OpenBSD 4.6 distributed through Linux For You magazine India

2009-11-18 Thread Siju George
hi.


http://www.lfymag.com/currentissue.asp?id=13

towards the end



OpenBSD 4.6  Eclipse 3.5
OpenBSD being security guru Theo de Raadt's baby, includes a number of
security features absent or optional in other OS.

Siju



Re: OpenBSD 4.6 pfsync kernel panic

2009-11-18 Thread Anders Pettersson
Hi David

Thank you for the quick reply!

The stack trace from the console at the time of the crash:

Starting stack trace
panic(d07a8c58,0,de1b4b28,0,d8a282b8) at panic+0x65
panic(d071ad67,6,0,d031baf5,de1b4b20) at panic+0x65
trap() at trap+0x119
--- trap (number 6) ---
pfsync_state_import(d899e83a,2,2d0,de1b4bc8) at pfsync_state_import+0x75
pfsync_in_ins(de1b4c00,d8a3d400,2c,3) at pfsync_in_ins+0xe3
pfsync_input(d8a3d400,14,0,0,d2a8d030) at pfsync_input+0x148
ipv4_input(d8a3d400,d2a82440,f0279,f0275) at ipv4input+0x498
ipintr(58,d8310010,de1b0010,d0350010,f0275) at ipintr+0x64
bad fram pointer: 0xde1b4c88
End of stack trace

And here is the output from cvs status if_pfsync.?

# cvs status if_pfsync.?
===================================================================
File: if_pfsync.c       Status: Up-to-date

   Working revision:    1.127
   Repository revision: 1.127   /cvs/src/sys/net/if_pfsync.c,v
   Sticky Tag:          OPENBSD_4_6 (branch: 1.127.4)
   Sticky Date:         (none)
   Sticky Options:      (none)

===================================================================
File: if_pfsync.h       Status: Up-to-date

   Working revision:    1.38
   Repository revision: 1.38    /cvs/src/sys/net/if_pfsync.h,v
   Sticky Tag:          OPENBSD_4_6 (branch: 1.38.4)
   Sticky Date:         (none)
   Sticky Options:      (none)

Please let me know if there is anything else that I can do to help,

Best regards

Anders

-Original Message-
From: David Gwynne [mailto:l...@animata.net]
Sent: Wednesday, November 18, 2009 01:04
To: Anders Pettersson
Cc: misc@openbsd.org
Subject: Re: OpenBSD 4.6 pfsync kernel panic

hi anders,

could you get me a full trace from ddb when the fault occurs? I'd also like the
output of 'cvs info if_pfsync.?' in src/sys/net in the tree you built this
kernel from?

cheers,
dlg

On 17/11/2009, at 11:07 PM, Anders Pettersson wrote:

 Hi

 We get kernel panics when we reboot either one of our two OpenBSD 4.6 servers
 running pf. It seems that the kernel panic always happens at the point where
 the pf sync state import happens. Sometimes we can reboot the servers, one at
 a time, a number of times in a row without any problems. We have tried to
 understand why this occurs but to no avail, is there anyone who could advise
 us what to do to try and resolve this?

 The error message say:

 fatal page fault (6) in supervisor mode
 trap type 6 code 0 eip d031baf5 cs 50 eflags 10297 cr2 2c4 cpl 40
 panic: trap type 6, code=0, pc=d031baf5
 .
 .
 .
 --- trap (number 6) ---
 pfsync_state_import(d899e83a,2,2d0,de1b4bc8) at pfsync_state_import+0x75

 We have two identical servers running OpenBSD 4.6 and pf, they are built on
 the Supermicro X7SBT motherboard:
 http://www.supermicro.com/products/motherboard/Xeon3000/X48/X7SBT.cfm
 They have a total of six NICs; two internal Intel PRO/1000MT (82573E) and
 (82573L) and four Intel PRO/1000 QP (82571EB).

 The pfsync interface uses em4 (that is the first of the two internal network
 cards - Intel PRO/1000MT (82573E));

 pfsync0: flags=41<UP,RUNNING> mtu 1500
         priority: 0
         pfsync: syncdev: em4 maxupd: 128 defer: off
         groups: carp pfsync

 And we have a simple rule
 pass quick on { em4 } proto pfsync

 ps -N /var/crash/bsd.0 -M /var/crash/bsd.0.core -O paddr gives;
  PID  PADDR TT  STAT   TIME COMMAND
 12176 d89f216c p0  Is+ 0:00.00 (ksh)
 28044 d8ae82c4 C0- R/0 0:01.00 (snortsam)
 18169 d8b9e2c0 C0  Is+ 0:00.00 (ksh)
 3045 d8ae8834 C1  Is+ 0:10.00 (getty)
 10861 d8ae8aec C2  Is+ 0:09.00 (getty)
 3111 d8ae8c48 C3  Is+ 0:09.00 (getty)
 5674 d8ae8da4 C5  Is+ 0:09.00 (getty)

 I have attached the dmesg output from one of the machines at the end of this
 email,

 Best regards

 Anders
 
 Mainloop
 Anders Pettersson
 and...@mainloop.se
 Stora Nygatan 5, 2tr
 111 27 Stockholm
 Sweden
 mobile: +46 (70) 634 5818
 

 OpenBSD 4.6-stable (GENERIC.MP) #0: Fri Nov  6 10:18:43 CET 2009
     r...@puffy46.intranet.mainloop.net:/usr/src/sys/arch/i386/compile/GENERIC.MP
 cpu0: Intel(R) Xeon(R) CPU X3220 @ 2.40GHz (GenuineIntel 686-class) 2.41 GHz
 cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
 real mem  = 2145402880 (2046MB)
 avail mem = 2065686528 (1969MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 12/19/08, BIOS32 rev. 0 @ 0xfdbc0,
 SMBIOS rev. 2.5 @ 0x7fedf000 (34 entries)
 bios0: vendor Phoenix Technologies LTD version 1.2a date 12/19/2008
 bios0: Supermicro X7SBT
 acpi0 at bios0: rev 2
 acpi0: tables DSDT FACP _MAR MCFG APIC BOOT SPCR ERST HEST BERT EINJ SLIC
SSDT
 SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT
 acpi0: wakeup devices PEG_(S5) PEX_(S5) LAN_(S5) USB4(S5) USB5(S5) USB7(S5)
 ESB2(S5) EXP1(S5) EXP5(S5) EXP6(S5) USB1(S5) USB2(S5) USB3(S5) USB6(S5)
 ESB1(S5) PCIB(S5) KBC0(S1) MSE0(S1) COM1(S5) 

PF per-ip statistics

2009-11-18 Thread Leonardo Lombardo

Hi all,

reading pfctl manpage I've seen this:

# pfctl -t test -vTshow
   129.128.5.191
      Cleared:     Thu Feb 13 18:55:18 2003
      In/Block:    [ Packets: 0        Bytes: 0        ]
      In/Pass:     [ Packets: 10       Bytes: 840      ]
      Out/Block:   [ Packets: 0        Bytes: 0        ]
      Out/Pass:    [ Packets: 10       Bytes: 840      ]

but my output is quite different :-) Here it is:

# pfctl -t MYTABLE -vTshow
  10.102.15.66
   Cleared: Thu Oct 29 08:28:35 2009
  10.102.15.70
   Cleared: Thu Oct 29 08:28:35 2009
  10.102.15.74
   Cleared: Thu Oct 29 08:28:35 2009

There is no data per ip, even if pftop shows all the data correctly.

Surely it is my mistake... but I can't figure it out.

Thanks to all for the incomparable work on this OS.


Leonardo



Stacking RAID sets

2009-11-18 Thread Markus Bergkvist

It was said in
http://marc.info/?l=openbsd-miscm=125139976027774w=2
that stacking RAID sets is not a good idea. I.e. this

# bioctl -ih softraid0
Volume  Status   Size Device
softraid0 0 Online   447G sd2 RAID0
  0 Online   149G 0:0.0   noencl wd1a
  1 Online   149G 0:1.0   noencl wd2a
  2 Online   149G 0:2.0   noencl wd3a
softraid0 1 Online   190G sd3 RAID1
  0 Online   190G 1:0.0   noencl sd0a
  1 Online   190G 1:1.0   noencl sd1a
softraid0 2 Online   447G sd4 CRYPTO
  0 Online   447G 2:0.0   noencl sd2a
softraid0 3 Online   190G sd5 CRYPTO
  0 Online   190G 3:0.0   noencl sd3a

is not a good idea? Why not?

/Markus



Re: anyone, low power rack-mount server for home usage?

2009-11-18 Thread David Cathcart
Just a note, although Supermicro says max 2G of RAM, the X7SLA-H works well with
4G of RAM. 

spdmem0 at iic0 addr 0x50: 2GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem1 at iic0 addr 0x52: 2GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem0 at iic0 addr 0x50: 2GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem1 at iic0 addr 0x52: 2GB DDR2 SDRAM non-parity PC2-5300CL5
hw.physmem=3748265984
hw.usermem=3748057088

Fits in our 1u chassis well. Sensors work. 

David

On Mon, Nov 09, 2009 at 01:40:18AM +0100, Henning Brauer wrote:
 * Daniel Ouellet dan...@presscom.net [2009-11-09 00:57]:
  supermicro has atom-based systems. i have such a board and am happy
  with it.
  
  Henning, how's the remote console redirection on that box? Any
  feedback may be?
 
 same as on the real supermicros: works like a charm.
 
  Just looking for minimum like the LOM on the old SUN V100 and the
  like. Don't need CD remote mount and all that. SSH over Ethernet
  would be nice, but I can deal without it. Sad that none of these
  board actually have a decent remote console without the need for
  additional board when it's possible.
 
 err, they have console redirection, not a LOM. you can use the bios
 over cereal, that's it. i haven't seen anything as good as sun's
 LOMlite and ALOM anywhere. Ironically, I have seen total failures
 trying to make something like LOM - from sun. Epic fail in their
 X2100 and X4250 (or so). don't get me started on ipmi.
 
 just noticed dmesg might be useful. cardbus slot (and the 3G card
 therein) are on a PCI card, all the rest onboard.
 
 OpenBSD 4.6-stable (GENERIC.MP) #0: Sat Aug  8 05:30:38 CEST 2009
 henn...@terak.bsws.de:/usr/src/sys/arch/i386/compile/GENERIC.MP
 cpu0: Intel(R) Atom(TM) CPU 330 @ 1.60GHz (GenuineIntel 686-class) 1.61 GHz
 cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR
 real mem  = 2145595392 (2046MB)
 avail mem = 2065874944 (1970MB)
 mainbus0 at root
 bios0 at mainbus0: AT/286+ BIOS, date 05/05/09, BIOS32 rev. 0 @ 0xf0010, 
 SMBIOS rev. 2.5 @ 0xfd160 (27 entries)
 bios0: vendor American Megatrends Inc. version 1.0 date 05/05/2009
 bios0: Supermicro X7SLA
 acpi0 at bios0: rev 2
 acpi0: tables DSDT FACP APIC MCFG OEMB HPET
 acpi0: wakeup devices P0P2(S4) P0P1(S4) PS2K(S4) PS2M(S4) EUSB(S4) MC97(S4) 
 P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) LAN0(S1) P0P9(S4) LAN1(S1) 
 USB0(S4) USB1(S4) USB2(S4) USB3(S4) SLPB(S4)
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: apic clock running at 133MHz
 cpu1 at mainbus0: apid 2 (application processor)
 cpu1: Intel(R) Atom(TM) CPU 330 @ 1.60GHz (GenuineIntel 686-class) 1.61 GHz
 cpu1: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR
 cpu2 at mainbus0: apid 1 (application processor)
 cpu2: Intel(R) Atom(TM) CPU 330 @ 1.60GHz (GenuineIntel 686-class) 1.61 GHz
 cpu2: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR
 cpu3 at mainbus0: apid 3 (application processor)
 cpu3: Intel(R) Atom(TM) CPU 330 @ 1.60GHz (GenuineIntel 686-class) 1.61 GHz
 cpu3: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR
 ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
 ioapic0: misconfigured as apic 1, remapped to apid 4
 acpihpet0 at acpi0: 14318179 Hz
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus -1 (P0P2)
 acpiprt2 at acpi0: bus 4 (P0P1)
 acpiprt3 at acpi0: bus 1 (P0P4)
 acpiprt4 at acpi0: bus -1 (P0P5)
 acpiprt5 at acpi0: bus -1 (P0P6)
 acpiprt6 at acpi0: bus -1 (P0P7)
 acpiprt7 at acpi0: bus 2 (P0P8)
 acpiprt8 at acpi0: bus 3 (P0P9)
 acpicpu0 at acpi0
 acpicpu1 at acpi0
 acpicpu2 at acpi0
 acpicpu3 at acpi0
 acpibtn0 at acpi0: SLPB
 acpibtn1 at acpi0: PWRB
 bios0: ROM list: 0xc/0xaa00!
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
 pchb0 at pci0 dev 0 function 0 Intel 82945G Host rev 0x02
 vga1 at pci0 dev 2 function 0 Intel 82945G Video rev 0x02
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 intagp0 at vga1
 agp0 at intagp0: aperture at 0xe000, size 0x1000
 inteldrm0 at vga1: apic 4 int 16 (irq 10)
 drm0 at inteldrm0
 ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01: apic 4 int 16 
 (irq 10)
 pci1 at ppb0 bus 1
 ppb1 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01: apic 4 int 16 
 (irq 10)
 pci2 at ppb1 bus 2
 re0 at pci2 dev 0 function 0 Realtek 8168 rev 0x02: RTL8168C/8111C 
 (0x3c00), apic 4 int 16 (irq 10), address 00:30:48:db:03:f2
 rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
 ppb2 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01: apic 4 int 17 
 

Re: PF per-ip statistics

2009-11-18 Thread Henning Brauer
* Leonardo Lombardo l.lomba...@jwizard.it [2009-11-18 10:23]:
 Hi all,
 
 reading pfctl manpage I've seen this:
 
 # pfctl -t test -vTshow
    129.128.5.191
       Cleared:     Thu Feb 13 18:55:18 2003
       In/Block:    [ Packets: 0        Bytes: 0        ]
       In/Pass:     [ Packets: 10       Bytes: 840      ]
       Out/Block:   [ Packets: 0        Bytes: 0        ]
       Out/Pass:    [ Packets: 10       Bytes: 840      ]
 
 but my output is quite different :-) Here it is:
 
 # pfctl -t MYTABLE -vTshow
   10.102.15.66
Cleared: Thu Oct 29 08:28:35 2009
   10.102.15.70
Cleared: Thu Oct 29 08:28:35 2009
   10.102.15.74
Cleared: Thu Oct 29 08:28:35 2009

you need to enable counters for the table. they're off by default for
some time now (saves memory, a lot).
I won't paste an example here as reading the manpage bits about it
will enlighten you more :)

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
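
Henning's point, worked through as an added example (not part of this thread
and not OpenBSD's own pfctl code): a small Python script that parses
`pfctl -t <table> -vTshow` output, reports which addresses show only a
"Cleared:" line (the symptom above, i.e. the table was declared without
counters) and emits the pf.conf(5) table declaration that turns them on. The
two samples are constructed from the outputs pasted in this thread; the table
name MYTABLE is taken from Leonardo's post.

```python
"""Check per-address counters in `pfctl -t <table> -vTshow` output.

Added example, not from the thread and not pfctl's own code. The two samples
below are constructed from the output posted on the list: one table whose
entries show only "Cleared:", one with the four In/Out counters.
"""
import re
from dataclasses import dataclass, field

# pfctl(8) prints one line per address followed by indented detail lines.
ADDR_RE = re.compile(r"^\s*(!?[0-9A-Fa-f.:/]+)\s*$")
CLEARED_RE = re.compile(r"^\s+Cleared:\s+(.*\S)\s*$")
COUNTER_RE = re.compile(
    r"^\s+(In|Out)/(Block|Pass):\s*\[\s*Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s*\]\s*$"
)

SAMPLE_WITHOUT_COUNTERS = """\
   10.102.15.66
      Cleared:     Thu Oct 29 08:28:35 2009
   10.102.15.70
      Cleared:     Thu Oct 29 08:28:35 2009
   10.102.15.74
      Cleared:     Thu Oct 29 08:28:35 2009
"""

SAMPLE_WITH_COUNTERS = """\
   129.128.5.191
      Cleared:     Thu Feb 13 18:55:18 2003
      In/Block:    [ Packets: 0        Bytes: 0        ]
      In/Pass:     [ Packets: 10       Bytes: 840      ]
      Out/Block:   [ Packets: 0        Bytes: 0        ]
      Out/Pass:    [ Packets: 10       Bytes: 840      ]
"""


@dataclass
class Entry:
    addr: str
    cleared: str = ""
    # (direction, action) -> (packets, bytes); stays empty when counters are off
    counters: dict = field(default_factory=dict)


def parse_tshow(text):
    """Turn `pfctl -t T -vTshow` text into a list of Entry objects."""
    entries, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = COUNTER_RE.match(line)
        if m and cur is not None:
            cur.counters[(m.group(1), m.group(2))] = (int(m.group(3)), int(m.group(4)))
            continue
        m = CLEARED_RE.match(line)
        if m and cur is not None:
            cur.cleared = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m:
            cur = Entry(m.group(1))
            entries.append(cur)
            continue
        raise ValueError(f"unexpected pfctl output: {line!r}")
    return entries


def missing_counters(entries):
    """Addresses that carry no counters at all, i.e. the table lacks 'counters'."""
    return [e.addr for e in entries if not e.counters]


def passed_bytes(entries):
    """Bytes passed per address, both directions summed (0 if counters are off)."""
    out = {}
    for e in entries:
        out[e.addr] = sum(b for (_, action), (_, b) in e.counters.items() if action == "Pass")
    return out


def table_with_counters(name, addrs, persist=True):
    """pf.conf(5) declaration that enables counters for this table."""
    flags = "counters" + (" persist" if persist else "")
    return f"table <{name}> {flags} {{ {', '.join(addrs)} }}"


if __name__ == "__main__":
    for label, sample in (("MYTABLE", SAMPLE_WITHOUT_COUNTERS), ("test", SAMPLE_WITH_COUNTERS)):
        entries = parse_tshow(sample)
        gone = missing_counters(entries)
        if gone:
            print(f"{label}: no counters; declare in pf.conf:\n  {table_with_counters(label, gone)}")
        else:
            print(f"{label}: passed bytes {passed_bytes(entries)}")
```

Counters are a property of the table declaration, so the fix goes into
pf.conf(5) (the `counters` keyword on the `table` line) followed by a reload
with `pfctl -f /etc/pf.conf`; on a live box the same parser can be fed the
real output of `pfctl -t MYTABLE -vTshow`.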



Re: Spanish language resources for OpenBSD

2009-11-18 Thread Chris Bennett

Abel Abraham Camarillo Ojeda wrote:

I also don't like too much translating... but can help whenever
possible (native spanish speaker).

It's just that all the people that I know that can use (thoroughly)
OpenBSD in my city can also read english very well (at least)...

On Tue, Nov 17, 2009 at 08:24:54AM +0100, Daniel Gracia Garallar wrote:
  
I'm not aware of many spanish resources... AFAIK, the only big resource  
centre was the Mexican community, but now it seems to be gone with all  
their translated and own documents.


I'd never been a big advocate of translating efforts, but as a native  
spanish speaker, I should help whenever possible :)




The group of people I am working with don't speak English.
They also have more limited needs for a computer.

OpenBSD offers an excellent price (free), for basic computing needs:
web browsing, sending email, word processing, editing photos, etc.

Their main cost will be just buying a computer, even older equipment 
works very well with OpenBSD.


Oh, yeah. I think it would be appropriate if I sent in a donation with 
each install I do like this.


There is that website that records older websites, waybackmachine or 
something like that.

Maybe the Mexican site has been recorded there? I will try and look for it.

Chris Bennett

--
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects.
  -- Robert Heinlein



Re: Spanish language resources for OpenBSD

2009-11-18 Thread Brad Tilley
On Wed, Nov 18, 2009 at 7:54 AM, Chris Bennett
ch...@bennettconstruction.biz wrote:

 There is that website that records older websites, waybackmachine or 
 something like that. Maybe the Mexican site has been recorded there? I will 
 try and look for it.

http://www.archive.org/index.php



Re: Spanish language resources for OpenBSD

2009-11-18 Thread Diana Eichert

On Wed, 18 Nov 2009, Chris Bennett wrote:

There is that website that records older websites, waybackmachine or 
something like that.


http://www.archive.org/



Re: why is pf reseting this ssh connection?

2009-11-18 Thread Kent Watsen

Todd Alan Smith wrote:

This only happens with SSH connections? Are the rulesets identical
between the two machines? Also, why are you still running 4.2? As I'm
sure you know, there have been many improvements to pf since that
release.

No, I also see it happening with every TCP-based protocol and port I've 
tried (telnet, ftp, and iscsi)


BTW, a more appropriate subject line would have been "why is pf blocking 
a connection after having already accepted it"


Yes, I know I should upgrade, especially since I bought the CDs, but I 
haven't had the time yet - though this issue may force me to upgrade...




P.S. Maybe send your dmesg(s) and ruleset(s) with your next reply.


OK, see below, for the following:
 - uname on firewall
 - dmesg on firewall
 - ifconfig -a on firewall
 - ruleset on firewall


Also, so this makes more sense, here is a small network diagram


vlan4 trunk,tagged-vlans
10.0.4.6  managed --  carped -- internet
10.0.4.5  switch   - firewalls -- feed
||
||vlan1
|+ 10.0.1.24
+- 10.0.1.22




P.P.S. Part of my brain keeps thinking, Flaky NIC?


I was thinking the same thing - so far I:
 - moved the 10.0.1.24 ethernet cable to another port in my switch
 - moved the 10.0.1.24 ethernet cable to another port on the host machine
 - failed the firewall over to its CARP peer (also running 4.2)
 - tried a different client computer (10.0.4.5) instead of (10.0.4.6)




-UNAME-
# uname -a
OpenBSD fw2.watsen.net 4.2 GENERIC.RAID#0 sparc64


-DMESG-
# dmesg
console is /p...@1f,0/p...@1,1/i...@7/ser...@0,3f8
Copyright (c) 1982, 1986, 1989, 1991, 1993
   The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2007 OpenBSD. All rights reserved.  
http://www.OpenBSD.org


OpenBSD 4.2 (GENERIC.RAID) #0: Fri Dec 28 22:26:28 EST 2007
   r...@fw1.watsen.net:/usr/src/sys/arch/sparc64/compile/GENERIC.RAID
real mem = 536870912 (512MB)
avail mem = 507109376 (483MB)
mainbus0 at root: Netra T1 200 (UltraSPARC-IIe 500MHz)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe (rev 1.4) @ 500 MHz, version 0 FPU
cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K 
external (64 b/l)

psycho0 at mainbus0: SUNW,sabre, impl 0, version 0, ign 7c0
psycho0: bus range 0-2, PCI bus 0
psycho0: dvma map c000-dfff, iotdb 962000-9e2000
pci0 at psycho0
ppb0 at pci0 dev 1 function 1 Sun Simba PCI-PCI rev 0x13
pci1 at ppb0 bus 1
ebus0 at pci1 dev 12 function 0 Sun RIO EBus rev 0x01
flashprom at ebus0 addr 0-f not configured
clock1 at ebus0 addr 0-1fff: mk48t59
SUNW,lomh at ebus0 addr 20-23 ipl 42 not configured
Acer Labs M7101 Power rev 0x00 at pci1 dev 3 function 0 not configured
ebus1 at pci1 dev 7 function 0 Acer Labs M1533 ISA rev 0x00
power0 at ebus1 addr 2000-2007 ipl 37
com0 at ebus1 addr 3f8-3ff ipl 43: ns16550a, 16 byte fifo
com0: console
com1 at ebus1 addr 2e8-2ef ipl 43: ns16550a, 16 byte fifo
gem0 at pci1 dev 12 function 1 Sun ERI Ether rev 0x01: ivec 0x7c6, 
address 00:03:ba:0f:2c:d3
ukphy0 at gem0 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI 
0x0010dd, model 0x0002
ohci0 at pci1 dev 12 function 3 Sun USB rev 0x01: ivec 0x7e4, version 
1.0, legacy support
pciide0 at pci1 dev 13 function 0 Acer Labs M5229 UDMA IDE rev 0xc3: 
DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI

pciide0: using ivec 0x7cc for native-PCI interrupt
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, CD-224E, 1.7A SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
gem1 at pci1 dev 5 function 1 Sun ERI Ether rev 0x01: ivec 0x7dc, 
address 00:03:ba:0f:2c:d4
ukphy1 at gem1 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI 
0x0010dd, model 0x0002
ohci1 at pci1 dev 5 function 3 Sun USB rev 0x01: ivec 0x7e6, version 
1.0, legacy support

usb0 at ohci0: USB revision 1.0
uhub0 at usb0: Sun OHCI root hub, rev 1.00/1.00, addr 1
usb1 at ohci1: USB revision 1.0
uhub1 at usb1: Sun OHCI root hub, rev 1.00/1.00, addr 1
ppb1 at pci0 dev 1 function 0 Sun Simba PCI-PCI rev 0x13
pci2 at ppb1 bus 2
siop0 at pci2 dev 8 function 0 Symbios Logic 53c896 rev 0x07: ivec 
0x7e0, using 8K of on-board RAM

scsibus1 at siop0: 16 targets
sd0 at scsibus1 targ 0 lun 0: IBM, DNES-309170Y, SA60 SCSI3 0/direct fixed
sd0: 8683MB, 11474 cyl, 5 head, 309 sec, 512 bytes/sec, 17783301 sec total
sd1 at scsibus1 targ 1 lun 0: IBM, DNES-309170Y, SA60 SCSI3 0/direct fixed
sd1: 8683MB, 11474 cyl, 5 head, 309 sec, 512 bytes/sec, 17783301 sec total
siop1 at pci2 dev 8 function 1 Symbios Logic 53c896 rev 0x07: ivec 
0x7e0, using 8K of on-board RAM

scsibus2 at siop1: 16 targets
em0 at pci2 dev 5 function 0 Intel PRO/1000MT (82545EM) rev 0x01: ivec 
0x7d5, address 00:07:e9:1a:19:62

pcons at mainbus0 not 

PCI ADSL2+ watchdog timeout

2009-11-18 Thread Lars Nooden
I've been getting frequent 'watchdog timeout' errors with 4.6:

Nov 18 18:00:13 net /bsd: re0: watchdog timeout
Nov 18 18:01:03 net /bsd: re0: watchdog timeout
Nov 18 18:18:55 net /bsd: re0: watchdog timeout
Nov 18 18:28:56 net last message repeated 4 times
Nov 18 18:36:47 net last message repeated 9 times

It's been going on through an upgrade from -current (4.6) to -release
(4.6) to -stable (4.6).  What should I look at to figure out the cause
or solution?

re0 is a Viking PCI ADSL2+ from Traverse:

re0 at pci0 dev 14 function 0 Realtek 8139
rev 0x20: RTL8139C+ (0x7480), irq 10,
address 00:0a:fa:33:41:56 rlphy0 at
re0 phy 0: RTL internal PHY


/Lars



Changing the NIC on installed system?

2009-11-18 Thread Roger Schreiter
Hello,

I do not yet understand very well how the NIC drivers are
selected. Is it done while installing OpenBSD or is it
done at boot?

In the latter case, I assume I can replace a PCI network
interface without changing any driver settings.

If the logical interface name is different, I may
have to rename hostname.vge0 to hostname.XX0 or similar.

Or are many more changes necessary when replacing a
MikroTik NIC with an Intel one? System is OpenBSD-4.5.


Regards,
Roger.



Re: Changing the NIC on installed system?

2009-11-18 Thread Jason Dixon
On Wed, Nov 18, 2009 at 06:01:26PM +0100, Roger Schreiter wrote:
 Hello,
 
 I do not yet understand very well how the NIC drivers are
 selected. Is it done while installing OpenBSD or is it
 done at boot?
 
 In the latter case, I assume I can replace a PCI network
 interface without changing any driver settings.
 
 If the logical interface name is different, I may
 have to rename hostname.vge0 to hostname.XX0 or similar.
 
 Or are many more changes necessary when replacing a
 MikroTik NIC with an Intel one? System is OpenBSD-4.5.

It identifies them at boot.  Just rename your hostname.XX file
accordingly and update any service configurations (e.g. pf, dhcpd) that
may rely on the interface name.

HTH.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
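
The procedure Jason describes, as an added example that is not part of this
thread: rename the hostname.if(5) file for the new interface name and find
the other configuration files that still name the old one. The directory
layout and file contents are constructed in a temporary directory; the
interface names vge0 (old) and em0 (new) follow Roger's question, and the
list of files scanned is this example's assumption about where interface
names commonly appear.

```python
"""Swap a NIC on an installed OpenBSD system: rename hostname.if(5) and find
configs that still use the old interface name.

Added example, not from the thread. The sample /etc is constructed in a temp
directory; vge0 (old) and em0 (new) are the names from the question above.
"""
import os
import re
import tempfile

# Files besides hostname.* that commonly name an interface directly
# (assumption for this example; extend for your own setup).
CONFIGS = ("pf.conf", "dhcpd.conf", "rc.conf.local")


def iface_pattern(name):
    # Whole-token match only: vge0 must not hit vge01 or a macro like $vge0_net.
    return re.compile(r"(?<![\w$])" + re.escape(name) + r"(?!\w)")


def references(text, name):
    """1-based line numbers that name the interface outside of comments."""
    pat = iface_pattern(name)
    return [n for n, line in enumerate(text.splitlines(), 1)
            if pat.search(line.split("#", 1)[0])]


def rewrite(text, old, new):
    """Replace whole-token old with new, leaving comment text untouched."""
    pat = iface_pattern(old)
    out = []
    for line in text.splitlines(keepends=True):
        code, sep, comment = line.partition("#")
        out.append(pat.sub(new, code) + sep + comment)
    return "".join(out)


def swap_interface(etc, old, new):
    """Rename etc/hostname.<old> to etc/hostname.<new> and report every other
    config under etc that still references <old>: {filename: [line numbers]}."""
    src = os.path.join(etc, f"hostname.{old}")
    dst = os.path.join(etc, f"hostname.{new}")
    if os.path.exists(dst):
        # Never clobber the config of an interface that already exists.
        raise FileExistsError(dst)
    os.rename(src, dst)
    stale = {}
    for fn in sorted(os.listdir(etc)):
        if fn in CONFIGS or fn.startswith("hostname."):
            with open(os.path.join(etc, fn)) as fh:
                hits = references(fh.read(), old)
            if hits:
                stale[fn] = hits
    return stale


def demo():
    """Constructed /etc with a vge0 -> em0 swap; returns (stale refs, fixed pf.conf)."""
    etc = tempfile.mkdtemp()
    files = {
        "hostname.vge0": "inet 10.0.4.1 255.255.255.0 NONE\n",
        "hostname.carp0": "inet 10.0.4.2 255.255.255.0 10.0.4.255 vhid 1 carpdev vge0 pass secret\n",
        "pf.conf": 'ext_if = "vge0"\npass in on vge0 proto tcp to port 22 # vge0 is the uplink\nblock on vge01\n',
        "rc.conf.local": 'dhcpd_flags="vge0"\n',
    }
    for fn, body in files.items():
        with open(os.path.join(etc, fn), "w") as fh:
            fh.write(body)
    stale = swap_interface(etc, "vge0", "em0")
    with open(os.path.join(etc, "pf.conf")) as fh:
        fixed = rewrite(fh.read(), "vge0", "em0")
    return stale, fixed


if __name__ == "__main__":
    stale, fixed = demo()
    for fn, lines in stale.items():
        print(f"{fn}: still names vge0 on line(s) {lines}")
    print("pf.conf after rewrite:\n" + fixed)
```

The script only renames the hostname.if file and reports the rest; the
`rewrite` helper is deliberately separate so each config is reviewed before
it is changed, and a `pfctl -nf /etc/pf.conf` syntax check belongs between
the edit and the reload.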



Re: OpenBSD blog software

2009-11-18 Thread Daniel Gracia Garallar

[...]
P.S. And this will be the last you hear about it from me.  ;)



I hope this doesn't come to mean the project falls dead. I've been 
reading the source and seems surprisingly simple, but those damned 
regulars... hehehe.


My treat!



Re: OpenBSD blog software

2009-11-18 Thread Jason Dixon
On Tue, Nov 17, 2009 at 06:56:40PM +0100, Daniel Gracia Garallar wrote:
 [...]
 P.S. And this will be the last you hear about it from me.  ;)

 I hope this doesn't come to mean the project falls dead. I've been  
 reading the source and seems surprisingly simple, but those damned  
 regulars... hehehe.

Not at all.  I intentionally wrote Blogsum so I could begin blogging.  I
avoided installing the bloat-heavy CMS/blogging alternatives out there
until I was satisfied it would meet my own criteria.

I intend to add new features at a very slow pace, and only if they truly
make it a better piece of software.  Focus is on maintainability and
security.  But it's here to stay.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/



Re: Authpf and more than 992 users

2009-11-18 Thread Janusz Gumkowski
On Thu, Jan 08, 2009 at 03:21:42PM +0100, Janusz Gumkowski wrote:
 I'm running out of PTYs on my authpf firewall.
 Simply, more than 992 (max pty limit) users are trying to log in
 simultaneously.
 
 In theory I could disable (in authpf.c) checking whether or not session 
 has been successfully allocated a pty, and force clients not to allocate
 a pty when connecting.
 But I suppose it was made for a reason --  could some kind soul please
 tell me what side-effects disabling this would have ?
 
 Is it at all possible to have more than 992 simultaneous authpf users ?
 

Digging out an old post of mine, still not having any real solution 
but a couple of ugly hacks instead, trying to get rid of them finally.

To the point:  is allocating a pty for authpf logins really necessary ?
What side-effects can I expect if I disable it ?

Any input is welcome.


-- 
Janusz Gumkowski
http://www.am.torun.pl/~ja



Intel PRO/1000 QP

2009-11-18 Thread Andrea Parazzini
Hi,
we have a Dell PowerEdge R610 with two Intel PRO/1000 QP cards
connected to a Cisco 2960G switch.

Each card has four gigabit interfaces,
but only two interfaces per card work properly.
Only the first and third interface of each card work.
The other interfaces do not negotiate the correct speed.
Forcing the speed of the interfaces does not solve the problem.
But it is not just a question of speed:
the interfaces do not work, no traffic at all.
The problem occurs even with a single card.
Also tried the latest snapshot.

Any help is appreciated.

Regards,
Andrea


# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:2a:70
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:2a70%em0 prefixlen 64 scopeid 0x1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:2a:71
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:2a71%em1 prefixlen 64 scopeid 0x2
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:2a:74
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:2a74%em2 prefixlen 64 scopeid 0x3
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:2a:75
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:2a75%em3 prefixlen 64 scopeid 0x4
em4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:19:38
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:1938%em4 prefixlen 64 scopeid 0x5
em5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:19:39
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:1939%em5 prefixlen 64 scopeid 0x6
em6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:19:3c
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:193c%em6 prefixlen 64 scopeid 0x7
em7: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:19:3d
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:193d%em7 prefixlen 64 scopeid 0x8


switch#show interfaces status
Port   Name StatusVlan Duplex  Speed Type
Gi0/20 em0  connected 100  a-full a-1000 10/100/1000BaseTX
Gi0/21 em1  connected 100  a-full  a-100 10/100/1000BaseTX
Gi0/22 em2  connected 100  a-full a-1000 10/100/1000BaseTX
Gi0/23 em3  connected 100  a-full  a-100 10/100/1000BaseTX
Gi0/24 em4  connected 100  a-full a-1000 10/100/1000BaseTX
Gi0/25 em5  connected 100  a-full  a-100 10/100/1000BaseTX
Gi0/26 em6  connected 100  a-full a-1000 10/100/1000BaseTX
Gi0/27 em7  connected 100  a-full  a-100 10/100/1000BaseTX


# dmesg
OpenBSD 4.6 (GENERIC.MP) #89: Thu Jul  9 21:32:39 MDT 2009
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU E5502 @ 1.87GHz (GenuineIntel 686-class) 1.87
GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem  = 3479375872 (3318MB)
avail mem = 3374891008 (3218MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/17/09, BIOS32 rev. 0 @ 0xfa1c0,
SMBIOS rev. 2.6 @ 0xcf79c000 (83 entries)
bios0: vendor Dell Inc. version 1.2.6 date 07/17/2009
bios0: Dell Inc. PowerEdge R610
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET DM__ MCFG WD__ SLIC ERST HEST BERT
EINJ SRAT TCPA SSDT
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 16 (boot processor)
cpu0: unknown i686 model 0x1a, can't get bus clock (0x0)
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 20 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5502 @ 1.87GHz (GenuineIntel 686-class) 1.87
GHz
cpu1:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0: apid 1 pa 0xfec8, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 1
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEX1)
acpiprt2 at acpi0: bus 2 (PEX3)
acpiprt3 at acpi0: bus -1 (PEX4)
acpiprt4 at acpi0: bus -1 (PEX5)
acpiprt5 at acpi0: bus -1 (PEX6)

Re: OpenBSD blog software

2009-11-18 Thread Marco Peereboom
now a wiki

On Wed, Nov 18, 2009 at 12:33:32PM -0500, Jason Dixon wrote:
 On Tue, Nov 17, 2009 at 06:56:40PM +0100, Daniel Gracia Garallar wrote:
  [...]
  P.S. And this will be the last you hear about it from me.  ;)
 
  I hope this doesn't come to mean the project falls dead. I've been  
  reading the source and seems surprisingly simple, but those damned  
  regulars... hehehe.
 
 Not at all.  I intentionally wrote Blogsum so I could begin blogging.  I
 avoided installing the bloat-heavy CMS/blogging alternatives out there
 until I was satisfied it would meet my own criteria.
 
 I intend to add new features at a very slow pace, and only if they truly
 make it a better piece of software.  Focus is on maintainability and
 security.  But it's here to stay.
 
 -- 
 Jason Dixon
 DixonGroup Consulting
 http://www.dixongroup.net/



Re: OpenBSD blog software

2009-11-18 Thread Diana Eichert

On Wed, 18 Nov 2009, Jason Dixon wrote:


Not at all.  I intentionally wrote Blogsum so I could begin blogging.  I
avoided installing the bloat-heavy CMS/blogging alternatives out there
until I was satisfied it would meet my own criteria.


howabout a Blogsum LKM ? ;-)



Re: OpenBSD blog software

2009-11-18 Thread Bret S. Lambert
On Wed, Nov 18, 2009 at 12:00:21PM -0600, Marco Peereboom wrote:
 now a wiki

And before you know it, a social networking site.

I want you to be my friend on Dixonspace!!!

 
 On Wed, Nov 18, 2009 at 12:33:32PM -0500, Jason Dixon wrote:
  On Tue, Nov 17, 2009 at 06:56:40PM +0100, Daniel Gracia Garallar wrote:
   [...]
   P.S. And this will be the last you hear about it from me.  ;)
  
   I hope this doesn't come to mean the project falls dead. I've been  
   reading the source and seems surprisingly simple, but those damned  
   regulars... hehehe.
  
  Not at all.  I intentionally wrote Blogsum so I could begin blogging.  I
  avoided installing the bloat-heavy CMS/blogging alternatives out there
  until I was satisfied it would meet my own criteria.
  
  I intend to add new features at a very slow pace, and only if they truly
  make it a better piece of software.  Focus is on maintainability and
  security.  But it's here to stay.
  
  -- 
  Jason Dixon
  DixonGroup Consulting
  http://www.dixongroup.net/



Re: OpenBSD blog software

2009-11-18 Thread Marco Peereboom
I was actually being serious :-)

But a little ragging never hurt anyone.

I be teh jdixon freind!!

On Wed, Nov 18, 2009 at 07:37:48PM +0100, Bret S. Lambert wrote:
 On Wed, Nov 18, 2009 at 12:00:21PM -0600, Marco Peereboom wrote:
  now a wiki
 
 And before you know it, a social networking site.
 
 I want you to be my friend on Dixonspace!!!
 
  
  On Wed, Nov 18, 2009 at 12:33:32PM -0500, Jason Dixon wrote:
   On Tue, Nov 17, 2009 at 06:56:40PM +0100, Daniel Gracia Garallar wrote:
[...]
P.S. And this will be the last you hear about it from me.  ;)
   
I hope this doesn't come to mean the project falls dead. I've been  
reading the source and seems surprisingly simple, but those damned  
regulars... hehehe.
   
   Not at all.  I intentionally wrote Blogsum so I could begin blogging.  I
   avoided installing the bloat-heavy CMS/blogging alternatives out there
   until I was satisfied it would meet my own criteria.
   
   I intend to add new features at a very slow pace, and only if they truly
   make it a better piece of software.  Focus is on maintainability and
   security.  But it's here to stay.
   
   -- 
   Jason Dixon
   DixonGroup Consulting
   http://www.dixongroup.net/



Re: OpenBSD blog software

2009-11-18 Thread Mike Pugh

Bret S. Lambert wrote:

On Wed, Nov 18, 2009 at 12:00:21PM -0600, Marco Peereboom wrote:

now a wiki


And before you know it, a social networking site.



Wake me when it becomes a cloud.



Re: OpenBSD blog software

2009-11-18 Thread Gilles Chehade

Bret S. Lambert wrote:

On Wed, Nov 18, 2009 at 12:00:21PM -0600, Marco Peereboom wrote:
  

now a wiki



And before you know it, a social networking site.

I want you to be my friend on Dixonspace!!!
  

so you can draw ascii-art penises on his Dixonspace profile ? :-)

Gilles



Re: OpenBSD blog software

2009-11-18 Thread J Sisson
 On Wed, Nov 18, 2009 at 07:37:48PM +0100, Bret S. Lambert wrote:
  On Wed, Nov 18, 2009 at 12:00:21PM -0600, Marco Peereboom wrote:
   now a wiki
 
  And before you know it, a social networking site.
 
  I want you to be my friend on Dixonspace!!!
 


Gotta have realtime plaintext chat for it to be a *true* social networking
site...



Re: Authpf and more than 992 users

2009-11-18 Thread Bob Beck
2009/11/18 Janusz Gumkowski janusz.gumkow...@am.torun.pl:

 Is it at all possible to have more than 992 simultaneous authpf users ?



Yes, use more than one machine.

 Digging out an old post of mine, still not having any real solution
 but a couple of ugly hacks instead, trying to get rid of them finally.

 To the point:  is allocating a pty for authpf logins really necessary ?

Yes.

 What side-efects can I expect if I disable it ?

Probably bad things.



php5-core package install problems

2009-11-18 Thread John
I am having trouble with installing a package, php5-core for OpenBSD 4.6
(i386). There is a dependency that cannot be resolved. php5-core
requires libiconv-1.12, and a package only exists for libiconv-1.13.

# pkg_add -r php5-core  
Can't install php5-core-5.2.10: lib not found iconv.6.0
Dependencies for php5-core-5.2.10 resolve to: libiconv-1.12,
libxml-2.6.32p3, gettext-0.17p0
Full dependency tree is libiconv-1.12,libxml-2.6.32p3,gettext-0.17p0
iconv.6.0: partial match in /usr/local/lib: major=5, minor=0 (bad major)

I've also tried building php from ports with no luck due to a problem
with one of the patches...

===  Extracting for php5-core-5.2.11
===  Patching for php5-core-5.2.11
`/usr/ports/obj/php5-core-5.2.11/.prepatch_done' is up to date.
===  Applying distribution patches for php5-core-5.2.11
Ignoring previously applied (or reversed) patch.
2 out of 2 hunks ignored--saving rejects to
ext/date/lib/parse_date.re.rej
***   patch-ext_date_lib_parse_date_re did not apply cleanly
Ignoring previously applied (or reversed) patch.
1 out of 1 hunks ignored--saving rejects to ext/date/lib/timelib.h.rej
***   patch-ext_date_lib_timelib_h did not apply cleanly
Ignoring previously applied (or reversed) patch.
1 out of 1 hunks ignored--saving rejects to ext/date/php_date.c.rej
***   patch-ext_date_php_date_c did not apply cleanly
*** Error code 1

Stop in /usr/ports/www/php5/core (line 2091
of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/www/php5/core (line 1444
of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/www/php5/core (line 1984
of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/www/php5/core (line 1474
of /usr/ports/infrastructure/mk/bsd.port.mk).
=== Exiting www/php5/core with an error
*** Error code 1

Stop in /usr/ports/www/php5 (line 129
of /usr/ports/infrastructure/mk/bsd.port.subdir.mk). 



Odd name lookup behavior

2009-11-18 Thread stan
Can anyone explain this behavior to me?

Given the following resolv.conf file:

root@pm3fw:root# cat /etc/resolv.conf
lookup file bind
search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
nameserver 127.0.0.1
nameserver 10.209.128.20
nameserver 10.209.128.26
nameserver 10.209.142.158

And:

root@pm3fw:root# nslookup
> cvsup
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   cvsup.mcn.chs
Address: 10.209.142.151
> 10.209.142.151
Server:         127.0.0.1
Address:        127.0.0.1#53

151.142.209.10.in-addr.arpa     name = cvsup.meadwestvaco.com.
> exit

Why does this happen? And how?

root@pm3fw:root# nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 cvsup

Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-18 15:05 EST
Initiating Ping Scan at 15:05
Scanning 10.209.142.151 [8 ports]
Completed Ping Scan at 15:05, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:05
Completed Parallel DNS resolution of 1 host. at 15:05, 0.00s elapsed
Initiating SYN Stealth Scan at 15:05
Scanning cvsup.meadwestvaco.com (10.209.142.151) [1000 ports]

Is nmap not using the resolver libraries?


-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: OpenBSD blog software

2009-11-18 Thread Robert
On Wed, 18 Nov 2009 20:04:01 +0100
Gilles Chehade gil...@poolp.org wrote:

 Bret S. Lambert wrote:
  On Wed, Nov 18, 2009 at 12:00:21PM -0600, Marco Peereboom wrote:

  now a wiki
  
 
  And before you know it, a social networking site.
 
  I want you to be my friend on Dixonspace!!!

 so you can draw ascii-art penises on his Dixonspace profile ? :-)
 
 Gilles

Little bit of ajax preload magic in the background and in random
intervals flash for a fraction of a second a picture of bob's...
hh, noes, get out of my head!



5 PKK members sent to İmralı

2009-11-18 Thread Bölgesel Haberler
Bölgesel Haberler, Daily Flash News


5 PKK members sent to İmralı

Öcalan's solitude has come to an end. The separatist leader's neighbours have
already been sent to İmralı... For now, 5 PKK members will keep Öcalan company;
Click here to read the rest

Bölgesel Haberler
Click here to cancel your news subscription..



Questions about chrooted apache and exec() in php

2009-11-18 Thread Matthew Young
Hello,


I am running the apache in base 4.5 with the chroot.

I am trying to run this simple script (as a test) but I cannot make it
output anything...


I have done a cp /usr/bin/whoami /var/www/bin/ , made sure that
ownership is root:daemon, and permissions are 600, i have even tried
777

 i have tried the following combinations:

<?php echo exec('whoami 2>&1'); ?>
<?php echo exec('/bin/whoami'); ?>
<?php echo exec('/var/www/bin/whoami'); ?>
<?php echo exec('(whoami)'); ?>
<?php echo exec('./bin/whoami'); ?>


No go, no output.

What could



Re: php5-core package install problems

2009-11-18 Thread Jacob Meuser
On Thu, Nov 19, 2009 at 05:10:12AM +1100, John wrote:
 I am having trouble with installing a package, php5-core for OpenBSD 4.6
 (i386). There is a dependency that cannot be resolved. php5-core
 requires libiconv-1.12, and a package only exists for libiconv-1.13.
 
 # pkg_add -r php5-core  
 Can't install php5-core-5.2.10: lib not found iconv.6.0
 Dependencies for php5-core-5.2.10 resolve to: libiconv-1.12,
 libxml-2.6.32p3, gettext-0.17p0
 Full dependency tree is libiconv-1.12,libxml-2.6.32p3,gettext-0.17p0
 iconv.6.0: partial match in /usr/local/lib: major=5, minor=0 (bad major)

maybe you have a broken php5-core package in your PKG_PATH?

$ ftp 
ftp://ftp3.usa.openbsd.org/pub/OpenBSD/4.6/packages/i386/php5-core-5.2.10.tgz
[...]
$ pkg_info -f ./php5-core-5.2.10.tgz | grep iconv
@depend converters/libiconv:libiconv-*:libiconv-1.13
@wantlib iconv.6.0
[...]
$ ftp ftp://ftp3.usa.openbsd.org/pub/OpenBSD/4.6/packages/i386/libiconv-1.13.tgz
[...]
$ pkg_info -f ./libiconv-1.13.tgz | grep \@lib
@lib lib/libcharset.so.1.0
@lib lib/libiconv.so.6.0

 I've also tried building php from ports with no luck due to a problem
 with one of the patches...
 
 ===  Extracting for php5-core-5.2.11
 ===  Patching for php5-core-5.2.11
 `/usr/ports/obj/php5-core-5.2.11/.prepatch_done' is up to date.
 ===  Applying distribution patches for php5-core-5.2.11
 Ignoring previously applied (or reversed) patch.
 2 out of 2 hunks ignored--saving rejects to
 ext/date/lib/parse_date.re.rej
 ***   patch-ext_date_lib_parse_date_re did not apply cleanly
 Ignoring previously applied (or reversed) patch.
 1 out of 1 hunks ignored--saving rejects to ext/date/lib/timelib.h.rej
 ***   patch-ext_date_lib_timelib_h did not apply cleanly
 Ignoring previously applied (or reversed) patch.
 1 out of 1 hunks ignored--saving rejects to ext/date/php_date.c.rej
 ***   patch-ext_date_php_date_c did not apply cleanly
 *** Error code 1

all those messages are the same: previously applied (or reversed) patch.

you need to 'make clean'.

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: php5-core package install problems

2009-11-18 Thread Robert
On Thu, 19 Nov 2009 05:10:12 +1100
John john.n.t...@live.com wrote:

 I am having trouble with installing a package, php5-core for OpenBSD
 4.6 (i386). There is a dependency that cannot be resolved. php5-core
 requires libiconv-1.12, and a package only exists for libiconv-1.13.
 
 # pkg_add -r
 php5-core Can't install php5-core-5.2.10: lib not found iconv.6.0
 Dependencies for php5-core-5.2.10 resolve to: libiconv-1.12,
 libxml-2.6.32p3, gettext-0.17p0
 Full dependency tree is libiconv-1.12,libxml-2.6.32p3,gettext-0.17p0
 iconv.6.0: partial match in /usr/local/lib: major=5, minor=0 (bad
 major)

hm,

# ftp ftp://ftp.openbsd.org/pub/OpenBSD/4.6/packages/i386/php5-core-5.2.10.tgz
# pkg_info -f ./php5-core-5.2.10.tgz | grep iconv
@depend converters/libiconv:libiconv-*:libiconv-1.13
@wantlib iconv.6.0
[...]

i see a dep on 1.13, not 1.12.

why pkg_add -r?
do you have another php5-core installed that you want to replace?
-r/replace doesn't make much sense if you want to install a package.
are you updating your packages after an upgrade to 4.6?
if so, give -F update,updatedepends a try and let pkg_add do its
-u magic.

- Robert
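An added example, not code from the thread and not pkg_add's own code, that reproduces the check behind the two messages Jacob and Robert quote, "lib not found iconv.6.0" and "partial match in /usr/local/lib: major=5, minor=0 (bad major)": a wanted library name.major.minor is satisfied only by an installed library with the same name, the same major and a minor at least as large. The @wantlib list and the installed-file list below are constructed; libiconv.so.5.0 stands in for a leftover older libiconv and is not something shown on the page.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the @wantlib check pkg_add
# performs, against constructed input instead of a live /usr/local/lib.

# Constructed: wanted libraries, in the "name.major.minor" form printed by
# pkg_info -f (iconv.6.0 and charset.1.0 appear in the thread's output).
WANTLIB='iconv.6.0
charset.1.0'

# Constructed: what /usr/local/lib might hold with an older libiconv still
# installed. libiconv.so.5.0 is hypothetical; libcharset.so.1.0 is from the
# libiconv-1.13 @lib lines quoted above.
INSTALLED='libiconv.so.5.0
libcharset.so.1.0'

# lib_satisfies WANTED INSTALLED
#   Both arguments are "name.major.minor". Returns 0 when INSTALLED can serve
#   WANTED, 1 for a different library, 2 for a major mismatch (OpenBSD's
#   "bad major"), 3 when the installed minor is older than the wanted one.
lib_satisfies() {
    w_name=${1%.*.*}; w_rest=${1#"$w_name".}; w_major=${w_rest%.*}; w_minor=${w_rest#*.}
    i_name=${2%.*.*}; i_rest=${2#"$i_name".}; i_major=${i_rest%.*}; i_minor=${i_rest#*.}
    [ "$w_name" = "$i_name" ] || return 1
    [ "$w_major" -eq "$i_major" ] || return 2
    [ "$i_minor" -ge "$w_minor" ] || return 3
    return 0
}

# check_wantlib WANTED -> one pkg_add-style verdict line; status 0 only when
# some installed file satisfies WANTED.
check_wantlib() {
    partial=""
    for f in $INSTALLED; do
        # libiconv.so.5.0 -> iconv.5.0
        spec=${f#lib}
        spec=${spec%%.so.*}.${f##*.so.}
        rc=0; lib_satisfies "$1" "$spec" || rc=$?
        case $rc in
            0) printf '%s: satisfied by %s\n' "$1" "$f"; return 0 ;;
            2) partial="$spec (bad major)" ;;
            3) partial="$spec (minor too old)" ;;
        esac
    done
    if [ -n "$partial" ]; then
        printf '%s: lib not found; partial match %s\n' "$1" "$partial"
    else
        printf '%s: lib not found\n' "$1"
    fi
    return 1
}

for w in $WANTLIB; do
    check_wantlib "$w" || true
done
```

On a real 4.6 system the fix is the one Robert gives: let pkg_add -u (with -F update,updatedepends) bring libiconv and the other installed packages up to the 4.6 versions, so the new php5-core's @wantlib lines are satisfied, rather than forcing php5-core in with -r on top of stale libraries.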



Re: midwest US mirror

2009-11-18 Thread joshua stein
 I should mention things that I didn't before and reiterate others . . .
 
 1) I am committed to maintaining this service
 2) At the moment, I have a ~300G hard drive devoted to it (and willing
 to devote more, in the future)
 3) I have a DSL (high-speed) connection

i'm not sure what kind of outbound speeds your dsl connection is
capable of, but the old second level mirror rt.fm saw spikes of up
to 80mbps and a constant 20mbps outbound for many days around each
release time.



Re: Questions about chrooted apache and exec() in php

2009-11-18 Thread Robert
On Wed, 18 Nov 2009 14:23:42 -0600
Matthew Young myoung24...@gmail.com wrote:

 Hello,
 
 
 I am running the apache in base 4.5 with the chroot.
 
 I am trying to run this simple script (as a test) but I cannot make it
 output anything...
 
 
 I have done a cp /usr/bin/whoami /var/www/bin/ , made sure that
 ownership is root:daemon, and permissions are 600, i have even tried
 777
 
  i have tried the following combinations:
 
 <?php echo exec('whoami 2>&1'); ?>
 <?php echo exec('/bin/whoami'); ?>
 <?php echo exec('/var/www/bin/whoami'); ?>
 <?php echo exec('(whoami)'); ?>
 <?php echo exec('./bin/whoami'); ?>
 
 
 No go, no output.
 
 What could

# ktrace whoami
[...]
# kdump ktrace.out
 25471 ktrace   RET   ktrace 0
 25471 ktrace   CALL  execve(0x7f7f8690,0x7f7f8c08,0x7f7f8c18)
 25471 ktrace   NAMI  /usr/bin/whoami
 25471 ktrace   NAMI  /bin/sh
[...]
# ls /var/www/bin/sh
ls: /var/www/bin/sh: No such file or directory

- Robert
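An added example, not from the thread, of the check Robert's ktrace output points at. PHP's exec(), shell_exec(), system() and popen() hand the command line to /bin/sh -c, so with httpd chrooted to /var/www the shell has to exist as /var/www/bin/sh before /var/www/bin/whoami can ever be reached. The function below checks that from outside the chroot; the throwaway directory it runs against is constructed here and stands in for /var/www with only bin/whoami copied in, as in the question.

```shell
#!/bin/sh
# Added example (not from the thread): verify from outside the chroot that the
# files PHP's exec() needs are present and executable under the chroot root.

# chroot_check ROOT PATH... -> prints one line per path; returns 1 if any
# path is missing or not executable as seen from inside ROOT.
chroot_check() {
    root=$1; shift
    missing=0
    for p in "$@"; do
        if [ -x "$root$p" ]; then
            printf 'present: %s%s\n' "$root" "$p"
        else
            printf 'MISSING: %s%s\n' "$root" "$p"
            missing=1
        fi
    done
    return $missing
}

# chroot_deps BIN -> absolute paths of the shared objects a dynamically linked
# BIN pulls in, all of which would also have to exist under the chroot root.
# Best effort: relies on ldd's output containing one absolute path per object
# and prints nothing for a static binary or when ldd is unavailable.
chroot_deps() {
    ldd "$1" 2>/dev/null | grep -o '/[^ :]*' | grep -v "^$1\$" | sort -u
}

# Demo against a constructed directory standing in for /var/www: bin/whoami
# has been copied, bin/sh has not, so exec() has nothing to run the command with.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin"
printf '#!/bin/sh\necho demo\n' > "$demo_root/bin/whoami"
chmod 755 "$demo_root/bin/whoami"
chroot_check "$demo_root" /bin/sh /bin/whoami || echo "exec() cannot work in this chroot yet"
rm -rf "$demo_root"
```

Two caveats before copying anything in. On OpenBSD the binaries in /bin and /sbin are statically linked, so /bin/sh needs nothing else, but /usr/bin/whoami is dynamically linked and would also need ld.so and libc under /var/www (chroot_deps lists them on a live system). More importantly, a shell inside the web server's chroot is handed to whoever gets code execution through PHP, which is precisely what the chroot exists to contain; getting the information from PHP itself, or doing the work outside the chroot, keeps that hurdle in place.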



Re: Questions about chrooted apache and exec() in php

2009-11-18 Thread Robert
On Wed, 18 Nov 2009 22:44:51 +0100
Robert rob...@openbsd.pap.st wrote:

 # kdump ktrace.out
kdump -f ...



Re: Odd name lookup behavior

2009-11-18 Thread Dave Anderson
On Wed, 18 Nov 2009, stan wrote:

Can anyone explain this behavior to me?

Without access to your nameservers it's not possible to be sure, but see
below -- this looks normal to me.

Given the following resolv.conf file:

root@pm3fw:root# cat /etc/resolv.conf
lookup file bind
search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
nameserver 127.0.0.1
nameserver 10.209.128.20
nameserver 10.209.128.26
nameserver 10.209.142.158

And:

root@pm3fw:root# nslookup
> cvsup
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   cvsup.mcn.chs
Address: 10.209.142.151
> 10.209.142.151
Server:         127.0.0.1
Address:        127.0.0.1#53

151.142.209.10.in-addr.arpa     name = cvsup.meadwestvaco.com.
> exit

Why does this happen? And how?

You apparently have a system with multiple names and a single IP
address.  Both cvsup.mcn.chs and cvsup.meadwestvaco.com are assigned
address 10.209.142.151, but the reverse-lookup entry can't return both
names.  Given the order of domains in your 'search' directive,
cvsup.mcn.chs is looked up first and so is the name that nslookup
reports, but cvsup.meadwestvaco.com was chosen as the 'official' name
for the reverse lookup by whoever set up your DNS.

root@pm3fw:root# nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 cvsup

Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-18 15:05 EST
Initiating Ping Scan at 15:05
Scanning 10.209.142.151 [8 ports]
Completed Ping Scan at 15:05, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:05
Completed Parallel DNS resolution of 1 host. at 15:05, 0.00s elapsed
Initiating SYN Stealth Scan at 15:05
Scanning cvsup.meadwestvaco.com (10.209.142.151) [1000 ports]

Is nmap not using the resolver libraries?

I've never looked at the innards of nmap, but I expect that it's
reporting the 'official' name from the reverse lookup regardless of how
you initially specified the system to scan.  Given that it can scan
multiple hosts this makes sense, since it may not have been given names
for all of them.

Dave

-- 
Dave Anderson
d...@daveanderson.com



Re: Odd name lookup behavior

2009-11-18 Thread Robert
On Wed, 18 Nov 2009 15:06:28 -0500
stan st...@panix.com wrote:

 Can anyone explain this behavior to me?
 
 Given the following resolv.conf file:
 
 r...@pm3fw:root# cat /etc/resolv.conf
 lookup file bind
 search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
 nameserver 127.0.0.1 
 nameserver 10.209.128.20
 nameserver 10.209.128.26
 nameserver 10.209.142.158
 
 And:
 
 r...@pm3fw:root# nslookup
  cvsup
 Server: 127.0.0.1
 Address:127.0.0.1#53
 
 Non-authoritative answer:
 Name:   cvsup.mcn.chs
 Address: 10.209.142.151
  10.209.142.151
 Server: 127.0.0.1
 Address:127.0.0.1#53
 
 151.142.209.10.in-addr.arpa name = cvsup.meadwestvaco.com.
  exit
 
 Why does this happen ? And how?
 
 r...@pm3fw:root# nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389
 cvsup 
 
 Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-18 15:05 EST
 Initiating Ping Scan at 15:05
 Scanning 10.209.142.151 [8 ports]
 Completed Ping Scan at 15:05, 0.20s elapsed (1 total hosts)
 Initiating Parallel DNS resolution of 1 host. at 15:05
 Completed Parallel DNS resolution of 1 host. at 15:05, 0.00s elapsed
 Initiating SYN Stealth Scan at 15:05
 Scanning cvsup.meadwestvaco.com (10.209.142.151) [1000 ports]
 
 Is nmap not using the resolver libraries?
 
 

Your DNS at 127.0.0.1 does not resolve 151.142.209.10.in-addr.arpa?
127.0.0.1:53 allows recursive queries so it looks elsewhere and serves
the real hostname?

- Robert



SPAMd blacklists unavailable

2009-11-18 Thread Laurent CARON

Hi,

While trying to get http://www.openbsd.org/spamd/chinacidr.txt.gz and 
http://www.openbsd.org/spamd/koreacidr.txt.gz i'm getting 404's.


Have those resources been moved ?

I'm in the meantime using 
http://ipdeny.com/ipblocks/data/countries/cn.zone and 
http://ipdeny.com/ipblocks/data/countries/kr.zone


Thanks

Laurent



Re: Odd name lookup behavior

2009-11-18 Thread stan
On Wed, Nov 18, 2009 at 05:00:02PM -0500, Dave Anderson wrote:
 On Wed, 18 Nov 2009, stan wrote:
 
  Can anyone explain this behavior to me?
 
 Without access to your nameservers it's not possible to be sure, but see
 below -- this looks normal to me.
 
 Given the following resolv.conf file:
 
 r...@pm3fw:root# cat /etc/resolv.conf
 lookup file bind
 search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
 nameserver 127.0.0.1
 nameserver 10.209.128.20
 nameserver 10.209.128.26
 nameserver 10.209.142.158
 
 And:
 
 r...@pm3fw:root# nslookup
  cvsup
 Server: 127.0.0.1
 Address:127.0.0.1#53
 
 Non-authoritative answer:
 Name:   cvsup.mcn.chs
 Address: 10.209.142.151
  10.209.142.151
 Server: 127.0.0.1
 Address:127.0.0.1#53
 
 151.142.209.10.in-addr.arpa name = cvsup.meadwestvaco.com.
  exit
 
 Why does this happen ? And how?
 
 You apparently have a system with multiple names and a single IP
 address.  Both cvsup.mcn.chs and cvsup.meadwestvaco.com are assigned
 address 10.209.142.151, but the reverse-lookup entry can't return both
 names.  Given the order of domains in your 'search' directive,
 cvsup.mcn.chs is looked up first and so is the name that nslookup
 reports, but cvsup.meadwestvaco.com was chosen as the 'official' name
 for the reverse lookup by whoever set up your DNS.
 
 
Your analysis is correct, in that there are multiple names (don't ask :-().
I have control of some of the nameservers. They are BIND 9 on OpenBSD. Can
you clarify what you mean by "official name"? Are you talking about an A
entry, as opposed to a CNAME entry?


-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: Odd name lookup behavior

2009-11-18 Thread stan
On Wed, Nov 18, 2009 at 11:21:41PM +0100, Robert wrote:
 On Wed, 18 Nov 2009 15:06:28 -0500
 stan st...@panix.com wrote:
 
   Can anyone explain this behavior to me?
  
  Given the following resolv.conf file:
  
  r...@pm3fw:root# cat /etc/resolv.conf
  lookup file bind
  search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
  nameserver 127.0.0.1 
  nameserver 10.209.128.20
  nameserver 10.209.128.26
  nameserver 10.209.142.158
  
  And:
  
  r...@pm3fw:root# nslookup
   cvsup
  Server: 127.0.0.1
  Address:127.0.0.1#53
  
  Non-authoritative answer:
  Name:   cvsup.mcn.chs
  Address: 10.209.142.151
   10.209.142.151
  Server: 127.0.0.1
  Address:127.0.0.1#53
  
  151.142.209.10.in-addr.arpa name = cvsup.meadwestvaco.com.
   exit
  
  Why does this happen ? And how?
  
  r...@pm3fw:root# nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389
  cvsup 
  
  Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-18 15:05 EST
  Initiating Ping Scan at 15:05
  Scanning 10.209.142.151 [8 ports]
  Completed Ping Scan at 15:05, 0.20s elapsed (1 total hosts)
  Initiating Parallel DNS resolution of 1 host. at 15:05
  Completed Parallel DNS resolution of 1 host. at 15:05, 0.00s elapsed
  Initiating SYN Stealth Scan at 15:05
  Scanning cvsup.meadwestvaco.com (10.209.142.151) [1000 ports]
  
  Is nmap not using the resolver libraries?
  
  
 
 Your DNS at 127.0.0.1 does not resolve 151.142.209.10.in-addr.arpa?
 127.0.0.1:53 allows recursive queries so it looks elsewhere and serves
 the real hostname?

Yes, the BIND 9 instance on this OpenBSD machine does allow recursion, but
the machines that it points to _should not_ have a reverse record for this
address that points to the meadwestvaco name.

Sounds like I need to check that out though.

Thanks.
-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: Odd name lookup behavior

2009-11-18 Thread stan
On Wed, Nov 18, 2009 at 11:21:41PM +0100, Robert wrote:
 On Wed, 18 Nov 2009 15:06:28 -0500
 stan st...@panix.com wrote:
 
   Can anyone explain this behavior to me?
  
  Given the following resolv.conf file:
  
  r...@pm3fw:root# cat /etc/resolv.conf
  lookup file bind
  search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
  nameserver 127.0.0.1 
  nameserver 10.209.128.20
  nameserver 10.209.128.26
  nameserver 10.209.142.158
  
  And:
  
  r...@pm3fw:root# nslookup
   cvsup
  Server: 127.0.0.1
  Address:127.0.0.1#53
  
  Non-authoritative answer:
  Name:   cvsup.mcn.chs
  Address: 10.209.142.151
   10.209.142.151
  Server: 127.0.0.1
  Address:127.0.0.1#53
  
  151.142.209.10.in-addr.arpa name = cvsup.meadwestvaco.com.
   exit
  
  Why does this happen ? And how?
  
  r...@pm3fw:root# nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389
  cvsup 
  
  Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-18 15:05 EST
  Initiating Ping Scan at 15:05
  Scanning 10.209.142.151 [8 ports]
  Completed Ping Scan at 15:05, 0.20s elapsed (1 total hosts)
  Initiating Parallel DNS resolution of 1 host. at 15:05
  Completed Parallel DNS resolution of 1 host. at 15:05, 0.00s elapsed
  Initiating SYN Stealth Scan at 15:05
  Scanning cvsup.meadwestvaco.com (10.209.142.151) [1000 ports]
  
  Is nmap not using the resolver libraries?
  
  
 
 Your DNS at 127.0.0.1 does not resolve 151.142.209.10.in-addr.arpa?
 127.0.0.1:53 allows recursive queries so it looks elsewhere and serves
 the real hostname?

OK, here are the servers that the local nameserver recurses to:

forwarders {
    10.209.142.158;
    10.209.144.150;
    10.209.142.154;
};

And if I use nslookup and set it to each of them in turn, I still get the
mcn.chs name:

stan@pm3fw:stan$ nslookup
> cvsup
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   cvsup.mcn.chs
Address: 10.209.142.151
> 10.209.142.151
Server:         127.0.0.1
Address:        127.0.0.1#53

151.142.209.10.in-addr.arpa     name = cvsup.meadwestvaco.com.
> server 10.209.142.158
Default server: 10.209.142.158
Address: 10.209.142.158#53
> cvsup
Server:         10.209.142.158
Address:        10.209.142.158#53

Non-authoritative answer:
Name:   cvsup.mcn.chs
Address: 10.209.142.151
> server 10.209.144.150
Default server: 10.209.144.150
Address: 10.209.144.150#53
> cvsup
Server:         10.209.144.150
Address:        10.209.144.150#53

Non-authoritative answer:
Name:   cvsup.mcn.chs
Address: 10.209.142.151
> server 10.209.142.154
Default server: 10.209.142.154
Address: 10.209.142.154#53
> cvsup
Server:         10.209.142.154
Address:        10.209.142.154#53

Non-authoritative answer:
Name:   cvsup.mcn.chs
Address: 10.209.142.151

Of course, I do see the Non-authoritative answer: clause in each of
these. Would that mean that a program could request an authoritative
answer? If so, how?

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Bryan
So glad we don't have these kinds of issues...

https://bugzilla.redhat.com/show_bug.cgi?id=534047



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Gilles Chehade
On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote:
 So glad we don't have these kinds of issues...
 
 https://bugzilla.redhat.com/show_bug.cgi?id=534047
 

no one offered a diff to implement that feature on OpenBSD yet ?
it can easily be done by writing a sudoKit policy :-)

Gilles

-- 
Gilles Chehade
freelance developer/sysadmin/consultant

   http://www.poolp.org



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Abel Abraham Camarillo Ojeda
On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote:
 So glad we don't have these kinds of issues...
 
 https://bugzilla.redhat.com/show_bug.cgi?id=534047
 

Wow that's tremendously funny.

-- 
DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/ 
This message will self-destruct in 3 seconds.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Bryan
On Wed, Nov 18, 2009 at 16:55, Abel Abraham Camarillo Ojeda
acam...@the00z.org wrote:
 On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote:
 So glad we don't have these kinds of issues...

 https://bugzilla.redhat.com/show_bug.cgi?id=534047


 Wow that's tremendously funny.

 --
 DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/
 This message will self-destruct in 3 seconds.


I particular like comment #8, where one of the devs basically says
this is a feature, not a bug



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Ted Unangst
Before everyone goes too bonkers, consider exactly how safe/dangerous  
this behavior actually is on a single user machine.  Food for thought.


Think to yourself: what *exactly* is the difference between the only  
user account on your machine and root? How are you safe?


On Nov 18, 2009, at 4:05 PM, Bryan bra...@gmail.com wrote:


So glad we don't have these kinds of issues...

https://bugzilla.redhat.com/show_bug.cgi?id=534047




Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Theo de Raadt
 Before everyone goes too bonkers, consider exactly how safe/dangerous  
 this behavior actually is on a single user machine.  Food for thought.
 
 Think to yourself: what *exactly* is the difference between the only  
 user account on your machine and root? How are you safe?

Not everyone runs firefox as root, like you Ted.

Blurring all the lines is the wrong assessment.  Yes, a lot of safety
is about hurdles.  The sidewalk is raised to a different height than
the road as a hurdle, and it has a safety benefit.  It reduces the
danger for pedestrians because drivers don't want the hurdle of
replacing their rims.  That is safety.

I prefer the hurdles.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Martin Schröder
2009/11/19 Ted Unangst ted.unan...@gmail.com:
 Think to yourself: what *exactly* is the difference between the only user
 account on your machine and root? How are you safe?

And then you create a guest account on your netbook...

Read the comments. There are some interesting exploits for this...

Best
   Martin



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Eric Furman
On Wed, 18 Nov 2009 17:08 -0800, Bryan bra...@gmail.com wrote:
 On Wed, Nov 18, 2009 at 16:55, Abel Abraham Camarillo Ojeda
 acam...@the00z.org wrote:
  On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote:
  So glad we don't have these kinds of issues...
 
  https://bugzilla.redhat.com/show_bug.cgi?id=534047
 
 
  Wow that's tremendously funny.
 
  --
  DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/
  This message will self-destruct in 3 seconds.
 
 
 I particular like comment #8, where one of the devs basically says
 this is a feature, not a bug
 

Holy crap, you're right! This is funny as hell.
I originally had not read the comments section.
I especially liked;
I don't particularly care how UNIX has always worked.
In other words; I don't particularly care about security you
masturbating monkeys. :)



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Abel Abraham Camarillo Ojeda
On Wed, Nov 18, 2009 at 05:38:38PM -0800, Ted Unangst wrote:
 Before everyone goes too bonkers, consider exactly how safe/dangerous  
 this behavior actually is on a single user machine.  Food for thought.

 Think to yourself: what *exactly* is the difference between the only  
 user account on your machine and root? How are you safe?

 On Nov 18, 2009, at 4:05 PM, Bryan bra...@gmail.com wrote:

 So glad we don't have these kinds of issues...

 https://bugzilla.redhat.com/show_bug.cgi?id=534047


well i think that the problem is that the new *feature* is enabled by
default, it will definitely be useful on desktops/netbook/whatever.

-- 
DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/ 
This message will self-destruct in 3 seconds.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread James Peltier
--- On Wed, 11/18/09, Bryan bra...@gmail.com wrote:

 From: Bryan bra...@gmail.com
 Subject: OT: Have you hugged your local OpenBSD dev lately?
 To: Misc OpenBSD misc@openbsd.org
 Received: Wednesday, November 18, 2009, 7:05 PM
 So glad we don't have these kinds of
 issues...
 
 https://bugzilla.redhat.com/show_bug.cgi?id=534047
 
 

This is a blatant ID10T error.  Comments 9 and 10 are my favorite.  Last I 
looked it *was* insecure to let non-root users install software let alone do it 
by default and without a password!


---
James A. Peltier james_a_pelt...@yahoo.ca





Re: Match rule with scrub options cause some websites to hang

2009-11-18 Thread Cor
Here's a brief overview of what I did.  If it's not what you are looking 
for, let me know (or we can take a more detailed discussion off-list).


I don't claim to be an expert in this.  I did a lot of Googling/reading, 
and cobbled together my strategy from several sources.  Even then, I 
think I'm going to change it a bit with the next snapshot I load.


I installed the snapshot onto an 8GB CF card mounted as a raw disk in Sun 
VirtualBox PUEL.  I'm sure you could do it all on the Soekris as well, 
but VirtualBox on my Core i7 workstation is faster than the Soekris :/  
I then dd'ed the image to a raw disk file and worked from it to set most 
everything up, then dd'ed it back to the CF, popped it in the Soekris, 
and there did the final config and testing.


I have /tmp, /dev, and /var in MFS, and everything else mounted 
read-only, so that I can unplug the thing with impunity.  From what I 
read that's really the only reason to put things in MFS, because a 
modern CF card will last years even used as a hard disk, and doing the 
MFS thing is definitely extra effort.  If it's your home router and you 
are willing to treat it like a regular computer, it's easier to just 
use the CF like any other hard disk and install in the normal manner.


My one big change I'll make is actually having some swap space.  I have 
a very small amount now to support the MFS, but based on discussion on 
this list in the last month or so there's no reason not to have a normal 
amount of swap with a 4GB or more CF.


The Soekris makes a fine home firewall, but I'm not sure how it would 
perform under heavier loads.  The VIA vr network interfaces are not 
known as the most efficient (though there is a PCI slot to add something 
different if you desire), and I don't know how the Geode CPU would 
handle a lot of encryption, say, several simultaneous IPSec or ssh 
users.  I'm looking at mini-ITX Atom boards as the basis for a 
multipurpose, CF-booting platform (firewall, X-terminal, NAS/backup 
server) I want to use at work.  Each machine would do only one thing in 
that list, but I could keep one spare for all and just swap out CF cards 
to change their role.  The Atom boards probably don't have much more 
horsepower than the Soekris, but some have better network interfaces 
(Intel em), and they can be had with dual video interfaces too.



stan wrote:

On Sun, Nov 08, 2009 at 10:32:07PM -0600, Cor wrote:
  
I'm running a late-October post-4.6 snapshot on a new Soekris firewall, 
and noticed something peculiar after setting up the rules per the new 
pf.conf(5) man page.  I had a few lesser-known websites just hang and 
eventually time out (the majors still work fine), but thought little 
of it until I went to the ISA web site (www.isa.org) to renew my 
membership there and noticed the same effect.




I need to build a couple of those.

Which methodology are you using to build these?




Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Ted Unangst
On Nov 18, 2009, at 5:47 PM, Theo de Raadt dera...@cvs.openbsd.org  
wrote:



Before everyone goes too bonkers, consider exactly how safe/dangerous
this behavior actually is on a single user machine.  Food for  
thought.


Think to yourself: what *exactly* is the difference between the only
user account on your machine and root? How are you safe?


Not everyone runs firefox as root, like you Ted.


It's the easiest way to nice it to -10...




Blurring all the lines is the wrong assessment.  Yes, a lot of safety
is about hurdles.  The sidewalk is raised to a different height than
the road as a hurdle, and it has a safety benefit.  It reduces the
danger for pedestrians because drivers don't want the hurdle of
replacing their rims.  That is safety.

I prefer the hurdles.




Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Ted Unangst

If you give untrusted people unsupervised access to your laptop, I
hope you have a better lock than I do.

On Nov 18, 2009, at 5:45 PM, Martin Schröder mar...@oneiros.de wrote:


2009/11/19 Ted Unangst ted.unan...@gmail.com:

Think to yourself: what *exactly* is the difference between the
only user
account on your machine and root? How are you safe?


And then you create a guest account on your netbook...

Read the comments. There are some interesting exploits for this...

Best
  Martin




Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Ted Unangst

Not a change i would make, but for a desktop? Not a big deal.

On Nov 18, 2009, at 5:48 PM, Eric Furman misc@openbsd.org wrote:


but making it *default* behaviour??

On Wed, 18 Nov 2009 17:38 -0800, Ted Unangst ted.unan...@gmail.com
wrote:

Before everyone goes too bonkers, consider exactly how safe/dangerous
this behavior actually is on a single user machine.  Food for  
thought.


Think to yourself: what *exactly* is the difference between the only
user account on your machine and root? How are you safe?

On Nov 18, 2009, at 4:05 PM, Bryan bra...@gmail.com wrote:


So glad we don't have these kinds of issues...

https://bugzilla.redhat.com/show_bug.cgi?id=534047




Re: Odd name lookup behavior

2009-11-18 Thread Dave Anderson
On Wed, 18 Nov 2009, stan wrote:

On Wed, Nov 18, 2009 at 05:00:02PM -0500, Dave Anderson wrote:
 On Wed, 18 Nov 2009, stan wrote:

 Can anyone explain this behavior to me?

 Without access to your nameservers it's not possible to be sure, but see
 below -- this looks normal to me.

 Given the following resolv.conf file:
 
 r...@pm3fw:root# cat /etc/resolv.conf
 lookup file bind
 search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
 nameserver 127.0.0.1
 nameserver 10.209.128.20
 nameserver 10.209.128.26
 nameserver 10.209.142.158
 
 And:
 
 r...@pm3fw:root# nslookup
  cvsup
 Server: 127.0.0.1
 Address:127.0.0.1#53
 
 Non-authoritative answer:
 Name:   cvsup.mcn.chs
 Address: 10.209.142.151
  10.209.142.151
 Server: 127.0.0.1
 Address:127.0.0.1#53
 
 151.142.209.10.in-addr.arpa name = cvsup.meadwestvaco.com.
  exit
 
 Why does this happen ? And how?

 You apparently have a system with multiple names and a single IP
 address.  Both cvsup.mch.chs and cvsup.meadwestvaco.com are assigned
 address 10.209.142.151, but the reverse-lookup entry can't return both
 names.  Given the order of domains in your 'search' directive,
 cvsup.mcn.chs is looked up first and so is the name that nslookup
 reports, but cvsup.meadwestvaco.com was chosen as the 'official' name
 for the reverse lookup by whoever set up your DNS.

Your analysis is correct, in that there are multiple names (don't ask :-().
I have control of some of the nameservers. They are bind 9 on OpenBSD; can
you clarify what you mean by official name? Are you talking about an A
entry, as opposed to a CNAME entry?

Sorry I wasn't clear.  I was referring to the *.in-addr.arpa 'PTR' DNS
entry which provides the translation from IPv4 address to host name.

Dave

-- 
Dave Anderson
d...@daveanderson.com



Re: Changing the NIC on installed system?

2009-11-18 Thread Denise H. G.
Roger Schreiter ro...@planinternet.de writes:

 Hello,

 I did not yet understand very well, how the NIC drivers are
 selected. Is it done while installing OpenBSD or is it
 done at boot?

 In the latter case, I assume, I can replace a PCI network
 interface without changing any driver settings.

NIC drivers are all in a GENERIC kernel, I think. So, if you are running
a GENERIC, you don't have to change many driver settings.


 If the logical interface name will be different, I maybe
 will have to rename hostname.vge0 to hostname.XX0 or similar.

true.


 Or are there much more changes necessary, when replacing a
 MikroTik NIC by an Intel one? System in OpenBSD-4.5


If you write your interface name at somewhere else, you have to change
them accordingly, I guess.


 Regards,
 Roger.




regards.

-- 
tamgya |aT| GmAiL |DoT| cOm



pam-devel package??

2009-11-18 Thread Elliott Barrere
Hi all,

I need to build a pam-dependent plugin (openvpn-auth-pam) that requires the
pam-devel libraries; I think that's why it's failing to build.  I can't seem
to find them in any OpenBSD port or package list; can someone point me in the
right direction or tell me what to look for?

...Alternatively, a pre-built openvpn-auth-pam.so for i386 would suffice as
well.  :)

Thanks!

-elliott-



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Jacob Meuser
On Wed, Nov 18, 2009 at 05:38:38PM -0800, Ted Unangst wrote:
 Before everyone goes too bonkers, consider exactly how safe/dangerous  
 this behavior actually is on a single user machine.

but did they also by default restrict the system to 1 user?

it's not so much the idea that's laughable, but the way it was
implemented.

What I contest is that to *undo* it you need to be an experienced
system admin that knows how to write policykit policies and where
to drop them.

I think we can count the number of people able to do that on the
tips of my fingers. - Simo Sorce, Software Engineer at Red Hat, Inc.

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: Odd name lookup behavior

2009-11-18 Thread Bryan Irvine
 You apparently have a system with multiple names and a single IP
 address.  Both cvsup.mch.chs and cvsup.meadwestvaco.com are assigned
 address 10.209.142.151, but the reverse-lookup entry can't return both
 names.
snip

You made that up. Yes it can.  If it's configured to do so.

I'm guessing that the confusion is based on the assumption that
forward and reverse zones are linked -- they aren't.

You can edit A records all day long and it won't change the PTR records
in the reverse zone.

Figure out where the reverse zone is being served from (possibly with
dig +trace -x 10.209.142.151) and edit that.



Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread Ted Unangst
To be sure, I don't think it's the best idea. But practically? For  
actual users running fedora? I doubt the change makes much difference  
for many of them.


The reason I even brought this up is not because I like the idea, but  
because I think it is a good opportunity to reflect on what user  
permissions accomplish on a typical desktop machine. Consider where  
your secrets, whatever they may be, are kept and how you access them.


How many people are aware that any X program can listen to the  
keystrokes of any other X program?


When you type your password into sudo, how do you know it's the real  
sudo? How do you know you aren't running badsudo because you're  
actually running badsh and it redirected your path?


On Nov 18, 2009, at 8:49 PM, Jacob Meuser jake...@sdf.lonestar.org  
wrote:



On Wed, Nov 18, 2009 at 05:38:38PM -0800, Ted Unangst wrote:

Before everyone goes too bonkers, consider exactly how safe/dangerous
this behavior actually is on a single user machine.


but did they also by default restrict the system to 1 user?

it's not so much the idea that's laughable, but the way it was
implemented.

What I contest is that to *undo* it you need to be an experienced
system admin that knows how to write policykit policies and where
to drop them.

I think we can count the number of people able to do that on the
tips of my fingers. - Simo Sorce, Software Engineer at Red Hat, Inc.

--
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
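The "badsudo" case above (a fake sudo found before the real one because PATH is searched in order) can be shown concretely. This is an added example, not code from the thread: it resolves a command the way sh(1) does, flags a copy of the command that sits ahead of the trusted system directories, and builds a throwaway directory with a shim to demonstrate it. The trusted directory list, the shim contents and the PATH strings are constructed for the demonstration.

```python
"""Added example, not part of the thread: a check for the "badsudo" case.
A shell resolves a bare command name by walking PATH left to right, so any
directory ahead of /usr/bin that the invoking user (or a program running as
that user) can write to is enough to substitute a fake sudo. The directory
names, the shim and the PATH strings below are constructed for the demo."""
import os
import tempfile

# Assumed locations where the real binary is expected to live.
TRUSTED_DIRS = ("/usr/bin", "/bin", "/usr/sbin", "/sbin", "/usr/local/bin")


def resolve_in_path(cmd, path):
    """Return the first executable named cmd found walking PATH, as sh does.
    An empty PATH element means the current directory."""
    for d in path.split(os.pathsep):
        candidate = os.path.join(d or ".", cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def shadowing_copy(cmd, path, trusted_dirs=TRUSTED_DIRS):
    """Return the path of a copy of cmd that sits ahead of every trusted
    directory in PATH, or None if the trusted copy would be run first."""
    for d in path.split(os.pathsep):
        d = d or "."
        if os.path.normpath(d) in trusted_dirs:
            return None  # first trusted directory reached: nothing shadows it
        candidate = os.path.join(d, cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def demo():
    """Constructed scenario: a fake sudo in a per-user directory that is
    listed before /usr/bin. Returns the outcomes so they can be checked."""
    bindir = tempfile.mkdtemp(prefix="userbin-")
    shim = os.path.join(bindir, "sudo")
    with open(shim, "w") as f:
        f.write("#!/bin/sh\necho 'this is not the real sudo'\n")
    os.chmod(shim, 0o755)

    hijacked = os.pathsep.join([bindir, "/usr/bin", "/bin"])
    sane = os.pathsep.join(["/usr/bin", "/bin", bindir])
    return {
        "shim": shim,
        "hijacked_runs": resolve_in_path("sudo", hijacked),
        "hijacked_flagged": shadowing_copy("sudo", hijacked),
        "sane_flagged": shadowing_copy("sudo", sane),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check is only as good as the process running it: if the shell you typed it into is already the "badsh" of the message above, it can lie about PATH and about what `command -v sudo` returns, which is exactly the point being made. Invoking `/usr/bin/sudo` by absolute path sidesteps PATH ordering but not a compromised shell.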




Re: Odd name lookup behavior

2009-11-18 Thread Dave Anderson
On Wed, 18 Nov 2009, Bryan Irvine wrote:

 You apparently have a system with multiple names and a single IP
 address.  Both cvsup.mch.chs and cvsup.meadwestvaco.com are assigned
 address 10.209.142.151, but the reverse-lookup entry can't return both
 names.
snip

You made that up. Yes it can.  If it's configured to do so.

Sorry, you're quite right -- there can be multiple PTR records.
Evidently my brain wasn't fully engaged.

Dave

-- 
Dave Anderson
d...@daveanderson.com
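The cvsup exchange above (the search list picking cvsup.mcn.chs, the PTR naming cvsup.meadwestvaco.com, and Bryan Irvine's point that a reverse name can hold several PTR records maintained independently of the forward zone) can be modelled offline. This is an added example, not from the thread: the zone data is constructed to match what was posted (the real zones were never shown), the search list is taken from stan's resolv.conf, and the functions implement search-list resolution, the in-addr.arpa mapping that `dig -x` queries, and a forward-confirmed reverse DNS check.

```python
"""Added example, not from the thread: forward and reverse lookups for the
cvsup case on constructed zone data, so it runs with no name servers.
It shows why nslookup reports cvsup.mcn.chs (search domains are tried in
order), why the PTR answer can name a different host (the reverse zone is
edited separately from the forward zone), and that a reverse owner name
may carry more than one PTR record."""
import ipaddress

# Constructed forward zone: owner name -> list of A record addresses.
FORWARD = {
    "cvsup.mcn.chs.": ["10.209.142.151"],
    "cvsup.meadwestvaco.com.": ["10.209.142.151"],
}

# Constructed reverse zone: in-addr.arpa owner name -> list of PTR targets.
REVERSE = {
    "151.142.209.10.in-addr.arpa.": ["cvsup.meadwestvaco.com."],
}

# Search list as in the resolv.conf posted in the thread.
SEARCH = ["mcn.chs", "kapstonepaper.com", "pm3.charleston.meadwestvaco.com"]


def fqdn(name):
    """Normalise a host name to a lowercase, dot-terminated FQDN."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def reverse_name(ip):
    """The in-addr.arpa owner name for an IPv4 address (what dig -x asks for)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def resolve_a(name, search=SEARCH, forward=FORWARD):
    """Resolve a name the way a stub resolver does with a search list: a bare
    label is tried with each search domain in order and the first domain that
    answers wins. Returns (owner_fqdn, [addresses]) or None."""
    if "." in name.rstrip("."):
        candidates = [fqdn(name)]
    else:
        candidates = [fqdn(f"{name}.{d}") for d in search]
    for cand in candidates:
        if cand in forward:
            return cand, list(forward[cand])
    return None


def resolve_ptr(ip, reverse=REVERSE):
    """All PTR targets for an address; empty if the reverse zone has none."""
    return list(reverse.get(reverse_name(ip), []))


def forward_confirmed(name, forward=FORWARD, reverse=REVERSE):
    """Forward-confirmed reverse DNS: name -> A -> PTR must name the host
    again. False when the reverse zone was never updated to match."""
    hit = resolve_a(name, forward=forward)
    if hit is None:
        return False
    owner, addrs = hit
    return any(owner in resolve_ptr(a, reverse) for a in addrs)


if __name__ == "__main__":
    print("cvsup ->", resolve_a("cvsup"))
    print(reverse_name("10.209.142.151"), "->", resolve_ptr("10.209.142.151"))
    for host in ("cvsup.mcn.chs", "cvsup.meadwestvaco.com"):
        print(host, "forward-confirmed:", forward_confirmed(host))
```

On a real network the reverse zone's authoritative server is found with `dig +trace -x 10.209.142.151`, as suggested above, and a second PTR record is added there; the forward zone needs no change. Daemons that do this same forward-confirmed check (sshd with UseDNS, many MTAs) will treat a name whose PTR points elsewhere as unverified, which is the practical consequence of the two zones drifting apart.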



Re: pam-devel package??

2009-11-18 Thread Rod Whitworth
On Wed, 18 Nov 2009 19:28:55 -0800, Elliott Barrere wrote:

Hi all,

I need to build a pam-dependent plugin (openvpn-auth-pam) that requires the
pam-devel libraries; I think that's why it's failing to build.  I can't seem
to find them in any OpenBSD port or package list; can someone point me in the
right direction or tell me what to look for?

...Alternatively, a pre-built openvpn-auth-pam.so for i386 would suffice as
well.  :)


I doubt that you NEED pam. Why do you think you do?
PAM is a toy for Linux that is not half as smart as its users believe.
There are other ways to do auth. Perhaps you could ask for a better
idea with a bit of info regarding just where your problem lies rather
than choosing a solution and trying to implement it.

PAM is not a solution on OpenBSD.
http://www.auscert.org.au/render.html?it=5821 (paragraph E.3.3)


*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
---
This life is not the real thing.
It is not even in Beta.
If it was, then OpenBSD would already have a man page for it.



Re: pam-devel package??

2009-11-18 Thread Ted Unangst
Openbsd doesn't use pam, so you aren't going to have much luck getting  
openvpn to use it either.


On Nov 18, 2009, at 7:28 PM, Elliott Barrere elli...@mywedding.com  
wrote:



Hi all,

I need to build a pam-dependent plugin (openvpn-auth-pam) that  
requires the
pam-devel libraries; I think that's why it's failing to build.  I  
can't seem
to find them in any OpenBSD port or package list; can someone point  
me in the

right direction or tell me what to look for?

...Alternatively, a pre-built openvpn-auth-pam.so for i386 would  
suffice as

well.  :)

Thanks!

-elliott-




Re: OT: Have you hugged your local OpenBSD dev lately?

2009-11-18 Thread rhubbell
On Wed, 18 Nov 2009 16:05:04 -0800
Bryan wrote:

 So glad we don't have these kinds of issues...

New around here, but I'm noticing a lot of tooting of our own horn...so to
speak.  With all the possible vectors for compromising a system that are
available it just sounds naive to keep touting how secure this or that is.
Do you own the physical network that your bits traverse? Do you guard your
computer 24-7? And on and on.

I will say that Fedora has bigger issues than allowing users to install
pkgs. I just went through trying out Fedora 11 and it was a nightmare to
me.  Doing simple things with the network has been made so painful that
clawing out my eyes started to seem like relief.  But maybe all flavors
are going this way. Part of the never ending bloat.



Re: pam-devel package??

2009-11-18 Thread Peter Hessler
Check out the port net/openbsd_bsdauth.  While not PAM auth, it will
actually work on OpenBSD.

(Hint: we don't do PAM)


On 2009 Nov 18 (Wed) at 19:28:55 -0800 (-0800), Elliott Barrere wrote:
:Hi all,
:
:I need to build a pam-dependent plugin (openvpn-auth-pam) that requires the
:pam-devel libraries; I think that's why it's failing to build.  I can't seem
:to find them in any OpenBSD port or package list; can someone point me in the
:right direction or tell me what to look for?
:
:...Alternatively, a pre-built openvpn-auth-pam.so for i386 would suffice as
:well.  :)
:
:Thanks!
:
:-elliott-
:

-- 
Weinberg's First Law:
Progress is made on alternate Fridays.