Typo in ftp-proxy
CONFIGURATION
     To make use of the proxy, needs the following rules.  Adjust the rules as needed.

         anchor "ftp-proxy/*"
         pass in quick proto tcp to port ftp rdr to 127.0.0.1 port 8021

# NEW?
# pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

regards
Karl-Heinz
Re: Typo in ftp-proxy
On Mon, Sep 07, 2009 at 11:02:31AM +0200, Karl-Heinz Wild wrote:

CONFIGURATION
     To make use of the proxy, needs the following rules.  Adjust the rules as needed.

         anchor "ftp-proxy/*"
         pass in quick proto tcp to port ftp rdr to 127.0.0.1 port 8021

# NEW?
# pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

fixed, thanks.
jmc
Re: 802.11n AP mode adapter
On 2009-09-06, Hugo Osvaldo Barrera h...@osvaldobarrera.com.ar wrote:

I'm about to set up a small box as an 802.11n access point/gateway/firewall. I've been doing my research in order to purchase a compatible adapter, and all except one I've found use the run(4). According to the information I've managed to find, as of April 2007, run did not support hostapd(8). I don't know if this has changed since.

The ONLY other adapter I've found available in my country uses the otus(4) driver. According to what I understand from its man pages, it doesn't support hostapd, but I'm not too sure.

So, does run support hostapd? Does otus (I might have been wrong)? If not, what are my alternatives?

The USB adapters aren't really a good choice for hostap. rum(4) and ural(4) are workable, but can't automatically control transmit speed in hostap mode.

On 2009-09-07, Hugo Osvaldo Barrera h...@osvaldobarrera.com.ar wrote:

Thanks. I guess I'll have to use 802.11g for now. The issue is I tend to have a lot of interference in the 2.4GHz area.

11n can be at either 2.4GHz or 5GHz, if 2.4GHz is crowded you need to move to 5GHz, not move to n.

There are various devices which can work at 5GHz (802.11a) supported by OpenBSD. They're usually a bit harder to get hold of, but that's not a bad thing; if they were easily available, that part of the spectrum would be just as crowded as 2.4GHz...
Re: Cyrillic fonts in X Window. (fwd)
Actually I cannot get it to work also with xterm*locale: true. But never mind, because having solved the Cyrillic input I would have to solve the Chinese input, which I also need, and in xterm seems to be quite problematic to have all of this together (scim input does seem to work only with gtk or qt apps, of course there is uim...). This is why I use roxterm instead, where everything works out of the box.

Thank you anyway

On Sun, 6 Sep 2009, 4625 wrote:

On Sun, 06 Sep 2009 13:00:04 +0400 Kaltashkin Eugene zhe...@gmail.com wrote:

try run xterm -fn koi9x15 -rv

As I told before (see my reply to shweg...@...), 'XTerm*locale: true' in ~.Xdefaults will be enough to solve the problem with Cyrillic in xterm. Anyway, thanks for reply.

-- xorg.conf --
Section "InputDevice"
        Identifier "keyboard"
        Driver "kbd"
        ...
-- xorg.conf --

I have added the string 'FontPath /usr/X11R6/lib/X11/fonts/cyrillic/' into xorg.conf, then I execute fc-cache. However, these fonts are unavailable in X. What is going wrong?

fc-cache -v
Fontconfig error: Cannot load default config file
/usr/X11R6/lib/X11/fonts/TTF: skipping, 23 fonts, 0 dirs
/usr/X11R6/lib/X11/fonts/Type1: skipping, 29 fonts, 0 dirs
/usr/X11R6/lib/X11/fonts/cyrillic: skipping, 0 fonts, 0 dirs

- 4625
Re: ifstated not honouring my if clauses ?
Hi,

as a different approach, you can use the new router option from relayd(8) in -current.

1.) Replace the complex ifstated state machine with a relayd using a router configuration block. Specifying a source address in the checks is currently not supported, but you can specify an IP TTL of 1 to make sure that the reply is really from a next hop and not routed from somewhere else. A possible relayd.conf based on your setup:

---
interval 20

table <links> { 192.168.5.2 ip ttl 1, 192.168.6.1 ip ttl 1 }

router internet {
        route 0.0.0.0/0
        forward to <links> check icmp
}
---

2.) Run relayd. Now you can use the 'route' and the 'relayctl show' commands to monitor your state.

3.) You can replace the alldown case by adding fallback-routes with a higher priority value. Identical routes with different priorities can co-exist in the routing table and the kernel will handle the fallback automatically. Note: A higher priority value means actually a lower priority, the kernel will use any active routes with a lower value first.

# route add -mpath -priority 12 default 192.168.5.2
# route add -mpath -priority 12 default 192.168.6.1

(You can put these commands with a '!' in your hostname.if files)

reyk

On Mon, Sep 07, 2009 at 09:56:31AM +1000, a complex ifstated.conf was posted:

---
link1 = '( "ping -I 192.168.5.10 -q -c 1 -w 1 192.168.5.2 > /dev/null" every 20 )'
link2 = '( "ping -I 192.168.6.10 -q -c 1 -w 1 192.168.6.1 > /dev/null" every 20 )'

init-state primary

state primary {
        init {
                run "route add -mpath default 192.168.5.2"
                run "route add -mpath default 192.168.6.1"
        }
        if ! $link1
                set-state link2only
        if ! $link2
                set-state link1only
}

# only link1 is up
state link1only {
        init {
                run "route delete default 192.168.6.1"
                run "route add -mpath default 192.168.5.2"
        }
        if ! $link1
                set-state alldown
        if $link2
                set-state primary
}

# only link2 is up
state link2only {
        init {
                run "route delete default 192.168.5.2"
                run "route add -mpath default 192.168.6.1"
        }
        if $link1
                set-state primary
        if ! $link2
                set-state alldown
}

# all down !
state alldown {
        init {
                run "route add -mpath default 192.168.5.2"
                run "route add -mpath default 192.168.6.1"
        }
        if $link1
                set-state link1only
        if $link2
                set-state link2only
}
---
typo on the ftp page
I suspect there is a typo on the ftp page: http://www.openbsd.org/ftp.html#rsync The Redwood City and Boulder second level (rsync) mirrors have the same address. Isn't the Redwood City address supposed to be 'ftp5'? If not, sorry for the noise. Also, sorry to see rt.fm is gone!
Re: CARP problem : slave rioting
Hello,

I found the cause of the problem: the CARP interface was configured with a /24 mask on the master, and a /25 mask on the slaves. With coherent masks everything works like a charm now.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: BARDOU Pierre
Sent: Monday, 29 June 2009 10:12
To: 'uday'
Cc: misc@openbsd.org
Subject: RE: CARP problem : slave rioting

Hello,

I thought it had to be unique _on the same network segment_, but not necessarily on the same machine. And everything works again since I moved the firewall off the backbone (2*procurve 5400zl, 1 firewall on each) to another switch (1*procurve 3400cl, 2 firewalls on it). But everything seems to be configured identically on those two switches, and the error log of the 5400zl shows nothing about the ports where my firewalls are...

I also set up 2 new BSD boxes to test, 1 on each 5400, configured as follows:

    # cat /etc/hostname.carp*
    217.109.108.243/28 vhid 11 advskew 5 pass mipih31 description Internet
    217.109.108.99/25 vhid 11 advskew 5 pass mipih31 description DMZ Internet

    # cat /etc/hostname.carp*
    217.109.108.243/28 vhid 11 advskew 10 pass mipih31 description Internet
    217.109.108.99/25 vhid 11 advskew 10 pass mipih31 description DMZ Internet

They also run like a charm !? I have run out of ideas about the cause of the problem.

--
Regards,
Pierre BARDOU

-----Original Message-----
From: uday [mailto:umoorjani@gmail.com]
Sent: Friday, 26 June 2009 21:17
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: CARP problem : slave rioting

Pierre,

If I'm not mistaken the vhid on all your carp interfaces are the same value. I would suggest you use a unique value for each group.

From the man: The Virtual Host ID. This is a unique number that is used to identify the redundancy group to other nodes on the network. Acceptable values are from 1 to 255.

I think this is the way to go but I'm not sure.

UM

Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him.
Rev. Martin Luther King Jr.

On Fri, Jun 26, 2009 at 6:31 AM, BARDOU Pierre bardo...@mipih.fr wrote:

Hello,

CARP is configured using a script. Here it is (truncated version):

    ifconfig carp5 create
    ifconfig carp5 vhid 10 advskew $1 pass $PASS 10.31.0.254/16 description LAN
    ifconfig carp2 create
    ifconfig carp2 vhid 10 advskew $1 pass $PASS 193.57.199.254/24 description "DMZ 1"
    ifconfig carp3 create
    ifconfig carp3 vhid 10 advskew $1 pass $PASS 10.193.57.254/24 description "DMZ 2"
    ifconfig carp12 create
    ifconfig carp12 vhid 10 advskew $1 pass $PASS 8.8.0.254/24 description "DMZ 3"
    ifconfig carp13 create
    ifconfig carp13 vhid 10 advskew $1 pass $PASS 10.193.70.254/24 description "DMZ 5"
    ifconfig carp4 create
    ifconfig carp4 vhid 10 advskew $1 pass $PASS 10.60.0.254/24 description "DMZ Internet"
    ifconfig carp4 alias 217.109.108.1/24
    ifconfig carp14 create
    ifconfig carp14 vhid 10 advskew $1 pass $PASS 217.109.xxx.xxx/28 description Internet

--
Regards,
Pierre BARDOU

-----Original Message-----
From: uday [mailto:umoorjani@gmail.com]
Sent: Friday, 26 June 2009 12:21
To: BARDOU Pierre
Cc: misc@openbsd.org
Subject: Re: CARP problem : slave rioting

Can you post configuration files for the carp interfaces ?

Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him.
Rev. Martin Luther King Jr.

On Mon, Jun 22, 2009 at 11:01 AM, BARDOU Pierre bardo...@mipih.fr wrote:

Hello,

I have a setup with 2 OpenBSD boxes used as firewall, redundancy is made using CARP. Each has 4 NIC: 1 for internet, 1 for pfsync, and the two last are used as a trunk, collecting all other VLANs. Master's advskew is 10, slave's is 50.

All worked like a charm for nearly 2 years, but for 3 weeks I have had odd problems:

* on the net interface, the backup becomes master, but the master remains master - Nearly half of the packets are lost. I did a tcpdump on the slave's interface, carp packets from the master arrive. But it remains master !

    Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
    Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]

* on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it is part of a trunk, physical connections are good: they work for all other VLANs. When I shut down the corresponding carp interface on the slave (ifconfig carp4 down), master becomes master again.

Could you give me any clue to keep my master in master state ?

Thank you

--
Regards,
Pierre BARDOU
CSIM - Bureau 012
Midi Picardie Informatique Hospitalière
12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
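A consistency check for the two symptoms in this thread, as an added example that is not code from any of the posters: it compares the address/prefix of each CARP group across nodes (the mismatch found to be the cause) and spots competing masters in a capture. The node names, sample addresses and `EXAMPLE` password are constructed; the two capture lines are the ones quoted in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed per-node configs in the "addr/prefix vhid N advskew N pass ..."
# form quoted in the thread. Node names, addresses and password are made up.
NODE_CONFIGS = {
    "fw-master": [
        "198.51.100.243/28 vhid 11 advskew 10 pass EXAMPLE description Internet",
        "192.0.2.99/24 vhid 11 advskew 10 pass EXAMPLE description DMZ",
    ],
    "fw-backup": [
        "198.51.100.243/28 vhid 11 advskew 50 pass EXAMPLE description Internet",
        "192.0.2.99/25 vhid 11 advskew 50 pass EXAMPLE description DMZ",
    ],
}

# The two advertisements captured on the backup's interface in the thread.
CAPTURE = [
    "Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: "
    "CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]",
    "Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: "
    "CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]",
]

CONF_RE = re.compile(r"^(\S+/\d+)\s+vhid\s+(\d+)\s+advskew\s+(\d+)\b")
ADV_RE = re.compile(r"CARPv2-advertise \d+: vhid=(\d+) advbase=\d+ advskew=(\d+)")


def inconsistent_groups(node_configs):
    """Map (vhid, virtual address) -> {node: prefix length or None} for every
    group that is missing on a node or whose prefix length differs."""
    seen = defaultdict(dict)
    for node, lines in node_configs.items():
        for line in lines:
            m = CONF_RE.match(line.strip())
            if not m:
                raise ValueError(f"unparsed carp line on {node}: {line!r}")
            iface = ipaddress.ip_interface(m.group(1))
            seen[(int(m.group(2)), str(iface.ip))][node] = iface.network.prefixlen
    bad = {}
    for key, per_node in seen.items():
        full = {node: per_node.get(node) for node in node_configs}
        if len(set(full.values())) > 1:
            bad[key] = full
    return bad


def competing_masters(capture_lines):
    """Return {vhid: [advskew, ...]} where several advskew values advertise
    the same vhid. Both captured lines carry the same source MAC, so advskew
    is what tells the senders apart."""
    skews = defaultdict(set)
    for line in capture_lines:
        m = ADV_RE.search(line)
        if m:
            skews[int(m.group(1))].add(int(m.group(2)))
    return {vhid: sorted(s) for vhid, s in skews.items() if len(s) > 1}


if __name__ == "__main__":
    for key, nodes in inconsistent_groups(NODE_CONFIGS).items():
        print(f"vhid {key[0]} {key[1]}: prefix length per node {nodes}")
    for vhid, s in competing_masters(CAPTURE).items():
        print(f"vhid {vhid}: advertisements with advskew {s}, more than one master")
```
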
OT cpu temp on system-A 1.2 ghz machine?
Anybody know what a safe temperature range is for this cpu? I'm trying to resurrect this thing, but the cpu fan was bad. I replaced it with a new spare fan and I can watch the temp via cmos and it runs about 125F closed case and 120F with case open. Only protection is for CPUFan off. It's an old Abit kt7a-raid motherboard, but I couldn't find anything about it either. Any help appreciated.
Re: Cyrillic fonts in X Window. (fwd)
Those of us using keymaps not being listed in base have similar problem. I use setxkbmap command for X, namely:

$ setxkbmap us
$ setxkbmap hr
$ setxkbmap sr

So I can switch back from Serbian / Croatian to US keyboard once I need to type the command that should be understood by the system.

On 9/7/09, shweg...@gmail.com shweg...@gmail.com wrote:

Actually I cannot get it to work also with xterm*locale: true. But never mind, because having solved the Cyrillic input I would have to solve the Chinese input, which I also need, and in xterm seems to be quite problematic to have all of this together (scim input does seem to work only with gtk or qt apps, of course there is uim...). This is why I use roxterm instead, where everything works out of the box.

Thank you anyway

On Sun, 6 Sep 2009, 4625 wrote:

On Sun, 06 Sep 2009 13:00:04 +0400 Kaltashkin Eugene zhe...@gmail.com wrote:

try run xterm -fn koi9x15 -rv

As I told before (see my reply to shweg...@...), 'XTerm*locale: true' in ~.Xdefaults will be enough to solve the problem with Cyrillic in xterm. Anyway, thanks for reply.

-- xorg.conf --
Section "InputDevice"
        Identifier "keyboard"
        Driver "kbd"
        ...
-- xorg.conf --

I have added the string 'FontPath /usr/X11R6/lib/X11/fonts/cyrillic/' into xorg.conf, then I execute fc-cache. However, these fonts are unavailable in X. What is going wrong?

fc-cache -v
Fontconfig error: Cannot load default config file
/usr/X11R6/lib/X11/fonts/TTF: skipping, 23 fonts, 0 dirs
/usr/X11R6/lib/X11/fonts/Type1: skipping, 29 fonts, 0 dirs
/usr/X11R6/lib/X11/fonts/cyrillic: skipping, 0 fonts, 0 dirs

- 4625
Re: X crashes with snapshot
On Mon, Sep 07, 2009 at 11:27:31AM +0200, LEVAI Daniel wrote:

Fatal server error:
Caught signal 11. Server aborting

Please checkout the xenocara tree and follow the instructions in README in order to provide a gdb backtrace with debug symbols.

I have no idea why people think that X is different in this respect to other applications...

Cheers,
-0-

--
Signs of crime: screaming or cries for help.
-- from the Brown University Security Crime Prevention Pamphlet
Re: Kernel msg creating a ISO file from CD-ROM
Sorry for the late reply, but I've been busy. After burning some CDs and doing some tests I have learned this:

*short version

If the CD-ROM was burned with DAO option (Disk At Once) then dd or any other program (cdio, readcd, etc) will not report any problem. If TAO mode was used, then you will have problems with the end of the dump.

*long version

When doing

    dd if=/dev/rcd0c of=myfile.iso bs=32k

I was having a message from kernel: Check condition error 0x70. This means dd is trying to read beyond the end of the track and it can't, so it returns that error (and also kernel message) no matter if bs option was 2k or 32k.

I was confused because some CDs did that, and others didn't. As cdio and readcd were having exactly the same issue, I understood that it's not a dd problem. And also I had the same behaviour on another PC, with exactly the same CD-ROMs, so the hardware issue was discarded.

Then I noticed that the CDs burned as DAO (cdrecord with -dao option) were the ones which didn't have the problem. I burned some CD-ROMs with the same data with and without the TAO option and now I'm sure that's the cause.

My problem trying to create an ISO file from a Nintendo Wii is a completely different issue.
PF: state key linking mismatch with -current
I've just updated -current, and am a few days beyond henning@'s huge PF change. I'm getting state mismatch warnings from the kernel. I do not understand the entries, so am not sure what to correct, if anything, in my new version of the rule.

The rule used to be:

    rdr pass log on $external_nic proto {tcp udp} from any to any port x \
        -> 192.168.1.42 port x

The rule now is:

    pass in log quick on $external_nic proto {tcp udp} from any to any port x \
        rdr-to 192.168.1.42 port x

Here are two example warning messages. In each warning message, the first a0 IP address is different from the second a0 IP address, which matches the second a1 address. There are multiple valid states in the state table, so not every state produces these messages:

    pf: state key linking mismatch! dir=OUT, if=dc0, stored af=2, a0: a.b.c.d:39944, a1: 192.168.1.42:x, proto=17, found af=2, a0: e.f.g.h:65519, a1: e.f.g.h:48042, proto=17.
    pf: state key linking mismatch! dir=OUT, if=dc0, stored af=2, a0: i.j.k.l:61418, a1: 192.168.1.42:x, proto=17, found af=2, a0: m.n.o.p:65519, a1: m.n.o.p:48042, proto=17.

Any suggestions would be greatly appreciated. Thanks!
New spammers' behaviour pattern
Hi folks,

I'm seeing a new pattern of behaviour from spammers over the last few months, which shows signs of growing. Briefly:

- Mail originates from a correctly-configured mailserver, typically called ssl.somedomain.com, so spamd doesn't catch it.
- The domain is entirely sacrificial, and may only exist for a few days before being blocked by the registrar (or blacklisted by me).
- Mailserver IP addresses tend to be in blocks (I'm logging them in order to anticipate and block new senders).
- Spam content is commercial, and identical spams turn up from various of these domains.

This is *almost* the only type of spam I'm seeing these days, which says a lot for the (continued) power of greylisting.

Anyone else seeing this? Would it make sense for me to publish the IP addresses I've harvested so far? (I'm currently blocking these via accessdb; it would make far more sense for me to tarpit them...)

Steve
--
http://www.fivetrees.com
Re: New spammers' behaviour pattern
On Mon, Sep 7, 2009 at 1:53 PM, Steve Fairhead st...@fivetrees.com wrote:

Hi folks,

I'm seeing a new pattern of behaviour from spammers over the last few months, which shows signs of growing. Briefly:

- Mail originates from a correctly-configured mailserver, typically called ssl.somedomain.com, so spamd doesn't catch it.
- The domain is entirely sacrificial, and may only exist for a few days before being blocked by the registrar (or blacklisted by me).
- Mailserver IP addresses tend to be in blocks (I'm logging them in order to anticipate and block new senders).
- Spam content is commercial, and identical spams turn up from various of these domains.

This is *almost* the only type of spam I'm seeing these days, which says a lot for the (continued) power of greylisting.

Anyone else seeing this? Would it make sense for me to publish the IP addresses I've harvested so far? (I'm currently blocking these via accessdb; it would make far more sense for me to tarpit them...)

Add them to your own black-list. I was seeing a lot of the ssl.*.com spam sources some six months ago and prior. This has fizzled down so far as I can tell. Last net-block I black-listed was dnspointkey.net (Sep. 3rd).

--patrick
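One way to turn logged sender addresses that "tend to be in blocks" into black-list entries, as an added example that is not code from either poster: it groups the addresses by network, keeps networks with several distinct senders, and lists the rest singly. The /24 grouping, the threshold of three hosts and the sample addresses are assumptions; a block should be reviewed before loading, since it also covers hosts that never sent mail.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of logged sender addresses (documentation ranges only).
LOGGED_SENDERS = [
    "203.0.113.10", "203.0.113.11", "203.0.113.14", "203.0.113.10",
    "198.51.100.7", "192.0.2.200", "192.0.2.201",
]


def _ipv4(addresses):
    """Parse and de-duplicate the IPv4 addresses in the log; skip anything else."""
    out = set()
    for text in addresses:
        try:
            ip = ipaddress.ip_address(text.strip())
        except ValueError:
            continue
        if ip.version == 4:
            out.add(ip)
    return out


def dense_blocks(addresses, prefix_len=24, min_hosts=3):
    """Networks of size /prefix_len holding at least min_hosts distinct
    senders, with adjacent networks merged. Both values are assumptions."""
    per_net = defaultdict(set)
    for ip in _ipv4(addresses):
        per_net[ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)].add(ip)
    dense = [net for net, hosts in per_net.items() if len(hosts) >= min_hosts]
    return list(ipaddress.collapse_addresses(dense))


def blacklist_entries(addresses, prefix_len=24, min_hosts=3):
    """Dense blocks first, then the remaining single addresses, as strings."""
    blocks = dense_blocks(addresses, prefix_len, min_hosts)
    singles = sorted(ip for ip in _ipv4(addresses)
                     if not any(ip in block for block in blocks))
    return [str(b) for b in blocks] + [str(ip) for ip in singles]


if __name__ == "__main__":
    # One entry per line, ready to paste into a local black-list file.
    print("\n".join(blacklist_entries(LOGGED_SENDERS)))
```
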