Is anybody working on Wine?

2007-11-21 Thread Dmitrij Czarkoff
Is anybody working on WINE for OpenBSD? The available package supports
too small an amount of software for now...

-- 
Dmitrij D. Czarkoff



Re: restore hanging on an unusual file name

2007-11-21 Thread Richard Toohey

On 21/11/2007, at 12:08 PM, Jeff Ross wrote:


Jeff Ross wrote:

Hi,

   
 11609 restore  RET   write 27/0x1b
 11609 restore  CALL  write(0x2,0x80147000,0x34)
 11609 restore  GIO   fd 2 wrote 52 bytes
   1834488 Document Scrap '\M-o\M^C\M^X Journal Entrie...'.shs
   
On a console (not xterm) the file name appears to be
Document Scrap 'C/ Journal Entrie...'.shs
(that's a lower case i with two dots over it.)


My original e-mail did get mangled a little.

The C/ above is really the lowercase i with two dots over it.

Jeff


I had a look out of curiosity (again) ... no great words of wisdom  
but might help ...


Doesn't *just* seem to be because of the i-with-two-dots above it  
(0xEF?  I looked at http://unicode.org/charts/  and the Latin-1 page  
- you'll need a PDF viewer.  The character is a LATIN SMALL LETTER I  
WITH DIAERESIS to give it the proper moniker ...)


Create char_file.c (yes, no prizes for this code.)  You can achieve  
getting this filename without code, but might be easier to use the  
code than find the right character and paste it.


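#include <stdio.h>

int main(void) {
	FILE *f;
	char fn[] = "xxxxx.txt";	/* third character is replaced below */

	fn[2] = (char)0xEF;		/* i-with-two-dots in Latin-1 */
	f = fopen(fn, "w");
	if (f == NULL) {
		perror("fopen");
		return 1;
	}
	fputs("Something here", f);
	fclose(f);
	return 0;
}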

Compile with ...
# cc -Wall -o char_file char_file.c

Execute with ...
# ./char_file

You should end up with a new file in your current directory:

xx?xx.txt		(depending on your display, that question mark may appear  
as the i-with-two-dots.)


Do a dump:

# mkdir testd
# mv xx?xx.txt testd
# dump -0 -f testd.dmp testd/
  DUMP: Dumping sub files/directories from /home
  DUMP: Dumping file/directory testd/
  DUMP: Date of this level 0 dump: Thu Nov 22 10:59:25 2007
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/rwd0h (/home) to testd.dmp
  DUMP: mapping (Pass I) [regular files]
  DUMP: mapping (Pass II) [directories]
  DUMP: estimated 106 tape blocks on 0.00 tape(s).
  DUMP: Volume 1 started at: Thu Nov 22 10:59:25 2007
  DUMP: dumping (Pass III) [directories]
  DUMP: dumping (Pass IV) [regular files]
  DUMP: 74 tape blocks on 1 volume
  DUMP: Date of this level 0 dump: Thu Nov 22 10:59:25 2007
  DUMP: Volume 1 completed at: Thu Nov 22 10:59:25 2007
  DUMP: Date this dump completed:  Thu Nov 22 10:59:25 2007
  DUMP: Average transfer rate: 0 KB/s
  DUMP: Closing testd.dmp
  DUMP: DUMP IS DONE

Do a restore:

# restore -i -f testd.dmp
restore > cd testd
restore > verbose
verbose mode on
restore > ls
./testd:
25 ./  2 ../24 xx?xx.txt

restore > quit

The copy/paste was via a Mac console - on X running on OpenBSD 4.2/ 
i386 the i-with-two-dots appears correctly throughout.


I *know* your dump/restore process is a LOT more complicated than  
this - I'm trying to reproduce the error with the smallest amount of  
effort (don't fancy setting up a Windows box and compressing 12Gb,  
etc.!)


Guess the next thing might be getting a way smaller sample dump file  
that still shows the problem?  Doesn't *seem* to be just the i  
character - so is it the spaces?  The apostrophes?  Combination of  
all three?  The length of the filename? The Windows factor?   Samba?  
Translation by something?


The (interactive) restore source code is in /usr/src/sbin/restore/ 
interactive.c  - so you could try adding some debug messages in there  
on a test box and run the file through it ...


Are you running 4.2 i386 (apologies if covered or obvious in your  
posting?)


Thanks.



Business acquisition

2007-11-21 Thread Eric Blonnet
 Hello,

Knowing that you are interested in taking over or buying one of your
competitors in your line of business,

we are taking the liberty of sending you this informational e-mail.
It will give you access to our matchmaking service.
www.reprise-entreprise.fr

You can set up an alert for your line of business or for
your region.

We look forward to your visit.

Regards,

A team at your service.
REPRISE ENTREPRISE
www.reprise-entreprise.fr

To stop receiving information from us, follow the link



Re: Is this load balancing Idea for squid ok while using route-to or is there a better one?

2007-11-21 Thread Siju George
Hi,

QUITE UNFORTUNATELY THIS DOES NOT SEEM TO WORK :-(

Could some one please let me see the flaw in logic or implementation?

Thank you so much :-)

Kind Regards

Siju


On Nov 21, 2007 10:46 AM, Siju George [EMAIL PROTECTED] wrote:
 Hi,

 I have two internet connections connected to my firewall now.
 Both are from the same ISPs with IP addresses IP1 and IP2
 Both have the same gateway GWIP

 $ext_if=IP1
 $ext_if2=IP2

 Now to load balance squid what I am doing is to tag half of the
 packets coming to squid using the rules

 ===
 pass in on $int_if inet proto tcp from $int_if:network to any port 8080 \
 keep state tag squid probability 50% label squid

 pass in quick on $int_if inet proto tcp from $int_if:network to any
 port { 21, 8080 } keep state

 pass in on $int_if route-to { ($ext_if $gateway), ($ext_if2 $gateway)
 } round-robin \
  from $int_if:network to any keep state

 ===

 This gets half of the traffic that comes to squid tagged and labeled as 
 'squid'

 then I have the following NAT rule for the $ext_if which is the
 default route to  NAT the tagged rules ( i.e half of squid traffic )
 to IP2 on $ext_if2

 =

 nat on $ext_if from $int_if:network to any tagged squid -> ($ext_if2)

 nat on $ext_if from $int_if:network to any -> ($ext_if)

 nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

 =

 and finally for the filter rules to route the tagged packets through
 the second interface.

 ==

 pass out quick on $ext_if route-to ( $ext_if2 $gateway ) inet proto tcp \
 all modulate state flags S/SA tagged squid

 pass out on $ext_if route-to ( $ext_if $gateway ) proto tcp \
 all modulate state flags S/SA

 pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto tcp \
 all modulate state flags S/SA

 pass out on $ext_if route-to ( $ext_if $gateway ) proto { udp, icmp }
 all keep state

 pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto { udp, icmp
 } all keep state

 ===

 derived this Idea from

 http://osdir.com/ml/openbsd.pf/2005-02/msg00124.html

 after searching the archives.

 Just wondering if there is a better way to do it :-)

 Thank you so much especially Danny for the post :-)))

 Kind Regards

 Siju



Re: can't change password with passwd comand

2007-11-21 Thread Kafriki

Hi Nick,
Thanks for your points: sorry about the formatting,  I am sending this in 
plain text , let me know if this is better.


I have looked over the master.passwd file and compared it with another 
machine's working master.passwd  and everything seems ok.


you wrote:

 You can add and delete users all you want, there's something wrong with
the master.passwd file.  When you call up vipw or passwd, it makes a copy
of that file to /etc/ptmp, you edit that file, then it does a sanity check
and if it passes the sanity check, it rolls that file back to
master.passwd, and makes the rest of the files (not necessarily in that
order).  Yours doesn't pass the sanity check.

The strange thing is that if I use vipw  and make changes it accepts the 
changes, but it does not accept changes when I use passwd.  If something is 
wrong with master.passwd file, wouldn't vipw also not work?


I will try your suggestion  about copying a fresh master.passwd file to /etc 
and starting from scratch.. see if that works..  I hope so (-:


Thanks for all your help!




- Original Message - 
From: Nick Holland

To: misc@openbsd.org
Sent: Tuesday, November 20, 2007 10:29 PM
Subject: Re: can't change password with passwd comand


Jumping Mouse wrote:

Hi Clint and others,

I tried:


# rm spwd* pwd* passwd* ptmp # pwd_mkdb /etc/master.passwd


pointless.


then
#passwd username

but I am still getting: (for all users)

pwd_mkdb: corrupted entrypwd_mkdb: at line #24pwd_mkdb: /etc/ptmp:
Inappropriate file type or formatpasswd: /etc/master.passwd: unchanged


right.  If the file is corrupted, the file is corrupted, it isn't going
to spend a lot of time trying to push a change in and maybe make it
worse.  It is curious that it does let you change root's PW, but that's
nice, it does let you get back in and fix the rest.


I have searched the faqs but have not been able to find a good solution to
this issue.  Does anyone have any thoughts?


EXACTLY what it says.  Something around line 24 is wrong.

A FEW ideas:
* Line break at col 80 that you are assuming is a wrap, but it isn't.
* Trailing spaces.
* Blank lines (including an extra newline at end-of-file)

Those are some of the errors I've made.  I've probably repressed the
really funny ones.  You are free to make your own. :)

You can add and delete users all you want, there's something wrong with
the master.passwd file.  When you call up vipw or passwd, it makes a copy
of that file to /etc/ptmp, you edit that file, then it does a sanity check
and if it passes the sanity check, it rolls that file back to
master.passwd, and makes the rest of the files (not necessarily in that
order).  Yours doesn't pass the sanity check.

Before you run vipw/passwd/whatever there is no /etc/ptmp file unless
someone killed an edit inappropriately.  If that's the case, it doesn't
let you edit the file in the first place.

Your file is corrupted.  You need to fix it.  Don't edit the file
and then expect us to spot the error unless it is really blatant, and
at this point, don't bother trying to convey much info at all over that
mailer you are using. :)

Worst case, assuming you are the only one (or one of few) on the system,
grab the /etc/master.passwd from the etcXX.tgz file of the appropriate
version of OpenBSD you are running, stick it in /etc, run vipw, make a
trivial change (or run mkwhateveritis), exit, change root's PW, and
re-populate the file one user at a time.

You already know unpleasant things happened to your passwd file.
You have a regular user at line 24...that's been a while since a
regular user popped up that early in the file.  You probably have got
lots of problems there.  Fortunately, it is pretty easy to rebuild.
Just save a copy of your current version, and after the dust settles,
copy over the individual users you need (and watch for wraps!).
And ONLY those users...

Nick. 



Re: can't change password with passwd comand

2007-11-21 Thread Kafriki
ok here is a user with full details: (this is in plain text, hope it's more 
readable)


cat.cat:$2a$07$aYgatzjxAULHQmmZkjmvteGEaO8Ie8geMoUfhl7AAzKi.WeRhuoA6:10006:20::0:0:Pussy 
Cat:/smbhome/student_homedirs/cat.cat:/bin/ksh



- Original Message - 
From: Clint Pachl

To: Jumping Mouse
Cc: misc@openbsd.org
Sent: Tuesday, November 20, 2007 8:56 PM
Subject: Re: can't change password with passwd comand


Jumping Mouse wrote:

Hi Clint,  Yes I am the one.   As for changing the password, this seems to
happen to any user except for the root account; I am able to use  passwd to
change the root account password.  Here is line 24: (I removed the password
and real username) username::1000:0::0:0:username:/home/username:/bin/ksh


I was going to say, don't remove the username or password because the
problem could be embedded in either one of those fields. Anyway, check
to make sure that there is no whitespace adjacent to any colons.

I don't know if this matters but there is no ptmp file in the /etc directory
(nor was there before I followed your earlier instructions)


Doesn't matter. Just wanted to make sure it wasn't causing any problems
when running passwd, which uses that file name as its temp file. 



Re: restore hanging on an unusual file name

2007-11-21 Thread Otto Moerbeek
On Wed, Nov 21, 2007 at 10:20:39PM +1300, Richard Toohey wrote:

 On 21/11/2007, at 12:08 PM, Jeff Ross wrote:

 Jeff Ross wrote:
 Hi,


  11609 restore  RET   write 27/0x1b
  11609 restore  CALL  write(0x2,0x80147000,0x34)
  11609 restore  GIO   fd 2 wrote 52 bytes
1834488 Document Scrap '\M-o\M^C\M^X Journal Entrie...'.shs

 On a console (not xterm) the file name appears to be
 Document Scrap 'C/ Journal Entrie...'.shs
 (that's a lower case i with two dots over it.)

 My original e-mail did get mangled a little.

 The C/ above is really the lowercase i with two dots over it.

 Jeff

 I had a look out of curiosity (again) ... no great words of wisdom but 
 might help ...

 Doesn't *just* seem to be because of the i-with-two-dots above it (0xEF?  I 
 looked at http://unicode.org/charts/  and the Latin-1 page - you'll need a 
 PDF viewer.  The character is a LATIN SMALL LETTER I WITH DIAERESIS to give 
 it the proper moniker ...)

 Create char_file.c (yes, no prizes for this code.)  You can achieve getting 
 this filename without code, but might be easier to use the code than find 
 the right character and paste it.

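 #include <stdio.h>

 int main(void) {
 	FILE *f;
 	char fn[] = "xxxxx.txt";	/* third character is replaced below */

 	fn[2] = (char)0xEF;		/* i-with-two-dots in Latin-1 */
 	f = fopen(fn, "w");
 	if (f == NULL) {
 		perror("fopen");
 		return 1;
 	}
 	fputs("Something here", f);
 	fclose(f);
 	return 0;
 }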

 Compile with ...
 # cc -Wall -o char_file char_file.c

 Execute with ...
 # ./char_file

 You should end up with a new file in your current directory:

 xx?xx.txt (depending on your display, that question mark may 
 appear as the 
 i-with-two-dots.)

 Do a dump:

 # mkdir testd
 # mv xx?xx.txt testd
 # dump -0 -f testd.dmp testd/
   DUMP: Dumping sub files/directories from /home
   DUMP: Dumping file/directory testd/
   DUMP: Date of this level 0 dump: Thu Nov 22 10:59:25 2007
   DUMP: Date of last level 0 dump: the epoch
   DUMP: Dumping /dev/rwd0h (/home) to testd.dmp
   DUMP: mapping (Pass I) [regular files]
   DUMP: mapping (Pass II) [directories]
   DUMP: estimated 106 tape blocks on 0.00 tape(s).
   DUMP: Volume 1 started at: Thu Nov 22 10:59:25 2007
   DUMP: dumping (Pass III) [directories]
   DUMP: dumping (Pass IV) [regular files]
   DUMP: 74 tape blocks on 1 volume
   DUMP: Date of this level 0 dump: Thu Nov 22 10:59:25 2007
   DUMP: Volume 1 completed at: Thu Nov 22 10:59:25 2007
   DUMP: Date this dump completed:  Thu Nov 22 10:59:25 2007
   DUMP: Average transfer rate: 0 KB/s
   DUMP: Closing testd.dmp
   DUMP: DUMP IS DONE

 Do a restore:

 # restore -i -f testd.dmp
 restore > cd testd
 restore > verbose
 verbose mode on
 restore > ls
 ./testd:
 25 ./  2 ../24 xx?xx.txt

 restore > quit

 The copy/paste was via a Mac console - on X running on OpenBSD 4.2/i386 the 
 i-with-two-dots appears correctly throughout.

 I *know* your dump/restore process is a LOT more complicated than this - 
 I'm trying to reproduce the error with the smallest amount of effort (don't 
 fancy setting up a Windows box and compressing 12Gb, etc.!)

 Guess the next thing might be getting a way smaller sample dump file that 
 still shows the problem?  Doesn't *seem* to be just the i character - so is 
 it the spaces?  The apostrophes?  Combination of all three?  The length of 
 the filename? The Windows factor?   Samba? Translation by something?

 The (interactive) restore source code is in 
 /usr/src/sbin/restore/interactive.c  - so you could try adding some debug 
 messages in there on a test box and run the file through it ...

 Are you running 4.2 i386 (apologies if covered or obvious in your posting?)

 Thanks.

The easiest way to reproduce I found so far is:

echo '\M-o\M^C\M^X' | unvis  

It hangs my xterm. It does not hang a console.

I think dump should 'vis' the filenames it prints.

-Otto
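
The suggestion above, that file names be vis-encoded before they are printed, sketched as an added example (not code from dump, restore or any poster in this thread). The bytes 0x83 and 0x98 in the kdump line fall in the C1 control range (0x80-0x9f), which a terminal emulator may interpret as control functions, so the name is encoded before it reaches the terminal. `vis_byte` and `safe_name` are hypothetical names for a simplified stand-in for vis(3); on OpenBSD, strvis(3) from <vis.h> does this job.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified stand-in for vis(3), written for this example.
 * Encodes one byte in the notation kdump and vis(1) print:
 *   \^C   control character           \M-C  graphic character with bit 8 set
 *   \M^C  control character + bit 8   \\    literal backslash
 * Unlike vis(3) without flags, tab and newline are encoded as well,
 * because a file name should occupy exactly one line of output.
 * Writes at most 4 characters to dst and returns how many.
 */
static size_t
vis_byte(char *dst, unsigned char c)
{
	size_t n = 0;

	if (c >= 0x20 && c <= 0x7e) {		/* printable ASCII passes through */
		if (c == '\\')
			dst[n++] = '\\';	/* keep the encoding reversible */
		dst[n++] = (char)c;
		return n;
	}
	dst[n++] = '\\';
	if (c == 0xa0) {			/* space with bit 8 set: octal form */
		dst[n++] = '2';
		dst[n++] = '4';
		dst[n++] = '0';
		return n;
	}
	if (c & 0x80) {				/* "meta" prefix for bit 8 */
		dst[n++] = 'M';
		c &= 0x7f;
	}
	if (c < 0x20 || c == 0x7f) {		/* control character or DEL */
		dst[n++] = '^';
		dst[n++] = (c == 0x7f) ? '?' : (char)(c + '@');
	} else {
		dst[n++] = '-';
		dst[n++] = (char)c;
	}
	return n;
}

/*
 * Encode a NUL-terminated file name into dst so that it is safe to write
 * to a terminal.  Returns 0 on success, -1 if dst is too small.
 */
int
safe_name(char *dst, size_t dstlen, const char *src)
{
	size_t used = 0;

	if (dstlen == 0)
		return -1;
	for (; *src != '\0'; src++) {
		if (dstlen - used < 5)		/* up to 4 characters plus NUL */
			return -1;
		used += vis_byte(dst + used, (unsigned char)*src);
	}
	dst[used] = '\0';
	return 0;
}

int
main(void)
{
	/* Constructed input: the name from the kdump output quoted above. */
	const char name[] = "Document Scrap '\xef\x83\x98 Journal Entrie...'.shs";
	char out[4 * sizeof(name) + 1];

	if (safe_name(out, sizeof(out), name) == 0)
		printf("%s\n", out);
	return 0;
}
```
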



Re: Is anybody working on Wine?

2007-11-21 Thread mickey
On Wed, Nov 21, 2007 at 12:13:53PM +0300, Dmitrij Czarkoff wrote:
 Is anybody working on WINE for OpenBSD? The available package supports
 too small an amount of software for now...

most pplz seem to work on beer rather...
cu
-- 
paranoic mickey   (my employers have changed but, the name has remained)



Re: acpiac

2007-11-21 Thread giovanni
On Nov 20, 2007 5:40 PM, Marco Peereboom [EMAIL PROTECTED] wrote:
 yeah the spec tells us to.  Why?

maybe I'm wrong in what I'm saying...

device AC could have _PSR but not _STA.

when _STA exists it gives us this information:

0xf - AC adapter exists
0x0 - AC adapter does not exist

because this information is not used later, I really do not
understand why _STA is evaluated.
some hints?

tnx

 On Tue, Nov 20, 2007 at 11:52:33AM +0100, giovanni wrote:
  hello,
 
  any reason for evaluating  _STA before _PSR for getting AC status?
 
  if (aml_evalname(sc->sc_acpi, sc->sc_devnode, "_STA", 0, NULL, NULL)) {
          dnprintf(10, "%s: no _STA\n",
              DEVNAME(sc));
  }
 
  if (aml_evalname(sc->sc_acpi, sc->sc_devnode, "_PSR", 0, NULL, &res)) {
          dnprintf(10, "%s: no _PSR\n",
              DEVNAME(sc));
          return (1);
 
  --
  see ya,
  giovanni
 




-- 
see ya,
giovanni



Re: nptd regression in 4.2

2007-11-21 Thread Otto Moerbeek
On Sat, Nov 17, 2007 at 05:37:17PM +0100, Otto Moerbeek wrote:

 On Fri, Nov 16, 2007 at 01:39:09PM +0100, Otto Moerbeek wrote:
 
  On Fri, Nov 16, 2007 at 01:13:42PM +0100, Otto Moerbeek wrote:
  
   On Fri, Nov 16, 2007 at 12:40:29PM +0100, frantisek holop wrote:
hmm, on Fri, Nov 16, 2007 at 12:30:00PM +0100, Toni Mueller said that
  could someone test this before i submit a bug report?
 
 I've removed the '-s' flag for this reason, although I would very much
 prefer to have it in place in the case that I have net access. I don't
 know whether it would be feasible for ntpd to see whether there's an
 appropriate route, and whether the relevant interfaces are up.

it definitely worked in 4.1 even with -s.
   
   It is this commit, which manages to keep the outgoing buffer full.
   
   http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/client.c.diff?r1=1.75r2=1.76f=h
   
   Reverting it makes the problem go away.
   
   Still thinking how to solve this.
   
 -Otto
  
  This seems to work for me,
  
  -Otto
 
 G, sent the wrong diff. This has a far better chance.

So, did anybody test this?

-Otto

 
 Index: client.c
 ===
 RCS file: /cvs/src/usr.sbin/ntpd/client.c,v
 retrieving revision 1.76
 diff -u -p -r1.76 client.c
 --- client.c  1 May 2007 07:40:45 -   1.76
 +++ client.c  17 Nov 2007 16:34:07 -
 @@ -123,7 +123,8 @@ client_query(struct ntp_peer *p)
   int tos = IPTOS_LOWDELAY;
  
   if (p-addr == NULL  client_nextaddr(p) == -1) {
 - set_next(p, scale_interval(INTERVAL_QUERY_AGGRESSIVE));
 + set_next(p, MAX(SETTIME_TIMEOUT,
 + scale_interval(INTERVAL_QUERY_AGGRESSIVE)));
   return (0);
   }
  
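Review bot: in the `client_nextaddr(p) == -1` branch the new argument is written as `MAX(SETTIME_TIMEOUT, scale_interval(INTERVAL_QUERY_AGGRESSIVE))`; if MAX is the usual two-argument macro, scale_interval() appears twice in the expansion and may be called twice, so the value compared and the value handed to set_next() can differ unless it is a pure function. Compute the interval into a local variable first, and add a one-line comment saying why SETTIME_TIMEOUT is the right lower bound for a retry when no address is available.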
 @@ -140,8 +141,8 @@ client_query(struct ntp_peer *p)
   if (errno == ECONNREFUSED || errno == ENETUNREACH ||
   errno == EHOSTUNREACH || errno == EADDRNOTAVAIL) {
   client_nextaddr(p);
 - set_next(p,
 - scale_interval(INTERVAL_QUERY_AGGRESSIVE));
 + set_next(p, MAX(SETTIME_TIMEOUT,
 + scale_interval(INTERVAL_QUERY_AGGRESSIVE)));
   return (-1);
   } else
   fatal(client_query connect);
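Review bot: the errno branch (ECONNREFUSED, ENETUNREACH, EHOSTUNREACH, EADDRNOTAVAIL) repeats the `MAX(SETTIME_TIMEOUT, scale_interval(INTERVAL_QUERY_AGGRESSIVE))` expression from the first hunk verbatim; a small helper or a single named interval used by both set_next() calls would keep the two retry paths from drifting apart. The same floor is applied to all four errno values, so the commit message should say whether a refused connection is meant to back off as long as an unreachable network.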



binat and VPN question

2007-11-21 Thread Tom Van Looy
Hi

I have 2 ipsec VPN endpoints on a firewall. The remote networks both use the
same address range (10.10.1/24). The question now is how to route this?

I was thinking about using binat to NAT one of the two networks to 10.10.2/24.
So that on my network 10.10.1.1 is actually 10.10.1.1 on remote network A and
10.10.2.1 is actually 10.10.1.1 on remote network B. But is that possible for
an entire network?

Or is there another way?

Kind regards,

Tom Van Looy



Re: can't change password with passwd comand

2007-11-21 Thread Clint Pachl

Kafriki wrote:
ok here is a user with full details: (this is in plain text, hope it's 
more readable)


cat.cat:$2a$07$aYgatzjxAULHQmmZkjmvteGEaO8Ie8geMoUfhl7AAzKi.WeRhuoA6:10006:20::0:0:Pussy 
Cat:/smbhome/student_homedirs/cat.cat:/bin/ksh


Ok, so you're a cat lover.

Anyway, that dot in the username may be causing some problems. passwd(5) 
says:


The login name may be up to 31 characters long.  For compatibility with
legacy software, a login name should start with a letter and consist
solely of letters, numbers, dashes and underscores.  The login name must
never begin with a hyphen (`-'); also, it is strongly suggested that
neither uppercase characters nor dots (`.') be part of the name, as this
tends to confuse mailers.  No field may contain a colon as this has been
used historically to separate the fields in the user database.

I successfully added the user cat.cat and changed the user's password 
with passwd(1) on my 4.1 system. I'm not sure what is going on in your 
system.


Try using vipw to replace the password with an * then try running 
passwd again.


Are you sure there isn't an empty line in master.passwd?

I appended an empty line to my master.passwd and ran passwd and I 
received the same exact error as you did. BTW, how many lines are in 
your master.passwd file (wc -l  /etc/master.passwd) and what is the line 
number with the error reported by passwd?


Because vipw is working for you, try removing the invalid line, then run 
passwd for another account. This should test whether your passwd program 
is working properly. It is weird that vipw works, but passwd complains.





- Original Message - From: Clint Pachl
To: Jumping Mouse
Cc: misc@openbsd.org
Sent: Tuesday, November 20, 2007 8:56 PM
Subject: Re: can't change password with passwd comand


Jumping Mouse wrote:
Hi Clint,  Yes I am the one.   As for changing the password, this seems to
happen to any user except for the root account; I am able to use  passwd to
change the root account password.  Here is line 24: (I removed the password
and real username) username::1000:0::0:0:username:/home/username:/bin/ksh


I was going to say, don't remove the username or password because the
problem could be embedded in either one of those fields. Anyway, check
to make sure that there is no whitespace adjacent to any colons.

I don't know if this matters but there is no ptmp file in the /etc directory
(nor was there before I followed your earlier instructions)


Doesn't matter. Just wanted to make sure it wasn't causing any problems
when running passwd, which uses that file name as its temp file.
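
A line-by-line check for the problems named in this thread (wrapped lines, trailing spaces, blank lines including an extra newline at end of file, whitespace next to a colon), as an added example that is not code from OpenBSD or from any poster. It assumes the ten colon-separated fields of master.passwd described in passwd(5); `check_pw_line`, `first_bad_line` and the sample text are hypothetical and constructed for illustration, and the checks are not a reimplementation of what pwd_mkdb tests.

```c
#include <stdio.h>
#include <string.h>

#define PW_NFIELDS 10	/* name:password:uid:gid:class:change:expire:gecos:home:shell */

enum pw_problem {
	PW_OK = 0,
	PW_BLANK,	/* empty or whitespace-only line */
	PW_FIELDS,	/* wrong number of fields, e.g. a line wrapped in two */
	PW_TRAILING_WS,	/* space or tab at the end of the line */
	PW_COLON_WS	/* space or tab directly next to a ':' separator */
};

static int
is_ws(char c)
{
	return c == ' ' || c == '\t';
}

/* Check one line; the line ends at the first '\n' or at the NUL. */
enum pw_problem
check_pw_line(const char *line)
{
	size_t len = strcspn(line, "\n");
	size_t i, colons = 0, blanks = 0;
	int colon_ws = 0;

	for (i = 0; i < len; i++) {
		if (is_ws(line[i]))
			blanks++;
		if (line[i] != ':')
			continue;
		colons++;
		if ((i > 0 && is_ws(line[i - 1])) ||
		    (i + 1 < len && is_ws(line[i + 1])))
			colon_ws = 1;
	}
	if (blanks == len)		/* also true when len == 0 */
		return PW_BLANK;
	if (colons != PW_NFIELDS - 1)
		return PW_FIELDS;
	if (is_ws(line[len - 1]))
		return PW_TRAILING_WS;
	if (colon_ws)
		return PW_COLON_WS;
	return PW_OK;
}

/*
 * Walk a whole file image.  Returns the 1-based number of the first bad
 * line and stores the reason in *why, or returns 0 if every line passes.
 */
int
first_bad_line(const char *text, enum pw_problem *why)
{
	const char *p = text;
	int lineno = 1;

	while (*p != '\0') {
		*why = check_pw_line(p);
		if (*why != PW_OK)
			return lineno;
		p += strcspn(p, "\n");
		if (*p == '\n')
			p++;
		lineno++;
	}
	*why = PW_OK;
	return 0;
}

/* Constructed sample: line 3 was wrapped after the gecos text. */
static const char sample_passwd[] =
    "root:*:0:0:daemon:0:0:Charlie &:/root:/bin/ksh\n"
    "alice:*:1000:10::0:0:Alice Example:/home/alice:/bin/ksh\n"
    "bob:*:1001:10::0:0:Bob \n"
    "Example:/home/bob:/bin/ksh\n";

int
main(void)
{
	enum pw_problem why;
	int line = first_bad_line(sample_passwd, &why);

	if (line != 0)
		printf("line %d: problem code %d\n", line, (int)why);
	return 0;
}
```
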




network 'device timeout' or 'watchdog timeout' on macppc with 4.2

2007-11-21 Thread Bruce O'Neel
Hi,

Using OpenBSD 4.2 on a Mac G3 and/or a Lombard G3 (dmesg below) I quickly get:


Nov 20 22:20:26 bellinzona /bsd: fxp0: device timeout
Nov 20 22:57:42 bellinzona /bsd: fxp0: device timeout

Nov 21 07:33:43 bellinzona /bsd: xl0: watchdog timeout
Nov 21 07:34:28 bellinzona /bsd: xl0: watchdog timeout
Nov 21 07:37:01 bellinzona /bsd: xl0: watchdog timeout

and the network card drops off line.  This makes 4.2 not so usable.
It happens with different interfaces both on the PowerMac G3 and on the Lombard.


I saw the line:

# Fix for macppc when using the new context switching code. 

in the post 4.2 changes so I tried the snapshot from 13 Nov.  This makes 
the Lombard G3 work.  It makes the PowerMac G3 better, but not perfect.

With the fxp it transfers about 50meg or so before dropping off line.
With the xl0 the transfer is smaller.

Thanks in advance.  I am happy to try building a newer current.  Or, I can move 
back to 4.1 which didn't seem to have this difficulty.

cheers

bruce

PowerMac G3 dmesg (note that I removed the fxp and put in a xl).

OpenBSD 4.2-current (GENERIC) #1585: Mon Nov 12 18:27:11 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/macppc/compile/GENERIC
real mem = 536870912 (512MB)
avail mem = 512176128 (488MB)
mainbus0 at root: model PowerMac1,1
cpu0 at mainbus0: 750 (Revision 0x8201): 350 MHz: 512KB backside cache
mem0 at mainbus0
mpcpcibr0 at mainbus0 pci: grackle, Revision 0x40
pci0 at mpcpcibr0 bus 0
pchb0 at pci0 dev 0 function 0 Motorola MPC106 PCI rev 0x40
ppb0 at pci0 dev 13 function 0 DEC 21154 PCI-PCI rev 0x02
pci1 at ppb0 bus 1
TI TSB12LV21 FireWire rev 0x02 at pci1 dev 0 function 0 not configured
pciide0 at pci1 dev 1 function 0 CMD Technology PCI0646 rev 0x05: DMA, 
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using irq 26 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: IBM-DPTA-371360
wd0: 16-sector PIO, LBA, 13042MB, 26712000 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
xl0 at pci1 dev 3 function 0 3Com 3c905 100Base-TX rev 0x00: irq 24, address 
00:60:08:6e:a8:0f
nsphy0 at xl0 phy 24: DP83840 10/100 PHY, rev. 1
macobio0 at pci1 dev 5 function 0 Apple Paddington rev 0x00
macintr0 at macobio0 offset 0x10
mesh0 at macobio0 offset 0x1 irq 12: 50MHz, SCSI ID 7
scsibus0 at mesh0: 8 targets
escc-legacy at macobio0 offset 0x12000 not configured
zsc0 at macobio0 offset 0x13000: irq 15,16
zstty0 at zsc0 channel 0
zstty1 at zsc0 channel 1
awacs0 at macobio0 offset 0x14000: irq 17,8,9 headphones
audio0 at awacs0
power-mgt at macobio0 offset 0x0 not configured
fdc at macobio0 offset 0x15000 not configured
adb0 at macobio0 offset 0x16000 irq 18: via-cuda, 0 targets
piic0 at adb0
iic0 at piic0
wdc0 at macobio0 offset 0x2 irq 13: DMA
atapiscsi0 at wdc0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: PLEXTOR, CD-R PX-W1210A, 1.07 SCSI0 5/cdrom 
removable
cd0(wdc0:0:0): using BIOS timings, DMA mode 2
bm0 at macobio0 offset 0x11000 irq 42,33: address 00:05:02:57:1b:a5
lxtphy0 at bm0 phy 0: LXT970 10/100 PHY, rev. 1
nvram at macobio0 offset 0x6 not configured
ohci0 at pci1 dev 6 function 0 Opti 82C861 rev 0x10: irq 28, version 1.0, 
legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 Opti OHCI root hub rev 1.00/1.00 addr 1
vgafb0 at pci0 dev 16 function 0 ATI Rage 128 GL rev 0x00, mmio
wsdisplay0 at vgafb0 mux 1: console (std, vt100 emulation)
bootpath: /pci/@d/[EMAIL PROTECTED]/[EMAIL PROTECTED]/[EMAIL PROTECTED]:/bsd
root on wd0a swap on wd0b dump on wd0b


The Lombard G3 dmesg:

OpenBSD 4.2-current (GENERIC) #1585: Mon Nov 12 18:27:11 MST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/macppc/compile/GENERIC
real mem = 268435456 (256MB)
avail mem = 250462208 (238MB)
mainbus0 at root: model PowerBook1,1
cpu0 at mainbus0: 750 (Revision 0x8202): 333 MHz: 512KB backside cache
mem0 at mainbus0
mpcpcibr0 at mainbus0 pci: grackle, Revision 0x40
pci0 at mpcpcibr0 bus 0
pchb0 at pci0 dev 0 function 0 Motorola MPC106 PCI rev 0x40
ohci0 at pci0 dev 14 function 0 ATT/Lucent USB rev 0x12: irq 28, version 1.0
macobio0 at pci0 dev 16 function 0 Apple Paddington rev 0x00
macintr0 at macobio0 offset 0x10
escc-legacy at macobio0 offset 0x12000 not configured
zsc0 at macobio0 offset 0x13000: irq 15,16
zstty0 at zsc0 channel 0
zstty1 at zsc0 channel 1
awacs0 at macobio0 offset 0x14000: irq 17,8,9 speaker
audio0 at awacs0
power-mgt at macobio0 offset 0x0 not configured
adb0 at macobio0 offset 0x16000 irq 18: via-pmu, 3 targets
akbd0 at adb0 addr 2: iBook keyboard with inverted T (ISO layout)
wskbd0 at akbd0: console keyboard
ams0 at adb0 addr 3: EMP trackpad tpad 2-button, 400 dpi
wsmouse0 at ams0 mux 0
abtn0 at adb0 addr 7: brightness/volume/eject buttons
apm0 at adb0: battery flags 0x5, 100% charged
wdc0 at macobio0 offset 0x2 irq 13: DMA
wd0 at wdc0 channel 0 drive 0: FUJITSU MHH2048AT
wd0: 16-sector PIO, LBA, 4645MB, 9514260 sectors
wd0(wdc0:0:0): 

snmpd on current

2007-11-21 Thread Insan Praja SW

Hi all,
I'm currently running 4.2-current and installing net-snmp-5.4.1 from ports
(updated). Something is wrong: when I run snmpd, it seems to eat all CPU
and memory keeps getting bigger.. is there anything wrong?
thanks..

Insan

OpenBSD 4.2-current (GENERIC) #1: Wed Nov 21 19:37:37 WIT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1069101056 (1019MB)
avail mem = 1026625536 (979MB)
RTC BIOS diagnostic error ffixed_disk,invalid_time
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0x3fbf4000 (42 entries)
bios0: vendor Intel Corporation version
S3000.86B.02.00.0044.071120071047 date
 07/11/2007
bios0: Intel S3000AH
acpi0 at mainbus0: rev 0
acpi0: tables DSDT FACP APIC WDDT MCFG ASF! SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices SLPB(S4) P32_(S4) UAR1(S1) PEX4(S4) PEX5(S4)
UHC1(S1) UHC2
(S1) UHC3(S1) UHC4(S1) EHCI(S1) AC9M(S4) AZAL(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (P32_)
acpiprt2 at acpi0: bus 1 (PEX0)
acpiprt3 at acpi0: bus -1 (PEX1)
acpiprt4 at acpi0: bus -1 (PEX2)
acpiprt5 at acpi0: bus -1 (PEX3)
acpiprt6 at acpi0: bus 2 (PEX4)
acpiprt7 at acpi0: bus 3 (PEX5)
acpicpu0 at acpi0: FVS, 3000, 2400 MHz
acpibtn0 at acpi0: SLPB
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Pentium(R) D CPU 3.00GHz, 3000.34 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CF
LUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX
16,
xTPR,NXE,LONG
cpu0: 2MB 64b/line 8-way L2 cache
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 Intel E7230 MCH rev 0x00
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01
pci3 at ppb2 bus 3
em0 at pci3 dev 0 function 0 Intel PRO/1000MT (82573E) rev 0x03: irq 9,
addres
s 00:15:17:49:04:0d
Intel 82573E AMT rev 0x03 at pci3 dev 0 function 3 not configured
Intel 82573E KCS (Active Management) rev 0x03 at pci3 dev 0 function 4
not con
figured
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: irq 11
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: irq 10
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: irq 11
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: irq 11
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 11
ehci0: timed out waiting for BIOS
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1
pci4 at ppb3 bus 4
vga1 at pci4 dev 4 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em1 at pci4 dev 5 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq 9,
addre
ss 00:15:17:49:04:0e
pcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01
pciide0 at pci0 dev 31 function 1 Intel 82801GB IDE rev 0x01: DMA,
channel 0 c
onfigured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVD-ROM GDR-H30N, 1.00 SCSI0
5/cdrom r
emovable
cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA,
channel 0
configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 10 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: ST380215AS
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 Intel 82801GB SMBus rev 0x01: irq 10
iic0 at ichiic0
adt0 at iic0 addr 0x2e: emc6d100 rev 0x69
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-5300CL5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a swap on wd0b dump on wd0b





Re: can't change password with passwd comand

2007-11-21 Thread Cristiano Deana
On Nov 21, 2007 10:48 AM, Kafriki [EMAIL PROTECTED] wrote:

 ok here is a user with full details: (this is in plain text, hope it's more
 readable)

 cat.cat:$2a$07$aYgatzjxAULHQmmZkjmvteGEaO8Ie8geMoUfhl7AAzKi.WeRhuoA6:10006:20::0:0:Pussy
 Cat:/smbhome/student_homedirs/cat.cat:/bin/ksh

Don't paste a user but line 24's user

-- 
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/



Re: can't change password with passwd comand

2007-11-21 Thread Nick Holland
Cristiano Deana wrote:
 On Nov 21, 2007 10:48 AM, Kafriki [EMAIL PROTECTED] wrote:
 
 ok here is a user with full details: (this is in plain text, hope it's more
 readable)

 cat.cat:$2a$07$aYgatzjxAULHQmmZkjmvteGEaO8Ie8geMoUfhl7AAzKi.WeRhuoA6:10006:20::0:0:Pussy
 Cat:/smbhome/student_homedirs/cat.cat:/bin/ksh
 
 Don't paste a user but line 24's user
 

and 23 and 25...

Better yet, end the blooming guessing game, post the thing somewhere.
Yes, that means all your PWs are trash, but if you are inheriting a
machine, you need to change all the PWs anyway...and probably once
again once you have properly secured it.

Or manually edit down the file to the absolute minimum that demonstrates
the problem.

Or move the file to another OpenBSD machine (they are easy to build)
and verify that the problem is IN that file, and not a systemic problem,
which is not out of the question, considering the other apparent damage
to it.  Then do what we will do and chew through the file and figure
out why it isn't working.

Nick.
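
Nick's suggestion to cut the file down to the lines that demonstrate the problem can be done without publishing any hashes. The sketch below is an added example, not code from the thread or from OpenBSD; it assumes the ten colon-separated master.passwd fields described in passwd(5), and its function names and sample entries are constructed.

```python
"""Structural check of a BSD master.passwd file that never prints its content."""
import sys

# Field order of master.passwd as described in passwd(5) on BSD systems.
FIELDS = ("name", "password", "uid", "gid", "class",
          "change", "expire", "gecos", "home_dir", "shell")
NUMERIC = ("uid", "gid", "change", "expire")


def check_line(raw: bytes) -> list:
    """Return the problems found in one line (given without its newline)."""
    problems = []
    if raw.endswith(b"\r"):
        problems.append("carriage return at end of line (DOS line ending)")
        raw = raw[:-1]
    if not raw.strip():
        return problems + ["blank or whitespace-only line"]
    if raw != raw.strip():
        problems.append("leading or trailing whitespace")
    bad = sorted({b for b in raw if b < 0x20 or b > 0x7e})
    if bad:
        problems.append("non-printable or non-ASCII bytes: "
                        + " ".join(f"0x{b:02x}" for b in bad))
    parts = raw.split(b":")
    if len(parts) != len(FIELDS):
        problems.append(f"{len(parts)} fields, expected {len(FIELDS)}")
        return problems
    entry = dict(zip(FIELDS, parts))
    if not entry["name"]:
        problems.append("empty name field")
    for key in NUMERIC:
        if not entry[key].isdigit():
            problems.append(f"{key} is not a non-negative integer")
    for key in ("home_dir", "shell"):
        if entry[key] and not entry[key].startswith(b"/"):
            problems.append(f"{key} is not an absolute path")
    return problems


def check_file(data: bytes) -> dict:
    """Map 1-based line number to its problems, for lines that have any."""
    report = {}
    lines = data.split(b"\n")
    unterminated = lines[-1] != b""
    if not unterminated:
        lines.pop()                      # drop the empty piece after the final newline
    first_seen = {}
    for number, raw in enumerate(lines, start=1):
        problems = check_line(raw)
        name = raw.split(b":", 1)[0]
        if name.strip():
            if name in first_seen:
                problems.append(
                    f"duplicate name, first seen on line {first_seen[name]}")
            else:
                first_seen[name] = number
        if unterminated and number == len(lines):
            problems.append("no newline at end of file")
        if problems:
            report[number] = problems
    return report


def format_report(report: dict) -> str:
    """One line per problem, keyed by line number only; no file content."""
    out = []
    for number in sorted(report):
        for problem in report[number]:
            out.append(f"line {number}: {problem}")
    return "\n".join(out)


# Constructed sample: the "hash" is a placeholder string, not a real bcrypt hash.
SAMPLE_HASH = b"$2a$07$" + b"C" * 53
SAMPLE = b"\n".join([
    b"root:" + SAMPLE_HASH + b":0:0:daemon:0:0:Charlie &:/root:/bin/ksh",
    b"alice:" + SAMPLE_HASH + b":1000:1000::0:0:Alice Example:/home/alice:/bin/ksh",
    b"bob:" + SAMPLE_HASH + b":1001:1001::0:0:Bob Example:/home/bob:/bin/ksh ",
    b"carol:" + SAMPLE_HASH + b":1002:20:0:0:Carol Example:/home/carol:/bin/ksh",
    b"dave:" + SAMPLE_HASH + b":10x3:20::0:0:Dave:/home/dave:/bin/ksh",
    b"",
    b"erin:" + SAMPLE_HASH + b":1004:20::0:0:Erin:/home/erin:/bin/ksh\r",
]) + b"\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
    else:
        data = SAMPLE
    print(format_report(check_file(data)) or "no structural problems found")
```

The report names line numbers and problem types only, so it can be posted to a list as-is while the file itself stays private.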



IPoEoA on ueagle?

2007-11-21 Thread hammond . mason
I am running 4.2-RELEASE and have recompiled the kernel to include the
lines:

Option NATM
ueagle* at usb?

My Sagem [EMAIL PROTECTED] 800 E2 is recognised by the kernel:

# dmesg | grep ueagle
ueagle0 at uhub3 port 2
ueagle0 detached
ueagle0 at uhub3 port 2
ueagle0: Analog Devices Eagle II, rev 1.00/50.0b, addr 2
ueagle0: address: 00:60:4c:16:d1:60
#

My ISP uses IPoEoA.
I have done a bit of reading on ATM (although I am by no means an expert)
and I would like to know if IPoEoA is supported in ueagle.
Can anyone please tell me if this is the case and, if so, is there any
special configuration advice they can give me?

Kind regards




Terrible messages in /var/log/messages

2007-11-21 Thread Evgeniy Sudyr
Hello misc,

 After boot I see a lot of terrible messages in /var/log/messages which
 are added to it every second.

 It looks like a driver bug. Maybe somebody can help resolve this
 problem.

 content of /var/run/dmsg.boot

OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.93GHz (GenuineIntel 686-class) 2.94 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,xTPR
real mem  = 527790080 (503MB)
avail mem = 502685696 (479MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/23/06, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.4 @ 0xf04d0 (45 entries)
bios0: vendor American Megatrends Inc. version 3.28 date 01/23/2006
bios0: Compaq Presario 061 PJ534AA-ABA SR1250NX NA440
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf8c60/304 (17 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801FB LPC rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xa400!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82915G/P/GV Host rev 0x04
vga1 at pci0 dev 2 function 0 Intel 82915G/P/GV Video rev 0x04: aperture at 0xd000, size 0x1000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci0 dev 27 function 0 Intel 82801FB HD Audio rev 0x03: irq 10
azalia0: host: High Definition Audio rev. 1.0
azalia0: codec: Realtek ALC880 (rev. 5.0), HDA version 0.9
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 Intel 82801FB PCIE rev 0x03
pci1 at ppb0 bus 1
uhci0 at pci0 dev 29 function 0 Intel 82801FB USB rev 0x03: irq 11
uhci1 at pci0 dev 29 function 1 Intel 82801FB USB rev 0x03: irq 3
uhci2 at pci0 dev 29 function 2 Intel 82801FB USB rev 0x03: irq 5
uhci3 at pci0 dev 29 function 3 Intel 82801FB USB rev 0x03: irq 10
ehci0 at pci0 dev 29 function 7 Intel 82801FB USB rev 0x03: irq 11
ehci0: timed out waiting for BIOS
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb1 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xd3
pci2 at ppb1 bus 2
VIA VT6306 FireWire rev 0x80 at pci2 dev 1 function 0 not configured
rl0 at pci2 dev 2 function 0 Realtek 8139 rev 0x10: irq 6, address 00:11:2f:d7:ff:29
rlphy0 at rl0 phy 0: RTL internal PHY
sis0 at pci2 dev 3 function 0 NS DP83815 10/100 rev 0x00, DP83815C: irq 3, address 00:a0:cc:a1:60:bb
nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
ichpcib0 at pci0 dev 31 function 0 Intel 82801FB LPC rev 0x03: PM disabled
pciide0 at pci0 dev 31 function 2 Intel 82801FB SATA rev 0x03: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 1 drive 0: ST3120025A
wd0: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: GENERIC, DVD RW 12XMax, 100I SCSI0 5/cdrom removable
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 Intel 82801FB SMBus rev 0x03: irq 10
iic0 at ichiic0
adt0 at iic0 addr 0x2e: sch5017 rev 0x89
usb1 at uhci0: USB revision 1.0
uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4: Intel UHCI root hub, rev 1.00/1.00, addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
biomask ff3d netmask ff7d ttymask 
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status 0x40INUSE
ichiic0: abort failed, status 0x42INTR,INUSE
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status 0x0
ichiic0: abort failed, status 0x42INTR,INUSE
umass0 at uhub4 port 1 configuration 1 interface 0
umass0: vendor 0x058f USB Reader, rev 1.10/1.00, addr 2
umass0: using SCSI over Bulk-Only
scsibus1 at umass0: 2 targets
sd0 at scsibus1 targ 1 lun 0: Generic, USB SD Reader, 1.00 SCSI0 0/direct removable
sd0: drive offline
sd1 at scsibus1 targ 1 lun 1: Generic, USB CF Reader, 1.01 SCSI0 0/direct removable
sd1: drive offline

Fw: IPoEoA on ueagle?

2007-11-21 Thread hammond . mason
I'm not sure if this made it before my subscription was confirmed, so I'm
posting it again (1.5 hours later).
- Forwarded by Hammond Mason/GB/ABNAMRO/NL on 21/11/2007 14:23 -

From: Hammond Mason/GB/ABNAMRO/NL
Date: 21/11/2007 12:59
To: misc@openbsd.org
Subject: IPoEoA on ueagle?






Re: MAC multicast address

2007-11-21 Thread David Newman
On 11/20/07 6:45 AM, Fridiric Pli wrote:
 Hello,
 
 Is there a way to control which multicast MAC address an ethernet interface
 should handle ?
 
 I have a problem with a server running OpenBSD4.1-rel (A) with a pcn and carp
 interface.
 On the same Ethernet network, there is another server (B) and a
 hi-availability cluster of firewalls (commercial product) (F composed of F1
 and F2) reached via unicast IP  address (IPADDR{F}) over multicast MAC
 address (MAC{F}).
 
 When B wants to communicate to a service behind F (IP route is known via
 IPADDR{FW} ) this happens :
 - B send ARP request to ff:ff:ff:ff:ff:ff from MAC{B} Who has IPADDR{FW}?
 tell IPADDR{B}
 - B receive ARP response from MAC{F1} to MAC{B} IPADDR{FW} is at MAC{F}
 - B receive ARP response from MAC{F2} to MAC{B} IPADDR{FW} is at MAC{F}

possible cluster misconfiguration here. there should only be one virtual
IP, and it alone should respond to ARP requests, with one IP/MAC address

 - B send an ethernet frame to F from MAC{B} IPADDR{B} to MAC{F}  IPADDR{F}
 - A receive this ethernet frame

why? B and F have unicast MAC and IP addresses so far, yes? So, unless A
and B are on a hub or wireless LAN, only B and F should see them.

 - A send a new frame from MAC{A} IPADDR{B} to MAC{?} (this MAC is a
 multicast mac that is not used by any of my openbsd server)

huh? why would A use B's address as its source IP?

CARP uses multicast but it sounds like there may be at least a couple of
other problems here. I would fix them first before proceeding.

dn


 
 This mean the one initial frame is duplicated and by cascade, huge of
 ethernet frames are transmitted.
 
 This behaviour makes the performance of the firewall decreasing.
 
 
 Ethernet frames sent by another server (SERVER2) to a multicast mac address
 that is handled by a cluster of firewall (commercial product) are received
 and resent to another multicast mac address.
 
 
 Thanks for help,
 
 Fred



Re: acpiac

2007-11-21 Thread Marco Peereboom
The spec dictates a blanket _STA for all devices.  So we have to call
just to make the spec happy.  The fact that we don't do anything with
it doesn't really matter :-)

On Wed, Nov 21, 2007 at 11:52:24AM +0100, giovanni wrote:
 On Nov 20, 2007 5:40 PM, Marco Peereboom [EMAIL PROTECTED] wrote:
  yeah the spec tells us to.  Why?
 
 maybe I'm wrong in what I'm saying...
 
 device AC could have _PSR but not _STA.
 
 when _STA exists it gives us this information:
 
 0xf - AC adapter exists
 0x0 - AC adapter does not exist
 
 because this information is not used later, I really do not
 understand why _STA is evaluated.
 some hints?
 
 tnx
 
  On Tue, Nov 20, 2007 at 11:52:33AM +0100, giovanni wrote:
   hello,
  
   any reason for evaluating  _STA before _PSR for getting AC status?
  
   if (aml_evalname(sc->sc_acpi, sc->sc_devnode, "_STA", 0, NULL, NULL)) {
           dnprintf(10, "%s: no _STA\n", DEVNAME(sc));
   }
  
   if (aml_evalname(sc->sc_acpi, sc->sc_devnode, "_PSR", 0, NULL, &res)) {
           dnprintf(10, "%s: no _PSR\n", DEVNAME(sc));
           return (1);
   }
  
   --
   see ya,
   giovanni
  
 
 
 
 
 -- 
 see ya,
 giovanni



Re: can't change password with passwd comand

2007-11-21 Thread Jumping Mouse
Ok, Ok I get the point.   I agree that posting line 24 will not help, any user
except root gives the same issues.  And as a last and final attempt I will
check the end of the file for any spaces as Clint suggested.

finally:

What if I try a master.passwd file from a working machine of same Build.  If
that file does work then we can conclude it is systemic. I am off for
thanksgiving over here in the US.. so it may be a while before I respond with
my results.

Thanks everyone, so far.
  - Original Message -
  From: Nick Holland
  To: misc
  Sent: Wednesday, November 21, 2007 7:18 AM
  Subject: Re: can't change password with passwd comand


  Cristiano Deana wrote:
   On Nov 21, 2007 10:48 AM, Kafriki [EMAIL PROTECTED] wrote:
  
   ok here is a user with full details: (this is in plain text, hope it's
more
   readable)
  
  
cat.cat:$2a$07$aYgatzjxAULHQmmZkjmvteGEaO8Ie8geMoUfhl7AAzKi.WeRhuoA6:10006:20
::0:0:Pussy
   Cat:/smbhome/student_homedirs/cat.cat:/bin/ksh
  
   Don't paste a user but line 24's user
  

  and 23 and 25...

  Better yet, end the blooming guessing game, post the thing somewhere.
  Yes, that means all your PWs are trash, but if you are inheriting a
  machine, you need to change all the PWs anyway...and probably once
  again once you have properly secured it.

  Or manually edit down the file to the absolute minimum that demonstrates
  the problem.

  Or move the file to another OpenBSD machine (they are easy to build)
  and verify that the problem is IN that file, and not a systemic problem,
  which is not out of the question, considering the other apparent damage
  to it.  Then do what we will do and chew through the file and figure
  out why it isn't working.

  Nick.



Re: Formal verification as another tool for ensuring OpenBSD quality

2007-11-21 Thread mike

Andris wrote:

Hi, I have read about formal verification, and it sounds like a
perfect tool to outreach the project goals. I'm pretty sure developers
know about it, so I'd like to read comments or opinions.

http://en.wikipedia.org/wiki/Formal_verification

Greetings.



Well, just go ahead and do it. Please post your findings afterwards.



Re: Compromising a host with pf enabled?

2007-11-21 Thread Darren Spruell
On Nov 19, 2007 10:53 PM, Clint Pachl [EMAIL PROTECTED] wrote:
 In my DMZ research, some sources state that all services need to be
 replicated in each DMZ. Following that advice, I would have to setup
 Kerberos, ntp, backup, and DNS in each DMZ and the LAN; that sounds like
 a lot of work. What do you guys think?

A company I know just moved to this architecture. They have something
on the scope of 5 DMZs consisting of about 10 different
segments/tiers. This was the result of security architecture design
for the most secure setup to provide segmentation.

I think it sucks. While the amount of segmentation they have is
probably A Good Thing, the way it is implemented imposes this
necessary duplication of infrastructure services in each of the
segments. So instead of a pair of DNS servers, they've got a pair of
DNS servers *per segment.* Ditto for LDAP, DHCP, monitoring, backup
and administration jump servers. Maybe more. It significantly
increased the amount of systems that need to be maintained in the
organization. Introducing jump servers increased the number of
administrative accounts that were needed by everyone. It increased the
complexity of the design and processes for administration. It
increased the amount of replication of services and data transfer on
the networks for that. It significantly increased the cost to
implement. We have suspicions that it's now too difficult for
administrators to effectively maintain the hosts in these segments and
some may be slipping on patches, backups, or other necessary
administration tasks.

Moral: only do this crap if you can balance it out with the ability to
reasonably manage the outcome and not incur disproportionate cost to
the benefit it provides.

DS



Re: Formal verification as another tool for ensuring OpenBSD quality

2007-11-21 Thread Gregg Reynolds
On 11/20/07, Andris [EMAIL PROTECTED] wrote:
 Hi, I have read about formal verification, and it sounds like a
 perfect tool to outreach the project goals. I'm pretty sure developers
 know about it, so I'd like to read comments or opinions.

You'll want to check out the Z specification language.  It's a work of
art.  The ISO standard is available online, but it would probably be
heavy sledding for a newcomer, so you should start with an intro.
There are a number of open source tools (dunno about the licensing.)

My guess is knowledge of formal methods is quite rare even among the
development cognoscenti.  It's hard enough to find time to learn
functional languages like haskell or ml; formal methods is a whole
'nother area.  UML is widely known, but as a formal language, well,
let's just say Z makes it look like an amateur hack.  Ditto for xml
schema.

Even without formal (automated) verification, proof etc. formal
notations are absolutely terrific for documenting specifications.
Usually that means system specs, but once upon a time I did quite a
bit of work trying to specify a typesetting language in Z - syntax and
formal semantics.  Never got around to writing it out (too lazy, er,
busy), but I could see how it could be done, and Z provided a clarity
that allowed me to think about the problems far more rigorously and
with far more nuance than would otherwise have been possible.
Recently I discovered the W3C tried to use Z to specify one of their
languages, but I forget which.

-Gregg



Re: snmpd on current

2007-11-21 Thread Insan Praja SW

Hi,

On Wed, 21 Nov 2007 22:30:30 +0700, Brian A. Seklecki  
[EMAIL PROTECTED] wrote:



On Wed, 21 Nov 2007, Insan Praja SW wrote:


Date: Wed, 21 Nov 2007 18:45:47 +0700
From: Insan Praja SW [EMAIL PROTECTED]
To: misc@openbsd.org misc@openbsd.org
Subject: snmpd on current
 Hi all,
I'm currently running 4.2-current and installing net-snmp-5.4.1 from  
ports

(updated). Something is wrong, when I run snmpd, it seem to eat all CPU
and memory keep getting bigger.. is there anything wrong?
thanks..



Run it in foreground w/ verbose debugging.  Worst case scenario, resort  
to ktrace/kdump.


http://linux.die.net/man/1/snmpcmd

-DALL -Lo -f  looks promising.

~~BAS


Temporarily, I chose to uninstall net-snmp -current (and remove the  
package, remove the ports/net/net-snmp dirs), update the source tree with  
4.2 -stable (net-snmp-5.4p1), download and install  
http://www.packetmischief.ca/openbsd/snmp/obsd-mibs42.tar from Joel Knight  
and voilà, it's working.
Well, I've got another machine that is identical, I will try to see what's  
happening before.

Thanks,

Insan

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/



Re: binat and VPN question

2007-11-21 Thread Tom Van Looy
And I can't just change the IP range of network A and B because these 
are customer networks (and they for sure don't want to change it).



Tom Van Looy wrote:

Hi

I have 2 ipsec VPN endpoints on a firewall. The remote networks both use the
same address range (10.10.1/24). The question is now to route this?

I was thinking about using binat to NAT one of the two networks to 10.10.2/24.
So that on my network 10.10.1.1 is actually 10.10.1.1 on remote network A and
10.10.2.1 is actually 10.10.1.1 on remote network B. But is that possible for
an entire network?

Or is there an other way?

Kind regards,

Tom Van Looy




OpenBGPD selecting wrong nexthop over openvpn tunnel

2007-11-21 Thread Casey Ransom

Hi all,

I've been doing some testing with OpenBGPD to possibly replace quagga/ 
zebra on some of our host based routers.   One problem I have found  
is that when it is connecting to a peer over a tun device (we use  
openvpn), the bgp daemon gets the proper nexthop information but when  
it is added to the routing table, it installs the local address as  
the nexthop to the routes it received.  I can't decide if this is an  
undocumented function or a bug, but I can replicate it over both  
FreeBSD (our main platform) and OpenBSD and using all versions of  
openbgpd I could find.  For example, I have a machine at 10.8.1.248  
connecting to 10.8.1.2:

tun0: flags=8051UP,POINTOPOINT,RUNNING,MULTICAST mtu 1500
inet 10.8.1.248 -- 10.8.1.2 netmask 0x
Opened by PID 49178

The connection is working fine and quagga-quagga connections work  
normally (10.8.1.2 is a FreeBSD 6.1 machine) with a translated but  
identical functionality configuration.


10.8.1.2 has all the interesting routes I want to see from  
10.8.1.248, but the daemon is installing 10.8.1.248 as the nexthop to  
those routes, for example:

gw0# bgpctl sho ip bgp | grep 10.3.116.33/32
  10.3.116.33/32  10.8.1.2   100 0 64820 65502 64830 64910 i

gw0# netstat -nrf inet | grep 10.3.116.33/32
10.3.116.33/32 10.8.1.248 UG1 00 fxp0.1

It's baffling me as bgpd is reporting the nexthop as 10.8.1.2, but is  
actually installing 10.8.1.248, which makes no sense to me.  This is  
a pretty cut and dry ebgp session, nothing fancy going on.


bgpd.conf:
AS 65530
router-id 10.8.1.248
log updates
fib-update yes
network 10.12.0.0/16

neighbor 10.8.1.2 {
remote-as 64820
descr 'at-br1.sv'
}

From the other side of the connection, the 10.12/16 network is  
advertised normally and that route is propagated.  I also tried  
(without luck) to set the nexthop to 10.8.1.2 to force it to use the  
correct IP, but only get repeated messages of:

nexthop 10.8.1.2 now valid: via 10.8.1.248
nexthop 10.8.1.2 now invalid

I looked through the openbgpd source but it quickly went over my  
head.  Any ideas?


-casey



Re: snmpd on current

2007-11-21 Thread Brian A. Seklecki

On Wed, 21 Nov 2007, Insan Praja SW wrote:


Date: Wed, 21 Nov 2007 18:45:47 +0700
From: Insan Praja SW [EMAIL PROTECTED]
To: misc@openbsd.org misc@openbsd.org
Subject: snmpd on current

Hi all,
I'm currently running 4.2-current and installing net-snmp-5.4.1 from ports
(updated). Something is wrong, when I run snmpd, it seem to eat all CPU
and memory keep getting bigger.. is there anything wrong?
thanks..



Run it in foreground w/ verbose debugging.  Worst case scenario, resort to 
ktrace/kdump.


http://linux.die.net/man/1/snmpcmd

-DALL -Lo -f  looks promising.

~~BAS



Site-to-site IPSec VPN between OpenBSD and Cisco PIX 515E

2007-11-21 Thread Shohrukh Shoyoqubov
Hello! I am having troubles with setting up site-to-site IPSec VPN tunnel
between OpenBSD and Cisco PIX 515E. I have the following configuration

[ A.B.C.B ] - [ OpenBSD 4.1 (M.N.O.P) ] -- Internet -- [ (I.J.K.L) Cisco PIX 515E ] - [ E.F.G.H ]

# cat /etc/ipsec.conf
ike esp from A.B.C.D to E.F.G.H peer I.J.K.L main auth hmac-sha1 enc 3des group modp1024 quick auth hmac-sha1 enc 3des group none psk *secret*

# ipsecctl -s all
FLOWS:
flow esp in from E.F.G.H to A.B.C.B peer I.J.K.L srcid M.N.O.P/32 dstid I.J.K.L/32 type use
flow esp out from A.B.C.B to E.F.G.H peer I.J.K.L srcid M.N.O.P/32 dstid I.J.K.L/32 type require

SAD:
esp tunnel from M.N.O.P to I.J.K.L spi 0x73b8da7c auth hmac-sha1 enc 3des-cbc
esp tunnel from I.J.K.L to M.N.O.P spi 0xbd5af3e7 auth hmac-sha1 enc 3des-cbc
#

With this configuration I cannot ping E.F.G.H from A.B.C.B and vice-versa.
Both of these hosts have routes to each other through corresponding
gateways (OpenBSD and Cisco). What am I missing?

Thanks,
Shohrukh



Re: Is this load balancing Idea for squid ok while using route-to or is there a better one?

2007-11-21 Thread Rosen Iliev

Hi Siju,

Are you running the squid on the same box where the firewall is?
If so, tags will not be preserved on the outgoing connections from squid 
to the internet.


Regards,

Rosen

Siju George wrote:

Hi,

QUITE UNFORTUNATELY THIS DOES NOT SEEM TO WORK :-(

Could some one please let me see the flaw in logic or implementation?

Thank you so much :-)

Kind Regards

Siju


On Nov 21, 2007 10:46 AM, Siju George [EMAIL PROTECTED] wrote:
  

Hi,

I have two internet connections connected to my firewall now.
Both are from the same ISPs with IP addresses IP1 and IP2
Both have the same gateway GWIP

$ext_if=IP1
$ext_if2=IP2

Now to load balance squid what I am doing is to tag half of the
packets comming to squid using the rules

===
pass in on $int_if inet proto tcp from $int_if:network to any port 8080 \
keep state tag squid probability 50% label squid

pass in quick on $int_if inet proto tcp from $int_if:network to any
port { 21, 8080 } keep state

pass in on $int_if route-to { ($ext_if $gateway), ($ext_if2 $gateway)
} round-robin \
 from $int_if:network to any keep state

===

This gets half of the traffic that comes to squid tagged and labeled as 'squid'

then I have the following NAT rule for the $ext_if which is the
default route to  NAT the tagged rules ( i.e half of squid traffic )
to IP2 on $ext_if2

=

nat on $ext_if from $int_if:network to any tagged squid -> ($ext_if2)

nat on $ext_if from $int_if:network to any -> ($ext_if)

nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

=

and finally for the filter rules to route the tagged packets through
the second interface.

==

pass out quick on $ext_if route-to ( $ext_if2 $gateway ) inet proto tcp \
all modulate state flags S/SA tagged squid

pass out on $ext_if route-to ( $ext_if $gateway ) proto tcp \
all modulate state flags S/SA

pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto tcp \
all modulate state flags S/SA

pass out on $ext_if route-to ( $ext_if $gateway ) proto { udp, icmp }
all keep state

pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto { udp, icmp
} all keep state

===

derived this Idea from

http://osdir.com/ml/openbsd.pf/2005-02/msg00124.html

after searching the archives.

Just wondering if there is a better way to do it :-)

Thank you so much especially Danny for the post :-)))

Kind Regards

Siju




OpenBGPD not inserting correct nexthop over openvpn tunnel

2007-11-21 Thread Casey Ransom

Hi all,

I'm having some issues with OpenBGPD across a point-to-point openvpn  
link.  Some quick background: we have a number of quagga based  
FreeBSD machines doing BGP sessions for our redundancy and due to  
some recent backstabbing by quagga, want to test out openbgpd.  It  
worked well in a normal setup with full tables and advertising our  
networks, but we hit a snag when we attempted to do some routing over  
a couple vpn links.  Over the tun link, OpenBGPD connects to the peer  
and advertises the networks properly, but when selecting the nexthop  
for the remote side prefixes, it installs the local IP in to the  
routing table.  I've tested every version of OpenBGPD I could get my  
hands on (and I'm currently using the latest release) and have tested  
it on OpenBSD and FreeBSD (currently using FreeBSD in this example,  
but I can duplicate it on OpenBSD too)


For example, our tunnel interface looks like:
tun0: flags=8051UP,POINTOPOINT,RUNNING,MULTICAST mtu 1500
inet 10.8.1.248 -- 10.8.1.2 netmask 0x
Opened by PID 49178

10.8.1.2 has a number of routes I'm interested in.  When I start up  
openbgpd, I'll get the normal route update messages:

neighbor 10.8.1.2 (AS64820) update 10.14.112.20/32  via 10.8.1.2
neighbor 10.8.1.2 (AS64820) update 10.14.113.5/32  via 10.8.1.2
neighbor 10.8.1.2 (AS64820) update 10.14.113.4/32  via 10.8.1.2
etc

and the BGP RIB has the same info:
*10.14.113.1/32  10.8.1.2   100 0 64820 65400 65402 i
*10.14.113.2/32  10.8.1.2   100 0 64820 65400 65402 i
*10.14.113.4/32  10.8.1.2   100 0 64820 65400 65402 i

etc

but when I look at the routes installed in the kernel:
10.14.113.1/32 10.8.1.248 UG1 00 fxp0.1
10.14.113.2/32 10.8.1.248 UG1 00 fxp0.1
10.14.113.4/32 10.8.1.248 UG1 00 fxp0.1

This is a very straightforward ebgp connection, bgpd.conf is below.   
This was translated from a quagga/zebra configuration which is  
identical and works properly. I've also tried adding a nexthop  
10.8.1.2 but the nexthop still isn't set properly.  I started looking  
through the openbgpd source but it quickly went over my head.  Is  
this a bug or a behavior that I can't find any documentation on?  Any  
ideas?


bgpd.conf:
gw0# cat /usr/local/etc/bgpd.conf
AS 65530
router-id 10.8.1.248
log updates
fib-update yes
network 10.12.0.0/16

neighbor 10.8.1.2 {
remote-as 64820
descr 'at-br1.sv'
}


-casey



WiFi parameters

2007-11-21 Thread Emmanuel Peroumalnaïk
Hi everybody,

I'm currently looking for a way to configure fragmentation
thresholds and beacon intervals on a Ralink-based WiFi card on OpenBSD 4.2,
configured as an AP.
So far, I've read the ifconfig manual page, asked on forums, and performed
some research on Google, and nothing came up. So I was wondering whether it
was possible or not.

Thanks for your answers

-- 
Peroumalnaik Emmanuel



Re: Formal verification as another tool for ensuring OpenBSD quality

2007-11-21 Thread Gregg Reynolds
On 11/20/07, Andris [EMAIL PROTECTED] wrote:
 Hi, I have read about formal verification, and it sounds like a
 perfect tool to outreach the project goals. I'm pretty sure developers
 know about it, so I'd like to read comments or opinions.

Some Z links:

The original de facto manual, outdated but still very useful and readable:
http://spivey.oriel.ox.ac.uk/mike/zrm/index.html

Jacky's book is excellent, but not free.

ISO Spec (note the small print, which contains a link to the free
download):
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=21573

Actually the easy way to do this is:
http://www.bibsonomy.org/user/mobileink/Z

I'm digging around at http://vl.zuser.org/#tools and I find many of
the free tools are a) written in Java, and b) GPL licensed.  So
there's a good OBSD project, implement some Z tools. ;)

However, HOL, which is used by some Z tools, is BSD licensed:
http://hol.sourceforge.net/  As is the Glasgow Haskell Compiler.

Anyway, the main practical benefit of Z for OBSD would probably be
e.g. for documenting NICs or the like.  Formal specification,
validation, etc. for e.g. cryptographic stuff would be great, but also
a huge amount of work.  Even then, if the implementation language is
C, then the code will be beyond formal analysis; you'd have to use an
implementation language that supports formal reasoning, like haskell.
Not to mention, you'd have to prove that your compiler works
correctly.

-gregg



Re: OpenBGPD selecting wrong nexthop over openvpn tunnel

2007-11-21 Thread Casey Ransom
Also pardon the double post that will soon follow.  I thought my mail  
client had fed this mail to a black hole so I sent another.


-casey

On Nov 21, 2007, at 9:51 AM, Casey Ransom wrote:


Hi all,

I've been doing some testing with OpenBGPD to possibly replace  
quagga/zebra on some of our host based routers.   One problem I  
have found is that when it is connecting to a peer over a tun  
device (we use openvpn), the bgp daemon gets the proper nexthop  
information but when it is added to the routing table, it installs  
the local address as the nexthop to the routes it received.  I  
can't decide if this is an undocumented function or a bug, but I  
can replicate it over both FreeBSD (our main platform) and OpenBSD  
and using all versions of openbgpd I could find.  For example, I  
have a machine at 10.8.1.248 connecting to 10.8.1.2:

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.8.1.248 --> 10.8.1.2 netmask 0x
Opened by PID 49178

The connection is working fine and quagga-quagga connections work  
normally (10.8.1.2 is a FreeBSD 6.1 machine) with a translated but  
identical functionality configuration.


10.8.1.2 has all the interesting routes I want to see from  
10.8.1.248, but the daemon is installing 10.8.1.248 as the nexthop  
to those routes, for example:

gw0# bgpctl sho ip bgp | grep 10.3.116.33/32
  10.3.116.33/32  10.8.1.2   100 0 64820 65502  
64830 64910 i

gw0# netstat -nrf inet | grep 10.3.116.33/32
10.3.116.33/32 10.8.1.248 UG1 00 fxp0.1

It's baffling me as bgpd is reporting the nexthop as 10.8.1.2, but  
is actually installing 10.8.1.248, which makes no sense to me.   
This is a pretty cut and dry ebgp session, nothing fancy going on.


bgpd.conf:
AS 65530
router-id 10.8.1.248
log updates
fib-update yes
network 10.12.0.0/16

neighbor 10.8.1.2 {
remote-as 64820
descr 'at-br1.sv'
}

From the other side of the connection, the 10.12/16 network is  
advertised normally and that route is propagated.  I also tried  
(without luck) to set the nexthop to 10.8.1.2 to force it to use  
the correct IP, but only get repeated messages of:

nexthop 10.8.1.2 now valid: via 10.8.1.248
nexthop 10.8.1.2 now invalid

I looked through the openbgpd source but it quickly went over my  
head.  Any ideas?


-casey




Re: network 'device timeout' or 'watchdog timeout' on macppc with 4.2

2007-11-21 Thread Maurice Janssen
On Wednesday, November 21, 2007 at 11:56:48 +0100, Bruce O'Neel wrote:
Hi,

Using OpenBSD 4.2 on a Mac G3 and/or a Lombard G3 (dmesg below) I quickly get:


Nov 20 22:20:26 bellinzona /bsd: fxp0: device timeout
Nov 20 22:57:42 bellinzona /bsd: fxp0: device timeout

Nov 21 07:33:43 bellinzona /bsd: xl0: watchdog timeout
Nov 21 07:34:28 bellinzona /bsd: xl0: watchdog timeout
Nov 21 07:37:01 bellinzona /bsd: xl0: watchdog timeout

and the network card drops off line.  This makes 4.2 not so usable.
It happens with different interfaces both on the PowerMac G3 and on the 
Lombard.

I noticed the same behaviour with em, bge and xl NIC's on a G3
(PowerMac1,1, dmesg below of the machine running 4.1-stable).

No problems with 4.2 on a G4 (PowerMac3,1), no problems with 4.1 on the
same G3 (PowerMac1,1).

Maurice



[ using 364116 bytes of bsd ELF symbol table ]
console out [ATY,Rage128y]console in [keyboard] ADB found
: memaddr 8800 size 800, : consaddr 8800, : ioaddr 8092, size 
2: memtag 8000, iotag 8000: width 1024 linebytes 1024 height 768 depth 8
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2007 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.1-stable (GENERIC) #3: Sat Oct 27 12:13:04 CEST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/macppc/compile/GENERIC
real mem = 268435456 (262144K)
avail mem = 236310528 (230772K)
using 1254 buffers containing 13418496 bytes (13104K) of memory
mainbus0 (root): model PowerMac1,1
cpu0 at mainbus0: 750 (Revision 0x8201): 400 MHz: 1MB backside cache
mpcpcibr0 at mainbus0 pci: grackle, Revision 0x40
pci0 at mpcpcibr0 bus 0
pchb0 at pci0 dev 0 function 0 Motorola MPC106 PCI rev 0x40
ppb0 at pci0 dev 13 function 0 DEC 21154 PCI-PCI rev 0x02
pci1 at ppb0 bus 1
TI TSB12LV21 FireWire rev 0x02 at pci1 dev 0 function 0 not configured
pciide0 at pci1 dev 1 function 0 CMD Technology PCI0646 rev 0x05: DMA, 
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using irq 26 for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: ST320014A
wd0: 16-sector PIO, LBA, 19092MB, 39102336 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
bge0 at pci1 dev 3 function 0 Broadcom BCM5701 rev 0x15, BCM5701 B5 (0x0105): 
irq 24, address 00:04:76:f8:44:37
brgphy0 at bge0 phy 1: BCM5701 10/100/1000baseT PHY, rev. 0
macobio0 at pci1 dev 5 function 0 Apple Paddington rev 0x00
macintr0 at macobio0 offset 0x10
mesh0 at macobio0 offset 0x1 irq 12: 50MHz, SCSI ID 7
scsibus0 at mesh0: 8 targets
escc-legacy at macobio0 offset 0x12000 not configured
zsc0 at macobio0 offset 0x13000: irq 15,16
zstty0 at zsc0 channel 0
zstty1 at zsc0 channel 1
awacs0 at macobio0 offset 0x14000: irq 17,8,9 headphones
audio0 at awacs0
power-mgt at macobio0 offset 0x0 not configured
fdc at macobio0 offset 0x15000 not configured
adb0 at macobio0 offset 0x16000 irq 18: via-cuda, 0 targets
pi2c0 at adb0
iic0 at pi2c0
wdc0 at macobio0 offset 0x2 irq 13: DMA
atapiscsi0 at wdc0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: SONY, CD-ROM CDU601-25, 1.0p SCSI0 5/cdrom 
removable
cd0(wdc0:0:0): using BIOS timings, DMA mode 2
bm0 at macobio0 offset 0x11000 irq 42,33: address 00:05:02:b1:53:c9
lxtphy0 at bm0 phy 0: LXT970 10/100 PHY, rev. 1
nvram at macobio0 offset 0x6 not configured
ohci0 at pci1 dev 6 function 0 Opti 82C861 rev 0x10: irq 28, version 1.0, 
legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: Opti OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
vgafb0 at pci0 dev 16 function 0 ATI Rage 128 GL rev 0x00, mmio
wsdisplay0 at vgafb0 mux 1: console (std, vt100 emulation)
bootpath: '/pci/@d/[EMAIL PROTECTED]/[EMAIL PROTECTED]/[EMAIL PROTECTED]/bsd'
boot device: wd0.
root on wd0a
rootdev=0x0 rrootdev=0xb00 rawdev=0xb02
uhidev0 at uhub0 port 1 configuration 1 interface 0
uhidev0: CC Technology Inc. HID Keyboard/Mouse PS/2 to USB Translator, rev 
2.00/1.41, addr 2, iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd0 at ukbd0 mux 1
wskbd0: connecting to wsdisplay0
uhidev1 at uhub0 port 1 configuration 1 interface 1
uhidev1: CC Technology Inc. HID Keyboard/Mouse PS/2 to USB Translator, rev 
2.00/1.41, addr 2, iclass 3/1
uhidev1: 3 report ids
ums0 at uhidev1 reportid 1: 5 buttons and Z dir.
wsmouse0 at ums0 mux 0
uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 3: input=5, output=0, feature=0



PE1950

2007-11-21 Thread Stanislav Ovcharenko
Hello,
 
I'm planning on running OpenBSD 4.2 on Dell Power Edge 1950.
 
Question 1: How stable is it on x64 platform? I mean native 64 bit code. I 
assume that x86 code will run just fine ...
Question 2: Does anyone know if PERC 6 RAID controller is supported. The 
hardware list says that it will work with PERC 5 and I'm wondering if the same 
driver will detect and support the chipset on PERC 6 controller.
 
Any feedback would be appreciated.
 
Regards, Stas.


  




Re: restore hanging on an unusual file name

2007-11-21 Thread Jeff Ross

Otto Moerbeek wrote:

On Wed, Nov 21, 2007 at 10:20:39PM +1300, Richard Toohey wrote:


On 21/11/2007, at 12:08 PM, Jeff Ross wrote:


Jeff Ross wrote:

Hi,

   
 11609 restore  RET   write 27/0x1b
 11609 restore  CALL  write(0x2,0x80147000,0x34)
 11609 restore  GIO   fd 2 wrote 52 bytes
   1834488 Document Scrap '\M-o\M^C\M^X Journal Entrie...'.shs
   
On a console (not xterm) the file name appears to be
Document Scrap 'C/ Journal Entrie...'.shs
(that's a lower case i with two dots over it.)

My original e-mail did get mangled a little.

The C/ above is really the lowercase i with two dots over it.

Jeff
I had a look out of curiosity (again) ... no great words of wisdom but 
might help ...


Doesn't *just* seem to be because of the i-with-two-dots above it (0xEF?  I 
looked at http://unicode.org/charts/  and the Latin-1 page - you'll need a 
PDF viewer.  The character is a LATIN SMALL LETTER I WITH DIAERESIS to give 
it the proper moniker ...)


Create char_file.c (yes, no prizes for this code.)  You can achieve getting 
this filename without code, but might be easier to use the code than find 
the right character and paste it.


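#include <stdio.h>

int main(void) {
	FILE *f;
	/* five x's, so the result is the xx?xx.txt shown below */
	char fn[] = "xxxxx.txt";

	/* 0xEF is LATIN SMALL LETTER I WITH DIAERESIS in Latin-1 */
	fn[2] = (char)0xEF;
	f = fopen(fn, "w");
	if (f == NULL)
		return 1;
	fputs("Something here", f);
	fclose(f);
	return 0;
}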

Compile with ...
# cc -Wall -o char_file char_file.c

Execute with ...
# ./char_file

You should end up with a new file in your current directory:

xx?xx.txt		(depending on your display, that question mark may appear as the 
i-with-two-dots.)


Do a dump:

# mkdir testd
# mv xx?xx.txt testd
# dump -0 -f testd.dmp testd/
  DUMP: Dumping sub files/directories from /home
  DUMP: Dumping file/directory testd/
  DUMP: Date of this level 0 dump: Thu Nov 22 10:59:25 2007
  DUMP: Date of last level 0 dump: the epoch
  DUMP: Dumping /dev/rwd0h (/home) to testd.dmp
  DUMP: mapping (Pass I) [regular files]
  DUMP: mapping (Pass II) [directories]
  DUMP: estimated 106 tape blocks on 0.00 tape(s).
  DUMP: Volume 1 started at: Thu Nov 22 10:59:25 2007
  DUMP: dumping (Pass III) [directories]
  DUMP: dumping (Pass IV) [regular files]
  DUMP: 74 tape blocks on 1 volume
  DUMP: Date of this level 0 dump: Thu Nov 22 10:59:25 2007
  DUMP: Volume 1 completed at: Thu Nov 22 10:59:25 2007
  DUMP: Date this dump completed:  Thu Nov 22 10:59:25 2007
  DUMP: Average transfer rate: 0 KB/s
  DUMP: Closing testd.dmp
  DUMP: DUMP IS DONE

Do a restore:

# restore -i -f testd.dmp
restore > cd testd
restore > verbose
verbose mode on
restore > ls
./testd:
25 ./  2 ../24 xx?xx.txt

restore > quit

The copy/paste was via a Mac console - on X running on OpenBSD 4.2/i386 the 
i-with-two-dots appears correctly throughout.


I *know* your dump/restore process is a LOT more complicated than this - 
I'm trying to reproduce the error with the smallest amount of effort (don't 
fancy setting up a Windows box and compressing 12Gb, etc.!)


Guess the next thing might be getting a way smaller sample dump file that 
still shows the problem?  Doesn't *seem* to be just the i character - so is 
it the spaces?  The apostrophes?  Combination of all three?  The length of 
the filename? The Windows factor?   Samba? Translation by something?


The (interactive) restore source code is in 
/usr/src/sbin/restore/interactive.c  - so you could try adding some debug 
messages in there on a test box and run the file through it ...


Are you running 4.2 i386 (apologies if covered or obvious in your posting?)

Thanks.


The easiest way to reproduce I found so far is:

echo '\M-o\M^C\M^X' | unvis  


It hangs my xterm. It does not hang a console.

I think dump should 'vis' the filenames it prints.

-Otto


Thank you Richard and Otto!

Nick Bender suggested to me off list that the problem might not be with
restore but rather with terminal flow control.  I fired up screen,
turned flow control off, and restore did its thing with no problems
whatsoever.

So at least the workaround to the problem has been found.

Additionally, Otto's comment about the xterm and vis/unvis works that 
way here, too.  The console does work, so I'll be using it for restores 
in the future.  Speaking from my own gun-bullet-foot experience, when 
you  need restore you need it _badly_ and the last thing you want to see 
is restore just...stop.


Jeff
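
Otto's suggestion above, that dump should 'vis' the file names it prints, as an added example (not code from dump(8), restore(8) or anyone in the thread): a small C encoder that turns every non-printable byte of a name into the \M-/\^ notation seen in the kdump output, so raw control bytes never reach the terminal. The helper names encode_byte() and encode_name() are hypothetical, the sample name is constructed from the one quoted in the thread, and unlike vis(3) with default flags this version also encodes tab and newline.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example: vis-style encoding of an untrusted file name before it is
 * written to a terminal. Simplified reimplementation of the notation seen in
 * the thread, not OpenBSD's vis(3); helper names are hypothetical.
 */

/* Encode one byte into out (at most 4 characters plus NUL); returns length. */
static size_t
encode_byte(unsigned char c, char out[5])
{
	unsigned char low = c & 0x7f;
	size_t n = 0;

	if (c == '\\') {
		/* double the escape character so the output stays unambiguous */
		out[n++] = '\\';
		out[n++] = '\\';
	} else if (c >= 0x20 && c <= 0x7e) {
		/* printable ASCII, including space, passes through unchanged */
		out[n++] = (char)c;
	} else if (c == 0xa0) {
		/* meta-space has no readable \M- form; use octal instead */
		return (size_t)snprintf(out, 5, "\\%03o", (unsigned int)c);
	} else {
		out[n++] = '\\';
		if (c & 0x80)
			out[n++] = 'M';		/* high bit set */
		if (low < 0x20 || low == 0x7f) {
			out[n++] = '^';		/* control character */
			out[n++] = (low == 0x7f) ? '?' : (char)(low + '@');
		} else {
			out[n++] = '-';
			out[n++] = (char)low;
		}
	}
	out[n] = '\0';
	return n;
}

/*
 * Encode src[0..len) into dst as a NUL-terminated string.
 * Returns the encoded length, or -1 if dst is too small.
 */
static int
encode_name(const unsigned char *src, size_t len, char *dst, size_t dstlen)
{
	size_t o = 0;

	for (size_t i = 0; i < len; i++) {
		char buf[5];
		size_t n = encode_byte(src[i], buf);

		if (o + n + 1 > dstlen)
			return -1;
		memcpy(dst + o, buf, n);
		o += n;
	}
	if (o + 1 > dstlen)
		return -1;
	dst[o] = '\0';
	return (int)o;
}

int
main(void)
{
	/*
	 * Constructed sample: the name from the thread, with the three raw
	 * bytes that kdump displayed as \M-o\M^C\M^X.
	 */
	static const unsigned char name[] =
	    "Document Scrap '\xEF\x83\x98 Journal Entrie...'.shs";
	char safe[4 * sizeof name];

	if (encode_name(name, sizeof name - 1, safe, sizeof safe) < 0)
		return 1;
	printf("%s\n", safe);
	return 0;
}
```

The worst case is four output characters per input byte, which is why the buffer in main() is sized at four times the name.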



5.1 sound card recommendation

2007-11-21 Thread Nickolay A. Burkov
Hello everyone!

Does somebody have success with 5.1 sound?
If so, please recommend PCI Sound Card to work with OpenBSD 4.2(-CURRENT).

I have MARC'ed a bit but similar messages were  1 year ago.
I'd like to think that something has changed..

Thank you for your time.
-- 

C programmers never die. They are just cast into void.



Re: 5.1 sound card recommendation

2007-11-21 Thread Alexandre Ratchov
On Wed, Nov 21, 2007 at 09:23:52PM +0300, Nickolay A. Burkov wrote:
> Hello everyone!
>
> Does somebody have success with 5.1 sound?
> If so, please recommend PCI Sound Card to work with OpenBSD 4.2(-CURRENT).
>
> I have MARC'ed a bit but similar messages were  1 year ago.
> I'd like to think that something has changed..
>

currently there is nearly no support for more than two channel
audio; supported cards that can do 5.1 will run in 2 channel mode
(ie stereo)

imho cmpci(4) and uaudio(4) cards are the easier to make work in 2
channel mode, recent sound blaster cards are unlikely to get a
working driver soon.

-- Alexandre



Re: Terrible messages in /var/log/messages

2007-11-21 Thread Andrew Smith

Are you actually using the I2C interface for anything?

It may be that you have a variant of the hardware that isn't quite  
supported and it should be possible to disable the driver in the  
kernel and avoid these messages.


-Andy

On 21 Nov 2007, at 11:47, Evgeniy Sudyr wrote:


Hello misc,

After boot I see a lot of terrible messages in /var/log/messages which
are added to it every second.

It looks like a driver bug. Maybe somebody can help resolve this
problem.

content of /var/run/dmsg.boot

OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.93GHz (GenuineIntel 686-class) 2.94 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,xTPR

real mem  = 527790080 (503MB)
avail mem = 502685696 (479MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 01/23/06, BIOS32 rev. 0 @  
0xf0010, SMBIOS rev. 2.4 @ 0xf04d0 (45 entries)
bios0: vendor American Megatrends Inc. version 3.28 date  
01/23/2006

bios0: Compaq Presario 061 PJ534AA-ABA SR1250NX NA440
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf8c60/304 (17 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801FB LPC rev  
0x00)

pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xa400!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82915G/P/GV Host rev 0x04
vga1 at pci0 dev 2 function 0 Intel 82915G/P/GV Video rev 0x04:  
aperture at 0xd000, size 0x1000

wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci0 dev 27 function 0 Intel 82801FB HD Audio rev 0x03:  
irq 10

azalia0: host: High Definition Audio rev. 1.0
azalia0: codec: Realtek ALC880 (rev. 5.0), HDA version 0.9
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 Intel 82801FB PCIE rev 0x03
pci1 at ppb0 bus 1
uhci0 at pci0 dev 29 function 0 Intel 82801FB USB rev 0x03: irq 11
uhci1 at pci0 dev 29 function 1 Intel 82801FB USB rev 0x03: irq 3
uhci2 at pci0 dev 29 function 2 Intel 82801FB USB rev 0x03: irq 5
uhci3 at pci0 dev 29 function 3 Intel 82801FB USB rev 0x03: irq 10
ehci0 at pci0 dev 29 function 7 Intel 82801FB USB rev 0x03: irq 11
ehci0: timed out waiting for BIOS
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: Intel EHCI root hub, rev 2.00/1.00, addr 1
ppb1 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xd3
pci2 at ppb1 bus 2
VIA VT6306 FireWire rev 0x80 at pci2 dev 1 function 0 not configured
rl0 at pci2 dev 2 function 0 Realtek 8139 rev 0x10: irq 6, address  
00:11:2f:d7:ff:29

rlphy0 at rl0 phy 0: RTL internal PHY
sis0 at pci2 dev 3 function 0 NS DP83815 10/100 rev 0x00,  
DP83815C: irq 3, address 00:a0:cc:a1:60:bb

nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
ichpcib0 at pci0 dev 31 function 0 Intel 82801FB LPC rev 0x03: PM  
disabled
pciide0 at pci0 dev 31 function 2 Intel 82801FB SATA rev 0x03:  
DMA, channel 0 wired to compatibility, channel 1  
wired to compatibility

wd0 at pciide0 channel 1 drive 0: ST3120025A
wd0: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: GENERIC, DVD RW 12XMax, 100I SCSI0 5/ 
cdrom removable

wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 Intel 82801FB SMBus rev 0x03:  
irq 10

iic0 at ichiic0
adt0 at iic0 addr 0x2e: sch5017 rev 0x89
usb1 at uhci0: USB revision 1.0
uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4: Intel UHCI root hub, rev 1.00/1.00, addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
biomask ff3d netmask ff7d ttymask 
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00:  
timeout, status 0x40INUSE

ichiic0: abort failed, status 0x42INTR,INUSE
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00:  
timeout, status 0x0

ichiic0: abort failed, status 0x42INTR,INUSE
umass0 at uhub4 

Re: can't change password with passwd comand

2007-11-21 Thread Clint Pachl

Jumping Mouse wrote:

Ok, Ok I get the point.   I agree that posting line 24 will not help, any user
except root gives the same issues.  And as a last and final attempt I will
check the end of the file for any spaces as Clint suggested.
  


You mean you haven't checked for empty lines and trailing and adjacent 
spaces yet?



finally:

What if I try a master.passwd file from a working machine of same Build.  If
that file does work then we can conclude it is systemic.


What are you saying?

If you try a master.passwd file from a working machine and it does work, 
then we can conclude your original master.passwd file was crap.


At this point, I would say end the troubleshooting on the crappy 
master.passwd file and do what Holland said. Extract a master.passwd 
file from a pristine etcXX.tgz and go from there. DO NOT use a 
master.passwd from another working machine. We don't need to introduce 
other variables.




Re: Compromising a host with pf enabled?

2007-11-21 Thread Clint Pachl

Darren Spruell wrote:

On Nov 19, 2007 10:53 PM, Clint Pachl [EMAIL PROTECTED] wrote:
  

In my DMZ research, some sources state that all services need to be
replicated in each DMZ. Following that advice, I would have to setup
Kerberos, ntp, backup, and DNS in each DMZ and the LAN; that sounds like
a lot of work. What do you guys think?



A company I know just moved to this architecture. They have something
on the scope of 5 DMZs consisting of about 10 different
segments/tiers. This was the result of security architecture design
for the most secure setup to provide segmentation.

I think it sucks. While the amount of segmentation they have is
probably A Good Thing, the way it is implemented imposes this
necessary duplication of infrastructure services in each of the
segments. So instead of a pair of DNS servers, they've got a pair of
DNS servers *per segment.* Ditto for LDAP, DHCP, monitoring, backup
and administration jump servers. Maybe more. It significantly
increased the amount of systems that need to be maintained in the
organization. Introducing jump servers increased the number of
administrative accounts that were needed by everyone. It increased the
complexity of the design and processes for administration. It
increased the amount of replication of services and data transfer on
the networks for that. It significantly increased the cost to
implement. We have suspicions that it's now too difficult for
administrators to effectively maintain the hosts in these segments and
some may be slipping on patches, backups, or other necessary
administration tasks.

Moral: only do this crap if you can balance it out with the ability to
reasonably manage the outcome and not incur disproportionate cost to
the benefit it provides.
  


Thanks for that feedback. That example you gave sounds like an admin 
nightmare.


I've decided to go with a fairly flat topology. I will have a single 
DMZ, a LAN segment, and a segment for WLAN and use a single firewall to 
route between the segments. Anything that will be directly accessible 
from the Internet will go in the DMZ, otherwise everything else goes in 
the LAN. I will poke holes in the firewall from the DMZ to the LAN as 
necessary (i.e. webservers - {database,kerberos,etc}). Every host on 
the network will have pf enabled, only allowing services to specified 
hosts. I will also be setting up nagios and snort to keep the network in 
check and watch for illegal communications between servers.


I've done a lot of network and DMZ design research over the last 3 days. 
I've looked at hundreds of websites and newsgroup postings and read the 
following titles:


Building DMZs for Enterprise Networks 
http://www.amazon.com/Building-Enterprise-Networks-Robert-Shimonski/dp/1931836884/ref=sr_1_6?ie=UTF8s=booksqid=1195677170sr=1-6
Designing and Building Enterprise DMZs 
http://www.amazon.com/Designing-Building-Enterprise-DMZs-Flynn/dp/1597491004/ref=sr_1_8?ie=UTF8s=booksqid=1195677170sr=1-8
Designing Large Scale LANs 
http://www.amazon.com/Designing-Large-Scale-Kevin-Dooley/dp/0596001509/ref=sr_1_11?ie=UTF8s=booksqid=1195677281sr=1-11


I've also built highly segmented networks and find them difficult to 
manage and they have highly complex traffic flows and firewall rule 
sets. And I don't believe they offer much more security because many 
attacks are taking place at the application level and on the inside 
carried out by compromised hosts. I think every server should be 
hardened and monitored and trust no one.


In all my research, I like best this article about MIT's security 
architecture:

http://www.computerworld.com/securitytopics/security/story/0,10801,100021,00.html



Re: OpenBGPD selecting wrong nexthop over openvpn tunnel

2007-11-21 Thread Henning Brauer
* Casey Ransom [EMAIL PROTECTED] [2007-11-21 17:57]:
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
> inet 10.8.1.248 --> 10.8.1.2 netmask 0x
> Opened by PID 49178
>
> gw0# bgpctl sho ip bgp | grep 10.3.116.33/32
>   10.3.116.33/32  10.8.1.2   100 0 64820 65502 64830 
> 64910 i
> gw0# netstat -nrf inet | grep 10.3.116.33/32
> 10.3.116.33/32 10.8.1.248 UG1 00 fxp0.1
>
> It's baffling me as bgpd is reporting the nexthop as 10.8.1.2, but is 
> actually installing 10.8.1.248, which makes no sense to me.

that is exit nexthop vs true nexthop.
what does route -n get 10.8.1.2 show?
I suspect there's a bug with tun not setting the ifindex in the routing 
message (*sigh*, another one)

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: WiFi parameters

2007-11-21 Thread Damien Bergamini
| I'm currently looking for a way to configure fragmentation
| thresholds and beacon intervals on a Ralink-based WiFi card on
| OpenBSD 4.2, configured as an AP.

Frames fragmentation is not supported by OpenBSD, both in the TX
and RX paths.  This is a limitation of the ieee80211(9) layer (for
the RX path) as well as a limitation of the drivers (for the TX path.)
An OpenBSD AP can't talk to stations using fragmented frames.

You can't configure the beacon interval too, basically because there's
no such option in ifconfig and an ioctl in ieee80211(9) is missing.
It wouldn't be too hard to implement though.

Damien



Re: PE1950

2007-11-21 Thread Marco Peereboom
This machine works fine with 4.2.

PERC6 does not work yet with our mfi driver but I am also pretty sure
those aren't really available yet.

On Wed, Nov 21, 2007 at 09:55:54AM -0800, Stanislav Ovcharenko wrote:
> Hello,
>
> I'm planning on running OpenBSD 4.2 on Dell Power Edge 1950.
>
> Question 1: How stable is it on x64 platform? I mean native 64 bit code. I 
> assume that x86 code will run just fine ...
> Question 2: Does anyone know if PERC 6 RAID controller is supported. The 
> hardware list says that it will work with PERC 5 and I'm wondering if the 
> same driver will detect and support the chipset on PERC 6 controller.
>
> Any feedback would be appreciated.
>
> Regards, Stas.



Re: 5.1 sound card recommendation

2007-11-21 Thread J.C. Roberts
On Wednesday 21 November 2007, Nickolay A. Burkov wrote:
> Hello everyone!
>
> Does somebody have success with 5.1 sound?
> If so, please recommend PCI Sound Card to work with OpenBSD
> 4.2(-CURRENT).
>
> I have MARC'ed a bit but similar messages were  1 year ago.
> I'd like to think that something has changed..
>
> Thank you for your time.

For some strange reason I recall reading about some work being done on 
the Sound Blaster Audigy cards. Many of those cards are 5.1, 6.1 or 
7.1 surround sound.

A quick search on openbsd audigy shows we've had support since 3.9 but 
I'm not sure if this includes the surround sound features, or if it's 
just two channel?

kind regards,
JCR



Re: OpenBGPD selecting wrong nexthop over openvpn tunnel

2007-11-21 Thread Casey Ransom

On Nov 21, 2007, at 3:30 PM, Henning Brauer wrote:

what does route -n get 10.8.1.2 show?
I suspect there's a bug with tun not setting the ifindex in the routing
message (*sigh*, another one)


gw0# route -n get 10.8.1.2
   route to: 10.8.1.2
destination: 10.8.1.2
  interface: tun0
  flags: UP,HOST,DONE
 recvpipe  sendpipe  ssthresh  rtt,msecrttvar  hopcount   
mtu expire
   0 0 0 0 0 0   
1500 0



-casey



Re: spamdb output

2007-11-21 Thread RW
On Mon, 19 Nov 2007 14:47:37 -0700, Bob Beck wrote:

 RW [EMAIL PROTECTED] [2007-11-11 22:39]:

 It seems that the migrated database works but new entries go on the end
 - no SORT of order, and SPAMTRAP entries (that I entered using a
 script) ended up showing in two bunches in the midst of other unordered
 entries.
 
 My question is: Is this normal with spamd a la 4.2 or is it because I
 migrated a database?

   This is normal in 4.2 - the change happened post 4.0 when
spamdb stopped using DB_BTREE

Thanks Bob. I'm already using a script to sort the list to emulate the
previous behaviour but at least I know I'll have to keep a copy for any
future wipe and re-install upgrade.

Looking at today's output showed me another puzzle which you will
probably shoot down, but here goes.

Here is one line from
spamdb:
GREY|69.28.223.134|mta5br.cmpgnr.com|gotb1103621_1102728_683443_1138134
[EMAIL PROTECTED]
|[EMAIL PROTECTED]|1195673789|1195675648|1195688189|2|0
but here is a line from my spamlog:
Nov 22 07:08:14 mail spamd[28826]: whitelisting 69.28.223.134 in
/var/db/spamd

Why does the spamdb output show GREY instead of WHITE three hours
later? It does show the 2 knocks which date -r will show were more than
a half hour apart and so the whitelisting should have happened.

Colour me puzzled.

BTW the envelope recipient address shown is a spamtrap and is my only
edit of the output.

Thanks again for spamd. I absolutely love it. I have never known of it
causing loss of genuine mail and also grepping the mail log daily for
reject has only shown two emails in the last six months being blocked
by zen.spamhaus having passed spamd. Both were really spammers anyway
so spamd has an extremely good batting average.

Two domains hosted on that box and zero customer complaints = mail
admin happiness.

In the beginning was The Word
and The Word was Content-type: text/plain
The Word of Rod.



Re: Compromising a host with pf enabled?

2007-11-21 Thread Daniel Ouellet

Clint Pachl wrote:
I've done a lot of network and DMZ design research over the last 3 days. 
I've looked at hundreds of websites and newsgroup postings and read the 
following titles:


The best security setups are the simplest ones, where you can look at your 
pf configuration and understand each line very well, as can any 
other admin that may need to play with it. That's how you avoid mistakes.


I am not a fan of multiple DMZs by any means, especially when traffic needs 
to go across these different DMZs. Every time someone does that, over 
time, you end up having holes in it as it's getting complicated, and 
sometimes an admin will take a shortcut because of an issue that craps up 
one day, fix it dirty and quickly and never go back to look at it, and then 
your DMZ ends up as Swiss cheese before you know it.


My own preferred setup is your firewall at the edge of your network 
facing the Internet obviously, one DMZ and the LAN.


Then each server that runs services in the DMZ, in my case anyway there 
is only one service per server, and that server runs OpenBSD and PF on 
each one. Couldn't be simpler, and when it is time to upgrade to the next 
release, that's pretty quick as well, as there isn't any excuse of (well 
guys, you don't understand, I can't upgrade, I need to still run 3.5 
because of this or that reason and my setup is too complicated, etc). 
Then you are always at the latest release, you follow the release and 
keep all your servers up to date, and because it's one service per 
server, it's pretty quick and painless to upgrade, etc.


Then each server, as I said, runs PF, but also in every setup, don't only 
block incoming traffic, do it right and block the outgoing one as well. 
Again, many will say it's too complicated to do, so they don't do it, 
but I would say that if that's too complicated to understand, then you 
have no clue what you are doing and sure don't understand your traffic 
and have no security policy either in that case.


Just a simple example to illustrate this. You wrote that you have a web 
server. I don't know, maybe you also run php on it. Let's say you have 
an intern that is in charge of the web server php upgrades for the 
summer. Let's say that he doesn't really write good code, but it does 
work, so everyone is happy, but there are plenty of holes created by not 
checking the values passed to the various scripts.


Then you have a bad guy going and trying to compromise your network via 
simple php injection of code, via one unchecked variable in your php 
code, and that obviously runs the script, and what that does is call a URL 
on another server on the net, then inject that on your box, and then you 
end up compromised. So, what was all your setup used for? Nothing, and it 
didn't protect you much.


But if your PF configuration on your web server only allows traffic 
coming from port 80 and going to others > 1023 as an example and 
actually blocks any traffic coming from you to any other device on port 
80, then you have blocked that compromise and you can see it in your logs.


You know your server only allows incoming on 80 and replies to these (DNS 
as well, etc., but you use your own server as well, so you secure that 
already the same way), then you make your setup secure and with proper 
setup and very simple to maintain as well.


The best security setup is to know what is supposed to come in and also 
what is supposed to go out and you allow only these.


Now if you do a simple setup with one service per box and on top of your 
mail firewall, you have PF on that box and every other DMZ server, you 
are going to have very peaceful nights and plenty of sleep!


Hope this helps, but if you sit back and just think about it, you will 
see that you don't need to read for days on end to find the best setup, 
or what works for you.


Instead of studying all the documents on the Internet about security 
setup, study your network, what it needs and what traffic is supposed 
to be on it, and make it so. You will learn a lot doing so, and even, 
as a side effect, if you also block outgoing traffic and you log all 
connections trying to go to port 25 that are not to your own servers, 
you will find all your compromised Windows workstations as well in the 
process, very quickly, etc. Or all the visitors to your network with 
their laptops who bring viruses with them, etc., and don't even know it.


Checking incoming traffic logs is important, yes, but other than blocking 
access to these bad guys, there isn't much you can do.


However, blocking outgoing traffic and also checking these logs is way 
more important, and then you are proactive in your security and will fix 
issues way before they create damage on your LAN.


My setup sends emails to the support team when these happen, so I tell 
you that it doesn't take long after a visitor plugs his/her laptop with 
a virus into the LAN before it gets detected, and then gets his/her head 
beat up for not being responsible, and the issue is taken care of very 
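
The outbound-log check described in this message (blocked connections to port 25 that are not headed to your own mail servers), sketched as an added example that is not part of the original post. The LAN range, the mail server address and the sample lines are constructed, and the line layout is assumed to be what `tcpdump -n -e -ttt -r /var/log/pflog` prints.

```python
import ipaddress
import re
from collections import Counter

# Assumptions for this example: the LAN range and the site's own mail server.
LAN = ipaddress.ip_network("192.168.1.0/24")
OWN_MAIL_SERVERS = {"192.0.2.25"}

# Assumed line layout of `tcpdump -n -e -ttt -r /var/log/pflog`:
#   <time> rule N/(match) block in on IF: SRC.SPORT > DST.DPORT: ...
PFLOG_RE = re.compile(
    r"rule \S+ (?P<action>block|pass) (?:in|out) on \S+: "
    r"(?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

# Constructed sample lines, not taken from a real log.
SAMPLE = """\
Nov 21 10:15:02.104233 rule 7/(match) block in on em1: 192.168.1.23.1045 > 203.0.113.9.25: S 311:311(0) win 16384 (DF)
Nov 21 10:15:03.220114 rule 7/(match) block in on em1: 192.168.1.23.1046 > 198.51.100.77.25: S 912:912(0) win 16384 (DF)
Nov 21 10:15:09.000871 rule 3/(match) pass in on em1: 192.168.1.40.2211 > 192.0.2.25.25: S 55:55(0) win 16384 (DF)
Nov 21 10:16:41.518020 rule 7/(match) block in on em1: 192.168.1.57.3377 > 203.0.113.9.25: S 77:77(0) win 65535
Nov 21 10:17:00.000000 rule 2/(match) block in on em0: 203.0.113.200.4000 > 192.0.2.80.25: S 1:1(0) win 512
""".splitlines()


def rogue_smtp_sources(lines, lan=LAN, own_servers=OWN_MAIL_SERVERS):
    """Count blocked SMTP attempts per LAN host toward foreign mail servers."""
    hits = Counter()
    for line in lines:
        m = PFLOG_RE.search(line)
        if not m or m["action"] != "block" or m["dport"] != "25":
            continue
        if ipaddress.ip_address(m["src"]) not in lan:
            continue  # not one of our workstations (e.g. inbound probes)
        if m["dst"] in own_servers:
            continue  # the legitimate relay path
        hits[m["src"]] += 1
    return hits


if __name__ == "__main__":
    for host, n in rogue_smtp_sources(SAMPLE).most_common():
        print(f"{host}: {n} blocked SMTP attempts to foreign servers")
```

The per-host counts are what would feed the e-mail alert the message mentions; any LAN address that shows up here is a machine to inspect.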

Surprise of the week - bonus gift MP3

2007-11-21 Thread Top Shop
Play and win...MP3

Top Shop

How to get the bonus prize? Invite friends!

Trancend MP3 Player 1GB

The participant who collects the most friendship points, that is, who
invites the most friends by November 27, receives an MP3 player as a
bonus gift for friendship.

It is time to tally the results again and move on... By answering
question 4 you win new points.

Your current number of points is: 0

...answer the question, win another 40 points and increase your chances
of receiving valuable gifts!

The phone number displayed on the site www.e-topshop.tv is:

021 678 34 50

By clicking one of the answers, you directly enter the prize game.
To learn more about winning additional points and the rules of the game,
click here.

021 489 26 60

021 439 99 21

And don't forget the additional points and the chance to get an MP3
player! Keep inviting friends, because in the end the participants with
the most points win!

And that's not all!

1. You can get a bonus 10% discount on specially selected products

2. Every participant receives a gift e-book: Love, Health and a Few
Other Things.

1st prize:
SAMSUNG LCD TV

2nd prize:
SONY digital camera

3rd prize:
Walkman mobile phone

Lcd Tv

Sony Cam

Sony mobile

You are receiving this e-mail because you voluntarily left your e-mail
address on one of Top Shop's sites or subscribed to the e-magazine of
Top Shop or one of our brands.

If you no longer wish to receive our e-mail messages, to unsubscribe
from our mailing list, click here and leave your details.

Studio Moderna d.o.o., Laze Nancica 50, 21000 Novi Sad, Tel: 021 489 26
60, Fax: 021 489 26 08, E-mail: [EMAIL PROTECTED]




Re: Site-to-site IPSec VPN between OpenBSD and Cisco PIX 515E

2007-11-21 Thread Shohrukh Shoyoqubov

From which machine do I have to do ping -I A.B.C.D  E.F.G.H


pf has default config and allows everything

forwarding is enabled

Christoph Leser wrote:

you could try

ping -I A.B.C.D  E.F.G.H

if this does not work, it might be the packet filter ( pf )

check this with tcpdump -lnevv -i pflog0

regards
christoph

  

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of
Shohrukh Shoyoqubov
Sent: Wednesday, 21 November 2007 18:08
To: misc@openbsd.org
Subject: Site-to-site IPSec VPN between OpenBSD and Cisco PIX 515E


Hello! I am having troubles with setting up site-to-site IPSec VPN tunnel
between OpenBSD and Cisco PIX 515E. I have the following configuration

[ A.B.C.B ] - [ OpenBSD 4.1 (M.N.O.P) ] -- Internet -- [ (I.J.K.L) Cisco PIX 515E ] - [ E.F.G.H ]

# cat /etc/ipsec.conf
ike esp from A.B.C.D to E.F.G.H peer I.J.K.L main auth hmac-sha1 enc 3des group modp1024 quick auth hmac-sha1 enc 3des group none psk *secret*

# ipsecctl -s all
FLOWS:
flow esp in from E.F.G.H to A.B.C.B peer I.J.K.L srcid M.N.O.P/32 dstid I.J.K.L/32 type use
flow esp out from A.B.C.B to E.F.G.H peer I.J.K.L srcid M.N.O.P/32 dstid I.J.K.L/32 type require

SAD:
esp tunnel from M.N.O.P to I.J.K.L spi 0x73b8da7c auth hmac-sha1 enc 3des-cbc
esp tunnel from I.J.K.L to M.N.O.P spi 0xbd5af3e7 auth hmac-sha1 enc 3des-cbc
#

With this configuration I cannot ping E.F.G.H from A.B.C.B and vice-versa.

Both of these hosts have routes to each others through corresponding
gateways (OpenBSD and Cisco). What am I missing?

Thanks,
Shohrukh




Re: Site-to-site IPSec VPN between OpenBSD and Cisco PIX 515E

2007-11-21 Thread Brian A. Seklecki

On Thu, 22 Nov 2007, Shohrukh Shoyoqubov wrote:


Date: Thu, 22 Nov 2007 09:46:54 +0500
From: Shohrukh Shoyoqubov [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Re: Site-to-site IPSec VPN between OpenBSD and Cisco PIX 515E

From which machine do I have to do ping -I A.B.C.D  E.F.G.H

pf has default config and allows everything

forwarding is enabled


What does netstat -rn -f encap look like?

~bas



Christoph Leser wrote:

you could try

ping -I A.B.C.D  E.F.G.H




xinetd support

2007-11-21 Thread badeguruji
is it supported on openbsd?

http://www.xinetd.org/

thank you.

BG


~~Kalyan-mastu~~



Re: Site-to-site IPSec VPN between OpenBSD and Cisco PIX 515E

2007-11-21 Thread Shohrukh Shoyoqubov

# netstat -rn -f encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
E.F.G.H/32         0     A.B.C.B/32         0     0      I.J.K.L/esp/use/in
A.B.C.B/32         0     E.F.G.H/32         0     0      I.J.K.L/esp/require/out

#


Brian A. Seklecki wrote:

On Thu, 22 Nov 2007, Shohrukh Shoyoqubov wrote:


Date: Thu, 22 Nov 2007 09:46:54 +0500
From: Shohrukh Shoyoqubov [EMAIL PROTECTED]
To: misc@openbsd.org
Subject: Re: Site-to-site IPSec VPN between OpenBSD and Cisco PIX 515E

From which machine do I have to do ping -I A.B.C.D  E.F.G.H

pf has default config and allows everything

forwarding is enabled


What does netstat -rn -f encap look like?

~bas



Christoph Leser wrote:

you could try

ping -I A.B.C.D  E.F.G.H




Re: xinetd support

2007-11-21 Thread STeve Andre'
On Thursday 22 November 2007 01:00:03 badeguruji wrote:
 is it supported on openbsd?

 http://www.xinetd.org/

 thank you.

 BG

It compiled ok.  I'm too tired to test it but there is a comment that
it worked on bsdi and sunos, so I wouldn't be too surprised if it works,
but why don't you try it?

--STeve Andre'



Re: 5.1 sound card recommendation

2007-11-21 Thread Alexandre Ratchov
On Wed, Nov 21, 2007 at 01:12:38PM -0800, J.C. Roberts wrote:
 On Wednesday 21 November 2007, Nickolay A. Burkov wrote:
  Hello everyone!
 
  Does anybody have success with 5.1 sound?
  If so, please recommend a PCI sound card to work with OpenBSD
  4.2(-CURRENT).
 
  I have MARC'ed a bit but similar messages were  1 year ago.
  I'd like to think that something has changed..
 
  Thank you for your time.
 
 For some strange reason I recall reading about some work being done on 
 the Sound Blaster Audigy cards. Many of those cards are 5.1, 6.1 or 
 7.1 surround sound.
 
 A quick search on openbsd audigy shows we've had support since 3.9 but 
 I'm not sure if this includes the surround sound features, or if it's 
 just two channel?
 

Older audigy cards based on EMU10K1 chips are supposed to work with
the emu(4) driver, it's still two channel. Newer cards based on
CA0106 will not work because there's no driver for the chip. The
last time I've asked creative for documentation they didn't reply;
since then, I've lost interest in these cards.

-- Alexandre



Re: Hoststated and stickiness based on cookie strings

2007-11-21 Thread Preston Norvell
On 2007/11/18 6:04 PM, Preston Norvell
[EMAIL PROTECTED] muttered eloquently:

snip 
 The first is a basic issue with load balancing.  No matter which algorithm
 we choose, initial traffic is extremely heavily weighted towards the system in
 the table with the highest id.  In point of experience so far, the only time
 more than one host is reliably used is when using the roundrobin type of
 load-balancing.  If 'loadbalance' or 'hash' is used, 99.9% of traffic ends
 up on a single host; some will end up on other hosts, sometimes momentarily
 though, and not what we've been able to see as deterministic.  The
 situation with 'loadbalance' we understand since our test system on the
 internet is essentially coming from essentially one address (though even in
 limited testing with a handful of additional requesting addresses, it
 appears that it works the same).
 
 With a test of traffic from our test host with roundrobin (50 separate,
 simultaneous single request/response sessions run for several seconds), 797
 of the requests ended up at the high id host and 628 across the remaining 7
 (89 or 90 for each).
  

We have discovered the issue with this unbalanced balancing.  The root cause
appears to be some invalid assumptions in the roundrobin code in the
relay_from_table function in relay.c.

If you look at the config (snipped here for space), you will notice that we
have 16 hosts in the appx table.  Hosts 9-16 are offline until further
notice, and it's their existence in the table that is causing the roundrobin
to be more of a half-moon robin.  If we remove them from the table, the
balancing returns to normal.

Here's the theory, borne out by experience and some snooping through the
code:

Basically when the requests start coming in, it tries #1 which is up and the
connection is sent there.  Then another connection comes in and it
roundrobins to #2 which is up so the connection is sent there, and so on and
so forth up to the 9th connection.  Then another connection comes in, it
roundrobins to #9 which isn't up so it chews through the table (in backwards
order?), and finds #8 up first so it sends it to #8.  Then the tenth
connection comes in, which it roundrobins to #10, which isn't up so it chews
through the table and finds #8 up first so it sends it to #8.  This happens
until it's gone through the remaining hosts in the table, then it resets to
the first item in the table, sends the next connection to #1, and the next
to #2, etc.  

Pardon me if I get the exact interpretation wrong, but I haven't done C
programming in a very long time.  The balancer logic for roundrobin iterates
through the hosts in the table by incrementing a tracking variable in the
relay's struct.  It then breaks, and hops to the while loop to check if the
host is up.  If it's not up it iterates through the rest of the hosts in the
table until it finds one or runs out of items in the table.  If it runs out
it decides to run through the entire table from the top.  In either of these
cases, I believe the connection is dispatched to the first item it finds,
rather than the next one it should go to according to the theory of
roundrobin.

This exactly matches the mathematical distribution of the sessions in our
logs.  In general the roundrobin seems to suffer with an assumption that a
large block of hosts wouldn't be down at one time.  This is an invalid
assumption (intentional or not) for a production environment where someone
may need to take down a substantial number of hosts at once for maintenance.
In addition, since the same logic is used for all three algorithms
(roundrobin, loadbalance, and hash), it explains why the non-roundrobin
modes were producing consistently incorrect balancing as well.  There is
some stickiness provided by the hash in these additional modes, but their
balancing seems to be similarly borked but in a more complicated fashion.

snip

Thoughts?

Thanks much,

;P mn

--
Preston M Norvell [EMAIL PROTECTED]
Systems/Network Administrator
Serials Solutions http://www.serialssolutions.com
Phone:  (866) SERIALS (737-4257) ext 1094
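
A small simulation of the behaviour this message describes, added here as an example; it is a model of the description above, not code from hoststated's relay.c. It assumes the backward scan the post guesses at, a 16-entry table with hosts 9-16 down, and 1425 connections (797 + 628 from the quoted test), and it sets that model beside a round-robin that advances over up hosts only.

```python
from collections import Counter

# Assumed table from the post: 16 hosts, #1-#8 up, #9-#16 down.
TABLE = [True] * 8 + [False] * 8
CONNECTIONS = 797 + 628  # total requests in the quoted roundrobin test


def observed_pick(up, cursor):
    """Model of the post: use slot `cursor` if it is up, otherwise scan
    backwards to the nearest up host (the post's guess at the scan order)."""
    n = len(up)
    for step in range(n):
        idx = (cursor - step) % n
        if up[idx]:
            return idx
    return None  # every host is down


def fair_pick(up, cursor):
    """Round-robin over up hosts only: scan forward from the cursor."""
    n = len(up)
    for step in range(n):
        idx = (cursor + step) % n
        if up[idx]:
            return idx
    return None


def simulate(up, connections, fair=False):
    """Return a Counter of 1-based host id -> connections received."""
    counts, cursor = Counter(), 0
    for _ in range(connections):
        idx = (fair_pick if fair else observed_pick)(up, cursor)
        if idx is None:
            break
        counts[idx + 1] += 1
        # The modelled behaviour steps the cursor through every table slot,
        # down hosts included; the fair variant resumes after the host used.
        cursor = (idx + 1 if fair else cursor + 1) % len(up)
    return counts


if __name__ == "__main__":
    print("modelled:", sorted(simulate(TABLE, CONNECTIONS).items()))
    print("fair:    ", sorted(simulate(TABLE, CONNECTIONS, fair=True).items()))
```

In the model each pass over the table gives hosts 1-7 one connection and host 8 nine, which is roughly the 9:1 skew reported above; the fair variant spreads the same load evenly over the eight up hosts.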



Re: IPoEoA on ueagle?

2007-11-21 Thread Damien Bergamini
| I am running 4.2-RELEASE and have recompiled the kernel to include the
| lines:
| 
| Option NATM
| ueagle* at usb?
| 
| My Sagem [EMAIL PROTECTED] 800 E2 is recognised by the kernel:
| 
| # dmesg | grep ueagle
| ueagle0 at uhub3 port 2
| ueagle0 detached
| ueagle0 at uhub3 port 2
| ueagle0: Analog Devices Eagle II, rev 1.00/50.0b, addr 2
| ueagle0: address: 00:60:4c:16:d1:60
| #
| 
| My ISP uses IPoEoA.
| I have done a bit of reading on ATM (although I am by no means an expert)
| and I would like to know if IPoEoA is supported in ueagle.

No.  ueagle supports plain IPoA (with or without LLC encap) and PPPoA only.
It's more a limitation of the OS (netatm stack) than a limitation of the
driver though.  Are you sure your ISP really uses IPoEoA?
It is the first time I see this.
Does your modem synchronize at least? (just run ifconfig ueagle0 up)

Damien