Re: filesystems?
Also you can use ext2(3) filesystem for this purpose: BSD works quite OK with it (though with no journal support), Linux - ow, do you think it's not?:) - and there are some tools in the Internet to be able to read ext2 from Windows. Don't know about writing: you need to investigate it by yourself.

2007/9/3, stan [EMAIL PROTECTED]:

I'm trying to decide what filesystem to use on a USB drive. I'd like to be able to access the unit from OpenBSD, FreeBSD, Linux, and perhaps Windows. What is the intersection of the sets of filesystems supported by these various OS's?

--
I'm sorry, no one here has any intentions of helping you with anything. I am the manager of all of Customer Service.
Re: That whole Linux stealing our code thing
On Mon, Sep 03, 2007 at 12:35:18AM -0400, Dave Anderson wrote: The basis of your argument appears to be that you interpret the last paragraph above (starting with Alternatively) as explicit permission to replace all of the previous material (starting with Redistribution and use) with the GPLv2. Is this inference correct? The basis of your argument is thinking the copyright notice is anything more than (c) years, Fu Bar is mandatory and unchangeable. It is incorrect. The copyright notice is *only* (c) years, Fu Bar All rest is informational. Then a choice of licenses is offered to the receiver. If he only uses the software, neither affects him, but if he distributes, he either does it under the terms of the GPL v2 or under the terms of the BSD, or just as dual licensed. Actually, strictly speaking, the word *alternatively* might be interpreted in a more radical way as meaning you can't distribute in a dual licensed form, but I don't subscribe that. If he does distribute under the GNU GPL v2 and doesn't remove the licensed under the BSD, he's not being honest. IANAL, so I'm not going to speculate on the correct legal interpretation of this text; I will grant that, if it were ordinary speech, I can see how someone who tried hard enough could believe that interpretation. Actually, you do really have to try hard to justify *your* interpretation, since the meaning of *alternatively* and what a copyright notice is, is a little beyond reality. the license text in this case is, at the very least, behaving unethically. I actually think it's unethical to give a gift virtually without strings attached and then crying like a baby because people don't give back anything. Rui -- Hail Eris, Hack Linux! Today is Sweetmorn, the 27th day of Bureaucracy in the YOLD 3173 + No matter how much you do, you never do enough -- unknown + Whatever you do will be insignificant, | but it is very important that you do it -- Gandhi + So let's do it...?
Re: How to use (compact) flash cards with OpenBSD
I have gotten past all the problems I discussed in my original message to this list.

On the AMD/Tyan motherboard with the Addonics CF to SATA converter, what I did was purchase a Lexar Professional UDMA 300X CF card. This card is faster, and provides the UDMA interface that the motherboard and the OS like to use. I changed the cabling so that the flash card was the first disk (wd0 to OpenBSD), and I moved the SATA hard drive to wd1. For this first attempt, I put swap, /tmp, and /var onto partitions on wd1. wd0 (the flash), has /, /usr, and /home.

I was able to cleanly install OpenBSD and boot into it. It appears to work fine. I do get an error from savecore that wants to use wd0b, and I'll have to tweak that.

On an older i386 machine, I used another CF (actually it provides a PCMCIA) to IDE adaptor made by http://www.prestico.com/prod-cardmaster.htm

I used the Sandisk drive I wrote about previously. The sandisk CF card does not support UDMA. Again, made the CF card be wd0, and the hard drive be wd1, the partitions were as described above. Again, no problems installing OpenBSD, and running it.

Thanks to Nick Holland for suggesting making the flash card be wd0, and inspiring me to go try and find a UDMA CF card. And apologies to Nick and everyone for the poorly worded subject line on my original message.

Don

On 7/30/07, Don Jackson [EMAIL PROTECTED] wrote:

I have a Tyan S2881 Thunder K8SR motherboard (Opteron), and wd0 is a SATA hard disk (Western Digital), but I want to boot and run off a flash card. I have an Addonics SATA to CF adaptor (Model ADSACF) http://www.addonics.com/products/flash_memory_reader/adsacf.asp

The OpenBSD 4.1 installer (booted via PXEboot) seems to have a LOT of trouble with the flash drive (recognized as WD1). How can I make OpenBSD happy with this drive? The actual CF card is a SanDisk Ultra II 8Gb. I had zero problems installing and using a similar SanDisk card in a Soekris 4801, so I know that it must be possible to make this work.
How do I make OpenBSD happy with the flash disk? Do I need special BIOS settings? I had very similar problems with another IDE - Flash adaptor in a Pentium machine. Here is the log from the installer: Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved. Copyright (c) 1995-2007 OpenBSD. All rights reserved. http://www.OpenBSD.org OpenBSD 4.1-stable (RAMDISK_CD) #1: Sun May 27 13:25:48 PDT 2007 [EMAIL PROTECTED]:/home/openbsd/4.1/src/sys/arch/i386/compile/RAMDISK_CD cpu0: Dual Core AMD Opteron(tm) Processor 270 (AuthenticAMD 686-class, 1024KB L2 cache) 2 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3 cpu0: AMD erratum 89 present, BIOS upgrade may be required real mem = 2146988032 (2096668K) avail mem = 1953828864 (1908036K) using 4278 buffers containing 107474944 bytes (104956K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+ BIOS, date 05/23/06, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 
2.3 @ 0xf9830 (63 entries) bios0: TYAN S2881 Thunder K8SR Mainboard apm0 at bios0: Power Management spec V1.2 apm0: flags 30102 dobusy 0 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0x1 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf4d30/208 (11 entries) pcibios0: no compatible PCI ICU found: ICU vendor 0x1022 product 0x746b pcibios0: Warning, unable to fix up PCI interrupt routing pcibios0: PCI bus #3 is the last bus bios0: ROM list: 0xc/0x8000 0xc8000/0x4800 0xcc800/0x1800 0xce000/0x1800 0xcf800/0x1000 acpi at mainbus0 not configured cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) ppb0 at pci0 dev 6 function 0 AMD 8111 PCI-PCI rev 0x07 pci1 at ppb0 bus 3 ohci0 at pci1 dev 0 function 0 AMD 8111 USB rev 0x0b: irq 9, version 1.0, legacy support usb0 at ohci0: USB revision 1.0 uhub0 at usb0 uhub0: AMD OHCI root hub, rev 1.00/1.00, addr 1 uhub0: 3 ports with 3 removable, self powered ohci1 at pci1 dev 0 function 1 AMD 8111 USB rev 0x0b: irq 9, version 1.0, legacy support usb1 at ohci1: USB revision 1.0 uhub1 at usb1 uhub1: AMD OHCI root hub, rev 1.00/1.00, addr 1 uhub1: 3 ports with 3 removable, self powered pciide0 at pci1 dev 5 function 0 CMD Technology SiI3114 SATA rev 0x02: DMA pciide0: using irq 10 for native-PCI interrupt pciide0: port 0: device present, speed: 1.5Gb/s wd0 at pciide0 channel 0 drive 0: WDC WD2500YS-01SHB0 wd0: 16-sector PIO, LBA48, 239372MB, 490234752 sectors wd0(pciide0:0:0): using BIOS timings, Ultra-DMA mode 6 pciide0: port 1: device present, speed: 1.5Gb/s wd1 at pciide0 channel 1 drive 0: SanDisk SDCFH-8192 wd1: 4-sector PIO, LBA, 7815MB, 16007040 sectors wd1(pciide0:1:0): using BIOS timings, DMA mode 2 vga1 at pci1 dev 6 function 0 ATI Rage XL rev 0x27 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) pcib0 at pci0
ath5k license revised
http://marc.info/?l=linux-wireless&m=118857712529898&w=2
Re: That whole Linux stealing our code thing
Hi, On Sat, 01.09.2007 at 00:42:25 -0600, Theo de Raadt [EMAIL PROTECTED] wrote: So true, the license You use can't be removed. But when You get the dual-licensed software, when You start modifying it You arrange the licensing deal on terms of either first or second or both licenses. You choose the license You gain You rights from and after You accepted it, You can do whatever You want copyright until the law and the license You accepted prohibit. The license You didn't accept doesn't restrict You any way until otherwise stated by the developper. That is utterly false. with all due respect, but this is utterly true, this being the raison d'etre for dual- (or otherwise multi-) licensing *any* software in the first place. While I see what kind of a problem you are talking about, and it surely is an undesirable problem to be sure, the sole reason why BSD can't import back GPL'ed changes is that GPL'ed changes impose more conditions than does the BSD license. Or wrapped in a different way: Were you GPL'ing your code, you had _absolutely_no_ (legal) problems importing back those changes. The GPL ensures availability of source code (which is good!), but those are exactly the strings you opted to not attach to your software with the argument that this kind of force is non-free. Now, this implies that you consider the ability for a licensor to not give back code a freedom which the Linux community has taken the liberty to make use of, so why do you complain? Honestly, this imho is an ugly side-effect of what you were preaching all the years, but I cannot imagine that it is by evil intention. I hope Eben finds a way to resolve the problem in a way that doesn't draw the line between BSD on one and Linux on the other side. Imho, no-one needs a dog-fight between these two groups, and I also hope that no-one wants it, either, but I'm not so sure about that actually being the case. 
Weren't you complaining loudly about the absense of contributions from large companies every year when you started a new rally for donations (we donate, according to our feeble possibilities), and now you're claiming that the Linux folks are doing even more evil than those companies who not give back in any form, according to your statements, do? Because they release source code, but you opt to stay too far away to get it? They imho need to do it this way since it is essential for the legal integrity of their system (as much as you chose to not use such stuff for the very same reason). Are you just this very moment saying that you want to enforce a viral effect of the BSD license on Linux via covert action (you could, in theory, have published, thus lessened/avoided this problem *much* earlier)? Because this is what you arrive at, should enough lawyers feel that you are right and the Linux-folks feel unable to remove the BSD-derived code from their stuff. I have a very hard time swallowing that, and even in the name of freedom! I also have trouble with you playing the copyright law is the same, everywhere argument because this is really not true, and it's even a moving target (though generally moving in the wrong direction). And last, but not least, I'd like to paraphrase the old adage, that you seem to have forgotten: United we stand, divided we fall. There's a variation that goes like this: Two people quarreling makes the third (bystander) happy. Best, --Toni++
Re: ath5k license revised
Gregg Reynolds [EMAIL PROTECTED] writes:

http://marc.info/?l=linux-wireless&m=118857712529898&w=2

IANAL (nor a party to this so ICBW), but AFAICS the SFLC told them to DTRT.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: That whole Linux stealing our code thing
Hi! I just returned from vacation where I was offline for about two weeks. So I totally missed the incidence and all the surrounding discussion. I'm just digging through many many mails in my inbox from OpenBSD users and developers, Linux people, GNU/freesoftware people, misc *BSD people, and obviously from some trolls. I don't want to restart the discussion but I just want to say and repeat a few words: - I will not release or agree to release my code under either the GPL or any kind of a dual-license. - The ISC-style license must remain including the copyright notice and even the warranty term. - Thanks to the OpenBSD community and especially to Theo de Raadt for entering into it and for defending my rights as the author of the controversial code. - This is eating our time. Every few weeks I get a new discussion about licensing of the atheros driver etc. blah blah. Why can't they just accept the license as it is and focus on more important things? I will talk to different people to get the latest state and to think about the next steps. I don't even know if the issue has been solved in the linux tree. But PLEASE DON'T SPAM ME with any other mails about this, even if you want to help/support me, I will talk to the relevant people in private. Thanks! reyk On Fri, Aug 31, 2007 at 07:40:52PM -0600, Theo de Raadt wrote: [bcc'd to Eben Moglen so that people don't flood him] I stopped making public statements in the recent controversy because Eben Moglen started working behind the scenes to 'improve' what Linux people are doing wrong with licensing, and he asked me to give him pause, so his team could work. Honestly, I was greatly troubled by the situation, because even people like Alan Cox were giving other Linux developers advice to ... break the law. And furthermore, there are even greater potential risks for how the various communities interact. 
For the record -- I was right and the Linux developers cannot change the licenses in any of those ways proposed in those diffs, or that conversation (http://lkml.org/lkml/2007/8/28/157). It is illegal to modify a license unless you are the owner/author, because it is a legal document. If there are multiple owners/authors, they must all agree. A person who receives the file under two licenses can use the file in either way but if they distribute the file (modified or unmodified!), they must distribute it with the existing license intact, because the licenses we all use have statements which say that the license may not be removed. It may seem that the licenses let one _distribute_ it under either license, but this interpretation of the license is false -- it is still illegal to break up, cut up, or modify someone else's legal document, and, it cannot be replaced by another license because it may not be removed. Hence, a dual licensed file always remains dual licensed, every time it is distributed. Now I've been nice enough to give Eben and his team a few days time to communicate inside the Linux community, to convince them that what they have proposed/discussed is wrong at a legal level. I think that Eben also agrees with me that there are grave concerns about how this leads to problems at the ethical and community levels (at some level, a ethos is needed for Linux developers to work with *BSD developers). And there are possibilities that similar issues could loom in the larger open source communities who are writing applications. Eben has thus far chosen not to make a public statement, but since time is running out on people's memory, I am making one. Also, I feel that a lot of Linux relicencing meme-talkin' trolls basically have attacked me very unfairly again, so I am not going to wait for Eben to say something public about this. 
In http://lkml.org/lkml/2007/8/29/183, Alan Cox managed to summarize what Jiri Slaby and Luis Rodriguez were trying to do by proposing a modification of a Dual Licenced file without the consent of all the authors. Alan asks So whats the problem ?. Well, Alan, I must caution you -- your post is advising people to break the law. I will attempt to describe in simple terms, based on what I have been taught, how one must handle such licenses: - If you receive dual licensed code, you may not delete the license you don't like and then distribute it. It has to stay, because you may not edit someone's else's license -- which is a three-part legal document (For instance: Copyright notice, BSD, followed by GPL). - If you receive ISC or BSD licensed code, you may not delete the license. Same principle, since the notice says so. It's the law. Really. - If you add large pieces of originality to the code which are valid for copyright protection on their own, you may choose to put a different and seperate (must be non-conflicting...) license at the top of the file above the existing license. (Warning: things become less clear as
Re: IPSec
Hello,

Yeah, I bet it works beautifully with OBSD tunnels but I'm trying to create a tunnel between OBSD and ISA Server 2006 on VMWare Server.

    Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
    Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
    Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
    Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute

    --- /etc/ipsec.conf ---
    ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des \
        psk teste tag teste

In the ISA Server is configured correctly for the Phase-1 and Phase-2 encryptions and auths. Any help here?

On 8/31/07, Jeff Quast [EMAIL PROTECTED] wrote:

I tried to learn with HOWTO's, I didn't have the internet at home at the time. I printed out maybe 50 pages of various HOWTO's. When I got home, I found none of them were up to date with the current (easy) capabilities of OpenBSD using ipsec.conf and ipsecctl... I ended up learning how to do ipsec with just the manuals. You'd be amazed how easy it went.

On 8/31/07, José Costa [EMAIL PROTECTED] wrote:

Hello, Anyone knows a really good IPSec howto besides the man pages?
Re: That whole Linux stealing our code thing
Hannah Schroeter [EMAIL PROTECTED] writes: I guess he means writing own additions/modifications (thus creating a combined or derivative work), and releasing those *own* additions/modifications under the GPL. In the end, you can use the combined/derivative work only to the extent that's permitted by *both* licenses. The term embrace and extend comes to mind. //art
Re: IPSec
Hi,

On Mon, Sep 03, 2007 at 12:59:48PM +0100, José Costa wrote:

    Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
    Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
    Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
    Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute

isakmpd does not like the transforms for phase 2 proposed by the other peer. It seems that phase 2 has no group description.

    --- /etc/ipsec.conf ---
    ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des \
        psk teste tag teste

In the ISA Server is configured correctly for the Phase-1 and Phase-2 encryptions and auths. Any help here?

On 8/31/07, Jeff Quast [EMAIL PROTECTED] wrote:

I tried to learn with HOWTO's, I didn't have the internet at home at the time. I printed out maybe 50 pages of various HOWTO's. When I got home, I found none of them were up to date with the current (easy) capabilities of OpenBSD using ipsec.conf and ipsecctl... I ended up learning how to do ipsec with just the manuals. You'd be amazed how easy it went.

On 8/31/07, José Costa [EMAIL PROTECTED] wrote:

Hello, Anyone knows a really good IPSec howto besides the man pages?
Re: filesystems?
Salut, On Mon, Sep 03, 2007 at 08:46:37AM +0300, Ihar Hrachyshka wrote: Also you can use ext2(3) filesystem for this purpose: BSD works quite OK with it (though with no journal support), Linux - ow, do you think it's not?:) - and there are some tools in the Internet to be able to read ext2 from Windows. Don't know about writing: you need to investigate it by yourself. The same goes for ffs/ufs Tonnerre
Re: IPSec
How can I solve this? Any docs about it? Debugging? On 9/3/07, Hans-Joerg Hoexer [EMAIL PROTECTED] wrote: Hi, On Mon, Sep 03, 2007 at 12:59:48PM +0100, JosC) Costa wrote: Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute isakmpd does not like the transforms for phase 2 proposed by the other peer. It seems, that phase 2 has no group description. --- /etc/ipsec.conf --- ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \ main auth hmac-sha1 enc 3des group modp1024 \ quick auth hmac-sha1 enc 3des \ psk teste tag teste In the ISA Server is configured correctly for the Phase-1 and Phase-2 encriptions and auths. Any help here? On 8/31/07, Jeff Quast [EMAIL PROTECTED] wrote: I tried to learn with HOWTO's, I didnt have the internet at home at the time. I printed out maybe 50 pages of various HOWTO's. When I got home, I found none of them were up to date with the current (easy) capabilities of OpenBSD using ipsec.conf and ipsecctl... I ended up learning how to do ipsec with just the manuals. You'd be amazed how easy it went. On 8/31/07, JosC) Costa [EMAIL PROTECTED] wrote: Hello, Anyone knows a really good IPSec howto besides the man pages?
Re: IPSec
Hi, which transforms are configured on the ISA server for phase 2? On Mon, Sep 03, 2007 at 02:21:24PM +0100, Josi Costa wrote: How can I solve this? Any docs about it? Debugging? On 9/3/07, Hans-Joerg Hoexer [EMAIL PROTECTED] wrote: Hi, On Mon, Sep 03, 2007 at 12:59:48PM +0100, JosC) Costa wrote: Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute isakmpd does not like the transforms for phase 2 proposed by the other peer. It seems, that phase 2 has no group description. --- /etc/ipsec.conf --- ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \ main auth hmac-sha1 enc 3des group modp1024 \ quick auth hmac-sha1 enc 3des \ psk teste tag teste In the ISA Server is configured correctly for the Phase-1 and Phase-2 encriptions and auths. Any help here? On 8/31/07, Jeff Quast [EMAIL PROTECTED] wrote: I tried to learn with HOWTO's, I didnt have the internet at home at the time. I printed out maybe 50 pages of various HOWTO's. When I got home, I found none of them were up to date with the current (easy) capabilities of OpenBSD using ipsec.conf and ipsecctl... I ended up learning how to do ipsec with just the manuals. You'd be amazed how easy it went. On 8/31/07, JosC) Costa [EMAIL PROTECTED] wrote: Hello, Anyone knows a really good IPSec howto besides the man pages?
Re: IPSec
3des, sha1, PFS disabled. On 9/3/07, Hans-Joerg Hoexer [EMAIL PROTECTED] wrote: Hi, which transforms are configured on the ISA server for phase 2? On Mon, Sep 03, 2007 at 02:21:24PM +0100, JosC) Costa wrote: How can I solve this? Any docs about it? Debugging? On 9/3/07, Hans-Joerg Hoexer [EMAIL PROTECTED] wrote: Hi, On Mon, Sep 03, 2007 at 12:59:48PM +0100, JosC) Costa wrote: Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute Sep 3 13:49:55 obsd1 isakmpd[1074]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN Sep 3 13:49:55 obsd1 isakmpd[1074]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute isakmpd does not like the transforms for phase 2 proposed by the other peer. It seems, that phase 2 has no group description. --- /etc/ipsec.conf --- ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \ main auth hmac-sha1 enc 3des group modp1024 \ quick auth hmac-sha1 enc 3des \ psk teste tag teste In the ISA Server is configured correctly for the Phase-1 and Phase-2 encriptions and auths. Any help here? On 8/31/07, Jeff Quast [EMAIL PROTECTED] wrote: I tried to learn with HOWTO's, I didnt have the internet at home at the time. I printed out maybe 50 pages of various HOWTO's. When I got home, I found none of them were up to date with the current (easy) capabilities of OpenBSD using ipsec.conf and ipsecctl... I ended up learning how to do ipsec with just the manuals. You'd be amazed how easy it went. On 8/31/07, JosC) Costa [EMAIL PROTECTED] wrote: Hello, Anyone knows a really good IPSec howto besides the man pages?
Re: vmware cvs
Thank You for all your help, but i didn't have time to try it out. And today VirtualBox 1.5.0 came out which supports OpenBSD 4.x, so i'll use that one instead of VmWare. Gabri Mate [EMAIL PROTECTED] DUOSOL Bt. http://www.duosol.hu
Re: IPSec
On Mon, Sep 03, 2007 at 02:45:46PM +0100, José Costa wrote:

3des, sha1, PFS disabled.

ok, then enable pfs, use modp1024
Re: filesystems?
On Mon, 3 Sep 2007 16:10:52 +0300 Ihar Hrachyshka [EMAIL PROTECTED] wrote: 2007/9/3, Tonnerre LOMBARD [EMAIL PROTECTED]: Salut, On Mon, Sep 03, 2007 at 08:46:37AM +0300, Ihar Hrachyshka wrote: Also you can use ext2(3) filesystem for this purpose: BSD works quite OK with it (though with no journal support), Linux - ow, do you think it's not?:) - and there are some tools in the Internet to be able to read ext2 from Windows. Don't know about writing: you need to investigate it by yourself. The same goes for ffs/ufs Ow, please provide me with the link to Windows UFS software. I'll be glad to see it by myself. https://sourceforge.net/projects/ffsdrv/ -- I am chaos. I am the substance from which your artists and scientists build rhythms. I am the spirit with which your children and clowns laugh in happy anarchy. I am chaos. I am alive, and tell you that you are free. Eris, Goddess Of Chaos, Discord Confusion
Re: ath5k license revised
On 03/09/07, Gregg Reynolds [EMAIL PROTECTED] wrote:

http://marc.info/?l=linux-wireless&m=118857712529898&w=2

This is kinda old news: http://marc.info/?l=openbsd-misc&m=118866496716802&w=2

The interesting thing, though, is to notice that:

1. Jiri, the original author of the infamous GPLv2 patch, changed his GPLv2 to BSD (thanks!)
2. Nick, originally a good guy, changed his BSD and BSD/GPLv2 to GPLv2 only.

WTF? Why can't they both agree to use BSD, so that the modifications remain compatible with what it was forked from -- Reyk's ath(4) HAL in OpenBSD.

P.S. Also, see Reyk's response: http://marc.info/?l=openbsd-misc&m=118881908304473&w=2

Constantine.
Re: IPSec
    Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
    Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
    Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
    Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id ac1a0a53: 172.26.10.83, responder id 0a80/ff80: 10.0.0.128/255.255.255.128

Same thing: btw, ISA Server 2006 gives me this:

-- LOCAL

    Local Tunnel Endpoint: 172.26.10.83
    Remote Tunnel Endpoint: 172.26.10.82

    To allow HTTP proxy or NAT traffic to the remote site, the remote site configuration must contain the local site tunnel end-point IP address.

    IKE Phase I Parameters:
        Mode: Main mode
        Encryption: 3DES
        Integrity: SHA1
        Diffie-Hellman group: Group 2 (1024 bit)
        Authentication Method: Pre-shared secret (teste)
        Security Association Lifetime: 28800 seconds

    IKE Phase II Parameters:
        Mode: ESP tunnel mode
        Encryption: 3DES
        Integrity: SHA1
        Perfect Forward Secrecy: ON
        Diffie-Hellman group: Group 2 (1024 bit)
        Time Rekeying: ON
        Security Association Lifetime: 3600 seconds
        Kbyte Rekeying: OFF

    Remote Network 'OBSD1' IP Subnets:
        Subnet: 10.0.0.1/255.255.255.255
        Subnet: 10.0.0.2/255.255.255.254
        Subnet: 10.0.0.4/255.255.255.252
        Subnet: 10.0.0.8/255.255.255.248
        Subnet: 10.0.0.16/255.255.255.240
        Subnet: 10.0.0.32/255.255.255.224
        Subnet: 10.0.0.64/255.255.255.192
        Subnet: 10.0.0.128/255.255.255.128

    Local Network 'Internal' IP Subnets:
        Subnet: 10.0.1.0/255.255.255.0

    Routable Local IP Addresses:
        Subnet: 10.0.1.0/255.255.255.0

-- REMOTE --

    Local Tunnel Endpoint: 172.26.10.82
    Remote Tunnel Endpoint: 172.26.10.83

    IKE Phase I Parameters:
        Mode: Main mode
        Encryption: 3DES
        Integrity: SHA1
        Diffie-Hellman group: Group 2 (1024 bit)
        Authentication Method: Pre-shared secret (teste)
        Security Association Lifetime: 28800 seconds

    IKE Phase II Parameters:
        Mode: ESP tunnel mode
        Encryption: 3DES
        Integrity: SHA1
        Perfect Forward Secrecy: ON
        Diffie-Hellman group: Group 2 (1024 bit)
        Time Rekeying: ON
        Security Association Lifetime: 3600 seconds
        Kbyte Rekeying: OFF

    Site-to-Site Network IP Subnets:
        Subnet: 10.0.1.0/255.255.255.0

I've defined only the Class C of 10.0.0.1 to 10.0.0.255 and there's a lot of subnets! Maybe that's the issue?

On 9/3/07, Hans-Joerg Hoexer [EMAIL PROTECTED] wrote:

On Mon, Sep 03, 2007 at 02:45:46PM +0100, José Costa wrote:

3des, sha1, PFS disabled.

ok, then enable pfs, use modp1024
Re: ath5k license revised
On 03/09/07, Peter N. M. Hansteen [EMAIL PROTECTED] wrote:

Gregg Reynolds [EMAIL PROTECTED] writes:

http://marc.info/?l=linux-wireless&m=118857712529898&w=2

IANAL (nor a party to this so ICBW), but AFAICS the SFLC told them to DTRT.

In this whole discussion, I really like the following quote from a response to Luis' email regarding SFLC involvement...

Al Viro [EMAIL PROTECTED]: if you have to rely on SFLC for licensing decisions... Ouch.

http://lkml.org/lkml/2007/9/1/222

Yes. Ouch.

C.
Re: IPSec
Hi,

On Mon, Sep 03, 2007 at 03:11:35PM +0100, José Costa wrote:

    Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
    Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
    Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
    Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id ac1a0a53: 172.26.10.83, responder id 0a80/ff80: 10.0.0.128/255.255.255.128

isakmpd tells you that the peer sent the wrong phase 2 ID. Here, you tell ISA to propose these IDs, but...

    Remote Network 'OBSD1' IP Subnets:
        Subnet: 10.0.0.1/255.255.255.255
        Subnet: 10.0.0.2/255.255.255.254
        Subnet: 10.0.0.4/255.255.255.252
        Subnet: 10.0.0.8/255.255.255.248
        Subnet: 10.0.0.16/255.255.255.240
        Subnet: 10.0.0.32/255.255.255.224
        Subnet: 10.0.0.64/255.255.255.192
        Subnet: 10.0.0.128/255.255.255.128

here you tell isakmpd to accept only 10.0.1.0/24, which is never proposed by the peer:

    --- /etc/ipsec.conf ---
    ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des \
        psk teste tag teste

To get started, tell ISA to only use one remote subnet, ie. 10.0.1.0/24
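Added example (not part of any poster's message, and not OpenBSD or ISA Server code): a Python check of the phase 2 ID mismatch discussed in this thread. It shows that the address range 10.0.0.1 to 10.0.0.255 splits into exactly the eight subnets ISA listed, none of which equals the 10.0.0.0/24 in ipsec.conf. `check_phase2_ids` is a hypothetical helper, and it assumes the responder accepts only a phase 2 ID identical to its configured network.

```python
import ipaddress

# Values copied from the thread: the "Remote Network 'OBSD1'" subnets listed
# by ISA Server, and the OpenBSD-side network from /etc/ipsec.conf.
ISA_REMOTE_SUBNETS = [
    "10.0.0.1/255.255.255.255",
    "10.0.0.2/255.255.255.254",
    "10.0.0.4/255.255.255.252",
    "10.0.0.8/255.255.255.248",
    "10.0.0.16/255.255.255.240",
    "10.0.0.32/255.255.255.224",
    "10.0.0.64/255.255.255.192",
    "10.0.0.128/255.255.255.128",
]
OPENBSD_LOCAL_NET = "10.0.0.0/24"


def range_to_subnets(first, last):
    """Split an inclusive address range into the minimal list of CIDR blocks."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(b) for b in blocks]


def check_phase2_ids(proposed, configured):
    """Compare the subnets one peer would propose as phase 2 IDs with the
    single network configured on the other side.

    Hypothetical helper written for this example. Assumption: the responder
    only accepts an ID that is identical to its configured network.
    """
    want = ipaddress.ip_network(configured)
    nets = [ipaddress.ip_network(p) for p in proposed]

    # Adjacent, aligned blocks are merged; blocks that cannot merge stay apart.
    merged = [str(n) for n in ipaddress.collapse_addresses(nets)]

    covered = set()
    for net in nets:
        covered.update(net)  # iterating a network yields every address in it

    missing = sorted(a for a in want if a not in covered)
    outside = sorted(a for a in covered if a not in want)
    return {
        "exact_match": nets == [want],
        "merged": merged,
        "missing": [str(a) for a in missing],
        "outside": [str(a) for a in outside],
    }


if __name__ == "__main__":
    # The range entered on the ISA side, as described in the thread.
    print("10.0.0.1 - 10.0.0.255 splits into:")
    for block in range_to_subnets("10.0.0.1", "10.0.0.255"):
        print("   ", block)

    # Starting the range at the network address gives a single block.
    print("10.0.0.0 - 10.0.0.255 splits into:",
          range_to_subnets("10.0.0.0", "10.0.0.255"))

    result = check_phase2_ids(ISA_REMOTE_SUBNETS, OPENBSD_LOCAL_NET)
    print("exact match with", OPENBSD_LOCAL_NET, ":", result["exact_match"])
    print("addresses of", OPENBSD_LOCAL_NET, "not covered:", result["missing"])
```
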
Re: filesystems?
I'm trying to decide what filesystem to use on a USB drive. I'd like to be able to access the unit from OpenBSD, FreeBSD, Linux, and perhaps Windows. What is the intersection of the sets of filesystems supported by these various OS's? By the way, if you want to use OpenBSD to format a USB drive as FAT32, then edit the MBR partition table as described at http://marc.info/?l=openbsd-misc&m=118379731620389 and run newfs_msdos
# newfs_msdos -F 32 -u 63 /dev/rsd0i
(note, this line assumes that the drive is device sd0)
Re: ath5k license revised
Constantine A. Murenin [EMAIL PROTECTED] writes: In this whole discussion, I really like the following quote from a response to Luis' email regarding SFLC involvement... At first blush it looks to me like the SFLC at least must have emphasized that the originators' wishes are to be respected. By volume at least most of the public discussion has been from and between people who have not themselves contributed code. It remains to be seen if the (apparently SFLC recommended) commit referenced upthread is actually acceptable to the originators involved. Al Viro [EMAIL PROTECTED]: if you have to rely on SFLC for licensing decisions... Ouch. http://lkml.org/lkml/2007/9/1/222 Yes. Ouch. At least some degree of agreement between the two camps then. :) I've kept repeating over the years that license issues revolve for a large part around having a measure of basic respect for other people, specifically those who make useful code for others to use. Episodes like these are tiring at least (distracting from other important task for me at least) and to some extent painful, but if this one leads to an SFLC statement saying respecting the wishes of those who use other licenses than GPL is essential or words to that effect, it may actually end up doing some good for all of us. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: filesystems?
On Monday 03 September 2007 at 16:10 +0200, Jona Joachim wrote: On Mon, 3 Sep 2007 16:10:52 +0300 Ihar Hrachyshka [EMAIL PROTECTED] wrote: 2007/9/3, Tonnerre LOMBARD [EMAIL PROTECTED]: Salut, On Mon, Sep 03, 2007 at 08:46:37AM +0300, Ihar Hrachyshka wrote: Also you can use ext2(3) filesystem for this purpose: BSD works quite OK with it (though with no journal support), Linux - ow, do you think it's not?:) - and there are some tools in the Internet to be able to read ext2 from Windows. Don't know about writing: you need to investigate it by yourself. The same goes for ffs/ufs Ow, please provide me with the link to Windows UFS software. I'll be glad to see it by myself. https://sourceforge.net/projects/ffsdrv/ But linux is not able to write to ufs/ffs file system. http://en.wikipedia.org/wiki/Berkeley_Fast_File_System#Implementations I think fat32 is a good choice: you have nothing to install.
Re: IPSec
Okay, I've altered the range from 10.0.0.1 to 10.0.0.255 - 10.0.0.0 to 10.0.0.255.
FLOWS:
flow esp in from 172.26.10.83 to 10.0.0.0/24 peer 172.26.10.83 srcid obsd1.my.domain dstid 172.26.10.83/32 type use
flow esp out from 10.0.0.0/24 to 172.26.10.83 peer 172.26.10.83 srcid obsd1.my.domain dstid 172.26.10.83/32 type require
SAD:
esp tunnel from 172.26.10.83 to 172.26.10.82 spi 0x3fe97772 auth hmac-sha1 enc 3des-cbc
esp tunnel from 172.26.10.82 to 172.26.10.83 spi 0x981a7980 auth hmac-sha1 enc 3des-cbc
BUT there's another error:
Sep 3 16:12:08 obsd1 isakmpd[16423]: exchange_run: exchange_validate failed
Sep 3 16:12:08 obsd1 isakmpd[16423]: dropped message from 172.26.10.83 port 500 due to notification type PAYLOAD_MALFORMED
On 9/3/07, Hans-Joerg Hoexer [EMAIL PROTECTED] wrote: Hi, On Mon, Sep 03, 2007 at 03:11:35PM +0100, José Costa wrote:
Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id ac1a0a53: 172.26.10.83, responder id 0a80/ff80: 10.0.0.128/255.255.255.128
isakmpd tells you that the peer sent the wrong phase 2 ID. Here, you tell ISA to propose these IDs, but...
Remote Network 'OBSD1' IP Subnets:
Subnet: 10.0.0.1/255.255.255.255
Subnet: 10.0.0.2/255.255.255.254
Subnet: 10.0.0.4/255.255.255.252
Subnet: 10.0.0.8/255.255.255.248
Subnet: 10.0.0.16/255.255.255.240
Subnet: 10.0.0.32/255.255.255.224
Subnet: 10.0.0.64/255.255.255.192
Subnet: 10.0.0.128/255.255.255.128
here you tell isakmpd to accept only 10.0.1.0/24, which is never proposed by the peer:
--- /etc/ipsec.conf ---
ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
	main auth hmac-sha1 enc 3des group modp1024 \
	quick auth hmac-sha1 enc 3des \
	psk teste tag teste
To get started, tell ISA to only use one remote subnet, i.e. 10.0.1.0/24
Re: filesystems?
2007/9/3, The One [EMAIL PROTECTED]: FAT32. And everyone can be compiled to read NTFS; Linux can even write to it. Best Martin
Re: vmware cvs
The problem is not VMWare... it's your setup. I have 8 guests running 3.8 - 4.1 running on ESX 3.0.1, all of them can grab stuff from CVS without an issue. Unless you fix the problem, you'll experience the same results running VirtualBox guests. Gábri Máté wrote: Thank You for all your help, but i didn't have time to try it out. And today VirtualBox 1.5.0 came out which supports OpenBSD 4.x, so i'll use that one instead of VmWare. Gabri Mate [EMAIL PROTECTED] DUOSOL Bt. http://www.duosol.hu
Re: IPSec
Attached.
On 9/3/07, Hans-Joerg Hoexer [EMAIL PROTECTED] wrote: Hi, could you please run isakmpd with the -L (see isakmpd(8)) flag and could you provide we the generated pcap file?
On Mon, Sep 03, 2007 at 04:17:22PM +0100, José Costa wrote: Okay, I've altered the range from 10.0.0.1 to 10.0.0.255 - 10.0.0.0 to 10.0.0.255.
FLOWS:
flow esp in from 172.26.10.83 to 10.0.0.0/24 peer 172.26.10.83 srcid obsd1.my.domain dstid 172.26.10.83/32 type use
flow esp out from 10.0.0.0/24 to 172.26.10.83 peer 172.26.10.83 srcid obsd1.my.domain dstid 172.26.10.83/32 type require
SAD:
esp tunnel from 172.26.10.83 to 172.26.10.82 spi 0x3fe97772 auth hmac-sha1 enc 3des-cbc
esp tunnel from 172.26.10.82 to 172.26.10.83 spi 0x981a7980 auth hmac-sha1 enc 3des-cbc
BUT there's another error:
Sep 3 16:12:08 obsd1 isakmpd[16423]: exchange_run: exchange_validate failed
Sep 3 16:12:08 obsd1 isakmpd[16423]: dropped message from 172.26.10.83 port 500 due to notification type PAYLOAD_MALFORMED
On 9/3/07, Hans-Joerg Hoexer [EMAIL PROTECTED] wrote: Hi, On Mon, Sep 03, 2007 at 03:11:35PM +0100, José Costa wrote:
Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE: KEY_EXCH payload without a group desc. attribute
Sep 3 15:05:16 obsd1 isakmpd[25239]: dropped message from 172.26.10.83 port 500 due to notification type NO_PROPOSAL_CHOSEN
Sep 3 15:05:16 obsd1 isakmpd[25239]: responder_recv_HASH_SA_NONCE: peer proposed invalid phase 2 IDs: initiator id ac1a0a53: 172.26.10.83, responder id 0a80/ff80: 10.0.0.128/255.255.255.128
isakmpd tells you that the peer sent the wrong phase 2 ID. Here, you tell ISA to propose these IDs, but...
Remote Network 'OBSD1' IP Subnets:
Subnet: 10.0.0.1/255.255.255.255
Subnet: 10.0.0.2/255.255.255.254
Subnet: 10.0.0.4/255.255.255.252
Subnet: 10.0.0.8/255.255.255.248
Subnet: 10.0.0.16/255.255.255.240
Subnet: 10.0.0.32/255.255.255.224
Subnet: 10.0.0.64/255.255.255.192
Subnet: 10.0.0.128/255.255.255.128
here you tell isakmpd to accept only 10.0.1.0/24, which is never proposed by the peer:
--- /etc/ipsec.conf ---
ike dynamic esp from 10.0.0.0/24 to 10.0.1.0/24 peer 172.26.10.83 \
	main auth hmac-sha1 enc 3des group modp1024 \
	quick auth hmac-sha1 enc 3des \
	psk teste tag teste
To get started, tell ISA to only use one remote subnet, i.e. 10.0.1.0/24
tcpdump: WARNING: snaplen raised from 96 to 65536
17:12:40.500794 172.26.10.83.500 172.26.10.82.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
	cookie: 45e904f3a6260510-116cb8bcab6a79b2 msgid: 518e3038 len: 292
	payload: HASH len: 24
	payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
	    payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x17b3274e
	        payload: TRANSFORM len: 32
	            transform: 1 ID: 3DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 0e10
	                attribute ENCAPSULATION_MODE = TUNNEL
	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
	                attribute GROUP_DESCRIPTION = 2
	payload: KEY_EXCH len: 132
	payload: NONCE len: 24
	payload: ID len: 12 type: IPV4_ADDR = 172.26.10.83
	payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.0.0/255.255.255.0 [ttl 0] (id 1, len 320)
17:12:40.510601 172.26.10.82.500 172.26.10.83.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
	cookie: 45e904f3a6260510-116cb8bcab6a79b2 msgid: 518e3038 len: 292
	payload: HASH len: 24
	payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
	    payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xeb318a59
	        payload: TRANSFORM len: 32
	            transform: 1 ID: 3DES
	                attribute LIFE_TYPE = SECONDS
	                attribute LIFE_DURATION = 0e10
	                attribute ENCAPSULATION_MODE = TUNNEL
	                attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
	                attribute GROUP_DESCRIPTION = 2
	payload: NONCE len: 24
	payload: KEY_EXCH len: 132
	payload: ID len: 12 type: IPV4_ADDR = 172.26.10.83
	payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.0.0.0/255.255.255.0 [ttl 0] (id 1, len 320)
17:12:40.530390 172.26.10.83.500 172.26.10.82.500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
	cookie: 45e904f3a6260510-116cb8bcab6a79b2 msgid: 518e3038 len: 52
	payload: HASH len: 24 [ttl 0] (id 1, len 80)
17:59:32.728642 172.26.10.83.500
Re: Unable to connect to the the ISP
Again some progress. I know this is a newbie blunder, but I entered my username and password as 'username' and 'password' instead of username and password. I still think it's worth mentioning in this mailing list for possible future mistakes of newbies such as myself. As a result of this important change in /etc/hostname.pppoe0, I managed to get a valid IP address from my provider. However, I still cannot access the inet via any service, be it ping, telnet, ftp or http. In the ifconfig the one-before-last line of pppoe0 shows inet AAA.AAA.AAA.AAA -- 0.0.0.1 netmask 0xff00 where AAA.AAA.AAA.AAA is my valid IP address. Do I need to enter a different gateway or is 0.0.0.1 good enough? Thanks, Amit.
Re: Xorg7 and driver CA0106 in OpenBSD ?
On Mon, Sep 03, 2007 at 04:34:58PM +0200, Nicolas Letellier wrote: - I see that soundcards based on chipset CA0406 don't work for the moment. On the other hand, i see a driver (GPL) for FreeBSD? Could it be include in next versions of OpenBSD ? Or this driver is too different for it ? I'm not aware of such a driver for FreeBSD, could you give me a pointer to the source code? I'm currently trying to get the datasheet of the ca0106, if I get it I'll try to write a driver. -- Alexandre
Re: Xorg7 and driver CA0106 in OpenBSD ?
On 9/3/07, Nicolas Letellier [EMAIL PROTECTED] wrote: Hello guys, I have two questions : - do you have an idea for the integration of Xorg 7 in OpenBSD ? In 4.2 release ? OpenBSD 4.2 will have xorg 7.2 under the name xenocara http://www.xenocara.com/ Sam Fourman Jr.
Re: kernel rebuild - and rebuild userland?
On Mon, 3 Sep 2007, Kevin Cheng wrote: John, I have seen your thread at misc for question about rebuilding userland. If files inside /usr/src/sys/dev/usb have been altered due to backport (from 4.1 to 4.0), do I need to build userland too? Hi Kevin, I'm cc:'ing this back to misc. Your question is slightly different from mine. I had asked about rebuilding userland after updating patches. You are backporting, not just patching, and may need to rebuild userland to avoid issues. Others on this list should have more informative answers. John Thou shalt not partake of decaf!--The Descendents
Re: X Windows and Multihead Display
On 9/3/07, Matthieu Herrb [EMAIL PROTECTED] wrote: On 9/2/07, Aaron Hsu [EMAIL PROTECTED] wrote: Hello All, I guess I'm doing some strange things here, and I hope that they are not going to come back to bite me. :-) Goal: To have an X Windows Two Monitor, One Video Card system running Hardware: Macbook Pro 2.16ghz Intel Core Duo w/ ATI Radeon Mobility X1600 So far, the only way I have been able to get my system to work has been to run `X -configure' and then use the generated x.org configuration file in /etc/X11/xorg.conf. This has some problems. 1) Resolution is an ugly 1400x1050 (should be 1680x1050). 2) Display driver is Vesa 3) My external LCD (Apple HD Display) monitor is not recognized. This is becoming a FAQ, but apparently things have not been said loudly enough yet to be found by the search engines while you were doing your homework. The ATI X1600 chipset is not supported by the radeon driver in X.Org, only by the vesa driver for now. A new driver (avivo) is being developed, and hopefully will be supported on OpenBSD in the future, but not yet. The vesa driver only supports modes known by the BIOS. It does not use modelines you may add to your xorg.conf. So if the Xorg.0.log file shows that a 1680x1050 mode is present in your bios, you should be able to use it... If the mode that matches your monitor's native resolution is not present in the BIOS, you're on your own. Tools like i915resolution *may* work to patch the bios to replace one useless mode by the mode you're looking for. Hmm and I forgot: the vesa driver doesn't support multi-head on one card with dual outputs. (It does support multi-head with 2 physical cards, but this doesn't count in the laptop case).
Re: X Windows and Multihead Display
On 9/2/07, Aaron Hsu [EMAIL PROTECTED] wrote: Hello All, I guess I'm doing some strange things here, and I hope that they are not going to come back to bite me. :-) Goal: To have an X Windows Two Monitor, One Video Card system running Hardware: Macbook Pro 2.16ghz Intel Core Duo w/ ATI Radeon Mobility X1600 So far, the only way I have been able to get my system to work has been to run `X -configure' and then use the generated x.org configuration file in /etc/X11/xorg.conf. This has some problems. 1) Resolution is an ugly 1400x1050 (should be 1680x1050). 2) Display driver is Vesa 3) My external LCD (Apple HD Display) monitor is not recognized. This is becoming a FAQ, but apparently things have not been said loudly enough yet to be found by the search engines while you were doing your homework. The ATI X1600 chipset is not supported by the radeon driver in X.Org, only by the vesa driver for now. A new driver (avivo) is being developed, and hopefully will be supported on OpenBSD in the future, but not yet. The vesa driver only supports modes known by the BIOS. It does not use modelines you may add to your xorg.conf. So if the Xorg.0.log file shows that a 1680x1050 mode is present in your bios, you should be able to use it... If the mode that matches your monitor's native resolution is not present in the BIOS, you're on your own. Tools like i915resolution *may* work to patch the bios to replace one useless mode by the mode you're looking for. -- Matthieu Herrb
routing question
Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? TIA Paolo
Re: routing question
On 9/3/07 2:15 PM, Paolo Supino wrote: Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? One possible issue is that the default config for OpenVPN uses unroutable addresses out of RFC 1918 space. I believe the default config file uses 172.16.111.0/29 or something like that. Routers should never forward packets to RFC 1918 addresses across the public Internet; it's a best practice to filter them. Remote OpenVPN traffic looks like it comes from 172.16.111.something, and the main office router will quite properly drop traffic destined there. You're either going to need to NAT your VPN traffic or (far better, if you can) get enough public IPv4 or IPv6 addresses not to mess with NAT. dn
Re: routing question
On 2007/09/03 17:15, Paolo Supino wrote: I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? Probably, a route on the OpenVPN clients to the branch office network. You can push this from the central OpenVPN box.
Re: filesystems?
Salut, On Mon, Sep 03, 2007 at 05:10:57PM +0200, Eric Elena wrote: I think fat32 is a good choice: you have nothing to install. Did you ever have to debug a deep directory structure where something caused all directory to become files? On a 500G disk? Fun. Tonnerre
Re: routing question
On 9/3/07 3:28 PM, Paolo Supino wrote: Hi David It's true that all IP addresses are in the 10.x.x.x private address space that isn't supposed to be routed on the Internet, but in all the connections over the Internet the only visible addresses are the public ones (otherwise the VPNs wouldn't be working): Main and branch office public IP addresses and what ever the road warriors receive when connecting their laptops, either at home or at a client's site. The branch's firewall NATs the branch office 10.x.x.x address space on its external interface, but I don't see how that would cause routing problems between the 2 VPNs. Per Stuart's suggestion, check your VPN clients' routing tables with netstat -f inet -nr | more and determine whether they have a path to your main office. Same thing for servers at the main office trying to reach the VPN clients. traceroute might be helpful (or might not; lots of places filter ICMP). dn
Re: routing question
Hi David It's true that all IP addresses are in the 10.x.x.x private address space that isn't supposed to be routed on the Internet, but in all the connections over the Internet the only visible addresses are the public ones (otherwise the VPNs wouldn't be working): Main and branch office public IP addresses and what ever the road warriors receive when connecting their laptops, either at home or at a client's site. The branch's firewall NATs the branch office 10.x.x.x address space on its external interface, but I don't see how that would cause routing problems between the 2 VPNs. TIA Paolo David Newman wrote: On 9/3/07 2:15 PM, Paolo Supino wrote: Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? One possible issue is that the default config for OpenVPN uses unroutable addresses out of RFC 1918 space. I believe the default config file uses 172.16.111.0/29 or something like that. Routers should never forward packets to RFC 1918 addresses across the public Internet; it's a best practice to filter them. Remote OpenVPN traffic looks like it comes from 172.16.111.something, and the main office router will quite properly drop traffic destined there. You're either going to need to NAT your VPN traffic or (far better, if you can) get enough public IPv4 or IPv6 addresses not to mess with NAT. dn
Re: filesystems?
Ho so I'm not the only one :) On 9/4/07, Tonnerre LOMBARD [EMAIL PROTECTED] wrote: Salut, On Mon, Sep 03, 2007 at 05:10:57PM +0200, Eric Elena wrote: I think fat32 is a good choice: you have nothing to install. Did you ever have to debug a deep directory structure where something caused all directory to become files? On a 500G disk? Fun. Tonnerre -- Julien Cabillot
Re: routing question
Hi David I do push the route to the OpenVPN clients and I do have the route back on the servers in the main office. To be sure I ran a sniffer on a server in the main office to see if any traffic reaches the server from the VPN client and the sniffer showed nothing reached the server. It's not a firewalling issue in either the main or branch offices as the same type of traffic (ping in this case) worked fine from a desktop in the branch office. TIA Paolo David Newman wrote: On 9/3/07 3:28 PM, Paolo Supino wrote: Hi David It's true that all IP addresses are in the 10.x.x.x private address space that isn't supposed to be routed on the Internet, but in all the connections over the Internet the only visible addresses are the public ones (otherwise the VPNs wouldn't be working): Main and branch office public IP addresses and what ever the road warriors receive when connecting their laptops, either at home or at a client's site. The branch's firewall NATs the branch office 10.x.x.x address space on its external interface, but I don't see how that would cause routing problems between the 2 VPNs. Per Stuart's suggestion, check your VPN clients' routing tables with netstat -f inet -nr | more and determine whether they have a path to your main office. Same thing for servers at the main office trying to reach the VPN clients. traceroute might be helpful (or might not; lots of places filter ICMP). dn
Centralized ports collection server
Dear gentlemen, I would like to set up a single box in my network to keep synchronized with the ports collection infrastructure. My idea is to export the directory /usr/ports to all my locally connected machines. So, there would be no need to sync them all. I would like to be able to build the utilities/lib/etc once and be able to install them on every machine with the same hardware/OS version. Is that possible? How should my /etc/exports control configuration file look? Thanks in advance. PS: Is this an elegant way to achieve a low-stress environment?
Re: routing question
On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote: Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing?
I'll bet you don't have some flows set up in ipsec.conf to handle it. Here is a simple ipsec.conf from one end of an ipsec tunnel where OpenVPN clients also login:
ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 250.101.222.1
The first line adds the OpenVPN network to the mix. Needless to say the other end of the tunnel has an ipsec.conf that makes sure that traffic can return. Fictional addresses used to protect the innocent... Does that help? Please reply to the list. I am subscribed and don't need a cc, thanks. Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: filesystems?
Peter N. M. Hansteen wrote: On the other hand, on some units long filenames ended up with MS-DOS style 8.3 file names until I recreated the file system on them (newfs -t msdos). Fortunately my new 4GB unit did not have that problem. Also, it's worth noting that Vista and I think XP SP2 won't create a FAT32 partition above 32gb. If you create a 32gb partition with other tools the large partition will work just fine under Windows though.
partioning for multiple OS's
I have a new laptop. It came with Vista on it. I used gpartd to resize those partitions, and added Ubuntu. Now I want to add OpenBSD, and FreeBSD. I'd like to do OpenBSD next. When I boot the 4.1 CD, I get to the partitioning step, and I am confused. Since I can't figure out how to capture the screen image from a machine booted off of the CD, I'll show you what Linux's cfdisk shows.
Name   Flags   Part Type   FS Type                [Label]   Size (MB)
---------------------------------------------------------------------
sda1           Primary     Unknown (27)                     10479.01
sda2   Boot    Primary     FAT16                  []        31453.48
sda3           Primary     Linux ReiserFS                   3.54
sda5           Logical     Linux swap / Solaris             3997.49
               Logical     Free Space                       74109.78
How can I accomplish this? -- I'm sorry, no one here has any intentions of helping you with anything. I am the manager of all of Customer Service.
Re: routing question
Hi RW Except for the branch VPN to the main office subnet (line# 3) I have the other IPSEC rules: peer to peer, 2 subnets to 1 subnet (and vice versa on the main office VPN peer). Why do I need to setup a tunnel between the branch firewall and main office subnet? TIA Paolo RW wrote: On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote: Hi I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing? I'll bet you don't have some flows set up in ipsec.conf to handle it. Here is a simple ipsec.conf from one end of an ipsec tunnel where OpenVPN clients also login: ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1 ike esp from 195.228.107.202 to 250.101.222.1 The first line adds the OpenVPN network to the mix. Needless to say the other end of the tunnel has an ipsec.conf that makes sure that traffic can return. Fictional addresses used to protect the innocent... Does that help? Please reply to the list. I am subscribed and don't need a cc, thanks. Rod/ From the land down under: Australia. Do we look umop apisdn from up over?
Re: filesystems?
On Tue, Sep 04, 2007 at 12:23:34AM +0200, Tonnerre LOMBARD wrote: On Mon, Sep 03, 2007 at 05:10:57PM +0200, Eric Elena wrote: I think fat32 is a good choice: you have nothing to install. Did you ever have to debug a deep directory structure where something caused all directory to become files? On a 500G disk? Fun. I would suggest that the OP be very specific with what is needed. What size of filesystem? Which operating systems need to read only and which to read and write? Given how flexible Linux and OBSD are, I would guess that the limit will be what windows can do. I don't know since I only used windows 3.1 for some games when I wasn't running OS/2. For 7 years it's been Debian and now I'm transitioning to OBSD. I never have to interoperate with windows users. Doug.
Re: routing question
On Mon, 03 Sep 2007 20:26:14 -0400, Paolo Supino wrote:

Hi RW

Except for the branch VPN to the main office subnet (line# 3) I have the other IPSEC rules: peer to peer, 2 subnets to 1 subnet (and vice versa on the main office VPN peer). Why do I need to set up a tunnel between the branch firewall and main office subnet?

TIA
Paolo

RW wrote:

On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote:

Hi

I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing?

I'll bet you don't have some flows set up in ipsec.conf to handle it. Here is a simple ipsec.conf from one end of an ipsec tunnel where OpenVPN clients also log in:

    ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1
    ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1
    ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1
    ike esp from 195.228.107.202 to 250.101.222.1

The first line adds the OpenVPN network to the mix. Needless to say the other end of the tunnel has an ipsec.conf that makes sure that traffic can return. Fictional addresses used to protect the innocent... Does that help?

Please reply to the list. I am subscribed and don't need a cc, thanks.

Rod/

I don't know your setup because you didn't explain it fully but what I showed you works for my client.

Let's make a symbolic ipsec.conf out of what I have shown you:

    ike esp from $OpenVPNlan to $HOlan peer $HOfirewall
    ike esp from $Branchlan to $HOlan peer $HOfirewall
    ike esp from $BranchFW to $HOlan peer $HOfirewall
    ike esp from $BranchFW to $HOfirewall

You cannot use macros like that but perhaps it makes it clearer. In our case we have servers on both office LANs and the roadies using OpenVPN need to be able to get to both. You will have to trim and tweak your rules to suit your own variation but think about this. Regular route table entries have no influence on what happens with IPsec and do not need to. IPsec configuration sets up flows and then the packets know how to get to their target. If they don't have a flow path, they won't know how and will be routed out to the cloud via the default gateway and then get lost.

Rod/

Hint. Read this:
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Rod/

From the land down under: Australia.
Do we look umop apisdn from up over?
Re: partitioning for multiple OS's
On 9/4/07, stan [EMAIL PROTECTED] wrote:

I have a new laptop. It came with Vista on it. I used gpartd to resize those partitions, and added Ubuntu. Now I want to add OpenBSD, and FreeBSD. I'd like to do OpenBSD next. When I boot the 4.1 CD, I get to the partitioning step, and I am confused. Since I can't figure out how to capture the screen image from a machine booted off of the CD, I'll show you what Linux's cfdisk shows.

    Name  Flags  Part Type  FS Type               [Label]  Size (MB)
    ----------------------------------------------------------------
    sda1         Primary    Unknown (27)                   10479.01
    sda2  Boot   Primary    FAT16                 []       31453.48
    sda3         Primary    Linux ReiserFS                 3.54
    sda5         Logical    Linux swap / Solaris           3997.49
                 Logical    Free Space                     74109.78

How can I accomplish this?

The MBR has only 4 slots for partitions. If you only would use primary partitions you can have a maximum of 4 of these. You also can have a single extended partition, combined with 0 to 3 primary partitions. You cannot have multiple extended partitions.

If you need to run Linux, it would be best to create 2 logical partitions within the extended partition for Linux. One logical for the Linux system and the other for Linux swap. That would free up the current primary ReiserFS partition.

While Linux can boot from a logical partition inside an extended one, the BSDs only can boot from a primary partition. So besides Linux you could install 3 other operating systems that need a primary partition.

A possible complication would be a suspend-to-RAM partition which possibly would take away one, leaving you with only 2 primaries. I never owned a laptop, nor did I use suspend-to-RAM so I leave that issue to others ;)

=Adriaan=
Re: Centralized ports collection server
On 9/4/07, John Nietzsche [EMAIL PROTECTED] wrote:

Dear gentlemen, I would like to set a single box in my network to keep synchronized to the ports collection infrastructure. My idea is to export the directory /usr/ports to all my local connected machines. So, there would be no need to sync them all. I would like to be able to build the utilities/lib/etc once and be able to install them on every machine with the same hardware/OS version. Is that possible? How should my /etc/exports control configuration file be?

An alternative would be to use one box to create binary packages from ports. Copy or link the packages to one directory which you make available to the clients by NFS, scp or ftp. You now can install the binary packages on the clients by setting their PKG_PATH to that directory of the building machine.

=Adriaan=
Re: partitioning for multiple OS's
stan wrote:

When I boot the 4.1 CD, I get to the partitioning step, and I am confused. Since I can't figure out how to capture the screen image from a machine booted off of the CD, I'll show you what Linux's cfdisk shows.

You can capture the screen using a serial port and null-modem cable to another computer, see the FAQ for more info.

I'm not that familiar with the output of the Linux program. When I have to install OpenBSD on the same disk as another OS and I don't feel like thinking, I usually just create a primary partition the size I want with the other OS and then change the partition type to A6 during the OpenBSD install process.
Re: Help with Altell PC6700
This issue has been resolved. The Altell PPC6700 EVDO works great:
http://freshbsd.org/2007/09/02/05/20/26

Many thanks to jsg@

On 8/26/07, Sam Fourman Jr. [EMAIL PROTECTED] wrote:

Hello misc@

I am in a bit of a time crunch and I am looking for help. It seems Windows Update screwed over a bunch of our laptops somehow (gee go figure); now remote desktop has some sort of a weird screen update problem that I can't seem to fix (spent Thursday and Friday on it): you type and it never shows up until you leave the text field. When I use OpenBSD with rdesktop it works like a charm, no text update problems.

We have a number of IBM/Lenovo x41 Tablet Computers (very well supported in OpenBSD). We also have several UTStarcom Pocket PC smart Phones (Windows Mobile 5). Here is a link:
http://www.utstar.com/pcd/view_phone_details.aspx?mcode=PPC6700sAct=0

What I am in desperate need to do is use these Phones as Wireless Modems and use rdesktop to access our office (XP Professional machines) from the field. Would someone be able to help me add these devices to OpenBSD in a way that they will attach in some way that I can use them with ppp to dial #777?

Here is someone that did this in Fedora 5:
http://andrewtv.org/fedora-ppc6700/

Below are several OpenBSD dmesg:

dmesg x41 (not in Modem Mode, just default)
http://ralink.lesmilde.com/x41/x41-tablet2.txt

dmesg x41 (in Wireless Modem Mode)
http://ralink.lesmilde.com/x41/x41-tablet3.txt

dmesg x41 with ACPI enabled (in Wireless Modem Mode)
http://ralink.lesmilde.com/x41/x41-tablet4.txt

If you need any other output I would be happy to get it to you imminently. If need be I can provide root ssh access to one of these.

Thank you for your help in advance, I am really in a time crunch as no one can work without remote desktop.

Sam Fourman Jr.
Re: partitioning for multiple OS's
On Mon, Sep 03, 2007 at 08:23:30PM -0400, stan wrote:

I have a new laptop. It came with Vista on it. I used gpartd to resize those partitions, and added Ubuntu. Now I want to add OpenBSD, and FreeBSD. I'd like to do OpenBSD next. When I boot the 4.1 CD, I get to the partitioning step, and I am confused. Since I can't figure out how to capture the screen image from a machine booted off of the CD, I'll show you what Linux's cfdisk shows.

    Name  Flags  Part Type  FS Type               [Label]  Size (MB)
    ----------------------------------------------------------------
    sda1         Primary    Unknown (27)                   10479.01
    sda2  Boot   Primary    FAT16                 []       31453.48
    sda3         Primary    Linux ReiserFS                 3.54
    sda5         Logical    Linux swap / Solaris           3997.49
                 Logical    Free Space                     74109.78

How can I accomplish this?

Ouch. The FAQ section 4.8 says that OBSD's partition has to be a primary partition. All your primary partitions are taken: 1: unknown (probably vista); 2: vista; 3 linux; 4 to hold the extended partitions.

Linux doesn't have these limitations. I would get rid of Ubuntu, remove the sda3 and sda5, use OBSD's fdisk to make your OBSD primary partition in the third slot, leaving free space in logical partitions for linux. This assumes that your computer's bios can boot from anywhere on the disk.

How you actually go about setting up the boot loaders is not something I know. I've heard that linux's GRUB can boot BSDs.

DISCLAIMER: this is from my reading of the faq and __Absolute_OpenBSD__. I've never dual-booted, haven't run windows since 3.1, and am very new to OBSD. However, I've used Debian since 2001 or so.

Good luck,
Doug.
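The slot counting discussed in this thread, as an added example that is not part of any poster's message: a Python sketch that parses the four primary entries of an MBR sector and reports whether a primary slot is left for a BSD. Both disk sectors are constructed; the type bytes 0x06 (FAT16) and 0x05 (extended container) are assumptions, while 0x27 and A6 are the values named in the thread.

```python
import struct

TABLE_OFFSET, ENTRY_SIZE, ENTRY_FMT = 446, 16, "<B3sB3sII"
EXTENDED_TYPES = {0x05, 0x0F, 0x85}   # CHS, LBA and Linux extended containers
OPENBSD, FREEBSD = 0xA6, 0xA5


def build_mbr(entries):
    """Build a constructed 512-byte MBR from up to four (boot, type, lba, sectors)."""
    sector = bytearray(512)
    for i, (boot, ptype, lba, count) in enumerate(entries[:4]):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + ENTRY_SIZE * i,
                         0x80 if boot else 0x00, b"\0" * 3, ptype, b"\0" * 3,
                         lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def parse_mbr(sector):
    """Return the four primary slots of an MBR sector as dicts."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    slots = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + ENTRY_SIZE * i)
        slots.append({"slot": i + 1, "boot": status == 0x80,
                      "type": ptype, "lba": lba, "sectors": count})
    return slots


def audit(slots):
    """Apply the thread's rules: 4 slots, one extended, BSDs need a primary."""
    used = [s for s in slots if s["type"] != 0x00]
    extended = [s["slot"] for s in used if s["type"] in EXTENDED_TYPES]
    free = [s["slot"] for s in slots if s["type"] == 0x00]
    problems = []
    if len(extended) > 1:
        problems.append("more than one extended partition")
    ordered = sorted(used, key=lambda s: s["lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba"] + a["sectors"] > b["lba"]:
            problems.append(f"slots {a['slot']} and {b['slot']} overlap")
    bsd = [s["slot"] for s in used if s["type"] in (OPENBSD, FREEBSD)]
    return {"free_primary": free, "extended": extended, "bsd_slots": bsd,
            "room_for_bsd": bool(free), "problems": problems}


# Constructed layout mirroring the cfdisk listing: rescue (0x27), Vista
# (FAT16, assumed 0x06), Linux (0x83), extended container (assumed 0x05).
STAN = build_mbr([(False, 0x27, 63, 21_000_000), (True, 0x06, 21_000_063, 64_000_000),
                  (False, 0x83, 85_000_063, 8_000), (False, 0x05, 85_008_063, 160_000_000)])
# Same disk after Linux moves into the extended partition and slot 3 becomes A6.
FIXED = build_mbr([(False, 0x27, 63, 21_000_000), (True, 0x06, 21_000_063, 64_000_000),
                   (False, OPENBSD, 85_000_063, 40_000_000),
                   (False, 0x05, 125_000_063, 120_000_000)])
```

Calling `audit(parse_mbr(STAN))` shows no free primary slot, which is the situation the replies describe; `FIXED` shows slot 3 holding OpenBSD with the single extended container in slot 4.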
Re: filesystems?
On Mon, Sep 03, 2007 at 07:22:47PM -0400, Douglas A. Tutty wrote:

On Tue, Sep 04, 2007 at 12:23:34AM +0200, Tonnerre LOMBARD wrote:

On Mon, Sep 03, 2007 at 05:10:57PM +0200, Eric Elena wrote:

I think fat32 is a good choice: you have nothing to install.

Did you ever have to debug a deep directory structure where something caused all directories to become files? On a 500G disk? Fun.

I would suggest that the OP be very specific with what is needed. What size of filesystem? Which operating systems need to read only and which to read and write? Given how flexible Linux and OBSD are, I would guess that the limit will be what can windows do. I don't know since I only used windows 3.1 for some games when I wasn't running OS/2. For 7 years it's been Debian and now I'm transitioning to OBSD. I never have to interoperate with windows users.

OK, let's eliminate Windows from the requirement. Now we have OpenBSD, Linux, and FreeBSD in order of importance. All 3 need read/write access. I will be using this to move data, and I want to be able to keep various places in sync, using rsync. So modification date, and file name retention are important. Where does that lead us?

--
I'm sorry, no one here has any intentions of helping you with anything. I am the manager of all of Customer Service.
Re: partitioning for multiple OS's
On Tue, Sep 04, 2007 at 04:04:10AM +0200, Adriaan wrote:

On 9/4/07, stan [EMAIL PROTECTED] wrote:

I have a new laptop. It came with Vista on it. I used gpartd to resize those partitions, and added Ubuntu. Now I want to add OpenBSD, and FreeBSD. I'd like to do OpenBSD next. When I boot the 4.1 CD, I get to the partitioning step, and I am confused. Since I can't figure out how to capture the screen image from a machine booted off of the CD, I'll show you what Linux's cfdisk shows.

    Name  Flags  Part Type  FS Type               [Label]  Size (MB)
    ----------------------------------------------------------------
    sda1         Primary    Unknown (27)                   10479.01
    sda2  Boot   Primary    FAT16                 []       31453.48
    sda3         Primary    Linux ReiserFS                 3.54
    sda5         Logical    Linux swap / Solaris           3997.49
                 Logical    Free Space                     74109.78

How can I accomplish this?

The MBR has only 4 slots for partitions. If you only would use primary partitions you can have a maximum of 4 of these. You also can have a single extended partition, combined with 0 to 3 primary partitions. You cannot have multiple extended partitions.

If you need to run Linux, it would be best to create 2 logical partitions within the extended partition for Linux. One logical for the Linux system and the other for Linux swap. That would free up the current primary ReiserFS partition.

While Linux can boot from a logical partition inside an extended one, the BSDs only can boot from a primary partition. So besides Linux you could install 3 other operating systems that need a primary partition.

A possible complication would be a suspend-to-RAM partition which possibly would take away one, leaving you with only 2 primaries. I never owned a laptop, nor did I use suspend-to-RAM so I leave that issue to others ;)

So, I need to move the Linux partition (using gpartd), reset the boot loader, and then I can put the 2 BSD's in the remaining 2 primary partitions? I don't need the suspend to disk functionality anyway.

--
I'm sorry, no one here has any intentions of helping you with anything. I am the manager of all of Customer Service.
Re: routing question (solved)
Hi RW

I found the problem :-) My OpenVPN setup is OK. My ipsecctl.conf was almost perfect: I set up the flow from my OpenBSD box (the branch office) to be passive ... duh!!! ;-) Now that it has been converted to dynamic the tunnel gets set up if the OpenVPN client initiates traffic :-)

TIA
Paolo

RW wrote:

On Mon, 03 Sep 2007 20:26:14 -0400, Paolo Supino wrote:

Hi RW

Except for the branch VPN to the main office subnet (line# 3) I have the other IPSEC rules: peer to peer, 2 subnets to 1 subnet (and vice versa on the main office VPN peer). Why do I need to set up a tunnel between the branch firewall and main office subnet?

TIA
Paolo

RW wrote:

On Mon, 03 Sep 2007 17:15:02 -0400, Paolo Supino wrote:

Hi

I have a firewall that also acts as a VPN peer for 2 VPNs. One of the VPNs is IPSEC that connects between the main office and a branch office. The second VPN is OpenVPN that connects windows based road warriors to the branch office. I want to enable employees that connect to the branch's OpenVPN to reach the main office servers (and filter traffic to). Both VPNs are working so the appropriate routing entries exist in the firewall's routing table. Even if I disable all the firewall rules and just let everything pass through the firewall the OpenVPN clients still cannot reach the main office servers. What am I missing?

I'll bet you don't have some flows set up in ipsec.conf to handle it. Here is a simple ipsec.conf from one end of an ipsec tunnel where OpenVPN clients also log in:

    ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1
    ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1
    ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1
    ike esp from 195.228.107.202 to 250.101.222.1

The first line adds the OpenVPN network to the mix. Needless to say the other end of the tunnel has an ipsec.conf that makes sure that traffic can return. Fictional addresses used to protect the innocent... Does that help?

Please reply to the list. I am subscribed and don't need a cc, thanks.

Rod/

I don't know your setup because you didn't explain it fully but what I showed you works for my client.

Let's make a symbolic ipsec.conf out of what I have shown you:

    ike esp from $OpenVPNlan to $HOlan peer $HOfirewall
    ike esp from $Branchlan to $HOlan peer $HOfirewall
    ike esp from $BranchFW to $HOlan peer $HOfirewall
    ike esp from $BranchFW to $HOfirewall

You cannot use macros like that but perhaps it makes it clearer. In our case we have servers on both office LANs and the roadies using OpenVPN need to be able to get to both. You will have to trim and tweak your rules to suit your own variation but think about this. Regular route table entries have no influence on what happens with IPsec and do not need to. IPsec configuration sets up flows and then the packets know how to get to their target. If they don't have a flow path, they won't know how and will be routed out to the cloud via the default gateway and then get lost.

Rod/

Hint. Read this:
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Rod/

From the land down under: Australia.
Do we look umop apisdn from up over?
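A check for the two failure modes this thread ends up describing (traffic with no matching flow, and a flow configured passive), as an added example that is not code from any poster: a Python sketch that parses `ike ... esp from ... to ...` rules and says what happens to an outbound packet. It handles only the subset of ipsec.conf(5) syntax quoted above plus the optional `active`/`passive`/`dynamic` mode keyword; the function names and verdict strings are hypothetical.

```python
import ipaddress
import re

# The four rules from the ipsec.conf quoted in the thread (fictional addresses).
THREAD_CONF = """\
ike esp from 10.10.8.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 172.22.2.0/24 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 172.22.3.0/24 peer 250.101.222.1
ike esp from 195.228.107.202 to 250.101.222.1
"""

# ike [mode] esp from <src> to <dst> [peer <gateway>]
RULE = re.compile(
    r"^ike\s+(?:(active|passive|dynamic)\s+)?esp\s+from\s+(\S+)\s+to\s+(\S+)"
    r"(?:\s+peer\s+(\S+))?$"
)


def parse_flows(conf):
    """Turn rule lines into flow records; reject anything outside the subset."""
    flows = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = RULE.match(line)
        if match is None:
            raise ValueError(f"unsupported rule: {line!r}")
        mode, src, dst, peer = match.groups()
        flows.append({
            "mode": mode or "active",          # active is the default mode
            "src": ipaddress.ip_network(src),  # a bare host becomes a /32
            "dst": ipaddress.ip_network(dst),
            "peer": peer,
            "rule": line,
        })
    return flows


def lookup(flows, src_ip, dst_ip):
    """Classify an outbound packet src_ip -> dst_ip against the flows.

    'tunnelled'        a flow covers it and this side will negotiate
    'flow-but-passive' a flow covers it but this side waits for the peer
    'no-flow'          nothing covers it; per the thread it leaves via the
                       default gateway instead of the tunnel
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for flow in flows:
        if src in flow["src"] and dst in flow["dst"]:
            if flow["mode"] == "passive":
                return "flow-but-passive", flow
            return "tunnelled", flow
    return "no-flow", None
```

Dropping the first rule from `THREAD_CONF` makes an OpenVPN client address fall through to `no-flow` even though a route exists, and marking that rule `passive` reproduces the state Paolo describes before switching to `dynamic`.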
Re: That whole Linux stealing our code thing
On 9/2/07, Marco Peereboom [EMAIL PROTECTED] wrote:

Dude stop yapping you are making an ass of yourself. We know your favorite audience is you. Show us your bar and people might listen to you again. As stated before, your opinion is not relevant. Your interpretation is not relevant. In fact everything you have said is not relevant.

No kidding. I finally got my head around this whole issue after reading Jeroen's and Hannah's well-written messages. It seems that RMSS is willfully ignoring the differences between copyright and license in the real world as opposed to the fantasy world of his mind.

Greg

--
Ticketmaster and Ticketweb suck, but everyone knows that: http://ticketmastersucks.org
Dethink to survive - Mclusky
sasyncd: no shared key specified
Tried sasyncd out on 4.1-release and noticed that when I uncomment the basic settings in the default /etc/sasyncd.conf file I see:

    # sasyncd -d
    config: no shared key specified, cannot continue
    #
    # cat /etc/sasyncd.conf
    # $OpenBSD: sasyncd.conf,v 1.1 2007/02/22 16:55:32 henning Exp $
    # sample sasyncd configuration file
    # see sasyncd.conf(5)

    # IP addresses or hostnames of sasyncd(8) peers.
    peer 10.0.0.2
    #peer 10.0.0.3
    #peer 10.0.0.4

    # Track master/slave state on this carp(4) interface.
    interface carp1

    # Shared AES key, 16/24/32 bytes.
    sharedkey 0x349fec85c11f6b658d5c457d4668e035f11dfdccb849d5053a8763787b74db70

I've also tried specifying the shared key in a separate file. Clues?

cheers,
jake
--
Re: partitioning for multiple OS's
On 9/3/07, stan [EMAIL PROTECTED] wrote:

    Name  Flags  Part Type  FS Type               [Label]  Size (MB)
    ----------------------------------------------------------------
    sda1         Primary    Unknown (27)                   10479.01
    sda2  Boot   Primary    FAT16                 []       31453.48
    sda3         Primary    Linux ReiserFS                 3.54
    sda5         Logical    Linux swap / Solaris           3997.49
                 Logical    Free Space                     74109.78

sda1 is most probably your rescue space or bios utilities. Not recommended for deletion. sda2 looks like your vista. sda3 is your linux partition. Recommend not using reiserfs. It has interesting failure cases. Recommend installing linux in an extended partition (along with the swap, which is your sda5).

So, I need to move the Linux partition (using gpartd), reset the boot loader, and then I can put the 2 BSD's in the remaining 2 primary partitions?

Unless you want to remove your bios/restore partition, you won't have an additional primary partition. *ponder* Hmm... vague neurons are telling me that ntfs may be bootable from an extended partition. You may have to destroy your vista install to try that, but if it works, then you can have the following:

    /dev/sda1 - primary restore
    /dev/sda2 - openbsd
    /dev/sda3 - freebsd
    /dev/sda5 - extended linux
    /dev/sda6 - extended linux swap
    /dev/sda7 - extended vista

I don't need the suspend to disk functionality anyway.

You'll have to get pretty friendly with grub. Alternatively, get very friendly with the windows bootloader (you can use it to boot linux, and probably also openbsd and freebsd).

--
This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation.