Re: OpenBSD Strage Problem

2008-03-17 Thread Peter_APIIT
A billion sorry to you. 

Let me explain my problem to you. 

I have OpenBSD 4.1 with two internal NICs, one wired and one wireless. 

My wireless suddenly cannot become an access point. Previously, it could be an
access point. I think OpenBSD cannot parse /etc/hostname.ral0 (Linksys
WLMP-54GS). 

I tried deleting and recreating the file, but still no luck. 

Before this incident, when I deleted the ral0 file and rebooted, I needed to
manually ifconfig an address onto the wireless interface; the second time it
would know how to parse the file and I did not need to run ifconfig again. 


The second problem is this: pinging OpenBSD from a client and pinging the
client from OpenBSD both work, but I cannot browse or ping my ISP's DNS server. 

Below is my DHCP.conf

// General ISP nameserver here
// authoritative; I temporarily uncommented it. 


// Wired
subnet 172.16.0.0.0 netmask 255.240.0.0
{
   
 options routers 172.16.10.1; 
}

// I use fixed address which is

 host 
{
  // statement here
} 
 
// Wireless 

subnet 192.168.0.0 netmask 255.255.0.0
{
options routers 192.168.5.1
}


// i use fixed address here for wireless MAC filtering

   host xxx 
{
   // hardware-ethernet 6454;
   // fixed address 192.168.5.10;
}

I tried turning off the firewall and running dhcpd -d to debug, but there is no
error message on stdout. 

My /etc/hostname.rl1 (Internal interface) 
inet 172.168.10.1 255.240.0.0 NONE

/etc/hostname.ral0 : 
inet 192.168.5.1 255.255.0.0 NONE and some other options to become as access
point. 

I checked dmesg and my wireless card is detected by OpenBSD.

I turned off other services such as portsentry. 

After setting up this router, I will contribute back to OpenBSD by setting up a
Tor relay so that others benefit. 

If you need further information, please do not hesitate to request here. 

A billion thanks for your help. 
I truly need your help.
-- 
View this message in context: 
http://www.nabble.com/OpenBSD-Strage-Problem-tp16062121p16089381.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: OpenBSD Strage Problem

2008-03-17 Thread Peter N. M. Hansteen
Peter_APIIT [EMAIL PROTECTED] writes:

> My wireless suddenly cannot become an access point. Previously, it could be an
> access point. 

just to eliminate the obvious: you have checked that packet forwarding
is enabled?

as in

$ sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

and checking the relevant lines in your sysctl.conf.

It is odd if it stopped working, though.  Could the problem be at the
client side? Are you able to connect to other wireless networks using
the same client machines?

<plug type="shameless">
Other than that, you may or may not find the wireless parts of
http://home.nuug.no/~peter/pf/ useful (my pf tutorial, with a few
other bits thrown in, you may want to head straight for
http://home.nuug.no/~peter/pf/en/wireless.simple.html or
http://home.nuug.no/~peter/pf/en/wireless.simple.setup.html, or even 
buy the tutorial's book descendant
</plug>

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: gettimeofday() dramatical slowdown from 4.1-4.2

2008-03-17 Thread Artur Grabowski
Most likely (although you haven't provided any information, so we
can't be sure), your machine is using the 8254 time counter.

Earlier it would have been using TSC for timekeeping, but TSC is so
unreliable on so many machines and it's more or less impossible to
know when it can be trusted, so TSC is not used anymore.

In reality, what matters is that the timecounters are MP safe and
support a wider range of hardware. The code might be slower. Or might be
faster when you have the right hardware.

//art



Re: The REAL reason we use OpenBSD

2008-03-17 Thread Amarendra Godbole
On Sun, Mar 16, 2008 at 4:41 AM, Paul de Weerd [EMAIL PROTECTED] wrote:
[...]
> Placing correctness before features is such a fundamentally different
> approach to what (most) other projects do, with such obvious results,
> I'm amazed OpenBSD is still the only one doing it.
[...]

I add two more: simplicity and intuitiveness. Simplicity because
things are laid out really well, and are easy to grasp/understand. For
example, the netstart script, the rc.local script, the rc.shutdown script, and
I can just go on. Try checking the rc.* stuff on Linux, and the
simplicity thing distinctly stands out. And intuitiveness follows
because of this simplicity. :-) Thanks.

-Amarendra



amd64 X cursor disappear

2008-03-17 Thread Antoine Jacoutot

Hi.

I began to play with amd64 and I'm running into a weird issue.
This is under:
OpenBSD 4.3 (GENERIC) #1367: Mon Mar 10 14:28:13 MDT 2008

The first time I `startx` from the console, everything works fine.
Then, if I quit my X session and try to `startx` again, I 
lose my mouse cursor. Note that the cursor is still there, it is just 
invisible!
I tried playing with different xorg.conf configurations, as well as 
the HWCursor option, without success.


Some info here (bug me if you need more):

Xorg.0.log -- http://www.bsdfrog.org/tmp/Xorg.0.log

xorg.conf -- http://www.bsdfrog.org/tmp/xorg.conf

dmesg -- http://www.bsdfrog.org/tmp/dmesg

diff between working and non-working logs --
http://www.bsdfrog.org/tmp/Xorg.diff

Cheers!

--
Antoine



Re: amd64 X cursor disappear

2008-03-17 Thread Denise H. G.
Antoine Jacoutot [EMAIL PROTECTED] writes:

> Hi.
>
> I began to play with amd64 and I'm running into a weird issue.
> This is under:
> OpenBSD 4.3 (GENERIC) #1367: Mon Mar 10 14:28:13 MDT 2008
>
> The first time I `startx` from the console, everything works fine.
> Then, if I quit my X session and try to `startx` again, I
> lose my mouse cursor. Note that the cursor is still there, it is just
> invisible!
> I tried playing with different xorg.conf configurations, as well as the
> HWCursor option, without success.

You may try changing the mouse protocol from wsmouse to
auto; for PS/2 mice this might work. Anyway, I don't guarantee this
would work. It seems this is a bug in the nv driver. While shifting
between virtual ttys, the display driver should store/restore
everything, including the mouse cursor.

If that doesn't work, you may disable the hardware cursor and XAA
acceleration. This may be the last resort, I think.


> Some info here (bug me if you need more):
>
> Xorg.0.log -- http://www.bsdfrog.org/tmp/Xorg.0.log
>
> xorg.conf -- http://www.bsdfrog.org/tmp/xorg.conf
>
> dmesg -- http://www.bsdfrog.org/tmp/dmesg
>
> diff between working and non-working logs --
> http://www.bsdfrog.org/tmp/Xorg.diff
>
> Cheers!

-- 
Denise H. G. darcsis AT gmail DOT com



Re: amd64 X cursor disappear

2008-03-17 Thread Valery Masiutsin
Hello, Antoine !

Option "HWCursor" "off"

Usually adding this option to the Driver section helps, otherwise ...
I've had this problem a number of times myself, on OpenBSD and on Linux too.

Regards Valery.



Re: amd64 X cursor disappear

2008-03-17 Thread Antoine Jacoutot

On Mon, 17 Mar 2008, Valery Masiutsin wrote:

> Option "HWCursor" "off"


Did you read my original post?

--
Antoine



Re: gettimeofday() dramatical slowdown from 4.1-4.2

2008-03-17 Thread Stuart Henderson
On 2008-03-17, Artur Grabowski [EMAIL PROTECTED] wrote:
> Most likely (although you haven't provided any information, so we
> can't be sure), your machine is using the 8254 time counter.

The 8s on the core2duo machine seems a bit slow since slower machines
using 8254 take around 3.5s for the same test. It would be interesting
to know which counter is actually used on that machine, maybe some
newer ICH doesn't work as quickly with ichpm(4) as the older ones
and changing to 8254 may actually be faster.



include files in pf.conf

2008-03-17 Thread Arjen Van Drie
Hi,


searching on the Internet gave me no clear answer: is there a way to
include other config files in pf.conf, like


# /etc/pf.conf


Include /etc/pf.interfaces

Include /etc/pf.natrules


etc...


I expect to have many rules, so I'd like to split them across multiple
files.


Thanks,

Arjen



Re: include files in pf.conf

2008-03-17 Thread Peter N. M. Hansteen
Arjen Van Drie [EMAIL PROTECTED] writes:

> searching on the Internet gave me no clear answer: is there a way to
> include other config files in pf.conf, like

you can load anchors from separate files, see pf.conf(5) 

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: include files in pf.conf

2008-03-17 Thread Stuart Henderson
On 2008-03-17, Arjen Van Drie [EMAIL PROTECTED] wrote:
> searching on the Internet gave me no clear answer: is there a way to
> include other config files in pf.conf, like

Support has been added for 4.3.



Re: include files in pf.conf

2008-03-17 Thread Reyk Floeter
On Mon, Mar 17, 2008 at 01:31:47PM +0100, Arjen Van Drie wrote:
> Hi,
>
>
> searching on the Internet gave me no clear answer: is there a way to
> include other config files in pf.conf, like
>
>

the internet is for... anyway, sometimes the manpage gives a good
answer, just look at pf.conf(5):

---snip---
 Additional configuration files can be included with the include keyword,
 for example:

   include "/etc/pf/sub.filter.conf"
---snap---

of course, you can also search the internet via
http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf

> # /etc/pf.conf
>
>
> Include /etc/pf.interfaces
>
> Include /etc/pf.natrules
>

use lowercase letters and quotes...

include "/etc/pf.interfaces"

 
> etc...
>
>
> I expect to have many rules, so I'd like to split them across multiple
> files.
>
>
> Thanks,
>
> Arjen
>

reyk



Re: include files in pf.conf

2008-03-17 Thread Arjen Van Drie
Reyk Floeter wrote:

> On Mon, Mar 17, 2008 at 01:31:47PM +0100, Arjen Van Drie wrote:
>
> > Hi,
> >
> >
> > searching on the Internet gave me no clear answer: is there a way to
> > include other config files in pf.conf, like
> >
> >
>
> the internet is for... anyway, sometimes the manpage gives a good
> answer, just look at pf.conf(5):
>
The manpage was the first place I looked (so obvious I didn't even
mention it): in mine (OpenBSD 4.2) is no such text. I think that Stuart
Henderson gave me the correct answer by stating that support for include
directives is in 4.3.

Thanks,

Arjen.



obsd 3.4 port of mysql may have error9 issue again...

2008-03-17 Thread Paul Pruett

just a heads up, for mysql
on new openbsd 3.4 just did the make build for src with OPENBSD_3_4 Tag 
and mysql port from anoncvs today because I was 
starting to see the infamous errorcode 9 with the beta port of mysql

If I run mysqlcheck -A  against a lot of databases...
about the last database it comes back errors...

Error: File './*_drupal/vocabulary_node_types.MYD' not found 
(Errcode: 9)

Error: Got error9 from storage engine
error: Corrupt


If I run mysqlcheck only against the database(s) shown with errors
then it is okay.  If I keep doing it I lock up mysql and have to kill
it...

So I checked ports and saw mysql-server-5.0.51a and replaced 5.0.51
but unfortunately,
still seeing it after updating package to

yes I am starting mysql with a file limit


It could be just a configuration issue on my side,
but I recommend others look into looking at mysql port
on 3.4 to see if they get the tmp 9 error when doing database
optimizations and tests...

btw,
per some suggestions on http://www.openbsdsupport.org/mysql.htm
here is how I am starting mysql in my /etc/rc.mysql

su -c _mysql root -c '/usr/local/bin/mysqld_safe --open-files-limit=2048 --log-slow-queries' > /dev/null & echo -n ' mysql'



and I setup the mysql in login.conf and changed /etc/sysctl.conf



Possible bug in pthreads

2008-03-17 Thread Andreas Bihlmaier
Hello misc@,

doing some C programming with threads (yeah *ugh*), I discovered a
strange issue.

There seems to be some problem using static mutexes (a mutex not
created by pthread_mutex_init()).

Here is some test code which works very well on linux, but gives:
-- (ID:2238337024)
First
mutex_prob: thread1: pthread_mutex_unlock() (0): Undefined error: 0

on OpenBSD.

The output should look like:
-- (ID:somenumber)
First
Second
Thread somenumber2 done
Thread somenumber3 done
-- (ID:somenumber)

the mutex is locked by the main thread and only thread1 may print
without locking the mutex first, thus First will always be printed
first.

If this is not a bug, perhaps somebody can point out the API difference
between OpenBSD and Linux I missed.

Regards
ahb


Test code:
#include <err.h>
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* static mutex var */
static pthread_mutex_t fz_mutex = PTHREAD_MUTEX_INITIALIZER;

static void *
thread1(void *name)
{
    printf("First\n");

    /* free Mutex (it was locked by main, not by this thread) */
    if (pthread_mutex_unlock(&fz_mutex) != 0)
        err(1, "thread1: pthread_mutex_unlock() (%d)", errno);

    /* thread end */
    pthread_exit((void *)pthread_self());
}

static void *
thread2(void *name)
{
    /* lock Mutex */
    pthread_mutex_lock(&fz_mutex);

    printf("Second\n");

    /* free Mutex again */
    if (pthread_mutex_unlock(&fz_mutex) != 0)
        err(1, "thread2: pthread_mutex_unlock() (%d)", errno);

    /* thread end */
    pthread_exit((void *)pthread_self());
}

int
main(void)
{
    static pthread_t th1, th2;
    static void *ret1, *ret2;

    /* main thread */
    printf("\n-- (ID:%lu)\n", (unsigned long)pthread_self());

    /* lock mutex */
    pthread_mutex_lock(&fz_mutex);

    /* create threads */
    if (pthread_create(&th1, NULL, thread1, NULL) != 0)
        err(1, "pthread_create(th1)");
    if (pthread_create(&th2, NULL, thread2, NULL) != 0)
        err(1, "pthread_create(th2)");

    /* Wait for both threads to finish */
    pthread_join(th1, &ret1);
    pthread_join(th2, &ret2);

    printf("Thread %lu done\n", (unsigned long)th1);
    printf("Thread %lu done\n", (unsigned long)th2);

    printf("- (ID: %lu)\n", (unsigned long)pthread_self());

    return EXIT_SUCCESS;
}


Compile:
gcc -o foo foo.c -lpthread



Re: Possible bug in pthreads

2008-03-17 Thread Andreas Bihlmaier
On Mon, Mar 17, 2008 at 04:33:34PM +0100, Andreas Bihlmaier wrote:
> Hello misc@,
>
> doing some C programming with threads (yeah *ugh*), I discovered a
> strange issue.
>
> There seems to be some problem using static mutexes (a mutex not
> created by pthread_mutex_init()).
>
> Here is some test code which works very well on linux, but gives:
> -- (ID:2238337024)
> First
> mutex_prob: thread1: pthread_mutex_unlock() (0): Undefined error: 0
>
> on OpenBSD.
>
> The output should look like:
> -- (ID:somenumber)
> First
> Second
> Thread somenumber2 done
> Thread somenumber3 done
> -- (ID:somenumber)
>
> the mutex is locked by the main thread and only thread1 may print
> without locking the mutex first, thus First will always be printed
> first.
>
> If this is not a bug, perhaps somebody can point out the API difference
> between OpenBSD and Linux I missed.
>
> Regards
> ahb
>
>
> Test code:
Correct test code (on #openbsd oenoene just pointed out to me that errno
does not get set (doh!)):
#include <err.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* static mutex variable */
static pthread_mutex_t fz_mutex = PTHREAD_MUTEX_INITIALIZER;

static void *
thread1(void *name)
{
    int ret;

    printf("First\n");

    /* free Mutex (it was locked by main, not by this thread) */
    if ((ret = pthread_mutex_unlock(&fz_mutex)) != 0)
        errx(1, "thread1: pthread_mutex_unlock() (return: %d)", ret);

    /* thread end */
    pthread_exit((void *)pthread_self());
}

static void *
thread2(void *name)
{
    int ret;

    /* lock Mutex */
    pthread_mutex_lock(&fz_mutex);

    printf("Second\n");

    /* free Mutex again */
    if ((ret = pthread_mutex_unlock(&fz_mutex)) != 0)
        errx(1, "thread2: pthread_mutex_unlock() (return: %d)", ret);

    /* thread end */
    pthread_exit((void *)pthread_self());
}

int
main(void)
{
    static pthread_t th1, th2;
    static void *ret1, *ret2;

    /* main thread */
    printf("\n-- (ID:%lu)\n", (unsigned long)pthread_self());

    /* lock mutex */
    pthread_mutex_lock(&fz_mutex);

    /* create threads */
    if (pthread_create(&th1, NULL, thread1, NULL) != 0)
        err(1, "pthread_create(th1)");
    if (pthread_create(&th2, NULL, thread2, NULL) != 0)
        err(1, "pthread_create(th2)");

    /* Wait for both threads to finish */
    pthread_join(th1, &ret1);
    pthread_join(th2, &ret2);

    printf("Thread %lu done\n", (unsigned long)th1);
    printf("Thread %lu done\n", (unsigned long)th2);

    printf("- (ID: %lu)\n", (unsigned long)pthread_self());

    return EXIT_SUCCESS;
}



Re: Possible bug in pthreads

2008-03-17 Thread Andreas Bihlmaier
On Mon, Mar 17, 2008 at 04:42:57PM +0100, Andreas Bihlmaier wrote:
> On Mon, Mar 17, 2008 at 04:33:34PM +0100, Andreas Bihlmaier wrote:
> > Hello misc@,
> >
> > doing some C programming with threads (yeah *ugh*), I discovered a
> > strange issue.
> >

Okay replying to myself AGAIN since I found out where I was wrong:

snip from /usr/include/pthread.c
#define PTHREAD_MUTEX_DEFAULT   PTHREAD_MUTEX_ERRORCHECK

snip from linux man page (about using no error checking mutexes by
DEFAULT)
This is non-portable behavior...

Thanks to people at #openbsd for pointing me in the right direction.

Regards
ahb
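The thread's conclusion is that OpenBSD's PTHREAD_MUTEX_DEFAULT is PTHREAD_MUTEX_ERRORCHECK, so unlocking a mutex from a thread that never locked it fails, while glibc's default type silently allows it. The added example below is not from the thread: it requests the error-checking type explicitly so the failure is deterministic on every platform, reports what PTHREAD_MUTEX_DEFAULT resolves to locally, and shows the portable way to do the hand-off the test program wanted, a condition variable, so that each thread unlocks only what it locked. The functions default_mutex_type(), unlock_from_other_thread_errorcheck() and ordered_handoff() are names of my own, not part of any libc or OpenBSD API.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdint.h>
#include <string.h>

/* Which mutex type PTHREAD_MUTEX_DEFAULT resolves to on this platform:
 * ERRORCHECK on OpenBSD (per the thread above), NORMAL on glibc/musl. */
int default_mutex_type(void)
{
    pthread_mutexattr_t attr;
    int type = -1;
    pthread_mutexattr_init(&attr);
    pthread_mutexattr_gettype(&attr, &type);
    pthread_mutexattr_destroy(&attr);
    return type;
}

/* Same mistake as thread1 in the test program: this thread never locked
 * the mutex. The unlock() result is handed back as the thread's exit value. */
static void *unlock_foreign(void *arg)
{
    return (void *)(intptr_t)pthread_mutex_unlock(arg);
}

/* Lock an explicitly ERRORCHECK mutex here, let another thread try to
 * unlock it, and return that thread's result: EPERM on every platform,
 * which is what the OpenBSD default gave the test program above. */
int unlock_from_other_thread_errorcheck(void)
{
    pthread_mutex_t mtx;
    pthread_mutexattr_t attr;
    pthread_t t;
    void *rc;

    pthread_mutexattr_init(&attr);
    pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
    pthread_mutex_init(&mtx, &attr);
    pthread_mutexattr_destroy(&attr);

    pthread_mutex_lock(&mtx);
    pthread_create(&t, NULL, unlock_foreign, &mtx);
    pthread_join(t, &rc);
    pthread_mutex_unlock(&mtx);    /* still locked; the owner releases it */
    pthread_mutex_destroy(&mtx);
    return (int)(intptr_t)rc;
}

/* Portable hand-off: "First" must come before "Second", but no thread
 * ever unlocks a mutex owned by another. A condition variable carries
 * the signal the test program tried to send through the mutex itself. */
struct gate {
    pthread_mutex_t mtx;
    pthread_cond_t cv;
    int first_done;
    char order[32];        /* records the run order for checking */
};

static void *first(void *arg)
{
    struct gate *g = arg;
    pthread_mutex_lock(&g->mtx);
    strcat(g->order, "First ");
    g->first_done = 1;
    pthread_cond_signal(&g->cv);
    pthread_mutex_unlock(&g->mtx);
    return NULL;
}

static void *second(void *arg)
{
    struct gate *g = arg;
    pthread_mutex_lock(&g->mtx);
    while (!g->first_done)        /* sleeps until first() signals */
        pthread_cond_wait(&g->cv, &g->mtx);
    strcat(g->order, "Second");
    pthread_mutex_unlock(&g->mtx);
    return NULL;
}

/* Starts the waiter first, then the signaller, and returns the order in
 * which they ran; it is always "First Second". */
const char *ordered_handoff(void)
{
    static struct gate g;
    pthread_t t1, t2;

    pthread_mutex_init(&g.mtx, NULL);
    pthread_cond_init(&g.cv, NULL);
    g.first_done = 0;
    g.order[0] = '\0';
    pthread_create(&t2, NULL, second, &g);
    pthread_create(&t1, NULL, first, &g);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    pthread_cond_destroy(&g.cv);
    pthread_mutex_destroy(&g.mtx);
    return g.order;
}
```

Compile with the same `gcc -o foo foo.c -lpthread` line the thread uses; on a glibc system default_mutex_type() returns PTHREAD_MUTEX_NORMAL, on OpenBSD PTHREAD_MUTEX_ERRORCHECK, while the other two results are the same everywhere.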



Re: obsd 3.4 port of mysql may have error9 issue again...

2008-03-17 Thread Marc Espie
On Mon, Mar 17, 2008 at 02:50:01PM +, Paul Pruett wrote:
> just a heads up, for mysql
> on new openbsd 3.4 just did the make build for src with OPENBSD_3_4 Tag and 
> mysql port from anoncvs today because I was starting to see the infamous 
> errorcode 9 with the beta port of mysql
???

OpenBSD 4.3, you mean.

> If I run mysqlcheck -A  against a lot of databases...
> about the last database it comes back errors...
>
> Error: File './*_drupal/vocabulary_node_types.MYD' not found 
> (Errcode: 9)
> Error: Got error9 from storage engine
> error: Corrupt

No such issues there with OpenBSD 4.3.



Re: Samba(SMB) or Netatalk(AFP)?

2008-03-17 Thread Joachim Schipper
On Tue, Mar 11, 2008 at 01:01:45AM +1100, Sunnz wrote:
> Basically I want to set up a network share on my OpenBSD box which my
> Mac laptops and Linux laptops can access to.
>
> Smb (...) was a breeze to set up.
>
> I also tried out NFS in the past on OpenBSD. Got it to work but I
> don't really understand how it works. There aren't any form of
> authentication, just a list of IP that has access to it... which
> always seemed weird to me... that it uses whatever permission on the
> OpenBSD on the laptop, which doesn't really work out... like the group
> users can have a very different gid on Linux than on Mac. Maybe I am
> not using it correctly or understood how it is supposed to work?
>
> So now I am looking at AFP via Netatalk

SAMBA is indeed pretty good, so you could look into that.

I know you're not asking this (yet), but keep in mind that it's possible
to get OpenBSD to talk SMB, but it takes a little more work than just
invoking mount(8) with the proper options.

On the other hand, all those systems, and in fact any decent Unix, have
a very well-tested NFS client. And even Windows can be made to use NFS
with something like 'Services for UNIX'.

In short, connecting any random Unix system to NFS is a snap.

Basically, the same argument applies to AFP, but stronger - OpenBSD will
have some trouble, and clients are less well-tested than NFS clients.

In the end, though, both SMB and NFS are pretty good choices. But NFS is
more Unix-y.

If you need authentication, consider something simple like authpf(8).
(Which would have to turn off a default deny-type rule.)

If, on the other hand, you can do without even the little authentication
that NFS gives you, you can force all clients to use the same uid
(-mapall in exports(5)). This frees you from the hassle of keeping uids
and gids synchronized - and the cost may or may not be interesting.

Finally, consider net/unison. It's not a filesystem - more like a
two-way rsync - but can be tremendously useful if you want to keep some
files on multiple systems synchronized.

Joachim

-- 
TFMotD: env (1) - set and print environment



openbsd hosting services

2008-03-17 Thread John Nietzsche
Hello,

I am in need of hosting my web application on a third-party web hosting
service, but I have had no luck finding one.
My trivial needs are common: PHP, MySQL, web server, ASP with support for MySQL.

But I do need a shell server that supports building and compiling
programs in C with support for MySQL.
I need shell access to an OpenBSD system that supports cron and
allows me to code, compile and build ANSI C code that will handle
database work by connecting to a MySQL server.

Does anybody suggest anything?

Thanks in advance.



Re: internal virtual network with qemu

2008-03-17 Thread Joachim Schipper
On Tue, Mar 11, 2008 at 09:33:10AM -0700, Lord Sporkton wrote:
> I am running OpenBSD on OpenBSD with qemu(from pkg) all 4.2
>
> I am using the host OS for network services, ntp, dns, and router,
>
> I am using the guest OS's for client services, www, ftp, sql, etc.

Eh... are you aware that qemu without kqemu is very, very slow? And that
this list has a "virtualization does not enhance security" mantra?

Just checking. If you want to experiment with a real network without
having a large amount of hardware, what you're doing is actually a
pretty good way of going about it. Just don't try to *actually* run it
in production.

> My goal is to have all the guests on internal addresses and use the
> host to nat them to publics as needed, as well as the host providing
> ipsec tunnels to allow other locations to access the client services
> via internal address.
>
> My question is:
> Is it best to put my private gateway ip on the real ethernet interface
> or on a loopback or other interface on the host?

I'm not really sure what you mean. Most qemu setups I've seen connect to
the host OS via tunX, so there is not really a private gateway there.
You could NAT your real external interface into these tun devices.

Joachim

-- 
TFMotD: ul (1) - do underlining



Re: openbsd hosting services

2008-03-17 Thread Daniel Anderson
I suggest letting the OpenBSD donation page ( 
http://openbsd.org/donations.html ) be your first step in this process, since 
they've donated something to the project and it's always nice to reciprocate. 

Personally, I chose M5 Computer Security (U.S.-based) and have been very happy 
with the service.


On Monday 17 March 2008 11:14:28 am you wrote:
> Hello,
>
> I am in need of hosting my web application on a third-party web hosting
> service, but I have had no luck finding one.
> My trivial needs are common: PHP, MySQL, web server, ASP with support for
> MySQL.
>
> But I do need a shell server that supports building and compiling
> programs in C with support for MySQL.
> I need shell access to an OpenBSD system that supports cron and
> allows me to code, compile and build ANSI C code that will handle
> database work by connecting to a MySQL server.
>
> Does anybody suggest anything?
>
> Thanks in advance.



Re: openbsd hosting services

2008-03-17 Thread L. V. Lammert

At 03:14 PM 3/17/2008 -0300, John Nietzsche wrote:

> Hello,
>
> I am in need of hosting my web application on a third-party web hosting
> service, but I have had no luck finding one.
> My trivial needs are common: PHP, MySQL, web server, ASP with support for MySQL.


Why would you be asking a BSD list for Windoze hosting?

Lee



Re: what version/release for Thinkpad x61

2008-03-17 Thread arthur
I used to install 4.2-release, and then -snapshot (4.3), but long term I
think I will follow -current. However, lots of pages in faq recommend/talk
about install/update from iso/binary packages. Is there any doc/link on how
to run a -current obsd (with base plus some apps, and X)? Thanks.

Arthur
- Original Message - 
From: Michael [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: misc@openbsd.org
Sent: Saturday, March 15, 2008 9:54 AM
Subject: Re: what version/release for Thinkpad x61


> Hi,
>
> > What version or release should I choose?
> > 4.2 or 4.3 or latest snapshot?
>
> I am usually just following current... updating once in a while or
> directly after a security fix that affects me.
>
> Zoong PHAM wrote:
> > What is the status of (k)qemu in OpenBSD now?
>
> qemu works great, but kqemu doesn't always work, only on two of four
> systems here. Those who do not work are probably too new.
>
> kqemu works great on my Thinkpad X41 and a Dell Optiplex SX 270, but
> doesn't work on a Dell PE 2950 and some newer Optiplex at work.
>
>
> Michael



FYI: Discrepancy between pf FAQ and man pf.conf(5)

2008-03-17 Thread Dave Anderson
I've been working on the pf configuration for my home firewall, and
have reviewed a lot of documentation in the process.  I've noticed
that, when discussing queueing, the pf FAQ mentions only CBQ and PRIQ
while man pf.conf(5) also defines HFSC.

Dave

-- 
Dave Anderson
[EMAIL PROTECTED]



Re: FYI: Discrepancy between pf FAQ and man pf.conf(5)

2008-03-17 Thread Peter N. M. Hansteen
Dave Anderson [EMAIL PROTECTED] writes:

> that, when discussing queueing, the pf FAQ mentions only CBQ and PRIQ
> while man pf.conf(5) also defines HFSC.

It's probably a matter of coming up with an example configuration that
is simple enough to present well within the probable reader's
attention span and fits the document's format, corresponds reasonably well
to a situation a prospective reader would recognize, and with the
characteristics to demonstrate what makes HFSC stand out as the better
algorithm for that particular application, in an example that is
sophisticated enough to demonstrate a reasonably complete set of
significant parameters while keeping the reader focused on the
relative strengths of the algorithm rather than getting lost in
potentially confusing detail.

That just about sums up why writing up something along those lines is
still on my list of things to do, rather than written and published
already.  I will keep trying, the general task juggling allowing.

I realize this probably sounds terribly condescending, that's not what
I intended.  It's just that some subjects are in fact very hard to
write well.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Flexibility of pf rules created by ftp-proxy?

2008-03-17 Thread Dave Anderson
I've been working on the pf configuration for my home firewall,
including setting up ftp-proxy.  I've noticed that the command is
getting cluttered with options to adjust the rules it creates to the
needs of different pf configurations.  Has any thought been given to
allowing arbitrary nat, rdr and pass rules to be specified in a
configuration file (in the same syntax as for pf.conf) with macros
defined for the server, client and proxy addresses (as in the examples;
also, perhaps, a few other macros -- such as for the interfaces through
which the client and server are reachable)?

I'm not asking (let alone demanding) that anyone implement this, but
would like to know if it's been considered and rejected for some
reason, is on someone's to-do list, has never been thought about, or
whatever.  It seems to me to be a good way both to avoid needing more
and more options to tweak the generated rules and to avoid the delay
involved in modifying the program whenever someone comes up with a new
need.

Thanks in advance for any info,

Dave

-- 
Dave Anderson
[EMAIL PROTECTED]



Re: FYI: Discrepancy between pf FAQ and man pf.conf(5)

2008-03-17 Thread Dave Anderson
On Mon, 17 Mar 2008, Peter N. M. Hansteen wrote:

> Dave Anderson [EMAIL PROTECTED] writes:
>
> > that, when discussing queueing, the pf FAQ mentions only CBQ and PRIQ
> > while man pf.conf(5) also defines HFSC.
>
> It's probably a matter of coming up with an example configuration that
> is simple enough to present well within the probable reader's
> attention span and fits the document's format, corresponds reasonably well
> to a situation a prospective reader would recognize, and with the
> characteristics to demonstrate what makes HFSC stand out as the better
> algorithm for that particular application, in an example that is
> sophisticated enough to demonstrate a reasonably complete set of
> significant parameters while keeping the reader focused on the
> relative strengths of the algorithm rather than getting lost in
> potentially confusing detail.
>
> That just about sums up why writing up something along those lines is
> still on my list of things to do, rather than written and published
> already.  I will keep trying, the general task juggling allowing.

That's all true, and anyone who would depend on the FAQ without also
looking at the man pages is probably better off not trying to use HFSC.
It's just that my sense of the quality of OpenBSD documentation is
offended by the fact that HFSC isn't mentioned at all in text which
appears to discuss all of the options.

> I realize this probably sounds terribly condescending, that's not what
> I intended.  It's just that some subjects are in fact very hard to
> write well.

Not a problem.

Dave

-- 
Dave Anderson
[EMAIL PROTECTED]



A few questions for which I haven't found answers...

2008-03-17 Thread Dave Anderson
I've been working on the pf configuration for my home firewall (which
has a single static public IP address, hides half a dozen other systems
behind NAT, and is being upgraded to OpenBSD 4.2), and have come up with
some questions for which I can't find answers in the documentation.
(I've searched the mailing list archives and (re)read the 4.2 pf FAQ,
the 4.2 man pages for pf(4), bpf(4), ip(4), inet(3), netintro(4),
socket(2), route(4), connect(2), bind(2), ifconfig(8), ftp-proxy(8),
ftp(1), pf.conf(5) and the man page for the 4.2 package for ftpsesame.)


The pf FAQ states that for the 'urpf-failed' source the source IP
address of the packet is looked up in the routing table.  If the
outbound interface found in the routing table entry is the same as the
interface that the packet just came in on, then the uRPF check passes;
this is basically what I'd expect, but I haven't found confirmation of
it in any of the man pages.  [Also, what happens if the interface found
by the lookup is not a hardware interface?]

This should mean that this rule

block drop in log quick from urpf-failed to any

would make this rule

block drop in log quick from no-route to any

redundant, and would also eliminate the need for all 'antispoof' rules.
Are these inferences correct?


'ftp-proxy' will handle FTP connections to external servers from the
systems behind the firewall, but I don't see any way to make it also
handle connections from the firewall itself.  The best tool I've found
for that is 'ftpsesame' (in packages), despite the fact that it
apparently suffers from race conditions when setting up rules, but I
don't see any obvious way to configure it to only process the FTP
control connections which have not already been dealt with by ftp-proxy.
'ftpsesame' uses bpf (which apparently, but I haven't been able to
confirm this, sees inbound packets before pf does and sees outbound
packets after pf is finished with them) with, by default, a filter to
select only TCP packets directed to port 21.  Since tags and other
metadata added by pf are apparently not available to the bpf filter, I
don't see any way of distinguishing between control connections from
systems behind the firewall that are being handled via ftp-proxy and
those originating from the firewall itself.  If there's something I'm
missing, or if there's a better tool than ftpsesame to use, I'd love to
hear about it -- since I'd really like to make FTP 'just work'
everywhere.


I actually do have one idea about how to handle FTP, but it raises
another question for which I can't find an answer.  I have a second
static IP address available which I could add as an alias on the
external interface (I've been planning to use it that way as a secondary
MX for spamd) and direct ftp-proxy to use that alias as its source
address -- so that ftpsesame could select only those connections from
the main address.  But I'd need to control which of the two addresses
was used for each outbound connection since, while most of the resources
I use on the net don't care where a connection comes from, a few do.
This isn't a problem for anything behind the firewall (since nat / rdr /
binat rules specify the external address) and shouldn't be a problem for
incoming connections (since they will use the original destination
address as the source address for return traffic), but I can't find any
information about what source address is used by default on outgoing
connections when one or more aliases are present on the external
interface.  Is there some way of marking one of the addresses assigned
to an interface as preferred, so that programs needing a source address
for a new connection on an interface will use it unless told to do
otherwise?  I may be able to get by with just understanding which alias
will be chosen as the source address when a program uses INADDR_ANY, but
that doesn't seem to be documented either.  I need to know how this is
designed to work rather than just how it appears to work at the moment,
since a 'solution' which might change when I upgrade (or even just
reboot) is not acceptable.


Thanks in advance for either direct answers or pointers to relevant bits
of documentation that I've missed.

Dave

-- 
Dave Anderson
[EMAIL PROTECTED]
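
The source-address question in the post above is about which of several addresses on an interface the kernel picks for an outbound connection. The following is an added example, not code from the post or from OpenBSD, showing the two checks a program can make from its own side: ask the kernel which source it would choose for a given destination (connect() on a UDP socket sends nothing and only performs the route lookup that selects the local address), and pin the source explicitly by bind()ing to it before connect(), so the choice no longer depends on the default at all. The loopback listener and all addresses are constructed for an offline demonstration; a daemon such as a proxy that must always leave from one particular alias would bind to that alias in the same way. Whether the interface itself can be told to prefer one address is not something this example answers.

```python
import socket


def default_source_for(dst_host, dst_port=9):
    """Report the source address the kernel would choose for dst_host.
    connect() on a UDP socket sends nothing; it only runs the route lookup
    that selects the local address, so this probe has no side effects."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dst_host, dst_port))
        return s.getsockname()[0]


def connect_from(dst_host, dst_port, src_addr=None, timeout=5.0):
    """Open a TCP connection; if src_addr is given, bind() to it first so the
    connection leaves from that address regardless of the kernel default.
    bind() to an address not configured on any interface raises OSError
    (EADDRNOTAVAIL) instead of silently using a different one."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.settimeout(timeout)
        if src_addr is not None:
            s.bind((src_addr, 0))  # port 0: ephemeral port, fixed address
        s.connect((dst_host, dst_port))
    except OSError:
        s.close()
        raise
    return s


def source_address_used(dst_host, dst_port, src_addr=None):
    """Connect and return the address the connection actually left from."""
    with connect_from(dst_host, dst_port, src_addr) as s:
        return s.getsockname()[0]


def loopback_listener():
    """Constructed listener so the demonstration runs offline. A completed
    handshake sitting in the backlog is enough; nothing needs to accept()."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    return listener


if __name__ == "__main__":
    with loopback_listener() as listener:
        port = listener.getsockname()[1]
        print("kernel default :", default_source_for("127.0.0.1"))
        print("pinned by bind :", source_address_used("127.0.0.1", port, "127.0.0.1"))
        try:
            # 203.0.113.1 is a TEST-NET address, assumed not configured here
            source_address_used("127.0.0.1", port, "203.0.113.1")
        except OSError as e:
            print("bind to an absent address failed as expected, errno", e.errno)
```

On a box with two aliases on the external interface, calling default_source_for() with an Internet destination shows what the current kernel picks when nothing is bound; pinning with bind() is the part that survives upgrades and reboots, because it does not rely on that choice.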



Re: the death of the oldest OpenBSD system on the net...

2008-03-17 Thread Marcus Andree
I've just finished a small argument with some colleagues here at work.
They just couldn't believe a Pentium 133 was serving a hundred e-mail
accounts...

Even in death we can count on OpenBSD to show how things should
be done.

RIP.

On Sun, Mar 16, 2008 at 9:23 AM, Alexander Bochmann [EMAIL PROTECTED] wrote:
 ...was rather unspectacular: Hardware failure.

  The system's name was base, originally installed with
  OpenBSD 2.3 on Jun 12, 1998:

  -rw-r--r--  1 root  wheel  5 Jun 12  1998 etc/myname

  It ran the OpenBSD 2.3 kernel and most of the userland until
  it stopped responding about three weeks ago and couldn't be
  resurrected.

  Small hardware problems had happened before, as with most
  systems that have been running uninterrupted for nearly 10
  years, but this time I decided against getting it up again:
  Running modern software had gotten a real chore (never managed
  to backport OpenSSH, for example, so it still had the last
  version of the old ssh.com daemon (1.2.32?)).
  (Well, that, and the 2.3 GENERIC kernel reliably shot down
  the VMWare session I tried to get it running in.)

  Good old internet software like sendmail or bind never was
  a problem though, even in their most recent versions (which may
  or may not be a compliment, depending on your point of view).

  To my knowledge, the system never was hacked - despite running
  software like qpop 2.53 or really, really old versions of
  apache and php. (I sometimes found core files, but I guess
  the system was just too obscure to be a valid target for
  any type of automated attack.)

  base had lots of old stuff still lying around, like an emergency
  netboot environment for the sun3/160 that it had replaced as main
  server for infra.de back at the time, an Amanda client for my
  old employer's network backup system that's long gone, or the
  configuration for half a dozen UUCP feeds which have lost
  their peers ages ago.

  Gone are the days when 32MB RAM was a lot, a stripped down OpenBSD
  kernel had a whopping 1MB, and a handful of blacklists got rid
  of almost all of the spam.

  -rwxr-xr-x   1 root  wheel  1056157 Jul 31  2002 /bsd

  Alex.



Re: the death of the oldest OpenBSD system on the net...

2008-03-17 Thread Marc Balmer

Marcus Andree wrote:


I've just finished a small argument with some colleagues here at work.
They just couldn't believe a Pentium 133 was serving a hundred e-mail
accounts...


back in time (but not too long ago), I served 3000 email accounts for
a Swiss multinational insurance company on a P133 with 32MB RAM.

That is no big deal, however.  sendmail and any Unix like system
can handle that without problem.



Re: openbsd hosting services

2008-03-17 Thread John Nietzsche
Because shell access is supposed to be on openbsd.

On Mon, Mar 17, 2008 at 3:34 PM, L. V. Lammert [EMAIL PROTECTED] wrote:
 At 03:14 PM 3/17/2008 -0300, John Nietzsche wrote:
 Hello,
 
 I need to host my web application on a third-party web hosting
 service, but I have had no luck finding one.
 My trivial need is common: php, MySQL, web server, ASP with support for MySQL.

 Why would you be asking a BSD list for Windoze hosting?

 Lee



Re: the death of the oldest OpenBSD system on the net...

2008-03-17 Thread bofh
On Mon, Mar 17, 2008 at 4:34 PM, Marcus Andree [EMAIL PROTECTED]
wrote:

 I've just finished a small argument with some colleagues here at work.
 They just couldn't believe a Pentium 133 was serving a hundred e-mail
 accounts...


Did you not remind them the earliest UNIX systems had 64K of ram and were
serving 10s if not hundreds of users?



-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity. --
Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted. -- Gene Spafford
learn french: http://www.youtube.com/watch?v=j1G-3laJJP0feature=related



Re: the death of the oldest OpenBSD system on the net...

2008-03-17 Thread bofh
On Mon, Mar 17, 2008 at 4:56 PM, Marc Balmer [EMAIL PROTECTED] wrote:

 back in time (but not too long ago), I served 3000 email accounts for
 a Swiss multinational insurance company on a P133 with 32MB RAM.

 That is no big deal, however.  sendmail and any Unix like system
 can handle that without problem.


Until a few years back, all the emails for one of the most widely recognized
global brands went through 3 gateway servers (think 250k employees, and a
whole bunch of automatic notification emails) that were freebsd, sendmail,
and either dual ppro 200mhz or dual P2-400mhz.

softdep really helped them out :)





WPA hardware workaround, for what it's worth

2008-03-17 Thread Michael Dexter
Hello all,

For those who urgently need WPA-enabled wireless support on OpenBSD... The 
D-Link DWL-G730AP portable router is small, USB-powered and in Client mode 
can connect to a wireless network using WPA and provide an Ethernet LAN with 
DHCP.

Its top drawback is that the configuration interface requires a 
JavaScript-enabled browser. lynx in base cannot be used to configure it, but it 
will remember its configuration should you often have OpenBSD guests on a given 
network. They retail for about $52 US on up.

Michael.



Re: the death of the oldest OpenBSD system on the net...

2008-03-17 Thread raven

Marcus Andree ha scritto:

I've just finished a small argument with some colleagues here at work.
They just couldn't believe a Pentium 133 was serving a hundred e-mail
accounts...

Even in death we can count on OpenBSD to show how things should
be done.

RIP.
  
I still use a Pentium 166 with 64 MB with FreeBSD 5.2 that handles 400 
email accounts without problem :)


a pic of my beast http://raven.lilik.it/foto/im000785.jpg (it's an old pic)



Re: the death of the oldest OpenBSD system on the net...

2008-03-17 Thread L. V. Lammert

At 05:09 PM 3/17/2008 -0400, bofh wrote:

On Mon, Mar 17, 2008 at 4:34 PM, Marcus Andree [EMAIL PROTECTED]
wrote:

 I've just finished a small argument with some colleagues here at work.
 They just couldn't believe a Pentium 133 was serving a hundred e-mail
 accounts...


Did you not remind them the earliest UNIX systems had 64K of ram and were
serving 10s if not hundreds of users?


Indeed! Luckily, nobody had invented a GUI back then.

Lee



Re: WPA hardware workaround, for what it's worth

2008-03-17 Thread Steve B
FWIW - my employer uses a lot of Mikrotik stuff for various needs. I bought
one of their 532 boards along with an SR5 wireless card and just made a
simple wireless bridge to my OBSD box at home. Simple, effective, not cheap
but better quality than some of the residential grade crap on the market.
Accessible via SSH, web or an app called Winbox that runs just as well under
WINE as it does under native Windows. The command line has more options than
the GUI.



Re: openbsd hosting services

2008-03-17 Thread jmc
--- Daniel Anderson [Mon, Mar 17, 2008 at 11:29:59AM -0700]: --- 
 I suggest letting the OpenBSD donation page ( 
 http://openbsd.org/donations.html ) be your first step in this process, since 
 they've donated something to the project and it's always nice to reciprocate. 
 
 Personally, I chose M5 Computer Security (U.S.-based) and have been very 
 happy 
 with the service.

I can second the M5 recommendation. I am 100% satisfied.



Re: Flexibility of pf rules created by ftp-proxy?

2008-03-17 Thread Stuart Henderson
On 2008-03-17, Dave Anderson [EMAIL PROTECTED] wrote:
 I've been working on the pf configuration for my home firewall,
 including setting up ftp-proxy.  I've noticed that the command is
 getting cluttered with options to adjust the rules it creates to the
 needs of different pf configurations.

It would be better to turn this on its head, and handle these in
the anchor definition in pf.conf (i.e. define options which should
be applied to all rules under that anchor: log, tag, queue, label,
rtable, blah blah blah).

Doing this in ftp-proxy (/tftp-proxy/ftpsesame/pptp-proxy/wherever
else you might want it) would be an inefficient way of handling this
and annoying to keep everything in sync.



Opening VPN ports

2008-03-17 Thread Dave Beckstrom
Hi Everyone,

I have an OpenBSD 3.3 transparently bridged packet filtering firewall.  I
would like to enable a VPN connection through the firewall into a Win2K3
server that sits behind the firewall.  

I am finding conflicting information on what ports/protocol to open up.
Microsoft is saying protocol ID 47 and TCP port 1723 both inbound and
outbound.  If that's true, then something like the following should work:


pass in quick on ext_if proto 47 from any to any
pass out quick on ext_if proto 47 from any to any


pass in quick on ext_if proto tcp from any to any port 1723 keep state
pass out  quick on ext_if proto tcp from any to any port 1723 keep state

I had no luck with the above.  If I disable PF I can connect fine, so I
know for sure that the problem has to do with PF blocking my access.

To complicate matters, I've found other references to protocols 50 and 51 and
port 500.

I'm hoping that one of you who has this working can let me know what I need
to config in order to allow my VPN connection to pass through the firewall.

Thanks,

Dave



AMD Geode

2008-03-17 Thread Dimitri
Hello all.

My question is simple.

Does OpenBSD run on AMD Geode, specifically the Packard
Bell S18P?
thanks.


Dimitri.-
http://dimitri.homeunix.com/~dimitri/
OpenBSD - Free, Functional & Secure



Re: Opening VPN ports

2008-03-17 Thread Peter N. M. Hansteen
Dave Beckstrom [EMAIL PROTECTED] writes:

 I have an OpenBSD 3.3 transparently bridged packet filtering firewall.  I
 would like to enable a VPN connection through the firewall into a Win2K3
 server that sits behind the firewall.  

VPN could be a lot of things, but this sounds very much like the
Microsoft PPTP variety, and cut to the chase, it's one of those
protocols that's hard to do right.  There is work going on now that
might solve this soon (as in patches on tech@, may turn up in
snapshots soonish), but the only more or less working solution right
now is the frickin pptp proxy, at frickin.sourceforge.net.  Not much
loved by OpenBSD developers, but it's there.

Not really wanting to nag, but you may want to look into upgrading to
a more recent OpenBSD, hardly any recent software will be even tested
on 3.3 these days.

For the protocols and ports, it's almost always better (as in makes
your rule set more readable and maintainable) to grep for the numbers
in /etc/protocols and /etc/services files respectively. More likely
than not you can put what you find in your pf.conf -

 I am finding conflicting information on what ports/protocol to open up.
 Microsoft is saying protocol ID 47 and TCP port 1723 both inbound and
 outbound.  If that's true, then something like the following should work:

that would be 

proto gre and port pptp respectively

 To complicate matters, I've found other references to protocols 50 and 51 and
 port 500.

those would be proto esp, proto ah and port isakmp.  and yes,
you may need to go through contortions with others.  I would recommend
looking into other VPNs than the builtin Microsoft one, almost all
other options are easier to deal with.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
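
To make the translation Peter describes mechanical, here is an added example (not from the thread and not part of OpenBSD) that parses the /etc/protocols and /etc/services file formats (name, then number or port/proto, optional aliases, and a trailing # comment) and rewrites numeric pf rules like the ones in the original question into symbolic ones. The two file excerpts are constructed for offline use and cover only the entries discussed in the thread; on a real system pass the contents of the actual files instead. Services are keyed by port and protocol, so a 'port 500' is only resolved when the rule already names a single protocol; rules using a protocol list such as '{ tcp udp }' keep their numeric ports rather than guessing.

```python
import re

# Constructed excerpts in the format of /etc/protocols and /etc/services.
# They are not copies of any system's files and only cover the entries
# mentioned in the thread; feed the real files' contents in practice.
PROTOCOLS_SAMPLE = """\
# Internet (IP) protocols:  name  number  [aliases]  # comment
ip      0       IP      # internet protocol, pseudo protocol number
icmp    1       ICMP    # internet control message protocol
tcp     6       TCP     # transmission control protocol
udp     17      UDP     # user datagram protocol
gre     47      GRE     # General Routing Encapsulation
esp     50      ESP     # Encap Security Payload
ah      51      AH      # Authentication Header
"""

SERVICES_SAMPLE = """\
# Network services:  name  port/proto  [aliases]  # comment
ftp             21/tcp
ssh             22/tcp
isakmp          500/tcp
isakmp          500/udp
pptp            1723/tcp
"""


def _fields(line):
    """Drop a trailing '# comment' and split the rest on whitespace."""
    return line.split("#", 1)[0].split()


def parse_protocols(text):
    """Map protocol number -> canonical name (the first name listed wins)."""
    table = {}
    for line in text.splitlines():
        f = _fields(line)
        if len(f) >= 2 and f[1].isdigit():
            table.setdefault(int(f[1]), f[0])
    return table


def parse_services(text):
    """Map (port, proto) -> canonical name; one port may differ per proto."""
    table = {}
    for line in text.splitlines():
        f = _fields(line)
        if len(f) < 2:
            continue
        port, sep, proto = f[1].partition("/")
        if sep and port.isdigit():
            table.setdefault((int(port), proto), f[0])
    return table


_NUMERIC_PROTO = re.compile(r"\bproto\s+(\d+)\b")
_ANY_PROTO = re.compile(r"\bproto\s+(\w+)\b")
_NUMERIC_PORT = re.compile(r"\bport\s+(\d+)\b")


def symbolic_rule(rule, protocols, services):
    """Rewrite 'proto N' and 'port N' in one pf rule to names the tables know.
    Unknown numbers, and ports in rules whose proto is a list like
    '{ tcp udp }' (which _ANY_PROTO does not match), stay numeric."""
    rule = _NUMERIC_PROTO.sub(
        lambda pm: "proto " + protocols.get(int(pm.group(1)), pm.group(1)), rule)
    m = _ANY_PROTO.search(rule)
    proto = m.group(1) if m else None
    return _NUMERIC_PORT.sub(
        lambda pm: "port " + (services.get((int(pm.group(1)), proto)) or pm.group(1)),
        rule)


def symbolic_rules(rules, protocols, services):
    return [symbolic_rule(r, protocols, services) for r in rules]


if __name__ == "__main__":
    protos = parse_protocols(PROTOCOLS_SAMPLE)
    svcs = parse_services(SERVICES_SAMPLE)
    for r in symbolic_rules([
        "pass in quick on $ext_if proto 47 from any to any",
        "pass in quick on $ext_if proto tcp from any to any port 1723 keep state",
        "pass in quick on $ext_if proto udp from any to any port 500 keep state",
    ], protos, svcs):
        print(r)
```

The rewrite only changes numbers the tables can name, so running it over a whole ruleset is safe: anything it does not recognise is printed back unchanged, and pfctl -nf will still validate the result the same way it validated the numeric version.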



Re: the death of the oldest OpenBSD system on the net...

2008-03-17 Thread Wijnand Wiersma

raven schreef:

I still use a Pentium 166 with 64 MB with FreeBSD 5.2 that handles 400 
email accounts without problem :)


a pic of my beast http://raven.lilik.it/foto/im000785.jpg (it's an old pic)


Doesn't matter that much in case of machine pictures, it gets worse 
with people when the pics are old. Machines get prettier over time. ;-)


Wijnand



Re: Opening VPN ports

2008-03-17 Thread Stuart Henderson
On 2008-03-17, Dave Beckstrom [EMAIL PROTECTED] wrote:
 I have an OpenBSD 3.3 transparently bridged packet filtering firewall.   

It's had a good long run, but please update this 5-year old system
which you have in a *security* role...

 I am finding conflicting information on what ports/protocol to open up.
 Microsoft is saying protocol ID 47 and TCP port 1723 both inbound and
 outbound.  If that's true, then something like the following should work:

 pass in quick on ext_if proto 47 from any to any
 pass out quick on ext_if proto 47 from any to any

 pass in quick on ext_if proto tcp from any to any port 1723 keep state
 pass out  quick on ext_if proto tcp from any to any port 1723 keep state

Don't forget to pass traffic on the internal interface.

On 2008-03-17, Peter N. M. Hansteen [EMAIL PROTECTED] wrote:
 There is work going on now that
 might solve this soon (as in patches on tech@, may turn up in
 snapshots soonish)

It's OK through a normal packet filter, and a single user behind a
NAT is also OK. PPTP only needs to be proxied when you have more than
one concurrent endpoint behind a NAT.



question re spamd.alloweddomains file

2008-03-17 Thread Juan Miscaro
I have populated /etc/mail/spamd.alloweddomains with all email
addresses serviced by my Postfix server.  Nevertheless, I still see
entries in my mail log that submissions to non-existent addresses are
being attempted.  One thing I have noticed is that, so far, all
submissions have as their origin my backup MX server (which
unfortunately is a third party beyond my control).  I am running
OpenBSD 4.2.

Comments?

TIA,

/juan





Re: question re spamd.alloweddomains file

2008-03-17 Thread Rod Whitworth
On Mon, 17 Mar 2008 20:30:53 -0400 (EDT), Juan Miscaro wrote:

I have populated /etc/mail/spamd.alloweddomains with all email
addresses serviced by my Postfix server.  Nevertheless, I still see
entries in my mail log that submissions to non-existent addresses are
being attempted.  One thing I have noticed is that, so far, all
submissions have as their origin my backup MX server (which
unfortunately is a third party beyond my control).  I am running
OpenBSD 4.2.

Comments?

TIA,

/juan

Get rid of the backup MX. You don't really need it if you have a
reliable server and a mostly up connection to the 'net.

What is more if the backup MX is not running spamd and does not reject
mail for unknown recipients you will end up blacklisted for
backscattering.

Spammers love backup MXes.

Rod/
Note: on-list replies will suffice. If you MUST reply offlist, use my
reply-to address or I won't see it.

--
Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



Re: AMD Geode

2008-03-17 Thread Damien Miller
On Mon, 17 Mar 2008, Dimitri wrote:

 Hello all.
 
 My question is simple.
 
 Does OpenBSD run on AMD Geode,

Yes.

 specifically the Packard
 Bell S18P?

Don't know.

-d