Re: Automatic OS updates

2024-02-21 Thread bsd
FWIW if you guys want to yell at me for spreading bad ideas,
I've posted how to do automatic updates here:

https://openbsd.pages.dev/auto-updates/

I'm both trying out the Hugo package and like, documenting
how I've set things up in case I have to reinstall.

Time moves fast and I'm damn impressed by how smooth the
BSD experience is.



Re: Block HTTP requests from non-browser clients

2024-02-21 Thread bsd


Sorry I posted to the wrong thread. Please disregard.



Re: Block HTTP requests from non-browser clients

2024-02-21 Thread bsd
FWIW if you guys want to yell at me for spreading bad ideas,
I've posted how to do automatic updates here:

https://openbsd.pages.dev/auto-updates/

I'm both trying out the Hugo package and like, documenting
how I've set things up in case I have to reinstall.

Time moves fast and I'm damn impressed by how smooth the
BSD experience is.



Re: Automatic OS updates

2024-02-17 Thread bsd
On Fri, Feb 16, 2024, at 17:09, Jan Stary wrote:
> And this saves you what, ten keystrokes a day?

Yes, it felt silly typing the same things every day and waiting for
the computer to update.

(If an update takes 4 minutes per day to babysit, that's about 
2 hours per month)

On Fri, Feb 16, 2024, at 21:10, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> Blind updating out of cron is utter madness.  If there are any merge
> errors in /etc (think sshd_config for starters), you can end up
> with a machine you cannot log in to, or that's just acting out
> destructively.

Yeah!  But you guys are sysadmins, I'm basically a 'gamer', I mostly
use my OpenBSD computer for an online game.

Thus an upgrade problem mostly risks me being late for a 'war',
which is not the end of the world.

SSH not coming back up is a non-issue, I have screen and keyboard
connected.  (I'll probably turn off auto-updates when traveling tho
as remote access is nice although non-essential.)

I also have a second computer I can boot up if this one doesn't work.



Re: Automatic OS updates

2024-02-17 Thread bsd
On Thu, Feb 15, 2024, at 21:52, Florian Obser wrote:
> >  0  3  *  *  * root  sysupgrade 
> 
> This will stop working at the next release. Assuming you want to run -current.

Thanks, changed to 'sysupgrade -s'.

> >30  3  *  *  * root  pkg_add -u
> 
> This will most likely run after package daemons have started. There is an 
> example in upgrade.site(5) how to do this differently.

Thanks, very helpful, now using /upgrade.site to update packages
after sysupgrades.



Automatic OS updates

2024-02-15 Thread bsd
So I was curious, am I the only one using automatic OS updates
in cron to keep the fish fresh and the bits dust free?

I think I read somewhere that it's not recommended but I'm not
running a server so it seems like a good idea to me.

/etc/crontab: 

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
  0  3  *  *  * root  sysupgrade
 30  3  *  *  * root  pkg_add -u

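An added example (not from the thread, and not OpenBSD's own upgrade.site(5) text): the crontab above runs `pkg_add -u` at a fixed time, which Florian's reply points out is after the package daemons have already come up. The variant below is an `/upgrade.site` that queues the package update for the first boot of the upgraded system through `/etc/rc.firsttime`, which is the kind of approach upgrade.site(5) documents; check the man page on your release for the exact wording. The companion crontab line is `0 3 * * * root sysupgrade -s` for -current. Assumed: `/etc/rc` honours `rc.firsttime`, and `/var/backups` exists.

```shell
#!/bin/sh
# /upgrade.site (added example). sysupgrade runs this chrooted into the
# freshly upgraded system, so anything needing the network or the package
# daemons is better queued for first boot than run here.

# Append one command to the first-boot hook, creating the hook if needed and
# skipping the append if the identical line is already present, so running
# upgrade.site twice does not queue the update twice.
queue_firsttime() {
    hook="$1"; cmd="$2"
    if [ -f "$hook" ] && grep -qxF -- "$cmd" "$hook"; then
        return 0
    fi
    printf '%s\n' "$cmd" >> "$hook"
}

# What gets queued: save the list of manually installed packages first so a
# bad update can be undone by hand (pkg_add -u has no rollback), then update
# and keep the output for the next time someone looks at the machine.
pkg_update_command() {
    printf '%s' 'pkg_info -mz > /var/backups/pkg-list.before-update && pkg_add -u 2>&1 | tee /var/log/pkg_add-upgrade.log'
}

# Only act when invoked as upgrade.site (the installer runs /upgrade.site);
# loading the file anywhere else just defines the functions above.
case "$0" in
    */upgrade.site) queue_firsttime /etc/rc.firsttime "$(pkg_update_command)" ;;
esac
```

The first-boot hook is run once by `/etc/rc` and then removed, so the update happens exactly once per upgrade, after sysmerge has had its turn and with the new kernel and libraries in place.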


KeyTrap DNS vulnerability

2024-02-13 Thread bsd
“A single packet can exhaust the processing
capacity of a vulnerable DNS server, effectively
disabling the machine, by exploiting a
20-plus-year-old design flaw in the DNSSEC
specification.”

https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/


Re: Screenshotting using PrtScr in cwm?

2024-02-13 Thread bsd
Here's someone who apparently had the same or similar 
problem on Arch Linux, and managed to solve it:

https://unix.stackexchange.com/questions/669853/printscreen-key-not-registering-in-arch-linux

Just changing the SysRq keycode doesn't work for me tho.



Re: Screenshotting using PrtScr in cwm?

2024-02-10 Thread bsd
On Sat, Feb 10, 2024, at 17:24, Omar Polo wrote:
> If xev doesn't report the keypress there's a chance something else has
> bound that key.  Double-check that you don't have other bind directives
> in your cwmrc file and that no running application may have bound that
> key.
> 
> Running a test with xev using an empty .cwmrc and a .xsession consisting
> of only `exec cwm' could help in ruling out whether the key is really
> not available for other reason or is 'just' a configuration error
> somewhere in your .xsession or .cwmrc.

I did this now:

~$ mv .xsession .xsession.old
~$ mv .cwmrc .cwmrc.old
~$ doas reboot

This landed me in fvwm.  Even here, xev doesn't see the keypress.
I then did 'echo exec cwm > .xsession' and restarted X.
Here too, xev did not detect the keypress.



Re: Screenshotting using PrtScr in cwm?

2024-02-10 Thread bsd
On Sat, Feb 10, 2024, at 16:00, Christian Weisgerber wrote:
> > It would make more sense to use the dedicated PrtScr key,  but I 
> > can't work out what it's called; I've tried to brute force the name.  
> 
> Print

Thanks.  Not working unfortunately.

> > Also, xev doesn't detect the keypress.
> 
> That's odd, because I just used xev to find out.

Yep.  Also I have this:

~$ xmodmap -pke | grep Print 
keycode 111 = Print Sys_Req Print Sys_Req

Seems to me it should totally be bindable like any other key, 
but it seems something eats the keypress as xev can't see it either.

---

On Sat, Feb 10, 2024, at 15:34, PM wrote:
> This works for me using my laptop keyboard.(T460s)
> 
> bind-key Print "bin/screenshot"
> 
> Does not work when using an external keyboard on my Docking station.

This is intriguing.  My computer is a 'desktop' so I'm using an 
external keyboard; wireless if that matters.



Screenshotting using PrtScr in cwm?

2024-02-10 Thread bsd
So, this works for me in .cwmrc:

bind-key 4-F11 "bin/screenshot"

It would make more sense to use the dedicated PrtScr key, but I
can't work out what it's called; I've tried to brute force the name.

Also, xev doesn't detect the keypress.



Re: Firefox, Chrome, Libreoffice bogus syscall on -current

2023-12-27 Thread bsd
On Thu, Dec 28, 2023, at 00:41, Ax0n wrote:
> I had been running #1471 since December 5th without issue, and this week
> upgraded to the latest snapshot (#1567) after which some apps such as
> Firefox won't run. They display "msyscall  a8000 error" followed by a
> core dump. dmesg(1) shows a bogus syscall. I did ensure that I had properly
> sysmerged and updated packages. I waited until the next snapshot hit
> mirrors, and verified that this issue persists with build #1572 and fresh
> packages as well. Lenovo X1 Carbon Gen 8. dmesg in body. I can put core
> dumps somewhere if it helps.

I'm on #1576 and both ungoogled-chromium and firefox work fine.


cwm on wayland

2023-12-15 Thread bsd
So they're putting a Wayland in our BSD.

I've never used that before.

Is a port of cwm planned?



Re: Multicast Routing issues with OpenBSD

2022-11-09 Thread Tarkan Erimer - BSD




On 9.11.2022 12.39 PM, Barbaros Bilek wrote:

Hi again,

I've added this route :
''route add 239.0.1.2/32 172.16.1.1''
But nothing changed.
Is OpenBSD capable of multicast routing? Am I doing a wrong configuration?
Any thoughts?
Thanks in advance.

On Tue, Nov 8, 2022 at 6:28 PM Barbaros Bilek 
wrote:


Hi Folks,

I try to do multicast routing with OpenBSD 7.2
Here is my setup:

# Default GW to internet
echo 'inet autoconf' > /etc/hostname.em0
# Get 10.10.12.81/24 from dhcp-server with gw 10.10.12.1

# Multicast Server  Interface (transmit packets)
echo 'inet 172.16.1.1 255.255.255.0 NONE' > /etc/hostname.em1
# Multicast Client interface (receive packets)
echo 'inet 172.16.55.1 255.255.255.0 NONE' > /etc/hostname.em2
# Forward ip & multicast
echo 'sysctl net.inet.ip.forwarding=1' > /etc/sysctl.conf
echo 'sysctl net.inet.ip.mforwarding=1' >> /etc/sysctl.conf
# Enable Multicast on OpenBSD
rcctl enable multicast
# Disable PF
rcctl disable pf

# Mrouted Configuration
multicast_test# cat /etc/mrouted.conf
name STD 239.0.0.0/16
pruning on
phyint 172.16.1.1 threshold 16
boundary STD
altnet 172.16.0.0/16
phyint 172.16.55.1 threshold 16
boundary STD
altnet 172.16.0.0/16
phyint 10.10.12.81 disable
# Enable mrouted on startUp
rcctl enable mrouted
# Reboot system
reboot

For testing purposes I use this application : Singlewire Software IC Test
Multicast (It uses )
I'm sure about my testing environment. Because when I use a Brocade ICX L3
switch with router pim configuration everything is ok. But with OpenBSD
multicast routing fails:

Here some logs :

multicast_test# mrinfo
127.0.0.1 (localhost) [version 3.8,prune,genid,mtrace]:
   10.10.12.81 -> 0.0.0.0 (local) [1/1/disabled]
   172.16.1.1 -> 0.0.0.0 (local) [1/16/querier/leaf]
   172.16.55.1 -> 0.0.0.0 (local) [1/16/querier/leaf]


multicast_test# netstat -g

Virtual Interface Table
  Vif  Thresh  Local-Address   Remote-Address   Pkt_in  Pkt_out
    1      16  172.16.1.1                          458        0
    2      16  172.16.55.1                           0        0

Multicast Forwarding Cache
  Hash  Origin       Mcastgroup   Traffic  In-Vif  Out-Vifs/Forw-ttl
     0  172.16.1.1   239.0.1.2       458B       1

Total no. of entries in cache: 1

IPv6 Multicast Interface Table is empty
IPv6 Multicast Routing Table is empty


Output when I run mrouted in debug mode:


multicast_test# mrouted -d
mrouted: debug level invalid
debug level 2
18:06:55.405 mrouted version 3.8
18:06:55.407 Getting vifs from kernel interfaces
18:06:55.408 installing em0 (10.10.12.81 on subnet 10.10.12/24) as vif #0 - rate=0
18:06:55.408 installing em1 (172.16.1.1 on subnet 172.16.1/24) as vif #1 - rate=0
18:06:55.408 installing em2 (172.16.55.1 on subnet 172.16.55/24) as vif #2 - rate=0
18:06:55.408 Getting vifs from /etc/mrouted.conf
18:06:55.408 Installing vifs in mrouted...
18:06:55.408 vif #1, phyint 172.16.1.1
18:06:55.409 vif #2, phyint 172.16.55.1
pruning on
18:06:55.410 Installing vifs in kernel...
18:06:55.410 vif #1, phyint 172.16.1.1
18:06:55.410 vif #2, phyint 172.16.55.1
vifs_with_neighbors = 0

Virtual Interface Table
 Vif  Name  Local-Address                         M  Thr  Rate  Flags
   0  em0   10.10.12.81  subnet: 10.10.12/24     1    1     0  disabled
18:06:55.411 warning - SIOCGETVIFCNT fails

   1  em1   172.16.1.1   subnet: 172.16.1/24     1   16     0  querier
        alternate subnets: 172.16/16
        boundaries: 239.0/16
18:06:55.411 warning - SIOCGETVIFCNT fails

   2  em2   172.16.55.1  subnet: 172.16.55/24    1   16     0  querier
        alternate subnets: 172.16/16
        boundaries: 239.0/16
18:06:55.411 warning - SIOCGETVIFCNT fails

Multicast Routing Table (3 entries)
 Origin-Subnet  From-Gateway  Metric  Tmr  In-Vif  Out-Vifs
 172.16.55/24                      1    0       2  1*
 172.16.1/24                       1    0       1  2*
 172.16/16                         1    0       1  2*

18:07:15.583 update 0 starting at 3 of 3
18:07:16.593 update 0 starting at 3 of 3
18:07:17.602 update 0 starting at 3 of 3
18:07:18.612 update 0 starting at 3 of 3


When I watch packets on em1 I can see multicast packets arriving
(constantly increasing...):

multicast_test# tcpdump -nettti em1 host 239.0.1.2
tcpdump: listening on em1, link-type EN10MB
Nov 08 18:19:33.344608 2c:f0:5d:73:f8:c4 01:00:5e:00:01:02 0800 73: 172.16.1.2.50665 > 239.0.1.2.20480: udp 31
Nov 08 18:19:34.358455 2c:f0:5d:73:f8:c4 01:00:5e:00:01:02 0800 73: 172.16.1.2.50665 > 239.0.1.2.20480: udp 31


But at the receiver side (em2) there are no multicast packets transmitted
by em1. After a while I saw only one packet, an IGMP report with TTL 1:

multicast_test# tcpdump -nettti em2 host 239.0.1.2
tcpdump: listening on em2, link-type EN10MB
Nov 08 18:21:12.994258 2c:f0:5d:73:f8:c3 01:00:5e:00:01:02 0800 60: 172.16.55.2 > 
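
An added example, not part of the thread: before digging into mrouted, check the router's `/etc/sysctl.conf`. sysctl.conf(5) documents that file as bare `name=value` lines, which `/etc/rc` hands to sysctl(8) at boot; the `echo 'sysctl net.inet.ip.forwarding=1' > /etc/sysctl.conf` commands in the post write lines that carry a leading `sysctl` word, which is not that format, so whether they take effect after a reboot is nothing to rely on. The two functions below take the file to check as a parameter so they can be run against a scratch copy; the sample files in the test are constructed.

```shell
#!/bin/sh
# Added example: validate a sysctl.conf and confirm the two settings a
# multicast router needs (IP forwarding and multicast forwarding) are present.

# Return 0 if every non-comment line is of the form name=value with a
# well-formed sysctl name; otherwise print the offending lines to stderr
# and return 1.
validate_sysctl_conf() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;                 # blank or comment
        esac
        case "$line" in
            *=*) ;;
            *) echo "not a setting (no '='): $line" >&2; bad=1; continue ;;
        esac
        name=${line%%=*}
        # sysctl MIB names are dotted words; a space here means the line was
        # written as a command ("sysctl net.inet...") rather than a setting.
        if ! printf '%s' "$name" | grep -Eq '^[A-Za-z0-9_.]+$'; then
            echo "invalid sysctl name '$name' in: $line" >&2
            bad=1
        fi
    done < "$1"
    return $bad
}

# Report which of the multicast-router settings are missing or not set to 1;
# return 1 if any is missing, 0 if both are present.
required_multicast_settings() {
    missing=0
    for key in net.inet.ip.forwarding net.inet.ip.mforwarding; do
        if ! grep -Eq "^[[:space:]]*$key=1[[:space:]]*$" "$1"; then
            echo "missing or disabled: $key" >&2
            missing=1
        fi
    done
    return $missing
}
```

Run both against `/etc/sysctl.conf` on the router; a clean pass from both, followed by `sysctl net.inet.ip.mforwarding` showing 1 on the live system, rules the forwarding switches out before mrouted itself is suspected.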

Patch for www:upgrade66

2019-10-16 Thread bsd
  16 Oct 2019 19:15:14 -
@@ -627,8 +627,13 @@ ike dynamic esp transport proto udp from
 psk mekmitasdigoat
 
 
+<<<<<<< faq17.html
+Once the IKEv1 tunnel is up and running, the L2TP tunnel need to be configured.
+OpenBSD doesn't provide an L2TP client by default, so installing
+===
 Once the IKEv1 tunnel is up and running, the L2TP tunnel needs to be 
configured.
 OpenBSD doesn't provide an L2TP client by default, so installing
+>>>>>>> 1.5
 xl2tpd is required.
 
 
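Review bot: the five `+` lines in this hunk add CVS conflict markers (`<<<<<<< faq17.html`, `===`, `>>>>>>> 1.5`) plus both versions of the sentence to faq17.html, so the working copy still holds an unresolved merge. Resolve it first by keeping one paragraph (the 1.5 wording "the L2TP tunnel needs to be configured" is the grammatical one) and deleting the marker lines, then regenerate the diff; as sent, the markers and the duplicated sentence would land on the published page.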
Index: faq/upgrade66.html
===
RCS file: /cvs/www/faq/upgrade66.html,v
retrieving revision 1.10
diff -u -p -r1.10 upgrade66.html
--- faq/upgrade66.html  16 Oct 2019 17:48:16 -  1.10
+++ faq/upgrade66.html  16 Oct 2019 19:15:14 -
@@ -36,10 +36,10 @@ local system first.
 
 Start by performing the pre-upgrade steps.
 Next, boot from the install kernel, bsd.rd:
-use bootable install media, or place the 
-6.6 version of bsd.rd in the root of your filesystem and 
+use bootable install media, or place the
+6.6 version of bsd.rd in the root of your filesystem and
 instruct the boot loader to boot this kernel.
-Once this kernel is booted, choose the (U)pgrade option and 
+Once this kernel is booted, choose the (U)pgrade option and
 follow the prompts.
 
 
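Review bot: the edits at `-36,10 +36,10` (and in the following `-136,7` hunk) only strip trailing spaces from lines that are otherwise unchanged; they are fine, but mixing them into the same diff as the FSlib.h change in the last hunk makes the functional change harder to spot. Send whitespace-only cleanups as a separate diff, or state in the mail that everything except the last hunk is whitespace.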
@@ -136,7 +136,7 @@ any post-release fixes.
   acme-client(1).
 
   https://man.openbsd.org/OpenBSD-6.6/acme-client.1;>acme-client(1)
-  has been updated to implement the recently published RFC8555. Users 
+  has been updated to implement the recently published RFC8555. Users
   must change the api url in
   https://man.openbsd.org/OpenBSD-6.6/acme-client.5;>
   /etc/acme-client.conf from
@@ -286,7 +286,7 @@ any post-release fixes.
   Remove files associated with client use of the X Font Service:
   
   rm -f /usr/X11R6/lib/pkgconfig/libfs.pc \
-/usr/X11R6/include/X11/fonts/FSlib.h
+/usr/X11R6/include/X11/fonts/FSlib.h;
  rm -rf  /usr/X11R6/share/doc/libFS
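Review bot: the `;` appended to the FSlib.h continuation line at `-286,7` is a no-op: the `\` on the preceding line joins the two lines into a single `rm -f` command, and the newline already ends it before the following `rm -rf`. If the intent is to match the punctuation style of other command blocks on the page, say so; otherwise leave the line as it was so the rendered command reads the way a user would type it.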
 

--
~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<<

Stephane HUC as PengouinBSD or CIOTBSD
b...@stephane-huc.net



Re: Postscript printer recommendations

2019-07-16 Thread BSD user




On 7/16/19 11:03 AM, Jonathan Drews wrote:

On Tue, Jul 16, 2019 at 10:36:03AM -0700, BSD user wrote:



On 7/16/19 4:13 AM, Jonathan Drews wrote:

On Tue, Jul 16, 2019 at 08:06:20AM +, Roderick wrote:

At this point, I am going to look for another printer that is more
OpenBSD friendly. My Deskjet 6940 is pretty old and the cartridges
cost a lot (> USD $120.00)

Kind regards,
Jonathan



I may just be a luddite, but after wasting multiple days messing around
with cups, ghostscript, hplip et al, I decided it was just easier to
print everything via postscript.


.
.
.

This solution doesn't offer the convenience of automagically converting
arbitrary file formats to PCL or whatever the printer format of the day
is, but it works for me without having to add a ridiculous number
of packages and configs.



Thanks Roderick:

I got to this instruction in the CUPS Readme:


*** WARNING ***
ulpt(4) needs to be disabled in the kernel (see config(8)) or the printer
will not be available to libusb.


I read the manpage for config(8) and I can't seem to find the appropriate
configuration file in /usr/src/sys/arch/amd64/compile. I'll have to
read up on compiling the kernel and modifying its configuration file.
Once again thanks for all the generous help from you guys.

Regards,
Jonathan



I think you can temporarily disable ulpt via ukc, but I can't confirm as
I'm currently travelling.

As sthen@ said (IIRC) earlier in the thread, if your printer has
networking (ethernet or wifi) support, it's usually easiest to just
print over the network as it saves having to mess with kernel configs
and device node permissions.

Because I don't trust printers and their ancient firmware and "cloud"
features, I threw my printer on an isolated VLAN with a firewall rule
set in my router to block any outgoing internet traffic from the printer.

Cheers
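
An added example of the isolation described above, not from the thread: a pf.conf fragment for a printer on its own VLAN that can be printed to from the LAN but cannot start any connection of its own, generated by a small shell function so the interface names and addresses are parameters. The router is assumed to be OpenBSD running pf; `vlan20`, `em0` and the addresses in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit pf rules that confine a printer to its VLAN.

# $1 = printer VLAN interface, $2 = printer address (assumed static; a DHCP
# client would need a broadcast exception), $3 = LAN-facing interface,
# $4 = LAN network in CIDR form.
printer_vlan_rules() {
    prn_if="$1"; printer="$2"; lan_if="$3"; lan_net="$4"
    printf '%s\n' \
        "# printer isolation: $printer on $prn_if" \
        "# Nothing the printer initiates gets through: no cloud call-home," \
        "# no firmware phone-home, no lateral connections into $lan_net." \
        "# 'return' answers with RST/ICMP so the printer's retries fail fast." \
        "block return in on $prn_if all" \
        "# LAN hosts may print over LPD, IPP and JetDirect. pf keeps state on" \
        "# this rule, so the printer's replies match the state entry rather" \
        "# than a rule, and the block above never sees them." \
        "pass in on $lan_if inet proto tcp from $lan_net to $printer port { 515 631 9100 }"
}

# Syntax-check the fragment with pfctl -n (run as root on the router) when
# pfctl exists; elsewhere report that the check was skipped and succeed.
lint_rules() {
    if command -v pfctl >/dev/null 2>&1; then
        printf '%s\n' "$1" | pfctl -nf -
    else
        echo "pfctl not available, skipping syntax check" >&2
    fi
}
```

pf evaluates rules last-match-wins, so the `block` line comes first and any later `pass` for the printer VLAN (for instance NTP to the router, if the printer needs it) overrides it only for that traffic. Append the generated lines to the router's pf.conf and reload with `pfctl -f /etc/pf.conf`.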



Re: Postscript printer recommendations

2019-07-16 Thread BSD user




On 7/16/19 4:13 AM, Jonathan Drews wrote:

On Tue, Jul 16, 2019 at 08:06:20AM +, Roderick wrote:

At this point, I am going to look for another printer that is more
OpenBSD friendly. My Desjet 6940 is pretty old and the cartridges
cost a lot (> USD $120.00)

Kind regards,
Jonathan



I may just be a luddite, but after wasting multiple days messing around
with cups, ghostscript, hplip et al, I decided it was just easier to
print everything via postscript.

My printing "workflow" is quite rudimentary, but it has yet to fail me.
I set up a simple lpd server on my desktop pointing to my Brother
printer, from which I can print raw .txt, pdf or postscript files
directly via lpr/lpd. If I find myself needing to print a file that
isn't in one of these formats, I simply convert them to that format
manually.

If I need to print a .doc or .odt file, I just open them in LibreOffice
and export them to pdf, which can then be printed via lpr. (As an aside,
LibreOffice supports rendering pages to postscript and printing them
directly as it seems to detect my lpd setup and offers "Generic Printer"
as an option, allowing me to print directly from within LibreOffice.)

This solution doesn't offer the convenience of automagically converting
arbitrary file formats to PCL or whatever the printer format of the day
is, but it works for me without having to add a ridiculous number
of packages and configs.



Re: Moving from Bird to OpenBGPD

2019-07-16 Thread BSD user




On 7/14/19 11:24 PM, Claudio Jeker wrote:

On Sun, Jul 14, 2019 at 07:28:29PM -0700, BSD user wrote:



On 7/14/19 12:52 AM, Denis Fondras wrote:

On Sat, Jul 13, 2019 at 09:44:28PM -0700, BSD user wrote:

Hello,

My apologies for sending this email multiple times.

I was so mortified by Tutanota's awful text formatting that I
created a new mail account that supported IMAP so that I could load
it up in Thunderbird with text only mode enabled.

Once again, my apologies for my rookie mistake choosing Tutanota for
use on an international mailing list such as this one. I hope you
guys will give me one more chance.

My (hopefully) unmangled message is below.



You did not include which version you are running, I'll assume this is
6.5.  It seems you do not have any filter, OpenBGPD denies everything
by default.



Thanks for the reply Denis. You were right, I was missing my allow
rules. After setting "allow from any AS 64515" and "allow to any" rules,
everything started working. I was able to get IPv6 working as well
without a hitch.

Are there any other filter rules I should be setting to secure my BGP
deployment? I'm on a private ASN assigned to me by Vultr. This is my
first foray into BGP land, so any advice or tips would be much
appreciated.


Ideally you want to limit the filters to only announce what you really
need to announce to prevent leaking of prefixes because of a
missconfiguration. Also what is Vultr sending you via BGP?  Depending on
that you may be able to limit the input as well.

I guess in this simple setup it does not matter to have simple allow
filters since this bgpd instance is not connected to the default free zone
and so there is less risk of leaking or receiving leaked routes.  In
general if your BGP setup has more than one external neighbor you need to
take care of your filters to make sure that you don't leak updates from
one neighbor to the other.



Thanks for the reply Claudio!

You were right, my "allow from" rule was unnecessary, Vultr doesn't
appear to be sending me anything.

I managed to get my "allow to" rule tightened up to look like this:

allow to any prefix {xxx.xxx.xxx.141/32 2001:::::/64}

I tried tightening the rule down further to restrict to Vultr's upstream
AS and IP addresses like so:

'allow to 169.254.169.254 AS 64515 prefix 140.82.0.141/32'

Unfortunately the rule doesn't work properly as my prefixes immediately
become unpingable after loading that rule. I'm probably missing
something obvious. Any suggestions on how to tighten down the rule further?

My final question is concerning assigning prefixes to interfaces. Is it
best practice to assign the addresses to something like 'lo1' loopback
interface, or should assigning it as an alias on an egress interface
suffice? I tried and they both seem to work.

Thanks
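
An added example, not from the thread: a check for the export-filter point Claudio makes above. A `to` filter should name the prefixes you actually own, so a misconfiguration cannot leak other routes; in the configs quoted here, `allow to any` on its own is the weak form and `allow to any prefix { ... }` the restricted one. The function assumes one filter rule per line, as in those configs; the addresses in the test are constructed documentation prefixes, not Vultr's.

```shell
#!/bin/sh
# Added example: list export rules in a bgpd.conf that carry no prefix
# restriction. Returns 1 if any such rule exists, 0 otherwise.
find_unrestricted_exports() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        rule=${line%%#*}                                   # drop comments
        rule=$(printf '%s' "$rule" | sed 's/^[[:space:]]*//') # drop indentation
        case "$rule" in
            "allow to "*prefix*|"allow quick to "*prefix*)
                ;;                                         # restricted: fine
            "allow to "*|"allow quick to "*)
                echo "unrestricted export: $rule"
                found=1 ;;
        esac
    done < "$1"
    return $found
}
```

Usage: `find_unrestricted_exports /etc/bgpd.conf`. A non-zero exit means at least one export rule would announce whatever the RIB holds; tighten it to the prefixes you own, as in the `allow to any prefix {...}` rule above, before connecting a second neighbor.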




Re: Moving from Bird to OpenBGPD

2019-07-14 Thread BSD user




On 7/14/19 12:38 PM, Rudy Baker wrote:

It's sad how hostile this mailing list is that you need to beg forgiveness
for using a different email client because you may have triggered some of
these people. 



I'm not too concerned. I'm grateful for the fact that the OpenBSD
community has high standards. Upon reading my message on marc.info, I
myself was irritated by the poor formatting. I appreciate that Ingo
contacted me privately and informed me that Tutanota was mangling my
mail. Upon realizing this, I rectified the issue, as it's a matter of
etiquette: I'm already asking strangers to take time out of their day
to assist me, the least I can do is make it easy for them to understand
my request.



Re: Moving from Bird to OpenBGPD

2019-07-14 Thread BSD user




On 7/14/19 12:52 AM, Denis Fondras wrote:

On Sat, Jul 13, 2019 at 09:44:28PM -0700, BSD user wrote:

Hello,

My apologies for sending this email multiple times.

I was so mortified by Tutanota's awful text formatting that I created a
new mail account that supported IMAP so that I could load it up in
Thunderbird with text only mode enabled.

Once again, my apologies for my rookie mistake choosing Tutanota for use
on an international mailing list such as this one. I hope you guys will
give me one more chance.

My (hopefully) unmangled message is below.



You did not include which version you are running, I'll assume this is 6.5.
It seems you do not have any filter, OpenBGPD denies everything by default.



Thanks for the reply Denis. You were right, I was missing my allow
rules. After setting "allow from any AS 64515" and "allow to any" rules,
everything started working. I was able to get IPv6 working as well
without a hitch.

Are there any other filter rules I should be setting to secure my BGP
deployment? I'm on a private ASN assigned to me by Vultr. This is my
first foray into BGP land, so any advice or tips would be much
appreciated.

Cheers



Moving from Bird to OpenBGPD

2019-07-13 Thread BSD user

Hello,

My apologies for sending this email multiple times.

I was so mortified by Tutanota's awful text formatting that I created a
new mail account that supported IMAP so that I could load it up in
Thunderbird with text only mode enabled.

Once again, my apologies for my rookie mistake choosing Tutanota for use
on an international mailing list such as this one. I hope you guys will
give me one more chance.

My (hopefully) unmangled message is below.


--


Hello,


I’m having some trouble configuring OpenBGPD to replace my Bird deployment.

I’m trying to set up redundant web infrastructure for a few websites I
host with Vultr. To do so, I followed this guide:

https://www.vultr.com/docs/high-availability-on-vultr-with-floating-ip-and-bgp

It works flawlessly with Bird running on OpenBSD, but I obviously prefer
to run utilities from the base system wherever possible. I’ve spent more
time than I’d like to admit trying to get this setup working on OpenBGPD.

The only thing I did different from the above guide was use lo1 rather
than a dummy interface, as dummy interfaces appear to be a linuxism as
per this mailing list thread I found:

http://openbsd-archive.7691.n7.nabble.com/Dummy-Interface-In-OpenBGPd-td34009.html

Basically, all I’m trying to do is port my Bird config over to OpenBGPD.
At this point I’m just banging my head against a wall. I’ve spent
several days googling, reading man pages and trying different configs. I
must be missing something basic, and it’s likely something obvious I’m
missing, as I am by no means a BGP expert.

My bird config looks like this:


log "/var/log/bird" all;

router id xxx.xxx.224.9;

protocol device
{
scan time 60;
}

protocol direct
{
interface "lo1";
}

protocol bgp vultr
{
local as 65xxx;
source address xxx.xxx.224.9;
import none;
export all;
graceful restart on;
next hop self;
multihop 2;
neighbor 169.254.169.254 as 64515;
password "xx";
}


My attempt at a bgpd.conf looks like this:


# Global Configuration

AS 65xxx
router-id xxx.xxx.224.9

# Our Address Space
network xxx.xxx.0.141/32
network inet connected

# IPv4 Peers

neighbor 169.254.169.254 {
    remote-as       64515
    tcp md5sig password xx
    set nexthop self
    multihop        2
    descr           Vultr
    local-address   xxx.xxx.224.9
    announce IPv4 unicast
}



Any assistance you fine folks could provide to help me get this working
would be hugely appreciated.

I've also attached my config files to eliminate any chance of them being
mangled.

Thanks so much for your time.



Re: alternative method for "gtar --delete"

2016-11-25 Thread BSD
Aaron,

Thank you for putting me down this path. A few flags aside, this is the
solution I was looking for. 

BTW, OpenBSD's man pages are a cut above the rest; and I'd like to thank
everyone involved in the project for such an awesome OS.

All the best,

Keith Larsen
CPS Coatings

On Mon, 21 Nov 2016 13:26:29 +1100
Aaron Mason <simplersolut...@gmail.com> wrote:

> Your best bet is to generate a list and use it to build your archive -
> save a bit of effort and create your omit list:
> 
> # cd /site1/omit
> # find . > /tmp/siteXX-omit.lst
> 
> Then use this list to filter out any unwanted files from /share
> and /append:
> 
> # cd /share
> # find . | grep -v -f /tmp/siteXX-omit.lst | xargs tar -czpvf /site1/siteXX.tgz
> # cd /append
> # find . | grep -v -f /tmp/siteXX-omit.lst | xargs tar -rzpvf /site1/siteXX.tgz
> 
> Then, for cleanliness' sake:
> 
> # rm /tmp/siteXX-omit.lst
> 
> Hope this helps
> 
> On Sat, Nov 19, 2016 at 3:44 AM, BSD <b...@cpscoatings.net> wrote:
> > On Fri, 18 Nov 2016 14:07:45 +1100
> > Aaron Mason <simplersolut...@gmail.com> wrote:
> >  
> >> It's a bit long winded, but here's a possibility:
> >>
> >> # cd /
> >> # tar zcpvf siteXX.tgz /share/* /siteX/*
> >> 
> >> # tar ztf siteXX.tgz | grep '^/share' | xargs rm -f
> >>
> >> Though I'm not entirely sure what you mean by "on a per site
> >> basis" in this context, can you elaborate please, especially if
> >> the above solution is not what you need.
> >>
> >> On Fri, Nov 18, 2016 at 10:20 AM, BSD <b...@cpscoatings.net>
> >> wrote:  
> >> > Does misc@ have an alternative method for "gtar --delete"?  
> >
> > Sorry for any vagueness! I don't wish to delete any files
> > from /share, but have a subset of /share in siteXX.tgz. Also should
> > have mentioned that /share, /append, and /omit cannot be in the
> > path because siteXX.tgz is plopped on / during an install.
> >
> > What I have so far is to first create an archive using files
> > in /share.
> >
> > # cd /share
> > # tar -cpvf /site1/siteXX.tgz *
> > 
> >
> > Then I append to that archive using files in /site1/append.
> >
> > # cd /site1/append/
> > # tar -rpvf /site1/siteXX.tgz *
> > 
> >
> > Next is where I am stuck. Removing files from the archive that are
> > FROM /share that are not wanted in /site1/siteXX.tgz. I planned to
> > have an empty file of the same name in /site1/omit for each file to
> > delete from the archive.
> >
> > # cd /site1/omit/
> > # tar --delete /site1/siteXX.tgz *
> >   
> >   invalid flag
> >
> > Or perhaps I need to have a list of the files that gets appended and
> > redacted before ever creating the archive.
> >
> > Hope this picture got clearer...



Re: alternative method for "gtar --delete"

2016-11-18 Thread BSD
On Fri, 18 Nov 2016 14:07:45 +1100
Aaron Mason <simplersolut...@gmail.com> wrote:

> It's a bit long winded, but here's a possibility:
> 
> # cd /
> # tar zcpvf siteXX.tgz /share/* /siteX/*
> 
> # tar ztf siteXX.tgz | grep '^/share' | xargs rm -f
> 
> Though I'm not entirely sure what you mean by "on a per site basis" in
> this context, can you elaborate please, especially if the above
> solution is not what you need.
> 
> On Fri, Nov 18, 2016 at 10:20 AM, BSD <b...@cpscoatings.net> wrote:
> > Does misc@ have an alternative method for "gtar --delete"?

Sorry for any vagueness! I don't wish to delete any files from /share,
but have a subset of /share in siteXX.tgz. Also should have mentioned
that /share, /append, and /omit cannot be in the path because
siteXX.tgz is plopped on / during an install. 

What I have so far is to first create an archive using files in /share.

# cd /share
# tar -cpvf /site1/siteXX.tgz *


Then I append to that archive using files in /site1/append.

# cd /site1/append/
# tar -rpvf /site1/siteXX.tgz *


Next is where I am stuck. Removing files from the archive that are
FROM /share that are not wanted in /site1/siteXX.tgz. I planned to have
an empty file of the same name in /site1/omit for each file to delete
from the archive.

# cd /site1/omit/
# tar --delete /site1/siteXX.tgz *
  
  invalid flag

Or perhaps I need to have a list of the files that gets appended and
redacted before ever creating the archive. 

Hope this picture got clearer...



alternative method for "gtar --delete"

2016-11-17 Thread BSD
Does misc@ have an alternative method for "gtar --delete"?

I'm making siteXX.tgz's for multiple sites. There is a directory that
is shared between all sites. Then, each site may have a directory of
files to append to the archive.

I'd also like to be able to remove files from the yet to be zipped
archive that come from the shared directory on a per site basis. Just
looking to stay within base if possible.

Example files:
/share/etc/pf.conf
/share/etc/vi.exrc
/share/usr/X11R6/lib/X11/fonts/TTF/Collection/...
/site1/append/install.conf
/site1/omit/X11R6/lib/X11/fonts/TTF/Collection/...

Any advice on my methods or scheme in general would be appreciated!

All the best,

Keith Larsen
CPS Coatings
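
An added example, not from the thread: a base-only (find, grep, tar, gzip) implementation of the share/append/omit scheme described in this thread, written to avoid the pitfalls in the piped commands Aaron suggests further up. The omit list is matched as whole fixed strings (`grep -xF`), so the `.` that `find` prints and any regex metacharacters in font paths cannot match everything; only regular files are listed, so directory entries are never excluded; tar runs once per directory so a long list cannot clobber the archive; and the archive stays uncompressed until the end, because tar cannot append to a gzip'd archive. The directory layout (`/share`, `/siteN/append`, `/siteN/omit`) is the one from the thread, passed in as parameters; the tree in the test is constructed.

```shell
#!/bin/sh
# Added example: build a per-site siteXX.tgz from a shared tree plus a
# per-site append tree, minus the files named under the site's omit tree.

# Add every regular file under $1 not listed in $2 to archive $3 in tar mode
# $4 ("c" create, "r" append). Paths are collected into the positional
# parameters so tar is invoked exactly once.
add_selected() {
    dir="$1"; omitlist="$2"; archive="$3"; mode="$4"
    listfile=$(mktemp) || return 1
    # grep exits 1 when every file is omitted; that is "nothing to add".
    ( cd "$dir" && find . -type f | grep -vxF -f "$omitlist" ) > "$listfile" || :
    ( cd "$dir" || exit 1
      set --
      while IFS= read -r f; do set -- "$@" "$f"; done < "$listfile"
      [ $# -gt 0 ] || exit 0                 # nothing selected: not an error
      tar "-${mode}pf" "$archive" "$@" ) || { rm -f "$listfile"; return 1; }
    rm -f "$listfile"
}

# $1 = shared dir, $2 = site append dir, $3 = site omit dir, $4 = output .tgz
build_site_archive() {
    share="$1"; append="$2"; omit="$3"; out="$4"
    omitlist=$(mktemp) && tmparchive=$(mktemp) || return 1
    # One relative path per line ("./usr/X11R6/..."), produced by the same
    # find invocation so it compares exactly against the share listing.
    ( cd "$omit" && find . -type f ) > "$omitlist"
    add_selected "$share" "$omitlist" "$tmparchive" c
    add_selected "$append" /dev/null "$tmparchive" r   # nothing omitted here
    gzip -c "$tmparchive" > "$out"
    rm -f "$tmparchive" "$omitlist"
}

# List the members of a finished archive, for checking the result.
archive_members() {
    tar -tzf "$1"
}
```

Usage: `build_site_archive /share /site1/append /site1/omit /site1/siteXX.tgz`, then `archive_members /site1/siteXX.tgz | grep fonts` to confirm the omitted font files are absent before the archive is dropped onto `/` during an install.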



Re: SPARC minimum hardware specification

2015-07-17 Thread BSD
On Thu, 16 Jul 2015 21:09:30 +0300
Mihai Popescu mih...@gmail.com wrote:

> Hello,
> 
> I never used a SPARC machine but I recall there are some people on the
> list doing this.
> 
> What are the minimum requirements for a decent SPARC machine? I mean
> by that a machine who is able to run OpenBSD as a desktop. I am
> currently using a Pentium 4 3.2GHz with 2 GB DDR and it barely meets my
> needs. Tell me please the CPU or the machine name, I will search the
> prices :-).
> 
> Thanks
> 

Hello Misc,

As a new user, I find myself in the same position as the OP: very
interested in non-Intel products. But there seems to be a vacuum of
information around this topic. (Which tells me I'm on the right track) 

No operating system can protect itself from its own hardware. So how
does one protect one's family in these hostile and trying times and
what-not?

The replies to the OP seem discouraging. If not Oracle, and not
Fujitsu, then what? If not a sparc desktop, then what about a sparc
router? A RISC anything??

I have yet to achieve that warm fuzzy feeling, and I fear that it is
not within my reach. Long live Puffy!


All the best,

Keith Larsen
CPS Coatings
318-222-6100



Re: Thinkpad x220i hangs after a few days of uptime

2013-12-18 Thread Bsd Club
Well, thanks for your replies so far.
I am currently trying to repeat the problem but it didn't happen the
last four days (apmd is running).

@Ville Valkonen:
what applications do you use? I have quite a few big ones (chrome,
firefox, xombrero, eclipse, java). I suspect that one of those
programs is causing the trouble (they have coredumps quite often), so,
I close the programs when I don't need them.

Is there a way to activate enhanced/deeper logging functionality?


On 12/18/13, Ville Valkonen weezeld...@gmail.com wrote:
 On 17 December 2013 14:10, Christian Weisgerber na...@mips.inka.de wrote:
 Stuart Henderson s...@spacehopper.org wrote:

  I am using a Thinkpad x220i and I have a weird problem. Most of the
  time, I just put my notebook into suspend mode (zzz), so I do not
  often reboot. After 4 or 5 days, my notebook suddenly stops and I
  can't do anything except pressing the power button for 4 or 5 seconds
  and rebooting.

 Try disabling apmd, it is known to cause hangs on some systems.

 Which seems odd because my X230 suffers those hangs only when it
 is sitting there idling, but not when it is flat out busy or during
 interactive use.

 --
 Christian naddy Weisgerber  na...@mips.inka.de

 Hello Christian,

 X230i here and running smoothly. Out of curiosity, do you have the
 latest bios updates?
 $ uptime
 2:06PM  up 8 days, 13:08, 5 users, load averages: 0.25, 0.33, 0.36

 ..and still going strong. This includes several cycles of suspend & resume.

 Regards,
 Ville Valkonen



Upstream error: Nginx, slowcgi, and perl/cgi support.

2013-07-09 Thread BSD Kazakhstan
Hello everyone.
I'm having trouble setting up cgi/perl support for Nginx on OpenBSD 5.3.

I get 502 Bad Gateway in the browser when I request /cgi-bin/test.cgi,
which is a simple Hello World cgi file; it doesn't work with my setup.

The error.log says:

[error] 29912#0: *6 upstream prematurely closed FastCGI stdout while
reading response header from upstream,
server: localhost, request: GET /cgi-bin/test.cgi HTTP/1.1,
upstream: fastcgi://unix:/run/slowcgi.sock:

# pwd
/var/www/htdocs/cgi-bin

# cat test.cgi
#!/usr/bin/perl
# minimal CGI response: header, blank line, then the body
print "Content-type: text/html\n\n";
print "<html><body>Hello, world.</body></html>";

Both the cgi-bin folder and the test.cgi file have the appropriate
permissions set for execution.

Slowcgi is running (I follow the 5.3-stable branch,
but I downloaded the Makefile, slowcgi.8 and slowcgi.c files and compiled
it):

www  20010  0.0  0.1   636  1104 ??  Is  8:58PM  0:01.11 ./slowcgi

the socket is also there:

# ls -al /var/www/run/slowcgi.sock
srw-rw  1 www  www  0 Jul  8 20:58 /var/www/run/slowcgi.sock

Thinking of chroot(), I have even tried adding a copy of perl binary to:

# ls -l /var/www/usr/bin/
-rwxr-xr-x  1 root  daemon  10725 Jul  9 19:15 perl

And my nginx.conf:

server {
    listen       192.168.1.4:80;
    server_name  localhost local.web.ns;
    root         /var/www/htdocs;

    location ~ ^/cgi-bin/.*\.cgi$ {
        root           /var/www/htdocs;
        gzip           off;
        fastcgi_pass   unix:/run/slowcgi.sock;
        fastcgi_index  index.cgi;
        fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
        fastcgi_param  QUERY_STRING       $query_string;
        fastcgi_param  REQUEST_METHOD     $request_method;
        fastcgi_param  CONTENT_TYPE       $content_type;
        fastcgi_param  CONTENT_LENGTH     $content_length;
        fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
        fastcgi_param  SERVER_SOFTWARE    nginx;
        fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
        fastcgi_param  REQUEST_URI        $request_uri;
        fastcgi_param  DOCUMENT_URI       $document_uri;
        fastcgi_param  DOCUMENT_ROOT      $document_root;
        fastcgi_param  SERVER_PROTOCOL    $server_protocol;
        fastcgi_param  REMOTE_ADDR        $remote_addr;
        fastcgi_param  REMOTE_PORT        $remote_port;
        fastcgi_param  SERVER_ADDR        $server_addr;
        fastcgi_param  SERVER_PORT        $server_port;
        fastcgi_param  SERVER_NAME        $server_name;
    }
}

What could be the problem that I don't get the right output in the browser
with Nginx from any .cgi file?

Thanks.



[patch] Huawei E1750 support

2011-07-20 Thread bsd user
Hi,
I got an E1750 with O2 and noticed it's not working with -current. Here is the
little patch that should do the trick.
Without this patch, the device shows up as sdX (just the flash part of the device,
and /dev/cuaU0 is not set up).
Cheers,
Jurij

Index: dev/usb/umsm.c
===
RCS file: /cvs/src/sys/dev/usb/umsm.c,v
retrieving revision 1.77
diff -u -p -r1.77 umsm.c
--- dev/usb/umsm.c  8 Jul 2011 23:10:31 -   1.77
+++ dev/usb/umsm.c  20 Jul 2011 17:22:33 -
@@ -140,6 +140,7 @@ static const struct umsm_type umsm_devs[
{{ USB_VENDOR_HUAWEI,   USB_PRODUCT_HUAWEI_Mobile }, DEV_HUAWEI},
{{ USB_VENDOR_HUAWEI,   USB_PRODUCT_HUAWEI_K3765_INIT }, DEV_UMASS5},
{{ USB_VENDOR_HUAWEI,   USB_PRODUCT_HUAWEI_K3765 }, 0},
+   {{ USB_VENDOR_HUAWEI,   USB_PRODUCT_HUAWEI_E1750 }, DEV_UMASS5},
{{ USB_VENDOR_HUAWEI,   USB_PRODUCT_HUAWEI_E1752 }, 0},

{{ USB_VENDOR_HYUNDAI,  USB_PRODUCT_HYUNDAI_UM175 }, 0},
Index: dev/usb/usbdevs
===
RCS file: /cvs/src/sys/dev/usb/usbdevs,v
retrieving revision 1.548
diff -u -p -r1.548 usbdevs
--- dev/usb/usbdevs 8 Jul 2011 23:09:06 -   1.548
+++ dev/usb/usbdevs 20 Jul 2011 17:22:34 -
@@ -1963,6 +1963,7 @@ product HUAWEI E220   0x1003  HUAWEI Mobil
 product HUAWEI Mobile  0x1008  HUAWEI Mobile Modem
 product HUAWEI E1800x140c  HUAWEI Mobile E180
 product HUAWEI E5100x1411  HUAWEI Mobile E510
+product HUAWEI E1750   0x1406  HUAWEI Mobile Modem
 product HUAWEI E1752   0x1417  HUAWEI Mobile Modem
 product HUAWEI E1820x1429  HUAWEI Mobile Modem
 product HUAWEI E1610x1446  HUAWEI Mobile Modem
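Review bot: the HUAWEI block in usbdevs is kept in product-id order (0x1003, 0x1008, 0x140c, 0x1411, 0x1417, 0x1429, 0x1446), so the new 0x1406 line belongs before the E180 0x140c entry rather than between E510 (0x1411) and E1752 (0x1417); please move it so the table and the generated headers stay sorted.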
Index: dev/usb/usbdevs.h
===
RCS file: /cvs/src/sys/dev/usb/usbdevs.h,v
retrieving revision 1.558
diff -u -p -r1.558 usbdevs.h
--- dev/usb/usbdevs.h   8 Jul 2011 23:09:28 -   1.558
+++ dev/usb/usbdevs.h   20 Jul 2011 17:22:34 -
@@ -1970,6 +1970,7 @@
 #defineUSB_PRODUCT_HUAWEI_Mobile   0x1008  /* HUAWEI 
Mobile Modem */
 #defineUSB_PRODUCT_HUAWEI_E180 0x140c  /* HUAWEI Mobile E180 */
 #defineUSB_PRODUCT_HUAWEI_E510 0x1411  /* HUAWEI Mobile E510 */
+#defineUSB_PRODUCT_HUAWEI_E17500x1406  /* HUAWEI Mobile Modem 
*/
 #defineUSB_PRODUCT_HUAWEI_E17520x1417  /* HUAWEI 
Mobile Modem */
 #defineUSB_PRODUCT_HUAWEI_E182 0x1429  /* HUAWEI Mobile Modem 
*/
 #defineUSB_PRODUCT_HUAWEI_E161 0x1446  /* HUAWEI Mobile Modem 
*/
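Review bot: usbdevs.h is generated from usbdevs (make in sys/dev/usb), so this hunk and the usbdevs_data.h one below are normally left out of a submitted diff and regenerated by the committer; if they are kept, the define has to land in product-id order before USB_PRODUCT_HUAWEI_E180, matching where the usbdevs entry should go, which this hunk does not do.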
Index: dev/usb/usbdevs_data.h
===
RCS file: /cvs/src/sys/dev/usb/usbdevs_data.h,v
retrieving revision 1.552
diff -u -p -r1.552 usbdevs_data.h
--- dev/usb/usbdevs_data.h  8 Jul 2011 23:09:28 -   1.552
+++ dev/usb/usbdevs_data.h  20 Jul 2011 17:22:36 -
@@ -4010,6 +4010,10 @@ const struct usb_known_product usb_known
HUAWEI Mobile E510,
},
{
+   USB_VENDOR_HUAWEI, USB_PRODUCT_HUAWEI_E1750,
+   HUAWEI Mobile Modem,
+   },
+   {
USB_VENDOR_HUAWEI, USB_PRODUCT_HUAWEI_E1752,
HUAWEI Mobile Modem,
},
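Review bot: same as the usbdevs.h hunk: this table is generated and follows the order of usbdevs, so the new usb_known_product entry should be regenerated after the source entry is placed in product-id order rather than inserted by hand between E510 and E1752.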



Re[2]: [patch] Huawei E1750 support

2011-07-20 Thread bsd user
 On 20 July 2011, 23:00, David Coppa dco...@gmail.com wrote:
  On Wed, Jul 20, 2011 at 8:34 PM, bsd user bsd.u...@mail.ru wrote:
   Hi,
   I got an E1750 with O2 and noticed it's not working with -current. Here is
   the little patch that should do the trick.
   Without this patch, the device shows up as sdX (just the flash part of the
   device, and /dev/cuaU0 is not set up)
   Cheers,
   Jurij
  
  Please, can you provide us a dmesg with your patch applied?

I've snipped the unimportant things from the dmesg (hope that's not a problem)
dmesg before patching:
---
umsm0 at uhub0 port 3 configuration 1 interface 0 HUAWEI Technology HUAWEI 
Mobile rev 2.00/0.00 addr 2
umsm1 at uhub0 port 3 configuration 1 interface 1 HUAWEI Technologies HUAWEI 
Mobile Modem rev 2.00/0.00 addr 2
umsm0 detached
umsm1 detached
umass0 at uhub0 port 3 configuration 1 interface 3 HUAWEI Technology HUAWEI 
Mobile rev 2.00/0.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd2 at scsibus2 targ 1 lun 0: HUAWEI, SD Storage, 2.31 SCSI2 0/direct 
removable
ugen0 at uhub0 port 3 configuration 1 HUAWEI Technology HUAWEI Mobile rev 
2.00/0.00 addr 2
--

and dmesg after patching:
--
umsm0 at uhub0 port 3 configuration 1 interface 0 HUAWEI Technology HUAWEI 
Mobile rev 2.00/0.00 addr 2
umsm1 at uhub0 port 3 configuration 1 interface 1 HUAWEI Technologies HUAWEI 
Mobile Modem rev 2.00/0.00 addr 2
umsm0 detached
umsm1 detached
umsm0 at uhub0 port 3 configuration 1 interface 0 HUAWEI Technology HUAWEI 
Mobile rev 2.00/0.00 addr 2
ucom0 at umsm0
umsm1 at uhub0 port 3 configuration 1 interface 1 HUAWEI Technology HUAWEI 
Mobile rev 2.00/0.00 addr 2
ucom1 at umsm1
umsm2 at uhub0 port 3 configuration 1 interface 2 HUAWEI Technology HUAWEI 
Mobile rev 2.00/0.00 addr 2
ucom2 at umsm2
umsm3 at uhub0 port 3 configuration 1 interface 3 HUAWEI Technology HUAWEI 
Mobile rev 2.00/0.00 addr 2
--

  Is the device working with ppp?
Yes, it's working with ppp as /dev/cuaU0

  ciao,
  David
 
Cheers,
Jurij



Re: Vmail perm

2011-04-08 Thread BSD

On 04/08/11 05:00, Gianluca D'Auri Muscelli wrote:

Hi, I can't read my /var/vmail/mysitre.org/gdrm (perms vmail vmail).
Siti mutt, I can read email but I can't send: permission denied.
Can anyone say why???
Tks vvm





I cannot find the part of the email where you describe your system and 
how it is OpenBSD related. It could very well be my MUA's fault.


-luis



Re: bandwidth problem

2011-03-16 Thread BSD

On 03/16/11 12:30, R0me0 *** wrote:

Hello misc,

I have a network with wireless and bridge mode on AP's.

I put IP address on both sides and ping it normally.

On the left side I have a notebook with Windows Vista and an SMB share, and on the right
side I have another notebook with the same configuration. When I copy a file
over SMB, the speed is 10MB/s, which is very fast; I copied files of 50MB,
500MB and 2GB. Really, it is very fast. I did this test on both sides.

But now, begin my problems.

On both sides I have OpenBSD 4.8 i386.
If I set on both sides
ifconfig <iface> media 100baseTX mediaopt full-duplex, my speed drops
dramatically: the download of the same file is +/- 25kb/s, but if I set
ifconfig <iface> media autoselect

the speed is 1,8mb/s.

The problem is the speed, I'm rebelled! How the fu* is Windows 10x
faster than my OpenBSD box! I cannot believe this!

What is occurring? I replaced the ethernet on both sides, but I cannot get the
same speed as in the test.
I tried many configurations with ifconfig media, with and without pf
enabled, and it is the same thing.

BOX 1 ; ( offboard ethernet )

# dmesg | grep ste0

ste0 at pci3 dev 1 function 0 Sundance ST201 rev 0x31: apic 2 int 16 (irq
10), address aa:bb:cc:dd:ee:ff
ukphy0 at ste0 phy 0: Generic IEEE 802.3u media interface, rev. 0: OUI
0x0090c3, model 0x0018

BOX 2 : ( offboard ethernet )

# dmesg | grep ste1

ste1 at pci0 dev 9 function 0 Sundance ST201 rev 0x31: irq 11, address
gg:hh:ii:jj:ll:kk
ukphy1 at ste1 phy 0: Generic IEEE 802.3u media interface, rev. 0: OUI
0x0090c3, model 0x0018


The test that I did with OpenBSD was:

Box 1:
apachectl start

Box 2:
wget http://ip_address/instal48-i386.iso

Tried scp ... on both sides too; the speed is the same.

Please, can someone indicate the right direction to resolve this?



Regards,


Guilherme Hakme


The list is going to ask you for some of these points: 
http://www.openbsd.org/report.html


-luis



Re: network bandwidth with em(4)

2011-02-22 Thread BSD

On 02/22/11 11:19, Mark Nipper wrote:

On 22 Feb 2011, Patrick Lamaiziere wrote:

The problem is that we don't get more than ~320 Mbits/s of bandwidth
between the internal networks and the internet (gigabit).

Have you already looked at:
---
https://calomel.org/network_performance.html



Henning Brauer has some very interesting thoughts about the content of that 
particular page. Recent changes in the network stack make those sysctl settings 
useless.

-luis



Re: set nano as default when editing crontab

2010-12-23 Thread BSD

On 12/23/10 15:48, Orestes Leal R. wrote:

I want to edit the crontab with nano, but by default vi is invoked
when I do 'crontab -e'.



What is wrong with mg?

-luis



Re: FBI And OpenBSD...

2010-12-15 Thread BSD

On 12/15/10 16:17, Randy Wrench wrote:

http://www.phoronix.com/scan.php?page=news_item&px=ODkxMw



Government organizations, whether they be from the United States, the European
Union, or anywhere else for that matter, contributing to open-source projects
is not new. Heck, Security Enhanced Linux (SELinux) in the mainline kernel can
largely be attributed to the United States' National Security Agency (NSA).
More organizations contributing to open-source isn't bad -- government or not
-- when it's mutually beneficial work with good intentions. However, there are
new allegations being made today about OpenBSD's networking stack, in
particular its IPsec code. The FBI allegedly paid OpenBSD developers to
insert back-doors into the code-base...





The above URL carried an article which is disturbing, to say the least...
Anyone know more about this???


How about /. and the rest of the world? Theo forwarded the original 
email hours ago.


-luis



Re: Broadcom BCM4322 wifi support?

2010-09-09 Thread BSD

On 09/09/10 19:28, James Hozier wrote:

Since Broadcom has released their sources for drivers, will I be able to
get support for my BCM4322 wireless card for OpenBSD? The BCM4322 chipset
ID was removed from bwi(4) a while back:
http://marc.info/?l=openbsd-cvs&m=122116715708453&w=2

It would be so awesome if it was supported now so that I don't have to
spend money on a wireless card. I've been using a wireless router as my
wireless card (putting it in bridge mode from my modem/wireless router and
connecting my bridge to my laptop via ethernet cable) and it's a hassle
lugging it around.


   
Code is not proper hardware documentation. Another factor to consider is 
the availability of the firmware to be distributed under real open 
conditions. So this announcement could really mean nothing to openbsd. 
The wifi hardware devs will know better than me though.


-luis



Ports problem

2010-08-24 Thread Warlock BSD
Hi all! I have an IBM Thinkpad R50e. I installed OpenBSD, configured X,
installed fluxbox and other applications with pkg_add, but when I try to
install unrar (it's not available via pkg_add) using the ports, the compilation
fails. I tried to compile other ports and it fails again. I downloaded the ports
from the ftp (ports.tar.gz) and via cvs, but I can't compile the ports.
I get this error:

http://pastebin.com/mm1tp9za

A friend told me that I need to install the perl module Build.pm using
perl -MCPAN -e 'shell' and then install Build, but when I do it I get another
error: YAML not installed... http://pastebin.com/Dfbn6Myx I try to install
YAML and get another error again... When I install YAML and try to install Build
again I get the first error. I don't know what to do. Maybe you can help
me. Thank you very much.

This is my dmesg: http://pastebin.com/zJ45BciQ



Which netbook for OpenBSD

2010-06-28 Thread bsd
Hi.

I'm planning to buy a netbook and I wonder which one is the best choice for
running OpenBSD?
Any suggestion?

Thanks
-- 
Rafal Brodewicz



Re: Why I Love Open Source - NSA helped with Windows 7 development

2009-11-20 Thread bsd...@gmail.com
On Fri, Nov 20, 2009 at 3:19 AM, patrick keshishian pkesh...@gmail.com wrote:
 On Thu, Nov 19, 2009 at 11:40 PM, Felipe Alfaro Solana
 felipe.alf...@gmail.com wrote:
 On Fri, Nov 20, 2009 at 12:43 AM, Obiozor Okeke 
 obiozorok...@yahoo.comwrote:

 From Network World:

 NSA helped with Windows 7 development
 Privacy expert voices 'backdoor' concerns, security researchers dismiss
 idea
 By Gregg Keizer , Computerworld , 11/18/2009


 Why would NSA need backdoors when they have a front-door via DHS, national
 security and things like that?

 Same reason there exist unconstitutional congressional acts/bills that
 allow for secret torture prisons, detention of persons without due
 process, complete bypassing of fourth and sixth amendments, voiding of
 the Posse Comitatus Act, etc. etc. ... naive voters like you are the
 reason we are in this shithole right now.

 --patrick



The NSA's mandate is to protect American computer systems from attack.
It's perfectly reasonable to believe their contributions are honest
and legitimate.

Note that the NSA's work on DES, which was rumored to have been
backdoored by them, actually proved to strengthen it against
differential cryptanalysis.



Re: Authpf and more than 992 users

2009-11-19 Thread bsd...@gmail.com
On Thu, Nov 19, 2009 at 7:43 PM, Aaron Mason simplersolut...@gmail.com
wrote:
 On Thu, Nov 19, 2009 at 7:57 PM, Joachim Schipper
 joac...@joachimschipper.nl wrote:
 On Wed, Nov 18, 2009 at 12:55:03PM -0700, Bob Beck wrote:
 2009/11/18 Janusz Gumkowski janusz.gumkow...@am.torun.pl:
  Is it at all possible to have more than 992 simultaneous authpf users?
 
 

 Yes, use more than one machine.

  Digging out an old post of mine, still not having any real solution
  but a couple of ugly hacks instead, trying to get rid of them finally.
 
  To the point:  is allocating a pty for authpf logins really necessary ?

 Yes.

  What side-effects can I expect if I disable it ?

 Probably bad things.

 Wouldn't it be possible to crank the number of ptys? I'm by no means an
 expert, but src/sys/kern/tty_pty.c does have some interesting-looking
 #defines. (Of course, you'd also have to patch libutil and who knows what
 else...)

Joachim



 You'd be better off getting a second machine and CARPing them together
 rather than mess with the kernel.  You'd also be far more likely to
 get support than if you modified the kernel (in which case you'd get
 little or none I'm sure).  You'd also get a degree of redundancy if
 one machine bails.

 HTH

 --
 Aaron Mason - Programmer, open source addict
 I've taken my software vows - for beta or for worse



Throwing more hardware at it can't be the real solution, not when the
problem is an arbitrary system constant, and especially since the
number of ptys has little to do with how many users an authpf system
can support.



Re: Package dependencies size estimate script

2009-11-08 Thread srikant . bsd
Jan Stary wrote:
 dir=/var/db/pkg/$pkg

Since you use the above mechanism to read the package list,
your script only works for already installed packages.

Srikant.



Re: Package dependencies size estimate script

2009-11-07 Thread srikant . bsd
Jan Stary wrote:
 cat /var/db/pkg/$PACKAGE/+REQUIRING | xargs pkg_info -s

That's just the first level of dependencies. What about the
dependencies of the dependencies, and so on? It is a tree
structure. Recursion is needed if you want to know the
'real collateral damage' :)

Srikant.
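To make the recursion Srikant is asking for concrete, here is an added example (not Jan Stary's script and not from the thread) in POSIX sh that walks +REQUIRING transitively and compares the result with the first-level sum. It assumes a constructed stand-in for /var/db/pkg, with a constructed +SIZE file per package replacing pkg_info -s, so it runs offline; a package reached by two paths is counted once, which a naive recursion would not do.

```sh
#!/bin/sh
# Added example, not code from the thread. PKGDB is a constructed stand-in
# for /var/db/pkg: each package directory carries a +REQUIRING file, as on
# OpenBSD, plus a constructed +SIZE file standing in for `pkg_info -s`.
PKGDB=$(mktemp -d)
trap 'rm -rf "$PKGDB"' EXIT

# mkpkg NAME SIZE [PKG...]: register one constructed package; the trailing
# arguments are the packages that require it (the content of +REQUIRING).
mkpkg() {
    pkg=$1; size=$2; shift 2
    mkdir -p "$PKGDB/$pkg"
    printf '%s\n' "$size" > "$PKGDB/$pkg/+SIZE"
    : > "$PKGDB/$pkg/+REQUIRING"
    for r in "$@"; do printf '%s\n' "$r" >> "$PKGDB/$pkg/+REQUIRING"; done
}

# Constructed graph: app-1.0 requires bar-2.0 and baz-3.0, and both of those
# require libfoo-1.0, so app-1.0 is reachable from libfoo-1.0 by two paths.
mkpkg libfoo-1.0 1000 bar-2.0 baz-3.0
mkpkg bar-2.0     200 app-1.0
mkpkg baz-3.0     300 app-1.0
mkpkg app-1.0      50

pkg_size() { cat "$PKGDB/$1/+SIZE"; }

# First level only (what `cat +REQUIRING | xargs pkg_info -s` adds up).
first_level_size() {
    total=$(pkg_size "$1")
    while read -r dep; do
        [ -n "$dep" ] || continue
        total=$((total + $(pkg_size "$dep")))
    done < "$PKGDB/$1/+REQUIRING"
    echo "$total"
}

# Every package that transitively requires $1, one per line, each at most
# once: SEEN is shared by the recursive calls so a package reached by two
# paths is emitted a single time instead of being counted twice.
requiring_closure() {
    [ -r "$PKGDB/$1/+REQUIRING" ] || return 0
    while read -r dep; do
        [ -n "$dep" ] || continue
        case " $SEEN " in *" $dep "*) continue ;; esac
        SEEN="$SEEN $dep"
        echo "$dep"
        requiring_closure "$dep"
    done < "$PKGDB/$1/+REQUIRING"
}

# Whole tree: $1 plus the sizes of everything in its requiring closure.
collateral_size() {
    total=$(pkg_size "$1")
    for dep in $(SEEN=$1; requiring_closure "$1"); do
        total=$((total + $(pkg_size "$dep")))
    done
    echo "$total"
}

echo "first level: $(first_level_size libfoo-1.0)"   # 1500
echo "whole tree:  $(collateral_size libfoo-1.0)"    # 1550, app-1.0 counted once
```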



machdep.allowaperture=1 setting is safer?

2009-10-31 Thread srikant . bsd
Hello All

I have a Intel Core2Duo desktop (dmesg attached below)
running fully patched i386 4.6 GENERIC.MP.

xdriinfo and glxinfo o/p doesn't change whether
machdep.allowaperture is set to 1 or 2. And X is
fully functional/stable in both cases as it has been for 
the past 6 months (with 4.5-stable too). xf86(4) seemed to
suggest 1 is better security-wise than 2, and that
led me to try this setting.

glxgears gives the same 247 fps for both settings.

In this light, is it more secure to use 1 than 2, and
am I missing some functionality of my hardware in the
process? Could someone please clarify?

Yours

Srikant.




Re: machdep.allowaperture=1 setting is safer?

2009-10-31 Thread srikant . bsd
 BTW, does anyone know if any other (X?) programs require '2', and in 
 which cases? mplayer?

I have been running mplayer, xine and openarena without
any problems with value 1 for more than 6 months.

Yours

Srikant.



Re: Defending OpenBSD Performance

2009-09-15 Thread ttw+bsd
On 14.09-20:43, Nick Holland wrote:
 [ ... ]
 Speed matters.  Almost as much as some things, and nowhere near as
 much as others.

beautifully specific and vague, i'd challenge anyone to sum up
benchmarking better.  if that's not a quote, it is now; i'm writing
it down and sticking it to my wall.

 [ ... ]
 Practically speaking, the people who need the performance at the
 edge of what OpenBSD can deliver usually are too busy to argue
 benchmarks.

careful, that could be seen as an admission
;-)



Re: OpenBSD server with samba and openldap

2009-05-15 Thread BSD nuub
On Thu, May 14, 2009 at 11:11 AM, Pedro Almeida
palme...@securenetworks.pt wrote:

 This was probably true at the time this document was written, but hopefully
 things change over time.
 Please take a look at ypldap(8). I think it solves the problem you refer to.

 There are some small issues, but I bet they are being worked on, and you'll
 find a workaround for them meanwhile. ;)

 Best regards,

 Pedro



Thanks to everyone that replied (both public and in private), pointing
me in the right direction.
I'll have a look at ypldap.

/bsdnuub



OpenBSD server with samba and openldap

2009-05-14 Thread BSD nuub
Dear misc@ readers,
I'm planning to set up an OpenBSD 4.5 based server serving a local
network with Windows XP based client computers.
There's no mention of this in the OpenBSD faq, but I found a nice
guide that seems to be pretty recent and up-to-date.

http://www.kernel-panic.it/openbsd/pdc/pdc4.html
On this page, there's something that bothers me:

Please note that, though Samba account information will be stored in
LDAP, smbd(8) will still obtain the user's UNIX account information
via the standard C library calls, such as getpwnam() (see
documentation); unfortunately, OpenBSD's standard C libraries don't
support LDAP, thus forcing us to define Samba users also as local Unix
accounts.

This means a little more work for the system administrator, who will
need to define users twice, but won't affect the overall system
security since Unix users won't need to be able to logon to the
system.


Now, I'm thinking that this problem maybe can be solved with this:
http://openbsd.rutgers.edu/bsdauth/
+
http://openports.se/sysutils/login_ldap
?

Anyone else already done this in a better/smarter way?

Thanks for your time!
/bsdnuub



Re: Samsung HD License Issue

2009-05-05 Thread ttw+bsd
On 04.05-08:17, Jochem Kossen wrote:
[ ... ]
  today i bought a Samsung Laptop Drive, 160GB, Model Number is HM160HC.  
  It came in an anti-static plastic bag together with a little leaflet.  
  Usually i don't read those, but today i did, and came across the  
  following paragraph:
 
  Hybrid Disk Drive products are licensed for use only on devices that  
  deploy the Windows VISTA Operating System as their principal operating  
  System. If you or any other party install(s) an operating system on the  
  computing device that is not Windows Vista, the use of this Hybrid Disk  
  Drive may require an additional license from Microsoft.
  For further information, please contact Microsoft.
[ ... ]
 It appeared more people were confused by the text, and both Microsoft
 and Samsung have explained that the terms mean, that if you use a
 different operating system than Windows with this drive, you need to
 get the appropriate license to use said different operating system. If
 you want to use an operating system owned by Microsoft with it, you
 have to get a license from them; if the operating system is not owned
 by Microsoft, you don't need to get a license from Microsoft.

this is a legal two-step and i recommend that you refuse to be satisfied
with the clarification by Samsung and Microsoft and contact the
appropriate consumer bodies within your jurisdictions to have this
matter lodged with them (assuming the drive is sold under those terms
within your country).



Re: BSD User Group in Spain | Grupo de Usuarios de BSD en Espanya.

2009-04-20 Thread Warlock BSD
 Hi, I'm from Asturias (north of Spain). I'm a newbie on OpenBSD, but I have a
friend who helps me (debug...@gmail). But I'd still like to participate.
Greetings



Re: Donations (was, sadly, European orders)

2009-04-02 Thread ttw+bsd
On 02.04-09:49, Alf Schlichting wrote:
[ ... ]
 as far as i am concerned (and most likely the majority of OpenBSD
 users) there is no need for you to justify yourself (or any other
 developer) in public.
 The product (OpenBSD) speaks for itself. 

+1



Re: ssh tunneling

2009-04-01 Thread ttw+bsd
On 01.04-17:21, Jay Jesus Amorin wrote:
[ ... ]
 I have a firewall rule that allow ssh from computer-1 to computer-2 and deny
 ssh from computer-2 to computer-1.
 
 is it possible to tunnel ssh myu...@computer-2 'svn update
 svn+ssh://u...@computer-1/svn/data /home/myuser' and use the same tunnel
 when svn update svn+ssh://u...@computer-1/svn/data /home/myuser is invoked
 going to computer-1 from computer-2 through ssh, when ssh is not allowed
 from computer-2 to computer-1.

not sure i understand precisely what you're intending here but you
can open a remote tunnel via the connection 'computer-1' to
'computer-2', which would allow 'computer-2' to connect through a
localhost connection, via the tunnel, back to 'computer-1'.  look up
'-R' instead of '-L' in the man page.



Re: pppoe server

2009-03-09 Thread ttw+bsd
On 08.03-11:13, Lo?=?VAI DC!niel wrote:
[ ... ]
 I wish to experiment setting up a PPPoE server (AC) on OpenBSD 4.4. 
 Although I've read the pppoe(8) man page and googled around, it is not 
 clear for me how to set up such configuration.

man sppp



load balanced carp and local routes

2008-10-23 Thread dave-bsd
Greetings list.

I have a set of four load-balanced carp servers. Here are their
hostname.carp files:

box1: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth
carpnodes 1:0,2:100,3:100,4:100

box2: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth
carpnodes 1:100,2:0,3:100,4:100

box3: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth
carpnodes 1:100,2:100,3:0,4:100

box4: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth
carpnodes 1:100,2:100,3:100,4:0

We notice that the first box (or whichever box holds vhid 1, advskew 0)
has the following route:
10.104.72.0   10.104.72.0   UH   0   4   -   carp0

Thus when box1 pings the carp IP, it responds to itself and none of the
other carp hosts sees the traffic.

This behavior is expected, and useful to us.

The other three boxes however do not have this route, possessing instead
a route for the carp IP that points to em0:
10.104.72.0 00:00:5e:00:01:01  UHLc127000  -   em0

When one of the other three boxes attempts to ping the carp IP, all four
boxes see the traffic and none of them responds.

This behaviour is neither expected, nor useful to us.

So my question is, what is carp thinking in this configuration? Am I
wrong to expect that all four load balanced carp hosts should contain a
local route to the carpdev for a shared carp IP? Why would
vhid1,advskew0 be different than the other three?

Thanks in advance.

--dave josephsen




Re: Limit number of login sessions

2008-09-24 Thread ttw+bsd
On 24.09-09:48, Maximo Pech wrote:
 Well I guess I will have to resolve this by coding something. What do you
 think about this:
[ ... ]

would you not be better off using ALTQ to limit the bandwidth available
to each user?  then if they share their password they're only sharing
their own use?

if not then i'd suggest you create a BSD auth module for processing
the login sessions and add a 'login-max' capability.



Re: UPDATE: mozilla-firefox-3.0

2008-07-17 Thread ttw+bsd
On 17.07-10:26, Jason Dixon wrote:
[ ... ]
 I don't have any customers that use Java for client-side image
 rendering, so I can't speak as to how it would compare.  I suspect that
 Java wouldn't be as efficient as flash for passing instructions to the
 client, but that's just a hunch.

performance of image rendering ? ? ?
passing instructions ???
that's as meaningful as the banana flavoured lube.
;-)

java is a language, flash is a solution.

many would like to see an open alternative to flash but since flash
is not microsoft i think it's below most radars.  it's also, as many
here have noted, 99.9% meaningless junk; and i'm 100% confident that
any flash application could be re-implemented in Java, should needs,
must.

personally, i avoid flash as a retard filter; remove it and lots of
sh1t suddenly disappears.

p.s: java's image rendering is perfectly performant (assuming you
accept java as an overhead in the first place ... of course, flashplayer
is just as bad)



Re: timezone issue

2008-04-10 Thread ttw+bsd
On 10.04-11:06, Jordi Espasa Clofent wrote:
[ ... ]
 [EMAIL PROTECTED] [~] [10:59:59]
 $ date -u
 Thu Apr 10 09:00:01 UTC 2008

presumably the prompt is showing local time which is UTC +2 (+1 for
CET and +1 for summer time).  so all is well.  as for the sysmon output
you'll probably find (but i don't know) that it's deliberately working
in UTC.



cvs comparisons [ot]

2008-03-18 Thread ttw+bsd
been setting up a repository of various development stuff and finding
subversion to be horrifically slow and very hard on resources.
struggling to find actual comparisons with CVS (lots of opinions and
statements about SVN tagging and branching being better) but hoping
someone here could help with links or experiences.

currently switching back to CVS but hopeful of something quantitative
for future reference.



Re: IPSec tunnel problem

2008-03-01 Thread ttw+bsd
On 01.03-00:39, Alexey Vatchenko wrote:
[ ... ]
 No, i don't use same network address for two networks.

then you need to alter your settings to specify the actual networks
that you're using.

for example, you could define the remote network to be
192.168.123.123/32 and then route everything for 192.168.0.0/16 through
the tunnel.  if you define a home network (like 192.168.123.0/24) then
you'll need the bypass rule to avoid routing that through the tunnel.

the fact that the tunnel end point moves is irrelevant but you will
need to define a local network alias within the home network (i.e.
192.168.123.123 or something) so that the system knows to route that
traffic through the tunnel.

for routing you only need to define a route to the office gw system
(e.g. 192.168.111.111) for the entire 192.168/16 space.  note, if
your networks don't overlap (i.e. 192.168.123/24 and 192.168.111/24)
then you won't need the bypass rule.



vpn client configuration

2008-02-20 Thread bsd bsd
Hi,

I'm trying to connect to Checkpoint VPN-1 using OpenBSD 3.8. The basic setup
is as follows:

Host-A - Gateway-A -- - Gateway-B - Host-B

Gateway-A: OpenBSD3.8
Gateway-B: Checkpoint VPN1
Aim: Establish connection to Host-B from Host-A.

I've no control on Gateway-B and Host-B.

First of all, I'm able to connect to Gateway-B from Gateway-A. The
configuration files that I've used are as follows:

===
isakmpd.conf

[Phase 1]
IP-OF-GATEWAY-B=peer-machineB

[Phase 2]
Connections=VPN-A-B

# ISAKMP phase 1 peers (from [Phase 1])
[peer-machineB]
Phase=  1
Transport=  udp
Address=IP-OF-GATEWAY-B
Configuration=  Default-main-mode
Authentication= PRESHAREDKEY

# IPSEC phase 2 connections (from [Phase 2])
[VPN-A-B]
Phase=  2
ISAKMP-peer=peer-machineB
Configuration=  Default-quick-mode
Local-ID=   machineA-internal-network
Remote-ID=  machineB-internal-network

# ID sections (as used in [VPN-A-B])

[machineA-internal-network]
ID-type=IPV4_ADDR
Address=   IP-OF-HOST-A

[machineB-internal-network]
ID-type=IPV4_ADDR
Address=IP-OF-HOST-B

# Main and Quick Mode descriptions (as used by peers and connections)

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=  ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=  QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
===

===
isakmpd.policy
Keynote-version: 2
Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
            esp_present == "yes" &&
            esp_enc_alg != "null" -> "true";
===

Using these files, when I run isakmpd (isakmpd -d -DA=90) I can successfully
connect to GATEWAY-B. tcpdump output is as follows:

===
tcpdump: listening on em0, link-type EN10MB
14:44:40.315165 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 202:
IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500:  [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: 07c9dbce8da4a5b1-> msgid:  len: 160
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
payload: TRANSFORM len: 32
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
payload: VENDOR len: 20 (supports v2 NAT-T,
draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T,
draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 25076, len
188)
14:44:40.333719 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 122:
IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500:  [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid:  len: 80
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0
xforms: 1
payload: TRANSFORM len: 32
transform: 1 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = PRE_SHARED
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600 (DF) (ttl 53, id
3115, len 108)
14:44:40.356321 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 222:
IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500:  [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid:  len: 180
payload: KEY_EXCH len: 132
payload: NONCE len: 20 (ttl 64, id 1228, len 208)
14:44:40.376569 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 226:
IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500:  [udp sum ok] isakmp
v1.0 exchange ID_PROT
cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid:  len: 184
payload: KEY_EXCH len: 132
payload: NONCE len: 24 (DF) (ttl 53, id 3116, len 212)
14:44:40.396111 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 134:
IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500:  [udp sum ok] isakmp
v1.0 exchange ID_PROT encrypted
cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid:  len: 92
(ttl 64, id 23041, len 120)
14:44:40.617927 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 110:

Re: 4.2 patchset for PR#5563/#5704

2008-01-29 Thread ttw+bsd
On 17.01-22:14, [EMAIL PROTECTED] wrote:
 need an education here.  created a patchset for this problem and i'm
 about to test that against 4.2 GENERIC and have a couple of questions
 
   1.  are the results generally interesting? should i post
   them somewhere (assuming tests go right)
 
 assuming above is yes
 
   2.  had to manually add the line from r1.94 to 'mbuf.h' to skip the
   other changes in r1.93.  is there a cvs way to do that or
   should it be manual and i assume there's nothing for me relevant to
   branching etc as that is only relevant to the repository/committer,
   right?
 
   3.  m_gethdr duplicates the new m_inithdr code which seems
   ... not great ... would it be better to (a) call the m_inithdr
   function from m_gethdr (b) change it to a macro (c) change
   the m_inithdr to inline and call it from m_gethdr (no idea
   whether the function would get inlined anyway).

i guess the answer to '1' is no but i'm posting this for anyone who
may find it useful.  it's working nicely for me.

comments welcome.

nb: this should patch against 4.2
Index: sys/sys/mbuf.h
===
RCS file: /cvs/src/sys/sys/mbuf.h,v
retrieving revision 1.92
diff -r1.92 mbuf.h
220a221,254
  * mbuf initialisation macros:
  *
  *MINITDATA(struct mbuf *m, int type, u_short flags, caddr_t data)
  * initialize mbuf internal data (pulled in by MINIT and MINITHDR)
  *
  *MINIT(struct mbuf *m, int type)
  * initialize an mbuf
  *
  *MINITHDR(struct mbuf *m, int type)
  * initialize mbuf with packet header
  */
 #define MINITDATA(m, type, flags, data) \
   (m)-m_type = (type); \
   (m)-m_flags = (flags); \
   (m)-m_data = (data); \
   (m)-m_next = (struct mbuf *)NULL; \
   (m)-m_nextpkt = (struct mbuf *)NULL
 
 #define MINIT(m, type) \
   MINITDATA((m), (type), 0, (m)-m_dat);
 
 #define MINITHDR(m, type) \
   MINITDATA((m), (type), M_PKTHDR, (m)-m_pktdat); \
   (m)-m_pkthdr.rcvif = NULL; \
   SLIST_INIT((m)-m_pkthdr.tags); \
   (m)-m_pkthdr.csum_flags = 0; \
   (m)-m_pkthdr.pf.hdr = NULL; \
   (m)-m_pkthdr.pf.rtableid = 0; \
   (m)-m_pkthdr.pf.qid = 0; \
   (m)-m_pkthdr.pf.tag = 0; \
   (m)-m_pkthdr.pf.flags = 0; \
   (m)-m_pkthdr.pf.routed = 0
 
 /*
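Review bot: MINIT and MINITHDR expand to several statements (MINITDATA alone is five assignments) with no `do { ... } while (0)` wrapper, so a caller writing `if (cond) MINIT(m, type);` would only run the first assignment under the condition; suggest wrapping each macro body. The three macros are also inconsistent about the trailing semicolon: MINIT ends with `MINITDATA((m), (type), 0, (m)-m_dat);` while MINITDATA and MINITHDR end without one, so `MINIT(m, type);` expands to an empty statement after the real ones. Finally, the inserted text starts with ` * mbuf initialisation macros:` and finishes by reopening `/*`, which means it depends on line 220 of mbuf.h r1.92 being the `/*` of an existing comment block; that assumption deserves a sentence in the patch description.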
Index: sys/kern/uipc_mbuf.c
===
RCS file: /cvs/src/sys/kern/uipc_mbuf.c,v
retrieving revision 1.85
diff -r1.85 uipc_mbuf.c
167d166
   m-m_type = type;
169,172c168
   m-m_next = (struct mbuf *)NULL;
   m-m_nextpkt = (struct mbuf *)NULL;
   m-m_data = m-m_dat;
   m-m_flags = 0;
---
   MINIT(m, type);
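Review bot: this hunk pair (`167d166` then `169,172c168`) deletes `m-m_type = type;` and replaces four more lines but leaves the untouched line 168 in between, and in this context-free `diff -r` output a reviewer cannot see what that line is or confirm that MINIT really covers everything the removed assignments did. Please regenerate the patchset with `cvs diff -u` so each hunk carries its surrounding lines; that also answers the "how do i create a patchset" question, since the unified output for several files can be concatenated as-is.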
187d182
   m-m_type = type;
189,201c184
   m-m_next = (struct mbuf *)NULL;
   m-m_nextpkt = (struct mbuf *)NULL;
   m-m_data = m-m_pktdat;
   m-m_flags = M_PKTHDR;
   m-m_pkthdr.rcvif = NULL;
   SLIST_INIT(m-m_pkthdr.tags);
   m-m_pkthdr.csum_flags = 0;
   m-m_pkthdr.pf.hdr = NULL;
   m-m_pkthdr.pf.rtableid = 0;
   m-m_pkthdr.pf.qid = 0;
   m-m_pkthdr.pf.tag = 0;
   m-m_pkthdr.pf.flags = 0;
   m-m_pkthdr.pf.routed = 0;
---
   MINITHDR(m, type);
Index: sys/dev/ic/elink3.c
===
RCS file: /cvs/src/sys/dev/ic/elink3.c,v
retrieving revision 1.69
diff -r1.69 elink3.c
1390c1390
   /* Convert one of our saved mbuf's. */
---
   /* Convert one of our saved mbuf's ... */
1392,1395c1392,1393
   m-m_data = m-m_pktdat;
   m-m_flags = M_PKTHDR;
   m_tag_init(m);
   m-m_pkthdr.csum_flags = 0;
---
   /* ... and reset the buffer info */
   MINITHDR(m, m-m_type);
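Review bot: this replacement changes more than the four lines it removes. The old code only reset m_data, m_flags, the tag list (`m_tag_init(m)`) and csum_flags, whereas MINITHDR additionally sets m_next and m_nextpkt to NULL and zeroes every m_pkthdr.pf field. If the saved mbuf can ever be part of a chain, nulling m_next here silently drops the rest of it, and any pf tag or rtableid the packet carried is lost; confirm both are intended and say so in the comment, which currently reads only `/* ... and reset the buffer info */`. Passing `m-m_type` back into the macro is fine since the type is read before the macro assigns it, but a short note on that would save the next reader a double-take.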



4.2 patchset for PR#5563

2008-01-17 Thread ttw+bsd
need an education here.  created a patchset for this problem and i'm
about to test that against 4.2 GENERIC and have a couple of questions

1.  are the results generally interesting? should i post
them somewhere (assuming tests go right)

assuming above is yes

2.  had to manually add the line from r1.94 to 'mbuf.h' to skip the
other changes in r1.93.  is there a cvs way to do that or
should it be manual and i assume there's nothing for me relevant to
branching etc as that is only relevant to the repository/committer,
right?

3.  m_gethdr duplicates the new m_inithdr code which seems
... not great ... would it be better to (a) call the m_inithdr
function from m_gethdr (b) change it to a macro (c) change
the m_inithdr to inline and call it from m_gethdr (no idea
whether the function would get inlined anyway).

and finally, how do i create a patchset?  is it simply a concat of
the individual file patches?



Re: no 4.2-stable package updates??

2007-12-13 Thread ttw+bsd
On 12.12-16:25, [EMAIL PROTECTED] wrote:
 I tried using pkgsrc-2007Q3 but it sucks. Updating userland in
 production environment with pkgsrc on a non-NetBSD platform is a
 nightmare.

i'm working on this.  will post when significant progress has been
made.  in my opinion having a working pkgsrc tree is better for
everyone, doesn't mean we can't have an openbsd branch (so to speak)
but unifying our efforts with others in this field will have benefits.



Re: HUAWEI not recognized properly (3 modem)

2007-12-11 Thread ttw+bsd
On 11.12-16:11, Stuart Henderson wrote:
 On 2007/12/11 16:13, Markus Bergkvist wrote:
  I borrowed a HUAWEI modem just to see how it is recognized.
  With umass enabled it is recognized as a CD. Disabling umass and it is 
  found as ugen.
  From this thread http://marc.info/?l=openbsd-miscm=118468178731619w=2 I 
  figured it should have been recognized as ubsa. Any suggestions?
 
 I was wrong with ubsa, it looks like it should actually be umsm,
 but the device needs poking with a USB command before it switches
 off the umass-based Windows driver CD, and turns on the other
 interfaces (the AT-compatible modem-like interface, and the
 control interface).
 
 I'm not aware of it being supported yet.

with my version of this device it *appears* to timeout to the modem
interface if it is inserted during boot.  i won't go into the reasons
as to why i believe that, suffice to say they're thin in evidence
but it'd suggest you try forcing a rescan of the device after a
couple of minutes (assuming the umass interface hasn't been tickled,
activating it).



pf max-src-conn states

2007-11-12 Thread ttw+bsd
two questions relating to the above

1.  trying to use 'max-src-conn 1' to limit service to one
connection per host (with overload table) but when i disconnect and
reconnect i get blocked.  should this state expire when
correctly closed, allowing a second connection, or is the timeout
needed?

2.  is source-track required for the above?  i can't decipher the
relationship.  current confusion is does source-track turn 'max'
into a per-IP match or simply allow the per-IP functions to operate?

nb: not sure the service is closing the connection correctly which
may be causing the timeout issue.



Re: PPD vs printer driver question

2007-11-11 Thread ttw+bsd
On 10.11-17:01, Predrag Punosevac wrote:
[ ... ]
 PPD files are post script description files that act as drivers for 
 post script printers. This seems clear to me.

no.  they simply describe the functions available on the printer.
this allows the interface to display those printer options to you.
for PS compatible printers this is enough, you select the options
and the document, with the selected options, is passed along to the
printer.  for non-PS printers the options are passed to the backend
processor which produces the relevant commands for that printer.

with CUPS you'll (most likely) have ghostscript as a backend processor.
this comes with support for a good range of printer backends (e.g.
PCL) as well as being easily extensible with vendor processors (like
the hpijs processor from HP).

with lpd and apsfilter you process the incoming text or latex file
into postscript.  this works fine if the printer supports PS.  if not
then you'll pipe that postscript onto ghostscript which will then
process the PS into the native printer language (e.g. PCL).



Re: Printing with apsfilter

2007-11-11 Thread ttw+bsd
On 11.11-06:51, Girish Venkatachalam wrote:
[ ... ]
 Now I only know what you people seem to be saying about PPD files and
 drivers. I have never used CUPS either.
 
 However long ago I have read that postscript is a PCL - printer command
 language.
 
 And most printers these days support printing using postscript and the
 LPD daemon which listens at TCP port 515.

PCL is a printer control language.  PS is a stack based programming
language with graphics primitives for drawing.  it may also be
classed as a PDL (page description language).

i would guess that you are assuming that most printers can process
PS because most unix print services use ghostscript to process these
files into a native printer language.  in fact most printers cannot
process PS because implementing a PS processor is quite expensive
(requires significant processing and memory) compared to control
protocols (like PCL), although PS has other advantages.

this pre-processing is supported by cups and lpr but installation is
generally simpler with cups (due to greater vendor attention).  cups
also has better integration with the new ghostscript processing
structure, which allows more feedback from the print processor.  this
is particularly useful when using control languages (or host based
raster processing) instead of PDLs.

the lpr protocol also has some fundamental issues in its design
(much like FTP does).

in short, i'd suggest you use cups unless you have a specific
reason not to.



Re: OpenBSD kernel janitors

2007-10-31 Thread ttw+bsd
On 31.10-08:40, Theo de Raadt wrote:
[ ... ]
Yeah, right.
[ ... ]
 I don't understand. Is newbies learning new things a waste to you? Do
 you think they won't really learn anything unless the patch is
 approved? Or will the patches not be subject to peer review? Or are
 you worried at who would pass for peer review getting overwhelmed by a
 huge volume of poor quality patches?

and i would suggest that the severe and prevalent attitude toward the
possibility of poor patches or under-educated actions is the most
significant barrier to encouraging new/young developers.



Re: OpenBSD kernel janitors

2007-10-31 Thread ttw+bsd
On 31.10-08:20, Theo de Raadt wrote:
[ ... ]
 They don't need a list.  They could already have started coding.  Yet
 we see how few people actually do start coding.  Instead, they choose
 to write in english...

on the counter-side we appear to have people who can code but are
unable to communicate productively otherwise.

surely there must be _some_ merit to creating a list of lower level
development tasks (as dictated by those with experience to judge) to
encourage people to enter the development cycle.  of course, there
will be a large attrition rate, most people like the idea but can't
stick the learning curve.  others may be intelligent and able but less
confident and just need pointed in the right direction.

obviously the intention should be to try and capture the latter without
losing energy on the former.



Hoststated check https; what am I missing?

2007-10-18 Thread dave-bsd
Greetings list,

Long story short, we're moving from some alteon AD3's to openbsd, and in
support of that effort I've constructed a small testing environment
including two carp'd openbsd boxes running hoststated, and a single
webserver sitting behind them.

The problem is that I can't seem to get hoststated to recognize via
check https digest that the webserver is up and running.  Check http
works for the non-ssl side of the site, and changing the ssl check to
check https code yields an operational ssl rdr.  Since the webserver
runs a small healthcheck jsp which outputs simply healthy, I'd like to
use the digest method if possible.

I'm generating the digest with:

wget -O - https://172.16.51.31/healthcheck/tomcatok.jsp \
--no-check-certificate | sha1

I'm wondering how sensitive hoststated is to the certificate (might
check https digest fail because the server certificate and the name
I'm asking for don't match?), or could it be that hoststated computes
the https digest before the html output is decrypted?

Thanks in advance for your help. Configs pasted below.

hoststated.conf:
# Macros
#
extern_addr=192.168.26.53
intern_addr=172.16.51.31

table generic_vhosts {
    real port http
    check http "/healthcheck/tomcatok.jsp" digest "187ddb23c590d6b7e576313b135e7201099cf726"
    host $intern_addr
}

table ssl_box {
    real port https
    check https "/dbghealth/tomcatok.jsp" code 200
    #check https "/healthcheck/tomcatok.jsp" digest "187ddb23c590d6b7e576313b135e7201099cf726"
    host $intern_addr
}

service generic_http {
    virtual host $extern_addr port http interface fxp3
    tag HOSTSTATED
    sticky-address
    table generic_vhosts
}

service ssl {
    virtual host $extern_addr port https interface fxp3
    tag HOSTSTATED
    sticky-address
    table ssl_box
}



-dave josephsen

[demime 1.01d removed an attachment of type application/pgp-signature]
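The digest question in the post comes down to which bytes the daemon hashes. The script below is an added example, not code from the post or from hoststated; it assumes that the `digest` check hashes the decrypted HTTP response body with the status line and headers stripped, which is the same thing the `wget -O - ... | sha1` pipeline in the post measures, and it recomputes that digest from a constructed Tomcat-style response whose body is the `healthy` string the post mentions. `fetch_raw` is an assumed helper for pulling the real page over TLS (sending an HTTP/1.0 request so the server does not apply chunked transfer encoding to the body); the digest from the post is used only as the configured expectation.

```python
"""Recompute a hoststated `check https ... digest` value by hand.

Added example, not from the mailing-list post or from hoststated/relayd.
Assumption (also in the lead-in): the health check hashes the HTTP
response body after TLS decryption with status line and headers removed,
exactly as `wget -O - ... | sha1` does.  SAMPLE_RESPONSE is constructed.
"""
import hashlib
import socket
import ssl

# Digest configured in the poster's hoststated.conf (value taken from the post).
CONFIGURED_DIGEST = "187ddb23c590d6b7e576313b135e7201099cf726"

# Constructed sample of what a Tomcat health page might return (body "healthy").
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Content-Type: text/plain;charset=ISO-8859-1\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"healthy\n"
)


def split_response(raw):
    """Return (headers, body) for a raw HTTP/1.x response.

    The body starts after the first blank line.  CRLF is the norm; a bare-LF
    separator is tolerated.  Raises ValueError when there is no separator,
    because hashing a headers-only blob can never match a page digest.
    """
    crlf = raw.find(b"\r\n\r\n")
    lf = raw.find(b"\n\n")
    if crlf < 0 and lf < 0:
        raise ValueError("no end-of-headers blank line in response")
    if crlf >= 0 and (lf < 0 or crlf < lf):
        return raw[:crlf], raw[crlf + 4:]
    return raw[:lf], raw[lf + 2:]


def body_digest(raw):
    """SHA-1 hex digest of the body only: every header byte is excluded and
    every body byte, including a trailing newline, is included."""
    _headers, body = split_response(raw)
    return hashlib.sha1(body).hexdigest()


def digest_matches(raw, configured=CONFIGURED_DIGEST):
    """True when the body digest equals the configured hoststated digest."""
    return body_digest(raw) == configured.lower()


def status_code(raw):
    """Numeric status from the status line (what a `code 200` check looks at)."""
    headers, _body = split_response(raw)
    line = headers.split(b"\n", 1)[0].strip()
    parts = line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("malformed status line: %r" % line)
    return int(parts[1].decode("ascii"))


def fetch_raw(host, port=443, path="/", verify_cert=True, timeout=5.0):
    """Fetch one page over TLS and return the raw decrypted response bytes.

    Assumed network helper for comparing against a live server; the offline
    demonstration does not call it.  verify_cert=False mirrors wget's
    --no-check-certificate so the poster's measurement can be reproduced.
    """
    ctx = ssl.create_default_context()
    if not verify_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # HTTP/1.0: the server will not chunk the body, so the bytes received
    # are exactly the bytes the digest covers.
    request = ("GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n"
               % (path, host)).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print("status :", status_code(SAMPLE_RESPONSE))
    print("digest :", body_digest(SAMPLE_RESPONSE))
    print("matches configured value:", digest_matches(SAMPLE_RESPONSE))
```

Run it against the real host with `body_digest(fetch_raw("172.16.51.31", path="/healthcheck/tomcatok.jsp", verify_cert=False))` and compare with the value in hoststated.conf; if the two disagree, the usual culprits are a trailing newline or whitespace that the JSP emits on one path but not the other, or a body that differs by virtual host, since the digest is byte-exact over the body and ignores nothing.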



Re: To whom can I direct email for artwork use permission pls?

2007-10-02 Thread ttw+bsd
On 02.10-09:56, Marcus Andree wrote:
 Theo is the copyright holder of the CD directory structure used by the
 install CDs.
 If someone wanna sell a CD (or DVD) legally, s/he will have to:
 
  - get a written permission from Theo or
  - code an entirely new installation procedure

i find this all rather sad and mis-guided, the software is freely
available to those who wish to use it.  we should also endeavour to
make it as widely available as possible.  the artwork is another
question for theo (assuming he's the owner of that), i mean, openbsd
is his brand and what he does there is his business.

it is also not possible to limit use of the directory structure with
copyright.  you would need to alter the license to include a clause
around installation media and distribution or release the install
scripts and programs under a different license; of course such a clause
would be almost directly contradictory to the current license.  i.e. some
stupid trick around CD directory structure is directly contradictory
to the principles encapsulated in our licensing.

paying for it requires a choice, no matter what tricks we put in place
around CDs.  surely we can simply trust and encourage contributions
particularly when people intend to profit.  and if the original poster
reads this you may read that as, whatever the actual outcome, if you
make a profit please ensure you give something back. and oh, yeah,
try to encourage the users to do the same once they get the CD home.

(though i have to confess, i haven't made a donation since i upgraded
my gateway to 4.1 ... i have an excuse !!!  and it was only last week.
and i will)



Re: OpenBSD sticker considered cool by a layman

2007-10-02 Thread ttw+bsd
On 02.10-15:43, Åke Nordin wrote:
[ ... ]
  http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565
 
  Cool link... Information about an article about privacy, and for
  downloading it you need javascript and whatever more... (I didn't manage
  to get the full text).
 
 Not to mention no download unless registration.

just for the record i managed without any trouble. and don't think
it required javascript either.



Re: To whom can I direct email for artwork use permission pls?

2007-10-02 Thread ttw+bsd
On 02.10-11:46, Bob Beck wrote:
  (though i have to confess, i haven't made a donation since i upgraded
  my gateway to 4.1 ... i have an excuse !!!  and it was only last week.
  and i will)
 
   And this is exactly the problem. Look, you guys can quibble
 all you want about awww, we should be able to make our own distros
 Yes, you can. 

no, this is a problem.  and there's no question that it's important
but the relevant discussion was above your cut.  even less to the
point, i contribute more than the cost of a CD set without the overhead
(but then its value is greater to me than it may be to others).

encouraging people to purchase CD sets is great (bit like a suggested
donation at a museum) but more important is iterating to people the
value of the software and that it is their *responsibility* to reflect
that value in their contributions; whatever form that contribution
takes.



Re: OpenBSD sticker considered cool by a layman

2007-10-01 Thread ttw+bsd
On 30.09-10:03, Anton Karpov wrote:
[ ... ]
 The same here. I have wireframe puffy on the back of my car. VERY
 attractive:

of course, if you were _really_ security conscious you would have
cropped the license plate no
;-)



Re: Loading PF after pppoe

2007-09-27 Thread ttw+bsd
On 27.09-08:59, Amit Finkler wrote:
 I now use the in-kernel pppoe and pf, but on boot pf loads itself before the
 networking is up.
 
 How does one cause the networking to be up before the pf rules?

i tend to load a basic ruleset during boot and then either overwrite
it or update it with alternative configurations / anchors as part of
'/etc/hostname.if' configurations.



Re: The Atheros story in much fewer words

2007-09-26 Thread ttw+bsd
 but it allows some users to not have the freedoms you claim to defend.

think you'll struggle to find people here who claim to defend freedom.
personally, i'm a believer and practitioner, i leave the defending
to the mis-guided and the hypocrites.



Re: OBSD's perspective on SELinux

2007-09-24 Thread ttw+bsd
On 24.09-10:25, Jason Dixon wrote:
[ ... ]
  What I'm trying to say is that all the services I listed before make
  their own little SELinux layer with appropriate policy built into
  them. Better than SELinux though is that the monitor is enabled by
  default and generally can't be turned off. Even more interesting is
  that this policy enforcement is portable to other unix like operating
  systems, it's not restricted to the OpenBSD kernel.
 
 What makes this so effective is that it's built-in by the people
 who understand it best, the developers.  Not some Jr. Sysadmin tasked
 with standing up a new Linux server and trying to write his own SELinux
 policy from scratch.

little sad to see such slating of extended security feature sets by
such a security conscious group.  policy cannot be defined or implemented
in the application.  it must be enforced by the kernel to be meaningful.
this, of course, does not preclude privilege separation within an
application but that is good application programming not secure policy.

SELinux's policy features are a superset of standard Unix.  I was
unaware of 'systrace' in openbsd but have found these poor and cumbersome
previously but will certainly review it.

i agree completely with the general tack of opinion here, there is
very little that cannot be done with conscious administration and
intelligent use of available features.  it's a little like ACLs,
it's definitely a security feature but getting real value add from it
is rare (particularly when you take into account the overhead of these
features) and whether it increases or decreases overall security is a
serious question too.  in many instances (on various trusted operating
systems and policy systems, not just selinux) i have seen the most
appalling policies simply because administrators became significantly
frustrated that they simply opened stuff until the application
worked.



Re: OBSD's perspective on SELinux

2007-09-24 Thread ttw+bsd
On 24.09-11:49, Can E. Acar wrote:
[ ... ]
  The guy can be some stupid binary software with an if(uid!=root) bail();
 
 People running arbitrary binary software requiring root on their systems
 deserve what they get. You can not work around this stupidity by ANY policy.

that is not the case and is, in fact, the entire point of defining
policy.  to define what the applications on the system can and
cannot do, irrespective of how stupid they (or their programmer),
or how malicious they (or their programmer) is / was.



Re: OBSD's perspective on SELinux

2007-09-24 Thread ttw+bsd
On 24.09-13:48, Darren Spruell wrote:
[ ... ]
 Oh, that sounds like a recipe for success.
 
 - Run _arbitrary_ _binary_ application on system. Intend to use policy
 wrapper to restrict to allowed operations.

exactly, if the application cannot run within the defined policies it
will not be allowed to run, this is precisely the assurance that some
businesses look for.  it is, in fact, a process that helps identify
poor applications.  whether the system is opened up or not depends on
the business.

 The intentions are great and look good on paper. The reality is a bit
 different, as others have pointed out.

indeed, i am one of them.  and probably as painfully aware of it as
any.  that is not the point, writing them off wholesale is folly, and
suggesting the same can be achieved with current toolsets available
is just plain wrong.



Re: OBSD's perspective on SELinux

2007-09-24 Thread ttw+bsd
On 24.09-14:28, Luke Bakken wrote:
[ ... ]
 Intelligent sysadmins know every setuid binary on their system.
 Unintelligent ones get owned.

you'll forgive me if this does not sound intelligent to me.  a
conscientious sysadmin looks at the requirements and picks the best
tools to match.  in the vast majority of cases best results can be
achieved with simplicity and an intelligent use of basic tools.
complex policy systems have diminishing returns but there is no question
that they bring additional tools to the toolkit.



Re: OpenBSD firewalls as virtual machine ?

2007-09-22 Thread ttw+bsd
On 22.09-02:06, Luca Corti wrote:
[ ... ]
   We are talking about OpenBSD here, and support for VRF is not there.
  That may change faster then you expect
 
 These are great news. If the implementation will allow to assign
 interfaces to different VRFs it would solve the virtual router/firewall
 setup without the need for OS virtualization.

i have a feeling that the funds currently available for your virtualisation
project would improve the quality and delivery of these requirements.



Re: OBSD's perspective on SELinux

2007-09-22 Thread ttw+bsd
On 22.09-16:21, Douglas A. Tutty wrote:
[ ... ]
  exercise for the reader: find somebody using SELinux.  ask them to
  describe their policy over the phone.  then repeat it back to them.
  did you get it right?
 
  [ ... ]  In other words, since debian packages, by policy, must
 just work on install (come with a reasonable default setup), (except
 for a few things like the Shorewall firewall builder that installs to a
 disabled state that prints a warning), once Debian decides on a SELinux
 policy, all the thousands of packages have to be set up to detect the
 SELinux policy on the box at the time and integrate themselves into it.  

i would be willing to bet this will never happen, particularly in a
community like debian's.  if, by some miracle, it does i'd make a
further bet that they'll have to roll back the decision because
their users will be crippled.  basically, good programming practices
get you a lot more for a lot less than wide ethos changes.  having
said that the extended feature set of selinux can solve issues that
unix systems are not able to.

in short, stick to openbsd.  if you need selinux you'll know it ...
then you'll go find another product that's not such a nightmare ...
actually, nearly all of them are but that's another story.