Re: Apache Firefox and Ogg Theora (Byte-range requests)

2010-02-17 Thread Dan Harnett
On Wed, Feb 17, 2010 at 02:04:03AM +, Stuart Henderson wrote:
 On 2010-02-16, trustlevel-...@yahoo.co.uk wrote:
  I've seen examples of earlier versions than Apache 1.3.29 said to be working
  with byte-range requests, has anyone got the byte range requests to work with
  openbsd without using php code or know how this can be done or if it works by
  default.
 
 sorry, it's broken, maybe someone who uses base httpd and has some
 spare time might like to look into fixing it...
 
 http://permalink.gmane.org/gmane.os.openbsd.misc/169541
 


This appears to be due to the format of the string being passed to
strtonum().  ap_strtol() was tolerant of it.  It's being passed the
string from the Range: header.

For example, consider the following valid request (taken directly from
sniffing a wget session):

  GET /testfile HTTP/1.0
  Range: bytes=300417024-

This ends up following the code path of the first strtonum() call around
line 159 in http_protocol.c in the parse_byterange() function.  The
string passed to strtonum to convert (r->range) not only contains the
number from the header, but the trailing dash (300417024-), which
strtonum does not like.  As strtonum fails, the start offset is set to
0.

This bug should be present on a 64-bit arch as well.
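As an added illustration of the failure Dan describes (example code, not from the thread or from httpd), the program below shows a strtonum(3)-style strict converter rejecting the whole "300417024-" token, beside a parser that splits the range-spec at the dash before converting. strtonum(3) is OpenBSD-only, so strict_num() is an assumed portable stand-in with the same contract; parse_byterange() here is likewise the example's own function, not the one in http_protocol.c.

```c
/*
 * Added example (not httpd's code): one byte-range spec parsed the way the
 * thread says it must be, next to the failing path it describes.
 * strtonum(3) is OpenBSD-specific, so strict_num() is a portable stand-in
 * with the same contract: the WHOLE string must be a number in
 * [minval, maxval], otherwise conversion fails.
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 and stores the value on success; 0 on an empty string,
 * trailing characters such as '-', or a value outside the range. */
static int
strict_num(const char *s, long long minval, long long maxval, long long *out)
{
	char *end;
	long long v;
	if (s == NULL || *s == '\0' || minval > maxval)
		return 0;
	errno = 0;
	v = strtoll(s, &end, 10);
	if (*end != '\0' || errno == ERANGE || v < minval || v > maxval)
		return 0;
	*out = v;
	return 1;
}

/* The broken path from the thread: the whole "first-" token goes into the
 * strict converter, conversion fails and the start offset silently stays 0,
 * so the server sends the file from the beginning instead of the tail. */
static long long
buggy_start_offset(const char *spec)
{
	long long start = 0;
	(void)strict_num(spec, 0, LLONG_MAX, &start);
	return start;
}

/* Correct handling of one range-spec ("first-last", "first-" or "-suffix")
 * for a resource of clength bytes.  Returns 1 and fills *start/*end
 * (inclusive), 0 if the spec is malformed (ignore the Range header),
 * -1 if it cannot be satisfied (HTTP 416). */
static int
parse_byterange(const char *spec, long long clength,
    long long *start, long long *end)
{
	const char *dash = strchr(spec, '-');
	char first[32];
	size_t n;
	if (dash == NULL || clength < 0)
		return 0;
	n = (size_t)(dash - spec);
	if (n >= sizeof(first))
		return 0;
	memcpy(first, spec, n);
	first[n] = '\0';

	if (n == 0) {
		/* "-500": the final 500 bytes of the resource. */
		long long suffix;
		if (!strict_num(dash + 1, 1, LLONG_MAX, &suffix))
			return 0;
		if (clength == 0)
			return -1;
		*start = suffix < clength ? clength - suffix : 0;
		*end = clength - 1;
		return 1;
	}

	/* Convert only the digits before the dash, never the dash itself. */
	if (!strict_num(first, 0, LLONG_MAX, start))
		return 0;
	if (dash[1] == '\0')
		*end = clength - 1;	/* "300417024-": through end of file */
	else if (!strict_num(dash + 1, 0, LLONG_MAX, end))
		return 0;
	if (*start >= clength)
		return -1;
	if (*end >= clength)
		*end = clength - 1;
	return *end >= *start ? 1 : 0;
}

int
main(void)
{
	/* Constructed sample: the request from the thread against a 400 MiB file. */
	const char *spec = "300417024-";
	long long clength = 400LL << 20, start, end;
	printf("whole token \"%s\" -> start %lld (conversion failed)\n",
	    spec, buggy_start_offset(spec));
	if (parse_byterange(spec, clength, &start, &end) == 1)
		printf("split at the dash -> bytes %lld-%lld\n", start, end);
	return 0;
}
```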



Re: OpenBGP filter question

2010-02-17 Thread Ivo Chutkin

On 12.2.2010 11:10, Stuart Henderson wrote:

On 2010-02-11, Ivo Chutkin open...@bgone.net wrote:

match to $my_upstream_1 source-as {some_as} set prepend-self 4

I would like to prepend my as to make the as path longer for some_as
through my_upstream_1 and make it prefer the path through my_upstream_2.
It does not produce an error with bgpd -n but there is no effect either.


Are you certain it has no effect (and how?) - you can't rely on
AS path prepending to change how traffic flows, if someone gives you
a higher localpref they'll use that path irrespective of the path length.



Hi Stuart,
I am certain as I don't see my prepend on some_as looking glass.

The actual filter looks like this without the comment:

match to $spnet_bg #(AS8717) source-as 9070 set prepend-self 4

and this is what I see on 9070 looking glass:


This filter affects prefixes you send to the peer, and only those
with source_as 9070. Unless you are providing transit for 9070
you won't be sending anything to 34224 that matches this (and if
you are, it wouldn't be a useful thing to do, as 9070 won't
accept routes with their own AS in the path).

If I understand correctly, you'd like 9070 to see a longer path
to you via 34224, but not affect things for other AS that see you
via 34224.

I think there are just two ways you can do this via prepending

1. ask 34224 to prepend their announcements to 9070.
Some providers let you set communities on your prefixes to
do this, see e.g. whois -r as3356|more +/ties.acc
but many do not.

2. ask 9070 to prepend the paths they receive from 34224.




Hi Stuart, hi list,

Sorry for being away for so long.

You got me right, that is what I wanted to achieve. The as 9070 is
just an example. Obviously it is not the correct way to do it.

Thank you for clarifying it for me.

Regards,
Ivo



Re: PF log parser and dynamic PF rules...

2010-02-17 Thread Kenneth R Westerback
On Wed, Feb 17, 2010 at 07:51:03AM +0100, Per-Olov Sjöholm wrote:
 On 17 feb 2010, at 02.07, Randal L. Schwartz wrote:
 
  Paul == Paul de Weerd we...@weirdnet.nl writes:
 
  Paul Jeez... As an asker, you don't really get to decide how or what other
  Paul people answer, or if they even answer at all.
 
  As I snipped off a Usenet group once:
 
 Get real!  This is a discussion group, not a helpdesk.  You post
 something -- we discuss its implications.  If the discussion happens
 to answer a question you've asked, that's incidental.  If you post a
 question that implies that you've got a problem finding answers to
 trivial questions in the manual, then it is perfectly reasonable for
 us to discuss how to do that.
 
  --
  Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
  mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
  Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
  See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion
 
 I have been on this list for many years. Sometimes asking and sometimes
 helping others.
 
 you are wrong
 
 http://www.openbsd.org/mail.html
 --snip--
 User questions and answers, general questions
 --snip--
 
 
 Answer correctly or don't answer at all. A winning concept in real life as
 well.
 
 ^d
 
 Regards
 /Per-Olov
 --
 GPG keyID: 5231C0C4
 GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
 GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4
 

"I have been on this list for many years ..." and "Answer correctly
or don't answer at all."

You've been on misc@ for many years and expect correct answers or
respectful silence? My goodness, your optimism seems impervious to
experience.

You've been on misc@ for many years, yell at several developers
giving you correct answers and expect to get better support?
Interesting approach.

Looks like my first post to misc@ was only in 1998 so perhaps I have
insufficient experience to opine.

 Ken



Re: PF log parser and dynamic PF rules...

2010-02-17 Thread Peter Hessler
On 2010 Feb 17 (Wed) at 07:51:03 +0100 (+0100), Per-Olov Sjöholm wrote:
:Answer correctly or don't answer at all.

It seems to me that people *did* answer correctly.  But, their answer
was not what you wanted to hear.

The answer: don't use port knocking, use a randomized url.

https://example.com/64482a3717737695e4dd254a4d57da4f6c0795f3e811e8b12347625fb285.rss

Google, Apple, etc use this scheme for webcal access.  I strongly doubt
your rss feed requires more privacy than people's private calendars.


-- 
Beware of altruism.  It is based on self-deception, the root of all
evil.



active-active firewall setup

2010-02-17 Thread Kapetanakis Giannis
I've successfully set up a pair of 4.7-current obsd load balanced
firewall/routers.

I'd like some clarification on the manual page of carp(4).

from carp(4):

If IP balancing is being used on a firewall, it is recommended to configure
 the carpnodes in a symmetrical manner.  This is achieved by simply
 using the same carpnodes list on all sides of the firewall.

Does the manual mean (A)
(fw1-carp0) 1:0,2:100  <->  1:100,2:0 (fw2-carp0)
(fw1-carp1) 3:0,4:100  <->  3:100,4:0 (fw2-carp1)
or (B)
(fw1-carp0) 1:0,2:100  <->  1:0,2:100 (fw2-carp0)
(fw1-carp1) 3:0,4:100  <->  3:0,4:100 (fw2-carp1)

It seems to me that the manual is referring to the (B) pattern.
However for me only the (A) pattern works.
Just to be sure that I'm not doing something wrong here which works by
accident.


I'm using ip-stealth. There is a window of time, when one of the firewalls
boots, where the Virtual MAC address appears on the switch. When it times out
(I've set 60 seconds on the switch) it does not appear again and everything
works. Is there a way I can prevent this or does it have to do with the
switch?

It's an HP 2810-48G.

There might also be a chance of ip-unicast working but my inner test
client/router has problems with that.
The outer interfaces work fine. This way I see 4 VMACs on the switch which
stay there (2 of them are a mystery because they do not appear in any of the
firewalls).

Which setup (unicast vs stealth) do you use for Cisco's and HP switches?

And last, how do your firewalls themselves access the internet (cvs
updates) or have internal DNS.
It seems only one of the two (at the same time) can access the internet
(direct) which seems logical.
Do you create some sort of access VLAN for DNS? I could do the DNS (internal)
that way, but if the obsd take my outer IP then how could both of them
access the internet?


regards,

Giannis



Re: network performance problems

2010-02-17 Thread Pete Vickers
On 17. feb. 2010, at 08.47, Claudio Jeker wrote:

 On Wed, Feb 17, 2010 at 03:35:24AM +0200, Kapetanakis Giannis wrote:
 On 17/02/10 03:16, FRLinux wrote:

 Mmmh, you picked my interest here. You mentioned your cisco 6500 but I
 guess you are going to use only gigabit NICs, so you have no need on
 the 10gb range? Just asking, not trying to start a war :)

 Cheers,
 Steph


 ps. the cisco crawled when I enabled IOS firewall features (statefull).
 Firewall interface == $35K come one now... Too much money!


 The 6500 and 7600 cisco systems are not able to do stateful firewalling
 in HW and have also issues with stuff like netflow exports. Unless you buy
 the super expensive line cards. Even the big SUP boards come with a tiny
 CPU running at the speed of a loongson -- those can be killed with a few
 Mbps of multicast traffic.

 --
 :wq Claudio


Just to balance the anti-cisco viewpoint:

If you want to do deep packet stuff in HW, then Cisco offer the FWSM, ACE and
NAM modules for 6500/7600.

The SUPs (meant for switching/routing, not FWing) support CoPP (control-plane
policing) in HW, which should be configured to prevent abusive traffic hitting
the CPU; this (amongst a large list of others) includes high PPS multicast.
For example see:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html


/Pete



Re: network performance problems

2010-02-17 Thread Tomas Bodzar
I'm not an expert in this area, but it looks like OpenBSD can do some
parts too and for a much lower price.

DHCP snooping

From the info on the Cisco page it looks like a simple combination of
lists/macros for blocking/allowing certain ports. Tables are possible
with OpenBSD too and you can limit the flow rate of packets too

Dynamic ARP Inspection

If I'm not wrong then pf(4) doesn't operate on this layer, but then
good, secure and simple design comes into play

IP Source Guard

sounds like antispoof quick for

Unicast Reverse Path Forwarding (URPF)

sounds like block in quick from urpf-failed to any  # use with care

Access Control Lists

something like SELinux and similar? It's the first thing which every good
sysadmin turns off because of unneeded complexity and often bugs too.
If I read this:

More generally, security ACLs can be used to protect against source
address spoofing or to restrict network access to only legitimate
sources, networks, and applications. For example, ACLs should be used
to deny private address space at the ingress of the Internet and
perform some filtering in the campus such that packets can only
originate from customer-assigned addresses. ACLs should also be used
to deny unused multicast addresses, to prevent multicast DoS attacks.
Another interesting example is that of MAC ACLs which could be used to
deny packets with invalid IP versions.

then I can say that all of this is possible with pf(4) without the need for ACLs


Quality of Service

I don't know much about this in OpenBSD, but it sounds like at least
something similar is possible with this
http://www.openbsd.org/faq/pf/queueing.html

Port security

buy HW which is capable of avoiding CAM overflow

CONTROL PLANE AND MANAGEMENT PLANE PROTECTION

some parts look possible with pf(4), some not, but as I said this
must be confirmed by someone who knows much more

Built-In Special-Case CPU Rate Limiters

read users' stories and try pf(4); you will see that it can handle DoS very well



It's quite long reading, but to me it looks like it's not needed to
spend so much money in most cases.

On Wed, Feb 17, 2010 at 2:21 PM, Pete Vickers p...@systemnet.no wrote:



Security feed

2010-02-17 Thread Jean-Francois
Hello All,

I am a little bit out of subject but please allow me to ask you about feeds of 
security issues.

Thank you



Re: Security feed

2010-02-17 Thread Thomas Pfaff
On Wed, 17 Feb 2010 20:05:47 +0100
Jean-Francois jfsimon1...@gmail.com wrote:

 Hello All,
 
 I am a little bit out of subject but please allow me to ask you about
 feeds of security issues.
 

http://www.undeadly.org has it and the errata pages are of course updated.

I just have a cron that diffs a local copy of the last errata page with
the one on the OpenBSD site and mail myself if it has changed (and then
replace the local copy with the new one).



Re: Security feed

2010-02-17 Thread Brad Tilley
On Wed, 17 Feb 2010 20:05 +0100, Jean-Francois jfsimon1...@gmail.com
wrote:
 Hello All,
 
 I am a little bit out of subject but please allow me to ask you about
 feeds of 
 security issues.
 
 Thank you

I read this page and the links off of it:

http://www.openbsd.org/errata.html 



How to change pciide to ahci if there is no option for this in BIOS

2010-02-17 Thread Tomas Bodzar
Hi all,

my friend started using OpenBSD on his server, but he has quite bad
performance with his disk. Actually it's running in native mode:

pciide1 at pci0 dev 31 function 2 Intel 82801EB SATA rev 0x02: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 2 int 18 (irq 9) for native-PCI interrupt


and there is no chance to switch it to AHCI. So he will install a newer
BIOS (there is no info about a possible new option for it in the release
notes). So before additional tests it would be ok if it were possible to
switch to AHCI directly. Is there such an option? From the man page for
pciide I can see that it's possible to set some options for some
controllers via config, so is it possible for AHCI too? Soft updates
aren't enabled and I know that it has an impact on performance, so he
will enable them. Then it's only down to AHCI/native, the namei cache and
the combination of all HW involved.

      tty            cd0             wd0             cpu
 tin tout  KB/t t/s MB/s   KB/t t/s MB/s  us ni sy in id
   0   18  0.00   0 0.00  26.55  49 1.27   3  0  3  3 92
   0   89  0.00   0 0.00  14.93 214 3.12  13  0 21 14 53
   0    0  0.00   0 0.00  15.54 171 2.60  13  0 11 10 65
   0    0  0.00   0 0.00  15.91 161 2.51  16  0 12 10 62
   0    0  0.00   0 0.00  15.83 168 2.60  17  0 12  8 62
   0    0  0.00   0 0.00  15.87 165 2.56  14  0 14  8 64
   0  176  0.00   0 0.00  16.00 199 3.10  14  0 11 11 63
   0    0  0.00   0 0.00  15.84 179 2.77  11  0 14 14 60
   0    0  0.00   0 0.00  15.49 150 2.26  14  0 14  9 62
   0    0  0.00   0 0.00  14.24 130 1.81  13  0 12  5 69

 procs    memory       page                    disks    traps          cpu
 r b w    avm     fre  flt  re  pi  po  fr  sr cd0 wd0  int   sys   cs us sy id
 0 5 0  19584  414996  508   0   0   0   0   0   0  54 1006  5732 1859  3  5 92
 0 5 0  19592  414988   25   0   0   0   0   0   0 116 8059 43686 14876 17 30 53
 1 5 0  19592  414988    7   0   0   0   0   0   0   0 4384 26122 9199 15 27 57
 0 5 0  19592  414956   11   0   0   0   0   0   0   0 4486 26236 9287 17 23 60
 1 5 0  19592  414972   34   0   0   0   0   0   0   0 4005 24506 8873 14 16 70
 0 5 0  19592  414988    7   0   0   0   0   0   0   0 4594 26552 9348 15 21 63
 0 5 0  19592  414948    7   0   0   0   0   0   0   0 4493 26480 9379 17 23 59
 0 5 0  19592  414948    7   0   0   0   0   0   0   2 4086 24244 8709 17 19 64
 1 5 0  19592  414964   11   0   0   0   0   0   0   0 4096 24023 8595 14 18 67
 0 5 0  19592  415012   34   0   0   0   0   0   0   0 4582 26632 9397 19 21 59







OpenBSD 4.7-beta (GENERIC.MP) #409: Sun Feb  7 17:09:00 MST 2010
t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
RTC BIOS diagnostic error 18<memory_size,fixed_disk>
cpu0: Intel(R) Pentium(R) 4 CPU 2.40GHz (GenuineIntel 686-class) 2.40 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem  = 534806528 (510MB)
avail mem = 509517824 (485MB)
RTC BIOS diagnostic error 18<memory_size,fixed_disk>
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/29/04, BIOS32 rev. 0 @
0xffe90, SMBIOS rev. 2.3 @ 0xf0450 (69 entries)
bios0: vendor Dell Computer Corporation version A06 date 09/29/2004
bios0: Dell Computer Corporation OptiPlex GX270
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP SSDT APIC BOOT ASF!
acpi0: wakeup devices VBTN(S4) PCI0(S3) USB0(S3) USB1(S3) USB2(S3)
USB3(S3) PCI1(S5) MOU_(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) 4 CPU 2.40GHz (GenuineIntel 686-class) 2.40 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PCI1)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibtn0 at acpi0: VBTN
bios0: ROM list: 0xc/0xa800 0xca800/0x1800!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82865G Host rev 0x02
vga1 at pci0 dev 2 function 0 Intel 82865G Video rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xe800, size 0x800
inteldrm0 at vga1: apic 2 int 16 (irq 11)
drm0 at inteldrm0
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: apic
2 int 16 (irq 11)
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: apic
2 int 19 (irq 10)
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: apic
2 int 18 (irq 9)
uhci3 at pci0 dev 29 function 3 Intel 82801EB/ER USB rev 0x02: apic
2 int 16 (irq 11)
ehci0 at pci0 dev 29 function 7 

OSPFd on Feb 17th 2010 -current Incompatibilities

2010-02-17 Thread Insan Praja SW

Hi Misc@,
Recently I updated one of my routers to current. We run OSPFd as an IGP
for our network. The update was successful, but OSPFd won't get synchronized.
On the kernel-updated routers ospfctl sh neig shows:


$ ospfctl sh neig
ID              Pri State        DeadTime Address         Iface  Uptime


on the dec 20 kernel routers it shows:

$ ospfctl sh nei
ID              Pri State        DeadTime Address         Iface  Uptime
2ab.cde.fgh.229   1 FULL/DR      00:00:31 2ab.cde.fgh.6   vlan6  01w2d21h
2ab.cde.fgh.226   1 DOWN/OTHER   00:36:21 2ab.cde.fgh.3   vlan6  -
2ab.cde.fgh.227   1 FULL/BCKUP   00:00:31 2ab.cde.fgh.4   vlan6  01w2d21h
2ab.cde.fgh.228   1 2-WAY/OTHER  00:00:31 2ab.cde.fgh.5   vlan6  -

The router-ids are their loopback interfaces. Below are their configs.

--- DEC 20 KERNEL ---
$ sudo ospfd -vnf /etc/ospfd.conf
Password:
password = XX

router-id 2ab.cde.fgh.225
fib-update yes
rfc1583compat no
no redistribute 10.10.10.0/24
no redistribute default
redistribute connected
spf-delay 1
spf-holdtime 5

area 0.0.0.0 {
interface vlan6:2ab.cde.fgh.2 {
hello-interval 10
metric 10
retransmit-interval 5
router-dead-time 40
router-priority 1
transmit-delay 1
auth-type crypt
auth-md-keyid 1
auth-md 1 XX
}
}


$ ospfctl sh
Router ID: 2ab.cde.fgh.225
Uptime: 01w2d22h
RFC1583 compatibility flag is disabled
SPF delay is 1 sec(s), hold time between two SPFs is 5 sec(s)
Number of external LSA(s) 28
Number of areas attached to this router: 1

Area ID: 0.0.0.0
  Number of interfaces in this area: 1
  Number of fully adjacent neighbors in this area: 1
  SPF algorithm executed 293 time(s)
  Number LSA(s) 18




--- 17 FEB KERNEL ---
$ sudo ospfd -vnf /etc/ospfd.conf
Password:
password = XX

router-id 2ab.cde.fgh.226
fib-update yes
rfc1583compat no
no redistribute 10.10.10.0/24
no redistribute default
redistribute connected
spf-delay msec 1000
spf-holdtime msec 5000

area 0.0.0.0 {
interface vlan6:2ab.cde.fgh.3 {
metric 10
retransmit-interval 5
router-dead-time 40
hello-interval 10
router-priority 1
transmit-delay 1
auth-type crypt
auth-md-keyid 1
auth-md 1 XX
}
}


$ ospfctl sh
Router ID: 2ab.cde.fgh.226
Uptime: 00:40:28
RFC1583 compatibility flag is disabled
SPF delay is 1000 msec(s), hold time between two SPFs is 5000 msec(s)
Number of external LSA(s) 7
Number of areas attached to this router: 1

Area ID: 0.0.0.0
  Number of interfaces in this area: 1
  Number of fully adjacent neighbors in this area: 0
  SPF algorithm executed 3 time(s)
  Number LSA(s) 1

Thanks,


Insan Praja SW
--
insandotpraja(at)gmaildotcom



Re: Security feed

2010-02-17 Thread Jim Dew
If you're set on a rss feed:
http://page2rss.com/rss/ba0de3240eb2c00c09f20d963c4a9067

On Wed, Feb 17, 2010 at 02:57:38PM -0500, Brad Tilley wrote:

-- 
Jim



Re: PF log parser and dynamic PF rules...

2010-02-17 Thread Per-Olov Sjöholm
On 17 feb 2010, at 12.38, Peter Hessler wrote:



I know what I am doing and it's a simple test. A production environment will
for sure be more secured. As said, I _very_ much appreciate it if people give
their opinion _and_ an answer to the actual question if the person knows how to
do what I ask for. But what I don't like about it is that some just reply to
tell me it's done wrong, even though they do not know the context and the
tradeoffs that have been made and why. Professional people could nicely tell
their opinion and a hint to my question IF they have any clue. If they think I
should have provided more info, they could say so. I am a member of a few
helicopter forums, some Dreambox HTPC forums (TuxBOX), a bunch of Linux forums
(i.e. many different kinds of forums). Nowhere do they hack at each other like
they do at the OpenBSD lists. This is the only sad thing about OpenBSD, the
mailing list. Therefore I don't use it as much as before. A few of my developer
friends share this sadness with me.

You are right, Peter.  My rss feed does not require more privacy (at this
stage) than private google calendars. However there are a few problems with
randomized urls that I simply want to spend time on later. This is because at
this stage I just want to sell the idea with a test containing less important
data and therefore use less work. A prod environment will be more secured to
fulfill the security policies etc.


Tnx to the people who contributed with something.

This thread is closed for me now

/Per-Olov
--
GPG keyID: 5231C0C4
GPG fingerprint: B232 3E1A F5AB 5E10 7561 6739 766E D29D 5231 C0C4
GPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x766ED29D5231C0C4



Intensive courses

2010-02-17 Thread Psicología Aplicada
IAPSA

Instituto Argentino de Psicología Aplicada

If the content of this message is not displayed correctly (for example, if
the accents are replaced by other symbols) you can view the information
here: www.iapsa.org


Behaviour modification: what it is and how to apply it. Module I

Taught by: Lic. Eduardo Iyaca (psychologist)

Saturday 13 March, from 9 to 18 hours. An 8-hour day, divided into two
blocks, with a one-hour break.

Place: City of Buenos Aires

Cost of the module: $230 (with joint registration of two or more people the
cost drops to $200 per person)

Information and registration: ia...@iapsa.org or tel. 4863-3853

This course is aimed at psychologists, educational psychologists,
occupational therapists, integration teachers, therapeutic companions and
physicians. Behaviour modification is an approach that has proved useful in
the most diverse settings. The aim of this course is to teach the principles
and procedures of behaviour modification, illustrated with examples and
applications. The theoretical concepts and corresponding techniques for
observing and recording situations, and for designing, implementing and
evaluating behavioural programmes, will be taught. Application exercises are
proposed for the analysis of situations and for the design and
implementation of behaviour modification programmes, so that interested
professionals develop useful skills for improving behavioural deficits and
excesses in a wide variety of populations and settings

See more information

Certificates of attendance will be issued

Information and registration: ia...@iapsa.org or tel. 4863 3853

Introduction to the cognitive-behavioural treatment of obesity

Aimed at: psychologists, nutritionists, physicians.
Taught by: Lic. Mariana Elmasian (psychologist)

Saturday 20 March, from 9 to 13 hours

Place: City of Buenos Aires

Cost: $130 (with joint registration of two or more people the cost drops
to $110 per person)

Information and registration: ia...@iapsa.org or tel. 4863-3853

Obesity is a complex phenomenon that affects a large part of the population
and whose prevalence is increasing. Its causes include biological,
psychological and social variables that combine in different ways in each
person, so an interdisciplinary approach is needed to address it optimally.
In this session we will give an introductory view of the psychological
perspective and present cognitive-behavioural intervention techniques.

Certificates of attendance will be issued
See more information

-

IAPSA - Instituto Argentino de Psicología Aplicada
www.iapsa.org | ia...@iapsa.org

If you no longer wish to receive this newsletter you can unsubscribe
automatically by sending a message with the word desuscribir in the subject
to desuscri...@iapsa.org



Re: OSPFd on Feb 17th 2010 -current Incompatibilities

2010-02-17 Thread Stuart Henderson
On 2010-02-17, Insan Praja SW insan.pr...@gmail.com wrote:
 On the kernel-updated routers ospfctl sh neig shows:

"kernel-updated routers" - you did update kernel and binaries in sync, right??



Re: OSPFd on Feb 17th 2010 -current Incompatibilities

2010-02-17 Thread Claudio Jeker
On Thu, Feb 18, 2010 at 03:03:34AM +0700, Insan Praja SW wrote:

Did you run ospfd -dvv on the box that is not working? Is there any info
in the log? My ospfd's are quite happy at the moment. Few old ones, for
non openbsd ones and a few -current ones.

-- 
:wq Claudio



xterm + tmux 256 colors

2010-02-17 Thread frantisek holop
hi there,

i am trying to make tmux use 256 colors.

i have found this:
http://www.mail-archive.com/debian-bugs-d...@lists.debian.org/msg707066.html

i have done step 2:

$ xterm
$ echo $TERM
$ TERM=xterm-256color
$ tput colors
256

but it is not clear to me how can i do step 1.
what is the proper way to:

1) Set TERM=screen-256color inside so that applications INSIDE tmux know that
it supports 256 colours, you can do this however you like but default-terminal
is usually easiest.

actually the man page states, somewhat misleadingly, that:

 The TERM environment variable must be set to ``screen'' for all
 programs running inside tmux.  New windows will automatically
 have ``TERM=screen'' added to their environment, but care must be
 taken not to reset this in shell start-up files.

what i have done in the end is to put
TERM=screen-256color
in my .kshrc that is referenced also by .profile's ENV
but it doesn't feel 100% right.

-f
-- 
there are 10 types of people: those that do binary, and those that don't.



Re: xterm + tmux 256 colors

2010-02-17 Thread James Records
Here is how I handle this,

*make sure you have vim and colorls packages installed, then for your .vimrc
do something like this:*

syntax on
set nocompatible
set autoindent
set smartindent
set tabstop=4
set shiftwidth=4
set showmatch
set vb t_vb=
set ruler
set incsearch
set number

*put this in your .profile:*

# $OpenBSD: dot.profile,v 1.4 2005/02/16 06:56:57 jrecords Exp $
#
# sh/ksh initialization

alias ls='colorls -G'
alias vi=vim

PATH=$HOME/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
export PATH HOME TERM=xterm-256color

tmux attach || tmux new


#if you don't use vim , this might not really apply but you'll get colors
when you type ls, which is probably what you want.

Jim






On Wed, Feb 17, 2010 at 2:38 PM, frantisek holop min...@obiit.org wrote:



Re: xterm + tmux 256 colors

2010-02-17 Thread Ted Unangst
On Wed, Feb 17, 2010 at 5:38 PM, frantisek holop min...@obiit.org wrote:
 i am trying to make tmux use 256 colors.

 i have found this:
 http://www.mail-archive.com/debian-bugs-d...@lists.debian.org/msg707066.html

 i have done step 2:

 $ xterm
 $ echo $TERM
 $ TERM=xterm-256color

It's probably worth noting at this point that the xterm shipped with
OpenBSD doesn't support 256 colors.



Re: OSPFd on Feb 17th 2010 -current Incompatibilities

2010-02-17 Thread Stuart Henderson
On 2010-02-17, Stuart Henderson s...@spacehopper.org wrote:
 On 2010-02-17, Insan Praja SW insan.pr...@gmail.com wrote:
 On the kernel-updated routers ospfctl sh neig shows:

 kernel-updated routers - you did update kernel and binaries in-sync, right??



 spf-delay msec 1000
 spf-holdtime msec 5000

...hmm, yes you did. Anything useful in logs (maybe with verbose)?



Re: xterm + tmux 256 colors

2010-02-17 Thread Nicholas Marriott
The two common ways are to set default-terminal and not touch TERM elsewhere,
or to do something like

[ -n "$TMUX" ] && export TERM=screen-256color

in .profile or whatnot.

You can do it whichever way you like.


On Wed, Feb 17, 2010 at 11:38:22PM +0100, frantisek holop wrote:
 hi there,
 
 i am trying to make tmux use 256 colors.
 
 i have found this:
 http://www.mail-archive.com/debian-bugs-d...@lists.debian.org/msg707066.html
 
 i have done step 2:
 
 $ xterm
 $ echo TERM
 $ TERM=xterm-256color
 $ tput colors
 256
 
 but it is not clear to me how can i do step 1.
 what is the proper way to:
 
 1) Set TERM=screen-256color inside so that applications INSIDE tmux know that
 it supports 256 colours, you can do this however you like but default-terminal
 is usually easiest.
 
 actually the man page states, somewhat misleadingly, that:
 
  The TERM environment variable must be set to ``screen'' for all
  programs running inside tmux.  New windows will automatically
  have ``TERM=screen'' added to their environment, but care must be
  taken not to reset this in shell start-up files.
 
 what i have done in the end is to put
 TERM=screen-256color
 in my .kshrc that is referenced also by .profile's ENV
 but it doesn't feel 100% right.
 
 -f
 -- 
 there are 10 types of people: those that do binary, and those that don't.



Re: xterm + tmux 256 colors

2010-02-17 Thread joshua stein
 It's probably worth noting at this point that the xterm shipped with
 OpenBSD doesn't support 256 colors.

it is supported in snapshots after january 13th; it was enabled
following nicm's ncurses update:

http://www.openbsd.org/cgi-bin/cvsweb/xenocara/app/xterm/xtermcfg.h



Re: xterm + tmux 256 colors

2010-02-17 Thread frantisek holop
hmm, on Wed, Feb 17, 2010 at 05:58:12PM -0500, Ted Unangst said that
 On Wed, Feb 17, 2010 at 5:38 PM, frantisek holop min...@obiit.org wrote:
  i am trying to make tmux use 256 colors.
 
  i have found this:
  http://www.mail-archive.com/debian-bugs-d...@lists.debian.org/msg707066.html
 
  i have done step 2:
 
  $ xterm
  $ echo TERM
  $ TERM=xterm-256color
 
 It's probably worth noting at this point that the xterm shipped with
 OpenBSD doesn't support 256 colors.

maybe technically it's not all of the 256, but i get the same pallette image
that is here: http://frexx.de/xterm-256-notes/

$ perl 256colors2.pl

-f
-- 
bungee diving - living it up when you're going down!



Re: xterm + tmux 256 colors

2010-02-17 Thread Ted Unangst
On Wed, Feb 17, 2010 at 5:58 PM, Ted Unangst ted.unan...@gmail.com wrote:
 It's probably worth noting at this point that the xterm shipped with
 OpenBSD doesn't support 256 colors.

Oh never mind, I missed a commit.  If you're running current, you do
get 256 colors.



Re: xterm + tmux 256 colors

2010-02-17 Thread Ryan Flannery
On Wed, Feb 17, 2010 at 5:58 PM, Ted Unangst ted.unan...@gmail.com wrote:
 On Wed, Feb 17, 2010 at 5:38 PM, frantisek holop min...@obiit.org wrote:
 i am trying to make tmux use 256 colors.

 i have found this:
 http://www.mail-archive.com/debian-bugs-d...@lists.debian.org/msg707066.html

 i have done step 2:

 $ xterm
 $ echo TERM
 $ TERM=xterm-256color

 It's probably worth noting at this point that the xterm shipped with
 OpenBSD doesn't support 256 colors.

Really?  I was hoping in light of the following, OpenBSD now supported it:
http://marc.info/?l=openbsd-cvsm=126339496810703w=2

After seeing that I was hoping to play around with this eventually.

-Ryan



Re: xterm + tmux 256 colors

2010-02-17 Thread Ryan Flannery
On Wed, Feb 17, 2010 at 6:17 PM, Ted Unangst ted.unan...@gmail.com wrote:
 Nice catch, I missed that.


I know getting 256 color support working requires touching a few things.
I don't know if that commit says it now works or simply it's one step closer

So ya, I was really asking.  :)



Re: xterm + tmux 256 colors

2010-02-17 Thread J.C. Roberts
On Wed, 17 Feb 2010 23:38:22 +0100 frantisek holop min...@obiit.org
wrote:

 i am trying to make tmux use 256 colors.
 
 i have found this:
 http://www.mail-archive.com/debian-bugs-d...@lists.debian.org/msg707066.html
 
 i have done step 2:
 
 $ xterm
 $ echo TERM
 $ TERM=xterm-256color
 $ tput colors
 256

xenocara does *NOT* compile xterm with 256 color support. 
Well, at least it had to be recompiled manually in 4.5 when I last
tested it.

-jcr



Installer caching selections across different installations... how?

2010-02-17 Thread Matt Van Mater
I have been installing OpenBSD 4.6 inside a VMWare ESXi 4.0 virtual machine
and ran into a strange behavior I can't explain... it seems to cache my
installation options between totally unrelated virtual machines.  The
process goes like this:

I create a new 'Typical' virtual machine, select 'Other' as the guest OS and
choose 'Other (32-bit)' in the Version pulldown menu.  I accept all default
settings (256MB ram, 1 vCPU, 8GB disk, etc) and check the Thin Provisioning
disk allocation checkbox.  I then associate the cd46.iso file (stored on a
datastore) with the virtual cdrom drive and boot off of it to begin the
installation process, where I specify a local LAN ftp server to fetch the
install media from.

The install process goes as expected and the virtual machine is running
happily along...  The thing is, when I create a second brand new virtual
machine using the process described above and get to the 'select install
media' step, it already has my local ftp server's name populated!  As far as
I can tell, the only thing in common between the two installation processes
is the cd46.iso file.

This isn't necessarily bad, I just can't explain why it's happening.  Two
questions:

1) Is anyone else observing this behavior?
2) Can anyone explain why it is occurring?



Re: Installer caching selections across different installations... how?

2010-02-17 Thread joshua stein
 The install process goes as expected and the virtual machine is running
 happily along...  The thing is, when I create a second brand new virtual
 machine using the process described above and get to the 'select install
 media' step, it already has my local ftp server's name populated!  As far as
 I can tell, the only thing in common between the two installation processes
 is the cd46.iso file.
 
 This isn't necessarily bad, I just can't explain why it's happening.  Two
 questions:
 
 1) Is anyone else observing this behavior?
 2) Can anyone explain why it is occurring?

the installer pulls the list of installation mirrors from
ftp.openbsd.org and defaults to one that is assumed to be closest to
you based on your ip address (using geolocation).

at the end of the installation, the mirror you chose (in your case,
your local ftp server) is sent back to ftp.openbsd.org so that it
will be given to you again the next time, assuming your ip is the
same.

from distrib/miniroot/install.sh:

# If we managed to talk to the ftplist server before, tell it what
# location we used... so it can perform magic next time
if [[ -s $SERVERLISTALL ]]; then
        _i=
        [[ -n $installedfrom ]] && _i="install=$installedfrom"
        [[ -n $TZ ]] && _i="$_i&TZ=$TZ"
        [[ -n $method ]] && _i="$_i&method=$method"

        [[ -n $_i ]] && ftp $FTPOPTS -a -o - \
                "http://129.128.5.191/cgi-bin/ftpinstall.cgi?$_i" >/dev/null 2>&1 &
fi

because your vmware installations are presumably all coming from the
same ip address, you keep receiving your local ftp server as a
default.



Re: Installer caching selections across different installations... how?

2010-02-17 Thread Matt Van Mater
On Wed, Feb 17, 2010 at 7:45 PM, joshua stein j...@openbsd.org wrote:

 at the end of the installation, the mirror you chose (in your case,
 your local ftp server) is sent back to ftp.openbsd.org so that it
 will be given to you again the next time, assuming your ip is the
 same.
 ...

because your vmware installations are presumably all coming from the
 same ip address, you keep receiving your local ftp server as a
 default.


Ah, this definitely makes sense.  It is a handy little feature but I am a
little surprised the privacy advocates out there in OpenBSD-land didn't cry
foul about reporting information back to the mothership like that.  (I
couldn't find any inside MARC anyway when searching for installer-related
posts).

Thanks for taking the time, I appreciate the effort.

Matt



Re: Jacek Books

2010-02-17 Thread ropers
On 16 February 2010 12:26, SJP Lists sjp.li...@flashbsd.net wrote:
 In fact, I have worked in landmark copyright cases for one of the
 World's most successful IP lawyers (and continue to do so).

IP lawyers, eh? Exactly what is this IP you speak of?

(SCNR.)

regards,
--ropers



Re: xterm + tmux 256 colors

2010-02-17 Thread J.C. Roberts
On Wed, 17 Feb 2010 15:48:42 -0800 J.C. Roberts
list-...@designtools.org wrote:

 On Wed, 17 Feb 2010 23:38:22 +0100 frantisek holop min...@obiit.org
 wrote:
 
  i am trying to make tmux use 256 colors.
  
  i have found this:
  http://www.mail-archive.com/debian-bugs-d...@lists.debian.org/msg707066.html
  
  i have done step 2:
  
  $ xterm
  $ echo TERM
  $ TERM=xterm-256color
  $ tput colors
  256
 
 xenocara does *NOT* compile xterm with 256 color support. 
 Well, at least it had to be recompiled manually in 4.5 when I last
 tested it.
 

ugh! It seems I missed a commit in January. If you're running -current
it's a different story now.



OT: opinions on IDS / IPS solutions

2010-02-17 Thread Jason Beaudoin
Hi There,

As I often have greater respect for a much larger portion of this list
than the rest of the internet, I am curious what is thought about
current IDS/IPS hardware from vendors like Trustwave, Checkpoint,
Alert Logic, mod_security, even snort.. etc, and in particular, the
sensibility and effectiveness of using them in high-security
environments.

From a compliance perspective, I don't have much choice. From the
costs, infrastructure, and administrative perspectives, I am currently
evaluating whether or not I should be leaning towards an IDS or IPS
solution, and of course which system/vendor. My understanding is that
something like snort requires a fair bit of maintenance and
IT-attention, the trade-off being cost, so I am leaning away from
this. Between detection and prevention, preventing break-ins seems a
bit sillier than trying to actively monitor what's going on and to
then look for threats, so this pushes me more towards IDS over IPS.

Thoughts, suggestions, flames, are all welcome.

Thanks.

~Jason



Re: network performance problems

2010-02-17 Thread David Gwynne
a lot of the features you list below are only useful or usable at the
switching layer, and therefore not really fair when compared to what openbsd
can do. eg, the dhcp snooping is done on the switches at the client access
layer to prevent rogue dhcp servers on an l2 network. unless you put openbsd
bridges between each of your client machines and the switch then you can't do
that on openbsd.

the feature you do list that is worth comparing is the acl stuff. it is true
that on cisco gear you can filter packets (emphasis on packets) in hardware,
which is extremely fast, however, you can only filter on attributes of each
individual packet. if you want to do stateful filtering though (ie, filter
streams/flows of packets), then it's a completely different story.

personally the decision between openbsd and cisco for stateful filtering comes
down to three factors: speed, cost, and the quality/usability of the
implementation.

i find it far easier to manage openbsd boxes, and i really love the features
available to me in pf. i guess im biased since i have some code in there now.
i havent had the opportunity to do a speed test between a cisco and my current
openbsd firewalls, but i would be extremely surprised if the performance of
the cisco scaled at the same rate as the price when compared to the openbsd
boxes. so to me openbsd wins based on cost vs performance, and on usability
and features. i can do 200 or 300k pps on openbsd systems we bought 2 or 3
years ago for about 5 grand. im not sure cisco sell a stateful firewall module
for 5 grand.

dlg

On 18/02/2010, at 12:05 AM, Tomas Bodzar wrote:

 I'm not an expert in this area, but it looks like OpenBSD can do some
 parts too and for much more lower price.

 DHCP snooping

 From info on Cisco page it looks like simple combination of
 lists/macros for blocking/allowing certain ports. Tables are possible
 with OpenBSD too and you can limit flow rate of packets too

 Dynamic ARP Inspection

 If I'm not wrong then pf(4) don't operate on this layer, but then
 good, secure and simple design come to game

 IP Source Guard

 sounds like antispoof quick for

 Unicast Reverse Path Forwarding (URPF)

 sounds like block in quick from urpf-failed to any  # use with care

 Access Control Lists

 something like SELinux and similar? It's first thing which every good
 sysadmin turn off because of unneeded complexity and often bugs too.
 If I read this :

 More generally, security ACLs can be used to protect against source
 address spoofing or to restrict network access to only legitimate
 sources, networks, and applications. For example, ACLs should be used
 to deny private address space at the ingress of the Internet and
 perform some filtering in the campus such that packets can only
 originate from customer-assigned addresses. ACLs should also be used
 to deny unused multicast addresses, to prevent multicast DoS attacks.
 Another interesting example is that of MAC ACLs which could be used to
 deny packets with invalid IP versions.

 then I can say that all of this is possible with pf(4) without need for ACL


 Quality of Service

 don't know much about this in OpenBSD, but sounds like at least
 something similar is possible with this
 http://www.openbsd.org/faq/pf/queueing.html

 Port security

 buy HW which is capable to avoid CAM overflow

 CONTROL PLANE AND MANAGEMENT PLANE PROTECTION

 some parts looks like possible with pf(4) some not, but as I said this
 must be confirmed by someone who knows much more

 Built-In Special-Case CPU Rate Limiters

 read users' stories and try pf(4) you will see that it can handle DoS very well



 It's quite long reading, but for me it looks like it's not needed to
 spend so much money in most cases.

 On Wed, Feb 17, 2010 at 2:21 PM, Pete Vickers p...@systemnet.no wrote:
 On 17. feb. 2010, at 08.47, Claudio Jeker wrote:

 On Wed, Feb 17, 2010 at 03:35:24AM +0200, Kapetanakis Giannis wrote:
 On 17/02/10 03:16, FRLinux wrote:

 Mmmh, you picked my interest here. You mentioned your cisco 6500 but I
 guess you are going to use only gigabit NICs, so you have no need on
 the 10gb range? Just asking, not trying to start a war :)

 Cheers,
 Steph


 ps. the cisco crawled when I enabled IOS firewall features (statefull).
 Firewall interface == $35K come one now... Too much money!


 The 6500 and 7600 cisco systems are not able to do stateful firewalling
 in HW and have also issues with stuff like netflow exports. Unless you buy
 the super expensive line cards. Even the big SUP boards come with a tiny
 CPU running at the speed of a loongson -- those can be killed with a few
 Mbps of multicast traffic.

 --
 :wq Claudio


 Just to balance the anti-cisco viewpoint:

 If you want to do deep packet stuff in HW, then Cisco offer the FWSM & ACE & NAM
 modules for 6500/7600.

 The SUPs (meant for switching/routing, not FWing) support CoPP (control-plane
 policing) in HW, which should be configured to prevent abusive traffic hitting
 the CPU, this 

Re: OT: opinions on IDS / IPS solutions

2010-02-17 Thread Johan Beisser
On Wed, Feb 17, 2010 at 7:59 PM, Jason Beaudoin jasonbeaud...@gmail.com wrote:
 From a compliance perspective, I don't have much choice. From the
 costs, infrastructure, and administrative perspectives, I am currently
 evaluating whether or not I should be leaning towards an IDS or IPS
 solution, and of course which system/vendor. My understanding is that
 something like snort requires a fair bit of maintenance and
 IT-attention, the trade-off being cost, so I am leaning away from
 this. Between detection and prevention, preventing break-ins seems a
 bit sillier than trying to actively monitor what's going on and to
 then look for threats, so this pushes me more towards IDS over IPS.

I agree with you. High rates of false positives, but fairly low rates
of false negatives. Once the care and feeding is taken care of
(turning off everything and gradually fine tuning to your current
traffic helps), they're useful for alerting against unusual traffic
leaving your network; not so much against automated attacks coming in
the network. My own deployments are specifically to monitor for odd
outbound traffic from my office. It's a rapid way to find out about
the latest trojan, worm, or other infection my users have brought in
on their laptops.

That said, the usefulness of an IDP is specifically preventing most
automated and known attacks from passing in to your network. By using
one of the commercial systems, you gain support, tuning, and the fact
that you don't have to spend as much time with the care and feeding or
writing/testing new rulesets against your current version.

As a compliance feature, I've found most administrators put them in
place and promptly turn the reporting off due to the high rate of
false positives reducing the signal from the noise.

jb



Re: OT: opinions on IDS / IPS solutions

2010-02-17 Thread mehma sarja
Don't bypass Snort because the PFSense package makes it so easy to install and
configure. A one-click install of Snort and the only thing left to do was
register and select what you want it to do.

Mehma
===
On Wed, Feb 17, 2010 at 8:28 PM, Johan Beisser j...@caustic.org wrote:

 On Wed, Feb 17, 2010 at 7:59 PM, Jason Beaudoin jasonbeaud...@gmail.com
 wrote:
  From a compliance perspective, I don't have much choice. From the
  costs, infrastructure, and administrative perspectives, I am currently
  evaluating whether or not I should be leaning towards an IDS or IPS
  solution, and of course which system/vendor. My understanding is that
  something like snort requires a fair bit of maintenance and
  IT-attention, the trade-off being cost, so I am leaning away from
  this. Between detection and prevention, preventing break-ins seems a
  bit sillier than trying to actively monitor what's going on and to
  then look for threats, so this pushes me more towards IDS over IPS.

 I agree with you. High rates of false positives, but fairly low rates
 of false negatives. Once the care and feeding is taken care of
 (turning off everything and gradually fine tuning to your current
 traffic helps), they're useful for alerting against unusual traffic
 leaving your network; not so much against automated attacks coming in
 the network. My own deployments are specifically to monitor for odd
 outbound traffic from my office. It's a rapid way to find out about
 the latest trojan, worm, or other infection my users have brought in
 on their laptops.

 That said, the usefulness of an IDP is specifically preventing most
 automated and known attacks from passing in to your network. By using
 one of the commercial systems, you gain support, tuning, and the fact
 that you don't have to spend as much time with the care and feeding or
 writing/testing new rulesets against your current version.

 As a compliance feature, I've found most administrators put them in
 place and promptly turn the reporting off due to the high rate of
 false positives reducing the signal from the noise.

 jb



Re: Jacek Books

2010-02-17 Thread Bill Dunshie
By posting regarding this situation, possibly it will help others from
being swindled. I paid for the Firewall Book, and as stated, did
receive a few PDFs, but that's it, no paper copy. Going through PayPal
is a waste of time, as their time limits have been exceeded many times
over (my purchase was Feb 13, 2009) for filing a complaint, unless I'm
mistaken.
When someone is ripping others off left and right, who gives a hang
about copyrights? Were I not honest, I surely wouldn't; I'd get what I
paid for any way I could. Alas, I guess I just lost out, as it's evident
from the site that business is in full swing and payment is being
accepted by 2 methods. I guess I should have also noted that Artymiak
was a Non-verified US vendor on PayPal.
Live and learn I guess, at times the very hard way. I really expected
much more from Artymiak.


On 2/15/2010 2:31 PM, Corey wrote:

On 02/15/2010 01:33 PM, open...@e-solutions.re wrote:
I agree with you Aaron, but I bought his books on 14 September 2009, and
another book on 14 October 2009.
If you want I can send you my PayPal receipts to prove it. I never received
the books.
It is a swindle! Nothing else... And why sell books when nobody
occupies his website? Even if he is ill, it is not a reason (he has
to stop selling ebooks)
Thanks



Report him to PayPal.

Depending on the terms of his copyrights, it may not be legal for 
someone else to send you a copy of his works.  And if he is not 
responding to your personal emails, it is unlikely that posting on 
this list is going to help any further.




write uhid0 error EIO

2010-02-17 Thread Kemtole Ernesto
hi all, i'm new here :)

i have a I/O card in the usb port, can read but can't write uhid0

uname -a:
OpenBSD myhost.my.domain 4.6 GENERIC.MP#81 amd64

dmesg:
uhidev0 at uhub5 port 2 configuration 1 interface 0 Anchor Chips
product 0x7453 rev 2.00/0.00 addr 2

uhidev0: iclass 3/0
uhid0 at uhidev0: input=31, output=21, feature=0

ls -l /dev/uhid0:
crw-rw  1 root  wheel   62,   0 Feb 12 02:00 /dev/uhid0

user groups:
users wheel

usbhidctl -vv -f uhid0:
report ID=0
usbhidctl: USB_GET_REPORT (probably not supported by device):
Input/output error

usbhidctl -r -f uhid0:
Report descriptor:
Collection page=0xffa0 usage=0x00a5
Input  size=8 count=1 page=0xffa0 usage=0x00a6, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Input  size=8 count=1 page=0xffa0 usage=0x00a7, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
Output size=8 count=1 page=0xffa0 usage=0x00a9, logical range -128..127
End collection
Total   input size 31 bytes
Total  output size 21 bytes
Total feature size 0 bytes

uhid(4):
Use read(2) to get data from the device.  Data should be read in chunks
of the size prescribed by the report descriptor.

Use write(2) send data to the device.  Data should be written in chunks
of the size prescribed by the report descriptor.

read uhid0 is OK

read.c:
#include <unistd.h>
#include <fcntl.h>
#include <err.h>

#define USB_DEV "/dev/uhid0"

int
main(void)
{
        char buff[31];          /* one input report: 31 bytes per the descriptor */
        int fd, ret;

        fd = open(USB_DEV, O_RDONLY);
        if (fd == -1)
                err(1, NULL);

        /* the archived post is cut off here; the read(2) call and cleanup
           below are reconstructed from the text of the post */
        ret = read(fd, buff, sizeof(buff));
        if (ret == -1)
                err(1, "read");
        close(fd);
        return 0;
}

Re: Jacek Books

2010-02-17 Thread Scott Learmonth
The real point in all of this is that, right or wrong, it doesn't belong on 
this mailing list.


On Wed, Feb 17, 2010 at 10:51:16PM -0600, Bill Dunshie wrote:
 By posting regarding this situation, possibly it will help others
 from being swindled. I paid for the Firewall Book, and as stated,
 did receive a few PDF's, but that's it, no paper copy. Going through
 PayPal is a waste of time, as their time limits have been exceeded
 many times over (my purchase was Feb 13, 2009) for filing a
 complaint, unless I'm mistaken.
 When someone is ripping others off left and right, who gives a hang
 about copyrights ? Were I not honest, I surely wouldn't; I'd get
 what I paid for any way I could. Alas, I guess I just lost out, as
 it's evident from the site that business is in full swing and
 payment is being
 accepted by 2 methods. I guess I should have also noted that
 Artymiak was a Non-verified US vendor on PayPal.
 Live and learn I guess, at times the very hard way. I really
 expected much more from Artymiak.
 
 On 2/15/2010 2:31 PM, Corey wrote:
 On 02/15/2010 01:33 PM, open...@e-solutions.re wrote:
 I agree with you Aaron, but I bought his books on 14 September 2009, and
 another book on 14 October 2009.
 If you want I can send you my PayPal receipts to prove it. I never received
 the books.
 It is a swindle! Nothing else... And why sell books when nobody
 occupies his website? Even if he is ill, it is not a reason (he has
 to stop selling ebooks)
 Thanks
 
 
 Report him to PayPal.
 
 Depending on the terms of his copyrights, it may not be legal for
 someone else to send you a copy of his works.  And if he is not
 responding to your personal emails, it is unlikely that posting on
 this list is going to help any further.



Re: Apache Firefox and Ogg Theora (Byte-range requests)

2010-02-17 Thread Pierre-Yves Ritschard
 This appears to be due to the format of the string being passed to
 strtonum().  ap_strtol() was tolerant of it.  It's being passed the
 string from the Range: header.

 For example, the following valid request (taken directly from sniffing a
 wget session).

  GET /testfile HTTP/1.0
  Range: bytes=300417024-

 This ends up following the code path of the first strtonum() call around
 line 159 in http_protocol.c in the parse_byterange() function.  The
 string passed to strtonum to convert (r->range) not only contains the
 number from the header, but the trailing dash (300417024-), which
 strtonum does not like.  As strtonum fails, the start offset is set to
 0.

 This bug should be present on a 64-bit arch as well.


Hi,

I broke it when unbreaking support for large files in Content-Length (which
would otherwise report 0). I'll have a diff ready soon which fixes that.

  - pyr.
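As an added illustration (not Apache's code, and not pyr's diff): the failing path Dan describes beside a parse that splits at the dash before converting. strict_to_ll is a hypothetical portable stand-in for strtonum(3), and the header value is the bytes=300417024- request quoted above; note that the buggy path fails open, quietly serving from offset 0, while the fixed one rejects malformed input outright.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable stand-in for strtonum(3)'s strictness (hypothetical helper): the
 * whole string must be a non-negative decimal number, so the trailing '-' in
 * "300417024-" makes it fail, exactly as described in the thread. */
static int strict_to_ll(const char *s, long long *out)
{
	char *ep;
	long long v;

	errno = 0;
	v = strtoll(s, &ep, 10);
	if (ep == s || *ep != '\0' || errno == ERANGE || v < 0)
		return -1;
	*out = v;
	return 0;
}

/* The failure mode from the thread: the converter gets the whole remainder
 * of the header, dash included, rejects it, and the code silently falls back
 * to start offset 0, so the file is served from its first byte. */
long long buggy_start_offset(const char *hdr)
{
	long long v;

	if (strncmp(hdr, "bytes=", 6) != 0)
		return -1;
	return strict_to_ll(hdr + 6, &v) == 0 ? v : 0;
}

/* Convert exactly len digits; rejects empty input, non-digits and overflow,
 * so the caller, not the converter, decides where the number ends. */
static int parse_digits(const char *s, size_t len, long long *out)
{
	long long v = 0;
	size_t i;

	if (len == 0)
		return -1;
	for (i = 0; i < len; i++) {
		if (s[i] < '0' || s[i] > '9')
			return -1;
		if (v > (LLONG_MAX - (s[i] - '0')) / 10)
			return -1;
		v = v * 10 + (s[i] - '0');
	}
	*out = v;
	return 0;
}

/* Parse one spec: "bytes=START-END", "bytes=START-" or "bytes=-SUFFIX".
 * Split at the dash first, then convert each side on its own. On success
 * returns 0 with *startp/*endp set (-1 = not given: suffix range or "to end
 * of file"); on malformed input returns -1 and touches nothing. */
int parse_byterange(const char *hdr, long long *startp, long long *endp)
{
	const char *p, *dash;
	long long start = -1, end = -1;

	if (strncmp(hdr, "bytes=", 6) != 0)
		return -1;
	p = hdr + 6;
	dash = strchr(p, '-');
	if (dash == NULL)
		return -1;
	if (dash != p && parse_digits(p, (size_t)(dash - p), &start) != 0)
		return -1;
	if (dash[1] != '\0' && parse_digits(dash + 1, strlen(dash + 1), &end) != 0)
		return -1;
	if (start < 0 && end < 0)		/* "bytes=-" */
		return -1;
	if (start >= 0 && end >= 0 && end < start)
		return -1;
	*startp = start;
	*endp = end;
	return 0;
}

/* Single-value view for quick checks: field 0 = start, otherwise end;
 * -2 means the spec was rejected. */
long long fixed_offset(const char *hdr, int field)
{
	long long start, end;

	if (parse_byterange(hdr, &start, &end) != 0)
		return -2;
	return field == 0 ? start : end;
}

int main(void)
{
	const char *hdr = "bytes=300417024-";	/* the wget request from the post */

	printf("buggy start=%lld, fixed start=%lld end=%lld\n",
	    buggy_start_offset(hdr), fixed_offset(hdr, 0), fixed_offset(hdr, 1));
	return 0;
}
```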



Re: Strange problem | routing issue

2010-02-17 Thread Shailesh Tyagi
It seems there is a bug in routing with current 4.7 amd64 (build 10 Feb.). I
tried i386 and it worked with same configuration and without any issues. Just
to make sure I even tried reinstalling the amd64 once again thinking I might
have made some mistakes the first time but same results. Following are the
dmesgs from both installations.



amd64

# dmesg

OpenBSD 4.7-beta (GENERIC.MP) #85: Sun Feb  7 17:06:57 MST 2010

pchb0 at pci0 dev 0 function 0 Intel Core DMI rev 0x11 ppb0 at pci0 dev 3
function 0 Intel Core PCIE rev 0x11: apic 0 int 16 (irq

0)

pci1 at ppb0 bus 1

ppb1 at pci1 dev 0 function 0 IDT 89HPES12N3A rev 0x0e

pci2 at ppb1 bus 2

ppb2 at pci2 dev 2 function 0 IDT 89HPES12N3A rev 0x0e

pci3 at ppb2 bus 3

em0 at pci3 dev 0 function 0 Intel PRO/1000 QP (82576) rev 0x01: apic 0 int

18 (irq 15), address 00:1b:21:48:66:58

em1 at pci3 dev 0 function 1 Intel PRO/1000 QP (82576) rev 0x01: