Re: Trouble with OpenBSD 4.2 DNS server setup
> Are you *sure* you don't mean "while still providing the _internal
> network_ recursive queries" or "not provide _reverse_ queries"? Really,
> really sure?

No, I am not sure. My DNS skills are not what they need to be. I am working on improving them. I am just getting tired of the endless worms and spyware that somehow find their way onto a Windows 2000 server. Hell, there isn't even a monitor on that computer; other than Windows Update it has never even browsed the web.

So I decided it was time to brush up on my skills and ditch the Windows DNS.

What I have found out since I made this post is that recursion has not much to do with reverse lookup. It would appear that I was confused.

I really do thank everyone for their input; it is helpful.

Sam Fourman Jr.
Re: Trouble with OpenBSD 4.2 DNS server setup
On Thu, May 08, 2008 at 12:03:30AM -0500, Sam Fourman Jr. wrote:
> On Wed, May 7, 2008 at 10:41 PM, Jon Radel <[EMAIL PROTECTED]> wrote:
> > Sam Fourman Jr. wrote:
> > >> > (...) I want to host email for 10 different domains (...)
> > >> If you're currently using a setup that involves the same IP
> > >> address for both authoritative (domains you host) and recursive
> > >> queries (client DNS requests), you should get these split onto
> > >> separate addresses.
>
> What I am really after is, well it is probably a fine line the
> most secure DNS can be while still providing the outside world
> recursive queries.
> because there is no real (sane) way to host email servers and not
> provide recursive queries.

Are you *sure* you don't mean "while still providing the _internal network_ recursive queries" or "not provide _reverse_ queries"? Really, really sure?

I would dispute the necessity of either, at least for a modest setup, but I will agree that both are helpful: a caching nameserver can speed up name resolution, potentially increasing throughput on a busy server; a proper reverse DNS can help get past spam filters.

But providing all of the world access to recursive DNS is not a good idea, and certainly not necessary.

Joachim

--
TFMotD: zmore, zless (1) - view compressed files
Re: Trouble with OpenBSD 4.2 DNS server setup
On Wed, May 7, 2008 at 11:03 PM, Sam Fourman Jr. <[EMAIL PROTECTED]> wrote:
> On Wed, May 7, 2008 at 10:41 PM, Jon Radel <[EMAIL PROTECTED]> wrote:
...
> > >> If you're currently using a setup that involves the same IP
> > >> address for both authoritative (domains you host) and recursive
> > >> queries (client DNS requests), you should get these split onto
> > >> separate addresses.
>
> What I am really after is, well it is probably a fine line the
> most secure DNS can be while still providing the outside world
> recursive queries.
> because there is no real (sane) way to host email servers and not
> provide recursive queries.

We all agree that you need to provide recursive DNS service to the hosts that are your MTAs and that you need to answer DNS queries about your own zones from any host out there. However, you do not need to provide *recursive* service to random outside hosts on the Internet at large in order to send and receive email. That is, your servers can and should refuse to answer a DNS query that asked for, for example, the address of www.openbsd.org.

If you think otherwise, please cite references.

Philip Guenther
Re: Trouble with OpenBSD 4.2 DNS server setup
On Thu, 8 May 2008 00:03:30 -0500, Sam Fourman Jr. wrote:

>On Wed, May 7, 2008 at 10:41 PM, Jon Radel <[EMAIL PROTECTED]> wrote:
>>
>> Sam Fourman Jr. wrote:
>> >> > I assume that if I want to host email for 10 different domains I have
>> >> If you're currently using a setup that involves the same IP
>> >> address for both authoritative (domains you host) and recursive
>> >> queries (client DNS requests), you should get these split onto
>> >> separate addresses.
>
>What I am really after is, well it is probably a fine line the
>most secure DNS can be while still providing the outside world
>recursive queries.
>because there is no real (sane) way to host email servers and not
>provide recursive queries.

Why do you believe that? Nobody's DNS ever needs to provide recursion for any but its local users and hosting mailservers doesn't change anything.

Try googling for: dns recursion bad

or just read http://tinyurl.com/58wv6m for an example of what you can let yourself in for. Even Microsoft knows better. (5th link found by Google) and the 4th link is a pdf from us-cert.gov about "The Continuing Denial of Service Threat Posed by DNS Recursion"

botnets and phishers will love you if you don't block recursive queries from outside your citadel.

>
>Sam Fourman Jr.
>

You don't need to CC me. I'm subscribed. Replies to my list address (From:) get tarpitted except from the list servers. Reply-to: works fine though, but you don't need it.

Rod/

A consultant is someone who's called in when someone has painted himself into a corner. He's expected to levitate his client out of that corner.
-The Sayings of Chairman Morrow. 1984.
Re: httpd-problem after upgrade 4.2 -> 4.3
On Thu, 08 May 2008 09:41:23 +0800, Uwe Dippel wrote:

> Apache reacts very slow. Despite of a load <0.5,
> lynx 127.0.0.1 (as root) takes more than 5-10 seconds until the static
> -rwxr-x--- 1 root www 2236 Dec 12 2006 /var/www/htdocs/index.html
> props up. Any other task on the system is done instantaneous.
> From other machines, on the same network, it takes a similar time to
> see that page.

Sorry, guys, brown bag. I seem to be very noisy these days. The reason for this is just a little DDoS! Once out of sight, everything behaves fine.

My excuses again,

Uwe
Re: How do I use digest authentication to allow/deny directory access
On Wed, May 07, 2008 at 07:26:25AM -0700, Ed Flecko wrote:
> Thanks, Adam.
>
> To test even "Basic" authentication, I created a file named
> "passwords" in the htdocs directory to confirm that Apache could reach
> it. :-)
>
> Then I made this entry in the httpd.conf file:
>
>
> AuthType Basic
> AuthName "Private"
> AuthUserFile /var/www/htdocs/passwords
> Require user stephanie
>
>
> Unfortunately, all I get is an "Internet Explorer cannot display the
> webpage" error message. I don't get any dialog box to sign in.
>
> I'm stumped.
>
> Suggestions?

I should probably know, but I don't. You may want to look at /var/www/logs/error_log, though. That should at least verify that your configuration works, and is likely to contain a helpful error message.

Also, I am not sure if you ever explicitly stated that this works without authentication? If that is the case, you may have a permission issue. (Note that Apache runs as www, and has its own permission system on top of that - see Allow and Deny.)

Joachim

--
PotD: x11/mterm - dockable program launcher
Re: Problem with state and PF on a 4.3 setup
Steve Johnson <[EMAIL PROTECTED]> writes:

> I have keep state entries for all of my rules, so I don't know where
> the problem could be. The ruleset is available here:
> http://www.sjohnson.info/other/pf.conf
>
> The only thing I've removed from the ruleset are aliases and table
> definitions.

Leaving those definitions in there (suitably anonymized if need be) would have made it easier to play with for others.

But anyway, the first thing that strikes me is that the ruleset logic is a bit hard to follow with all those pass quick rules and the block quick at the end. That final block could be a significant part of the problem, and unless my low caffeine level plays tricks on me, the only "pass out" I find is for ICMP traffic. If you want traffic through your gateway, you need to pass out to $somewhere as well (or where appropriate just pass from $foo to $bar).

It's usually a lot better to start with a block all, then punch the holes you need with pass rules, and add quick only when there's a real need for it. And as Joachim mentioned, using lists and macros in a few places where your rule set now has blocks of very similar rules is extremely good for readability.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Trouble with OpenBSD 4.2 DNS server setup
On Wed, May 7, 2008 at 10:41 PM, Jon Radel <[EMAIL PROTECTED]> wrote:
>
> Sam Fourman Jr. wrote:
> >> > I assume that if I want to host email for 10 different domains I have
> >> If you're currently using a setup that involves the same IP
> >> address for both authoritative (domains you host) and recursive
> >> queries (client DNS requests), you should get these split onto
> >> separate addresses.

What I am really after is, well it is probably a fine line the most secure DNS can be while still providing the outside world recursive queries.
because there is no real (sane) way to host email servers and not provide recursive queries.

Sam Fourman Jr.
Re: Problem with state and PF on a 4.3 setup
Steve Johnson wrote:
>
> Hi,
>
> I have a new setup with a 4.3 PF firewall that includes CARP addresses,
> trunked VLANs and HA. We've migrated from a different architecture, so
> the rules have never been tested on a different version before. I've
> tried to setup the first unit with my ruleset, but all forwarded packets
> seem to have problems with state. The packets come through, a state
> table entry is created, they reach the system, but when they come back,
> they are blocked by PF.
>
> I have keep state entries for all of my rules, so I don't know where the
> problem could be. The ruleset is available here:
> http://www.sjohnson.info/other/pf.conf
>
> The only thing I've removed from the ruleset are aliases and table
> definitions.
>
> When I check for specific entries in the state table, I see them as
> "CLOSED:SYN_SENT". If I disable PF, the packets make it through
> properly, so it should not be any routing or IP forwarding issue. I also
> tried conservative instead of aggressive optimization, but it didn't
> change anything, as I expected.
>
> Here are the sysctl settings that I have changed:
> net.inet.ip.forwarding=1
> net.inet.tcp.recvspace=65536
> net.inet.tcp.sendspace=65536
> net.inet.carp.preempt=1
>
> Any clue as to what could be the problem?
>
> Thanks a lot,
> Steve Johnson
>

You appear to be making use of the default pass rule for all your outbound traffic, as I didn't notice a single rule that applied to outbound traffic (other than your block port 0, CARP, PFSync, and ping rules). I don't believe that can be counted on to establish state.

So a packet arrives on an interface, is allowed in with a "pass in quick on XX" and state is established. The packet is then routed out YY, which is allowed since there is no rule to block it. There is, however, no state established on interface YY, so the return packet is dropped unless you have a rule explicitly allowing that packet in.

Try dropping a

    pass out all

into the rule set to see if things get better. (As a test, think about the implications before you put that into production.)

--Jon Radel

[demime 1.01d removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]
Re: Editing C with...
http://xkcd.com/378/

---
James A. Peltier
[EMAIL PROTECTED]
http://www.site-fx.net

--- On Wed, 5/7/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> Subject: Re: Editing C with...
> To: [EMAIL PROTECTED]
> Cc: misc@openbsd.org
> Received: Wednesday, May 7, 2008, 11:42 PM
> --- Matthew Szudzik <[EMAIL PROTECTED] wrote:
>
> > And anyway, I'm a minimalist (that's why I run OpenBSD). nvi is
> > fine--vim and emacs just have too much bloat.
>
> Which is why we have mg in tree: emacs without the
> bloat.
Re: Problem with state and PF on a 4.3 setup
On Wed, May 07, 2008 at 04:09:43PM -0400, Steve Johnson wrote:
> I have a new setup with a 4.3 PF firewall that includes CARP addresses,
> trunked VLANs and HA. We've migrated from a different architecture, so the
> rules have never been tested on a different version before. I've tried to
> setup the first unit with my ruleset, but all forwarded packets seem to
> have problems with state. The packets come through, a state table entry is
> created, they reach the system, but when they come back, they are blocked
> by PF.
>
> I have keep state entries for all of my rules, so I don't know where the
> problem could be. The ruleset is available here:
> http://www.sjohnson.info/other/pf.conf
>
> The only thing I've removed from the ruleset are aliases and table
> definitions.
>
> When I check for specific entries in the state table, I see them as
> "CLOSED:SYN_SENT". If I disable PF, the packets make it through properly,
> so it should not be any routing or IP forwarding issue. I also tried
> conservative instead of aggressive optimization, but it didn't change
> anything, as I expected.
>
> Here are the sysctl settings that I have changed:
> net.inet.ip.forwarding=1
> net.inet.tcp.recvspace=65536
> net.inet.tcp.sendspace=65536
> net.inet.carp.preempt=1
>
> Any clue as to what could be the problem?

Not really, I'm afraid, but some ideas:

- I see you've marked everything as "block log" - is there anything on pflog0 (pflog(4), tcpdump(8))? If so, which rule is triggered?
- if pf is enabled, can the firewall access and be accessed by all hosts involved in the testing? (That is, are you sure that routing is the only thing that fails?)
- does this happen for all protocols (TCP/UDP/ICMP e.a.)?
- if nobody else has a good idea, could you create a dump with tcpdump and post it (ASCII output should do, I believe)? On all involved interfaces, please.
- your ruleset could be a lot more compact if you used "{ a, b, c }" everywhere (antispoof!), and omitted anything unnecessary ("keep state flags S/SA" has been the default for several releases, and "port = http" can be written as just "port http"). You might also wish to reconsider using "quick" for every rule. But this is purely stylistic.

Joachim

--
TFMotD: pod2latex (1) - convert pod documentation to latex format
Re: Trouble with OpenBSD 4.2 DNS server setup
Sam Fourman Jr. wrote:
>> > I assume that if I want to host email for 10 different domains I have
>> > to have these set
>> >
>> > allow-recursion { any; };
>>
>> This allows anybody to use your nameserver as a resolver (e.g.
>> anyone can ask you to lookup domains for them). You shouldn't
>> do this at all without a very good reason (one example being if
>> you're providing DNS to VPN clients and filtering non-VPN traffic).
>> Doing so without other controls leaves you open to being an
>> attack amplifier for anyone who can send a UDP packet with an
>> invalid source address, and also may open you up to DNS poisoning.
>>
>> If you're currently using a setup that involves the same IP
>> address for both authoritative (domains you host) and recursive
>> queries (client DNS requests), you should get these split onto
>> separate addresses.
>>
>
> so if I understand this, the correct way to setup DNS
> is to have one nameserver do just recursive queries
> and a separate name server on a separate ip address have the actual domain
> files

Ah, you go wrong right at the start, when you use the phrase "the correct way." ;-) There are many ways of doing this, and a fair number of them are arguably correct. (Obviously many of the others range from silly to really, really bad.)

I suspect that Stuart Henderson and I will just have to agree to respectfully disagree, a bit. It is true that one of the easier ways of distinguishing between providing recursive lookups for local resolvers and providing non-recursive lookups of authoritative data for the world at large is to simply run two servers on two IP addresses. Easier to prove that you've locked things down appropriately, makes firewalling the former possible, allows you to grow the two servers onto separate pieces of hardware if you grow (I once got to watch an ISP split their DNS servers into pieces when their hardware started staggering under the load--it was much more painful than it had to be).

However, if you're not rolling in IP addresses and are pretty sure that big growth is not in your DNS servers' future, you can get pretty close with some ACLs. For example, I have some servers which have something along the lines of:

    acl "clients" { };
    acl "nameservers" { };

    options {
            allow-query { "clients"; };
            allow-recursion { "clients"; };
            allow-transfer { "nameservers"; };
    };

    zone "example.com" in {
            type master;
            file "master/db.example.com";
            allow-query { any; };
    };

The upshot is that client addresses can send queries, including recursive ones, for anything. The rest of the world can only send non-recursive queries for the zones for which this server is authoritative.

--Jon Radel

[demime 1.01d removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]
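
One way to verify from an outside address that a server configured along these lines really refuses recursion for names it does not host. This is an added example, not code from the thread: the function names and the constructed sample responses are assumptions, and only the query name www.openbsd.org comes from the discussion above.

```python
import socket
import struct

def build_query(name, txid=0x1234, qtype=1):
    """Encode a one-question DNS query with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype A, class IN

def parse_header(message):
    """Decode the fixed 12-byte DNS header into the fields used below."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }

def classify(query, response):
    """Classify the reply to a recursive query for a name the server does not host."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "mismatch"
    if r["rcode"] == 5:                       # REFUSED: the desired outcome
        return "refused"
    if r["aa"]:                               # the server is authoritative after all
        return "authoritative"
    if r["ra"] and (r["ancount"] > 0 or r["rcode"] == 3):
        return "open-recursion"               # it went and resolved the name for us
    return "no-answer"                        # e.g. an empty reply or a referral

def constructed_response(query, ra, rcode, aa=False, a_record=None):
    """Build a sample reply for the demo (constructed, not captured traffic)."""
    flags = 0x8000 | 0x0100 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1 if a_record else 0, 0, 0)
    body = query[12:]                         # echo the question section
    if a_record:                              # name pointer, A, IN, TTL 300, 4 bytes
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(a_record)
    return header + body

def probe(server, name="www.openbsd.org", timeout=3.0):
    """Send the query to your own server over UDP and classify what comes back."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _peer = sock.recvfrom(4096)
    return classify(query, response)

if __name__ == "__main__":
    q = build_query("www.openbsd.org")
    samples = {   # constructed replies; 192.0.2.10 is a documentation address
        "ACLs in place": constructed_response(q, ra=False, rcode=5),
        "allow-recursion { any; }": constructed_response(
            q, ra=True, rcode=0, a_record=(192, 0, 2, 10)),
    }
    for label, reply in samples.items():
        print(f"{label}: {classify(q, reply)}")
```

Run probe() from a host that is not in the "clients" ACL; "refused" or "no-answer" is what the configuration above should produce for a name outside the hosted zones.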
Re: Editing C with...
--- Matthew Szudzik <[EMAIL PROTECTED] wrote:

> And anyway, I'm a minimalist (that's why I run OpenBSD). nvi is
> fine--vim and emacs just have too much bloat.

Which is why we have mg in tree: emacs without the bloat.
Re: How do I set up personal web sites for users?
If your users are in /home and you're not willing to modify your filesystem layout much, you could simply export your /home as readonly nfs share and mount it to /var/www/users.

something like that should work in /etc/exports:

    /home -alldirs,ro 127.0.0.1

    $ mount_nfs -o rw 127.0.0.1:/home /var/www/users

now you can ignore the fact that apache is chrooted. Don't expect read performance to be the same though.
Re: Editing C with...
I learned emacs before vi, but I could never remember all of emacs' complicated keystrokes. It feels as though there are far fewer commands to memorize in vi, and the commands that I do memorize are also useful for writing sed scripts--so the payoff of a little memorization in vi is greater than the payoff in emacs. And anyway, I'm a minimalist (that's why I run OpenBSD). nvi is fine--vim and emacs just have too much bloat.
httpd-problem after upgrade 4.2 -> 4.3
After the successful upgrade of the first machine, I have some trouble with the second. Chances are that the trouble is my fault, but I could still appreciate a clue:

Apache reacts very slow. Despite of a load <0.5, lynx 127.0.0.1 (as root) takes more than 5-10 seconds until the static

    -rwxr-x--- 1 root www 2236 Dec 12 2006 /var/www/htdocs/index.html

props up. Any other task on the system is done instantaneous. From other machines, on the same network, it takes a similar time to see that page. But it is not a data-rate problem, because after the long wait, the data itself comes down to the clients at close to 100Mb/sec. Downloading a file of 60M, on the same subnet, takes about 20 seconds to connect to the IP-address/subdir and 7 seconds for the transfer.

pf is disabled, /etc/hosts is

    ::1 localhost.uniten.edu.my localhost
    127.0.0.1 localhost.uniten.edu.my localhost
    ::1 metalab.uniten.edu.my metalab
    172.16.0.2 metalab.uniten.edu.my metalab

Apache has been restarted, it stops and restarts 'graceful' within a second or two

top says

    Memory: Real: 76M/423M act/tot Free: 1562M Swap: 0K/2151M used/tot

I am stumped,

Uwe
Re: Trouble with OpenBSD 4.2 DNS server setup
> > I assume that if I want to host email for 10 different domains I have
> > to have these set
> >
> > allow-recursion { any; };
>
> This allows anybody to use your nameserver as a resolver (e.g.
> anyone can ask you to lookup domains for them). You shouldn't
> do this at all without a very good reason (one example being if
> you're providing DNS to VPN clients and filtering non-VPN traffic).
> Doing so without other controls leaves you open to being an
> attack amplifier for anyone who can send a UDP packet with an
> invalid source address, and also may open you up to DNS poisoning.
>
> If you're currently using a setup that involves the same IP
> address for both authoritative (domains you host) and recursive
> queries (client DNS requests), you should get these split onto
> separate addresses.
>

so if I understand this, the correct way to setup DNS is to have one nameserver do just recursive queries and a separate name server on a separate ip address have the actual domain files

Sam Fourman Jr.
Re: ral(4) hostap plea
On Wednesday 07 May 2008 10:53:23 Stuart Henderson wrote:
> I have a pair of Gigabyte cards which identify the same way;
>
> ral0 at pci0 dev 16 function 0 "Ralink RT2560" rev 0x01: irq 10, address 00:0f:ea:84:f4:ed
> ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
>
> They are terrible, very poor signal strength on both. I guess there's
> either a lot of difference between cards using the same ICs, or
> they're very sensitive to pigtail or something (though I tried
> several).
>
> I'd really like to have a sure-fire, always-works MiniPCI card for
> hostap that can be bought individually... any suggestions? are the
> 11n ral(4) any more predictable? anyone got CM9 working?

I've not seen good radio performance from the pre-MIMO rals though many people here have been very happy with them. MIMO rals have more useful radios IME. Not sure about miniPCI but RT28xx has been good here.

    Changes by: [EMAIL PROTECTED] 2008/04/26 14:08:01

    Modified files:
            sys/dev/ic : rt2860.c

    Log message:
    hardware TKIP (including MIC) + CCMP

    OpenBSD 4.3-current (GENERIC) #853: Fri May 2 04:37:23 MDT 2008
    ral0 at pci0 dev 14 function 0 "Ralink RT2860" rev 0x00: irq 10, address 00:0c:f6:xx:xx:xx
    ral0: MAC/BBP RT2860 (rev 0x0101), RF RT2820 (2T3R)

    ral0: flags=8943 mtu 1500
            lladdr 00:0c:f6:xx:xx:xx
            groups: wlan
            media: IEEE802.11 autoselect mode 11g hostap
            status: active
            ieee80211: nwid babbage chan 3 bssid 00:0c:f6:xx:xx:xx wpapsk wpaprotos wpa1,wpa2 wpaakms psk,802.1x wpaciphers tkip,ccmp wpagroupcipher tkip 100dBm
Re: net-snmp and openbsd
On Tue, May 6, 2008 at 10:03 PM, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
>
> Appreciate any help.
>
> Thanks :)

Does netstat show it listening on the correct IP? any reason to run net-snmp? I'd use the base snmpd unless you have a very specific reason to run net-snmp.

aaron.glenn
Re: Trouble with OpenBSD 4.2 DNS server setup
On 2008-05-07, Sam Fourman Jr. <[EMAIL PROTECTED]> wrote:
> here is my trouble, if i use nslookup from a computer that is set to
> use my name server(ns.wiscdns.com)
> my output is as follows:
>
> Sam# nslookup 12.192.128.135
> Server: 12.192.128.131
> Address: 12.192.128.131#53
>
> 135.128.192.12.in-addr.arpa name = pop3.DigitalDataWeb.Com.

If I query your server directly I get that too.

> however if I change my name server to a local ISP (that I do not use
> for service)
>
> my output is as follows
>
> Sam$ nslookup 12.192.128.135
> Server: 209.103.196.2
> Address: 209.103.196.2#53
>
> ** server can't find 135.128.192.12.in-addr.arpa: NXDOMAIN

Your ISP has not delegated or CNAMEd 135.128.192.12.in-addr.arpa to direct people doing the lookups to contact your server.

Using dig, compare a query for 135.128.192.12.in-addr.arpa ANY with a query for 1.128.192.12.in-addr.arpa ANY.

Since you are in a subnet that is not on an exact byte boundary (/8 /16 /24) the normal way is to ask your ISP to configure CNAMEs, with your /25 you will probably get CNAMEs like this:

    128.128/25.128.192.12.in-addr.arpa.
    129.128/25.128.192.12.in-addr.arpa.
    130.128/25.128.192.12.in-addr.arpa.
    131.128/25.128.192.12.in-addr.arpa.
    132.128/25.128.192.12.in-addr.arpa.
    ..you get the picture..

and you will then have to configure named to answer authoritatively for 128/25.128.192.12.in-addr.arpa, and set your PTR up in that zone instead, like:

    135.128/25.128.192.12.in-addr.arpa. CNAME pop3.DigitalDataWeb.com.

> I assume that if I want to host email for 10 different domains I have
> to have these set
>
> allow-recursion { any; };

This allows anybody to use your nameserver as a resolver (e.g. anyone can ask you to lookup domains for them). You shouldn't do this at all without a very good reason (one example being if you're providing DNS to VPN clients and filtering non-VPN traffic). Doing so without other controls leaves you open to being an attack amplifier for anyone who can send a UDP packet with an invalid source address, and also may open you up to DNS poisoning.

If you're currently using a setup that involves the same IP address for both authoritative (domains you host) and recursive queries (client DNS requests), you should get these split onto separate addresses.

> auth-nxdomain yes;

I haven't used bind for authoritative dns for a while, but I don't think this makes a difference for domains you're authoritative for. AIUI it just forces "authoritative answer" to be set on any NXDOMAIN response, even if you're not authoritative for that domain.

> I am open to any suggestions anyone has, because this is my first set
> of BSD based name servers

This isn't OS-specific, it's just that Windows DNS server tends to do a bunch of things that it doesn't show you so you don't get to see what's happening.
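
The classless in-addr.arpa scheme discussed in this message, worked through for the /25 in the thread. This is an added example, not code from any poster: it follows the RFC 2317 convention (CNAMEs in the ISP's zone pointing into a child zone that holds PTR records), the function names are assumptions, and the addresses and host names are the ones quoted in the thread.

```python
import ipaddress

def classless_zone(cidr):
    """Return (network, parent zone, child zone) for a block smaller than a /24."""
    net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits, e.g. .135/25
    if net.version != 4 or not 25 <= net.prefixlen <= 31:
        raise ValueError("classless naming applies to IPv4 blocks from /25 to /31")
    o = net.network_address.packed
    parent = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."  # the /24 zone the ISP serves
    child = f"{o[3]}/{net.prefixlen}.{parent}"      # the zone the customer serves
    return net, parent, child

def parent_records(cidr, nameservers):
    """Records the ISP adds: NS for the child zone, one CNAME per address."""
    net, parent, child = classless_zone(cidr)
    records = [f"{child} NS {ns}" for ns in nameservers]
    for addr in net:
        last = addr.packed[3]
        records.append(f"{last}.{parent} CNAME {last}.{child}")
    return records

def child_records(cidr, ptrs):
    """Records the customer serves: PTRs inside the child zone."""
    net, _parent, child = classless_zone(cidr)
    records = []
    for ip, host in sorted(ptrs.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {net}")
        records.append(f"{addr.packed[3]}.{child} PTR {host}")
    return records

def follow(ip, records, max_hops=8):
    """Walk the reverse lookup a resolver performs: CNAME chain, then PTR."""
    table = {}
    for record in records:
        owner, rtype, target = record.split()
        table[(owner.lower(), rtype)] = target
    name = ipaddress.ip_address(ip).reverse_pointer + "."
    chain = [name]
    while (name.lower(), "CNAME") in table and len(chain) <= max_hops:
        name = table[(name.lower(), "CNAME")]
        chain.append(name)
    return chain, table.get((name.lower(), "PTR"))

if __name__ == "__main__":
    block = "12.192.128.128/25"                       # the /25 from the thread
    isp = parent_records(block, ["ns.wiscdns.com."])
    mine = child_records(block, {"12.192.128.135": "pop3.DigitalDataWeb.com."})
    print("\n".join(isp[:4] + ["..."] + mine))
    chain, host = follow("12.192.128.135", isp + mine)
    print(" -> ".join(chain), "=>", host)
    # Without the ISP's records the chain stops at the first name: the NXDOMAIN
    # seen when querying through the outside resolver.
    print(follow("12.192.128.135", mine))
```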
Re: Trouble with OpenBSD 4.2 DNS server setup
On Wed, May 7, 2008 at 3:56 PM, Sam Fourman Jr. <[EMAIL PROTECTED]> wrote:
...
> now that I am trying to host a mail server, I found out my reverse
> lookup is not working correctly
>
> we have a /25 ip block on our T1
...
> however if I change my name server to a local ISP (that I do not use
> for service)
>
> my output is as follows
>
> Sam$ nslookup 12.192.128.135
> Server: 209.103.196.2
> Address:209.103.196.2#53
>
> ** server can't find 135.128.192.12.in-addr.arpa: NXDOMAIN

How is a DNS client supposed to know that your server should be queried for that information? It asks the servers for the nearest parent zone (192.12.in-addr.arpa) and gets back NS records for your server. It's not working because that parent zone doesn't have those records and therefore isn't delegating the domain to you.

So, you need to talk with the people from whom you got that /25 allocation and tell them the names of your authoritative servers and their IP addresses so that they can add the necessary NS records to their zone, pointing at your servers.

(The above contains some gross simplifications; go read the DNS nutshell book from O'Reilly for the full details.)

Philip Guenther
Trouble with OpenBSD 4.2 DNS server setup
hello misc@

I am in need of some guidance, I am trying to convert our name servers from Windows 2000 DNS to OpenBSD named

I put this name server up last October and it has worked great, or at least i thought it did.

now that I am trying to host a mail server, I found out my reverse lookup is not working correctly

we have a /25 ip block on our T1

here is my trouble, if i use nslookup from a computer that is set to use my name server(ns.wiscdns.com) my output is as follows:

    Sam# nslookup 12.192.128.135
    Server: 12.192.128.131
    Address:12.192.128.131#53

    135.128.192.12.in-addr.arpa name = pop3.DigitalDataWeb.Com.

however if I change my name server to a local ISP (that I do not use for service)

my output is as follows

    Sam$ nslookup 12.192.128.135
    Server: 209.103.196.2
    Address:209.103.196.2#53

    ** server can't find 135.128.192.12.in-addr.arpa: NXDOMAIN

I copied all of my named config files in a directory on a webserver along with a dmesg located here http://www.puffybsd.com/named/

I assume that if I want to host email for 10 different domains I have to have these set

    allow-recursion { any; };
    auth-nxdomain yes;

I am open to any suggestions anyone has, because this is my first set of BSD based name servers

I do not have a 2nd name server setup yet I just need to do some more reading and figure out how they are different.

as always Thank you very much for your help

Sam Fourman Jr.
Re: mknod Invalid argument after upgrade.
On Wed, May 7, 2008 at 11:52 AM, Paul Pruett <[EMAIL PROTECTED]> wrote:
> What things should I check to fix mknod, short of format hard drive?

You should back up user data, scrub, and reinstall. At this point, you don't really know what was done to break your system and have no reason to be confident that there aren't other things broken that you just don't know about yet. If you actually want to have any confidence that this machine won't spontaneously fail or that it hasn't been compromised in some way, then reinstall.

(I mention "compromised" only because mknod will fail with the "Invalid argument" error if run inside a chroot. If some malicious party or practical joker has taken over your machine, hacking the rc scripts to run most stuff inside a chroot would be one way to try to hide the traces. Done properly, tools will be hacked to return lies consistent with that, so there's no guaranteed way to be able to detect the condition, but you could try by checking things like

a) does "ls -li /" show the root directory as having inode #2?
b) does "fstat | grep ' root'" show _only_ the priv-sep daemons?
c) does "fsdb -f /dev/rwd0a" let you browse a directory tree that matches what you see with ls, all the way down to inode numbers and most timestamps?

If any of those answer "no", then you've been hacked. If not, however, you still don't know.)

Philip Guenther
Re: ral(4) hostap plea
Hello,

> Personally, I've given up on using OpenBSD as an AP--though I have for
> years. Back when I used wi, everything worked very well. However,
> 802.11g drivers/cards work very poorly as APs. While speed with them
> can be good at times, different wireless clients performed erratically
> and frequently the AP would lock up. I have since moved on and now
> use commercial APs.
>
> Sorry if this is not what you were looking for. I'd love to say
> 802.11g, OpenBSD and APs work swimmingly, but that has never been the
> case for me.
>

I personally don't think it's that much an obsd problem, there are always some people which can't connect to whatever AP you are running. That's why we have some cheap WiFi cards lying around. "Can't connect? Put this one in. Voila."

In the past the Realtek stuff was a nightmare, then came centrino...

-sm
Re: Editing C with...
You can always use the name of the command instead of keystrokes. Also you can customize these keys and change the defaults (customizable)

On Wed, May 7, 2008 at 6:28 PM, Marco Peereboom <[EMAIL PROTECTED]> wrote:
> I gave emacs quite the fighting chance. Used it for 4 weeks and could
> not deal with the sore hands & fingers anymore.
>
> emacs is great for people that don't mind finger gymnastics. Vim is
> much nicer for people with sore hands.
>
>
> On Wed, May 07, 2008 at 04:55:55PM +0100, overdrive openbsd wrote:
> >
> > Hi Jordi,
> >
> > I don't want to start a flamewar, but I will say my experience; after
> > lot of years using vi and vim, I decide 'taste' emacs. Now I can see
> > that the major part of users those use vi/vim is because they never
> > tried more than 5 minutes on emacs or directly they never tried. Now I
> > am more productive (-; of course stupid devels will be stupid in vi or
> > emacs, but they will be slower to write their stupid code!
> >
> > Borja Tarraso
> >
> > On Sat, May 3, 2008 at 6:56 PM, Jordi Espasa Clofent
> > <[EMAIL PROTECTED]> wrote:
> > > Yes, I know, it's completely a dumb question; but I'm curious about it.
> > >
> > > I'm just learning C applied in networking area and I wonder what editor is
> > > preferred by OpenBSD developers.
> > >
> > > At present moment I use vim.
> > >
> > > --
> > > Thanks,
> > > Jordi Espasa Clofent
Problem with state and PF on a 4.3 setup
Hi,

I have a new setup with a 4.3 PF firewall that includes CARP addresses, trunked VLANs and HA. We've migrated from a different architecture, so the rules have never been tested on a different version before. I've tried to setup the first unit with my ruleset, but all forwarded packets seem to have problems with state. The packets come through, a state table entry is created, they reach the system, but when they come back, they are blocked by PF.

I have keep state entries for all of my rules, so I don't know where the problem could be. The ruleset is available here: http://www.sjohnson.info/other/pf.conf

The only thing I've removed from the ruleset are aliases and table definitions.

When I check for specific entries in the state table, I see them as "CLOSED:SYN_SENT". If I disable PF, the packets make it through properly, so it should not be any routing or IP forwarding issue. I also tried conservative instead of aggressive optimization, but it didn't change anything, as I expected.

Here are the sysctl settings that I have changed:

    net.inet.ip.forwarding=1
    net.inet.tcp.recvspace=65536
    net.inet.tcp.sendspace=65536
    net.inet.carp.preempt=1

Any clue as to what could be the problem?

Thanks a lot,
Steve Johnson
Re: Editing C with...
If you want to stick with what's in the tree, mg does a fine job. Compiles, parses errors, jumps to the correct line, and so on.
mknod Invalid argument after upgrade.
Apologies, but so far suggestions have not worked. What things should I check to fix mknod, short of format hard drive?

Situation, after possibly messing up using a wrong MAKEDEV during upgrade to OBSD 4.3 (amd64) from beta, I fixed by making sure /dev was empty of all, then booting from stable 4.3 media and doing upgrade, which replaced and therefore repaired /dev.

HOWEVER, now mknod fails for making devices except when used as mkfifo (-p). So I don't dare do MAKEDEV again since it runs 'rm' first then tries to do mknod, leaving no drivers and no way short of booting cdrom to fix.

This failure of mknod is true under /dev and other directories, and I am running it as root. And / is mounted without nodev as expected.

# head -1 /etc/fstab
/dev/wd0a / ffs rw 1 1

example:

# cd /dev
# whereis mknod
/sbin/mknod
# /sbin/mknod foo c 1 1
mknod: foo: Invalid argument
# uname -a
OpenBSD 4.3 GENERIC.MP#1582 amd64
#

Fails also with GENERIC bsd.

tia, your help appreciated, I will document finding and post for others
---
Re: Editing C with...
I gave emacs quite the fighting chance. Used it for 4 weeks and could not deal with the sore hands & fingers anymore. emacs is great for people that don't mind finger gymnastics. Vim is much nicer for people with sore hands. On Wed, May 07, 2008 at 04:55:55PM +0100, overdrive openbsd wrote: > Hi Jordi, > > I don't want to start a flamewar, but I will say my experience; after > lot of years using vi and vim, I decide 'taste' emacs. Now I can see > that the major part of users those use vi/vim is because they never > tried more than 5 minutes on emacs or directly they never tried. Now I > am more productive (-; of course stupid devels will be stupid in vi or > emacs, but they will be slower to write their stupid code! > > Borja Tarraso > > On Sat, May 3, 2008 at 6:56 PM, Jordi Espasa Clofent > <[EMAIL PROTECTED]> wrote: > > Yes, I know, it's completely a dumb question; but I'm curious about it. > > > > I'm just learning C applied in networking area and I wonder what editor is > > preferred by OpenBSD developers. > > > > At present moment I use vim. > > > > -- > > Thanks, > > Jordi Espasa Clofent
Re: OpenBSD 4.3 Screen Brightness on HP DV6000 laptop
On Wed, May 07, 2008 at 08:12:52AM -0700, Andrew Stone wrote: > > I'm currently having trouble getting my f7 and 78 brightness keys to > work on my laptop. I would appreciate any help getting these to work, > or alternative methods for changing my screen brightness. I think > it must be configurable because it changes vastly when I am either > plugged in to AC or running on battery. > > A dmesg is below. > > [...] > vga1 at pci0 dev 2 function 0 "Intel 82945GM Video" rev 0x03 If you have Xorg configured, you should be able to use the intel(4) driver with the xbacklight(1) utility.
Re: ral(4) hostap plea
> It looks like newegg carries the EDIMAX EW-7128G. Since I bought the
> previous card from them as well, maybe I'll have them switch them and
> see if I have any better luck. Thanks for the suggestion.
>

We have done testing with that card as well. We used 3 circular 14db antennas on a 110ft tower running OpenBSD 4.2 and we got over a mile of solid coverage with an atheros usb adapter on the client.

MIMO really makes all the difference.

In this test both AP and client were running OpenBSD 4.2.

Sam Fourman Jr.
Re: ral(4) hostap plea
On Wed, May 07, 2008 at 11:16:29AM -0500, Sam Fourman Jr. wrote: > > I'd really like to have a sure-fire, always-works MiniPCI card for > > hostap that can be bought individually... any suggestions? are the 11n > > ral(4) any more predictable? anyone got CM9 working? > > We have had decent luck with ral RT2860 chipset we use the edimax PCI cards. > I sent a few of them to damien@ last year and he made a driver for > them that in in OpenBSD 4.3 > > > Sam Fourman Jr. It looks like newegg carries the EDIMAX EW-7128G. Since I bought the previous card from them as well, maybe I'll have them switch them and see if I have any better luck. Thanks for the suggestion. -- James Turner BSD Group Consulting http://www.bsdgroup.org
Re: Editing C with...
On 5/6/08, Emilio Perea <[EMAIL PROTECTED]> wrote: > Although I've never had to deal with Vista, previous versions of Windows > had a "Resource Kit" available which includes vi. With some Vista > versions you can install SUA (Subsystem for UNIX Applications) which > includes tcsh and ksh with vi (packages for vim, emacs and other editors Somewhat off-topic but more OpenBSD-related - if you are using Microsoft's Services for Unix (SFU) you should try this: $ strings /bin/* |grep OpenBSD This is fairly well-known but still fun to see. -Mark
OpenBSD 4.3 Screen Brightness on HP DV6000 laptop
Hi all, I'm currently having trouble getting my f7 and 78 brightness keys to work on my laptop. I would appreciate any help getting these to work, or alternative methods for changing my screen brightness. I think it must be configurable because it changes vastly when I am either plugged in to AC or running on battery. A dmesg is below. Thanks, Andrew OpenBSD 4.3 (GENERIC.MP) #587: Wed Mar 12 11:21:57 MDT 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP cpu0: Intel(R) Core(TM)2 CPU T5300 @ 1.73GHz ("GenuineIntel" 686-class) 1.73 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CX16,xTPR real mem = 2137026560 (2038MB) avail mem = 2058293248 (1962MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 02/02/07, BIOS32 rev. 0 @ 0xfd610, SMBIOS rev. 2.4 @ 0xdf010 (22 entries) bios0: vendor Hewlett-Packard version "F.16" date 02/02/2007 bios0: Hewlett-Packard HP Pavilion dv6000 (RV214UA#ABA) acpi0 at bios0: rev 2 acpi0: tables DSDT FACP APIC HPET MCFG TCPA APIC BOOT SLIC SSDT SSDT SSDT SSDT acpi0: wakeup devices RP02(S3) PXS3(S4) LANC(S4) PS2K(S3) PS2M(S3) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: apic clock running at 133MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: Intel(R) Core(TM)2 CPU T5300 @ 1.73GHz ("GenuineIntel" 686-class) 1.73 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CX16,xTPR ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins ioapic0: duplicate apic id, remapped to apid 2 acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (PEGP) acpiprt2 at acpi0: bus 2 (RP01) acpiprt3 at acpi0: bus 3 (RP02) acpiprt4 at acpi0: bus -1 (RP03) acpiprt5 at acpi0: bus 5 (PCIB) acpiec0 at acpi0 
acpicpu0 at acpi0: C3, C2 acpicpu1 at acpi0: C3, C2 acpitz0 at acpi0acpitz0: THR1: failed to read _TMP : failed to read _TMP acpibtn0 at acpi0: PWRB acpibtn1 at acpi0: SLPB acpiac0 at acpi0: AC unit offline acpibat0 at acpi0: BAT0 model "Primary" serial type LION oem "Hewlett-Packard" acpibtn2 at acpi0: LID_ bios0: ROM list: 0xc/0xe600! 0xce800/0x1800 0xdf000/0x800! 0xe/0x1800! cpu0: unknown Enhanced SpeedStep CPU, msr 0x06130d2506000d25 cpu0: using only highest and lowest power states cpu0: Enhanced SpeedStep 1733 MHz (1292 mV): speeds: 1733, 800 MHz pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 "Intel 82945GM Host" rev 0x03 agp0 at pchb0: aperture at 0xc000, size 0x1000 vga1 at pci0 dev 2 function 0 "Intel 82945GM Video" rev 0x03 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) "Intel 82945GM Video" rev 0x03 at pci0 dev 2 function 1 not configured azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x02: apic 2 int 22 (irq 5) azalia0: codec[s]: Conexant/0x5045 audio0 at azalia0 ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x02: apic 2 int 17 (irq 3) pci1 at ppb0 bus 2 wpi0 at pci1 dev 0 function 0 "Intel PRO/Wireless 3945ABG" rev 0x02: apic 2 int 16 (irq 11), MoW1, address 00:19:d2:ad:b2:b8 ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x02: apic 2 int 16 (irq 11) pci2 at ppb1 bus 3 uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x02: apic 2 int 23 (irq 7) uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x02: apic 2 int 19 (irq 10) uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x02: apic 2 int 18 (irq 3) uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x02: apic 2 int 16 (irq 11) ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x02: apic 2 int 23 (irq 7) usb0 at ehci0: USB revision 2.0 uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1 ppb2 at pci0 dev 30 function 0 "Intel 82801BAM 
Hub-to-PCI" rev 0xe2 pci3 at ppb2 bus 5 "Ricoh 5C832 Firewire" rev 0x00 at pci3 dev 5 function 0 not configured sdhc0 at pci3 dev 5 function 1 "Ricoh 5C822 SD/MMC" rev 0x19: apic 2 int 17 (irq 3) sdmmc0 at sdhc0 "Ricoh 5C843 MMC" rev 0x01 at pci3 dev 5 function 2 not configured "Ricoh 5C592 Memory Stick" rev 0x0a at pci3 dev 5 function 3 not configured "Ricoh 5C852 xD" rev 0x05 at pci3 dev 5 function 4 not configured fxp0 at pci3 dev 8 function 0 "Intel PRO/100 VM" rev 0x02, i82562: apic 2 int 20 (irq 10), address 00:1b:24:00:56:2a inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0 ichpcib0 at pci0 dev 31 function 0 "Intel 82801GBM LPC" rev 0x02: PM disabled pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x02: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility atapiscsi0 at pciide0 channel 0 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable cd0(pc
Re: ral(4) hostap plea
> I'd really like to have a sure-fire, always-works MiniPCI card for
> hostap that can be bought individually... any suggestions? are the 11n
> ral(4) any more predictable? anyone got CM9 working?

We have had decent luck with ral RT2860 chipset; we use the edimax PCI cards. I sent a few of them to damien@ last year and he made a driver for them that is in OpenBSD 4.3.

Sam Fourman Jr.
Re: Editing C with...
I used Emacs for more than 10 years, and now I use vim. I like it better. There is no single thing that is right for everyone. On Wed, May 07, 2008 at 04:55:55PM +0100, overdrive openbsd wrote: > Hi Jordi, > > I don't want to start a flamewar, but I will say my experience; after > lot of years using vi and vim, I decide 'taste' emacs. Now I can see > that the major part of users those use vi/vim is because they never > tried more than 5 minutes on emacs or directly they never tried. Now I > am more productive (-; of course stupid devels will be stupid in vi or > emacs, but they will be slower to write their stupid code! > > Borja Tarraso > > On Sat, May 3, 2008 at 6:56 PM, Jordi Espasa Clofent > <[EMAIL PROTECTED]> wrote: > > Yes, I know, it's completely a dumb question; but I'm curious about it. > > > > I'm just learning C applied in networking area and I wonder what editor is > > preferred by OpenBSD developers. > > > > At present moment I use vim. > > > > -- > > Thanks, > > Jordi Espasa Clofent > -- Darrin Chandler| Phoenix BSD User Group | MetaBUG [EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/ http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: Editing C with...
Hi Jordi, I don't want to start a flamewar, but I will say my experience; after lot of years using vi and vim, I decide 'taste' emacs. Now I can see that the major part of users those use vi/vim is because they never tried more than 5 minutes on emacs or directly they never tried. Now I am more productive (-; of course stupid devels will be stupid in vi or emacs, but they will be slower to write their stupid code! Borja Tarraso On Sat, May 3, 2008 at 6:56 PM, Jordi Espasa Clofent <[EMAIL PROTECTED]> wrote: > Yes, I know, it's completely a dumb question; but I'm curious about it. > > I'm just learning C applied in networking area and I wonder what editor is > preferred by OpenBSD developers. > > At present moment I use vim. > > -- > Thanks, > Jordi Espasa Clofent
Re: ral(4) hostap plea
On Tue, May 06, 2008 at 11:05:35PM -0400, James Turner wrote: > Some info, the ral(4) is a Gigabyte GN-WP01GS which is an RT2561S. My > basic hostname.ral0 reads: inet 192.168.1.1 255.255.255.0 NONE media > autoselect mode 11g mediaopt hostap nwid my_net nwkey secret chan 11. I'm also using ral in hostap mode, and it works perfectly. Contents of hostname.ral0: inet 192.168.2.1 255.255.255.0 NONE media autoselect mediaopt hostap nwid stupendous mode 11g (I don't use WEP.) The device itself: ral0 at pci0 dev 11 function 0 "Ralink RT2561S" rev 0x00: irq 11, address 00:11:6b:3d:7f:6a ral0: MAC/BBP RT2561C, RF RT2527 Try attaching (if you haven't already) a high quality external antenna. This made a world of difference in my case. -- Jurjen Oskam Savage's Law of Expediency: You want it bad, you'll get it bad.
Re: saslauthd and rimap
On Wed, 7 May 2008, Stephan A. Rickauer wrote: > If someone happens to run saslauthd 2.1.22 on OpenBSD and uses rimap as > authmech against a cyrus server, please try to authenticate using a > password with double-quotes. I think we've found a bug here and it would > be neat to have a confirmation. Does this happen only under OpenBSD? If not, then you should talk to upstream. -- Antoine
Re: 1U IBM or Dell server for firewall
On Wed, 07 May 2008 21:03:18 +0700, smartTERRA NOC <[EMAIL PROTECTED]> wrote: An IBM x3250 looks like this on dmesg: OpenBSD 4.3-current (GENERIC.MP) #0: Thu Mar 13 05:46:13 WIT 2008 As discussed on this ML a MP enable kernel is not a good choice for a performant firewall solution... Falk Agreed, but this is a web server. I just like to see that an openBSD 64-bit MP machines working. Maybe if I had another similar machine I could make a simple comparison and bring them to the ML. And this is from an Intel s3000AH 4.3-current OpenBSD 4.3-current (GENERIC) #0: Fri Apr 18 02:41:38 WIT 2008 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC RTC BIOS diagnostic error e cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz ("GenuineIntel" 686-class) 3.01 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS H,DS,ACPI,MMX,FXSR,SSE, SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CNXT-ID,CX16,xTPR real mem = 1069719552 (1020MB) avail mem = 1026269184 (978MB) RTC BIOS diagnostic error e mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 07/11/06, SMBIOS rev. 2.4 @ 0x3fbf4000 (42 entries) bios0: vendor Intel Corporation version "S3000.86B.02.00.0046.112220071112" date 11/22/2007 bios0: Intel S3000AH acpi0 at bios0: rev 0 acpi0: tables DSDT FACP APIC WDDT MCFG ASF! 
SSDT SSDT SSDT SSDT SSDT acpi0: wakeup devices SLPB(S4) P32_(S4) UAR1(S1) PEX4(S4) PEX5(S4) UHC1(S1) UHC2(S1) UHC3(S1) UHC4(S1) EHCI(S1) AC9M(S4) AZAL(S4) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 4 (P32_) acpiprt2 at acpi0: bus 1 (PEX0) acpiprt3 at acpi0: bus -1 (PEX1) acpiprt4 at acpi0: bus -1 (PEX2) acpiprt5 at acpi0: bus -1 (PEX3) acpiprt6 at acpi0: bus 2 (PEX4) acpiprt7 at acpi0: bus 3 (PEX5) acpicpu0 at acpi0: FVS, 3000, 2400 MHz acpibtn0 at acpi0: SLPB bios0: ROM list: 0xc/0x9000 0xc9000/0x1800 0xca800/0x1800 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 "Intel E7230 Host" rev 0x00 ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: irq 9 pci1 at ppb0 bus 1 ppb1 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01: irq 9 pci2 at ppb1 bus 2 ppb2 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01: irq 11 pci3 at ppb2 bus 3 em0 at pci3 dev 0 function 0 "Intel PRO/1000MT (82573E)" rev 0x03: irq 9, address 00:15:17:25:0a:9d "Intel 82573E Serial" rev 0x03 at pci3 dev 0 function 3 not configured "Intel 82573E KCS" rev 0x03 at pci3 dev 0 function 4 not configured uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: irq 11 uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: irq 10 uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: irq 11 uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: irq 11 ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: irq 11 ehci0: timed out waiting for BIOS usb0 at ehci0: USB revision 2.0 uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1 ppb3 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1 pci4 at ppb3 bus 4 em1 at pci4 dev 0 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: irq 11, address 00:07:e9:0f:44:ac em2 at pci4 dev 1 function 0 "Intel PRO/1000MT (82540EM)" rev 0x02: irq 11, address 00:07:e9:0f:44:e3 vga1 at pci4 dev 4 function 0 "ATI 
ES1000" rev 0x02 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) em3 at pci4 dev 5 function 0 "Intel PRO/1000MT (82541GI)" rev 0x05: irq 9, address 00:15:17:25:0a:9e ichpcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01: PM disabled pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility pciide0: channel 0 disabled (no drives) pciide0: channel 1 disabled (no drives) pciide1 at pci0 dev 31 function 2 "Intel 82801GB SATA" rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI pciide1: using irq 10 for native-PCI interrupt wd0 at pciide1 channel 0 drive 0: wd0: 16-sector PIO, LBA48, 152627MB, 312581808 sectors wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5 ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x01: irq 10 iic0 at ichiic0 adt0 at iic0 addr 0x2e: sch5027 rev 0x69 spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-5300CL5 usb1 at uhci0: USB revision 1.0 uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1 usb2 at uhci1: USB revision 1.0 uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1 usb3 at uhci2: USB revision 1.0 uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1 usb4 at uhci3: USB revision 1.0 uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1 isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 pckbd0 at pckbc0 (kbd slot) pckbc0: using irq 1 for kbd slot wskbd0 at pckbd0: console keyboard, using wsdisplay0 pcppi0 at isa0 port 0x61 midi0 at pcppi0: spkr0 at pcppi0 npx0 at isa0 port 0xf0/1
Re: How do I use digest authentication to allow/deny directory access
Thanks, Adam.

To test even "Basic" authentication, I created a file named "passwords" in the htdocs directory to confirm that Apache could reach it. :-)

Then I made this entry in the httpd.conf file:

AuthType Basic
AuthName "Private"
AuthUserFile /var/www/htdocs/passwords
Require user stephanie

Unfortunately, all I get is an "Internet Explorer cannot display the webpage" error message. I don't get any dialog box to sign in. I'm stumped.

Suggestions?

Ed
Re: 1U IBM or Dell server for firewall
An IBM x3250 looks like this on dmesg: OpenBSD 4.3-current (GENERIC.MP) #0: Thu Mar 13 05:46:13 WIT 2008 As discussed on this ML a MP enable kernel is not a good choice for a performant firewall solution... Falk
saslauthd and rimap
If someone happens to run saslauthd 2.1.22 on OpenBSD and uses rimap as authmech against a cyrus server, please try to authenticate using a password with double-quotes. I think we've found a bug here and it would be neat to have a confirmation.

Thanks,

--
Stephan A. Rickauer
---
Institute of Neuroinformatics    Tel +41 44 635 30 50
University / ETH Zurich          Sec +41 44 635 30 52
Winterthurerstrasse 190          Fax +41 44 635 30 53
CH-8057 Zurich                   Web www.ini.uzh.ch
Re: How do I set up personal web sites for users?
If you are using the OpenBSD's apache with a default configuration:

Firstly, open httpd.conf, then modify UserDir disabled to UserDir /var/www/users.

Then, uncomment the following lines:

410
411 AllowOverride FileInfo AuthConfig Limit
412 Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
413
414 Order allow,deny
415 Allow from all
416
417
418 Order deny,allow
419 Deny from all
420
421

Cheers

2008/5/7 Lars Noodén <[EMAIL PROTECTED]>:
> Ed Flecko wrote:
> > I've created a user (Stephanie) on the box, and I've added her to the
> > /etc/ftpchroot file so she can upload stuff to her directory...
> >
> > 1.) Can someone tell me what I'm doing wrong?
>
> How about trying sftp or scp to avoid sending login information in the
> clear? There are even graphical clients if needed.
>
> If you want drag-n-drop transfers, then the fastest to set up is
> probably to use mod_dav.
> http://www.openbsd.org/4.3_packages/i386/mod_dav-1.0.3p5.tgz-long.html
>
> Regards,
> -Lars
>

--
Stephano Zanzin
http://sirviente.9grid.es/~stephano/
IRC: stzan @ freenode
Re: How do I set up personal web sites for users?
On 2008-05-06, Ed Flecko <[EMAIL PROTECTED]> wrote: > I've created a user (Stephanie) on the box, and I've added her to the > /etc/ftpchroot file so she can upload stuff to her directory; now I > just want her to be able to reach whatever she uploads (which probably > will be just a bunch of files) via Apache and that's where I'm > stumped. http://openbsd.org/faq/faq10.html#httpdchroot, see the "Historic file system layouts" section.
Re: ral(4) hostap plea
On Wed, May 07, 2008 at 07:30:17AM +, Stuart Henderson wrote:
> On 2008-05-07, Daniel Melameth <[EMAIL PROTECTED]> wrote:
> > Personally, I've given up on using OpenBSD as an AP--though I have for
> > years. Back when I used wi, everything worked very well. However,
> > 802.11g drivers/cards work very poorly as APs.
>
> Some 802.11g drivers/cards... I've had nothing but good luck with
> acx, though I don't know where to buy them in MiniPCI format without
> dismantling a commercial AP.
>

I appreciate all the feedback I've gotten so far. I'm actually using a normal PCI card in my soekris net5501. If you have any suggestions where I might get a PCI version of an acx card I'd definitely give it a try. As far as the ral(4) goes I guess for now I'll just stick with my wi(4) and be happy.

--
James Turner
BSD Group Consulting
http://www.bsdgroup.org
Re: How do I set up personal web sites for users?
Ed Flecko wrote: > I've created a user (Stephanie) on the box, and I've added her to the > /etc/ftpchroot file so she can upload stuff to her directory... > > 1.) Can someone tell me what I'm doing wrong? How about trying sftp or scp to avoid sending login information in the clear? There are even graphical clients if needed. If you want drag-n-drop transfers, then the fastest to set up is probably to use mod_dav. http://www.openbsd.org/4.3_packages/i386/mod_dav-1.0.3p5.tgz-long.html Regards, -Lars
Re: How do I set up personal web sites for users?
Hi,

This is the solution I use:

mkdir /var/www/users/myuser/
chown myuser:myuser /var/www/users/myuser
cd /home/myuser

and create a symbolic link www -> /var/www/users/myuser

I hope it helps.

Ed Flecko wrote:

Hi folks, I have a few questions about how to set up users on my OBSD 4.3 box.

I've created a user (Stephanie) on the box, and I've added her to the /etc/ftpchroot file so she can upload stuff to her directory; now I just want her to be able to reach whatever she uploads (which probably will be just a bunch of files) via Apache and that's where I'm stumped.

I was expecting to be able to reach her stuff via the typical *nix http://server/~stephanie, but that didn't work.

1.) Can someone tell me what I'm doing wrong?
2.) Inside the /var/www directory, there's a "user" directory. What's that for?
3.) Do I need to, or would it be advantageous to, modify the httpd.conf file? What sort of entries might be helpful?

Thank you,
Ed
Re: ral(4) hostap plea
On Wed, 7 May 2008, Peter N. M. Hansteen wrote: just one other data point, this is the Gigabyte badged card in my home gateway, works IME better than the ath it replaced: ral0 at pci1 dev 4 function 0 "Ralink RT2561S" rev 0x00: irq 12, address 00:1a:4d:3c:88:76 ral0: MAC/BBP RT2561C, RF RT2527 I got two of those cards, but in my soekris they won't do 11g. A few packets get through and then the network traffic is shut down. The client says that it is associated with the ap, but tcpdump won't see any packets. 11b mode works pretty stable. dmesg part is this (looks the same as yours): ral0 at pci0 dev 17 function 0 "Ralink RT2561S" rev 0x00: irq 15, address 00:1d:7d:46:87:1b ral0: MAC/BBP RT2561C, RF RT2527 Kind regards, Markus
Re: ral(4) hostap plea
just one other data point, this is the Gigabyte badged card in my home gateway, works IME better than the ath it replaced: ral0 at pci1 dev 4 function 0 "Ralink RT2561S" rev 0x00: irq 12, address 00:1a:4d:3c:88:76 ral0: MAC/BBP RT2561C, RF RT2527 - P -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Via C7, was Re: "VIA Announces Strategic Open Source Driver Development Initiative"
On 5/6/08, Geoff Steckel <[EMAIL PROTECTED]> wrote:
>
> I use them for firewalls and disk servers. For that they work
> quite well. Yes, graphics are painfully slow, but I think that's the
> fault of the integrated graphics. Using a PCI graphics card seems
> to speed them up quite a bit.
>
> One of them I use as a disk server peaks out at about 80 MB/sec,
> quite respectable for a 32/33 PCI bus machine. As a firewall, doing
> IPSEC, 20 Mbit/sec uses about 15% of the CPU. Not too bad for a
> fanless machine drawing less than 30 watts total including disks.
>
> geoff steckel

I'm so dependent upon GUIs while transitioning over from many years of a career in microsoft support... I am perfectly comfortable installing and configuring OSs and applications from the command line, but when it comes time to see what *state* the machine is in, my little brain needs pretty colors and pointy-clicky. Even though booting up OpenBSD 4.1 and 4.2 takes longer than it should (both from SATA and a 2GB CompactFlash), I'll give 4.3 a spin and keep it strictly command-line.

Unfortunately, adding a PCI card isn't an option, since both motherboards are in the same 1U case and portability is paramount (it has to ride in a C-130 back and forth from the middle east). Unless I can fabricate a circuit card just large enough to fit in the PCI slot and then use a cable to pull it up into a free 1U space, then break it back out into a card slot... (A plot is forming in my head) I do have 1U free in the 6U toughbox, and it could just as well be a dedicated external PCI card case, lol. There's probably issues with signal timing and attenuation if the PCI bus gets longer than a few inches, though.

What sort of case do you have your boards in?

I do appreciate the very-low power draw of the Migrus C787-1.5G, and heat was never an issue even in the worst Mesopotamia had to offer. The whole setup (VSAT satellite receiver, UPS, ethernet switch, active power distribution, servers with two 3.5" SATA drives each, and one shared monitor) pulls under 1 amp in total and never hiccupped using filthily transformed 220V --> 110V, 50Hz electricity. I expected at least *one* device to demand 60Hz but I was fortunately wrong. I was able to provide unfiltered internet access to my fellow servicemembers - the US military blocks services such as myspace.com, yahoo instant messenger (and of course, pr0n) over the network they provide for morale, but most of the people there are young and can't live without.

JC
A list of non-free compliant companies?
First, Theo, thank you for your work to keep non-free drivers out of free operating systems. I am a die-hard GNU, however I really respect your work and applaud you for giving your time. Every push counts.

Does someone have a list of companies (model numbers included) that have produced free drivers for their hardware? I'm making yet (another) fork of Ubuntu named Gridnix, for those who want a completely free server OS that lends well to virtualization and clustering. I hope to say on our website, if you use "such and such, our OS won't work for you, go away and complain to your hardware manufacturer."

My hope is that my ideals do not get in the way of productivity. I don't re-license code, I don't preach and I don't argue. I'm just hoping to gather some information. 2/3 of the patches that I've submitted (and were accepted) have been under the modified BSD license.

Hopefully, someone can help :)

--
Monkey + Typewriter = Echoreply ( http://echoreply.us )
Re: Thinkpad X41 and tpwireless
On 2008-05-06, Adam Patterson <[EMAIL PROTECTED]> wrote: > I had purchased a new supported mini-pci car for my x41 Tablet only to > find out that tpwireless doesn't support the x41 series as well as some > others. > > Is there any alternative way that people know of for unlocking this in > the x41 series? Easy way is to buy one the BIOS already supports, plenty on ebay. http://www.thinkwiki.org/wiki/Problem_with_unauthorized_MiniPCI_network_card doesn't give much help for X41. There are some suggestions to reprogram IDs in the eeprom of the card, and hack the drivers to work with them, but it's not worth it. > Maybe a supported list should be put in a man page for it or in the > package description. I was able to find the information (about it not > being supported) it in the misc archives though. I should have checked > first but I thought the x40 and x41 were almost identical. Oh well. The disk controllers are also very different.
Re: ral(4) hostap plea
On 2008-05-07, Pierre Riteau <[EMAIL PROTECTED]> wrote: >> I have a ral (MSI54G PCI card in a Soekris 4801 pf firewall) that I use > > I agree this is a good card, I have the very same: > ral0 at pci1 dev 8 function 0 "Ralink RT2560" rev 0x01: irq 11, address > 00:13:d3:00:43:fc > ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525 I have a pair of Gigabyte cards which identify the same way; ral0 at pci0 dev 16 function 0 "Ralink RT2560" rev 0x01: irq 10, address 00:0f:ea:84:f4:ed ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525 They are terrible, very poor signal strength on both. I guess there's either a lot of difference between cards using the same ICs, or they're very sensitive to pigtail or something (though I tried several). I'd really like to have a sure-fire, always-works MiniPCI card for hostap that can be bought individually... any suggestions? are the 11n ral(4) any more predictable? anyone got CM9 working?
Re: Thinkpad X41 and tpwireless
I have a X41 Tablet, and it has standard Atheros wireless: 04:02.0 Ethernet controller: Atheros Communications, Inc. AR5212 802.11abg NIC (rev 01) Tom.
Re: ral(4) hostap plea
On Wed, May 07, 2008 at 04:15:23PM +1000, Rod Whitworth wrote:
> On Tue, 6 May 2008 23:26:26 -0600, Daniel Melameth wrote:
>
> >On Tue, May 6, 2008 at 9:05 PM, James Turner <[EMAIL PROTECTED]> wrote:
> >> I've been trying to get my new ral(4) card to work like I would expect it
> >> to. I've read through most if not all the talk on misc@ about running these
> >> cards in hostap mode. I would really like to replace my wi(4), which
> >> works really well, with my new ral(4) and enjoy 11g and later wpa.
> >> Sadly, the performance is just not there in both 11b or 11g modes.
> >>
> >> Some info, the ral(4) is a Gigabyte GN-WP01GS which is an RT2561S. My
> >> basic hostname.ral0 reads: inet 192.168.1.1 255.255.255.0 NONE media
> >> autoselect mode 11g mediaopt hostap nwid my_net nwkey secret chan 11.
> >> I've enabled RAL_DEBUG in my kernel and selected one of the standard
> >> channels with the highest power. This is on 4.2 -release + patches. If
> >> anyone has any new or additional information that might be helpful I
> >> would greatly appreciate it, otherwise I guess I'll stick to my trusted
> >> wi(4).
> >
> >Personally, I've given up on using OpenBSD as an AP--though I have for
> >years. Back when I used wi, everything worked very well. However,
> >802.11g drivers/cards work very poorly as APs. While speed with them
> >can be good at times, different wireless clients performed erratically
> >and frequently the AP would lock up. I have since moved on and now
> >use commercial APs.
> >
> >Sorry if this is not what you were looking for. I'd love to say
> >802.11g, OpenBSD and APs work swimmingly, but that has never been the
> >case for me.
> >
> H. MMMV (My Mileage Must Vary)
>
> I have a ral (MSI54G PCI card in a Soekris 4801 pf firewall) that I use
> for laptop connectivity inside my Faraday Cage house. It also talks to
> a wireless router hacked to be a wireless interface for my PVR
> (Topfield) so that the Toppy can get its EPG updates every day and
> transfer recorded stuff to a PC for editing. It looks like this:
> $ ifconfig ral0
> ral0: flags=8943 mtu
> 1500
> lladdr 00:13:d3:6b:a9:be
> media: IEEE802.11 autoselect mode 11g hostap
> status: active
> ieee80211: nwid puffy2 chan 11 bssid 00:13:d3:6b:a9:be nwkey
> 100dBm
> inet 192.168.181.1 netmask 0xff00 broadcast 192.168.181.255
> inet6 fe80::213:d3ff:fe6b:a9be%ral0 prefixlen 64 scopeid 0x4
>
> and it does ftp which talks to the Toppy through USB 1 connection:
> ftp> get HDDInfo.tap
> local: HDDInfo.tap remote: HDDInfo.tap
> 227 Entering Passive Mode (192,168,181,81,4,68)
> 150 Opening BINARY mode data connection for 'HDDInfo.tap' (189924
> bytes).
> 100% |**| 185 KB
> 00:00
> 226 Transfer complete.
> 189924 bytes received in 0.38 seconds (487.06 KB/s)
> $
>
> Not too shabby and it does stuff lots faster talking to the laptop
> quite reliably.
>
> FWIW.
>
> Rod/
> (Any off-list replies to the reply-to address only, please. Others are
> tarpitted.)
> --
> Did you hear about the Buddhist who refused his dentist's Novocain
> during root canal work? He wanted to transcend dental medication.
>

I agree this is a good card, I have the very same:

ral0 at pci1 dev 8 function 0 "Ralink RT2560" rev 0x01: irq 11, address 00:13:d3:00:43:fc
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525

and I can easily get 2.6 MB/s with sftp.

--
Pierre Riteau
Re: consultas a los BSD's
But you Jordi, when you reply, you can be a little more soft? Everybody makes mistakes, give a chance to all ;) I will.
Re: ral(4) hostap plea
On 2008-05-07, Daniel Melameth <[EMAIL PROTECTED]> wrote:
> Personally, I've given up on using OpenBSD as an AP--though I have for
> years. Back when I used wi, everything worked very well. However,
> 802.11g drivers/cards work very poorly as APs.

Some 802.11g drivers/cards... I've had nothing but good luck with acx, though I don't know where to buy them in MiniPCI format without dismantling a commercial AP.
Re: net-snmp and openbsd
On 2008-05-07, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
> I am having some issues getting snmpd going on one of my boxes,
> wondering if some snmp guru can help me here.

Do you actually need some Net-SNMP feature? Despite the comment at the bottom of snmpd(8), the snmpd in base works well for many of the common uses. (If you haven't upgraded to 4.3 yet, this would be a good reason to do so).