Re: OpenBSD 4.4 httpd reverse proxy

2008-11-06 Thread Pc Nicolas
Yes, I'm sure!

It is a weird problem...
In fact httpd does not proxy anything even with a successful compilation.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
disintx
Sent: Thursday 6 November 2008 03:05
To: misc@openbsd.org
Subject: Re: OpenBSD 4.4 httpd reverse proxy

Are you certain that /var/www/proxy/ is writeable by the server?
i.e. what is the owner/group of the directory and what are the permissions?

Pc Nicolas wrote:
 Hi
 
  
 
 I am trying to reconfigure httpd on OpenBSD 4.4 to do reverse proxying, as I have done for
 years, following this documentation:
 http://undeadly.org/cgi?action=article&sid=20040118105719
 
  
 
 I can't get it done.
 
 The only relevant message is in /var/www/logs/error_log 
 
 (13)Permission denied: proxy: error creating cache file
 /var/www/proxy/tmpzjzsP11224
 
  
 
 The permissions are the same as OpenBSD 4.3.
 
 I tried with chroot and without chroot (httpd -u).
 
  
 
 Any idea ?
 
  
 
 Thanks
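An added example, not something posted in this thread, of the check disintx asks for: it resolves a user name and answers whether that uid could create a file in a directory, using the same owner/group/other bits the kernel consults, which is exactly what the `(13)Permission denied` on the cache file comes down to. /var/www/proxy and the www user come from the thread and from OpenBSD's stock httpd configuration; the temporary directories and the uid 65534 used to try it out are assumptions.

```python
import grp
import os
import pwd
import stat
import tempfile


def gids_of(user: str) -> set[int]:
    """Primary plus supplementary gids of a named user."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if user in g.gr_mem)
    return gids


def my_identity() -> tuple[int, set[int]]:
    """uid and gid set of the calling process (handy for a quick self-test)."""
    return os.getuid(), set(os.getgroups()) | {os.getgid()}


def dir_creatable_by(path: str, uid: int, gids: set[int]) -> tuple[bool, str]:
    """Could a process running with this uid and these gids create a file in
    `path`?  Creating a file needs write AND search (x) permission on the
    directory, judged by the first matching class: owner, then group, then
    other.  root is deliberately not special-cased: httpd has already switched
    to the www user by the time it writes proxy cache files."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False, f"{path} is not a directory"
    if st.st_uid == uid:
        cls, need = "owner", stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        cls, need = "group", stat.S_IWGRP | stat.S_IXGRP
    else:
        cls, need = "other", stat.S_IWOTH | stat.S_IXOTH
    ok = (st.st_mode & need) == need
    verdict = (f"{path}: mode {stat.S_IMODE(st.st_mode):04o} owner uid {st.st_uid} gid {st.st_gid}; "
               f"uid {uid} falls in class '{cls}' -> "
               + ("can create files" if ok else "cannot create files (EACCES, as in the error_log)"))
    return ok, verdict


def check_for_user(path: str, user: str) -> tuple[bool, str]:
    """Resolve a user name and run the check.  Test the real path even when
    httpd is chrooted to /var/www and sees the directory as /proxy."""
    pw = pwd.getpwnam(user)
    return dir_creatable_by(path, pw.pw_uid, gids_of(user))


def make_scratch_dir(mode: int) -> str:
    """Temporary directory with an explicit mode, for trying the check out."""
    d = tempfile.mkdtemp(prefix="proxycache-")
    os.chmod(d, mode)
    return d


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/www/proxy"   # cache dir from the thread
    user = sys.argv[2] if len(sys.argv) > 2 else "www"              # OpenBSD's httpd user
    ok, why = check_for_user(path, user)
    print(why)
    sys.exit(0 if ok else 1)
```

Run it as `python3 check.py /var/www/proxy www` on the gateway; an exit status of 1 with the "class 'other'" verdict means the directory is owned by someone else and world-unwritable, which is the usual cause of the error above.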



Xorg: ABI mismatch

2008-11-06 Thread giovanni
Just updated to the latest Xorg. Apart from the intel sync-to-vblank issue, no
troubles at all at first glance,
but I have started seeing this in the logs (excerpt):

(II) LoadModule: record
(II) Loading /usr/X11R6/lib/modules/extensions//librecord.so
(II) Module record: vendor=X.Org Foundation
compiled for 1.4.2, module version = 1.13.0
Module class: X.Org Server Extension
ABI class: X.Org Server Extension, version 0.3
(EE) module ABI major version (0) doesn't match the server's version (1)
(II) UnloadModule: record
(II) Unloading /usr/X11R6/lib/modules/extensions//librecord.so
(EE) Failed to load module record (module requirement mismatch, 0)
(II) LoadModule: xtrap

(II) Loading /usr/X11R6/lib/modules/extensions//libxtrap.so
(II) Module xtrap: vendor=X.Org Foundation
compiled for 1.4.2, module version = 1.0.0
Module class: X.Org Server Extension
ABI class: X.Org Server Extension, version 0.3
(EE) module ABI major version (0) doesn't match the server's version (1)
(II) UnloadModule: xtrap
(II) Unloading /usr/X11R6/lib/modules/extensions//libxtrap.so
(EE) Failed to load module xtrap (module requirement mismatch, 0)

To get rid of it I have temporarily added:

Section "ServerFlags"
Option "IgnoreABI" "True"
EndSection

-- 
see ya,
giovanni



VPN Ipsec

2008-11-06 Thread Louis Opter
Hello,

I am trying to set up an ipsec vpn between two networks. But, I can't
figure out why it doesn't work.

I get some errors like (here on the malenfant gate, see network map
below) :
  Plcy 30 keynote_cert_obtain: failed to open
/etc/isakmpd/keynote//192.168.1.159/credentials
  Default rsa_sig_decode_hash: no public key found
  Default dropped message from $dugny_addr port 4500 due to notification
type INVALID_ID_INFORMATION

I don't understand why I have messages about keynote, because isakmpd is
launched with the -K flag (and why 192.168.1.159 instead of
$dugny_addr ?).

And, I don't understand why it doesn't find the public key. I have
correctly copied for each gate /etc/isakmpd/local.pub to the other gate
at /etc/isakmpd/pubkeys/ipv4/gate_ip


Here is my network map :

   { st_cyr_net : 192.168.2.0/24 }
|
   xl1 : 192.168.2.1
   [gate malenfant] OpenBSD 4.4-current (as of 10/18) on the
livebox's DMZ
   xl0 : 192.168.1.183
|
   192.168.1.1
   [adsl router/modem livebox]
   $st_cyr_addr


 @@@
   @@@ Internet
 @@@


   $dugny_addr
   [adsl router/modem livebox]
   192.168.1.1
|
   xl0 : 192.168.1.159
  [gate nemoto] OpenBSD 4.4-release on the livebox's DMZ
   xl1 : 192.168.3.1
|
   { dugny_net : 192.168.3.0/24 }

By DMZ I mean that all TCP and UDP ports are redirected to the gate.

I don't see why the liveboxes could be the problem, they redirect all the
traffic. How can NAT on the liveboxes cause trouble?

Because the two gates run different versions of OpenBSD?
I don't think so; however, malenfant will be upgraded to 4.4-release
tomorrow evening.

My ipsec.confs :
 - on nemoto :
  st_cyr_net=192.168.2.0/24
  dugny_net=192.168.3.0/24
  st_cyr_addr=xx.xx.xx.xx
  ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr
 - on malenfant :
  st_cyr_net=192.168.2.0/24
  dugny_net=192.168.3.0/24
  dugny_addr=yy.yy.yy.yy
  ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr

pf is correctly (I hope) configured on both gates with (here is a
snippet from malenfant's pf.conf) :
  set skip on { lo enc0 }
  block in
  pass out
  pass in on $ext_if proto { tcp udp } \
  from $dugny_addr to ($ext_if) port ipsec-nat-t
  pass in on $ext_if proto udp to ($ext_if) port isakmp

My two enc0 interfaces are up.

If you find my mistake(s), have ideas, or need more information please
tell me. Full configuration files and isakmpd log are available at:
http://www.kalessin.fr/stuff/openbsd_ipsec.tar.gz

Best Regards, Louis Opter.
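An added example, not part of Louis's post or of any reply on the list: the identity and key-lookup rule behind the `no public key found` line. isakmpd authenticates a peer by the ID the peer sends, and with no `srcid` configured the default ID is the address of the interface the daemon runs on, so a gateway sitting in a livebox DMZ presents its private address. That is consistent with the log above: 192.168.1.159 is nemoto's xl0, not $dugny_addr. With RSA signature authentication the public key is then looked for under /etc/isakmpd/pubkeys/ipv4/<that ID>, where nothing was installed. Giving both sides explicit IDs makes the lookup independent of the NAT. The FQDN-style names below are placeholders chosen for this example; the networks and address macros are the ones from the post.

```conf
# /etc/ipsec.conf on malenfant (added example; host names are placeholders)
st_cyr_net=192.168.2.0/24
dugny_net=192.168.3.0/24
dugny_addr=yy.yy.yy.yy

ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr \
        srcid malenfant.example.net dstid nemoto.example.net

# /etc/ipsec.conf on nemoto
st_cyr_net=192.168.2.0/24
dugny_net=192.168.3.0/24
st_cyr_addr=xx.xx.xx.xx

ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr \
        srcid nemoto.example.net dstid malenfant.example.net

# With FQDN IDs the peer's key is looked up by name rather than by address:
#   on malenfant: nemoto's    /etc/isakmpd/local.pub -> /etc/isakmpd/pubkeys/fqdn/nemoto.example.net
#   on nemoto:    malenfant's /etc/isakmpd/local.pub -> /etc/isakmpd/pubkeys/fqdn/malenfant.example.net
# Without srcid/dstid the equivalent is to install the key under the ID the
# peer actually sends, which the log shows: /etc/isakmpd/pubkeys/ipv4/192.168.1.159
# on malenfant (and malenfant's xl0 address, 192.168.1.183, on nemoto).
```

After `ipsecctl -f /etc/ipsec.conf` on both gates, `ipsecctl -sa` lists the flows with their srcid/dstid; those two values are what the pubkeys directory layout has to match, and the pf rules for udp/500 and udp/4500 already in the post are all that is needed for NAT-T through the liveboxes.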



Re: PF: very simple question...

2008-11-06 Thread Limaunion

Limaunion wrote:
Hi, for some reason my OpenBSD 4.4 firewall has been able to negotiate 
DHCP requests although there are no rules that allow this operation.




Thanks everyone for the explanation, I wasn't sure what was wrong with 
my configuration. Now it's clear.

Best regards.
JC



Re: Duplicate incoming packets to multiple destinations using pf

2008-11-06 Thread Simen Stavdal
Ok,

Here are the first results
I have set up loopback addresses with the same ip address on two
receivers (for testing). (A.A.A.10)
Each receiver has unique external IP addresses in the same subnet as the
$nms_if

First, I created this rule :
pass in on $int_if dup-to ( $nms_if $nms_broadcastaddress ) proto udp
from 10.10.10.1 to $receiverloopbackaddress port 162
# I have tried to make the macros self-explanatory, so I won't include
their definitions here.
The rule gets accepted, and expands to :
pass in quick on bge1 dup-to (vlan4 A.A.A.15) inet proto udp from
10.10.10.1 to A.A.A.10 port = snmp-trap keep state
# The subnet is /28, hence the broadcast is .15 on network 0.

Although pf accepts the syntax, nothing happens when firing off a trap to
A.A.A.10.
If I replace $nms_broadcastaddress with one of the physical addresses
(f.ex A.A.A.1 or A.A.A.2) I can see the trap coming from 10.10.10.1 and
heading for A.A.A.10 on the receiver.

Since dup-to a broadcast address doesn't seem to work (unless I am doing
something completely wrong), I then need to specify multiple hosts, which
is not supported.
I can add a single address for the dup-to rule, but trying to add
multiple hosts gives me a syntax error when trying to load the conf
file.

I tried ( { $nms_if $nms-a, $nms_if $nms-b } ) but apparently this is not
supported (and syntax error is my bane).

So, I am sort of back to square one... broadcast is not supported and
multiple individual receivers are not supported.
BTW, Please correct me if anyone has been successful at this, because I
don't want to conclude on this unless it is correct.

That leaves me with multicast, which is yet to be tried, however, I don't
have much experience with this one, so testing may take  a little
longer...

Cheers,
Simon.

On Wed Nov 5 17:12 , Damian Gerow sent:

  Good luck, and let the list know how this fares out. I'm sure you're not
  the only person who's run into this problem before, and I'm curious to see
  what works out for your setup.

  As for submitting a feature request... TBH, I don't know. I'm not sure if
  sendbug is appropriate for feature requests or not. Given the text under
  http://www.openbsd.org/report.html, it sounds like sendbug is appropriate
  for feature requests, but you may want to double-check that yourself.

  - Damian

  Simen Stavdal wrote:
  :
  : Hello again,
  : Ok, I think we are getting closer to a resolution.
  : I like the loopback solution (never thought of that), it should work
  : for udp at least since it is connection-less, and it would work for my
  : scenario and netflow alike.
  : Then you could add multiple loopbacks to subscribe to different snmp
  : traps.
  : Tomorrow I will test this, and I will let you know how I got on.
  : If one were to request a new feature from the OBSD developers, how
  : would one go about it?
  : Regarding whether or not it is the right tool to use, I agree, should
  : be up to the developers, but I thought it would be a natural place,
  : since it can be combined with a lot of other features,
  : such as carp for redundancy etc, ...TBC...
  : Russell and Damian also suggested sending traps as multicast, which I
  : will give a try too.
  : So long, and thanks for all the help so far!
  : Cheers,
  : Simon.
  : On Wed Nov 5 16:29 , Damian Gerow sent:
  :
  : Simen Stavdal wrote:
  : : Worth submitting a feature request?
  : : --- It looks like this would be the best solution ---
  : Sounds like you have your desired solution. So long as the OBSD developers
  : accept your request as valid.
  : : --- The subject of my posting is Duplicating incoming packets to
  : : multiple destinations using pf ---
  : : --- And I never initially asked a closed question, but I did state
  : : a scenario ---
  : Right, so I was led to believe that the context of your question was limited
  : to re-mapping SNMP destinations. In other words, you had a specific problem
  : on hand to solve, and that SNMP trap multiplexing was that problem.
  : : You have a piece of machinery. It's going to send traffic, to a given
  : : destination. However, this destination may be more than one machine. It
  : : may be two. It may be five. And the traffic may be single datagrams, or
  : : it may be a constant stream. Who knows. You don't want to update the
  : : source when this destination point changes, due to administrative
  : : overhead.
  : : So, you need an arbitrary resolution that is not protocol-specific, that
  : : provides a single point of management (or otherwise incurs a very low
  : : administrative overhead), and where the client doesn't need to be
  : : modified.
  : : --- I wouldn't describe the scenario as arbitrary ---
  : Let's not argue over words.
  : You need a resolution that can be applied to any number of situations. You
  : need a resolution that is sufficiently abstracted such that it addresses
  : the root problem, 

OpenBSD Remote Access Server

2008-11-06 Thread Insan Praja SW

Hi Misc@,
In a few days I'm going to start a new RAS project, and I'd like to use OBSD
as a ppp/pppoe server. Has anyone ever done this before? I'm looking to
manage ppp client access and bandwidth using a radius server, but I have
limited experience with ppp servers and radius.
If anyone is willing to share their experiences, any enlightenment and shred of
light would be much appreciated.

Warm Regards,


Insan
--
insandotpraja(at)gmaildotcom



isakmpd routing woes

2008-11-06 Thread Carlos Laviola
Hello,



I have three /24 networks connected to each other through multihomed OpenBSD 
4.0 servers using isakmpd(8). Recently, new point-to-point links have been 
installed between each of those networks on separate interfaces, and I would 
like to make it so traffic coming from/through specific (single) IPs in each of 
those networks reaches other specific single IPs in the other networks. Simply 
using route(8) was not enough, so I'm wondering if anyone knows if and how this 
can be done -- if this can still be done through isakmpd, great, but a way to 
bypass it so that the traffic can be redirected to the interfaces with the new 
links would also be enough.



Thanks in advance!

Carlos



[ Please Cc replies to me if possible, as I'm not subscribed to the list. ]




Re: SSL error

2008-11-06 Thread jmc
--- Doug Milam [Wed, Nov 05, 2008 at 07:58:39PM -0800]: --- 
 I've followed the SSL instructions in the FAQ, 
 http://www.openbsd.org/faq/faq10.html#HTTPS, but I get the following error in 
 Firefox (other browsers don't work either)
 
 SSL received a record that exceeded the maximum permissible length.
 (Error code: ssl_error_rx_record_too_long)
 
 PF allows connections to port 443, and the IfDefine segment of my 
 httpd.conf is enabled to listen on this port. -DSSL is enabled in 
 rc.conf.local

what happens if you `openssl s_client -connect $your_ip:443` ? are you
able to negotiate a connection then?

are there any hints in the httpd logs?

what version of OpenBSD? have you modified httpd's default config in any
other way?
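An added example, not from jmc's reply or from the FAQ: what the Firefox error actually says, shown with the bytes. A TLS client reads five bytes from the server first (1-byte content type, 2-byte version, 2-byte record length). When nothing on port 443 is speaking TLS and httpd answers in plain HTTP, the bytes `H T T P /` decode as type 0x48, version 84.84 and length 0x502f = 20527, above the 18432-byte maximum a TLS record may have, and that is precisely `ssl_error_rx_record_too_long`. The probe below sends a minimal ClientHello by hand (so it does not depend on what the local OpenSSL is willing to negotiate) and classifies the first bytes that come back; the host name in the `__main__` is a placeholder and the header bytes in the test are constructed.

```python
import os
import socket
import struct

# A TLS record may carry at most 2^14 bytes plus 2048 bytes of
# compression/MAC/padding expansion (RFC 2246 6.2.3); clients reject anything larger.
TLS_MAX_RECORD = 16384 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def classify_record_header(first5: bytes) -> str:
    """Read the first five bytes from a server the way a TLS client does:
    1-byte content type, 2-byte version, 2-byte record length."""
    if len(first5) < 5:
        return "short read: no TLS record header"
    ctype, major, minor, length = struct.unpack("!BBBH", first5[:5])
    if ctype in CONTENT_TYPES and major == 3:
        kind = CONTENT_TYPES[ctype]
        if length > TLS_MAX_RECORD:
            return f"TLS {kind} record with oversized length {length}"
        return f"TLS {kind} record, version {major}.{minor}, length {length}"
    verdict = f"not a TLS record: type={ctype:#04x} version={major}.{minor} length={length}"
    if length > TLS_MAX_RECORD:
        verdict += f" (> {TLS_MAX_RECORD}, hence ssl_error_rx_record_too_long)"
    if first5[:4] == b"HTTP":
        verdict += "; it is a plaintext HTTP response, so port 443 is not speaking TLS"
    return verdict


def client_hello() -> bytes:
    """Minimal TLS 1.0 ClientHello with three classic cipher suites and no
    extensions: enough to make any TLS server answer with a ServerHello or an
    alert, while a plain-HTTP listener answers with text."""
    suites = b"\x00\x2f\x00\x35\x00\x0a"                        # AES128-SHA, AES256-SHA, DES-CBC3-SHA
    body = (b"\x03\x01" + os.urandom(32) + b"\x00"             # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                      # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello, classify whatever comes back first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello())
        return classify_record_header(sock.recv(5))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "localhost"))   # host is a placeholder
```

A "plaintext HTTP response" verdict means the SSL VirtualHost never became active (typically httpd was started without -DSSL, so the `<IfDefine SSL>` block was skipped and the plain server got port 443); a "TLS alert" or "TLS handshake" verdict means the listener is fine and the problem lies in the certificate or elsewhere.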



Re: PF: very simple question...

2008-11-06 Thread Stuart Henderson
On 2008-11-06, Can Erkin Acar [EMAIL PROTECTED] wrote:
 Parsing raw network 
 data, even from a file, provides an opportunity to inject incredible 
 amounts of malicious input to the parser. That is also one reason we do 
 not have ethereal/wireshark in ports. The last time I looked, they had a 
 lot of parsers and an incredible amount of complex code tied to that 
 stream of malicious input.

wireshark now has support to run only the packet capture as a
privileged user (by installing dumpcap setuid to a user with read
access to /dev/bpf, typically root but can be another if you change
permissions). the dissectors and UI are run as whichever user
started it.

unfortunately, they haven't gone as far as we did with tcpdump -
wireshark's dissectors are run as the normal user starting it,
not jailed in an unprivileged process. anyone considering running
it should still take a lot of care...
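An added example, not Wireshark's or tcpdump's own code: the separation Stuart describes, as a runnable Python sketch. The bytes of a capture file are only ever parsed in a forked child that has chrooted into an empty directory and switched to an unprivileged uid before looking at them (this only takes effect when started as root, as a capture tool would be; an unprivileged start still gets the CPU cap), while the parent never touches the data and reads back a small JSON verdict over a pipe. The parser is a deliberately small classic-pcap walker that treats every length field as hostile. The uid 65534 and the temporary jail directory standing in for /var/empty are assumptions, and the capture bytes built by `sample_pcap()` are constructed.

```python
import json
import os
import resource
import struct
import tempfile

PCAP_HDR, PKT_HDR, MAX_SNAPLEN = 24, 16, 262144
UNPRIV_UID = 65534   # assumption: the classic "nobody" uid; use a dedicated user in practice


def parse_pcap(data: bytes) -> dict:
    """Walk a classic pcap file held in memory; validate the global header,
    then every record header, before trusting any offset."""
    if len(data) < PCAP_HDR:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"            # written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"            # written big-endian
    else:
        raise ValueError(f"bad magic {magic:#x}")
    vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:PCAP_HDR])
    if vmaj != 2 or snaplen == 0 or snaplen > MAX_SNAPLEN:
        raise ValueError(f"unsupported version {vmaj} or snaplen {snaplen}")
    off, count, total = PCAP_HDR, 0, 0
    while off < len(data):
        if len(data) - off < PKT_HDR:
            raise ValueError(f"truncated record header at offset {off}")
        _ts, _us, caplen, origlen = struct.unpack(end + "IIII", data[off:off + PKT_HDR])
        # caplen must fit the snaplen, the original packet and the file itself
        if caplen > snaplen or caplen > origlen or caplen > len(data) - off - PKT_HDR:
            raise ValueError(f"record {count}: bad caplen {caplen}")
        off += PKT_HDR + caplen
        count += 1
        total += origlen
    return {"linktype": linktype, "snaplen": snaplen, "packets": count, "bytes": total}


def lock_down(jail: str) -> None:
    """Child-side lockdown in the spirit of OpenBSD tcpdump's parser process:
    chroot into an empty directory and drop to an unprivileged uid/gid.
    Only possible when started as root; the CPU cap applies either way."""
    if os.geteuid() == 0:
        os.chroot(jail)
        os.chdir("/")
        os.setgroups([])
        os.setgid(UNPRIV_UID)
        os.setuid(UNPRIV_UID)
    _, hard = resource.getrlimit(resource.RLIMIT_CPU)
    cap = 5 if hard == resource.RLIM_INFINITY else min(5, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (cap, cap))   # a looping dissector dies, not the host


def parse_untrusted(data: bytes) -> dict:
    """Run parse_pcap() in a forked, locked-down child; the parent only reads
    back a small JSON verdict and never interprets the capture itself."""
    jail = tempfile.mkdtemp(prefix="pcap-jail-")   # stands in for /var/empty
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:                                   # child: the only process that parses
        os.close(rfd)
        try:
            try:
                lock_down(jail)
                out = {"ok": True, "result": parse_pcap(data)}
            except Exception as exc:               # any parser failure is just a verdict
                out = {"ok": False, "error": f"{type(exc).__name__}: {exc}"}
            os.write(wfd, json.dumps(out).encode())
        finally:
            os._exit(0)
    os.close(wfd)                                  # parent
    chunks = []
    while True:
        chunk = os.read(rfd, 65536)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    os.rmdir(jail)
    if not chunks:
        return {"ok": False, "error": f"parser process died, wait status {status:#x}"}
    return json.loads(b"".join(chunks))


def sample_pcap(packets: list[bytes], linktype: int = 1) -> bytes:
    """Constructed test input: a little-endian pcap holding the given packets."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    recs = b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in packets)
    return hdr + recs


if __name__ == "__main__":
    good = sample_pcap([b"\x00" * 60, b"\xff" * 100])
    print(parse_untrusted(good))
    print(parse_untrusted(good[:24] + b"\x00" * 8 + b"\xff" * 8 + b"x"))   # hostile caplen
```

The parent keeps no state from the child beyond the JSON it chose to believe; a real tool would also need the file descriptor for /dev/bpf opened before the fork and passed only to the capturing side, which is the part dumpcap's setuid split gets right and the dissector side does not.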



HP DL180 hangs on boot

2008-11-06 Thread Alexander Hall
Hi!

I have issues booting a HP ProLiant DL180 G5 (456830-421) [1] which I
hope someone can shed some light on.

[ While writing this email I've done some more testing and realized
that the behaviour is not really consistent, but what I describe
below is a typical case ]

1. The machine takes loong pauses (usually two; sometimes more) while
   loading the kernel.
   - The first long pause is after entry point at ... line,
 and is about 90s. [noticed now that pressing any key on the
 keyboard makes it go on... interrupt issues?]
   - Second pause is after pckbd0 at isa0... and lasts
 approximately 3 to 5 minutes.

Dunno if it means anything, but somewhere in between the pauses
described first above, the machine beeps once. I get similar beeps
when adding or removing an usb stick, so it might be related to usb.

2. Sometimes the machine shuts down and restarts slightly after the
   kernel is loaded (might have time to show the (I)nstall...
   prompt). I don't have serial console for now so I cannot tell
   exactly. A few times I have seen the capital letter F being
   printed out (gray on blue) prior to the reboot.

disabling isa and pci seems to make it not hang but makes it rather
unusable... :-d

If the machine gets past loading and initializing the kernel without
rebooting, it seems fine but all I've done so far is installing 4.4.

The HP product id is 456830-421 with 1G RAM replaced by 4G (2+2)
and a 250GB SATA drive. The machine has no proper raid AFAICT (ie no
E200 or P400) but some (likely crappy) built-in semi-raid. Reinserting
the original memory stick did not improve anything, nor did removing
the harddrive.

The diagnostics test showed no errors, but i'm running it now over
the weekend. I'm going to try a firmware upgrade too.

Any clues are appreciated. dmesg from after the successful install (bsd.rd) 
follows.

Thanks,
Alexander

[1] 
http://h10010.www1.hp.com/wwpc/uk/en/sm/WF06b/15351-15351-3328412-3328421-3328421-3580698-3673202.html

==

OpenBSD 4.4-current (RAMDISK_CD) #203: Sun Nov  2 13:41:35 MST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 3745857536 (3572MB)
avail mem = 3635634176 (3467MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xfc4b0 (65 entries)
bios0: vendor HP version O19 date 08/20/2008
bios0: HP ProLiant DL180 G5
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC MCFG SPMI SLIC OEMB HPET SSDT EINJ BERT ERST HEST
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (NPE2)
acpiprt2 at acpi0: bus 2 (NPE3)
acpiprt3 at acpi0: bus 3 (NPE4)
acpiprt4 at acpi0: bus 5 (NPE6)
acpiprt5 at acpi0: bus 10 (P0P1)
acpiprt6 at acpi0: bus 9 (P0PE)
acpiprt7 at acpi0: bus 8 (P0P3)
acpiprt8 at acpi0: bus 7 (BCM_)
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Xeon(R) CPU E5420 @ 2.50GHz, 2494.12 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu0: 6MB 64b/line 16-way L2 cache
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 Intel 5100 Host rev 0x80
ppb0 at pci0 dev 2 function 0 Intel 5100 PCIE rev 0x80
pci1 at ppb0 bus 1
ppb1 at pci0 dev 3 function 0 Intel 5100 PCIE rev 0x80
pci2 at ppb1 bus 2
ppb2 at pci0 dev 4 function 0 Intel 5100 PCIE rev 0x80
pci3 at ppb2 bus 3
ppb3 at pci0 dev 5 function 0 Intel 5100 PCIE rev 0x80
pci4 at ppb3 bus 4
ppb4 at pci0 dev 6 function 0 Intel 5100 PCIE rev 0x80
pci5 at ppb4 bus 5
ppb5 at pci0 dev 7 function 0 Intel 5100 PCIE rev 0x80
pci6 at ppb5 bus 6
pchb1 at pci0 dev 16 function 0 Intel 5100 FSB rev 0x80
pchb2 at pci0 dev 16 function 1 Intel 5100 FSB rev 0x80
pchb3 at pci0 dev 16 function 2 Intel 5100 FSB rev 0x80
pchb4 at pci0 dev 17 function 0 Intel 5100 Reserved rev 0x80
pchb5 at pci0 dev 19 function 0 Intel 5100 Reserved rev 0x80
pchb6 at pci0 dev 21 function 0 Intel 5100 DDR rev 0x80
pchb7 at pci0 dev 22 function 0 Intel 5100 DDR rev 0x80
uhci0 at pci0 dev 26 function 0 Intel 82801I USB rev 0x02: irq 11
uhci1 at pci0 dev 26 function 1 Intel 82801I USB rev 0x02: irq 14
uhci2 at pci0 dev 26 function 2 Intel 82801I USB rev 0x02: irq 5
ehci0 at pci0 dev 26 function 7 Intel 82801I USB rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb6 at pci0 dev 28 function 0 Intel 82801I PCIE rev 0x02: irq 11
pci7 at ppb6 bus 9
ppb7 at pci0 dev 28 function 4 Intel 82801I PCIE rev 0x02: irq 11
pci8 at ppb7 bus 8
vga1 at pci8 dev 0 function 0 Matrox MGA G200e (ServerEngines) rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
ppb8 at pci0 dev 28 function 5 Intel 82801I PCIE rev 0x02: irq 10
pci9 at ppb8 bus 7
bge0 at pci9 dev 0 function 0 Broadcom BCM5722 rev 0x00, BCM5755 C0 (0xa200): 
irq 10, address 00:22:64:42:1b:23
brgphy0 at bge0 phy 1: BCM5722 10/100/1000baseT PHY, rev. 0
uhci3 at pci0 dev 29 function 0 Intel 82801I USB rev 0x02: irq 7

Re: Xorg: ABI mismatch

2008-11-06 Thread Hannah Schroeter
Hi!

On Thu, Nov 06, 2008 at 09:18:13AM +0100, giovanni wrote:
just updated latest Xorg. apart from the sync-to-vblank intel's issue no 
troubles at all at first glance 
but I start seeing this in the logs (excerpt)

[...]

I have many more issues.

For this issue, I regenerated the configuration file (X -configure),
and use only the modules named in the generated configuration file.

These are:

Section "Module"
Load  "dbe"
Load  "dri"
Load  "extmod"
Load  "glx"
Load  "freetype"
EndSection

So GLcore, record, xtrap and type1 are gone from the previous config
file.

However, my previous fontpath additions won't work. If I keep them, I
get this *fatal* error:

  Fatal server error:
  could not open default cursor font 'cursor'
  giving up.

If I keep only the default font path, things work.

My font path additions would be these:

+   #FontPath /usr/local/share/fonts/override/
+   #FontPath /usr/local/openoffice/share/fonts/truetype
+   #FontPath /usr/local/share/fonts/
+   #FontPath /usr/local/lib/metamail/fonts
+   #FontPath /usr/local/lib/X11/fonts/terminus/
+   #FontPath /usr/local/lib/X11/fonts/freefont/
+   #FontPath /usr/local/lib/X11/fonts/mscorefonts
+   #FontPath /usr/local/lib/X11/fonts/ecoliercourt
+   #FontPath /usr/local/lib/X11/fonts/artwiz-aleczapka

All @fontdirs from ports (not even the complete list from all
my installed packages, as I see now, after a
grep '@fontdir' /var/db/pkg/*/+CONTENTS).

Another issue is even more glitches in xterm (when I move it around,
occasionally a line remains where it doesn't belong, until it's either
overwritten by text or a full redraw is triggered; and sometimes the
line between the scrollbar and the text pane wasn't seen; maybe both
issues are gone after I recompiled xenocara myself, at least couldn't
reproduce it today).

The old glitch (text is garbled after switching the font using the
Ctrl-Mouse3 menu) that has been there since the switch from XF4 to
xenocara is still there (and it's not necessarily from xorg, as it's *not*
there on Debian Linux, and it's not graphics card specific, because it
*is* there on two OpenBSD boxen with different graphics cards).

At least the issue with Greek fonts seems to be gone with the latest
update. :-)

Kind regards,

Hannah.



Re: HP DL180 hangs on boot

2008-11-06 Thread Christophe Rioux
I had a similar issue on the HP DL 120 G5.

Solution is: deactivate the RAID controller in the BIOS. If you need to use
some RAID, use raidctl which is working again in version 4.4

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Alexander Hall
Sent: Thursday 6 November 2008 14:44
To: misc@openbsd.org; [EMAIL PROTECTED]
Subject: HP DL180 hangs on boot


fjnews12-2008

2008-11-06 Thread funjet
FUNJET

FUNJET SPORTS ASSOCIATION (ASSOCIAZIONE SPORTIVA FUNJET)

www.funjet.it [EMAIL PROTECTED]

FJNEWS 12/2008

With the race of Sunday 2 November 2008, A.S.D. Funjet of Empoli closes
an exciting competitive season in the best possible way.

At Marina di Massa, in the last round of the Italian Jet Ski Endurance
Championship (Campionato Italiano Moto D'Acqua Endurance), Funjet took
another 2 national titles, with Angelo Bertozzi (Massa) Italian Champion
in the F2 4T class and Andrea Bergamo (Pordenone) Italian Champion in
F1 2T, bringing the Italian titles won in 2008 to 4.

But above all it is the turnout of spectators and riders, with no fewer
than 12 new athletes who approached our sport for the first time by taking
part in this event, that makes us enthusiastic and confident for the 2009
season.

Thanks are due to the Associazione Sportiva Balneare Paraflight, host
venue of the race, and in particular to Marco, Manoela and Rocco for their
commitment and great organisational availability.

Thanks are also due to the F.I.M. and in particular to the President of
the Jet Ski Commission, Luca Filiberti, who attended and contributed to
the success of the event.

Worth noting is the win in this round by Antonio D'Arma (Massa), a young
local rider, who took the title of Italian Vice Champion F1 2T 2008.

Keep following us on www.funjet.it for news, previews, race results,
gossip and the new FUNJET TV funtube... and on www.motodacqua.eu, where
you can find and download the full-resolution original photos of all the
Funjet races and shows.

Funjet.it news. News and information from the world of jet skis. This
newsletter is sent to about 15000 addresses: riders, sponsors, press
outlets, companies in the sector, partners, marketing offices, advertising
agencies, press offices, television and radio. The information contained
in this communication and its attachments may be copied and retransmitted
by any means of communication provided the source is always cited. For
specific needs or collaborations, contact the editorial staff.



Re: Xorg: ABI mismatch

2008-11-06 Thread Owain Ainsworth
On Thu, Nov 06, 2008 at 09:18:13AM +0100, giovanni wrote:
 just updated latest Xorg. apart from the sync-to-vblank intel's issue no 
 troubles at all at first glance 
 but I start seeing this in the logs (excerpt)
 
 (II) LoadModule: record
 (II) Loading /usr/X11R6/lib/modules/extensions//librecord.so
 (II) Module record: vendor=X.Org Foundation
 compiled for 1.4.2, module version = 1.13.0
 Module class: X.Org Server Extension
 ABI class: X.Org Server Extension, version 0.3
 (EE) module ABI major version (0) doesn't match the server's version (1)
 (II) UnloadModule: record
 (II) Unloading /usr/X11R6/lib/modules/extensions//librecord.so
 (EE) Failed to load module record (module requirement mismatch, 0)
 (II) LoadModule: xtrap
 
 (II) Loading /usr/X11R6/lib/modules/extensions//libxtrap.so
 (II) Module xtrap: vendor=X.Org Foundation
 compiled for 1.4.2, module version = 1.0.0
 Module class: X.Org Server Extension
 ABI class: X.Org Server Extension, version 0.3
 (EE) module ABI major version (0) doesn't match the server's version (1)
 (II) UnloadModule: xtrap
 (II) Unloading /usr/X11R6/lib/modules/extensions//libxtrap.so
 (EE) Failed to load module xtrap (module requirement mismatch, 0)
 
 for taking away it I've temporary added

You should instead have removed the record and trap extensions from your
config. Those extensions aren't there anymore in the new xserver.

-0-
-- 
Support your local Search and Rescue unit -- get lost.



Re: Xorg: ABI mismatch

2008-11-06 Thread giovanni
On Thu, Nov 6, 2008 at 3:35 PM, Owain Ainsworth [EMAIL PROTECTED] wrote:
 On Thu, Nov 06, 2008 at 09:18:13AM +0100, giovanni wrote:
 just updated latest Xorg. apart from the sync-to-vblank intel's issue no 
 troubles at all at first glance
 but I start seeing this in the logs (excerpt)

 (II) LoadModule: record
 (II) Loading /usr/X11R6/lib/modules/extensions//librecord.so
 (II) Module record: vendor=X.Org Foundation
 compiled for 1.4.2, module version = 1.13.0
 Module class: X.Org Server Extension
 ABI class: X.Org Server Extension, version 0.3
 (EE) module ABI major version (0) doesn't match the server's version (1)
 (II) UnloadModule: record
 (II) Unloading /usr/X11R6/lib/modules/extensions//librecord.so
 (EE) Failed to load module record (module requirement mismatch, 0)
 (II) LoadModule: xtrap

 (II) Loading /usr/X11R6/lib/modules/extensions//libxtrap.so
 (II) Module xtrap: vendor=X.Org Foundation
 compiled for 1.4.2, module version = 1.0.0
 Module class: X.Org Server Extension
 ABI class: X.Org Server Extension, version 0.3
 (EE) module ABI major version (0) doesn't match the server's version (1)
 (II) UnloadModule: xtrap
 (II) Unloading /usr/X11R6/lib/modules/extensions//libxtrap.so
 (EE) Failed to load module xtrap (module requirement mismatch, 0)

 for taking away it I've temporary added

 You should instead have removed the record and trap extensions from your
 config. Those extensions aren't there anymore in the new xserver.
I've just noted that indeed those extensions are no longer present
(so the ABI error was correct) _but_ Xorg -configure keeps on
delivering those ones in xorg.conf. Why?


 -0-
 --
 Support your local Search and Rescue unit -- get lost.




-- 
see ya,
giovanni



Re: Xorg: ABI mismatch

2008-11-06 Thread Hannah Schroeter
Hi!

On Thu, Nov 06, 2008 at 02:35:30PM +, Owain Ainsworth wrote:
[...]
 (EE) Failed to load module record (module requirement mismatch, 0)

 (EE) Failed to load module xtrap (module requirement mismatch, 0)

 for taking away it I've temporary added

You should instead have removed the record and trap extensions from your
config. Those extensions aren't there anymore in the new xserver.

Why the strange error message? For me that occurred even after I wiped
/usr/X11R6 and reinstalled the x*.tgz tarballs. Why not something akin
to "No such file or directory"?

Kind regards,

Hannah.



NAT + IPsec problem

2008-11-06 Thread BARDOU Pierre
Hello,
 
I am trying to setup an IPsec connection.
Here is the ipsec.conf :
ike esp from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 \
   main auth hmac-sha1 enc aes-256 \
   quick auth hmac-sha1 enc aes-256 group modp1024 psk 

Tunnels go up well :
flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer 193.164.151.35 srcid
212.99.28.26/32 dstid 10.3.2.2/32 type use
flow esp out from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35
srcid 212.99.28.26/32 dstid 10.3.2.2/32 type require
esp tunnel from 193.164.151.35 to 212.99.28.26 spi 0x1fd5f292 auth hmac-sha1
enc aes
esp tunnel from 212.99.28.26 to 193.164.151.35 spi 0xa0b3fc57 auth hmac-sha1
enc aes

As my LAN is addressed using 10.31.0.0/16, I need to NAT to 10.63.61.xxx
before the tunnel.
So I put this in my pf.conf :
nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2

The problem is that packets going from 10.31.30.1 to 193.164.151.1 don't go
through the tunnel, they are going to the internet.

Here is the pflog :
Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 >
193.164.151.1: icmp: echo request
Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 >
193.164.151.1: icmp: echo request

- Packets are going out through em0 (my inet interface) instead of enc0

As the pf doc says translation occurs before filtering, I don't understand why
pf can see my real address (10.31.30.1).
And most important: why do outgoing packets (with good addresses) not
go through the tunnel?
Have I misconfigured something ?

Thank you for your help

--
Cordialement,
 
Pierre BARDOU
CSIM - Bureau 012
 
Midi Pyrénées Informatique Hospitalière
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
 
Tél : 05 67 31 90 84
Fax : 05 34 61 51 00
Mail : [EMAIL PROTECTED]


Re: trunk(4), VLANs and MTU problems

2008-11-06 Thread Johan Ström

Okay, I've done some reading up on the code. It seems the em driver
(in 4.4) has its HW VLAN tagging capability disabled, and thus I
cannot use that. Seems some changes have been committed since, I tried
(without much hope of it working :P) to backport this into 4.4, but
failed totally as expected ;)

Instead, I've modified my configuration to not use VLANs; since I'm
only using 3 internal networks (previously 3 VLANs) from this router
at this moment, and I've got 4 ports, I managed to solve it anyway..
But it would still be nice to be able to do VLAN routing (together
with trunk, I'll never push 1GBit right now, but I might want to
later) in the future, since that's something I cannot do now.

Anyone know how common this problem with blocked ICMP packets is?
Anyone else had the same problem?

Thanks
Johan

On Nov 4, 2008, at 14:08 , Johan Ström wrote:


Hi list

I've just deployed two redundant OpenBSD 4.4's as main gateways for
a network, and all in all it's working great, as expected with
OpenBSD :)

Each box (HP DL320) has one Intel Quad GigE adapter (82571EB),
connected to an HP 2810-48 GigE switch.
em0 and em1 are trunk0, running the external link on top (thus
normal 1500 MTU).
em2 and em3 are trunk1, and here I run a couple of VLANs, and thus
the MTU is 1496.

The problem I'm having is this:
When some mailservers (out of my control) try to send email to our
server (located on one of the VLANs), they connect all fine and
perform the SMTP handshake etc, but then when they get around to sending
DATA followed by the actual mail, they start using 1500b frames
with the DF bit set.
All fine in a normal env.. But for me, this of course fails, since
my net can only handle 1496 bytes. As expected my box sends ICMP
unreachable - need to frag (mtu 1496) to the remote server.
This works fine and is respected in most cases, the packet is
retransmitted in smaller frames, but some sending servers seem to
ignore my ICMP (firewalled away at their end? shouldn't be a problem
here since other servers get it and retransmit), and just keep on
sending 1500b packets.. And my box continues to drop 'em and
return ICMP unreach..

So, I started looking into enabling jumbo frames on my local net
(or at least make sure I can transmit 1500b on the VLANs), but it
seems I've hit a stop at trunk, since from what I can tell I cannot
get > 1500b MTU there:

if_trunk.c:
...
    case SIOCSIFMTU:
        if (ifr->ifr_mtu > ETHERMTU) {
            error = EINVAL;
            break;
        }
        ifp->if_mtu = ifr->ifr_mtu;
        break;


ETHERMTU is #defined as 1500

So... Dead end there? Is there any way to get > 1500b MTU on a trunk
somehow? Would it be possible to just hack if_trunk.c, and make
sure the underlying interfaces are running at at least 1502 bytes?
That would be enough for me.. That was what I first tried, changing
the MTU of em2/3 to 1502 in order to allow space for the VLAN tag,
hoping that the trunk interface would see this and change, but no.

I guess someone here probably had this problem sometime, how have
you solved it?

I could of course try to get in touch with the admins of these
servers but that is probably not the easiest task (the list of
servers I got problems with includes big global unnamed companies).

Thanks for any help, and many many thanks for the great OpenBSD 4.4
release! :)

Johan




Re: isakmpd routing woes

2008-11-06 Thread Christoph Leser
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Carlos Laviola
 Sent: Thursday, 6 November 2008 13:34
 To: misc@openbsd.org
 Subject: isakmpd routing woes


 Hello,



 I have three /24 networks connected to each other through
 multihomed OpenBSD 4.0 servers using isakmpd(8). Recently,
 new point-to-point links have been installed between each of
 those networks on separate interfaces, and I would like to
 make it so traffic coming from/through specific (single) IPs
 in each of those networks reaches other specific single IPs
 in the other networks. Simply using route(8) was not enough,
 so I'm wondering if anyone knows if and how this can be done
 -- if this can still be done through isakmpd, great, but a
 way to bypass it so that the traffic can be redirected to the
 interfaces with the new links would also be enough.



 Thanks in advance!

 Carlos



 [ Please Cc replies to me if possible, as I'm not subscribed
 to the list. ]



As far as I understand, the routes defined through isakmpd take precedence
over routes defined via the route add command.

But you can make isakmpd ignore specific IP addresses by adding bypass rules
to your ipsec.conf. For example

flow esp from a.b.c.0/24 to 10.105.60.100/32 type bypass

would bypass the ipsec tunnel between a.b.c.0/24 and 10.105.60.0/24 if the
target address is 10.150.60.100.

Hope this helps

Regards



Panic. ciss0: dead (HP ProLiant DL360 G5)

2008-11-06 Thread Давыдов Денис
Hello, all!

I've got a panic with ciss0 on my HP ProLiant DL360 G5. Everything
worked fine for about a month or so until this day. I forgot to enable SNMP
traps on iLO2, but anyway, I don't know whether there is anything interesting
from Integrated Lights-Out. Before installing OpenBSD I set up
hardware RAID 1+0. Any ideas what's wrong with ciss? :)

sec:~$ uname -a
OpenBSD sec 4.2 SEC.MP#0 amd64
sec:~$

Has anyone had such a problem? Thanks for any advice.

On tty console:

panic: ciss0: dead
Starting stack trace...
panic() at panic+0x136
ciss_heartbeat() at ciss_heartbeat+0x6a
softclock() at softclock+0x22d
softintr_dispatch() at softintr_dispatch+0x6a
Xsoftclock() at Xsoftclock+0x2d
--- interrupt ---
end of kernel
end trace frame: 0x2b0, count: 252
0:
End of stack trace.
syncing disks...

Also dmesg.boot and kernel config.

--
Denis Davydov

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of SEC]

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of SEC.MP]

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of SEC]

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of dmesg.boot]



Re: Panic. ciss0: dead (HP ProLiant DL360 G5)

2008-11-06 Thread Markus Hennecke

Давыдов Денис wrote:

Hello, all!

I've got a panic with ciss0 on my HP ProLiant DL360 G5. Everything
worked fine for about a month or so until this day. I forgot to enable SNMP
traps on iLO2, but anyway, I don't know whether there is anything interesting
from Integrated Lights-Out. Before installing OpenBSD I set up
hardware RAID 1+0. Any ideas what's wrong with ciss? :)

sec:~$ uname -a
OpenBSD sec 4.2 SEC.MP#0 amd64
sec:~$

Has anyone had such a problem? Thanks for any advice.

On tty console:

panic: ciss0: dead
Starting stack trace...
panic() at panic+0x136
ciss_heartbeat() at ciss_heartbeat+0x6a
softclock() at softclock+0x22d
softintr_dispatch() at softintr_dispatch+0x6a
Xsoftclock() at Xsoftclock+0x2d
--- interrupt ---
end of kernel
end trace frame: 0x2b0, count: 252
0:
End of stack trace.
syncing disks...


If this happens regularly I would say the card is trashed. Had the same 
error on one of our boxes. It got more frequent, sometimes not even 
getting over the fsck stage. We swapped the card and the box worked again.



Also dmesg.boot and kernel config.

--
Denis Davydov

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of SEC]

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of SEC.MP]

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of SEC]

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of dmesg.boot]


Your attachments are being removed by the list server.

Kind regards,
  Markus



Re: NAT + IPsec problem

2008-11-06 Thread Christoph Leser
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of BARDOU Pierre
 Sent: Thursday, 6 November 2008 15:30
 To: misc@openbsd.org
 Cc: LOUIS Marc
 Subject: NAT + IPsec problem


 Hello,

 I am trying to setup an IPsec connection.
 Here is the ipsec.conf :
 ike esp from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 \
main auth hmac-sha1 enc aes-256 \
quick auth hmac-sha1 enc aes-256 group modp1024 psk 

 Tunnels go up well :
 flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer
 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type
 use flow esp out from 10.63.61.0/26 to 193.164.151.0/28 peer
 193.164.151.35 srcid 212.99.28.26/32 dstid 10.3.2.2/32 type
 require esp tunnel from 193.164.151.35 to 212.99.28.26 spi
 0x1fd5f292 auth hmac-sha1 enc aes esp tunnel from
 212.99.28.26 to 193.164.151.35 spi 0xa0b3fc57 auth hmac-sha1 enc aes

 As my LAN is addressed using 10.31.0.0/16, I need to NAT to
 10.63.61.xxx before the tunnel. So I put this in my pf.conf :
 nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2

 The problem is that packets going from 10.31.30.1 to
 193.164.151.1 don't go through the tunnel, they are going to
 the internet.

 Here is the pflog :
 Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 >
 193.164.151.1: icmp: echo request
 Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 >
 193.164.151.1: icmp: echo request

 - Packets are going out through em0 (my inet interface)
 instead of enc0

 As the pf doc says translation occurs before filtering, I don't
 understand why pf can see my real address (10.31.30.1). And
 most important: why do outgoing packets (with good
 addresses) not go through the tunnel?
 Have I misconfigured something ?

 Thank you for your help


From the OpenBSD ipsec manpage I would guess that the decision about which flow
to use is made before pf processes the packets. And as the original packets do
not match the defined flows (they are on a smaller subnet only), the packets
will go to the internet, and are not reconsidered for matching an ipsec flow
after NAT has been done.

I saw messages where people have circumvented this by defining a local (lo)
interface where the NAT can be done. Not exactly what you want to do, but it
might provide some insight:

http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html



openbsd fail2ban

2008-11-06 Thread Charlie Clark

Hi,

I have noticed that people constantly try to brute force sshd on my 
openbsd box, on my server I use fail2ban to prevent this and wondered if 
there is a similar solution for openbsd.


Regards,

--

Charlie Clark
Network Engineer

Lemon Computing Ltd
Unit 9
26-28 Priests Bridge
London
SW14 8TA
UK

Tel: +44 208 878 2138
Fax: +44 208 878 2163
Email: [EMAIL PROTECTED]
Site: http://www.lemon-computing.com/

Lemon Computing is a limited company registered in England & Wales under
Company No. 03697052



Re: openbsd fail2ban

2008-11-06 Thread Martin Schröder
2008/11/6 Charlie Clark [EMAIL PROTECTED]:
 I have noticed that people constantly try to brute force sshd on my openbsd
 box, on my server I use fail2ban to prevent this and wondered if there is a
 similar solution for openbsd.

Yes. RTFAQ.

Best
   Martin



Re: openbsd fail2ban

2008-11-06 Thread Christoph Leser
 -Urspr|ngliche Nachricht-
 Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Im Auftrag von Charlie Clark
 Gesendet: Donnerstag, 6. November 2008 18:34
 An: misc
 Betreff: openbsd fail2ban


 Hi,

 I have noticed that people constantly try to brute force sshd on my
 openbsd box, on my server I use fail2ban to prevent this and
 wondered if
 there is a similar solution for openbsd.

 Regards,



you can use pf, I think.

Put something like this in your pf.conf:

table <ssh-bruteforce>
block drop in log quick from <ssh-bruteforce> to any


pass  in  $log_pass_ext \
    on $ext_if          \
    inet proto tcp      \
    from any            \
    to $ext_if port 22  \
    flags S/SA          \
    keep state          \
    (max-src-conn-rate 3/30, overload <ssh-bruteforce> flush global)

and pf will move the offending source IP to the bruteforce table and subsequently
drop these packets
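To make the rule's rate limit concrete, here is an added Python model (not from this post and not pf's own code) of what `max-src-conn-rate 3/30` combined with `overload <ssh-bruteforce> flush global` does to a stream of new connections. It treats the limit as an exact 30-second sliding window per source address, which is a simplification of pf's in-kernel accounting; the connection records are constructed sample input using documentation address ranges.

```python
"""Added example: a sliding-window model of pf's
'max-src-conn-rate 3/30 ... overload <ssh-bruteforce> flush global',
run over constructed connection records so the effect can be seen offline.
pf counts new TCP connections per source inside the kernel; the exact
30-second window used here is a simplification of that accounting."""
from collections import defaultdict, deque

# Constructed sample input: (epoch seconds, source IP) for each new TCP
# connection to port 22, in the order the packet filter would see them.
SAMPLE_CONNECTIONS = [
    (1000.0, "203.0.113.7"),
    (1001.5, "203.0.113.7"),
    (1002.0, "198.51.100.4"),
    (1003.0, "203.0.113.7"),
    (1003.2, "203.0.113.7"),   # 4th connection inside 30 s: over the limit
    (1040.0, "198.51.100.4"),
    (1041.0, "198.51.100.4"),
    (1072.0, "198.51.100.4"),  # never more than 3 in any 30 s: stays allowed
    (1100.0, "203.0.113.7"),   # already in the table: dropped by the block rule
]


class OverloadTable:
    """Per-source connection timestamps plus the overload table they feed."""

    def __init__(self, max_conns=3, interval=30.0):
        self.max_conns = max_conns
        self.interval = interval
        self.history = defaultdict(deque)
        self.table = set()

    def new_connection(self, when, src):
        """Return 'drop' if src is already in the table, 'overload' if this
        connection pushes src over the limit, otherwise 'pass'."""
        if src in self.table:
            return "drop"
        window = self.history[src]
        window.append(when)
        # Expire timestamps that fell out of the interval.
        while window and when - window[0] > self.interval:
            window.popleft()
        if len(window) > self.max_conns:
            self.table.add(src)
            # 'flush global' kills every existing state from this source;
            # modelled here by forgetting its connection history.
            window.clear()
            return "overload"
        return "pass"


def run(connections, max_conns=3, interval=30.0):
    """Feed connections through the model; return (decisions, table contents)."""
    tbl = OverloadTable(max_conns, interval)
    decisions = []
    for when, src in connections:
        decisions.append((when, src, tbl.new_connection(when, src)))
    return decisions, sorted(tbl.table)


if __name__ == "__main__":
    decisions, table = run(SAMPLE_CONNECTIONS)
    for when, src, verdict in decisions:
        print(f"{when:8.1f} {src:15} {verdict}")
    print("overload table:", table)
```

The point the model makes visible is the one Joachim raises further down the thread: the table fills on connection count alone, so a legitimate user who retries too quickly is locked out exactly like a scanner, and nothing here looks at whether authentication succeeded.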



Re: openbsd fail2ban

2008-11-06 Thread Marcus Andree
I wrote a small program about 5 years ago. It was a daemon that
implemented a service similar to port knocking but entirely at user level,
calling pfctl via exec() system calls to insert/remove remote IP addresses
in a pf table holding machines able to connect to the ssh daemon via port 22.

It was an ugly hack but it worked for us. I should have a backup copy somewhere on
my powerbook at home...

On Thu, Nov 6, 2008 at 3:33 PM, Charlie Clark [EMAIL PROTECTED] wrote:
 Hi,

 I have noticed that people constantly try to brute force sshd on my openbsd
 box, on my server I use fail2ban to prevent this and wondered if there is a
 similar solution for openbsd.

 Regards,




Intel D201GLY2 install failure, OpenBSD 4.4

2008-11-06 Thread Jamie Cuesta
I'm booting from CD as prelude to install, and during CD boot see (NOTE this is 
manually transcribed from the screen):

: couldn't map interrupt
sis0 at pci0 dev 4 function 0 SiS 900 10/100BaseTX rev 0x91pci_intr_map: bad 
interrupt line 19
: couldn't map interrupt
pciide1 at pci0 dev 5 function 0 SiS 181 SATA rev 0x01: DMA
pci_intr_map: bad interrupt line 17
pciide1: couldn't map native-PCI interrupt
pci_intr_map: bad interrupt line 17
pciide1: couldn't map native-PCI interrupt
ppb1 at pci0 dev 31 function 0 SiS PCI-PCI rev 0x00
pci2 at ppb1 bus 2
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x2f8/8 irq 4: ns 16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
biomask ffed netmask ffed ttymask 
rd0: fixed, 3800 blocks
softraid at root
root on rd0a swap on rd0b dump on rd0b
erase ^?, werase ^W, kill ^U, intr ^C, status ^T
(I)nstall, (U)pgrade or (S)hell?

I choose install, accept defaults for terminal type, answer 'y' to Proceed 
with install? [no] and get:

No disks found.
#

This system has an IDE CD-RW drive and two SATA HDDs.  After failing the OpenBSD 
4.4 install last week, I installed Debian stable on this system w/no problems.  
But I'd rather use OpenBSD so I'm reporting this problem in hopes it can be fixed 
(the mobo is a nice low-cost fanless mini-ITX, so could appeal to many).  My web 
searches show this problem being reported occasionally in the past but I 
saw no reports for this mobo with the 4.4 release.

I was hoping to include a dmesg via serial port capture (my box does not 
include a floppy), but 

boot> set tty com0
switching console to com0
com0 console not present

Web searches suggested I could mess with the BIOS to get around this problem, 
but the only BIOS setting for the serial port is enable/disable: I switched to 
disable mode with no change in results.

FWIW, Jaime



Re: openbsd fail2ban

2008-11-06 Thread Charlie Clark

Hi Marcus,

If you come across this program again would I be able to steal it off of 
you? I will implement it as suggested before using pf state table 
tracking, but your program sounds very interesting and I would still like 
to see it.


Thank you everyone for your answers.

Thanks,

Charlie

Marcus Andree wrote:

I've written a small program about 5 years ago. It was a daemon that
implemented a
 service similar to  port knocking but entirely in user level,
calling pfctl by exec()
system calls to insert/remove remote IP addresses in a pf table holding machines
able to connect to the ssh daemon via port 22.

It was an ugly hack but it worked for us. I should have a backup copy somewhere on
my powerbook at home...

On Thu, Nov 6, 2008 at 3:33 PM, Charlie Clark [EMAIL PROTECTED] wrote:
  

Hi,

I have noticed that people constantly try to brute force sshd on my openbsd
box, on my server I use fail2ban to prevent this and wondered if there is a
similar solution for openbsd.

Regards,






Re: HP DL180 hangs on boot

2008-11-06 Thread Alexander Hall

Christophe Rioux wrote:

I had a similar issue on the HP DL 120 G5.

Solution is: deactivate the RAID controller in the BIOS. If you need to use
some RAID, use raidctl, which is working again in version 4.4


This server has only some kind of built-in raid which I suppose is of 
the software-raid type. However it already was, and still is, disabled 
in the bios. The BIOS settings are: Compatible/IDE, Enhanced/IDE or 
Enhanced/RAID. I cannot swear I tested Enhanced/RAID but I wouldn't bet 
any money on that being the working combo... :-d


I'm going to try upgrading the BIOS firmware (there was some update 
regarding newer Intel CPUs; don't know if it applies to the Xeon E5420 
but I suppose they wouldn't ship a machine with that processor with a 
non-working BIOS). Could be worth testing though.


Anyway, thanks and don't hesitate to mention anything I might have missed.

/Alexander



Re: openbsd fail2ban

2008-11-06 Thread Michiel van Baak
On 17:33, Thu 06 Nov 08, Charlie Clark wrote:
 Hi,

 I have noticed that people constantly try to brute force sshd on my  
 openbsd box, on my server I use fail2ban to prevent this and wondered if  
 there is a similar solution for openbsd.

Have a look at this section of the FAQ:
http://www.openbsd.org/faq/pf/filter.html#stateopts

What you are interested in is the sample using 'overload' and 'flush'

-- 

Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

Why is it drug addicts and computer aficionados are both called users?



Re: openbsd fail2ban

2008-11-06 Thread Marcus Andree
You'd be free to do whatever you want with it.

I'll see if I can find the source. I'm pretty sure there's a copy on my
old powerbook. It was written for Linux and OpenBSD and we used it for an ad-hoc
authentication method to manage a remote machine over the insecure internet.

I never did any security auditing on the code, but I don't think there's
anything wrong with it. There were one or two things that I'd like to have
the time to implement, like privilege separation, but that's all.

But, as I said before, it is an ugly hack... :)

On Thu, Nov 6, 2008 at 3:57 PM, Charlie Clark [EMAIL PROTECTED] wrote:
 Hi Marcus,

 If you come across this program again would I be able to steal it off of
 you, it will implement it as suggested before using pf state table tracking
 but your program sounds very interesting and I would still like to see it.

 Thank you everyone for your answers.

 Thanks,

 Charlie

 Marcus Andree wrote:

 I've written a small program about 5 years ago. It was a daemon that
 implemented a
  service similar to  port knocking but entirely in user level,
 calling pfctl by exec()
 system calls to insert/remove remote IP addresses in a pf table holding
 machines
 able to connect to the ssh daemon via port 22.

 It was an ugly hack but it worked for us. I should have a backup copy
 somewhere on
 my powerbook at home...

 On Thu, Nov 6, 2008 at 3:33 PM, Charlie Clark [EMAIL PROTECTED]
 wrote:


 Hi,

 I have noticed that people constantly try to brute force sshd on my
 openbsd
 box, on my server I use fail2ban to prevent this and wondered if there is
 a
 similar solution for openbsd.

 Regards,




Re: openbsd fail2ban

2008-11-06 Thread Alexander Polakov
2008/11/6, Charlie Clark [EMAIL PROTECTED]:
 Hi,

 I have noticed that people constantly try to brute force sshd on my
 openbsd box, on my server I use fail2ban to prevent this and wondered if
 there is a similar solution for openbsd.

Have you tried sshguard?



Re: openbsd fail2ban

2008-11-06 Thread Joachim Schipper
On Thu, Nov 06, 2008 at 05:33:41PM +, Charlie Clark wrote:
 I have noticed that people constantly try to brute force sshd on my  
 openbsd box, on my server I use fail2ban to prevent this and wondered if  
 there is a similar solution for openbsd.

Yes, but why would you want to do that? It doesn't help in any real
sense - weak passwords are still weak and may still fall to a
distributed attack, and strong passwords or keys are pretty much
impossible to guess anyway.

Meanwhile, it's at least a little complex, takes some time to set up,
and has nasty failure modes.

Joachim



Re: openbsd fail2ban

2008-11-06 Thread (private) HKS
If you're just tired of the noise, consider moving SSH to a different
port. It provides no greater security but helps with some of the
annoyance.

-HKS

On Thu, Nov 6, 2008 at 2:34 PM, Joachim Schipper
[EMAIL PROTECTED] wrote:
 On Thu, Nov 06, 2008 at 05:33:41PM +, Charlie Clark wrote:
 I have noticed that people constantly try to brute force sshd on my
 openbsd box, on my server I use fail2ban to prevent this and wondered if
 there is a similar solution for openbsd.

 Yes, but why would you want to do that? It doesn't help in any real
 sense - weak passwords are still weak and may still fall to a
 distributed attack, and strong passwords or keys are pretty much
 impossible to guess anyway.

 Meanwhile, it's at least a little complex, takes some time to set up,
 and has nasty failure modes.

Joachim



Re: Intel D201GLY2 install failure, OpenBSD 4.4

2008-11-06 Thread Ted Unangst
On Thu, Nov 6, 2008 at 11:49 AM, Jamie Cuesta [EMAIL PROTECTED] wrote:
 I was hoping to include a dmesg via serial port capture (my box does not 
 include a floppy), but

Use ftp.



Re: fps between 10/28 and 11/2 snapshots

2008-11-06 Thread Nick Nauwelaerts
On Wed, 5 Nov 2008 14:37:06 -0600
Neal Hogan [EMAIL PROTECTED] wrote:

 I've been running -current via snapshots and have had odd glxgears
 output between the 10/28 snap and 11/02 snap. Back on the 10/02
 version I was getting 1000-1300 fps. On the 11/02 version I get
 100-130 fps. It's not a huge deal for me at this point since I'm not
 too much of a gamer and have no need to watch movies on  my laptop. I
 just found it odd and thought you'd like to know . . . on behalf of
 those who possess the above interests.

I have noticed the following on undeadly but must have missed it
on the mailing lists:

Mesa 7.2 defaults to sync-to-vblank for intel chips in an attempt to
avoid tearing in the display. In this mode, OpenGL drawing is
synchronised to the refresh rate of your monitor and thus is capped at
that rate. If for some reason this bothers you, you may circumvent this
by either setting 'vblank_mode=0' in your environment or use driconf
(in ports) to configure this option.

Might be relevant.

http://undeadly.org/cgi?action=article&sid=20081104235706&mode=expanded&count=4

// nick



Re: NAT + IPsec problem

2008-11-06 Thread Vladimir
This is something I have struggled with myself and don't have a good solution 
to. I actually asked a similar question to yours a couple of days ago :-(


http://marc.info/?l=openbsd-misc&m=122530349320838&w=2

Basically NATing traffic going through a VPN tunnel doesn't really work. I 
have followed the recipe from this post


http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

however I was unsuccessful. I have currently resorted to using HAproxy 
to proxy the traffic.



Vladimir

BARDOU Pierre wrote:

Hello,
 
I am trying to set up an IPsec connection.

Here is the ipsec.conf :
ike esp from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 \
   main auth hmac-sha1 enc aes-256 \
   quick auth hmac-sha1 enc aes-256 group modp1024 psk 

Tunnels go up well :
flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer 193.164.151.35 srcid
212.99.28.26/32 dstid 10.3.2.2/32 type use
flow esp out from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35
srcid 212.99.28.26/32 dstid 10.3.2.2/32 type require
esp tunnel from 193.164.151.35 to 212.99.28.26 spi 0x1fd5f292 auth hmac-sha1
enc aes
esp tunnel from 212.99.28.26 to 193.164.151.35 spi 0xa0b3fc57 auth hmac-sha1
enc aes

As my LAN is addressed using 10.31.0.0/16, I need to NAT to 10.63.61.xxx
before the tunnel.
So I put this in my pf.conf :
nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2

The problem is that packets going from 10.31.30.1 to 193.164.151.1 don't go
through the tunnel, they are going to the internet.

Here is the pflog :
Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 >
193.164.151.1: icmp: echo request
Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 >
193.164.151.1: icmp: echo request

- Packets are going out through em0 (my inet interface) instead of enc0

As the pf doc says translation occurs before filtering, I don't understand why
pf can see my real address (10.31.30.1).
And most important: why do outgoing packets (with good addresses) not
go through the tunnel?
Have I misconfigured something ?


Thank you for your help




no pg_dump?

2008-11-06 Thread Charlie Farinella
I've installed postgresql client, server and contribs from packages on a 
new 4.4 OpenBSD machine and there is no pg_dump or pg_restore included 
that I can find.  Where can I get these tools? 

--charlie

-- 

Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668



Re: dhcpd on 4.4 is problematic

2008-11-06 Thread Tobias Ulmer
On Wed, Nov 05, 2008 at 08:16:01AM -0500, Kenneth R Westerback wrote:
 On Wed, Nov 05, 2008 at 12:22:03PM +0800, Uwe Dippel wrote:
  Here is what Stuart requested.
  I hope the attachment goes through!
  
00f0:          
0100:     6382 5363 3401 0035  c.Sc4..5
 
 And that might be the problem. The DHCP overload option (#52, or hex 34)
 has the correct length (01) but a value of 0. This indicates no overload
 and Solaris is upset that the option is even there in this case. So much
 for trying to simplify the code by using a standard header.
 
 So this option needs to be overwritten with DHO_PAD if there is no
 overloading.
 
 This (untested) diff might help. Unfortunately I have no Solaris to
 test against and I'm off to work now. Test reports welcome, or better
 fixes.
 
  Ken

Patch worksforme(tm)
client: OpenSolaris 2008.05 server: 4.4-stable, both i386.
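As an added illustration of the option Ken describes (this is neither his diff nor dhcpd code): a small Python walker over a DHCP options field that finds an Option Overload (code 52, hex 34) carrying the value 0, which RFC 2132 does not allow (legal values are 1, 2 and 3), and overwrites those three bytes with DHO_PAD so every other option keeps its offset. The options buffer is constructed from the hexdump fragment quoted above (`6382 5363 3401 0035`) plus a made-up tail (message type, server identifier, end marker); the DHO_* names follow the dhcpd convention used in the message.

```python
"""Added example: detect and pad out a zero-valued DHCP Option Overload
(code 52). The options buffer below is constructed: the cookie and the
first option bytes follow the hexdump quoted in the thread, the rest is
a made-up minimal tail, not the real capture."""

DHO_PAD = 0
DHO_OVERLOAD = 52
DHO_DHCP_MESSAGE_TYPE = 53
DHO_DHCP_SERVER_IDENTIFIER = 54
DHO_END = 255
MAGIC_COOKIE = bytes.fromhex("63825363")

# Constructed options field: cookie, overload=0 (the offending option),
# message type = DHCPOFFER (2), server identifier 192.168.1.1, end.
SAMPLE_OPTIONS = MAGIC_COOKIE + bytes.fromhex(
    "340100"        # option 52, len 1, value 0  (RFC 2132 allows only 1..3)
    "350102"        # option 53, len 1, DHCPOFFER
    "3604c0a80101"  # option 54, len 4, 192.168.1.1
    "ff"            # end marker
)


def parse_options(buf):
    """Return [(code, value_bytes), ...], skipping PAD and stopping at END."""
    if not buf.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = [], len(MAGIC_COOKIE)
    while i < len(buf):
        code = buf[i]
        if code == DHO_PAD:
            i += 1
            continue
        if code == DHO_END:
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.append((code, value))
        i += 2 + length
    return opts


def invalid_overload(buf):
    """True when an Option Overload is present with a value outside 1..3."""
    return any(code == DHO_OVERLOAD and (len(val) != 1 or not 1 <= val[0] <= 3)
               for code, val in parse_options(buf))


def pad_out_bogus_overload(buf):
    """Replace a zero-valued overload option (3 bytes) with DHO_PAD bytes,
    leaving every other byte and offset in the buffer untouched."""
    out = bytearray(buf)
    i = len(MAGIC_COOKIE)
    while i + 1 < len(out):
        code = out[i]
        if code == DHO_PAD:
            i += 1
            continue
        if code == DHO_END:
            break
        length = out[i + 1]
        if (code == DHO_OVERLOAD and length == 1
                and i + 2 < len(out) and out[i + 2] == 0):
            out[i:i + 3] = bytes([DHO_PAD] * 3)
        i += 2 + length
    return bytes(out)


if __name__ == "__main__":
    print("bogus overload present:", invalid_overload(SAMPLE_OPTIONS))
    fixed = pad_out_bogus_overload(SAMPLE_OPTIONS)
    print("after padding out:", invalid_overload(fixed), fixed.hex())
```

Padding rather than deleting is what keeps the rest of the message intact: a parser on the client side skips PAD bytes one at a time, so the remaining options and the END marker stay where they were.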



Re: VPN Ipsec

2008-11-06 Thread Felipe Alfaro Solana
On Thu, Nov 6, 2008 at 9:39 AM, Louis Opter [EMAIL PROTECTED] wrote:
 Hello,

 I am trying to set up an ipsec vpn between two networks. But, I can't
 figure out why it doesn't work.

 I get some errors like (here on the malenfant gate, see network map
 below) :
  Plcy 30 keynote_cert_obtain: failed to open
 /etc/isakmpd/keynote//192.168.1.159/credentials
  Default rsa_sig_decode_hash: no public key found
  Default dropped message from $dugny_addr port 4500 due to notification
 type INVALID_ID_INFORMATION

These messages typically mean that the identifiers used by the peers
do not match. Try adding 'srcid foo' and 'dstid bar' to your ike esp
tunnel lines:

- on nemoto :
st_cyr_net=192.168.2.0/24
dugny_net=192.168.3.0/24
st_cyr_addr=xx.xx.xx.xx
ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr srcid nemoto dstid malenfant

- on malenfant :
st_cyr_net=192.168.2.0/24
dugny_net=192.168.3.0/24
dugny_addr=yy.yy.yy.yy
ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr srcid malenfant dstid nemoto

Also, if your machine is multi-homed, you will probably want to
specify 'local' to remove any ambiguity with respect to the source IP
address that will be used in the outer (encapsulating) IP datagram.

 I don't understand why I have messages about keynote, because isakmpd is
 launched with the -K flag (and why 192.168.1.159 instead of
 $dugny_addr ?).

 And, I don't understand why it doesn't find the public key. I have
 correctly copied for each gate /etc/isakmpd/local.pub to the other gate
 at /etc/isakmpd/pubkeys/ipv4/gate_ip


 Here is my network map :

    { st_cyr_net : 192.168.2.0/24 }
                   |
          xl1 : 192.168.2.1
    [gate malenfant] OpenBSD 4.4-current (as of 10/18) on the livebox's DMZ
          xl0 : 192.168.1.183
                   |
          192.168.1.1
    [adsl router/modem livebox]
          $st_cyr_addr
 
                @@@
              @@@ Internet
                @@@
 
          $dugny_addr
    [adsl router/modem livebox]
          192.168.1.1
                   |
          xl0 : 192.168.1.159
    [gate nemoto] OpenBSD 4.4-release on the livebox's DMZ
          xl1 : 192.168.3.1
                   |
    { dugny_net : 192.168.3.0/24 }

 By DMZ I mean that all TCP and UDP ports are redirected to the gate.

 I don't see why the liveboxes can be the problem, they redirect all the
 traffic. How can NAT on the liveboxes cause trouble?

 Because the two gates run different versions of OpenBSD?
 I don't think so, however malenfant will be upgraded to 4.4-release
 tomorrow evening.

 My ipsec.confs :
  - on nemoto :
  st_cyr_net=192.168.2.0/24
  dugny_net=192.168.3.0/24
  st_cyr_addr=xx.xx.xx.xx
  ike esp tunnel from $dugny_net to $st_cyr_net peer $st_cyr_addr
  - on malenfant :
  st_cyr_net=192.168.2.0/24
  dugny_net=192.168.3.0/24
  dugny_addr=yy.yy.yy.yy
  ike esp tunnel from $st_cyr_net to $dugny_net peer $dugny_addr

 pf is correctly (I hope) configured on both gates with (here is a
 snippet from malenfant's pf.conf) :
  set skip on { lo enc0 }
  block in
  pass out
  pass in on $ext_if proto { tcp udp } \
  from $dugny_addr to ($ext_if) port ipsec-nat-t
  pass in on $ext_if proto udp to ($ext_if) port isakmp

 My two enc0 interfaces are up.

 If you find my mistake(s), have ideas, or need more information please
 tell me. Full configuration files and isakmpd log are available at :
 http://www.kalessin.fr/stuff/openbsd_ipsec.tar.gz

 Best Regards, Louis Opter.





-- 
http://www.felipe-alfaro.org/blog/disclaimer/



Re: no pg_dump?

2008-11-06 Thread Antoine Jacoutot
On Thu, 6 Nov 2008, Charlie Farinella wrote:

 I've installed postgresql client, server and contribs from packages on a 
 new 4.4 OpenBSD machine and there is no pg_dump or pg_restore included 
 that I can find.  Where can I get these tools? 

They should be under /usr/local/bin/

-- 
Antoine



Re: no pg_dump?

2008-11-06 Thread Pierre-Emmanuel André
On Thu, 6 Nov 2008 17:06:54 -0500,
Charlie Farinella [EMAIL PROTECTED] wrote:

 I've installed postgresql client, server and contribs from packages
 on a new 4.4 OpenBSD machine and there is no pg_dump or pg_restore
 included that I can find.  Where can I get these tools?

 --charlie


http://www.openbsd.org/4.4_packages/i386/postgresql-client-8.3.3.tgz-contents.html



Re: no pg_dump?

2008-11-06 Thread Charlie Farinella
On Thursday 06 November 2008, Antoine Jacoutot wrote:
 On Thu, 6 Nov 2008, Charlie Farinella wrote:
 
  I've installed postgresql client, server and contribs from packages 
on a 
  new 4.4 OpenBSD machine and there is no pg_dump or pg_restore 
included 
  that I can find.  Where can I get these tools? 
 
 They should be under /usr/local/bin/

You would think, I know!  I have psql, pg_ctl, pg_standby, 
pg_controldata, pg_resetxlog, pgbench, postgres, but no pg_dump, 
pg_dumpall, or pg_restore.

pkg_info shows:

postgresql-client-8.3.3 PostgreSQL RDBMS (client)
postgresql-contrib-8.3.3 PostgreSQL RDBMS contributions
postgresql-server-8.3.3 PostgreSQL RDBMS (server)

I'm at a loss.

--charlie

-- 

Charles Farinella 
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668



Re: no pg_dump?

2008-11-06 Thread Charlie Farinella
On Thursday 06 November 2008, Pierre-Emmanuel André wrote:
 On Thu, 6 Nov 2008 17:06:54 -0500,
 Charlie Farinella [EMAIL PROTECTED] wrote:

  I've installed postgresql client, server and contribs from packages
  on a new 4.4 OpenBSD machine and there is no pg_dump or pg_restore
  included that I can find.  Where can I get these tools?
 
  --charlie
 


http://www.openbsd.org/4.4_packages/i386/postgresql-client-8.3.3.tgz-contents.html

Thank you.

I have everything on the list except:

/usr/local/bin/pg_config
/usr/local/bin/pg_dump
/usr/local/bin/pg_dumpall
/usr/local/bin/pg_restore

I also have a live system with data in it, so shutting it down is an
issue.

What would you suggest I do?  I can do pkg_delete on all installed
PostgreSQL packages and start over I suppose, or build PostgreSQL from
source.

I ran pkg_add -u for the client package, but that didn't help.


Charles Farinella
Appropriate Solutions, Inc. (www.AppropriateSolutions.com)
[EMAIL PROTECTED]
voice: 603.924.6079   fax: 603.924.8668



Re: no pg_dump?

2008-11-06 Thread Stuart Henderson
On 2008-11-06, Charlie Farinella [EMAIL PROTECTED] wrote:
 On Thursday 06 November 2008, Pierre-Emmanuel André wrote:
 On Thu, 6 Nov 2008 17:06:54 -0500,
 Charlie Farinella [EMAIL PROTECTED] wrote:

  I've installed postgresql client, server and contribs from packages
  on a new 4.4 OpenBSD machine and there is no pg_dump or pg_restore
  included that I can find.  Where can I get these tools?
 
  --charlie
 


 http://www.openbsd.org/4.4_packages/i386/postgresql-client-8.3.3.tgz-contents.html

 Thank you.

 I have everything on the list except:

 /usr/local/bin/pg_config
 /usr/local/bin/pg_dump
 /usr/local/bin/pg_dumpall
 /usr/local/bin/pg_restore

These are certainly in the 4.4-release i386 package.

 I also have a live system with data in it, so shutting it down is an
 issue.

 What would you suggest I do?  I can do pkg_delete on all installed
 PostgreSQL packages and start over I suppose, or build PostgreSQL from
 source.

 I ran pkg_add -u for the client package, but that didn't help.

you can try pkg_add -ri -F installed postgresql-client,
but try and work out where they went...



Re: openbsd fail2ban

2008-11-06 Thread Stuart Henderson
On 2008-11-06, Joachim Schipper [EMAIL PROTECTED] wrote:
 On Thu, Nov 06, 2008 at 05:33:41PM +, Charlie Clark wrote:
 I have noticed that people constantly try to brute force sshd on my  
 openbsd box, on my server I use fail2ban to prevent this and wondered if  
 there is a similar solution for openbsd.

 Yes, but why would you want to do that? It doesn't help in any real
 sense

It helps reduce use of CPU and the /var/log disk.

But so does the simpler block proto tcp to port ssh /
pass proto tcp from ADMIN_NETS to port ssh.



Re: no pg_dump?

2008-11-06 Thread Matthias Kilian
On Thu, Nov 06, 2008 at 05:53:17PM -0500, Charlie Farinella wrote:
 http://www.openbsd.org/4.4_packages/i386/postgresql-client-8.3.3.tgz-contents.html
 
 Thank you.
 
 I have everything on the list except:
 
 /usr/local/bin/pg_config
 /usr/local/bin/pg_dump
 /usr/local/bin/pg_dumpall
 /usr/local/bin/pg_restore

This is odd. Did your machine crash or get a full filesystem during
the update/install?

Do the inode change times of the actually installed files (like
/usr/local/bin/psql) match the time of your update/install?

Is there any partial-* stuff in /var/db/pkg?

Does pkg_delete -n -Fdependencies (and don't omit the `-n') complain
about some missing files?

Where do you get your packages from, i.e. what's your PKG_PATH?

 What would you suggest I do?  I can do pkg_delete on all installed
 PostgreSQL packages and start over I suppose, or build PostgreSQL from
 source.
 
 I ran pkg_add -u for the client package, but that didn't help.

Whatever happened to your system, you could (with a PKG_PATH pointing to
a place with correct packages) probably go with

pkg_add -r -Finstalled,update postgresql-client

(I'm a little bit unsure, because the manpage specifies -Finstalled
for update mode only, but IIRC, you can use it for enforcing `-r',
too)

Ciao,
Kili
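The checks suggested in this reply (compare what the package database says was installed with what is actually on disk, and look for leftover partial-* entries in /var/db/pkg) can be scripted. The following is an added example written for this thread, not pkg_add's or pkg_delete's own code. The packing list embedded in it is a constructed sample in the +CONTENTS style (an @cwd prefix, @-prefixed metadata lines, plain relative file paths); it is not the real postgresql-client list, and the checksum and size values in it are placeholders.

```shell
#!/bin/sh
# Added example (not pkg_add's or pkg_delete's code): check an installed
# package's packing list against the filesystem and look for partial-*
# entries left in the package database by an interrupted install.
# Constructed sample packing list in +CONTENTS style; not the real
# postgresql-client-8.3.3 list, and the @sha/@size values are placeholders.
SAMPLE_CONTENTS='@name postgresql-client-8.3.3
@cwd /usr/local
@comment constructed sample packing list
bin/psql
bin/pg_dump
bin/pg_dumpall
bin/pg_restore
@sha PLACEHOLDER-not-a-real-checksum
@size 1234
man/man1/psql.1'

# missing_files ROOT: read a packing list on stdin and print every file it
# lists that does not exist under ROOT ("/" for the live system, a scratch
# directory when testing). "@cwd" lines set the install prefix; other
# @-lines are metadata (checksums, sizes, comments) and are skipped.
missing_files() {
    root=${1:-/}; root=${root%/}
    cwd=
    while IFS= read -r line; do
        case $line in
            "@cwd "*) cwd=${line#"@cwd "} ;;
            @*|"") ;;
            *) [ -e "$root$cwd/$line" ] || printf '%s\n' "$cwd/$line" ;;
        esac
    done
    return 0
}

# partial_installs DBDIR: list partial-* entries in the package database
# (default /var/db/pkg); pkg_add leaves these behind when it is interrupted.
partial_installs() {
    db=${1:-/var/db/pkg}
    for d in "$db"/partial-*; do
        [ -e "$d" ] || continue
        printf '%s\n' "${d##*/}"
    done
    return 0
}

# Typical use on the live system:
#   missing_files / < /var/db/pkg/postgresql-client-8.3.3/+CONTENTS
#   partial_installs
```

Any path printed by missing_files is one the package database believes exists; pairing that list with the inode change times of the files that are present (ls -lc) shows whether the install completed before the files disappeared.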



Re: no pg_dump?

2008-11-06 Thread Stuart Henderson
On 2008-11-06, Matthias Kilian [EMAIL PROTECTED] wrote:
 On Thu, Nov 06, 2008 at 05:53:17PM -0500, Charlie Farinella wrote:
 http://www.openbsd.org/4.4_packages/i386/postgresql-client-8.3.3.tgz-contents.html
 
 Thank you.
 
 I have everything on the list except:
 
 /usr/local/bin/pg_config
 /usr/local/bin/pg_dump
 /usr/local/bin/pg_dumpall
 /usr/local/bin/pg_restore

 This is odd. Did your machine crash or got a full filesystem during
 the update/install?

for softdep users, a crash shortly after installation would do it too.



Re: openbsd fail2ban

2008-11-06 Thread Vinicius Vianna
One more vote for sshguard, I use it here with success, just need to
create a rule like:


block in on $ext_if proto tcp from <sshguard> to any port ssh

And run sshguard; it will add any host trying random passwords with no
success to the sshguard table.


Don't know if there are any alternatives more openbsd focused.

Alexander Polakov wrote:

2008/11/6, Charlie Clark [EMAIL PROTECTED]:
  

Hi,

I have noticed that people constantly try to brute force sshd on my
openbsd box, on my server I use fail2ban to prevent this and wondered if
there is a similar solution for openbsd.



Have you tried sshguard?
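Both approaches in this thread (Stuart's static "block ... pass from ADMIN_NETS" rules and the sshguard table rule above) rest on the same mechanism: pf decides per source address, and something has to decide which addresses go into the table. The following is an added example, not sshguard's or fail2ban's code, showing the table-feeding half in plain sh and awk: count sshd "Failed password" lines per source address and print the pfctl commands that would add repeat offenders to the <sshguard> table referenced by the rule above. The log lines are constructed samples using documentation addresses; the threshold values are the example's own choice.

```shell
#!/bin/sh
# Added example (not sshguard's or fail2ban's code): count sshd password
# failures per source address and print the pfctl commands that would put
# repeat offenders into the <sshguard> table used by the block rule.
# Constructed sample authlog lines (documentation addresses, not real hosts).
SAMPLE_LOG='Nov  6 17:33:41 gw sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov  6 17:33:43 gw sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov  6 17:33:46 gw sshd[4107]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov  6 17:33:50 gw sshd[4110]: Failed password for root from 203.0.113.7 port 51250 ssh2
Nov  6 17:34:02 gw sshd[4120]: Failed password for alice from 192.0.2.9 port 40000 ssh2
Nov  6 17:34:10 gw sshd[4130]: Accepted publickey for alice from 192.0.2.9 port 40001 ssh2
Nov  6 17:34:15 gw sshd[4140]: Failed password for invalid user test from 198.51.100.20 port 2222 ssh2
Nov  6 17:34:16 gw sshd[4140]: Failed password for invalid user test from 198.51.100.20 port 2222 ssh2
Nov  6 17:34:17 gw sshd[4140]: Failed password for invalid user test from 198.51.100.20 port 2222 ssh2'

# count_failures: read sshd log lines on stdin and print "<failures> <ip>"
# for each source address of a "Failed password" line, highest count first.
# Only sshd lines are matched, so other daemons' logs cannot feed the table.
count_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip != "") n[ip]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: addresses with at least THRESHOLD failures (default 3).
# A single failure (a user mistyping a password) does not reach the table.
offenders() {
    count_failures | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# table_commands THRESHOLD: print, without running, the pfctl commands that
# add each offender to the <sshguard> table; review, then pipe to sh.
table_commands() {
    offenders "$1" | while read -r ip; do
        printf 'pfctl -t sshguard -T add %s\n' "$ip"
    done
}

# Usage:  offenders 3 < /var/log/authlog
#         table_commands 3 < /var/log/authlog
```

The threshold is what keeps an admin who fat-fingers a password once from locking themselves out; Stuart's point still stands that a static pass rule from known admin networks needs none of this bookkeeping.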




recommended disk layout for small web/mail/db server

2008-11-06 Thread Francisco Valladolid Hdez.
Hi Folks.

I'm setting up a small web/mail/db server to sell web hosting; it runs OpenBSD 
4.4. I want to know the different points of view about the disk layout for this 
purpose.

I don't have sufficient resources for buying three separate machines 
(web/mail/db) at this time.

I hope for your advice!


-- 
ficovh - http://bsdguy.net
In the beginning God created the heavens and the earth. Gen. 1:1



Re: no pg_dump?

2008-11-06 Thread Stuart Henderson
On 2008-11-07, Stuart Henderson [EMAIL PROTECTED] wrote:
 On 2008-11-06, Matthias Kilian [EMAIL PROTECTED] wrote:
 On Thu, Nov 06, 2008 at 05:53:17PM -0500, Charlie Farinella wrote:
 http://www.openbsd.org/4.4_packages/i386/postgresql-client-8.3.3.tgz-contents.html
 
 Thank you.
 
 I have everything on the list except:
 
 /usr/local/bin/pg_config
 /usr/local/bin/pg_dump
 /usr/local/bin/pg_dumpall
 /usr/local/bin/pg_restore

 This is odd. Did your machine crash or got a full filesystem during
 the update/install?

 for softdep users, a crash shortly after installation would do it too.

ehm, s/would/could/.



tap devices on bridge cannot connect

2008-11-06 Thread Lord Sporkton
I am running Qemu with 2 virtual machines. I have put the tap devices
into a bridge with a trunk interface; the trunk acts as a gateway,
allowing a virtual network inside the host server which can NAT to
public IPs and be firewalled. For some reason the 2 VM hosts cannot
communicate. They will ARP each other up but not actually ping each
other. They are Windows hosts. I have a site-to-site VPN back to my
house, and I can ping both VM hosts successfully from my house
computer through the VPN. I can ping the trunk interface from the
hosts as well, just not VM host to VM host.

Any thoughts on why they can not ping each other?

thank you


Below is my pf.conf and output of ifconfig and brconfig


#   gorilla.sporkton.com
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#NORMAL ORDER - see no set require-order rule
#Macros
#Tables
#Options
#Traffic Normalization (e.g. scrub)
#Queueing
#Translation (Various forms of NAT)
#Packet Filtering


ext_if=em0
vm_if=trunk0
gorilla=38.102.248.178

table <ssh-attack> persist
table <private> const { 10/8, 172.16/12, 192.168/16 }


set skip on {enc0, lo0}
set block-policy drop

scrub in on $ext_if all fragment reassemble

no nat on $ext_if from <private> to <private>
nat on $ext_if from <private> to any -> ($ext_if:0)

#--Default--#
block in
pass out
pass in on $vm_if
pass in on $ext_if proto tcp to $gorilla port ssh
#--Custom--#
pass in on $ext_if proto esp
pass in on $ext_if proto udp to $gorilla port {isakmp, ipsec-nat-t}
pass in on $ext_if proto {udp, tcp} to $gorilla port domain




# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:14:22:b0:d8:d2
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 38.102.248.178 netmask 0xfffffff8 broadcast 38.102.248.183
        inet6 fe80::214:22ff:feb0:d8d2%em0 prefixlen 64 scopeid 0x1
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:14:22:b0:d8:d3
        media: Ethernet autoselect (none)
        status: no carrier
enc0: flags=0<> mtu 1536
trunk0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:00:00:00:00
        trunk: trunkproto roundrobin
        groups: trunk
        media: Ethernet autoselect
        status: no carrier
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
        inet6 fe80::214:22ff:feb0:d8d2%trunk0 prefixlen 64 scopeid 0x5
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
        groups: pflog
tun0: flags=9942<BROADCAST,RUNNING,PROMISC,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr 00:bd:be:64:87:01
        groups: tun
        inet6 fe80::2bd:beff:fe64:8701%tun0 prefixlen 64 scopeid 0x8
bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge
tun1: flags=9942<BROADCAST,RUNNING,PROMISC,SIMPLEX,LINK0,MULTICAST> mtu 1500
        lladdr 00:bd:3b:4f:63:02
        groups: tun
        inet6 fe80::2bd:3bff:fe4f:6302%tun1 prefixlen 64 scopeid 0xb



# brconfig
bridge0: flags=41<UP,RUNNING>
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        trunk0 flags=3<LEARNING,DISCOVER>
                port 5 ifpriority 0 ifcost 0
        tun1 flags=3<LEARNING,DISCOVER>
                port 11 ifpriority 0 ifcost 0
        tun0 flags=3<LEARNING,DISCOVER>
                port 8 ifpriority 0 ifcost 0
        Addresses (max cache: 100, timeout: 240):



-- 
-Lawrence



Re: trunk(4), VLANs and MTU problems

2008-11-06 Thread Stuart Henderson
On 2008-11-06, Johan Ström [EMAIL PROTECTED] wrote:
 Anyone know how common this problem with blocked ICMP packets is?

Idiot firewall and router admins do it the world over.

If you can work out who's filtering ICMP, you can attempt to apply
a LART, but experience shows this is rarely successful :(

PF scrub (max-mss, maybe no-df) can be a useful tool here...



Re: tap devices on bridge cannot connect

2008-11-06 Thread Girish Venkatachalam
On 17:37:11 Nov 06, Lord Sporkton wrote:
 I am running Qemu with 2 virtual machines. I have put the tap devices
 into a bridge with a trunk interface, the trunk acts as a gateway,
 allowing a virtual network inside the host server which can nat to
 public IPs and be firewalled. For some reason the 2 vmhosts cannot
 communicate. they will arp each other up but not actually ping each
 other. THey are windows hosts. I have a site to site vpn back to my
 house which i can ping both vm hosts successfully from my house
 computer through the vpn. i can ping the trunk interface from the
 hosts as well. just not vmhost to vmhost.
 
 Any thoughts on why they can not ping each other?
 

I think qemu has two modes for networking and only TCP proxying works.
Not sure about UDP. But ping does not work.

If you configure qemu to do 'real' networking then I believe ping will
work.

People more knowledgeable than me should comment any further.

Thanks.

-Girish



Re: Laptop keyboard pictures

2008-11-06 Thread Ted Unangst
On Thu, Oct 30, 2008 at 7:42 PM, Ted Unangst [EMAIL PROTECTED] wrote:
 Can people with these new tiny notebooks send me a nice high res (1k x 1k is
 good) pic showing the keyboard layout?  Maybe with a quarter or euro to show
 scale?  Off list of course. I'd like to make a gallery because the keyboard
 is critical and it's hard to find decent pics of the keyboard sometimes.

http://ted.unangst.googlepages.com/laptopkeyboards

If anyone has one of the Lenovo IdeaPad U110, I'm particularly
interested.  From the web photos, it seems they have moved the tilde.



Re: Laptop keyboard pictures

2008-11-06 Thread Andrew Konkol
Heres a pic of a portion of the eee keyboard (excuse the crappy photo):
http://www.copyandwaste.com/wp-content/uploads/2008/11/img_0055.jpg

Not sure if this is completely useful... but here is a comparison on the
size of the eee and an old fujitsu lifebook

http://www.copyandwaste.com/2008/09/16/asus-netbook/

-a

On Thu, Nov 6, 2008 at 10:45 PM, Ted Unangst [EMAIL PROTECTED] wrote:

 On Thu, Oct 30, 2008 at 7:42 PM, Ted Unangst [EMAIL PROTECTED]
 wrote:
  Can people with these new tiny notebooks send me a nice high res (1k x 1k
 is
  good) pic showing the keyboard layout?  Maybe with a quarter or euro to
 show
  scale?  Off list of course. I'd like to make a gallery because the
 keyboard
  is critical and it's hard to find decent pics of the keyboard sometimes.

 http://ted.unangst.googlepages.com/laptopkeyboards

 If anyone has one of the Lenovo IdeaPad U110, I'm particularly
 interested.  From the web photos, it seems they have moved the tilde.



Re: recommended disk layout for small web/mail/db server

2008-11-06 Thread Francisco Valladolid Hdez.
Thanks for the suggestion, I think I'll begin with a 100GB hard disk, for managing users 
(web-mail-db) and allocating some dynamic web sites.

I share the opinion about the split /var; in the past only /var/postgresql was 
split for me. Splitting /var/mail, /var/mysql and /var/log is a good suggestion.

Thanks and Best Regards.


--- On Fri, 11/7/08, Mikel Lindsaar [EMAIL PROTECTED] wrote:

 From: Mikel Lindsaar [EMAIL PROTECTED]
 Subject: Re: recommended disk layout for small web/mail/db server
 To: [EMAIL PROTECTED]
 Date: Friday, November 7, 2008, 2:05 AM
 On Fri, Nov 7, 2008 at 11:33 AM, Francisco Valladolid Hdez.
 
 [EMAIL PROTECTED] wrote:
 
   I'm setting up a small web/mail/db server to sell web hosting; it runs
  OpenBSD 4.4. I want to know the different points of view about the disk
  layout for this purpose.
   I don't have sufficient resources for buying three separate machines
  (web/mail/db) at this time.
 
 
 Depends on how big your hard drive is obviously, but here
 are some pointers:
 
 http://www.openbsd.org/faq/faq4.html#Disks
 
 Provides a good starting point for a 13G drive.  It says:
 
 / 150M
 Swap  300M
 /tmp   120M
 /var 80M
 /usr 6G
 /home  4G
 
 Now, you say that you want to use mail, web and database.
 
 In OpenBSD, if you install from ports or packages, your
 data for the mail,
 ftp and database is going to be under the /var partition,
 in /var/www,
 /var/db and /var/mail.
 
 To begin with, you are probably best off just allocating
 more to /var.   And
 in your case, I assume your drive is going to be a lot
 larger than 13Gb
 
 So just add more the /var partition, a bit more to the /usr
 partition.
 
 If you wanted to get really smart, you could add a /var/log
 parition and
 give it a few Gb, or split up /var/db, /var/mail and
 /var/www into separate
 partitions, but I think it is just overkill for what you
 want.
 
 By the time your server starts running out of space, you
 will know which
 apps are taking the room and will be able to migrate to a
 bigger and better
 configuration.
 
 Mikel
 
 
 -- 
 http://lindsaar.net/
 Rails, RSpec and Life blog



Re: Laptop keyboard pictures

2008-11-06 Thread Ted Unangst
On Fri, Nov 7, 2008 at 12:01 AM, Andrew Konkol [EMAIL PROTECTED] wrote:
 Not sure if this is completely useful... but here is a comparison on the
 size of the eee and an old fujitsu lifebook

 http://www.copyandwaste.com/2008/09/16/asus-netbook/

That's awesome, thanks.  I loved my lifebook, and used it several
years even after I had faster machines.  That really puts the eee in
perspective.



Re: HP DL180 hangs on boot

2008-11-06 Thread Johan Fredin

On 08-11-06 14.44, Alexander Hall wrote:

Hi!

I have issues booting a HP ProLiant DL180 G5 (456830-421) [1] which I
hope someone can shed some light on.

[ While writing this email I've done some more testing and realized
that the behaviour is not really consistent, but what I describe
below is a typical case ]

1. The machine takes loong pauses (usually two; sometimes more) while
   loading the kernel.
   - The first long pause is after entry point at ... line,
 and is about 90s. [noticed now that pressing any key on the
 keyboard makes it go on... interrupt issues?]


See if the BIOS has an option to disable 8042 Emulation. That cured 
the entry point hang for me on a DL140 G3 system.


/Johan



Re: recommended disk layout for small web/mail/db server

2008-11-06 Thread Lars Noodén
Francisco Valladolid Hdez. wrote:
 I'm setting up a small web/mail/db server to sell web hosting; it 
 runs OpenBSD 4.4. I want to know the different points of view
 about the disk layout for this purpose.

The partitioning depends on the usage.

How much mail (number of messages and KB per message) do you expect to receive
or store?

How many GB of Web material do you plan to have?

How many GB do you expect your databases to contain?

Regards
-Lars