OpenBSD 4.6 distributed through Linux For You magazine India
hi.

http://www.lfymag.com/currentissue.asp?id=13

towards the end: OpenBSD 4.6, Eclipse 3.5

OpenBSD, being security guru Theo de Raadt's baby, includes a number of security features absent or optional in other OSes.

Siju
Re: OpenBSD 4.6 pfsync kernel panic
Hi David

Thank you for the quick reply!

The stack trace from the console at the time of the crash:

Starting stack trace
panic(d07a8c58,0,de1b4b28,0,d8a282b8) at panic+0x65
panic(d071ad67,6,0,d031baf5,de1b4b20) at panic+0x65
trap() at trap+0x119
--- trap (number 6) ---
pfsync_state_import(d899e83a,2,2d0,de1b4bc8) at pfsync_state_import+0x75
pfsync_in_ins(de1b4c00,d8a3d400,2c,3) at pfsync_in_ins+0xe3
pfsync_input(d8a3d400,14,0,0,d2a8d030) at pfsync_input+0x148
ipv4_input(d8a3d400,d2a82440,f0279,f0275) at ipv4input+0x498
ipintr(58,d8310010,de1b0010,d0350010,f0275) at ipintr+0x64
bad fram pointer: 0xde1b4c88
End of stack trace

And here is the output from cvs status if_pfsync.?

# cvs status if_pfsync.?
===
File: if_pfsync.c       Status: Up-to-date
   Working revision:    1.127
   Repository revision: 1.127   /cvs/src/sys/net/if_pfsync.c,v
   Sticky Tag:          OPENBSD_4_6 (branch: 1.127.4)
   Sticky Date:         (none)
   Sticky Options:      (none)
===
File: if_pfsync.h       Status: Up-to-date
   Working revision:    1.38
   Repository revision: 1.38    /cvs/src/sys/net/if_pfsync.h,v
   Sticky Tag:          OPENBSD_4_6 (branch: 1.38.4)
   Sticky Date:         (none)
   Sticky Options:      (none)

Please let me know if there is anything else that I can do to help,

Best regards
Anders

-----Original Message-----
From: David Gwynne [mailto:l...@animata.net]
Sent: Wednesday, November 18, 2009 01:04
To: Anders Pettersson
Cc: misc@openbsd.org
Subject: Re: OpenBSD 4.6 pfsync kernel panic

hi anders,

could you get me a full trace from ddb when the fault occurs? id also like the output of 'cvs info if_pfsync.?' in src/sys/net in the tree you built this kernel from?

cheers,
dlg

On 17/11/2009, at 11:07 PM, Anders Pettersson wrote:

Hi

We get kernel panics when we reboot either one of our two OpenBSD 4.6 servers running pf. It seems that the kernel panic always happens at the point where the pf sync state import happens. Sometimes we can reboot the servers, one at the time, a number of times in a row without any problems.

We have tried to understand why this occurs but to no avail, is there anyone who could advise us what to do to try and resolve this?

The error message says:

fatal page fault (6) in supervisor mode
trap type 6 code 0 eip d031baf5 cs 50 eflags 10297 cr2 2c4 cpl 40
panic: trap type 6, code=0, pc=d031baf5
. . .
--- trap (number 6) ---
pfsync_state_import(d899e83a,2,2d0,de1b4bc8) at pfsync_state_import+0x75

We have two identical servers running OpenBSD 4.6 and pf, they are built on the Supermicro X7SBT motherboard:
http://www.supermicro.com/products/motherboard/Xeon3000/X48/X7SBT.cfm

They have a total of six NICs; two internal Intel PRO/1000MT (82573E) and (82573L) and four Intel PRO/1000 QP (82571EB).

The pfsync interface uses em4 (that is the first of the two internal network cards - Intel PRO/1000MT (82573E));

pfsync0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        pfsync: syncdev: em4 maxupd: 128 defer: off
        groups: carp pfsync

And we have a simple rule

pass quick on { em4 } proto pfsync

ps -N /var/crash/bsd.0 -M /var/crash/bsd.0.core -O paddr gives;

  PID    PADDR  TT  STAT       TIME COMMAND
12176 d89f216c  p0  Is+     0:00.00 (ksh)
28044 d8ae82c4  C0- R/0     0:01.00 (snortsam)
18169 d8b9e2c0  C0  Is+     0:00.00 (ksh)
 3045 d8ae8834  C1  Is+     0:10.00 (getty)
10861 d8ae8aec  C2  Is+     0:09.00 (getty)
 3111 d8ae8c48  C3  Is+     0:09.00 (getty)
 5674 d8ae8da4  C5  Is+     0:09.00 (getty)

I have attached the dmesg output from one of the machines at the end of this email,

Best regards
Anders

Mainloop
Anders Pettersson
and...@mainloop.se
Stora Nygatan 5, 2tr
111 27 Stockholm
Sweden
mobile: +46 (70) 634 5818

OpenBSD 4.6-stable (GENERIC.MP) #0: Fri Nov 6 10:18:43 CET 2009
    r...@puffy46.intranet.mainloop.net:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU X3220 @ 2.40GHz (GenuineIntel 686-class) 2.41 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem = 2145402880 (2046MB)
avail mem = 2065686528 (1969MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/19/08, BIOS32 rev. 0 @ 0xfdbc0, SMBIOS rev. 2.5 @ 0x7fedf000 (34 entries)
bios0: vendor Phoenix Technologies LTD version 1.2a date 12/19/2008
bios0: Supermicro X7SBT
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP _MAR MCFG APIC BOOT SPCR ERST HEST BERT EINJ SLIC SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices PEG_(S5) PEX_(S5) LAN_(S5) USB4(S5) USB5(S5) USB7(S5) ESB2(S5) EXP1(S5) EXP5(S5) EXP6(S5) USB1(S5) USB2(S5) USB3(S5) USB6(S5) ESB1(S5) PCIB(S5) KBC0(S1) MSE0(S1) COM1(S5)
PF per-ip statistics
Hi all,

reading pfctl manpage I've seen this:

# pfctl -t test -vTshow
   129.128.5.191
       Cleared:     Thu Feb 13 18:55:18 2003
       In/Block:    [ Packets: 0        Bytes: 0        ]
       In/Pass:     [ Packets: 10       Bytes: 840      ]
       Out/Block:   [ Packets: 0        Bytes: 0        ]
       Out/Pass:    [ Packets: 10       Bytes: 840      ]

but my output is quite different :-)
Here it is:

# pfctl -t MYTABLE -vTshow
   10.102.15.66
       Cleared:     Thu Oct 29 08:28:35 2009
   10.102.15.70
       Cleared:     Thu Oct 29 08:28:35 2009
   10.102.15.74
       Cleared:     Thu Oct 29 08:28:35 2009

There is no data per ip, even if pftop shows all the data correctly.
Surely is my mistake... but I can't figure out.

Thanks to all for the incomparable work on this o.s.

Leonardo
Stacking RAID sets
It was said in http://marc.info/?l=openbsd-misc&m=125139976027774&w=2 that stacking RAID sets is not a good idea. I.e. this

# bioctl -ih softraid0
Volume      Status               Size Device
softraid0 0 Online               447G sd2     RAID0
          0 Online               149G 0:0.0   noencl <wd1a>
          1 Online               149G 0:1.0   noencl <wd2a>
          2 Online               149G 0:2.0   noencl <wd3a>
softraid0 1 Online               190G sd3     RAID1
          0 Online               190G 1:0.0   noencl <sd0a>
          1 Online               190G 1:1.0   noencl <sd1a>
softraid0 2 Online               447G sd4     CRYPTO
          0 Online               447G 2:0.0   noencl <sd2a>
softraid0 3 Online               190G sd5     CRYPTO
          0 Online               190G 3:0.0   noencl <sd3a>

is not a good idea? Why not?

/Markus
Re: anyone, low power rack-mount server for home usage?
Just a note, although supermicro says max 2g of ram, the X7SLA-H works well with 4G of ram.

spdmem0 at iic0 addr 0x50: 2GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem1 at iic0 addr 0x52: 2GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem0 at iic0 addr 0x50: 2GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem1 at iic0 addr 0x52: 2GB DDR2 SDRAM non-parity PC2-5300CL5
hw.physmem=3748265984
hw.usermem=3748057088

Fits in our 1u chassis well. Sensors work.

David

On Mon, Nov 09, 2009 at 01:40:18AM +0100, Henning Brauer wrote:

* Daniel Ouellet <dan...@presscom.net> [2009-11-09 00:57]:

supermicro has atom-based systems. i have such a board and am happy with it.

Henning, how's the remote console redirection on that box? Any feedback may be?

same as on the real supermicros: works like a charm.

Just looking for minimum like the LOM on the old SUN V100 and the like. Don't need CD remote mount and all that. SSH over Ethernet would be nice, but I can deal without it. Sad that none of these board actually have a decent remote console without the need for additional board when it's possible.

err, they have console redirection, not a LOM. you can use the bios over cereal, that's it. i haven't seen anything as good as sun's LOMlite and ALOM anywhere. Ironically, I have seen total failures trying to make something like LOM - from sun. Epic fail in their X2100 and X4250 (or so). don't get me started on ipmi.

just noticed dmesg might be useful. cardbus slot (and the 3G card therein) are on a PCI card, all the rest onboard.
OpenBSD 4.6-stable (GENERIC.MP) #0: Sat Aug 8 05:30:38 CEST 2009
    henn...@terak.bsws.de:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Atom(TM) CPU 330 @ 1.60GHz (GenuineIntel 686-class) 1.61 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR
real mem = 2145595392 (2046MB)
avail mem = 2065874944 (1970MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 05/05/09, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.5 @ 0xfd160 (27 entries)
bios0: vendor American Megatrends Inc. version 1.0 date 05/05/2009
bios0: Supermicro X7SLA
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC MCFG OEMB HPET
acpi0: wakeup devices P0P2(S4) P0P1(S4) PS2K(S4) PS2M(S4) EUSB(S4) MC97(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) LAN0(S1) P0P9(S4) LAN1(S1) USB0(S4) USB1(S4) USB2(S4) USB3(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU 330 @ 1.60GHz (GenuineIntel 686-class) 1.61 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Atom(TM) CPU 330 @ 1.60GHz (GenuineIntel 686-class) 1.61 GHz
cpu2: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Atom(TM) CPU 330 @ 1.60GHz (GenuineIntel 686-class) 1.61 GHz
cpu3: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,CX16,xTPR
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 1, remapped to apid 4
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (P0P2)
acpiprt2 at acpi0: bus 4 (P0P1)
acpiprt3 at acpi0: bus 1 (P0P4)
acpiprt4 at acpi0: bus -1 (P0P5)
acpiprt5 at acpi0: bus -1 (P0P6)
acpiprt6 at acpi0: bus -1 (P0P7)
acpiprt7 at acpi0: bus 2 (P0P8)
acpiprt8 at acpi0: bus 3 (P0P9)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpicpu2 at acpi0
acpicpu3 at acpi0
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
bios0: ROM list: 0xc/0xaa00!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945G Host" rev 0x02
vga1 at pci0 dev 2 function 0 "Intel 82945G Video" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xe000, size 0x1000
inteldrm0 at vga1: apic 4 int 16 (irq 10)
drm0 at inteldrm0
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: apic 4 int 16 (irq 10)
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01: apic 4 int 16 (irq 10)
pci2 at ppb1 bus 2
re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x02: RTL8168C/8111C (0x3c00), apic 4 int 16 (irq 10), address 00:30:48:db:03:f2
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
ppb2 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01: apic 4 int 17
Re: PF per-ip statistics
* Leonardo Lombardo <l.lomba...@jwizard.it> [2009-11-18 10:23]:

Hi all,
reading pfctl manpage I've seen this:

# pfctl -t test -vTshow
   129.128.5.191
       Cleared:     Thu Feb 13 18:55:18 2003
       In/Block:    [ Packets: 0        Bytes: 0        ]
       In/Pass:     [ Packets: 10       Bytes: 840      ]
       Out/Block:   [ Packets: 0        Bytes: 0        ]
       Out/Pass:    [ Packets: 10       Bytes: 840      ]

but my output is quite different :-)
Here it is:

# pfctl -t MYTABLE -vTshow
   10.102.15.66
       Cleared:     Thu Oct 29 08:28:35 2009
   10.102.15.70
       Cleared:     Thu Oct 29 08:28:35 2009
   10.102.15.74
       Cleared:     Thu Oct 29 08:28:35 2009

you need to enable counters for the table. they're off by default for some time now (saves memory, a lot). I won't paste an example here as reading the manpage bits about it will enlighten you more :)

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
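An added example, not code from the thread or from pf: a parser for the `pfctl -t <table> -vTshow` output quoted above that tells a table declared with the `counters` option in pf.conf (per-address In/Out Block/Pass lines) apart from one declared without it (only a `Cleared:` line), so a monitoring script can flag the missing option instead of reporting zero traffic. The two sample outputs are constructed from the listings in this thread.

```python
"""Parse per-address counters printed by `pfctl -t <table> -vTshow`.

Added example, not from the thread. pfctl only reports In/Out Block/Pass
numbers for tables declared with the `counters` option in pf.conf; a
table without it shows just a "Cleared:" line per address, which is the
symptom discussed above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a table WITH counters (the manpage example).
SAMPLE_WITH_COUNTERS = """\
   129.128.5.191
       Cleared:     Thu Feb 13 18:55:18 2003
       In/Block:    [ Packets: 0        Bytes: 0        ]
       In/Pass:     [ Packets: 10       Bytes: 840      ]
       Out/Block:   [ Packets: 0        Bytes: 0        ]
       Out/Pass:    [ Packets: 10       Bytes: 840      ]
"""

# Constructed sample: the same command on a table declared WITHOUT counters.
SAMPLE_WITHOUT_COUNTERS = """\
   10.102.15.66
       Cleared:     Thu Oct 29 08:28:35 2009
   10.102.15.70
       Cleared:     Thu Oct 29 08:28:35 2009
   10.102.15.74
       Cleared:     Thu Oct 29 08:28:35 2009
"""

ADDR_RE = re.compile(r"^\s*([0-9a-fA-F.:]+(?:/\d+)?)\s*$")
CLEARED_RE = re.compile(r"^\s*Cleared:\s+(.+?)\s*$")
COUNTER_RE = re.compile(
    r"^\s*(In|Out)/(Block|Pass):\s*\[\s*Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s*\]\s*$"
)


@dataclass
class TableEntry:
    cleared: str = ""
    # "In/Pass" -> (packets, bytes); stays empty when counters are off
    counters: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    @property
    def has_counters(self) -> bool:
        return bool(self.counters)


def parse_tshow(text: str) -> Dict[str, TableEntry]:
    """Return {address: TableEntry} for one `pfctl -vTshow` run."""
    entries: Dict[str, TableEntry] = {}
    current: Optional[TableEntry] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADDR_RE.match(line)
        if m:                      # an address line opens a new entry
            current = entries.setdefault(m.group(1), TableEntry())
            continue
        if current is None:
            raise ValueError(f"counter line before any address: {line!r}")
        m = CLEARED_RE.match(line)
        if m:
            current.cleared = m.group(1)
            continue
        m = COUNTER_RE.match(line)
        if m:
            direction, verdict, pkts, byts = m.groups()
            current.counters[f"{direction}/{verdict}"] = (int(pkts), int(byts))
            continue
        raise ValueError(f"unrecognised pfctl line: {line!r}")
    return entries


def addresses_without_counters(text: str) -> List[str]:
    """Addresses whose table was evidently declared without `counters`."""
    return [a for a, e in parse_tshow(text).items() if not e.has_counters]


def passed_bytes(text: str, addr: str) -> int:
    """In/Pass + Out/Pass bytes for addr; 0 when the table has no counters."""
    e = parse_tshow(text)[addr]
    return sum(e.counters.get(k, (0, 0))[1] for k in ("In/Pass", "Out/Pass"))


if __name__ == "__main__":
    print(addresses_without_counters(SAMPLE_WITHOUT_COUNTERS))  # all three
    print(passed_bytes(SAMPLE_WITH_COUNTERS, "129.128.5.191"))  # 1680
```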
Re: Spanish language resources for OpenBSD
Abel Abraham Camarillo Ojeda wrote:

I also don't like too much translating... but can help whenever possible (native spanish speaker). It's just that all the people that I know that can use (thoroughly) OpenBSD in my city can also read english very well (at least)...

On Tue, Nov 17, 2009 at 08:24:54AM +0100, Daniel Gracia Garallar wrote:

I'm not aware of many spanish resources... AFAIK, the only big resource centre was the Mexican community, but now it seems to be gone with all their translated and own documents. I'd never been a big advocate of translating efforts, but as a native spanish speaker, I should help whenever possible :)

The group of people I am working with don't speak English. They also have more limited needs for a computer. OpenBSD offers an excellent price (free), for basic computing needs: web browsing, sending email, word processing, editing photos, etc. Their main cost will be just buying a computer, even older equipment works very well with OpenBSD.

Oh, yeah. I think it would be appropriate if I sent in a donation with each install I do like this.

There is that website that records older websites, waybackmachine or something like that. Maybe the Mexican site has been recorded there? I will try and look for it.

Chris Bennett

-- 
A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects.
-- Robert Heinlein
Re: Spanish language resources for OpenBSD
On Wed, Nov 18, 2009 at 7:54 AM, Chris Bennett <ch...@bennettconstruction.biz> wrote:

There is that website that records older websites, waybackmachine or something like that. Maybe the Mexican site has been recorded there? I will try and look for it.

http://www.archive.org/index.php
Re: Spanish language resources for OpenBSD
On Wed, 18 Nov 2009, Chris Bennett wrote:

There is that website that records older websites, waybackmachine or something like that.

http://www.archive.org/
Re: why is pf reseting this ssh connection?
Todd Alan Smith wrote:

This only happens with SSH connections? Are the rulesets identical between the two machines? Also, why are you still running 4.2? As I'm sure you know, there have been many improvements to pf since that release.

No, I also see it happening with every TCP-based protocol and port I've tried (telnet, ftp, and iscsi)

BTW, a more appropriate subject line would have been "why is pf blocking a connection after having already accepted it"

Yes, I know I should upgrade, especially since I bought the CDs, but I haven't had the time yet - though this issue may force me to upgrade...

P.S. Maybe send your dmesg(s) and ruleset(s) with your next reply.

OK, see below, for the following:
- uname on firewall
- dmesg on firewall
- ifconfig -a on firewall
- ruleset on firewall

Also, so this makes more sense, here is a small network diagram

vlan4 trunk,tagged-vlans 10.0.4.6 managed -- carped -- internet 10.0.4.5 switch - firewalls -- feed || ||vlan1 |+ 10.0.1.24 +- 10.0.1.22

P.P.S. Part of my brain keeps thinking, "Flaky NIC?"

I was thinking the same thing - so far I:
- moved the 10.0.1.24 ethernet cable to another port in my switch
- moved the 10.0.1.24 ethernet cable to another port on the host machine
- failed the firewall over to its CARP peer (also running 4.2)
- tried a different client computer (10.0.4.5) instead of (10.0.4.6)

-UNAME-
# uname -a
OpenBSD fw2.watsen.net 4.2 GENERIC.RAID#0 sparc64

-DMESG-
# dmesg
console is /p...@1f,0/p...@1,1/i...@7/ser...@0,3f8
Copyright (c) 1982, 1986, 1989, 1991, 1993
        The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2007 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.2 (GENERIC.RAID) #0: Fri Dec 28 22:26:28 EST 2007
    r...@fw1.watsen.net:/usr/src/sys/arch/sparc64/compile/GENERIC.RAID
real mem = 536870912 (512MB)
avail mem = 507109376 (483MB)
mainbus0 at root: Netra T1 200 (UltraSPARC-IIe 500MHz)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe (rev 1.4) @ 500 MHz, version 0 FPU
cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K external (64 b/l)
psycho0 at mainbus0: SUNW,sabre, impl 0, version 0, ign 7c0
psycho0: bus range 0-2, PCI bus 0
psycho0: dvma map c000-dfff, iotdb 962000-9e2000
pci0 at psycho0
ppb0 at pci0 dev 1 function 1 "Sun Simba PCI-PCI" rev 0x13
pci1 at ppb0 bus 1
ebus0 at pci1 dev 12 function 0 "Sun RIO EBus" rev 0x01
flashprom at ebus0 addr 0-f not configured
clock1 at ebus0 addr 0-1fff: mk48t59
"SUNW,lomh" at ebus0 addr 20-23 ipl 42 not configured
"Acer Labs M7101 Power" rev 0x00 at pci1 dev 3 function 0 not configured
ebus1 at pci1 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00
power0 at ebus1 addr 2000-2007 ipl 37
com0 at ebus1 addr 3f8-3ff ipl 43: ns16550a, 16 byte fifo
com0: console
com1 at ebus1 addr 2e8-2ef ipl 43: ns16550a, 16 byte fifo
gem0 at pci1 dev 12 function 1 "Sun ERI Ether" rev 0x01: ivec 0x7c6, address 00:03:ba:0f:2c:d3
ukphy0 at gem0 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI 0x0010dd, model 0x0002
ohci0 at pci1 dev 12 function 3 "Sun USB" rev 0x01: ivec 0x7e4, version 1.0, legacy support
pciide0 at pci1 dev 13 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc3: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using ivec 0x7cc for native-PCI interrupt
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <TEAC, CD-224E, 1.7A> SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
gem1 at pci1 dev 5 function 1 "Sun ERI Ether" rev 0x01: ivec 0x7dc, address 00:03:ba:0f:2c:d4
ukphy1 at gem1 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI 0x0010dd, model 0x0002
ohci1 at pci1 dev 5 function 3 "Sun USB" rev 0x01: ivec 0x7e6, version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0: Sun OHCI root hub, rev 1.00/1.00, addr 1
usb1 at ohci1: USB revision 1.0
uhub1 at usb1: Sun OHCI root hub, rev 1.00/1.00, addr 1
ppb1 at pci0 dev 1 function 0 "Sun Simba PCI-PCI" rev 0x13
pci2 at ppb1 bus 2
siop0 at pci2 dev 8 function 0 "Symbios Logic 53c896" rev 0x07: ivec 0x7e0, using 8K of on-board RAM
scsibus1 at siop0: 16 targets
sd0 at scsibus1 targ 0 lun 0: <IBM, DNES-309170Y, SA60> SCSI3 0/direct fixed
sd0: 8683MB, 11474 cyl, 5 head, 309 sec, 512 bytes/sec, 17783301 sec total
sd1 at scsibus1 targ 1 lun 0: <IBM, DNES-309170Y, SA60> SCSI3 0/direct fixed
sd1: 8683MB, 11474 cyl, 5 head, 309 sec, 512 bytes/sec, 17783301 sec total
siop1 at pci2 dev 8 function 1 "Symbios Logic 53c896" rev 0x07: ivec 0x7e0, using 8K of on-board RAM
scsibus2 at siop1: 16 targets
em0 at pci2 dev 5 function 0 "Intel PRO/1000MT (82545EM)" rev 0x01: ivec 0x7d5, address 00:07:e9:1a:19:62
pcons at mainbus0 not
PCI ADSL2+ watchdog timeout
I've been getting frequent 'watchdog timeout' errors with 4.6:

Nov 18 18:00:13 net /bsd: re0: watchdog timeout
Nov 18 18:01:03 net /bsd: re0: watchdog timeout
Nov 18 18:18:55 net /bsd: re0: watchdog timeout
Nov 18 18:28:56 net last message repeated 4 times
Nov 18 18:36:47 net last message repeated 9 times

It's been going on through an upgrade from -current (4.6) to -release (4.6) to -stable (4.6). What should I look at to figure out the cause or solution?

re0 is a Viking PCI ADSL2+ from Traverse:

re0 at pci0 dev 14 function 0 "Realtek 8139" rev 0x20: RTL8139C+ (0x7480), irq 10, address 00:0a:fa:33:41:56
rlphy0 at re0 phy 0: RTL internal PHY

/Lars
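An added example, not code from the post: a small log check that counts driver watchdog timeouts per interface from syslog output like the lines above. syslogd folds identical consecutive messages into "last message repeated N times", so a plain grep for "watchdog timeout" under-counts; the five quoted lines stand for 3 + 4 + 9 = 16 timeouts on re0. The sample log is constructed from the post and the alert threshold is an assumed value.

```python
"""Count per-interface watchdog timeouts in syslog, expanding repeats.

Added example, not from the thread. Handles syslogd's
"last message repeated N times" compression so the count is accurate.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample log: the five lines quoted in the post.
SAMPLE_LOG = """\
Nov 18 18:00:13 net /bsd: re0: watchdog timeout
Nov 18 18:01:03 net /bsd: re0: watchdog timeout
Nov 18 18:18:55 net /bsd: re0: watchdog timeout
Nov 18 18:28:56 net last message repeated 4 times
Nov 18 18:36:47 net last message repeated 9 times
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)
WATCHDOG_RE = re.compile(r"^/bsd: (?P<ifname>[a-z]+\d+): watchdog timeout$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")


def expand_repeats(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, host, message) tuples with every
    'last message repeated N times' line replaced by N copies of the
    previous message from the same host."""
    out: List[Tuple[str, str, str]] = []
    last_by_host: Dict[str, str] = {}
    for raw in lines:
        m = SYSLOG_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # not a syslog line; skip rather than miscount
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
        r = REPEAT_RE.match(msg)
        if r:
            prev = last_by_host.get(host)
            if prev is None:
                continue  # repeat marker with no known predecessor
            out.extend((ts, host, prev) for _ in range(int(r.group("n"))))
            continue
        last_by_host[host] = msg
        out.append((ts, host, msg))
    return out


def watchdog_counts(lines: Iterable[str]) -> Dict[str, int]:
    """Map 'host/ifname' -> number of watchdog timeouts, repeats included."""
    counts: Dict[str, int] = defaultdict(int)
    for _ts, host, msg in expand_repeats(lines):
        w = WATCHDOG_RE.match(msg)
        if w:
            counts[f"{host}/{w.group('ifname')}"] += 1
    return dict(counts)


def noisy_interfaces(lines: Iterable[str], threshold: int = 10) -> List[str]:
    """Interfaces whose timeout count reaches the (assumed) alert threshold."""
    return sorted(k for k, v in watchdog_counts(lines).items() if v >= threshold)


if __name__ == "__main__":
    print(watchdog_counts(SAMPLE_LOG.splitlines()))  # {'net/re0': 16}
```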
Changing the NIC on installed system?
Hello,

I did not yet understand very well how the NIC drivers are selected. Is it done while installing OpenBSD or is it done at boot?

In the latter case, I assume, I can replace a PCI network interface without changing any driver settings. If the logical interface name will be different, I maybe will have to rename hostname.vge0 to hostname.XX0 or similar.

Or are there much more changes necessary, when replacing a MikroTik NIC by an Intel one?

System is OpenBSD-4.5

Regards,
Roger.
Re: Changing the NIC on installed system?
On Wed, Nov 18, 2009 at 06:01:26PM +0100, Roger Schreiter wrote:

Hello,

I did not yet understand very well how the NIC drivers are selected. Is it done while installing OpenBSD or is it done at boot?

In the latter case, I assume, I can replace a PCI network interface without changing any driver settings. If the logical interface name will be different, I maybe will have to rename hostname.vge0 to hostname.XX0 or similar.

Or are there much more changes necessary, when replacing a MikroTik NIC by an Intel one?

System is OpenBSD-4.5

It identifies them at boot. Just rename your hostname.XX file accordingly and update any service configurations (e.g. pf, dhcpd) that may rely on the interface name.

HTH.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: OpenBSD blog software
[...]

P.S. And this will be the last you hear about it from me. ;)

I hope this doesn't come to mean the project falls dead. I've been reading the source and seems surprisingly simple, but those damned regulars... hehehe.

My treat!
Re: OpenBSD blog software
On Tue, Nov 17, 2009 at 06:56:40PM +0100, Daniel Gracia Garallar wrote:

[...]

P.S. And this will be the last you hear about it from me. ;)

I hope this doesn't come to mean the project falls dead. I've been reading the source and seems surprisingly simple, but those damned regulars... hehehe.

Not at all. I intentionally wrote Blogsum so I could begin blogging. I avoided installing the bloat-heavy CMS/blogging alternatives out there until I was satisfied it would meet my own criteria. I intend to add new features at a very slow pace, and only if they truly make it a better piece of software. Focus is on maintainability and security. But it's here to stay.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: Authpf and more than 992 users
On Thu, Jan 08, 2009 at 03:21:42PM +0100, Janusz Gumkowski wrote:

I'm running out of PTYs on my authpf firewall. Simply, more than 992 (max pty limit) users are trying to log in simultaneously. In theory I could disable (in authpf.c) checking whether or not session has been successfully allocated a pty, and force clients not to allocate a pty when connecting. But I suppose it was made for a reason -- could some kind soul please tell me what side-effects disabling this would have ? Is it at all possible to have more than 992 simultaneous authpf users ?

Digging out an old post of mine, still not having any real solution but a couple of ugly hacks instead, trying to get rid of them finally.

To the point: is allocating a pty for authpf logins really necessary ? What side-effects can I expect if I disable it ?

Any input is welcome.

-- 
Janusz Gumkowski
http://www.am.torun.pl/~ja
Intel PRO/1000 QP
Hi,

we have a Dell PowerEdge R610 with two Intel PRO/1000 QP cards connected to a Cisco 2960G switch. Each card has four giga interfaces, but only two interfaces per card work properly. Only the first and third interface of each card work. The other interfaces do not negotiate the correct speed. Forcing the speed of the interfaces does not solve the problem. But, it is not just a question of speed, interfaces do not work, no traffic at all. The problem occurs even with a single card. Also tried the latest snapshot.

Any help is appreciated.

Regards,
Andrea

# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:2a:70
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:2a70%em0 prefixlen 64 scopeid 0x1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:2a:71
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:2a71%em1 prefixlen 64 scopeid 0x2
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:2a:74
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:2a74%em2 prefixlen 64 scopeid 0x3
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:2a:75
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:2a75%em3 prefixlen 64 scopeid 0x4
em4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:19:38
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:1938%em4 prefixlen 64 scopeid 0x5
em5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:19:39
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:1939%em5 prefixlen 64 scopeid 0x6
em6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:19:3c
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:193c%em6 prefixlen 64 scopeid 0x7
em7: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:3f:19:3d
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::21b:21ff:fe3f:193d%em7 prefixlen 64 scopeid 0x8

switch#show interfaces status
Port      Name     Status       Vlan   Duplex  Speed  Type
Gi0/20    em0      connected    100    a-full  a-1000 10/100/1000BaseTX
Gi0/21    em1      connected    100    a-full  a-100  10/100/1000BaseTX
Gi0/22    em2      connected    100    a-full  a-1000 10/100/1000BaseTX
Gi0/23    em3      connected    100    a-full  a-100  10/100/1000BaseTX
Gi0/24    em4      connected    100    a-full  a-1000 10/100/1000BaseTX
Gi0/25    em5      connected    100    a-full  a-100  10/100/1000BaseTX
Gi0/26    em6      connected    100    a-full  a-1000 10/100/1000BaseTX
Gi0/27    em7      connected    100    a-full  a-100  10/100/1000BaseTX

# dmesg
OpenBSD 4.6 (GENERIC.MP) #89: Thu Jul 9 21:32:39 MDT 2009
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU E5502 @ 1.87GHz (GenuineIntel 686-class) 1.87 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
real mem = 3479375872 (3318MB)
avail mem = 3374891008 (3218MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/17/09, BIOS32 rev. 0 @ 0xfa1c0, SMBIOS rev. 2.6 @ 0xcf79c000 (83 entries)
bios0: vendor Dell Inc. version 1.2.6 date 07/17/2009
bios0: Dell Inc. PowerEdge R610
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP APIC SPCR HPET DM__ MCFG WD__ SLIC ERST HEST BERT EINJ SRAT TCPA SSDT
acpi0: wakeup devices PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 16 (boot processor)
cpu0: unknown i686 model 0x1a, can't get bus clock (0x0)
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 20 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5502 @ 1.87GHz (GenuineIntel 686-class) 1.87 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 20, 24 pins
ioapic1 at mainbus0: apid 1 pa 0xfec8, version 20, 24 pins
ioapic1: misconfigured as apic 0, remapped to apid 1
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEX1)
acpiprt2 at acpi0: bus 2 (PEX3)
acpiprt3 at acpi0: bus -1 (PEX4)
acpiprt4 at acpi0: bus -1 (PEX5)
acpiprt5 at acpi0: bus -1 (PEX6)
Re: OpenBSD blog software
now a wiki

On Wed, Nov 18, 2009 at 12:33:32PM -0500, Jason Dixon wrote:

On Tue, Nov 17, 2009 at 06:56:40PM +0100, Daniel Gracia Garallar wrote:

[...]

P.S. And this will be the last you hear about it from me. ;)

I hope this doesn't come to mean the project falls dead. I've been reading the source and seems surprisingly simple, but those damned regulars... hehehe.

Not at all. I intentionally wrote Blogsum so I could begin blogging. I avoided installing the bloat-heavy CMS/blogging alternatives out there until I was satisfied it would meet my own criteria. I intend to add new features at a very slow pace, and only if they truly make it a better piece of software. Focus is on maintainability and security. But it's here to stay.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: OpenBSD blog software
On Wed, 18 Nov 2009, Jason Dixon wrote:

Not at all. I intentionally wrote Blogsum so I could begin blogging. I avoided installing the bloat-heavy CMS/blogging alternatives out there until I was satisfied it would meet my own criteria.

howabout a Blogsum LKM ? ;-)
Re: OpenBSD blog software
On Wed, Nov 18, 2009 at 12:00:21PM -0600, Marco Peereboom wrote:

now a wiki

And before you know it, a social networking site. I want you to be my friend on Dixonspace!!!

On Wed, Nov 18, 2009 at 12:33:32PM -0500, Jason Dixon wrote:

On Tue, Nov 17, 2009 at 06:56:40PM +0100, Daniel Gracia Garallar wrote:

[...]

P.S. And this will be the last you hear about it from me. ;)

I hope this doesn't come to mean the project falls dead. I've been reading the source and seems surprisingly simple, but those damned regulars... hehehe.

Not at all. I intentionally wrote Blogsum so I could begin blogging. I avoided installing the bloat-heavy CMS/blogging alternatives out there until I was satisfied it would meet my own criteria. I intend to add new features at a very slow pace, and only if they truly make it a better piece of software. Focus is on maintainability and security. But it's here to stay.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: OpenBSD blog software
I was actually being serious :-)

But a little ragging never hurt anyone. I be teh jdixon freind!!

On Wed, Nov 18, 2009 at 07:37:48PM +0100, Bret S. Lambert wrote:

On Wed, Nov 18, 2009 at 12:00:21PM -0600, Marco Peereboom wrote:

now a wiki

And before you know it, a social networking site. I want you to be my friend on Dixonspace!!!

On Wed, Nov 18, 2009 at 12:33:32PM -0500, Jason Dixon wrote:

On Tue, Nov 17, 2009 at 06:56:40PM +0100, Daniel Gracia Garallar wrote:

[...]

P.S. And this will be the last you hear about it from me. ;)

I hope this doesn't come to mean the project falls dead. I've been reading the source and seems surprisingly simple, but those damned regulars... hehehe.

Not at all. I intentionally wrote Blogsum so I could begin blogging. I avoided installing the bloat-heavy CMS/blogging alternatives out there until I was satisfied it would meet my own criteria. I intend to add new features at a very slow pace, and only if they truly make it a better piece of software. Focus is on maintainability and security. But it's here to stay.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: OpenBSD blog software
Bret S. Lambert wrote:

On Wed, Nov 18, 2009 at 12:00:21PM -0600, Marco Peereboom wrote:

now a wiki

And before you know it, a social networking site.

Wake me when it becomes a cloud.
Re: OpenBSD blog software
Bret S. Lambert wrote:

On Wed, Nov 18, 2009 at 12:00:21PM -0600, Marco Peereboom wrote:

now a wiki

And before you know it, a social networking site. I want you to be my friend on Dixonspace!!!

so you can draw ascii-art penises on his Dixonspace profile ? :-)

Gilles
Re: OpenBSD blog software
On Wed, Nov 18, 2009 at 07:37:48PM +0100, Bret S. Lambert wrote:

On Wed, Nov 18, 2009 at 12:00:21PM -0600, Marco Peereboom wrote:

now a wiki

And before you know it, a social networking site. I want you to be my friend on Dixonspace!!!

Gotta have realtime plaintext chat for it to be a *true* social networking site...
Re: Authpf and more than 992 users
2009/11/18 Janusz Gumkowski <janusz.gumkow...@am.torun.pl>:

Is it at all possible to have more than 992 simultaneous authpf users ?

Yes, use more than one machine.

Digging out an old post of mine, still not having any real solution but a couple of ugly hacks instead, trying to get rid of them finally.

To the point: is allocating a pty for authpf logins really necessary ?

Yes.

What side-effects can I expect if I disable it ?

Probably bad things.
php5-core package install problems
I am having trouble with installing a package, php5-core for OpenBSD 4.6 (i386). There is a dependency that cannot be resolved. php5-core requires libiconv-1.12, and a package only exists for libiconv-1.13.

# pkg_add -r php5-core
Can't install php5-core-5.2.10: lib not found iconv.6.0
Dependencies for php5-core-5.2.10 resolve to: libiconv-1.12, libxml-2.6.32p3, gettext-0.17p0
Full dependency tree is libiconv-1.12,libxml-2.6.32p3,gettext-0.17p0
iconv.6.0: partial match in /usr/local/lib: major=5, minor=0 (bad major)

I've also tried building php from ports with no luck due to a problem with one of the patches...

===>  Extracting for php5-core-5.2.11
===>  Patching for php5-core-5.2.11
`/usr/ports/obj/php5-core-5.2.11/.prepatch_done' is up to date.
===>  Applying distribution patches for php5-core-5.2.11
Ignoring previously applied (or reversed) patch.
2 out of 2 hunks ignored--saving rejects to ext/date/lib/parse_date.re.rej
*** patch-ext_date_lib_parse_date_re did not apply cleanly
Ignoring previously applied (or reversed) patch.
1 out of 1 hunks ignored--saving rejects to ext/date/lib/timelib.h.rej
*** patch-ext_date_lib_timelib_h did not apply cleanly
Ignoring previously applied (or reversed) patch.
1 out of 1 hunks ignored--saving rejects to ext/date/php_date.c.rej
*** patch-ext_date_php_date_c did not apply cleanly
*** Error code 1

Stop in /usr/ports/www/php5/core (line 2091 of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/www/php5/core (line 1444 of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/www/php5/core (line 1984 of /usr/ports/infrastructure/mk/bsd.port.mk).
*** Error code 1

Stop in /usr/ports/www/php5/core (line 1474 of /usr/ports/infrastructure/mk/bsd.port.mk).
===>  Exiting www/php5/core with an error
*** Error code 1

Stop in /usr/ports/www/php5 (line 129 of /usr/ports/infrastructure/mk/bsd.port.subdir.mk).
Odd name lookup behavior
Can anyone explain this behavior to me? Given the following resolv.conf file:

r...@pm3fw:root# cat /etc/resolv.conf
lookup file bind
search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
nameserver 127.0.0.1
nameserver 10.209.128.20
nameserver 10.209.128.26
nameserver 10.209.142.158

And:

r...@pm3fw:root# nslookup
> cvsup
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   cvsup.mcn.chs
Address: 10.209.142.151
> 10.209.142.151
Server:         127.0.0.1
Address:        127.0.0.1#53

151.142.209.10.in-addr.arpa     name = cvsup.meadwestvaco.com.
> exit

Why does this happen ? And how?

r...@pm3fw:root# nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 cvsup

Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-18 15:05 EST
Initiating Ping Scan at 15:05
Scanning 10.209.142.151 [8 ports]
Completed Ping Scan at 15:05, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:05
Completed Parallel DNS resolution of 1 host. at 15:05, 0.00s elapsed
Initiating SYN Stealth Scan at 15:05
Scanning cvsup.meadwestvaco.com (10.209.142.151) [1000 ports]

Is nmap not using the resolver libraries?

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
Re: OpenBSD blog software
On Wed, 18 Nov 2009 20:04:01 +0100 Gilles Chehade gil...@poolp.org wrote: Bret S. Lambert wrote: On Wed, Nov 18, 2009 at 12:00:21PM -0600, Marco Peereboom wrote: now a wiki And before you know, it, a social networking site. I want you to be my friend on Dixonspace!!! so you can draw ascii-art penises on his Dixonspace profile ? :-) Gilles Little bit of ajax preload magic in the background and in random intervals flash for a fraction of a second a picture of bob's... hh, noes, get out of my head!
5 PKK members sent to İmralı
Regional News, Daily Flash News: 5 PKK members sent to İmralı. Öcalan's solitude has come to an end. The separatist leader's neighbours have already been sent to İmralı... For now, 5 PKK members will keep Öcalan company; click here to read the rest. Regional News. Click here to cancel your news subscription..
Questions about chrooted apache and exec() in php
Hello,

I am running the apache in base 4.5 with the chroot. I am trying to run this simple script (as a test) but I cannot make it output anything...

I have done a cp /usr/bin/whoami /var/www/bin/ , made sure that ownership is root:daemon, and permissions are 600, i have even tried 777

i have tried the following combinations:

<?php echo exec('whoami 2>&1'); ?>
<?php echo exec('/bin/whoami'); ?>
<?php echo exec('/var/www/bin/whoami'); ?>
<?php echo exec('(whoami)'); ?>
<?php echo exec('./bin/whoami'); ?>

No go, no output. What could
Re: php5-core package install problems
On Thu, Nov 19, 2009 at 05:10:12AM +1100, John wrote:

> I am having trouble with installing a package, php5-core for OpenBSD 4.6 (i386). There is a dependency that cannot be resolved. php5-core requires libiconv-1.12, and a package only exists for libiconv-1.13.
>
> # pkg_add -r php5-core
> Can't install php5-core-5.2.10: lib not found iconv.6.0
> Dependencies for php5-core-5.2.10 resolve to: libiconv-1.12, libxml-2.6.32p3, gettext-0.17p0
> Full dependency tree is libiconv-1.12,libxml-2.6.32p3,gettext-0.17p0
> iconv.6.0: partial match in /usr/local/lib: major=5, minor=0 (bad major)

maybe you have a broken php5-core package in your PKG_PATH?

$ ftp ftp://ftp3.usa.openbsd.org/pub/OpenBSD/4.6/packages/i386/php5-core-5.2.10.tgz
[...]
$ pkg_info -f ./php5-core-5.2.10.tgz | grep iconv
@depend converters/libiconv:libiconv-*:libiconv-1.13
@wantlib iconv.6.0
[...]
$ ftp ftp://ftp3.usa.openbsd.org/pub/OpenBSD/4.6/packages/i386/libiconv-1.13.tgz
[...]
$ pkg_info -f ./libiconv-1.13.tgz | grep \...@lib
@lib lib/libcharset.so.1.0
@lib lib/libiconv.so.6.0

> I've also tried building php from ports with no luck due to a problem with one of the patches...
>
> ===>  Extracting for php5-core-5.2.11
> ===>  Patching for php5-core-5.2.11
> `/usr/ports/obj/php5-core-5.2.11/.prepatch_done' is up to date.
> ===>  Applying distribution patches for php5-core-5.2.11
> Ignoring previously applied (or reversed) patch.
> 2 out of 2 hunks ignored--saving rejects to ext/date/lib/parse_date.re.rej
> *** patch-ext_date_lib_parse_date_re did not apply cleanly
> Ignoring previously applied (or reversed) patch.
> 1 out of 1 hunks ignored--saving rejects to ext/date/lib/timelib.h.rej
> *** patch-ext_date_lib_timelib_h did not apply cleanly
> Ignoring previously applied (or reversed) patch.
> 1 out of 1 hunks ignored--saving rejects to ext/date/php_date.c.rej
> *** patch-ext_date_php_date_c did not apply cleanly
> *** Error code 1

all those messages are the same: previously applied (or reversed) patch. you need to 'make clean'.
-- jake...@sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org
Re: php5-core package install problems
On Thu, 19 Nov 2009 05:10:12 +1100 John john.n.t...@live.com wrote:

> I am having trouble with installing a package, php5-core for OpenBSD 4.6 (i386). There is a dependency that cannot be resolved. php5-core requires libiconv-1.12, and a package only exists for libiconv-1.13.
>
> # pkg_add -r php5-core
> Can't install php5-core-5.2.10: lib not found iconv.6.0
> Dependencies for php5-core-5.2.10 resolve to: libiconv-1.12, libxml-2.6.32p3, gettext-0.17p0
> Full dependency tree is libiconv-1.12,libxml-2.6.32p3,gettext-0.17p0
> iconv.6.0: partial match in /usr/local/lib: major=5, minor=0 (bad major)

hm,

# ftp ftp://ftp.openbsd.org/pub/OpenBSD/4.6/packages/i386/php5-core-5.2.10.tgz
# pkg_info -f ./php5-core-5.2.10.tgz | grep iconv
@depend converters/libiconv:libiconv-*:libiconv-1.13
@wantlib iconv.6.0
[...]

i see a dep on 1.13, not 1.12.

why pkg_add -r? do you have another php5-core installed that you want to replace? -r/replace doesn't make much sense if you want to install a package.

are you updating your packages after an upgrade to 4.6? if so, give -F update,updatedepends a try and let pkg_add do its -u magic.

- Robert
Re: midwest US mirror
> I should mention things that I didn't before and reiterate others . . .
> 1) I am committed to maintaining this service
> 2) At the moment, I have a ~300G hard drive devoted to it (and willing to devote more, in the future)
> 3) I have a DSL (high-speed) connection

i'm not sure what kind of outbound speeds your dsl connection is capable of, but the old second level mirror rt.fm saw spikes of up to 80mbps and a constant 20mbps outbound for many days around each release time.
Re: Questions about chrooted apache and exec() in php
On Wed, 18 Nov 2009 14:23:42 -0600 Matthew Young myoung24...@gmail.com wrote:

> Hello,
>
> I am running the apache in base 4.5 with the chroot. I am trying to run this simple script (as a test) but I cannot make it output anything...
>
> I have done a cp /usr/bin/whoami /var/www/bin/ , made sure that ownership is root:daemon, and permissions are 600, i have even tried 777
>
> i have tried the following combinations:
>
> <?php echo exec('whoami 2>&1'); ?>
> <?php echo exec('/bin/whoami'); ?>
> <?php echo exec('/var/www/bin/whoami'); ?>
> <?php echo exec('(whoami)'); ?>
> <?php echo exec('./bin/whoami'); ?>
>
> No go, no output. What could

# ktrace whoami
[...]
# kdump ktrace.out
 25471 ktrace   RET   ktrace 0
 25471 ktrace   CALL  execve(0x7f7f8690,0x7f7f8c08,0x7f7f8c18)
 25471 ktrace   NAMI  /usr/bin/whoami
 25471 ktrace   NAMI  /bin/sh
[...]
# ls /var/www/bin/sh
ls: /var/www/bin/sh: No such file or directory

- Robert
Re: Questions about chrooted apache and exec() in php
On Wed, 18 Nov 2009 22:44:51 +0100 Robert rob...@openbsd.pap.st wrote:

> # kdump ktrace.out

kdump -f ...
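The ktrace exchange above shows the two things that silently break a program copied into a chroot: the execute bit the poster's 600 mode never set, and an interpreter (here /bin/sh) that lives outside the jail. The following is an added example, not code from the thread or from OpenBSD, that checks both before you wire a binary into a chrooted web server. The fake chroot it builds under a temp directory, the `#!/bin/sh` wrapper standing in for whoami, and the function names are all constructed for the demo.

```python
"""Check whether a program copied into a chroot can actually run there."""
import os
import shutil
import stat
import tempfile


def script_interpreter(path):
    """Interpreter named on a '#!' line, or None when the file is not a script."""
    with open(path, "rb") as fh:
        first = fh.readline(256)
    if not first.startswith(b"#!"):
        return None
    fields = first[2:].strip().split()
    return fields[0].decode("ascii", "replace") if fields else None


def chroot_problems(root, program):
    """Problems that would stop `program` (path relative to the chroot, e.g.
    'bin/whoami') from running under chroot(root). Empty list: nothing found.

    Checks: the file exists, some execute bit is set, and if it is a script
    the interpreter on its '#!' line is present inside the chroot as well.
    Shared-library dependencies of dynamic binaries are not checked here;
    ldd(1) on the original binary tells you which ones to copy.
    """
    full = os.path.join(root, program.lstrip("/"))
    if not os.path.isfile(full):
        return [f"{program}: not present inside {root}"]
    problems = []
    mode = os.stat(full).st_mode
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        problems.append(f"{program}: no execute bit set (mode {oct(mode & 0o777)})")
    interp = script_interpreter(full)
    if interp is not None and not os.path.isfile(os.path.join(root, interp.lstrip("/"))):
        problems.append(f"{program}: script interpreter {interp} is missing inside {root}")
    return problems


def build_demo_chroot():
    """Constructed stand-in for /var/www: bin/whoami is a '#!/bin/sh' wrapper
    (so it needs /bin/sh, which is what the ktrace output in the thread looks
    up), copied in with mode 600 and with no bin/sh beside it, as in the post."""
    root = tempfile.mkdtemp(prefix="fake-chroot-")
    os.makedirs(os.path.join(root, "bin"))
    whoami = os.path.join(root, "bin", "whoami")
    with open(whoami, "w") as fh:
        fh.write("#!/bin/sh\nexec /usr/bin/id -un\n")
    os.chmod(whoami, 0o600)
    return root


def fix_demo_chroot(root):
    """Apply the two fixes the checker points at: execute bit and interpreter."""
    os.chmod(os.path.join(root, "bin", "whoami"), 0o755)
    sh = os.path.join(root, "bin", "sh")
    with open(sh, "w") as fh:
        fh.write("#!/bin/sh\n")  # placeholder file; a real chroot gets a copy of /bin/sh
    os.chmod(sh, 0o755)


if __name__ == "__main__":
    root = build_demo_chroot()
    try:
        print(chroot_problems(root, "bin/whoami"))   # two findings
        fix_demo_chroot(root)
        print(chroot_problems(root, "bin/whoami"))   # []
    finally:
        shutil.rmtree(root)
```

Run it against the real jail as `chroot_problems("/var/www", "bin/whoami")` before restarting httpd; the web server's uid is not root, so the execute bit that matters is the group or other one, not the owner's.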
Re: Odd name lookup behavior
On Wed, 18 Nov 2009, stan wrote:

> Can anyone explain this behavior to me?

Without access to your nameservers it's not possible to be sure, but see below -- this looks normal to me.

> Given the following resolv.conf file:
>
> r...@pm3fw:root# cat /etc/resolv.conf
> lookup file bind
> search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
> nameserver 127.0.0.1
> nameserver 10.209.128.20
> nameserver 10.209.128.26
> nameserver 10.209.142.158
>
> And:
>
> r...@pm3fw:root# nslookup
> > cvsup
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> Non-authoritative answer:
> Name:   cvsup.mcn.chs
> Address: 10.209.142.151
> > 10.209.142.151
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> 151.142.209.10.in-addr.arpa     name = cvsup.meadwestvaco.com.
> > exit
>
> Why does this happen ? And how?

You apparently have a system with multiple names and a single IP address. Both cvsup.mcn.chs and cvsup.meadwestvaco.com are assigned address 10.209.142.151, but the reverse-lookup entry can't return both names. Given the order of domains in your 'search' directive, cvsup.mcn.chs is looked up first and so is the name that nslookup reports, but cvsup.meadwestvaco.com was chosen as the 'official' name for the reverse lookup by whoever set up your DNS.

> r...@pm3fw:root# nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 cvsup
>
> Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-18 15:05 EST
> Initiating Ping Scan at 15:05
> Scanning 10.209.142.151 [8 ports]
> Completed Ping Scan at 15:05, 0.20s elapsed (1 total hosts)
> Initiating Parallel DNS resolution of 1 host. at 15:05
> Completed Parallel DNS resolution of 1 host. at 15:05, 0.00s elapsed
> Initiating SYN Stealth Scan at 15:05
> Scanning cvsup.meadwestvaco.com (10.209.142.151) [1000 ports]
>
> Is nmap not using the resolver libraries?

I've never looked at the innards of nmap, but I expect that it's reporting the 'official' name from the reverse lookup regardless of how you initially specified the system to scan. Given that it can scan multiple hosts this makes sense, since it may not have been given names for all of them.
Dave -- Dave Anderson d...@daveanderson.com
Re: Odd name lookup behavior
On Wed, 18 Nov 2009 15:06:28 -0500 stan st...@panix.com wrote:

> Can anyone explain this behavior to me? Given the following resolv.conf file:
>
> r...@pm3fw:root# cat /etc/resolv.conf
> lookup file bind
> search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
> nameserver 127.0.0.1
> nameserver 10.209.128.20
> nameserver 10.209.128.26
> nameserver 10.209.142.158
>
> And:
>
> r...@pm3fw:root# nslookup
> > cvsup
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> Non-authoritative answer:
> Name:   cvsup.mcn.chs
> Address: 10.209.142.151
> > 10.209.142.151
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> 151.142.209.10.in-addr.arpa     name = cvsup.meadwestvaco.com.
> > exit
>
> Why does this happen ? And how?
>
> r...@pm3fw:root# nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 cvsup
>
> Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-18 15:05 EST
> Initiating Ping Scan at 15:05
> Scanning 10.209.142.151 [8 ports]
> Completed Ping Scan at 15:05, 0.20s elapsed (1 total hosts)
> Initiating Parallel DNS resolution of 1 host. at 15:05
> Completed Parallel DNS resolution of 1 host. at 15:05, 0.00s elapsed
> Initiating SYN Stealth Scan at 15:05
> Scanning cvsup.meadwestvaco.com (10.209.142.151) [1000 ports]
>
> Is nmap not using the resolver libraries?

Your dns at 127.0.0.1 does not resolve 151.142.209.10.in-addr.arpa? 127.0.0.1:53 allows recursive queries so it looks elsewhere and serves the real hostname?

- Robert
SPAMd blacklists unavailable
Hi, While trying to get http://www.openbsd.org/spamd/chinacidr.txt.gz and http://www.openbsd.org/spamd/koreacidr.txt.gz i'm getting 404's. Have those resources been moved ? I'm in the meantime using http://ipdeny.com/ipblocks/data/countries/cn.zone and http://ipdeny.com/ipblocks/data/countries/kr.zone Thanks Laurent
Re: Odd name lookup behavior
On Wed, Nov 18, 2009 at 05:00:02PM -0500, Dave Anderson wrote:
> On Wed, 18 Nov 2009, stan wrote:
>
> > Can anyone explain this behavior to me?
>
> Without access to your nameservers it's not possible to be sure, but see below -- this looks normal to me.
>
> > Given the following resolv.conf file:
> >
> > r...@pm3fw:root# cat /etc/resolv.conf
> > lookup file bind
> > search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
> > nameserver 127.0.0.1
> > nameserver 10.209.128.20
> > nameserver 10.209.128.26
> > nameserver 10.209.142.158
> >
> > And:
> >
> > r...@pm3fw:root# nslookup
> > > cvsup
> > Server:         127.0.0.1
> > Address:        127.0.0.1#53
> >
> > Non-authoritative answer:
> > Name:   cvsup.mcn.chs
> > Address: 10.209.142.151
> > > 10.209.142.151
> > Server:         127.0.0.1
> > Address:        127.0.0.1#53
> >
> > 151.142.209.10.in-addr.arpa     name = cvsup.meadwestvaco.com.
> > > exit
> >
> > Why does this happen ? And how?
>
> You apparently have a system with multiple names and a single IP address. Both cvsup.mcn.chs and cvsup.meadwestvaco.com are assigned address 10.209.142.151, but the reverse-lookup entry can't return both names. Given the order of domains in your 'search' directive, cvsup.mcn.chs is looked up first and so is the name that nslookup reports, but cvsup.meadwestvaco.com was chosen as the 'official' name for the reverse lookup by whoever set up your DNS.

Your analysis is correct, in that there are multiple names (don't ask :-().

I have control of some of the nameservers. They are bind 9 on OpenBSD. Can you clarify what you mean by official name? Are you talking about an A entry, as opposed to a CNAME entry?

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
Re: Odd name lookup behavior
On Wed, Nov 18, 2009 at 11:21:41PM +0100, Robert wrote:
> On Wed, 18 Nov 2009 15:06:28 -0500 stan st...@panix.com wrote:
>
> > Can anyone explain this behavior to me? Given the following resolv.conf file:
> >
> > r...@pm3fw:root# cat /etc/resolv.conf
> > lookup file bind
> > search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
> > nameserver 127.0.0.1
> > nameserver 10.209.128.20
> > nameserver 10.209.128.26
> > nameserver 10.209.142.158
> >
> > And:
> >
> > r...@pm3fw:root# nslookup
> > > cvsup
> > Server:         127.0.0.1
> > Address:        127.0.0.1#53
> >
> > Non-authoritative answer:
> > Name:   cvsup.mcn.chs
> > Address: 10.209.142.151
> > > 10.209.142.151
> > Server:         127.0.0.1
> > Address:        127.0.0.1#53
> >
> > 151.142.209.10.in-addr.arpa     name = cvsup.meadwestvaco.com.
> > > exit
> >
> > Why does this happen ? And how?
> >
> > r...@pm3fw:root# nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 cvsup
> >
> > Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-18 15:05 EST
> > Initiating Ping Scan at 15:05
> > Scanning 10.209.142.151 [8 ports]
> > Completed Ping Scan at 15:05, 0.20s elapsed (1 total hosts)
> > Initiating Parallel DNS resolution of 1 host. at 15:05
> > Completed Parallel DNS resolution of 1 host. at 15:05, 0.00s elapsed
> > Initiating SYN Stealth Scan at 15:05
> > Scanning cvsup.meadwestvaco.com (10.209.142.151) [1000 ports]
> >
> > Is nmap not using the resolver libraries?
>
> Your dns at 127.0.0.1 does not resolve 151.142.209.10.in-addr.arpa? 127.0.0.1:53 allows recursive queries so it looks elsewhere and serves the real hostname?

Yes the Bind 9 instance on this OpenBSD machine does allow recursion, but the machines that it points to _should not_ have a reverse record for this address that points to the meadwestvaco name. Sounds like I need to check that out though.

Thanks.

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
Re: Odd name lookup behavior
On Wed, Nov 18, 2009 at 11:21:41PM +0100, Robert wrote:
> On Wed, 18 Nov 2009 15:06:28 -0500 stan st...@panix.com wrote:
>
> > Can anyone explain this behavior to me? Given the following resolv.conf file:
> >
> > r...@pm3fw:root# cat /etc/resolv.conf
> > lookup file bind
> > search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
> > nameserver 127.0.0.1
> > nameserver 10.209.128.20
> > nameserver 10.209.128.26
> > nameserver 10.209.142.158
> >
> > And:
> >
> > r...@pm3fw:root# nslookup
> > > cvsup
> > Server:         127.0.0.1
> > Address:        127.0.0.1#53
> >
> > Non-authoritative answer:
> > Name:   cvsup.mcn.chs
> > Address: 10.209.142.151
> > > 10.209.142.151
> > Server:         127.0.0.1
> > Address:        127.0.0.1#53
> >
> > 151.142.209.10.in-addr.arpa     name = cvsup.meadwestvaco.com.
> > > exit
> >
> > Why does this happen ? And how?
> >
> > r...@pm3fw:root# nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 cvsup
> >
> > Starting Nmap 4.76 ( http://nmap.org ) at 2009-11-18 15:05 EST
> > Initiating Ping Scan at 15:05
> > Scanning 10.209.142.151 [8 ports]
> > Completed Ping Scan at 15:05, 0.20s elapsed (1 total hosts)
> > Initiating Parallel DNS resolution of 1 host. at 15:05
> > Completed Parallel DNS resolution of 1 host. at 15:05, 0.00s elapsed
> > Initiating SYN Stealth Scan at 15:05
> > Scanning cvsup.meadwestvaco.com (10.209.142.151) [1000 ports]
> >
> > Is nmap not using the resolver libraries?
>
> Your dns at 127.0.0.1 does not resolve 151.142.209.10.in-addr.arpa? 127.0.0.1:53 allows recursive queries so it looks elsewhere and serves the real hostname?

OK here are the servers that the local nameserver recurses to:

forwarders {
        10.209.142.158;
        10.209.144.150;
        10.209.142.154;
};

And if I use nslookup and set it to each of them in turn, i still get the mcn.chs name:

s...@pm3fw:stan$ nslookup
> cvsup
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   cvsup.mcn.chs
Address: 10.209.142.151
> 10.209.142.151
Server:         127.0.0.1
Address:        127.0.0.1#53

151.142.209.10.in-addr.arpa     name = cvsup.meadwestvaco.com.
> server 10.209.142.158
Default server: 10.209.142.158
Address: 10.209.142.158#53
> cvsup
Server:         10.209.142.158
Address:        10.209.142.158#53

Non-authoritative answer:
Name:   cvsup.mcn.chs
Address: 10.209.142.151
> server 10.209.144.150
Default server: 10.209.144.150
Address: 10.209.144.150#53
> cvsup
Server:         10.209.144.150
Address:        10.209.144.150#53

Non-authoritative answer:
Name:   cvsup.mcn.chs
Address: 10.209.142.151
> server 10.209.142.154
Default server: 10.209.142.154
Address: 10.209.142.154#53
> cvsup
Server:         10.209.142.154
Address:        10.209.142.154#53

Non-authoritative answer:
Name:   cvsup.mcn.chs
Address: 10.209.142.151

Of course, I do see the "Non-authoritative answer:" clause in each of these. Would that mean that a program could request an authoritative answer? If so, how?

--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
OT: Have you hugged your local OpenBSD dev lately?
So glad we don't have these kinds of issues... https://bugzilla.redhat.com/show_bug.cgi?id=534047
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote: So glad we don't have these kinds of issues... https://bugzilla.redhat.com/show_bug.cgi?id=534047 no one offered a diff to implement that feature on OpenBSD yet ? it can easily be done by writing a sudoKit policy :-) Gilles -- Gilles Chehade freelance developer/sysadmin/consultant http://www.poolp.org
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote: So glad we don't have these kinds of issues... https://bugzilla.redhat.com/show_bug.cgi?id=534047 Wow that's tremendously funny. -- DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/ This message will self-destruct in 3 seconds.
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, Nov 18, 2009 at 16:55, Abel Abraham Camarillo Ojeda acam...@the00z.org wrote:
> On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote:
> > So glad we don't have these kinds of issues...
> > https://bugzilla.redhat.com/show_bug.cgi?id=534047
>
> Wow that's tremendously funny.
>
> --
> DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/
> This message will self-destruct in 3 seconds.

I particularly like comment #8, where one of the devs basically says this is a feature, not a bug
Re: OT: Have you hugged your local OpenBSD dev lately?
Before everyone goes too bonkers, consider exactly how safe/dangerous this behavior actually is on a single user machine. Food for thought. Think to yourself: what *exactly* is the difference between the only user account on your machine and root? How are you safe? On Nov 18, 2009, at 4:05 PM, Bryan bra...@gmail.com wrote: So glad we don't have these kinds of issues... https://bugzilla.redhat.com/show_bug.cgi?id=534047
Re: OT: Have you hugged your local OpenBSD dev lately?
> Before everyone goes too bonkers, consider exactly how safe/dangerous this behavior actually is on a single user machine. Food for thought. Think to yourself: what *exactly* is the difference between the only user account on your machine and root? How are you safe?

Not everyone runs firefox as root, like you Ted.

Blurring all the lines is the wrong assessment. Yes, a lot of safety is about hurdles. The sidewalk is raised to a different height than the road as a hurdle, and it has a safety benefit. It reduces the danger for pedestrians because drivers don't want the hurdle of replacing their rims. That is safety.

I prefer the hurdles.
Re: OT: Have you hugged your local OpenBSD dev lately?
2009/11/19 Ted Unangst ted.unan...@gmail.com: Think to yourself: what *exactly* is the difference between the only user account on your machine and root? How are you safe? And then you create a guest account on your netbook... Read the comments. There are some interesting exploits for this... Best Martin
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, 18 Nov 2009 17:08 -0800, Bryan bra...@gmail.com wrote: On Wed, Nov 18, 2009 at 16:55, Abel Abraham Camarillo Ojeda acam...@the00z.org wrote: On Wed, Nov 18, 2009 at 04:05:04PM -0800, Bryan wrote: So glad we don't have these kinds of issues... https://bugzilla.redhat.com/show_bug.cgi?id=534047 Wow that's tremendously funny. -- DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/ This message will self-destruct in 3 seconds. I particular like comment #8, where one of the devs basically says this is a feature, not a bug Holy crap, you're right! This is funny as hell. I originally had not read the comments section. I especially liked; I don't particularly care how UNIX has always worked. In other words; I don't particularly care about security you masturbating monkeys. :)
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, Nov 18, 2009 at 05:38:38PM -0800, Ted Unangst wrote: Before everyone goes too bonkers, consider exactly how safe/dangerous this behavior actually is on a single user machine. Food for thought. Think to yourself: what *exactly* is the difference between the only user account on your machine and root? How are you safe? On Nov 18, 2009, at 4:05 PM, Bryan bra...@gmail.com wrote: So glad we don't have these kinds of issues... https://bugzilla.redhat.com/show_bug.cgi?id=534047 well i think that the problem is that the new *feature* is enabled by default, it will definitely be useful on desktops/netbook/whatever. -- DISCLAIMER: http://goldmark.org/jeff/stupid-disclaimers/ This message will self-destruct in 3 seconds.
Re: OT: Have you hugged your local OpenBSD dev lately?
--- On Wed, 11/18/09, Bryan bra...@gmail.com wrote: From: Bryan bra...@gmail.com Subject: OT: Have you hugged your local OpenBSD dev lately? To: Misc OpenBSD misc@openbsd.org Received: Wednesday, November 18, 2009, 7:05 PM So glad we don't have these kinds of issues... https://bugzilla.redhat.com/show_bug.cgi?id=534047 This is a blatant ID10T error. Comments 9 and 10 are my favorite. Last I looked it *was* insecure to let non-root users install software let alone do it by default and without a password! --- James A. Peltier james_a_pelt...@yahoo.ca __ Looking for the perfect gift? Give the gift of Flickr! http://www.flickr.com/gift/
Re: Match rule with scrub options cause some websites to hang
Here's a brief overview of what I did. If it's not what you are looking for, let me know (or we can take a more detailed discussion off-list). I don't claim to be an expert in this. I did a lot of Googling/reading, and cobbled together my strategy from several sources. Even then, I think I'm going to change it a bit with the next snapshot I load.

I installed the snapshot onto a 8GB CF card mounted as a raw disk in Sun VirtualBox PUEL. I'm sure you could do it all on the Soekris as well, but VirtualBox on my Core i7 workstation is faster than the Soekris :/ I then dd'ed the image to a raw disk file and worked from it to set most everything up, then dd'ed it back to the CF, popped it in the Soekris, and there did the final config and testing.

I have /tmp, /dev, and /var in MFS, and everything else mounted read-only, so that I can unplug the thing with impunity. From what I read that's really the only reason to put things in MFS, because a modern CF card will last years even used as a hard disk, and doing the MFS thing is definitely extra effort. If it's your home router and you are willing to treat it like a regular computer, it's easier to just use the CF like any other hard disk and install in the normal manner.

My one big change I'll make is actually having some swap space. I have a very small amount now to support the MFS, but based on discussion on this list in the last month or so there's no reason not to have a normal amount of swap with a 4GB or more CF.

The Soekris makes a fine home firewall, but I'm not sure how it would perform under heavier loads. The VIA vr network interfaces are not known as the most efficient (though there is a PCI slot to add something different if you desire), and I don't know how the Geode CPU would handle a lot of encryption, say, several simultaneous IPSec or ssh users.

I'm looking at mini-ITX Atom boards as the basis for a multipurpose, CF-booting platform (firewall, X-terminal, NAS/backup server) I want to use at work. Each machine would do only one thing in that list, but I could keep one spare for all and just swap out CF cards to change their role. The Atom boards probably don't have much more horsepower than the Soekris, but some have better network interfaces (Intel em), and they can be had with dual video interfaces too.

stan wrote:
> On Sun, Nov 08, 2009 at 10:32:07PM -0600, Cor wrote:
> > I'm running a late-October post-4.6 snapshot on a new Soekris firewall, and noticed something peculiar after setting up the rules per the new pf.conf(5) man page. I had a few lesser-known websites just hang and eventually time out (the majors still work fine), but thought little of it until I went to the ISA web site (www.isa.org) to renew my membership there and noticed the same effect.
>
> I need to build a couple of those. Which methodology are you using to build these?
Re: OT: Have you hugged your local OpenBSD dev lately?
On Nov 18, 2009, at 5:47 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
> > Before everyone goes too bonkers, consider exactly how safe/dangerous this behavior actually is on a single user machine. Food for thought. Think to yourself: what *exactly* is the difference between the only user account on your machine and root? How are you safe?
>
> Not everyone runs firefox as root, like you Ted.

It's the easiest way to nice it to -10...

> Blurring all the lines is the wrong assessment. Yes, a lot of safety is about hurdles. The sidewalk is raised to a different height than the road as a hurdle, and it has a safety benefit. It reduces the danger for pedestrians because drivers don't want the hurdle of replacing their rims. That is safety.
>
> I prefer the hurdles.
Re: OT: Have you hugged your local OpenBSD dev lately?
If you give untrusted people unsupervised access to your laptop, I hope you have a better lock than I do.

On Nov 18, 2009, at 5:45 PM, Martin Schröder mar...@oneiros.de wrote:
> 2009/11/19 Ted Unangst ted.unan...@gmail.com:
> > Think to yourself: what *exactly* is the difference between the only user account on your machine and root? How are you safe?
>
> And then you create a guest account on your netbook...
>
> Read the comments. There are some interesting exploits for this...
>
> Best
> Martin
Re: OT: Have you hugged your local OpenBSD dev lately?
Not a change i would make, but for a desktop? Not a big deal. On Nov 18, 2009, at 5:48 PM, Eric Furman misc@openbsd.org wrote: but making it *default* behaviour?? On Wed, 18 Nov 2009 17:38 -0800, Ted Unangst ted.unan...@gmail.com wrote: Before everyone goes too bonkers, consider exactly how safe/dangerous this behavior actually is on a single user machine. Food for thought. Think to yourself: what *exactly* is the difference between the only user account on your machine and root? How are you safe? On Nov 18, 2009, at 4:05 PM, Bryan bra...@gmail.com wrote: So glad we don't have these kinds of issues... https://bugzilla.redhat.com/show_bug.cgi?id=534047
Re: Odd name lookup behavior
On Wed, 18 Nov 2009, stan wrote:

> On Wed, Nov 18, 2009 at 05:00:02PM -0500, Dave Anderson wrote:
> > On Wed, 18 Nov 2009, stan wrote:
> >
> > > Can anyone explain this behavior to me?
> >
> > Without access to your nameservers it's not possible to be sure, but see below -- this looks normal to me.
> >
> > > Given the following resolv.conf file:
> > >
> > > r...@pm3fw:root# cat /etc/resolv.conf
> > > lookup file bind
> > > search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
> > > nameserver 127.0.0.1
> > > nameserver 10.209.128.20
> > > nameserver 10.209.128.26
> > > nameserver 10.209.142.158
> > >
> > > And:
> > >
> > > r...@pm3fw:root# nslookup
> > > > cvsup
> > > Server:         127.0.0.1
> > > Address:        127.0.0.1#53
> > >
> > > Non-authoritative answer:
> > > Name:   cvsup.mcn.chs
> > > Address: 10.209.142.151
> > > > 10.209.142.151
> > > Server:         127.0.0.1
> > > Address:        127.0.0.1#53
> > >
> > > 151.142.209.10.in-addr.arpa     name = cvsup.meadwestvaco.com.
> > > > exit
> > >
> > > Why does this happen ? And how?
> >
> > You apparently have a system with multiple names and a single IP address. Both cvsup.mcn.chs and cvsup.meadwestvaco.com are assigned address 10.209.142.151, but the reverse-lookup entry can't return both names. Given the order of domains in your 'search' directive, cvsup.mcn.chs is looked up first and so is the name that nslookup reports, but cvsup.meadwestvaco.com was chosen as the 'official' name for the reverse lookup by whoever set up your DNS.
>
> Your analysis is correct, in that there are multiple names (don't ask :-().
>
> I have control of some of the nameservers. They are bind 9 on OpenBSD. Can you clarify what you mean by official name? Are you talking about an A entry, as opposed to a CNAME entry?

Sorry I wasn't clear. I was referring to the *.in-addr.arpa 'PTR' DNS entry which provides the translation from IPv4 address to host name.

Dave

--
Dave Anderson d...@daveanderson.com
Re: Changing the NIC on installed system?
Roger Schreiter ro...@planinternet.de writes:

> Hello,
>
> I did not yet understand very well, how the NIC drivers are selected. Is it done while installing OpenBSD or is it done at boot? In the latter case, I assume, I can replace a PCI network interface without changing any driver settings.

NIC drivers are all in a GENERIC kernel, I think. So, if you are running a GENERIC, you don't have to change many driver settings.

> If the logical interface name will be different, I maybe will have to rename hostname.vge0 to hostname.XX0 or similar.

true.

> Or are there much more changes necessary, when replacing a MikroTik NIC by an Intel one? System in OpenBSD-4.5

If you write your interface name at somewhere else, you have to change them accordingly, I guess.

> Regards,
> Roger.

regards.

--
tamgya |aT| GmAiL |DoT| cOm
pam-devel package??
Hi all, I need to build a pam-dependent plugin (openvpn-auth-pam) that requires the pam-devel libraries; I think that's why it's failing to build. I can't seem to find them in any OpenBSD port or package list; can someone point me in the right direction or tell me what to look for? ...Alternatively, a pre-built openvpn-auth-pam.so for i386 would suffice as well. :) Thanks! -elliott-
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, Nov 18, 2009 at 05:38:38PM -0800, Ted Unangst wrote:

Before everyone goes too bonkers, consider exactly how safe/dangerous this behavior actually is on a single user machine.

But did they also by default restrict the system to 1 user?

It's not so much the idea that's laughable, but the way it was implemented.

What I contest is that to *undo* it you need to be an experienced system admin that knows how to write policykit policies and where to drop them. I think we can count the number of people able to do that on the tips of my fingers. - Simo Sorce, Software Engineer at Red Hat, Inc.

--
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
Re: Odd name lookup behavior
You apparently have a system with multiple names and a single IP address. Both cvsup.mcn.chs and cvsup.meadwestvaco.com are assigned address 10.209.142.151, but the reverse-lookup entry can't return both names.

[snip]

You made that up. Yes it can. If it's configured to do so.

I'm guessing that the confusion is based on the assumption that forward and reverse zones are linked -- they aren't. You can edit A records all day long and it won't change the PTR records in the reverse zone. Figure out where the reverse zone is being served from (possibly with dig +trace -x 10.209.142.151) and edit that.
Re: OT: Have you hugged your local OpenBSD dev lately?
To be sure, I don't think it's the best idea. But practically? For actual users running Fedora? I doubt the change makes much difference for many of them.

The reason I even brought this up is not because I like the idea, but because I think it is a good opportunity to reflect on what user permissions accomplish on a typical desktop machine. Consider where your secrets, whatever they may be, are kept and how you access them. How many people are aware that any X program can listen to the keystrokes of any other X program? When you type your password into sudo, how do you know it's the real sudo? How do you know you aren't running badsudo because you're actually running badsh and it redirected your path?

On Nov 18, 2009, at 8:49 PM, Jacob Meuser jake...@sdf.lonestar.org wrote:

On Wed, Nov 18, 2009 at 05:38:38PM -0800, Ted Unangst wrote:

Before everyone goes too bonkers, consider exactly how safe/dangerous this behavior actually is on a single user machine.

But did they also by default restrict the system to 1 user?

It's not so much the idea that's laughable, but the way it was implemented.

What I contest is that to *undo* it you need to be an experienced system admin that knows how to write policykit policies and where to drop them. I think we can count the number of people able to do that on the tips of my fingers. - Simo Sorce, Software Engineer at Red Hat, Inc.

--
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org
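The "badsudo" question above comes down to PATH ordering: the shell runs the first `sudo` it finds, so any directory listed before the real one that an unprivileged user (or a program running as that user) can write to is a place to plant a fake. The following is an added example, not code from the thread or from any OpenBSD tool. It models that search in memory: the directory listings, the set of user-writable directories and the trusted location `/usr/bin/sudo` are all constructed assumptions, not read from a real filesystem.

```python
"""Added example (not from the list thread): model of PATH-order command
shadowing, the 'badsudo' problem. Directory contents, writability and the
trusted sudo location are constructed here; nothing touches a real filesystem."""

from typing import Dict, List, Optional, Set

# Constructed picture of a filesystem: which commands each directory holds ...
CONTENTS: Dict[str, Set[str]] = {
    "/bin": {"sh", "ls"},
    "/usr/bin": {"sudo", "ssh"},
    "/usr/local/bin": {"vim"},
    "/home/user/bin": {"sudo"},   # a fake dropped there by "badsh"
    "/tmp": set(),
}
# ... and which of them a non-root user can write to (constructed).
USER_WRITABLE: Set[str] = {"/home/user/bin", "/tmp"}
TRUSTED_DIR = "/usr/bin"          # assumed home of the real sudo

PATH_SANE = "/bin:/usr/bin:/usr/local/bin"
PATH_TAMPERED = "/home/user/bin:/bin:/usr/bin:/usr/local/bin"
PATH_EMPTY_ENTRY = "/bin::/usr/bin"   # an empty entry means "current directory"


def resolve(cmd: str, path: str, contents: Dict[str, Set[str]]) -> Optional[str]:
    """What the shell would execute for 'cmd': the first PATH entry holding it."""
    for entry in path.split(":"):
        directory = entry if entry else "."      # POSIX: empty entry is the cwd
        if cmd in contents.get(directory, set()):
            return f"{directory}/{cmd}"
    return None


def shadowing_dirs(path: str, trusted: str, user_writable: Set[str]) -> List[str]:
    """PATH entries ahead of the trusted directory where an attacker could plant
    a command: user-writable, relative, or empty (current directory)."""
    risks: List[str] = []
    for entry in path.split(":"):
        if entry == trusted:
            break
        if entry == "" or not entry.startswith("/") or entry in user_writable:
            risks.append(entry or "(cwd)")
    return risks


def sanitized_path(path: str, user_writable: Set[str]) -> str:
    """Keep only absolute entries that are not user-writable; this is what a
    login script or sudo's secure_path setting would give you."""
    keep = [e for e in path.split(":")
            if e and e.startswith("/") and e not in user_writable]
    return ":".join(keep)


if __name__ == "__main__":
    for label, p in (("sane", PATH_SANE), ("tampered", PATH_TAMPERED),
                     ("empty entry", PATH_EMPTY_ENTRY)):
        print(f"{label:12s} sudo -> {resolve('sudo', p, CONTENTS)}; "
              f"shadowing dirs: {shadowing_dirs(p, TRUSTED_DIR, USER_WRITABLE)}")
    print("cleaned:", sanitized_path(PATH_TAMPERED, USER_WRITABLE))
```

On a real box the same check is `type -a sudo` or `command -v sudo` compared against the path you expect, and typing `/usr/bin/sudo` in full sidesteps PATH altogether. It does not help if the shell reading your keystrokes is itself the fake, which is exactly the point Ted is making.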
Re: Odd name lookup behavior
On Wed, 18 Nov 2009, Bryan Irvine wrote:

You apparently have a system with multiple names and a single IP address. Both cvsup.mcn.chs and cvsup.meadwestvaco.com are assigned address 10.209.142.151, but the reverse-lookup entry can't return both names.

[snip]

You made that up. Yes it can. If it's configured to do so.

Sorry, you're quite right -- there can be multiple PTR records. Evidently my brain wasn't fully engaged.

Dave

--
Dave Anderson
d...@daveanderson.com
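Two things in this thread are easy to see in code: how the `search` list in resolv.conf decides which name `nslookup cvsup` reports (Dave's first reply), and that the reverse zone is a separate data set that may carry one PTR or several (Bryan's correction). The following is an added example, not code from the thread or from BIND or OpenBSD's resolver. It is an in-memory model: the zone data is constructed to mirror the poster's setup (two A records for 10.209.142.151, one or two PTR records), `ndots=1` is assumed as the classic libc default, and nothing here talks to a nameserver.

```python
"""Added example (not from the list thread): in-memory model of resolv.conf
search-list expansion and of the forward/reverse zone split. All zone data is
constructed to mirror the thread; ndots=1 is an assumed resolver default."""

from typing import Dict, List, Optional, Tuple

# Constructed resolv.conf, same shape as the one posted.
RESOLV_CONF = """lookup file bind
search mcn.chs kapstonepaper.com pm3.charleston.meadwestvaco.com
nameserver 127.0.0.1
"""

# Constructed forward data: two names, one address.
A_RECORDS: Dict[str, str] = {
    "cvsup.mcn.chs": "10.209.142.151",
    "cvsup.meadwestvaco.com": "10.209.142.151",
}

# Constructed reverse data, two variants: one PTR (the poster's situation)
# and two PTRs (also legal, as Bryan points out).
PTR_SINGLE: Dict[str, List[str]] = {
    "151.142.209.10.in-addr.arpa": ["cvsup.meadwestvaco.com"],
}
PTR_BOTH: Dict[str, List[str]] = {
    "151.142.209.10.in-addr.arpa": ["cvsup.meadwestvaco.com", "cvsup.mcn.chs"],
}


def parse_search_list(resolv_conf: str) -> List[str]:
    """Domains from the 'search' directive, in the order the resolver tries them."""
    for line in resolv_conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "search":
            return parts[1:]
    return []


def candidate_names(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Fully qualified names tried for 'name', in order. A trailing dot means
    absolute. A name with fewer than ndots dots gets each search suffix first,
    then the bare name; otherwise the bare name is tried first."""
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixed = [f"{name}.{domain}" for domain in search]
    if name.count(".") < ndots:
        return suffixed + [name]
    return [name] + suffixed


def forward_lookup(name: str, search: List[str],
                   a_records: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """First candidate with an A record wins; returns (fqdn, address)."""
    for candidate in candidate_names(name, search):
        if candidate in a_records:
            return candidate, a_records[candidate]
    return None


def reverse_owner(ip: str) -> str:
    """10.209.142.151 -> 151.142.209.10.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def reverse_lookup(ip: str, ptr_records: Dict[str, List[str]]) -> List[str]:
    """Every PTR target for the address; the reverse zone may hold several."""
    return list(ptr_records.get(reverse_owner(ip), []))


def forward_confirmed(name: str, search: List[str], a_records: Dict[str, str],
                      ptr_records: Dict[str, List[str]]) -> bool:
    """Forward-confirmed reverse DNS: is the name we resolved among the PTR
    targets of the address it gave us? Daemons that log or authorise by
    hostname often apply this test, so a mismatch is worth fixing."""
    hit = forward_lookup(name, search, a_records)
    if hit is None:
        return False
    fqdn, address = hit
    return fqdn in reverse_lookup(address, ptr_records)


if __name__ == "__main__":
    search = parse_search_list(RESOLV_CONF)
    print("tried in order:", candidate_names("cvsup", search))
    print("forward:", forward_lookup("cvsup", search, A_RECORDS))
    for label, ptr in (("one PTR", PTR_SINGLE), ("two PTRs", PTR_BOTH)):
        print(f"reverse ({label}):", reverse_lookup("10.209.142.151", ptr),
              "FCrDNS:", forward_confirmed("cvsup", search, A_RECORDS, ptr))
```

With the single PTR the forward name and the reverse name disagree, which is exactly what the posted nslookup session shows; adding the second PTR record to the reverse zone (wherever `dig +trace -x 10.209.142.151` says it is served from) makes the check pass without touching any A record.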
Re: pam-devel package??
On Wed, 18 Nov 2009 19:28:55 -0800, Elliott Barrere wrote:

Hi all,

I need to build a pam-dependent plugin (openvpn-auth-pam) that requires the pam-devel libraries; I think that's why it's failing to build. I can't seem to find them in any OpenBSD port or package list; can someone point me in the right direction or tell me what to look for?

...Alternatively, a pre-built openvpn-auth-pam.so for i386 would suffice as well. :)

I doubt that you NEED pam. Why do you think you do? PAM is a toy for Linux that is not half as smart as its users believe. There are other ways to do auth. Perhaps you could ask for a better idea with a bit of info regarding just where your problem lies rather than choosing a solution and trying to implement it. PAM is not a solution on OpenBSD.

http://www.auscert.org.au/render.html?it=5821 (paragraph E.3.3)

*** NOTE *** Please DO NOT CC me. I am subscribed to the list. Mail to the sender address that does not originate at the list server is tarpitted. The reply-to: address is provided for those who feel compelled to reply off list. Thank you.

Rod/
---
This life is not the real thing. It is not even in Beta. If it was, then OpenBSD would already have a man page for it.
Re: pam-devel package??
OpenBSD doesn't use pam, so you aren't going to have much luck getting openvpn to use it either.

On Nov 18, 2009, at 7:28 PM, Elliott Barrere elli...@mywedding.com wrote:

Hi all,

I need to build a pam-dependent plugin (openvpn-auth-pam) that requires the pam-devel libraries; I think that's why it's failing to build. I can't seem to find them in any OpenBSD port or package list; can someone point me in the right direction or tell me what to look for?

...Alternatively, a pre-built openvpn-auth-pam.so for i386 would suffice as well. :)

Thanks!
-elliott-
Re: OT: Have you hugged your local OpenBSD dev lately?
On Wed, 18 Nov 2009 16:05:04 -0800 Bryan wrote:

So glad we don't have these kinds of issues...

New around here, but I'm noticing a lot of tooting of our own horn... so to speak. With all the possible vectors for compromising a system that are available, it just sounds naive to keep touting how secure this or that is. Do you own the physical network that your bits traverse? Do you guard your computer 24-7? And on and on.

I will say that Fedora has bigger issues than allowing users to install pkgs. I just went through trying out Fedora 11 and it was a nightmare to me. Doing simple things with the network has been made so painful that clawing out my eyes started to seem like relief. But maybe all flavors are going this way. Part of the never ending bloat.
Re: pam-devel package??
Check out the port net/openbsd_bsdauth. While not PAM auth, it will actually work on OpenBSD. (Hint: we don't do PAM)

On 2009 Nov 18 (Wed) at 19:28:55 -0800 (-0800), Elliott Barrere wrote:
:Hi all,
:
:I need to build a pam-dependent plugin (openvpn-auth-pam) that requires the
:pam-devel libraries; I think that's why it's failing to build. I can't seem
:to find them in any OpenBSD port or package list; can someone point me in the
:right direction or tell me what to look for?
:
:...Alternatively, a pre-built openvpn-auth-pam.so for i386 would suffice as
:well. :)
:
:Thanks!
:
:-elliott-
:

--
Weinberg's First Law: Progress is made on alternate Fridays.