManage PXE-2.0 PROM 1.0, NATSEC 1.0, SDK 3.0/082 (OEM52) 
Copyright (C) 1989,2000 bootix Technology GmbH, D-41466 Neuss. 
PXE Software Copyright (C) 1997, 1998, 1999, 2000 Intel Corporation. 
Licensed to National Semiconductor 
 
CLIENT MAC ADDR: 00 00 24 C2 4A 24.
DHCP. CLIENT IP: 209.204.157.106  MASK: 255.255.255.240  DHCP IP: 
209.204.157.98 
GATEWAY IP: 209.204.157.98  
TFTP.
TFTP.|probing: pc0 com0 com1 pci pxe![2.1] mem[639K 127M a20=on] 
 disk: hd0+
 net: mac 00:00:24:c2:4a:24, ip 209.204.157.106, server 209.204.157.98
  OpenBSD/i386 PXEBOOT 1.12
 switching console to com0
  OpenBSD/i386 PXEBOOT 1.12
 
 com0: 9600 baud
 booting tftp:bsd.rd: | 4704852+742904 [52+173344+158814]=0x583374
 entry point at 0x200120J
 Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
 Copyright (c) 1995-2007 OpenBSD. All rights reserved.  
http://www.OpenBSD.org
 
 OpenBSD 4.1-current (RAMDISK_CD) #314: Fri May  4 02:51:50 MDT 2007
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
 cpu0: Geode(TM) Integrated Processor by National Semi (Geode by NSC 
586-class) 267 MHz
 cpu0: FPU,TSC,MSR,CX8,CMOV,MMX
 cpu0: TSC disabled
 real mem  = 133787648 (130652K)
 avail mem = 115912704 (113196K)
 using 1663 buffers containing 6811648 bytes (6652K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+ BIOS, date 20/40/12, BIOS32 rev. 0 @ 0xf7840
 pcibios0 at bios0: rev 2.0 @ 0xf/0x1
 pcibios0: pcibios_get_intr_routing - function not supported
 pcibios0: PCI IRQ Routing information unavailable.
 pcibios0: PCI bus #0 is the last bus
 bios0: ROM list: 0xc8000/0xa000
 cpu0 at mainbus0
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 pchb0 at pci0 dev 0 function 0 Cyrix GXm PCI rev 0x00
 sis0 at pci0 dev 6 function 0 NS DP83815 10/100 rev 0x00, DP83816A: 
irq 10, address 00:00:24:c2:4a:24
 nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
 sis1 at pci0 dev 7 function 0 NS DP83815 10/100 rev 0x00, DP83816A: 
irq 10, address 00:00:24:c2:4a:25
 nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
 sis2 at pci0 dev 8 function 0 NS DP83815 10/100 rev 0x00, DP83816A: 
irq 10, address 00:00:24:c2:4a:26
 nsphyter2 at sis2 phy 0: DP83815 10/100 PHY, rev. 1
 gscpcib0 at pci0 dev 18 function 0 NS SC1100 ISA rev 0x00
 NS SC1100 SMI rev 0x00 at pci0 dev 18 function 1 not configured
 pciide0 at pci0 dev 18 function 2 NS SCx200 IDE rev 0x01: DMA, 
channel 0 wired to compatibility, channel 1 wired to compatibility
 wd0 at pciide0 channel 0 drive 0: GS-Magicstor 1022C 23080803
 wd0: 16-sector PIO, LBA, 2047MB, 4194126 sectors
 wd0(pciide0:0:0): using PIO mode 3
 geodesc0 at pci0 dev 18 function 5 NS SC1100 X-Bus rev 0x00: iid 6 
revision 3 wdstatus 0
 ohci0 at pci0 dev 19 function 0 Compaq USB OpenHost rev 0x08: irq 11, 
version 1.0, legacy support
 isa0 at gscpcib0
 isadma0 at isa0
 pckbc0 at isa0 port 0x60/5
 pckbd0 at pckbc0 (kbd slot)
 pckbc0: using irq 1 for kbd slot
 wskbd0 at pckbd0: console keyboard
 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
 pccom0: console
 pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
 usb0 at ohci0: USB revision 1.0
 uhub0 at usb0
 uhub0: Compaq OHCI root hub, rev 1.00/1.00, addr 1
 uhub0: 3 ports with 3 removable, self powered
 biomask fbe5 netmask ffe5 ttymask ffe7
 rd0: fixed, 3800 blocks
 dkcsum: wd0 matches BIOS drive 0x80
 PXE boot MAC address 00:00:24:c2:4a:24, interface sis0
 uvm_fault(0xd0697240, 0x0, 0, 1) - e
 fatal page fault (6) in supervisor mode
 trap type 6 code 0 eip d02b2321 cs d02f0008 eflags 10246 cr2 30 cpl 0
 panic: trap type 6, code=0, pc=d02b2321
 syncing disks... done
 rebooting...



Re: OpenBSD 4.1 Torrents

2007-05-04 Thread Open Phugu

On 5/4/07, John Fiore [EMAIL PROTECTED] wrote:

Your point is taken, however, can you illustrate the threat against which
the stronger hash is to protect?  If the threat is that someone will
redirect you to a fake openbsd.org (through DNS cache poisoning, etc.), the
stronger hash offers no protection.  If there's a man in the middle, it
similarly offers you no more protection, and the same is true if someone
manages to hack openbsd.org and upload different binaries.

You are completely correct. A stronger hash will do nothing against such an
attack. However, my argument was that since attacks on MD5 will just be
easier as cryptanalytic techniques improve and CPU time becomes cheaper,
it makes no sense to keep using it when stronger hashes are available.



rdr on bridge interface possible? (squid transparent proxy on bridge)

2007-05-04 Thread Steve Williams

Hi,

I have googled with no success, read all the relevant man pages I could 
also with no success.


I have an OpenBSD 4.1 box configured as a bridge.  It is working 100%.  
I have a few monitoring programs (pmacct)  feeding to some analysis 
tools ( flox, pnrg ).  It's also running symon, symux, syweb.  I'm very 
pleased with the config so far.


I now would like to throw squid into the mix acting as a transparent 
proxy.  I have the squid-transparent port installed.  If I change the 
box from a bridge to a router doing NAT, the transparent proxy works 
100%.  I can also hit the box on 3128 and access the Internet (even in 
bridge mode).  However, I want the installation of this system to be 
non-intrusive.  To run as a router, it needs to be the default gateway 
of all the systems, and that amount of change for a transient analysis 
tool is not acceptable.


I have tried everything I can think of to get this to work in bridge 
mode to no avail.


I have net.inet.ip.forwarding=1.  I have pf=YES in /etc/rc.conf.local.  
I have the default route to be the network default gateway and DNS is 
working on the OpenBSD box.


I have put an IP address on the external (router facing) NIC and told 
Squid to listen to it.  Configuring my browser to use that IP address as 
a proxy works 100%.


I was thinking that a rule like below should work:

rdr on $int_if inet proto tcp from any to any port www tag SQUID -> \
10.5.2.143 port 3128


int_if has no ip address.  10.5.2.143 is the IP address assigned on the 
external interface.  My reasoning was that this would conceptually 
route the packet across the 2 interfaces, coming in on the internal and 
going out on the external.  Doing a tcpdump on the int_if I can see the 
packet arriving with a destination port 80.  Doing a tcpdump on the 
ext_if, I can see the packet arriving with a destination port of 3128.  
Squid never sees the packet...or maybe it does, but it does not log 
anything.  I'm completely at a loss, as the squid itself is working 
properly if I can just get the packets to it!


I have tried most combinations of IP address on inside interface, 
outside interface, redirecting to inside, outside, localhost, etc. to no 
avail.


I'm beginning to wonder if rdr is even possible on a bridge interface.  I 
have not been able to find a complete list of commands available to the 
brconfig (eg: brconfig bridge0 rule pass in on fxp0 src 9:8:7:6:5:4 tag 
boss)


I cannot believe that at the bridge level (ethernet) I have access to 
any ip information (eg: port), so I can't tag at the bridge level for 
processing in pf.  Any attempts I made to specify that type of 
information with the brconfig command failed.


Can anyone shed any light?

And no, no packets should be getting blocked as I have 2 rules,

pass in all keep state
pass out all keep state

Thanks,
Steve Williams



load balance and redundancy 2 ISP's

2007-05-04 Thread kintaro oe
Hi All,

I'm setting up a firewall/PF/NAT box for a company. we subscribe 2 E1's for our 
internet for redundancy. So basically what I want is to do load balance this 2 
E1 internet and will be also become redundancy if one isp will go down. I read 
up in google and I see a syntax about round-robin. Could any one give me an 
advice how to setup for load balance and redundancy? 

I've also read about OpenBGP but can't understand how it works. I can't picture 
out how to implement OpenBGP. Thanks!



cheers,

kintaro Oe
  
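The round-robin setup kintaro is asking about is the one described in the FAQ section Renaud points to (pools.html#outgoing); below it is mapped onto the xl0/xl1/rl0 layout from kintaro's diagram. This is an added example, not a ruleset from the original thread; the gateway addresses and the LAN prefix are placeholders and the macro names are assumptions.

```pf
# Two upstream links (isp1 on xl0, isp2 on xl1) and the LAN on rl0,
# as in kintaro's diagram. Addresses below are placeholders.
int_if  = "rl0"
ext_if1 = "xl0"
ext_if2 = "xl1"
ext_gw1 = "192.0.2.1"       # placeholder: isp1 gateway
ext_gw2 = "198.51.100.1"    # placeholder: isp2 gateway
lan_net = "192.168.1.0/24"  # placeholder: internal 192.x.x.x network

# NAT outgoing connections to the address of whichever link they leave by
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Default deny in both directions; everything below is an explicit pass
block in  all
block out all

# Traffic to the LAN, and to the gateway itself from the LAN
pass out on $int_if from any to $lan_net
pass in quick on $int_if from $lan_net to $int_if

# Spread new TCP connections from the LAN across both links. route-to
# picks the link when the first packet arrives; the state entry then
# keeps the rest of the connection on that same link.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

# Same for UDP and ICMP
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

# Let the NATed packets leave on either link
pass out on $ext_if1 from any to any
pass out on $ext_if2 from any to any

# Packets sourced from one link's own address must leave via that link's
# gateway even when the default route points at the other link
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
```

Round-robin only spreads new connections; PF does not notice that a link is down, so for the redundancy part something outside PF, such as ifstated(8), has to take the dead gateway out of the pool.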



ACPI question and status request

2007-05-04 Thread Alexander Hall

Hello,

In order to have my laptop (Dell Inspiron 4100) not powerdown
immediately on pressing the power button, I recompiled the kernel with
ACPI_ENABLE. However, it does not shutdown the box, but rather makes the
button inactive (although it seems to locate it, according to the
dmesg).

Since I'm on a laptop, I'm also a bit worried about the cooling and
such, but with a quick while true; do done-test, the fans started
spinning when acpitz0.temp0 hit ~62 degC.

Before asking a lot of specific questions on a moving target, what's the
status of ACPI on OpenBSD, or where can I read about it (man pages
aside)? I guess http://www.disorder.ru/openbsd/acpi.html is quite
outdated.

Some of the questions I (think I) have:
- Would you describe ACPI on OpenBSD as experimental,
 decent or stable?
- Does ACPI_ENABLE mean shifting from legacy mode to full ACPI/OSPM
 mode?
- What can I expect to work or not work with/without ACPI_ENABLE?
- Why does the power button not work? :)
- Should I be worried about the cooling?

Kernel configuration file ACPI and dmesg follows. acpi and acpiec are
enabled post-build through config(8) in order to minimize the deviation
from GENERIC.

/Alexander

 ACPI 
# ACPI kernel, based on GENERIC

include arch/i386/conf/GENERIC

option  ACPIVERBOSE
option  ACPI_ENABLE


 dmesg 
OpenBSD 4.1-current (ACPI) #2: Fri May  4 22:58:36 CEST 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/ACPI
cpu0: Intel(R) Pentium(R) III Mobile CPU 866MHz (GenuineIntel 
686-class) 864 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

real mem  = 670474240 (654760K)
avail mem = 603484160 (589340K)
using 4278 buffers containing 33648640 bytes (32860K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 05/16/03, BIOS32 rev. 0 @ 0xffe90, 
SMBIOS rev. 2.3 @ 0xf76b0 (61 entries)

bios0: Dell Computer Corporation Inspiron 4100
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 97%
apm0: AC on, battery charge high, charging, estimated 1:34 hours
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfbb90/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371 ISA and IDE 
rev 0x00)

pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0x1
acpi0 at mainbus0: rev 0
acpi0: tables DSDT FACP
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpi device at acpi0 from table DSDT not configured
acpi device at acpi0 from table FACP not configured
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (AGP_)
acpiprt2 at acpi0: bus 2 (PCIE)
acpiprt3 at acpi0: bus 0 (MPCI)
acpicpu0 at acpi0: CPU0: 866, 667 MHz
acpitz0 at acpi0, critical temperature: 100 degC
acpiac0 at acpi0: AC unit online
acpibat0 at acpi0: BAT0: model: 0002M400 serial: 4940 type: LION oem: SANYO
acpibat1 at acpi0: BAT1: model: 0002M400 serial: 4943 type: LION oem: SANYO
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: PBTN
acpibtn2 at acpi0: SBTN
acpidock0 at acpi0: GDCK: not docked (0)
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82830MP CPU-I/O-1 rev 0x02
ppb0 at pci0 dev 1 function 0 Intel 82830MP CPU-AGP rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon Mobility M6 LY rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
uhci0 at pci0 dev 29 function 0 Intel 82801CA/CAM USB rev 0x01: irq 11
ppb1 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x41
pci2 at ppb1 bus 2
xl0 at pci2 dev 0 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 11, 
address 00:06:5b:36:f8:e1

exphy0 at xl0 phy 24: 3Com internal media interface
cbb0 at pci2 dev 1 function 0 TI PCI1420 CardBus rev 0x00: irq 11
cbb1 at pci2 dev 1 function 1 TI PCI1420 CardBus rev 0x00: irq 11
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 4 device 0 cacheline 0x8, lattimer 0x20
pcmcia0 at cardslot0
cardslot1 at cbb1 slot 1 flags 0
cardbus1 at cardslot1: bus 5 device 0 cacheline 0x8, lattimer 0x20
pcmcia1 at cardslot1
ichpcib0 at pci0 dev 31 function 0 Intel 82801CAM LPC rev 0x01
pciide0 at pci0 dev 31 function 1 Intel 82801CAM IDE rev 0x01: DMA, 
channel 0 configured to compatibility, channel 1 configured to compatibility

wd0 at pciide0 channel 0 drive 0: HITACHI_DK23CA-30
wd0: 16-sector PIO, LBA, 28615MB, 58605120 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
auich0 at pci0 dev 31 function 5 Intel 82801CA/CAM AC97 rev 0x01: irq 
11, ICH3 AC97

ac97: codec id 0x4352595b (Cirrus Logic CS4205 rev 3)
ac97: codec features mic channel, tone, simulated stereo, bass boost, 20 
bit DAC, 18 bit ADC, SRS 3D

audio0 at auich0
Intel 82801CA/CAM Modem rev 0x01 at pci0 dev 31 function 6 not configured
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 

OpenBSD on Sun T1

2007-05-04 Thread Daniel Ouellet

Hi,

I saw this part on the Interview on onlamp.com:

http://www.onlamp.com/pub/a/bsd/2007/05/03/openbsd-41-puffy-strikes-again.html



Do you plan to port OpenBSD to UltraSPARC T1 too?

Mark Kettenis: Eventually, yes. However since these machines have 
multi-core CPUs we cannot fully support them until we have sparc64 SMP 
support. So getting multi-processor support is higher on the priority 
list right now. We've received some hardware donations that will help.


Support for the new PCIe-based machines is already working though, and 
will appear in OpenBSD 4.2.




Is that for real?

I am only asking as, if that really was going to happen and someone is 
really interested and working on it to make that real, and also if more 
hardware would help this, I would be willing to get one unit to a dev 
that would actually make that happen for real in a decent time frame. 
Obviously I would love it if others would step in to help pay for one, but 
if not, then so be it. However, time is of the essence as well here for me 
anyway, as the cost is lower now.


There is a special from Sun that end May 7, so I could get one unit from 
here:


http://www.sun.com/servers/coolthreads/t1000/index.xml

Obviously not the full blown one as I can't afford that, but the base 6 
core one that is in special now for $2,535, I could swing that if that's 
for real.


Need a quick answer however as the special ends on the 7 of this month.

If anyone is interested and Theo confirms that, I would swing it to make it 
happen. Feel free to contact me privately about this. As long as it is a 
place that Sun will ship directly to from the online order, I would do it.


I know for one, I would love to fully run OpenBSD on that box in a very 
stable fashion! (;


So, yes that's selfish as well of me to do that, but I know I can't make 
it happen code wise anyway.


If no interest, or time to do so, then sorry for the noise and just 
ignore this.


Best,

Daniel



Re: 4.1 Packages Page

2007-05-04 Thread Steve Fairhead
Djgoku he say:
 http://www.openbsd.org/4.1_packages/
Gets a 404 error.
http://www.openbsd.org/4.0_packages/
Works fine. 

This appears to be normal procedure when a new release comes out. Give it a
few days, and it'll be fine. (He says, confidently.)

Steve
http://www.fivetrees.com



more dumb vlan questions

2007-05-04 Thread Jonathan Whiteman

Ok, so I'm hoping the answer to this question will complete my basic
understanding of vlan setups.  I have a system with the following
network device configurations:

-
hostname.dc0: up

hostname.vlan0: inet 172.17.1.1 255.255.255.0 172.17.1.255 vlan 512 
vlandev dc0 vlanprio 1


hostname.vlan1: inet 172.17.2.1 255.255.255.0 172.17.2.255 vlan 513 
vlandev dc0 vlanprio 2


hostname.vlan2: inet 172.17.3.1 255.255.255.0 172.17.3.255 vlan 514 
vlandev dc0 vlanprio 3


hostname.vlan3: inet 172.17.4.1 255.255.255.0 172.17.4.255 vlan 515 
vlandev dc0 vlanprio 4

-

Now, in order to get hosts plugged into the switch that attaches to
dc0 to see their respective vlan device as a gateway they all have to
be configured with a vlan device as well, or else the switch itself has
to support vlans in hardware?  Or is there a way to do this with packet
filter so that neither the hosts nor the switch require a special
configuration?

Sorry I feel really dumb for not being able to figure this out from
the existing documentation.  Perhaps I've missed out on some of it?



Re: more dumb vlan questions

2007-05-04 Thread Jason Dixon

Jonathan Whiteman wrote:

> Ok, so I'm hoping the answer to this question will complete my basic
> understanding of vlan setups.  I have a system with the following
> network device configurations:
>
> -
> hostname.dc0: up
>
> hostname.vlan0: inet 172.17.1.1 255.255.255.0 172.17.1.255 vlan 512
> vlandev dc0 vlanprio 1
>
>
> hostname.vlan1: inet 172.17.2.1 255.255.255.0 172.17.2.255 vlan 513
> vlandev dc0 vlanprio 2
>
>
> hostname.vlan2: inet 172.17.3.1 255.255.255.0 172.17.3.255 vlan 514
> vlandev dc0 vlanprio 3
>
>
> hostname.vlan3: inet 172.17.4.1 255.255.255.0 172.17.4.255 vlan 515
> vlandev dc0 vlanprio 4
>
> -
>
> Now, in order to get hosts plugged into the switch that attaches to
> dc0 to see their respective vlan device as a gateway they all have to
> be configured with a vlan device as well, or else the switch itself has
> to support vlans in hardware?  Or is there a way to do this with packet
> filter so that neither the hosts nor the switch require a special
> configuration?


Each switch port connecting to a host on one of your VLANs must be 
configured for that VLAN.  In Cisco-speak, the host ports will be in 
access mode (untagged).  The port connected to your router/firewall 
should tag all packets with the VLAN information.  This allows your 
router to determine which vlan interface the packets belong to.


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
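To make the tagging mechanism Jason describes concrete, here is an added Python example (not code from either post). It models what the router does with a frame arriving on dc0: an 802.1Q tag carries a 12-bit VLAN ID and a 3-bit priority, the kernel hands a tagged frame to the vlan(4) child configured with that ID, and an untagged frame stays on the parent. The VLAN IDs and vlanprio values are taken from Jonathan's hostname.vlanN files; the MAC addresses and payloads are constructed sample data, and the delivery behaviour for an unknown VID (not delivered to any interface) is stated as an assumption for the model.

```python
"""Added example: 802.1Q tag handling for the vlan(4) setup in the thread.

Not code from the original posts. VIDs 512-515 and the vlanprio values come from
Jonathan's hostname.vlanN files; MAC addresses and payloads are constructed.
"""
import struct

TPID_8021Q = 0x8100      # EtherType that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

# vlan ID -> (child interface, vlanprio) as configured on the parent dc0
VLAN_TABLE = {
    512: ("vlan0", 1),
    513: ("vlan1", 2),
    514: ("vlan2", 3),
    515: ("vlan3", 4),
}
PARENT_IF = "dc0"


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vid=None, prio=0):
    """Ethernet frame, optionally tagged: TPID, TCI (prio<<13 | vid), inner EtherType."""
    hdr = _mac(dst) + _mac(src)
    if vid is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = ((prio & 0x7) << 13) | (vid & 0x0FFF)
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return vid/prio (None when untagged), the real EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("short Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"vid": None, "prio": None, "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return {"vid": tci & 0x0FFF, "prio": tci >> 13, "ethertype": inner, "payload": frame[18:]}


def ingress_interface(frame):
    """Interface that receives a frame arriving on dc0.

    Untagged frames stay on the parent; tagged frames go to the vlan child with
    that VID. A VID with no child is modelled as not delivered (None), which is
    the symptom when the switch's trunk port and the router disagree on VIDs
    (assumption of this model, not a statement from the thread).
    """
    parsed = parse_frame(frame)
    if parsed["vid"] is None:
        return PARENT_IF
    entry = VLAN_TABLE.get(parsed["vid"])
    return entry[0] if entry else None


def egress_frame(ifname, dst, src, ethertype, payload):
    """Frame the router emits from a vlan child: tagged with its VID and vlanprio.

    The switch's tagged port accepts this; the access (untagged) port facing the
    host strips the tag, so the host never needs a vlan device of its own.
    """
    for vid, (name, prio) in VLAN_TABLE.items():
        if name == ifname:
            return build_frame(dst, src, ethertype, payload, vid=vid, prio=prio)
    raise KeyError(ifname)


if __name__ == "__main__":
    # constructed sample: a host on VLAN 513's access port talks to the router;
    # the switch adds the tag on the trunk port toward dc0
    host_frame = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02",
                             ETHERTYPE_IPV4, b"ip-payload", vid=513)
    print(ingress_interface(host_frame))
    reply = egress_frame("vlan1", "00:00:5e:00:53:02", "00:00:5e:00:53:01",
                         ETHERTYPE_IPV4, b"reply")
    print(parse_frame(reply))
```

The two functions together show the answer to the original question: the hosts send plain frames, the switch port facing each host is an untagged member of one VLAN, and only the port toward dc0 carries tags, which is the only thing the router's vlan children can key on. pf never sees a VID it could use to invent that separation on an untagged link.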



Re: malo driver

2007-05-04 Thread Default User
On Thu, 2007-05-03 at 23:52 -0400, Jean Raby wrote:
> On 5/3/07, Default User [EMAIL PROTECTED] wrote:
> > According to http://openbsd.org/i386.html#hardware the Netgear WG511v2
> > Wireless PC card should work, using the malo driver:
> >
> > Marvell Libertas IEEE 802.11b/g CardBus adapters (malo), including: (G)
> > Netgear WG511v2
> >
> > But on a laptop with OpenBSD 4.1, the card was not (apparently)
> > recognized, nor did the malo driver seem to load.
> >
> > This same system recognizes a Netgear MA111 v1 usb wireless adapter,
> > automatically loading the wi driver, and the whole system was installed
> > by network that way, with no wired ethernet connection needed.
> >
> > So, does the malo driver need to be loaded manually, and is it even on
> > the OpenBSD 4.1 network install cd (from cd41.iso)?
> >
>
> From what I can see, malo is only enabled in GENERIC not in
> RAMDISK_CD, at least on i386.
>
> Could you provide a dmesg?
>
> --
> Jean



Sure, here it is:

OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) M processor 1400MHz (GenuineIntel 686-class)
1.40 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF
real mem  = 2112319488 (2062812K)
avail mem = 1920548864 (1875536K)
using 4278 buffers containing 105738240 bytes (103260K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 09/03/04, BIOS32 rev. 0 @ 0xfd6f0,
SMBIOS rev. 2.31 @ 0xd6010 (31 entries)
bios0: TOSHIBA Satellite M35X
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd6f0/0x910
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf10/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev
0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xd000! 0xcd000/0x1000 0xd6000/0x800!
0xe/0x4000!
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82852GM Hub-PCI rev 0x02
Intel 82852GM Memory rev 0x02 at pci0 dev 0 function 1 not configured
Intel 82852GM Configuration rev 0x02 at pci0 dev 0 function 3 not
configured
vga1 at pci0 dev 2 function 0 Intel 82852GM AGP rev 0x02: aperture at
0xe800, size 0x800
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Intel 82852GM AGP rev 0x02 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801DB USB rev 0x03: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801DB USB rev 0x03: irq 7
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801DB USB rev 0x03: irq 5
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801DB USB rev 0x03: irq 3
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb0 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x83
pci1 at ppb0 bus 1
VIA VT6306 FireWire rev 0x80 at pci1 dev 0 function 0 not configured
rl0 at pci1 dev 1 function 0 Realtek 8139 rev 0x10: irq 11, address 
SNIP 
rlphy0 at rl0 phy 0: RTL internal PHY
cbb0 at pci1 dev 4 function 0 ENE CB-1410 CardBus rev
0x01pci_intr_map: no mapping for pin A
: couldn't map interrupt
ichpcib0 at pci0 dev 31 function 0 Intel 82801DBM LPC rev 0x03
pciide0 at pci0 dev 31 function 1 Intel 82801DBM IDE rev 0x03: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: TOSHIBA MK4025GAS
wd0: 16-sector PIO, LBA, 38154MB, 78140160 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TOSHIBA, DVD-ROM SD-R2512, 1420 SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 Intel 82801DB SMBus rev 0x03: irq 11
iic0 at ichiic0
auich0 at pci0 dev 31 function 5 Intel 82801DB AC97 rev 0x03: irq 11,
ICH4 AC97
ac97: codec id 0x414c4752 (Avance Logic ALC250A?)
ac97: codec features headphone, 20 bit DAC, 18 bit ADC, No 3D Stereo
audio0 at auich0
Intel 82801DB Modem rev 0x03 at pci0 dev 31 function 6 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61

Re: : : HP ProLiant DL140 G3 problems

2007-05-04 Thread Steve Shockley

Raimo Niskanen wrote:

> Sorry, I can't make it work. For a DL140 G3 (or rather now a DL145 G3).
>
> I remember seeing something like that on a DL380, though.
>
> telnet machine gives a weird prompt /./ that has no help and only
> responds with command errors. There is also a HTTP server running
> at the address. But not ssh.


Ah, maybe, I seem to recall the DL 1xx servers didn't have all the 
management features.




Re: rdr on bridge interface possible? (squid transparent proxy on bridge)

2007-05-04 Thread Mark Pecaut

On 5/4/07, Steve Williams [EMAIL PROTECTED] wrote:

> I now would like to throw squid into the mix acting as a transparent
> proxy.  I have the squid-transparent port installed.  If I change the
>
> ...
>
> I have tried everything I can think of to get this to work in bridge
> mode to no avail.
>
> I have net.inet.ip.forwarding=1.  I have pf=YES in /etc/rc.conf.local.


http://marc.info/?l=openbsd-misc&m=108089194621750&w=2

so try

rdr on $int_if inet proto tcp from any to port www -> 127.0.0.1 port 3128
...
pass in on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128

I have it working here like this.  Also, you aren't doing IP
forwarding, so turn that off.  The bridge does not need it.

-Mark



Re: rdr on bridge interface possible? (squid transparent proxy on bridge)

2007-05-04 Thread Steve Williams

Mark Pecaut wrote:

> On 5/4/07, Steve Williams [EMAIL PROTECTED] wrote:
>
> > I now would like to throw squid into the mix acting as a transparent
> > proxy.  I have the squid-transparent port installed.  If I change the
> >
> > ...
> >
> > I have tried everything I can think of to get this to work in bridge
> > mode to no avail.
> >
> > I have net.inet.ip.forwarding=1.  I have pf=YES in /etc/rc.conf.local.
>
>
> http://marc.info/?l=openbsd-misc&m=108089194621750&w=2
>
> so try
>
> rdr on $int_if inet proto tcp from any to port www -> 127.0.0.1 port 3128
> ...
> pass in on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128
>
> I have it working here like this.  Also, you aren't doing IP
> forwarding, so turn that off.  The bridge does not need it.
>
> -Mark
Which interface do you have the IP address on?  Is it on the interface 
closest to the default gateway?


Thanks VERY much for your pointers.  I will try this ASAP.

Cheers,
Steve Williams



Re: Problem on installing OpenBSD - disks not found

2007-05-04 Thread Nick Holland
satimis wrote:
> Hi folks,
>
>
> Old P-II 350 box
> IWill motherboard support - ATA-33 HD
> Hot Rod ABit ATA-66 PCI Controller
> Maxtor HD - ATA-100 10G connected to above Controller
>
> OpenBSD 4.1 CD installer - burned with CD41.iso

with a dmesg, we would have known all that.
AND, we might have believed you. :)

> During installation it prompted No disks found.
>
> Previously on Windows I did this trick, connecting the HD to IDE first.
> Then the HD was detected.  After installation completed reconnected the HD
> to the Controller.

if that worked in Windows, I'm guessing you were using Win9x, and probably
fell back to BIOS support...probably horrible performance, but better than
nothing.  Kinda.

> Is there any other ways on OpenBSD.  Or I have to do the same trick as
> before?

The only way that trick would help you with OpenBSD is if this adapter
had support in GENERIC that was not in bsd.rd.  When it comes to IDE
disk drivers, Not Likely.

dmesg will tell you what is going on.  Could be a whole lot of things,
from plug your card in properly to add identifiers to the right driver
to write a new driver from scratch.

Get a dmesg, post it to the list.
Or get yourself a new, cheap IDE adapter that will Just Work.
Or simply use your on-board adapter.  For a 10G drive, probably not
huge amounts of difference in performance.

Nick.