Re: hier command not found: ksh: hier: not found

2009-03-23 Thread Theo de Raadt
> How to use hier?
> 
> I have run this command
> 
> # hier
> ksh: hier: not found
> 
> I tried
> 
> # man hier
> 
> I got the manual,
> 
> but when I try to run hier, it always says hier not found.
> 
> Is something missing from my installation on OpenBSD 4.4?

Yeah, it happens to me too:

# strcpy
ksh: strcpy: not found

Very strange...



hier command not found: ksh: hier: not found

2009-03-23 Thread my mail
How to use hier?

I have run this command

# hier
ksh: hier: not found

I tried

# man hier

I got the manual,

but when I try to run hier, it always says hier not found.

Is something missing from my installation on OpenBSD 4.4?

thx



Re: graphic card support

2009-03-23 Thread Aaron Stellman
On Tue, Mar 24, 2009 at 02:29:20AM +0000, Owain Ainsworth wrote:
> my PCI-E x800 works perfectly. So probably.
I thought that x800 series were based on R4xx chipsets. And based on
Matthieu's response, only r200/r300 supported DRI/DRM. Could you please
comment on that?
Thanks



Re: Browsers was: Re: firefox starts two times

2009-03-23 Thread Jacob Meuser
On Mon, Mar 23, 2009 at 05:22:34PM -0700, patrick keshishian wrote:
> On Mon, Mar 23, 2009 at 4:56 PM, Jacob Meuser  
> wrote:
> > On Mon, Mar 23, 2009 at 03:39:41PM -0700, patrick keshishian wrote:
> >> On Mon, Mar 23, 2009 at 1:35 PM, Nick Guenther  wrote:
> >> > Also, youtube matters. This is going to get me flamed but a lot of
> >> > worthwhile content is in form of video now and not making that work
> >> > disenfranchises yourself.
> >>
> >> There are methods of fetching just the video off youtube if that's all
> >> you want. I think I've even seen at least two scripts in ports that
> >> just do that (www/youtube-dl is one and the other I can't recall its
> >> names off top of my head). I don't know how well they work; never used
> >> them myself.
> >
> > isn't that sorta like using ftp(1) to get JPEGs from sites you're
> > browsing with lynx(1)?
> 
> Similar to how you might use `tar -zxvf some-port.tar.gz' after saving
> said attachment sent to po...@.

not really.  graphics and flash animations are intended to be seen in
the browser.  otherwise there would just be a link or an option to
download.

> Options to do things in different ways
> are always good.

sure.

> >> I agree with you on valuable/informative/entertaining content on youtube.
> >>
> >> Flash is open now, their specification docs were released. If it is
> >> important for folks, a truly open, reliable and secure versions
> >> should/could be implemented.
> >
> > I only got feedback from one person about swfdec update/sndio backend
> > addition.
> 
> do you read that as no interest in said port?

somewhat.

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



Network problems moving to new ISP (while keeping old ISP active)

2009-03-23 Thread Albert Chin
I have a network problem moving from our old ISP (ISPo) to the new ISP
(ISPn). Both ISPn and ISPo are active while we transition to ISPn.

Current config:

 --   --- 
| hisoka [em0] o-o ISPo  |
| (firewall)   |  ---
|[em1] o-+
|  | |    
|  | +--o SWITCH o--+
|[em4] o--+     |
| (69.67.212.126)  |  | |
|  (69.67.212.120/32)  |  | -   |
|  |  +o ISPn|  |
|[em5] o--+ -   |
|  (vlandev interface) |  | |
|  |  | |
|[vlan200] o--+   +--+  |
|   (10.123.40.6)  |  |  |  |
 --   +--+   |  |
 |   |  |
-o---o- |
   | SWITCH||
-o- |
 |  |
 |   -  |
 --   +--+  | hammer  | |
| killua   |  | | (firewall)   [fxp4] o-+
|   [bge0] o--+ | (69.67.212.94)  |
|   (10.123.40.2)  ||  (69.67.212.74/32)  |
 --  -

hisoka:/# ifconfig em0
em0: flags=8943 mtu 1500
lladdr 00:15:17:a6:32:5d
priority: 0
media: Ethernet autoselect (10baseT half-duplex)
status: active
inet6 fe80::215:17ff:fea6:325d%em0 prefixlen 64 scopeid 0x2
hisoka:/# ifconfig em1
em1: flags=8943 mtu 1500
lladdr 00:15:17:a6:32:5c
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::215:17ff:fea6:325c%em1 prefixlen 64 scopeid 0x3
hisoka:/# ifconfig em4
em4: flags=8943 mtu 1500
lladdr 00:14:4f:7c:fd:82
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX half-duplex)
status: active
inet 69.67.212.126 netmask 0xffffffe0 broadcast 69.67.212.127
inet6 fe80::214:4fff:fe7c:fd82%em4 prefixlen 64 scopeid 0x7
inet 69.67.212.120 netmask 0xffffffff broadcast 69.67.212.120
hisoka:/# ifconfig vlan200
vlan200: flags=8843 mtu 1500
lladdr 00:14:4f:7c:fd:83
priority: 0
vlan: 200 priority: 0 parent interface: em5
groups: vlan
inet6 fe80::214:4fff:fe7c:fd83%vlan200 prefixlen 64 scopeid 0xb
inet 10.123.40.6 netmask 0xfffffff8 broadcast 10.123.40.7
hisoka:/# cat /etc/bridgename.bridge0 
add em4
add em0
add em1
up
hisoka:/# brconfig
bridge0: flags=41
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
em1 flags=3
port 3 ifpriority 0 ifcost 0
em0 flags=3
port 2 ifpriority 0 ifcost 0
em4 flags=3
port 7 ifpriority 0 ifcost 0
hisoka:/# netstat -rn -f inet
Routing tables

Internet:
DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
default69.67.212.97   UGS999113 - 8 em4
10.123.40.0/29 link#11UC 20 - 4 vlan200
10.123.40.200:e0:81:2a:b5:1a  UHLc   2 3166 - 4 vlan200
10.123.40.400:1f:9e:7d:93:39  UHLc   113239 - 4 vlan200
69.67.212.96/27link#7 UC 20 - 4 em4
69.67.212.97   00:08:e3:b4:b8:e0  UHLc   12 - 4 em4
69.67.212.120  127.0.0.1  UGHS   01 33160 8 lo0
69.67.212.120/32   link#7 UC 00 - 4 em4
69.67.212.126  00:14:4f:7c:fd:82  UHLc   04 - 4 lo0
127/8  127.0.0.1  UGRS   00 33160 8 lo0
127.0.0.1  127.0.0.1  UH 2  405 33160 4 lo0
147.243.6.29   10.123.40.4UGHS   0   17 - 8 vlan200
224/4  127.0.0.1  URS00 33160 8 lo0

hammer:/# ifconfig fxp4  
fxp4: flags=8843 mtu 1500
lladdr 00:07:e9:5d:62:f8
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 69.67.212.94 netmask 0xffffffe0 broadcast 69.67.212.95
inet6 fe

Re: graphic card support

2009-03-23 Thread Owain Ainsworth
On Mon, Mar 23, 2009 at 12:37:23PM -0700, Aaron Stellman wrote:
> On Sun, Mar 22, 2009 at 08:52:43AM +0100, Matthieu Herrb wrote:
> > DRI/DRM on OpenBSD works on recent intel chips (i855 and up) and on
> > older ATI chips (r200/r300).
> > 
> Hello,
> I'm looking to get an X600 PCI-E card, which seems to be based on the RV380
> chipset, which is supposedly almost identical to other R3xx series, but
> uses PCI-E instead. Do you have any idea whether DRI/DRM works on these?

my PCI-E x800 works perfectly. So probably.

-0-
-- 
I used to work in a fire hydrant factory.  You couldn't park anywhere
near the place.
-- Steven Wright



Re: Browsers was: Re: firefox starts two times

2009-03-23 Thread Noah Pugsley
I've been using this for a month or two:

http://userscripts.org/scripts/show/34765

Works for more than just youtube also. Maybe I'm lazy but it's much 
easier than going to a shell and using yt or youtube-dl.

Matthias Kilian wrote:
> On Mon, Mar 23, 2009 at 03:39:41PM -0700, patrick keshishian wrote:
>   
>> There are methods of fetching just the video off youtube if that's all
>> you want. I think I've even seen at least two scripts in ports that
>> just do that (www/youtube-dl is one and the other I can't recall its
>> names off top of my head).
>> 
>
> net/yt



Re: Browsers was: Re: firefox starts two times

2009-03-23 Thread Nick Guenther
Thank you! And there's way more video sites than just youtube, and not
all of them are as rip-happy as it.

But flash support is only a small part of browsers and not really the point.

-Nick

On 23/03/2009, Jacob Meuser  wrote:
> On Mon, Mar 23, 2009 at 03:39:41PM -0700, patrick keshishian wrote:
>> On Mon, Mar 23, 2009 at 1:35 PM, Nick Guenther  wrote:
>> > Also, youtube matters. This is going to get me flamed but a lot of
>> > worthwhile content is in form of video now and not making that work
>> > disenfranchises yourself.
>>
>> There are methods of fetching just the video off youtube if that's all
>> you want. I think I've even seen at least two scripts in ports that
>> just do that (www/youtube-dl is one and the other I can't recall its
>> names off top of my head). I don't know how well they work; never used
>> them myself.
>
> isn't that sorta like using ftp(1) to get JPEGs from sites you're
> browsing with lynx(1)?
>
>> I agree with you on valuable/informative/entertaining content on youtube.
>>
>> Flash is open now, their specification docs were released. If it is
>> important for folks, a truly open, reliable and secure versions
>> should/could be implemented.
>
> I only got feedback from one person about swfdec update/sndio backend
> addition.
>
> --
> jake...@sdf.lonestar.org
> SDF Public Access UNIX System - http://sdf.lonestar.org



Re: Browsers was: Re: firefox starts two times

2009-03-23 Thread patrick keshishian
On Mon, Mar 23, 2009 at 4:56 PM, Jacob Meuser  wrote:
> On Mon, Mar 23, 2009 at 03:39:41PM -0700, patrick keshishian wrote:
>> On Mon, Mar 23, 2009 at 1:35 PM, Nick Guenther  wrote:
>> > Also, youtube matters. This is going to get me flamed but a lot of
>> > worthwhile content is in form of video now and not making that work
>> > disenfranchises yourself.
>>
>> There are methods of fetching just the video off youtube if that's all
>> you want. I think I've even seen at least two scripts in ports that
>> just do that (www/youtube-dl is one and the other I can't recall its
>> names off top of my head). I don't know how well they work; never used
>> them myself.
>
> isn't that sorta like using ftp(1) to get JPEGs from sites you're
> browsing with lynx(1)?

Similar to how you might use `tar -zxvf some-port.tar.gz' after saving
said attachment sent to po...@. Options to do things in different ways
are always good.

>> I agree with you on valuable/informative/entertaining content on youtube.
>>
>> Flash is open now, their specification docs were released. If it is
>> important for folks, a truly open, reliable and secure versions
>> should/could be implemented.
>
> I only got feedback from one person about swfdec update/sndio backend
> addition.

do you read that as no interest in said port?

--patrick



Re: Browsers was: Re: firefox starts two times

2009-03-23 Thread Jacob Meuser
On Mon, Mar 23, 2009 at 03:39:41PM -0700, patrick keshishian wrote:
> On Mon, Mar 23, 2009 at 1:35 PM, Nick Guenther  wrote:
> > Also, youtube matters. This is going to get me flamed but a lot of
> > worthwhile content is in form of video now and not making that work
> > disenfranchises yourself.
> 
> There are methods of fetching just the video off youtube if that's all
> you want. I think I've even seen at least two scripts in ports that
> just do that (www/youtube-dl is one and the other I can't recall its
> names off top of my head). I don't know how well they work; never used
> them myself.

isn't that sorta like using ftp(1) to get JPEGs from sites you're
browsing with lynx(1)?

> I agree with you on valuable/informative/entertaining content on youtube.
> 
> Flash is open now, their specification docs were released. If it is
> important for folks, a truly open, reliable and secure versions
> should/could be implemented.

I only got feedback from one person about swfdec update/sndio backend
addition.

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: Install freezes on macppc

2009-03-23 Thread Daniel Barowy

Paul M wrote:

> I was bitten by a similar issue on i386 hardware - freezes during
> install, or shortly thereafter.
> After too many hours bashing on it, I reinstalled the original windows
> disk, and it worked perfectly. I stress tested it for several days
> without a single (apparent) problem, but swapping out the disk and
> attempting a reinstall of 4.3, it would freeze again every time.
> Turned out to be bad RAM.

OK, I finally sat down today and fiddled with this some more.

First, I pulled all of the RAM, plugged in 1 x 256 MB SIMM, cleared the 
PRAM for good measure, and then ran the installer again. It froze as before.


Next, I pulled the upgraded processor, dropped in a stock 350 MHz Apple 
processor, cleared the PRAM again, and then ran the installer again. 
This time, the installer ran all the way through, the machine booted 
without any issues, and seemed to run fine through all the normal tasks 
I gave it to do (network transfers, disk formatting, installing a 
package, etc).


Then I shut the machine down and put the original 2GB memory back in, 
cleared PRAM, and started up again. No issues.


Then I shut down and put the upgraded processor back in, cleared PRAM, 
and booted again. Within a couple minutes, the machine froze again. I 
was able to reproduce this several times. So it looks like the processor 
is the culprit (bummer).


Interestingly, though, the line from the dmesg that Nick pointed out, 
"mem at mainbus0 not configured", did not appear in the installed copy 
of OpenBSD regardless of which processor or how much memory was in the 
machine. That only showed up when I booted from the CD.


Also, as a side note-- this machine does not have a serial port. At 
least, none that I am aware of. There's nothing remotely serial-like 
(not counting USB, that is) on the back panel. Just USB, IEEE1394a, 
RJ-45, RJ-11, and audio. Maybe there's some kind of header on the 
motherboard, but I think I'm done messing around with this machine for 
today.


Dan



[off-topic] Attacks on Intel's System Management Mode

2009-03-23 Thread João Salvatti
Joanna Rutkowska and Loic Duflot have simultaneously disclosed details
of vulnerabilities in Intel's caching mechanisms, which permit the
injection of code into the System Management Mode and ultimately the
placing of a virtually invisible rootkit.

"System Management Mode (SMM) is a relatively obscure mode on Intel
processors used for low-level hardware control", explain Embleton,
Sparks and Zou in a paper on SMM rootkits that's well worth reading.
"It has its own private memory space [SMRAM], and execution
environment which is generally invisible to code running outside
[it.]" By poisoning the cache of the CPU, Rutkowska can successfully
inject her own code, which then runs with maximum privileges, while
remaining invisible to the operating system and applications.

She provides a harmless "proof of concept" exploit that she claims
works on Intel's DQ35 board, among others. Embleton, Sparks and Zou
demonstrate what a genuine SMM rootkit could look like. Not much more
is known about Duflot's presentation at CanSecWest, other than the
title, "Getting into the SMRAM: SMM Reloaded".

Despite the far-reaching consequences of such SMM rootkits, there's no
need to panic. Fortunately, only theoretical concepts and a few
conceptual studies for laboratory environments have so far been heard
of. Nothing of the kind has yet been observed in the wild as a part of
malicious software.

Source: 
http://www.h-online.com/security/Attacks-on-Intel-s-System-Management-Mode--/news/112903



Re: Browsers was: Re: firefox starts two times

2009-03-23 Thread Matthias Kilian
On Mon, Mar 23, 2009 at 03:39:41PM -0700, patrick keshishian wrote:
> There are methods of fetching just the video off youtube if that's all
> you want. I think I've even seen at least two scripts in ports that
> just do that (www/youtube-dl is one and the other I can't recall its
> names off top of my head).

net/yt



Re: Browsers was: Re: firefox starts two times

2009-03-23 Thread patrick keshishian
On Mon, Mar 23, 2009 at 1:35 PM, Nick Guenther  wrote:
> Also, youtube matters. This is going to get me flamed but a lot of
> worthwhile content is in form of video now and not making that work
> disenfranchises yourself.

There are methods of fetching just the video off youtube if that's all
you want. I think I've even seen at least two scripts in ports that
just do that (www/youtube-dl is one and the other I can't recall its
names off top of my head). I don't know how well they work; never used
them myself.

I agree with you on valuable/informative/entertaining content on youtube.

Flash is open now, their specification docs were released. If it is
important for folks, a truly open, reliable and secure versions
should/could be implemented.

--patrick


>
> -Nick
>
> On 23/03/2009, Ingo Schwarze  wrote:
>> Hi Chris,
>>
>> very probably, you are not describing a bug, but the following feature.
>>
>> Chris wrote on Mon, Mar 23, 2009 at 02:15:10PM +1100:
>>
>>> When I start firefox (3.0.6) from the xterm shell, I get two firefox
>>> starting at the same time.
>>
>> Very probably, you are not getting two firefox processes,
>> but one firefox process managing two windows.
>> To check this, run
>>
>>  $ ps ax | grep firefox-bin
>>
>>> If I close one of them (by doing File - Exit),
>>
>> By chance, i still have the somewhat oldish firefox 3.0.6 installed
>> on a 4.5-current i386 box.  Here, the file menu doesn't contain
>> an "Exit" menu entry.
>>
>>> it closes both of them.
>>
>> When i do "File - Quit", i get a popup window
>>
>>  "Do you want Firefox to save your tabs and windows
>>   for the next time it starts?
>>
>>   [Checkbox] Do not ask next time
>>
>>   Button: Quit
>>   Button: Cancel
>>   Button: Save and Quit"
>>
>> Maybe you checked the checkbox and clicked "Save and Quit"?
>> When doing that, i can reproduce the behaviour you describe.
>>
>>> I have the same behavior from two
>>> different window managers: awesome and scrotwm.
>>
>> Probably, what you describe has nothing to do with the
>> operating system or the window manager, but with firefox itself.
>>
>> You can go to "Edit - Preferences - Main - Startup"
>> and select "When Firefox starts, Show my home page".
>> Actually, you wouldn't believe it from what the dialogue
>> texts in the browser say: But that will revert *exactly*
>> the effect of checking the box "Do not ask next time".
>> I checked this by diffing the prefs.js file before and after.
>>
>> If you want to keep the behaviour of restoring tabs and windows
>> on startup but just want to use only one window in the future,
>> just click "File - Close" in one of your two windows.
>>
>>
>> Now don't get me started on firefox.  It has turned so damn
>> MS-Windows-ish:  Creeping featurism wherever you look, features
>> hidden so well and in so many layers that you simply do not find
>> most of them even when you actively search for them, almost
>> nothing documented, incomprehensible names of features,
>> unintelligible correspondence between UI texts and configuration
>> option names, insecure to insane defaults and bloat, bloat, bloat...
>>
>> All the same, things you really need are not available, or you
>> need obscure plugins to achieve them.
>>
>>
>> So if anybody is going to write a browser that i would like,
>> i would probably contribute funding to allow several months of full
>> time work.  Yes, i know that a few months will hardly suffice.
>>
>> I would like the following:
>>  * Monolithic, fast, small and readable code; no plugins.
>>  * Secure, good privacy, high speed by default, and
>>    no way to move the global default settings away from that.
>>  * No useless knobs.  No drop-down menus.  No icon toolbars.
>>  * Do not bother about non-POSIX operating systems, i.e. assume that
>>    POSIX external utilities and C library calls are available.
>>  * Strict principle of not more than one HTTP request per click or ENTER.
>>  * No data ever sent across the wire without an explicit left click or
>>    ENTER.
>>  * Never reuse a tab for a different URL unless explicitly requested.
>>    Always use a new tab for each new URL.
>>  * Two URL bars, the upper showing the URL displayed in the current tab,
>>    the lower showing the URL the mouse is currently pointing at, including
>>    the TARGET tag, if any.  Prominently mark POST to distinguish it from
>>    GET.
>>    The lower URL bar can also be used for keyboard input.
>>  * A delete command (d) to close the current tab.
>>  * A goto command (g) to open a new tab and set the cursor to the URL line,
>>    such that "ghttp://www.openbsd.org/" gets you there.
>>  * An alias command (a) to define a bookmark to the current URL,
>>    for example "aobsd" to make "gobsd" work.
>>  * Show meta-information about embedded content, not the content itself,
>>    i.e. content type (e.g. IMG), file name or URL, ALT text, size if it
>>    is large.
>>  * Per-site and per-URL configuration database,

Re: SOEKRIS - How to install MTR to a Flashdist image

2009-03-23 Thread Floor Terra
> Now, if you run ldd on the pkg_add binary you would get:
>
> ldd: /usr/sbin/pkg_add: not an ELF executable
>
> and I am not really sure why is that. Experts comments welcome here!

That's because /usr/sbin/pkg_add is not an ELF executable.

$ file /usr/sbin/pkg_add
/usr/sbin/pkg_add: perl script text executable

You need to install Perl to be able to use the pkg_add script.

-- 
Floor Terra 
www: http://brobding.mine.nu/



Re: SOEKRIS - How to install MTR to a Flashdist image

2009-03-23 Thread Frothingdog.ca
Luis F Urrea wrote:
> 
> By default if I am not mistaken, flashdist does not include the "pkg_add"
> binary and therefore for the chroot suggestion you would at least need to
> get the "pkg_add" binary into the flash image.
> 
You are correct.


Luis F Urrea wrote:
> 
> The technique used in the flashdist script for getting things installed
> uses `ldd` on a binary to find its library dependencies and have them
> copied to the image. This is more likely to work at least for dynamically
> linked binaries which are fairly straightforward and in which you often
> do not need any more files than the binary and shared libraries.
> 
> You could use ldd as follows for wget as example:
> 
>  ldd /usr/local/bin/wget 2>/dev/null | egrep 'rlib|rtld' | awk '{print $7}' \
>      | sort -u | xargs tar -cvf - | tar -C /mnt/flashdist-image -xpf -
> 
> Where flashdist-image is the directory in which you have mounted the
> flashdist image
> 
> 
> Now, if you run ldd on the pkg_add binary you would get:
> 
> ldd: /usr/sbin/pkg_add: not an ELF executable
> 
> and I am not really sure why that is. Experts' comments welcome here!
> 
First attempt didn't work, but I'll work with it some more.


Luis F Urrea wrote:
> 
> Another option may be to use the -B option from pkg_add to define the
> chrooted environment as the destination dir, but I can't confirm that it
> would work as expected.
> 
Tried the -B option but I couldn't get that to work either.



Luis F Urrea wrote:
> 
> For packages in which the structure of required files is more complex,
> daemons such as samba and the like, using ldd may not suffice and such
> programs may fail to execute mysteriously. In such cases, the ktrace(1)
> and kdump(1) may come in handy.
> 
> ktrace followed by the filename will produce an output file named
> ktrace.out in the directory in which you run it. Then you need to use
> the kdump command to inspect the previously generated ktrace.out, look
> for files that the program is attempting to open, particularly for the
> NAMI (name-to-inode) translation, in order to get a clue of what files
> may be missing.
> 
> A third option involves creating a chroot sandbox environment and use two
> cookies to track file changes in the filesystem as described here:
> 
> http://labs.calyptix.com/openbsd-binary-patches-chroot.php
> 
> Readers familiar with OpenBSD ports will notice that this cookie technique
> is borrowed from the make system in the OpenBSD ports tree.
> 
> Hope this helps
> 
I'll read up on this.


Thanks Luis, the help is very appreciated.

Cheers
Brad

-- 
View this message in context: 
http://www.nabble.com/SOEKRIS---How-to-install-MTR-to-a-Flashdist-image-tp22636740p22668748.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.
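The quoted ldd technique, with the case Floor Terra explains (pkg_add is a perl script, so ldd rejects it) handled by following the #! line to the interpreter and resolving that in turn, as an added example that is not the flashdist script or any code from the thread. The ldd output, library version numbers and script headers in it are constructed stand-ins so it runs without an OpenBSD host.

```python
"""Work out which files a flashdist-style image needs so that one program
can run: the shared libraries and ld.so reported by OpenBSD's ldd(1), or,
when ldd answers "not an ELF executable" (as it does for /usr/sbin/pkg_add),
the interpreter named on the #! line, resolved the same way.
Added example, not the flashdist script; samples below are constructed."""
import subprocess

NOT_ELF = "not an ELF executable"

# Constructed ldd(1) output mirroring OpenBSD's column layout: column 3 is
# the object type, column 7 the path; the thread's pipeline keeps rlib/rtld.
SAMPLE_LDD = {
    "/usr/local/bin/wget": """\
/usr/local/bin/wget:
        Start    End      Type Open Ref GrpRef Name
        1c000000 1c0c4000 exe  1    0   0      /usr/local/bin/wget
        0a0a5000 0a0e8000 rlib 0    1   0      /usr/lib/libssl.so.13.0
        0a2d6000 0a3f1000 rlib 0    1   0      /usr/lib/libcrypto.so.16.0
        03c61000 03d0c000 rlib 0    1   0      /usr/lib/libc.so.48.0
        0b4b9000 0b4b9000 rtld 0    1   0      /usr/libexec/ld.so
""",
    "/usr/bin/perl": """\
/usr/bin/perl:
        Start    End      Type Open Ref GrpRef Name
        1c000000 1c0a0000 exe  1    0   0      /usr/bin/perl
        0f1a0000 0f2c0000 rlib 0    1   0      /usr/lib/libperl.so.12.0
        03c61000 03d0c000 rlib 0    1   0      /usr/lib/libc.so.48.0
        0b4b9000 0b4b9000 rtld 0    1   0      /usr/libexec/ld.so
""",
    # What the thread saw. ldd prints this on stderr, which the pipeline's
    # 2>/dev/null hides, so the copy step silently copies nothing.
    "/usr/sbin/pkg_add": "ldd: /usr/sbin/pkg_add: not an ELF executable\n",
}
# Constructed first bytes of the script involved.
SAMPLE_HEAD = {"/usr/sbin/pkg_add": b"#!/usr/bin/perl\nuse strict;\n"}


def parse_ldd(text):
    """Unique rlib/rtld paths in first-seen order: the thread's
    egrep 'rlib|rtld' | awk '{print $7}' | sort -u step."""
    deps = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[2] in ("rlib", "rtld") and f[6] not in deps:
            deps.append(f[6])
    return deps


def interpreter_of(head):
    """Interpreter path from a #! line, or None if the file is not a script."""
    first = head.split(b"\n", 1)[0]
    if not first.startswith(b"#!"):
        return None
    words = first[2:].decode("ascii", "replace").split()
    if words and words[0].endswith("/env") and len(words) > 1:
        return words[1]   # '#!/usr/bin/env perl': bare name, needs a PATH lookup
    return words[0] if words else None


def files_for(path, run_ldd, read_head, found=None):
    """Every file the image needs for `path` to run: the file itself, its
    libraries and ld.so, and for a script the interpreter plus its deps."""
    found = [] if found is None else found
    if path in found:
        return found
    found.append(path)
    out = run_ldd(path)
    if NOT_ELF in out:
        interp = interpreter_of(read_head(path))
        if interp is None:
            raise ValueError(f"{path}: neither an ELF executable nor a #! script")
        files_for(interp, run_ldd, read_head, found)
    else:
        for dep in parse_ldd(out):
            if dep not in found:
                found.append(dep)
    return found


def run_ldd_real(path):
    """ldd(1) on a real OpenBSD host; stderr is merged so NOT_ELF is seen."""
    p = subprocess.run(["ldd", path], capture_output=True, text=True)
    return p.stdout + p.stderr


def read_head_real(path, n=256):
    with open(path, "rb") as fh:
        return fh.read(n)


def demo(path):
    """Resolve `path` against the constructed samples instead of a live host."""
    return files_for(path, lambda p: SAMPLE_LDD.get(p, ""),
                     lambda p: SAMPLE_HEAD.get(p, b""))


if __name__ == "__main__":
    for prog in ("/usr/local/bin/wget", "/usr/sbin/pkg_add"):
        print(prog, "->", demo(prog))
```

ldd still cannot see the perl modules pkg_add loads at run time (the OpenBSD::* packages under /usr/libdata/perl5), which is exactly the case where the thread's ktrace/kdump suggestion applies.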



Browsers was: Re: firefox starts two times

2009-03-23 Thread Nick Guenther
I am no fan of firefox at all. I wish day and night it would work
without sucking so hard all the time. But tweak headers? Random
metacruft? That's feature creep too, just from a programmer's
perspective -- which is even worse if you want people to take it up
and use it and thus work out the bugs you missed.

What don't you like about lynx, w3m, links, links+, dillo, konqueror,
galeon, midori, or epiphany? If you're no fan of javascript then the
incompleteness of most of these browsers shouldn't bother you.
Personally I think that webkit is promising, even if epiphany+webkit
did segfault on me and doesn't have an OpenBSD package. With webkit it
*should* be possible to rapidly design any UI you want.

Also, youtube matters. This is going to get me flamed but a lot of
worthwhile content is in form of video now and not making that work
disenfranchises yourself.

-Nick

On 23/03/2009, Ingo Schwarze  wrote:
> Hi Chris,
>
> very probably, you are not describing a bug, but the following feature.
>
> Chris wrote on Mon, Mar 23, 2009 at 02:15:10PM +1100:
>
>> When I start firefox (3.0.6) from the xterm shell, I get two firefox
>> starting at the same time.
>
> Very probably, you are not getting two firefox processes,
> but one firefox process managing two windows.
> To check this, run
>
>  $ ps ax | grep firefox-bin
>
>> If I close one of them (by doing File - Exit),
>
> By chance, i still have the somewhat oldish firefox 3.0.6 installed
> on a 4.5-current i386 box.  Here, the file menu doesn't contain
> an "Exit" menu entry.
>
>> it closes both of them.
>
> When i do "File - Quit", i get a popup window
>
>  "Do you want Firefox to save your tabs and windows
>   for the next time it starts?
>
>   [Checkbox] Do not ask next time
>
>   Button: Quit
>   Button: Cancel
>   Button: Save and Quit"
>
> Maybe you checked the checkbox and clicked "Save and Quit"?
> When doing that, i can reproduce the behaviour you describe.
>
>> I have the same behavior from two
>> different window managers: awesome and scrotwm.
>
> Probably, what you describe has nothing to do with the
> operating system or the window manager, but with firefox itself.
>
> You can go to "Edit - Preferences - Main - Startup"
> and select "When Firefox starts, Show my home page".
> Actually, you wouldn't believe it from what the dialogue
> texts in the browser say: But that will revert *exactly*
> the effect of checking the box "Do not ask next time".
> I checked this by diffing the prefs.js file before and after.
>
> If you want to keep the behaviour of restoring tabs and windows
> on startup but just want to use only one window in the future,
> just click "File - Close" in one of your two windows.
>
>
> Now don't get me started on firefox.  It has turned so damn
> MS-Windows-ish:  Creeping featurism wherever you look, features
> hidden so well and in so many layers that you simply do not find
> most of them even when you actively search for them, almost
> nothing documented, incomprehensible names of features,
> unintelligible correspondence between UI texts and configuration
> option names, insecure to insane defaults and bloat, bloat, bloat...
>
> All the same, things you really need are not available, or you
> need obscure plugins to achieve them.
>
>
> So if anybody is going to write a browser that i would like,
> i would probably contribute funding to allow several months of full
> time work.  Yes, i know that a few months will hardly suffice.
>
> I would like the following:
>  * Monolithic, fast, small and readable code; no plugins.
>  * Secure, good privacy, high speed by default, and
>no way to move the global default settings away from that.
>  * No useless knobs.  No drop-down menus.  No icon toolbars.
>  * Do not bother about non-POSIX operating systems, i.e. assume that
>POSIX external utilities and C library calls are available.
>  * Strict principle of not more than one HTTP request per click or ENTER.
>  * No data ever sent across the wire without an explicit left click or
> ENTER.
>  * Never reuse a tab for a different URL unless explicitly requested.
>Always use a new tab for each new URL.
>  * Two URL bars, the upper showing the URL displayed in the current tab,
>the lower showing the URL the mouse is currently pointing at, including
>the TARGET tag, if any.  Prominently mark POST to distinguish it from
> GET.
>The lower URL bar can also be used for keyboard input.
>  * A delete command (d) to close the current tab.
>  * A goto command (g) to open a new tab and set the cursor to the URL line,
>such that "ghttp://www.openbsd.org/" gets you there.
>  * An alias command (a) to define a bookmark to the current URL,
>for example "aobsd" to make "gobsd" work.
>  * Show meta-information about embedded content, not the content itself,
>i.e. content type (e.g. IMG), file name or URL, ALT text, size if it
>is large.
>  * Per-site and per-URL configuration database, allowing things like
> - embedded image 

Re: dhcpd and mitel options

2009-03-23 Thread Stuart Henderson
On 2009-03-23, Lars Hansson  wrote:
> Hey,
> I have some problems with using OpenBSD 4.4's dhcpd together with
> Mitel VoIP phones that I'd hope someone could shed some light on.
> Mitel VoIP phones require custom options to load firmware, set VLAN
> etc. and I can't quite get it to work with OpenBSD's dhcpd. It works
> fine on a Linux box running isc-dhcp 3.0.6 although, curiously enough,
> not on isc-dhcp on OpenBSD 4.4.
>
> ISC-DHCP:
> # MITEL specific options
> option space mitel;
> option mitel.tftp code 128 = ip-address;
> option mitel.icp code 129 = ip-address;
> option mitel.id code 130 = text;
> option mitel.vlan code 132 = signed integer 32;
> option mitel.l2p code 133 = signed integer 32;
> option mitel.dscp code 134 = unsigned integer 8;
>
> option mitel.tftp   172.30.179.7;
> option mitel.icp10.107.10.17;
> option mitel.id "MITEL IP PHONE";
> option mitel.vlan   11;
> option mitel.l2p6;
> option mitel.dscp   46;
>
> I know OpenBSD's dhcp does not support options the same way but I
> thought the below would work:
>
> option option-128   "172.30.179.7";
> option option-129   "10.107.10.17";
..
> option mitel.vlan  02;
> option mitel.l2p06;
> option mitel.dscp   46;

you are giving these as text strings, but the phone actually requires IP
addresses or numbers.

you can patch like this,

Index: tables.c
===
RCS file: /cvs/src/usr.sbin/dhcpd/tables.c,v
retrieving revision 1.8
diff -N -u -p tables.c
--- tables.c13 Jan 2009 21:11:57 -  1.8
+++ tables.c23 Mar 2009 19:53:22 -
@@ -190,13 +190,13 @@ struct option dhcp_options[256] = {
{ "option-125", "X",&dhcp_universe, 125 },
{ "option-126", "X",&dhcp_universe, 126 },
{ "option-127", "X",&dhcp_universe, 127 },
-   { "option-128", "X",&dhcp_universe, 128 },
-   { "option-129", "X",&dhcp_universe, 129 },
-   { "option-130", "X",&dhcp_universe, 130 },
+   { "mitel-tftp", "I",&dhcp_universe, 128 },
+   { "mitel-icp", "I", &dhcp_universe, 129 },
+   { "mitel-id", "X",  &dhcp_universe, 130 },
{ "option-131", "X",&dhcp_universe, 131 },
-   { "option-132", "X",&dhcp_universe, 132 },
-   { "option-133", "X",&dhcp_universe, 133 },
-   { "option-134", "X",&dhcp_universe, 134 },
+   { "mitel-vlan", "l",&dhcp_universe, 132 },
+   { "mitel-l2p", "l", &dhcp_universe, 133 },
+   { "mitel-dscp", "B",&dhcp_universe, 134 },
{ "option-135", "X",&dhcp_universe, 135 },
{ "option-136", "X",&dhcp_universe, 136 },
{ "option-137", "X",&dhcp_universe, 137 },
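Review bot: the two groups of `-`/`+` lines drop the generic `option-128`..`option-130` and `option-132`..`option-134` names, so a dhcpd.conf that still says `option option-128 "172.30.179.7";` (the form quoted above) will fail to parse once this is applied; anyone carrying the patch locally has to rewrite those lines to the new names, e.g. `option mitel-tftp 172.30.179.7;`, and a comment next to the new entries saying the codes are not IANA-assigned would make that clear to the next reader. Minor: `mitel-id` keeps the opaque `X` format where the ISC config declared `text`; that works for the quoted `"MITEL IP PHONE"` value but deserves a note so it does not look like an oversight.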

these ones have a whole bunch of clashes with other vendor options (see
http://www.iana.org/assignments/bootp-dhcp-parameters/) and they aren't
assigned or tentatively assigned, so I don't think they can be hard-
coded into our dhcpd by default.
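To make the "text strings versus IP addresses or numbers" point concrete, here is an added example (not dhcpd code) that serialises the thread's Mitel options according to the format letters used in the patch above and decodes the result the way the phone sees it. The format letters (I = IPv4 address, l = signed 32-bit, B = unsigned 8-bit, X = string or hex passed through verbatim) and the values come from the thread; the encoder itself is this example's own.

```python
"""Encode DHCP options the way the format letters in dhcpd's tables.c
dictate, to show what a Mitel phone receives for code 128 before and after
the patch. Added example, not dhcpd code."""
import ipaddress
import struct

# Option table after the patch: code -> (name, format letter), from the hunk.
PATCHED_TABLE = {
    128: ("mitel-tftp", "I"),
    129: ("mitel-icp", "I"),
    130: ("mitel-id", "X"),
    132: ("mitel-vlan", "l"),
    133: ("mitel-l2p", "l"),
    134: ("mitel-dscp", "B"),
}
# Stock table: the same codes are generic opaque options, so a quoted
# value is sent as its ASCII bytes.
STOCK_TABLE = {code: (f"option-{code}", "X") for code in PATCHED_TABLE}

# Values from the thread's dhcpd.conf.
MITEL_VALUES = {
    128: "172.30.179.7",
    129: "10.107.10.17",
    130: "MITEL IP PHONE",
    132: 11,
    133: 6,
    134: 46,
}


def encode_value(fmt, value):
    """Serialise one option value according to its format letter."""
    if fmt == "I":
        return ipaddress.IPv4Address(value).packed      # 4 bytes
    if fmt == "l":
        return struct.pack(">i", int(value))            # big-endian int32
    if fmt == "B":
        n = int(value)
        if not 0 <= n <= 255:
            raise ValueError(f"{value!r} does not fit in one byte")
        return bytes([n])
    if fmt == "X":
        if isinstance(value, (bytes, bytearray)):
            return bytes(value)
        if isinstance(value, str):
            return value.encode("ascii")
        raise TypeError("X takes a quoted string or hex bytes, not a number")
    raise ValueError(f"unsupported format letter {fmt!r}")


def encode_option(table, code, value):
    """On-the-wire TLV (code, length, value) for one option."""
    _name, fmt = table[code]
    payload = encode_value(fmt, value)
    if len(payload) > 255:
        raise ValueError("option payload exceeds the one-octet length field")
    return bytes([code, len(payload)]) + payload


def encode_all(table, values=MITEL_VALUES):
    """Concatenate the TLVs for every Mitel option in code order."""
    return b"".join(encode_option(table, c, values[c]) for c in sorted(values))


def decode_options(blob):
    """Walk a TLV blob back into [(code, payload)]: the phone's view of it."""
    out, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option, carries no length byte
            i += 1
            continue
        length = blob[i + 1]
        out.append((code, blob[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def compare_tftp():
    """(stock, patched) encodings of code 128 for the same config value."""
    return (encode_option(STOCK_TABLE, 128, MITEL_VALUES[128]),
            encode_option(PATCHED_TABLE, 128, MITEL_VALUES[128]))


if __name__ == "__main__":
    stock, patched = compare_tftp()
    print("stock   option-128:", stock.hex())    # 12 ASCII bytes of the dotted quad
    print("patched mitel-tftp:", patched.hex())  # 4 bytes: ac1eb307
    for code, payload in decode_options(encode_all(PATCHED_TABLE)):
        print(code, PATCHED_TABLE[code][0], payload.hex())
```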



Re: graphic card support

2009-03-23 Thread Aaron Stellman
On Sun, Mar 22, 2009 at 08:52:43AM +0100, Matthieu Herrb wrote:
> DRI/DRM on OpenBSD works on recent intel chips (i855 and up) and on
> older ATI chips (r200/r300).
> 
Hello,
I'm looking to get an X600 PCI-E card, which seems to be based on the RV380
chipset, which is supposedly almost identical to other R3xx series, but
uses PCI-E instead. Do you have any idea whether DRI/DRM works on these?
Thanks



Re: SOEKRIS - How to install MTR to a Flashdist image

2009-03-23 Thread Luis F Urrea
There may be use cases for using flashdist, such as not having the "pkg_add"
package installed for security reasons and tailoring highly customized
images ready to be flashed for FWs, NAS, VoIP GWs and so on. So, in that
sense I am sure that the size of the flash is not the only motivation
nowadays.

By default if I am not mistaken, flashdist does not include the "pkg_add"
binary and therefore for the chroot suggestion you would at least need to
get the "pkg_add" binary into the flash image.

The technique used in the flashdist script for getting things installed uses
`ldd` on a binary to find its library dependencies and has them copied to
the image. This is more likely to work, at least for dynamically linked
binaries, which are fairly straightforward and for which you often do not need
any more files than the binary and shared libraries.

You could use ldd as follows for wget as example:

 ldd /usr/local/bin/wget 2>/dev/null | egrep 'rlib|rtld' | awk '{print $7}' \
   | sort -u | xargs tar -cvf - | tar -C /mnt/flashdist-image -xpf -

Where flashdist-image is the directory in which you have mounted the
flashdist image.


Now, if you run ldd on the pkg_add binary you would get:

ldd: /usr/sbin/pkg_add: not an ELF executable

and I am not really sure why is that. Experts comments welcome here!


Another option may be to use the -B option from pkg_add to define the
chrooted environment as the destination dir, but I can't confirm that it
would work as expected.

For packages in which the structure of required files is more complex,
daemons such as samba and the like, using ldd may not suffice and such
programs may fail to execute mysteriously. In such cases, ktrace(1) and
kdump(1) may come in handy.

ktrace followed by the filename will produce an output file named ktrace.out
in the directory in which you run it. Then you need to use kdump command to
inspect the previously generated ktrace.out, look for files that the program
is attempting to open, particularly for the NAMI (name-to-inode) translation
in order to get a clue of what files may be missing.

A third option involves creating a chroot sandbox environment and use two
cookies to track file changes in the filesystem as described here:

http://labs.calyptix.com/openbsd-binary-patches-chroot.php

Readers familiar with OpenBSD ports will notice that this cookie technique
is borrowed from the make system in the OpenBSD ports tree.

Hope this helps
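The ldd and ktrace/kdump steps above, as an added example (not code from this post or from flashdist): it lists what a binary needs from OpenBSD-style ldd output, stages those files under an image root, and reports the NAMI paths from kdump output that the image does not contain. The ldd and kdump excerpts are constructed, and the file names are illustrative.

```python
"""Added example, not code from the thread or flashdist: find what a binary
needs from ldd(1) output, stage those files under a flashdist-style image
root, and use kdump(1) NAMI records to spot files the program looked for
that the image lacks. The ldd/kdump output below is constructed."""
import os
import shutil

# Constructed OpenBSD-style `ldd /usr/local/bin/wget` output (7 columns).
SAMPLE_LDD = """\
/usr/local/bin/wget:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      /usr/local/bin/wget
        00000000 00000000 rlib 0    1   0      /usr/lib/libssl.so.11.0
        00000000 00000000 rlib 0    1   0      /usr/lib/libc.so.48.0
        00000000 00000000 rlib 0    1   0      /usr/lib/libc.so.48.0
        00000000 00000000 rtld 0    1   0      /usr/libexec/ld.so
"""

# Constructed kdump output: one open(2) that fails and one that succeeds.
SAMPLE_KDUMP = """\
 12345 wget     CALL  open(0x3c0001a0,0<O_RDONLY>)
 12345 wget     NAMI  "/etc/ssl/openssl.cnf"
 12345 wget     RET   open -1 errno 2 No such file or directory
 12345 wget     CALL  open(0x3c0001c0,0<O_RDONLY>)
 12345 wget     NAMI  "/etc/resolv.conf"
 12345 wget     RET   open 3
"""


def ldd_deps(ldd_output):
    """Shared objects (rlib) and the run-time linker (rtld) a binary needs.
    The header row and the exe row are skipped; duplicates are dropped."""
    deps = []
    for line in ldd_output.splitlines():
        fields = line.split()
        if len(fields) == 7 and fields[2] in ("rlib", "rtld"):
            if fields[6] not in deps:
                deps.append(fields[6])
    return deps


def stage_files(paths, image_root, src_root="/"):
    """Copy each path from src_root into image_root, keeping the directory
    layout (what flashdist does with tar). Returns the paths actually copied;
    a source missing on the build host is reported, not fatal."""
    copied = []
    for path in paths:
        src = os.path.join(src_root, path.lstrip("/"))
        dst = os.path.join(image_root, path.lstrip("/"))
        if not os.path.isfile(src):
            print("stage_files: %s not found on the build host" % src)
            continue
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)   # keep mode and mtime
        copied.append(path)
    return copied


def kdump_missing(kdump_output, image_root):
    """NAMI paths from kdump(1) output that are absent under image_root.
    NAMI is the name-to-inode lookup, so it shows every file the program
    tried to reach, including ones it only probed for."""
    missing = []
    for line in kdump_output.splitlines():
        fields = line.split(None, 3)
        if len(fields) == 4 and fields[2] == "NAMI":
            path = fields[3].strip().strip('"')
            if not os.path.exists(os.path.join(image_root, path.lstrip("/"))):
                if path not in missing:
                    missing.append(path)
    return missing


if __name__ == "__main__":
    deps = ldd_deps(SAMPLE_LDD)
    print("would stage:", ["/usr/local/bin/wget"] + deps)
    print("not in image:", kdump_missing(SAMPLE_KDUMP, "/mnt/flashdist-image"))
```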



Re: Tape Drive,

2009-03-23 Thread Brynet
Hey Milan,

I admit I haven't used a tape drive in some time, but could that be
indicative of a blank tape?

Make sure the tape really is rewound:

$ sudo mt rewind

-Brynet



Re: firefox starts two times

2009-03-23 Thread Ingo Schwarze
Hi Chris,

very probably, you are not describing a bug, but the following feature.

Chris wrote on Mon, Mar 23, 2009 at 02:15:10PM +1100:

> When I start firefox (3.0.6) from the xterm shell, I get two firefox
> starting at the same time.

Very probably, you are not getting two firefox processes,
but one firefox process managing two windows.
To check this, run

 $ ps ax | grep firefox-bin

> If I close one of them (by doing File - Exit),

By chance, i still have the somewhat oldish firefox 3.0.6 installed
on a 4.5-current i386 box.  Here, the file menu doesn't contain
an "Exit" menu entry.

> it closes both of them.

When i do "File - Quit", i get a popup window

 "Do you want Firefox to save your tabs and windows
  for the next time it starts?

  [Checkbox] Do not ask next time

  Button: Quit
  Button: Cancel
  Button: Save and Quit"

Maybe you checked the checkbox and clicked "Save and Quit"?
When doing that, i can reproduce the behaviour you describe.

> I have the same behavior from two
> different window managers: awesome and scrotwm.

Probably, what you describe has nothing to do with the
operating system or the window manager, but with firefox itself.

You can go to "Edit - Preferences - Main - Startup"
and select "When Firefox starts, Show my home page".
Actually, you wouldn't believe it from what the dialogue
texts in the browser say: But that will revert *exactly*
the effect of checking the box "Do not ask next time".
I checked this by diffing the prefs.js file before and after.

If you want to keep the behaviour of restoring tabs and windows
on startup but just want to use only one window in the future,
just click "File - Close" in one of your two windows.


Now don't get me started on firefox.  It has turned so damn
MS-Windows-ish:  Creeping featurism wherever you look, features
hidden so well and in so many layers that you simply do not find
most of them even when you actively search for them, almost
nothing documented, incomprehensible names of features,
unintelligible correspondence between UI texts and configuration
option names, insecure to insane defaults and bloat, bloat, bloat...

All the same, things you really need are not available, or you
need obscure plugins to achieve them.


So if anybody is going to write a browser that i would like,
i would probably contribute funding to allow several months of full
time work.  Yes, i know that a few months will hardly suffice.

I would like the following:
 * Monolithic, fast, small and readable code; no plugins.
 * Secure, good privacy, high speed by default, and
   no way to move the global default settings away from that.
 * No useless knobs.  No drop-down menus.  No icon toolbars.
 * Do not bother about non-POSIX operating systems, i.e. assume that
   POSIX external utilities and C library calls are available.
 * Strict principle of not more than one HTTP request per click or ENTER.
 * No data ever sent across the wire without an explicit left click or ENTER.
 * Never reuse a tab for a different URL unless explicitly requested.
   Always use a new tab for each new URL.
 * Two URL bars, the upper showing the URL displayed in the current tab,
   the lower showing the URL the mouse is currently pointing at, including
   the TARGET tag, if any.  Prominently mark POST to distinguish it from GET.
   The lower URL bar can also be used for keyboard input.
 * A delete command (d) to close the current tab.
 * A goto command (g) to open a new tab and set the cursor to the URL line,
   such that "ghttp://www.openbsd.org/" gets you there.
 * An alias command (a) to define a bookmark to the current URL,
   for example "aobsd" to make "gobsd" work.
 * Show meta-information about embedded content, not the content itself,
   i.e. content type (e.g. IMG), file name or URL, ALT text, size if it
   is large.
 * Per-site and per-URL configuration database, allowing things like
- embedded image download (off by default)
- CSS download (off by default)
- frame content download (off by default)
- accepting cookies (off by default)
- JavaScript execution (off by default)
   Store this DB in plain text, easy to browse with cd, ls and vi.
 * Do not use any files in the user's home directory except this DB
   and the cache explained below.  In particular, no .mozilla-like
   configuration directories.
 * When showing frames, always prominently mark the frame borders,
   and in the top line of each frame, always show the frame name
   and the current URL.
 * When asking about cookies, always show the full cookie content.
 * Always ask about HTTPS certificates, even when signed by commercial
   root CAs, always show the full certificate content at once, and one
   line stating the supporting chain of trust, if any.
   Require exactly one click: "Use once" or "Save".
   Cancel is useless as you can just close the tab.
   Do not try to explain what this is all about.
 * When interpreting JavaScript, state what the code is trying to do,
   i.e. display

Re: dhcpd and mitel options

2009-03-23 Thread Martin Gignac
> The Mitel phones complain that option 128 is missing (I take this to
> mean that it have the wrong format or type since it's obviously there)
> and goes no further.

Have you tried taking a packet capture of the DHCP dialog when using
Linux and when using OpenBSD, and then comparing the DHCP Offer from
both using Wireshark or some other packet dissector? That way you
could compare if option 128 is present in the offer from OpenBSD, and
if so, what the difference is between it and the Linux offer.

That might steer you in the right direction.

Just a thought,
-Martin

-- 
"We look forward to the time when the power to love will replace the
love of power. Then will our world know the blessings of peace."

  --William Ewart Gladstone



Hardware request.

2009-03-23 Thread Owain Ainsworth
Hi guys,

I've heard of a few nasty bugs in dual-head support on radeon graphics
hardware, but I've only got one monitor and can't fix them. It would be
great if someone would be willing to donate a pair of monitors capable
of 1600x1200. Specifically, it would be best if the monitor's status
menu had data on the incoming clock rates (sync frequencies, etc).
It would be preferable if they had both vga and dvi inputs.

If anyone can help out with this, please contact me off-list. I'm based
in London, UK.

Cheers,

-0-
-- 
A person is just about as big as the things that make him angry.



Re: spamd handling multiple sending servers

2009-03-23 Thread jmc
--- Stuart Henderson [Mon, Mar 23, 2009 at 01:54:44PM +]: --- 
> On 2009-03-23, jmc  wrote:
> >> In getting our low traffic email server running, the first thing I
> >> noticed while following the logs that sites like gmail et al will
> >> retry a message from a different host.  Sometimes gmail will send
> >> once, try again very soon again from the same host and then queue it,
> >> but the queued email might be sent by a different server.
> >
> > check greylisting.org.
> 
> it's useless. it doesn't list common pool senders from a block of /24
> or less (i.e. most of them) and it's not updated regularly. dnswl.org is
> better but it's a damn big list and if you load it into a PF table, even
> if you aggregate the addresses, it uses a huge chunk of kernel memory.

thanks for the tip on that, Stuart. i had the feeling the info there was
a bit long in the tooth as well.

dealing with the round-robin/common pool smtp hosts is something i've
not been completely happy with in my setup, so maybe i'll revisit how i
handle things here.



dhcpd and mitel options

2009-03-23 Thread Lars Hansson
Hey,
I have some problems with using OpenBSD 4.4's dhcpd together with
Mitel VoIP phones that I'd hope someone could shed some light on.
Mitel VoIP phones require custom options to load firmware, set VLAN
etc. and I can't quite get it to work with OpenBSD's dhcpd. It works
fine on a Linux box running isc-dhcp 3.0.6, although curiously enough
not on isc-dhcp on OpenBSD 4.4.

ISC-DHCP:
# MITEL specific options
option space mitel;
option mitel.tftp code 128 = ip-address;
option mitel.icp code 129 = ip-address;
option mitel.id code 130 = text;
option mitel.vlan code 132 = signed integer 32;
option mitel.l2p code 133 = signed integer 32;
option mitel.dscp code 134 = unsigned integer 8;

option mitel.tftp   172.30.179.7;
option mitel.icp    10.107.10.17;
option mitel.id     "MITEL IP PHONE";
option mitel.vlan   11;
option mitel.l2p    6;
option mitel.dscp   46;

I know OpenBSd's dhcp does not support options the same way but I
thought the below would work:

option option-128   "172.30.179.7";
option option-129   "10.107.10.17";
option option-130   "MITEL IP PHONE";
option mitel.vlan   02;
option mitel.l2p    06;
option mitel.dscp   46;

The Mitel phones complain that option 128 is missing (I take this to
mean that it has the wrong format or type, since it's obviously there)
and go no further.
I'm hoping it's just a matter of figuring out how to use the options
and format them correctly.

Cheers,
Lars Hansson
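A worked illustration of the type mismatch discussed in this thread, added here and not code from the posts or from dhcpd: it encodes the Mitel options as the ISC configuration types them and as the quoted strings of the OpenBSD attempt, then dissects both offers the way a packet dissector would. The option codes, types and values are the ones quoted above; the function names are assumptions.

```python
"""Added example, not code from the thread or from dhcpd: build the Mitel
options both ways discussed here, typed as the ISC config declares them and
as untyped option-N quoted strings, then dissect the bytes to show why the
phone reports option 128 as missing. Codes, types and values are the ones
quoted in the thread; the dissector is a plain RFC 2132 TLV walk."""
import ipaddress
import struct

# From the "option mitel.<name> code N = <type>;" lines of the ISC config.
MITEL_TYPES = {
    128: "ip-address",          # mitel.tftp
    129: "ip-address",          # mitel.icp
    130: "text",                # mitel.id
    132: "signed integer 32",   # mitel.vlan
    133: "signed integer 32",   # mitel.l2p
    134: "unsigned integer 8",  # mitel.dscp
}
# Values from the working ISC configuration.
MITEL_VALUES = {128: "172.30.179.7", 129: "10.107.10.17", 130: "MITEL IP PHONE",
                132: 11, 133: 6, 134: 46}
# Fixed wire sizes; "text" may be any length.
WIRE_LEN = {"ip-address": 4, "signed integer 32": 4, "unsigned integer 8": 1}


def encode_value(typ, value):
    """One value encoded as its ISC type puts it on the wire."""
    if typ == "ip-address":
        return ipaddress.IPv4Address(value).packed        # 4 raw bytes
    if typ == "text":
        return str(value).encode("ascii")                 # the characters
    if typ == "signed integer 32":
        return struct.pack(">i", int(value))              # 4 bytes, big-endian
    if typ == "unsigned integer 8":
        return struct.pack(">B", int(value))              # 1 byte
    raise ValueError("unknown ISC option type %r" % typ)

def encode_option(code, data):
    """RFC 2132 option: one-byte code, one-byte length, data."""
    if not 1 <= len(data) <= 255:
        raise ValueError("option %d: data length %d out of range" % (code, len(data)))
    return bytes([code, len(data)]) + data

def typed_offer(values=MITEL_VALUES, types=MITEL_TYPES):
    """Options field as the ISC config produces it, terminated by END."""
    body = b"".join(encode_option(c, encode_value(types[c], v)) for c, v in values.items())
    return body + b"\xff"

def quoted_string_offer(values=MITEL_VALUES):
    """Options field as `option option-N "..."` produces it: each option
    carries the characters of the string, not a 4-byte address or integer."""
    body = b"".join(encode_option(c, str(v).encode("ascii")) for c, v in values.items())
    return body + b"\xff"

def parse_options(buf):
    """Dissect an options field into {code: data}; PAD (0) is skipped,
    END (255) stops, a length running past the buffer is an error."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated option header at offset %d" % i)
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option %d: %d bytes declared, %d present" % (code, length, len(data)))
        opts[code] = data
        i += 2 + length
    return opts

def check_types(opts, types=MITEL_TYPES):
    """{code: problem} for each Mitel option that is absent or whose data
    cannot be the declared type; empty means the phone should accept it."""
    problems = {}
    for code, typ in types.items():
        if code not in opts:
            problems[code] = "missing"
        elif typ in WIRE_LEN and len(opts[code]) != WIRE_LEN[typ]:
            problems[code] = "%s needs %d bytes, got %d (%r)" % (
                typ, WIRE_LEN[typ], len(opts[code]), opts[code])
    return problems

def diff_offers(a, b):
    """{code: (a_data, b_data)} wherever two parsed offers differ."""
    return {c: (a.get(c), b.get(c)) for c in sorted(set(a) | set(b)) if a.get(c) != b.get(c)}

if __name__ == "__main__":
    isc, obsd = parse_options(typed_offer()), parse_options(quoted_string_offer())
    for code, problem in sorted(check_types(obsd).items()):
        print("option %d: %s" % (code, problem))
    print("differences:", diff_offers(isc, obsd))
```

To compare real offers as Martin suggests, feed parse_options the options field of each captured DHCPOFFER (the bytes after the magic cookie) and run diff_offers on the two results.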



Re: prioritizing carp interfaces

2009-03-23 Thread Joerg Streckfuss
Toni Mueller schrieb:
> Hi,
> 
> On Fri, 20.03.2009 at 14:28:46 +0100, Joerg Streckfuss 
>  wrote:
>> How does CARP behaves when on the master node two "unimportantly" interfaces
>> fail and on the backup node only the uplink interface fails? Does CARP
>> failover
>> to the backup node and as consequence the whole network will be disconnected
>> from the internet?
> 
> my reading of carp(4) is that the behaviour depends on the setting of
> 
> net.inet.carp.preempt
> 
> If set to 1, then firewalls only fail over as a whole, while if set to
> 0, interfaces fail over individually. With interfaces failing over
> individually, and with appropriate routing between your firewalls,
> traffic should flow through the remaining interfaces.
> 
> Please note that having interfaces fail over individually makes playing
> with pfsync and sasync *quite* interesting.
> Please also note that you could have more than two firewalls running
> CARP, so maybe the third (fourth, ...) firewall will keep you online.
> 
> I guess that the real solution is to have a known-good hardware that
> you can bring up in minutes sitting on the shelf, and yes, to live with
> some downtime.
> 
> 
> Kind regards,
> --Toni++
> 


Okay, sorry, I forgot to mention that on both hosts preempting is enabled.

So what happens when first on the master host two interfaces fail and on the
backup only one interface fails?

In my opinion preemption on both nodes has the effect that advskew is set to 240 on all
interfaces and as a consequence there is no host which could advertise faster
than the other host in the carp group.

Am I right in thinking that no failover should happen regardless of the number
of failed carp interfaces?

Kind regards,

Joerg

[demime 1.01d removed an attachment of type application/x-pkcs7-signature which 
had a name of smime.p7s]



Re: PF and CLamAV "Integration" - how to do it?

2009-03-23 Thread Protocol Six Consulting

Hi.

Thanks by the way for all this great feedback about ClamAV and PF
integration. Am learning a lot here. :-)

Just curious though about typical use-cases for smtp-vilter

I can see the PF integration being a great way to isolate virus-infected
hosts on a LAN by putting their IP addresses into a quarantine table on
the border firewall. Once the virus has been cleaned the host is removed
from the table (by the administrator) so that it can access the Internet
again.

Just curious, what response-policies do folks use (with smtp-vilter)
when hosts on the Internet send infected emails?
Do you block those hosts outright?
Or do you remove any attachments/pictures first and then forward just
the message body to the intended recipient?

I think smtp-vilter has just the right feature set.

:-)

Sarah




Marc Balmer wrote:

> Well, I am biased (I wrote smtp-vilter).  I wrote it quite some time ago
> because clamav-milter's quality was really bad.  And I needed
> LDAP and PF integration.  smtp-vilter was written with OpenBSD in
> mind.




Re: PKG_CACHE

2009-03-23 Thread Stephan A. Rickauer
export

thanks, Paul.

On Mon, 2009-03-23 at 16:49 +0100, Stephan A. Rickauer wrote:
> What magic do I miss to cache packages in PKG_CACHE? Must be really
> obvious, but I can't spot it.
> 
> # PKG_CACHE=/tmp
> # echo $PKG_CACHE
> /tmp
> # pkg_add -x nano
> Adding nano-2.0.7
> # ls -l /tmp/ 
> 
> (empty)
> 
> Thanks.
> 
-- 

 Stephan A. Rickauer

 ---
 Institute of Neuroinformatics Tel  +41 44 635 30 50
 University / ETH Zurich   Sec  +41 44 635 30 52
 Winterthurerstrasse 190   Fax  +41 44 635 30 53
 CH-8057 ZurichWebwww.ini.uzh.ch



Re: PKG_CACHE

2009-03-23 Thread Paul de Weerd
On Mon, Mar 23, 2009 at 04:49:58PM +0100, Stephan A. Rickauer wrote:
| What magic do I miss to cache packages in PKG_CACHE? Must be really
| obvious, but I can't spot it.
| 
| # PKG_CACHE=/tmp
| # echo $PKG_CACHE
| /tmp
| # pkg_add -x nano
| Adding nano-2.0.7
| # ls -l /tmp/ 
| 
| (empty)

exporting the variable :

[p...@office414] $ export PKG_CACHE=/tmp/pkgs
[p...@office414] $ mkdir /tmp/pkgs
[p...@office414] $ sudo pkg_add -x nano
Adding nano-2.0.9
[p...@office414] $ ls -l /tmp/pkgs
total 800
-rw-r--r--  1 root  wheel  386855 Mar 23 16:57 nano-2.0.9.tgz

Cheers,

Paul 'WEiRD' de Weerd

-- 
 http://www.weirdnet.nl/ 



Re: spamd handling multiple sending servers

2009-03-23 Thread Stephan A. Rickauer
> I sometimes find this a problem when running spamd at low-to-medium volume
> sites. (I use postgrey instead for those, which only looks at the first 24
> bits of the sender's IP address by default).

Sounds like an interesting option for spamd, too, doesn't it? Could be
called 'sloppy' mode ;)

-- 

 Stephan A. Rickauer

 ---
 Institute of Neuroinformatics Tel  +41 44 635 30 50
 University / ETH Zurich   Sec  +41 44 635 30 52
 Winterthurerstrasse 190   Fax  +41 44 635 30 53
 CH-8057 ZurichWebwww.ini.uzh.ch



Re: PKG_CACHE

2009-03-23 Thread Tobias Ulmer
On Mon, Mar 23, 2009 at 04:49:58PM +0100, Stephan A. Rickauer wrote:
> What magic do I miss to cache packages in PKG_CACHE? Must be really
> obvious, but I can't spot it.
> 
> # PKG_CACHE=/tmp
^^ export

> # echo $PKG_CACHE
> /tmp
> # pkg_add -x nano
> Adding nano-2.0.7
> # ls -l /tmp/ 
> 
> (empty)
> 
> Thanks.



PKG_CACHE

2009-03-23 Thread Stephan A. Rickauer
What magic do I miss to cache packages in PKG_CACHE? Must be really
obvious, but I can't spot it.

# PKG_CACHE=/tmp
# echo $PKG_CACHE
/tmp
# pkg_add -x nano
Adding nano-2.0.7
# ls -l /tmp/ 

(empty)

Thanks.



Re: Debugging "no route to host" problem?

2009-03-23 Thread Falk Brockerhoff

On 16.03.2009 at 14:58, Falk Brockerhoff - smartTERRA GmbH wrote:

> I run OpenBSD 4.4 GENERIC#1021 i386 on a Dell PowerEdge 2650 system
> as a firewall. LAN side I configured multiple carp interfaces,
> without any backup system at the moment (for testing purposes).
> Almost all is running fine, but sometimes I get a "no route to host"
> error, not for all routes/interfaces, but one or two...

I figured it out. I started monitoring several system, interface and
pf values and graphed them using cacti. So I was able to see a
dependency between the appearance of my problem and the number of
entries in pf's state table. Increasing this value solves the
problem.

Is there any possibility to get pf to log this "max entries of
state table exceeded" condition to syslog?


Regards,

Falk
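One way to get the warning Falk asks for, as an added example (not code from this thread or from pf): it reads the state-table fill level from `pfctl -si` and `pfctl -sm` output and emits a syslog message before the hard limit is reached. The pfctl excerpts are constructed in the layout pfctl(8) prints; the 90% threshold and the `pfstates` syslog tag are assumptions.

```python
"""Added example, not from the thread: read pf's state-table fill level from
`pfctl -si` and `pfctl -sm` output and warn via syslog before the limit is
hit, which is when new states start failing. The pfctl text below is
constructed; the threshold and the syslog tag are assumptions."""
import re
import subprocess
import sys

SAMPLE_SI = """\
Status: Enabled for 12 days 03:14:07           Debug: Urgent

State Table                          Total             Rate
  current entries                     9700
  searches                       834112344          789.2/s
  inserts                          9123456            8.6/s
  removals                         9113756            8.6/s
"""

SAMPLE_SM = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000
"""


def current_states(si_text):
    """The 'current entries' value from `pfctl -si`, or None if not found."""
    m = re.search(r"^\s*current entries\s+(\d+)", si_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def states_limit(sm_text):
    """The 'states hard limit' value from `pfctl -sm`, or None if not found."""
    m = re.search(r"^states\s+hard limit\s+(\d+)", sm_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def state_table_usage(si_text, sm_text):
    """(current, limit, percent) or None when either value is missing."""
    cur, lim = current_states(si_text), states_limit(sm_text)
    if cur is None or lim is None or lim == 0:
        return None
    return cur, lim, cur * 100 // lim


def usage_alert(si_text, sm_text, threshold=90):
    """The warning to log when usage reaches threshold percent, else None.
    Unparseable input is itself reported, so a broken check is not silent."""
    usage = state_table_usage(si_text, sm_text)
    if usage is None:
        return "pf state table: could not parse pfctl output"
    cur, lim, pct = usage
    if pct >= threshold:
        return ("pf state table at %d%% (%d of %d states); raise with "
                "'set limit states' in pf.conf" % (pct, cur, lim))
    return None


def pfctl(*args):
    """Run pfctl on a live system (needs root); not used by the sample run."""
    return subprocess.run(["pfctl"] + list(args), capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    si = pfctl("-si") if live else SAMPLE_SI
    sm = pfctl("-sm") if live else SAMPLE_SM
    msg = usage_alert(si, sm)
    if msg:
        import syslog   # Unix only; imported here so the parsing runs anywhere
        syslog.openlog("pfstates", 0, syslog.LOG_DAEMON)
        syslog.syslog(syslog.LOG_WARNING, msg)
        print(msg)
```

Run it with `--live` from cron every few minutes on the firewall; without the flag it evaluates the constructed sample.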



Re: spamd handling multiple sending servers

2009-03-23 Thread Stuart Henderson
On 2009-03-23, jmc  wrote:
>> In getting our low traffic email server running, the first thing I
>> noticed while following the logs that sites like gmail et al will
>> retry a message from a different host.  Sometimes gmail will send
>> once, try again very soon again from the same host and then queue it,
>> but the queued email might be sent by a different server.
>
> check greylisting.org.

it's useless. it doesn't list common pool senders from a block of /24
or less (i.e. most of them) and it's not updated regularly. dnswl.org is
better but it's a damn big list and if you load it into a PF table, even
if you aggregate the addresses, it uses a huge chunk of kernel memory.



Re: pf dynamic firewall for web portal ?

2009-03-23 Thread dug

Hello,

You can create a table in your conf file. Give access to this table.
Then you will be able to modify this table without changing your text
file or reloading it.
You can do this using pfctl options (specifically the -T option).




On 23 Mar 09 at 12:02, RJ45 wrote:

> Hello,
> I implemented an OpenBSD solution for a soekris appliance.
> My problem is that I have a web portal there and I need
> a new pass rule for each client IP authenticating.
> Actually this was easy to do with linux iptables,
> but how to do it with PF? Actually all the PF rules are
> in a file, and can be read from file. This is far
> from being a dynamic system. Rules must first be deleted from the file
> and then reloaded with pfctl.
> My problem is, how can I remove a single PF rule without
> modifying a text file and reloading all the rules?
>
> thanks
>
> Rick




Re: firefox starts two times

2009-03-23 Thread ropers
2009/3/23 Chris :
> When I start firefox (3.0.6) from the xterm shell, I get two firefox
> starting at the same time. If I close one of them (by doing File -
> Exit), it closes both of them. I have the same behavior from two
> different window managers: awesome and scrotwm.
>
> Has anyone else seen this behavior before?

Three questions:

(0)

When you have Firefox open --two times, as you say-- and you do

$ pgrep -l firefox

or

$ ps ax | grep firefox | grep -v grep

at the command line, precisely what does it say?

(1)

What version of Firefox do you use?

(2)

Assuming a recent 3.x Firefox version, under Edit -- Preferences --
Main -- Startup, what does it say next to "When Firefox starts"?

regards,
--ropers



Re: intel 5400 chipset support, was: Re: raidframe and hotplugd on 4.4

2009-03-23 Thread Toni Mueller
Hi David,

On Mon, 23.03.2009 at 09:48:36 +0100, David Vasek  wrote:
> On Sun, 22 Mar 2009, Toni Mueller wrote:
>> isa0 at mainbus0
>> com0 at isa0 port 0x3f8/0 irq4: ns8240, .. fifo
>
> Not that I would be able to help with this, just note that these two 
> lines are very different from the dmesg you posted previously. My guess 
> is you should prepare yourself for retyping the full dmesg.

yesterday, I typed from a blurry handset photo.  Anyway, I re-did the
experiment and managed to write down the exact error message. As far as
I can see, booting proceeds as normal to this point:

pciide0: channel 1 ignored (disabled)

Then, AHCI is detected and immediately followed by a crash:

ahci0 at pci0 dev 31 function 2 "Intel 6321ESD AHCI" rev 0x09: irq 11, AHCI 1.1
fatal protection fault in supervisor mode
trap type 4 mode 18b rip 802ba2f8 cs8 rflags 10202 cr2  0 cpi e rsp 
80b21b20

The operating system has halted.
...


While poking around in the BIOS, I also saw an option which suggested
that the machine can do something called "EFI OS booting" (or similar).
Should I enable this?


Kind regards,
--Toni++



Re: pf dynamic firewall for web portal ?

2009-03-23 Thread Arnaud van Cortenbosch

Hi,


> I implemented an OpenBSD solution for a soekris appliance.
> My problem is that I have a web portal there and I need
> a new pass rule for each client IP authenticating.
> Actually this was easy to do with linux iptables,
> but how to do it with PF? Actually all the PF rules are
> in a file, and can be read from file. This is far
> from being a dynamic system. Rules must first be deleted from the file
> and then reloaded with pfctl.
> My problem is, how can I remove a single PF rule without
> modifying a text file and reloading all the rules?



Maybe you can use tables :
http://www.openbsd.org/faq/pf/tables.html

and use pfctl(8) to update such tables (options -t and -T)



Re: pf dynamic firewall for web portal ?

2009-03-23 Thread James Wright
RJ45  slacknet.com> writes:

> 
> Hello,
> I implemented an OpenBSD solution for a soekris appliance.
> My problem is that I have a web portal there and I need
> a new pass rule for each client IP authenticating.
> Actually this was easy to do with linux iptables,
> but how to do it with PF? Actually all the PF rules are
> in a file, and can be read from file. This is far
> from being a dynamic system. Rules must first be deleted from the file
> and then reloaded with pfctl.
> My problem is, how can I remove a single PF rule without
> modifying a text file and reloading all the rules?
> 
> thanks
> 
> Rick
> 
> 


This seems like a job for tables, just use a table as the match for your pass
rule and add and remove addresses from it. look at sysutils/tabled in ports if
you're manipulating this table from !root.

If you really need individual pass rules, look at anchors, though adding and
removing rules dynamically is a simple matter of programming (look at pf(4) for
details).  Failing that, you can also flush and reload your anchor ruleset (not
your whole ruleset) with pfctl -a, though from your mail that doesn't seem to
appeal.  If the number of IPs you are passing on is large enough, a table is
probably best.
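The table approach from the replies in this thread, as an added example (not code from the posts or from pfctl): a small portal session store that adds an authenticated client to a pf table with `pfctl -T add`, removes it and kills its states on logout or expiry, and validates the client address before it goes anywhere near pfctl. The table name, the pf.conf lines in the comment and the client addresses are assumptions.

```python
"""Added example, not code from the thread: manage the pf table a captive
portal's pass rule matches against, with pfctl -T add/delete as the replies
describe, plus sessions that expire so the pass does not outlive the login.
Table name, pf.conf lines and addresses are assumptions; pfctl is only
invoked through `runner`, so the logic can be exercised without root."""
import ipaddress
import subprocess

TABLE = "portal_authed"
# Assumed pf.conf:
#   table <portal_authed> persist
#   pass in quick on $int_if from <portal_authed> to any


def client_address(addr):
    """Canonical IPv4 string for a client, or ValueError. The portal takes
    this from the web session, so it is validated before it is used, and it
    is passed to pfctl as an argv element, never through a shell."""
    ip = ipaddress.ip_address(str(addr).strip())
    if ip.version != 4 or ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        raise ValueError("not a usable client address: %r" % (addr,))
    return str(ip)


def run_pfctl(argv):
    """Default runner: execute pfctl (needs root); returns its exit status."""
    return subprocess.run(argv, check=False).returncode


class Portal:
    def __init__(self, ttl=3600, runner=run_pfctl, table=TABLE):
        self.ttl = ttl            # seconds a login stays valid
        self.runner = runner
        self.table = table
        self.sessions = {}        # ip -> login time

    def login(self, addr, now):
        ip = client_address(addr)
        rc = self.runner(["pfctl", "-t", self.table, "-T", "add", ip])
        if rc == 0:
            self.sessions[ip] = now
        return rc

    def logout(self, addr):
        ip = client_address(addr)
        self.sessions.pop(ip, None)
        rc = self.runner(["pfctl", "-t", self.table, "-T", "delete", ip])
        # kill the client's existing states too, or open connections survive
        self.runner(["pfctl", "-k", ip])
        return rc

    def expire(self, now):
        """Log out every session older than ttl; returns the addresses removed."""
        stale = [ip for ip, t in self.sessions.items() if now - t >= self.ttl]
        for ip in stale:
            self.logout(ip)
        return stale


if __name__ == "__main__":
    # Dry run: print the pfctl commands instead of executing them.
    def show(argv):
        print(" ".join(argv))
        return 0
    portal = Portal(ttl=600, runner=show)
    portal.login("192.0.2.10", now=1000)
    try:
        portal.login("192.0.2.10; reboot", now=1001)
    except ValueError as e:
        print("rejected:", e)
    print("expired:", portal.expire(now=2000))
```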



relayd vs loopback interface

2009-03-23 Thread Xavier Beaudouin
Hello,

I'd like to create a setup with relayd to allow bounce-back access
to a VIP, e.g. allowing machines behind the load balancer to access other
VIPs.

In order to do that I want to put the VIPs on loopback and set /32
routes against the public network to reach them.

Now, are there any problems with such a setup, or clues about it?

Thanks to your replies and any pointers.

/xavier

[demime 1.01d removed an attachment of type application/pkcs7-signature which 
had a name of smime.p7s]



Tape Drive,

2009-03-23 Thread Milan Prihoda

Hi,
I've got an old IBM tape drive.
When I connect it in my box, i get (in dmesg):
...
Mar 23 10:12:25 yetti /bsd: scsibus0 at ahc0: 16 targets, initiator 7
Mar 23 10:12:25 yetti /bsd: st0 at scsibus0 targ 0 lun 0: 4200, I09X> SCSI2 1/sequential removable
Mar 23 10:12:25 yetti /bsd: cd0 at scsibus0 targ 1 lun 0: CDRM00203 !K, RZ28> SCSI2 5/cdrom removable

...

If I feed a tape in, the drive rewinds it, and afterwards,
when I try to access that drive (via the mt(1) command or dump(8)),

i get (in dmesg):

...
st0(ahc0:0:0): Check Condition (error 0x70) on opcode 0x15
   SENSE KEY: Illegal Request
ASC/ASCQ: End-Of-Partition/Medium Detected
st0: cannot set selected mode
...

I have poor knowledge about SCSI, maybe it's stupid.

Have you any idea?
Thanks

Milan Prihoda



pf dynamic firewall for web portal ?

2009-03-23 Thread RJ45

Hello,
I implemented an OpenBSD solution for a soekris appliance.
My problem is that I have a web portal there and I need
a new pass rule for each client IP authenticating.
Actually this was easy to do with linux iptables,
but how to do it with PF? Actually all the PF rules are
in a file, and can be read from file. This is far
from being a dynamic system. Rules must first be deleted from the file
and then reloaded with pfctl.
My problem is, how can I remove a single PF rule without
modifying a text file and reloading all the rules?


thanks

Rick



Re: spamd handling multiple sending servers

2009-03-23 Thread jmc
--- Mikel Lindsaar [Mon, Mar 23, 2009 at 06:59:03PM +1100]: --- 
> Hi all,
> 
> New user to spamd, love it.
> 
> In getting our low traffic email server running, the first thing I
> noticed while following the logs that sites like gmail et al will
> retry a message from a different host.  Sometimes gmail will send
> once, try again very soon again from the same host and then queue it,
> but the queued email might be sent by a different server.

check greylisting.org. there's a list of ``misbehaving mailers'' you can
consider starting with. you'll need to create whitelists for these
addresses to shunt them around spamd. note that this list calls its
contents ``misbehaving mailers''. some of these addresses may be just
that, while others may be ranges that use pools of ip addresses for
sending mail.

there was once a script that was posted here that basically takes the
output of a site's SPF records and creates pf tables to be used as a
whitelist:

dig TXT _spf.google.com. +short

for example.

now anytime i see a domain i know i've heard from before, i suspect a
round-robining smtp send pool and just query that SPF record to create a
whitelist entry for it.
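The SPF-to-whitelist idea above, as an added example (not the script jmc mentions, nor code from this thread): it walks a domain's SPF record, follows include: and redirect= within the RFC 7208 lookup budget, keeps only pass-qualified ip4:/ip6: terms, aggregates them and renders a pf table file. The resolver is a dictionary of constructed records standing in for dig; the example.com names and the address ranges are made up.

```python
"""Added example, not code from the thread: turn a domain's SPF record (what
`dig TXT _spf.google.com. +short` returns) into a pf table of the networks
that domain sends from, so a pool of round-robin MTAs can be whitelisted
around spamd in one go. The resolver below is a table of constructed records
standing in for dig; the example.com names and ranges are made up."""
import ipaddress

# Constructed TXT records in the quoted form dig +short prints.
SPF_RECORDS = {
    "example.com": '"v=spf1 include:_spf.example.com ~all"',
    "_spf.example.com": '"v=spf1 include:_netblocks.example.com '
                        'include:_netblocks2.example.com ~all"',
    "_netblocks.example.com": '"v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 '
                              'ip4:198.51.100.16/28 ~all"',
    "_netblocks2.example.com": '"v=spf1 ip6:2001:db8::/32 '
                               'ip4:198.51.100.32/28 -ip4:203.0.113.0/24 -all"',
    "loop.example.com": '"v=spf1 include:loop.example.com ip4:203.0.113.9 -all"',
}

MAX_LOOKUPS = 10   # RFC 7208 caps DNS-querying terms per evaluation at 10


def lookup_spf(name, records=SPF_RECORDS):
    """Stand-in for dig: the unquoted SPF record for name, or None."""
    rec = records.get(name)
    return rec.strip('"') if rec is not None else None


def spf_networks(domain, records=SPF_RECORDS, _seen=None, _budget=None):
    """ip4:/ip6: networks reachable from domain's SPF record, following
    include: and redirect=. Terms with a non-pass qualifier (-, ~, ?) are
    skipped, since they must not land in a whitelist. Include loops and the
    lookup budget are honoured; a:, mx:, ptr and exists: need live DNS and
    are left out here."""
    seen = set() if _seen is None else _seen
    budget = [MAX_LOOKUPS] if _budget is None else _budget
    if domain in seen or budget[0] <= 0:
        return []
    seen.add(domain)
    budget[0] -= 1
    rec = lookup_spf(domain, records)
    if rec is None or not rec.startswith("v=spf1"):
        return []
    nets = []
    for term in rec.split()[1:]:
        if term[0] in "-~?":
            continue
        term = term.lstrip("+")
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets.extend(spf_networks(term[8:], records, seen, budget))
        elif term.startswith("redirect="):
            nets.extend(spf_networks(term[9:], records, seen, budget))
    return nets


def pf_table_text(nets):
    """Aggregate adjacent networks (each table entry costs kernel memory, as
    noted elsewhere in the thread) and render one per line, ready for
    `table <spamd-white> persist file "/etc/mail/spf-whitelist"`."""
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return "".join("%s\n" % n for n in list(v4) + list(v6))


if __name__ == "__main__":
    # Against real DNS, replace lookup_spf with a dig call or a resolver library.
    print(pf_table_text(spf_networks("example.com")), end="")
```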



Re: spamd handling multiple sending servers

2009-03-23 Thread Stuart Henderson
On 2009-03-23, Mikel Lindsaar  wrote:
> In getting our low traffic email server running, the first thing I
> noticed while following the logs that sites like gmail et al will
> retry a message from a different host.  Sometimes gmail will send
> once, try again very soon again from the same host and then queue it,
> but the queued email might be sent by a different server.

I sometimes find this a problem when running spamd at low-to-medium volume
sites. (I use postgrey instead for those, which only looks at the first 24
bits of the sender's IP address by default).

> Has anyone looked at using the message ID in deciding to whitelist a
> host?  ie, track the hosts by IP address, but if a previously
> greylisted host has sent message id 1234 and another host tries to
> redeliver 1234 within the passtime requirements, whitelist both?
>
> Obviously it would be an optional flag, but it seems the likelihood
> of some spam bot being able to guess the message id and who has just
> sent you a message to bypass this would be low.

Far too easily defeated. People would just base the message-id on the
HELO/from/to addresses...



Re: Parallel build in ports - make -j4

2009-03-23 Thread Stuart Henderson
On 2009-03-23, Pedro de Oliveira  wrote:
> Thanks for that, it worked!
>
> I added the following to my root .profile:
> export PARALLEL_BUILD=Yes
> export MAKE_JOBS=4

N.B. this does not work with all ports.

If you're building a number of ports at the same time and want to do these
in parallel, look at /usr/ports/infrastructure/build/dpb, which normally runs
one build job per cpu in the system (and takes care of dependencies etc).



Re: Parallel build in ports - make -j4

2009-03-23 Thread Pedro de Oliveira
Thanks for that, it worked!

I added the following to my root .profile:
export PARALLEL_BUILD=Yes
export MAKE_JOBS=4

Someone should add this to bsd.port.mk(5).

Regards,
Pedro de Oliveira

On Sun, Mar 22, 2009 at 2:34 PM, Pedro de Oliveira 
wrote:
> Hello,
>
> I was wondering if there's any way to use make -j4 when building ports
from
> source? Any obscure option on mk.conf?
>
> Currently if I run on a port, for example: make -j4 install it just uses
one
> thread on the makefile of the port.
>
> Is there any way to pass the "-j4" option to make command inside the port?
>
>

My guess is you want to use the MAKE_JOBS environment variable. Take a
look in bsd.port.mk

-- 
Jason



Re: might be slightly OT: `probability in PF'

2009-03-23 Thread Jeffrey 'jf' Lim
On Mon, Mar 23, 2009 at 4:27 PM, Stephan A. Rickauer
 wrote:
> On Sat, 2009-03-21 at 12:14 +0100, Henning Brauer wrote:
>> * jmc  [2009-03-11 15:05]:
>> > so anyway, how are _you_ using probability?
>>
>> it's high on my list of useless features in pf I'd rather remove.
>> if anybody is actually using it, I'd like to hear about it.
>
> Once in a while a re-spot this 'feature' in the man pages and find it
> very cool. But then I can't come up with any idea of how to use it
> sanely. Could that be a case of 'uselessness'? ;)
>
> (never had to simulate bad lines so far, have enough of real ones)
>

Artur's use of throwing a spanner into the works of anybody who has
been blacklisted seems like a very good use case. I would use it that
way too. As opposed to outright blocking ("100%"), or outright
dropping, it makes it harder for them to think that they have been
found out. If you drop or block outright, that just means that they
will simply jump onto another different ip. I imagine they would call
up their own ISP, do network troubleshooting, blah blah, before they
conclude that it is you that is really causing the problem.

-jf

--
In the meantime, here is your PSA:
"It's so hard to write a graphics driver that open-sourcing it would not help."
-- Andrew Fear, Software Product Manager, NVIDIA Corporation
http://kerneltrap.org/node/7228



Re: intel 5400 chipset support, was: Re: raidframe and hotplugd on 4.4

2009-03-23 Thread David Vasek

On Sun, 22 Mar 2009, Toni Mueller wrote:


> Hi,
>
> [ hijacking my own thread in order to avoid posting the dmesg twice... ]
>
> I tried to enable AHCI mode on this computer with the intel 5400
> chipset on board. This resulted in the kernel not finding the disks,
> after they were registered fine with the BIOS. So I thought, I'd peek
> at the disks using the CD, but running bsd.rd caused a hard crash which
> required me to press the reset button. This is the error message that I
> got (typed from a blurred image):
>
> ...
> isa0 at mainbus0
> com0 at isa0 port 0x3f8/0 irq4: ns8240, .. fifo


Not that I would be able to help with this, just note that these two lines
are very different from the dmesg you posted previously. My guess is you
should prepare yourself for retyping the full dmesg. In addition to that,
"ns8240" must be a typo.


Regards,
David



Re: might be slightly OT: `probability in PF'

2009-03-23 Thread Stephan A. Rickauer
On Sat, 2009-03-21 at 12:14 +0100, Henning Brauer wrote:
> * jmc  [2009-03-11 15:05]:
> > so anyway, how are _you_ using probability?
> 
> it's high on my list of useless features in pf I'd rather remove.
> if anybody is actually using it, I'd like to hear about it.

Once in a while I re-spot this 'feature' in the man pages and find it
very cool. But then I can't come up with any idea of how to use it
sanely. Could that be a case of 'uselessness'? ;)

(never had to simulate bad lines so far, have enough of real ones)



Re: spamd handling multiple sending servers

2009-03-23 Thread Stephan A. Rickauer
Hi,

On Mon, 2009-03-23 at 18:59 +1100, Mikel Lindsaar wrote:
> I understand that spamd is tracking messages based on sender, receiver
> and IP address, and then this can cause the problem.

Spamd doesn't 'track messages'. All it does is store a tuple of
sender, recipient and IP address and quit the smtp dialog as soon as
the sender enters the DATA phase. No time for reading anything like the
message ID or other stuff of the email since the connection is aborted
way earlier.

Cheers,
Stephan

-- 
---
StarTek - secure by design   Tel  ++41 44 500 111-0
Postfach 19  Fax  ++41 44 500 111-2
CH-8118 Pfaffhausen/ZH   Web  http://startek.ch

RSA public key for email: http://startek.ch/people/star/key
---



spamd handling multiple sending servers

2009-03-23 Thread Mikel Lindsaar
Hi all,

New user to spamd, love it.

In getting our low traffic email server running, the first thing I
noticed while following the logs is that sites like gmail et al will
retry a message from a different host.  Sometimes gmail will send
once, try again very soon from the same host and then queue it,
but the queued email might be sent by a different server.

I understand that spamd is tracking messages based on sender, receiver
and IP address, and then this can cause the problem.

Has anyone looked at using the message ID in deciding to whitelist a
host?  ie, track the hosts by IP address, but if a previously
greylisted host has sent message id 1234 and another host tries to
redeliver 1234 within the passtime requirements, whitelist both?

Obviously it would be an optional flag, but it seems the likelihood
of some spam bot being able to guess the message id and who has just
sent you a message to bypass this would be low.

Open to ideas and if it is already on the cards great, if not, willing
to look into the source myself.

Mikel
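The bookkeeping both messages are about, as an added Python model that is not spamd's code: greylisting keyed on the (source IP, sender, recipient) tuple that Stephan describes, with nothing from the message body available because the dialog is cut off at DATA. The passtime of 25 minutes and the grey-entry expiry of 4 hours are assumptions taken from spamd(8)'s default -G values; the addresses, sender and timings in EVENTS are constructed to replay the gmail pattern from Mikel's post.

```python
"""Greylisting keyed on (source IP, sender, recipient).

Added example, not spamd's own code. It models only what spamd stores:
the tuple and the time it was first seen. The SMTP session is dropped at
DATA, so no Message-ID or other header is ever available to key on.
"""

# Assumed timings, taken from spamd(8)'s default "-G 25:4:864"
# (passtime in minutes, greyexp in hours); expressed in seconds here.
PASSTIME = 25 * 60
GREYEXP = 4 * 3600


class Greylist:
    def __init__(self):
        # (ip, sender, rcpt) -> time the tuple was first seen
        self.grey = {}
        # ip -> time the host was whitelisted
        self.white = {}

    def offer(self, ip, sender, rcpt, now):
        """Decide one delivery attempt; returns 'PASS' or 'GREY'.

        Only the envelope is consulted: the caller never gets to DATA.
        """
        if ip in self.white:
            # Whitelisting is per host, so any sender/recipient passes.
            return "PASS"
        key = (ip, sender, rcpt)
        first = self.grey.get(key)
        if first is None or now - first > GREYEXP:
            # Unknown tuple, or one whose grey entry has aged out:
            # record (or reset) it and tell the client to come back later.
            self.grey[key] = now
            return "GREY"
        if now - first >= PASSTIME:
            # Same tuple retried after passtime: whitelist the host.
            self.white[ip] = now
            del self.grey[key]
            return "PASS"
        # Retried too soon from the same host: still grey.
        return "GREY"


def simulate(events, greylist=None):
    """Replay (time, ip, sender, rcpt) attempts; returns (time, ip, verdict)."""
    gl = greylist or Greylist()
    return [(t, ip, gl.offer(ip, s, r, t)) for (t, ip, s, r) in events]


# Constructed attempt log (RFC 5737 test addresses, fictitious sender)
# mirroring the pattern in the post: two quick tries from one host, then
# the queued copy arriving from a second host.
EVENTS = [
    (0,       "192.0.2.10", "someone@example.org", "me@example.com"),
    (90,      "192.0.2.10", "someone@example.org", "me@example.com"),
    (40 * 60, "192.0.2.11", "someone@example.org", "me@example.com"),
    (80 * 60, "192.0.2.11", "someone@example.org", "me@example.com"),
]


if __name__ == "__main__":
    for t, ip, verdict in simulate(EVENTS):
        print(f"t={t:5d}s  {ip:<12} {verdict}")
    # The third attempt is a brand-new tuple because the IP changed, even
    # though 192.0.2.10's entry would have passed by then had it retried.
```

Replaying EVENTS gives GREY, GREY, GREY, PASS: the second host starts its own 25-minute clock, which is exactly the delay Mikel is seeing. A Message-ID based shortcut would need spamd to accept DATA and read headers, which is the part of the dialog it deliberately never reaches.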