Re: hoststated and UDP

2007-06-28 Thread Pierre-Yves Ritschard
On Thu, 28 Jun 2007 00:19:56 +0200
Luca Corti [EMAIL PROTECTED] wrote:

 Hello,
 
 I've set up hoststated for load balancing of some services, and it
 works well. If I'm not missing something hoststated actually works
 just for TCP. Is there any plan to implement UDP support?
 
Yes there is, I will implement it at least for L3 pretty soon, there
are other ongoing things for hoststated that are more important at the
moment though.



Re: Intel Core 2

2007-06-28 Thread Siegbert Marschall
Hi,

 On 6/27/07, Theo de Raadt [EMAIL PROTECTED] wrote:
 Various developers are busy implementing workarounds for serious bugs
 in Intel's Core 2 cpu.

 These processors are buggy as hell, and some of these bugs don't just
 cause development/debugging problems, but will *ASSUREDLY* be
 exploitable from userland code.

 Full (current) errata from Intel:

   http://download.intel.com/design/processor/specupdt/31327914.pdf

 An easier summary document for some people to read:

   
 http://www.geek.com/images/geeknews/2006Jan/core_duo_errata__2006_01_21__full.gif


 I don't know much about the recent history of these chips. Are there
 any good summaries around?

don't know but I am not surprised. Intel gets their butt kicked by the
AMD64 CPUs like never before. They pull out the old PIII design modified
by some other company for low energy and put the stuff into laptops.
But since their P4 crap can't keep up with AMD, they force the same old
thing into the Core CPUs. And hey, it works. They are low power and
fast. But ... it's a patchwork CPU ... no new development ... not enough
time to carefully test things ... structural and design flaws which can
not be cared for etc... So basically this all is two PIII cores with
lots of additional logic and modifications turning it into the ultimate
Franken Dualcore PIII on steroids.

 Of course people shouldn't really know that, they might be scared of
  the monster. 

Considering all this the CPU runs very well. Don't own one though and
all the machines I care for are AMD since the AthlonXP came up.

I might still buy a laptop with it, since I will be the only user on it,
the only bugs I care about are those which crash the machine more often than I
crash it when dropping it *g* but even there some VIA stuff hits the
market which is quite promising and well, there's always the Zaurus.
And then there is MIPS. If AMD/Intel are not careful they might wake up
one day with MIPS all around. They pop up like mushrooms in corners
where you don't expect them.

-sm

* Now please Sharp, get us a new zaurus with a bit more RAM and a higher
  resolution display.



Re: nfe0 problem (obsd 4.1)

2007-06-28 Thread Markus Ritzer

Hi!


I've noticed that once in a while the nfe0 interface will stop
sending and receiving data.  At this point I can not make it work
again.  The only solution I have is to reboot the box.  I have
installed a dc0 card in the box since.  The problem seemed
intermittent and not reliably reproducible.
I had problems like these when I ported OpenBSD to the Xbox
(http://tobias.schroepf.de/doku/doku.php?id=xbox:porting_openbsd_to_the_xbox)


You can find the patches I have made here:
http://tobias.schroepf.de/doku/doku.php?id=xbox:patch_the_openbsd_sources_network


But I don't know if this will solve your problem.



Markus Ritzer



'netstat: invalid address (30000) ??? on 4.1-current i386 binary snapshot

2007-06-28 Thread Adriaan

On a freshly installed binary snapshot netstat -an -f inet6 shows
netstat: invalid address (3) ???

-
# netstat -an -f inet6
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6       0      0  ::1.587                *.*                    LISTEN
tcp6       0      0  ::1.25                 *.*                    LISTEN
netstat: invalid address (3)
???
-
# dmesg | head -6
OpenBSD 4.1-current (GENERIC) #311: Wed Jun 27 02:31:47 MDT 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 268 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,MMX
real mem  = 133791744 (127MB)
avail mem = 121819136 (116MB)
---
The same message was also on the snapshot of :

# dmesg | head -6
OpenBSD 4.1-current (GENERIC) #302: Wed Jun 20 09:30:00 MDT 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 268 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,MMX
real mem  = 133791744 (127MB)
avail mem = 121823232 (116MB)
-
# netstat -an -f inet6
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6       0      0  ::1.587                *.*                    LISTEN
tcp6       0      0  ::1.25                 *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.37                   *.*                    LISTEN
tcp6       0      0  *.13                   *.*                    LISTEN
tcp6       0      0  *.113                  *.*                    LISTEN
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp6       0      0  ::1.512                *.*
netstat: invalid address (3)
???
-

I edited the /etc/ssh/sshd_config file to disable sshd from
LISTENing on IPv6. After reverting to the original sshd_config file
and rebooting, the error message still persists

-
# netstat -an -f inet6
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6       0      0  ::1.587                *.*                    LISTEN
tcp6       0      0  ::1.25                 *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
netstat: invalid address (3)
???
---

Of the X installation file sets I only installed xbase41.tgz because
of the expat libs needed by some binary packages.

=Adriaan=



Re: Intel Core 2

2007-06-28 Thread RedShift

Constantine A. Murenin wrote:

On 27/06/07, Jacob Yocom-Piatt [EMAIL PROTECTED] wrote:

you make more money if your widgets break because your new widget is
vastly improved. new packaging, same great defects!


The best thing about computer parts randomly failing will hit us in a
few years, due to RoHS directives:

http://en.wikipedia.org/wiki/RoHS#Impact_on_reliability
http://en.wikipedia.org/wiki/Whisker_%28metallurgy%29


Another problem that lead-free solders face is the growth of tin
whiskers. These thin strands of tin can grow and make contact with an
adjacent trace, developing a short circuit. Tin whiskers have already
been responsible for at least one failure at a nuclear power plant.
Other documented failures include satellites in orbit, aircraft in
flight, and implanted medical pacemakers.

Reliability decay of low-lead materials may be economically
desirable for some consumer product companies because it provides a
mechanism to enforce planned obsolescence and replacement. Ironically,
this is the opposite of the claimed intent of RoHS legislation.

C.



uuhhh that's scary. Are you sure they haven't found a solution for that?



Re: Intel Core 2

2007-06-28 Thread Johan P. Lindström

rough translation from swedish to english of:

http://strombergson.com/kryptoblog/?p=311

begin

Intel Advanced Management Technology - Rootkits for everyone

Intel just released a new x86 CPU; one new addition avoiding the news
is the AMT (Active Management Technology).

AMT is a technology intended to facilitate surveillance, maintenance
and control of computers remotely.

AMT allows for the following functions among others:

* Monitor and control (filter) the network traffic - before/under the
running operating system

* sending out patches to computers - even if they are turned off.

* Control, upgrade, change, add and remove software

* isolate and shutdown computers infected with viruses

* control on/off of the power supply

* re-route hdd access to a location on the network

* re-route mouse, keyboard, screen and other extras to a location on the network

AMT is based on functions in the chipset that allows chipsets to
communicate with other chips out-of-band from the CPU, options include
LAN, serial interfaces or a direct ethernet interface.

image

http://softwarecommunity.intel.com/UserFiles/en-us/figure_1(1).gif

/image

Ergo, there is a microcontroller in the MCU that is always on (as long
as the system has power through the power supply) and can receive and
perform instructions even though the system appears to be turned off.

The microcontroller is floating in a software environment that
implements a huge number of service functions and gives customers the
option to add their own functions.

translator's note:
does anyone remember the BIOS resident virus of the mid to late 90's?
end translator's note.

image

http://softwarecommunity.intel.com/UserFiles/en-us/figure_2(1).gif

/image


One of the most important parts is the feature or function to
communicate with the machine through a separate TCP/IP stack, in other
words, even if there is a firewall or other security countermeasures
in place protecting the operating system's TCP/IP stack, there is a side
channel into the system.

translator's note:
rant goes here
end translator's note.

image

http://softwarecommunity.intel.com/UserFiles/en-us/figure_3.gif

/image

So AMT gives system owners and administrators brand new ways to monitor
and control a large number of PCs. AMT will be shipped with an XML
(SOAP) based system for managing and administrating AMT clients.

But at the same time, the hair on my arms raises thinking of what
would happen should this technology be used for evil purposes.

How easy would it be to detect and protect oneself from the rootkits
that will sneak into AMT?

Rutkowska's Blue Pill is in theory dangerously close. There are
security functions in AMT to ensure this will not happen, namely
Kerberos and Active Directory based authentication, further on the
built in side channel TCP/IP stack offers TLS based communication.

For those that want to know more about AMT link 1 there are several
pages on Intel's website link 2. There is also a developer's kit (SDK)
for AMT available free of charge on Intel's site link 3


link 1
http://www.intel.com/technology/manage/iamt/

link 2 :
http://www.intel.com/business/vpro/index.htm

link 3 :
http://www.intel.com/cd/ids/developer/asmo-na/eng/321157.htm


On 6/27/07, Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote:

On Wed, Jun 27, 2007 at 04:25:08PM -0300, Leonardo Rodrigues wrote:

http://www.geek.com/images/geeknews/2006Jan/core_duo_errata__2006_01_21__full.gif
 Show stopper Potentially Catastrophic Those are some warm and fuzzy
 words =)

 Geez, that's a whole lot of bugs... I never imagined that processors
 could be so bugged.
 Theo says that AMD is getting less helpful towards open source OS.
 Well, that's great. We only have 2 big proc developers for i386, and
 now those two are turning out crap products with diminishing
 documentation =(

 I wonder where this road will lead us.

If you really want to know...

http://strombergson.com/kryptoblog/?p=311

I'd really love to read a translation of that document, but it seems to
say something along the lines of...

Basically, the new Celeron seems to have a separate memory and
process manager that can hide the thread and memory that does ... stuff.

But the chip is creepier than that.
If I am understanding Strömbergson correctly, this chip is the first
step in a brave new world where you have no clue what really goes on
when you buy a chip.


About Strombergson:
Strömbergson is one of Sweden's foremost experts on hardware design
(ASIC) and keeps a couple of software patents too (trie sorting ip
addresses for routing i.e).

--
Or not.
Today is Pungenday, the 32nd day of Confusion in the YOLD 3173
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?






--
-- JPL



Re: Rename multiple files at once

2007-06-28 Thread T. Ribbrock
On Wed, Jun 27, 2007 at 09:52:29AM -0700, Marco S Hyman wrote:
   for FILE in *jpg; do
   NEW=$(echo $FILE | sed -e 's/\.jpg$/_thumb.jpg/')
   mv ${FILE} ${NEW}
   done

 There is no need for echo and sed.  OpenBSD sh and ksh support
 ${var%suffix} which evaluates to the contents of var less the suffix.

For completeness' sake: so does bash, apparently.

Cheerio,

Thomas
-- 
-
  Thomas Ribbrock    http://www.ribbrock.org    ICQ#: 15839919
   You have to live on the edge of reality - to make your dreams come true!



Re: looking for a good guide on driver writing

2007-06-28 Thread Henning Brauer
* Gregory Edigarov [EMAIL PROTECTED] [2007-06-27 11:31]:
 I am looking for a guide about driver writing for OpenBSD.

here it is:
look for a similar driver, read & understand it, start from there.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Are Intel PWLA8391GT PRO/1000 GT desktop NICs supported on i386?

2007-06-28 Thread Henning Brauer
* Lloyd Martin [EMAIL PROTECTED] [2007-06-27 19:57]:
 Does anyone know if Intel PWLA8391GT PRO/1000 GT desktop NICs are
 supported on the i386 platform?

without knowing about that one explicitly, in all the intel PRO/1000 
should work.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: 'netstat: invalid address (30000) ??? on 4.1-current i386 binary snapshot

2007-06-28 Thread Otto Moerbeek
On Thu, 28 Jun 2007, Adriaan wrote:

 On a freshly installed binary snapshot netstat -an -f inet6 shows
 netstat: invalid address (3) ???

thanks for the report, we can reproduce and are looking into this

-Otto

 



Re: LC_COLLATE and PostgreSQL

2007-06-28 Thread Valentin Kozamernik
On Tue, 26 Jun 2007 at 12:35, Artur Litwinowicz wrote:
 O I think it is not good idea to change the code of OpenBSD by me. 
 Years ago I was coding in C++ (at the University but with best mark ;). Now
 I am working for Oracle Corp. (PL/SQL and etc.) and I am a little out of
 practice ;) with C/C++.
 
 Maybe someone core OpenBSD Developer will agree with me, that the extended
 COLLATION in OpenBSD will be the strong point in the system functionality ?
 

I had the same problem with PostgreSQL on OpenBSD a few years ago and
I've written some C-language extensions (database functions).  Be
advised that this is a totally non-standard solution.  Here you go:

The idea was to make simple functions for sorting and upper/lower
conversion, that would be faster than typical unicode table lookups.
Since I only ever needed a single language at a time, I didn't need
all the fancy unicode stuff.

In lang.h, there are lower and upper alphabet strings for each
language (currently english and slovenian).  You can add your own, of
course.

If you run make (you may need to edit the Makefile first), you'll
get the hash_en.so, hash_sl.so, upper_en.so, upper_sl.so,
lower_en.so and lower_sl.so shared libs containing postgres
functions with the same names.

To load them into database, use
CREATE FUNCTION func_name(TEXT) RETURNS TEXT AS \
 'path/to/func_file.so', 'func_name' LANGUAGE C IMMUTABLE STRICT
for each of them.

The upper_XX and lower_XX functions return the upper/lowercase version
of the input string.  The hash_XX function replaces the input string
with new string where each letter is replaced with its position in the
alphabet.

For example, instead of
SELECT ... ORDER BY my_column
you can use
SELECT ... ORDER BY hash_sl(my_column)
and you've got slovenian sort order.

For performance, create an index on hash_sl(my_column), not my_column.

This will only work on unicode databases.

Of course, there may be bugs.  They are quite likely, actually.  I
remember I wrote all this in a hurry.  But it has worked OK for at
least three projects now.

All the files except for lang.h follow below.  For lang.h, go to
http://www.komna.com/tin/lang.h (it's UTF-8 encoded, so I can't put
it here inline).



# Makefile
#
# Copyright (c) 2004 Valentin Kozamernik [EMAIL PROTECTED]
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
#

INCLUDE_DIR=/usr/local/include/postgresql/server

build: hash_en.so hash_sl.so lower_en.so lower_sl.so upper_en.so upper_sl.so

# Recipe lines must start with a tab character.
hash_en.so: hash.c
	cc -Wall -Werror -fpic -c -o hash_en.o hash.c -I$(INCLUDE_DIR) -DEN
	ld -Bshareable -o hash_en.so hash_en.o

hash_sl.so: hash.c
	cc -Wall -Werror -fpic -c -o hash_sl.o hash.c -I$(INCLUDE_DIR) -DSL
	ld -Bshareable -o hash_sl.so hash_sl.o

lower_en.so: lower.c
	cc -Wall -Werror -fpic -c -o lower_en.o lower.c -I$(INCLUDE_DIR) -DEN
	ld -Bshareable -o lower_en.so lower_en.o

lower_sl.so: lower.c
	cc -Wall -Werror -fpic -c -o lower_sl.o lower.c -I$(INCLUDE_DIR) -DSL
	ld -Bshareable -o lower_sl.so lower_sl.o

upper_en.so: upper.c
	cc -Wall -Werror -fpic -c -o upper_en.o upper.c -I$(INCLUDE_DIR) -DEN
	ld -Bshareable -o upper_en.so upper_en.o

upper_sl.so: upper.c
	cc -Wall -Werror -fpic -c -o upper_sl.o upper.c -I$(INCLUDE_DIR) -DSL
	ld -Bshareable -o upper_sl.so upper_sl.o

clean:
	-rm *.o *.so



/*
 * $Id: utf8.h,v 1.1.1.1 2004/12/14 14:53:28 tin Exp $
 *
 * Copyright (c) 2004 Valentin Kozamernik [EMAIL PROTECTED]
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED AS IS AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>

typedef u_int32_t widechar_t;

#define STR_WCHAR_UNKNOWN 
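
An added example, not part of the posted files: a stand-alone sketch of the position-in-alphabet sort key that the hash_XX description in the message above outlines. The alphabet tables, the names `collation_key` and `key_compare`, case folding, and the treatment of characters outside the alphabet are assumptions, since lang.h and hash.c are not shown; malformed UTF-8 and a too-small output buffer are rejected because code like this runs inside the database server process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed tables (assumption: the real ones live in lang.h, not shown). */
static const char SL_LOWER[] = "abc\xc4\x8d" "defghijklmnoprs\xc5\xa1" "tuvz\xc5\xbe";
static const char SL_UPPER[] = "ABC\xc4\x8c" "DEFGHIJKLMNOPRS\xc5\xa0" "TUVZ\xc5\xbd";

/* Decode one UTF-8 sequence. Returns bytes consumed, or 0 if the input is
 * truncated, has a bad continuation byte, is overlong, or is a surrogate. */
static size_t utf8_decode(const unsigned char *s, size_t len, uint32_t *cp)
{
    size_t n, i;
    uint32_t c, min;

    if (len == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0)      { n = 2; c = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { n = 3; c = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { n = 4; c = s[0] & 0x07; min = 0x10000; }
    else return 0;
    if (len < n) return 0;
    for (i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (c < min || c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF)) return 0;
    *cp = c;
    return n;
}

/* 1-based position of code point cp in a UTF-8 alphabet string, 0 if absent. */
static int alphabet_pos(const char *alpha, uint32_t cp)
{
    const unsigned char *p = (const unsigned char *)alpha;
    size_t left = strlen(alpha), n;
    uint32_t a;
    int pos = 1;

    while (left > 0 && (n = utf8_decode(p, left, &a)) > 0) {
        if (a == cp) return pos;
        p += n; left -= n; pos++;
    }
    return 0;
}

/* Write one key byte per input character: its position in the alphabet.
 * Returns the key length, or -1 on malformed UTF-8 or a full output buffer. */
long collation_key(const char *in, size_t in_len, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t used = 0, n;
    uint32_t cp;
    int pos;

    while (in_len > 0) {
        n = utf8_decode(p, in_len, &cp);
        if (n == 0 || used >= out_cap) return -1;
        pos = alphabet_pos(SL_LOWER, cp);
        if (pos == 0) pos = alphabet_pos(SL_UPPER, cp);
        /* Assumption: anything outside the alphabet sorts after all letters. */
        out[used++] = pos ? (unsigned char)pos : 0xFF;
        p += n; in_len -= n;
    }
    return (long)used;
}

/* Compare two strings by key: -1, 0 or 1; -2 if either key cannot be built. */
int key_compare(const char *a, const char *b)
{
    unsigned char ka[64], kb[64];
    long la = collation_key(a, strlen(a), ka, sizeof ka);
    long lb = collation_key(b, strlen(b), kb, sizeof kb);
    size_t m;
    int r;

    if (la < 0 || lb < 0) return -2;
    m = (size_t)(la < lb ? la : lb);
    r = memcmp(ka, kb, m);
    if (r == 0) r = (la > lb) - (la < lb);
    return (r > 0) - (r < 0);
}

int main(void)
{
    const char *caj = "\xc4\x8d" "aj", *dan = "dan";  /* constructed sample words */

    printf("byte order puts caj after dan: %d\n", strcmp(caj, dan) > 0);
    printf("key order: %d\n", key_compare(caj, dan));
    return 0;
}
```

Plain byte comparison places every word starting with č, š or ž after z; comparing the keys restores the alphabet's own order, which is what ORDER BY hash_sl(my_column) relies on.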

Re: looking for a good guide on driver writing

2007-06-28 Thread Claudio Jeker
On Thu, Jun 28, 2007 at 10:58:50AM +0200, Henning Brauer wrote:
 * Gregory Edigarov [EMAIL PROTECTED] [2007-06-27 11:31]:
  I am looking for a guide about driver writing for OpenBSD.
 
 here it is:
 look for a similar driver, read & understand it, start from there.
 

... and don't copy all the wrong stuff from one driver to another.

-- 
:wq Claudio



Re: LC_COLLATE and PostgreSQL

2007-06-28 Thread Artur Litwinowicz
Hi Valentin,

   thank You very, very much for Your answer.
Your idea is great !!! I am very happy with this solution :)
Of course I have to recall that pleasure with C/C++ coding but for now this
is the best and fastest way for me.

Have a nice day,
Best regards :)
Artur

On Thu, 28 Jun 2007 11:18:00 +0200, Valentin Kozamernik [EMAIL PROTECTED] wrote:


Re: em Intel 1000 GT

2007-06-28 Thread JD Bronson

Someone posted on one of these lists asking about if this card works on 4.1...
I don't recall seeing any reply..

I use this card just fine:

em0 at pci1 dev 9 function 0 Intel PRO/1000GT (82541GI) rev 0x05: irq 5

-JD



Re: em Intel 1000 GT

2007-06-28 Thread Gordon Ross
 On 28 June 2007 at 11:18, in message
[EMAIL PROTECTED], JD Bronson
[EMAIL PROTECTED] wrote:
 Someone posted on one of these lists asking about if this card works
 on 4.1...
 I don't recall seeing any reply..

OpenBSD 4.1-stable (GENERIC) #2: Tue May  8 16:48:20 BST 2007
em0 at pci7 dev 4 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03:
irq 11, address 00:1b:21:01:c8:30
em1 at pci7 dev 4 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03:
irq 7, address 00:1b:21:01:c8:31
em2 at pci7 dev 6 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03:
irq 10, address 00:1b:21:01:c8:32
em3 at pci7 dev 6 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03:
irq 11, address 00:1b:21:01:c8:33

Intel Pro/1000GT
http://www.intel.com/network/connectivity/products/pro1000gt_quadport_server_adapter.htm


GTG



Re: i386 performance degradation since recent snapshots

2007-06-28 Thread Brian Candler
 i'm encountering a real performance problem since a recent update :
 - previous snapshots dated around 22 may was working perfectly, launching my
 session (xfce) took around 10-15sec. Launching firefox took around 5secs
 - updated last week on 20 of june, launching my session takes around 1
 minute and a half, launching ffx takes 20sec

Just a thought:

- what does 'hostname' show?

- do you have an entry in /etc/hosts which maps this name to your correct
  IP address?

I've seen long delays in X startup if the system hostname can't be resolved
to an IP address (which can be very annoying in dynamic IP environments, or
where DHCP changes the hostname). But this experience is with non-OpenBSD
boxes; I only use command line on OpenBSD.

Also:

- is your DNS working properly? (e.g. nslookup www.openbsd.org gives you
  a positive answer in a reasonably short period of time, and
  nslookup xyz gives you an NXDOMAIN answer also in a reasonably short
  period of time)

Regards,

Brian.



openbsd 4.1 and keep state

2007-06-28 Thread jacek
Hi all,

I have quick question, I need not to create state on one of the rule but
once is done by default starting with version 4.1, not sure how to do it.

Any tips welcome

Thank you
Jacek



Re: openbsd 4.1 and keep state

2007-06-28 Thread Marius ROMAN

On 6/28/07, jacek [EMAIL PROTECTED] wrote:

Hi all,

I have quick question, I need not to create state on one of the rule but
once is done by default starting with version 4.1, not sure how to do it.

Any tips welcome

Thank you
Jacek



Read :

http://www.openbsd.org/faq/pf/filter.html#stateopts
http://www.undeadly.org/cgi?action=article&sid=20070424020008

Marius
--
[EMAIL PROTECTED], joy2share.com, vrajamarii.net, ispot.ro}



Intel Core 2 problems and OpenBSD Security

2007-06-28 Thread Siju George

-- Forwarded message --
From: Theo de Raadt [EMAIL PROTECTED]
Date: Jun 27, 2007 10:38 PM
Subject: Intel Core 2
To: [EMAIL PROTECTED]


Various developers are busy implementing workarounds for serious bugs
in Intel's Core 2 cpu.

These processors are buggy as hell, and some of these bugs don't just
cause development/debugging problems, but will *ASSUREDLY* be
exploitable from userland code.

As is typical, BIOS vendors will be very late providing workarounds /
fixes for these processors bugs.  Some bugs are unfixable and cannot
be worked around.  Intel only provides detailed fixes to BIOS vendors
and large operating system groups.  Open Source operating systems are
largely left in the cold.

Full (current) errata from Intel:

 http://download.intel.com/design/processor/specupdt/31327914.pdf

 - We bet there are many more errata not yet announced -- every month
   this file gets larger.
 - Intel understates the impact of these errata very significantly.
   Almost all operating systems will run into these bugs.
 - Basically the MMU simply does not operate as specified/implemented
   in previous generations of x86 hardware.  It is not just buggy, but
   Intel has gone further and defined new ways to handle page tables
   (see page 58).
 - Some of these bugs are along the lines of buffer overflow; where
   a write-protect or non-execute bit for a page table entry is ignored.
   Others are floating point instruction non-coherencies, or memory
   corruptions -- outside of the range of permitted writing for the
   process -- running common instruction sequences.
 - All of this is just unbelievable to many of us.

An easier summary document for some people to read:

 
http://www.geek.com/images/geeknews/2006Jan/core_duo_errata__2006_01_21__full.gif

Note that some errata like AI65, AI79, AI43, AI39, AI90, AI99 scare
the hell out of us.  Some of these are things that cannot be fixed in
running code, and some are things that every operating system will do
until about mid-2008, because that is how the MMU has always been
managed on all generations of Intel/AMD/whoeverelse hardware.  Now
Intel is telling people to manage the MMU's TLB flushes in a new and
different way.  Yet even if we do so, some of the errata listed are
unaffected by doing so.

As I said before, hiding in this list are 20-30 bugs that cannot be
worked around by operating systems, and will be potentially
exploitable.  I would bet a lot of money that at least 2-3 of them
are.

==

For instance, AI90 is exploitable on some operating systems (but not
OpenBSD running default binaries).

==

At this time, I cannot recommend purchase of any machines based on the
Intel Core 2 until these issues are dealt with (which I suspect will
take more than a year).  Intel must become more transparent.

(While here, I would like to say that AMD is becoming less helpful day
by day towards open source operating systems too, perhaps because
their serious errata lists are growing rapidly too).



Re: openbsd 4.1 and keep state

2007-06-28 Thread Cabillot Julien

http://openbsd.org/faq/pf/filter.html#stateopts

no state
   Prevents the rule from automatically creating a state entry.

On 6/28/07, jacek [EMAIL PROTECTED] wrote:

Hi all,

I have a quick question: I need to not create state on one of the rules, but
it is done by default starting with version 4.1, and I am not sure how to do it.

Any tips welcome

Thank you
Jacek





--
Julien Cabillot



Re: i386 performance degradation since recent snapshots

2007-06-28 Thread Lontronics Mailinglist account
On Thu, 28 Jun 2007 13:07:41 +0100
Brian Candler [EMAIL PROTECTED] wrote:

  i'm encountering a real performance problem since a recent update :
  - previous snapshots dated around 22 may was working perfectly, launching my
  session (xfce) took around 10-15sec. Launching firefox took around 5secs
  - updated last week on 20 of june, launching my session takes around 1
  minute and a half, launching ffx takes 20sec
 
For what it is worth; 
I am also using snapshots.
The first snap I installed here was from somewhere in may (I think the 25th), 
and the one I am using now is the one from June 25th.
I do not see any performance problems here, in fact I am very happy with the 
latest snap.
My guess would be you have problems with IPV6 or DNS.

Jan.



Re: Intel Core 2 problems and OpenBSD Security

2007-06-28 Thread Siju George

On 6/28/07, Siju George [EMAIL PROTECTED] wrote:

-- Forwarded message --
From: Theo de Raadt [EMAIL PROTECTED]
Date: Jun 27, 2007 10:38 PM
Subject: Intel Core 2
To: [EMAIL PROTECTED]


Various developers are busy implementing workarounds for serious bugs
in Intel's Core 2 cpu.



Sorry :-( this was supposed to go to the local BSD lists.

apologies

Siju



Re: openbsd 4.1 and keep state

2007-06-28 Thread Huzeyfe ONAL
Use no state  in your rule.
jacek wrote:
 Hi all,

 I have a quick question: I need to not create state on one of the rules, but
 it is done by default starting with version 4.1, and I am not sure how to do it.

 Any tips welcome

 Thank you
 Jacek



Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread J.D. Bronson

I have a question about this..

Will NEW offenders be added to /etc/tables/scanners
as they are discovered and therefore not just remain in kernel?

It would be nice since doing a reboot wipes out kernel kept
IPs...

table <scanners> persist file "/etc/tables/scanners"
vs
table <scanners> persist

Thanks :)

-JD

Date: Thu, 28 Jun 2007 01:39:37 -0400
From: Daniel Ouellet [EMAIL PROTECTED]
User-Agent: Thunderbird 1.5.0.12 (Windows/20070509)
To: OpenBSD misc@openbsd.org
Subject: Re: SSH brute force attacks no longer being caught by PF rule
Sender: [EMAIL PROTECTED]

Steve B wrote:
The rule I've had in my pf.conf file to catch and block forceful SSH
attempts no longer appears to be working. I see the entries in my authlog,
but the IPs are no longer getting added to my table. I suspect I screwed
something  up, but so far I am at a loss to see where. Could someone pass
another set of eyes over the relevant parts of my pf.conf?

Put quickly as an example, but you can try:

# Define some variable for clarity
SSH_LIMIT="(max-src-conn-rate 3/30, overload <scanners> flush global)"

## SSH Hackers - blocked IPs
table <scanners> persist file "/etc/tables/scanners"

# Block ssh access to bad ssh scanner
block drop in log quick on $ext_if inet proto tcp \
    from <scanners> to any port ssh

# Allow quick valid traffic to ssh but log all attempts as well
pass in log quick on $ext_if inet proto tcp from ! <scanners> \
    to $ext_if port ssh flags S/SA keep state \
    $SSH_LIMIT

You may also want to add a section to always make sure you will have
SSH access to your box before you block all SSH access like you did
should someone spoof your source IP to log yourself out as well with
may be something like:

# Allow quick ssh access to good guys on main interface.
pass in quick on $ext_if inet proto tcp from <goodguys> \
    to $ext_if port ssh flags S/SA keep state

Daniel



Re: openbsd 4.1 and keep state

2007-06-28 Thread Stuart Henderson
On 2007/06/28 15:45, Huzeyfe ONAL wrote:
 Use no state  in your rule.

and 'flags any' if it's TCP.



Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread J.D. Bronson

At 08:56 AM 06/28/2007, Stuart Henderson wrote:

On 2007/06/28 08:46, J.D. Bronson wrote:
 Will NEW offenders be added to /etc/tables/scanners
 as they are discovered and therefore not just remain in kernel?

No, pf does not write to files.
How about cron(8) and pfctl(8) instead?


so if it won't write to a file...I presume it blocks
what's listed in /etc/tables/scanners permanently and then only
blocks NEW offenders via kernel memory?
(can someone clarify my understanding of that?)

I would ideally like to stop attacks and then write the offenders in a file
so I don't lose these during a reboot...

what if I cron something like this:

pfctl -t scanners -T show >> /etc/tables/scanners
pfctl -f /etc/pf.conf

Would that work?? 



Re: Intel Core 2

2007-06-28 Thread Gary Baluha
http://www.theregister.com/2007/06/27/intel_core2_duo_bios_fix/

Intel has released a BIOS patch for Windows machines running Core 2 and
Xeon 3000/5000 chips that addresses potential unpredictable system
behavior.

After reading the whole article, it sounds like Intel is attempting to
address some of the many bugs the chips have.  In their wisdom, it sounds
like they are making it difficult to get these updates if you *don't* run
wind0ze.

I like this quote:
"I'll put it to you this way," [Intel spokesman] Knupffer said. "I've got a
core chip at home and I haven't updated."

That doesn't say much.  If it's a non-networked machine, who really needs
*any* patches...



Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread Stuart Henderson
On 2007/06/28 08:46, J.D. Bronson wrote:
 Will NEW offenders be added to /etc/tables/scanners
 as they are discovered and therefore not just remain in kernel?

No, pf does not write to files.
How about cron(8) and pfctl(8) instead?



FTP traffic counting

2007-06-28 Thread Juan Miscaro
I am using OpenBSD 4.0 and I am counting bytes with labels for most
protocols but with ftp-proxy I do not know how to proceed.  How can I
do this?  These are the rules I have in pf.conf:


  nat-anchor "ftp-proxy/*"
  rdr-anchor "ftp-proxy/*"

  rdr pass on $INT \
    inet proto tcp \
    from any \
    to any port ftp \
    -> 127.0.0.1 port 8021

  anchor "ftp-proxy/*"

  pass out on $EXT \
    inet proto tcp \
    from ($EXT) \
    to any port 21 \
    keep state


I can add a label for port 21 but how do I track the data ports?

Thank you very much for any help in this matter.

   Juan





Re: Intel Core 2

2007-06-28 Thread David W. Hess
On Thu, 28 Jun 2007 10:26:45 +0200, RedShift [EMAIL PROTECTED] wrote:

 Reliability decay of low-lead materials may be economically
 desirable for some consumer product companies because it provides a
 mechanism to enforce planned obsolescence and replacement. Ironically,
 this is the opposite of the claimed intent of RoHS legislation.

uuhhh that's scary. Are you sure they haven't found a solution for that?


The inexpensive solution is to use a minimum of 4% lead in the tin based
solder but that goes against the purpose of RoHS even if more waste is
produced due to early failure.  There are other alloying agents which impede
tin whisker growth but they tend to either add significantly to the cost or
compromise other characteristics.



Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread Joachim Schipper
On Wed, Jun 27, 2007 at 09:54:04PM -0700, Steve B wrote:
 The rule I've had in my pf.conf file to catch and block forceful SSH
 attempts no longer appears to be working. I see the entries in my authlog,
 but the IPs are no longer getting added to my table. I suspect I screwed
 something  up, but so far I am at a loss to see where. Could someone pass
 another set of eyes over the relevant parts of my pf.conf?
 
 ## SSH Hackers - blocked IPs
 table <scanners> persist file "/etc/tables/scanners"
 
 ## Packet Filtering ##
 block quick from <scanners>
 block in all
 
 ## Pass SSH traffic ##
 pass in log on $ext_if inet proto tcp from any to any port = ssh flags S/SA
 keep state (source-track rule, max-src-conn 10, max-src-conn-rate 5/60,
 overload <scanners> flush global, if-bound, src.track 60)

'pass in log' suggests the solution; try to connect via SSH and let
tcpdump listen on pflog0.

Joachim

-- 
TFMotD: perlnewmod (1) - preparing a new module for distribution



Re: Intel Core 2

2007-06-28 Thread Stuart Henderson
On 2007/06/28 09:16, David W. Hess wrote:
 On Thu, 28 Jun 2007 10:26:45 +0200, RedShift [EMAIL PROTECTED] wrote:
 
  Reliability decay of low-lead materials may be economically
  desirable for some consumer product companies because it provides a
  mechanism to enforce planned obsolescence and replacement. Ironically,
  this is the opposite of the claimed intent of RoHS legislation.
 
 uuhhh that's scary. Are you sure they haven't found a solution for that?
 
 
 The inexpensive solution is to use a minimum of 4% lead in the tin based
 solder but that goes against the purpose of RoHS even if more waste is
 produced due to early failure.

Lead is still permitted for some equipment (notably network infrastructure),
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0095:EN:HTML
annex 7:

- lead in solders for servers, storage and storage array systems
(exemption granted until 2010),

- lead in solders for network infrastructure equipment for switching,
signalling, transmission as well as network management for
telecommunication,

- lead in electronic ceramic parts (e.g. piezoelectronic devices).



Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread Bill
On Thu, 28 Jun 2007 09:02:43 -0500
J.D. Bronson [EMAIL PROTECTED] wrote:

 At 08:56 AM 06/28/2007, Stuart Henderson wrote:
 On 2007/06/28 08:46, J.D. Bronson wrote:
   Will NEW offenders be added to /etc/tables/scanners
   as they are discovered and therefore not just remain in kernel?
 
 No, pf does not write to files.
 How about cron(8) and pfctl(8) instead?
 
 so if it wont write to a file...I presume it blocks
 whats listed in /etc/tables/scanners permanently and then only
 blocks NEW offenders via kernel memory?
 (can someone clarify my understanding of that?
 
 I would ideally like to stop attacks and then write the offenders in a file
 so I dont loose these during a reboot...
 
 what if I cron something like this:
 
 pfctl -t scanners -T show >> /etc/tables/scanners
 pfctl -f /etc/pf.conf
 
 Would that work?? 
 

The persist thing got me at first too, but the FAQ is quite clear and does not 
actually say it writes anywhere.  I just assumed it for reasons beyond this 
discussion.  Anyway, persist keeps it even if no rules are using it.   The 
file part is strictly for pre-populating when pf starts up.

I am not sure why you have both of those... the top line to output would be 
fine, and have your pf ruleset use the file at startup to read them in.



Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread Stuart Henderson
On 2007/06/28 09:02, J.D. Bronson wrote:
 At 08:56 AM 06/28/2007, Stuart Henderson wrote:
 On 2007/06/28 08:46, J.D. Bronson wrote:
  Will NEW offenders be added to /etc/tables/scanners
  as they are discovered and therefore not just remain in kernel?

 No, pf does not write to files.
 How about cron(8) and pfctl(8) instead?

 so if it wont write to a file...I presume it blocks
 whats listed in /etc/tables/scanners permanently and then only
 blocks NEW offenders via kernel memory?
 (can someone clarify my understanding of that?

yes.

when the ruleset is loaded, the table in memory is populated with
the contents of /etc/tables/scanners.

when someone hits overload, they are just added to the table in memory.

 I would ideally like to stop attacks and then write the offenders in a file
 so I dont loose these during a reboot...

 what if I cron something like this:

 pfctl -t scanners -T show >> /etc/tables/scanners
 pfctl -f /etc/pf.conf

 Would that work?? 

no need to reload the ruleset each time, and your table file will grow
quite large by using >> to append each time; this would be better:

TMPFILE=`mktemp -p /etc/tables scanners.XXXXXXXXXX` || exit 1
pfctl -t scanners -Ts > $TMPFILE && mv $TMPFILE /etc/tables/scanners

this is all from a 'how to do it' point-of-view, I don't think it's
all that useful. if an attacker is still active, they'll hit overload
soon enough anyway.
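
The cron approach discussed in this thread, as an added example that is not part of any poster's message: a POSIX sh function that dumps a pf table to its file through a temporary file and an atomic rename, keeps the old file when the dump fails or comes back empty, and filters out lines that do not look like addresses. The names `persist_table`, `is_addr` and `PFCTL` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): save a pf table to the file that
# pf.conf loads it from, for use in a cron job. persist_table, is_addr and
# PFCTL are names chosen here.

PFCTL=${PFCTL:-pfctl}   # overridable so the logic can be exercised without pf

# is_addr TEXT: character whitelist for IPv4/IPv6 entries with an optional
# /prefix. It is not a full address parser; it only keeps stray text out of
# the table file.
is_addr() {
    case $1 in
        ''|*[!0-9a-fA-F.:/]*) return 1 ;;
        *.*|*:*) return 0 ;;
    esac
    return 1
}

# persist_table TABLE FILE
# Returns 0 if FILE was replaced, 1 if the previous FILE was left untouched.
persist_table() {
    table=$1
    file=$2

    # Same directory as the target, so the final mv is an atomic rename(2)
    # and a reader never sees a half-written table file.
    tmp=$(mktemp "$(dirname "$file")/.$(basename "$file").XXXXXXXXXX") || return 1

    # Capture the dump first: a failing pfctl must not replace the old file.
    if ! dump=$("$PFCTL" -t "$table" -T show 2>/dev/null); then
        rm -f "$tmp"
        return 1
    fi

    # pfctl indents each entry; read strips the surrounding whitespace.
    printf '%s\n' "$dump" | while read -r entry; do
        if is_addr "$entry"; then
            printf '%s\n' "$entry"
        fi
    done > "$tmp"

    # An empty result keeps the old file (a conservative choice made for this
    # example: a table emptied on purpose then has to be cleared by hand).
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi

    mv "$tmp" "$file"
}

# Cron usage (as root): sh persist_table.sh scanners /etc/tables/scanners
if [ "$#" -eq 2 ]; then
    persist_table "$1" "$2"
fi
```
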



Re: USB200M (linksys) reporting device problem, disabling port

2007-06-28 Thread Eric

On Wed, Jun 27, 2007 at 09:45:17PM -0400, Eric wrote:

hello..

i just installed OpenBSD 4.1 from an original CD. My USB ethernet adapter,
a Linksys USB200M is a known good working adapter (verified on Mac OS X
10.4 and FreeBSD 6.2). I am building a gateway with OpenBSD and this
hardware has only one builtin ethernet adapter (rl0) and will require a
2nd. PCI ethernet is not an option (it's a small form factor fanless PC).
I require the USB200M to operate or a suitable alternative must be found.

snipped - full dmesg below

The documentation confirms the USB200M is supported via the axe(4) driver.
The FAQ, mailing list archives, and google have produced no answers. They
seem to produce results stating either that the USB200M is supported via
axe(4) or that the axe(4) driver has been committed (in the 3.x branches).
Almost all of the available information is relating to the introduction of
axe(4) in 3.x. Some results refer to this issue, but have no replies which
resolve the problem.



I can't tell if you have a USB2 (ehci) controller, you didn't
include a full dmesg.

But if you don't perhaps there is an issue with usb/uhci code
not properly handling high speed devices on low speed controllers.



The BIOS has an option for OnChip USB2 which is enabled, as 
is OnChip USB. However I don't see an ehci controller


Full dmesg:
OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Samuel 2 (CentaurHauls 686-class) 802 MHz
cpu0: FPU,DE,TSC,MSR,MTRR,PGE,MMX
real mem  = 125337600 (122400K)
avail mem = 106831872 (104328K)
using 1560 buffers containing 6389760 bytes (6240K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 03/17/03, BIOS32 rev. 0 @ 0xfb390, 
SMBIOS rev. 2.2 @ 0xf0800 (43 entries)

bios0: VIA Technologies, Inc. VT8601
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdd54
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdce0/112 (5 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x4000! 0xd/0x4000
acpi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT8601 PCI rev 0x05
ppb0 at pci0 dev 1 function 0 VIA VT82C601 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Trident CyberBlade i1 rev 0x6a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100, 
channel 0 configured to compatibility, channel 1 configured to 
compatibility

wd0 at pciide0 channel 0 drive 0: SanDisk SDCFH-8192
wd0: 4-sector PIO, LBA, 7815MB, 16007040 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x1a: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x1a: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40
rl0 at pci0 dev 14 function 0 Realtek 8139 rev 0x10: irq 11, address 
00:11:5b:01:e8:74

rlphy0 at rl0 phy 0: RTL internal PHY
cmpci0 at pci0 dev 15 function 0 C-Media Electronics CMI8738/C3DX Audio 
rev 0x10: irq 12

audio0 at cmpci0
opl0 at cmpci0: model OPL3
midi0 at opl0: CMPCI Yamaha OPL3
mpu at cmpci0 not configured
C-Media Electronics HSP56 AMR rev 0x20 at pci0 dev 15 function 1 not 
configured

isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi1 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
biomask ef6d netmask ef6d ttymask efef
pctr: user-level cycle counter enabled
uhub0: port 1, set config at addr 2 failed
uhub0: device problem, disabling port 1
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

thank you



logger time stamps

2007-06-28 Thread Craig Skinner
I've written a korn script (viagrad) that runs as a daemon and checks
that my ADSL router is up. If no hosts beyond the router are pingable,
it resets (via expect scripts) the username in the router to the telco's
default, then waits a while for a re-train on the gateway, reboots the
router, resets the account to my user account, and starts the loop
again.


In the script I have:

this=$(basename ${0})
syslog="logger -t ${this}"

..

ping_hosts()
{
..
..
# if our router is not connected to the Internet, then log so
if [[ ${notified} = 'false' ]]; then

${syslog} 'link down!'
send_mail 'down!'
notified='true'
fi

..
..
..


reboot_router()
{
${syslog} rebooting ${router}
$(dirname ${0})/reboot/${router_connect}

# Give the router a chance to reboot & retrain
sleep ${reboot_sleep}
ping_router
}

reset_line()
{
${syslog} line reset with account: ${1}
$(dirname ${0})/reset/${router_connect} ${1}

# Give the router a chance to retrain on the ADSL gateway
sleep ${retrain_sleep}
ping_router
}



..


The router's DNS name is juniper, and the host that this runs on is
teak, but notice the time stamps from the script are delayed, compared
to the syslog events from the router:

Jun 28 12:41:05 juniper juniper: board 0 line 0 channel 0, call 8, C02 Call 
Terminated 
Jun 28 12:42:13 juniper juniper: ppp:LCP Closing

LATE:
Jun 28 12:40:09 teak viagrad: link down!
Jun 28 12:43:22 juniper juniper: ppp:IPCP Closing
Jun 28 12:44:30 juniper juniper: board 0 line 0 channel 0, call 9, C01 Outgoing 
Call dev=5 ch=0  
Jun 28 12:45:38 juniper juniper: board 0 line 0 channel 0, call 9, C02 OutCall 
Connected 512000  
Jun 28 12:46:46 juniper juniper: ppp:LCP Starting
Jun 28 12:47:54 juniper juniper: ppp:LCP Opening
Jun 28 12:49:02 juniper juniper: ppp:CHAP Shutdown
Jun 28 12:50:10 juniper juniper: ppp:LCP Closing

LATE:
Jun 28 12:43:10 teak viagrad: line reset with account: [EMAIL PROTECTED]
Jun 28 12:51:18 juniper juniper: board 0 line 0 channel 0, call 9, C02 Call 
Terminated 
Jun 28 12:52:26 juniper juniper: board 0 line 0 channel 0, call 10, C01 
Outgoing Call dev=5 ch=0  
Jun 28 12:53:34 juniper juniper: board 0 line 0 channel 0, call 10, C02 OutCall 
Connected 512000  

LATE:
Jun 28 12:43:54 teak viagrad: rebooting branch.juniper
Jun 28 12:54:42 juniper juniper: ppp:LCP Starting
Jun 28 12:55:50 juniper juniper: ppp:LCP Opening
Jun 28 12:56:58 juniper juniper: ppp:CHAP Shutdown
Jun 28 12:58:06 juniper juniper: ppp:LCP Closing

LATE:
Jun 28 12:45:29 teak viagrad: line reset with account: [EMAIL PROTECTED]
Jun 28 12:59:14 juniper juniper: board 0 line 0 channel 0, call 10, C02 Call 
Terminated 
Jun 28 13:00:22 juniper juniper: board 0 line 0 channel 0, call 11, C01 
Outgoing Call dev=5 ch=0  
Jun 28 13:01:30 juniper juniper: board 0 line 0 channel 0, call 11, C02 OutCall 
Connected 512000  
Jun 28 13:02:39 juniper juniper: ppp:LCP Starting

LATE:
Jun 28 12:49:33 teak viagrad: rebooting branch.juniper
Jun 28 13:03:47 juniper juniper: ppp:LCP Opening
Jun 28 13:04:55 juniper juniper: ppp:CHAP Shutdown
Jun 28 13:06:03 juniper juniper: ppp:LCP Closing

LATE:
Jun 28 12:54:31 teak viagrad: line reset with account: [EMAIL PROTECTED]
Jun 28 13:07:11 juniper juniper: board 0 line 0 channel 0, call 11, C02 Call 
Terminated 

LATE:
Jun 28 12:55:14 teak viagrad: rebooting branch.juniper
Jun 28 13:08:19 juniper juniper: board 0 line 0 channel 0, call 12, C01 
Outgoing Call dev=5 ch=0  

LATE:
Jun 28 12:56:49 teak viagrad: line reset with account: [EMAIL PROTECTED]
Jun 28 13:09:27 juniper juniper: board 0 line 0 channel 0, call 12, C02 OutCall 
Connected 512000  
Jun 28 13:10:35 juniper juniper: ppp:LCP Starting
Jun 28 13:11:05 juniper juniper: ppp:LCP Opening
Jun 28 13:11:05 juniper juniper: ppp:LCP Closing
Jun 28 13:11:05 juniper juniper: board 0 line 0 channel 0, call 12, C02 Call 
Terminated 

LATE:
Jun 28 13:00:54 teak viagrad: rebooting branch.juniper
Jun 28 13:11:05 juniper juniper: board 0 line 0 channel 0, call 13, C01 
Outgoing Call dev=5 ch=0  

LATE:
Jun 28 13:05:51 teak viagrad: line reset with account: [EMAIL PROTECTED]
Jun 28 13:11:05 juniper juniper: board 0 line 0 channel 0, call 13, C02 OutCall 
Connected 512000  

LATE:
Jun 28 13:06:34 teak viagrad: rebooting branch.juniper
Jun 28 13:11:05 juniper juniper: ppp:LCP Starting

LATE:
Jun 28 13:08:10 teak viagrad: line reset with account: [EMAIL PROTECTED]


ISP's RADIUS server goes a bit spazzo as everyone tries to re-auth after
the brown-out:


Jun 28 13:11:05 juniper juniper: ppp:LCP Opening
Jun 28 13:11:05 juniper juniper: ppp:CHAP Opening
Jun 28 13:11:05 juniper juniper: ppp:IPCP Starting
Jun 28 13:11:05 juniper juniper: ppp:IPCP Opening
Jun 28 13:11:05 juniper juniper: board 0 line 0 channel 0, call 9, C01 Outgoing 
Call dev=5 ch=0  
Jun 28 13:11:05 juniper juniper: 

Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread Daniel Ouellet

J.D. Bronson wrote:

At 08:56 AM 06/28/2007, Stuart Henderson wrote:

On 2007/06/28 08:46, J.D. Bronson wrote:
 Will NEW offenders be added to /etc/tables/scanners
 as they are discovered and therefore not just remain in kernel?

No, pf does not write to files.
How about cron(8) and pfctl(8) instead?


so if it wont write to a file...I presume it blocks
whats listed in /etc/tables/scanners permanently and then only
blocks NEW offenders via kernel memory?
(can someone clarify my understanding of that?

I would ideally like to stop attacks and then write the offenders in a file
so I dont loose these during a reboot...

what if I cron something like this:

pfctl -t scanners -T show >> /etc/tables/scanners
pfctl -f /etc/pf.conf

Would that work??


I was trying to help giving you an example that would work, as you said 
it was working before and not anymore. But I guess you need to go back 
and read the faq, and the man page on pf and cron. Looks like you want 
others to do the work for you and giving you the answer, or even more 
details is like doing the setup for you and you will not remember or 
understand it properly to do it right the next time around.


Sorry, I really was going to send you more but deleted my email. It 
wouldn't be the right way to help you. Configuring a firewall is 
important to make sure you protect yourself and your office, etc. Do 
your homework first, then if you have a question you sure can ask and 
I will be more than happy to help. Feeding you with a spoon is the wrong 
thing to do here as a firewall is too important for you not to understand 
it fully. I sure don't want to be mean, but I think that's the best way 
to help you.


I feel it wouldn't be helping you doing so. If you are not sure of 
something, why not test it and see. (;


Best,

Daniel



Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread J.D. Bronson

Guys...I was not the one that started this thread..
I just chimed in and asked for a tweak on the setup.

I have what I need for now :)

-JD

At 11:54 AM 06/28/2007, Daniel Ouellet wrote:

J.D. Bronson wrote:

At 08:56 AM 06/28/2007, Stuart Henderson wrote:

On 2007/06/28 08:46, J.D. Bronson wrote:
 Will NEW offenders be added to /etc/tables/scanners
 as they are discovered and therefore not just remain in kernel?

No, pf does not write to files.
How about cron(8) and pfctl(8) instead?

so if it wont write to a file...I presume it blocks
whats listed in /etc/tables/scanners permanently and then only
blocks NEW offenders via kernel memory?
(can someone clarify my understanding of that?
I would ideally like to stop attacks and then write the offenders in a file
so I dont loose these during a reboot...
what if I cron something like this:
pfctl -t scanners -T show >> /etc/tables/scanners
pfctl -f /etc/pf.conf
Would that work??


I was trying to help giving you an example that would work, as you 
said it was working before and not anymore. But I guess you need to 
go back and read the faq, and the man page on pf and cron. Looks 
like you want others to do the work for you and giving you the 
answer, or even more details is like doing the setup for you and you 
will not remember or understand it properly to do it right the next 
time around.


Sorry, I really was going to send you more but deleted my email. It 
wouldn't be the right way to help you. Configuring a firewall is 
important to make sure you protect yourself and your office, etc. Do 
your homework first, then if you have a question you sure can ask 
and I will be more than happy to help. Feeding you with a spoon is the 
wrong thing to do here as a firewall is too important for you not to 
understand it fully. I sure don't want to be mean, but I think 
that's the best way to help you.


I feel it wouldn't be helping you doing so. If you are not sure of 
something, why not test it and see. (;


Best,

Daniel




Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread Daniel Ouellet

J.D. Bronson wrote:

Guys...I was not the one that started this thread..
I just chimed in and asked for a tweak on the setup.


Sorry for my mistake then. I should refrain from replying on lack of 
sleep. (;



I have what I need for now :)


Glad it helped you nevertheless.



clamav on 3.9

2007-06-28 Thread Marcos Laufer
Hi there,

I'm trying to install the newest clamav (0.90.3) on OpenBSD 3.9. I updated
the sources, and managed to compile it. But when I try to install the package
I get this error:

 pkg_add /usr/ports/packages/i386/all/clamav-0.90.3p0.tgz
Can't install /usr/ports/packages/i386/all/clamav-0.90.3p0.tgz: lib not
found idn.16.15
Even by looking in the dependency tree:
lha-1.14i.ac20050924, unzip-5.52, arc-5.21n, gmp-4.1.4p0,
libiconv-1.9.2p3, bzip2-1.0.3, curl-7.15.3, zoo-2.10.1p0
Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.

And libidn is installed :
 pkg_info |grep libid
libidn-0.6.1internationalized string handling

I read here http://www.mail-archive.com/[EMAIL PROTECTED]/msg11199.html
someone
had a similar problem and his solution was to update curl as well , but i
can't
upgrade it because i get another funky error:

/usr/local/bin/libtool  --tag=CC--mode=link
  -O2 -pipe   -L/usr/local/lib -o curl main.o hugehelp.o urlglob.o
writeout.o writeenv.o getpass.o  homedir.o curlutil.o strtoofft.o strdup.o
../lib/libcurl.la  -lz
mkdir .libs
cc -O2 -pipe -o .libs/curl main.o hugehelp.o urlglob.o writeout.o writeenv.o
getpass.o homedir.o curlutil.o strtoofft.o
strdup.o  -L/usr/local/lib -L../lib/.libs -lcurl -lcrypto -lssl -lidn -licon
v -lz -Wl,-rpath,/usr/local/lib
main.o(.text+0x2ff): In function `file2string':
: warning: strcpy() is almost always misused, please use strlcpy()
/usr/local/lib/libcurl.so.3.3: warning: sprintf() is often misused, please
use snprintf()
main.o(.text+0x68b1): In function `my_get_line':
: warning: strcat() is almost always misused, please use strlcat()
main.o(.text+0x4752): In function `operate':
: undefined reference to `curl_easy_escape'
collect2: ld returned 1 exit status
*** Error code 1
Stop in /u/system/ports/net/curl/w-curl-7.16.2/curl-7.16.2/src (line 358 of
Makefile).
*** Error code 1
Stop in /u/system/ports/net/curl/w-curl-7.16.2/curl-7.16.2/src (line 279 of
Makefile).
*** Error code 1
Stop in /u/system/ports/net/curl/w-curl-7.16.2/curl-7.16.2 (line 374 of
Makefile).
*** Error code 1
Stop in /u/system/ports/net/curl (line 1924 of
/usr/ports/infrastructure/mk/bsd.port.mk).

I'd appreciate any help on how to continue
Thanks!



Fw: clamav on 3.9

2007-06-28 Thread Marcos Laufer
I've managed to compile curl (just had to remove the old one first)

but i still can't install the clamav package , i still get the same error
message:


test:/usr/ports/security/clamav{95}# pkg_add
/usr/ports/packages/i386/all/clamav-0.90.3p0.tgz
Can't install /usr/ports/packages/i386/all/clamav-0.90.3p0.tgz: lib not
found curl.3.3
Even by looking in the dependency tree:
arc-5.21n, libidn-0.6.1, libiconv-1.9.2p3, bzip2-1.0.3,
zoo-2.10.1p0, unzip-5.52, lha-1.14i.ac20050924, gettext-0.14.5p1,
expat-1.95.6p1, gmp-4.1.4p0, curl-7.16.2
Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.
test:/usr/ports/security/clamav{96}#


- Original Message - 
From: Marcos Laufer [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Thursday, June 28, 2007 3:56 PM
Subject: clamav on 3.9


Hi there,

I'm trying to install the newest clamav (0.90.3) on OpenBSD 3.9 . I updated
the
sources, and managed to compile it . But when i try to install the package i
get this error:

 pkg_add /usr/ports/packages/i386/all/clamav-0.90.3p0.tgz
Can't install /usr/ports/packages/i386/all/clamav-0.90.3p0.tgz: lib not
found idn.16.15
Even by looking in the dependency tree:
lha-1.14i.ac20050924, unzip-5.52, arc-5.21n, gmp-4.1.4p0,
libiconv-1.9.2p3, bzip2-1.0.3, curl-7.15.3, zoo-2.10.1p0
Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.

And libidn is installed :
 pkg_info |grep libid
libidn-0.6.1internationalized string handling

I read here http://www.mail-archive.com/[EMAIL PROTECTED]/msg11199.html
someone
had a similar problem and his solution was to update curl as well , but i
can't
upgrade it because i get another funky error:

/usr/local/bin/libtool  --tag=CC--mode=link
  -O2 -pipe   -L/usr/local/lib -o curl main.o hugehelp.o urlglob.o
writeout.o writeenv.o getpass.o  homedir.o curlutil.o strtoofft.o strdup.o
../lib/libcurl.la  -lz
mkdir .libs
cc -O2 -pipe -o .libs/curl main.o hugehelp.o urlglob.o writeout.o writeenv.o
getpass.o homedir.o curlutil.o strtoofft.o
strdup.o  -L/usr/local/lib -L../lib/.libs -lcurl -lcrypto -lssl -lidn -licon
v -lz -Wl,-rpath,/usr/local/lib
main.o(.text+0x2ff): In function `file2string':
: warning: strcpy() is almost always misused, please use strlcpy()
/usr/local/lib/libcurl.so.3.3: warning: sprintf() is often misused, please
use snprintf()
main.o(.text+0x68b1): In function `my_get_line':
: warning: strcat() is almost always misused, please use strlcat()
main.o(.text+0x4752): In function `operate':
: undefined reference to `curl_easy_escape'
collect2: ld returned 1 exit status
*** Error code 1
Stop in /u/system/ports/net/curl/w-curl-7.16.2/curl-7.16.2/src (line 358 of
Makefile).
*** Error code 1
Stop in /u/system/ports/net/curl/w-curl-7.16.2/curl-7.16.2/src (line 279 of
Makefile).
*** Error code 1
Stop in /u/system/ports/net/curl/w-curl-7.16.2/curl-7.16.2 (line 374 of
Makefile).
*** Error code 1
Stop in /u/system/ports/net/curl (line 1924 of
/usr/ports/infrastructure/mk/bsd.port.mk).

I'd appreciate any help on how to continue
Thanks!



Re: clamav on 3.9

2007-06-28 Thread Stuart Henderson
On 2007/06/28 15:56, Marcos Laufer wrote:
 I'm trying to install the newest clamav (0.90.3) on OpenBSD 3.9 . I updated
 the sources, and managed to compile it . But when i try to install the package
 i get this error:

this is a variant of http://www.openbsd.org/faq/faq15.html#NoFun;

 Can't install /usr/ports/packages/i386/all/clamav-0.90.3p0.tgz: lib not
 found idn.16.15

You need to update some dependencies too. But, the time you would
spend doing this by hand would be better spent upgrading the OS to a
version that receives port updates.



Re: clamav on 3.9

2007-06-28 Thread Daniel Ouellet

I'm trying to install the newest clamav (0.90.3) on OpenBSD 3.9 . I updated


The clamav package for 3.9 is clamav-0.88.tgz

For 4.1 it is: clamav-0.90.tgz

Don't mix versions.

http://openbsd.org/faq/faq15.html#Latest



Fw: clamav on 3.9 [SOLVED]

2007-06-28 Thread Marcos Laufer
I just worked it out, sorry for the noise !

Just had to compile clamav again with the newest curl installed, and the
resulting clamav package worked just fine.



- Original Message - 
From: Marcos Laufer [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Thursday, June 28, 2007 4:11 PM
Subject: Fw: clamav on 3.9


I've managed to compile curl (just had to remove the old one first)

but I still can't install the clamav package, I still get the same error
message:


test:/usr/ports/security/clamav{95}# pkg_add
/usr/ports/packages/i386/all/clamav-0.90.3p0.tgz
Can't install /usr/ports/packages/i386/all/clamav-0.90.3p0.tgz: lib not
found curl.3.3
Even by looking in the dependency tree:
arc-5.21n, libidn-0.6.1, libiconv-1.9.2p3, bzip2-1.0.3,
zoo-2.10.1p0, unzip-5.52, lha-1.14i.ac20050924, gettext-0.14.5p1,
expat-1.95.6p1, gmp-4.1.4p0, curl-7.16.2
Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.
test:/usr/ports/security/clamav{96}#


- Original Message - 
From: Marcos Laufer [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Thursday, June 28, 2007 3:56 PM
Subject: clamav on 3.9


Hi there,

I'm trying to install the newest clamav (0.90.3) on OpenBSD 3.9. I updated
the sources, and managed to compile it. But when I try to install the
package I get this error:

 pkg_add /usr/ports/packages/i386/all/clamav-0.90.3p0.tgz
Can't install /usr/ports/packages/i386/all/clamav-0.90.3p0.tgz: lib not
found idn.16.15
Even by looking in the dependency tree:
lha-1.14i.ac20050924, unzip-5.52, arc-5.21n, gmp-4.1.4p0,
libiconv-1.9.2p3, bzip2-1.0.3, curl-7.15.3, zoo-2.10.1p0
Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.

And libidn is installed :
 pkg_info |grep libid
libidn-0.6.1internationalized string handling

I read here http://www.mail-archive.com/[EMAIL PROTECTED]/msg11199.html
someone had a similar problem and his solution was to update curl as well,
but I can't upgrade it because I get another funky error:

/usr/local/bin/libtool  --tag=CC--mode=link
  -O2 -pipe   -L/usr/local/lib -o curl main.o hugehelp.o urlglob.o
writeout.o writeenv.o getpass.o  homedir.o curlutil.o strtoofft.o strdup.o
../lib/libcurl.la  -lz
mkdir .libs
cc -O2 -pipe -o .libs/curl main.o hugehelp.o urlglob.o writeout.o writeenv.o
getpass.o homedir.o curlutil.o strtoofft.o
strdup.o  -L/usr/local/lib -L../lib/.libs -lcurl -lcrypto -lssl -lidn -licon
v -lz -Wl,-rpath,/usr/local/lib
main.o(.text+0x2ff): In function `file2string':
: warning: strcpy() is almost always misused, please use strlcpy()
/usr/local/lib/libcurl.so.3.3: warning: sprintf() is often misused, please
use snprintf()
main.o(.text+0x68b1): In function `my_get_line':
: warning: strcat() is almost always misused, please use strlcat()
main.o(.text+0x4752): In function `operate':
: undefined reference to `curl_easy_escape'
collect2: ld returned 1 exit status
*** Error code 1
Stop in /u/system/ports/net/curl/w-curl-7.16.2/curl-7.16.2/src (line 358 of
Makefile).
*** Error code 1
Stop in /u/system/ports/net/curl/w-curl-7.16.2/curl-7.16.2/src (line 279 of
Makefile).
*** Error code 1
Stop in /u/system/ports/net/curl/w-curl-7.16.2/curl-7.16.2 (line 374 of
Makefile).
*** Error code 1
Stop in /u/system/ports/net/curl (line 1924 of
/usr/ports/infrastructure/mk/bsd.port.mk).

I'd appreciate any help on how to continue
Thanks!



openbsd 4.0 installed, need to add network interface after install

2007-06-28 Thread John Mendenhall
openbsd gurus,

As the saga continues...
I have a newly built server with openbsd 4.0.
During installation, it did not find the onboard
lan interface, which I did not realize until after
the installation had completed.

I made sure the bios was set properly.  There
was no LAN option in the BIOS.

I assumed the onboard lan interface was bad.
This has happened before so I added a linksys
lan card in the system.

I rebooted.  I checked the BIOS for any LAN options.
Nothing.  I booted into openbsd.  No interfaces
created.

How do I get the system to discover the network
interface?

I have been searching the net for anything like
this and have not found anything that has worked.

Do I need to reinstall the system?
Or, is there some tool I can use to rediscover the
network interface so it gets setup properly?

Thanks in advance for any pointers you can provide.

JohnM

Here is my current dmesg:
--
OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm)  (AuthenticAMD 686-class, 256KB L2 cache) 1.01 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 527986688 (515612K)
avail mem = 473665536 (462564K)
using 4256 buffers containing 26501120 bytes (25880K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(08) BIOS, date 12/24/01, BIOS32 rev. 0 @ 0xfb420, 
SMBIOS rev. 2.2 @ 0xf0800 (31
entries)
bios0: VIA Technologies, Inc. VT8361
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdef4
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde70/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 10 11
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT8361 PCI rev 0x00
ppb0 at pci0 dev 1 function 0 VIA VT8361 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Trident CyberBlade i1 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100, channel 0 
configured to compatibility
, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: IC35L120AVV207-0
wd0: 16-sector PIO, LBA48, 117800MB, 241254720 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1 at pciide0 channel 1 drive 0: WDC WD1200JB-00DUA3
wd1: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: CD-ROM, CCD-52X6S, YSG1 SCSI0 5/cdrom removable
wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x1a: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x1a: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom0: console
biomask ffed netmask ffed ttymask ffef
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
--

-- 
john mendenhall
[EMAIL PROTECTED]
surf utopia
internet services



OpenBSD 4.0: isakmpd and immediate use of crls (without isakmpd restart)

2007-06-28 Thread catalin visinescu
Hello,
   
  I was wondering what is the best way to immediately use a newly received crl 
that contains a revoked certificate...
   
  Basically if I have 3 firewalls and one of them is compromised I will push a 
new crl on the 2 uncorrupted firewalls.
  The thing is that (even when I send them a HUP signal) isakmpd only uses the 
CRL when the next main-mode is performed.
   
  One thing I was thinking is to remove all IPSEC SAs
  echo T > /var/run/isakmpd.fifo
  Then find a way to remove all IKE SAs
  echo t main * > /var/run/isakmpd.fifo -- something like this... I don't
know yet how I could do that.
  However, it is a bit inconvenient because the connection between the two 
good firewalls is broken as well.
   
  I found this:
  http://archives.neohapsis.com/archives/openbsd/2002-10/1327.html
  but it doesn't help much in this case...
   
  I was looking through the isakmpd code and I could force this by changing 
sa.c file, sa_reinit function to remove all SAs not just phase 2 SAs on SIGHUP 
when Renegotiate-on-HUP is set. Again that would break all tunnels not just the 
one to the compromised firewall.
  But there must be a better way to do this.
   
  Thanks,
./catalin
   



Re: openbsd 4.0 installed, need to add network interface after install

2007-06-28 Thread stuart van Zee
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
 John Mendenhall
 Sent: Thursday, June 28, 2007 03:37 PM
 To: misc@openbsd.org
 Subject: openbsd 4.0 installed, need to add network interface after
 install
 
 
 openbsd gurus,
 
 As the saga continues...
 I have a newly built server with openbsd 4.0.
 During installation, it did not find the onboard
 lan interface, which I did not realize until after
 the installation had completed.
 
 I made sure the bios was set properly.  There
 was no LAN option in the BIOS.
 
 I assumed the onboard lan interface was bad.
 This has happened before so I added a linksys
 lan card in the system.
 
 I rebooted.  I checked the BIOS for any LAN options.
 Nothing.  I booted into openbsd.  No interfaces
 created.
 
 How do I get the system to discover the network
 interface?
 
 I have been searching the net for anything like
 this and have not found anything that has worked.
 
 Do I need to reinstall the system?
 Or, is there some tool I can use to rediscover the
 network interface so it gets setup properly?
 
 Thanks in advance for any pointers you can provide.
 
 JohnM
 
 Here is my current dmesg:
 --
 OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: AMD Athlon(tm)  (AuthenticAMD 686-class, 256KB L2 cache) 1.01 GHz
 cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,
 PSE36,MMX,FXSR,SSE
 real mem  = 527986688 (515612K)
 avail mem = 473665536 (462564K)
 using 4256 buffers containing 26501120 bytes (25880K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+(08) BIOS, date 12/24/01, BIOS32 rev. 0 
 @ 0xfb420, SMBIOS rev. 2.2 @ 0xf0800 (31
 entries)
 bios0: VIA Technologies, Inc. VT8361
 apm0 at bios0: Power Management spec V1.2
 apm0: AC on, battery charge unknown
 apm0: flags 70102 dobusy 1 doidle 1
 pcibios0 at bios0: rev 2.1 @ 0xf/0xdef4
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde70/128 (6 entries)
 pcibios0: PCI Exclusive IRQs: 10 11
 pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
 pcibios0: PCI bus #1 is the last bus
 bios0: ROM list: 0xc/0xc000 0xcc000/0x4000!
 cpu0 at mainbus0
 pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
 pchb0 at pci0 dev 0 function 0 VIA VT8361 PCI rev 0x00
 ppb0 at pci0 dev 1 function 0 VIA VT8361 AGP rev 0x00
 pci1 at ppb0 bus 1
 vga1 at pci1 dev 0 function 0 Trident CyberBlade i1 rev 0x00
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
 pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: 
 ATA100, channel 0 configured to compatibility
 , channel 1 configured to compatibility
 wd0 at pciide0 channel 0 drive 0: IC35L120AVV207-0
 wd0: 16-sector PIO, LBA48, 117800MB, 241254720 sectors
 wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
 wd1 at pciide0 channel 1 drive 0: WDC WD1200JB-00DUA3
 wd1: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
 atapiscsi0 at pciide0 channel 1 drive 1
 scsibus0 at atapiscsi0: 2 targets
 cd0 at scsibus0 targ 0 lun 0: CD-ROM, CCD-52X6S, YSG1 SCSI0 
 5/cdrom removable
 wd1(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
 cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
 uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x1a: irq 10
 usb0 at uhci0: USB revision 1.0
 uhub0 at usb0
 uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
 uhub0: 2 ports with 2 removable, self powered
 uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x1a: irq 10
 usb1 at uhci1: USB revision 1.0
 uhub1 at usb1
 uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
 uhub1: 2 ports with 2 removable, self powered
 viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40
 isa0 at pcib0
 isadma0 at isa0
 pckbc0 at isa0 port 0x60/5
 pckbd0 at pckbc0 (kbd slot)
 pckbc0: using irq 1 for kbd slot
 wskbd0 at pckbd0: console keyboard, using wsdisplay0
 pcppi0 at isa0 port 0x61
 midi0 at pcppi0: PC speaker
 spkr0 at pcppi0
 npx0 at isa0 port 0xf0/16: using exception 16
 pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
 pccom0: console
 biomask ffed netmask ffed ttymask ffef
 pctr: user-level cycle counter enabled
 mtrr: Pentium Pro MTRR support
 dkcsum: wd0 matches BIOS drive 0x80
 dkcsum: wd1 matches BIOS drive 0x81
 root on wd0a
 rootdev=0x0 rrootdev=0x300 rawdev=0x302
 --
 
 -- 
 john mendenhall
 [EMAIL PROTECTED]
 surf utopia
 internet services
 

John,

I'm far from a guru, but looking at your dmesg I don't see
a lan card there at all. Here are the first few steps:

  1- Check the hardware compatibility list to make sure the
     lan card is supported.
  2- Take a look and make sure the lan card is seated in its
     slot properly.  I have had this happen a few times with
     smaller cards not seating all the way (it's probably because
     of my fat paws).

btw, for an add on card, you 

Re: Intel Core 2

2007-06-28 Thread Rui Miguel Silva Seabra
Thanks very much!

On Thu, Jun 28, 2007 at 10:24:01AM +0200, Johan P. Lindstrvm wrote:
 rough translation from swedish to english of:
...



Re: SSH brute force attacks no longer being caught by PF rule

2007-06-28 Thread Martin Schröder

2007/6/28, J.D. Bronson [EMAIL PROTECTED]:

so if it won't write to a file... I presume it blocks
what's listed in /etc/tables/scanners permanently and then only
blocks NEW offenders via kernel memory?
(can someone clarify my understanding of that?)


Do you really need a file? In my experience blocking the offenders for
1h is enough; they very rarely come back later.

Best
  Martin



Re: logger time stamps

2007-06-28 Thread Craig Skinner
Solved with 'eval', details below:


On Thu, Jun 28, 2007 at 04:50:54PM +0100, Craig Skinner wrote:
 
 In the script I have:
 
 this=$(basename ${0})
 syslog=logger -t ${this}

syslog='logger -t ${this}'

 
 ..
 
 ping_hosts()
 {
 ..
 ..
   # if our router is not connected to the Internet, then log so
 if [[ ${notified} = 'false' ]]; then
 
 ${syslog} 'link down!'

eval ${syslog} 'link down!'

 send_mail 'down!'
 notified='true'
 fi
 
 ..
 ..
 ..
 
 
 reboot_router()
 {
 ${syslog} rebooting ${router}
 $(dirname ${0})/reboot/${router_connect}

eval ${syslog} 'rebooting ${router}'
eval $(dirname ${0})/reboot/${router_connect}

 
 # Give the router a chance to reboot & retrain
 sleep ${reboot_sleep}
 ping_router
 }
 
 reset_line()
 {
 ${syslog} line reset with account: ${1}
 $(dirname ${0})/reset/${router_connect} ${1}

eval ${syslog} 'line reset with account: ${1}'
eval $(dirname ${0})/reset/${router_connect} ${1}

 
 # Give the router a chance to retrain on the ADSL gateway
 sleep ${retrain_sleep}
 ping_router
 }
 
 
 
 ..
 
 

Jun 28 23:40:41 teak viagrad: start up
Jun 28 23:40:41 teak viagrad: loading config
Jun 28 23:40:43 teak viagrad: Internet link up! Gateway: 193.29.223.169

I pulled the phone cable:

Jun 28 23:41:04 juniper juniper: board 0 line 0 channel 0, call 26, C02 Call 
Terminated 
Jun 28 23:41:04 juniper juniper: ppp:LCP Closing
Jun 28 23:41:04 juniper juniper: ppp:IPCP Closing
Jun 28 23:42:05 teak viagrad: Internet link down!
Jun 28 23:45:06 teak viagrad: line reset with account: [EMAIL PROTECTED]

And put it back in:

Jun 28 23:45:37 juniper juniper: board 0 line 0 channel 0, call 34, C01 
Outgoing Call dev=5 ch=0  
Jun 28 23:45:37 juniper juniper: board 0 line 0 channel 0, call 34, C02 OutCall 
Connected 512000  
Jun 28 23:45:37 juniper juniper: ppp:LCP Starting
Jun 28 23:45:40 juniper juniper: ppp:LCP Opening
Jun 28 23:45:40 juniper juniper: ppp:CHAP Opening
Jun 28 23:45:40 juniper juniper: ppp:IPCP Starting
Jun 28 23:45:40 juniper juniper: ppp:IPCP Opening
Jun 28 23:45:51 teak viagrad: rebooting branch.juniper
Jun 28 23:46:38 juniper juniper: board 0 line 0 channel 0, call 8, C01 Outgoing 
Call dev=5 ch=0  
Jun 28 23:46:38 juniper juniper: board 0 line 0 channel 0, call 8, C02 OutCall 
Connected 512000  
Jun 28 23:46:38 juniper juniper: ppp:LCP Starting
Jun 28 23:46:38 juniper juniper: ppp:LCP Opening
Jun 28 23:46:38 juniper juniper: ppp:LCP Closing
Jun 28 23:46:41 juniper juniper: board 0 line 0 channel 0, call 8, C02 Call 
Terminated 
Jun 28 23:46:44 juniper juniper: board 0 line 0 channel 0, call 9, C01 Outgoing 
Call dev=5 ch=0  
Jun 28 23:46:44 juniper juniper: board 0 line 0 channel 0, call 9, C02 OutCall 
Connected 512000  
Jun 28 23:46:44 juniper juniper: ppp:LCP Starting
Jun 28 23:46:47 juniper juniper: ppp:LCP Opening
Jun 28 23:46:48 juniper juniper: ppp:CHAP Opening
Jun 28 23:46:48 juniper juniper: ppp:IPCP Starting
Jun 28 23:46:48 juniper juniper: ppp:IPCP Opening
Jun 28 23:47:27 teak viagrad: line reset with account: [EMAIL PROTECTED]
Jun 28 23:47:36 juniper juniper: ppp:LCP Closing
Jun 28 23:47:36 juniper juniper: ppp:IPCP Closing
Jun 28 23:47:36 juniper juniper: board 0 line 0 channel 0, call 9, C02 Call 
Terminated 
Jun 28 23:47:38 juniper juniper: board 0 line 0 channel 0, call 10, C01 
Outgoing Call dev=5 ch=0  
Jun 28 23:47:38 juniper juniper: board 0 line 0 channel 0, call 10, C02 OutCall 
Connected 512000  
Jun 28 23:47:38 juniper juniper: ppp:LCP Starting
Jun 28 23:47:39 juniper juniper: board 0 line 0 channel 0, call 10, C02 Call 
Terminated 
Jun 28 23:47:50 juniper juniper: board 0 line 0 channel 0, call 11, C01 
Incoming Call 150  
Jun 28 23:47:53 juniper juniper: ppp:LCP Opening
Jun 28 23:47:55 juniper juniper: ppp:CHAP Opening
Jun 28 23:47:55 juniper juniper: ppp:IPCP Starting
Jun 28 23:47:55 juniper juniper: ppp:IPCP Opening
Jun 28 23:48:12 teak viagrad: Internet link up! Gateway: 193.29.223.169

-- 
Craig Skinner | http://www.kepax.co.uk | [EMAIL PROTECTED]
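
The eval forms in the script above differ in when ${1} is expanded, and that decides whether a value such as the account name stays data or is parsed again as shell source. An added example, not part of the original post: emit is a hypothetical stand-in for logger(1) so the block runs offline, and the account string is constructed.

```shell
#!/bin/sh
# Stand-in for logger(1) so the example runs offline: prints "tag: message".
# Assumption: in real use the body would be  logger -t "$_tag" "$*"
emit() {
    _tag=$1
    shift
    printf '%s: %s\n' "$_tag" "$*"
}

this=viagrad            # tag as it appears in the log excerpt above

# Form used in the post: the command is kept in a string for eval.
syslog='emit ${this}'

# Message single-quoted at the call site: eval performs the ${1} expansion
# itself, so the value is word-split but never parsed as shell syntax.
log_eval_deferred() {
    eval ${syslog} 'line reset with account: ${1}'
}

# Argument left unquoted outside any quotes: the shell expands ${1} first
# and eval then parses the result as source, metacharacters included.
run_eval_early() {
    eval emit helper ${1}
}

# Function wrappers: no eval, every argument stays a single datum.
log_fn() {
    emit "${this}" "$@"
}
run_fn() {
    emit helper "$1"
}

# Constructed sample value containing a shell metacharacter.
sample_acct='user@example.net; echo REPARSED'

printf 'deferred eval : %s\n' "$(log_eval_deferred "$sample_acct")"
printf 'early eval    : %s\n' "$(run_eval_early "$sample_acct" | tr '\n' '|')"
printf 'function      : %s\n' "$(run_fn "$sample_acct")"
```

Only the early-expansion form prints a second line, because the text after the semicolon was executed as a command; the function wrappers give the same tag handling without eval.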



bgpd and multihop

2007-06-28 Thread Jon Morby
I've just updated one of our routers from an end of May snapshot to a  
Jun 28th snapshot and have noticed that we seem to be having problems  
with our multihop sessions since the upgrade.


[EMAIL PROTECTED] bgpctl -n s rib 80.252.127.0/24
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination gateway  lpref   med aspath origin
I 80.252.127.0/24 84.246.195.116 200 0 65123 i
  80.252.127.0/24 84.246.195.116 200 0 65123 i

[EMAIL PROTECTED] bgpctl -n s rib det 80.252.127.0/24

BGP routing table entry for 80.252.127.0/24
65123
Nexthop 84.246.195.116 (via ?) from 80.252.124.1 (80.252.124.1)
Origin IGP, metric 0, localpref 200, internal
Last update: 00:19:45 ago
Community: 8282:200 8282:400 NO_EXPORT

BGP routing table entry for 80.252.127.0/24
65123
Nexthop 84.246.195.116 (via ?) from 84.246.195.116 (84.246.195.116)
Origin IGP, metric 0, localpref 200, external
Last update: 00:20:10 ago
Community: 8282:400 NO_EXPORT

whereas on our older trusty box

[EMAIL PROTECTED] bgpctl -n s rib 80.252.127.0/24
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination gateway  lpref   med aspath origin
*> 80.252.127.0/24 84.246.195.116 200 0 65123 i

[EMAIL PROTECTED] bgpctl -n s rib det 80.252.127.0/24

BGP routing table entry for 80.252.127.0/24
65123
Nexthop 84.246.195.116 (via 80.252.119.2) from 84.246.195.116  
(84.246.195.116)

Origin IGP, metric 0, localpref 200, external, valid, best
Last update: 5d21h14m ago
Community: 8282:400 NO_EXPORT


--
Jon Morby
FidoNet Registration Services Ltd
tel: 0845 004 3050 / fax: 0845 004 3051
web: http://www.fido.net/



Re: openbsd 4.1 and keep state

2007-06-28 Thread Ryan McBride
On Thu, Jun 28, 2007 at 02:56:33PM +0100, Stuart Henderson wrote:
 On 2007/06/28 15:45, Huzeyfe ONAL wrote:
  Use no state  in your rule.
 
 and 'flags any' if it's TCP.

You can set this explicitly if you'd like, but it's not necessary:
pfctl only applies 'flags S/SA' by default if the rule is stateful.



spamd patch

2007-06-28 Thread John Wong
I think the passtime should use now + passtime, not now + expire.
Is it correct?


Index: libexec/spamd/grey.c
===
RCS file: /cvs/src/libexec/spamd/grey.c,v
retrieving revision 1.39
diff -u -r1.39 grey.c
--- libexec/spamd/grey.c2007/03/18 18:38:57 1.39
+++ libexec/spamd/grey.c2007/06/17 06:07:45
@@ -846,7 +846,7 @@
gd.first = now;
gd.bcount = 1;
gd.pcount = spamtrap ? -1 : 0;
-   gd.pass = now + expire;
+   gd.pass = now + passtime;
gd.expire = now + expire;
memset(dbk, 0, sizeof(dbk));
dbk.size = strlen(lookup);
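
Review bot: The new `gd.pass = now + passtime;` sits in the same block as `gd.pcount = spamtrap ? -1 : 0;`, so it also applies to entries created for spamtraps, and the hunk shows neither what `expire` holds on that path nor where `gd.pass` is later compared against the clock. Before this goes in, name the reader of `gd.pass` that misbehaves with `now + expire`, and confirm that an entry created with pcount -1 cannot become eligible to pass sooner as a result. If the field only matters for non-trapped tuples, a one-line comment above the assignment saying so would settle the "Is it correct?" question for the next reader. The attachment was removed by demime, so the inline copy is the only one available for review.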
-

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of spamd-grey.c.patch]