Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-21 Thread Henning Brauer
* J.C. Roberts list-...@designtools.org [2009-03-21 09:54]:
 On Fri, 20 Mar 2009 20:16:32 +0100 Henning Brauer
 lists-open...@bsws.de wrote:
 
  * J.C. Roberts list-...@designtools.org [2009-03-10 02:03]:
   The smart answer for an ISP is moving to IPv6
  
  that is about the least smart thing anybody could do.
 If everyone continues to avoid IPv6, then it will remain less than
 useful. I understand IPv6 has less than 1% uptake at the moment, but I
 don't understand why employing it (in addition to IPv4 NATing hacks) is
 about the least smart thing an ISP could do?
 
 Is it a cost issue?

no, a lack of brain issue. v6 is broken by design in a thousand ways
and way worse than you can imagine. of course it has been detailed
here numerous times.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-21 Thread J.C. Roberts
On Fri, 20 Mar 2009 20:16:32 +0100 Henning Brauer
lists-open...@bsws.de wrote:

 * J.C. Roberts list-...@designtools.org [2009-03-10 02:03]:
  The smart answer for an ISP is moving to IPv6
 
 that is about the least smart thing anybody could do.

Hi Henning,

If everyone continues to avoid IPv6, then it will remain less than
useful. I understand IPv6 has less than 1% uptake at the moment, but I
don't understand why employing it (in addition to IPv4 NATing hacks) is
about the least smart thing an ISP could do?

Is it a cost issue?


-- 
J.C. Roberts



Re: Install freezes on macppc

2009-03-21 Thread J.C. Roberts
On Fri, 20 Mar 2009 15:39:24 -0400 (EDT) Daniel Barowy
dbar...@barowy.net wrote:

  Needless to say, getting an operating system to play nice with
  firmware that is in an unknown patch state is a major pain in the
  ass. The first thing you should try is getting the OpenBSD
  4.5-current ISO since your issue may have been fixed since
  4.4-Release was completed in Sep 08.
 
 I also downloaded this and booted from it.  Same problem-- this
 time it froze while setting up the disk, so it seems like we're still
 in the same boat.  BTW, here's more information on the machine:
 
 http://lowendmac.com/ppc/sawtooth-power-mac-g4-agp.html
 
 Any other suggestions?  Are there any boot-time options that I
 could try?

As far as I've read in OpenBSD INSTALL.macppc (mandatory reading) and on
the NetBSD website/docs, the suggested firmware options such as
load-base and similar are geared towards just getting the kernel to
boot properly. You are already past this hurdle.

With the information provided, I cannot guess the reason why you're
having problems with disk access, but at least the problem is fairly
consistent.

I'm curious if you've searched the archives of the p...@openbsd mailing
list for similar issues? It would be a better list for this topic.

One of the things you could try is seeing if you can get NetBSD running
on the machine. My thinking is if you have an unknown hardware problem
(failing disk or similar), NetBSD will most likely have similar
failures. On the other hand, if NetBSD works, then we know we have a
an issue in OpenBSD (driver?, geometry?, flux-capacitor?, ...).

-- 
J.C. Roberts



Re: prioritizing carp interfaces

2009-03-21 Thread Toni Mueller
Hi,

On Fri, 20.03.2009 at 14:28:46 +0100, Joerg Streckfuss streckf...@dfn-cert.de 
wrote:
 How does CARP behave when on the master node two unimportant interfaces
 fail and on the backup node only the uplink interface fails? Does CARP
 fail over to the backup node, and as a consequence the whole network will be
 disconnected from the internet?

my reading of carp(4) is that the behaviour depends on the setting of

net.inet.carp.preempt

If set to 1, then firewalls only fail over as a whole, while if set to
0, interfaces fail over individually. With interfaces failing over
individually, and with appropriate routing between your firewalls,
traffic should flow through the remaining interfaces.

Please note that having interfaces fail over individually makes playing
with pfsync and sasync *quite* interesting.
Please also note that you could have more than two firewalls running
CARP, so maybe the third (fourth, ...) firewall will keep you online.

I guess that the real solution is to have a known-good hardware that
you can bring up in minutes sitting on the shelf, and yes, to live with
some downtime.


Kind regards,
--Toni++



Re: arp MiTM

2009-03-21 Thread Henning Brauer
* irix i...@ukr.net [2009-03-09 17:40]:
 Sorry if I have been rude. I am not the administrator of the network, I am
 a client. And another client uses MiTM. This network uses unmanaged
 switches, and the ISP spits on it. That's why I am trying to find out how
 to protect my workstation from MiTM without a static arp entry, in a way
 that would be easy and transparent. The variant with the patch is, I think,
 the simplest and most effective. I am simply a customer, and I am trying to
 find the simplest solution.

Q: I point a pistol at my head and shoot. How can I prevent getting hit.
A: Put the pistol away and don't shoot
Q: But I want that without putting the pistol away or not shooting!

yeah...

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: PF and CLamAV Integration - how to do it?

2009-03-21 Thread Marc Balmer

On 20.03.2009 at 12:15, jmc wrote:

 --- Marc Balmer [Thu, Mar 19, 2009 at 07:36:18PM +0100]: ---
  On 19.03.2009 at 15:27, Protocol Six Consulting wrote:

   Hi,

   I was wondering if anyone here knows how to integrate the PF firewall
   with ClamAV.

  smtp-vilter, which is in ports, does that,

 i started paying attention to this thread because i've been interested
 in setting up clamav for some time. i noticed that there's a
 clamav-milter(8) that gets installed as part of the clamav package.

 is the general consensus of those in the know to use smtp-vilter instead
 of clamav-milter for these purposes?


Well, I am biased (I wrote smtp-vilter).  I wrote it quite some time ago
because clamav-milter's quality was really bad.  And I needed
LDAP and PF integration.  smtp-vilter was written with OpenBSD in
mind.



Re: Where is Secure by default ?

2009-03-21 Thread Henning Brauer
* Felipe Alfaro Solana felipe.alf...@gmail.com [2009-03-09 17:07]:
 ARP is insecure by default. If you care, move to IPv6 and use IPSec/SeND.

hah. IPv6 makes arp look like the brightest invention ever.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: How to break the httpd's 4G file size limit?

2009-03-21 Thread Henning Brauer
* Alexey Suslikov alexey.susli...@gmail.com [2009-03-11 16:38]:
 The limitation is 2Gb on 32-bit platforms because of off_t (man lseek).

off_t is 64bit on all platforms we support. even vax.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: might be slightly OT: `probability in PF'

2009-03-21 Thread Henning Brauer
* jmc j...@cosmicnetworks.net [2009-03-11 15:05]:
 so anyway, how are _you_ using probability?

it's high on my list of useless features in pf I'd rather remove.
if anybody is actually using it, I'd like to hear about it.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: Ramifications of blocking SYN+FIN TCP packets

2009-03-21 Thread Henning Brauer
not sure whether it wouldn't be smarter to just have pf scrub drop
these as well.

--- pf_norm.c   Sat Mar 21 12:17:44 2009
+++ pf_norm.c.orig  Sat Mar 21 12:16:56 2009
@@ -782,11 +782,8 @@
flags = th-th_flags;
if (flags  TH_SYN) {
/* Illegal packet */
+   if (flags  (TH_RST|TH_FIN))
-   if (flags  TH_RST)
goto tcp_drop;
-
-   if (flags  TH_FIN)
-   flags = ~TH_FIN;
} else {
/* Illegal packet */
if (!(flags  (TH_ACK|TH_RST)))
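Review bot: The combined TH_RST|TH_FIN test in the SYN branch changes what scrub does with SYN+FIN and nothing in the hunk records that. The removed lines cleared TH_FIN and let the segment continue through normalisation, while the added line sends it to tcp_drop, so rulesets that relied on the FIN being stripped will now see the packet discarded. The "Illegal packet" comment above the test should say that both SYN+RST and SYN+FIN are dropped, and the scrub documentation needs the matching update.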


-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: OpenBSD 4.4 amd64 bsd.mp can't detect 16GB memory

2009-03-21 Thread Henning Brauer
* Thomas Pfaff tpf...@tp76.info [2009-03-10 20:00]:
 OpenBSD does not currently support 4GB of RAM.

that is not true.

OpenBSD does not currently support more than 4GB of RAM on amd64, that
is true.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: Where is Secure by default ?

2009-03-21 Thread Henning Brauer
* irix i...@ukr.net [2009-03-09 15:55]:
 On www.openbsd.org it is written "Only two remote holes in the default
 install, in more than 10 years!"; this is not true. I am using OpenBSD
 as a customer, not as an administrator. And my OpenBSD was attacked
 by a simple MiTM attack on the arp protocol. How then can we talk about
 security by default?
 For example, in FreeBSD this is solved very simply, with this patch:
 http://freecap.ru/if_ether.c.patch
 When is this going to be introduced in OpenBSD, so you can say with
 confidence that the system is really Secure by default?

yeah, that is a great patch. it breaks ethernet. it effectively makes
arp static. great idea, great. move an IP to another machine and
observe it not working (until the long-ish timeout expires). great eh.

how about letting the one who knows about IP-mac relations decide.
using arp(8).

or fix the network from the beginning and make proper use of port
security and vlans on the switches. yes, most ISPs don't do that. yes,
most ISPs are stupid. you can work around that to some degree by using
static arp and deal with the fallout, or get a decent ISP. they exist.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: might be slightly OT: `probability in PF'

2009-03-21 Thread Matthias Kilian
On Sat, Mar 21, 2009 at 12:14:44PM +0100, Henning Brauer wrote:
  so anyway, how are _you_ using probability?
 
 it's high on my list of useless features in pf I'd rather remove.
 if anybody is actually using it, I'd like to hear about it.

I used it once about two years ago, to simulate a bad line (testing
some weird file transfer software at $CUSTOMER). It was fun, but I
wouldn't have missed the feature if it weren't there.

Ciao,
Kili

-- 
Fall is my favorite season in Los Angeles, watching the birds change
color and fall from the trees.
-- David Letterman



Re: How to find available wifi access points?

2009-03-21 Thread Edd Barrett
On Fri, Mar 20, 2009 at 09:14:49AM +, Stuart Henderson wrote:
 On 2009-03-20, Matt open...@women-at-work.org wrote:
  Thank you all - that worked (both 'chan' and 'scan').
 
 you should use scan, chan does something else now.

bah, this keeps changing!

-- 

Best Regards

Edd Barrett
(Freelance software developer / technical writer / open-source developer)

http://students.dec.bmth.ac.uk/ebarrett



Re: might be slightly OT: `probability in PF'

2009-03-21 Thread Lars Noodén
Henning Brauer wrote:
 * jmc j...@cosmicnetworks.net [2009-03-11 15:05]:
 so anyway, how are _you_ using probability?
 
 it's high on my list of useless features in pf I'd rather remove.
 if anybody is actually using it, I'd like to hear about it.

PF is one of the main factors for me to use OpenBSD, but since I do
little routing with it, I myself have not yet a use for probability.
However, I also use only a small fraction of PF's capabilities.

I'm training up others to take over these machines so in some months
maybe they will have found a use.

Regards
-Lars



SOEKRIS - How to install MTR to a Flashdist image

2009-03-21 Thread Frothingdog.ca
I've been working on an OpenBSD image for Soekris boxes.  I've actually made
some headway with some help and pointers from Chris (maker of flashdist).

I have the image mounted to /mnt/etc using vnconfig so I can modify the
files before flashing the image (ie. boot.conf, rc, dhcpd.conf...etc).  But
I'd like to install a couple of packages into the image, such as MTR and TTCP.
However I'm not quite sure how to do it or even where to start.  I'm a newb
to this.

Any help would be great

Thanks



Re: SOEKRIS - How to install MTR to a Flashdist image

2009-03-21 Thread Matthias Kilian
On Sat, Mar 21, 2009 at 07:42:31AM -0700, Frothingdog.ca wrote:
 I have the image mounted to /mnt/etc using vnconfig so I can modify the
 files before flashing the image (ie. boot.conf, rc, dhcpd.conf...etc).  But
 I'd like to install a couple of packages into the image, such as MTR and TTCP.
 However I'm not quite sure how to do it or even where to start.  I'm a newb
 to this.

chroot(8) into the directory, then pkg_add(8) the packages via ftp,
http, or from an nfs mount.

Ciao,
Kili

-- 
Illness as a path -- how do I come to terms with being shot through the head?
-- Ansgar Stein



Re: SOEKRIS - How to install MTR to a Flashdist image

2009-03-21 Thread Lars Noodén
Frothingdog.ca wrote:
 I have the image mounted to /mnt/...

If you are running the same version, then one way is to chroot to the
new image:

 chroot /mnt /bin/ksh

then install the packages you wish.

+Lars



Re: Ramifications of blocking SYN+FIN TCP packets

2009-03-21 Thread Johan Linner

Henning Brauer wrote:

not sure whether it wouldn't be smarter to just have pf scrub drop
these as well.

--- pf_norm.c   Sat Mar 21 12:17:44 2009
+++ pf_norm.c.orig  Sat Mar 21 12:16:56 2009
@@ -782,11 +782,8 @@
flags = th-th_flags;
if (flags  TH_SYN) {
/* Illegal packet */
+   if (flags  (TH_RST|TH_FIN))
-   if (flags  TH_RST)
goto tcp_drop;
-
-   if (flags  TH_FIN)
-   flags = ~TH_FIN;
} else {
/* Illegal packet */
if (!(flags  (TH_ACK|TH_RST)))
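Review bot: The file headers name pf_norm.c on the "---" side and pf_norm.c.orig on the "+++" side, so the .orig copy is presented as the new file even though the "+" line carries the proposed combined test and the "-" lines carry the FIN-stripping code. Regenerating the diff with the original file first, so that .orig sits on the "---" side, would remove any doubt about which direction to apply it in.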




IMHO: Yes it is smarter.
Will save time spent on the External Security Consultants.

/Johan



Re: Install freezes on macppc

2009-03-21 Thread Nick Holland
Daniel Barowy wrote:
 Hello everyone,
 
 A little searching on the lists and Google don't reveal anyone else
 having this problem, so I thought I'd ask for help.  I originally tried 
 installing 4.3 on this machine awhile back, and when I ran into this 
 problem, I had other things to do, so I never followed up on it.  Now that 
 I have my shiny 4.4 CD, I thought I'd give it a try again, alas, I'm still 
 having the same problem.
 
 In short, the machine freezes at some point during the install process.
 It does not respond to any keypresses.  It always gets past OpenFirmware 
 and the OpenBSD boot prompt.  I am usually able to start the installer. 
 But then, at some arbitrary point, it hangs.  Sometimes this is during the 
 boot process; sometimes this is while I'm in the middle of typing 
 something; sometimes it is while the installer sets up the disks.  As I 
 mentioned before, this happens with both 4.3 and 4.4.
 
 Oh-- and I've tried multiple hard disks, and I even tried plugging in a
 Sonnet PCI IDE controller, in case there was something broken with the 
 integrated one.
 
 This machine is a standard Sawtooth G4, except that it has a different
 CD-ROM drive than the original, and the processor has been upgraded.  You 
 can see that in the dmesg below.

Danger, Will Robinson...

I looked at a link you provided later in this thread about the sawtooth G4
systems, and thought, hey, that looks familiar, but NOT like my 1+GHz
macppc, but more like my 500MHz macppc...then went back and saw your
"processor has been upgraded" comment.

Keep in mind the Macs are basically closed, secretive hardware, supported
by a closed, secretive OS provided by the same vendor...so they can stick
workarounds in for odd hardware quirks that no one else knows about (and
they do have some odd hardware quirks...like the inaccessible, incomplete
gem(4) found on one of my machines...that apparently was replaced by an
on-board dc(4)...???)

It is entirely possible you are the only person who has a 1.2GHz proc
upgrade in their 400-500MHz MacPPC attempting to run OpenBSD.  And, it is
entirely possible that THAT combination doesn't work for some reason (and
I'd bet a US quarter that it is due to a HW bug the OS is expected to
work around).

Your machine is very similar to one of mine, which works pretty well,
so I'm looking at the differences..and that one leaps out at me.

Few other notes below:

 I just reinstalled the MacOS on the machine (10.5), and that runs OK.
 I haven't tried any other OSes, but I suppose I could.
 
 Anyway, here's my dmesg.  Anyone have any suggestions, or things I could
 try to get some kind of debug info back?
 
 [ using 245420 bytes of bsd ELF symbol table ]
 console out [ATY,Pheonix_A]console in [keyboard] , using USB
 using parent ATY,PheonixParent:: memaddr 9800 size 800, : consaddr 
 9c008000, : ioaddr 9002, size 2: memtag 8000, iotag 8000: width 
 1280 linebytes 1280 height 1024 depth 8
 Copyright (c) 1982, 1986, 1989, 1991, 1993
   The Regents of the University of California.  All rights reserved.
 Copyright (c) 1995-2008 OpenBSD. All rights reserved. 
 http://www.OpenBSD.org
 
 OpenBSD 4.4 (RAMDISK) #1544: Mon Aug 11 13:51:46 MDT 2008
  dera...@macppc.openbsd.org:/usr/src/sys/arch/macppc/compile/RAMDISK
 real mem = 2147483648 (2048MB)
 avail mem = 2078171136 (1981MB)

Great Gobbs of Memory, Batchman!
um.  just for giggles, might want to knock that way down...

 mainbus0 at root: model PowerMac3,1
 cpu0 at mainbus0: 7455 (Revision 0x303): 1200 MHz: 256KB L2 cache, 2MB L3 
 cache
 mem at mainbus0 not configured

That doesn't look good...
and not like my otherwise somewhat similar machine:

OpenBSD 4.4-current (GENERIC) #2: Wed Jan 28 22:41:31 EST 2009
n...@ftp.in.nickh.org:/usr/src/sys/arch/macppc/compile/GENERIC
real mem = 536870912 (512MB)
avail mem = 509669376 (486MB)
mainbus0 at root: model PowerMac3,3
cpu0 at mainbus0: 7400 (Revision 0x209): 500 MHz: 1MB backside cache
mem0 at mainbus0
spdmem0 at mem0: 512MB SDRAM ECC PC100CL2
memc0 at mainbus0: uni-n

(yep, need to upgrade it)
(the memory is kinda odd, but I had it and it worked in this machine
and not much else...so there it is...)

 memc0 at mainbus0: uni-n
 kiic0 at memc0 offset 0xf8001000
 mpcpcibr0 at mainbus0 pci: uni-north, Revision 0xff
 pci0 at mpcpcibr0 bus 0
 pchb0 at pci0 dev 11 function 0 Apple Uni-N AGP rev 0x00
 vgafb0 at pci0 dev 16 function 0 ATI Radeon 9000 rev 0x01, mmio
 wsdisplay0 at vgafb0 mux 1: console (std, vt100 emulation)
 mpcpcibr1 at mainbus0 pci: uni-north, Revision 0xff
 pci1 at mpcpcibr1 bus 0
 pchb1 at pci1 dev 11 function 0 Apple Uni-N rev 0x00
 ppb0 at pci1 dev 13 function 0 DEC 21154 PCI-PCI rev 0x05
 pci2 at ppb0 bus 1
 macobio0 at pci2 dev 7 function 0 Apple Keylargo rev 0x02
 openpic0 at macobio0 offset 0x4: version 0x4614 little endian
 macgpio0 at macobio0 offset 0x50
 macgpio1 at macgpio0 irq 47
 programmer-switch at macgpio0 not configured
 

Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-21 Thread Garry Dolley
  If everyone continues to avoid IPv6, then it will remain less than
  useful. I understand IPv6 has less than 1% uptake at the moment, but I
  don't understand why employing it (in addition to IPv4 NATing hacks) is
  about the least smart thing an ISP could do?
  
  Is it a cost issue?
 
 no, a lack of brain issue. v6 is broken by design in a thousand ways
 and way worse than you can imagine. of course it has been detailed
 here numerous times.

So what are you going to do when all of IPv4 is exhausted?  Do you
have all the IPs you need so it won't matter?

-- 
Garry Dolley
ARP Networks, Inc.  http://www.arpnetworks.com
Data center, VPS, and IP transit solutions  (818) 206-0181
Member Los Angeles County REACT, Unit 336   WQGK336
Blog  http://scie.nti.st



Re: Install freezes on macppc

2009-03-21 Thread Daniel Barowy

Hi Nick,

 Thanks for looking at this...

Nick Holland wrote:

 Keep in mind the Macs are basically closed, secretive hardware, supported
 by a closed, secretive OS provided by the same vendor...so they can stick
 workarounds in for odd hardware quirks that no one else knows about (and
 they do have some odd hardware quirks...like the inaccessible, incomplete
 gem(4) found on one of my machines...that apparently was replaced by an
 on-board dc(4)...???)

I am well aware of this-- we have about two dozen OpenBSD machines
running on i386 and amd64.  They run great, and when we have issues,
they're usually very easy to track down.  However, it pains me to have
this machine sitting around doing nothing (our designers now turn their
noses up at these machines), so I thought I'd poke around with it
again.  May not be worth it, but we'll see!

  mainbus0 at root: model PowerMac3,1
  cpu0 at mainbus0: 7455 (Revision 0x303): 1200 MHz: 256KB L2 cache, 2MB L3
  cache
  mem at mainbus0 not configured

 That doesn't look good...
 and not like my otherwise somewhat similar machine:

This was my next step after JCR's suggestions.  The trick is to track
down the old processor.  I know it's around here somewhere...

  umass0 at uhub0 port 1 configuration 1 interface 0 Memorex Flashdrive
  303B rev 2.00/1.10 addr 2
  umass0: using SCSI over Bulk-Only
  scsibus1 at umass0: 2 targets, initiator 0
  sd0 at scsibus1 targ 1 lun 0: Memorex, Flashdrive 303B, PMAP SCSI0
  0/direct removable
  sd0: 122MB, 15 cyl, 255 head, 63 sec, 512 bytes/sec, 251776 sec total

 um.  I'd remove this until you figure out your issue...

Actually-- this was here so that I could dump the dmesg.  I wanted to
try to do it quickly before the machine froze again.  So no, it does not
appear to be a USB issue-- I did do that.


Another data point-- I quickly installed Linux (Ubuntu) on this machine 
to see if anything similar popped it.  Like the MacOS, it seems to run 
fine.  JCR suggested that I try NetBSD, so if the processor swap doesn't 
work, I'll try that as well.


Many thanks everyone,
Dan



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-21 Thread Henning Brauer
* Garry Dolley gdol...@arpnetworks.com [2009-03-21 20:32]:
   If everyone continues to avoid IPv6, then it will remain less than
   useful. I understand IPv6 has less than 1% uptake at the moment, but I
   don't understand why employing it (in addition to IPv4 NATing hacks) is
   about the least smart thing an ISP could do?
   
   Is it a cost issue?
  
  no, a lack of brain issue. v6 is broken by design in a thousand ways
  and way worse than you can imagine. of course it has been detailed
  here numerous times.
 
 So what are you going to do when all of IPv4 is exhausted?  Do you
 have all the IPs you need so it won't matter?

personally? yes I have enough as far as I can tell today.

globally? I fear we are going to see a v6-- which still has way too
much shit in it. That is the way v6 standards (hey, there is not even a
STD RFC for v6 today!) went in the previous years, cutting some crap.
but way too much is still there, and some issues are
fundamental.

whoever claims v6 would be any good has never written network code
dealing with it.

hey, compare these two which do the same, one for v4 and one for v6:

u_int8_t
mask2prefixlen(in_addr_t ina)
{
	if (ina == 0)
		return (0);
	else
		return (33 - ffs(ntohl(ina)));
}

u_int8_t
mask2prefixlen6(struct sockaddr_in6 *sa_in6)
{
	u_int8_t l = 0, i, len;

	/*
	 * sin6_len is the size of the sockaddr so subtract the offset of
	 * the possibly truncated sin6_addr struct.
	 */
	len = sa_in6->sin6_len -
	    (u_int8_t)(&((struct sockaddr_in6 *)NULL)->sin6_addr);
	for (i = 0; i < len; i++) {
		/* this beauty is adopted from sbin/route/show.c ... */
		switch (sa_in6->sin6_addr.s6_addr[i]) {
		case 0xff:
			l += 8;
			break;
		case 0xfe:
			l += 7;
			return (l);
		case 0xfc:
			l += 6;
			return (l);
		case 0xf8:
			l += 5;
			return (l);
		case 0xf0:
			l += 4;
			return (l);
		case 0xe0:
			l += 3;
			return (l);
		case 0xc0:
			l += 2;
			return (l);
		case 0x80:
			l += 1;
			return (l);
		case 0x00:
			return (l);
		default:
			fatalx("non continguous inet6 netmask");
		}
	}

	return (l);
}

don't get me started on the 160bit addresses (128 + 32 scope ID) which
fuck up all alignment. 

just v4 with addresses extended to 64bit (that is still an integer!)
would have been sweet, with minor adjustments/additions like hopcount
instead of ttl. maybe better crypto integration than ipsec today (v6
doesn't solve that problem despite the claims it would either).

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam
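
Added example, not part of the thread and not OpenBSD code: the mask-to-prefix-length conversion compared above, written once over raw mask bytes so the same routine serves 4-byte IPv4 and 16-byte IPv6 masks, and returning -1 for a non-contiguous mask instead of aborting. The function names mask_bytes_to_prefixlen and mask4_to_prefixlen and the sample masks in main() are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical helper (not from bgpd or route): convert a netmask held
 * as raw bytes in network order into a prefix length.
 * Returns 0..len*8 on success, -1 if the set bits are not contiguous
 * from the most significant bit (e.g. 255.0.255.0).
 */
int
mask_bytes_to_prefixlen(const uint8_t *mask, size_t len)
{
	int plen = 0;
	size_t i = 0;

	/* Whole bytes of ones at the front of the mask. */
	while (i < len && mask[i] == 0xff) {
		plen += 8;
		i++;
	}

	/* At most one partial byte, which must look like 1..10..0. */
	if (i < len) {
		uint8_t b = mask[i];
		uint8_t inv = (uint8_t)~b;	/* 0..01..1 when contiguous */

		if ((inv & (inv + 1)) != 0)
			return (-1);
		while (b & 0x80) {
			plen++;
			b <<= 1;
		}
		i++;
	}

	/* Everything after the boundary byte has to be zero. */
	for (; i < len; i++)
		if (mask[i] != 0)
			return (-1);

	return (plen);
}

/* IPv4 wrapper: mask passed as a 32-bit value in host byte order. */
int
mask4_to_prefixlen(uint32_t mask)
{
	uint8_t b[4];

	b[0] = (uint8_t)(mask >> 24);
	b[1] = (uint8_t)(mask >> 16);
	b[2] = (uint8_t)(mask >> 8);
	b[3] = (uint8_t)mask;
	return (mask_bytes_to_prefixlen(b, sizeof(b)));
}

int
main(void)
{
	/* Constructed sample masks; bytes not listed are zero. */
	const uint8_t v6_64[16] = {
		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
	};
	const uint8_t v6_bad[16] = { 0xff, 0xff, 0x00, 0xff };

	printf("255.255.255.0 -> %d\n", mask4_to_prefixlen(0xffffff00u));
	printf("255.0.255.0   -> %d\n", mask4_to_prefixlen(0xff00ff00u));
	printf("ffff:ffff:ffff:ffff:: -> %d\n",
	    mask_bytes_to_prefixlen(v6_64, sizeof(v6_64)));
	printf("ffff:00ff::   -> %d\n",
	    mask_bytes_to_prefixlen(v6_bad, sizeof(v6_bad)));
	return (0);
}
```

Returning an error for a non-contiguous mask lets a caller that parses filter rules or routing input reject the entry rather than terminate.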



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-21 Thread Bryan Irvine
On Sat, Mar 21, 2009 at 1:03 PM, Henning Brauer lists-open...@bsws.de
wrote:
 * Garry Dolley gdol...@arpnetworks.com [2009-03-21 20:32]:
   If everyone continues to avoid IPv6, then it will remain less than
   useful. I understand IPv6 has less than 1% uptake at the moment, but I
   don't understand why employing it (in addition to IPv4 NATing hacks) is
   about the least smart thing an ISP could do?
  
   Is it a cost issue?
 
  no, a lack of brain issue. v6 is broken by design in a thousand ways
  and way worse than you can imagine. of course it has been detailed
  here numerous times.

 So what are you going to do when all of IPv4 is exhausted?  Do you
 have all the IPs you need so it won't matter?

 personally? yes I have enough as far as I can tell today.

 globally? I fear we are going to see a v6-- which still has way too
 much shit in it. That is the way v6 standards (hey, there is not even a
 STD RFC for v6 today!) went in the previous years, cutting some crap.
 but way too much is still there, and some issues are
 fundamental.

 whoever claims v6 would be any good has never written network code
 dealing with it.

 hey, compare these two which do the same, one for v4 and one for v6:

 u_int8_t
 mask2prefixlen(in_addr_t ina)
 {
 	if (ina == 0)
 		return (0);
 	else
 		return (33 - ffs(ntohl(ina)));
 }

 u_int8_t
 mask2prefixlen6(struct sockaddr_in6 *sa_in6)
 {
 	u_int8_t l = 0, i, len;

 	/*
 	 * sin6_len is the size of the sockaddr so subtract the offset of
 	 * the possibly truncated sin6_addr struct.
 	 */
 	len = sa_in6->sin6_len -
 	    (u_int8_t)(&((struct sockaddr_in6 *)NULL)->sin6_addr);
 	for (i = 0; i < len; i++) {
 		/* this beauty is adopted from sbin/route/show.c ... */
 		switch (sa_in6->sin6_addr.s6_addr[i]) {
 		case 0xff:
 			l += 8;
 			break;
 		case 0xfe:
 			l += 7;
 			return (l);
 		case 0xfc:
 			l += 6;
 			return (l);
 		case 0xf8:
 			l += 5;
 			return (l);
 		case 0xf0:
 			l += 4;
 			return (l);
 		case 0xe0:
 			l += 3;
 			return (l);
 		case 0xc0:
 			l += 2;
 			return (l);
 		case 0x80:
 			l += 1;
 			return (l);
 		case 0x00:
 			return (l);
 		default:
 			fatalx("non continguous inet6 netmask");
 		}
 	}

 	return (l);
 }

 don't get me started on the 160bit addresses (128 + 32 scope ID) which
 fuck up all alignment.

 just v4 with addresses extended to 64bit (that is still an integer!)
 would have been sweet, with minor adjustments/additions like hopcount
 instead of ttl. maybe better crypto integration than ipsec today (v6
 doesn't solve that problem despite the claims it would either).


But then network admins would have been able to keep track of hosts in
their own networks.

;)

-B



Re: SOEKRIS - How to install MTR to a Flashdist image

2009-03-21 Thread Frothingdog.ca
I'm not sure of the command to run.  Can you elaborate on the command?
Please keep in mind I'm pretty new to this.

if using MTR file from here:  
ftp://ftp.bitwizard.nl/mtr/mtr-0.75.tar.gz


Thanks again for the help.


Frothingdog.ca wrote:
 
 I've been working on an OpenBSD image for Soekris boxes.  I've actually
 made some headway with some help and pointers from Chris (maker of
 flashdist).
 
 I have the image mounted to /mnt/etc using vnconfig so I can modify the
 files before flashing the image (ie. boot.conf, rc, dhcpd.conf...etc). 
 But I'd like to install a couple of packages into the image, such as MTR and
 TTCP.  However I'm not quite sure how to do it or even where to start. 
 I'm a newb to this.
 
 Any help would be great
 
 Thanks
 




Re: Install freezes on macppc

2009-03-21 Thread J.C. Roberts
On Sat, 21 Mar 2009 15:40:22 -0400 Daniel Barowy m...@barowy.net
wrote:

  umass0 at uhub0 port 1 configuration 1 interface 0 Memorex
  Flashdrive 303B rev 2.00/1.10 addr 2
  umass0: using SCSI over Bulk-Only
  scsibus1 at umass0: 2 targets, initiator 0
  sd0 at scsibus1 targ 1 lun 0: Memorex, Flashdrive 303B, PMAP
  SCSI0 0/direct removable
  sd0: 122MB, 15 cyl, 255 head, 63 sec, 512 bytes/sec, 251776 sec
  total 
 
  um.  I'd remove this until you figure out your issue...
 

 Actually-- this was here so that I could dump the dmesg.  I wanted to 
 try to do it quickly before the machine froze again.  So no, it does
 not appear to be a USB issue-- I did do that.


Serial is your best friend! --Yes, your friend does have a habit of
picking fights when he's drunk, but none the less, he's still your best
friend, and he will help you out of most bad situations.


On the G3 Beige I have here, there are two serial ports, albeit one is
marked with a phone icon (TTYA), and the other is marked with a
printer icon (TTYB). The serial ports use a MiniDIN-8F connector,
rather than the DE-9 (mistakenly called DB-9) connector more
typically seen on x86 systems.

I've got no clue what kind of serial connector is used on your G4
Sawtooth, but if it uses MiniDIN-8F, you can easily find a converter to
DE-9. Run a null-modem cable between the G4 and your x86.

On your x86 box just use cu(1):

$ sudo cu -l /dev/tty00 -s 38400

Boot into OpenFirmware. Cmd-Opt-O-F
 setenv auto-boot? false
 setenv output-device ttya
 setenv input-device ttya
 reset-all

If you need to go back to the original values (i.e. get your apple
keyboard and display working again), just run `printenv` to see what
they were (usually display and kbd).

-- 
J.C. Roberts



Re: PF Seems To Reload Its Default Rules Unexpectedly

2009-03-21 Thread J.C. Roberts
On Sat, 21 Mar 2009 21:03:45 +0100 Henning Brauer
lists-open...@bsws.de wrote:

 whoever claims v6 would be any good has never written network code
 dealing with it.
 
 hey, compare these two which do the same, one for v4 and one for v6:
 
snip great code example
 
 don't get me started on the 160bit addresses (128 + 32 scope ID) which
 fuck up all alignment. 

 just v4 with addresses extended to 64bit (that is still an integer!)
 would have been sweet, with minor adjustments/additions like hopcount
 instead of ttl. maybe better crypto integration than ipsec today (v6
 doesn't solve that problem despite the claims it would either).

Thank you Henning.

-- 
J.C. Roberts



Re: snapshot upgrades

2009-03-21 Thread Aaron Stellman
On Sat, Mar 21, 2009 at 09:21:30PM -0500, Mark Bucciarelli wrote:
 Is there danger in upgrading to the latest
 snapshot using a script?
 
   - fetch tarballs and kernels
   - run sysmerge -s etc*.tgz
   - run sysmerge -x xetc*.tgz
you realize that sysmerge(8) is interactive, right?



snapshot upgrades

2009-03-21 Thread Mark Bucciarelli
Is there danger in upgrading to the latest
snapshot using a script?

  - fetch tarballs and kernels
  - run sysmerge -s etc*.tgz
  - run sysmerge -x xetc*.tgz
  - extract tarballs to their place
  - copy over kernels to root dir
  - pkg_add -ui -F update -F updatedepends
  - reboot

Thanks,

m



Re: Install freezes on macppc

2009-03-21 Thread Nick Holland
J.C. Roberts wrote:
...
 I've got no clue what kind of serial connector is used on your G4
 Sawtooth, but if it uses MiniDIN-8F, you can easily find a converter to
 DE-9. Run a null-modem cable between the G4 and your x86.

well..here's another feature of the newer MacPPC systems:
no serial port.  Actually, in at least some (most?) the hardware
exists inside the machine, intended for a (special) modem, but
doesn't have the line drivers needed for real RS232.

However, for a lot more than the $3 it would have cost Apple
to put the serial port on the back of the machine, you CAN buy
a doo-hickey which provides line drivers and a connection to
the outside world.  Barring that, however...no serial.

Nick.



Re: SOEKRIS - How to install MTR to a Flashdist image

2009-03-21 Thread Nick Holland
Frothingdog.ca wrote:
 I'm not sure of the command to run.  Can you elaborate on the command?
 Please keep in mind I'm pretty new to this.

How about just getting a 1G CF card, and doing a normal install?
What do you gain by inflicting this pain upon yourself?

http://www.openbsd.org/faq/faq14.html#flashmemBoot

Nick.



Re: snapshot upgrades

2009-03-21 Thread Nick Holland
Mark Bucciarelli wrote:
 Is there danger in upgrading to the latest
 snapshot using a script?

Usually, or edge case?

   - fetch tarballs and kernels
   - run sysmerge -s etc*.tgz
   - run sysmerge -x xetc*.tgz

as pointed out already, these are interactive programs...

   - extract tarballs to their place

now have new userland, old kernel.  Depending on how you did
it, you may have just tried to use a new tar on an old kernel.

   - copy over kernels to root dir

simple userland operation, probably will still work.
Usually...

   - pkg_add -ui -F update -F updatedepends

More complicated userland operation, might still work.  Lot
less likely this time.

   - reboot

if cp worked, this will probably work.  If cp didn't, reboot
might be broke now, too.

In short, it will often work...but if there is a flag day event,
you got an issue.  USUALLY, a new kernel will run an older
userland (though issues happen there, too, from time to time),
but there is never a promise made or effort expended that a
new userland app can run on an old kernel.

If it were always this simple, don't you think maybe OpenBSD
would include such an upgrade script?

The new upgrade45.html process (in short) is:
* copy over new kernels
* save a copy of /sbin/reboot
* unpack all tar files EXCEPT for baseXX.tgz and etcXX.tgz
* unpack baseXX.tgz (boom. might have just broke everything but
  running apps and the saved reboot program)
* reboot using saved reboot program
* do the /etc stuff
* do the packages
* reboot

THAT should work.  Shortcuts are on a "You've got to ask
yourself one question: 'Do I feel lucky?' Well, do ya punk?"
basis.

Nick.
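
The ordering in the message above, as an added example that is not part of the original thread or of OpenBSD: a dry-run planner that prints the commands in that order and runs nothing. The set names (base45.tgz and so on), the saved-reboot name /sbin/oreboot and the tar flags are assumptions; the sysmerge and pkg_add lines follow the forms quoted in the thread.

```shell
#!/bin/sh
# Dry-run planner: prints the upgrade commands in a safe order, runs nothing.
# Assumptions: sets are named like base45.tgz, the saved reboot binary is
# called /sbin/oreboot, and file names contain no spaces.

plan_upgrade() {
    dir=$1
    base="" etc="" xetc="" others=""
    [ -f "$dir/bsd" ] || { echo "no kernel (bsd) in $dir" >&2; return 1; }
    for f in "$dir"/*.tgz; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            base[0-9]*.tgz) base=$f ;;
            etc[0-9]*.tgz)  etc=$f ;;     # left for sysmerge, never unpacked
            xetc[0-9]*.tgz) xetc=$f ;;    # likewise
            *)              others="$others $f" ;;
        esac
    done
    [ -n "$base" ] || { echo "no base set in $dir" >&2; return 1; }

    # 1. New kernel goes in first, while the old userland still works.
    echo "cp $dir/bsd /bsd"
    # 2. Keep a reboot binary that matches the running (old) kernel.
    echo "cp /sbin/reboot /sbin/oreboot"
    # 3. Every set except base and the etc sets.
    for f in $others; do echo "tar -C / -xzphf $f"; done
    # 4. base last: from here on only the saved reboot is trusted.
    echo "tar -C / -xzphf $base"
    echo "/sbin/oreboot"
    # 5. After the reboot: config merge, packages, final reboot.
    [ -n "$etc" ]  && echo "sysmerge -s $etc"
    [ -n "$xetc" ] && echo "sysmerge -x $xetc"
    echo "pkg_add -ui -F update -F updatedepends"
    echo "reboot"
}

# Stand-alone use: sh plan.sh /path/to/snapshot-dir
if [ $# -gt 0 ]; then plan_upgrade "$1"; fi
```

The planner refuses to emit anything when the kernel or the base set is missing, since a partial plan is exactly the shortcut the message warns about.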



Re: snapshot upgrades

2009-03-21 Thread Jacob Meuser
On Sat, Mar 21, 2009 at 11:14:48PM -0400, Nick Holland wrote:
 Mark Bucciarelli wrote:
  Is there danger in upgrading to the latest
  snapshot using a script?
...
- run sysmerge -s etc*.tgz
- run sysmerge -x xetc*.tgz
 
 as pointed out already, these are interactive programs...
...
- pkg_add -ui -F update -F updatedepends
 
 More complicated userland operation, might still work.  Lot
 less likely this time.

and of course `-i' means to use interactive mode.

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org