Re: OpenBSD/hppa 7.5: install kernel boots from cdrom, but not from disk on 715/50?
...on 2024-05-05 20:32:55, Alexander Bochmann wrote:

> but when trying to reboot from disk, the kernel hangs
> after "power0 at mainbus0: not available"

7.4 looks the same, by the way.

Alex.
OpenBSD/hppa 7.5: install kernel boots from cdrom, but not from disk on 715/50?
Hi,

I tried to install OpenBSD on an HP apollo 715/50 today: The install kernel boots from CD and installs the system, but when trying to reboot from disk, the kernel hangs after "power0 at mainbus0: not available" (right before the cpu0 line).

Any idea what could be wrong here? I verified that /bsd on disk is identical to the one from CD (installer says "Relinking to create unique kernel... failed." at the end).

I have a dmesg from the install kernel, and below that another one when booting from disk (the same happens when manually booting /bsd.rd instead of /bsd):

--- >>> cut >>> ---
>> OpenBSD/hppa CDBOOT 0.2
booting dk6a:/bsd.rd: 2707456+5047296+519168=0xff817c
SPID bits: 0x0, error = -2
pdc_coproc: 0xc0, 0xc0; model 9 rev 1
Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2024 OpenBSD. All rights reserved. https://www.OpenBSD.org

OpenBSD 7.5 (RAMDISK) #933: Wed Mar 20 18:17:27 MDT 2024
dera...@hppa.openbsd.org:/usr/src/sys/arch/hppa/compile/RAMDISK
HP 9000/715/50 (Scorpio) PA-RISC 1.1a
real mem = 67108864 (64MB)
rsvd mem = 524288 (512KB)
avail mem = 53362688 (50MB)
random: boothowto does not indicate good seed
mainbus0 at root [flex fff8]
pdc0 at mainbus0
power0 at mainbus0: not available
cpu0 at mainbus0 offset ffbe000 irq 31: PCXT L1-A 50MHz, FPU PCXT (Rolex - CMOS-26B) rev 1
cpu0: 64K(32b/l) Icache, 64K(32b/l) wr-back Dcache, 120 coherent TLB, 16 BTLB
mem0 at mainbus0 offset ffbf000: viper rev 0, size 64MB
asp0 at mainbus0 offset 82f000: Scorpio rev 1, lan 1 scsi 7
gsc0 at asp0 irq 2
"Advanced audio (ext.)" at gsc0 (type a sv 7b mod 0 hv 70) offset 100 not configured
"Core Centronics" at gsc0 (type a sv 74 mod 0 hv 70) offset 824000 not configured
com1 at gsc0 offset 822000 irq 6: ns16550a, 16 byte fifo
com0 at gsc0 offset 823000 irq 5: ns16550a, 16 byte fifo
com0: console
hil0 at gsc0 offset 821000 irq 1
ie0 at gsc0 offset 826000 irq 8: i82596DX v0.0, address 08:00:09:78:25:c4
oosiop0 at gsc0 offset 825000 irq 9: NCR53C700 rev 0, 50MHz
scsibus0 at oosiop0: 8 targets, initiator 7
oosiop0: target 1 now using 8 bit asynchronous xfers
oosiop0: target 1 now using 8 bit asynchronous xfers
sd0 at scsibus0 targ 1 lun 0: serial.codesrc_SCSI2SD_2024050501_
sd0: 2048MB, 512 bytes/sector, 4194304 sectors
oosiop0: target 2 now using 8 bit asynchronous xfers
sd1 at scsibus0 targ 2 lun 0: serial.codesrc_SCSI2SD_2024050502_
sd1: 4096MB, 512 bytes/sector, 8388608 sectors
oosiop0: target 3 now using 8 bit asynchronous xfers
sd2 at scsibus0 targ 3 lun 0: serial.codesrc_SCSI2SD_2024050503_
sd2: 4096MB, 512 bytes/sector, 8388608 sectors
oosiop0: target 4 now using 8 bit asynchronous xfers
sd3 at scsibus0 targ 4 lun 0: serial.codesrc_SCSI2SD_2024050504_
sd3: 4736MB, 512 bytes/sector, 9700352 sectors
oosiop0: target 6 now using 8 bit synchronous xfers
oosiop0: target 6 now using 8 bit synchronous xfers
cd0 at scsibus0 targ 6 lun 0: removable
sti0 at mainbus0 offset 400: rev 8.02;10, ID 0x27F1239240A00499
sti0: HPA1991AC16, 2048x1024 frame buffer, 1024x768x8 display
sti0: 8x16 font type 1, 16 bpc, charset 0-255
wsdisplay0 at sti0 mux 1
wsdisplay0: screen 0 added (std, vt100 emulation)
softraid0 at root
scsibus1 at softraid0: 256 targets
oosiop0: target 1 now using 8 bit asynchronous xfers
hilkbd0 at hil0 code 1: 109-key keyboard, layout 1f
wskbd0 at hilkbd0 mux 1
wskbd0: connecting to wsdisplay0
"Mouse" at hil0 id 68 code 2 not configured
oosiop0: target 2 now using 8 bit asynchronous xfers
oosiop0: target 3 now using 8 bit asynchronous xfers
oosiop0: target 4 now using 8 bit asynchronous xfers
bootpath: 2/0/1.6 class=1 flags=0 hpa=0xf0825000 spa=0x0 io=0x6b24
root on rd0a swap on rd0b dump on rd0b
clock: failed to fetch (-13)
WARNING: bad clock chip time
WARNING: CHECK AND RESET THE DATE!
erase ^?, werase ^W, kill ^U, intr ^C, status ^T

Welcome to the OpenBSD/hppa 7.5 installation program.
--- <<< cut <<< ---

Disk boot:

--- >>> cut >>> ---
>> OpenBSD/hppa BOOT 1.11
boot>
NOTE: random seed is being reused.
booting dk4a:/bsd: 5107712+1823748+650236 [284920+110+279184+258064]=0xff817c
SPID bits: 0x0, error = -2
WARNING: PDC_COPROC error -3, assuming 1.1 FPU
[ using 822812 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2024 OpenBSD. All rights reserved. https://www.OpenBSD.org

OpenBSD 7.5 (GENERIC) #946: Wed Mar 20 17:20:03 MDT 2024
dera...@hppa.openbsd.org:/usr/src/sys/arch/hppa/compile/GENERIC
HP 9000/715/50 (Scorpio) PA-RISC 1.1a
real mem = 67108864 (64MB)
rsvd mem = 524288 (512KB)
avail mem = 55631872 (53MB)
random: boothowto does not indicate good seed
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root [flex fff8]
pdc0 at mainbus0
power0 at mainbus0: not available
--- <<< cut <<< ---

Alex.
Re: cleaning up /usr/local/lib after (many) upgrades?
...on 2024-01-27 17:46:07, Alexander Bochmann wrote:

> Is this expected, or a result of some error I made during upgrades?

As it turns out, the error I made was not actually running pkg_delete -a at any point, and misinterpreting the output of pkg_delete -an (which is why I didn't run the former)... It seems now all the stray libraries are gone.

Sorry for the extended noise,

Alex.
Re: cleaning up /usr/local/lib after (many) upgrades?
...on 2024-01-27 19:58:45, Alexander Bochmann wrote:

> I tried pkg_delete -a earlier today, but while it gave me a bunch
> of files that I think were from base (/usr/X11R6 mostly), it didn't
> turn up anything from /usr/local on this system.

It's been pointed out that this is impossible, and indeed what I was thinking of was actually pkg_check -F output...

Alex.
Re: cleaning up /usr/local/lib after (many) upgrades?
...on 2024-01-27 20:43:17, Jan Stary wrote:

> That's definitely weird. Which packages own these files?
> $ pkg_info -E /usr/local/lib/libvpx.so.8.0
> $ doas pkg_check -Fq

pkg_info -E returns no output for any version but the latest, which is then (in this case - I just picked libvpx as an example from a long list of libs):

> # pkg_info -E /usr/local/lib/libvpx.so.16.0
> /usr/local/lib/libvpx.so.16.0: libvpx-1.13.1v0
> libvpx-1.13.1v0 Google VP8/VP9 video codec

The only files mentioned by pkg_check -Fq in /usr/local are from stuff I built myself, outside of packages. None of the outdated shared libs turn up.

> > Usually I'm just running pkg_add -u to pull fresh versions of packages.
> > And is there some "standard" way to get rid of the old versions?
> pkg_add generally replaces the old version with the new versions.

Yes, at least that's true for the binaries and manpages and such...

Alex.
Re: cleaning up /usr/local/lib after (many) upgrades?
...on 2024-01-27 20:01:55, Omar Polo wrote:

> I think you're mixing up pkg_delete and sysclean. sysclean will give
> you a list of extra files that are not needed, while pkg_delete handles
> packages.

Nope, I looked at both, and neither handles old shared libraries from upgraded packages in /usr/local.

I had a quick skim over the pkg* sources, and while my Perl is far too rusty to really understand what's going on, there's a comment in PkgAdd.pm that looks related:

> sub delete_old_packages($set, $state)
> {
> [..]
>     $set->cleanup_old_shared($state);
>     # Here there should be code to handle old libs
> }

Hrm. I mean, it takes a couple of years of running pkg_add -u to turn into a problem, when your /usr/local is too small... ;)

Alex.
Re: cleaning up /usr/local/lib after (many) upgrades?
...on 2024-01-27 18:50:01, Nowarez Market wrote:

> _Did_ you check sysclean for your own purpose ?

sysclean (also mentioned in a direct mail by someone else) doesn't seem to help in this case. While it gives me input for yet another cleanup task, none of the files mentioned in sysclean output on this system are from /usr/local.

Alex.
Re: cleaning up /usr/local/lib after (many) upgrades?
...on 2024-01-27 19:35:18, Omar Polo wrote:

> does pkg_delete -a help? It should remove all the packages not needed,

I tried pkg_delete -a earlier today, but while it gave me a bunch of files that I think were from base (/usr/X11R6 mostly), it didn't turn up anything from /usr/local on this system.

Alex.
cleaning up /usr/local/lib after (many) upgrades?
Hi -

I'm looking at one of my OpenBSD systems here that has been upgraded over a long time, and has /usr/local running out of space. It seems there's a lot of old versions of shared libraries in /usr/local/lib, like for example:

> # ls -al /usr/local/lib/libvpx.so.*
> -rw-r--r-- 1 root bin 1909442 Mar 27 2018 /usr/local/lib/libvpx.so.10.0
> -rw-r--r-- 1 root bin 2047296 Oct 11 2018 /usr/local/lib/libvpx.so.11.0
> -rw-r--r-- 1 root bin 3182104 Apr 19 2021 /usr/local/lib/libvpx.so.12.0
> -rw-r--r-- 1 root bin 2049592 Sep 26 2021 /usr/local/lib/libvpx.so.13.0
> -rw-r--r-- 1 root bin 2062112 Sep 29 2022 /usr/local/lib/libvpx.so.14.0
> -rw-r--r-- 1 root bin 2057584 Mar 25 2023 /usr/local/lib/libvpx.so.15.0
> -rw-r--r-- 1 root bin 2069504 Oct 6 00:20 /usr/local/lib/libvpx.so.16.0
> -rw-r--r-- 1 root bin 1869707 Jul 26 2016 /usr/local/lib/libvpx.so.7.0
> -rw-r--r-- 1 root bin 1909806 Oct 2 2017 /usr/local/lib/libvpx.so.8.0

Is this expected, or a result of some error I made during upgrades? Usually I'm just running pkg_add -u to pull fresh versions of packages.

And is there some "standard" way to get rid of the old versions? I could probably compare whatever is there against the pkglocate database or check each file against pkglocate individually and parse the output or something, but I'd assume I'm not the first user to run into this?

Alex.
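One way to enumerate exactly the leftovers this thread is about, added here as an example (not code from the list or from the OpenBSD project): for each lib<name>.so.MAJOR.MINOR in a directory it keeps the newest MAJOR.MINOR and reports the rest, ordering versions numerically so that 10.0 is recognised as newer than 8.0 (which the lexical ls listing above gets wrong). The optional ownership check relies on the observation made later in the thread that pkg_info -E prints an owner only for the current version; it assumes paths without whitespace and a directory argument such as /usr/local/lib.

```shell
#!/bin/sh
# Added example (not from the thread): list the stale shared libraries that
# repeated "pkg_add -u" runs leave behind in a library directory. For every
# lib<name>.so.MAJOR.MINOR the newest MAJOR.MINOR present is kept and all
# older ones are printed. Assumes paths contain no whitespace and that names
# follow the lib<name>.so.MAJOR.MINOR convention used in /usr/local/lib.

stale_libs() {
    dir=$1
    # Emit "base major minor path", then group by base name and sort the
    # versions numerically (so 10.0 sorts after 9.0); awk prints every entry
    # of a group except the last, i.e. the newest, one.
    for f in "$dir"/lib*.so.*.*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        base=${name%%.so.*}
        ver=${name#*.so.}
        major=${ver%%.*}
        minor=${ver#*.}
        case "$major$minor" in
            *[!0-9]*) continue ;;   # not a plain MAJOR.MINOR, leave it alone
        esac
        printf '%s %s %s %s\n' "$base" "$major" "$minor" "$f"
    done | LC_ALL=C sort -k1,1 -k2,2n -k3,3n |
        awk '{ if ($1 == prev_base) print prev_path; prev_base = $1; prev_path = $4 }'
}

# On OpenBSD, confirm before deleting anything: the thread observes that
# pkg_info -E prints an owner only for the current version, so a candidate
# for which it prints nothing belongs to no installed package. Where
# pkg_info is absent (this example is portable) every candidate passes
# through unfiltered.
unowned_stale_libs() {
    stale_libs "$1" | while read -r lib; do
        if command -v pkg_info >/dev/null 2>&1 &&
           [ -n "$(pkg_info -E "$lib" 2>/dev/null)" ]; then
            continue            # some package owns this file; keep it
        fi
        printf '%s\n' "$lib"
    done
}

# Stand-alone usage: report on the directory given as first argument
# (e.g. /usr/local/lib). Nothing is deleted.
if [ $# -gt 0 ]; then
    unowned_stale_libs "$1"
fi
```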
Re: Historical Reasons For Default NAT Source Port Modification
...on 2022-05-16 17:57:06, Stuart Henderson wrote:

> On 2022-05-16, Alexander Bochmann wrote:
> > I seem to remember firewall rules that allowed only udp/53 as _source_
> > port for DNS traffic.
> Such rules often existed to cover replies, before the days
> of stateful firewalls.

I admit this is rather useless trivia, but a copy of an old (1999) ORA bookshelf CD with the DNS & BIND book has this:

> BIND 4 name servers always send queries from port 53, the well-known port
> for DNS servers, to port 53. Resolvers, on the other hand, usually send
> queries from high-numbered ports (above 1023) to port 53. Though name
> servers clearly have to send their queries to the DNS port on a remote host,
> there's no reason they have to send the queries from the DNS port. And,
> wouldn't you know it, BIND 8 name servers don't send queries from port 53 by
> default. Instead, they send queries from high-numbered ports, same as
> resolvers do.
>
> This can cause problems with packet filtering firewalls that have been
> configured to allow server-to-server traffic but not resolver-to-server
> traffic, because they typically expect server-to-server traffic to originate
> from port 53 and terminate at port 53.

Also some old NFS servers required that client traffic originated from ports < 1024 in order to "prove" that the client service was running with root privileges. I assume that some other stuff worked on that kind of heuristics too, but I don't remember about any good examples.

Alex.
Re: Historical Reasons For Default NAT Source Port Modification
Hi,

...on 2022-05-16 13:23:31, Philipp Buehler wrote:

> I cannot recall many applications from 20y ago that have been very keen
> on sending from certain ports (besides IKE already mentioned by JJ).

I seem to remember firewall rules that allowed only udp/53 as _source_ port for DNS traffic. Might have been more than 20 years ago.

Alex.
Re: lighttpd vs. libressl on 6.9?
Hi Ben - thanks for replying :)

...on Mon, Aug 23, 2021 at 09:48:16AM -0400, b...@0x1bi.net wrote:

> Try compiling lighttpd by hand from the ports tree with
> debug flags and run it with ktrace to see what's happening.

I fear that might be more effort than I'm able to invest right now, given that the problem occurs rather rarely (about once a month maybe), and I don't currently have a way to reproduce it other than by waiting for some random client that triggers the error.

I have changed my historic (*cough*) lighttpd TLS configuration to support only "modern" encryption, which might have the side effect of just not permitting any problematic combinations. I'll just wait if it happens again now before I take any other action.

> I'd recommend switching to the builtin httpd if the problem
> persists.

Yeah, unfortunately my configuration has a ton of rules, and I'm not too keen on rewriting all that.

(I had one reply on the Fediverse from someone who had seen the same effect, just much more often, but they switched to a different web server and didn't look for a root cause either.)

Alex.
lighttpd vs. libressl on 6.9?
Hi -

I've been running lighttpd from ports as web server on one of my OpenBSD systems for years, with no problems. Ever since upgrading to 6.9, it's been crashing every few weeks, and the last lines in the lighttpd error log are something like this each time:

> mod_openssl.c.3095) SSL: 1 error:06FFF064:digital envelope routines:CRYPTO_internal:bad decrypt
> mod_openssl.c.3095) SSL: 1 error:1404C119:SSL routines:ST_OK:decryption failed or bad record mac

Is there any known incompatibility between lighttpd-1.4.59 and the version of LibreSSL in OpenBSD 6.9?

Alex.
Re: ssh X forwarding and google-chrome
...on Thu, Jul 02, 2020 at 05:33:20PM +0300, Gregory Edigarov wrote:

> "ssh -Y google-chrome" just shows an empty and blank window, no
> menu, no address bar.
> May be there is some command line flags I am not aware of?

You could try google-chrome --disable-gpu, though I don't know if that still works.

Alex.
Re: Adding default IPv6 route fails on 6.1
...on Wed, Apr 12, 2017 at 11:12:28AM +0200, Sterling Archer wrote:

> On Wed, Apr 12, 2017 at 9:59 AM, Dimitris Papastamos wrote:
> > Try this instead:
> > !/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0
> That did the trick, dhcpcd is receiving router advertisements from
> my ISP now. Thanks, Dimitris.

On that note - there's several cloud VM providers out there who assign an IPv6 network to customer VMs and then expect that fe80::1 is used as default gateway. In those cases, an interface tag is required too, as the system will usually have at least one other link-local network on the lo0 interface (that's not new in 6.1)... So, depending on the interface name, something like this works:

> # fgrep fe80 /etc/mygate
> fe80::1%vio0

Alex.
Re: how to debug OpenBSD virtio-scsi killing qemu-kvm VM?
...on Wed, Mar 15, 2017 at 10:29:25AM -0400, Jiri B wrote:

> > > bios0: vendor SeaBIOS version "debian/1.7.5-1-0-g506b58d-dirty-20140812_231322-gandalf" date 04/01/2014
> > > bios0: QEMU Standard PC (i440FX + PIIX, 1996)
> it doesn't say anything about qemu-kvm version :/

Nope, but:

> > > sd0 at scsibus2 targ 0 lun 0:SCSI3 0/direct fixed

That says "2.1", and that's actually the version of the qemu-kvm package in Debian jessie. The qemu harddisk in your dmesg reports "2.5", so I'm probably wrong and you're actually on a newer qemu version than my VM.

Alex.
Re: how to debug OpenBSD virtio-scsi killing qemu-kvm VM?
Hi,

...on Mon, Mar 13, 2017 at 11:26:42AM -0400, Jiri B wrote:

> it seems virtio-scsi is not working correctly in OpenBSD, I gave it
> a try today and OpenBSD VM was killed with:
> 2017-03-13T15:29:00.814657Z qemu-kvm: wrong size for virtio-scsi headers
> on EL7 with qemu-kvm-rhev-2.6.0-28.el7_3.6.x86_64.
> I found a bug stating it is OpenBSD's fault
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768517

Hrm - I've been running an OpenBSD 6.0-stable VM with a hosting provider that seems to be using qemu-kvm for half a year, and have yet to run into that problem. I don't have any information about their platform except that their SeaBIOS identifies as debian:

> bios0: vendor SeaBIOS version "debian/1.7.5-1-0-g506b58d-dirty-20140812_231322-gandalf" date 04/01/2014
> bios0: QEMU Standard PC (i440FX + PIIX, 1996)
[..]
> virtio1 at pci0 dev 4 function 0 "Qumranet Virtio SCSI" rev 0x00
> vioscsi0 at virtio1: qsize 128
> scsibus2 at vioscsi0: 255 targets
> probe(vioscsi0:0:0): Check Condition (error 0) on opcode 0x0
> sd0 at scsibus2 targ 0 lun 0:SCSI3 0/direct fixed
> sd0: 61440MB, 512 bytes/sector, 125829120 sectors, thin
> virtio1: msix shared

Maybe it is actually a Linux bug that has been fixed by everyone except Red Hat in their undead backports kernel?

Alex.
Re: softraid crypto performance on Sun Fire T1000
Hi,

...on Sat, Oct 29, 2016 at 03:06:05PM +0200, Jonathan Schleifer wrote:

> While a single core of the T1000 is quite slow, this just seems too slow,
> making this setup unusable. openssl speed shows 10 MB/s for AES-128-CBC and 7
> MB/s for AES-256-CBC on a single core. So a single core is definitely capable
> of more than just 2 MB/s. While even 10 MB/s is still slow for today, it's

A long time ago, compiler flags made a hell of a difference for openssl on sparc64 (and I assume that kernel crypto might behave in a similar way)... I don't know about the current defaults in OpenBSD/sparc64, but for a T1 cpu, you could try rebuilding the kernel with something like "-mcpu=v9 -mtune=niagara" in mk.conf COPTS, and check if you see an improvement.

You'll be on your own with any problems though - custom compiler optimizations for the system are generally frowned upon :)

Alex.
Re: LibreSSL on old OpenBSD
...on Fri, Aug 12, 2016 at 08:53:36AM +, Roderick wrote:

> I know, you will complain, because I mention here that I still use
> OpenBSD 4.8 in a machine. But my question is more general.
> I was unable to install LibreSSL-2.4.2, but installing openssl-1.0.2h
> was possible without problems.

As others have written, trying to mix up different versions of software from the OpenBSD project usually won't work, as their development is tightly coupled. If you're serious about backporting software to old OpenBSD releases for whatever reason, the -portable versions are usually a better starting point, but still will require a good chunk of knowledgeable work - much better spent on a system upgrade.

That said, even ancient versions of OpenBSD are still a viable target for old-style UNIXy software. OpenSSL 1.0.1t and Sendmail 8.15.2 on OpenBSD 4.2? No problem. lighttpd and php 5.6.24 on OpenBSD 4.6? Works fine. Etc. Just don't expect any sympathy or even support from anyone. Don't ask, don't tell. (Especially, don't ask why I would know about any of those examples.)

Alex.
Re: 5.8/sparc64 - boot from softraid(4) fails?
Hi,

> ...on Sun, Dec 06, 2015 at 06:02:35PM +0100, Stefan Sperling wrote:
> > Can you show the output of 'devalias' at the ok> prompt?
> > If your disks are more than 4 levels deep inside the device tree
> > then the diskprobe loop in the boot loader won't see them.

Finally got around to testing your patch (probably just barely, as disk0 is the 10th entry in the devalias list, see previous reply on the list):

> Rebooting with command: boot disk0 sr0a:/bsd
> Boot device: /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1/disk@0,0  File and args: sr0a:/bsd
> OpenBSD IEEE 1275 Bootblock 1.4
> >> OpenBSD BOOT 1.7
> Can't read disk label.
> Can't open disk label package
> sr0*
> Booting sr0:a/bsd
> 8311464@0x100+3416@0x17ed2a8+209312@0x180+3984992@0x18331a0

Thanks!

Alex.
Re: 5.8/sparc64 - boot from softraid(4) fails?
Hi, coming back to this after some time...

...on Sun, Dec 06, 2015 at 06:02:35PM +0100, Stefan Sperling wrote:

> Can you show the output of 'devalias' at the ok> prompt?
> If your disks are more than 4 levels deep inside the device tree
> then the diskprobe loop in the boot loader won't see them.

I guess that's the reason then:

ok devalias
vx-rootmirr /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1/disk@1,0:a
net /pci@1e,60/pci@0/pci@9/pci@0/network@4
net0 /pci@1e,60/pci@0/pci@9/pci@0/network@4
net1 /pci@1e,60/pci@0/pci@9/pci@0/network@4,1
net2 /pci@1e,60/pci@0/pci@a/pci@0/network@4
net3 /pci@1e,60/pci@0/pci@a/pci@0/network@4,1
cdrom /pci@1e,60/pci@0/pci@1/pci@0/ide@1f/cdrom@0,0:f
ide /pci@1e,60/pci@0/pci@1/pci@0/ide@1f
disk /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1/disk@0,0
disk0 /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1/disk@0,0
disk1 /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1/disk@1,0
disk2 /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1/disk@2,0
disk3 /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1/disk@3,0
scsi /pci@1e,60/pci@0/pci@a/pci@0/pci@8/scsi@1
ttya /ebus@1f,464000/serial@2,80
ttyb /ebus@1f,464000/serial@2,40
sc-control /ebus@1f,464000/rmc-comm@2,0
name aliases

> If so, the following (untested) diff might fix the problem (adjusting
> to an arbitrarily chosen higher recursion level of 10).

Ok, I'll try that now.

Alex.
Re: 5.8/sparc64 - boot from softraid(4) fails?
Hi, thanks for your answer.

...on Sun, Dec 06, 2015 at 06:02:35PM +0100, Stefan Sperling wrote:

> Can you show the output of 'devalias' at the ok> prompt?

Will need a couple of days, as the machine is currently at a friend's place. I'll post an update as soon as I have the devalias output.

> The easiest way to try this diff is to build a new release on another
> sparc64 system (see man release(8)) and install that.

That will need even more time, as I don't currently have another sparc64 box on 5.8 :) I can probably try that sometime late next week.

Alex.
5.8/sparc64 - boot from softraid(4) fails?
I recently tried to install OpenBSD 5.8 on a Sun Fire, using a RAID-1 softraid as boot device. System doesn't boot though, and ends up with this:

> Sun Fire V245, No Keyboard
> Copyright 2007 Sun Microsystems, Inc. All rights reserved.
> OpenBoot 4.25.10, 4096 MB memory installed, Serial #67141234.
> Ethernet address 0:12:33:0:11:aa, Host ID: 8400123a.
>
> Rebooting with command: boot
> Boot device: disk0 File and args: sr0a:/bsd
> OpenBSD IEEE 1275 Bootblock 1.4
> >> OpenBSD BOOT 1.7
> Unknown device: sr0
> Cannot boot from softraid: Unknown error: code 19
> Program terminated

As the documentation for booting from softraid on sparc64 feels somewhat sparse, I'm not actually sure I set things up correctly:

- from the install cd, created disklabels with a RAID partition on sd0 and sd1
- assembled softraid with bioctl:
> # bioctl -c 1 -l /dev/sd0a,/dev/sd1a softraid0
> sd4 at scsibus2 targ 1 lun 0:SCSI2 0/direct fixed
> sd4: 70004MB, 512 bytes/sector, 143369136 sectors
> softraid0: RAID 1 volume attached as sd4
(the system has two other disks)
- ran ./install to install OpenBSD to sd4
- rebooted and set boot parameters as per boot_sparc64(8)

Any steps I am missing? Any hints how to further debug this?

Thanks,
Alex.
Re: Backup of OpenBSD to Linux box
...on Mon, Jun 15, 2015 at 07:46:31AM +0100, Bernd Schoeller wrote:

> There are a number of remote backup systems floating around (rdiff-backup, rsnapshot, etc.) and of course there are in-house solutions (dump/restore), though I don't know if these are interoperable.

restore on Linux can read backups created with dump on a BSD system.

> Is there somebody on the list who has a similar setup and could point me at a solution that works for him/her?

If you're backing up more than one host, some backup management system like Amanda/Zmanda or Bacula might be useful.

Alex.
Re: Comparing large amounts of files
Hi,

...on Fri, Dec 11, 2009 at 06:52:09PM -0500, STeve Andre' wrote:

> Compare how?

> I should have been more clear I suppose. I'd like to know the files that are identical, files that are of the same name but different across directories, possibly several directories.

Maybe you could use something like this in the directory you're looking at:

find . -type f -print0 | xargs -0 -r -n 100 md5 -r > md5sums

You could now just sort the md5sums file to find all entries with the same md5... Or sort by filename (will need some more logic if files are distributed over several subdirectories) to weed out those with the same name and different checksums.

Alex.
Re: How to disable IPv6?
Hi,

...on Sun, Dec 06, 2009 at 05:15:14PM -0600, Todd T. Fries wrote:

> Between pf, 'ifconfig em0 -inet6' and 'echo family inet4 /etc/resolv.conf' you should have about all the anti v6 knobs a budding newbie should need.

Thanks for putting all the required info into one place.

Alex.
pf route-to doesn't work for me after upgrading to 4.6
Hi,

did anything change in regard to pf rules with the route-to option in recent versions of OpenBSD?

I've just reinstalled an old system that was running OpenBSD 3.9 with 4.6, and gave it my old pf rulesets. There is a rule that is supposed to send all traffic originating from a certain local network into a tunnel instead of to the default gateway. Which it did with 3.9. Now it seems to do nothing - outgoing traffic just follows the default route, regardless of the route-to rule.

It was basically something like this:

pass in quick on $int_if route-to $vpn_if from $special_net \
    to ! localnets keep state

(The relevant traffic comes in through $vpn_if by itself.)

Also tried binding the rule on the external interface, and using the route-to syntax with gateway address, but that didn't work either.

Alex.
Re: pf route-to doesn't work for me after upgrading to 4.6
Hi,

...on Fri, Dec 04, 2009 at 03:46:22PM +, Fred Crowson wrote:

> pf has virtually been rewritten in that time

Ok, what bit me from that is that the default for rules was changed to keep state in the meantime and some other stuff that was relying on the old semantics interfered with the policy routing. After kicking that out, things magically work as expected... Seems I'll better rewrite the whole ruleset.

(Why do I always find these things just after writing to the list, and not before?)

Thanks for the answers,

Alex.
Re: Anyone using munin?
Hi,

...on Thu, Apr 02, 2009 at 05:44:32PM -0700, Marc Runkel wrote:

> Trying to set up munin work with OpenBSD and was wondering if anyone had some plugins pre-written? In particular interface statistics but I'll take just about anything.

I have a bunch of badly hacked munin plugins I've been running for some time, which you could try to use as an inspiration. Warning: Undocumented cut & paste code from other existing plugins. I'll take no responsibility if it breaks your brain (or computer).

They do at least basic IF Statistics, cpu, disk, temperature sensors. Can be downloaded from here: http://ozeanos.gxis.de/temp/filepile/munin-plugins-obsd39.tar.gz

Alex.
Re: European orders
Hi,

...on Mon, Mar 30, 2009 at 10:35:08PM +0200, Daniel Seuffert wrote:

> I know Wim personally for many years, I have seen some of his work and I have the deepest respect for him and what he has done.

Absolutely. From my point of view, Wim's constant presence and marketing activity was an important factor in the past success of the project, and he is to be commended for that. He did so much more than just reselling CDs and merchandise - which exactly seems to be the problem now. Wim was the figurehead who did all the talking and organizing, and that's why I was buying my stuff from him (and would continue to do so in the - improbable - case of a solution for all this mess).

As for the bickering about details of obviously undocumented arrangements - well, they are just that: undocumented arrangements. Can work, can lead into a disaster, with a certain longterm bias to the second option, when money is involved. No surprises there.

Alex.
the death of the oldest OpenBSD system on the net...
...was rather unspectacular: Hardware failure.

The system's name was base, originally installed with OpenBSD 2.3 on Jun 12, 1998:

-rw-r--r-- 1 root wheel 5 Jun 12 1998 etc/myname

It ran the OpenBSD 2.3 kernel and most of the userland until it stopped responding about three weeks ago and couldn't be resurrected. Small hardware problems had happened before, as with most systems that have been running uninterrupted for nearly 10 years, but this time I decided against getting it up again: Running modern software had gotten a real chore (never managed to backport OpenSSH, for example, so it still had the last version of the old ssh.com daemon (1.2.32?)). (Well, that, and the 2.3 GENERIC kernel reliably shot down the VMWare session I tried to get it running in.) Good old internet software like sendmail or bind never were a problem though, even in their most recent versions (which may or may not be a compliment, depending on your point of view).

To my knowledge, the system never was hacked - despite running software like qpop 2.53 or really, really old versions of apache and php. (I sometimes found core files, but I guess the system was just too obscure to be a valid target for any type of automated attack.)

base had lots of old stuff still lying around, like an emergency netboot environment for the sun3/160 that it had replaced as main server for infra.de back at the time, an Amanda client for my old employer's network backup system that's long gone, or the configuration for half a dozen UUCP feeds which have lost their peers ages ago.

Gone are the days when 32MB RAM was a lot, a stripped down OpenBSD kernel had a whopping 1MB, and a handful of blacklists got rid of almost all of the spam.

-rwxr-xr-x 1 root wheel 1056157 Jul 31 2002 /bsd

Alex.
Re: the death of the oldest OpenBSD system on the net...
...on Sun, Mar 16, 2008 at 05:11:10PM +0300, Nickolay A. Burkov wrote:

> Thanks for interesting story; very sadly. Just out of curiosity, what hardware was it?

Can't find a dmesg currently, but from memory the original setup was something like: Pentium-133, 32MB RAM. 4GB Quantum IDE HDD, 3Com 509(?) ISA. I think some 512k Trident VGA graphics card. As far as I remember, most of the stuff had been 2nd hand even in '98.

Back then, that was more than enough to run a mailserver for maybe 100 users (sendmail, qpop, uucp), bind, an nntpcache, squid proxy, radius (for an Ascend Max E1 dialin router I still have at home), and the web server.

A couple of years ago, the mainboard had been replaced by something with a K6-233 CPU as the old one had died. The harddisk survived to the end (although that may have been the component that finally failed - didn't have a chance to get access to the hardware yet).

Alex.
Re: 202 days Uptime in OpenBSD 3.6
...on Mon, Jan 15, 2007 at 11:20:27AM -0700, Darren Spruell wrote:

> On 1/15/07, Alexander Bochmann wrote:
> > Last login: Sun Jan 7 19:22:19 2007 from xxx
> > OpenBSD 2.3 (LOCAL) #0: Wed Jul 31 12:51:38 CEST 2002
> Do you sleep well at night exposing that system to the Internet?

Yes. The setup is obscure enough to require a very targeted attack, and I'm still waiting for someone to come along and do that. Also, the services on the machine used to run on a SunOS 4 sun3 before this one was set up - so it's kind of a tradition to use an outdated system ;)

> One would question the amount of effort to ensure patch application

Sure. But it's fun. Well, some strange kind of fun, at least. Also I can brag about it now and then.

Alex.
Re: 202 days Uptime in OpenBSD 3.6
...on Thu, Jan 11, 2007 at 08:42:35AM +0100, Marc Balmer wrote:

> hmm, why are people so proud of their uptimes when it only show they don't care for their systems?

Bah, uptimes (is it that time of the year again?)...

Last login: Sun Jan 7 19:22:19 2007 from xxx
OpenBSD 2.3 (LOCAL) #0: Wed Jul 31 12:51:38 CEST 2002

Welcome to OpenBSD: The proactively secure Unix-like operating system.

{104} ls -al /etc/localtime
lrwxr-xr-x 1 root wheel 33 Jun 12 1998 /etc/localtime -> /usr/share/zoneinfo/Europe/Berlin

That's an Internet-connected system, running mail, web, DNS. It gets increasingly difficult to talk current software into compiling on that platform, though.

Alex.
Re: Compilers make a system less secure?
...on Tue, May 02, 2006 at 03:49:26PM +0400, Anton Karpov wrote:

> But what if your system has no compiler? When attacker should compile his sploit anywhere, and transfer binary evil code onto your box. E.g. he has to have access to the similar machine, maybe with similar OS version and arch.

I know not having a compiler has been considered secure systems best practice for a long, long time - but it comes from a distant past when compilers for networked systems were expensive tools, using expensive operating systems on expensive hardware. So you wouldn't have had ready access to a Solaris box with Sun Forte on it to compile things yourself, and that may have been a major obstacle.

In today's world, quickly whipping up a build environment for most systems out there is a no-brainer, and thanks to stuff like qemu you don't even need the appropriate hardware.

In short, it may help to discourage a few low-skill attackers (same as getting rid of perl, for example), at the cost of making your own life as systems administrator so much more tedious. Just isn't worth the trade-off anymore, IMHO.

Alex.
Re: Compilers make a system less secure?
...on Tue, May 02, 2006 at 09:46:01AM -0500, Graham Toal wrote:
> Back in the old days when the only access to a system was by a modem to a login prompt, and there was no networking available to make things easy, the only way to get a binary on to a machine was to somehow enter it from the keyboard (or equivalent, eg pulling it in via tip's ~ escapes)

Ok, that was well before my time then :)

I remember transferring binaries through a non-8-bit-clean dialup pad with kermit, but that's another program you wouldn't want to have on a secure host. It did get me around a lot of restrictions the admins thought they had placed on the system, though...

Alex.
Re: C Compiler Prob
...on Thu, Mar 30, 2006 at 12:49:29PM +0200, oliver simon wrote:
> checking for gcc... egcc

egcc?

Alex.
Re: openbsd and the money -solutions
...on Sat, Mar 25, 2006 at 08:25:32AM +0100, Jurjen Oskam wrote:
> > There is no reason to provide funding from a business standpoint. What does the business gain?
> Does having a business standpoint require shutting off all common sense?

In today's world: Mostly. Modern businesses have developed their own definition of morality and common sense, which is not necessarily compatible with whatever individuals may think. In that environment, the ethics applied by the OpenBSD community are deeply anachronistic - which makes them great for some people, and a pain for others, regardless of any technical merits.

My guess is that especially (US-based) public companies don't want to be seen associated with OpenBSD (by donating, for example), as they fear damage to their business reputation from that.

Alex.
Re: Sendmail security problem
...on Thu, Mar 23, 2006 at 12:22:37PM +0100, Anthony Howe wrote:
> I installed 8.13.6 last night from the source tar ball on two machines (one is OpenBSD 3.6, the other an old Linux box). Appears to be chugging along happily. Can't speak to the specific security issue though.

Replacing OpenBSD's sendmail with sendmail.org's version is a non-issue (as in "just works") on any OpenBSD version which ships >= 8.12. If in doubt, /usr/src/gnu/usr.sbin/sendmail/Makefile.inc contains the ENVDEFs to add to site.config.m4.

Alex.
Re: OpenBSD and the money
...on Thu, Mar 23, 2006 at 02:20:08PM -0500, Peter Fraser wrote:
> I recognize that government grants come with red-tape, and people are often disdainful of taking hand-outs. In this case, however, I'd think the pros outweigh the cons. Don't you have a wish-list of things you'd implement or improve if you got sufficient funding?

I don't think it's a viable path for the project as a whole, although it may be remotely possible to get funding for certain development goals. It still takes away lots of freedoms, and needs some people who find fun in hacking organizational structures instead of coding.

The PyPy people (http://pypy.org/) had a presentation on how they went for EU funding, http://events.ccc.de/congress/2005/fahrplan/attachments/557-Paper_OpenSourceEuFundingAndAgileMethods.pdf

Start reading on page 3, "How and why EU funding", and maybe replace the term "sprint" with "hackathon". Then, have a look around here and think again...

Nah.

Alex.
Re: openbsd and the money
...on Fri, Mar 24, 2006 at 01:42:48PM +0100, Hannah Schroeter wrote:
> I don't actually understand what that whining about tax deduction is about.

My guess is that it's not about the tax deduction in itself (although that certainly helps), it's about the receipt. Companies very much like to generate a proper paper trail when they hand out money, and not only for the tax office. So it's probably easier to get a company to order a few hundred CDs instead of a donation.

(On the other side, I don't know how the incoming donations are handled by OpenBSD, but they most probably are also subject to taxation somewhere.)

Alex.
Re: openbsd and the money
...on Fri, Mar 24, 2006 at 02:52:55PM +0100, Alexander Bochmann wrote:
> So it's probably easier to get a company to order a few hundred CDs instead of a donation.

By the way, the golden CD signed by all core developers for $9000 might just be the thing to add to the store. :)

Alex.
Re: Reminder about the X Aperture
...on Tue, Mar 14, 2006 at 05:41:44PM -0700, Theo de Raadt wrote:
> > > Yes, they have DMA engines. If the privilege separate X server has a bug, it can still wiggle the IO registers of the card to do DMA to physical addresses, entirely bypassing system security.
> > Wow. As if running a binary blob was not bad enough, video card binary blobs are suddenly found to be all-powerful.
> This issue is not about binary blobs for video cards.

Using GPU shader programs to read from main memory was one of the ways mentioned as a possible attack on the XBox 360 security system in a presentation at 22C3 last year, though limited by the system's memory encryption in that case. (Could well be contained in some binary blob, but that's another issue.)

Alex.
Re: Traffic analysis on a per service basis
...on Fri, Mar 03, 2006 at 03:33:53AM +0100, Martin Schröder wrote:
> On 2006-03-02 19:01:13 -0600, eric wrote:
> > Best you'll find for reliable traffic accounting (and the most flexible) is argus http://www.qosient.com/argus/. I'd recommend that route, then using
> Seems to be quiet since 2004-05 and has its own license :-(

The argus mailing list is still quite active.

Alex.
Re: help with source-routing
Hi,

...on Fri, Mar 03, 2006 at 01:08:43PM +0100, oliver simon wrote:
> hme1 - 10.50.0.10
> hme0 - 217.5.23.69
> hme0_alias - 217.5.23.70
> default-gw is 10.50.0.1
> If you want to connect to e.g. 193.44.25.2, the machine has to go there with one of its official IPs 217...

Are you sure that's a sane setup? Why do you want to reach the outside world through an interface on a private segment when you have official addresses on another interface? And why is there no address translation elsewhere between your private segment and wherever it connects to the Internet?

> How can we solve that problem ? I read a lot about pf and other things, but nothing I tried is working ...

You can NAT the traffic going out through hme1, but you will have a nice split routing situation, as the traffic flowing back to you will probably come in through hme0. Not that that's a problem, it just doesn't make any sense.

Alex.
Re: help with source-routing
...on Fri, Mar 03, 2006 at 03:03:23PM +0100, oliver simon wrote:
> Internal Network is another IP-Range ... DMZ has official IPs for the services and its private ip-range for the hosts themselves.
> DMZ: 10.50.0.0/24 + Official IPs for services
> Internal(!)Lan: 10.23.0.0/24
> DBNet (e.g.): 10.28.0.0/24

Usually, you would do proxying or NAT for the official service addresses on your outer gateway. Not much use having them on the DMZ network, it just adds unnecessary complexity.

Alex.

(Yes, I know that doesn't answer your question :) ...)
Re: sendmail and Undeliverables
...on Wed, Mar 01, 2006 at 05:01:52PM -0600, Joel Gudknecht wrote:
> I'm concerned that sendmail is even accepting these messages as they have nothing to do with my domain and I don't know how to prevent this behavior, any info on this subject would be appreciated, thank you.

From the snippet you posted, it seems as if someone sends spam using your address/domain as sender, and you get the bounces. Unfortunately, nothing unusual about that, and not much you can do.

Alex.
Re: Problem with squirrelmail
...on Thu, Mar 02, 2006 at 01:07:09PM +0200, Gabriel George POPA wrote:
> I have a small problem with squirrelmail. The problem is that users cannot read their mail messages if they are too large (though not very
[..]
> going on? Settings from /etc/inetd.conf:
> # IMAP server from PINE
> imap2 stream tcp nowait root /usr/sbin/imapd imapd

That doesn't really explain your problem, but if you are running an imapd from inetd and have enough users, you will certainly run into the default spawn limit of 256 connections in 60 seconds. Try cranking that up to a sensible number for your environment (nowait.2048 or something).

Alex.
Re: Regarding a SPARCSTATION 1+
...on Sun, Jan 29, 2006 at 02:14:38PM +0200, Gabriel George POPA wrote:
> I'm wondering if OpenBSD 3.8 will work on a SPARCSTATION 1+ computer. Does anyone have a toy like this running OpenBSD?

Not currently, but I had an SS1+ under OpenBSD until about 3.2 (I think). Everything should work fine, but don't try to use ffs softupdates (see http://www.openbsd.org/faq/faq14.html#SoftUpdates). The other standard advice is to recompile at least libssl with -mcpu=supersparc, otherwise you won't have much fun with ssh on this box (I rebuilt the whole system with that switch, but then that doesn't mean it works for anyone else).

Alex.
Re: Regarding a SPARCSTATION 1+
...on Sun, Jan 29, 2006 at 07:38:50PM +0100, Alexander Bochmann wrote:
> The other standard advice is to recompile at least libssl with -mcpu=supersparc, otherwise you won't

Sorry, that's crap - the SS1+ doesn't have a supersparc CPU.

Alex.
Re: Squid and named DNS
Hi,

...on Fri, Jan 27, 2006 at 12:10:22PM +0200, Kiraly Zoltan wrote:
> I use Squid to filter web content like ads and pop-ups (adzaper), I don't use Squid for cache. The problem is, when I use Squid many web pages open slowly, for example sometimes I wait a lot in Firefox at the "Waiting for www.pagexy.com..." message. Without Squid all pages open faster.

I assume that with your content filter setup squid won't pass data until it's been fully loaded - otherwise the content filter can't be sure to block the transmission if it detects anything harmful. So you will see a considerable delay more or less by design. Not using caching is also counterproductive, as you'll have the system scanning everything all over again.

> I hear Squid doesn't really like named, is it true? Or does anyone use Squid with named and not have problems? Any idea?

That sounds like a bit of crap to me, in what way should squid not like named? Ok, both can be memory hogs, depending on their configuration, so if you're low on memory you wouldn't want to have both on the same box, but that's about it...

I doubt DNS is your problem, but your setup is probably suboptimal. Squid does its own DNS caching, so letting it access a server that is forward-only itself (basically another cache level) at least won't do much good.

Alex.
Re: Possible implication of a Sendmail on OpenBSD 3.8 in a spam attack
...on Wed, Jan 25, 2006 at 02:09:58PM +0200, Gabriel George POPA wrote:
> Yahoo! does not accept some mails from me). I've noticed that the mailstats command reports 13 (!!!) messages sent (!) outside. My computer is a small server running OpenBSD 3.8, MySQL+PHP+Apache for the website; it's a FRESH install so that I don't think it's a problem in the system. I have around 30 users that use POP3+Outlook Express to send and receive their mail messages.

It's quite improbable that your box can be used as relay without some additional software or some sort of configuration problem. How about some more info on what you are running on that web site? The usual feedback script abuse comes to mind.

Also, you have all the logfiles on your machine, try to single out a specific spam message (I assume you have a few samples) and find out how it came into your system.

Alex.
OpenBSD-specific plugins for Munin, anyone?
Hi,

I've recently been playing with Munin again (http://munin.projects.linpro.no/), and noticed there are nearly no plugins for OpenBSD. While I have adapted a few for my needs, I surely can't be the first to do that?

(Munin is a(nother) simple, low-configuration software using rrdtool to create pretty graphs of different things happening on networked systems. I'm using it because I'm lazy. Having to write my own plugins is bad in that respect.)

Alex.
Re: Apache logs filled with remote exploit trials
...on Mon, Jan 16, 2006 at 12:34:54PM +0100, Didier Wiroth wrote:
> [Sun Jan 15 20:53:24 2006] [error] [client 69.60.121.159] File does not exist: /htdocs/xmlsrv/xmlrpc.php
> How do you handle these kinds of attacks?

Ignoring them, mostly. It's the attack script of the month.

> How or what do I have to use to dynamically block client IPs that try these types of attacks?

In my case, most of them seem to come from some dialup/DSL ranges with dynamic addresses, so blocking is not much use. If you're annoyed enough, you might try mod_security (if you run apache), or simply catch all access to an xmlrpc.php with a mod_rewrite rule. If you don't need it somewhere, that is.

Alex.
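Before deciding whether a rewrite rule or a block is worth the bother, it helps to know how many distinct clients are actually probing. The sh/awk triage below is an added example, not code from the thread: it reads Apache error-log lines in the format Didier quoted and counts the "File does not exist" hits per client for a given basename (xmlrpc.php by default, any other basename on request). The sample log lines are constructed; the 69.60.121.159 line is the one from the post, the 192.0.2.x and 198.51.100.x addresses are made up.

```shell
#!/bin/sh
# Added example: per-client triage of "File does not exist" errors in an
# Apache error log, for a given requested basename (xmlrpc.php by default).
# SAMPLE_LOG is constructed sample data in the format quoted in the thread.
SAMPLE_LOG='[Sun Jan 15 20:53:24 2006] [error] [client 69.60.121.159] File does not exist: /htdocs/xmlsrv/xmlrpc.php
[Sun Jan 15 20:53:25 2006] [error] [client 69.60.121.159] File does not exist: /htdocs/blog/xmlrpc.php
[Sun Jan 15 20:54:01 2006] [error] [client 192.0.2.7] File does not exist: /htdocs/favicon.ico
[Sun Jan 15 20:55:10 2006] [error] [client 192.0.2.7] File does not exist: /htdocs/xmlrpc.php
[Sun Jan 15 20:56:42 2006] [error] [client 198.51.100.3] File does not exist: /htdocs/drupal/xmlrpc.php'

# probe_hits [BASENAME]: read error-log lines on stdin and print "COUNT IP"
# for every client whose missing-file errors end in BASENAME, busiest first.
probe_hits() {
    awk -v want="${1:-xmlrpc.php}" '
        /File does not exist: / {
            path = $0
            sub(/.*File does not exist: /, "", path)
            n = split(path, parts, "/")
            if (parts[n] != want) next
            # the client address sits in the "[client a.b.c.d]" field
            if (match($0, /\[client [^]]+\]/)) {
                ip = substr($0, RSTART + 8, RLENGTH - 9)
                hits[ip]++
            }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# repeat_probers [BASENAME] [MIN]: only the clients with at least MIN hits,
# i.e. the ones worth a closer look (or a mod_rewrite/mod_security rule).
repeat_probers() {
    probe_hits "${1:-xmlrpc.php}" | awk -v min="${2:-2}" '$1 >= min { print $2 }'
}

# Stand-alone run: list the repeat xmlrpc.php probers in the sample log.
printf '%s\n' "$SAMPLE_LOG" | repeat_probers xmlrpc.php 2
```

On a real system, feed the error log instead of the sample (e.g. `probe_hits xmlrpc.php < /var/www/logs/error_log`).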
Re: CPU time off by a factor of two
...on Fri, Nov 25, 2005 at 03:43:52PM +0800, Uwe Dippel wrote:
> It's a bug, so it seems now. Sorry, last night I didn't have access so my answer is late: I simply rebooted to single-CPU-kernel; compiled by myself, just as well, and it runs like hell. Exact, I mean. Not a single second off after three hours. (so says ntpdate.)

That sounds quite a bit like what I remember reading about, something like the TSC might run at different speeds on different cores depending on thermal throttling, SpeedStep, ACPI state, whatever. So if you're switching to a counter on another core without taking that into account, you're in trouble. Which doesn't mean that's the problem here :)

Alex.

(no, I actually have no idea what I'm talking about)
Re: certification of firewall product / mess in my head
Hi,

...on Tue, Sep 13, 2005 at 10:12:11AM +0200, qstreb wrote:
> Yesterday I got surprised, it looks like in Germany (and some other countries) there are some laws/requirements/obligations that in case a firewall (appliance) is owned by third parties and they produce any damage to others, even the chiefs are responsible for the damage, but if this appliance is certified these people don't have such trouble.

That sounds a bit like fallout from the Sarbanes-Oxley Act (for a short summary, see http://en.wikipedia.org/wiki/Sarbanes-oxley), and last time I looked, Germany was not a part of the USA. On the other hand, I haven't followed our legislation in that sector recently, and if your company is incorporated in the US or does business with US-based companies, you will be affected either way.

I assume that certification in that context is supposed to prove some kind of due diligence in your itsec efforts. A proper documentation of your firewall setup should do the same, but in the end it's probably better to talk to a lawyer than to system administrators :)

Alex.
Re: sendmail and clamd
...on Tue, Sep 06, 2005 at 03:13:01PM +0200, Cristian Del Carlo wrote:
> I am planning to use openbsd as mail server with sendmail and clamd as antivirus on an intel machine. What can I use to connect sendmail and clamd? I know that there are several methods: milter, amavis etc...

Depends on your hardware and the amount of traffic you expect (and some other things).

I'm successfully using smtp-vilter as milter for clamav, but I haven't followed the latest development on OpenBSD pthreads, and people used to say that there's problems with the thread implementation (search the archives for specifics) - so going with milters might not be the optimal solution for a high-volume system.

I've done some setups with MailScanner, which works quite nicely even under extreme loads, but is queue-based instead of being plugged into the MTA like a milter in sendmail, so mails have to be fully accepted into the system before MailScanner can work on them.

Alex.
Re: Lifecycle question
...on Mon, Sep 05, 2005 at 03:35:19PM +0200, Stephan A. Rickauer wrote:
> Henning Brauer wrote:
> > you don't have to reinstall at all. hogwash by some people here. I have about a hundred servers in production, some are upgraded ever since 2.7 times or so. upgrade typically takes us 5 minutes and one reboot a box.
> Well, I am thinking of using OpenBSD for our firewalls. Those I do want to upgrade regularly. Not because of features, but because of patches.

For a simple filtering firewall, you won't need to do much for an upgrade. Perhaps touching a few files in /etc according to the upgrade document, and if you use any ports or local binaries, getting them up to the current version. The basic layout of things hasn't been changed for a long time, it's not as if suddenly config files will have to be in a different directory because someone wants to be compatible with some standards document or so.

On the other hand, there's little incentive to upgrade such a setup at all (except for the exercise) - there are rarely catastrophic bugs that will be able to compromise your system, and throwing in a new version of things like openssh or zlib will usually work a couple of versions back from the current release, even if there's no formal patch.

(In reality, if there's a case where you really, really need to upgrade such a system after a few years, it will probably hurt - I currently have that with a 3.3 box with so many local changes that it barely looks like OpenBSD anymore...)

Alex.
Re: OpenBSD 3.8 negative free space (?WTF?)
...on Wed, Aug 24, 2005 at 12:24:46PM -0700, Ray Percival wrote:
> ~5% to be exact.

To be more exact, it depends on the -m option value you used when last running newfs or tunefs on the filesystem. :) See the description in the tunefs(8) man page.

Alex.
Re: 3.8 beta requests
...on Tue, Aug 23, 2005 at 09:42:02AM +0200, J. Lievisse Adriaanse wrote:
> I wonder what the theme for this release will be...

Something like "we help making your software more secure - by default"? (Ok, it's not more secure, but more correct, probably...)

Generally I think it's a really good idea to go ahead with this - everything that helps developing software with less errors is a step forward, even if some programmers (and users) may hate it.

Alex.
Re: x86 rings?
...on Thu, Aug 04, 2005 at 08:18:40PM -0500, Dave Feustel wrote:
> some very specialized applications. Intel had a chip (the 960mp?) used in the military that used segmented addressing, but I don't think it has been used anywhere else but possibly in HP printers years ago, and (I think) without the segmentation).

I've seen a lot of i960s as embedded CPUs on RAID controllers and the like in the 1990s, but obviously they were stripped down from the military i960MX version (see Wikipedia, http://en.wikipedia.org/wiki/Intel_i960).

Alex.
Re: Need Quad Ethernet for router box
Hi,

...on Thu, Jul 21, 2005 at 11:50:20AM -0400, Bill Chmura wrote:
> Ethernet wise, currently the whole mess is at 100MB... It will be that way at least for 12 months after this. As far as heavily used, I just got on the scene myself and the usage is way down. School, summers off. But the end of the year is crazy for them network wise. So in the end, all I can say at this point is that it's barely running at peak usage on 100MB.

As others suggested, getting a decent switch with VLAN support and using a single GigE trunk to your router might be a good start (and even cheaper than a bunch of 4-port GigE cards). I don't think you will run into bandwidth problems on the trunk if everything is at 100mbit now, and you will just have much more flexibility with the segmentation. You can still push high-volume VLANs to another trunk port (or dedicated links to the router) later, if that turns out to be necessary.

Also, will all the traffic really pass the router, or will much of it be local to the respective segments? Thinking about how to redesign the network to reduce the load on the router might be a good idea.

Alex.
Re: Amanda port WO gnuplot?
Hi,

...on Tue, Jul 19, 2005 at 09:43:45PM -0400, stan wrote:
> I'm building several new 3.7 machines. These machines will be Amanda clients (only, not servers). Looks like the amanda port depends on gnuplot, which depends on X11.

Build on a machine that has the dependencies installed and then copy the -client package over to your systems. Should work fine, as there are no library dependencies against X11 or such (but I didn't test it, as I always build my amanda clients from the original sources instead of using the port).

Alex.
Re: How to change flags of a route?
...on Tue, Jul 19, 2005 at 10:29:34AM +0200, Michael Adam wrote:
> The scenario is the following: On an OpenBSD firewall and router, I have an interface if0 with address 192.168.1.1/24. Now, there is a host 192.168.1.2 which sits behind a third host 192.168.1.3 from the network segment of if0. So I would like to set a host route as follows:
> route add -host 192.168.1.2 192.168.1.3

That setup is broken by design. The only real way to make this work is to have 192.168.1.2 do proxy-arp for 192.168.1.3, which will solve your routing problem automatically, as the ARP request won't fail anymore, and you won't need to set up anything on your gateway.

Alex.
Re: Compiling for VIA Samuel 2 (CentaurHauls 686-class) 533 MHz
...on Sun, Jul 17, 2005 at 05:25:39PM +0100, matt lawless wrote:
> fed up of kernel panics on my EPIA 5000 I decided to make from source but can't find what settings to use to get it to compile for this restricted processor. GCC borks when I try and compile it on the EPIA :
> /usr/src/sys/sys/time.h: In function `bintime2timeval':
> /usr/src/sys/sys/time.h:207: internal compiler error: Segmentation fault
> Please submit a full bug report,

That seems to be a quite certain indicator for memory problems. From my experience, I can say that OpenBSD runs fine even on the more broken Via EPIA boards (except for the usual "watchdog timeout" and "rx packet lost" messages on the vr ethernet when running at 100/fdx).

OpenBSD 3.7 (GENERIC) #50: Sun Mar 20 00:01:57 MST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Samuel 2 (CentaurHauls 686-class) 533 MHz
cpu0: FPU,DE,TSC,MSR,MTRR,PGE,MMX

Looks exactly like one of mine, which has been running 3.5, 3.6, and 3.7 without any unexpected problems.

Alex.
Re: getting dhclient to update bind forwarders IPs
Hi,

...on Tue, Jul 12, 2005 at 02:02:11PM +0200, Raphaël Berbain wrote:
> I have a box running bind as a cache+forwarder setup. It connects to the ISP through DHCP. When dhclient kicks in, it fetches the ISP-provided DNS IPs and by default puts those in /etc/resolv.conf. Instead of that, I'd like /etc/resolv.conf to point to localhost. I'd also like dhclient to tell bind to use the DNS IPs it got by dhcp as forwarders. I can think of several ways to keep /etc/resolv.conf pointing to localhost, but I can't find a way to have dhclient update bind's idea of forwarders IPs.

dhclient has the supersede option for the first part, something like

supersede domain-name-servers 127.0.0.1;

in your interface section, see dhclient.conf(5) for details.

For the other part, if you're running your own nameserver, why would you want to use forwarders at all?

The only way to change the bind settings would be through a script that does it. But I don't think you could run it from dhclient, as there's no way I know of to pass the retrieved name server information to a script. Possibly write a script that requests the name server data from the DHCP server independent of dhclient, and update the bind config from there.

Alex.
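For the scripted second part, here is an added sh/awk example that is not from the thread: it pulls the domain-name-servers out of a dhclient.leases excerpt (the lease text is constructed, and the comma-separated "option domain-name-servers" line is assumed to be what dhclient writes), accepts only well-formed IPv4 addresses so that nothing the DHCP server hands out can be spliced into named.conf as syntax, and atomically rewrites an include file carrying the forwarders clause. The file name to include from named.conf is the caller's choice.

```shell
#!/bin/sh
# Added example: turn DHCP-supplied name servers into a named.conf
# "forwarders" include file, validating each address first.
# SAMPLE_LEASE is constructed sample data; the comma-separated
# "option domain-name-servers" form is assumed from dhclient.leases.
SAMPLE_LEASE='lease {
  interface "fxp0";
  fixed-address 192.0.2.10;
  option subnet-mask 255.255.255.0;
  option routers 192.0.2.1;
  option domain-name-servers 198.51.100.53,198.51.100.54;
  renew 4 2005/07/14 10:00:00;
}'

# lease_nameservers: print the servers of the last lease on stdin, one per
# line (dhclient appends leases, so the last block is the current one).
lease_nameservers() {
    awk '/option domain-name-servers/ { line = $3 }
         END {
             if (line == "") exit 1
             sub(/;$/, "", line)
             n = split(line, s, ",")
             for (i = 1; i <= n; i++) print s[i]
         }'
}

# is_ipv4 ADDR: succeed only for a plain dotted quad. Anything else coming
# from the (untrusted) DHCP server is rejected rather than written to named.conf.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NR > 1 || NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1
        }'
}

# forwarders_clause ADDR...: print the named.conf clause, or fail on bad input.
forwarders_clause() {
    list=""
    for ip in "$@"; do
        is_ipv4 "$ip" || return 1
        list="$list $ip;"
    done
    [ -n "$list" ] || return 1
    printf 'forwarders {%s };\n' "$list"
}

# update_forwarders_file FILE: rewrite FILE (meant to be included from
# named.conf) atomically from the lease text on stdin; leaves FILE untouched
# if the lease has no usable servers.
update_forwarders_file() {
    servers="$(lease_nameservers)" || return 1
    # word splitting of $servers on newlines is intended here
    # shellcheck disable=SC2086
    clause="$(forwarders_clause $servers)" || return 1
    tmp="$1.tmp.$$"
    printf '%s\n' "$clause" > "$tmp" && mv "$tmp" "$1"
}

# Stand-alone run: show the servers found in the sample lease.
printf '%s\n' "$SAMPLE_LEASE" | lease_nameservers
```

After a successful rewrite, named still has to be told to reload its configuration; that step is left to the caller.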
Re: OT: Hardware keyloggers embedded in new keyboards?
...on Mon, Jun 20, 2005 at 07:08:18AM -0500, Dave Feustel wrote:
> If one-time passwords capability is built into OpenBSD, where can I read about how to use them?

skey(1) will start you off.

Alex.
Re: OT: Hardware keyloggers embedded in new keyboards?
...on Mon, Jun 20, 2005 at 07:32:09AM -0500, Dave Feustel wrote:
> > One Time Passwords such as skey(1) are also good for insecure environments.
> I just read the man page for skey, but I still don't quite understand how it works. Would I use a calculator to generate a response that I type in response to a challenge, or what?

s/key has been around for a long time. Ask Google.

Alex.
Re: OT: Hardware keyloggers embedded in new keyboards?
...on Mon, Jun 20, 2005 at 07:24:16AM -0500, Dave Feustel wrote:
> Here is a relevant link:
> http://www.rumormillnews.com/cgi-bin/forum.cgi?read=73190

That's just the same thing all over.

> We may get to find out - see the above link which is apparently the source material for the snopes article you reference below. While it does pay to be sceptical of reports like the one snopes criticizes, I do not trust snopes

The pictures from the original article have supposedly been taken from http://www.dansdata.com/keyghost.htm. The snippets which were used to fake the homeland security letter were in the same directory as the original lol.htm

How do you make sure your version of OpenBSD isn't rigged to use some covert channel to send off keyboard input data to somewhere else, by the way?

Alex.
Re: Sun ELC?
...on Fri, Jun 03, 2005 at 07:15:51AM +0100, Peter Galbavy wrote:
> Gordon Grieder wrote:
> > Before I start following sparc@ (if I go ahead with this): I recently inherited a Sun ELC. It's an ancient all-in-one thing that looks
> Now ? Might work as a non caching nameserver - memory is rather limited, while CPU is OK-ish.

Up until three years ago or so, I was running a backup MX for about 50 customers on a 25MHz SS1+ (and one of them had roughly 6000 mail users), with postfix on OpenBSD. Probably wouldn't work with today's spam levels though, regardless of the software used. At the time, disk space (an external 4GB disk for the spool filled up in about a day when the largest customer was offline) was more of a problem than CPU power.

Alex.
Re: Wifi frustration (SUCCESS)
Hi,

...on Sun, May 22, 2005 at 03:16:51PM -0400, Steve Shockley wrote:
> No, it's hard to find new Prism-based cards anymore except for a few USB ones, and last I looked wi on usb didn't work as an access point.

At least according to the manpage, it still doesn't work / is supposed to be buggy altogether...

Alex.