Re: acpithinkpad problems on thinkpad w500

2009-03-09 Thread Didier Wiroth
Hello,
Thanks for replying.

It is now the exact same behaviour as mentioned in the bug report and email 
pending/6099 from Aaron W. Hsu.

The message starts when opening the cd. Disabling acpithinkpad stops the 
message flood but it is still impossible to close the cd.

Kind regards,
Didier

 -Original Message-
 From: joshua stein [mailto:j...@openbsd.org]
 Sent: 09 March 2009 01:43
 To: misc@openbsd.org
 Subject: Re: acpithinkpad problems on thinkpad w500
 
  I came across a strange problem today. I (accidentally) opened the
 cd/dvd
  player of my thinkpad w500 laptop. Once the player is opened, it is
  impossible to close it, as it is immediately reopened.
 
  Dmesg is flawed with the following messages:
  acpithinkpad0: unknown type 3 event 0x006
 
  Any ideas on how I can solve the problem?
 
 does the event log at the opening or closing of the drive?
 
 if you disable the acpithinkpad device (boot -c) does the drive work
 properly?



Re: PF firewall system capable of handling a multi-gigabit link

2009-03-09 Thread Alface Voadora
2009/3/9 Ted Unangst ted.unan...@gmail.com

 On Sun, Mar 8, 2009 at 2:14 PM, Alface Voadora alface.voad...@gmail.com
 wrote:
  Do you know about any installed firewall cluster that has pf+carp+pfsync
  working along with ALTQ on a multi-gigabit configuration with an
 acceptable
  performance?

 how many gigabits is multi-gigabit?  2, 10, 400?


2 Gbps


  can't you just test
 openbsd and see if it works?


Yes I can, and obviously I will test it.



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread J.C. Roberts
On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
hilco.wijbe...@gmail.com wrote:

 I have pf running on my firewall box and I'm experiencing some strange
 behaviour. After several hours (this may even be 24 hours) of
 functioning normally, pf seems to reload its default rules which means
 that from that point on all traffic is blocked. A simple pfctl -f
 /etc/pf.conf fixes the problem but it is very annoying.

ummm... no. Think about it for a moment. The default rules *are* stored
in /etc/pf.conf -- the very same file you are manually reloading, so
it's obviously not magically reloading the default rules as you claim.

What kind of connection are you running?
Is your public IP address static or dynamic?
More importantly, are you running some sort of
tunneling/authentication such as PPPoE or similar?

In short, my first guess is your IP is changing every 24 hours or so due
to your service provider using dynamic addressing (and trying to
prevent you from having a particular IP for too long). If I'm right,
then your problem is that pf is holding on to the old rules for your
old IP address even though your IP has changed. In other words, you
have a configuration error.

-- 
J.C. Roberts



Re: pppoe server

2009-03-09 Thread ttw+bsd
On 08.03-11:13, Lo?=?VAI DC!niel wrote:
[ ... ]
 I wish to experiment setting up a PPPoE server (AC) on OpenBSD 4.4. 
 Although I've read the pppoe(8) man page and googled around, it is not 
 clear for me how to set up such configuration.

man sppp



x11 problems with lenovo w500

2009-03-09 Thread Didier Wiroth
Hello,

I have a strange problem which I never had in the past when using a lenovo
laptop with a somewhat identical configuration.

I'm using CURRENT with a lenovo w500 (model 4063-34G). This model has one of
these switchable dual graphics.
(ATI Mobility Radeon FireGL V5700 + Intel's integrated GMA 4500MHD)
http://www5.pc.ibm.com/de/products.nsf/$wwwPartNumLookup/_NRC34GE?OpenDocument
http://www.pcpro.co.uk/reviews/246624/lenovo-thinkpad-w500.html

(X11 identifies the ati card as a ati mobility radeon HD 3650)
http://www.wiroth.net/dmesg.ati
http://www.wiroth.net/Xorg.0.log.ati

For now, I'm using the intel adapter, as the ati adapter is very, very slow
when watching a movie.
I'm using the following display bios settings:
a) Default Primary Video Device: Internal
b) Boot Display Device: ThinkPad LCD
c) Graphics Device: Integrated Graphics
d) OS Detection for Switchable Graphics: Disabled

Now, let me explain the problem in my simple words.

I'm dualbooting between windows xp and openbsd:
partition 1 - openbsd current
partition 2 - windows xp

Partition 2 is fully encrypted with truecrypt (http://www.truecrypt.org).

In a non technical terminology when I boot, the following happens:
the Truecrypt prompt/boot loader appears, I have two choices:

a) Enter a passphrase to access the windows bootloader
If I choose this option and enter a passphrase the windows xp bootloader
appears and I can still choose to boot into windows xp or openbsd (I have
followed the guidelines at http://www.openbsd.org/faq/faq4.html#Multibooting
to add the openbsd partition boot record to the boot.ini of windows xp).
Here is the Xorg.0.log:
http://www.wiroth.net/Xorg.0.log
Here is the dmesg:
http://www.wiroth.net/dmesg.working

If I boot via a) into Openbsd, X11 _IS_ working, no problem here!

b) Now, if I bypass the authentication and boot directly into openbsd.
The openbsd kernel is loaded, but now I'm _NOT_ able to start X11.
Here is the NON-working Xorg.0.log:
http://www.wiroth.net/Xorg.0.log.not.working
Here is the dmesg.boot:
http://www.wiroth.net/dmesg.not.working
(I don't think there is a difference between the two DMESG, but I included
them in case someone would like to have a look into it)

Here is a snip of the error message:
(II) Loading /usr/X11R6/lib/modules//libvgahw.so
(II) Module vgahw: vendor=X.Org Foundation
compiled for 1.5.3, module version = 0.1.0
ABI class: X.Org Video Driver, version 4.1
(II) intel(0): Creating default Display subsection in Screen section
Builtin Default intel Screen 0 for depth/fbbpp 24/32
(==) intel(0): Depth 24, (--) framebuffer bpp 32
(==) intel(0): RGB weight 888
(==) intel(0): Default visual is TrueColor
(II) intel(0): Integrated Graphics Chipset: Intel(R) Mobile Intel® GM45 Express Chipset
(--) intel(0): Chipset: Mobile Intel® GM45 Express Chipset
(--) intel(0): Linear framebuffer at 0xD000
(--) intel(0): IO registers at addr 0xF440
(EE) intel(0): Unable to map mmio range. Invalid argument (22)

Fatal server error:
Caught signal 11.  Server aborting

Thanks a lot for your help!
Didier



New offers from Mercadonica.com

2009-03-09 Thread Mercadonica.com
If you cannot see the content of this newsletter properly, click HERE

Post an ad

www.mercadonica.com

Promoted ads

Houses/Offices

Office for rent
Rent price: 150
Managua

See more

House for sale
Sale price: 40,000
Managua

See more

House for sale
Sale price: 50,000
Managua

See more

Land/Properties

Lot for sale
Sale price: 403,040
Managua

See more

Lot for sale
Sale price: 95,000 negotiable
Masaya

See more

Vehicles

2-door coupe for sale
Sale price: 17000

See more

Sedan for sale
Sale price: 3,600

See more

Miscellaneous ads

DELL Inspiron E1505 laptop
Sale price: 600 negotiable
Rent price: N/A

See more

House for sale/rent
Sale price: 50,000
Rent price: N/A

See more

Farm for sale/rent
Sale price: 100,000.00
Rent price: N/A

See more

4x4 pick-up for sale/rent
Sale price: 3,000 negotiable
Rent price: N/A

See more

HP 510 laptop for sale
Sale price: 650 negotiable
Rent price: N/A

See more

© Copyright MercadoNica.com
If you do not wish to receive this email, write to ven...@mercadonica.com



Re: acpithinkpad problems on thinkpad w500

2009-03-09 Thread Didier Wiroth
 Just a thought... on motorized cd/dvd drives you can use cdio
 
   # cdio close

Nope ... returns the following error:

cd0(ahci0:1:0): Check Condition (error 0x70) on opcode 0x1b
SENSE KEY: Illegal Request

Didier



Re: Bug OpenBGPD, IPv6 peer gets cleared, never gets up again

2009-03-09 Thread Claudio Jeker
On Mon, Mar 09, 2009 at 12:25:12PM +0100, Arnoud Vermeer wrote:
 We commented out the following lines, to test if it is indeed an 
 End-of-RIB-marker that is acting up, and it turns out it isn't.
 
 in rde.c line 2613 we commented out this:
 
        if (peer->capa_received.restart && peer->capa_announced.restart)
                peer_send_eor(peer, afi, safi);
 
 This is the only place where the peer_send_eor function is called, and 
 commented out, the bug remains. Hence we assume it is not an eor message 
 that causes the issue... but an update generated somewhere else.
 
 Because the empty update is sent out to all connected parties, I think 
 it has something to do with the 'announce all' capability.
 

yes, I had a quick mail exchange with henning about that. There seems to
be a wild update that causes these bad updates. I'm currently in Japan
preparing everything for AsiaBSDCon plus some traveling. As soon as I can
get my head free of all the rest I will look into it.
I have a few ideas but nothing was obvious enough to be seen by glancing
over the code.

Btw. does this only happen with full IPv6 feeds or are a few announcements
already enough?

-- 
:wq Claudio



ichiic0 errors on 4.3

2009-03-09 Thread Srikant Tangirala
Hi 

I have been noticing these kernel messages once in 
a while on my i386 machine running 4.3 (+ all patches 
up to date). The drive is brand new 500GB SATA.

ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status 0x0
ichiic0: abort failed, status 0x0
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status 0x0
ichiic0: abort failed, status 0x0
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status 0x40<INUSE>
ichiic0: abort failed, status 0x0
ichiic0: exec: op 1, addr 0x2e, cmdlen 1, len 1, flags 0x00: timeout, status 0x40<INUSE>
ichiic0: abort failed, status 0x40<INUSE>

Is this the sign of an impending motherboard failure?
It is an intel D915GVWB. Can someone please shed some 
light on the meaning of these. I know 4.5 is about to
be released. I will definitely move on to it. If this
regards some issue which was fixed in 4.4 or later,
I apologize for bringing this up again.

The dmesg is as follows. Let me know if anything else 
is required for analysis.

OpenBSD 4.3 (GENERIC) #0: Thu Feb 12 22:22:54 IST 2009
root@:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.06GHz (GenuineIntel 686-class) 3.07 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CNXT-ID,CX16,xTPR
real mem  = 1599647744 (1525MB)
avail mem = 1537679360 (1466MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/12/05, SMBIOS rev. 2.3 @ 0xe5bf1 (32 entries)
bios0: vendor Intel Corp. version WB91X10J.86A.1319.2005.1012.0939 date 10/12/2005
bios0: Intel Corporation D915GVWB
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 0%
apm0: AC off, battery charge unknown, estimated 0:00 hours
acpi at bios0 function 0x0 not configured
pcibios at bios0 function 0x1a not configured
bios0: ROM list: 0xc/0xae00!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82915G Host rev 0x04
agp0 at pchb0: aperture at 0x6000, size 0x1000
vga1 at pci0 dev 2 function 0 Intel 82915G Video rev 0x04
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci0 dev 27 function 0 Intel 82801FB HD Audio rev 0x03: irq 11
azalia0: codec[s]: Realtek ALC880
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 Intel 82801FB PCIE rev 0x03
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 1 Intel 82801FB PCIE rev 0x03
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 2 Intel 82801FB PCIE rev 0x03
pci3 at ppb2 bus 3
ppb3 at pci0 dev 28 function 3 Intel 82801FB PCIE rev 0x03
pci4 at ppb3 bus 4
uhci0 at pci0 dev 29 function 0 Intel 82801FB USB rev 0x03: irq 9
uhci1 at pci0 dev 29 function 1 Intel 82801FB USB rev 0x03: irq 10
uhci2 at pci0 dev 29 function 2 Intel 82801FB USB rev 0x03: irq 11
uhci3 at pci0 dev 29 function 3 Intel 82801FB USB rev 0x03: irq 11
ehci0 at pci0 dev 29 function 7 Intel 82801FB USB rev 0x03: irq 9
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb4 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xd3
pci5 at ppb4 bus 5
vr0 at pci5 dev 0 function 0 VIA VT6105 RhineIII rev 0x8b: irq 11, address 00:21:91:8e:3f:4b
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 9: OUI 0x004063, model 0x0034
vr1 at pci5 dev 1 function 0 VIA VT6105 RhineIII rev 0x8b: irq 11, address 00:21:91:8d:e8:be
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 9: OUI 0x004063, model 0x0034
fxp0 at pci5 dev 8 function 0 Intel 82801FB LAN rev 0x01, i82562: irq 11, address 00:16:76:63:2f:e3
inphy0 at fxp0 phy 1: i82562ET 10/100 PHY, rev. 0
ichpcib0 at pci0 dev 31 function 0 Intel 82801FB LPC rev 0x03: PM disabled
pciide0 at pci0 dev 31 function 1 Intel 82801FB IDE rev 0x03: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TSSTcorp, CDW/DVD SH-M522C, TS06 SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
pciide1 at pci0 dev 31 function 2 Intel 82801FB SATA rev 0x03: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using irq 10 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: ST3500320AS
wd0: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 Intel 82801FB SMBus rev 0x03: irq 10
iic0 at ichiic0
adt0 at iic0 addr 0x2e: emc6d100 rev 0x68
spdmem0 at iic0 addr 0x50: 256MB DDR SDRAM non-parity PC3200CL2.5
spdmem1 at iic0 addr 0x51: 1GB DDR SDRAM non-parity PC3200CL3.0
spdmem2 at iic0 addr 0x52: 256MB DDR SDRAM non-parity PC2700CL2.5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB 

Re: Bug OpenBGPD, IPv6 peer gets cleared, never gets up again

2009-03-09 Thread Henning Brauer
* Arnoud Vermeer arnoud.verm...@ams-ix.net [2009-03-08 22:54]:
 No, this is not the only session. Here is the full config, I hope it helps:
 
 Things start going wrong when I add the following to a v6 session:
 tcp md5sig password hondjes

wait. removing tcpmd5 fixes the problem? you gotta be kidding?
this is on OpenBSD right?

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: arp MiTM

2009-03-09 Thread irix
Hello Misc,

  I am a customer and not the network administrator, and someone in
  the network makes MiTM attacks, a network of billet in the
  uncontrolled switches and the ISP will not translate everything on the managed.
  Therefore, software implementation of this patch for openbsd.
  OpenBSD is the most secure OS on the planet, but susceptible to a
  simple MiTM attack. How then can we talk about the "security by default"?
-- 
Best regards,
 irix  mailto:i...@ukr.net



Re: Upgrade on non-live disk

2009-03-09 Thread Hannah Schroeter
Hi!

On Thu, Mar 05, 2009 at 12:09:31PM +1030, Damon McMahon wrote:
Tue, 03 Mar 2009 07:17:56 -0500  steve.shock...@shockley.net:

On 3/2/2009 7:31 PM, Damon McMahon wrote:

   Is it possible/wise to follow the upgrade instructions on a non-live
   OpenBSD disk mounted on /altroot? I have a second drive I use as a
   non-live mirror with dd(1); can I use the "Upgrading without install
   kernel" instructions to upgrade this disk by mounting its file systems
   in /altroot and then substituting /altroot for / in the "Upgrading
   without install kernel" instructions?

Why not just continue to use your existing mirror process, and update the 
mirror once your prod drive is upgraded?

To minimise down-time to a simple reboot - best not to rush these
things, and there's nothing like a production system being down to
cause me to rush!

Thanks to Nick for the advice, it seemed to work fine. For the
archives, just make REALLY sure you replace / with /altroot at every
step in the upgrade instructions (I slipped a couple of times,
thankfully both instances were recoverable) and I did find some minor
steps e.g. running newaliases(8) that would seem to require the system
being upgraded to be live and running.

chroot /mountpoint /usr/bin/newaliases

Kind regards,

Hannah.



Re: arp MiTM

2009-03-09 Thread Jacob Yocom-Piatt

irix wrote:

Hello Misc,

  I am a customer and not the network administrator, and someone in
  the network makes MiTM attacks, a network of billet in the
  uncontrolled switches and the ISP will not translate everything on the managed.
  Therefore, software implementation of this patch for openbsd.
  OpenBSD is the most secure OS on the planet, but susceptible to a
  simple MiTM attack. How then can we talk about the "security by default"?
  



this sort of email will, even if you have a valid point, likely win you 
no points with the devs. i see no offer of funding or a demonstration of 
an attack vector so you are obviously a very serious player.


you are being unbelievably rude and are likely a troll so this is the 
last time i'll ever read your emails. wouldn't be surprised if a lot of 
other folks did the same.




Re: arp MiTM

2009-03-09 Thread michal

Jacob Yocom-Piatt wrote:

irix wrote:

Hello Misc,

  I am a customer and not the network administrator, and someone in
  the network makes MiTM attacks, a network of billet in the
  uncontrolled switches and the ISP will not translate everything on the managed.

  Therefore, software implementation of this patch for openbsd.
  OpenBSD is the most secure OS on the planet, but susceptible to a
  simple MiTM attack. How then can we talk about the "security by default"?
  



this sort of email will, even if you have a valid point, likely win 
you no points with the devs. i see no offer of funding or a 
demonstration of an attack vector so you are obviously a very serious 
player.


you are being unbelievably rude and are likely a troll so this is the 
last time i'll ever read your emails. wouldn't be surprised if a lot 
of other folks did the same.




Funny, I would say you are being more rude than he is



Where is Secure by default ?

2009-03-09 Thread irix
Hello Misc,

  On www.openbsd.org it is written "Only two remote holes in the default
  install, in more than 10 years!"; this is not true. I am using OpenBSD
  as a customer, not as an administrator. And my OpenBSD was attacked
  by a simple MiTM attack in the ARP protocol. How then can we talk about the
"security by default"?
  For example, in FreeBSD this is decided very simply, with this patch
http://freecap.ru/if_ether.c.patch
  When this is introduced in OpenBSD, then you can say with confidence
  that the system is really "Secure by default"?

-- 
Best regards,
 irix  mailto:i...@ukr.net



Re: Where is Secure by default ?

2009-03-09 Thread Marco Peereboom
because it is.

On Mon, Mar 09, 2009 at 04:36:47PM +0200, irix wrote:
 Hello Misc,
 
   On www.openbsd.org it is written "Only two remote holes in the default
   install, in more than 10 years!"; this is not true. I am using OpenBSD
   as a customer, not as an administrator. And my OpenBSD was attacked
   by a simple MiTM attack in the ARP protocol. How then can we talk about the
 "security by default"?
   For example, in FreeBSD this is decided very simply, with this patch
 http://freecap.ru/if_ether.c.patch
   When this is introduced in OpenBSD, then you can say with confidence
   that the system is really "Secure by default"?
 
 -- 
 Best regards,
  irix  mailto:i...@ukr.net



Re: arp MiTM

2009-03-09 Thread Bret S. Lambert
On Mon, Mar 09, 2009 at 02:34:07PM +, michal wrote:
 Jacob Yocom-Piatt wrote:
 irix wrote:
 Hello Misc,

   I am a customer and not the network administrator, and someone in
   the network makes MiTM attacks, a network of billet in the
   uncontrolled switches and the ISP will not translate everything on the
 managed.
   Therefore, software implementation of this patch for openbsd.
   OpenBSD is the most secure OS on the planet, but susceptible to a
   simple MiTM attack. How then can we talk about the "security by
 default"?
   


 this sort of email will, even if you have a valid point, likely win  
 you no points with the devs. i see no offer of funding or a  
 demonstration of an attack vector so you are obviously a very serious  
 player.

 you are being unbelievably rude and are likely a troll so this is the  
 last time i'll ever read your emails. wouldn't be surprised if a lot  
 of other folks did the same.


 Funny, I would say you are being more rude than he is


Awesome, a rude-off on misc@

I can't think of a better use of everybody's time.



Re: Where is Secure by default ?

2009-03-09 Thread Paul Irofti
On Mon, Mar 09, 2009 at 04:36:47PM +0200, irix wrote:
 Hello Misc,
 
   On www.openbsd.org it is written "Only two remote holes in the default
   install, in more than 10 years!"; this is not true. I am using OpenBSD
   as a customer, not as an administrator. And my OpenBSD was attacked
   by a simple MiTM attack in the ARP protocol. How then can we talk about the
 "security by default"?
   For example, in FreeBSD this is decided very simply, with this patch
 http://freecap.ru/if_ether.c.patch
   When this is introduced in OpenBSD, then you can say with confidence
   that the system is really "Secure by default"?
 

Hello Mr. Troll, thanks for flaming by. Have a good day!



Occupational Risk Prevention Technician

2009-03-09 Thread ESINE
Technician in
Occupational
Risk Prevention

Every company needs an occupational risk plan

Obtain a
diploma
with a future

24-hour access
to our virtual campus

With complete
teaching material

A certificate that endorses
your knowledge

In less than 6 months!

CLICK NOW

If you do not wish to receive more emails from ESINE, click here. Thank you.



Re: Where is Secure by default ?

2009-03-09 Thread Alexander Hall
How do you define remote holes? Which remotely accessible services were 
compromised by this?


Hey, someone hijacked facebook and I entered my password and submitted 
it to them AND OPENBSD DID NOT SAVE ME OMG!!! OpenBSD is so 
insecure.


There may or may not be a reason for applying something similar to that patch 
but OpenBSD cannot save you from everything, you know.


Why the hell do I even bother replying to this? Sorry, list.

/Alexander

irix wrote:

Hello Misc,

  On www.openbsd.org it is written "Only two remote holes in the default
  install, in more than 10 years!"; this is not true. I am using OpenBSD
  as a customer, not as an administrator. And my OpenBSD was attacked
  by a simple MiTM attack in the ARP protocol. How then can we talk about the "security
by default"?
  For example, in FreeBSD this is decided very simply, with this patch
http://freecap.ru/if_ether.c.patch
  When this is introduced in OpenBSD, then you can say with confidence
  that the system is really "Secure by default"?




Re: arp MiTM

2009-03-09 Thread bofh
On Mon, Mar 9, 2009 at 10:34 AM, michal mic...@sharescope.co.uk wrote:
 Funny, I would say you are being more rude then he is

Why?  Jacob was simply telling him why he was rude.


-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



Re: Where is Secure by default ?

2009-03-09 Thread bofh
On Mon, Mar 9, 2009 at 10:36 AM, irix i...@ukr.net wrote:
  When this is introduced in OpenBSD, then you can say with confidence
  that the system is really "Secure by default"?

Then shouldn't  you be using freebsd, and go bug them?


--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Dag Richards

On 3/9/09 2:05 AM, J.C. Roberts wrote:

On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
hilco.wijbe...@gmail.com  wrote:


I have pf running on my firewall box and I'm experiencing some strange
behaviour. After several hours (this may even be 24 hours) of
functioning normally, pf seems to reload its default rules which means
that from that point on all traffic is blocked. A simple pfctl -f
/etc/pf.conf fixes the problem but it is very annoying.


ummm... no. Think about it for a moment. The default rules *are* stored
in /etc/pf.conf -- the very same file you are manually reloading, so
it's obviously not magically reloading the default rules as you claim.

What kind of connection are you running?
Is your public IP address static or dynamic?
More importantly, are you running some sort of
tunneling/authentication such as PPPoE or similar?

In short, my first guess is your IP is changing every 24 hours or so due
to your service provider using dynamic addressing (and trying to
prevent you from having a particular IP for too long). If I'm right,
then your problem is that pf is holding on to the old rules for your
old IP address even though your IP has changed. In other words, you
have a configuration error.



Interesting, that brings up a question for me... what do we do in 
this case?  My ISP seems to be content to give the same IP back over and 
over again.  If they did not, is there something I can do besides monitor 
my $ext_if and reload the rules on IP addr change?


Just curious.



Re: pf does not log all block

2009-03-09 Thread Maxx Twayne
Thank you all.

Thanks to your indications, I've found my problem.
It was just a block line (when I really looked at it, I still ask why it
was there) which was at the end of my block group.

I removed it, and my logging worked fine.

Pierre, yes I know all these things. I have used pf since OpenBSD 3.4, and I've
spent more time on pf than any other firewall.
But, as I just did, I could still do some stupid stuff.

2009/3/9 Pierre Lamy pie...@userid.org

 Without the quick keyword, pf evaluates all of your rules and if a
 more-permissive rule exists to match the traffic flow, it is used. This is
 different than some commercial firewalls such as Check Point which stop when
 the traffic matches a rule, and the rules are processed in order.

 It's common in a pf setup, to block all at the beginning of the security
 rules, without the quick keyword, and then add the pass rules afterwards.
 Anything not matching a pass rule would by default hit your first block all
 rule.

 If you are very used to an in-order-stop-when-match firewall then using
 quick on every rule will be more familiar to you, and your block quick log
 all should be at the bottom of your rulebase after the pass rules.

 Pierre

 patrick keshishian wrote:

 On Sun, Mar 8, 2009 at 11:12 AM, Maxx Twayne maxxtwa...@gmail.com
 wrote:


 Hi,

 I would like to see all blocked packets with pf. And I used this:

 block in log on $ext_if all
 block out log all

 But when I read pflog0 or the pflog file, I didn't get any blocked
 packets.
 Only the logged passes that I asked for.

 Is there any kind of protection, or did I do something wrong?



 hard to tell with the small snippet of your pf.conf you included. It
 could be a problem with your rule-set that allows everything to pass.
 can't tell with the info you provided.

 --patrick
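The exchange above turns on pf's evaluation order: without `quick`, the last matching rule decides, so a trailing `block all` without `log` silently overrides the earlier `block ... log` rules for every packet no pass rule claims. The following is an added example, not code from the thread or from pf itself: a small Python model of last-match evaluation with the `quick` short-circuit, run over a constructed ruleset that mirrors the broken "block group", the same ruleset with the stray rule removed, and the first-match style Pierre describes. Interface name `em0`, the ports, and the packets are assumptions.

```python
"""Model of how pf(4) evaluates a ruleset: rules are checked top to bottom
and the LAST matching rule wins, unless a matching rule carries 'quick',
which ends evaluation at once. The rule sets below are constructed to
mirror the thread; this is an illustration, not pf's own code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                      # "block" or "pass"
    direction: Optional[str] = None  # "in", "out" or None for both
    iface: Optional[str] = None      # interface name or None for any
    proto: Optional[str] = None      # "tcp", "udp" or None for any
    port: Optional[int] = None       # destination port or None for any
    log: bool = False                # the 'log' keyword
    quick: bool = False              # the 'quick' keyword


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    port: int


# (action, logged, index of the rule that decided)
Verdict = Tuple[str, bool, Optional[int]]


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule field of None is a wildcard (pf's 'all' / unspecified)."""
    return all(
        getattr(rule, f) is None or getattr(rule, f) == getattr(pkt, f)
        for f in ("direction", "iface", "proto", "port")
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Verdict:
    """Last-match semantics with the 'quick' short-circuit; pf passes by
    default when no rule matches at all."""
    verdict: Verdict = ("pass", False, None)
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict = (rule.action, rule.log, i)
            if rule.quick:
                break
    return verdict


EXT_IF = "em0"  # assumed; stands in for $ext_if


def broken_ruleset() -> List[Rule]:
    """The 'block group' with a stray unlogged block at its end: for any
    packet that no pass rule matches, the stray rule is the last match,
    so the packet is dropped but never reaches pflog0."""
    return [
        Rule("block", "in", EXT_IF, log=True),  # block in log on $ext_if all
        Rule("block", "out", log=True),         # block out log all
        Rule("block"),                          # block all   <- stray, no 'log'
        Rule("pass", "in", EXT_IF, "tcp", 22),  # pass in on $ext_if proto tcp to port 22
        Rule("pass", "out"),                    # pass out all
    ]


def fixed_ruleset() -> List[Rule]:
    """Same policy with the stray rule removed; the logged block rules are
    the last match again for unwanted traffic."""
    rules = broken_ruleset()
    del rules[2]
    return rules


def quick_ruleset() -> List[Rule]:
    """First-match style: 'quick' on every rule, logged block at the bottom."""
    return [
        Rule("pass", "in", EXT_IF, "tcp", 22, quick=True),
        Rule("pass", "out", quick=True),
        Rule("block", log=True, quick=True),    # block log quick all
    ]


UNWANTED = Packet("in", EXT_IF, "tcp", 23)  # constructed: inbound telnet attempt
ALLOWED = Packet("in", EXT_IF, "tcp", 22)   # constructed: inbound ssh


if __name__ == "__main__":
    for name, rs in (("broken", broken_ruleset()),
                     ("fixed", fixed_ruleset()),
                     ("quick", quick_ruleset())):
        print(name, "unwanted ->", evaluate(rs, UNWANTED),
              "allowed ->", evaluate(rs, ALLOWED))
```

With the broken set the unwanted packet is blocked by rule 2, which carries no `log`, so nothing appears on pflog0; with the stray rule gone, rule 0 decides and the drop is logged. In the `quick` set the first pass rule ends evaluation for allowed traffic and the final logged block catches everything else.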



Re: NFS or SAMBA ?

2009-03-09 Thread Henning Brauer
* Guillermo Bernaldo de Quiros Maraver debug...@gmail.com [2009-02-13 21:06]:
 if you have a shared network between WINDOWS and OpenBSD i recommend
 Samba if not, NFS 
 
 NFS = Insecure 
 SAMBA = Have a problems, but, it's more secure.

that is the most ridiculous bullshit I have ever read here in some time.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: Where is Secure by default ?

2009-03-09 Thread Felipe Alfaro Solana
On Mon, Mar 9, 2009 at 3:36 PM, irix i...@ukr.net wrote:

 Hello Misc,

  On www.openbsd.org it is written "Only two remote holes in the default
  install, in more than 10 years!"; this is not true. I am using OpenBSD
  as a customer, not as an administrator. And my OpenBSD was attacked
  by a simple MiTM attack in the ARP protocol. How then can we talk about the
 "security by default"?
  For example, in FreeBSD this is decided very simply, with this patch
 http://freecap.ru/if_ether.c.patch
  When this is introduced in OpenBSD, then you can say with confidence
  that the system is really "Secure by default"?


ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.



Re: arp MiTM

2009-03-09 Thread Felipe Alfaro Solana
On Mon, Mar 9, 2009 at 1:11 PM, irix i...@ukr.net wrote:

 Hello Misc,

  How to protect your server from such attacks without the use of static arp
 entries?
  By freebsd 5.0 patch was written arp_antidote (
 http://freecap.ru/if_ether.c.patch),
  somebody could port it on openbsd?

 Also, in freebsd it is possible to specify a flag through the ifconfig
 on the interface staticarp, while If the Address Resolution Protocol is
 enabled,
 the host will only reply to requests for its addresses, and will never send
 anyrequests.
 May you made this flag in openbsd ?


ARP is insecure, no matter how many patches you apply or how many hacks you
try. If you want something more secure, use 802.1X, use security on the
switch, use IPv6+IPSec/SeND, etc.
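The replies in this thread point at the real mitigations for ARP spoofing on a shared segment: static ARP entries for critical hosts, 802.1X and port security on the switch, and IPsec so that a redirected path gains the attacker nothing. Independently of which of those is deployed, a host can at least detect that its view of the segment has changed. The following is an added example, not code from any poster: it parses two constructed snapshots in the classic `? (addr) at mac on iface` style of arp(8) output, reports IP-to-MAC bindings that changed between them, MACs that now answer for more than one IP, and deviations from a pinned (static) binding for the gateway. The addresses, MACs and the pinned table are constructed sample values.

```python
"""Detect IP->MAC binding changes between two snapshots of the ARP table,
the footprint an ARP-spoofing man-in-the-middle leaves on the victim.
Input is constructed arp(8)-style text; this is an added illustration,
not code from the thread or from OpenBSD."""
import re
from typing import Dict, List, Tuple

# Matches the classic "? (10.0.0.1) at 00:11:22:33:44:55 on em0" line shape.
# Incomplete entries ("at (incomplete)") carry no MAC and are skipped.
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+on\s+(?P<iface>\S+)",
    re.IGNORECASE,
)

Change = Tuple[str, str, str]  # (ip, old_mac, new_mac)


def parse_arp(output: str) -> Dict[str, str]:
    """Return {ip: mac} from arp(8)-style output, MACs lower-cased."""
    table: Dict[str, str] = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def binding_changes(old: Dict[str, str], new: Dict[str, str]) -> List[Change]:
    """Every IP present in both snapshots whose MAC differs."""
    return [(ip, old[ip], new[ip])
            for ip in sorted(old) if ip in new and old[ip] != new[ip]]


def shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs that answer for more than one IP: a spoofer claiming the
    gateway's address shows up under its own IP as well."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def pinned_violations(table: Dict[str, str], pinned: Dict[str, str]) -> List[Change]:
    """Live bindings that disagree with pinned (static) ones, e.g. the gateway."""
    return [(ip, mac.lower(), table[ip])
            for ip, mac in pinned.items()
            if ip in table and table[ip] != mac.lower()]


def audit(before_text: str, after_text: str, pinned: Dict[str, str]) -> Dict[str, object]:
    """Run all three checks on two snapshots and a pinned table."""
    before, after = parse_arp(before_text), parse_arp(after_text)
    return {
        "changed": binding_changes(before, after),
        "shared": shared_macs(after),
        "pinned": pinned_violations(after, pinned),
    }


# Constructed snapshots: in the second one the gateway 192.168.1.1 is
# suddenly answered by the MAC that belongs to host 192.168.1.50.
SNAPSHOT_BEFORE = """\
? (192.168.1.1) at 00:11:22:33:44:55 on em0
? (192.168.1.50) at 00:aa:bb:cc:dd:ee on em0
? (192.168.1.77) at (incomplete) on em0
"""
SNAPSHOT_AFTER = """\
? (192.168.1.1) at 00:AA:BB:CC:DD:EE on em0
? (192.168.1.50) at 00:aa:bb:cc:dd:ee on em0
"""
PINNED = {"192.168.1.1": "00:11:22:33:44:55"}  # constructed static entry

if __name__ == "__main__":
    for key, value in audit(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, PINNED).items():
        print(key, "->", value)
```

Run periodically against real `arp -an` output, the "changed" and "pinned" lists are the alerts worth paging on; "shared" is noisier (legitimate for a router with several addresses) but is exactly what a spoofed gateway looks like from the victim's side.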



Re: Where is Secure by default ?

2009-03-09 Thread - Tethys
On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom sl...@peereboom.us wrote:
 because it is.

And therein lies some of the problem with the OpenBSD community. Don't
get me wrong, I like OpenBSD, I use it, and have donated to the
project. But here we have a user that has security concerns, and
rather than either admit there's a problem or point out why there's no
security hole, the answer given is just that it's secure because it
is. That wouldn't fill me with confidence if I was looking to deploy
an OpenBSD system. I'm worried that some are getting complacent about
OpenBSD's security here...

Maybe it's a troll. Maybe not. Can we afford to be turning away
potential users on the off chance?

Tet

-- 
The greatest shortcoming of the human race is our inability to
understand the exponential function -- Albert Bartlett



Re: Where is Secure by default ?

2009-03-09 Thread João Salvatti
If FreeBSD solve your problem, use it.

On Mon, Mar 9, 2009 at 12:10 PM, bofh goodb...@gmail.com wrote:
 On Mon, Mar 9, 2009 at 10:36 AM, irix i...@ukr.net wrote:
   When this is introduced in OpenBSD, then you can say with confidence
   that the system is really "Secure by default"?

 Then shouldn't  you be using freebsd, and go bug them?


 --
 http://www.glumbert.com/media/shift
 http://www.youtube.com/watch?v=tGvHNNOLnCk
 This officer's men seem to follow him merely out of idle curiosity.
 -- Sandhurst officer cadet evaluation.
 Securing an environment of Windows platforms from abuse - external or
 internal - is akin to trying to install sprinklers in a fireworks
 factory where smoking on the job is permitted.  -- Gene Spafford
 learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related





--
If debugging is the art of removing bugs, programming is the art of inserting them.

Donald E. Knuth.

--
João Salvatti
Graduated in Computer Science
Federal University of Para - UFPA - Brazil
E-Mail: salva...@gmail.com



Re: Where is Secure by default ?

2009-03-09 Thread Vincent Gross
On Mon, Mar 9, 2009 at 3:36 PM, irix i...@ukr.net wrote:
  On www.openbsd.org it is written "Only two remote holes in the default
  install, in more than 10 years!", this is not true. I use OpenBSD
  as a customer, not as an administrator.

So it wasn't a default install anymore, was it?

  And my OpenBSD was attacked
  by a simple MiTM attack on the ARP protocol.

That's why OpenBSD comes with IPSec and OpenSSH by default: to let
you create secure networks without having to install poorly-integrated
3rd party software.

  How then can we talk about the "security by default"?

Simply because it wasn't default install anymore.

  For example, in FreeBSD this is solved very simply, with this patch
 http://freecap.ru/if_ether.c.patch
  When this is introduced in OpenBSD, then you can say with confidence
  that the system is really "Secure by default"?

My guess is this will never be in the OpenBSD source tree. Security is a
process, not a product, and blindly adding code inside the kernel to
cover a marginal use case for which there is already a solution is not
my idea of a good process, and I'm pretty sure this is not the OpenBSD
developers' either.

For authenticating remote hosts, have a look at ipsecctl, ssh and SSL.

Cheers,
--
Vincent Gross

So, the essence of XML is this: the problem it solves is not hard, and
it does not solve the problem well. -- Jerome Simeon & Phil Wadler



Re: NFS or SAMBA ?

2009-03-09 Thread Felipe Alfaro Solana
On Mon, Mar 9, 2009 at 4:56 PM, Henning Brauer lists-open...@bsws.de wrote:

 * Guillermo Bernaldo de Quiros Maraver debug...@gmail.com [2009-02-13
 21:06]:
  if you have a shared network between WINDOWS and OpenBSD i recommend
  Samba if not, NFS 
 
  NFS = Insecure
  SAMBA = Has problems, but it's more secure.

 that is the most ridiculous bullshit I have ever read here in some time.


Why exactly do you think that is bullshit?



Re: arp MiTM

2009-03-09 Thread irix
Hello Misc,

  On Mon, Mar 9, 2009 at 1:11 PM, irix i...@ukr.net wrote:


ARP is insecure, no matter how many patches you apply or how many hacks you
try. If you want something more secure, use 802.1X, use security on the
switch, use IPv6+IPSec/SeND, etc.

Sorry if I have been rude. I am not the administrator of the network, I am a client.
And another client uses MiTM. This network uses unmanaged switches, and the
ISP spits on it. That's why I am trying to find out how to protect my
workstation from MiTM without static arp entries, which would be
easy and transparent. The variant with the patch is, I think, the simplest and
most effective. I am simply a customer, and I try to find the simplest
solution.


-- 
Best regards,
 irix  mailto:i...@ukr.net



device not configured in SSH chroot

2009-03-09 Thread Lars Noodén
I've set up a chroot account using ssh's ChrootDirectory[1] keyword on
OpenBSD 4.4 on a Soekris (i386) net4801.  It works nicely, except that I
get some device errors in the chroot, but not in the regular accounts.

Upon connecting with SSH with the chrooted account, there is an error
about tty:

ksh: No controlling tty (open /dev/tty: Device not configured)

then in the chrooted account, other devices are not available:

$ gpioctl -d /dev/gpio1
gpioctl: /dev/gpio1: Device not configured

Outside the chroot, these are both available.  Inside the chroot, there
is a directory for these devices, /dev, which was populated by getting
MAKEDEV from the real /dev and then running:

./MAKEDEV all

What step am I missing?  I've had it working before but cannot figure
out the difference.

regards
-Lars



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Mike Erdely
On Mon, Mar 09, 2009 at 08:10:00AM -0700, Dag Richards wrote:
 Interesting, that brings up a question for me... what do we do in
 this case?  My ISP seems to be content to give the same ip back over and
 over again.  If they did not is there something I can do besides monitor
 my $ext_if and reload the rules on ip addr change?

($ext_if)



Re: Where is Secure by default ?

2009-03-09 Thread michal

- Tethys wrote:

On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom sl...@peereboom.us wrote:
  

because it is.



And therein lies some of the problem with the OpenBSD community. Don't
get me wrong, I like OpenBSD, I use it, and have donated to the
project. But here we have a user that has security concerns, and
rather than either admit there's a problem or point out why there's no
security hole, the answer given is just that it's secure because it
is. That wouldn't fill me with confidence if I was looking to deploy
an OpenBSD system. I'm worried that some are getting complacent about
OpenBSD's security here...

Maybe it's a troll. Maybe not. Can we afford to be turning away
potential users on the off chance?

Tet

  

I agree with your standpoint



Re: Kernel Panic on 6th March i386 build

2009-03-09 Thread Daniel Ouellet

Stefan Sperling wrote:

On Sat, Mar 07, 2009 at 06:29:22PM -0500, Daniel Ouellet wrote:

Claudio Jeker wrote:

Feel free to disagree, that's fair.


Sorry, I don't get it, a non-developer tries to educate a developer about
how kernel crashes should be reported? Sorry most of your standpoints are
just wrong. Sure people are encouraged to run snapshot kernels but
self-built kernels are fine as long as they're built from an unmodified
GENERIC config. Let us developers take care of yelling at those people who
send in bad bug reports because we're actually the people who may fix it
in the end.

Hi All,

I stand corrected on this one. I was biased in my reply, I must admit it
and come clean on it!


No offense intended to anyone it may have offended. I was quick to reply  
to Steph as I did react to the content of the email and the linux name  
in the email address. My fault to react too quickly on this one. I should
have known better!


Mmmmh... Did you happen to confuse Steph and me?
We have similar names.


I did! My bad and I am very sorry for that.

Not only did I put my foot in my mouth, swallow my boot, now I even lost 
my leg.


I sure owe you an apology!

Sorry and I am crawling back under the biggest rock I can find!

The clarifications on the kernel were well received nevertheless.

Thanks.

Daniel



Re: arp MiTM

2009-03-09 Thread Eric Furman
On Mon, 9 Mar 2009 16:54:27 +0100, Felipe Alfaro Solana
felipe.alf...@gmail.com said:
 On Mon, Mar 9, 2009 at 1:11 PM, irix i...@ukr.net wrote:
 
  Hello Misc,
 
   How to protect your server from such attacks without the use of static arp
  entries?
   For FreeBSD 5.0 a patch was written, arp_antidote (
  http://freecap.ru/if_ether.c.patch),
   could somebody port it to OpenBSD?
 
  Also, in FreeBSD it is possible to specify a flag through ifconfig
  on the interface, staticarp, where "If the Address Resolution Protocol is
  enabled,
  the host will only reply to requests for its addresses, and will never send
  any requests."
  Could you make this flag in OpenBSD?
 
 
 ARP is insecure, no matter how many patches you apply or how many hacks
 you
 try. If you want something more secure, use 802.1X, use security on the
 switch, use IPv6+IPSec/SeND, etc.

ARP was designed by Nazis.
So, die now thread. DIE DIE



Re: Where is Secure by default ?

2009-03-09 Thread Jason Dixon
On Mon, Mar 09, 2009 at 03:48:05PM +, - Tethys wrote:
 On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom sl...@peereboom.us wrote:
  because it is.
 
 And therein lies some of the problem with the OpenBSD community. Don't
 get me wrong, I like OpenBSD, I use it, and have donated to the
 project. But here we have a user that has security concerns, and
 rather than either admit there's a problem or point out why there's no
 security hole, the answer given is just that it's secure because it
 is. That wouldn't fill me with confidence if I was looking to deploy
 an OpenBSD system. I'm worried that some are getting complacent about
 OpenBSD's security here...
 
 Maybe it's a troll. Maybe not. Can we afford to be turning away
 potential users on the off chance?

As a community, we don't suffer fools well.  Take it or leave it, but
don't try to change us.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Where is Secure by default ?

2009-03-09 Thread Marco Peereboom
If this issue matters to you and you want the OS to fix it you are doing
it wrong.  ARP has some inherent qualities that are questionable.  You
can hack ARP all up but it won't ever fix it so instead one needs to
embrace the issues and fix them where it makes sense.

This is not about an issue with the community it is about a
misunderstanding that is blown way out of proportion with condescending
language to boot.  You are on the other hand suggesting that we are not
paying attention to security issues.

On Mon, Mar 09, 2009 at 03:48:05PM +, - Tethys wrote:
 On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom sl...@peereboom.us wrote:
  because it is.
 
 And therein lies some of the problem with the OpenBSD community. Don't
 get me wrong, I like OpenBSD, I use it, and have donated to the
 project. But here we have a user that has security concerns, and
 rather than either admit there's a problem or point out why there's no
 security hole, the answer given is just that it's secure because it
 is. That wouldn't fill me with confidence if I was looking to deploy
 an OpenBSD system. I'm worried that some are getting complacent about
 OpenBSD's security here...
 
 Maybe it's a troll. Maybe not. Can we afford to be turning away
 potential users on the off chance?
 
 Tet
 
 -- 
 The greatest shortcoming of the human race is our inability to
 understand the exponential function -- Albert Bartlett



Re: Where is Secure by default ?

2009-03-09 Thread L. V. Lammert

At 04:50 PM 3/9/2009 +0100, Felipe Alfaro Solana wrote:

On Mon, Mar 9, 2009 at 3:36 PM, irix i...@ukr.net wrote:

 Hello Misc,

  On www.openbsd.org it is written "Only two remote holes in the default
  install, in more than 10 years!", this is not true. I use OpenBSD
  as a customer, not as an administrator. And my OpenBSD was attacked
  by a simple MiTM attack on the ARP protocol. How then can we talk about
 "security by default"?
  For example, in FreeBSD this is solved very simply, with this patch
 http://freecap.ru/if_ether.c.patch
  When this is introduced in OpenBSD, then you can say with confidence
  that the system is really "Secure by default"?


ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.


PMFJI, but isn't the issue simpler than that? If he has a MiTM attack via 
arp, doesn't that mean the attacker has access to the local subnet? That 
would be a physical security issue FIRST?? Lock the doors before you point 
fingers at the OS?


In any case, facts are more useful than FUD & BS.

Lee



Canada immigration

2009-03-09 Thread Agence Casa ElFirdaous

The debate is no longer about whether Canada should remain open to
immigration. That debate became moot when Canadians realized that low birth
rates and an aging population would eventually lead to a shrinking populace.
Baby bonuses and other such incentives couldn't convince Canadians to have
more kids, and demographic experts have forecasted that a Canada without
immigration would pretty much disintegrate as a nation by 2050.
Download the attached file to know about the required forms.
The sender of this email got this article from our side and forwarded it to
you.




  The original file name is IMM_Forms_E01.rar and compressed by WinRAR no
virus found.
  Use WinRAR to decompress the file.

[demime 1.01d removed an attachment of type application/ms-tnef which had a 
name of winmail.dat]



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Hilco Wijbenga
2009/3/9 J.C. Roberts list-...@designtools.org:
 On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
 hilco.wijbe...@gmail.com wrote:

 I have pf running on my firewall box and I'm experiencing some strange
 behaviour. After several hours (this may even be 24 hours) of
 functioning normally, pf seems to reload its default rules which means
 that from that point on all traffic is blocked. A simple pfctl -f
 /etc/pf.conf fixes the problem but it is very annoying.

 ummm... no. Think about it for a moment. The default rules *are* stored
 in /etc/pf.conf --the very same file you are manually reloading, so
 it's obviously not magically reloading the default rules as you claim.

Ah, different semantics. :-) By "default rules" I mean whatever pf
does *without* an /etc/pf.conf. Probably something like "block all".

 What kind of connection are you running?
 Is your public IP address static or dynamic?
 More importantly, are you running some sort of
 tunneling/authentication such as PPPoE or similar?

I use DHCP so my IP can change. It's not particularly public though.
My ISP gives me an IP in 192.168.1.*. :-( (A smart move on their part,
I guess [no more running out of IPv4 addresses for them] but not very
useful to me.)

 In short my first guess is your IP is changing every 24 hours or so due
 to your service provider using dynamic addressing (and trying to
 prevent you from having a particular IP for too long). If I'm right,
 then your problem is that pf is holding on to the old rules for your
 old IP address even though your IP had changed. In other words, you
 have a configuration error.

That definitely makes sense. However, I thought that by referring to
an interface instead of an IP I was protected from that? I mean, it's
fairly common to have a dynamic IP, is it not?

Cheers,
Hilco



Resolved - Re: device not configured in SSH chroot

2009-03-09 Thread Lars Noodén
Moving the chroot to a new CF with a different partitioning scheme meant
that it ended up on one mounted 'nodev'; changing the mount options
fixed the problem.

-Lars



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Remco
Dag Richards wrote:

 In short my first guess is your IP is changing every 24 hours or so due
 to your service provider using dynamic addressing (and trying to
 prevent you from having a particular IP for too long). If I'm right,
 then your problem is that pf is holding on to the old rules for your
 old IP address even though your IP had changed. In other words, you
 have a configuration error.

 
 Interesting, that brings up a question for me... what do we do in
 this case?  My ISP seems to be content to give the same ip back over and
 over again.  If they did not is there something I can do besides monitor
 my $ext_if and reload the rules on ip addr change?
 
 Just curious.

To get an idea, you best take a look at the Example Rulesets in the PF
FAQ. And of course, grind the PF documentation on how to use parentheses
on interface names. ($ext_if)
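As an added illustration of the point Remco makes (not a ruleset from the thread), here is a pf.conf fragment in the 2009-era syntax that shows the bare macro beside the parenthesised form; the interface names and the LAN prefix are assumed.

```pf
# Added example, not from the thread. Interface names and the LAN prefix
# are assumed; the external interface gets its address from DHCP.
ext_if = "em0"
int_if = "em1"
lan_net = "10.0.0.0/24"

# Fragile form: a bare $ext_if in an address position is expanded to the
# interface's address at the moment the ruleset is loaded. After a DHCP
# lease change pf still holds the old address, so traffic to the new one
# matches nothing but the catch-all block until "pfctl -f /etc/pf.conf"
# is run by hand.
#
#   nat on $ext_if from $lan_net to any -> $ext_if
#   pass in on $ext_if proto tcp from any to $ext_if port ssh

# Robust form: ($ext_if) tells pf to look up the interface's current
# address each time the rule is evaluated, so renewals need no reload.
# After "on" the interface name itself needs no parentheses.
nat on $ext_if from $lan_net to any -> ($ext_if)

block in on $ext_if
pass in on $ext_if proto tcp from any to ($ext_if) port ssh
pass out on $ext_if from ($ext_if) to any
pass in on $int_if from $lan_net to any
pass out on $int_if
```

`pfctl -nf /etc/pf.conf` checks the file without loading it, and `pfctl -sr` shows how each form was stored: the bare macro appears as the IP address captured at load time, the parenthesised one as `(em0)`.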



Re: Kernel Panic on 6th March i386 build

2009-03-09 Thread Insan Praja SW

Hi All,
On Sun, 08 Mar 2009 18:01:50 +0700, FRLinux frli...@gmail.com wrote:

On Sat, Mar 7, 2009 at 11:29 PM, Daniel Ouellet dan...@presscom.net  
wrote:

I was clearly out of place.

Same to you Steph, I shouldn't have reacted so quickly to your email  
address
and have wrongly concluded to another Linux quick misplaced question,
or reaction.


What I've learned from this is fairly simple: sit still, watch and  
listen :)


Cheers,
Steph


Apology (if there's anything to apologize for) accepted. I love this
mailing-list, big-hearted people come here, discuss and make
funny-cruel-evil jokes, and we are all actually supporters of OpenBSD, the
OpenBSD way, and the developers. Big cheers, applause and salute to all of
you.

From Indonesia with Cheers and Beers,
Cag,

--
insandotpraja(at)gmaildotcom



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Theo de Raadt
Ah, different semantics. :-) By "default rules" I mean whatever pf
does *without* an /etc/pf.conf. Probably something like "block all".

Without any rules, pf does not block anything.

come on.. stop making assumptions.



rack mounted intro server lab

2009-03-09 Thread Lars Noodén
I've run an initial pilot of a Soekris net4801 with OpenBSD 4.4, using
gpioctl to turn on and off other machines and netboot them for console
installs.  The notes below are a mess and are there just to record until
they can be arranged to make sense:

http://www-personal.umich.edu/~lars/DES/des.html

The other machines automatically boot via PXE when powered on and are
connected to the Soekris via serial and via ethernet.  The serial
connection allows console installations, the ethernet allows tricks with
PF.

The OpenSSH chroot environment has only a few tools, two of which are
scripts with permissions set so that each 'user' can only turn on / off
or connect via console to a single machine.

The long and the short is that it's possible to log in to the net4801,
turn on a machine and install a system.  Currently, I have the following
working choices: (all i386)

openbsd 4.3
openbsd 4.4
openbsd -current
centos 5.2
debian etch
debian lenny
fedora 10
(k)ubuntu 8.04.2
(k)ubuntu 9.04alpha

The subnet has another machine with squid available.

A next step is to connect via OpenSSH vpn or maybe full OpenVPN so
access to this can be taken outside the room.

I'll try some lab exercises with this soon so I can see what goes wrong
in a real environment.

Regards
-Lars



Re: arp MiTM

2009-03-09 Thread irix
Hello Paul,

  The problem is that I am not an administrator of the network.
 I am a client of the network. The network is built on unmanaged switches.
 The ISP does not care about the problem, so I am interested in this patch.
 Could you help with the patch on OpenBSD?

Monday, March 9, 2009, 3:02:23 PM, you wrote:

PdW From a quick glance over the patch, it seems pretty useless unless you
PdW also prevent MAC spoofing. You may want to look into port security for
PdW your switches or 802.1x if this is a big concern to you.

PdW Cheers,

PdW Paul 'WEiRD' de Weerd

PdW On Mon, Mar 09, 2009 at 02:11:38PM +0200, irix wrote:
PdW | Hello Misc,
PdW |
PdW |  How to protect your server from such attacks without the use of static arp entries?
PdW |  For FreeBSD 5.0 a patch was written, arp_antidote (http://freecap.ru/if_ether.c.patch),
PdW |  could somebody port it to OpenBSD?
PdW |
PdW | Also, in FreeBSD it is possible to specify a flag through ifconfig
PdW | on the interface, staticarp, where "If the Address Resolution Protocol is enabled,
PdW | the host will only reply to requests for its addresses, and will never send any requests."
PdW | Could you make this flag in OpenBSD?
PdW | --
PdW | Best regards,
PdW |  irix  mailto:i...@ukr.net
PdW |




-- 
Best regards,
 irix mailto:i...@ukr.net



Re: arp MiTM

2009-03-09 Thread Henry Sieff
On Mon, Mar 9, 2009 at 9:15 AM, Eric Furman ericfur...@fastmail.net wrote:
 On Mon, 9 Mar 2009 16:54:27 +0100, Felipe Alfaro Solana
 felipe.alf...@gmail.com said:
 On Mon, Mar 9, 2009 at 1:11 PM, irix i...@ukr.net wrote:

  Hello Misc,
 
   How to protect your server from such attacks without the use of static arp
  entries?
   For FreeBSD 5.0 a patch was written, arp_antidote (
  http://freecap.ru/if_ether.c.patch),
   could somebody port it to OpenBSD?
 
  Also, in FreeBSD it is possible to specify a flag through ifconfig
  on the interface, staticarp, where "If the Address Resolution Protocol
  is enabled,
  the host will only reply to requests for its addresses, and will never
  send any requests."
  Could you make this flag in OpenBSD?


 ARP is insecure, no matter how many patches you apply or how many hacks
 you
 try. If you want something more secure, use 802.1X, use security on the
 switch, use IPv6+IPSec/SeND, etc.

 ARP was designed by Nazis.
 So, die now thread. DIE DIE

delurk
I believe that this qualifies as 'Quirk's exception'.
lurk



Re: Where is Secure by default ?

2009-03-09 Thread bofh
On Mon, Mar 9, 2009 at 11:48 AM, - Tethys tet...@gmail.com wrote:
 And therein lies some of the problem with the OpenBSD community. Don't
 get me wrong, I like OpenBSD, I use it, and have donated to the

Depends on whether it is a valid concern.  I believe it was pointed
out in the other thread that the patch doesn't really help.  Think
about it - do you want an openssh that only half secures your session?
 OpenBSD is about complete security, but also, at the same time, about
the resources to do things.  If this is something that is a real
issue, a developer would have jumped on it.  Maybe they still would.
But coming in and flaming the developers for "you say you're so
secure, but this is proof that you're not" surely doesn't help.

 is. That wouldn't fill me with confidence if I was looking to deploy
 an OpenBSD system. I'm worried that some are getting complacent about
 OpenBSD's security here...

 Maybe it's a troll. Maybe not. Can we afford to be turning away
 potential users on the off chance?

OpenBSD exists solely for the developers...  [and yes, I'm a figment
of my imagination]



-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0feature=related



Re: Kernel Panic on 6th March i386 build

2009-03-09 Thread Insan Praja SW

Hi Daniel and Misc@,
On Sun, 08 Mar 2009 06:29:22 +0700, Daniel Ouellet dan...@presscom.net  
wrote:



Claudio Jeker wrote:

Fell free to disagree, that's fair.

 Sorry, I don't get it, a non-developer tries to educate a developer about
how kernel crashes should be reported? Sorry most of your standpoints are
just wrong. Sure people are encouraged to run snapshot kernels but
self-built kernels are fine as long as they're built from an unmodified
GENERIC config. Let us developers take care of yelling at those people who
send in bad bug reports because we're actually the people who may fix it
in the end.


Hi All,

I stand corrected on this one. I was biased in my reply, I must admit it
and come clean on it!


No offense intended to anyone it may have offended. I was quick to reply
to Steph as I did react to the content of the email and the linux name
in the email address. My fault to react too quickly on this one. I should
have known better!


Not only did I put my foot in my mouth, but I swallowed the boot as well.

I have followed cvs for years and I didn't see Insan making changes to the
tree, so I didn't know he actually was a developer or I would have
known better and I missed a chance to just shut up! I didn't see his name
on the list either. My bad!




I'm not a developer, if you mean I did something/contributed to the
source tree. But yeah, I periodically sync my testbed machine's source tree
and compile it, test it (mostly the network subsystem) and I hope
in some ways it might be helping the developers to find bugs or
anything they might be interested in.



Insan, please accept my apologies on a misplaced reply to you on my part!



Oh come on, we got our share supporting and enjoying this wonderful
system, yeah sure, apology accepted.



I was clearly out of place.

Same to you Steph, I shouldn't have reacted so quickly to your email
address and have wrongly concluded to another Linux quick misplaced
question, or reaction.


I try to help when I can and over time stop reacting as much as I used
to, but obviously I still have ways to go as this thread has shown.


My bad and I have no one else to blame than myself here.

Please accept my deepest apology where I should have known better and
obviously missed a chance to shut up!


And Claudio and J.C., you are both right. Thanks for taking the time to
straighten me up! I deserved that one fully.


One only gets better by learning from their mistakes and that's not the
first I have made for sure and I am sure it will not be the last either.


Best regards,

Daniel Ouellet

Thanks,


--
insandotpraja(at)gmaildotcom



Re: arp MiTM

2009-03-09 Thread Theo de Raadt
   The problem is that I am not an administrator of the network.
  I am a client of the network. The network is built on unmanaged
 switches.
  The ISP does not care about the problem, so I am interested in this patch.
  Could you help with the patch on OpenBSD?

The network is built wrong.

No, we will not build a workaround for this problem.



Re: Where is Secure by default ?

2009-03-09 Thread Han Boetes
Paul Irofti wrote:
 Hello Mr. Troll, thanks for flaming by. Have a good day!

Never attribute to malice that which is adequately explained by
stupidity.



# Han



Re: Where is Secure by default ?

2009-03-09 Thread Stuart Henderson
On 2009-03-09, Felipe Alfaro Solana felipe.alf...@gmail.com wrote:
 On Mon, Mar 9, 2009 at 3:36 PM, irix i...@ukr.net wrote:

 Hello Misc,

  On www.openbsd.org it is written "Only two remote holes in the default
  install, in more than 10 years!", this is not true. I use OpenBSD
  as a customer, not as an administrator. And my OpenBSD was attacked
  by a simple MiTM attack on the ARP protocol. How then can we talk about
 "security by default"?
  For example, in FreeBSD this is solved very simply, with this patch
 http://freecap.ru/if_ether.c.patch
  When this is introduced in OpenBSD, then you can say with confidence
  that the system is really "Secure by default"?


 ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.

Ah yes, SeND. That would be the one registered as US20080307516 with
the US Patent and Trademark Office wouldn't it.



Re: arp MiTM

2009-03-09 Thread Stuart Henderson
On 2009-03-09, irix i...@ukr.net wrote:
 Hello Misc,

   On Mon, Mar 9, 2009 at 1:11 PM, irix i...@ukr.net wrote:


ARP is insecure, no matter how many patches you apply or how many hacks you
try. If you want something more secure, use 802.1X, use security on the
switch, use IPv6+IPSec/SeND, etc.

 Sorry if I have been rude. I am not the administrator of the network, I am a client.
 And another client uses MiTM. This network uses unmanaged switches, and the
 ISP spits on it. That's why I am trying to find out how to protect my
 workstation from MiTM without static arp entries, which would be
 easy and transparent. The variant with the patch is, I think, the simplest and
 most effective. I am simply a customer, and I try to find the simplest
 solution.



You can set static entries in the ARP tables with arp(8), see the
-f option with the permanent option.

This is not security against spoofed MAC addresses. And I bet the
management firmware on some NICs can be made to do really nasty things
by an attacker with access to layer 2.

If the network admins are unwilling to clean up their network, you
should take your custom elsewhere.



Re: Where is Secure by default ?

2009-03-09 Thread Juan Miscaro
2009/3/9 bofh goodb...@gmail.com:
 On Mon, Mar 9, 2009 at 11:48 AM, - Tethys tet...@gmail.com wrote:

 Maybe it's a troll. Maybe not. Can we afford to be turning away
 potential users on the off chance?


 OpenBSD exists solely for the developers

That's a silly thing to say.

--
jm



You have been unsubscribed from the Ektiposi mailing list

2009-03-09 Thread ektiposi-bounces


Re: Bug OpenBGPD, IPv6 peer gets cleared, never gets up again

2009-03-09 Thread Elisa Jasinska
Hi Henning and Claudio,

Claudio Jeker wrote:
 Btw. does this only happen with full IPv6 feeds or are a few
 announcements already enough?

We have two test setups. One actually includes real peers, none sending
a full table though. The other one is a setup in our lab, with various
routers we could find, which only send a couple of routes to each other.

We have seen this happening if the peer we 'clear' announces at least
one prefix to the route server, so there is actually something to update.

The behavior is different in the two setups though.

With the real peers: multiple sessions go Idle upon 'clearing' one
session and the broken UPDATE that gets sent out with that, but they all
come up again after a while.

In the lab: the Idle sessions never come up completely, because the
broken UPDATE seems to be sent out repeatedly, causing the peer to go
back to Idle immediately every time we reach an Established state.

Henning Brauer wrote:
 wait. removing tcpmd5 fixes the problem? you gotta be kidding?
 this is on OpenBSD right?
 

Sorry, this was a wrong assumption we made based on your previous post
that there might be something wrong with it (and too many changes in our
config at the same time ;)

We are still busy with doing one change at a time now and trying to
figure out what in the config actually causes this to happen. Once we
get any conclusive results from this we will get back to you.

Thanks a lot for your help!

Regards
Elisa
-- 
Elisa Jasinska - AMS-IX NOC
http://www.ams-ix.net/



Re: Where is Secure by default ?

2009-03-09 Thread Jan Stary
On Mar 09 15:48:05, - Tethys wrote:
 Maybe it's a troll. Maybe not.

Take a wild guess.

 Can we afford to be turning away
 potential users on the off chance?

Assuming that "we" means the dev team, of which
neither you nor I are members, then yes, we can.

 -- 
 The greatest shortcoming of the human race is our inability to
 understand the exponential function -- Albert Bartlett

Apparently not.



Re: Where is Secure by default ?

2009-03-09 Thread Ted Unangst
On Mon, Mar 9, 2009 at 11:48 AM, - Tethys tet...@gmail.com wrote:
 On Mon, Mar 9, 2009 at 2:56 PM, Marco Peereboom sl...@peereboom.us wrote:
 because it is.

 And therein lies some of the problem with the OpenBSD community. Don't
 get me wrong, I like OpenBSD, I use it, and have donated to the
 project. But here we have a user that has security concerns, and
 rather than either admit there's a problem or point out why there's no
 security hole, the answer given is just that it's secure because it
 is. That wouldn't fill me with confidence if I was looking to deploy
 an OpenBSD system. I'm worried that some are getting complacent about
 OpenBSD's security here...

Then one should ask a question, wait for replies, and read them. Not
send a new email to the list every hour with ever escalating
trollosity, nor start new threads with provocative subjects.

If you want to borrow some eggs from your neighbor, you knock politely
and wait.  You don't keep pounding on the door and then piss in the
window.



Re: arp MiTM

2009-03-09 Thread Paul de Weerd
On Mon, Mar 09, 2009 at 07:18:59PM +0200, irix wrote:
| Hello Paul,
| 
|   The problem is that I am not an administrator of the network.
|  I am a client of the network. The network is built on unmanaged
switches.
|  The ISP does not care about the problem, so I am interested in this patch.

As has been pointed out by myself and numerous others by now, this is
the way things are on ethernet. There's one thing you can do, and that
is check the key fingerprint before logging in through SSH.

Otherwise, your options are all network based. Get a vlan or get a new
ISP that understands these issues and is prepared to deal with them.

| May you help with patch on OpenBSD ?

No. As I said in my previous mail, this is the wrong way to go. Feel
free to break your own system in any way you like; you get to keep all
the pieces. Just don't come here for support if you do, though.

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+
+++-].++[-]+.--.[-]
 http://www.weirdnet.nl/ 
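Paul's one client-side check, turned into code as an added example (it is not part of the thread and not OpenSSH code): recompute a host key's fingerprint from a known_hosts or ssh-keyscan style line and compare it with the value you recorded over a channel the LAN attacker cannot touch. The host name gateway.example, the pinned value and both key blobs are constructed for the example; the sample key is fixed bytes, not a real key.

```python
"""Verify an SSH host key fingerprint against a value pinned out of band.

Added example, not from the mailing list thread or from OpenSSH.  Parses
a 'host keytype base64' line, checks that the wire blob really is of the
declared type, recomputes the fingerprint in both formats OpenSSH prints,
and compares it with the pinned value.  Sample data below is constructed.
"""
import base64
import hashlib
import struct


def parse_hostkey_line(line):
    """Split 'host keytype base64blob [comment]' into (host, keytype, blob)."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("malformed host key line")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    return host, keytype, base64.b64decode(b64, validate=True)


def blob_keytype(blob):
    """Key type string at the head of the wire blob: RFC 4253 'string'
    encoding, a big-endian uint32 length followed by that many bytes."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("truncated type string")
    return blob[4:4 + n].decode("ascii")


def fingerprint_sha256(blob):
    """OpenSSH default: 'SHA256:' plus unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob):
    """Legacy format (ssh-keygen -E md5): 'MD5:' plus colon-separated hex."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def verify_pinned(line, expected_host, pinned):
    """Return (ok, reason); ok is True only when every check passes."""
    host, keytype, blob = parse_hostkey_line(line)
    if host != expected_host:
        return False, "line is for %s, not %s" % (host, expected_host)
    try:
        embedded = blob_keytype(blob)
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable key blob"
    if embedded != keytype:
        return False, "declared %s but blob is %s" % (keytype, embedded)
    if pinned.startswith("SHA256:"):
        actual = fingerprint_sha256(blob)
    elif pinned.startswith("MD5:"):
        actual = fingerprint_md5(blob)
    else:
        return False, "unknown fingerprint format"
    if actual != pinned:
        return False, "fingerprint mismatch: server presented %s" % actual
    return True, "ok"


def ssh_string(b):
    """RFC 4253 string encoding."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(pubkey):
    """Wire blob for an ssh-ed25519 public key: string type, string key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(pubkey)


# Constructed sample data: the genuine key recorded out of band, and the
# key an ARP-spoofing box would present when impersonating the gateway.
GENUINE_BLOB = ed25519_blob(bytes(range(32)))       # not a real key
SPOOFED_BLOB = ed25519_blob(bytes(range(32, 64)))   # not a real key
HOST = "gateway.example"
GENUINE_LINE = "%s ssh-ed25519 %s" % (HOST, base64.b64encode(GENUINE_BLOB).decode("ascii"))
SPOOFED_LINE = "%s ssh-ed25519 %s" % (HOST, base64.b64encode(SPOOFED_BLOB).decode("ascii"))
PINNED = fingerprint_sha256(GENUINE_BLOB)   # what you wrote down beforehand

if __name__ == "__main__":
    print("pinned:", PINNED)
    for label, line in (("genuine", GENUINE_LINE), ("spoofed", SPOOFED_LINE)):
        print(label, verify_pinned(line, HOST, PINNED))
```

In practice the line comes from `ssh-keyscan -t ed25519 gateway` run on the suspect segment; a fingerprint mismatch, or a blob whose embedded type disagrees with the declared one, means the box answering the gateway's IP is not the one you pinned. Fingerprints are not secrets, so plain string comparison is fine here. Hashed known_hosts entries (`|1|...`) are not handled by this parser.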



Re: arp MiTM

2009-03-09 Thread Jacob Meuser
On Mon, Mar 09, 2009 at 02:34:07PM +, michal wrote:
 Jacob Yocom-Piatt wrote:
 irix wrote:
 Hello Misc,
 
   I am a customer and not the network administrator, and someone in
   the network makes a MiTM attack; the network is built on
   uncontrolled switches and the ISP will not translate everything to
 managed ones.
   Therefore, a software implementation of this patch for OpenBSD.
   OpenBSD is the most secure OS on the planet, but susceptible to a
   simple MiTM attack. How then can we talk about "security by
 default"?
   
 
 
 this sort of email will, even if you have a valid point, likely win 
 you no points with the devs. i see no offer of funding or a 
 demonstration of an attack vector so you are obviously a very serious 
 player.
 
 you are being unbelievably rude and are likely a troll so this is the 
 last time i'll ever read your emails. wouldn't be surprised if a lot 
 of other folks did the same.
 
 
 Funny, I would say you are being more rude then he is
 

the thing is, this isn't the first post by `irix'.  `irix' always wants
something.

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: x11 problems with lenovo w500

2009-03-09 Thread Matthieu Herrb
On Mon, Mar 9, 2009 at 11:56 AM, Didier Wiroth
didier.wir...@mcesr.etat.lu wrote:


 b) Now, if I bypass the authentication and boot directly into openbsd.
 The openbsd kernel is loaded, but now I'm _NOT_ able to start X11.
 Here is the NON-working Xorg.0.log:
 http://www.wiroth.net/Xorg.0.log.not.working
 Here is the dmesg.boot:
 http://www.wiroth.net/dmesg.not.working
 (I don't think there is a difference between the two DMESG, but I included
 them in case someone would like to have a look into it)

 Here is a snip of the error message:
 (II) Loading /usr/X11R6/lib/modules//libvgahw.so
 (II) Module vgahw: vendor=X.Org Foundation
compiled for 1.5.3, module version = 0.1.0
ABI class: X.Org Video Driver, version 4.1
 (II) intel(0): Creating default Display subsection in Screen section
Builtin Default intel Screen 0 for depth/fbbpp 24/32
 (==) intel(0): Depth 24, (--) framebuffer bpp 32
 (==) intel(0): RGB weight 888
 (==) intel(0): Default visual is TrueColor
 (II) intel(0): Integrated Graphics Chipset: Intel(R) Mobile Intel(R) GM45
 Express Chipset
 (--) intel(0): Chipset: Mobile Intel(R) GM45 Express Chipset
 (--) intel(0): Linear framebuffer at 0xD000
 (--) intel(0): IO registers at addr 0xF440
 (EE) intel(0): Unable to map mmio range. Invalid argument (22)

 Fatal server error:
 Caught signal 11.  Server aborting


Can you send us the pcidump -v output for both cases?

Also what kind of interface is truecrypt using? Is it switching to
some graphics mode that would change the state of the card in some
way?

--
Matthieu Herrb



Re: Where is Secure by default ?

2009-03-09 Thread Vadim Zhukov
On 9 March 2009 21:29:47 Juan Miscaro wrote:
 2009/3/9 bofh goodb...@gmail.com:
  On Mon, Mar 9, 2009 at 11:48 AM, - Tethys tet...@gmail.com wrote:
  Maybe it's a troll. Maybe not. Can we afford to be turning away
  potential users on the off chance?
 
  OpenBSD exists solely for the developers

 That's a silly thing to say.

Then what do you do on this silly list made by silly people who also own
a silly website (and, as one Unix here says, silly OSes too) which says
such silly things too?

--
  Best wishes,
Vadim Silly Zhukov



Re: IPSEC: certificate ignored

2009-03-09 Thread Toni Mueller
Hi,

thanks for answering to Mitja and you.

On Sat, 07.03.2009 at 19:28:09 +0100, Heinrich Rebehn 
reb...@ant.uni-bremen.de wrote:
 Am 06.03.2009 um 22:56 schrieb Toni Mueller:
 223644.842092 Plcy 30 keynote_cert_obtain: failed to open
 /etc/isakmpd/keynote//u...@road-warrior/credentials
 223644.842516 Default get_raw_key_from_file: monitor_fopen
 (/etc/isakmpd/pubkeys//ufqdn/u...@road-warrior, r) failed: Permission
 denied

 ?? Permission denied? Could this be the problem?

No, it couldn't. These files don't exist.

I was able to find my own errors so far, as that now the correct
certificate gets used. This is what I have, and had, for several years
now. The problem was a missing semicolon in isakmpd.policy.

I still get no policy errors while in state INFO encrypted, which
are imho hard to debug. If anyone has tips to share, I'd be very
grateful.

What I want to achieve (from my isakmpd.policy):

Conditions: app_domain == "IPsec policy" &&
 esp_present == "yes" &&
 esp_enc_alg == "aes" &&
 phase_1 == "main" &&
 phase1_group_desc == 5 &&
 esp_encapsulation == "tunnel" &&
 ah_present == "no" &&
 esp_auth_alg == "hmac-sha2-512" &&
 esp_key_length == 256 &&
 pfs == "yes" &&
 some-checks-on-the-remote-ids -> "true";

But I don't know if Linux supports them all. OpenBSD - OpenBSD worked
just fine...


Kind regards,
--Toni++



Re: generating passwords (crypt, md5)

2009-03-09 Thread Juan Miscaro
2009/2/28 Stuart Henderson s...@spacehopper.org:
 On 2009-02-28, Juan Miscaro jmisc...@gmail.com wrote:
 What is the standard way of generating hashes (for me it's for
 passwords) in OpenBSD? I once used userdbpw but its package
 (courier-authlib-userdb) conflicts with another package I have
 installed. So I'm looking for a cleaner, standard method. Thanks.

 encrypt(1) is in base and covers MD5/Blowfish/DES. or there's htpasswd,
 handling SHA/apache modified MD5/Blowfish/DES. if you need other hashes,
 dovecotpw (from the dovecot package) knows of many more.

Thanks everyone for the replies.  In the end I discovered that the
courier-authlib package has the utility 'authpasswd' which fits the
bill.

--
jm



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread J.C. Roberts
On Mon, 9 Mar 2009 09:07:51 -0700 Hilco Wijbenga
hilco.wijbe...@gmail.com wrote:

 2009/3/9 J.C. Roberts list-...@designtools.org:
  On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
  hilco.wijbe...@gmail.com wrote:
 
  I have pf running on my firewall box and I'm experiencing some
  strange behaviour. After several hours (this may even be 24 hours)
  of functioning normally, pf seems to reload its default rules
  which means that from that point on all traffic is blocked. A
  simple pfctl -f /etc/pf.conf fixes the problem but it is very
  annoying.
 
  ummm... no. Think about it for a moment. The default rules *are*
  stored in /etc/pf.conf --the very same file you are manually
  reloading, so it's obviously not magically reloading the default
  rules as you claim.
 
 Ah, different semantics. :-) By default rules I mean whatever pf
 does *without* an /etc/pf.conf. Probably something like block all.
 

:-)

  What kind of connection are you running?
  Is your public IP address static or dynamic?
  More importantly, are you running some sort of
  tunneling/authentication such as PPPoE or similar?
 
 I use DHCP so my IP can change. It's not particularly public though.
 My ISP gives me an IP in 192.168.1.*. :-( (A smart move on their part,
 I guess [no more running out of IPv4 addresses for them] but not very
 useful to me.)
 

I doubt your ISP only has 254 customers, so they are most likely using
more than just the stated 192.168.1.0 - 192.168.1.255 range.

If you are doing your own NAT'ing for other machines on your private
LAN, the fact your ISP is assigning you an IP address from the private
address space could lead to a conflict. 

The smart answer for an ISP is moving to IPv6 since it's the only
long term solution. Unfortunately, with less than 1% uptake on IPv6, it
doesn't get you much usability right now and network address
translation hacks are still required in some cases.

  In short my first guess is your IP is changing every 24 hours or so
  due to your service provider using dynamic addressing (and trying to
  prevent you from having a particular IP for too long). If I'm right,
  then your problem is that pf is holding on to the old rules for your
  old IP address even though your IP had changed. In other words, you
  have a configuration error.
 
 That definitely makes sense. However, I thought that by referring to
 an interface instead of an IP I was protected from that? I mean, it's
 fairly common to have a dynamic IP, is it not?
 

It depends on *how* you refer to the interface in your rules. As
mentioned in the thread, you may have left off the needed parentheses
around your interface variable. You would be neither the first nor last
to make this mistake. If you would post your pf.conf it would be very
helpful. 

p.s. I hope you don't mind I cc'd m...@. I figured your off-list reply
was due to my mistaken off-list reply.

-- 
J.C. Roberts



Re: arp MiTM

2009-03-09 Thread irix
Hello Misc,

  Theo and other, thanks.

-- 
Best regards,
 irix  mailto:i...@ukr.net



Re: relayd ssl to ssl not working. Sends http request to https port

2009-03-09 Thread kevin thompson
Sorry to dredge this back up from a month ago, but I wanted to get some
clarification.

If I wanted to have a gateway that accepts https connections from clients
and then proxies them over to https servers am I just out of luck?  Is it
that it cannot be done at all, or just that it cannot be done with relayd
and there is some other tool I should look at.

I'd like to look at making an open version of an Application Layer Firewall
(as required by the PCI DSS).  Ideally, I would be able to have clients
connect to port 443 on the OpenBSD gateway and the OpenBSD gateway would
decrypt the traffic, reassemble it, run it through snort, and maybe check
the headers for some expected values.  Then if everything is good, open a
connection to the server and pass the traffic on.  Can it be done on
OpenBSD?  Where do I need to look to learn more?  I've pored over the
documentation for relayd and pf, but I'm not seeing the ability to do what
I'm talking about here.

It probably sounds like Man in the Middle mode described below.  You're
right, dealing with bad certificates would be a pain in the butt.  Maybe we
could require the firewall admin to provide the certificate that is expected
from the server.  So whether it is bad or not, it has to match what the
firewall was expecting or the host is considered down and taken out of
rotation.

Kevin


On Mon, Feb 9, 2009 at 4:15 PM, Stuart Henderson s...@spacehopper.org wrote:

 On 2009-02-09, kevin thompson kevin.david.thomp...@gmail.com wrote:
  Is there something in my configuration file that I need to specify to
 ensure
  that https requests are sent to the servers?  I've looked at a few
 examples
  online and I haven't seen anything that fits the bill.  Here is my
  relayd.conf file

 basically it looks like you want to decrypt, adjust the headers,
 and then re-encrypt to the server.

 relayd doesn't have this feature (mitm mode? :-)

 it could probably be added as an option to forward to for a
 relay, but this would bring some questions about how to handle
 invalid certificates at the backend server, etc... (and without
 safe ways to handle that, you might as well keep the cleartext
 to the backend).

 with what's currently available in relayd, you would have to
 use a plain TCP relay for HTTPS.

  table <ssl_server> { www.mnsu.edu, secure.mnsu.edu }
  web_port="80"
  ssl_port="443"
  bge0_ip="134.29.32.88"
 
  interval 10
  timeout 200
  prefork 5
  log updates
 
  http protocol httpfilter {
      # TCP Performance options
      tcp { nodelay, sack, socket buffer 65536, backlog 100 }
 
      # Return HTTP/HTML error pages
      return error
 
      # allow logging of remote client ips to internal web servers
      header append "$REMOTE_ADDR" to "X-Forwarded-For"
 
      # Set keep alive timeout to global timeout
      header change "Keep-Alive" to "$TIMEOUT"
 
      # Close connection upon receipt
      header change "Connection" to "close"
 
      # Anonymize webservers name/type
      response header change "Server" to "Something"
 
      # SSL options
      ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
  }
 
  relay web_proxy {
      listen on $bge0_ip port $ssl_port ssl
      protocol httpfilter
      forward to <ssl_server> port $ssl_port mode loadbalance check https "/" code 200
  }



Re: Where is Secure by default ?

2009-03-09 Thread new_guy
L. V. Lammert wrote:
 
 PMFJI, but isn't the issue simpler than that? If he has a MiTM attack via 
 arp, doesn't that mean the attacker has access to the local subnet?
 

Remote access to a machine on that subnet would do. It does not have to be
physical. Probably a compromised Windows box that got the ball rolling
(that's been my experience anyway). Once a machine on your net is infected,
the cracker may as well be physically in the building.
-- 
View this message in context: 
http://www.nabble.com/Where-is-%22Secure-by-default%22---tp22414975p22426601.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-09 Thread Hilco Wijbenga
2009/3/9 J.C. Roberts list-...@designtools.org:
 On Mon, 9 Mar 2009 09:07:51 -0700 Hilco Wijbenga
 hilco.wijbe...@gmail.com wrote:

 2009/3/9 J.C. Roberts list-...@designtools.org:
  On Sun, 8 Mar 2009 16:01:57 -0700 Hilco Wijbenga
  hilco.wijbe...@gmail.com wrote:
 
  I have pf running on my firewall box and I'm experiencing some
  strange behaviour. After several hours (this may even be 24 hours)
  of functioning normally, pf seems to reload its default rules
  which means that from that point on all traffic is blocked. A
  simple pfctl -f /etc/pf.conf fixes the problem but it is very
  annoying.
 
  ummm... no. Think about it for a moment. The default rules *are*
  stored in /etc/pf.conf --the very same file you are manually
  reloading, so it's obviously not magically reloading the default
  rules as you claim.

 Ah, different semantics. :-) By default rules I mean whatever pf
 does *without* an /etc/pf.conf. Probably something like block all.


 :-)

  What kind of connection are you running?
  Is your public IP address static or dynamic?
  More importantly, are you running some sort of
   tunneling/authentication such as PPPoE or similar?

 I use DHCP so my IP can change. It's not particularly public though.
 My ISP gives me an IP in 192.168.1.*. :-( (A smart move on their part,
 I guess [no more running out of IPv4 addresses for them] but not very
 useful to me.)

 I doubt your ISP only has 254 customers, so they are most likely using
 more than just the stated 192.168.1.0 - 192.168.1.255 range.

Let's hope so for them. :-) I always get an IP in that range, though.
Well, so far anyway.

 If you are doing your own NAT'ing for other machines on your private
 LAN, the fact your ISP is assigning you an IP address from the private
 address space could lead to a conflict.

I had been wondering about that. I use 192.168.151.* internally. That
should be okay then, shouldn't it?

 The smart answer for an ISP is moving to IPv6 since it's the only
 long term solution. Unfortunately, with less than 1% uptake on IPv6, it
 doesn't get you much usability right now and network address
 translation hacks are still required in some cases.

We're talking about a very big ISP. Smart doesn't come into the picture. ;-)

   In short my first guess is your IP is changing every 24 hours or so
  due to your service provider using dynamic addressing (and trying to
  prevent you from having a particular IP for too long). If I'm right,
  then your problem is that pf is holding on to the old rules for your
  old IP address even though your IP had changed. In other words, you
  have a configuration error.

 That definitely makes sense. However, I thought that by referring to
 an interface instead of an IP I was protected from that? I mean, it's
 fairly common to have a dynamic IP, is it not?


 It depends on *how* you refer to the interface in your rules. As
  mentioned in the thread, you may have left off the needed parentheses
  around your interface variable. You would be neither the first nor last
 to make this mistake. If you would post your pf.conf it would be very
 helpful.

ext_if = "sk0"
int_if = "sk1"

set skip on lo
set block-policy return
scrub in

nat log on $ext_if from $int_if:network to any -> ($ext_if)

block log
pass out quick from $int_if to $int_if:network
pass out quick from $ext_if to any
#pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port { domain, ntp }
pass in quick on $int_if from $int_if:network to any

 p.s. I hope you don't mind I cc'd m...@. I figured your off-list reply
 was due to my mistaken off-list reply.

:-) Yep.

Cheers,
Hilco
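The "parentheses around the interface" point from this thread, as an added example that is not from the thread and is not OpenBSD's pfctl: a small Python model of the pf.conf(5) behaviour that a bare interface name in an address position is replaced by the interface's address when the ruleset is loaded, while `(ifname)` follows later address changes. It runs over a copy of the ruleset posted above with constructed addresses (a lease of 192.168.1.23 on sk0 at load time, 192.168.1.77 after renewal; 192.168.151.1/24 on sk1) and reports which rules were frozen to the old lease.

```python
"""Model of how pf freezes interface addresses at ruleset load.

Added example, not code from the thread or from OpenBSD's pfctl.  $macro
references are substituted textually, then a bare interface name used as
an address becomes the address the interface holds at load time, while
"(ifname)" stays dynamic.  All addresses below are constructed.
"""
import re

MACRO_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"?([^"\s]+)"?$')
# a token in an address position: keyword, optional "(", name, optional
# modifier such as ":network", optional ")"
ADDR_RE = re.compile(r'(?<!\w)(from|to|->)\s+(\(?)([A-Za-z]\w*)(:[a-z]+)?(\)?)')


def parse_conf(text):
    """Return (macros, rules); comments and blank lines are dropped."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(line)
    return macros, rules


def substitute(rule, macros):
    """Textual $macro expansion, done before the rule is parsed."""
    return re.sub(r'\$([A-Za-z_]\w*)',
                  lambda m: macros.get(m.group(1), m.group(0)), rule)


def load(rule, ifaddrs):
    """Expand a macro-free rule as a load would: bare interface names in
    address positions become the current address (or :network) and are
    listed in 'frozen'; parenthesised ones are left dynamic."""
    frozen = []

    def repl(m):
        kw, lpar, name, mod, rpar = m.groups()
        if name not in ifaddrs or lpar:     # host, table, 'any', or "(ifname)"
            return m.group(0)
        key = "network" if mod == ":network" else "addr"
        value = ifaddrs[name][key]
        frozen.append((name, key, value))
        return "%s %s" % (kw, value)

    return ADDR_RE.sub(repl, rule), frozen


def fix_rule(rule, dynamic_ifaces):
    """Wrap bare references to dynamically addressed interfaces in
    parentheses so pf tracks the address instead of freezing it."""
    def repl(m):
        kw, lpar, name, mod, rpar = m.groups()
        if name in dynamic_ifaces and not lpar:
            return "%s (%s%s)" % (kw, name, mod or "")
        return m.group(0)
    return ADDR_RE.sub(repl, rule)


def stale_rules(conf_text, loaded_ifaddrs, current_ifaddrs):
    """Rules whose frozen address no longer matches what the interface holds."""
    macros, rules = parse_conf(conf_text)
    dynamic = {n for n in current_ifaddrs if current_ifaddrs[n] != loaded_ifaddrs[n]}
    stale = []
    for rule in rules:
        flat = substitute(rule, macros)
        loaded, frozen = load(flat, loaded_ifaddrs)
        for name, key, value in frozen:
            now = current_ifaddrs[name][key]
            if now != value:
                stale.append({"rule": rule, "loaded_as": loaded, "ifname": name,
                              "frozen": value, "now": now,
                              "fixed": fix_rule(flat, dynamic)})
    return stale


# Constructed copy of the ruleset posted in the thread.
SAMPLE_CONF = """\
ext_if = "sk0"
int_if = "sk1"

set skip on lo
set block-policy return
scrub in

nat log on $ext_if from $int_if:network to any -> ($ext_if)

block log
pass out quick from $int_if to $int_if:network
pass out quick from $ext_if to any
pass in quick on $int_if from $int_if:network to any
"""

# Constructed addresses: the lease sk0 held at load time, then after renewal.
AT_LOAD = {"sk0": {"addr": "192.168.1.23", "network": "192.168.1.0/24"},
           "sk1": {"addr": "192.168.151.1", "network": "192.168.151.0/24"}}
AFTER_RENEWAL = {"sk0": {"addr": "192.168.1.77", "network": "192.168.1.0/24"},
                 "sk1": AT_LOAD["sk1"]}

if __name__ == "__main__":
    for entry in stale_rules(SAMPLE_CONF, AT_LOAD, AFTER_RENEWAL):
        print("stale: %(rule)s" % entry)
        print("  loaded as: %(loaded_as)s" % entry)
        print("  %(ifname)s is now %(now)s; fix: %(fixed)s" % entry)
```

In the posted ruleset the `nat` rule already uses `($ext_if)`, so translation keeps working after a renewal; the `pass out quick from $ext_if to any` rule does not, so outbound packets from the new address fall through to `block log`, and with `set block-policy return` that looks very much like the ruleset was wiped. On the real box, `pfctl -sr` shows the loaded form and is the quick way to see which rules carry a literal address instead of `(sk0)`.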



You have just received a virtual postcard from a friend !

2009-03-09 Thread recei...@postcard.org
You have just received a virtual postcard from a friend !

.

You can pick up your postcard at the following web address:

.

Click here to pick up your postcard

.

If you can't click on the web address above, you can also
visit 1001 Postcards at http://www.postcards.org/postcards/
and enter your pickup code, which is: d21-sea-sunset

.

(Your postcard will be available for 60 days.)

.

Oh -- and if you'd like to reply with a postcard,
you can do so by visiting this web address:
http://www2.postcards.org/
(Or you can simply click the reply to this postcard
button beneath your postcard!)

.

We hope you enjoy your postcard, and if you do,
please take a moment to send a few yourself!

.

Regards,
1001 Postcards
http://www.postcards.org/postcards/



Re: acpitz0: THRM: failed to read _TMP

2009-03-09 Thread Miod Vallat
 I'm seeing the following messages logged to the console:
 
 acpitz0: THRM: failed to read _TMP
 acpitz0: THRM: failed to read temp
 
 (both lines are repeated many times).
 
 It looks like OpenBSD (4.4) is unable to read the CPU temperature
 which would explain why my previously whisper quiet box now resembles
 a starting F16. I have the box under the desk running 24/7 so I really
 want it to be quiet.

Have you tried a more recent snapshot? There have been fixes in acpitz
for this kind of failure some time after 4.4, which might help your
machine.

Miod