Re: Jan 28 snapshot - em0 disappeared

2010-02-01 Thread Rogier Krieger
On Mon, Feb 1, 2010 at 07:32, Steve Williams
st...@williamsitconsulting.com wrote:
 I have downloaded the current cvs code and compiled it.  It exhibits the
 same problem, missing em0.

It seems to nicely detect the hardware, just not liking its EEPROM
contents and stopping initialisation there. While you should take a
developer's word over mine, I suppose it's not surprising that
ifconfig(8) does not show the hardware.

Seeing a few Google searches seems to indicate it's not necessarily an
OS problem. While some posts mention an Intel utility (IBAUTIL.EXE) to
configure/manage the built-in boot agent, you will probably want to
search for the correct NIC model and see which specific version/tool
you need.

I included a link [1] to the utility a 5 minute cursory search yielded
me. Use at your own risk, since I can't really be sure it's the
correct one.

Regards,

Rogier


References:
1. Intel Boot Agent BIOS
http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=12344&ProdId=2775&lang=eng



Re: Jan 28 snapshot - em0 disappeared

2010-02-01 Thread Claudio Jeker
On Mon, Feb 01, 2010 at 11:33:49AM +0100, Rogier Krieger wrote:
 On Mon, Feb 1, 2010 at 07:32, Steve Williams
 st...@williamsitconsulting.com wrote:
  I have downloaded the current cvs code and compiled it.  It exhibits the
  same problem, missing em0.
 
 It seems to nicely detect the hardware, just not liking its EEPROM
 contents and stopping initialisation there. While you should take a
 developer's word over mine, I suppose it's not surprising that
 ifconfig(8) does not show the hardware.
 
 Seeing a few Google searches seems to indicate it's not necessarily an
 OS problem. While some posts mention an Intel utility (IBAUTIL.EXE) to
 configure/manage the built-in boot agent, you will probably want to
 search for the correct NIC model and see which specific version/tool
 you need.
 
 I included a link [1] to the utility a 5 minute cursory search yielded
 me. Use at your own risk, since I can't really be sure it's the
 correct one.
 

I doubt this has to do with the boot ROM. The card has an NVROM to store the
MAC address etc. and it seems that the access to that one is fubar-ed.

There were many changes to em(4) to support newer models, some of the
changes were quite intrusive and could result in failure of other cards.
If possible please try some older kernels to find the commit which has
caused the regression.

-- 
:wq Claudio



Re: way to help: laptops and weekly

2010-02-01 Thread Owain Ainsworth
On Mon, Feb 01, 2010 at 07:42:57AM +0200, Jussi Peltola wrote:
 On Mon, Feb 01, 2010 at 04:54:49AM +, Jacob Meuser wrote:
  On Mon, Feb 01, 2010 at 05:57:11AM +0200, Jussi Peltola wrote:
   On Mon, Feb 01, 2010 at 02:35:54AM +, Jacob Meuser wrote:
yeah, but wasn't the original issue that started this thread that
the locate database was too old?  maybe if locate, apropos, etc would
print database last updated 3 weeks 2 days ago?

   This should be done in any case. IMHO it's a bug if they don't complain
   loudly, or even refuse to run with a stale database. Stale caches are
   evil, even if the man page warns about them.
  
  yeah, but if your computer hasn't been on for 3 weeks and then locate
  won't work because the database is 3 weeks old, that would suck.
  
 Of course it would need a switch to force it to run. But I guess a
 warning is better since locate might be used in scripts and it's not
 good to add extra knobs to existing programs where they don't gain much.

Please, no.

If nothing has changed on my machine in 3 weeks (say one of the laptops
I use infrequently) I would utterly hate having locate et al. bitch at
me continually.

If *you* really want something like that, this is what shell functions are
for, just check the database mtime, and print to stderr if it's too old,
then run locate. Please don't try and force that on everyone else.

-0-
-- 
The District of Columbia has a law forbidding you to exert pressure on
a balloon and thereby cause a whistling sound on the streets.



pf and apache: to stop a scripter

2010-02-01 Thread Jacob Yocom-Piatt
there is a website protected by pf and running apache on a recent 
openbsd snapshot that needs to be protected against scripting attacks. i 
can configure both pf and apache to help block this behavior but am not 
familiar with the best practices for such configurations.


the situation is that a user who authenticates to apache via htpasswd 
has run a script a number of times in an attempt to mine a database. all 
of the user activity is already logged by apache and it is crystal clear 
that scripting is going on. i would like to stop this scripting in its 
tracks and here is what i am already looking at:


- pf - use max-src-X to stop this behavior and log it at the firewall

- apache - less clear on what tools are best, possibly mod_security stuff

the sort of behavior that suggests scripting is more than ~20 http 
requests in 120 seconds, in this case all from one ip and using a single 
apache/htpasswd username.


i'm looking for some guidance both on which dials to set and where to 
set them. i am already aware of the max-src settings but do not know 
which ones would be best to set here or a prescription for finding the 
right numbers to dial in. with apache i am much more clueless and 
believe that the trouble behavior being limited to a single apache user 
might be helpful in terms of countermeasures.


cheers,
jake



From Dr Phil Brown

2010-02-01 Thread Dr Phil Brown
 BRITISH MINISTRY OF FINANCE OF
UNITED KINGDOM LONDON.
UNA GF/GB/24/2010

OVER DUE CONTRACT PAYMENT TRANSFER ADVICE IN YOUR FAVOR

Attn: Sir

With all due respect, this is to Officially Inform you of a New order
on the release of your contract Payment held on the 24th Feb 2009 by
the British ministry of finance (UNA-UK). The Senate commission on
debt management and contract review payment, with the Accountant
General of the federation.

period  to this proceeding meeting, we have been mandated by the
senior economic adviser to the British ministry of finance  under the
auspices of the Accountant General of the federation, to transfer the
sum of US$10,550M Usd  to your nominated Bank Account from the British
ministry of finance Reserved Account.

On this note we will not hesitate as we are under mandate to ensure
that your payment is been transferred immediately without further
delay to your Bank Account.

In respect to this, we have already programmed your fund to be
transferred as soon as we hear from you.

Please confirm urgently, to enable me process and proceed with the
transfer logistics, immediately. Hence it has been already been
programmed, pending on your response to the above information to
facilitate the Transfer.

Please note that your urgent attention in this respect will be highly
appreciated as it will help us to clear this subject matter at the
earliest time and proceed with your transfer immediately as instructed
by The British ministry of finance.

Nevertheless I'll assist you with all the required documents, whereas
you will settle me with 20% of the contract fund thereafter transfer
into your Bank account, And if there is any further delay from you
will Amount in the cancellation of your contract Payment and makes the
account unserviceable. And bear it that this office will not be held
liable for any wrongful transfer thereafter.

Assuredly, this transaction will be legitimately certified by the Debt
Management Office and the auditor General of Federation to enable
smooth transfer.

Finally, you are advised to forward the following Details to us, for
your easy accesses to British ministry of finance Reserved Bank
Account to reference this transfer.

Your Full Name: _
Your Complete Address:__
_
Country:
Direct Telephone Number:__
Mobile Number:__
Fax Number:__
Age: ___
Occupation: __
Scan Copy of Identity_
Company Name (If any) Position and Address

I hope this meets your due response as matter of Urgent.

Best Regards

(Dr)  Phil Brown
Telephone number: +447011128690
Deputy Executive Director,
British ministry of finance



Re: pf and apache: to stop a scripter

2010-02-01 Thread Bret S. Lambert
On Mon, Feb 01, 2010 at 09:10:31AM -0600, Chris Bennett wrote:
 Jacob Yocom-Piatt wrote:
 there is a website protected by pf and running apache on a recent
 openbsd snapshot that needs to be protected against scripting
 attacks. i can configure both pf and apache to help block this
 behavior but am not familiar with the best practices for such
 configurations.
 
 the situation is that a user who authenticates to apache via
 htpasswd has run a script a number of times in an attempt to mine
 a database. all of the user activity is already logged by apache
 and it is crystal clear that scripting is going on. i would like
 to stop this scripting in its tracks and here is what i am already
 looking at:
 
 - pf - use max-src-X to stop this behavior and log it at the firewall
 
 - apache - less clear on what tools are best, possibly mod_security stuff
 
 the sort of behavior that suggests scripting is more than ~20 http
 requests in 120 seconds, in this case all from one ip and using a
 single apache/htpasswd username.
 
 i'm looking for some guidance both on which dials to set and where
 to set them. i am already aware of the max-src settings but do not
 know which ones would be best to set here or a prescription for
 finding the right numbers to dial in. with apache i am much more
 clueless and believe that the trouble behavior being limited to a
 single apache user might be helpful in terms of countermeasures.
 
 cheers,
 jake
 
 Some more details would be helpful.
 Is this a user who otherwise has a right to access other stuff?
 If not, just block that IP address completely with pf.
 I have a table in pf called badhosts.
 I have a script that scans error_log for certain bad behaviors and
 adds those IPs to badhosts table.
 Just scan for these things in access_log and/or error_log and block
 it from any address that shows up.
 
 If this user is allowed, but just behaving badly, that is a little
 harder to fix.

Well, I can only really see one of two ways that this can go, regarding
the business side of things:

1) either the OP runs the server on his own basis, in which case he
   can remove the user at his own discretion, or

2) the user is subject to some sort of usage agreement which includes
   some sort of don't hax our shitz clause, for which that account
   can be suspended with cause

Either way, what are you doing allowing someone you *know* is trying
to break into your system to have access there? The user is also
potentially committing a crime, depending on the various jurisdictions
involved.
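One way to do the log scan Chris describes (an added example, not code from anyone in this thread): count requests per source IP and htpasswd user over a sliding 120-second window, flag anything over the ~20 requests the OP mentions, and emit the pfctl(8) commands that would add the IP to a pf table. The table name `badhosts`, the thresholds and the access_log lines are assumptions constructed for the example; the commands are returned for review rather than executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log line: host ident authuser [date] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Threshold taken from the thread: more than ~20 requests in 120 seconds.
MAX_REQUESTS = 20
WINDOW = timedelta(seconds=120)


def parse_line(line):
    """Return (ip, authuser, datetime) for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), m.group("user"), ts


def find_scripters(lines, max_requests=MAX_REQUESTS, window=WINDOW):
    """Sliding-window request count per (ip, authuser).

    Returns {(ip, user): timestamp_at_which_threshold_was_crossed} for every
    source that issued more than max_requests within any `window` of time.
    Lines are assumed to be in time order per source, as Apache writes them.
    """
    recent = defaultdict(deque)   # (ip, user) -> timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # malformed/injected line: skip it, do not crash
        ip, user, ts = parsed
        key = (ip, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # evict timestamps older than the window
            q.popleft()
        if len(q) > max_requests and key not in flagged:
            flagged[key] = ts
    return flagged


def pfctl_commands(flagged, table="badhosts"):
    """pfctl(8) invocations that add each offending IP to a pf table.

    Assumes pf.conf declares the table and blocks from it, e.g.
        table <badhosts> persist
        block in quick from <badhosts>
    Returned as strings so they can be logged or reviewed before running.
    """
    ips = sorted({ip for ip, _ in flagged})
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


def _constructed_log():
    """Constructed sample access_log: 25 hits from one user in 48 s, plus a normal user."""
    base = datetime.strptime("01/Feb/2010:09:10:00 -0600", "%d/%b/%Y:%H:%M:%S %z")
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(25):
        t = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f'203.0.113.5 - alice [{t}] "GET /db/search?q={i} HTTP/1.1" 200 512')
    for i in range(5):
        t = (base + timedelta(minutes=5 * i)).strftime(fmt)
        lines.append(f'198.51.100.7 - bob [{t}] "GET /db/search?q=x HTTP/1.1" 200 512')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    hits = find_scripters(_constructed_log())
    for (ip, user), when in hits.items():
        print(f"scripting suspected: {ip} as {user} from {when}")
    for cmd in pfctl_commands(hits):
        print(cmd)
```

Keying on (ip, user) matches the case in the thread; keying on the htpasswd user alone would also catch the same account scripting from several addresses.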



MFM disk geometry

2010-02-01 Thread Daniel Malament
I'm trying to pull data off an old MFM HD, and I've gotten to the point 
where the only obstacle is disk geometry.  I have a P3 machine which 
will disable the primary IDE controller in favor of the MFM controller, 
but boot off of an OpenBSD disk on the secondary IDE.  OpenBSD sees the 
MFM disk just fine, but gives it the wrong CHS, which wouldn't matter 
except that it's evidently too old to do LBA, since OpenBSD is using CHS 
mode.  I can pull the first few sectors off of the disk, but then I get 
errors I'm guessing are because of the geometry mismatch.


Is there any way at all to change the CHS values the kernel is using for 
a disk?  fdisk with -chs doesn't seem to produce a permanent change (I 
guess the values are just used for calculating?), and the 
machdep.bios.etc sysctls are read-only.  Google and the archives haven't 
turned up anything terribly useful, although it sounds like what I'm 
trying to do may not be possible.  If not, anyone have any alternate 
suggestions?


Incidentally, I have a bunch of other old crap around, but my efforts to 
get everything working on a machine that will let me set the CHS in the 
BIOS haven't gotten anywhere yet...




Re: Dell Studio 1558

2010-02-01 Thread Daniele Pilenga
On Mon, Feb 1, 2010 at 4:32 PM, Robert rob...@openbsd.pap.st wrote:
 On Mon, 1 Feb 2010 15:43:30 +0100
 Daniele Pilenga dpile...@gmail.com wrote:

 Is there something I could do to help improve support for this
 machine?

 disclaimer: i am not a dev!

 Looks like your system needs some love in the acpi department.
 It would help if you made the output from acpidump available.
 (Host a tgz of it somewhere, as i am not sure who would want/need it
 mailed, and post the link in a reply to your mail.)

I left that out because I thought it could be asked for, if needed. Here it is:
http://213.254.212.197/upload/acpidump_studio1558.tar.gz

I think the output is partial because acpidump exits with acpidump:
strange opcode 0xe.

 cpu0: unknown i686 model 0x25, can't get bus clock
 cpu0: EST: PSS not yet available for this processor

 i5 has a new identifier that is not yet matched by est.
 below is a patch to add that code, but no guarantee that it will be
 enough to make it work, as i didn't check the intel specs.

I tried this but it dumps. I could hand-copy the message if it could
be of any help.

Thank you, Robert.

Ciao,
D.



January 28 snapshot, pf.conf(5) BNF missing egress keyword

2010-02-01 Thread Steve Williams

Hi,

I have just upgraded from 4.6 to a January 28 snapshot and have been 
working through the pf.conf changes.


The spamd(8) has the following pf.conf snippets as an example:

pass in on egress proto tcp from any to any port smtp \
rdr-to 127.0.0.1 port spamd

Checking out pf.conf(5), it has a similar snippet:
  pass on egress proto tcp from any to any port smtp \
  rdr-to 127.0.0.1 port spamd

with the difference of a missing in (pass on egress vs. pass in on 
egress).


I'm trying to fully understand the new syntax and was working through 
the BNF in pf.conf(5), but it is missing the egress keyword.


I'd try to fix and propose a patch, but not understanding it in the 
first place poses a bit of a problem when attempting to create documentation!


Can anyone shed some light on the use of the egress keyword?

Thanks,
Steve Williams



Re: January 28 snapshot, pf.conf(5) BNF missing egress keyword

2010-02-01 Thread Claudio Jeker
On Mon, Feb 01, 2010 at 09:47:23AM -0700, Steve Williams wrote:
 Hi,
 
 I have just upgraded from 4.6 to a January 28 snapshot and have been
 working through the pf.conf changes.
 
 The spamd(8) has the following pf.conf snippets as an example:
 
 pass in on egress proto tcp from any to any port smtp \
 rdr-to 127.0.0.1 port spamd
 
 Checking out pf.conf(5), it has a similar snippet:
   pass on egress proto tcp from any to any port smtp \
   rdr-to 127.0.0.1 port spamd
 
 with the difference of a missing in (pass on egress vs. pass in on
 egress).
 
 I'm trying to fully understand the new syntax and was working
 through the BNF in pf.conf(5), but it is missing the egress
 keyword.
 
 I'd try to fix and propose a patch, but not understanding it in the
 first place poses a bit of a problem when attempting to create
 documentation!
 
 Can anyone shed some light on the use of the egress keyword?
 

egress is not a keyword, it is an interface group. `ifconfig egress` will
return you the interfaces that are in the egress group.

-- 
:wq Claudio



Re: January 28 snapshot, pf.conf(5) BNF missing egress keyword

2010-02-01 Thread Peter N. M. Hansteen
Steve Williams st...@williamsitconsulting.com writes:

 I'm trying to fully understand the new syntax and was working through
 the BNF in pf.conf(5), but it is missing the egress keyword.

egress is the interface group that has your default route. 

for example on my laptop here the only really active network interface is iwn0, so

pe...@deeperthought:~$ ifconfig iwn0
iwn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:26:c6:1c:c9:44
priority: 4
groups: wlan egress
media: IEEE802.11 autoselect (OFDM48 mode 11g)
status: active
ieee80211: nwid skinny chan 7 bssid 00:12:17:68:8c:e9 198dB nwkey not displayed
inet6 fe80::226:c6ff:fe1c:c944%iwn0 prefixlen 64 scopeid 0x1
inet 172.16.30.47 netmask 0xff00 broadcast 172.16.30.255

shows that my iwn0 interface is a member of both the wlan and egress
groups.

we've had interface groups for a while, and yes, they're useful in
filtering criteria.

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



redundant recursive name servers with carp and ifstated?

2010-02-01 Thread Matthieu Herrb
Hi,

before trying to implement it, I'd like to seek opinions on the sanity
of the following:

most resolver libs have quite long timeouts on the DNS servers they
query, and generally start again from the 1st one in their
configuration (typically /etc/resolv.conf) for each name resolution.
So when the 1st name server is down, the impact on client machines is
really noticeable and makes users complain.

So I would like to implement some kind of replication using carp to
ensure that the ip address listed in the client configuration will
always answer.

First I'm making sure that this server is a recursive, caching only
name server. The authoritative server is separate, and for him the
multiple NS records (with one master and some slaves) works well.

I'm using net/unbound to implement the server, but still I don't trust
it enough to consider that as long the interface on one machine
running unbound is up and getting carp advertisements the name server
is answering. So I'm considering to use ifstated to monitor the
unbound process and demote the interface if something goes wrong.

Does this look sane ?

If someone has already implemented something similar, I'd like to hear
about it (and maybe to see a sample ifstated.conf that implements it).

Hint if someone wants to do the same: in unbound.conf you have to
explicitly set 'interface:' to the IP of your carp group (setting
outgoing-interface is not enough) , otherwise unbound will answer from
the IP of the carpdev interface.

-- 
Matthieu Herrb



cvs using ssh an intermediary machine

2010-02-01 Thread Lars Nooden
I've been trying a method to use CVS with SSH using a middle machine as
a stepping stone to cvs.eu.openbsd.org.

4.6 -> current -> cvs.eu.openbsd.org

For regular ssh this works ok to other machines.  CVS doesn't seem to
like it.  The symptom is the message:

can't create temporary directory /tmp/cvs-serv29515
No space left on device

CVSROOT is 'anon...@anoncvs.eu.openbsd.org:/cvs'
CVS_RSH is 'ssh'

The connection to the middle machine succeeds:
debug1: Authentication succeeded (publickey).

but it appears that ssh_config on the client (4.6) is somehow wrong for
the connection onward to the cvs server.

Host anoncvs.eu.openbsd.org
  Port 22
  User anoncvs
  Compression no
  HostKeyAlias anoncvs.eu.openbsd.org
  ProxyCommand ssh -vv 10.10.10.1 nc %h %p

Host net5501
  Hostname 10.10.10.1
  IdentityFile /home/foo/tunnel-rsa
  User foo

Can/should that be done using netcat?  The FAQ covers direct
connections, and mentions pservers for firewalls, but then also mentions
that pservers are mostly phased out.

http://www.openbsd.org/anoncvs.html#WHICH

Should a SOCKS5 proxy be used instead?
What is the correct way to get a connection all the way through?

/Lars

$ cvs checkout -P -rOPENBSD_4_6 src
OpenSSH_5.3, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /home/foo/.ssh/config
debug1: Applying options for net5501
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.10.10.1 [10.10.10.1] port 22.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-BEGIN'
debug2: key_type_from_name: unknown key type '-END'
debug1: identity file /home/foo/tunnel-rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 5 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blo
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 136/256
debug2: bits set: 515/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.10.10.1' is known and matches the RSA host key.
debug1: Found key in /home/foo/.ssh/known_hosts:2
debug2: bits set: 473/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: 

Re: Dell Studio 1558

2010-02-01 Thread Aaron Mason
Hi Daniele,

Your dmesg output shows that your webcam should work:

uvideo0 at uhub3 port 4 configuration 1 interface 0
CN07RGXF724879BP08ER Laptop_Integrated_Webcam_2M rev 2.00/95.12 addr 3
video0 at uvideo0

If it wasn't, it would say not configured, come up as ugen0 or not
come up at all.

As for the others, I couldn't say.



Re: redundant recursive name servers with carp and ifstated?

2010-02-01 Thread Aaron Mason
On Tue, Feb 2, 2010 at 7:16 AM, Kenneth R Westerback
kwesterb...@rogers.com wrote:
 On Mon, Feb 01, 2010 at 07:07:49PM +0100, Matthieu Herrb wrote:
 Hi,

 before trying to implement it, I'd like to seek opinions on the sanity
 of the following:

 most resolver libs have quite long timeout on the  DNS server they
 query, and generally start again from the 1st one in their
 configuration (typically /etc/resolv.conf) for each name resolution.
 So when the 1st name server is down, the impact on client machines is
 really noticeable and make users complain.

 So I would like to implement some kind of replication using carp to
 ensure that the ip address listed in the client configuration will
 always answer.

 First I'm making sure that this server is a recursive, caching only
 name server. The authoritative server is separate, and for him the
 multiple NS records (with one master and some slaves) works well.

 I'm using net/unbound to implement the server, but still I don't trust
 it enough to consider that as long the interface on one machine
 running unbound is up and getting carp advertisements the name server
 is answering. So I'm considering to use ifstated to monitor the
 unbound process and demote the interface if something goes wrong.

 Does this look sane ?

 If someone has already implemented something similar, I'd like to ear
 about it (and may be to see sample ifstated.conf that implement it).

 Hint if someone wants to do the same: in unbound.conf you have to
 explicitly set 'interface:' to the IP of your carp group (setting
 outgoing-interface is not enough) , otherwise unbound will answer from
 the IP of the carpdev interface.

 --
 Matthieu Herrb

 This sounds sane, in the sense that I have proposed doing very
 similar setups in the past to avoid the exact problem your users
 are seeing. However, the only one I did manage to get permissions
 to implement was with a pair of commercial DNS appliances however.

  Ken



One thing I can suggest is a sort of transparent layer between the DNS
servers and your clients that relays the request to each one
simultaneously, and returns the first answer it gets.

It's a possibility.

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



Is OpenBSD + PF accredited or certified in any way ?

2010-02-01 Thread Keith
I've used OpenBSD & PF for a number of years without issue and am now in 
the position that I want to create a dmz between the Internet and my 
organisation's WAN. Our security people are asking if the firewall that 
we use is accredited by ITSEC and I am pretty sure it isn't but it 
turns out that our security people will be happy if the firewall is 
accredited for use by another government !


I am very happy with my PF firewalls and their reliability and don't 
want to be forced into purchasing some cisco / fortinet commercial 
firewall that I've never used before so am desperate to find some 
details of any foreign governments that are using OpenBSD / PF as a 
firewall or any details of any certification of the PF firewall.


Can anyone help me out ?

Thanks
Keith


__ Information from ESET NOD32 Antivirus, version of virus signature 
database 4825 (20100201) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-01 Thread Marco Peereboom
those are some funny clowns.

OMGITSEC hilarious!

On Mon, Feb 01, 2010 at 11:06:12PM +, Keith wrote:
 I've used OpenBSD & PF for a number of years without issue and am now in
 the position that I want to create a dmz between the Internet and my
 organisation's WAN. Our security people are asking if the firewall that
 we use is accredited by ITSEC and I am pretty sure it isn't but it
 turns out that our security people will be happy if the firewall is
 accredited for use by another government !

 I am very happy with my PF firewalls and their reliability and don't
 want to be forced into purchasing some cisco / fortinet commercial
 firewall that I've never used before so am desperate to find some
 details of any foreign governments that are using OpenBSD / PF as a
 firewall or any details of any certification of the PF firewall.

 Can anyone help me out ?

 Thanks
 Keith



Re: Is OpenBSD + PF accredited or certified in any way ?

2010-02-01 Thread Matthew Szudzik
On Mon, Feb 01, 2010 at 11:06:12PM +, Keith wrote:
 firewall that I've never used before so am desperate to find some
 details of any foreign governments that are using OpenBSD / PF as a
 firewall or any details of any certification of the PF firewall.

Did you see the Governments section of

 http://www.openbsd.org/users.html

?



Re: GNOBSD-Project introduction

2010-02-01 Thread Scott Beamer
Bryan spake thusly:

 On Tue, Jan 19, 2010 at 12:34, Stefan Rinkes
 stefan.rin...@googlemail.com wrote:
 Hello,

 My name is Stefan Rinkes. I'm from munich in germany and I want to
 introduce my OpenBSD-Project.

 In the last months several OpenBSD-Live-Projects have been founded. And
 I really like them, but I always missed the option to install directly
 from the LiveCD or usb-stick.


 You can install to a USB stick with the OpenBSD CDs.  What is special
 about yours?

I guess you don't know much about how Linux live CDs work, do you?

 
 About 9 months ago I started to combine the LiveCD and the installation
 process. I named this project GNOBSD, the combination of OpenBSD and
 GNOME. After just 3 months I was able to publish GNOBSD 4.5, the
 first working OpenBSD Live/Install CD.


 Why add a bloated Desktop like GNOME?  What's wrong with fvwm, or maybe
 even fluxbox (in a pinch)?

FVWM is very dated, fluxbox is not easy for inexperienced users.  
Personally, I dislike fluxbox/openbox/blackbox...

The best light desktops for my money are LXDE and XFCE.  But I still 
prefer GNOME (or KDE) to anything else.

Freedom of choice. That's the beauty of Open Source.

 
 Since 2 weeks the new release GNOBSD 4.6 is available. It is based on
 the release version of OpenBSD 4.6 and can be downloaded as DVD-Iso or
 image for usb-sticks.


 
 After burning the ISO-Image to a DVD or copying the image to an
 usb-stick, you boot, test and if you like it, install it with the
 installation-wizard.


 Again, installation from media that I buy to support OpenBSD to a USB
 stick is still easier than this...  If I use yours, I am slowly helping
 to doom OpenBSD

That is utter nonsense. Ever heard of PC-BSD? It's been around for a few 
years now and it's based on FreeBSD.  FreeBSD isn't going anywhere 
anytime soon

 
 The GNOBSD-installer is written in ruby and uses the gtk2-toolkit.
 After the installation have been finished OpenBSD, the window-manager
 GNOME and some useful packages, e.g. firefox, are installed and ready
 to use.


 useful packages is opinion.  I may see TeX as useful...

You're geekier than the average person out there.
 
 The website is currently just available in german, I'm working on the
 english version. But I would really appreciate if some of you download
 and test it.

 And of course, give feedback ;)

 .I was good cop

I beg to differ 

 Furthermore, I won't be using your product. 

And anyone else should care because?

I am afraid we are going in
 a different direction, and I choose to use a product that directly
 supports the developers of OpenBSD, mainly OpenBSD and OpenSSH.  I've
 been a supporter for years, and will continue to help them in anyway I
 can.

It looks like Stefan is an OpenBSD developer now.

Keep using OpenBSD as you choose and stop worrying about how others are using 
it.  Open Source is all about freedom of choice.



Re: way to help: laptops and weekly

2010-02-01 Thread Ingo Schwarze
Jacob Meuser wrote on Mon, Feb 01, 2010 at 05:55:28AM +:

 how about if cron keeps track of the time it was last able to successfully
 run a job.  then when cron starts, send an email for all jobs missed since
 that time?  or maybe just send an email to remind that daily/weekly/
 monthly was missed?

I don't think missing one job, or even missing a few, is a problem.
It's good enough to have the maintenance jobs running now and then.
But your idea to send reminders might help, let's tweak it a bit.

Some time ago, we discussed a potential maintenance(8) utility
and decided to postpone the idea until we find more uses.
Right here, maintenance(8) might help:

 1. At 1:30 AM daily,
    run maintenance without any arguments, which will
     - run daily(8)    unless it ran today
     - run security(8) in any case
     - run weekly(8)   unless it ran this week
     - run monthly(8)  unless it ran this month

 2. Thirty minutes after reboot,
    run maintenance quick, which will
     - run the cheap parts of security(8),
       maybe everything except the SUID checks
     - check whether weekly(8) is massively overdue,
       say last run more than three weeks ago
     - if it is, produce output asking to run maintenance manually,
       but do not suggest this more than once every ten days

Item 1 takes care of servers such that very little changes for them
and they almost never run into 2 (unless you reboot your server
on Saturday, January 1, at 1:00 AM).

On your notebook, if you are in the habit of running weekly(8)
manually once a week, very little changes for you - except that
you now type maintenance instead of sh /etc/weekly, which
will cover daily(8) and monthly(8), too, and that you get daily
security(8) checks.  In case you dislike the latter, just remove
the respective line from the crontab(5).

On the other hand, in case you keep forgetting weekly(8), it will
remind you after three weeks, and then every ten days, until you
come round to running maintenance.

Maybe some people will develop a habit of typing sudo maintenance
on their workstation just before leaving for lunch.


When passing an argument to maintenance(8), it will run just that
single script unconditionally, e.g. maintenance weekly.
As discussed previously, this will also support running local
maintenance scripts either manually or from cron(8), using
the daily(8) shell functions, mailing output when there is any.
Some people liked the idea and looked forward to using it.

Except honouring a new MAILTO environment variable (default: root),
I don't think maintenance(8) needs any other options: KISS.

As a bonus, this will reduce code duplication and shorten the scripts.


P.S.
I agree with Owain to not teach apropos(1) and locate(1) any nagging.
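
The two-item scheme above, as an added example that is not part of Ingo's message: a sh sketch of the scheduling decisions of a hypothetical maintenance(8), keeping one stamp file per job under an assumed $MAINT_STATE directory. It only decides which scripts are due and when to nag; actually running /etc/daily and friends is left out.

```shell
#!/bin/sh
# Added example, not OpenBSD code: decision logic for the proposed
# maintenance(8). Each job keeps a stamp file "$MAINT_STATE/<job>"
# holding "PERIOD_KEY EPOCH": the day, ISO week or month of the last
# run, and the time it happened. The directory is an assumption.

MAINT_STATE="${MAINT_STATE:-/var/db/maintenance}"

# Record that JOB ran for period KEY at epoch second NOW.
mark_run() {
    job=$1 key=$2 now=$3
    mkdir -p "$MAINT_STATE"
    printf '%s %s\n' "$key" "$now" > "$MAINT_STATE/$job"
}

# Period key of the last recorded run of JOB (empty if it never ran).
last_key() {
    if [ -r "$MAINT_STATE/$1" ]; then cut -d' ' -f1 "$MAINT_STATE/$1"; fi
}

# Epoch second of the last recorded run of JOB (0 if it never ran).
last_epoch() {
    if [ -r "$MAINT_STATE/$1" ]; then
        cut -d' ' -f2 "$MAINT_STATE/$1"
    else
        echo 0
    fi
}

# Period keys for "now": ISO date, ISO year-week and year-month, e.g.
# "2010-02-01 2010-W05 2010-02". From cron: plan_jobs $(current_keys)
current_keys() { date '+%F %G-W%V %Y-%m'; }

# Item 1: print the jobs "maintenance" (no arguments) would run for the
# given day/week/month keys. security(8) is unconditional; the others
# run only if they have not already run in the current period.
plan_jobs() {
    day=$1 week=$2 month=$3
    out=""
    [ "$(last_key daily)" = "$day" ] || out="daily"
    out="${out:+$out }security"
    [ "$(last_key weekly)" = "$week" ] || out="$out weekly"
    [ "$(last_key monthly)" = "$month" ] || out="$out monthly"
    echo "$out"
}

# Item 2: "maintenance quick" after reboot. Print "remind" when weekly(8)
# last ran more than three weeks before epoch NOW and no reminder went
# out in the last ten days; the reminder itself is recorded as a job so
# it is not repeated too often.
quick_check() {
    now=$1
    week_age=$(( (now - $(last_epoch weekly)) / 86400 ))
    remind_age=$(( (now - $(last_epoch reminder)) / 86400 ))
    if [ "$week_age" -gt 21 ] && [ "$remind_age" -gt 10 ]; then
        mark_run reminder none "$now"
        echo remind
    fi
}
```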



Re: GNOBSD-Project introduction

2010-02-01 Thread Ingo Schwarze
Scott Beamer wrote on Mon, Feb 01, 2010 at 11:53:51PM +:

 It looks like Stefan is an OpenBSD developer now.

Neither stefan@ nor stsp@ are called Rinkes,
so you are probably confusing different people.



Re: cvs using ssh an intermediary machine

2010-02-01 Thread Aioanei Rares

On Mon, 1 Feb 2010, Lars Nooden wrote:


I've been trying a method to use CVS with SSH using a middle machine as
a stepping stone to cvs.eu.openbsd.org.

4.6 -> current -> cvs.eu.openbsd.org

For regular ssh this works ok to other machines.  CVS doesn't seem to
like it.  The symptom is the message:

can't create temporary directory /tmp/cvs-serv29515
No space left on device


Try another CVS server; eu.openbsd.org gave me the same problems,
although it looks like a local quirk at first. .fr.openbsd.org suits me
just fine.



CVSROOT is 'anon...@anoncvs.eu.openbsd.org:/cvs'
CVS_RSH is 'ssh'

The connection to the middle machine succeeds:
debug1: Authentication succeeded (publickey).

but it appears that ssh_config on the client (4.6) is somehow wrong for
the connection onward to the cvs server.

Host anoncvs.eu.openbsd.org
  Port 22
  User anoncvs
  Compression no
  HostKeyAlias anoncvs.eu.openbsd.org
  ProxyCommand ssh -vv 10.10.10.1 nc %h %p

Host net5501
  Hostname 10.10.10.1
  IdentityFile /home/foo/tunnel-rsa
  User foo

Can/should that be done using netcat?  The FAQ covers direct
connections, and mentions pservers for firewalls, but then also mentions
that pservers are mostly phased out.

http://www.openbsd.org/anoncvs.html#WHICH

Should a SOCKS5 proxy be used instead?
What is the correct way to get a connection all the way through?

/Lars

$ cvs checkout -P -rOPENBSD_4_6 src
OpenSSH_5.3, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /home/foo/.ssh/config
debug1: Applying options for net5501
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.10.10.1 [10.10.10.1] port 22.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-BEGIN'
debug2: key_type_from_name: unknown key type '-END'
debug1: identity file /home/foo/tunnel-rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 5 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blo
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit: none,z...@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac...@openssh.com,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 136/256
debug2: bits set: 515/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.10.10.1' is known and matches the RSA host key.
debug1: Found key in /home/foo/.ssh/known_hosts:2
debug2: bits set: 473/1024
debug1: ssh_rsa_verify: signature correct

Re: GNOBSD-Project introduction

2010-02-01 Thread Michiel van Baak
On 23:53, Mon 01 Feb 10, Scott Beamer wrote:
 Bryan spake thusly:
 
  On Tue, Jan 19, 2010 at 12:34, Stefan Rinkes
  stefan.rin...@googlemail.com wrote:
  Hello,
 
  My name is Stefan Rinkes. I'm from munich in germany and I want to
  introduce my OpenBSD-Project.
 
  In the last months several OpenBSD-Live-Projects have been founded. And
  I really like them, but I always missed the option to install directly
  from the LiveCD or usb-stick.
 
 
  You can install to a USB stick with the OpenBSD CDs.  What is special
  about yours?
 
 I guess you don't know much about how Linux live CDs work, do you?

I know most of the time they actually _DONT_ work.
 
  
  About 9 months ago I started to combine the LiveCD and the installation
  process. I named this project GNOBSD, the combination of OpenBSD and
  GNOME. After just 3 months I was able to publish GNOBSD 4.5, the
  first working OpenBSD Live/Install CD.
 
 
  Why add a bloated Desktop like GNOME?  What's wrong with fvwm, or maybe
  even fluxbox (in a pinch)?
 
 FVWM is very dated, fluxbox is not easy for inexperienced users.  
 Personally, I dislike fluxbox/openbox/blackbox...

Because you don't like it, it's not easy for inexperienced users?
Come on. I gave my parents (they use a computer once a week to check
email, and even that has to come with a printed manual) a thin client
that runs fluxbox and they never call me with questions. Still I get
mail from them almost weekly with pictures of their garden and their
cars and stuff.

 
 The best light desktops for my money are LXDE and XFCE.  But I still 
 prefer GNOME (or KDE) to anything else.
 
 Freedom of choice. That's the beauty of Open Source.

Exactly. But this freedom does not mean GNOME isn't bloated.

If what you say is true I should whine and complain about vim not being
in base because I use it for every .txt file. Sure I don't use 99% of
its features by editing a simple .txt file.
If I were to create a BSD based setup with VIM and announce it here I'd
get the same response because ed is in base and very capable of handling
txt files. Hell, even cat and sed can do that! Still my vim setup is
bloated because I add a ton of files to my system I really don't need.

 
  
  Since 2 weeks the new release GNOBSD 4.6 is available. It is based on
  the release version of OpenBSD 4.6 and can be downloaded as DVD-Iso or
  image for usb-sticks.
 
 
  
  After burning the ISO-Image to a DVD or copying the image to an
  usb-stick, you boot, test and if you like it, install it with the
  installation-wizard.
 
 
  Again, installation from media that I buy to support OpenBSD to a USB
  stick is still easier than this...  If I use yours, I am slowly helping
  to doom OpenBSD
 
 That is utter nonsense. Ever heard of PC-BSD? It's been around for a few 
 years now and it's based on FreeBSD.  FreeBSD isn't going anywhere 
 anytime soon.

How much funding is FreeBSD getting from PC-BSD?
Right, NONE!
That's the whole issue here.
It's an almost default install of OpenBSD with pre-installed GNOME and
there's totally no money flowing back from this 'project' into OpenBSD.
So they are making money with OpenBSD (which is fine) and they are
spamming the OpenBSD lists with it (which is of course not fine).

 
  
  The GNOBSD-installer is written in ruby and uses the gtk2-toolkit.
  After the installation have been finished OpenBSD, the window-manager
  GNOME and some useful packages, e.g. firefox, are installed and ready
  to use.
 
 
  useful packages is opinion.  I may see TeX as useful...
 
 You're geekier than the average person out there.

And that's an opinion as well.

  
  The website is currently just available in german, I'm working on the
  english version. But I would really appreciate if some of you download
  and test it.
 
  And of course, give feedback ;)
 
  .I was good cop
 
 I beg to differ 

I agree. He really was 'good cop'

 
  Furthermore, I won't be using your product. 
 
 And anyone else should care because?

Add me to the 'I won't be using your product' list.

 
 I am afraid we are going in
  a different direction, and I choose to use a product that directly
  supports the developers of OpenBSD, mainly OpenBSD and OpenSSH.  I've
  been a supporter for years, and will continue to help them in anyway I
  can.
 
 It looks like Stefan is an OpenBSD developer now.

Wrong Stefan.

 
 Keep using openBSD as you choose and stop worrying about others are using 
 it.  Open Source is all about freedom of choice.

We don't worry about others, except when they start using the OpenBSD
mailing lists as a free advertisement channel for their crap.

-- 

Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

Why is it drug addicts and computer aficionados are both called users?



-CURRENT, VLANs, NAT

2010-02-01 Thread James Peltier
Hi All,

I'm trying to setup a new router/firewall for multiple VLANs including one VLAN 
that must be NAT and I seem to be running into an odd issue.

OS is OpenBSD 4.7-BETA; Jan 27, 2010 snapshot from ftp.openbsd.org

/etc/hostname.em0
--
up

/etc/hostname.em0
--
up

/etc/hostname.vlan301
--
inet 1.2.3.4 255.255.255.0 vlan 301 vlandev em0 description Uplink

/etc/hostname.vlan303
--
inet 10.0.0.254 255.255.255.0 vlan 303 vlandev em0 description NAT


/etc/pf.conf
--

#skip filtering on loopback
set skip on lo

# NAT VLAN 303 traffic on our Uplink VLAN
nat on vlan301 from vlan303:network to any -> (vlan301)

pass    # to establish keep-state

So, starting with a very simple rule set, however, pfctl -nf /etc/pf.conf 
complains that the nat on line is incorrect.  I used the similar example from

http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=i386&apropos=0&manpath=OpenBSD+Current

Am I missing something here?  It would seem that this would map all VLAN 303 
(10.0.0.0/24) addresses to VLAN 301 (1.2.3.4) address.  Has the syntax changed 
and even -current documentation isn't correct?
---
James A. Peltier james_a_pelt...@yahoo.ca



Re: redundant recursive name servers with carp and ifstated?

2010-02-01 Thread Nick Holland
Matthieu Herrb wrote:
 Hi,
 
 before trying to implement it, I'd like to seek opinions on the sanity
 of the following:
 
 most resolver libs have quite a long timeout on the DNS server they
 query, and generally start again from the 1st one in their
 configuration (typically /etc/resolv.conf) for each name resolution.
 So when the 1st name server is down, the impact on client machines is
 really noticeable and makes users complain.

yep.  DNS is highly redundant, but you might end up waiting a bit...

 So I would like to implement some kind of replication using carp to
 ensure that the ip address listed in the client configuration will
 always answer.
 
 First I'm making sure that this server is a recursive, caching only
 name server. The authoritative server is separate, and for it the
 multiple NS records (with one master and some slaves) work well.
 
 I'm using net/unbound to implement the server, but still I don't trust
 it enough to consider that as long as the interface on one machine
 running unbound is up and getting carp advertisements the name server
 is answering. So I'm considering using ifstated to monitor the
 unbound process and demote the interface if something goes wrong.
 
 Does this look sane?
 
 If someone has already implemented something similar, I'd like to hear
 about it (and maybe to see a sample ifstated.conf that implements it).
 
 Hint if someone wants to do the same: in unbound.conf you have to
 explicitly set 'interface:' to the IP of your carp group (setting
 outgoing-interface is not enough), otherwise unbound will answer from
 the IP of the carpdev interface.

I did this (CARPed DNS resolvers) with CARP and djbdns a few years
ago, and have been using it quite a while, unfortunately only in my home
network (which has some complexity, but not massive amounts of DNS
traffic).  CARP+djbdns works great and the system stays answering DNS
queries when upgrading the systems, so the basic idea is sound.

(Regarding your hint, however...  I know the one problem I did have
with djbdns is it only listens on one interface at a time, so
monitoring that both dnscache services were running was a bit tricky
as it was bound to the CARP interface.  tricky = don't seem to have
come up with a good solution, though I don't think I tried very hard
or long -- I have several more ideas, just haven't tried them)

As for monitoring DNS services to make sure the DNS app itself doesn't
fall over, and forcing that interface down if it does, I'm quite torn.
On the one side, yes, it's a risk and a failure point.  However, I'd
not want to be running a DNS server I felt had a reasonable likelihood
of falling over and not answering queries.  So, if we grant that the
DNS resolver APP crapping out is unlikely, I'd be more concerned about
the complexity of the solution than the actual failure of the app and
the survival of the machine, or the app failing in some way that my
monitoring system didn't anticipate.  If the app failing is considered
likely, then I'd look for a different solution.

Though yes, it looks like it is time for me to start looking at moving
to unbound...

Nick.



Re: -CURRENT, VLANs, NAT

2010-02-01 Thread Scott Learmonth
On Mon, Feb 01, 2010 at 04:27:12PM -0800, James Peltier wrote:
 Hi All,
 
 I'm trying to setup a new router/firewall for multiple VLANs including one 
 VLAN that must be NAT and I seem to be running into an odd issue.
 
 OS is OpenBSD 4.7-BETA; Jan 27, 2010 snapshot from ftp.openbsd.org
 
 /etc/hostname.em0
 --
 up
 
 /etc/hostname.em0
 --
 up
 
 /etc/hostname.vlan301
 --
 inet 1.2.3.4 255.255.255.0 vlan 301 vlandev em0 description Uplink
 
 /etc/hostname.vlan303
 --
 inet 10.0.0.254 255.255.255.0 vlan 303 vlandev em0 description NAT
 
 
 /etc/pf.conf
 --
 
 #skip filtering on loopback
 set skip on lo
 
 # NAT VLAN 303 traffic on our Uplink VLAN
 nat on vlan301 from vlan303:network to any -> (vlan301)
 
 pass    # to establish keep-state
 
 So, starting with a very simple rule set, however, pfctl -nf /etc/pf.conf 
 complains that the nat on line is incorrect.  I used the similar example 
 from
 
 http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=i386&apropos=0&manpath=OpenBSD+Current
 
 Am I missing something here?  It would seem that this would map all VLAN 303 
 (10.0.0.0/24) addresses to VLAN 301 (1.2.3.4) address.  Has the syntax 
 changed and even -current documentation isn't correct?
 ---
 James A. Peltier james_a_pelt...@yahoo.ca
 
 

Yes, the syntax has changed. I only briefly looked, but the faq seems dated. 
The man page is correct.

You'd want something like pass out on vlan301 from vlan303:network nat-to 
vlan301

Cheers



Correction: -CURRENT, VLANs, NAT

2010-02-01 Thread James Peltier
--- On Mon, 2/1/10, James Peltier james_a_pelt...@yahoo.ca wrote:

 From: James Peltier james_a_pelt...@yahoo.ca
 Subject: -CURRENT, VLANs, NAT
 To: OpenBSD Mail List misc@openbsd.org
 Received: Monday, February 1, 2010, 7:27 PM
 Hi All,
 
 I'm trying to setup a new router/firewall for multiple VLANs including
 one VLAN that must be NAT and I seem to be running into an odd issue.
 
 OS is OpenBSD 4.7-BETA; Jan 27, 2010 snapshot from ftp.openbsd.org
 
 /etc/hostname.em0
 --
 up
 
 /etc/hostname.em0
 --
 up
 
 /etc/hostname.vlan301
 --
 inet 1.2.3.4 255.255.255.0 vlan 301 vlandev em0 description Uplink
 
 /etc/hostname.vlan303
 --
 inet 10.0.0.254 255.255.255.0 vlan 303 vlandev em0 description NAT

Please note a mistype.  The VLAN device for this VLAN is em1 and not em0.

It should read this:

inet 10.0.0.254 255.255.255.0 vlan 303 vlandev em1 description NAT

 /etc/pf.conf
 --
 
 #skip filtering on loopback
 set skip on lo
 
 # NAT VLAN 303 traffic on our Uplink VLAN
 nat on vlan301 from vlan303:network to any -> (vlan301)
 
 pass    # to establish keep-state
 
 So, starting with a very simple rule set, however, pfctl -nf
 /etc/pf.conf complains that the nat on line is incorrect.  I used the
 similar example from
 
 http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=i386&apropos=0&manpath=OpenBSD+Current
 
 Am I missing something here?  It would seem that this would map all
 VLAN 303 (10.0.0.0/24) addresses to VLAN 301 (1.2.3.4) address.  Has
 the syntax changed and even -current documentation isn't correct?
 ---
 James A. Peltier james_a_pelt...@yahoo.ca



ATI Device Documentation - Evergreen

2010-02-01 Thread Axton
If these docs are in line with what is needed to develop a usable driver and
there are any developers @openbsd.org out there interested in developing a
driver for this card and in need of a hardware donation, let me know.

http://developer.amd.com/gpu/ATIStreamSDK/assets/AMD_Evergreen-Family_ISA_Instructions_and_Microcode.pdf

- Axton Grams



Re: MFM disk geometry

2010-02-01 Thread Nick Holland
Daniel Malament wrote:
 I'm trying to pull data off an old MFM HD, and I've gotten to the point 
 where the only obstacle is disk geometry.  I have a P3 machine which 
 will disable the primary IDE controller in favor of the MFM controller, 
 but boot off of an OpenBSD disk on the secondary IDE.  OpenBSD sees the 
 MFM disk just fine, but gives it the wrong CHS, which wouldn't matter 
 except that it's evidently too old to do LBA, since OpenBSD is using CHS 
 mode.  I can pull the first few sectors off of the disk, but then I get 
 errors I'm guessing are because of the geometry mismatch.
 
 Is there any way at all to change the CHS values the kernel is using for 
 a disk?  fdisk with -chs doesn't seem to produce a permanent change (I 
 guess the values are just used for calculating?), and the 
 machdep.bios.etc sysctls are read-only.  Google and the archives haven't 
 turned up anything terribly useful, although it sounds like what I'm 
 trying to do may not be possible.  If not, anyone have any alternate 
 suggestions?
 
 Incidentally, I have a bunch of other old crap around, but my efforts to 
 get everything working on a machine that will let me set the CHS in the 
 BIOS haven't gotten anywhere yet...

holy cow.
of all the times NOT to post a dmesg!  (and fdisk output).  It
probably wouldn't help diagnose the problem, but it would be cool to
see. :)  Obviously, you got a PIII machine with ISA slots, not the
most common of beasts (though they certainly exist).  (actually, the
dmesg would probably just show wdc0 at ... , but it would be kinda
cool to know that it was REALLY a wdc, not a low-end IDE interface
pretending it was an AT controller).

I think you need to go back to a P1 (or maybe some PII?) system before
you will find one with manual drive parameter selections.  That will
lead to another problem: very, very, very few of those will allow you
to directly boot from the secondary controller.  HOWEVER, you may be
able to set the primary controller to the IDE, and put your MFM
controller as secondary (many of the original ones had such a jumper)
and be set, or install a SCSI controller and drive and use a boot
floppy to boot from hd1a:/bsd...

As you have probably (re)discovered, the OS takes its cues on the
drive geometry from the BIOS.  On modern IDE drives, it just doesn't
matter, but on an MFM drive, head 3 was really head 3, cylinder 138
was really cylinder 138, and there were 17 sectors on each track, and
where the OS requested is where the controller placed the drive and
where the data came off, so yes, it really needs to be right.  Yes,
source could probably be modified to hard-code this in the OS, but
getting it right would be interesting...and very much in untested
code paths, I suspect.

good luck, I'm curious how it all works out...

Nick.



Re: -CURRENT, VLANs, NAT

2010-02-01 Thread Scott Learmonth
On Mon, Feb 01, 2010 at 06:02:07PM -0800, Scott Learmonth wrote:
 On Mon, Feb 01, 2010 at 04:27:12PM -0800, James Peltier wrote:
  Hi All,
  
  I'm trying to setup a new router/firewall for multiple VLANs including one 
  VLAN that must be NAT and I seem to be running into an odd issue.
  
  OS is OpenBSD 4.7-BETA; Jan 27, 2010 snapshot from ftp.openbsd.org
  
  /etc/hostname.em0
  --
  up
  
  /etc/hostname.em0
  --
  up
  
  /etc/hostname.vlan301
  --
  inet 1.2.3.4 255.255.255.0 vlan 301 vlandev em0 description Uplink
  
  /etc/hostname.vlan303
  --
  inet 10.0.0.254 255.255.255.0 vlan 303 vlandev em0 description NAT
  
  
  /etc/pf.conf
  --
  
  #skip filtering on loopback
  set skip on lo
  
  # NAT VLAN 303 traffic on our Uplink VLAN
  nat on vlan301 from vlan303:network to any -> (vlan301)
  
  pass    # to establish keep-state
  
  So, starting with a very simple rule set, however, pfctl -nf /etc/pf.conf 
  complains that the nat on line is incorrect.  I used the similar example 
  from
  
  http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=i386&apropos=0&manpath=OpenBSD+Current
  
  Am I missing something here?  It would seem that this would map all VLAN 
  303 (10.0.0.0/24) addresses to VLAN 301 (1.2.3.4) address.  Has the syntax 
  changed and even -current documentation isn't correct?
  ---
  James A. Peltier james_a_pelt...@yahoo.ca
  
  
 
 Yes, the syntax has changed. I only briefly looked, but the faq seems dated. 
 The man page is correct.
 
 You'd want something like pass out on vlan301 from vlan303:network nat-to 
 vlan301
 
 Cheers
 
 
I stand somewhat corrected. The link you provided doesn't seem to jive
with what my system gives me. I'm not going to comment further on that
though without doing my homework and/or supplying a diff lest I look
like even more of a fool.

Nonetheless,

pass out on vlan301 from vlan303:network to ! vlan301 nat-to vlan301

should work for you. You may want to look at match instead/as well.

p.s. my last note was missing the to



Re: GNOBSD-Project introduction

2010-02-01 Thread Jacob Meuser
On Mon, Feb 01, 2010 at 11:53:51PM +, Scott Beamer wrote:

 I guess you don't know much about how Linux live CDs work, do you?

I do know that Live CDs are basically legacy, now that a) most
newer machines can boot from USB, b) USB flash drives are relatively
cheap, c) USB flash drives generally have more storage space than a CD,
d) USB flash drives can actually be written to, e) many machines
these days don't come with optical drives, f) USB flash drives are
smaller than CDs, g) USB flash drives are more likely to be reused
than tossed into the trash, ...

-- 
jake...@sdf.lonestar.org
SDF Public Access UNIX System - http://sdf.lonestar.org



Re: -CURRENT, VLANs, NAT

2010-02-01 Thread James Peltier
--- On Mon, 2/1/10, Scott Learmonth sc...@moosepile.net wrote:

 From: Scott Learmonth sc...@moosepile.net
 Subject: Re: -CURRENT, VLANs, NAT
 To: misc@openbsd.org
 Received: Monday, February 1, 2010, 10:04 PM
 On Mon, Feb 01, 2010 at 06:02:07PM -0800, Scott Learmonth wrote:
  On Mon, Feb 01, 2010 at 04:27:12PM -0800, James Peltier wrote:
   Hi All,
   
   I'm trying to setup a new router/firewall for multiple VLANs
   including one VLAN that must be NAT and I seem to be running into
   an odd issue.
   
   OS is OpenBSD 4.7-BETA; Jan 27, 2010 snapshot from ftp.openbsd.org
   
   /etc/hostname.em0
   --
   up
   
   /etc/hostname.em0
   --
   up
   
   /etc/hostname.vlan301
   --
   inet 1.2.3.4 255.255.255.0 vlan 301 vlandev em0 description Uplink
   
   /etc/hostname.vlan303
   --
   inet 10.0.0.254 255.255.255.0 vlan 303 vlandev em0 description NAT
   
   
   /etc/pf.conf
   --
   
   #skip filtering on loopback
   set skip on lo
   
   # NAT VLAN 303 traffic on our Uplink VLAN
   nat on vlan301 from vlan303:network to any -> (vlan301)
   
   pass    # to establish keep-state
   
   So, starting with a very simple rule set, however, pfctl -nf
   /etc/pf.conf complains that the nat on line is incorrect.  I used
   the similar example from
   
   http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&sektion=5&arch=i386&apropos=0&manpath=OpenBSD+Current
   
   Am I missing something here?  It would seem that this would map all
   VLAN 303 (10.0.0.0/24) addresses to VLAN 301 (1.2.3.4) address.
   Has the syntax changed and even -current documentation isn't
   correct?
   ---
   James A. Peltier
   james_a_pelt...@yahoo.ca
   
   
  
  Yes, the syntax has changed. I only briefly looked, but the faq
  seems dated. The man page is correct.
  
  You'd want something like pass out on vlan301 from vlan303:network
  nat-to vlan301
  
  Cheers
  
  
 I stand somewhat corrected. The link you provided doesn't seem to
 jive with what my system gives me. I'm not going to comment further
 on that though without doing my homework and/or supplying a diff lest
 I look like even more of a fool.
 
 Nonetheless,
 
 pass out on vlan301 from vlan303:network to ! vlan301 nat-to vlan301
 
 should work for you. You may want to look at match instead/as well.
 
 p.s. my last note was missing the to
 

I did end up finding that the documentation had changed and match out
did correct the problem.

match out on vlan301 from vlan303:network nat-to vlan301

as could be found in

http://www.openbsd.org/faq/current.html#20090901

Just needed to look harder.. Move along, nothing to see here. ;)



Re: -CURRENT, VLANs, NAT

2010-02-01 Thread David Gwynne
On 02/02/2010, at 1:51 PM, James Peltier wrote:
 
 match out on vlan301 from vlan303:network nat-to vlan301

all the cool kids are going:

match out on vlan301 nat-to vlan301 received-on vlan303
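
The syntax change this thread traces, as an added example that is not part of any of the posts: a sh/sed filter that flags pre-4.7 `nat on ... -> ...` rules (the form pfctl -nf rejects above) and rewrites them into the `match out ... nat-to` form James ended up with. It goes slightly beyond the thread in also converting `rdr on` rules to `match in ... rdr-to`, which changed the same way in 4.7; the sample ruleset is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: migrate pre-4.7 pf
# translation rules to the match/nat-to and match/rdr-to form.
# Both functions read a pf.conf on stdin.

# Print (with line numbers) the rules still using the old "nat on" /
# "rdr on" syntax. Like grep, exits 0 when any were found, 1 otherwise.
pf_legacy_rules() {
    grep -nE '^[[:space:]]*(nat|rdr) on .* -> '
}

# Rewrite one old-style rule per line, leaving all other lines alone.
# Everything between the interface and "->" (addresses, proto, ports,
# macros) is carried over unchanged; the translation target after "->"
# becomes the nat-to / rdr-to argument. Leading indentation is kept.
pf_modernize() {
    sed -E \
        -e 's/^([[:space:]]*)nat on ([^[:space:]]+) (.*) -> (.*)$/\1match out on \2 \3 nat-to \4/' \
        -e 's/^([[:space:]]*)rdr on ([^[:space:]]+) (.*) -> (.*)$/\1match in on \2 \3 rdr-to \4/'
}

# Constructed sample ruleset: the NAT rule from the thread plus a port
# forward, both in the old syntax, and lines that must be left alone.
SAMPLE_PF_CONF='set skip on lo
# NAT VLAN 303 traffic on our Uplink VLAN
nat on vlan301 from vlan303:network to any -> (vlan301)
rdr on vlan301 proto tcp from any to any port 80 -> 10.0.0.10
pass'

# Run the sample through the converter so the result can be checked.
modernize_sample() {
    printf '%s\n' "$SAMPLE_PF_CONF" | pf_modernize
}
```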



Re: MFM disk geometry

2010-02-01 Thread Daniel Malament

holy cow.
of all the times NOT to post a dmesg!  (and fdisk output).  It
probably wouldn't help diagnose the problem, but it would be cool to
see. :)  Obviously, you got a PIII machine with ISA slots, not the
most common of beasts (though they certainly exist).  (actually, the
dmesg would probably just show wdc0 at ... , but it would be kinda
cool to know that it was REALLY a wdc, not a low-end IDE interface
pretending it was an AT controller).


Heh.  It does.  I'll have to remember to save copies when I finally get 
all this working. :)


And the machine is a Dell Dimension with one PCI/ISA shared slot.


I think you need to go back to a P1 (or maybe some PII?) system before
you will find one with manual drive parameter selections.  That will
lead to another problem, very, very very few of those will allow you
to directly boot from the secondary controller.  HOWEVER, you may be
able to set the primary controller to the IDE, and put your MFM
controller as secondary (many of the original ones had such a jumper)
and be set, or install a SCSI controller and drive and use a boot
floppy to boot from hd1a:/bsd...


Yeah, I found it rather odd that it would do that in the first place.  I 
think what's happening is the BIOS can tell there's a controller there, 
but then it doesn't recognize the drive as something bootable, so it 
goes to the next hd.  The 90 MHz Pentium I tried was, well, highly 
bizarre.  For example, the IDE jumpers were labeled 'PCI IDE' and 'ISA 
IDE'...  and even with the IDE turned off in the BIOS, and a drive 
attached to the 'ISA IDE', it attempted to boot from that drive, which 
gave me a dmesg including wdc0 @ pci0.


Oh, and I have no docs on the controller, and haven't found any online, 
and the (many) jumpers are unlabeled.  So unfortunately...  Yeah.  Plus, 
the controller is physically HUGE (lengthwise).  Not all of the machines 
I've tried can even get it into a slot.


(Just found this...  Looks pretty similar. 
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=250157575469 )



As you have probably (re)discovered, the OS takes its cues on the
drive geometry from the BIOS.  On modern IDE drives, it just doesn't
matter, but on an MFM drive, head 3 was really head 3, cylinder 138
was really cylinder 138, and there were 17 sectors on each track, and
where the OS requested is where the controller placed the drive and


Yes.  615/4/17, although I've also seen 616 mentioned (it's an ST225 
with no values on the label).  The partition ends at 613 (i.e. 614th 
cyl), and I think the last track is the landing zone, so I'm going to go 
with 615 if I can get to that point...



where the data came off, so yes, it really needs to be right.  Yes,
source could probably be modified to hard-code this in the OS, but
getting it right would be interesting...and very much in untested
code paths, I suspect.


Well, on the one hand this seems like something you should be able to 
shoot yourself in the foot with if you really want, not to mention 
another way to be BIOS-agnostic.  On the other, this is about the only 
time it would ever matter, so I guess the kernel doesn't need the added 
complexity of a way to change it...



good luck, I'm curious how it all works out...


Well, I can post the dmesg and fdisk when I get there. :)

Thanks.



Re: USB voltmeter or DAQ module, small, inexpensive, with OpenBSD support

2010-02-01 Thread Daniel Gracia Garallar
With a proto board and some skills, you could build a serial system with 
a total cost around US$30, small enough to not even need a rail support.


You could also try to hang on the I2C iface of your mainboard and add 
your own devices, but if you're not so much into electronics... Go the 
Arduino way; readily available, cheap as chips and infinite expansion 
boards.


Ralph Becker-Szendy wrote:
For one of my OpenBSD machines, I need to be able to measure a few 
analog voltages, and act on them in a control process.  The requirements 
are quite simple compared to typical data acquisition: I absolutely 
need two voltage inputs, either 0-20V or 0-100mV; doesn't have to be 
differential, acquisition can be slow (1s is fine), and resolution can 
be as small as 10-12 bits (1% accuracy is more than good enough).  A few 
extra input channels, more accuracy/resolution, and a few digital IOs 
wouldn't hurt, but are not necessary.  DIN rail mounting and connection 
breakout would be nice, but can be improvised.


On the software side, there will be OpenBSD, with ad-hoc monitoring and 
control scripts.  With a little programming and script-writing, I can 
adapt anything that the OS can reasonably access.


Now come the issues: I can't use PCI cards, only external units, most 
likely connected via USB (as Ethernet and serial are expensive or rare). 
And it needs to have some software support under OpenBSD - a Windows- 
or Linux-only solution doesn't work.  And this application is not worth 
spending thousands of $$$.  For Windows and LabView, solutions are easy 
to find (for example EMant300, DAQPodMX, a variety of Omega products). 
Does anyone know of a solution that would work with OpenBSD?