Re: Speed Problems

2007-09-26 Thread Bryan Irvine
What have you looked at? Are you running pf? What kind of ruleset?
Tried simplifying it?

--Bryan

On 9/25/07, rezidue [EMAIL PROTECTED] wrote:
 I've been having problems with throughput on a box I'm using as an edge
 gateway.  I can't seem to get it to push out more than 150Mb/sec at about
 20k pps.  It's a Tyan Thunder K8SR (S2881) board that has two gig broadcom
 interfaces on a shared pci-x bus.  It's on the bcm5704c chipset and I'm
 running OpenBSD 4.0.  The machine has two dual core amd opteron chips and
 two gigs of ram.  Barely any resources are being used when we are peaking
 during the day.  When we hit around 140+Mb/sec I start seeing packet loss
 and when I copy a file from this machine via scp to another host over the
 gig lan I can see that it directly affects throughput.  I've spent all day
 trying to find the problem but I've had no luck.  Any ideas?  Any info I can
 provide?



Re: Speed Problems

2007-09-26 Thread Claudio Jeker
On Tue, Sep 25, 2007 at 11:57:37PM -0500, rezidue wrote:
 I've been having problems with throughput on a box I'm using as an edge
 gateway.  I can't seem to get it to push out more than 150Mb/sec at about
 20k pps.  It's a Tyan Thunder K8SR (S2881) board that has two gig broadcom
 interfaces on a shared pci-x bus.  It's on the bcm5704c chipset and I'm
 running OpenBSD 4.0.  The machine has two dual core amd opteron chips and
 two gigs of ram.  Barely any resources are being used when we are peaking
 during the day.  When we hit around 140+Mb/sec I start seeing packet loss
 and when I copy a file from this machine via scp to another host over the
 gig lan I can see that it directly affects throughput.  I've spent all day
 trying to find the problem but I've had no luck.  Any ideas?  Any info I can
 provide?
 

Order a 4.2 CD and install it as soon as you get it. 4.2 removed many
bottlenecks in the network stack. In the meantime, check the ip
ifq len:
# sysctl net.inet.ip.ifq
net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=256
net.inet.ip.ifq.drops=0

I bet your drops are non-zero and the maxlen is too small (256 is a better
value for gigabit firewalls/routers).
-- 
:wq Claudio



Re: SMTP flood + spamdb

2007-09-26 Thread Craig Skinner

Chris Smith wrote:

On Tuesday 25 September 2007, Craig Skinner wrote:

If you are using postfix:

/etc/postfix/main.cf:
..
..
smtpd_recipient_restrictions =
 reject_non_fqdn_hostname
 reject_invalid_hostname
 reject_non_fqdn_sender
 reject_non_fqdn_recipient
 reject_unlisted_recipient  -- this one


Isn't this actually a postfix default?
As smtpd_reject_unlisted_recipient defaults to yes.


Absolutely correct, but by poking it in smtpd_recipient_restrictions you 
can choose when to invoke it. Probably makes little difference either 
way in the real world.




Re: spamd shows up as an open relay

2007-09-26 Thread Craig Skinner

Rob wrote:


You're right, then. If I explicitly block inbound connections to the
outbound mail server (instead of redirecting them), that might fix the
problem ... depending on just what kind of check the recipient's mail
server is doing.


A sending MTA is not required to accept SMTP connections; only those 
listed with DNS MX records should do so. I guess the superfluous 
redirect is causing the trouble. The outbound server must TCP block 
inbound connections with pf or the OS; do not use the MTA to 55x reject 
the connection.


Slightly off topic; but as you know, sender verification schemes work by 
looking up the sender's domain's MX records and attempting to send a 
mail to that sender. Should not matter which IP the mail is coming from. 
Compare gmail's vast array of outbound MTA ip address blocks, they are 
not listed in the MX records.



I'm a little concerned about just blocking those connections per your
suggestion, though.


Sounds like the right thing to do to me.


It might end up just changing the affected
recipients; if someone's dumb enough not to correctly check for an
open relay, someone else is certainly dumb enough to reject mail if
they can't connect back to the inbound IP.


But you said that they are connecting to the outbound IP and that you 
are redirecting them to the inbound IP, so this is not an issue if you 
reject the connection instead of redirecting it.


Best you can do is give it a go and send them a mail while watching the 
logs! Its only mail, not as if gold bullion is getting lost.




Re: SMTP flood + spamdb

2007-09-26 Thread Craig Skinner

RW wrote:


What I was getting looked like backscatter and smelled like backscatter
it is just that some of the IPs sending it didn't check out as MTAs.
i.e. they were not listed MXs for the domain they came from AND the
domain was not likely someone with separate outbound senders.

They all retried too and when I had them as TRAPPED entries the logged
data included typical failed-to-deliver messages.



'bots getting smart eh? Bugger! If that is the trend, greylisting starts 
to lose its value as spammers adapt to the RFCs.


Set up a pf queue of dialup speed for windows boxes connecting to port 
25? Should slow them down a bit, but still let the odd legit extrange 
sent mail in.




9GB Wide SCSI HDDs useful?

2007-09-26 Thread knitti
Hi,

we have here six 9GB Wide SCSI HDDs (68 pin), which are of no
use to us anymore. Each has been surface-scanned, so (at the moment)
they are working well.

Details:

4  IBM DDRS-39130 manufactured in October 1998
2 Quantum Atlas IV (should also be from the last century)

*If* someone from the OpenBSD developer community can use them,
I would ship them anywhere in the EU, preferably in Germany.


greetings,
knitti



man strnlen mistake?

2007-09-26 Thread Karel Kulhavy
In  doing this, strnlen() looks only at the first maxlen characters at s and
never beyond s+maxlen.

Shouldn't it be never beyond s+maxlen-1?

CL



Re: SMTP flood + spamdb

2007-09-26 Thread Peter N. M. Hansteen
Craig Skinner [EMAIL PROTECTED] writes:

 'bots getting smart eh? Bugger! If that is the trend, greylisting
 starts to lose its value as spammers adapt to the RFCs.

If they adapt to greylisting and start following relevant RFCs, we've
succeeded in making spamming more expensive. I don't see that
happening much, though.  The spam that reaches content filtering here
has managed to get itself into the queue on real mail servers which
for some reason allows them.

On the 'spamd looks like an open relay' issue, it would make sense to
use a relay checker which actually checks for mail received, not just
the status codes.  On the other hand I actually like that part of
spamd the way it is.  Spammers who apparently think every IP address
in our range is an open relay occasionally swell our greylists quite a
bit.  None of it ever gets delivered, of course, but we see the
attempts quite often these days.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Cannot fork

2007-09-26 Thread Edd Barrett
Hi all,

Yesterday my workstation started doing this:
[EMAIL PROTECTED]:eddlocal ifconfig
ksh: cannot fork - try again

It usually only lasts a couple of minutes, but during that time the
machine is pretty useless.

Top tells me that I have 500MB of RAM free, and that the OS has not
even started swapping.

I am going to try upgrading my snapshot to see if that fixes this, but
I thought I should report it in case.

OpenBSD 4.2-current (GENERIC) #2: Tue Sep 11 14:16:04 BST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz (GenuineIntel 686-class) 3 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem  = 1055678464 (1006MB)
avail mem = 1013071872 (966MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/05/04, BIOS32 rev. 0 @
0xf0010, SMBIOS rev. 2.3 @ 0xfbe40 (76 entries)
bios0: vendor Intel Corp. version BF86510A.86A.0058.P15.0404050012
date 04/05/2004
bios0: Intel Corporation D865GLC
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3d00/224 (12 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801EB/ER LPC rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xa200! 0xca800/0x1000 0xcb800/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82865G/PE/P CPU-I/0-1 rev 0x02
vga1 at pci0 dev 2 function 0 Intel 82865G Video rev 0x02: aperture
at 0xf000, size 0x800
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb0 at pci0 dev 3 function 0 Intel 82865G/PE/P CPU-CSA rev 0x02
pci1 at ppb0 bus 1
em0 at pci1 dev 1 function 0 Intel PRO/1000CT (82547EI) rev 0x00:
irq 10, address 00:0c:f1:f5:13:41
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 11
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 5
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 10
uhci3 at pci0 dev 29 function 3 Intel 82801EB/ER USB rev 0x02: irq 11
ehci0 at pci0 dev 29 function 7 Intel 82801EB/ER USB2 rev 0x02: irq 9
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb1 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xc2
pci2 at ppb1 bus 2
ichpcib0 at pci0 dev 31 function 0 Intel 82801EB/ER LPC rev 0x02:
24-bit timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 Intel 82801EB/ER IDE rev 0x02:
DMA, channel 0 configured to compatibility, channel 1 configured to
compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 82801EB SATA rev 0x02: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 10 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: WDC WD800JD-00MSA1
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 Intel 82801EB/ER SMBus rev 0x02: irq 3
iic0 at ichiic0
adt0 at iic0 addr 0x2e: emc6d100 rev 0x65
auich0 at pci0 dev 31 function 5 Intel 82801EB/ER AC97 rev 0x02: irq
3, ICH5 AC97
ac97: codec id 0x41445375 (Analog Devices AD1985)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4: Intel UHCI root hub, rev 1.00/1.00, addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ff6d netmask ff6d ttymask ffef
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
uhidev0 at uhub1 port 1 configuration 1 interface 0
uhidev0: Sun Microsystems Type 6 Mouse, rev 1.00/1.02, addr 2, iclass 3/1
ums0 at uhidev0: 3 buttons
wsmouse0 at ums0 mux 0
uhidev1 at uhub1 port 2 configuration 1 interface 0
uhidev1: Sun Microsystems Type 6 Keyboard, rev 1.00/1.01, addr 3, iclass 3/1
ukbd0 at uhidev1: 8 modifier keys, 6 key codes, layout 32
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
auich0: measured ac97 link rate at 47998 Hz, 

Re: spamd shows up as an open relay

2007-09-26 Thread frantisek holop
hmm, on Tue, Sep 25, 2007 at 02:50:41PM -0700, Rob said that
 We just ran across an odd intermittent problem with email that we
 traced back to spamd showing up as an open relay. I double-checked the
 documentation and mailing list archives and didn't find anything
 relevant.

dnsstuff.com is great for having a look at what an admin
left out/forgot/doesn't know :D

i was quite dismayed too when it showed me as an open relay...
(http://www.dnsstuff.com/tools/dnsreport.ch?domain=obiit.org)

but please note their wording:

FAIL

Open relay test

WARNING: One or more of your mailservers appears to be an open relay. If
so, this means that you are allowing spammers to freely use the
mailserver to send out spam! It is possible that your mailserver accepts
all E-mail and later bounces it, or accepts the relay attempt and then
deletes the E-mail, but this is not common.

WARNING: obiit.org appears to be an open relay: 250 This is hurting you
more than it is hurting me.


and they are right, it is not common.  but any service that would rely
on this kind of info _only_ (mail accepted but not checking if arrived)
should get a clue and rethink their strategy.

that said, i have no idea if this could be changed in a meaningful way
for spamd.  the best thing about it after all, is its MTA/OS ignorance.

-f
-- 
43.3% of all statistics are meaningless.



Re: Speed Problems

2007-09-26 Thread Stuart Henderson
On 2007/09/25 23:57, rezidue wrote:
 I've been having problems with throughput on a box I'm using as an edge
 gateway.

dmesg and vmstat -i might give clues. Also try bsd.mp if you use
bsd (or vice-versa), and Claudio's suggestion of 4.2 is a good one.



Re: Cannot fork

2007-09-26 Thread Jacob Yocom-Piatt

Edd Barrett wrote:

Hi all,

Yesterday my workstation started doing this:
[EMAIL PROTECTED]:eddlocal ifconfig
ksh: cannot fork - try again

It usually only lasts a couple of minutes, but during which time the
machine is pretty useless.

  


you sure you've not got your maximum number of processes for your login 
class? i routinely see this error on my workstations when i've got lots 
of stuff open. the proper solution is to bump up the login.conf values 
for your login class, not sure if this can be fixed sans complete logout 
and relogin.


if it's lasting a couple minutes then maybe some processes are being 
created and destroyed shortly thereafter.


cheers,
jake



Re: spamd shows up as an open relay

2007-09-26 Thread frantisek holop
hmm, on Wed, Sep 26, 2007 at 11:22:23AM +0200, frantisek holop said that
 dnsstuff.com is great to have a look what an admin
 left out/forgot/doesn't know :D
 
 i was quite dismayed too when it showed me as an open relay...
 (http://www.dnsstuff.com/tools/dnsreport.ch?domain=obiit.org)

sorry, doesn't let you use it directly, doh.
have to go through the front door.

and when you pass that test, they'll say, it's just a quick check,
and go to

http://www.abuse.net/relay.html

if want a full check.

-f
-- 
30 minutes of begging is not considered foreplay.



Re: Cannot fork

2007-09-26 Thread Markus Lude
On Wed, Sep 26, 2007 at 10:11:57AM +0100, Edd Barrett wrote:
 Hi all,
 
 Yesterday my workstation started doing this:
 [EMAIL PROTECTED]:eddlocal ifconfig
 ksh: cannot fork - try again
 
 It usually only lasts a couple of minutes, but during which time the
 machine is pretty useless.
 
 Top tells me that I have 500MB of RAM free, and that the OS has not
 even started swapping.

You have reached the limit of the maximal allowed processes run by you.
You could raise the limit in /etc/login.conf, but first I would check if
there is something wrong on your machine with that many processes. It
could be OK.

 I am going to try upgrading my snapshot to see if that fixes this, but
 I thought I should report it in case.
 
Regards,
Markus



You just received an Electronic Greeting.

2007-09-26 Thread Electronic Greeting
Hello,
A Greeting Card is waiting for you at our virtual post office! You can
pick up your postcard at the following web address:
http://www.all-yours.net/u/view.php?id=a0190313376667

visit E-Greetings at http://www.all-yours.net/
and enter your pickup code, which is: a0190313376667

(Your postcard will be available for 60 days.)



Re: SMTP flood + spamdb

2007-09-26 Thread Liviu Daia
On 26 September 2007, Craig Skinner [EMAIL PROTECTED] wrote:
 RW wrote:
  
  What I was getting looked like backscatter and smelled like backscatter
  it is just that some of the IPs sending it didn't check out as MTAs.
  i.e. they were not listed MXs for the domain they came from AND the
  domain was not likely someone with separate outbound senders.
  
  They all retried too and when I had them as TRAPPED entries the logged
  data included typical failed-to-deliver messages.
  
 
 'bots getting smart eh? Bugger! If that is the trend, greylisting starts 
 to lose its value as spammers adapt to the RFCs.
[...]

Greylisting is trivial to bypass, with or without a queue: just send
the same messages twice.  Some spammers have figured that out long ago.
Ever wondered why sometimes you receive 2 or 3 copies of the same spam,
from the same IP, with the same Message-Id etc., a few minutes apart?

Regards,

Liviu Daia

-- 
Dr. Liviu Daia  http://www.imar.ro/~daia



wi driver: maximal output power question

2007-09-26 Thread Marcus Andree
Dear all,

First, let me say a big hello to everyone here. I've been out of this
list for almost three years... Just came back less than a week ago and
Chuck Yerkes is sorely missed...

I don't know if this question will be better answered here or on [EMAIL PROTECTED]

After reading an email about power management on ral devices, I took
a look at the following piece of code, from if_wi.c.

It seems to suggest that power output, using wi devices, is limited.
Anything greater than 20dBm will be treated as 20dBm.

I'm awaiting the arrival of some senao cards, capable of 200mW (23dBm)
output. Is the wi driver capable of handling this amount of power?


STATIC int
wi_set_txpower(struct wi_softc *sc, struct ieee80211_txpower *txpower)
{
    u_int16_t   cmd;
    u_int16_t   power;
    int8_t      tmp;
    int         error;
    int         alc;

    if (txpower == NULL) {
        if (!(sc->wi_flags & WI_FLAGS_TXPOWER))
            return (EINVAL);
        alc = 0;    /* disable ALC */
    } else {
        if (txpower->i_mode == IEEE80211_TXPOWER_MODE_AUTO) {
            alc = 1;    /* enable ALC */
            sc->wi_flags &= ~WI_FLAGS_TXPOWER;
        } else {
            alc = 0;    /* disable ALC */
            sc->wi_flags |= WI_FLAGS_TXPOWER;
            sc->wi_txpower = txpower->i_val;
        }
    }

    /* Set ALC (automatic level control) via the debug/config-bits command */
    cmd = WI_CMD_DEBUG | (WI_DEBUG_CONFBITS << 8);
    if ((error = wi_cmd(sc, cmd, alc, 0x8, 0)) != 0)
        return (error);

    /* No need to set the TX power value if ALC is enabled */
    if (alc)
        return (0);

    /*
     * Convert dBm to internal TX power value. Requests above 20 dBm and
     * below -43 dBm are clamped; in between, value = (-12 - dBm) * 4.
     */
    if (sc->wi_txpower > 20)
        power = 128;
    else if (sc->wi_txpower < -43)
        power = 127;
    else {
        tmp = sc->wi_txpower;
        tmp = -12 - tmp;
        tmp <<= 2;

        power = (u_int16_t)tmp;
    }

    /* Set manual TX power */
    cmd = WI_CMD_WRITE_MIF;
    if ((error = wi_cmd(sc, cmd,
        WI_HFA384X_CR_MANUAL_TX_POWER, power, 0)) != 0)
        return (error);

    if (sc->sc_ic.ic_if.if_flags & IFF_DEBUG)
        printf("%s: %u (%d dBm)\n", sc->sc_dev.dv_xname, power,
            sc->wi_txpower);

    return (0);
}



Re: The Atheros story ... Rui trolling again.

2007-09-26 Thread Siegbert Marschall
Rui Miguel Silva Seabra [EMAIL PROTECTED]

 lol it's always bullshit when it's not convenient to you, right?
and you are a troll. can you please troll around somewhere else, you
are wasting precious magnetic domains.

eris will not set you free, she will eat you alive.

-sm



Re: Cannot fork

2007-09-26 Thread Edd Barrett
On 26/09/2007, Markus Lude [EMAIL PROTECTED] wrote:
 You have reached the limit of the maximal allowed processes run by you.

Correct, I am only allowed 64. A quick login class switch to staff
should fix this.

Thanks for the help.

-- 
Best Regards

Edd

---
http://students.dec.bournemouth.ac.uk/ebarrett



Re: OpenBSD on decTOP?

2007-09-26 Thread Diana Eichert

On Tue, 25 Sep 2007, Jonathan Gray wrote:

SNIP

There has been at least one dmesg submitted for these,


Did you see any serial ports detected in the dmesg?  If so how many?

thanks

diana



Re: SMTP flood + spamdb

2007-09-26 Thread Damien Miller
On Wed, 26 Sep 2007, Liviu Daia wrote:

 Greylisting is trivial to bypass, with or without a queue: just send
 the same messages twice.  Some spammers have figured that out long ago.
 Ever wondered why sometimes you receive 2 or 3 copies of the same spam,
 from the same IP, with the same Message-Id etc., a few minutes apart?

That doesn't work, at least not against spamd.



Re: The Atheros story in much fewer words

2007-09-26 Thread Gilles Chehade
On Wed, Sep 26, 2007 at 02:32:05PM +0200, Siegbert Marschall wrote:
  You don't seem to get the fact that I'm not even talking about what's
  more or less free (in your definition). The BSD has fewer requirements,
  but it allows some users to not have the freedoms you claim to defend.
 
 ROTFL. I almost wetted my keyboard with the remains in the bottle of
 water I was just about to drink...
 
  but it allows some users to not have the freedoms you claim to defend.
 
 Exactly. That's freedom. Being able to choose, even to choose to abandon
 freedom. Freedom of choice.
 
 Keep on writing I am beginning to enjoy the show, you are getting better
 at playing the clown Rui.
 

Please, don't encourage him :(

Gilles



hoststated and remote ip address

2007-09-26 Thread holger glaess
hi

I run hoststated and I have a small problem.

My config is:

table hobbithosts {
#check http /ldirector.html code 200
check icmp
timeout 300
real port 443
host $hobbit_predmz_ip
}

service hobbit01 {
virtual host $hobbit_dmz_ip port 443 interface em0
tag hobbit01
sticky-address
table hobbithosts
}

I also set up user authentication with Apache, and this works if the 
connection comes directly from the web.

But if I connect to the webserver through hoststated I never get the 
authentication login from Apache.

Can someone help me?

holger



Re: OpenBSD on decTOP?

2007-09-26 Thread Stuart Henderson
On 2007/09/26 06:38, Diana Eichert wrote:
 On Tue, 25 Sep 2007, Jonathan Gray wrote:
 SNIP
 There has been at least one dmesg submitted for these,

 Did you see any serial ports detected in the dmesg?  If so how many?

none showing.



Re: The Atheros story in much fewer words

2007-09-26 Thread ttw+bsd
 but it allows some users to not have the freedoms you claim to defend.

think you'll struggle to find people here who claim to defend freedom.
personally, i'm a believer and practitioner, i leave the defending
to the misguided and the hypocrites.



Re: OpenBSD on decTOP?

2007-09-26 Thread David Redhouse
On 26/09/2007, Diana Eichert [EMAIL PROTECTED] wrote:
  On Tue, 25 Sep 2007, Jonathan Gray wrote:
 SNIP
  There has been at least one dmesg submitted for these,

 Did you see any serial ports detected in the dmesg?  If so how many?

T'was mine:

OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by National Semi (Geode by NSC 586-class)
366 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,PGE,CMOV,MMX
real mem  = 112693248 (107MB)
avail mem = 100970496 (96MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/19/06
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0x8000
acpi0 at mainbus0: rev 0
acpi0: tables DSDT FACP BOOT
acpitimer at acpi0 not configured
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu at acpi0 not configured
acpibtn at acpi0 not configured
acpibtn at acpi0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 NS CS5535 Host rev 0x21
vga1 at pci0 dev 1 function 1 NS CS5535 VIDEO rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ATT/Lucent LTMODEM rev 0x02 at pci0 dev 13 function 0 not configured
pcib0 at pci0 dev 15 function 0 NS CS5535 ISA rev 0x13
pciide0 at pci0 dev 15 function 2 NS CS5535 IDE rev 0x00: DMA (unsupported),
channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 ignored (other hardware responding at addresses)
pciide0: channel 1 ignored (not responding; disabled or no drives?)
NS CS5535 AUDIO rev 0x00 at pci0 dev 15 function 3 not configured
ohci0 at pci0 dev 15 function 4 NS CS5535 USB rev 0x06: irq 10, version 1.0,
legacy support
ohci1 at pci0 dev 15 function 5 NS CS5535 USB rev 0x06: irq 11, version 1.0,
legacy support
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: ST310014A
wd0: 16-sector PIO, LBA, 9768MB, 20005650 sectors
wd0(wdc0:0:0): using BIOS timings
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb0 at ohci0: USB revision 1.0
uhub0 at usb0: NS OHCI root hub, rev 1.00/1.00, addr 1
usb1 at ohci1: USB revision 1.0
uhub1 at usb1: NS OHCI root hub, rev 1.00/1.00, addr 1
biomask effd netmask effd ttymask 
pctr: user-level cycle counter enabled
axe0 at uhub0 port 2 configuration 1 interface 0
axe0: D-Link DUB-E100 rev B1, rev 2.00/0.01, addr 2, AX88772, address
00:80:c8:38:92:7e
rlphy0 at axe0 phy 3: IP101 10/100 PHY, rev. 4
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a swap on wd0b dump on wd0b

-- 
dir21



Re: SMTP flood + spamdb

2007-09-26 Thread Liviu Daia
On 26 September 2007, Damien Miller [EMAIL PROTECTED] wrote:
 On Wed, 26 Sep 2007, Liviu Daia wrote:

  Greylisting is trivial to bypass, with or without a queue: just
  send the same messages twice.  Some spammers have figured that out
  long ago.  Ever wondered why sometimes you receive 2 or 3 copies of
  the same spam, from the same IP, with the same Message-Id etc., a
  few minutes apart?

 That doesn't work, at least not against spamd.

How does spamd distinguish between a legitimate retry and a
re-injection of the same message with the same Message-Id, sender etc.?

Regards,

Liviu Daia

-- 
Dr. Liviu Daia  http://www.imar.ro/~daia



Re: OpenBSD on decTOP?

2007-09-26 Thread Diana Eichert

according to the datasheet for the CS5535 there are 2 UARTs on the chip.
http://www.amd.com/files/connectivitysolutions/geode/geode_gx/31506_cs5535_databook.pdf

that would suck if it was permanently disabled

diana



Re: SMTP flood + spamdb

2007-09-26 Thread Craig Skinner

Liviu Daia wrote:


How does spamd distinguish between a legitimate retry and a
re-injection of the same message with the same Message-Id, sender etc.?



It doesn't.

Just what you described would probably be within the default 25 mins 
grey period. Another delivery attempt would be needed after this time to 
pass spamd.




Re: SMTP flood + spamdb

2007-09-26 Thread Jeremy C. Reed
On Wed, 26 Sep 2007, Liviu Daia wrote:

 On 26 September 2007, Damien Miller [EMAIL PROTECTED] wrote:
  On Wed, 26 Sep 2007, Liviu Daia wrote:
 
   Greylisting is trivial to bypass, with or without a queue: just
   send the same messages twice.  Some spammers have figured that out
   long ago.  Ever wondered why sometimes you receive 2 or 3 copies of
   the same spam, from the same IP, with the same Message-Id etc., a
   few minutes apart?
 
  That doesn't work, at least not against spamd.
 
 How does spamd distinguish between a legitimate retry and a
 re-injection of the same message with the same Message-Id, sender etc.?

It can't.

But spamd's default of 25 minute passtime should help. (Well it does 
help someone -- since it limits the spammer's resources.)

(spamd doesn't know about Message-Id, it uses connecting IP address, 
HELO/EHLO, envelope-from, and envelope-to.)



Re: OpenBSD on decTOP?

2007-09-26 Thread Diana Eichert

hmmm, further reading of the data sheet makes me wonder if the serial UART
is at address 2E8H for com3, if so that is disabled in GENERIC.
#pccom3 at isa? port 0x2e8 irq 9# (conflicts with some video cards)

I'm not completely familiar with the device scan when the kernel is
loaded.  Will it discover a device hanging off isa0 if a driver is not
compiled into the kernel and show it as not configured or will it just
not find it at all?

diana



Re: SMTP flood + spamdb

2007-09-26 Thread Liviu Daia
On 26 September 2007, Craig Skinner [EMAIL PROTECTED] wrote:
 Liviu Daia wrote:
 
  How does spamd distinguish between a legitimate retry and a
  re-injection of the same message with the same Message-Id, sender
  etc.?

 It doesn't.

 Just what you described would probably be within the default 25 mins
 grey period.

Why should it?  The second copy is sent in a separate run, that's
the whole point.  The only thing the bot has to figure out is how long
to wait until the second run.  A smart one would send a second copy
after 10 minutes, and a third one after, say, 35 minutes.

 Another delivery attempt would be needed after this time to pass
 spamd.

Moral: randomize the greylisting time...

Regards,

Liviu Daia

-- 
Dr. Liviu Daia  http://www.imar.ro/~daia



Re: OpenBSD on decTOP?

2007-09-26 Thread Markus Hennecke

Diana Eichert schrieb:

hmmm, further reading of the data sheet makes me wonder if the serial UART
is at address 2E8H for com3, if so that is disabled in GENERIC.
#pccom3 at isa? port 0x2e8 irq 9# (conflicts with some video cards)

I'm not completely familiar with the device scan when the kernel is
loaded.  Will it discover a device hanging off isa0 if a driver is not
compiled into the kernel and show it as not configured or will it just
not find it at all?


As it won't probe on port 0x2e8 it will not find it. That's why it was 
disabled, the probe will have negative effects on other hardware.


Greetings
  Markus



Re: SMTP flood + spamdb

2007-09-26 Thread Luca Corti
On Wed, 2007-09-26 at 17:02 +0300, Liviu Daia wrote:
  Another delivery attempt would be needed after this time to pass
  spamd.
 Moral: randomize the greylisting time...

Between which min/max values? Keep in mind that this corresponds to the
(minimum) delay introduced in delivering good messages to the mailbox.

ciao

Luca



Re: SMTP flood + spamdb

2007-09-26 Thread Craig Skinner

Liviu Daia wrote:

Why should it?  The second copy is sent in a separate run, that's
the whole point.  The only thing the bot has to figure out is how long
to wait until the second run.  A smart one would send a second copy
after 10 minutes, and a third one after, say, 35 minutes.


OK, but you did say a few minutes apart.

In English, few is normally a single digit.



Re: SMTP flood + spamdb

2007-09-26 Thread Liviu Daia
On 26 September 2007, Luca Corti [EMAIL PROTECTED] wrote:
 On Wed, 2007-09-26 at 17:02 +0300, Liviu Daia wrote:
   Another delivery attempt would be needed after this time to pass
   spamd.
  Moral: randomize the greylisting time...

 Between which min/max values? Keep in mind that this corresponds to
 the (minimum) delay introduced in delivering good messages to the
 mailbox.

That's up to you.  The minimum should be large enough to keep away
naive bots, as it does now.  The maximum should be as large as you
can afford without being too anti-social. :) Some crap will still pass
through anyway.

Regards,

Liviu Daia

-- 
Dr. Liviu Daia  http://www.imar.ro/~daia



Re: OpenBSD on decTOP?

2007-09-26 Thread Diana Eichert

On Wed, 26 Sep 2007, Markus Hennecke wrote:

As it won't probe on port 0x2e8 it will not find it. That's why it was 
disabled, the probe will have negative effects on other hardware.


Greetings
 Markus


that's what I assumed, but I thought I'd ask anyway.

thanks



Re: SMTP flood + spamdb

2007-09-26 Thread Liviu Daia
On 26 September 2007, Liviu Daia [EMAIL PROTECTED] wrote:
 On 26 September 2007, Luca Corti [EMAIL PROTECTED] wrote:
  On Wed, 2007-09-26 at 17:02 +0300, Liviu Daia wrote:
Another delivery attempt would be needed after this time to pass
spamd.
   Moral: randomize the greylisting time...
 
  Between which min/max values? Keep in mind that this corresponds to
  the (minimum) delay introduced in delivering good messages to the
  mailbox.

 That's up to you.  The minimum should be large enough to keep away
 naive bots, as it does now.  The maximum should be as large as you
 can afford without being too anti-social. :) Some crap will still pass
 through anyway.

The maximum should also leave plenty of time before expiry.  Some
mailers use queue backoff algorithms, which means some legitimate
messages might never get a chance to pass if the window is too small...

Regards,

Liviu Daia

-- 
Dr. Liviu Daia  http://www.imar.ro/~daia



Re: SMTP flood + spamdb

2007-09-26 Thread Peter N. M. Hansteen
Liviu Daia [EMAIL PROTECTED] writes:

 Why should it?  The second copy is sent in a separate run, that's
 the whole point.  The only thing the bot has to figure out is how long
 to wait until the second run.  A smart one would send a second copy
 after 10 minutes, and a third one after, say, 35 minutes.

*BZZT!* Assuming facts not in evidence: a *smart* spambot /and/ a
spammer who actually *cares* about the delivery of individual messages.

 Another delivery attempt would be needed after this time to pass
 spamd.

Actually, the way it works is more like this:

1st try: 451 try again later

 * At this point, anywhere between 80%-97% of spammers just move
   on, there's millions more messages to spew out there, and 
   other hosts which are way more receptive.

2nd try, after passtime: 451 try again later 
 (spamd to self: oh, this one retried, better whitelist)

 * This is where we decide it has a chance to be non-trash,
   but we don't let on just yet

3rd try: now you talk to the real smtp daemon (if there is one)

 * They've passed the test.  They may still be bastids, but
   at least they know some basic rules of conduct.

 Moral: randomize the greylisting time...

Random numbers can be fun, but I'd like to see real world data which
support your theory.

I'm beginning to think that this is another one of those 'I refuse to
believe greylisting works because I refuse to understand it' episodes.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: SMTP flood + spamdb

2007-09-26 Thread Craig Skinner

Liviu Daia wrote:

That's up to you.  The minimum should be large enough to keep away
naive bots, as it does now.  The maximum should be as large as you
can afford without being too anti-social. :) Some crap will still pass
through anyway.


The maximum should also leave plenty of time before expiry.  Some
mailers use queue backoff algorithms, which means some legitimate
messages might never get a chance to pass if the window is too small...



The defaults work very well:

See: http://www.ualberta.ca/~beck/nycbug06/spamd/mgp1.html
Hear: http://www.fetissov.org/public/nycbsdcon06/2.4.mp3



Re: SMTP flood + spamdb

2007-09-26 Thread Dave Anderson
On Wed, 26 Sep 2007, Liviu Daia wrote:

On 26 September 2007, Craig Skinner [EMAIL PROTECTED] wrote:
 Liviu Daia wrote:
 
  How does spamd distinguish between a legitimate retry and a
  re-injection of the same message with the same Message-Id, sender
  etc.?

 It doesn't.

 Just what you described would probably be within the default 25 mins
 grey period.

Why should it?  The second copy is sent in a separate run, that's
the whole point.  The only thing the bot has to figure out is how long
to wait until the second run.  A smart one would send a second copy
after 10 minutes, and a third one after, say, 35 minutes.

 Another delivery attempt would be needed after this time to pass
 spamd.

Moral: randomize the greylisting time...

Or take advantage of the (by default) 25 minute window to use other
means to detect that this address is sending spam.  Perhaps spamd should
be extended to look for excessive attempts to send messages from an
address during that period?  (How often do spammers' lists contain only
one or two addresses from a domain?)

Dave

-- 
Dave Anderson
[EMAIL PROTECTED]



Re: SMTP flood + spamdb

2007-09-26 Thread Stuart Henderson
On 2007/09/26 11:03, Dave Anderson wrote:
 
 Or take advantage of the (by default) 25 minute window to use other
 means to detect that this address is sending spam.  Perhaps spamd should
 be extended to look for excessive attempts to send messages from an
 address during that period?

google: greyscanner



Re: SMTP flood + spamdb

2007-09-26 Thread Peter N. M. Hansteen
Dave Anderson [EMAIL PROTECTED] writes:

 Or take advantage of the (by default) 25 minute window to use other
 means to detect that this address is sending spam.  Perhaps spamd should
 be extended to look for excessive attempts to send messages from an
 address during that period?  (How often do spammers' lists contain only
 one or two addresses from a domain?)

You could probably use straight rdr instead of rdr pass to feed spamd,
then in the relevant pass rule apply your source tracking options and
overload and some table magic for that

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Internet slowdown when pf is enabled? Running on i386 -current

2007-09-26 Thread Reza Muhammad
I know it's weird that's why I posted this in the first place :P

anyway, the OpenBSD gateway is running a web server (apache+php) and a mail
server (postfix+dovecot).  The thing is, it doesn't seem there are a lot of
connections from those daemons, and like I said before, if I try to connect
to the Internet directly from my laptop, the connection is fine.  Would a
tcpdump log be of any help at this point?

Thanks for replying though.

On Wed, 26 Sep 2007 15:55:21 +0200, knitti [EMAIL PROTECTED] wrote:
 On 9/22/07, Reza Muhammad [EMAIL PROTECTED] wrote:
 I'm having a problem with my Internet connection in my home network. I
 noticed that my Internet connection has been very slow since I upgraded to
 -current a week ago.  First, I thought it was just my ISP problem.  Then, I
 tried to connect to the Internet directly from my laptop, it worked fine.
 

 I noticed that the Internet is slowing down when pf is enabled.  I
 changed my pf.conf to only do nat, and scrub incoming packets, but it is
 still slow.
 State Table                        Total             Rate
   current entries                    698
   searches                       4487636        19511.5/s
   inserts                         280924         1221.4/s
   removals                        280226         1218.4/s
 
 I don't know what kind of traffic you have on your box, but these
 numbers look strange.
 I see on various firewalls between 0.1 and 5% of that with some simple
 rulesets and
 NAT. These are DSL links, both asymmetric and symmetric.
 
 If you are really only doing NAT, something is strange.
 
 greetings,
 knitti



Re: Porting OpenBSD to OLPC XO laptops.

2007-09-26 Thread Paul de Weerd
[diverted to [EMAIL PROTECTED]

On Wed, Sep 26, 2007 at 08:08:41AM -0700, big one wrote:
| OLPC (One Laptop Per Child) had released XO AMD Geode LX Laptops
| using G1G1 (Buy 2 Get 1). One laptop will be sent to the buyer and the
| 2nd laptop will be sent to a child in a poor, developing country.
| 
| According to Mr Theo de Raadt from OpenBSD, it is impossible to
| write device driver for Wireless chipset inside XO.
| 
| According to OLPC developer team:
| 1. There is no standard BIOS inside XO laptops.
| 2. There is no VGA/EGA/CGA video mode.
| 
| Is it possible to port OpenBSD to XO Laptops without
| activating/using the wireless chipset?
| Thank you

Why not buy some and send them to interested developers. 

Buy 2 Send 1 to an OpenBSD developer ;)

Cheers,

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/ 



Loading PF after ppp

2007-09-26 Thread Amit Finkler
I connect to the internet using pppoe(8) by putting the following line
in /etc/rc.local.conf:


ppp -ddial pppoe


However, the pf rules load before I have an internet connection and
therefore pfctl reports an error.


How does one load PF after ppp?


Amit.



Re: SMTP flood + spamdb

2007-09-26 Thread Luca Corti
On Wed, 2007-09-26 at 17:38 +0300, Liviu Daia wrote:
 That's up to you.  The minimum should be large enough to keep away
 naive bots, as it does now.  The maximum should be as large as you
 can afford without being too anti-social. :) Some crap will still pass
 through anyway.

Sometimes is not about being social, but about receiving important
messages in time. Some greylisting implementations have a bit more
relaxed policies on whitelisting (e.g. whitelisting /24 subnets on which
the sender resides instead of single IP address) to speed up
whitelisting efficiency. Not sure about how much spam this allows to
slip through.

ciao

Luca



Re: SMTP flood + spamdb

2007-09-26 Thread Luca Corti
On Wed, 2007-09-26 at 16:01 +0100, Craig Skinner wrote:
 The defaults work very well:
 See: http://www.ualberta.ca/~beck/nycbug06/spamd/mgp1.html
 Hear: http://www.fetissov.org/public/nycbsdcon06/2.4.mp3

Maybe this also has to do with amount and type of traffic you get.
Small shops are probably more likely to experience delays, while hosters
of a large number of high traffic domains should have whitelists converge fast.

ciao

Luca



OpenBSD configuration file for Samhain

2007-09-26 Thread Siju George
Hi,

I got Samhain
http://www.la-samhna.de/samhain/
installed on a 4.1

The default configuration file for it is written for a FreeBSD system.
Are there people out there who use Samhain on OpenBSD if so could you
please help me tune the configuration file to use it with OpenBSD.

The default configuration file is given below.

Thank you so much :-)

Kind Regards

Siju

#
#
# FreeBSD Configuration file  for samhain.
#
#
#
# -- empty lines and lines starting with '#', ';' or '//' are ignored
# -- boolean options can be Yes/No or True/False or 1/0
# -- you can PGP clearsign this file -- samhain will check (if compiled
#with support) or otherwise ignore the signature
# -- CHECK mail address
#
# To each log facility, you can assign a threshold severity. Only
# reports with at least the threshold severity will be logged
# to the respective facility (even further below).
#
#
# SETUP for file system checking:
# (i)   There are several policies, each has its own section. Put files
#   into the section for the appropriate policy (see below).
# (ii)  Section [EventSeverity]:
#   To each policy, you can assign a severity (further below).
# (iii) Section [Log]:
#   To each log facility, you can assign a threshold severity. Only
#   reports with at least the threshold severity will be logged
#   to the respective facility (even further below).
#

#
#
# Files are defined with: file = /absolute/path
#
# Directories are defined with:  dir = /absolute/path
# or with an optional recursion depth (N = 99): dir = N/absolute/path
#
# Directory inodes are checked. If you only want to check files
# in a directory, but not the directory inode itself, use (e.g.):
#
# [ReadOnly]
# dir = /some/directory
# [IgnoreAll]
# file = /some/directory
#
# You can use shell-style globbing patterns, like: file = /path/foo*
#
##

[Misc]
##
## Add or subtract tests from the policies
## - if you want to change their definitions,
##   you need to do that before using the policies
##
# RedefReadOnly = (no default)
# RedefAttributes=(no default)
# RedefLogFiles=(no default)
# RedefGrowingLogFiles=(no default)
# RedefIgnoreAll=(no default)
# RedefIgnoreNone=(no default)
# RedefUser0=(no default)
# RedefUser1=(no default)

#
# - / --
#

[ReadOnly]
dir = 0/

[Attributes]
file = /
file = /proc
file = /entropy
file = /tmp
file = /var

#
# - /dev ---
#

[Attributes]
dir = 99/dev

[IgnoreAll]
file = /dev/ttyp?

[Misc]
##
## pseudo terminals are created/removed as needed
##
IgnoreAdded = /dev/(p|t)typ.*
IgnoreMissing = /dev/(p|t)typ.*


#
# - /etc ---
#

[ReadOnly]
##
## for these files, only access time is ignored
##
dir = 99/etc


#
# - /boot ---
#

[ReadOnly]
dir = 99/boot

#
# - /bin, /sbin ---
#

[ReadOnly]
dir = 99/bin
dir = 99/sbin

#
# - /lib ---
#

[ReadOnly]
dir = 99/lib

#
# - /libexec ---
#

[ReadOnly]
dir = 99/libexec

#
# - /rescue ---
#

[ReadOnly]
dir = 99/rescue

#
# - /root ---
#

[Attributes]
##
## for these files, only changes in permissions and ownership are checked
##
dir = 99/root

#
# - /stand ---
#

[ReadOnly]
dir = 99/stand

#
# - /usr ---
#

[ReadOnly]
dir = 99/usr

[Attributes]
dir = /usr/.snap
dir = /usr/share/man/cat?
file = /usr/compat/linux/etc
file = /usr/compat/linux/etc/ld.so.cache

[IgnoreAll]
dir = -1/usr/home

#
# - /var ---
#

[Attributes]

dir = 0/var

[LogFiles]
##
## for these files, changes in signature, timestamps, and size are ignored
##

file=/var/run/utmp

[GrowingLogFiles]
##
## For these files, changes in signature, timestamps, and increase in size
## are ignored. Logfile rotation will cause a report because of shrinking
## size and different inode.
##
dir = 99/var/log

[Attributes]
#
# rotated logs will change inode
#
file = /var/log/*.[0-9].bz2
file = /var/log/*.[0-9].log
file = /var/log/*.[0-9]
file = /var/log/*.[0-9][0-9]
file = /var/log/*.old

file = /var/log/sendmail.st


[Misc]
#
# Various naming schemes for rotated logs
#
IgnoreAdded = /var/log/.*\.[0-9]+$
IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
IgnoreAdded = /var/log/.*\.[0-9]+\.bz2$
IgnoreAdded = /var/log/.*\.[0-9]+\.log$


[IgnoreNone]
##
## for these files, all modifications (even access time) are reported
##- you may create some interesting-looking file (like /etc/safe_passwd),
##  just to watch whether someone will access it ...
##



[User0]
[User1]
## User0 and User1 are sections for files/dirs with 

Re: Internet slowdown when pf is enabled? Running on i386 -current

2007-09-26 Thread Stuart Henderson
On 2007/09/26 22:32, Reza Muhammad wrote:
 Would a tcpdump log be of any help at this point?

maybe; try ifconfig pfsync0 create and tcpdump -nipfsync0 -vvs1000

inserts   280924 1221.4/s
removals  280226 1218.4/s

expect it to scroll pretty damn fast...



Re: Loading PF after ppp

2007-09-26 Thread Martin Schröder
2007/9/26, Amit Finkler [EMAIL PROTECTED]:
 How does one load PF after ppp?

By using ppp.linkup

 cat /etc/ppp/ppp.linkup
MYADDR:
 !bg sh -c "/sbin/pfctl -e -f /etc/pf.conf"

Best
   Martin



Re: Loading PF after ppp

2007-09-26 Thread Cezary Morga
 I connect to the internet using pppoe(8) by putting the following
 line in /etc/rc.local.conf:

 ppp -ddial pppoe

 However, the pf rules load before I have an internet connection and
 therefore pfctl reports an error.

 How does one load PF after ppp?

Being in the same situation I had not enabled PF through rc.conf or
rc.conf.local, instead I've put the following in rc.local:

/usr/sbin/ppp -background -quiet pppoe
if [ $? -eq 0 ]; then
echo PPP enabled
pfctl -e
pfctl -f /etc/pf.conf
fi

I'm not sure whether it's correct or not, but it works for me :)

Regards,
--
Cezary Morga
There are three kinds of lies: lies, damned lies, and statistics.
(Benjamin Disraeli)




Re: spamd shows up as an open relay

2007-09-26 Thread Bob Beck
 I'm not 100% certain I'm getting your idea here ... we do currently
 run inbound/outbound mail on different IPs, but the problem isn't with
 the connections themselves.
 
 From the example session transcript with spamd that I posted earlier:
 
 250 Hello, spam sender. Pleased to be wasting your time.
 MAIL FROM: [EMAIL PROTECTED]
 250 Ok to start over.
 RCPT TO: [EMAIL PROTECTED]
 250 You are about to try to deliver spam. Your time will be spent, for 
 nothing.
 
 For an actual MTA, the 250 code here indicates an open relay, because
 we are not the MX for checkor.com.

Nope, because you can reject it later on. Their test is flawed.

All our open relay checking we do here actually checks the full
dialogue to see if the message is accepted *and* checks for an actual
relay, if they aren't doing that, their test is amateur hour crap. 

 spamd of course doesn't know this
 (and I'm aware that fixing it might not be easy), but it is still
 triggering a false positive as an open relay.

Spamd won't change in this regard. It would completely break
spamd to accommodate some false idea of a test. 
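
The point Bob makes, that a relay test has to score the whole dialogue rather than the reply to RCPT TO, as an added example (not spamd's code, nor any particular relay tester's). The two transcripts are constructed: the 250 texts in the first follow the spamd session quoted above, while the 354/451 lines after DATA and the whole second transcript are assumed sample replies. The local domain list is also a constructed value.

```python
"""Evaluate an open-relay probe on the full SMTP dialogue, not just RCPT TO."""
import re

LOCAL_DOMAINS = {"example.com"}   # constructed: domains this host is MX for

REPLY_CODE = re.compile(r"^(\d{3})([ -]|$)")

# Constructed transcript of a probe talking to spamd in greylist mode.
SPAMD_TRANSCRIPT = """\
C: EHLO probe.example.net
S: 250 Hello, spam sender. Pleased to be wasting your time.
C: MAIL FROM:<probe@example.net>
S: 250 Ok to start over.
C: RCPT TO:<relaytest@example.org>
S: 250 You are about to try to deliver spam. Your time will be spent, for nothing.
C: DATA
S: 354 Enter spam, end with "." on a line by itself
C: Subject: relay probe
C:
C: test body
C: .
S: 451 Temporary failure, please try again later.
"""

# Constructed transcript of a genuinely misconfigured relay.
RELAY_TRANSCRIPT = """\
C: EHLO probe.example.net
S: 250-mail.example.com
S: 250 SIZE 10240000
C: MAIL FROM:<probe@example.net>
S: 250 2.1.0 Ok
C: RCPT TO:<relaytest@example.org>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: relay probe
C:
C: test body
C: .
S: 250 2.0.0 Ok: queued as 0123456789
"""


def parse_dialogue(transcript):
    """Return [(client_command, final_reply_code)] from a 'C:'/'S:' transcript.

    Body lines between an accepted DATA and the lone '.' are not commands and
    are skipped; continuation lines of multi-line replies ('250-...') are
    ignored until the final '250 ' line arrives.
    """
    exchanges, command, in_data = [], None, False
    for raw in transcript.splitlines():
        tag, sep, line = raw.partition(":")
        if not sep:
            continue
        line = line[1:] if line.startswith(" ") else line
        if tag == "C":
            if in_data:
                if line == ".":
                    in_data, command = False, "."
                continue
            command = line
        elif tag == "S":
            m = REPLY_CODE.match(line)
            if not m or m.group(2) == "-":
                continue                      # continuation line, keep reading
            code = int(m.group(1))
            exchanges.append((command, code))
            in_data = command is not None and command.upper() == "DATA" and code == 354
    return exchanges


def assess_relay(transcript, local_domains=LOCAL_DOMAINS):
    """Verdict: was a foreign RCPT TO accepted, was the message accepted after
    '.', and only when both hold do we call it a relay."""
    verdict = {"rcpt_accepted": False, "message_accepted": False}
    for command, code in parse_dialogue(transcript):
        if command is None:
            continue
        accepted = 200 <= code < 300
        if command.upper().startswith("RCPT TO:") and accepted:
            addr = command.split(":", 1)[1].strip().strip("<>")
            domain = addr.rpartition("@")[2].lower()
            if domain not in local_domains:
                verdict["rcpt_accepted"] = True
        elif command == "." and accepted:
            verdict["message_accepted"] = True
    # A tester that stops at the RCPT reply flags spamd; a sound one needs
    # both, and then confirmation that the probe arrived at the foreign mailbox.
    verdict["open_relay"] = verdict["rcpt_accepted"] and verdict["message_accepted"]
    return verdict


if __name__ == "__main__":
    print("spamd:", assess_relay(SPAMD_TRANSCRIPT))
    print("relay:", assess_relay(RELAY_TRANSCRIPT))
```

Against the spamd transcript the RCPT-only check is the only one that fires, which is exactly the false positive described above; the real relay transcript trips both. Even the combined verdict is only a claim of acceptance, not of relaying: the last step Bob mentions, seeing the probe actually arrive at the off-site address, cannot be judged from the dialogue alone.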



Re: Loading PF after ppp

2007-09-26 Thread Andreas Maus
On Wed, Sep 26, 2007 at 05:54:58PM +0200, Amit Finkler wrote:
 I connect to the internet using pppoe(8) by putting the following line
 in /etc/rc.local.conf:
 
 ppp -ddial pppoe
 
 However, the pf rules load before I have an internet connection and
 therefore pfctl reports an error.
 
 How does one load PF after ppp?
Hi Amit.

I guess pf complains about the non-existent interface.

Starting and stopping pf can be done with entries in 
/etc/ppp/ppp.linkup and /etc/ppp/ppp.linkdown

e.g I use:

# cat /etc/ppp/ppp.linkup
[... snipp ...]
  ! sh -c "ifconfig pflog0 up"
  ! sh -c "pfctl -e"
  ! sh -c "pfctl -f /etc/pf.conf"
  ! sh -c "/usr/local/bin/svc -u /service/pflogd"
[... snipp ...]

and 

# cat /etc/ppp/ppp.linkdown
[... snipp ...]
  ! sh -c "/usr/local/bin/svc -d /service/pflogd"
  ! sh -c "/usr/local/bin/svc -t /service/pflogd"
  ! sh -c "pfctl -d"
[... snipp ...]

I use djb's daemontools to start and stop pflogd, but I think you
can also use ! sh -c "/sbin/pflogd" and ! sh -c "pkill pflogd"

HTH,

Andreas.

-- 
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of
an 8-bit operating system written for a 4-bit processor by a 2-bit
company who cannot stand 1 bit of competition.



Re: SMTP flood + spamdb

2007-09-26 Thread Liviu Daia
On 26 September 2007, Peter N. M. Hansteen [EMAIL PROTECTED] wrote:
 Liviu Daia [EMAIL PROTECTED] writes:

  Why should it?  The second copy is sent in a separate run,
  that's the whole point.  The only thing the bot has to figure out
  is how long to wait until the second run.  A smart one would send
  a second copy after 10 minutes, and a third one after, say, 35
  minutes.

 *BZZT!* Assuming facts not in evidence: a *smart* spambot /and/
 a spammer who actually *cares* about the delivery of individual
 messages.

My point is it doesn't have to.  The third copy passes regardless of
what happens with the first two.

[...]
  Moral: randomize the greylisting time...

 Random numbers can be fun, but I'd like to see real world data which
 support your theory.

Ok, since you ask, here's a recent one.  The message passed all my
filters, so it was received three times.  Please note the identical
message-id.

First run:

Sep 25 18:06:16 ns1 postfix-localhost/smtpd[27143]: 9FAE1142A7: 
client=unknown[212.239.40.101]
Sep 25 18:06:17 ns1 postfix/cleanup[3734]: 9FAE1142A7: message-id=[EMAIL 
PROTECTED]
Sep 25 18:06:18 ns1 postfix/qmgr[1554]: 9FAE1142A7: from=[EMAIL PROTECTED], 
size=2545, nrcpt=2 (queue active)
Sep 25 18:06:18 ns1 postfix/pipe[25075]: 9FAE1142A7: to=[EMAIL PROTECTED], 
relay=uucpz, delay=1.8, delays=1.7/0/0/0.06, dsn=2.0.0, status=sent (delivered 
via uucpz service)
Sep 25 18:06:18 ns1 postfix/local[7260]: 9FAE1142A7: to=[EMAIL PROTECTED], 
relay=local, delay=1.9, delays=1.7/0/0/0.24, dsn=2.0.0, status=sent (delivered 
to command: /usr/local/sbin/gather_stats.pl /usr/local/share/Mail_stats)
Sep 25 18:06:18 ns1 postfix/qmgr[1554]: 9FAE1142A7: removed

The same message, sent 8 minutes later:

Sep 25 18:14:14 ns1 postfix-localhost/smtpd[8404]: 1649714331: 
client=unknown[212.239.40.101]
Sep 25 18:14:15 ns1 postfix/cleanup[21622]: 1649714331: message-id=[EMAIL 
PROTECTED]
Sep 25 18:14:15 ns1 postfix/qmgr[1554]: 1649714331: from=[EMAIL PROTECTED], 
size=2547, nrcpt=2 (queue active)
Sep 25 18:14:15 ns1 postfix/pipe[25075]: 1649714331: to=[EMAIL PROTECTED], 
relay=uucpz, delay=1.4, delays=1.4/0/0/0.05, dsn=2.0.0, status=sent (delivered 
via uucpz service)
Sep 25 18:14:15 ns1 postfix/local[7260]: 1649714331: to=[EMAIL PROTECTED], 
relay=local, delay=1.6, delays=1.4/0/0/0.25, dsn=2.0.0, status=sent (delivered 
to command: /usr/local/sbin/gather_stats.pl /usr/local/share/Mail_stats)
Sep 25 18:14:15 ns1 postfix/qmgr[1554]: 1649714331: removed

Same, 28 minutes later:

Sep 25 18:42:52 ns1 postfix-localhost/smtpd[13055]: 72BCD142A7: 
client=unknown[212.239.40.101]
Sep 25 18:42:53 ns1 postfix/cleanup[21622]: 72BCD142A7: message-id=[EMAIL 
PROTECTED]
Sep 25 18:42:53 ns1 postfix/qmgr[1554]: 72BCD142A7: from=[EMAIL PROTECTED], 
size=3724, nrcpt=2 (queue active)
Sep 25 18:42:53 ns1 postfix/pipe[25075]: 72BCD142A7: to=[EMAIL PROTECTED], 
relay=uucpz, delay=0.81, delays=0.75/0.01/0/0.05, dsn=2.0.0, status=sent 
(delivered via uucpz service)
Sep 25 18:42:53 ns1 postfix/local[7260]: 72BCD142A7: to=[EMAIL PROTECTED], 
relay=local, delay=1, delays=0.75/0.01/0/0.24, dsn=2.0.0, status=sent 
(delivered to command: /usr/local/sbin/gather_stats.pl 
/usr/local/share/Mail_stats)
Sep 25 18:42:53 ns1 postfix/qmgr[1554]: 72BCD142A7: removed

Should I have used spamd, the first two copies would have been
discarded, but the third would have passed.

That said, randomizing the greylisting time is probably a lot of
trouble, for little added value (it still doesn't solve the problem).

 I'm beginning to think that this is another one of those 'I refuse to
 believe greylisting works because I refuse to understand it' episodes.

Oh, I'm not saying it doesn't work.  What I'm saying is, greylisting
is trivial to bypass, and some spammers have figured that out.
Amazingly, most of them still haven't, which is why it still works in a
significant number of cases.

Regards,

Liviu Daia

-- 
Dr. Liviu Daia  http://www.imar.ro/~daia



Re: Loading PF after ppp

2007-09-26 Thread Stuart Henderson
 On Wed, Sep 26, 2007 at 05:54:58PM +0200, Amit Finkler wrote:
  I connect to the internet using pppoe(8) by putting the following line
  in /etc/rc.local.conf:
  
  ppp -ddial pppoe
  
  However, the pf rules load before I have an internet connection and
  therefore pfctl reports an error.
  
  How does one load PF after ppp?

By starting ppp from hostname.tun0...



Re: SMTP flood + spamdb

2007-09-26 Thread Bob Beck
 Oh, I'm not saying it doesn't work.  What I'm saying is, greylisting
 is trivial to bypass, and some spammers have figured that out.
 Amazingly, most of them still haven't, which is why it still works in a
 significant number of cases.
 

greylisting does what it does. It delays the initial email
for 30 minutes or more. what you do with that 30 minutes will decide
on how effective it is for you. 

In that 30 minutes:

1) you can look at their traffic profile and decide you don't want to 
   talk to them. 

2) they can hit a greytrap locally and you can decide you don't want to 
   talk to them.

3) they can hit a bogus domain mx'ed to you locally and you can decide you
   don't want to talk to them.

4) optionally, if you check the greylist against valid local mail addresses, 
   you could trap them if they're mailing to bogus local addresses (we do that 
here)

5) 1-4 could happen above at someone else's site (like nixspam or uatraps) that
you are using as a blacklist. 

And in the end some of it gets through. That's why you run other
stuff in addition to spamd if you really can't stand that. 

spamd is designed to get the low hanging fruit. It is *NOT* designed
to stop all possible spam, forever. attempting to do so there is wrong. Spamd is
a *tool* - it's good for what it's good for - stopping stuff that is easily
identifiable in the smtp dialogue. It is not intended for other things. 

-Bob



Re: SMTP flood + spamdb

2007-09-26 Thread Jeremy C. Reed
On Wed, 26 Sep 2007, Liviu Daia wrote:

 Same, 28 minutes later:
 
 Sep 25 18:42:52 ns1 postfix-localhost/smtpd[13055]: 72BCD142A7: 
 client=unknown[212.239.40.101]
 Sep 25 18:42:53 ns1 postfix/cleanup[21622]: 72BCD142A7: message-id=[EMAIL 
 PROTECTED]
 Sep 25 18:42:53 ns1 postfix/qmgr[1554]: 72BCD142A7: from=[EMAIL PROTECTED], 
 size=3724, nrcpt=2 (queue active)
 Sep 25 18:42:53 ns1 postfix/pipe[25075]: 72BCD142A7: to=[EMAIL PROTECTED], 
 relay=uucpz, delay=0.81, delays=0.75/0.01/0/0.05, dsn=2.0.0, status=sent 
 (delivered via uucpz service)
 Sep 25 18:42:53 ns1 postfix/local[7260]: 72BCD142A7: to=[EMAIL PROTECTED], 
 relay=local, delay=1, delays=0.75/0.01/0/0.24, dsn=2.0.0, status=sent 
 (delivered to command: /usr/local/sbin/gather_stats.pl 
 /usr/local/share/Mail_stats)
 Sep 25 18:42:53 ns1 postfix/qmgr[1554]: 72BCD142A7: removed
 
 Should I have used spamd, the first two copies would have been
 discarded, but the third would have passed.

Not good example. As that would still hit spamd (default 25 minutes and 
your earlier one was too fast). Now it is whitelisted.

Do you have a fourth email sent? (Which will have passed.)
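
A small model of the greylisting behaviour this thread describes, as an added example (not spamd's source). It follows Peter's three-step flow (first try greyed, retry after passtime whitelists the source but still gets a 451, next connection reaches the real MTA), keys entries on the tuple Jeremy lists (connecting IP, HELO, envelope-from, envelope-to), uses the 25 minute passtime and 4 hour grey expiry that are spamd's documented defaults, and adds three things discussed upthread: the greytrap addresses from Bob's item 2, a greyscanner-style count of distinct recipients per source during the grey window as Dave suggested, and the /24 whitelisting Luca mentioned. The expiry handling is a simplification; all IPs and addresses are constructed sample values.

```python
"""Greylisting model after spamd's behaviour as described in this thread."""
import ipaddress

PASSTIME = 25 * 60          # spamd -p default: 25 minutes, in seconds
GREYEXP = 4 * 60 * 60       # spamd -G default: grey entries expire after 4 hours


class Greylist:
    def __init__(self, passtime=PASSTIME, greyexp=GREYEXP, traps=(),
                 whitelist_prefix=32):
        self.passtime = passtime
        self.greyexp = greyexp
        self.traps = {t.lower() for t in traps}     # greytrap recipient addresses
        self.prefix = whitelist_prefix              # 32 = single IP, 24 = whole /24
        self.grey = {}      # (ip, helo, from, to) -> (first_seen, expire)
        self.white = set()  # whitelisted networks as "a.b.c.d/len"
        self.trapped = set()

    def _net(self, ip):
        return str(ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False))

    def connect(self, now, ip, helo, mail_from, rcpt_to):
        """Decision for one delivery attempt at time `now` (seconds):
        'pass' - source is whitelisted, hand the connection to the real MTA
        'grey' - 451 try again later
        'trap' - recipient is a spamtrap; the source is tarpitted from now on
        """
        if ip in self.trapped:
            return "trap"
        if rcpt_to.lower() in self.traps:
            self.trapped.add(ip)
            self.white.discard(self._net(ip))   # simplification: drops the whole net
            return "trap"
        if self._net(ip) in self.white:
            return "pass"
        key = (ip, helo.lower(), mail_from.lower(), rcpt_to.lower())
        entry = self.grey.get(key)
        if entry is None or now > entry[1]:
            # First sighting of this tuple (or the old entry expired): start the clock.
            self.grey[key] = (now, now + self.greyexp)
            return "grey"
        first_seen = entry[0]
        if now - first_seen >= self.passtime:
            # Retry after passtime: whitelist the source for *future* connections;
            # this connection is still told to try again later.
            self.white.add(self._net(ip))
            del self.grey[key]
        return "grey"

    def flood_sources(self, min_recipients):
        """Sources with at least `min_recipients` distinct grey recipients
        (the kind of check greyscanner does during the grey window)."""
        per_ip = {}
        for ip, _helo, _from, to in self.grey:
            per_ip.setdefault(ip, set()).add(to)
        return sorted(ip for ip, tos in per_ip.items() if len(tos) >= min_recipients)


def replay(minutes, **kwargs):
    """Decisions for one constructed tuple retried at the given minute offsets."""
    gl = Greylist(**kwargs)
    return [gl.connect(m * 60, "192.0.2.10", "mx.example.net",
                       "sender@example.net", "user@example.org") for m in minutes]


if __name__ == "__main__":
    print("three tries:", replay([0, 30, 31]))
    print("8 min, 36 min, 40 min:", replay([0, 8, 36, 40]))
```

Replaying the timings from the log above (copies at 0, 8 and 36 minutes) gives grey, grey, grey: the 8 minute retry is inside passtime, the 36 minute one whitelists the source but is itself still refused, and only a fourth copy would pass, which is the point made in this reply. A retry that arrives after the grey entry has expired starts the clock again rather than passing, which is why a generous expiry matters for the queue backoff schedules mentioned earlier.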




Re: Speed Problems

2007-09-26 Thread Tom Bombadil
Hi Claudio...

What does 'net.inet.ip.ifq.maxlen=256' do for us?

Tried a few 'man', and a few google searches and I wasn't very
successful. Found tons of other posts telling ppl to bump up that
sysctl, but never found what it does exactly.

Cheers,
g.



Re: Porting OpenBSD to OLPC XO laptops.

2007-09-26 Thread Joshua Smith
Maybe I've missed something but what makes it impossible to write a
device driver for the Wireless chipset?

-Josh

On 9/26/07, Paul de Weerd [EMAIL PROTECTED] wrote:
 [diverted to [EMAIL PROTECTED]

 On Wed, Sep 26, 2007 at 08:08:41AM -0700, big one wrote:
 | OLPC (One Laptop Per Child) had released XO AMD Geode LX Laptops
 | using G1G1 (Buy 2 Get 1). One laptop will be sent to the buyer and the
 | 2nd laptop will be sent to a child in a poor, developing country.
 |
 | According to Mr Theo de Raadt from OpenBSD, it is impossible to
 | write device driver for Wireless chipset inside XO.
 |
 | According to OLPC developer team:
 | 1. There is no standard BIOS inside XO laptops.
 | 2. There is no VGA/EGA/CGA video mode.
 |
 | Is it possible to port OpenBSD to XO Laptops without
 | activating/using the wireless chipset?
 | Thank you

 Why not buy some and send them to interested developers.

 Buy 2 Send 1 to an OpenBSD developer ;)

 Cheers,

 Paul 'WEiRD' de Weerd

 --
 [++-]+++.+++[---].+++[+
 +++-].++[-]+.--.[-]
  http://www.weirdnet.nl/



Re: SMTP flood + spamdb

2007-09-26 Thread Liviu Daia
On 26 September 2007, Jeremy C. Reed [EMAIL PROTECTED] wrote:
 On Wed, 26 Sep 2007, Liviu Daia wrote:
 
  Same, 28 minutes later:
  
  Sep 25 18:42:52 ns1 postfix-localhost/smtpd[13055]: 72BCD142A7: 
  client=unknown[212.239.40.101]
  Sep 25 18:42:53 ns1 postfix/cleanup[21622]: 72BCD142A7: message-id=[EMAIL 
  PROTECTED]
  Sep 25 18:42:53 ns1 postfix/qmgr[1554]: 72BCD142A7: from=[EMAIL 
  PROTECTED], size=3724, nrcpt=2 (queue active)
  Sep 25 18:42:53 ns1 postfix/pipe[25075]: 72BCD142A7: to=[EMAIL 
  PROTECTED], relay=uucpz, delay=0.81, delays=0.75/0.01/0/0.05, dsn=2.0.0, 
  status=sent (delivered via uucpz service)
  Sep 25 18:42:53 ns1 postfix/local[7260]: 72BCD142A7: to=[EMAIL 
  PROTECTED], relay=local, delay=1, delays=0.75/0.01/0/0.24, dsn=2.0.0, 
  status=sent (delivered to command: /usr/local/sbin/gather_stats.pl 
  /usr/local/share/Mail_stats)
  Sep 25 18:42:53 ns1 postfix/qmgr[1554]: 72BCD142A7: removed
  
  Should I have used spamd, the first two copies would have been
  discarded, but the third would have passed.
 
 Not good example. As that would still hit spamd (default 25 minutes
 and your earlier one was too fast). Now it is whitelisted.

 Do you have a fourth email sent? (Which will have passed.)

Not at hand, but I haven't been looking for one either.  Does spamd
really behave like that?  That is, ignore retries during the greylisting
period, and whitelist messages only on subsequent attempts?

Regards,

Liviu Daia

-- 
Dr. Liviu Daia  http://www.imar.ro/~daia
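The greylisting behaviour Jeremy describes above (retries inside the passtime window are still refused, and a retry after it whitelists the source) is easy to model. The block below is an added example written for this page, not code from spamd or from anyone in the thread. It assumes stock spamd timing (a 25-minute passtime, 4-hour grey expiry, 864-hour white expiry) and uses a constructed source address, sender and recipient.

```python
from datetime import datetime, timedelta

# spamd(8) default timing, -G passtime:greyexp:whiteexp = 25:4:864
# (assumed stock values, not taken from the thread).
PASSTIME = timedelta(minutes=25)
GREYEXP = timedelta(hours=4)
WHITEEXP = timedelta(hours=864)


class Greylister:
    """Toy model of spamd greylisting keyed on (source IP, env-from, env-to)."""

    def __init__(self, passtime=PASSTIME, greyexp=GREYEXP, whiteexp=WHITEEXP):
        self.passtime = passtime
        self.greyexp = greyexp
        self.whiteexp = whiteexp
        self.grey = {}    # (ip, from, to) -> time the tuple was first seen
        self.white = {}   # ip -> whitelist expiry

    def check(self, ip, mail_from, rcpt_to, now):
        """Return 'ACCEPT' or 'TEMPFAIL' for one delivery attempt at time now."""
        expiry = self.white.get(ip)
        if expiry is not None:
            if now < expiry:
                return "ACCEPT"           # source already whitelisted
            del self.white[ip]            # whitelist entry aged out

        key = (ip, mail_from.lower(), rcpt_to.lower())
        first_seen = self.grey.get(key)
        if first_seen is None or now - first_seen > self.greyexp:
            # Unknown (or expired) tuple: start greylisting with a 4xx reply.
            self.grey[key] = now
            return "TEMPFAIL"
        if now - first_seen < self.passtime:
            # Retry before passtime: still 4xx. The first-seen time is NOT
            # reset, so the sender only has to wait out the original window.
            return "TEMPFAIL"
        # Retry after passtime: the source behaves like a real MTA, whitelist it.
        del self.grey[key]
        self.white[ip] = now + self.whiteexp
        return "ACCEPT"


def simulate_retries(offsets_minutes):
    """Replay one sender retrying at the given minute offsets; return verdicts."""
    g = Greylister()
    t0 = datetime(2007, 9, 25, 18, 14, 0)     # constructed timestamp
    verdicts = []
    for m in offsets_minutes:
        verdicts.append(g.check("192.0.2.10",             # constructed source
                                "sender@example.net",     # constructed env-from
                                "user@example.org",       # constructed env-to
                                t0 + timedelta(minutes=m)))
    return verdicts


if __name__ == "__main__":
    # First attempt, a retry one minute later, then one 28 minutes after the first
    print(simulate_retries([0, 1, 28]))    # ['TEMPFAIL', 'TEMPFAIL', 'ACCEPT']
```

The third verdict is the point of Jeremy's remark: a copy arriving 28 minutes after the first is past passtime, so it is accepted and the source is whitelisted; a copy at minute 24 would still be refused, and a retry more than four hours later starts the cycle over because the grey entry has expired.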



Re: SMTP flood + spamdb

2007-09-26 Thread Liviu Daia
On 26 September 2007, Bob Beck [EMAIL PROTECTED] wrote:
  Oh, I'm not saying it doesn't work.  What I'm saying is,
  greylisting is trivial to bypass, and some spammers have figured
  that out.  Amazingly, most of them still haven't, which is why it
  still works in a significant number of cases.
 

   greylisting does what it does. It delays the initial email for
 30 minutes or more. what you do with that 30 minutes will decide on
 how effective it is for you.

   In that 30 minutes)
[...]

Ok, brain dump:

That's an interesting idea, a lot of slow operations could be
offloaded to those 30 minutes.  Your greyscanner script does DNS checks
on the envelope.  A lot more could be done, should the script have
access to the body.  I think it's legal to reply with 4xx (that is,
simulate a queue error) to the final ".".  That could be used to gather
and inspect the data; basically do at greylisting time what Postfix does
with the after-queue filters.

I suppose gathering everything would be prohibitive though, and
against the entire philosophy of greylisting.  Which brings me to a
different approach: use a pre-queue filter instead of spamd (which is
what I'm doing now).  Now, the problem with pre-queue filters is they
can take too long to scan a message.  Thus, the better mouse trap: a
pre-queue filter, which can send feedback to spamd, and use spamd's
database to keep some state across messages.  I need to ponder on that
some more.

   spamd is designed to get the low hanging fruit. It is *NOT*
 designed to stop all possible spam, forever. attempting to do so there
 is wrong. Spamd is a *tool* - it's good for what it's good for -
 stopping stuff that is easily identifiable in the smtp dialogue. It is
 not intended for other things.

We are in violent agreement here...

Regards,

Liviu Daia

-- 
Dr. Liviu Daia  http://www.imar.ro/~daia



Re: Porting OpenBSD to OLPC XO laptops.

2007-09-26 Thread Constantine A. Murenin
On 26/09/2007, Paul de Weerd [EMAIL PROTECTED] wrote:
 [diverted to [EMAIL PROTECTED]

 On Wed, Sep 26, 2007 at 08:08:41AM -0700, big one wrote:
 | OLPC (One Laptop Per Child) had released XO AMD Geode LX Laptops
 | using G1G1 (Buy 2 Get 1). One laptop will be sent to the buyer and the
 | 2nd laptop will be sent to a child in a poor, developing country.
 |
 | According to Mr Theo de Raadt from OpenBSD, it is impossible to
 | write device driver for Wireless chipset inside XO.
 |
 | According to OLPC developer team:
 | 1. There is no standard BIOS inside XO laptops.
 | 2. There is no VGA/EGA/CGA video mode.
 |
 | Is it possible to port OpenBSD to XO Laptops without
 | activating/using the wireless chipset?
 | Thank you

 Why not buy some and send them to interested developers.

 Buy 2 Send 1 to an OpenBSD developer ;)

You'd have to buy at least a total of four laptops then. :)

It is no less interesting to note that the price is obviously 2 times
more than what it was supposed to be.

One more thing that deserves attention is that the OLPC camp promised
us all that by the time the laptop goes into mass production, all
parts of the system will be free, including the wireless module --
but is it indeed so?

C.



Re: Porting OpenBSD to OLPC XO laptops.

2007-09-26 Thread Stuart Henderson
On 2007/09/26 13:58, Joshua Smith wrote:
 Maybe I've missed something but what makes it impossible to write a
 device driver for the Wireless chipset?

not impossible, but I think it was fiddly. it's malo(4), isn't it?

there's the usual silly games with firmware files too, you need to get
them onto the system by some other method (wired, USB, type in a printed
uuencode, or whatever).



Re: Porting OpenBSD to OLPC XO laptops.

2007-09-26 Thread Constantine A. Murenin
On 26/09/2007, Joshua Smith [EMAIL PROTECTED] wrote:
 Maybe I've missed something but what makes it impossible to write a
 device driver for the Wireless chipset?

Nothing is impossible, but the problem is that so many parts of the
OLPC hardware are proprietary and without readily available
documentation that the work would be very difficult and time
consuming.

Looks can be deceiving, too: this version of the laptop appears to be
targeted to 18+ users, because in many jurisdictions you have to be at
least 18 to sign an NDA in order to actually explore the hardware part
of the laptop.

C.



Re: Internet slowdown when pf is enabled? Running on i386 -current

2007-09-26 Thread Can E. Acar
Reza Muhammad wrote:
 
 Hi guys,
 
 I'm having a problem with my Internet connection in my home network. I 
 noticed that \
 my Internet connection has been very slow since I upgraded to -current a week 
 ago.  \
 First, I thought it was just my ISP problem.  Then, I tried to connect to the 
 \
 Internet directly from my laptop, it worked fine.

Did it happen before the upgrade? What were you running before?

 I noticed that the Internet is slowing down when pf is enabled.  I changed my 
 pf.conf \
 to only do nat, and scrub incoming packets, but it is still slow.  Here's the 
 output \
 of 'ping' to the Internet.
[snip]
 
 noticed that the connection is more than 4 times slower?
 
 # here's my pf settings
 [EMAIL PROTECTED]:~% sudo pfctl -sa
 TRANSLATION RULES:
 nat on sis0 inet from 192.168.1.0/24 to any - (sis0:0)
 
 FILTER RULES:
 scrub in all fragment reassemble
 pass in all flags S/SA keep state
 pass out all flags S/SA keep state
 No queue in use
 
[snip]
 
 my home network is on 192.168.1.0/24, but I see a lot of connections with 
 state \
 NO_TRAFFIC:SINGLE that are from other networks (I'm assuming they are coming 
 from my \
 ISP's network). Can someone help me out here? Would hardware be the problem? 
 I just \
 thought that if the network card was broken, it should just not work right? 
 Rather \
 than the connection being slower?  Anyway, let me just post my dmesg also

There is a lot of external broadcast traffic; it is probably the cause of
the large number of state insertions/deletions. It is either a badly
designed p2p/broadcast/whatever protocol, or the result of the worm/malware
of the month.

Can you add

block drop in quick on sis0 all

at the start of your ruleset? This way the external traffic does not
create states at all.

Can

-- 
In theory, there is no difference between theory and practice.
But, in practice, there is.



4.2 and compactflash

2007-09-26 Thread Chris Cohen
Hi,

maybe this is a bit off-topic, but:
I'm planning to upgrade my firewall box which is running 4.1-STABLE on a 512MB 
Kingston compactflash card to 4.2 on a 1-2GB (also Kingston) cf card.
Currently I have / mounted ro and /var and /etc on an mfs which can be 
tricky...

Question is: do I still need to mount / ro on current cf cards or do they have 
enough write cycles?

The box doesn't run anything but pf, named and ntpd.

-- 
Thanks
Chris



Re: Speed Problems

2007-09-26 Thread Claudio Jeker
On Wed, Sep 26, 2007 at 10:48:02AM -0700, Tom Bombadil wrote:
 Hi Claudio...
 
 What does 'net.inet.ip.ifq.maxlen=256' do for us?
 
 Tried a few 'man', and a few google searches and I wasn't very
 successful. Found tons of other posts telling ppl to bump up that
 sysctl, but never found what it does exactly.
 

net.inet.ip.ifq.maxlen defines how many packets can be queued in the IP
input queue before further packets are dropped. Packets coming from the
network card are first put into this queue and the actual IP packet
processing is done later. Gigabit cards with interrupt mitigation may spit
out many packets per interrupt, plus heavy use of pf can slow down the
packet forwarding. So it is possible that a heavy burst of packets is
overflowing this queue. On the other hand you do not want to use a too big
number because this has negative effects on the system (livelock etc).
256 seems to be a better default than the 50 but additional tweaking may
allow you to process a few packets more.

-- 
:wq Claudio



Re: Speed Problems

2007-09-26 Thread Stuart Henderson
On 2007/09/26 10:48, Tom Bombadil wrote:
 What does 'net.inet.ip.ifq.maxlen=256' do for us?

try http://archive.openbsd.nu/?ml=openbsd-techa=2006-10t=2474666



Re: 4.2 and compactflash

2007-09-26 Thread Chris Kuethe
On 9/26/07, Chris Cohen [EMAIL PROTECTED] wrote:
 Question is: do I still need to mount / ro on current cf cards or do they have
 enough write cycles?

Go ahead and mount rw. I've put a couple of terabytes through a 256M
card with iogen, and it's doing fine. The wear-leveling mechanisms on
the cards work quite well, and I've had cards in production for years
with no ill effect.

CK

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: You can't export non-ffs filesystems with NFS, and it isn't documented

2007-09-26 Thread Alexander Hall

[ Answering to a post from two and a half years back. :-)
  I was fiddling with nfs and stuff and remembered this thread.
  While reading it, I found out what the problem was. I realize
  (or at least hope) that Han is not still troubleshooting this
  issue, but for the archives... :-) ]

Han Boetes wrote:

Julian Leyh wrote:

Han Boetes [EMAIL PROTECTED] wrote:

I just noticed once again you can't export non-ffs filesystems
with NFS. Well you can export them, but after mounting the
partition on the client you won't see any files.

I can't verify this behavior... mounted a msdos filesystem (usb
stick) and exported it via nfs. i could mount and view all files
on target nfs client. (server and client both -current).


Odd...

Could you be so kind to show me the lines of the msdos partition
in /etc/fstab and in exports?

I have:

  ~% grep msdos /etc/fstab
  /dev/sd0a /mnt/usb msdos rw,nodev,nosuid,noatime,noauto 0 0

  ~% grep usb /etc/exports 
  /mnt/usb/ -mapall=han:nfs marsupilami


The problem is that nfs shares do not traverse file system mount 
points once initialized. Since nfs probably was started prior to 
mounting the msdos partition (with the noauto option in /etc/fstab), nfs 
would only share the contents of the mount point directory itself.


A ``pkill -HUP mountd'' might help after mounting the msdos file system, 
in order to make mountd aware of the new file system overriding the 
mount point directory.


/Alexander



Re: Speed Problems

2007-09-26 Thread Tom Bombadil
 net.inet.ip.ifq.maxlen defines how many packets can be queued in the IP
 input queue before further packets are dropped. Packets coming from the
 network card are first put into this queue and the actual IP packet
 processing is done later. Gigabit cards with interrupt mitigation may spit
 out many packets per interrupt, plus heavy use of pf can slow down the
 packet forwarding. So it is possible that a heavy burst of packets is
 overflowing this queue. On the other hand you do not want to use a too big
 number because this has negative effects on the system (livelock etc).
 256 seems to be a better default than the 50 but additional tweaking may
 allow you to process a few packets more.

Thanks Claudio...

In the link that Stuart posted here, Henning mentions 256 times the
number of interfaces:
http://archive.openbsd.nu/?ml=openbsd-techa=2006-10t=2474666

I'll try both and see.

Thank you and Stuart for the hints.



Re: Speed Problems

2007-09-26 Thread rezidue
Hopefully this makes it through , I've been trying to post comments all day
but they don't seem to make it here.

To Bryan, I wasn't running pf originally when I noticed this problem but I
am now just to block ssh from the outside.  I've disabled and re-enabled pf
to see if it affects throughput and it's not, or isn't that noticeable.  As
for what I have done I have performed a number of bandwidth tests.  I've
come from the outside, traversing the gateway while downloading from an
internal host.  I've come from the outside to the gateway downloading from
it, I've come from the local subnet on a machine running the exact same
hardware and installation while transferring a file in each direction.
While under high load all forms of this testing are affected with poor
speeds.  Even when not under high loads I never see the speeds I should.
I've checked interface stats on the switch and have found no errors.  I have
run iperf and can only seem to get 5-16Mb/s.  I even bumped up sendspace and
recvspace to help with edge host to host transfer but I've not seen any
improvement.  I'm going to be tinkering with netperf more because I'm not
sure if I ran into an issue on bsd with it.  On two linux boxes on the
inside it reports line speed between them.

To Max, Cables don't show any problems and I have the problems internally as
well, not just external hosts.  I wish it was that simple.

To Claudio, I've gone through the 4.1 and 4.2 changes in hopes I would find
some clear reason as to why I'm having these issues but I've not seen
anything. The odd thing is that I report a negative value for drops and it's
counting down.

net.inet.ip.ifq.drops=-1381027346

I've put maxlen=256 and it seems to have slowed the count down.


To Stuart, Dmesg has not shown any issues.  I've been a bit confused with
how to interpret the output of vmstat and systat vmstat.  I was told to
look for interrupts on systat vmstat but I haven't seen any being thrown
while under heavy load.  I also don't think I understand how interrupts
work.  As for vmstat -i, I'm not exactly sure what would signify a problem
but I get the following output:

Gateway1 (about 3-4 times the load of gateway2)
interrupt   total rate
irq0/clock 6455328221  399
irq0/ipi   2543041813  157
irq19/ohci0  91660
irq17/pciide0 76302290
irq0/bge0 25346022947 1570
irq1/bge1 21123330824 1308
Total 55475363200 3437

Gateway2:
interrupt   total rate
irq0/clock 6455272059  400
irq0/ipi   1819715207  112
irq19/ohci0 125740
irq17/pciide0 62321130
irq0/bge0  8118898045  503
irq1/bge1 12291117020  761
Total 28691247018 1777



On 9/26/07, Tom Bombadil [EMAIL PROTECTED] wrote:

  net.inet.ip.ifq.maxlen defines how many packets can be queued in the IP
  input queue before further packets are dropped. Packets coming from the
  network card are first put into this queue and the actual IP packet
  processing is done later. Gigabit cards with interrupt mitigation may
 spit
  out many packets per interrupt, plus heavy use of pf can slow down the
  packet forwarding. So it is possible that a heavy burst of packets is
  overflowing this queue. On the other hand you do not want to use a too
 big
  number because this has negative effects on the system (livelock etc).
  256 seems to be a better default than the 50 but additional tweaking may
  allow you to process a few packets more.

 Thanks Claudio...

 In the link that Stuart posted here, Henning mentions 256 times the
 number of interfaces:
 http://archive.openbsd.nu/?ml=openbsd-techa=2006-10t=2474666

 I'll try both and see.

 Thank you and Stuart for the hints.
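Claudio's description of the IP input queue, and the negative net.inet.ip.ifq.drops value reported above, both come down to reading three sysctl counters correctly. The block below is an added example for this page, not code from the thread or from OpenBSD: it parses `sysctl net.inet.ip.ifq` output, reinterprets a wrapped counter, and computes the drop rate between two samples. It assumes the drops counter is a signed 32-bit integer that has wrapped (which is what a large negative value that keeps counting down looks like); the two samples are constructed, with the first drops value taken from the post above.

```python
INT32 = 1 << 32

# Constructed samples, as printed by `sysctl net.inet.ip.ifq` a minute apart.
# The first drops value is the one reported in the thread; the rest is made up.
SAMPLE_T0 = """\
net.inet.ip.ifq.len=3
net.inet.ip.ifq.maxlen=256
net.inet.ip.ifq.drops=-1381027346
"""
SAMPLE_T1 = """\
net.inet.ip.ifq.len=41
net.inet.ip.ifq.maxlen=256
net.inet.ip.ifq.drops=-1381020000
"""


def parse_ifq(text):
    """Parse sysctl output into {'len': .., 'maxlen': .., 'drops': ..}."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("net.inet.ip.ifq."):
            continue
        name, _, raw = line.partition("=")
        values[name.rsplit(".", 1)[1]] = int(raw)
    return values


def unsigned32(n):
    """Reinterpret a signed 32-bit counter that went negative as unsigned.

    Assumption: the kernel keeps the counter in a 32-bit int, so a negative
    reading means it passed 2^31 and wrapped, not that drops were subtracted.
    """
    return n % INT32


def drops_between(before, after):
    """Packets dropped between two samples, tolerating one 32-bit wrap."""
    return (unsigned32(after["drops"]) - unsigned32(before["drops"])) % INT32


def assess(before, after, seconds):
    """Summarise input-queue pressure between two samples taken `seconds` apart.

    The absolute drops total is history; the rate, and how close len gets to
    maxlen, is what says whether the queue is overflowing under current load.
    """
    dropped = drops_between(before, after)
    return {
        "drops_per_sec": dropped / seconds,
        "queue_fill": after["len"] / after["maxlen"],
        "dropping": dropped > 0,
    }


if __name__ == "__main__":
    s0, s1 = parse_ifq(SAMPLE_T0), parse_ifq(SAMPLE_T1)
    print("true drops total:", unsigned32(s0["drops"]))   # 2913939950
    print(assess(s0, s1, 60))
```

Two samples taken under load, rather than a single reading, tell you whether raising maxlen actually stopped the drops; a counter that is still rising after the change means the queue is still overflowing, whatever the sign of the printed number.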



Speed Problems Part 2

2007-09-26 Thread rezidue
For some reason I can't seem to reply to the earlier responses.  Hopefully
this gets through.

On 9/26/07, Bryan Irvine  [EMAIL PROTECTED] wrote:

What have you looked at? are you running pf? what kind of ruleset?
   Tried simplifying it?

--Bryan

I wasn't running pf originally when I noticed this problem but I am now just
to block ssh from the outside.  I've disabled and re-enabled pf to see if it
affects throughput and it's not, or isn't that noticeable.  As for what I
have done I have performed a number of bandwidth tests.  I've come from the
outside, traversing the gateway while downloading from an internal host.
I've come from the outside to the gateway downloading from it, I've come
from the local subnet on a machine running the exact same hardware and
installation while transferring a file in each direction.  While under high
load all forms of this testing are affected with poor speeds.  Even when not
under high loads I never see the speeds I should.  I've checked interface
stats on the switch and have found no errors.  I have run iperf and can only
seem to get 5-16Mb/s.  I even bumped up sendspace and recvspace to help with
edge host to host transfer but I've not seen any improvement.  I'm going to
be tinkering with netperf more because I'm not sure if I ran into an issue
on bsd with it.  On two linux boxes on the inside it reports line speed
between them.

On 9/26/07, Maxim Belooussov  [EMAIL PROTECTED] wrote:

Hi,
   The first thing to do is to check the cable :)

   And the second thing to do is to check the entire chain. Maybe it's
   not you, but the other end who cannot handle the load.

   Max

Cables don't show any problems and I have the problems internally as well,
not just external hosts.  I wish it was that simple.

On 9/26/07, Claudio Jeker [EMAIL PROTECTED] wrote:

Order a 4.2 CD and install it as soon as you get it. 4.2 removed many
bottlenecks in the network stack. In the meanwhile check out for the ip
ifq len:
# sysctl net.inet.ip.ifq
net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=256
net.inet.ip.ifq.drops=0

I bet your drops are non 0 and the maxlen is too small (256 is a better
value for gigabit firewalls/routers).
--
:wq Claudio

I've gone through the 4.1 and 4.2 changes in hopes I would find some clear
reason as to why I'm having these issues but I've not seen anything.  What
exactly is this queue?  The odd thing is that I report a negative value for
drops and it's counting down.

net.inet.ip.ifq.drops=-1381027346

I've put maxlen=256 and it seems to have slowed the count down.

On 9/26/07, Stuart Henderson [EMAIL PROTECTED] wrote:

dmesg and vmstat -i might give clues. Also try bsd.mp if you use
bsd (or vice-versa), and Claudio's suggestion of 4.2 is a good one.

Dmesg has not shown any issues.  I've been a bit confused with how to
interpret the output of vmstat and systat vmstat.  I was told to look for
interrupts on systat vmstat but I haven't seen any being thrown while
under heavy load.  As for vmstat -i, I'm not exactly sure what would
signify a problem but I get the following output:

Gateway1 (about 3-4 times the load of gateway2)
interrupt   total rate
irq0/clock 6455328221  399
irq0/ipi   2543041813  157
irq19/ohci0  91660
irq17/pciide0 76302290
irq0/bge0 25346022947 1570
irq1/bge1 21123330824 1308
Total 55475363200 3437

Gateway2:
interrupt   total rate
irq0/clock 6455272059  400
irq0/ipi   1819715207  112
irq19/ohci0 125740
irq17/pciide0 62321130
irq0/bge0  8118898045  503
irq1/bge1 12291117020  761
Total 28691247018 1777

Here is my sysctl -a output:

kern.ostype=OpenBSD
kern.osrelease=4.0
kern.osrevision=200611
kern.version=OpenBSD 4.0-stable (GENERIC.MP) #0: Thu Mar 15 07:28:19 CST
2007
[EMAIL PROTECTED]
:/usr/src/sys/arch/amd64/compile/GENERIC.MP

kern.maxvnodes=1310
kern.maxproc=532
kern.maxfiles=1772
kern.argmax=262144
kern.securelevel=1
kern.hostname=dyno1.nothingtoseehere.com
kern.hostid=0
kern.clockrate=tick = 1, tickadj = 40, hz = 100, profhz = 100, stathz =
100
kern.posix1version=199009
kern.ngroups=16
kern.job_control=1
kern.saved_ids=1
kern.boottime=Fri Mar 23 06:44:05 2007
kern.domainname=
kern.maxpartitions=16
kern.rawpartition=2
kern.osversion=GENERIC.MP#0
kern.somaxconn=128
kern.sominconn=80
kern.usermount=0
kern.random=160901082016 47373568 0 502891828 23135 5922320 0 0 0 0 0 0
22063035075 935474146 14935755619 48820374348 1984945954 2097660952
3949423372 384190080 606887773 1054912573 2101170714 1709697072 1531324571
891699911 1726356236 407933168 707207288 1237035834 37928905 5295362
15709563 160990 51580 47229 44160 31299 

Re: 4.2 and compactflash

2007-09-26 Thread Chris Cohen
On Wednesday 26 September 2007 21:17:00 Chris Kuethe wrote:
 On 9/26/07, Chris Cohen [EMAIL PROTECTED] wrote:
  Question is: do I still need to mount / ro on current cf cards or do they
  have enough write cycles?

 Go ahead and mount rw. I've put a couple of terabytes through a 256M
 card with iogen, and it's doing fine. The wear-leveling mechanisms on
 the cards work quite well, and I've had cards in production for years
 with no ill effect.


Thank you Chris ;) and the guys who replied off-list.

-- 
Greetings
Chris



Re: Porting OpenBSD to OLPC XO laptops.

2007-09-26 Thread Martin Reindl
Paul de Weerd [EMAIL PROTECTED] wrote:

 [diverted to [EMAIL PROTECTED]
 
 On Wed, Sep 26, 2007 at 08:08:41AM -0700, big one wrote:
 | OLPC (One Laptop Per Child) had released XO AMD Geode LX Laptops
 | using G1G1 (Buy 2 Get 1). One laptop will be sent to the buyer and the
 | 2nd laptop will be sent to a child in a poor, developing country.
 | 
 | According to Mr Theo de Raadt from OpenBSD, it is impossible to
 | write device driver for Wireless chipset inside XO.
 | 
 | According to OLPC developer team:
 | 1. There is no standard BIOS inside XO laptops.
 | 2. There is no VGA/EGA/CGA video mode.
 | 
 | Is it possible to port OpenBSD to XO Laptops without
 | activating/using the wireless chipset?
 | Thank you
 
 Why not buy some and send them to interested developers. 
 
 Buy 2 Send 1 to an OpenBSD developer ;)
 

Last week I borrowed a pre-production B2 model from a friendly OLPC
developer. It's true the hardware is more like some embedded appliance
than 'normal' i386. Moreover, it uses Open Firmware and not a BIOS.

You can probably find this information and more on the OLPC wikis but
here are dmesg and lspci for the curious. But keep in mind this is a
pre-production model and the hardware in the production models is
beefed up.

(And no, I'm currently too much of a slacker getting it working with
OpenBSD)

00:01.0 Host bridge: National Semiconductor Corporation Geode GX2 Host Bridge 
(rev 21)
00:01.1 VGA compatible controller: National Semiconductor Corporation Geode GX2 
Graphics Processor
00:0c.0 FLASH memory: Marvell Technology Group Ltd. Unknown device 4100 (rev 10)
00:0c.1 Generic system peripheral [0805]: Marvell Technology Group Ltd. Unknown 
device 4101 (rev 10)
00:0c.2 Multimedia video controller: Marvell Technology Group Ltd. Unknown 
device 4102 (rev 10)
00:0f.0 ISA bridge: Advanced Micro Devices [AMD] CS5536 [Geode companion] ISA 
(rev 03)
00:0f.3 Multimedia audio controller: Advanced Micro Devices [AMD] CS5536 [Geode 
companion] Audio (rev 01)
00:0f.4 USB Controller: Advanced Micro Devices [AMD] CS5536 [Geode companion] 
OHC (rev 02)
00:0f.5 USB Controller: Advanced Micro Devices [AMD] CS5536 [Geode companion] 
EHC (rev 02)



[0.00] Linux version 2.6.22-20070910.30.olpc.25d22c40e3bef15 ([EMAIL 
PROTECTED]) (gcc version 4.1.1 20070105 (Red Hat 4.1.1-51)) #1 PREEMPT Mon Sep 
10 03:09:19 EDT 2007
[0.00] BIOS-provided physical RAM map:
[0.00]  BIOS-e801:  - 0009f000 (usable)
[0.00]  BIOS-e801: 0010 - 075dd000 (usable)
[0.00] 117MB LOWMEM available.
[0.00] Entering add_active_range(0, 0, 30173) 0 entries of 256 used
[0.00] Zone PFN ranges:
[0.00]   DMA 0 - 4096
[0.00]   Normal   4096 -30173
[0.00] early_node_map[1] active PFN ranges
[0.00] 0:0 -30173
[0.00] On node 0 totalpages: 30173
[0.00]   DMA zone: 32 pages used for memmap
[0.00]   DMA zone: 0 pages reserved
[0.00]   DMA zone: 4064 pages, LIFO batch:0
[0.00]   Normal zone: 203 pages used for memmap
[0.00]   Normal zone: 25874 pages, LIFO batch:7
[0.00] DMI not present or invalid.
[0.00] Allocating PCI resources starting at 1000 (gap: 
075dd000:f8a23000)
[0.00] Built 1 zonelists.  Total pages: 29938
[0.00] Kernel command line: ro root=mtd0 rootfstype=jffs2 
console=ttyS0,115200 console=tty0 fbcon=font:SUN12x22
[0.00] Initializing CPU#0
[0.00] CPU 0 irqstacks, hard=c074a000 soft=c0749000
[0.00] PID hash table entries: 512 (order: 9, 2048 bytes)
[0.00] Detected 362.994 MHz processor.
[   13.994339] Console: colour EGA 80x25
[   13.995511] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[   13.996123] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[   14.022039] Memory: 106348k/120692k available (2325k kernel code, 13804k 
reserved, 842k data, 168k init, 0k highmem)
[   14.00] virtual kernel memory layout:
[   14.022234] fixmap  : 0xd000 - 0xf000   (   8 kB)
[   14.022251] vmalloc : 0xc800 - 0xb000   ( 895 MB)
[   14.022267] lowmem  : 0xc000 - 0xc75dd000   ( 117 MB)
[   14.022284]   .init : 0xc071a000 - 0xc0744000   ( 168 kB)
[   14.022301]   .data : 0xc06455e9 - 0xc07181b4   ( 842 kB)
[   14.022318]   .text : 0xc040 - 0xc06455e9   (2325 kB)
[   14.022777] Checking if this processor honours the WP bit even in supervisor 
mode... Ok.
[   14.174046] Calibrating delay using timer specific routine.. 727.64 BogoMIPS 
(lpj=3638233)
[   14.174543] Security Framework v1.0.0 initialized
[   14.174651] SELinux:  Initializing.
[   14.174857] SELinux:  Starting in permissive mode
[   14.174904] selinux_register_security:  Registering secondary module 
capability
[   14.175015] Capability LSM initialized as secondary
[   14.175269] Mount-cache hash table entries: 512
[   14.176363] CPU: After 

Re: SMTP flood + spamdb

2007-09-26 Thread Rob
 Oh, I'm not saying it doesn't work.  What I'm saying is, greylisting
 is trivial to bypass, and some spammers have figured that out.
 Amazingly, most of them still haven't, which is why it still works in a
 significant number of cases.

Just to give an additional data point here: I work for an ISP that
receives upwards of a million inbound SMTP connections per day.

While watching the connection logs, I've noticed that a large majority
of spammers get the first spamd response (250 Hello, spam sender.
Pleased to be wasting your time.) and immediately disconnect. This
suggests to me that rather than spend time trying to get whitelisted
by spamd servers, they've mostly decided to skip them entirely and
move on to servers that aren't running spamd.

Spamd, by itself, filters out almost 90% of our inbound email. So far,
I've had just two false positives from mail servers that weren't
behaving correctly, that I had to whitelist manually.

We're running spamd with its defaults, for now.

"spamd doesn't catch everything, but it works" is a bit of an understatement.

We've also been hit by backscatter, and I haven't had the time to
figure out how to stop that one yet.

- R.



Re: SMTP flood + spamdb

2007-09-26 Thread Hannah Schroeter
Hi!

On Wed, Sep 26, 2007 at 02:03:03PM -0700, Rob wrote:
[...]

While watching the connection logs, I've noticed that a large majority
of spammers get the first spamd response (250 Hello, spam sender.
Pleased to be wasting your time.) and immediately disconnect. This
suggests to me that rather than spend time trying to get whitelisted
by spamd servers, they've mostly decided to skip them entirely and
move on to servers that aren't running spamd.

Interesting. Do you think they pattern match on the response, or do you
think they disconnect if the initial greeting takes too long (spamd
stutters for the first 10 seconds, in its default settings)? I'd guess
the latter.

[...]

We've also been hit by backscatter, and I haven't had the time to
figure out how to stop that one yet.

For some, signed envelope senders or variations thereof work. That
depends on a few circumstances.

The basic idea is this:

My email address is [EMAIL PROTECTED] Normal mail installations would
send mails out with both the From header *and* the envelope sender set
to [EMAIL PROTECTED] SES and similar schemes instead create a modified
sender address like [EMAIL PROTECTED] That is used
in the envelope. The header From address is left unmodified. TAG is a
tag saying this is an address created using the envelope signing
scheme, hannah is the original local part, timestamp can be made short
by making it have only day granularity, and perhaps even only days
modulo 2^ sig is a MAC, created from the local part, the timestamp
and a host specific key.

When a legitimate bounce (empty envelope from) is received, it must be
in response to a mail recently sent out from our domain. If all mails
sent out from our domain use the envelope signing scheme, bounces need
only be accepted if they are to *signed* addresses that are recent
enough and have a valid MAC. Bounces that don't fulfill that can be
rejected (I'd reject after DATA or later so address verification will
not lead to false positive rejects in other situations). In addition,
bounces should be only addressed to exactly *one* recipient...

Some also use SRS (sender rewriting scheme, from the SPF people),
signing their own envelope as if the mail were forwarded, and accept
bounce traffic only to SRS'ed addresses.

- R.

Kind regards,

Hannah.
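The envelope-signing scheme Hannah sketches (tag, original local part, day-granularity timestamp and a keyed MAC in the envelope sender; accept bounces only to fresh, validly signed, single-recipient addresses) is shown below as an added example, not code from the post or from any SES/BATV implementation. The exact address layout is lost from the archived mail, so the `ses=local=day=sig@domain` form, the 16-hex-character HMAC-SHA256 tag, the 7-day acceptance window and the host key are all assumptions made for this example.

```python
import hmac
import hashlib
from datetime import date

TAG = "ses"          # marks an envelope address as signed (assumed layout)
SIG_LEN = 16         # hex characters of the MAC kept in the address (assumed)


def day_number(d):
    """Day-granularity timestamp: days since 1970-01-01."""
    return (d - date(1970, 1, 1)).days


def _mac(key, local, day):
    """MAC over the original local part and the day, keyed with the host key."""
    msg = f"{local}:{day}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:SIG_LEN]


def sign_sender(local, domain, key, day):
    """Envelope sender to use for outgoing mail; the From: header stays as is."""
    return f"{TAG}={local}={day}={_mac(key, local, day)}@{domain}"


def verify_signed_sender(addr, key, today, max_age_days=7):
    """Return the original local part if addr is a fresh, validly signed
    address of ours, otherwise None."""
    localpart, sep, _domain = addr.rpartition("@")
    if not sep:
        return None
    parts = localpart.split("=")
    if len(parts) != 4 or parts[0] != TAG or not parts[2].isdigit():
        return None
    _, local, day_s, sig = parts
    day = int(day_s)
    if not 0 <= today - day <= max_age_days:
        return None                      # too old (or from the future)
    if not hmac.compare_digest(sig, _mac(key, local, day)):
        return None                      # forged or tampered
    return local


def accept_bounce(envelope_from, rcpts, key, today):
    """Policy for one delivery. Non-bounces (non-empty envelope sender) are
    left to normal processing. A bounce (empty envelope sender) is accepted
    only if it has exactly one recipient and that recipient is a valid,
    recent signed address. As the post suggests, apply the reject after DATA
    in a real MTA so callout address verification is not tripped up."""
    if envelope_from != "":
        return True
    if len(rcpts) != 1:
        return False
    return verify_signed_sender(rcpts[0], key, today) is not None


if __name__ == "__main__":
    key = b"constructed-host-key"                 # constructed, per-host secret
    today = day_number(date(2007, 9, 26))
    signed = sign_sender("hannah", "example.org", key, today - 1)
    print(signed)
    print(accept_bounce("", [signed], key, today))               # True
    print(accept_bounce("", ["hannah@example.org"], key, today)) # False
```

Mail that customers send through some other provider's MTA never carries a signed envelope sender, so bounces for it are rejected by this policy; that is the limitation Rob raises in the follow-up, and it is why the scheme only fits domains whose outbound mail all passes through the signing host.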



Re: SMTP flood + spamdb

2007-09-26 Thread Rob
Hannah,

On 9/26/07, Hannah Schroeter [EMAIL PROTECTED] wrote:
 Hi!

 On Wed, Sep 26, 2007 at 02:03:03PM -0700, Rob wrote:
 [...]

 While watching the connection logs, I've noticed that a large majority
 of spammers get the first spamd response (250 Hello, spam sender.
 Pleased to be wasting your time.) and immediately disconnect. This
 suggests to me that rather than spend time trying to get whitelisted
 by spamd servers, they've mostly decided to skip them entirely and
 move on to servers that aren't running spamd.

 Interesting. Do you think they pattern match on the response, or do you
 think they disconnect if the initial greeting takes too long (spamd
 stutters for the first 10 seconds, in its default settings)? I'd guess
 the latter.

I would guess the latter too, except that they tend to wait the full
default 10 seconds until the first 250 response. I'm looking forward
to increasing the stutter time to something on the order of 60 seconds
and watching to see what happens then.

 We've also been hit by backscatter, and I haven't had the time to
 figure out how to stop that one yet.

 For some, signed envelope senders or variations thereof work. That
 depends on a few circumstances.

 The basic idea is this:

[...snip...]

That would be nifty, but I don't think it would work in our case. We
have a number of customers that send mail through their own mail
server (or another provider's mail server) and receive mail through
ours (old email addresses, hosted domains, etc.).

So far we've seen the backscatter come through in a quick burst from a
handful of mail servers. For one example, one of our unlucky users
received 800+ bounce messages from about four mail servers in Italy. I
think I can use max-src-conn and max-src-conn-rate, plus a few
whitelist entries for Google, Yahoo, etc., to stop that, but it
requires careful monitoring.

- R.



Re: SMTP flood + spamdb

2007-09-26 Thread Peter N. M. Hansteen
Rob [EMAIL PROTECTED] writes:

 I would guess the latter too, except that they tend to wait the full
 default 10 seconds until the first 250 response. I'm looking forward
 to increasing the stutter time to something on the order of 60 seconds
 and watching to see what happens then.

I have reports that increasing the -s value to 4 seconds serves to
keep the stupid ones around for (you guessed it) four times as long,
at least for the tarpitted ones.  So the host which would hang on for
404 seconds earlier now beavers on for 1616, and so on.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: SMTP flood + spamdb

2007-09-26 Thread RW
On Wed, 26 Sep 2007 17:26:22 +0200, Peter N. M. Hansteen wrote:


 Or take advantage of the (by default) 25 minute window to use other
 means to detect that this address is sending spam.  Perhaps spamd should
 be extended to look for excessive attempts to send messages from an
 address during that period?  (How often do spammers' lists contain only
 one or two addresses from a domain?)

You could probably use straight rdr instead of rdr pass to feed spamd,
then in the relevant pass rule apply your source tracking options and
overload and some table magic for that

Have you been looking at my ruleset?  ;-)

I took out the pass on the rdr ages ago because unless I did my
personal blacklist could not be used to block things like stormers and
some tedious twits like a movie-house chain which keeps on sending to a
long gone client of mine even though the address returns a 554 every
time.

I blacklist those permanently to stop log clutter.

Rod/

_
Depressed? Me?
Don't make me laugh!
:Spike Milligan:1918-2002:



Re: Porting OpenBSD to OLPC XO laptops.

2007-09-26 Thread Floor Terra

On Sep 26, 2007, at 5:08 PM, big one wrote:

OLPC (One Laptop Per Child) had released XO AMD Geode LX Laptops  
using G1G1 (Buy 2 Get 1). One laptop will be sent to the buyer and  
the 2nd laptop will be sent to a child in a poor, developing country.


According to Mr Theo de Raadt from OpenBSD, it is impossible to  
write device driver for Wireless chipset inside XO.


According to OLPC developer team:
1. There is no standard BIOS inside XO laptops.
2. There is no VGA/EGA/CGA video mode.

Is it possible to port OpenBSD to XO Laptops without activating/using
the wireless chipset?

Thank you



The XO laptop looks like a great little laptop to use without the
nice looking but weird SUGAR interface. I was actually hoping
to buy one to use with OpenBSD. I didn't think any part of the laptop
would be closed.

From http://wiki.laptop.org/go/Core_principles/lang-en
..
There is no inherent external dependency in being able to localize
software into their language, fix the software to remove bugs, and
repurpose the software to fit their needs. Nor is there any restriction
in regard to redistribution; OLPC cannot know and should not control
how the tools we create will be re-purposed in the future.
...
Further, every child has something to contribute; we need a free and
open framework that supports and encourages the very basic human
need to express.

Give me a free and open environment and I will learn and teach with
joy.

Proprietary hardware and software seems to be directly against their
core principles.

The XO laptop uses Open Firmware instead of a BIOS, so it's probably
a lot like a Sun SPARC or a PPC Mac.

Can you point me to the source where Theo de Raadt claims that it's
impossible to write a driver for the Marvell Libertas controller
(wireless networking). I can't seem to find it.

Thanks,

Floor Terra



Re: Speed Problems Part 2

2007-09-26 Thread Tobias Weingartner
rezidue wrote:
  kern.version=OpenBSD 4.0-stable (GENERIC.MP) #0: Thu Mar 15 07:28:19 CST

Just for the hell of it, try running GENERIC, instead of GENERIC.MP.

--Toby.



Re: Speed Problems Part 2

2007-09-26 Thread Stuart Henderson
On 2007/09/26 13:50, rezidue wrote:
 
 Order a 4.2 CD and install it as soon as you get it. 4.2 removed many
 bottlenecks in the network stack. In the meanwhile check out for the ip
 ifq len:
 # sysctl net.inet.ip.ifq
 net.inet.ip.ifq.len=0
 net.inet.ip.ifq.maxlen=256
 net.inet.ip.ifq.drops=0
 
 I bet your drops are non 0 and the maxlen is too small (256 is a better
 value for gigabit firewalls/routers).
 --
 :wq Claudio
 
 I've gone through the 4.1 and 4.2 changes in hopes I would find some clear
 reason as to why I'm having these issues but I've not seen anything.

At the last hackathon, there was a lot of work done on profiling and
optimizing the path through the network stack/PF; you'll see more about
this at http://www.openbsd.org/papers/cuug2007/mgp00012.html (and the
following pages).

 What exactly is this queue?  The odd thing is that I report a negative
 value for drops and it's counting down.

The -ve is because it's a signed integer and has, on your system,
exceeded the maximum value since bootup.

 net.inet.ip.ifq.drops=-1381027346
 I've put maxlen=256 and it seems to have slowed the count down.

You might like to try bumping it up until it stops increasing (uh,
decreasing. :-) And re-investigate when you get 4.2 (or make any other
changes to the system).



Re: OpenBSD on decTOP?

2007-09-26 Thread Douglas A. Tutty
On Wed, Sep 26, 2007 at 08:47:04AM -0600, Diana Eichert wrote:
 On Wed, 26 Sep 2007, Markus Hennecke wrote:
 
 As it won't probe on port 0x2e8 it will not find it. That's why it was
 disabled, the probe will have negative effects on other hardware.
 
 Greetings
  Markus
 
 that's what I assumed, but I thought I'd ask anyway.
 

If this particular board doesn't have that conflicting hardware, can't
you alter the kernel with config(8) to find the UART?

Doug.



AX.25

2007-09-26 Thread Christopher Snell
It's been a few years since anybody has asked this.  Is anybody
working on an AX.25 implementation for OpenBSD?  Just passed my Extra
exam and would like to start doing some packet radio soon.  Would love
to put OpenBSD 23km up like this guy did with Linux:

http://vpizza.org/~jmeehan/balloon/

Chris
KE7OVL



Re: Porting OpenBSD to OLPC XO laptops.

2007-09-26 Thread Jonathan Gray
On Wed, Sep 26, 2007 at 01:58:16PM -0400, Joshua Smith wrote:
 Maybe I've missed something but what makes it impossible to write a
 device driver for the Wireless chipset?
 
 -Josh

No one said it is impossible, it is just far harder than it should
be due to a lack of documentation and companies like Red Hat signing
NDAs with Marvell.

The specific chip the OLPC people are using thus far does not seem to be
found anywhere else in the market.  Combine that with a quirky non
standard machine with limited availability and you see why people
aren't terribly interested.



Re: OpenBSD on decTOP?

2007-09-26 Thread Diana Eichert

On Wed, 26 Sep 2007, Douglas A. Tutty wrote:


On Wed, Sep 26, 2007 at 08:47:04AM -0600, Diana Eichert wrote:

On Wed, 26 Sep 2007, Markus Hennecke wrote:


As it won't probe on port 0x2e8 it will not find it. That's why it was
disabled, the probe will have negative effects on other hardware.

Greetings
Markus


that's what I assumed, but I thought I'd ask anyway.


If this particular board doesn't have that conflicting hardware, can't
you alter the kernel with config(8) to find the UART?

Doug.


Yep, you sure could and that would be a good test for someone who already
has a decTOP.  However after more reading of the documentation it is quite
possible the UARTS are completely disabled.

thanks

diana



Re: Internet slowdown when pf is enabled? Running on i386 -current

2007-09-26 Thread Reza Muhammad
Here's the log:

10:12:28.738263 UPD ST:
all 6 122.200.52.134:22 - 125.160.128.35:60387
   ESTABLISHED:ESTABLISHED
   [1381080430 + 65535] wscale 0  [3262031687 + 17040] wscale 0
   age 3812101632:33:20, expires in 00:00:00, 482:293 pkts, 38584:35992 bytes
   id: 46facdc5804b creatorid: 2a435432 updates: 3
10:12:28.902894 INS ST:
all 17 255.255.255.255:5678 - 122.200.54.146:5678   NO_TRAFFIC:SINGLE
   age 00:00:00, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 13
   id: 46facdc581a9 creatorid: 257e0ae9
10:12:29.458559 UPD ST:
all 17 255.255.255.255:3259 - 122.200.50.65:1129   NO_TRAFFIC:SINGLE
   age 3571779072:45:52, expires in 00:00:00, 5:0 pkts, 270:0 bytes, rule 13
   id: 46facdc580f5 creatorid: 257e0ae9 updates: 0
10:12:29.648865 INS ST:
all 17 255.255.255.255:5678 - 192.168.140.248:5678   NO_TRAFFIC:SINGLE
   age 00:00:00, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 13
   id: 46facdc581aa creatorid: 257e0ae9
all 17 255.255.255.255:5678 - 192.168.125.120:5678   NO_TRAFFIC:SINGLE
   age 00:00:00, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 13
   id: 46facdc581ab creatorid: 257e0ae9
10:12:30.173882 UPD ST:
all 17 239.255.255.250:1900 - 192.168.0.1:1900   NO_TRAFFIC:SINGLE
   age 494275328:34:56, expires in 00:00:00, 7181:0 pkts, 2279289:0 bytes
   id: 46facdc537f4 creatorid: 2a435432 updates: 12
10:12:30.173947 DEL ST:
all 6 122.200.52.134:80 - 125.160.128.35:49548
   FIN_WAIT_2:FIN_WAIT_2
   [2274342568 + 65535] wscale 0  [2570619505 + 17040] wscale 0
   age 1024067328:26:24, expires in 00:00:00, 6:5 pkts, 1653:645 bytes, rule 15
   id: 46facdc580f6 creatorid: 257e0ae9
all 17 255.255.255.255:5678 - 192.168.157.58:5678   NO_TRAFFIC:SINGLE
   age 1024067328:26:24, expires in 00:00:00, 2:0 pkts, 230:0 bytes, rule 13
   id: 46facdc580f8 creatorid: 257e0ae9
all 17 255.255.255.255:5678 - 192.168.93.10:5678   NO_TRAFFIC:SINGLE
   age 167249408:06:08, expires in 00:00:00, 2:0 pkts, 224:0 bytes, rule 13
   id: 46facdc580f9 creatorid: 257e0ae9
all 17 255.255.255.255:5678 - 192.168.157.52:5678   NO_TRAFFIC:SINGLE
   age 167249408:06:08, expires in 00:00:00, 2:0 pkts, 210:0 bytes, rule 13
   id: 46facdc580fa creatorid: 257e0ae9
10:12:30.173983 DEL ST:
all 17 122.200.51.255:138 - 122.200.51.219:138   NO_TRAFFIC:SINGLE
   age 60622336:24:48, expires in 00:00:00, 2:0 pkts, 471:0 bytes, rule 13
   id: 46facdc580fe creatorid: 257e0ae9
all 17 255.255.255.255:5678 - 192.168.157.74:5678   NO_TRAFFIC:SINGLE
   age 60622336:24:48, expires in 00:00:00, 2:0 pkts, 230:0 bytes, rule 13
   id: 46facdc580ff creatorid: 257e0ae9

and there's still more.  I noticed that the traffic coming in from 192.168.*.* 
aren't from my local network.


On Wed, 26 Sep 2007 17:19:05 +0100, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2007/09/26 22:32, Reza Muhammad wrote:
 Would a tcpdump log be any helpful at this point?
 
 maybe; try ifconfig pfsync0 create and tcpdump -nipfsync0 -vvs1000
 
inserts   280924 1221.4/s
removals  280226 1218.4/s
 
 expect it to scroll pretty damn fast...
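As an added example (not from this thread), a small parser for the kind of pfsync output tcpdump printed above, which counts state insertions per source address and rule so the source of the churn stands out; the sample records are constructed to mirror the log, with the `->` arrow tcpdump prints between src and dst.

```python
import re
from collections import Counter

# Constructed sample in the layout of "tcpdump -vv" on pfsync0, mirroring the post's log.
SAMPLE_LOG = """\
10:12:29.648865 INS ST:
all 17 255.255.255.255:5678 -> 192.168.140.248:5678   NO_TRAFFIC:SINGLE
   age 00:00:00, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 13
   id: 46facdc581aa creatorid: 257e0ae9
all 17 255.255.255.255:5678 -> 192.168.125.120:5678   NO_TRAFFIC:SINGLE
   age 00:00:00, expires in 00:00:00, 0:0 pkts, 0:0 bytes, rule 13
   id: 46facdc581ab creatorid: 257e0ae9
10:12:30.173947 DEL ST:
all 6 122.200.52.134:80 -> 125.160.128.35:49548
   FIN_WAIT_2:FIN_WAIT_2
   [2274342568 + 65535] wscale 0  [2570619505 + 17040] wscale 0
   age 1024067328:26:24, expires in 00:00:00, 6:5 pkts, 1653:645 bytes, rule 15
   id: 46facdc580f6 creatorid: 257e0ae9
"""

ACTION_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ (INS|UPD|DEL) ST:$")
# "all <proto> <src>:<port> -> <dst>:<port>"; a bare "-" (as in the mangled post) also matches
STATE_RE = re.compile(r"^all (\d+) (\S+):(\d+)\s+->?\s+(\S+):(\d+)")
RULE_RE = re.compile(r"\brule (\d+)\b")


def parse_pfsync(text):
    """Return one dict per state record: action, proto, src, dst, rule (None if absent)."""
    action, cur, states = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACTION_RE.match(line)
        if m:
            action = m.group(1)   # applies to every record until the next header
            continue
        m = STATE_RE.match(line)
        if m:
            cur = {"action": action, "proto": int(m.group(1)),
                   "src": m.group(2), "dst": m.group(4), "rule": None}
            states.append(cur)
            continue
        m = RULE_RE.search(line)
        if m and cur is not None:
            cur["rule"] = int(m.group(1))
    return states


def inserts_by_source(states):
    """Count state insertions per (source address, rule): the churn the thread is chasing."""
    return Counter((s["src"], s["rule"]) for s in states if s["action"] == "INS")


def noisy_sources(states, threshold):
    """Sources creating at least `threshold` states: candidates for an early block rule."""
    return [k for k, n in inserts_by_source(states).most_common() if n >= threshold]
```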



Re: Internet slowdown when pf is enabled? Running on i386 -current

2007-09-26 Thread Stuart Henderson
On 2007/09/27 10:16, Reza Muhammad wrote:
 Here's the log:

Can's suggestion to block the incoming packets on sis0 is good.

The problem is caused because you receive a lot of junk traffic
from your ISP's network.  Since OpenBSD 4.1, PF uses 'keep state'
by default (this avoids some problems with common rulesets and
TCP window scaling) and this is causing a lot of unnecessary
states to be created. So I guess before you upgraded, you used
a version from before 4.1.

 and there's still more.  I noticed that the traffic coming in
 from 192.168.*.* aren't from my local network.

It looks like your ISP has many subnets running over the same
physical network.



Quotas cause system freeze on 4.1 AMD64 (raid1)

2007-09-26 Thread Matt

Running 4.1 generic kernel w. RAID1 on AMD64.
Checking a users quota freezes the system and renders it useless.

I have implemented quotas like described in the FAQ

1) alter /etc/fstab:  /dev/raid0f /var ffs rw,userquota,softdep,nodev 1 2  -- This is a 60GB slice

2) create a test quota file for existing user 'johndoe'
3) quotaon -a
4) quota johndoe

At point 4 the system stops responding.
The server stays up and I can ping / login through SSH, however it never 
lets me pass after the password, it just hangs.

The webserver (which reads files from /var/) doesn't work anymore either.
I drove to the DC but still could not login as root. I could login as 
johndoe but su-ing to root gave the same problems.


Hard rebooting helped, but the machine then hung during startup on 
'Checking quota's: ' - or so it seems.
I waited 10 minutes - nothing happened. So CTRL-C'd it and removed it 
from /etc/fstab to prevent further problems.
The only thing I can think of is that /var is 'just too big'..? Or could 
this be caused by a wrongly edited quota.user file?


Any help is appreciated!

Matt



Re: Internet slowdown when pf is enabled? Running on i386 -current

2007-09-26 Thread Reza Muhammad
 On Wed, 26 Sep 2007 11:37:28 -0700, Can E. Acar [EMAIL PROTECTED]
 wrote:
 Reza Muhammad wrote:
...
 also

 There is a lot of external broadcast traffic they are probably the cause
 of
 the large number of state insertions/deletions. They are either a badly
 designed
 p2p/broadcast/whatever protocol, or the result of the worm/malware of
 the month.

 Can you add

 block drop in quick on sis0 all

 at the start of your ruleset? This way the external traffic does not
 create states at all.

 Can



Actually I've been noticing that my ISP has been broadcasting a lot of
things since I've been using them.
For example, I would get this type of message in /var/log/message all the
time:
Sep 27 10:10:25 blowfish /bsd: arp: attempt to overwrite entry for
192.168.1.1 on lo0 by 00:02:6f:3e:14:59 on sis0

Anyway, about the ruleset, since I'm also running a web server, and mail
server on this box, I shouldn't use block quick right?
Rather block in quick on sis0 all, then open up the ports that I need to
use? Or am I missing the point?

Thanks.