Re: Sudo YPLDAP
On Thu, 22 Jan 2009 14:04:00 +1100, Gavin Norman gav...@rcservices.com.au wrote: Greetings, Anyone had any luck getting sudo working with YPLDAP/LDAP? Regards.

You don't need ypldap. This is an LDAP-to-NIS server which provides NIS maps for users and groups so you can fetch passwd/groups from LDAP via 'NIS'. I suggest simply compiling sudo from src with ldap after installing openldap, see README.LDAP in src.

Regards
Uwe
Re: Router ping one way only
Still no joy with this issue. I was asked to try:

Try this. Go to the ubuntu machine (network 192...) and listen to icmp packets on the interface connected to the 172... network. Then get a machine from network 172... and try to ping it. You did a tcpdump on the pf pseudo-interface before but your problem doesn't seem to be routing and/or pf filter rules. If you see ICMP requests coming from another ip, you have a nat in between and that would justify your one way ping.

I got these results from this:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:30:28.359774 IP pupil-laptop.local.ssh > 172.16.0.6.49797: P 1505958084:1505958280(196) ack 379641432 win 566
08:30:28.361092 IP pupil-laptop.local.50398 > 212.23.3.100.domain: 33472+ PTR? 6.0.16.172.in-addr.arpa. (41)
08:30:28.361960 IP 172.16.0.6.49797 > pupil-laptop.local.ssh: . ack 196 win 66
08:30:28.375114 IP pupil-laptop.local > 172.168.0.6: ICMP echo request, id 4893, seq 5, length 64
08:30:29.375137 IP pupil-laptop.local > 172.168.0.6: ICMP echo request, id 4893, seq 6, length 64
08:30:30.375146 IP pupil-laptop.local > 172.168.0.6: ICMP echo request, id 4893, seq 7, length 64
08:30:31.375134 IP pupil-laptop.local > 172.168.0.6: ICMP echo request, id 4893, seq 8, length 64
08:30:32.375144 IP pupil-laptop.local > 172.168.0.6: ICMP echo request, id 4893, seq 9, length 64
08:30:33.359178 IP pupil-laptop.local.50845 > 212.23.6.100.domain: 33472+ PTR? 6.0.16.172.in-addr.arpa. (41)
08:30:33.375117 IP pupil-laptop.local > 172.168.0.6: ICMP echo request, id 4893, seq 10, length 64
08:30:34.375156 IP pupil-laptop.local > 172.168.0.6: ICMP echo request, id 4893,

Does this look irregular?

Martin Toft-2 wrote: What happens when you ping from the OpenBSD router? Does any of the other equipment reply? The Ubuntu machine's firewall settings can be seen by running 'sudo iptables -L -v -n'. Are you sure it doesn't block incoming ICMP requests?
Martin -- View this message in context: http://www.nabble.com/Router-ping-one-way-only-tp21569634p21600393.html Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: OpenBSD 4.4 pf+vlan+bridge problem
Hi!

Wouldn't it be better to not use the bridge and use (multicast-)routing and pf to solve your problem?

Multicast routing with dvmrpd is tested with pf, does not work. The same thing happens: if streamX is allowed to pass out on vlanX and streamY is allowed to pass out on vlanY, the result is pretty similar: vlanX outputs both streams (streamX, streamY) and the same thing with vlanY. pf is not 100% percent multicast compat.?

Since these days I tried out anyway how multicast routing is and decided to set up also a similar configuration as described in the beginning of this thread, assuming for pf multicast traffic is no different from any other 'ordinary' traffic. I believe the reason why with a rule like this

pass out quick on vlan1101 proto udp from any to 239.16.1.1

you see the same traffic on every interface which is set up to multicast is because of how pf decides to pass packets. Default state-policy is floating and it means that the decision to pass traffic is based on the packet's direction and src and dst ip and ports and not on what interface the packet leaves (or enters). Normally this is ok and as I understand this approach for example saves memory by not keeping information on which exact interface is used for passing. But the problem arises with multicast traffic as src and dst addresses and ports are the same. I tried and adding 'keep state (if-bound)' seems to solve the problem.

Imre

Actually I experimented with tags, something like this ..

pass in quick on $if_onelan inet to 239.x.x.x keep state (if-bound) tag MC
pass out quick on $if_otherlan keep state (if-bound) tagged MC
...
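The mechanism described above (a floating state matches on direction, addresses and ports only, so one multicast state passes the same group on every interface) can be shown in a complete ruleset. The pf.conf below is an added example written for this page, not a configuration from the thread or from the OpenBSD project; it combines the global state-policy setting with the tagged pass rules the thread experimented with. The interface names, group addresses and block-by-default policy are assumptions, in OpenBSD 4.4-era syntax.

```pf
# Added example, not from the thread: a router receives two multicast
# groups on one upstream interface and must deliver each group to only
# one of two VLANs.  Interface names, group addresses and the
# block-by-default policy are assumptions.
if_up  = "em0"
vlan_a = "vlan1101"
vlan_b = "vlan1102"
grp_a  = "239.16.1.1"
grp_b  = "239.16.1.2"

# With the default "set state-policy floating" a state is matched on
# direction, addresses and ports only.  Both groups carry identical
# src/dst/port tuples on every VLAN, so a state created when grp_b
# leaves $vlan_b also passes grp_b when it shows up on $vlan_a.
# Binding every state to the interface it was created on is the fix
# the thread arrived at; "keep state (if-bound)" does the same per rule.
set state-policy if-bound

block log all

# Accept each group on the upstream side and tag it, so the tag rather
# than the (identical) address tuple decides where it may leave.
pass in quick on $if_up inet proto udp from any to $grp_a tag MC_A
pass in quick on $if_up inet proto udp from any to $grp_b tag MC_B

# Each VLAN passes only its own tagged group.  The state is created on
# that VLAN interface and, being if-bound, is not consulted on the other,
# so grp_b arriving on $vlan_a falls through to "block log all".
pass out quick on $vlan_a inet proto udp from any to $grp_a tagged MC_A keep state
pass out quick on $vlan_b inet proto udp from any to $grp_b tagged MC_B keep state
```

Check the ruleset with pfctl -nf before loading it; afterwards pfctl -ss shows each multicast state prefixed with the interface it is bound to instead of "all", which is the quickest way to confirm the policy took effect.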
Re: net5501 crypto driver
Yes, I can confirm that glxsb.c 1.15 works fine with 4.4-stable. Now AES 256 works again.

Thanks

-----Original Message-----
From: Markus Friedl [mailto:markus.r.fri...@arcor.de]
Sent: Tuesday, 20 January 2009 13:53
To: Christoph Leser
Cc: misc@openbsd.org
Subject: Re: net5501 crypto driver

1.15 should just work fine in stable.

-m

On Tue, Jan 20, 2009 at 12:19:34PM +0100, Christoph Leser wrote: As described in http://kerneltrap.org/mailarchive/openbsd-misc/2008/9/22/3364064 there is a problem with the driver for the AMD Geode LX series processor security block for OpenBSD 4.4 (glxsb.c). This has been fixed in version 1.15 of this file, but this fix has not been committed to 4.4-stable (still on 1.14). Is it ok to use 1.15 with 4.4-stable or do I have to switch to -current in order to use this patch.

Regards
Christoph
Re: Sudo YPLDAP
I'm aware of that, but sudo whinges about uid x not being in /etc/passwd if they are from ypldap. Regards. -- Gavin Norman IT Manager RC Services Vic M: +614 0935 4020 E: gav...@rcservices.com.au
Re: now OT Re: Virtualization, OpenBSD as host
On Thu, 22 Jan 2009, Josh wrote: I am in the process of building NetBSD dom0 machines after having problems with trying to get linux to work beyond a snail's pace on the hardware we have. I just used the howto provided here: http://www.netbsd.org/ports/xen/howto.html Only issue from that was grub did not boot the xen.gz kernel, but just gunzip it and alter grub's menu.lst to suit.

First, this isn't a NetBSD mail list, so we've definitely veered off topic for the list. How well does PF run for you?

diana
Apache file upload
Hi

I need a very simple web page to upload files on my Apache web server. I found some cgi script like this one http://www.raditha.com/megaupload/ but I always face an internal server error message. Did anyone do something like that?

Thanks
rfc1918
Hi all, I was wondering if someone could tell me why there's a need to write a rule to block addresses that come under the private address space if these addresses aren't routable over the Internet? Cheers, Steve -- I like Linux. I used it to download OpenBSD!!!
pf.conf and tags
Hello all (again),

I was wondering if someone could tell me if using tags in pf.conf makes anything better apart from setting up trusts between interfaces etc. Basically, what I'm trying to ask is how can I make pf faster? What is important? More RAM? Faster CPU? Using tags? A smaller rule file? Using an architecture other than x86? I've got a Sun Microsystems Ultra 5 270MHz 64bit CPU with 128MB of RAM. Would that be better than the 1GHz 1024MB RAM x86 bitsa I'm using at the moment? top shows the machine is only using around 70MB. What would you consider as the optimum configuration for a machine built with pf in mind?

Also, is it wrong to allow everything out of your network? I'm only allowing HTTP/S, SMTP, FTP... the usual suspects but I'm blocking every other unnecessary port in and out of the int_if, ext_if and dmz_if. I bought a book once that talked about "My network can do no harm" and ever since then, I've blocked all that's not needed. Is this overkill that could be choking my performance, since if you were to print my rules out, the paper would go from here to China and back?

Cheers,
Steve Laurie
--
Windows constantly reminds me of my daughter - "Honest Daddy, I wasn't doing anything and it just broke!"
Re: rfc1918
On Thu, Jan 22, 2009 at 1:37 PM, Steve Laurie st...@foo-unix.org wrote: I was wondering if someone could tell me why there's a need to write a rule to block addresses that come under the private address space if these addresses aren't routable over the Internet?

An RFC that says they shouldn't be routable over the Internet doesn't mean that they aren't. I've seen plenty of cases where a misconfigured router has sent RFC1918 packets out onto the net. Blocking them at your border is cheap, so it makes sense to do so.

Tet
--
Perl is like vise grips. You can do anything with it but it is the wrong tool for every job. -- Bruce Eckel
Re: Apache file upload
On 22 January 2009 16:26:08 pcnico...@freesurf.fr wrote: Hi I need a very simple web page to upload files on my Apache web server. I found some cgi script like this one http://www.raditha.com/megaupload/ but I always face internal server error message.

Did you look at the logs in /var/www/logs?

Did anyone do something like that?

See the code at the end of the letter. I'm using such a page myself, secured by HTTP authorization, so there are not so many security and reliability checks in the code. You need to install the php5-core package, of course.

--
WBR, Pereresus ne Vlezaet Buggy

<?php // $Id$ ?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>File download page</title>
</head>
<body>
<h1>File uploading</h1>
<?php
// Only act on a real upload: PHP filled $_FILES and the temp file was
// created by the upload mechanism (is_uploaded_file), not by something else.
if (count($_FILES) > 0 && $_FILES['userfile']['tmp_name'] != ''
    && is_uploaded_file($_FILES['userfile']['tmp_name'])) {
    // basename() strips any directory components from the client-supplied name;
    // the timestamp prefix keeps uploads with the same name from colliding.
    $basename = basename($_FILES['userfile']['name']);
    $t = time();
    $newname = '/upl/files/'.$t.'_'.$basename;
    if (rename($_FILES['userfile']['tmp_name'], $newname)) {
        chmod($newname, 0644);
        echo '<p>File <strong>'.htmlspecialchars($basename).
            '</strong> uploaded successfully!</p>';
        // Hard link into the document root so the file becomes downloadable
        // by URL; /htdocs and /upl must be on the same filesystem for link().
        $linkpath = '/dnl/auto/'.$t.'_'.$basename;
        if (link($newname, '/htdocs'.$linkpath)) {
            $url = 'http://'.$_SERVER['SERVER_NAME'].$linkpath;
            echo '<p>File can be downloaded via link: <a target="_blank" href="'.
                htmlspecialchars($url).'">'.htmlspecialchars($url).'</a></p>';
        } else {
            $linkFailed = 1;
            echo '<p>For downloading the file please ask the administrator.</p>';
        }
    } else {
        // Set so the notification mail below reports the failure
        // (the body checks $renameFailed but nothing set it originally).
        $renameFailed = 1;
        echo '<p>Sorry, server error occurred. Please try again later.</p>';
    }
    // Notify the administrator by SMTP (PEAR Net_SMTP).
    require 'Net/SMTP.php';
    $host = 'mail.my.domain';
    $subj = "Subject: New file uploaded\r\n";
    $body = "New file\r\n$basename\r\n".
        "can be found in /upl/files/ directory.\r\n";
    if (isset($renameFailed))
        $body .= "ERROR: failed to move uploaded file\r\n";
    if (isset($linkFailed))
        $body .= "WARNING: failed to create hard link in /htdocs/dnl/auto\r\n";
    if (($smtp = new Net_SMTP($host))) {
        if (!PEAR::isError($smtp->connect())) {
            if (!PEAR::isError($smtp->mailFrom('w...@my.domain'))) {
                if (!PEAR::isError($smtp->rcptTo('ad...@my.domain'))) {
                    $smtp->data($subj . "\r\n" . $body);
                }
            }
            $smtp->disconnect();
        }
    }
}
?>
<p>
<form method="post" enctype="multipart/form-data">
<label for="userfile">File:</label>
<input name="userfile" type="file" id="userfile">
<input type="submit" value="Upload" />
</form>
</p>
</body>
</html>

--
Best wishes,
Vadim Zhukov
Re: pf.conf and tags
Hi Steve,

2009/1/23 Steve Laurie st...@foo-unix.org: I've got a Sun Microsystems Ultra 5 270MHz 64bit CPU with 128MB of RAM. Would that be better than the 1GHz 1024MB RAM x86 bitsa I'm using at the moment?

I'd be surprised if that U5 was faster than the 1GHz x86. Back with OpenBSD 3.7 or so, I found with Ultra 5's that those which had the lower sized L2 cache were a lot slower than those with the 2MB L2 cache.

Direct crossover connection: 94.1 Mbits/sec (end-point directly to end-point).
360MHz in the Ultra 5 (256k L2): pf OFF: 67.2 Mbits/sec, pf ON: 47.3 Mbits/sec.
333MHz in the Ultra 5 (2M L2): pf OFF: 77.0 Mbits/sec, pf ON: 74.0 Mbits/sec.

The 270MHz UltraSPARC in your Ultra 5 probably has 256k of L2 cache, so I think you'll get a speed penalty due to cycle speed and the small L2 cache size. Although lots of pf performance gains have been made since then and I don't know if any of them would have made the L2 difference less dramatic.

Shane
Re: rfc1918
On 22 January 2009 16:37:52 Steve Laurie wrote: Hi all, I was wondering if someone could tell me why there's a need to write a rule to block addresses that come under the private address space if these addresses aren't routable over the Internet?

- Your home Internet provider gives you a public IP but their internal network is still one of those described in RFC 1918;
- the OpenBSD machine is bridging some traffic;
- etc.

And when you set up such a rule you can control the flow of matched packets (tag them, label them, etc); otherwise you cannot.

--
WBR, Pereresus ne Vlezaet Buggy
Re: pf.conf and tags
On 2009-01-22, Steve Laurie st...@foo-unix.org wrote: Basically, what I'm trying to ask is how can I make pf faster? What is important? More RAM? Faster CPU? Using tags? A smaller rule file? Using architecture other than x86? Is it currently too slow for you? I've got a Sun Microsystems Ultra 5 270MHz 64bit CPU with 128MB of RAM. Would that be better than the 1GHz 1024MB RAM x86 bitsa I'm using at the moment? Unlikely. Looking at a dmesg might give some things to suggest.
Re: rfc1918
On 2009-01-22, Steve Laurie st...@foo-unix.org wrote: Hi all, I was wondering if someone could tell me why there's a need to write a rule to block addresses that come under the private address space if these addresses aren't routable over the Internet? They don't usually appear in full internet routing tables, but that's not always the case, sometimes they do show up. And even if you can't send packets _to_ them, they can still be used as a source address on malicious packets, a lot of providers don't do BCP38 ingress filtering.
Re: Sending email in Apache chroot?
2009/1/21 Sunnz sun...@gmail.com:

So in summary, the following was done:

- Setup sendmail such as the sendmail that came with OpenBSD or use some other agent like Postfix such that you can do a `dmesg | mail -s "Sony VAIO 505R laptop, apm works OK" dm...@openbsd.org` on the command line.
- Install femail-chroot from package, this places a binary called femail in /var/www/bin/
- Change sendmail_path in php.ini. This defaults to "sendmail -t -i". Change it to "/bin/femail -t -i"
- cp /bin/ksh /var/www/bin/; cp /bin/sh /var/www/bin/; "femail itself does not use or need sh. whatever invokes it might need it." -- Henning Brauer.

Oh I almost forgot, need resolv.conf in /var/www/etc as well.

Cheers.
Re: rfc1918
Stevoid wrote: I was wondering if someone could tell me why there's a need to write a rule to block addresses that come under the private address space if these addresses aren't routable over the Internet? If you have a cable modem, run tcpdump on your ext_if for a few minutes some time. _azure -- View this message in context: http://www.nabble.com/rfc1918-tp21604345p21608318.html Sent from the openbsd user - misc mailing list archive at Nabble.com.
trying to install LPRng
I am running 4.4 and tried to install LPRng:

uname: OpenBSD getlost.my.domain 4.4 GENERIC#0 i386

When I type sudo pkg_add LPRng, I get the following:

parsing LPRng-3.8.21p2
Can't install LPRng-3.8.21p2: lib not found c.43.0
c.43.0: partial match in /usr/lib: major=48, minor=0 (bad major)
Can't install LPRng-3.8.21p2: lib not found crypto.13.0
crypto.13.0: partial match in /usr/lib: major=14, minor=0 (bad major)
found libspec ssl.11.0 in /usr/lib
found libspec util.11.0 in /usr/lib

I don't know what crypto is so I tried installing cryptokit (at least I tried, even though that didn't help). Tried google, but got only 1 hit and it was in Chinese, and then the translation timed out. What do I install now?

Thanks.
Re: trying to install LPRng
On 2009-01-22, Michael ber...@opensuse.us wrote: I am running 4.4 and tried to install LPRng: uname: OpenBSD getlost.my.domain 4.4 GENERIC#0 i386 When I type sudo pkg_add LPRng, I get the following:

parsing LPRng-3.8.21p2
Can't install LPRng-3.8.21p2: lib not found c.43.0
c.43.0: partial match in /usr/lib: major=48, minor=0 (bad major)
Can't install LPRng-3.8.21p2: lib not found crypto.13.0
crypto.13.0: partial match in /usr/lib: major=14, minor=0 (bad major)
found libspec ssl.11.0 in /usr/lib
found libspec util.11.0 in /usr/lib

I don't know what crypto is so I tried installing cryptokit (at least I tried, even though that didn't help). Tried google, but got only 1 hit and it was in Chinese, and then the translation timed out. What do I install now?

You need to update your PKG_PATH, it currently has 4.3 in. e.g.

PKG_PATH=ftp://some.mirror/pub/OpenBSD/`uname -r`/packages/`arch -s`/
Re: rfc1918
On Thu, Jan 22, 2009 at 8:37 AM, Steve Laurie st...@foo-unix.org wrote: I was wondering if someone could tell me why there's a need to write a rule to block addresses that come under the private address space if these addresses aren't routable over the Internet?

Even if they aren't routed over the Internet, they may well be present within the local network environment provided by your ISP. The miscreant next door is just as dangerous (potentially) as the miscreant on the other side of the planet. Besides, it's a cheap bit of protection, so why not do it?

--
Dave K
Unix Systems Network Administrator
Mount Laurel NJ
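The replies in this thread give four distinct reasons to filter private address space at the border: leaks from misconfigured routers, RFC 1918 space on the ISP's own access segment, bridged traffic, and spoofed source addresses where the upstream does no BCP 38 ingress filtering. The pf.conf below is an added example written for this page, not a configuration from the thread or from the OpenBSD project; it shows the rule the original question asks about together with the labelling one reply mentions, in OpenBSD 4.4-era syntax. The interface name, the table entries beyond the three RFC 1918 blocks, and the default-deny policy are assumptions.

```pf
# Added example, not from the thread: border filtering of RFC 1918 and
# other non-routable addresses on an OpenBSD pf firewall.  The interface
# name and the default-deny policy are assumptions.
ext_if = "em0"

# RFC 1918 space plus a few other ranges that should never arrive on the
# outside interface (loopback, link-local, "this" network).  "const"
# prevents the table from being modified at runtime with pfctl -t.
table <martians> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                         127.0.0.0/8, 169.254.0.0/16, 0.0.0.0/8 }

set skip on lo0
scrub in all

block log all

# Ingress (BCP 38 style): a packet arriving from the Internet with a
# private source address is either spoofed or leaked by a misconfigured
# router upstream.  Logging plus a label makes the rate visible with
# "pfctl -s labels" without running tcpdump on $ext_if by hand.
block in log quick on $ext_if inet from <martians> to any label "martian-in"

# Egress: never send a packet for a private destination out the external
# interface, so internal addressing is not exposed to the upstream.
block out log quick on $ext_if inet from any to <martians> label "martian-out"

# antispoof expands to rules dropping packets that claim a source inside
# the networks directly attached to $ext_if but arrive on another interface.
antispoof log quick for $ext_if inet

# Normal traffic below this point (placeholder policy).
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA keep state
pass out on $ext_if inet keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f. If the ISP hands $ext_if an address inside one of these blocks, which is the situation described in one of the replies above, exclude that access segment from the table with a negated entry (for example !192.168.100.0/24 alongside 192.168.0.0/16) so the egress rule does not cut off the upstream gateway.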
Re: trying to install LPRng
On Thu, Jan 22, 2009 at 10:08 AM, Stuart Henderson s...@spacehopper.org wrote: On 2009-01-22, Michael ber...@opensuse.us wrote: I am running 4.4 and tried to install LPRng: uname: OpenBSD getlost.my.domain 4.4 GENERIC#0 i386 When I type sudo pkg_add LPRng, I get the following: parsing LPRng-3.8.21p2 Can't install LPRng-3.8.21p2: lib not found c.43.0 c.43.0: partial match in /usr/lib: major=48, minor=0 (bad major) Can't install LPRng-3.8.21p2: lib not found crypto.13.0 crypto.13.0: partial match in /usr/lib: major=14, minor=0 (bad major) found libspec ssl.11.0 in /usr/lib found libspec util.11.0 in /usr/lib I don't know what crypto is so I tried installing cryptokit (at least I tried, even though that didn't help). Tried google, but got only 1 hit and it was in Chinese, and then the translation timed out. What do I install now? You need to update your PKG_PATH, it currently has 4.3 in. e.g. PKG_PATH=ftp://some.mirror/pub/OpenBSD/`uname -r`/packages/`arch -s`/

Guess I'm confused. Here is my .profile :

$ more .profile
# $OpenBSD: dot.profile,v 1.4 2005/02/16 06:56:57 matthieu Exp $
#
# sh/ksh initialization

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
export PATH HOME TERM
export PKG_PATH=ftp://rt.fm/pub/OpenBSD/4.4/packages/i386/

Thanks for your help.
Find - Sillyness
I know this is more of a general 'huh' kind of thing, but I figured someone could kick start my brain for me. Anyone know why this doesn't work? It appears to find the files ok but the -exec part thinks it can't?

spider:/var/log# find . -name "daemon.*.gz" -exec "echo {}" \;
find: echo ./daemon.2.gz: No such file or directory
find: echo ./daemon.1.gz: No such file or directory
find: echo ./daemon.5.gz: No such file or directory
find: echo ./daemon.4.gz: No such file or directory
find: echo ./daemon.3.gz: No such file or directory
find: echo ./daemon.0.gz: No such file or directory
Re: Find - Sillyness
do you have any programs called "echo ./daemon.2.gz"? you want -exec echo {} \;

On Thu, Jan 22, 2009 at 12:54 PM, Morris, Roy rmor...@internetsecure.com wrote: I know this is more of a general 'huh' kind of thing, but I figured someone could kick start my brain for me. Anyone know why this doesn't work? It appears to find the files ok but the -exec part thinks it can't?

spider:/var/log# find . -name "daemon.*.gz" -exec "echo {}" \;
find: echo ./daemon.2.gz: No such file or directory
find: echo ./daemon.1.gz: No such file or directory
find: echo ./daemon.5.gz: No such file or directory
find: echo ./daemon.4.gz: No such file or directory
find: echo ./daemon.3.gz: No such file or directory
find: echo ./daemon.0.gz: No such file or directory

--
GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: Find - Sillyness
Remove the quotes from "echo {}". The "No such file or directory" error is because find cannot run a program named "echo ./daemon.2.gz". Remove the quotes and it will try to run echo with an argument of daemon.2.gz.

On Thursday January 22 2009 13:54, you wrote: I know this is more of a general 'huh' kind of thing, but I figured someone could kick start my brain for me. Anyone know why this doesn't work? It appears to find the files ok but the -exec part thinks it can't?

spider:/var/log# find . -name "daemon.*.gz" -exec "echo {}" \;
find: echo ./daemon.2.gz: No such file or directory
find: echo ./daemon.1.gz: No such file or directory
find: echo ./daemon.5.gz: No such file or directory
find: echo ./daemon.4.gz: No such file or directory
find: echo ./daemon.3.gz: No such file or directory
find: echo ./daemon.0.gz: No such file or directory

--
Dan Ramaley                  Dial Center 118, Drake University
Network Programmer/Analyst   2407 Carpenter Ave
+1 515 271-4540              Des Moines IA 50311 USA
Re: Find - Sillyness
On Thu, Jan 22, 2009 at 02:54:21PM -0500, Morris, Roy wrote: I know this is more of a general 'huh' kind of thing, but I figured someone could kick start my brain for me. Anyone know why this doesn't work? It appears to find the files ok but the -exec part thinks it can't?

spider:/var/log# find . -name "daemon.*.gz" -exec "echo {}" \;
find: echo ./daemon.2.gz: No such file or directory
find: echo ./daemon.1.gz: No such file or directory
find: echo ./daemon.5.gz: No such file or directory
find: echo ./daemon.4.gz: No such file or directory
find: echo ./daemon.3.gz: No such file or directory
find: echo ./daemon.0.gz: No such file or directory

Try:

find . -name "daemon.*.gz" -exec echo {} \;

without the double quotes after exec.

John
Re: Find - Sillyness
On 22 Jan 2009 at 14:54, Morris, Roy wrote: I know this is more of a general 'huh' kind of thing, but I figured someone could kick start my brain for me. Anyone know why this doesn't work? It appears to find the files ok but the -exec part thinks it can't?

spider:/var/log# find . -name "daemon.*.gz" -exec "echo {}" \;
find: echo ./daemon.2.gz: No such file or directory
find: echo ./daemon.1.gz: No such file or directory
find: echo ./daemon.5.gz: No such file or directory
find: echo ./daemon.4.gz: No such file or directory
find: echo ./daemon.3.gz: No such file or directory
find: echo ./daemon.0.gz: No such file or directory

By specifying "echo {}" -- i.e. putting both `words' in the same set of quotes -- you made it a single token as far as the find command is concerned, which is what it passes to the exec call.
getting random icmp host unreachable messages while accessing host from behind nat with 4.4 amd64
Hi!

I have the following problem with my OpenBSD amd64 version firewall and would be very thankful if you can help me with it. Quite accidentally my colleague discovered that while he is accessing content over http from behind the natting firewall he doesn't get it every time. And it happens seemingly randomly, say about ten times per 300 attempts (vice versa the firewall is working all right and also with routing). I tested it on the live firewall and confirmed it and after that I set up other computers dedicated to test this case more thoroughly.

This is my test setup:

http server em1 firewall bge0 --- mgm computer server 10.0.5.2 -- 192.168.2.38 172.16.0.12| em0 | | | computer accessing http server (10.0.6.242)

The firewall has the following addresses:

em0 - 10.0.6.248
em1 - 172.16.0.78
bge0 - 10.0.5.7

The mgm computer actually is 192.168.2.38, a hop away. I used the 4.4 amd64 system with the latest kernel patches (and userspace patches between them) but I also tried the original 4.4 kernel, results seem to be the same. dmesg and full pfctl -sa are included at the end of this letter. Rules on the firewall are no more no less like this:

# pfctl -sn
nat on em1 inet all tagged ICMP_TEST -> 172.16.0.78
# pfctl -sr
block drop log all
pass in quick on bge0 inet from 192.168.2.0/24 to 10.0.5.7 flags S/SA keep state (tcp.established 1064000)
pass in quick on bge0 inet from 10.0.5.0/24 to 10.0.5.7 flags S/SA keep state (tcp.established 1064000)
pass in quick on em0 inet proto tcp from 10.0.6.242 to 172.16.0.12 port = www flags S/SA keep state tag ICMP_TEST
pass out quick on em1 all flags S/SA keep state tagged ICMP_TEST

Here is my testing. I access http in this manner (after a fresh reboot):

$ for i in `seq 1 300`; do wget "http://172.16.0.12/README?count=$i" -O - 1>dhs.$i.log; done

and the results are like this, i.e. this time five responses are not succeeding:

$ find . -size 0
./dhs.251.log
./dhs.171.log
./dhs.179.log
./dhs.188.log
./dhs.149.log

while listening on the firewall on em0 for icmp I get:

# tcpdump -nettti em0 icmp
Jan 22 21:06:45.787661 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 > 10.0.6.242: icmp: host 172.16.0.12 unreachable
Jan 22 21:06:45.995783 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 > 10.0.6.242: icmp: host 172.16.0.12 unreachable
Jan 22 21:06:46.067863 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 > 10.0.6.242: icmp: host 172.16.0.12 unreachable
Jan 22 21:06:46.150686 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 > 10.0.6.242: icmp: host 172.16.0.12 unreachable
Jan 22 21:06:46.765440 00:04:23:09:14:30 70:10:00:00:62:42 0800 70: 10.0.6.248 > 10.0.6.242: icmp: host 172.16.0.12 unreachable

It may also be essential to say that nothing relevant appears in pflog (on this network there is other traffic as well, to be honest). I also saved all traffic on both relevant firewall interfaces during the test and followed it, and tcpdump shows that during a connection failure:

1. the http client sends a syn packet which does not get to the other side of the firewall
2. the firewall answers this with an icmp host unreachable message
3. wget saves a zero result
4. the client then sends out the next syn which gets properly served

In the end I tested removing nat and it worked well, i.e. without errors (16k of queries). I also tested the same thing with OpenBSD 4.3 and it did work for 24k queries all right (didn't try longer). If someone could please confirm whether this holds true generally on the amd64 and i386 (haven't tried it yet) platforms or it still is some kind of specific combination of my computer and networking hardware, skills and luck.

Best regards
Imre

OpenBSD 4.4 (GENERIC) #1562: Tue Aug 12 17:15:53 MDT 2008 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC real mem = 1060478976 (1011MB) avail mem = 1029427200 (981MB) mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xec000 (73 entries) bios0: vendor HP version P54 date 02/14/2006 bios0: HP ProLiant DL360 G4p acpi0 at bios0: rev 2 acpi0: tables DSDT FACP SPCR MCFG APIC SSDT acpi0: wakeup devices acpitimer0 at acpi0: 3579545 Hz, 24 bits acpiprt0 at acpi0: bus 1 (IP2P) acpiprt1 at acpi0: bus 2 (ICHR) acpiprt2 at acpi0: bus 7 (PCXA) acpiprt3 at acpi0: bus 10 (PCXB) acpiprt4 at acpi0: bus 6 (PTB0) acpiprt5 at acpi0: bus 13 (PTA0) acpiprt6 at acpi0: bus 3 (PTC0) acpiprt7 at acpi0: bus 0 (PCI0) acpicpu0 at acpi0 acpitz0 at acpi0: critical temperature 31 degC cpu0 at mainbus0: (uniprocessor) cpu0: Intel(R) Xeon(TM) CPU 3.60GHz, 3600.60 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,CNXT-ID,CX16,xTPR,LONG cpu0: 2MB 64b/line 8-way L2 cache pci0 at mainbus0 bus 0: configuration mode 1 pchb0 at pci0 dev 0 function 0 Intel E7520 Host rev 0x0c ppb0 at pci0 dev 2
Re: trying to install LPRng
I am running 4.4 and tried to install LPRng: uname: OpenBSD getlost.my.domain 4.4 GENERIC#0 i386 When I type sudo pkg_add LPRng, I get the following:

parsing LPRng-3.8.21p2
Can't install LPRng-3.8.21p2: lib not found c.43.0
c.43.0: partial match in /usr/lib: major=48, minor=0 (bad major)
Can't install LPRng-3.8.21p2: lib not found crypto.13.0
crypto.13.0: partial match in /usr/lib: major=14, minor=0 (bad major)
found libspec ssl.11.0 in /usr/lib
found libspec util.11.0 in /usr/lib

Your $PKG_PATH is wrong. It is downloading packages for a previous version of OpenBSD, rather than 4.4.
Accessing PostgreSQL using LedgerSMB with chrooted Apache
I can get LedgerSMB to work fine with httpd -u, but can't get it to work correctly with Apache chrooted. I've added a tmp dir to the chroot, imported the files from /usr/lib and /usr/local/lib, and tried moving the socket into the chroot. No luck. Seems to connect OK with PSQL, but database creation is failing to work properly. Not sure what to try next.
Re: trying to install LPRng
On Thu, Jan 22, 2009 at 10:22 AM, Michael ber...@opensuse.us wrote: On Thu, Jan 22, 2009 at 10:08 AM, Stuart Henderson s...@spacehopper.org wrote: On 2009-01-22, Michael ber...@opensuse.us wrote: I am running 4.4 and tried to install LPRng: uname: OpenBSD getlost.my.domain 4.4 GENERIC#0 i386 When I type sudo pkg_add LPRng, I get the following: parsing LPRng-3.8.21p2 Can't install LPRng-3.8.21p2: lib not found c.43.0 c.43.0: partial match in /usr/lib: major=48, minor=0 (bad major) Can't install LPRng-3.8.21p2: lib not found crypto.13.0 crypto.13.0: partial match in /usr/lib: major=14, minor=0 (bad major) found libspec ssl.11.0 in /usr/lib found libspec util.11.0 in /usr/lib I don't know what crypto is so I tried installing cryptokit (at least I tried, even though that didn't help). Tried google, but got only 1 hit and it was in Chinese, and then the translation timed out. What do I install now? You need to update your PKG_PATH, it currently has 4.3 in. e.g. PKG_PATH=ftp://some.mirror/pub/OpenBSD/`uname -r`/packages/`arch -s`/ Guess I'm confused. Here is my .profile :

$ more .profile
# $OpenBSD: dot.profile,v 1.4 2005/02/16 06:56:57 matthieu Exp $
#
# sh/ksh initialization

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
export PATH HOME TERM
export PKG_PATH=ftp://rt.fm/pub/OpenBSD/4.4/packages/i386/

Thanks for your help.

Got LPRng installed. Sorry for the noise. Ran pkg_add as root rather than sudo.
Re: Accessing PostgreSQL using LedgerSMB with chrooted Apache
You might try connecting via tcp/ip rather than Unix sockets. I haven't used LedgerSMB but I do use phpPgAdmin under chrooted Apache over tcp/ip. (Same thing with phpMysqlAdmin.) I tried getting phpMysqlAdmin to run over Unix sockets and that was an exercise in frustration. Tcp/ip is the way to go with chrooted Apache, though I'd be happy to learn how otherwise. Make sure you have /var/postgres/data/pg_hba.conf configured to allow connections over tcp/ip for localhost addresses. I think it does by default but review the section at the bottom of the file to be sure. --Aaron On Jan 22, 2009, at 16:06, Chris Bennett wrote: I can get LedgerSMB to work fine with httpd -u, but can't it to work correctly with Apache chrooted. I've added a tmp dir to chroot, imported the files from /usr/lib /usr/local/lib tried moving socket into chroot. No luck. Seems to connect OK with PSQL, but database creation is failing to work properly. Not sure what to try next.
hoststated on OpenBSD
Greetings List, I would like to ask some folks here regarding hoststated is it still available for OpenBSD? All i got through google is http://cvs.openbsd.org/papers/eurobsdcon07/pyr-loadbalancing/ I'm looking for a tool that would be able me to setup OpenBSD as a High-availability appliance where i place behind it win or *nix webservers and have them load-balance through it. I know that pf(4) would be able to aid me on this but getting info for hoststated would really help me a lot. any help would be appreciated. -b
Re: hoststated on OpenBSD
http://marc.info/?l=openbsd-announcem=120959605703777w=2 it was renamed to relayd On Thu, Jan 22, 2009 at 5:09 PM, Beavis pfu...@gmail.com wrote: Greetings List, I would like to ask some folks here regarding hoststated is it still available for OpenBSD? All i got through google is http://cvs.openbsd.org/papers/eurobsdcon07/pyr-loadbalancing/ I'm looking for a tool that would be able me to setup OpenBSD as a High-availability appliance where i place behind it win or *nix webservers and have them load-balance through it. I know that pf(4) would be able to aid me on this but getting info for hoststated would really help me a lot. any help would be appreciated. -b -- GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: hoststated on OpenBSD
thank you all for the pointers. On Thu, Jan 22, 2009 at 6:19 PM, Chris Kuethe chris.kue...@gmail.com wrote: http://marc.info/?l=openbsd-announcem=120959605703777w=2 it was renamed to relayd On Thu, Jan 22, 2009 at 5:09 PM, Beavis pfu...@gmail.com wrote: Greetings List, I would like to ask some folks here regarding hoststated is it still available for OpenBSD? All i got through google is http://cvs.openbsd.org/papers/eurobsdcon07/pyr-loadbalancing/ I'm looking for a tool that would be able me to setup OpenBSD as a High-availability appliance where i place behind it win or *nix webservers and have them load-balance through it. I know that pf(4) would be able to aid me on this but getting info for hoststated would really help me a lot. any help would be appreciated. -b -- GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: Accessing PostgreSQL using LedgerSMB with chrooted Apache
On Thu, 22 Jan 2009, Aaron Poffenberger wrote: You might try connecting via tcp/ip rather than Unix sockets. I haven't used LedgerSMB but I do use phpPgAdmin under chrooted Apache over tcp/ip. (Same thing with phpMysqlAdmin.) I tried getting phpMysqlAdmin to run over Unix sockets and that was an exercise in frustration. Tcp/ip is the way to go with chrooted Apache, though I'd be happy to learn how otherwise. Make sure you have /var/postgres/data/pg_hba.conf configured to allow connections over tcp/ip for localhost addresses. I think it does by default but review the section at the bottom of the file to be sure. And you should be using 127.0.0.1 for the cgi and not localhost. This is a perfect way to shoot yourself in the foot if the resolver is not available. BTDT. Kind regards, Markus