Re: 4.2 and em(4)

2008-04-15 Thread scott
It appears that you have two bus types -- PCI-E and PCI-X.

em0 - 5 are PCI-E.  PCI-E is a spoke-hub (star) bus topology so each
em() is on its own bus pathway.  One PCI-E device does NOT contend with
another. 

em6 and em7 are PCI-X and, yes, they're on the same bus, and, yes, they
may contend with each other.  Are they (i) one dual-port NIC, or
(ii) two single-port NICs, or (iii) a chip embedded on the mb?



-Original Message-
From: Mikael Kermorgant [EMAIL PROTECTED]
Subject: Re: 4.2 and em(4)
Date: Tue, 15 Apr 2008 00:46:08 +0200

Hello,

I'd like to jump on what you said about separate buses because I
haven't looked at this before.

You made me curious to understand this dmesg output:

cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82Q965 Host rev 0x02
agp0 at pchb0: aperture at 0xd000, size 0x800
ppb0 at pci0 dev 1 function 0 Intel 82Q965 PCIE rev 0x02: irq 14
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci2 at ppb1 bus 2
ppb2 at pci1 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci3 at ppb2 bus 3
vga1 at pci0 dev 2 function 0 Intel 82Q965 Video rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb3 at pci0 dev 28 function 0 Intel 82801H PCIE rev 0x02: irq 14
pci4 at ppb3 bus 4
em0 at pci4 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: irq 14, address 00:10:f3:10:7e:68
ppb4 at pci0 dev 28 function 1 Intel 82801H PCIE rev 0x02: irq 10
pci5 at ppb4 bus 5
em1 at pci5 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: irq 10, address 00:10:f3:10:7e:69
ppb5 at pci0 dev 28 function 2 Intel 82801H PCIE rev 0x02: irq 11
pci6 at ppb5 bus 6
em2 at pci6 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: irq 11, address 00:10:f3:10:7e:6a
ppb6 at pci0 dev 28 function 3 Intel 82801H PCIE rev 0x02: irq 15
pci7 at ppb6 bus 7
em3 at pci7 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: irq 15, address 00:10:f3:10:7e:6b
ppb7 at pci0 dev 28 function 4 Intel 82801H PCIE rev 0x02: irq 14
pci8 at ppb7 bus 8
em4 at pci8 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: irq 14, address 00:10:f3:10:7e:6c
ppb8 at pci0 dev 28 function 5 Intel 82801H PCIE rev 0x02: irq 10
pci9 at ppb8 bus 9
em5 at pci9 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: irq 10, address 00:10:f3:10:7e:6d
uhci0 at pci0 dev 29 function 0 Intel 82801H USB rev 0x02: irq 5
uhci1 at pci0 dev 29 function 1 Intel 82801H USB rev 0x02: irq 15
ehci0 at pci0 dev 29 function 7 Intel 82801H USB rev 0x02: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb9 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xf2
pci10 at ppb9 bus 10
em6 at pci10 dev 14 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq 11, address 00:10:f3:10:7e:6e
em7 at pci10 dev 15 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq 10, address 00:10:f3:10:7e:6f


Just by reading this :

pci4 at ppb3 bus 4
em0 at pci4 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: irq 14, address 00:10:f3:10:7e:68
ppb4 at pci0 dev 28 function 1 Intel 82801H PCIE rev 0x02: irq 10
pci5 at ppb4 bus 5
em1 at pci5
--
I'd deduce em0 (pci4, bus 4) and em1 (pci5, bus 5) are on separate
buses... but am I right?
But em6 and em7 are on the same bus, right?

Thanks in advance,

Mikael Kermorgant



On Mon, Apr 14, 2008 at 11:14 PM, scott [EMAIL PROTECTED] wrote:
 We've found the best gateway box -- pf, sshd for ssh -w vpn and ipsec
  clients, spamd, etc. -- is non-MP, as follows.

  A) Use a box with the fastest memory bandwidth (and latency) your budget
  -- cash or time spent scrounging -- can afford/acquire.  (e.g.  on a
  P-III 1 GHz machine, we saw meaningfully better top-end results on our
  stress tests between using PC133 vs PC100 and again between PC133 CL2.5
  vs CL3 memory sticks.)

  B.1) Server-class motherboards usually have multiple PCI buses (say
  again, buses, not slots).  Opposing the em(4) nics on separate
  buses, with regard to in-to-out flows, helps quite a bit too.  e.g.
  internet --- (em0)(bus1)(pf)(bus2)(em1) --- LAN.

  B.2) Once a while back, we did see some positive effect by trying to
  share the driver-IRQ for the like em(4).  But not too sure about this
  one.

  C) We found, on 4.2, if your mb will play nicely, expressly enabling
  ACPI (vs. default APM) functionality seemed to improve the box's
  throughput too. In our case, INTEL MOTHERBOARDS.  Your mb may not like
  this, though, so use with care and/or wait for the 4.3 release.



  -Original Message-
  From: Stuart Henderson [EMAIL PROTECTED]
  To: misc@openbsd.org
  Subject: Re: 4.2 and em(4)
  Date: Mon, 14 Apr 2008 16:23:24 + (UTC)
  Mailer: slrn/0.9.8.1 (OpenBSD)
  Delivered-To: [EMAIL PROTECTED]

  On 2008-04-14, Joe Warren-Meeks [EMAIL PROTECTED] wrote:
  
   If the box was only doing pf stuff, then that would be correct. If you
   were to put a bunch 
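
The bus question discussed in this thread can be answered mechanically from the autoconf attach lines in dmesg. The script below is an added example, not part of any message in the thread: it groups em(4) devices by the pciN they attach to, using a constructed excerpt of the dmesg quoted above; the function names and the "PCIE in the bridge description" heuristic are assumptions of the example.

```shell
#!/bin/sh
# Added example: group em(4) NICs by the PCI bus they attach to, using the
# "<dev> at <parent> ..." autoconf lines that dmesg prints.

# Constructed sample: excerpt of the dmesg quoted in the thread, lines unwrapped.
sample_dmesg() {
cat <<'EOF'
ppb3 at pci0 dev 28 function 0 Intel 82801H PCIE rev 0x02: irq 14
pci4 at ppb3 bus 4
em0 at pci4 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: irq 14, address 00:10:f3:10:7e:68
ppb4 at pci0 dev 28 function 1 Intel 82801H PCIE rev 0x02: irq 10
pci5 at ppb4 bus 5
em1 at pci5 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: irq 10, address 00:10:f3:10:7e:69
ppb9 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xf2
pci10 at ppb9 bus 10
em6 at pci10 dev 14 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq 11, address 00:10:f3:10:7e:6e
em7 at pci10 dev 15 function 0 Intel PRO/1000MT (82541GI) rev 0x05: irq 10, address 00:10:f3:10:7e:6f
EOF
}

# nics_by_bus: read dmesg on stdin and print one line per PCI bus that
# carries em(4) devices, in order of first appearance:
#   <pciN> <bridge> <pcie|other> <nic-count> <nic,nic,...>
nics_by_bus() {
awk '
# Bridge line: classify it by its description (heuristic, see lead-in).
$2 == "at" && $1 ~ /^ppb[0-9]+$/ {
    kind[$1] = ($0 ~ /PCIE/) ? "pcie" : "other"
}
# Bus line: remember which bridge the bus hangs off.
$2 == "at" && $1 ~ /^pci[0-9]+$/ && $3 ~ /^ppb[0-9]+$/ {
    bridge[$1] = $3
}
# NIC line: record the bus it attaches to.
$2 == "at" && $1 ~ /^em[0-9]+$/ && $3 ~ /^pci[0-9]+$/ {
    bus = $3
    if (!(bus in n)) order[++nb] = bus
    n[bus]++
    list[bus] = (list[bus] == "" ? $1 : list[bus] "," $1)
}
END {
    for (i = 1; i <= nb; i++) {
        b  = order[i]
        br = (b in bridge) ? bridge[b] : "-"
        k  = (br in kind) ? kind[br] : "unknown"
        printf "%s %s %s %d %s\n", b, br, k, n[b], list[b]
    }
}'
}

# shared_buses: print only the buses that carry more than one NIC.
shared_buses() {
    nics_by_bus | awk '$4 > 1 { print $1 ": " $5 }'
}

# Stand-alone run against the constructed sample.
sample_dmesg | nics_by_bus
```

On a live system the input would be `dmesg | nics_by_bus`; NICs listed on the same output line share a bus.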

Privilege Separation on HTTP Server in DMZ

2008-04-15 Thread Clint Pachl
I'm running nginx web server on my DMZ servers. It has the ability to 
run the master process as root and the workers as a non-root user. All 
logs, pid file, etc. are written by the master process. I was thinking 
of redirecting port 80 traffic to a non-privileged port via pf and 
running nginx master and worker procs as non-root user.


Would there be more security in this configuration?

The only downside I can think of is that if a worker proc is 
compromised, the log files could be as well. Other than that, it seems 
more secure to avoid running as root, especially third party apps. Am I 
missing something?


-pachl
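
A sketch of the layout asked about above, added here and not part of the original post: a pf redirect in the pre-4.7 `rdr` syntax, an nginx.conf for a master started as a non-root user, and a check that the two agree. The interface em0, port 8080, the /var/nginx prefix and all function names are assumptions of the example.

```shell
#!/bin/sh
# Added example: consistency check for running nginx entirely as a non-root
# user behind a pf redirect. All file contents below are constructed samples.

# pf.conf fragment (rdr syntax of OpenBSD releases before 4.7).
sample_pf() {
cat <<'EOF'
ext_if = "em0"
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 80 -> 127.0.0.1 port 8080
EOF
}

# nginx.conf for a master started as an unprivileged account: no "user"
# directive, and pid/log paths under a directory that account owns.
sample_nginx() {
cat <<'EOF'
pid        /var/nginx/run/nginx.pid;
error_log  /var/nginx/log/error.log;
events { worker_connections 256; }
http {
    access_log /var/nginx/log/access.log;
    server {
        listen 127.0.0.1:8080;
        root   /var/www/htdocs;
    }
}
EOF
}

# listen_ports FILE: print the port of every "listen" directive.
listen_ports() {
    awk '$1 == "listen" { p = $2; sub(/;.*/, "", p); sub(/.*:/, "", p); print p }' "$1"
}

# rdr_target_ports FILE: print the port each rdr rule redirects to,
# i.e. the "port N" that follows the "->" token.
rdr_target_ports() {
    awk '$1 == "rdr" {
        seen = 0
        for (i = 2; i < NF; i++) {
            if ($i == "->") seen = 1
            else if (seen && $i == "port") print $(i + 1)
        }
    }' "$1"
}

# check_layout NGINX_CONF PF_CONF WRITABLE_PREFIX
# Prints one finding per line; the exit status is the number of findings.
check_layout() {
    findings=0
    for p in $(listen_ports "$1"); do
        # Ports below 1024 can only be bound by root.
        if [ "$p" -lt 1024 ]; then
            echo "listen port $p needs root to bind"
            findings=$((findings + 1))
        fi
        # Traffic only arrives if some rdr rule points at this port.
        rdr_target_ports "$2" | grep -qx "$p" || {
            echo "no rdr rule targets listen port $p"
            findings=$((findings + 1))
        }
    done
    # Files the non-root master must create have to live under the prefix.
    for f in $(awk '$1 == "pid" || $1 == "error_log" || $1 == "access_log" {
                        sub(/;.*/, "", $2); print $2 }' "$1"); do
        case "$f" in
            "$3"/*) ;;
            *) echo "$f is outside $3"
               findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Stand-alone run against the constructed samples.
tmp=$(mktemp -d)
sample_nginx > "$tmp/nginx.conf"
sample_pf > "$tmp/pf.conf"
check_layout "$tmp/nginx.conf" "$tmp/pf.conf" /var/nginx && echo "layout consistent"
rm -rf "$tmp"
```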



DORS / CLUC 2008, Apr 16 - Apr 18, 2008, Zagreb, Croatia

2008-04-15 Thread Wim Vandeputte
Hey,

For those 'in the area', Mitja and I will give a talk about OpenBSD
4.3 and a workshop on VPN at DORS / CLUC 2008.

Info on http://www.openbsd.org/events.html


-- 
   =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=   
https://kd85.com/notforsale.html
 --



Re: How secure is OpenBSD really

2008-04-15 Thread Jernej Makovsek
Thank you both for the quick reply.



Re: How secure is OpenBSD really

2008-04-15 Thread Jernej Makovsek
Reading the archive it seems to me that el8 was taken as a joke:

List:   openbsd-misc
Subject:Re: main openbsd server compromised ?
From:   e eliab () spack ! org
Date:   2002-08-15 17:11:01
[Download message RAW]

no, el8 is not a serious zine, it's a joke, i'm sure reading a little
more of the zine would have made that obvious

List:   openbsd-misc
Subject:Re: main openbsd server compromised ?
From:   e eliab () spack ! org
Date:   2002-08-16 18:40:17
[Download message RAW]

* dayioglu ([EMAIL PROTECTED]) wrote:
On Thu, 2002-08-15 at 20:11, e wrote:
 no, el8 is not a serious zine, it's a joke, i'm sure reading a little
 more of the zine would have made that obvious

Not to cause a flame-war but the disclosed mail traffic of K2 seem
very normal. I did read the whole thing and to create so many
joke mails is, err, at least unusual.

Are you sure you read it all?

quite sure, el8 has been known to do this same type of thing before.


And that`s that. But
on http://www.wired.com/culture/lifestyle/news/2002/08/54400 I read
that OpenBSD co-founder Theo de Raadt, cited as a top el8 target,
angrily refused to discuss the compromise (link
http://www.openssh.com/txt/trojan.adv)  in late July of a file server
maintained by the open-source, Unix-based operating-system project. On
Aug. 1, a dangerous Trojan horse program was discovered amid the code
for OpenBSD, which is used by thousands of organizations and renowned
for its security..

And:
Christopher Ambient Empire Abad, a security expert with Qualys,
confirmed that excerpts of e-mails and other files stolen from his
directory on a server were published in el8's latest zine.

So it appears to me that what el8 posted wasn`t a joke. Did I miss
something again?

With regards,
Jernej

On Tue, Apr 15, 2008 at 1:59 AM, Ted Unangst [EMAIL PROTECTED] wrote:
 On 4/14/08, Jernej Makovsek [EMAIL PROTECTED] wrote:
Now with this post I don`t want to start any wars. I know that nothing
is bullet proof and so on but as a wannabe OBSD user I`m just
interested in if this compromise was analysed and especially how the
code has changed from then, what did you do to make sure that this
does not repeat. And if it was a third party app, why wasn`t it
configured within a jail? Ok, I learned that sysjail was announced on
May 22 2006, but surely you have chroot capability. And sysjail is
connected with systrace... Well again, don`t want to start any flame,
just interested how your community responded and responds to issues
like that.

  Sure, I'll just sum up 6 years of pretty continuous development for
  you.  Unfortunately, it would take too long to read and I don't want
  to waste any of your time, so I'll just summarize it as lots of
  changes.



Re: How secure is OpenBSD really

2008-04-15 Thread Richard Toohey

What's your point?

Is OpenBSD perfect?  No.

Does it have flaws?  Yes.

Can it be broken?  Yes, and you've dug something out
from six years ago that may or not prove that.  But the same can
be said of Linux, Windows, Mac OS, etc., etc.

Has every flaw/bug been discovered?  No.

Will there be more issues found?  Yes.

Does it tackle security pro-actively?  Yes.

Does it prefer security and openness and doing things correctly
over bells & whistles and best performance whatever the cost?  Yes -
security and correctness are priorities - but you could find that
out from http://www.openbsd.org/goals.html.  Does that mean that
it will be perfect?  No.

Are the developers/leaders perfect?  No.

Is OpenBSD the One True Secure High Performance Operating System
for every imaginable task?  No ... but then nor is anything else.

Is OpenBSD for you?  Only you can decide ... and even if it is, it
may not be the best tool for EVERY job.

HTH.

On 15/04/2008, at 10:28 PM, Jernej Makovsek wrote:

Reading the archive it seems to me that el8 was taken as a joke:

List:   openbsd-misc
Subject:Re: main openbsd server compromised ?
From:   e eliab () spack ! org
Date:   2002-08-15 17:11:01
[Download message RAW]

no, el8 is not a serious zine, it's a joke, i'm sure reading a little
more of the zine would have made that obvious

List:   openbsd-misc
Subject:Re: main openbsd server compromised ?
From:   e eliab () spack ! org
Date:   2002-08-16 18:40:17
[Download message RAW]

* dayioglu ([EMAIL PROTECTED]) wrote:

On Thu, 2002-08-15 at 20:11, e wrote:
no, el8 is not a serious zine, it's a joke, i'm sure reading a little
more of the zine would have made that obvious


Not to cause a flame-war but the disclosed mail traffic of K2 seem
very normal. I did read the whole thing and to create so many
joke mails is, err, at least unusual.

Are you sure you read it all?


quite sure, el8 has been known to do this same type of thing before.


And that`s that. But
on http://www.wired.com/culture/lifestyle/news/2002/08/54400 I read
that OpenBSD co-founder Theo de Raadt, cited as a top el8 target,
angrily refused to discuss the compromise (link
http://www.openssh.com/txt/trojan.adv)  in late July of a file server
maintained by the open-source, Unix-based operating-system project. On
Aug. 1, a dangerous Trojan horse program was discovered amid the code
for OpenBSD, which is used by thousands of organizations and renowned
for its security..

And:
Christopher Ambient Empire Abad, a security expert with Qualys,
confirmed that excerpts of e-mails and other files stolen from his
directory on a server were published in el8's latest zine.

So it appears to me that what el8 posted wasn`t a joke. Did I missed
something again?

With regards,
Jernej

On Tue, Apr 15, 2008 at 1:59 AM, Ted Unangst  
[EMAIL PROTECTED] wrote:

On 4/14/08, Jernej Makovsek [EMAIL PROTECTED] wrote:
 Now with this post I don`t want to start any wars. I know that nothing
 is bullet proof and so on but as a wannabe OBSD user I`m just
 interested in if this compromise was analysed and especially how the
 code has changed from then, what did you do to make sure that this
 does not repeat. And if it was a third party app, why wasn`t it
 configured within a jail? Ok, I learned that sysjail was announced on
 May 22 2006, but surely you have chroot capability. And sysjail is
 connected with systrace... Well again, don`t want to start any flame,
 just interested how your community responded and responds to issues
 like that.


 Sure, I'll just sum up 6 years of pretty continuous development for
 you.  Unfortunately, it would take too long to read and I don't want
 to waste any of your time, so I'll just summarize it as lots of
 changes.




Pay-per-result e-mailing

2008-04-15 Thread Emailing One
If this message does not display correctly, you can view it by
following this link.

COMMUNICATE WITHOUT COMMITMENT!

At last, a solution for setting up e-mailing campaigns
paid by results:

We offer you the opportunity to access e-mailing
and make sales with complete financial peace of mind.

Fields marked with * are required.

e-mailingone - Sarl with capital of 15€
50 rue Henri Prou 78340 Les Clayes sous bois – Siret no. 49793861300013

If you no longer wish to receive messages from us, click here


Re: 4.2 and em(4)

2008-04-15 Thread Henning Brauer
* Joe Warren-Meeks [EMAIL PROTECTED] [2008-04-14 17:53]:
 On Mon, Apr 14, 2008 at 05:38:21PM +0200, Jordi Espasa Clofent wrote:
 
 Hey there,
  
  According several messages I've read from Henning or Daniel in present 
  and @pf list, there are not any benefits in run PF with MP kernels (and 
  multi-processor boxes, of course). Even you can get a poor performance 
  that uni-processor kernel/box.
 
 If the box was only doing pf stuff, then that would be correct. If you
 were to put a bunch of ftp-proxys on there too, then MP would help, no?

ftp-proxies, not really.

bloated proxies like squid, maybe pretending to try to save windows/macos 
boxes from the inevitable using some form of content scanning - yes, MP 
can be useful.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: How secure is OpenBSD really

2008-04-15 Thread Martin Schröder
2008/4/15, Jernej Makovsek [EMAIL PROTECTED]:
  http://www.openssh.com/txt/trojan.adv)  in late July of a file server
  maintained by the open-source, Unix-based operating-system project. On
  Aug. 1, a dangerous Trojan horse program was discovered amid the code
  for OpenBSD, which is used by thousands of organizations and renowned
  for its security..

Go back to your Linux system.

IIRC the systems hacked don't run OpenBSD. RTFAQ.



Re: How secure is OpenBSD really

2008-04-15 Thread Die Gestalt
I'm sad to see this obvious troll working.



Re: How secure is OpenBSD really

2008-04-15 Thread Jernej Makovsek
As I said in my first post: "Now with this post I don`t want to start
any wars. I know that nothing
is bullet proof and so on but as a wannabe OBSD user I`m just
interested in if this compromise was analysed and especially how the
code has changed from then, what did you do to make sure that this
does not repeat"

Now why did I post the Wired story? Because when I read the archive I
was expecting that the penetration has been taken seriously and
analysed publicly in detail. But instead it was dismissed as a joke.
And it doesn`t matter if it`s from 2002, what`s important to me is how
you deal with the problem. One can get a flawed picture that this is how
you deal with remote exploits. I was really looking forward to reading
your comments on how that and that developer did that and that error
in analyzing the situation and how the changes you made to the
exploited program changed other programs and such but instead ppl feel
endangered.

Ok, thanks for all the info. Flaming is starting, I have better things
to do.. like make X work on OBSD.

Bye

On Tue, Apr 15, 2008 at 12:42 PM, Richard Toohey
[EMAIL PROTECTED] wrote:
 What's your point?

  Is OpenBSD perfect?  No.

  Does it have flaws?  Yes.

  Can it be broken?  Yes, and you've dug something out
  from six years ago that may or not prove that.  But the same can
  be said of Linux, Windows, Mac OS, etc., etc.

  Has every flaw/bug been discovered?  No.

  Will there be more issues found?  Yes.

  Does it tackle security pro-actively?  Yes.

  Does it prefer security and openness and doing things correctly
  over bells & whistles and best performance whatever the cost?  Yes -
  security and correctness are priorities - but you could find that
  out from http://www.openbsd.org/goals.html.  Does that mean that
  it will be perfect?  No.

  Are the developers/leaders perfect?  No.

  Is OpenBSD the One True Secure High Performance Operating System
  for every imaginable task?  No ... but then nor is anything else.

  Is OpenBSD for you?  Only you can decide ... and even if it is, it
  may not be the best tool for EVERY job.

  HTH.



  On 15/04/2008, at 10:28 PM, Jernej Makovsek wrote:

  Reading the archive it seems to me that el8 was taken as a joke:
 
  List:   openbsd-misc
  Subject:Re: main openbsd server compromised ?
  From:   e eliab () spack ! org
  Date:   2002-08-15 17:11:01
  [Download message RAW]
 
  no, el8 is not a serious zine, it's a joke, i'm sure reading a little
  more of the zine would have made that obvious
 
  List:   openbsd-misc
  Subject:Re: main openbsd server compromised ?
  From:   e eliab () spack ! org
  Date:   2002-08-16 18:40:17
  [Download message RAW]
 
  * dayioglu ([EMAIL PROTECTED]) wrote:
 
   On Thu, 2002-08-15 at 20:11, e wrote:
  
no, el8 is not a serious zine, it's a joke, i'm sure reading a little
more of the zine would have made that obvious
   
  
   Not to cause a flame-war but the disclosed mail traffic of K2 seem
   very normal. I did read the whole thing and to create so many
   joke mails is, err, at least unusual.
  
   Are you sure you read it all?
  
 
  quite sure, el8 has been known to do this same type of thing before.
 
 
  And that`s that. But
  on http://www.wired.com/culture/lifestyle/news/2002/08/54400 I read
  that OpenBSD co-founder Theo de Raadt, cited as a top el8 target,
  angrily refused to discuss the compromise (link
  http://www.openssh.com/txt/trojan.adv)  in late July of a file server
  maintained by the open-source, Unix-based operating-system project. On
  Aug. 1, a dangerous Trojan horse program was discovered amid the code
  for OpenBSD, which is used by thousands of organizations and renowned
  for its security..
 
  And:
  Christopher Ambient Empire Abad, a security expert with Qualys,
  confirmed that excerpts of e-mails and other files stolen from his
  directory on a server were published in el8's latest zine.
 
  So it appears to me that what el8 posted wasn`t a joke. Did I missed
  something again?
 
  With regards,
  Jernej
 
  On Tue, Apr 15, 2008 at 1:59 AM, Ted Unangst [EMAIL PROTECTED]
 wrote:
 
   On 4/14/08, Jernej Makovsek [EMAIL PROTECTED] wrote:
  
 Now with this post I don`t want to start any wars. I know that
 nothing
 is bullet proof and so on but as a wannabe OBSD user I`m just
 interested in if this compromise was analysed and especially how the
 code has changed from then, what did you do to make sure that this
 does not repeat. And if it was a third party app, why wasn`t it
 configured within a jail? Ok, I learned that sysjail was announced on
 May 22 2006, but surely you have chroot capability. And sysjail is
 connected with systrace... Well again, don`t want to start any flame,
 just interested how your community responded and responds to issues
 like that.
   
  
Sure, I'll just sum up 6 years of pretty continuous development for
you.  Unfortunately, it would take too long to 

Re: How secure is OpenBSD really

2008-04-15 Thread Rico Secada
On Tue, 15 Apr 2008 13:45:14 +0200
Jernej Makovsek [EMAIL PROTECTED] wrote:

Please just ignore this post!

 As I said in my first post Now with this post I don`t want to start
 any wars. I know that nothing
 is bullet proof and so on but as a wannabe OBSD user I`m just
 interested in if this compromise was analysed and especially how the
 code has changed from then, what did you do to make sure that this
 does not repeat
 
 Now why did I post the Wired story? Because when I read the archive I
 was expecting that the penetration has been taken seriously and
 analysed publicly in detail. But instead it was dismissed as a joke.
 And it doesn`t matter if it`s form 2002, what`s important to me is how
 you deal with the problem. One can get flawed picture that this is how
 you deal with remote exploits. I was really looking forward to read
 your comments on how that and that developer did that and that error
 in analyizing the situation and how the changes you made to the
 exploited program changed other programs and such but instead ppl feel
 endangered.
 
 Ok, thanks for all the info. Flaming is starting, I have better things
 to do.. like make X work on OBSD.
 
 Bye
 
 On Tue, Apr 15, 2008 at 12:42 PM, Richard Toohey
 [EMAIL PROTECTED] wrote:
  What's your point?
 
   Is OpenBSD perfect?  No.
 
   Does it have flaws?  Yes.
 
   Can it be broken?  Yes, and you've dug something out
   from six years ago that may or not prove that.  But the same can
   be said of Linux, Windows, Mac OS, etc., etc.
 
   Has every flaw/bug been discovered?  No.
 
   Will there be more issues found?  Yes.
 
   Does it tackle security pro-actively?  Yes.
 
   Does it prefer security and openness and doing things correctly
   over bells & whistles and best performance whatever the cost?  Yes
  - security and correctness are priorities - but you could find that
   out from http://www.openbsd.org/goals.html.  Does that mean that
   it will be perfect?  No.
 
   Are the developers/leaders perfect?  No.
 
   Is OpenBSD the One True Secure High Performance Operating System
   for every imaginable task?  No ... but then nor is anything else.
 
   Is OpenBSD for you?  Only you can decide ... and even if it is, it
   may not be the best tool for EVERY job.
 
   HTH.
 
 
 
   On 15/04/2008, at 10:28 PM, Jernej Makovsek wrote:
 
   Reading the archive it seems to me that el8 was taken as a joke:
  
   List:   openbsd-misc
   Subject:Re: main openbsd server compromised ?
   From:   e eliab () spack ! org
   Date:   2002-08-15 17:11:01
   [Download message RAW]
  
   no, el8 is not a serious zine, it's a joke, i'm sure reading a
   little more of the zine would have made that obvious
  
   List:   openbsd-misc
   Subject:Re: main openbsd server compromised ?
   From:   e eliab () spack ! org
   Date:   2002-08-16 18:40:17
   [Download message RAW]
  
   * dayioglu ([EMAIL PROTECTED]) wrote:
  
On Thu, 2002-08-15 at 20:11, e wrote:
   
 no, el8 is not a serious zine, it's a joke, i'm sure reading
 a little more of the zine would have made that obvious

   
Not to cause a flame-war but the disclosed mail traffic of K2
seem very normal. I did read the whole thing and to create so
many joke mails is, err, at least unusual.
   
Are you sure you read it all?
   
  
   quite sure, el8 has been known to do this same type of thing
   before.
  
  
   And that`s that. But
   on http://www.wired.com/culture/lifestyle/news/2002/08/54400 I read
   that OpenBSD co-founder Theo de Raadt, cited as a top el8 target,
   angrily refused to discuss the compromise (link
   http://www.openssh.com/txt/trojan.adv)  in late July of a file
   server maintained by the open-source, Unix-based operating-system
   project. On Aug. 1, a dangerous Trojan horse program was
   discovered amid the code for OpenBSD, which is used by thousands
   of organizations and renowned for its security..
  
   And:
   Christopher Ambient Empire Abad, a security expert with Qualys,
   confirmed that excerpts of e-mails and other files stolen from his
   directory on a server were published in el8's latest zine.
  
   So it appears to me that what el8 posted wasn`t a joke. Did I
   missed something again?
  
   With regards,
   Jernej
  
   On Tue, Apr 15, 2008 at 1:59 AM, Ted Unangst
   [EMAIL PROTECTED]
  wrote:
  
On 4/14/08, Jernej Makovsek [EMAIL PROTECTED] wrote:
   
  Now with this post I don`t want to start any wars. I know
 that
  nothing
  is bullet proof and so on but as a wannabe OBSD user I`m
 just interested in if this compromise was analysed and
 especially how the code has changed from then, what did you
 do to make sure that this does not repeat. And if it was a
 third party app, why wasn`t it configured within a jail? Ok,
 I learned that sysjail was announced on May 22 2006, but
 surely you have chroot capability. And sysjail is connected
 with systrace... Well again, 

Re: How secure is OpenBSD really

2008-04-15 Thread Josh Grosse
Jernej:

AFAIK there was only one provable and admitted case of an exploit of OpenBSD's
public facing systems, and that was of an ftp server that happened to be
hosting OpenBSD tarballs.  And while FAQ 8.18 says that the project's publicly
available servers at openbsd.org do not run OpenBSD, a compromise of an
openbsd.org platform is really not the issue, though it highlights it.

When you install this OS, it is secure by default.  Wonderful.  Making any
configuration changes or adding any software might compromise that security. 
This means that security of the software configuration and the hardware
platform are the administrator's responsibility -- mistakes could be made.  In
addition, OpenBSD systems may be compromised (and probably are) for other
reasons than administrator error.  Compromise is always possible through human
behavior -- such as the inadvertent disclosure of passwords or keys, through
social engineering scam attacks, etc.

FYI: Since the inception of OpenBSD, there have been exactly two known remote
exploits found in the OS.  That's a pretty decent network-based security
record for a general purpose OS.  



Re: How secure is OpenBSD really

2008-04-15 Thread Jernej Makovsek
Ok, I should study faq and some mans. Thanks Josh. And other - sorry
for the inconvenience.

Jernej

On Tue, Apr 15, 2008 at 2:18 PM, Josh Grosse [EMAIL PROTECTED] wrote:
 Jernej:

  AFAIK there was only one provable and admitted case of an exploit of
  OpenBSD's public facing systems, and that was of an ftp server that
  happened to be hosting OpenBSD tarballs.  And while FAQ 8.18 says that
  the project's publicly available servers at openbsd.org do not run
  OpenBSD, a compromise of an openbsd.org platform is really not the
  issue, though it highlights it.

  When you install this OS, it is secure by default.  Wonderful.  Making
  any configuration changes or adding any software might compromise that
  security.  This means that security of the software configuration and
  the hardware platform are the administrator's responsibility --
  mistakes could be made.  In addition, OpenBSD systems may be
  compromised (and probably are) for other reasons than administrator
  error.  Compromise is always possible through human behavior -- such
  as the inadvertent disclosure of passwords or keys, through social
  engineering scam attacks, etc.

  FYI: Since the inception of OpenBSD, there have been exactly two known
  remote exploits found in the OS.  That's a pretty decent network-based
  security record for a general purpose OS.



Re: How secure is OpenBSD really

2008-04-15 Thread Artur Grabowski
Jernej Makovsek [EMAIL PROTECTED] writes:

 Reading the archive it seems to me that el8 was taken as a joke:

Yes, some random person, on a publicly available list where anyone
can post, said he thought it was a joke.

Your point is?

Go away, little troll.

//art



Re: X60 Tablet Wacom, Atheros 5213 others

2008-04-15 Thread Vadim Jukov
15 April 2008 06:16:58 Vadim Jukov wrote:
 Also I bought D-Link DWL-AG530 for desktop PC, because someone said
 (cannot discover that letter now:( ) it's Atheros 5212-based, which is
 supported. Damned me, I messed up ral(4) and ath(4) in my mind, and
 bought a card from a manufacturer which does not support OpenBSD... :(
 And I ran into a problem that either the man in the letter made a typo
 (530 instead of 520), or D-Link slightly changed the chip. Nowadays it's
 based on 5213, which fails to initialize or doesn't work either. Sample
 dmesg output (from different boots):

 ath0 at pci0 dev 11 function 0 Atheros AR5413 rev 0x01: irq 11
 ath0: AR5413 10.5 phy 6.1 rf 6.3, FCC2A*, address 00:1c:f0:19:aa:66
 ath0: ath_chan_set: unable to reset channel 52 (5260 MHz)
 ath0: unable to reset hardware; hal status 3618911128
 ath0: unable to reset hardware; hal status 3520943048
 ath0: unable to reset hardware; hal status 3520945608
 ath0: unable to reset hardware; hal status 3520946120
 ath0: unable to reset hardware; hal status 0
 ath0: unable to reset hardware; hal status 3485396992
 ath0: unable to reset hardware; hal status 0
 ath0: unable to reset hardware; hal status 3618274072
 ---
 ath0 at pci0 dev 11 function 0 Atheros AR5213 (D-Link DWL-AG530) rev 0x01: irq 11
 ath0: unable to attach hardware; HAL status 22
 ---
 ath0 at pci0 dev 11 function 0 Atheros AR5413 rev 0x01: irq 11
 ath0: AR5413 10.5 phy 6.1 rf 6.3, FCC2A*, address 00:1c:f0:19:aa:66
 ath0: bogus xmit rate 0x0 (idx 0x7)
 ath0: bogus xmit rate 0x0 (idx 0x7)
 ath0: bogus xmit rate 0x0 (idx 0x7)

 When I played with this card and driver, forcing detecting it as 5212
 (second sample output), I saw message saying failed to resume the
 AR5212 (again), see sys/dev/ic/ar5212.c line 334 (I played with
 incrementing loop count and sleep time there, without luck). Do not
 remember HAL status though, but it was consistent; may try again of
 course if it's needed.

 A few minutes ago, while I was writing this, it froze (no panic) the
 whole PC after a few ifconfig ath0 media xxx and ifconfig ath0
 commands. I have no AP around there, so I cannot ever say, does it
 work in BSS mode, but in hostap mode it doesn't (even when status is
 active). But I'm newbie in Wi-Fi at all, maybe I missed something...

Now I can reliably call a freeze or panic:

boot> boot -s
...
# cd /etc
# sh netstart ath0
# ^D
...
starting network...
got it

One of the panics (not from a GENERIC kernel (I tried 2: a month-old one
and one built a few hours ago), they still just freeze, and I have stopped
experiments now) is at the end of the letter.

Also on madwifi.org I discovered that D-Link really changed the chip in
the A4 or A5 h/w revision (I have A6), from AR5212 to AR5213. Currently
I'm trying to find a replacement for this card (AR5212-based at least)...

--
  Best wishes,
Vadim Zhukov


(written by hand)

ddb> trace
Debugger(d1a0,de8d1960,d19ff030,4,1) at Debugger+0x4
panic(d07273ad,d072748c,7,2,d7b7df00) at panic+0x63
ieee80211_set_link_state(d19ff030,4,,919f7) at ieee80211_set_link_state
ath_newstate(d19ff030,4,,0064,de9eae60) at ath_newstate+0x181
ieee80211_create_ibss(d19ff030,d19ff2ea,d0202262,d0,7f51e754) at ieee80211_create_ibss+0x11b
ieee80211_end_scan(d19ff030,d0388db6,d1a1d2c0,de9eaed8) at ieee80211_end_scan_0x21e
ath_next_scan(d19ff000,beaebe58,5305bdc4,0,0) at ath_next_scan+0x3d
softclock(58,10,10,10,d7bd12b0) at softclock+0x22c
Bad frame pointer: 0xde9eaef8
ddb> ps
   PID   PPID   PGRP  UID  S     FLAGS  WAIT      COMMAND
 29743  12849  12849    0  3    0x4002  biowait   perl
 23968  29279  29279   83  3     0x180  poll      ntpd
 23968  29279      1    0  3      0x80  poll      ntpd
 18665      1  18665    0  3      0x80  poll      rpc.lock
 28214  31308  31308    0  3      0x80  nfsd      nfsd
 25324  31308  31308    0  3      0x80  nfsd      nfsd
   265  31308  31308    0  3      0x80  nfsd      nfsd
 30325  31308  31308    0  3      0x80  nfsd      nfsd
 31308      1  31308    0  3      0x80  netcon    nfsd
 28807      1  28807    0  3      0x80  select    mountd
 24743  19443  19443   68  3     0x180  select    isakmpd
 12187      1  12187   28  3     0x180  poll      portmap
 19443      1  19443    0  3      0x80  netio     isakmpd
 21435  10256  10256   70  3     0x180  select    named
 10256      1  10256    0  3     0x180  netio     named
 27148   2629   2629   74  3     0x180  bpf       pflogd
  2629      1   2629    0  3      0x80  netio     pflogd
  6598  12385  12385   73  3     0x180  poll      syslogd
 12385      1  12385    0  3      0x80  netio     syslogd
 12849      1  12849    0  3    0x4082  pause     sh
    18      0      0    0  3  0x100200  bored     crypto
    17      0      0    0  3  0x100200  aiodoned  aiodoned
    16      0      0    0  3  0x100200  syncer    update
    15      0      0    0  3  0x100200  cleaner   cleaner
  

Re: X60 Tablet Wacom, Atheros 5213 others

2008-04-15 Thread joshua stein
 - Pen doesn't work at all. Windows say it's connected to the LPC chip 
 mentioned above. Does this mean that I have to write a driver for it 
 (and modify wscons framework to support touch strength, and then modify 
 Xorg wscons driver, BTW removing usbtablet(4))? Looks like nice effort 
 for me, but'll take a lot of time...

if it's like my x61 tablet, it's a serial wacom tablet and it's just
on a non-standard irq and address so you have to tell the kernel
where to probe for pccom0.

'config -e' your kernel, 'change pccom0', set the irq to 5 and port
to 0x200.

and it should attach pccom0.  you'll need the linux wacom driver
for xorg compiled without usb stuff:

http://linuxwacom.sourceforge.net/

 - Buttons near display (are actual in the tablet mode) do not work 
 either. Windows says they're connected in parallel to pen device.

they were working fine for me on my x61.  they generate keycodes you
can see by running xev.  i made them send normal keys with xmodmap:

! little button that can only be pressed with the tip of the pen
!keycode 198 =
! screen rotation key
!keycode 204 =
! whatever that button is to the right of rotate
!keycode 199 =

keycode 203 = Escape

! d-pad arrows and center
keycode 209 = Up
keycode 206 = Left
keycode 205 = Right
keycode 207 = Down
keycode 200 = Return

i eventually setup something to respond to keycode 204 and call a
script that ran 'xrandr' to rotate the display.

 - FireWire and finger scanner are not supported and do not work either. 
 BTW, does anyone have any docs for the last one (see dmesg for more 
 info)?

finger scanner is working, it's your ugen0 device.  fprint works
just fine with it:

http://reactivated.net/fprint/wiki/Main_Page

i have more info on the x61 tablet at http://lowerca.se/laptops/



Help on package upgrade on 4.3 needed

2008-04-15 Thread Stefan Wollny
Hello folks!

I need a little help with an issue when upgrading to 4.3-packages (from 4.2). I 
use OpenBSD on a ThinkPad T60 as my daily tool.
I followed the instructions on www.openbsd.org/faq/upgrade43.html when 
upgrading the system from the 4.3 CDs. Then I did: 
$ sudo pkg_add -u -i -F update -F updatedepends

Everything went fine - except that I shouldn't have done that as the majority 
of the 4.3-packages are not yet available.  :/
In particular all QT/KDE apps will not yet work. But Gtk/Glib apps don't work either.

pkg_add gave a note to upgrade the following databases:
/var/db/gtk-2.0/gtk.immodules
/var/db/gtk-2.0/gdk-pixbuf.loaders
/var/db/xmlcatalog
Unfortunately I didn't find a man page for gtk-2.0. The man page for 
xmlcatalog is beyond my skills (or my English). 
Via Google I found the advice to use pkg_add -r -F update. Well - this somehow 
worked without any remarks. BUT: Gtk+2-related apps still don't work (like 
sylpheed).

Can someone help me? Any hints on where to get more information? What 
additional information do you need to help me? I provide dmesg further down as 
first source.

BTW: Without any trouble the 4.2-versions of Firefox, OpenOffice, acrobat, 
xpdf, nedit and mc still worked after upgrading. Good!

Any help is welcome - thanks!

Stefan


 dmesg 
OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Core(TM) Duo CPU T2400 @ 1.83GHz (GenuineIntel 686-class) 1.83 
GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,VMX,EST,TM2,xTPR
real mem  = 2145808384 (2046MB)
avail mem = 2066866176 (1971MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/07/07, BIOS32 rev. 0 @ 0xfd6b0, SMBIOS 
rev. 2.4 @ 0xe0010 (68 entries)
bios0: vendor LENOVO version 79ETE0WW (2.20 ) date 12/07/2007
bios0: LENOVO 200855G
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SSDT ECDT TCPA APIC MCFG HPET BOOT SSDT SSDT SSDT SSDT 
SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) LURT(S3) DURT(S3) EXP0(S4) EXP1(S4) 
EXP2(S4) EXP3(S4) PCI1(S4) USB0(S3) USB1(S3) USB2(S3) USB7(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (AGP_)
acpiprt2 at acpi0: bus 2 (EXP0)
acpiprt3 at acpi0: bus 3 (EXP1)
acpiprt4 at acpi0: bus 4 (EXP2)
acpiprt5 at acpi0: bus 12 (EXP3)
acpiprt6 at acpi0: bus 21 (PCI1)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2
acpitz0 at acpi0: critical temperature 127 degC
acpitz1 at acpi0: critical temperature 99 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpibat0 at acpi0: BAT0 model 92P1139 serial  6480 type LION oem Panasonic
acpibat1 at acpi0: BAT1 not present
acpiac0 at acpi0: AC unit online
acpidock at acpi0 not configured
bios0: ROM list: 0xc/0xfe00 0xd/0x1000 0xd1000/0x1000 0xdc000/0x4000! 
0xe/0x1!
cpu0 at mainbus0
cpu0: unknown Enhanced SpeedStep CPU, msr 0x06130b2c06000b2c
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 1833 MHz (1404 mV): speeds: 1833, 1000 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82945GM Host rev 0x03
agp0 at pchb0: no integrated graphics
ppb0 at pci0 dev 1 function 0 Intel 82945GM PCIE rev 0x03: irq 11
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon Mobility X1300 M52-64 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x02: irq 11
azalia0: codec[s]: Analog Devices/0x1981, Conexant/0x2bfa, using Analog 
Devices/0x1981
audio0 at azalia0
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x02: irq 11
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: irq 11, 
address 00:15:58:31:de:bd
ppb2 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x02: irq 11
pci3 at ppb2 bus 3
wpi0 at pci3 dev 0 function 0 Intel PRO/Wireless 3945ABG rev 0x02: irq 11, 
MoW2, address 00:18:de:9c:fd:27
ppb3 at pci0 dev 28 function 2 Intel 82801GB PCIE rev 0x02: irq 11
pci4 at ppb3 bus 4
ppb4 at pci0 dev 28 function 3 Intel 82801GB PCIE rev 0x02: irq 11
pci5 at ppb4 bus 12
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x02: irq 11
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x02: irq 11
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x02: irq 11
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x02: irq 11
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x02: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb5 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xe2
pci6 at ppb5 bus 21
cbb0 at pci6 dev 0 function 0 TI PCI1510 CardBus rev 0x00: irq 11
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 22 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 

spamd in modified greylisting mode.

2008-04-15 Thread Preston Kutzner
I'm hoping someone can help me by answering a couple of questions
regarding spamd.  Ultimately, I'm wanting to know if the spamd setup
I'm envisioning is possible.  I'll explain the situation.

To begin, we attempted a typical setup of spamd in greylisting mode on
our firewall in front of our MX.  This worked great and was catching
lots of spam, for around 48 hours.  During this time, we (IT Dept.)
got several complaints about delayed delivery of emails from our
clients.  This was mostly due to impatient recipients within our
organization.  However, as a result, we were told, by executive order,
to shut down the greylisting.  Apparently the greylisting, in doing
what it's supposed to do, was disrupting time-sensitive email.
Nevermind that we were white-listing these senders as we were made
aware of them.

So, this brings me to my set-up inquiry.  We do receive lots of
delivery attempts to non-existent addresses in our domain and the
greytrapping feature of spamd was especially handy for blocking sites
attempting to deliver to these non-existent addresses.  I would like to
be able to take advantage of this feature of spamd, along with the
blacklist features, while not delaying email to non spamtrapped
addresses.

From my understanding of the interaction between spamd and pf, this
either isn't possible or is non-trivial.  However, I figured I would
see if anyone has done a similar set-up or knows of a way to implement
this.  Thanks.




Re: X60 Tablet Wacom, Atheros 5213 others

2008-04-15 Thread Dirk Mast
Vadim Jukov wrote:

 15 April 2008 P3. 06:16:58 Vadim Jukov wrote:
 Also I bought D-Link DWL-AG530 for desktop PC, because someone said
 (cannot discover that letter now:( ) it's Atheros 5212-based, which is
 supported. Damned me, I messed up ral(4) and ath(4) in my mind, and
 bought a card from a manufacturer which does not support OpenBSD... :(
 And I ran into a problem that either the man in the letter made a typo (530
 instead of 520), or D-Link slightly changed the chip. Nowadays it's based
 on 5213, which fails to initialize or doesn't work either. Sample
 dmesg output (from different boots):

 ath0 at pci0 dev 11 function 0 Atheros AR5413 rev 0x01: irq 11
 ath0: AR5413 10.5 phy 6.1 rf 6.3, FCC2A*, address 00:1c:f0:19:aa:66
 ath0: ath_chan_set: unable to reset channel 52 (5260 MHz)
 ath0: unable to reset hardware; hal status 3618911128
 ath0: unable to reset hardware; hal status 3520943048
 ath0: unable to reset hardware; hal status 3520945608
 ath0: unable to reset hardware; hal status 3520946120
 ath0: unable to reset hardware; hal status 0
 ath0: unable to reset hardware; hal status 3485396992
 ath0: unable to reset hardware; hal status 0
 ath0: unable to reset hardware; hal status 3618274072
 ---
 ath0 at pci0 dev 11 function 0 Atheros AR5213 (D-Link DWL-AG530) rev
 0x01: irq 11 ath0: unable to attach hardware; HAL status 22
 ---
 ath0 at pci0 dev 11 function 0 Atheros AR5413 rev 0x01: irq 11
 ath0: AR5413 10.5 phy 6.1 rf 6.3, FCC2A*, address 00:1c:f0:19:aa:66
 ath0: bogus xmit rate 0x0 (idx 0x7)
 ath0: bogus xmit rate 0x0 (idx 0x7)
 ath0: bogus xmit rate 0x0 (idx 0x7)

 When I played with this card and driver, forcing detecting it as 5212
 (second sample output), I saw message saying failed to resume the
 AR5212 (again), see sys/dev/ic/ar5212.c line 334 (I played with
 incrementing loop count and sleep time there, without luck). Do not
 remember HAL status though, but it was consistent; may try again of
 course if it's needed.

 A few minutes ago, while I was writing this, it froze (no panic)
 the whole PC after a few ifconfig ath0 media xxx and ifconfig ath0
 commands. I have no AP around there, so I cannot even say whether it
 works in BSS mode, but in hostap mode it doesn't (even when status is
 active). But I'm a newbie in Wi-Fi, maybe I missed something...
 
 Now I can reliably cause a freeze or panic:
 
 boot> boot -s
 ...
 # cd /etc
 # sh netstart ath0
 # ^D
 ...
 starting network...
 got it
 
 One of the panics (not from a GENERIC kernel (I tried 2: a month-old one and one
 built a few hours ago), they still just freeze, and I have stopped
 experiments now) is at the end of the letter.
 
 Also on madwifi.org I discovered that D-Link really changed the chip in the A4 or
 A5 h/w revision (I have A6), from AR5212 to AR5213. Currently I'm trying
 to find a replacement for this card (AR5212-based at least)...
 
 --
   Best wishes,
 Vadim Zhukov
 
 
 (written by hand)
 
 ddb> trace
 Debugger(d1a0,de8d1960,d19ff030,4,1) at Debugger+0x4
 panic(d07273ad,d072748c,7,2,d7b7df00) at panic+0x63
 ieee80211_set_link_state(d19ff030,4,,919f7) at
 ieee80211_set_link_state
 ath_newstate(d19ff030,4,,0064,de9eae60) at ath_newstate+0x181
 ieee80211_create_ibss(d19ff030,d19ff2ea,d0202262,d0,7f51e754) at
 ieee80211_create_ibss+0x11b
 ieee80211_end_scan(d19ff030,d0388db6,d1a1d2c0,de9eaed8) at
 ieee80211_end_scan_0x21e
 ath_next_scan(d19ff000,beaebe58,5305bdc4,0,0) at ath_next_scan+0x3d
 softclock(58,10,10,10,d7bd12b0) at softclock+0x22c
 Bad frame pointer: 0xde9eaef8
 ddb> ps
    PID   PPID   PGRP  UID  S     FLAGS  WAIT      COMMAND
  29743  12849  12849    0  3    0x4002  biowait   perl
  23968  29279  29279   83  3     0x180  poll      ntpd
  23968  29279      1    0  3      0x80  poll      ntpd
  18665      1  18665    0  3      0x80  poll      rpc.lock
  28214  31308  31308    0  3      0x80  nfsd      nfsd
  25324  31308  31308    0  3      0x80  nfsd      nfsd
    265  31308  31308    0  3      0x80  nfsd      nfsd
  30325  31308  31308    0  3      0x80  nfsd      nfsd
  31308      1  31308    0  3      0x80  netcon    nfsd
  28807      1  28807    0  3      0x80  select    mountd
  24743  19443  19443   68  3     0x180  select    isakmpd
  12187      1  12187   28  3     0x180  poll      portmap
  19443      1  19443    0  3      0x80  netio     isakmpd
  21435  10256  10256   70  3     0x180  select    named
  10256      1  10256    0  3     0x180  netio     named
  27148   2629   2629   74  3     0x180  bpf       pflogd
   2629      1   2629    0  3      0x80  netio     pflogd
   6598  12385  12385   73  3     0x180  poll      syslogd
  12385      1  12385    0  3      0x80  netio     syslogd
  12849      1  12849    0  3    0x4082  pause     sh
     18      0      0    0  3  0x100200  bored     crypto
     17      0      0    0  3  0x100200  aiodoned  aiodoned
 16  0  0  0  3   

Bug 5682

2008-04-15 Thread Rickard Dahlstrand

Hi,

Can someone please commit this, we are suffering from it and would be 
very happy not to have to patch manually. It has been running on +3 
systems with the relevant hardware for about 6 months now.


Also, what is the correct procedure for getting bugs corrected? When I 
search the pr-database there are lots of open bugs.


Rickard.



Re: ath0 - not reachable - system hangs

2008-04-15 Thread Dirk Mast
Matthew Szudzik wrote:

 ath0 at pci0 dev 12 function 0 Atheros AR2413 rev 0x01: irq 9
 ath0: AR2413 7.8 phy 4.5 rf 5.6, FCC2A*, address 00:1d:0f:af:98:88
 
 According to the CVS log at
  http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/ic/ath.c#rev1.56
 support is still incomplete for the AR2413 chipset.

This log is now 17 months old, I had hoped, that something would 
have changed there.

Perhaps it was overseen and forgotten by the devs.

Could we somehow help w/ testing or in some other way?

I can't donate the hardware, but I could definitely spend some time
or apply some patches if that would help the devs anyhow.

Would be nice, if these devices would work in the future.



Re: ath0 - not reachable - system hangs

2008-04-15 Thread Richard Daemon
On Tue, Apr 15, 2008 at 11:52 AM, Dirk Mast [EMAIL PROTECTED] wrote:

 Matthew Szudzik wrote:

   ath0 at pci0 dev 12 function 0 Atheros AR2413 rev 0x01: irq 9
   ath0: AR2413 7.8 phy 4.5 rf 5.6, FCC2A*, address 00:1d:0f:af:98:88
  
   According to the CVS log at
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/ic/ath.c#rev1.56
   support is still incomplete for the AR2413 chipset.



 This log is now 17 months old, I had hoped, that something would
  have changed there.

  Perhaps it was overseen and forgotten by the devs.

  Could we somehow help w/ testing or in some other way?

  I can't donate the hardware, but I could definitely spend some time
  or apply some patches if that would help the devs anyhow.

  Would be nice, if these devices would work in the future.

I could probably still get them at a cheap price, $20.00 or so and
ship them if the shipping isn't too costly.
I too would love to get them fully and properly working.



Transparent Squid Proxy random lock-ups

2008-04-15 Thread Preston Kutzner
I posted this before in another thread, but figured I'd re-post it as
its own thread.

The set-up we have is a dedicated system running OpenBSD 4.2, Squid and
SquidGuard.  Squid is running in transparent mode and is (obviously)
running as a transparent caching proxy, administratively blocking
certain sites via SquidGuard.

The problem we're having with this machine (and had with a previous
machine, but thought it was the old hardware we were running it on) is
that it will randomly have its network interface stop working
completely.  The machine itself is not locked-up, and is still usable
from a local console, but all network activity ceases.  Attempts to
reset the card using ifconfig, etc, do nothing.  Once this lock-up
happens, the only thing that seems to fix it is a full reboot.

I have found no clues as to the cause of the problem in the log files.

The system is a shuttle box running an AMD_64 processor, 1GB of ram and
the built-in NIC, which uses the nfe driver.  Please note that this
system is not running pf.

As I mentioned earlier, we experienced the same problem with a
different system before (a re-commissioned PPC G4) and chalked it up to
old, unstable hardware.  But this is a reasonably modern system that is
experiencing the same problem.  Any help / hints would be greatly
appreciated.

Thanks in advance.  dmesg and sysctl output follow:

Here's the dmesg output:

OpenBSD 4.2 (GENERIC) #1179: Tue Aug 28 10:37:50 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1073278976 (1023MB)
avail mem = 1030926336 (983MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.2 @ 0xf (39 entries)
bios0: vendor Phoenix Technologies, LTD version 6.00 PG date 06/28/2005
bios0: Shuttle Inc SN95V30
acpi at mainbus0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Athlon(tm) 64 Processor 3700+, 2211.02 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: AMD erratum 89 present, BIOS upgrade may be required
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 NVIDIA nForce3 250 PCI Host rev 0xa1
pcib0 at pci0 dev 1 function 0 NVIDIA nForce3 250 ISA rev 0xa2
nviic0 at pci0 dev 1 function 1 NVIDIA nForce3 250 SMBus rev 0xa1
iic0 at nviic0
iic1 at nviic0
adt0 at iic1 addr 0x2e: adm1027 rev 0x6a
iic1: addr 0x4e 03=06 04=06 12=ff 13=0f 28=83 29=12 2a=12 2b=28
ohci0 at pci0 dev 2 function 0 NVIDIA nForce3 250 USB rev 0xa1: irq 7, version 1.0, legacy support
ohci1 at pci0 dev 2 function 1 NVIDIA nForce3 250 USB rev 0xa1: irq 5, version 1.0, legacy support
ehci0 at pci0 dev 2 function 2 NVIDIA nForce3 250 USB2 rev 0xa2: irq 10
usb0 at ehci0: USB revision 2.0
uhub0 at usb0: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
nfe0 at pci0 dev 5 function 0 NVIDIA nForce3 LAN rev 0xa2: irq 10, address 00:30:1b:ba:2d:ee
eephy0 at nfe0 phy 1: Marvell 88E Gigabit PHY, rev. 2
auich0 at pci0 dev 6 function 0 NVIDIA nForce3 250 AC97 rev 0xa1: irq 7, nForce3 AC97
ac97: codec id 0x414c4760 (Avance Logic ALC655 rev 0)
audio0 at auich0
pciide0 at pci0 dev 8 function 0 NVIDIA nForce3 250 IDE rev 0xa2: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: LITE-ON, DVDRW SHW-160P6S, PS01 SCSI0 5/cdrom removable
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 4
pciide1 at pci0 dev 10 function 0 NVIDIA nForce3 250 SATA rev 0xa2: DMA
pciide1: using irq 11 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: WDC WD2500JD-00HBC0
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
ppb0 at pci0 dev 11 function 0 NVIDIA nForce3 250 AGP rev 0xa2
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon 9200 SE Sec rev 0x01
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ATI Radeon 9200 SE rev 0x01 at pci1 dev 0 function 1 not configured
ppb1 at pci0 dev 14 function 0 NVIDIA nForce3 250 PCI-PCI rev 0xa2
pci2 at ppb1 bus 2
VIA VT6306 FireWire rev 0x80 at pci2 dev 7 function 0 not configured
pchb1 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pchb2 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb3 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb4 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using 

Re: bgp routing question

2008-04-15 Thread Lord Sporkton
On 25/03/2008, Fridiric Pli [EMAIL PROTECTED] wrote:
 Hi,

  I have an openbsd router with two ebgp peers.

  I have several prefixes to announce but I would like to know how I could
  influence outcoming traffic from each of my prefix.

  I did not understand how to use weight, localpref and metric nor filter
  rules to do that.

  any clue or example ?

  many thanks,


  FP



I believe you can use local pref to influence outbound traffic.

http://www.cisco.com/en/US/docs/internetworking/technology/handbook/bgp.html#wp1020583

--
-Lawrence



Re: ath0 - not reachable - system hangs

2008-04-15 Thread Dirk Mast
Dirk Mast wrote:

 Matthew Szudzik wrote:
 
 ath0 at pci0 dev 12 function 0 Atheros AR2413 rev 0x01: irq 9
 ath0: AR2413 7.8 phy 4.5 rf 5.6, FCC2A*, address 00:1d:0f:af:98:88
 
 According to the CVS log at
  http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/ic/ath.c#rev1.56
 support is still incomplete for the AR2413 chipset.
 
 This log is now 17 months old, I had hoped, that something would
 have changed there.
 
 Perhaps it was overseen and forgotten by the devs.
 
 Could we somehow help w/ testing or in some other way?
 
 I can't donate the hardware, but I could definitely spend some time
 or apply some patches if that would help the devs anyhow.
 
 Would be nice, if these devices would work in the future.

Doh. Ignore this. Old mail from sent folder made it again.



Re: spamd in modified greylisting mode.

2008-04-15 Thread Peter N. M. Hansteen
Preston Kutzner [EMAIL PROTECTED] writes:

 So, this brings me to my set-up inquiry.  We do receive lots of
 delivery attempts to non-existent addresses in our domain and the
 greytrapping feature of spamd was especially handy for blocking sites
 attempting to deliver to these non-existent addresses.  I would like to
 be able to take advantage of this feature of spamd, along with the
 blacklist features, while not delaying email to non spamtrapped
 addresses.

You will probably find that those delivery attempts tend to try the
secondary mx first, if you have one.  One way to harvest the known bad
senders would be to set up one or more dummy backup MXes whose sole
purpose is to run a greylisting spamd with greytrapping.  The next
step would then be a blacklisting-only spamd in front of your real MX
using frequent dumps of your greytrapped IP addresses, likely
supplemented by something like uatraps.  Most likely not as effective
as greylisting with greytrapping all around, but it would give you
some of the benefits of greytrapping.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
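
The dump step described above (greytrapped addresses harvested on a dummy backup MX, fed to a blacklisting-only spamd in front of the real MX), as an added example that is not code from this thread. It assumes the `TRAPPED|ip|expire` line form that spamdb(8) prints; the sample dump, the reference time and the never-block range are constructed, and loading the resulting list into the front-end spamd is left to the site's own spamd-setup configuration.

```python
import ipaddress

# Constructed spamdb(8) dump; every host and address here is made up.
SAMPLE_SPAMDB = """\
WHITE|192.0.2.10|||1208270000|1208271800|1211381400|3|12
GREY|198.51.100.7|mail.bulk.example|<x91@bulk.example>|<nosuchuser@corp.example>|1208275000|1208276500|1208289400|1|0
TRAPPED|198.51.100.7|1208361400
TRAPPED|203.0.113.5|1208200000
TRAPPED|192.0.2.77|1208361400
TRAPPED|not-an-ip|1208361400
SPAMTRAP|ghost@corp.example
"""

NOW = 1208275200                 # constructed "current time", epoch seconds
NEVER_BLOCK = ["192.0.2.0/24"]   # hypothetical range that must never be blacklisted


def trapped_addresses(dump, now, never_block=()):
    """Return the still-valid TRAPPED addresses from a spamdb dump, sorted."""
    nets = [ipaddress.ip_network(n) for n in never_block]
    found = set()
    for line in dump.splitlines():
        fields = line.strip().split("|")
        if len(fields) != 3 or fields[0] != "TRAPPED":
            continue                      # WHITE, GREY, SPAMTRAP, junk
        try:
            ip = ipaddress.ip_address(fields[1])
            expire = int(fields[2])
        except ValueError:
            continue                      # malformed entry: skip, do not guess
        if expire <= now:
            continue                      # trap entry has already expired
        if any(ip in net for net in nets):
            continue                      # safety net against blocking partners
        found.add(ip)
    ordered = sorted(found, key=lambda a: (a.version, int(a)))
    return [str(ip) for ip in ordered]


def render_blacklist(addresses):
    """One address per line, ready to be written to a list file."""
    return "".join(addr + "\n" for addr in addresses)


if __name__ == "__main__":
    print(render_blacklist(trapped_addresses(SAMPLE_SPAMDB, NOW, NEVER_BLOCK)), end="")
```

Dropping expired entries on every dump keeps the front-end blacklist from outliving the trap hits it was built from.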



Re: spamd in modified greylisting mode.

2008-04-15 Thread Calomel
Preston,

I do not believe that spamd can deliver mail on the first attempt. Hosts
like Southwest airlines and a few others only attempt to send mail _once_
and never try again. Even worse are hosts that use unique From: addresses on
every attempt and thus never get white listed. Other hosts only retry the
delivery of mail once or twice in a four(4) hour period. I understand your
dilemma especially if you work in marketing.

Spamd needs to know about the host trying to deliver the mail before it can
white list the host. Normally, the remote host would need to connect to
your mail host at least three times before the mail can be delivered. For
example:

  attempt 1: host is GREY listed
  attempt 2: host is WHITE listed
  attempt 3: host connects to the real mail server to deliver its mail

We have written Perl scripts to watch the spamd logs and add remote hosts
that send to valid email addresses to the white list. This will reduce the
amount of attempts the remote host needs to make down to two:

  attempt 1: host is GREY listed by spamd _and_ WHITE listed by our script
  attempt 2: host connects to the real mail server to deliver its mail

The speed at which the email is delivered is dependent on the retry rate of
the remote host. This still is not a perfect solution.

Now, you could try to collect a white list of hosts you always accept mail
for, but the problem is your users want to accept mail quickly from all
hosts.  If your business is highly dynamic and you accept email from new
potential clients all the time then this method is not really that helpful.

If anyone has any other ideas on this topic I would also be interested in
hearing them.


Hope this helps.

  Spamd tarpit/greylisting anti-spam how to
  http://calomel.org/spamd_config.html

--
  Calomel @ http://calomel.org
  Open Source Research and Reference


On Tue, Apr 15, 2008 at 10:48:47AM -0500, Preston Kutzner wrote:
I'm hoping someone can help me by answering a couple of questions
regarding spamd.  Ultimately, I'm wanting to know if the spamd setup
I'm envisioning is possible.  I'll explain the situation.

To begin, we attempted a typical setup of spamd in greylisting mode on
our firewall in front of our MX.  This worked great and was catching
lots of spam, for around 48 hours.  During this time, we (IT Dept.)
got several complaints about delayed delivery of emails from our
clients.  This was mostly due to impatient recipients within our
organization.  However, as a result, we were told, by executive order,
to shut down the greylisting.  Apparently the greylisting, in doing
what it's supposed to do, was disrupting time-sensitive email.
Nevermind that we were white-listing these senders as we were made
aware of them.

So, this brings me to my set-up inquiry.  We do receive lots of
delivery attempts to non-existent addresses in our domain and the
greytrapping feature of spamd was especially handy for blocking sites
attempting to deliver to these non-existent addresses.  I would like to
be able to take advantage of this feature of spamd, along with the
blacklist features, while not delaying email to non spamtrapped
addresses.

From my understanding of the interaction between spamd and pf, this
either isn't possible or is non-trivial.  However, I figured I would
see if anyone has done a similar set-up or knows of a way to implement
this.  Thanks.
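
The log-watching approach described in the reply above (whitelist a greylisted host as soon as it is seen mailing a valid address), as an added example; it is not the Perl scripts mentioned in the thread, which the thread does not show. It assumes spamd's `(GREY) ip: <from> -> <to>` log line form and a hypothetical list of valid mailboxes; the log lines are constructed, and the `spamdb -a` commands are only rendered, not run.

```python
import ipaddress
import re

# Constructed spamd log lines; every host and address here is made up.
SAMPLE_LOG = """\
Apr 15 10:01:02 mx spamd[2001]: (GREY) 192.0.2.10: <alice@partner.example> -> <sales@corp.example>
Apr 15 10:01:05 mx spamd[2001]: (GREY) 198.51.100.7: <x91@bulk.example> -> <nosuchuser@corp.example>
Apr 15 10:01:09 mx spamd[2001]: (GREY) 203.0.113.5: <news@list.example> -> <Support@Corp.Example>
Apr 15 10:01:11 mx spamd[2001]: (GREY) 203.0.113.5: <news@list.example> -> <ghost@corp.example>
Apr 15 10:01:20 mx spamd[2001]: (BLACK) 198.51.100.99: <a@b.example> -> <sales@corp.example>
Apr 15 10:01:30 mx spamd[2001]: 192.0.2.10: disconnected after 12 seconds.
"""

# Hypothetical list of real mailboxes, e.g. exported from the mail server.
VALID_RCPTS = {"sales@corp.example", "support@corp.example"}

GREY_RE = re.compile(r"spamd\[\d+\]: \(GREY\) (\S+): <([^>]*)> -> <([^>]*)>")


def parse_grey(log_text):
    """Yield (ip, sender, recipient) for every greylisted delivery attempt."""
    for line in log_text.splitlines():
        m = GREY_RE.search(line)
        if not m:
            continue                  # BLACK hits, disconnect notices, other daemons
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue                  # never hand an unparsed token to a command
        yield ip, m.group(2).lower(), m.group(3).lower()


def whitelist_candidates(log_text, valid_rcpts):
    """Hosts that mailed valid addresses and no unknown ones, sorted."""
    valid = {r.lower() for r in valid_rcpts}
    good, bad = set(), set()
    for ip, _sender, rcpt in parse_grey(log_text):
        (good if rcpt in valid else bad).add(ip)
    # A host that also probed a nonexistent mailbox is left to greylisting
    # and greytrapping instead of being fast-tracked.
    ordered = sorted(good - bad, key=lambda a: (a.version, int(a)))
    return [str(ip) for ip in ordered]


def spamdb_commands(ips):
    """Render the spamdb(8) calls that would add WHITE entries."""
    return ["spamdb -a " + ip for ip in ips]


if __name__ == "__main__":
    for cmd in spamdb_commands(whitelist_candidates(SAMPLE_LOG, VALID_RCPTS)):
        print(cmd)
```

Only 192.0.2.10 qualifies in the sample: 203.0.113.5 reached a valid mailbox but also tried an unknown one, so it stays greylisted.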




Chatting with developers? Is it soo 1996?

2008-04-15 Thread Unix Fan
I found an old email on the mailing lists, dating back to 1996, when Theo 
announced users could connect and chat with the developers on their ICB server.



I'm wondering, when did it go private? Why can't users join and chat.. or 
idle.. and watch OpenBSD development as it takes place, are there any other 
places to go besides -cvs?



http://monkey.org/openbsd/archive2/misc/199609/msg00014.html







-Nix Fan.




Re: Chatting with developers? Is it soo 1996?

2008-04-15 Thread Theo de Raadt
 I found an old email on the mailing lists, dating back to 1996, when
 Theo announced users could connect and chat with the developers on
 their ICB server.

Many developers did not like it, so please leave them alone.



Re: Chatting with developers? Is it soo 1996?

2008-04-15 Thread Andrés
On Tue, Apr 15, 2008 at 2:20 PM, Theo de Raadt [EMAIL PROTECTED] wrote:
  I found an old email on the mailing lists, dating back to 1996, when
   Theo announced users could connect and chat with the developers on
   their ICB server.

  Many developers did not like it, so please leave them alone.



I can understand your point, but isn't there a way of connecting to
just read? I mean, we only read, you talk.

That would be very interesting.



Mega Conference 18 Jun - Pav Atlantico

2008-04-15 Thread O Segredo em Portugal
- PT -
If you cannot see the images, click the following link: 
http://www.hostallsends.net/2008/04/20080033.html

THE SECRET - O SEGREDO EM PORTUGAL
18 JUN 2008 - PAVILHAO ATLANTICO

MEGA CONFERENCE WITH BOB PROCTOR

BUY YOUR TICKET NOW, 
Go to www.osegredoemportugal.com or visit the points of sale:
FNAC, Media Markt, El Corte Ingles, ABEP and www.pavilhaoatlantico.pt

After The Secret became the best-selling book in the whole world, come on 
18 June to attend the first conference of The Secret in 
Portugal, led by Bob Proctor, the philosopher of the book and DVD The Secret.

I can show you how to earn the money you need, for the things you 
want, to live the way you prefer to live Bob Proctor

The Pavilhao Atlantico will be transformed to host a conference that you 
cannot miss:
A multimedia stage with high technology, a giant screen, simultaneous 
translation, and a spectacular atmosphere full of POSITIVE ENERGY are the 
ingredients that will make this the largest conference ever held in Portugal.
First part with the motivational speaker Adelino Cunha.

Event production: Just LikeYou - Comunicacao 2.0


-
This campaign was distributed to misc@openbsd.org
To remove yourself from the list, please click this link
http://www.webmkt2.net/oempro/unsubscribe.php?CampaignID=18CampaignStatisticsID=29Demo=0EncryptedMemberID=Mzg5NTY5ODA5MjA%3D[EMAIL
 PROTECTED]


-/-


- UK -
If you can not view images, click this link:
http://www.hostallsends.net/2008/04/20080033.html


-
This campaign was delivered to misc@openbsd.org
To remove from the list, please visit this link
http://www.webmkt2.net/oempro/unsubscribe.php?CampaignID=18CampaignStatisticsID=29Demo=0EncryptedMemberID=Mzg5NTY5ODA5MjA%3D[EMAIL
 PROTECTED]



Re: Chatting with developers? Is it soo 1996?

2008-04-15 Thread Jason Dixon

On Apr 15, 2008, at 1:52 PM, Andrés wrote:

On Tue, Apr 15, 2008 at 2:20 PM, Theo de Raadt [EMAIL PROTECTED]
 wrote:

I found an old email on the mailing lists, dating back to 1996, when
Theo announced users could connect and chat with the developers on
their ICB server.


Many developers did not like it, so please leave them alone.


I can understand your point, but isn't there a way of connecting to
just read? I mean, we only read, you talk.

That would be very interesting.


Yes, and annoying to the developers.  The last thing they want are
private conversations broadcasted on [EMAIL PROTECTED]

---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net



Abort trap on 4.3 release

2008-04-15 Thread Pieter Verberne
Hi guys,

Yesterday I installed OpenBSD 4.3 release from CD. I copied both
PORTS_TA.GZ and SRC_TAR.GZ to /tmp. I extracted the ports to /usr/, and
while extracting src, I tried to make libsndfile in the ports tree. I
got Abort trap. I tried other commands as well but I got the same.
Shell buildin commands just worked. I couldn't even halt my system, it
gave me the same error.

So, I turned my laptop off, and on, waited for 'that diskchecking
thing'. Finding an IP via DHCP seems to work, but after the Starting
network-line, I started getting the Abort trap error for ~10 times.
Also, the following line is coming again and again:
[date] init: can't exec getty '/usr/libexec/getty' for port
/dev/sttyC[012345]: Is a directory

(Uhm, I'm not sure if I'll try to fix this install. I think I'll do just
a fresh install instead. But let's just wait for your comments)

Pieter Verberne


OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz (GenuineIntel
686-class) 1.67 GHz
cpu0:

FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem  = 1063677952 (1014MB)
avail mem = 1020465152 (973MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/18/07, BIOS32 rev. 0 @
0xfd690, SMBIOS rev. 2.4 @ 0xe0010 (68 entries)
bios0: vendor LENOVO version 7CETC6WW (2.16 ) date 04/18/2007
bios0: LENOVO 9456HTG
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SSDT ECDT TCPA APIC MCFG HPET SLIC BOOT SSDT
SSDT SSDT SSDT SSDT
acpi0: wakeup devices LID_(S3) SLPB(S3) LURT(S3) DURT(S3) EXP0(S4)
EXP1(S4) EXP2(S4) EXP3(S4) PCI1(S4) USB0(S3) USB1(S3) USB2(S3)
USB7(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (AGP_)
acpiprt2 at acpi0: bus 2 (EXP0)
acpiprt3 at acpi0: bus 3 (EXP1)
acpiprt4 at acpi0: bus 4 (EXP2)
acpiprt5 at acpi0: bus 12 (EXP3)
acpiprt6 at acpi0: bus 21 (PCI1)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2, C1, FVS, 1667, 1333, 1000 MHz
acpitz0 at acpi0: critical temperature 127 degC
acpitz1 at acpi0: critical temperature 98 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpibat0 at acpi0: BAT0 model 42T4510 serial 35445 type LION oem
SANYO
acpibat1 at acpi0: BAT1 not present
acpiac0 at acpi0: AC unit offline
acpidock at acpi0 not configured
bios0: ROM list: 0xc/0xea00! 0xdc000/0x4000! 0xe/0x1!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82945GM Host rev 0x03
agp0 at pchb0: aperture at 0xd000, size 0x1000
vga1 at pci0 dev 2 function 0 Intel 82945GM Video rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Intel 82945GM Video rev 0x03 at pci0 dev 2 function 1 not
configured
azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x02:
irq 11
azalia0: RIRB time out
azalia0: codec[s]: Analog Devices/0x1981, 0x/0x, using
Analog Devices/0x1981
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x02: irq 11
pci1 at ppb0 bus 2
bge0 at pci1 dev 0 function 0 Broadcom BCM5751M rev 0x21, BCM5750
C1 (0x4201): irq 11, address 00:16:d3:b5:fd:30
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb1 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x02: irq 11
pci2 at ppb1 bus 3
wpi0 at pci2 dev 0 function 0 Intel PRO/Wireless 3945ABG rev 0x02:
irq 11, MoW2, address 00:1b:77:41:2f:59
ppb2 at pci0 dev 28 function 2 Intel 82801GB PCIE rev 0x02: irq 11
pci3 at ppb2 bus 4
ppb3 at pci0 dev 28 function 3 Intel 82801GB PCIE rev 0x02: irq 11
pci4 at ppb3 bus 12
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x02: irq 11
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x02: irq 11
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x02: irq 11
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x02: irq 11
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x02: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb4 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xe2
pci5 at ppb4 bus 21
cbb0 at pci5 dev 0 function 0 TI PCIXX12 CardBus rev 0x00: irq 11
TI PCIXX12 FireWire rev 0x00 at pci5 dev 0 function 1 not
configured
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 22 device 0 cacheline 0x8, lattimer 0xb0
pcmcia0 at cardslot0
ichpcib0 at pci0 dev 31 function 0 Intel 82801GBM LPC rev 0x02: PM
disabled
pciide0 at pci0 dev 31 

Re: Chatting with developers? Is it soo 1996?

2008-04-15 Thread bofh
Sure.  Write some code and get it in, then you'll get access :-)





On 4/15/08, Andris [EMAIL PROTECTED] wrote:
 On Tue, Apr 15, 2008 at 2:20 PM, Theo de Raadt [EMAIL PROTECTED]
 wrote:
   I found an old email on the mailing lists, dating back to 1996, when
Theo announced users could connect and chat with the developers on
their ICB server.
 
   Many developers did not like it, so please leave them alone.
 
 

 I can understand your point, but isn't there a way of connecting to
 just read? I mean, we only read, you talk.

 That would be very interesting.



--
Sent from Gmail for mobile | mobile.google.com

http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0feature=related



Re: SSD drives: performance gain

2008-04-15 Thread Ryan Corder
On Mon, Apr 14, 2008 at 06:52:06PM -0500, Jacob Yocom-Piatt wrote:
 am considering acquiring some machines with SSD drives, e.g. thinkpad X300, 
 and was interested to hear about any experiences with openbsd on an SSD 
 drive.

As of last week, the T61 is available with the same drive that comes with
the X300 and is both cheaper and available with more (and faster) options.

later.
ryanc



Re: Abort trap on 4.3 release

2008-04-15 Thread Miod Vallat
 Hi guys,
 
 Yesterday I installed OpenBSD 4.3 release from CD. I copied both
 PORTS_TA.GZ and SRC_TAR.GZ to /tmp. I extracted the ports to /usr/, and
 while extracting src, I tried to make libsndfile in the ports tree. I
 got Abort trap. I tried other commands as well but I got the same.
 Shell builtin commands just worked. I couldn't even halt my system, it
 gave me the same error.

You extracted the source in / instead of /usr/src. As a result, almost
all commands have been overwritten with similarly-named directories
containing their sources.

Reinstall, and do not make this mistake a second time.

Miod



Re: Chatting with developers? Is it soo 1996?

2008-04-15 Thread Theo de Raadt
 On Tue, Apr 15, 2008 at 2:20 PM, Theo de Raadt [EMAIL PROTECTED] wrote:
   I found an old email on the mailing lists, dating back to 1996, when
Theo announced users could connect and chat with the developers on
their ICB server.
 
   Many developers did not like it, so please leave them alone.
 
 
 
 I can understand your point, but isn't there a way of connecting to
 just read? I mean, we only read, you talk.
 
 That would be very interesting.

No.

When people lurk, developers don't feel as free to discuss.



Re: Abort trap on 4.3 release

2008-04-15 Thread Andreas Maus
On Tue, Apr 15, 2008 at 08:01:37PM +0200, Pieter Verberne wrote:
 Hi guys,
Hi Pieter.

 Yesterday I installed OpenBSD 4.3 release from CD. I copied both
Congratulations for your OpenBSD 4.3 CD set ;)

 PORTS_TA.GZ and SRC_TAR.GZ to /tmp. I extracted the ports to /usr/, and
And here is your error.

src.tgz has to be extracted in /usr/src.
You extracted it in /tmp and copied the files to /usr.

tigger:/share/netinst/pub/OpenBSD/4.2# tar tvzf src.tar.gz 
[... snipp ...]
drwxr-xr-x root/wheel0 2007-06-18 22:25 ./bin/chmod
drwxr-xr-x root/wheel0 2007-08-21 00:24 ./bin/chmod/CVS
-rw-r--r-- root/wheel   14 2006-03-01 03:10 ./bin/chmod/CVS/Repository
-rw-r--r-- root/wheel  250 2007-06-18 22:25 ./bin/chmod/CVS/Entries
-rw-r--r-- root/wheel  421 2001-09-06 20:52 ./bin/chmod/Makefile
-rw-r--r-- root/wheel 4864 2007-06-18 22:25 ./bin/chmod/chflags.1
-rw-r--r-- root/wheel 3651 2007-06-18 22:25 ./bin/chmod/chgrp.1

and this will overwrite e.g. /usr/bin/chmod (the file) with the
directory /usr/bin/chmod. And this is causing the abort trap
because under /usr the files have been replaced by directories.

 [date] init: can't exec getty '/usr/libexec/getty' for port
 /dev/sttyC[012345]: Is a directory
--^
See it has been replaced by a directory.
If you extract src.tar.gz to /tmp make sure you copy this to /usr/src.

 (Uhm, I'm not sure if I'll try to fix this install. I think I'll do just
 a fresh install instead. But let's just wait for your comments)
Either do a fresh install or boot the installation CD, exit to the shell
when prompted if you want to (I)nstall, (U)pgrade or (S)hell.

Mount your partition and change to the mount point and extract the
filesets you need (base43.tgz, ...) using tar xvzpf ...

HTH,

Andreas.

P.S.: Don't worry I made this error several times ;)

-- 
Windows 95: A 32-bit patch for a 16-bit GUI shell running on top of
an 8-bit operating system written for a 4-bit processor by a 2-bit
company who cannot stand 1 bit of competition.
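
The failure diagnosed in this thread (source directories such as ./bin/chmod landing on top of the binaries of the same name) can be caught before extracting. The following is an added example, not part of any post in the thread; the function name tar_dir_over_file is hypothetical, and it only reads the archive listing and the target tree.

```shell
#!/bin/sh
# Added example, not from the thread. The function name is hypothetical.
# Lists every path that the archive needs as a directory but that already
# exists under DEST as something else (regular file, device, ...).
# No output means extracting into DEST replaces no file with a directory.

# tar_dir_over_file ARCHIVE DEST
tar_dir_over_file() {
    archive=$1
    dest=${2%/}          # "/" becomes "", so "$dest/bin" is "/bin"
    # Every entry "a/b/c" implies that "a" and "a/b" are directories.
    # Deriving directories from path prefixes works whether or not this
    # tar prints a trailing "/" for directory entries. An empty directory
    # listed without a trailing "/" is not detected.
    tar tzf "$archive" |
    sed -e 's|^\./||' |
    awk -F/ '{
        p = ""
        for (i = 1; i < NF; i++) {
            if ($i == "") continue
            p = (p == "" ? $i : p "/" $i)
            if (!(p in seen)) { seen[p] = 1; print p }
        }
    }' |
    while IFS= read -r dir; do
        if [ -e "$dest/$dir" ] && [ ! -d "$dest/$dir" ]; then
            printf '%s\n' "$dest/$dir"
        fi
    done
}

# Usage: sh check.sh src.tar.gz /usr/src
if [ "$#" -eq 2 ]; then
    tar_dir_over_file "$1" "$2"
fi
```

Run against / or /usr on a system with binaries installed, it prints one line per binary that would be replaced; run against /usr/src it prints nothing.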



Re: Which chips for gigabit ethernet cards are the most OpenBSD friendly and stable?

2008-04-15 Thread Daniel Ouellet

Allen wrote:

Hi Jonathan,

This has been discussed *extensively* on the list. You can no doubt read 
the archives for more detail. I've run bge and em based cards for many, 
many moons and both have served me quite well.


I'm sure others have done more testing than I have but if I had to pick 
which was better it would be a toss up. Both have performed admirably 
even when given a right proper thrashing. :-)


Well, one difference for me here. The EM does give me better results in 
very heavy use, but what really makes it the choice for me is when it's 
set up in CARP. Why, well, I can't say why, but if the server crashes, and 
it does when I use PERL very heavily for hours nonstop, and it's always 
when it processes huge logs by awstats with the query extension enabled. In 
that case, the server will crash maybe once a month and when it does, 
CARP sadly does not take it over in that case, as the BGE built-in network 
card still replies to multicast packets and ping.


I can't explain it, but that's the result. The server is dead, nothing 
works anymore and it does need to be hard reset, and the purpose of setting 
CARP in that instance is gone. So far I do not have that effect with the em 
card.


Don't ask me what's different, I do not know, that's the end result 
however.


So, if you have a choice, I sure would use em, if CARP is not in the 
picture, bge is not bad, but em still provides better results so far.


Best,

Daniel



Re: Bug 5682

2008-04-15 Thread Otto Moerbeek
On Tue, Apr 15, 2008 at 06:03:53PM +0200, Rickard Dahlstrand wrote:

 Hi,

 Can someone please commit this, we are suffering from it and would be very 
 happy not to have to patch manually. It has been running on +3 systems 
 with the relevant hardware for about 6 months now.

 Also, what is the correct procedure for getting bugs corrected? When I 
 search the pr-database there are lots of open bugs.

 Rickard.

I know nothing about ciss(4), but if you mail test reports to
[EMAIL PROTECTED] with the subject Re: Category/Number: title, so in
this case

Re: kernel/5682: fix ciss(4)

the report will be attached to the PR. In that way, useful info does
not get lost (like your post likely will in all the noise of misc@).
Please include at least dmesgs with your report, so we can see which
version of ciss(4) hardware you have tested and on which platforms.

Getting bugs corrected is sometimes hard, but you can make it as easy
for developers as possible by sending in proper, detailed reports,
with diffs to fix the problem and test reports on various platforms.

-Otto



Re: Chatting with developers? Is it soo 1996?

2008-04-15 Thread raven

bofh wrote:

Sure.  Write some code and get it in, then you'll get access :-)


  
I don't think so... You know, some code doesn't make you a developer... Or 
at least an OpenBSD developer. Skill and more than some code make you a 
developer...


My 0.02 cent...

Francesco



On 4/15/08, Andris [EMAIL PROTECTED] wrote:
  

On Tue, Apr 15, 2008 at 2:20 PM, Theo de Raadt [EMAIL PROTECTED]
wrote:


I found an old email on the mailing lists, dating back to 1996, when


  Theo announced users could connect and chat with the developers on
  their ICB server.

 Many developers did not like it, so please leave them alone.


  

I can understand your point, but isn't there a way of connecting to
just read? I mean, we only read, you talk.

That would be very interesting.





--
Sent from Gmail for mobile | mobile.google.com

http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0feature=related




Re: Bug 5682

2008-04-15 Thread Rickard Dahlstrand
Otto Moerbeek wrote:
 On Tue, Apr 15, 2008 at 06:03:53PM +0200, Rickard Dahlstrand wrote:

   
 Hi,

 Can someone please commit this, we are suffering from it and would be very 
 happy not to have to patch manually. It has been running on +3 systems 
 with the relevant hardware for about 6 months now.

 Also, what is the correct procedure for getting bugs corrected? When I 
 search the pr-database there are lots of open bugs.

 Rickard.
 

 I know nothing about ciss(4), but if you mail test reports to
 [EMAIL PROTECTED] with the subject Re: Category/Number: title, so in
 this case

   Re: kernel/5682: fix ciss(4)

 the report will be attached to the PR. In that way, useful info does
 not get lost (like your post likely will in all the noise of misc@).
 Please include at least dmesgs with your report, so we can see which
 version of ciss(4) hardware you have tested and on which platforms.

 Getting bugs corrected is sometimes hard, but you can make it as easy
 for developers as possible by sending in proper, detailed reports,
 with diffs to fix the problem and test reports on various platforms.
   
Hi Otto,

Thanks, I have sent dmesg and bioctl output for three systems to gnats@, 
is there anything else I can do?

Rickard.



Re: Chatting with developers? Is it soo 1996?

2008-04-15 Thread Marc Espie
On Tue, Apr 15, 2008 at 10:12:08AM -0700, Unix Fan wrote:
 I found an old email on the mailing lists, dating back to 1996, when Theo 
 announced users could connect and chat with the developers on their ICB 
 server.
 
 I'm wondering, when did it go private? Why can't users join and chat.. or 
 idle.. and watch OpenBSD development as it takes place, are there any other 
 places to go besides -cvs?

Went private at some point in the past, in fact before I became a developer.

As a result, there's a lot of stuff on that channel, and not all of
it is technical.

You've got to realize, there are not that many people with commit rights
to the tree. After years working together, we know one another, so things
about family matters appear on the channel, or lots of private jokes.

This stuff is definitely written with the expectation that no outsiders
are listening. And it's good that way.

Some public stuff goes on in [EMAIL PROTECTED] or inside the tree proper.

Sorry, we don't even have time to do everything we would like, 
development-wise and documentation-wise, so sanitizing private communication
stuff to extract only the public parts is out of the question.



Re: How secure is OpenBSD really

2008-04-15 Thread Jacob Meuser
On Tue, Apr 15, 2008 at 01:45:14PM +0200, Jernej Makovsek wrote:
 As I said in my first post Now with this post I don`t want to start
 any wars.

that's hard to believe, considering the subject you used, and the
6 year old spoof ezine story you asked about.

disclaimers like the above generally mean exactly the opposite.
if you really don't mean to start a flame war, ask your question
in a more reasonable manner, or just do the research yourself.

-- 
[EMAIL PROTECTED]
SDF Public Access UNIX System - http://sdf.lonestar.org



4.3 and acpi

2008-04-15 Thread axel keuchel
Hi there,

Recently I upgraded OpenBSD 4.2 to 4.3. And it seems that acpi and the BIOS
of my Asus M6Ne laptop don't like each other that much.

Without doing anything, OpenBSD 4.3 presents this at boot:

 OpenBSD 4.3 (GENERIC) #3: Sat Apr 12 23:47:41 CEST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1.60GHz (GenuineIntel 686-class) 1.61 GH
z
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,AC
PI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2
real mem  = 535654400 (510MB)
avail mem = 509906944 (486MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/01/05, BIOS32 rev. 0 @ 0xf0010, SMBIOS 
rev. 2.3 @ 0xf6930 (35 entries)
bios0: vendor American Megatrends Inc. version 0209 date 07/01/2005
bios0: ASUSTeK Computer Inc. M6Ne
apm0 at bios0: Power Management spec V1.2
apm0: AC on, no battery
acpi at bios0 function 0x0 not configured
[etc. pp.]

You see, acpi doesn't seem to work at all.

But when I boot the machine and disable apm this output appears:

OpenBSD 4.3 (GENERIC) #3: Sat Apr 12 23:47:41 CEST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) M processor 1.60GHz (GenuineIntel 686-class) 1.61 GH
z
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,AC
PI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2
real mem  = 535654400 (510MB)
avail mem = 509906944 (486MB)
User Kernel Config
UKC disable apm
321 apm0 disabled
UKC quit
Continuing...
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/01/05, BIOS32 rev. 0 @ 0xf0010, SMBIOS 
rev. 2.3 @ 0xf6930 (35 entries)
bios0: vendor American Megatrends Inc. version 0209 date 07/01/2005
bios0: ASUSTeK Computer Inc. M6Ne
apm at bios0 function 0x15 not configured
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP OEMB
acpi0: wakeup devices SMBS(S3) MODM(S3) P0P2(S3) CBC1(S3) USB1(S3) USB2(S3) USB3
(S3) EHCI(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (P0P2)
acpiprt2 at acpi0: bus 1 (P0P1)
acpiec0 at acpi0
acpicpu0 at acpi0-- invalid ref: efffeecc:aml_freevalue:1782
-- invalid ref: efffeecb:aml_freevalue:1782
-- invalid ref: efffeecc:aml_freevalue:1782
-- invalid ref: efffeecc:aml_freevalue:1782
-- invalid ref: efffeecc:aml_freevalue:1782
-- invalid ref: efffeecb:aml_freevalue:1782
-- invalid ref: efffeecb:aml_freevalue:1782
-- invalid ref: efffeeca:aml_freevalue:1782
-- invalid ref: efffeecc:aml_freevalue:1782
-- invalid ref: efffeecb:aml_freevalue:1782
-- invalid ref: efffeecc:aml_freevalue:1782
-- invalid ref: efffeecb:aml_freevalue:1782
Data modified on freelist: word 3 of object 0xd119c440 size 0x30 previous type d
evbuf (0xefffeeca != 0xefffeecc)
Data modified on freelist: word 3 of object 0xd119ccc0 size 0x30 previous type d
evbuf (0xefffeeca != 0xefffeecc)
Data modified on freelist: word 3 of object 0xd119d480 size 0x30 previous type d
evbuf (0xefffeec9 != 0xefffeecc)
Data modified on freelist: word 3 of object 0xd1199ac0 size 0x30 previous type d
evbuf (0xefffeeca != 0xefffeecc)
Data modified on freelist: word 3 of object 0xd119d740 size 0x30 previous type d
evbuf (0xefffeecb != 0xefffeecc)
Data modified on freelist: word 3 of object 0xd119eb80 size 0x30 previous type d
evbuf (0xefffeeca != 0xefffeecc)
: C2, PSS
acpitz0 at acpi0: critical temperature 105 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
acpiac0 at acpi0: AC unit online
acpibat0 at acpi0: BAT0 model M6NE serial 1 type LIon oem ASUSTek
acpibat1 at acpi0: BAT1 not present
acpibtn2 at acpi0: PWRB
[etc. pp.]

Up to now, I don't know how to deal with this. Under Debian and WinXP acpi
works without problems.

Just let me know if you need any further information (acpidump?).



Re: 4.3 and acpi

2008-04-15 Thread Stuart Henderson
On 2008-04-15, axel keuchel [EMAIL PROTECTED] wrote:
 apm0 at bios0: Power Management spec V1.2
 apm0: AC on, no battery
 acpi at bios0 function 0x0 not configured
 [etc. pp.]

 You see, acpi doesn't seem to work at all.

that's normal: with single processor systems, APM is preferred.
with multi processor systems, ACPI is preferred. (this is done in
sys/arch/i386/i386/bios.c, the if (apm && ncpu < 2) check).

 Up to now, I don't know, how to deal with this. Under Debian and WinXP acpi
 works without problems.

 Just let me know if you need any further information (acpidump?).

# SYS=asus-m6ne
# mkdir $SYS; cd $SYS
# acpidump -o $SYS > $SYS.aml
# dmesg > $SYS.dmesg
# cd ..;tar czf $SYS.tgz $SYS

put the created tgz on a webserver and send the URL.



Re: Chatting with developers? Is it soo 1996?

2008-04-15 Thread Diana Eichert

On Tue, Apr 15, 2008 at 10:12:08AM -0700, Unix Fan wrote:
SNIP
I'm wondering, when did it go private? Why can't users join and chat.. 
or idle.. and watch OpenBSD development as it takes place, are there any 
other places to go besides -cvs?


It's been private as long as I can remember and I've used OpenBSD since 
at least 1998.


Follow cvs@ and tech@ archives if you're interested in what is going on. 
I used to read ALL the cvs commits then I decided to get a life.  Until I 
get around to contributing something of value I see no purpose in 
watching over the shoulders of developers.


diana



Re: Chatting with developers? Is it soo 1996?

2008-04-15 Thread Xavier Masson
Voyeurism is a bad thing ;)

And the developers  made another choice so  :)

Andris wrote:
 On Tue, Apr 15, 2008 at 2:20 PM, Theo de Raadt [EMAIL PROTECTED]
wrote:

 I found an old email on the mailing lists, dating back to 1996, when

   Theo announced users could connect and chat with the developers on
   their ICB server.

  Many developers did not like it, so please leave them alone.




 I can understand your point, but isn't there a way of connecting to
 just read? I mean, we only read, you talk.

 That would be very interesting.


 




Re: Help on package upgrade on 4.3 needed

2008-04-15 Thread Bryan Irvine
On Tue, Apr 15, 2008 at 8:39 AM, Stefan Wollny [EMAIL PROTECTED] wrote:
 Hello folks!

  I need a little help with an issue when upgrading to 4.3-packages (from 
 4.2). I use OpenBSD on an ThinkPad T60 as my daily tool.
  I followed the instructions on www.openbsd.org/faq/upgrade43.html when 
 upgrading the system from the 4.3 CD's. Then I did:
  $ sudo pkg_add -u -i -F update -F updatedepends

  Everything went fine - except that I shouldn't have done that as the 
 majority of the 4.3-packages are not yet available.  :/
  In particular all QT/KDE apps will not yet work. But Gtk/Glib apps work 
 neither.

  pkg_add gave a note to upgrade the following databases:
  /var/db/gtk-2.0/gtk.immodules
  /var/db/gtk-2.0/gdk-pixbuf.loaders
  /var/db/xmlcatalog
  Unfortunately I didn't find a man page for gtk-2.0. The man page for 
 xmlcatalog is beyond my skills (or my English).
  Via Google I found the advice to use pkg_add -r -F update. Well - this 
 somehow worked without any remarks. BUT: Gtk+2-related apps still don't work 
 (like sylpheed).

  Can someone help me? Any hints on where to get more information? What 
 additional information do you need to help me? I provide dmesg further down 
 as first source.

  BTW: Without any trouble the 4.2-versions of Firefox, OpenOffice, acrobat, 
 xpdf, nedit and mc worked still after upgrading. Good!

  Any help is welcome - thanks!

4.3 isn't out yet. Try again around May 1 or build the packages you
need from ports.

-Bryan



Personal EMF Shielding Devices

2008-04-15 Thread runman
A while back someone on the list posted concerning their wife's sensitivity
to EMF.  I came across this via a local list.

http://www.lessemf.com/personal.html

HTH



Re: install42.iso hangs....any ideas?

2008-04-15 Thread Nick Holland
Redirected from ports@ to [EMAIL PROTECTED]
An explanation of what led you to post it to ports@ would be
interesting, second one of those in a couple days, starting to
sound like something is unclear somewhere.

[EMAIL PROTECTED] wrote:
 Hey All,
   I'm trying to install OpenBSD 4.2 and have created an ISO image using
 ISORecorder for XP. The creation of the image on the CD completed with no
 errors. When I boot from the CD to install...the script begins and I get
 some white text on blue background...but then the install stops at the
 following message:
 
 cd0 at scsibus0 targ 1 lun 0: HL-DT_ST, DVDRAM GSA-E50L, NE01 SCSI0
 5/cdrom removalable
 
 any ideas would be greatly appreciated.
 
 Thanks in advance.

You have given us almost nothing to go on.

however...

I notice you have a DVDRAM there.  I've only had one of those, and I
pulled it out of the machine it was in because it seemed to be defective.
I could be wrong..it may be that only two people have ever tried to
install OpenBSD on a machine with a DVDRAM drive into OpenBSD, you and
me.  Or maybe you and I are the only owners of defective DVDRAM drives.

SO, first thing I'd try is to pull the DVDRAM drive out and use a
CD or DVD drive, see if that works better.  If so, let us know, I'll
look into my defective DVDRAM drive more.

If not, tell us SOMETHING about your computer, or (much) better yet,
just put a serial console on it and snag the boot output and let us
look.  Or type out a lot more of what you see on the screen.  Put the
digicam down, I'm not looking.

Nick.



PF ssh bruteforce logging and blocking

2008-04-15 Thread Chris
I have some rules in my pf.conf for ssh brute force where it should
block and log the offending IP address in /etc/bruteforce file. I also
told syslog to log all ssh logging in /var/log/sshd. I can see some
failed login in /var/log/sshd but my /etc/bruteforce file is still
empty. Here's my pf.conf -


ext_if = "fxp0"

tcp_services = "{80, 443, 123}"
udp_services = "{123}"
icmp_services = "{echo_req}"

set block-policy drop
set loginterface $ext_if

scrub in all fragment reassemble
scrub out all random-id fragment reassemble

block all
pass quick on lo0 all
pass out quick on lo0 all

table <bruteforce> persist file "/etc/bruteforce"

block quick from <bruteforce>
antispoof log for { lo0, $ext_if }

block drop in quick log on $ext_if inet6 all

pass in log on $ext_if inet proto tcp from any to ($ext_if) port \
$tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $udp_services

pass inet proto tcp from any to any port ssh \
flags S/SA keep state \
(max-src-conn 10, max-src-conn-rate 5/3, \
overload <bruteforce> flush global)

pass out log on $ext_if inet proto tcp from any to any port $tcp_services

block drop in quick on $ext_if from any to {255.255.255.255, 192.168.25.255}
block drop out quick on $ext_if inet proto icmp from any to {192.168.25.1}

block quick from any os NMAP

pass out log on $ext_if proto { tcp, udp, icmp } all keep state

block drop out quick log on $ext_if inet proto tcp from any to port 22

Here's what I can see on my /var/log/sshd -

Invalid user test from xxx.xx.xx.xx
input_userauth_request: invalid user test
Failed password for invalid user test from xxx.xx.xx.xx port 43734 ssh2

Is there anything I am doing wrong in my pf.conf? Thanks for any help.



Re: install42.iso hangs....any ideas?

2008-04-15 Thread Matthew Szudzik
On Tue, Apr 15, 2008 at 10:03:01PM -0400, Nick Holland wrote:
 I could be wrong..it may be that only two people have ever tried to
 install OpenBSD on a machine with a DVDRAM drive into OpenBSD, you and
 me.  Or maybe you and I are the only owners of defective DVDRAM drives.

I have a DVDRAM drive with the following dmesg

 cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVDRAM GSA-4083N, 1.08 SCSI0 5/cdrom 
removable

and I have not had any problems installing OpenBSD 4.2 on the machine (a
ThinkPad T60).



Re: install42.iso hangs....any ideas?

2008-04-15 Thread Unix Fan
Sorry for hijacking this thread, but it brings up an interesting question..



How well does OpenBSD support DVD-RAM drives? does the cd(4) driver support 
read/write operations? - i.e: Would it be possible to use it as a normal block 
device?



Again, sorry for hijacking.. unfortunately, I'm not sure why your system is 
bailing out at that point, consider enabling verbose in UKC. (boot -c)



..And yet another off-topic question, What about Mount Rainier (packet writing) 
support for CD-RW drives? that would be so awesome! :D







-Nix Fan.




Re: PF ssh bruteforce logging and blocking

2008-04-15 Thread Calomel
Chris,

Your /etc/bruteforce file will be read when pf loads its rules. IPs added
to the bruteforce table through the overload directive will _not_ be
added to the /etc/bruteforce text file.

Can you see IPs in the bruteforce table?

pfctl -t bruteforce -T show

If you want to dump those IPs from the table to the text file you can
always do pfctl -t bruteforce -T show > /etc/bruteforce


Hope this helps.

  OpenBSD Pf Firewall how to ( pf.conf )
  http://calomel.org/pf_config.html

--
  Calomel @ http://calomel.org
  Open Source Research and Reference


On Wed, Apr 16, 2008 at 12:20:38PM +1000, Chris wrote:
I have some rules in my pf.conf for ssh brute force where it should
block and log the offending IP address in /etc/bruteforce file. I also
told syslog to log all ssh logging in /var/log/sshd. I can see some
failed login in /var/log/sshd but my /etc/bruteforce file is still
empty. Here's my pf.conf -


ext_if = "fxp0"

tcp_services = "{80, 443, 123}"
udp_services = "{123}"
icmp_services = "{echo_req}"

set block-policy drop
set loginterface $ext_if

scrub in all fragment reassemble
scrub out all random-id fragment reassemble

block all
pass quick on lo0 all
pass out quick on lo0 all

table <bruteforce> persist file "/etc/bruteforce"

block quick from <bruteforce>
antispoof log for { lo0, $ext_if }

block drop in quick log on $ext_if inet6 all

pass in log on $ext_if inet proto tcp from any to ($ext_if) port \
$tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $udp_services

pass inet proto tcp from any to any port ssh \
flags S/SA keep state \
(max-src-conn 10, max-src-conn-rate 5/3, \
overload <bruteforce> flush global)

pass out log on $ext_if inet proto tcp from any to any port $tcp_services

block drop in quick on $ext_if from any to {255.255.255.255, 192.168.25.255}
block drop out quick on $ext_if inet proto icmp from any to {192.168.25.1}

block quick from any os NMAP

pass out log on $ext_if proto { tcp, udp, icmp } all keep state

block drop out quick log on $ext_if inet proto tcp from any to port 22

Here's what I can see on my /var/log/sshd -

Invalid user test from xxx.xx.xx.xx
input_userauth_request: invalid user test
Failed password for invalid user test from xxx.xx.xx.xx port 43734 ssh2

Is there anything I am doing wrong in my pf.conf? Thanks for any help.
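
Because overload entries live only in the kernel table, they are gone after a reboot unless the table is written back to the file it is loaded from. Redirecting pfctl output straight into that file truncates it before pfctl runs, so a failed pfctl leaves an empty file; the sketch below captures first and replaces the file atomically. It is an added example, not code from the thread; the function names persist_pf_table and filter_addrs are hypothetical, and the table name and path are the ones from the posted pf.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical; the
# table name and file path are the ones used in the posted pf.conf.

# Keep only lines that look like an IPv4 or IPv6 address, optionally with a
# /prefix. This is a sanity filter, not a full address validator.
filter_addrs() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    grep -E '^([0-9]{1,3}(\.[0-9]{1,3}){3}|[0-9A-Fa-f.]*:[0-9A-Fa-f:.]*)(/[0-9]{1,3})?$'
}

# persist_pf_table TABLE FILE
# Writes the live contents of TABLE to FILE and prints the number of entries.
# FILE is replaced by a new file, so its previous owner and mode are not kept.
persist_pf_table() {
    table=$1
    file=$2
    # Capture first: if pfctl fails, FILE is left exactly as it was.
    live=$(pfctl -t "$table" -T show) || return 1
    # Temp file in the same directory, so the final mv is an atomic rename.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    printf '%s\n' "$live" | filter_addrs | LC_ALL=C sort -u > "$tmp"
    if ! mv -f "$tmp" "$file"; then
        rm -f "$tmp"
        return 1
    fi
    wc -l < "$file" | tr -d ' '
}

# Example use from root's crontab: sh persist.sh bruteforce /etc/bruteforce
if [ "$#" -eq 2 ]; then
    persist_pf_table "$1" "$2"
fi
```

Addresses written this way are loaded into the table again the next time pf reads the ruleset, so the file grows until entries are removed from the table.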



Re: install42.iso hangs....any ideas?

2008-04-15 Thread Matthew Szudzik
On Tue, Apr 15, 2008 at 07:33:41PM -0700, Unix Fan wrote:
 How well does OpenBSD support DVD-RAM drives? does the cd(4) driver support 
 read/write operations? - i.e: Would it be possible to use it as a normal 
 block device?

I have successfully read and written several DVDs and CDs using OpenBSD,
following the instructions at
 http://www.openbsd.org/faq/faq13.html



Re: PF ssh bruteforce logging and blocking

2008-04-15 Thread Chris
On Wed, Apr 16, 2008 at 1:39 PM, Calomel [EMAIL PROTECTED] wrote:
  Can you see IPs in the bruteforce table?
  pfctl -t bruteforce -T show
  If you want to dump those IPs from the table to the text file you can
  always do pfctl -t bruteforce -T show > /etc/bruteforce

Thanks. This resolved the issue.