Re: Automatic OS updates
FWIW if you guys want to yell at me for spreading bad ideas, I've posted how to do automatic updates here: https://openbsd.pages.dev/auto-updates/ I'm both trying out the Hugo package and like, documenting how I've set things up in case I have to reinstall. Time moves fast and I'm damn impressed by how smooth the BSD experience is.
Re: Block HTTP requests from non-browser clients
Sorry I posted to the wrong thread. Please disregard.
Re: Block HTTP requests from non-browser clients
FWIW if you guys want to yell at me for spreading bad ideas, I've posted how to do automatic updates here: https://openbsd.pages.dev/auto-updates/ I'm both trying out the Hugo package and like, documenting how I've set things up in case I have to reinstall. Time moves fast and I'm damn impressed by how smooth the BSD experience is.
Re: Automatic OS updates
On Fri, Feb 16, 2024, at 17:09, Jan Stary wrote:
> And this saves you what, ten keystrokes a day?

Yes, it felt silly typing the same things every day and waiting for the computer to update. (If an update takes 4 minutes per day to babysit, that's about 2 hours per month.)

On Fri, Feb 16, 2024, at 21:10, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> Blind updating out of cron is utter madness. If there are any merge
> errors in /etc (think sshd_config for starters), you can end up
> with a machine you cannot log in to, or that's just acting out
> destructively.

Yeah! But you guys are sysadmins, I'm basically a 'gamer', I mostly use my OpenBSD computer for an online game. Thus an upgrade problem mostly risks me being late for a 'war', which is not the end of the world. SSH not coming back up is a non-issue, I have screen and keyboard connected. (I'll probably turn off auto-updates when traveling tho as remote access is nice although non-essential.) I also have a second computer I can boot up if this one doesn't work.
Re: Automatic OS updates
On Thu, Feb 15, 2024, at 21:52, Florian Obser wrote:
> > 0 3 * * * root sysupgrade
>
> This will stop working at the next release. Assuming you want to run -current.

Thanks, changed to 'sysupgrade -s'.

> > 30 3 * * * root pkg_add -u
>
> This will most likely run after package daemons have started. There is an
> example in upgrade.site(5) how to do this differently.

Thanks, very helpful, now using /upgrade.site to update packages after sysupgrades.
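For readers who want to see what "using /upgrade.site" can look like, here is an added example script. It is this editor's illustration, not the poster's script and not the example from upgrade.site(5). It assumes what upgrade.site(5) and rc(8) document: the script runs chrooted into the freshly upgraded system at the end of the upgrade, and /etc/rc.firsttime is executed once by rc(8) on the next boot and then removed. Rather than running pkg_add in the upgrade chroot, the script queues it in rc.firsttime; the log file name, the FIRSTTIME override and the queue_firsttime/queued_count helpers are this example's own.

```sh
#!/bin/sh
# Added example of an /upgrade.site script (not the poster's, not the man
# page's). Runs chrooted in the newly upgraded system at the end of
# sysupgrade's install step; instead of running pkg_add there it queues the
# job in /etc/rc.firsttime, which rc(8) runs once on the next boot.

FIRSTTIME=${FIRSTTIME:-/etc/rc.firsttime}   # overridable so the helpers can be exercised elsewhere
LOG=/var/log/pkg_add-upgrade.log            # log file name is this example's choice

# queue_firsttime CMD [FILE]: append CMD as one line to FILE (default
# $FIRSTTIME) unless an identical line is already queued, so that running the
# upgrade hook twice does not schedule the job twice. Fails if FILE cannot be
# written.
queue_firsttime() {
    cmd=$1
    file=${2:-$FIRSTTIME}
    if [ -f "$file" ] && grep -q -x -F -- "$cmd" "$file"; then
        return 0
    fi
    printf '%s\n' "$cmd" >> "$file"
}

# queued_count CMD FILE: number of lines in FILE equal to CMD (0 if no file).
queued_count() {
    if [ -f "$2" ]; then
        grep -c -x -F -- "$1" "$2" || true
    else
        echo 0
    fi
}

# The job to defer: update every installed package and keep its output.
JOB="pkg_add -u >> $LOG 2>&1"

# Only act when really running as the upgrade hook on the target system;
# the guard keeps loading this file on another machine side-effect free.
if [ "$(uname -s)" = OpenBSD ] && [ "$(id -u)" -eq 0 ]; then
    queue_firsttime "$JOB"
fi
```

Install it as /upgrade.site (mode 0755) before running sysupgrade; the queued command then runs at the next boot, and a second run of the hook finds the line already present and leaves the file alone.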
Automatic OS updates
So I was curious, am I the only one using automatic OS updates in cron to keep the fish fresh and the bits dust free? I think I read somewhere that it's not recommended but I'm not running a server so it seems like a good idea to me.

/etc/crontab:

    # Example of job definition:
    # .---------------- minute (0 - 59)
    # |  .------------- hour (0 - 23)
    # |  |  .---------- day of month (1 - 31)
    # |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
    # |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
    # |  |  |  |  |
    # *  *  *  *  * user-name command to be executed
    0 3 * * * root sysupgrade
    30 3 * * * root pkg_add -u
KeyTrap DNS vulnerability
“A single packet can exhaust the processing capacity of a vulnerable DNS server, effectively disabling the machine, by exploiting a 20-plus-year-old design flaw in the DNSSEC specification.”

https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/
Re: Screenshotting using PrtScr in cwm?
Here's someone who apparently had the same or similar problem on Arch Linux, and managed to solve it: https://unix.stackexchange.com/questions/669853/printscreen-key-not-registering-in-arch-linux Just changing the SysRq keycode doesn't work for me tho.
Re: Screenshotting using PrtScr in cwm?
On Sat, Feb 10, 2024, at 17:24, Omar Polo wrote:
> If xev doesn't report the keypress there's a chance something else has
> bound that key. Double-check that you don't have other bind directives
> in your cwmrc file and that no running application may have bound that
> key.
>
> Running a test with xev using an empty .cwmrc and a .xsession consisting
> of only `exec cwm' could help in ruling out whether the key is really
> not available for other reason or is 'just' a configuration error
> somewhere in your .xsession or .cwmrc.

I did this now:

    ~$ mv .xsession .xsession.old
    ~$ mv .cwmrc .cwmrc.old
    ~$ doas reboot

This landed me in fvwm. Even here, xev doesn't see the keypress. I then did 'echo exec cwm > .xsession' and restarted X. Here too, xev did not detect the keypress.
Re: Screenshotting using PrtScr in cwm?
On Sat, Feb 10, 2024, at 16:00, Christian Weisgerber wrote:
> > It would make more sense to use the dedicated PrtScr key, but I
> > can't work out what it's called; I've tried to brute force the name.
>
> Print

Thanks. Not working unfortunately.

> > Also, xev doesn't detect the keypress.
>
> That's odd, because I just used xev to find out.

Yep. Also I have this:

    ~$ xmodmap -pke | grep Print
    keycode 111 = Print Sys_Req Print Sys_Req

Seems to me it should totally be bindable like any other key, but it seems something eats the keypress as xev can't see it either.

---

On Sat, Feb 10, 2024, at 15:34, PM wrote:
> This works for me using my laptop keyboard. (T460s)
>
> bind-key Print "bin/screenshot"
>
> Does not work when using an external keyboard on my Docking station.

This is intriguing. My computer is a 'desktop' so I'm using an external keyboard; wireless if that matters.
Screenshotting using PrtScr in cwm?
So, this works for me in .cwmrc:

    bind-key 4-F11 "bin/screenshot"

It would make more sense to use the dedicated PrtScr key, but I can't work out what it's called; I've tried to brute force the name. Also, xev doesn't detect the keypress.
Re: Firefox, Chrome, Libreoffice bogus syscall on -current
On Thu, Dec 28, 2023, at 00:41, Ax0n wrote:
> I had been running #1471 since December 5th without issue, and this week
> upgraded to the latest snapshot (#1567) after which some apps such as
> Firefox won't run. They display "msyscall a8000 error" followed by a
> core dump. dmesg(1) shows a bogus syscall. I did ensure that I had properly
> sysmerged and updated packages. I waited until the next snapshot hit
> mirrors, and verified that this issue persists with build #1572 and fresh
> packages as well. Lenovo X1 Carbon Gen 8. dmesg in body. I can put core
> dumps somewhere if it helps.

I'm on #1576 and both ungoogled-chromium and firefox work fine.
cwm on wayland
So they're putting a Wayland in our BSD. I've never used that before. Is a port of cwm planned?
Re: Multicast Routing issues with OpenBSD
On 9.11.2022 12.39 PM, Barbaros Bilek wrote:

Hi again,

I've added this route:

    route add 239.0.1.2/32 172.16.1.1

But nothing changed. Is OpenBSD capable of multicast routing? Am I doing a wrong configuration? Any thoughts? Thanks in advance.

On Tue, Nov 8, 2022 at 6:28 PM Barbaros Bilek wrote:

Hi Folks,

I try to do multicast routing with OpenBSD 7.2. Here is my setup:

    # Default GW to internet
    echo 'inet autoconf' > /etc/hostname.em0
    # Get 10.10.12.81/24 from dhcp-server with gw 10.10.12.1

    # Multicast Server Interface (transmit packets)
    echo 'inet 172.16.1.1 255.255.255.0 NONE' > /etc/hostname.em1

    # Multicast Client interface (receive packets)
    echo 'inet 172.16.55.1 255.255.255.0 NONE' > /etc/hostname.em2

    # Forward ip & multicast
    echo 'sysctl net.inet.ip.forwarding=1' > /etc/sysctl.conf
    echo 'sysctl net.inet.ip.mforwarding=1' >> /etc/sysctl.conf

    # Enable Multicast on OpenBSD
    rcctl enable multicast

    # Disable PF
    rcctl disable pf

    # Mrouted Configuration
    multicast_test# cat /etc/mrouted.conf
    name STD 239.0.0.0/16
    pruning on
    phyint 172.16.1.1 threshold 16 boundary STD altnet 172.16.0.0/16
    phyint 172.16.55.1 threshold 16 boundary STD altnet 172.16.0.0/16
    phyint 10.10.12.81 disable

    # Enable mrouted on startUp
    rcctl enable mrouted

    # Reboot system
    reboot

For testing purposes I use this application: Singlewire Software IC Test Multicast (It uses ) I'm sure about my testing environment, because when I use a Brocade ICX L3 switch with router pim configuration everything is ok.

But with OpenBSD multicast routing fails. Here some logs:

    multicast_test# mrinfo
    127.0.0.1 (localhost) [version 3.8,prune,genid,mtrace]:
      10.10.12.81 -> 0.0.0.0 (local) [1/1/disabled]
      172.16.1.1 -> 0.0.0.0 (local) [1/16/querier/leaf]
      172.16.55.1 -> 0.0.0.0 (local) [1/16/querier/leaf]

    multicast_test# netstat -g
    Virtual Interface Table
     Vif  Thresh  Local-Address  Remote-Address  Pkt_in  Pkt_out
       1      16  172.16.1.1                        458        0
       2      16  172.16.55.1                         0        0

    Multicast Forwarding Cache
     Hash  Origin      Mcastgroup  Traffic  In-Vif  Out-Vifs/Forw-ttl
        0  172.16.1.1  239.0.1.2      458B       1
    Total no. of entries in cache: 1

    IPv6 Multicast Interface Table is empty
    IPv6 Multicast Routing Table is empty

Output when I run mrouted in debug mode:

    multicast_test# mrouted -d
    mrouted: debug level invalid
    debug level 2
    18:06:55.405 mrouted version 3.8
    18:06:55.407 Getting vifs from kernel interfaces
    18:06:55.408 installing em0 (10.10.12.81 on subnet 10.10.12/24) as vif #0 - rate=0
    18:06:55.408 installing em1 (172.16.1.1 on subnet 172.16.1/24) as vif #1 - rate=0
    18:06:55.408 installing em2 (172.16.55.1 on subnet 172.16.55/24) as vif #2 - rate=0
    18:06:55.408 Getting vifs from /etc/mrouted.conf
    18:06:55.408 Installing vifs in mrouted...
    18:06:55.408 vif #1, phyint 172.16.1.1
    18:06:55.409 vif #2, phyint 172.16.55.1
    pruning on
    18:06:55.410 Installing vifs in kernel...
    18:06:55.410 vif #1, phyint 172.16.1.1
    18:06:55.410 vif #2, phyint 172.16.55.1
    vifs_with_neighbors = 0
    Virtual Interface Table
     Vif  Name  Local-Address                        M  Thr  Rate  Flags
       0  em0   10.10.12.81   subnet: 10.10.12/24    1    1     0  disabled
    18:06:55.411 warning - SIOCGETVIFCNT fails
       1  em1   172.16.1.1    subnet: 172.16.1/24    1   16     0  querier
                alternate subnets: 172.16/16
                boundaries: 239.0/16
    18:06:55.411 warning - SIOCGETVIFCNT fails
       2  em2   172.16.55.1   subnet: 172.16.55/24   1   16     0  querier
                alternate subnets: 172.16/16
                boundaries: 239.0/16
    18:06:55.411 warning - SIOCGETVIFCNT fails

    Multicast Routing Table (3 entries)
     Origin-Subnet  From-Gateway  Metric  Tmr  In-Vif  Out-Vifs
     172.16.55/24                      1    0       2  1*
     172.16.1/24                       1    0       1  2*
     172.16/16                         1    0       1  2*
    18:07:15.583 update 0 starting at 3 of 3
    18:07:16.593 update 0 starting at 3 of 3
    18:07:17.602 update 0 starting at 3 of 3
    18:07:18.612 update 0 starting at 3 of 3

When I watch packets on em1 I can see multicast packets are arriving (constantly increasing...):

    multicast_test# tcpdump -nettti em1 host 239.0.1.2
    tcpdump: listening on em1, link-type EN10MB
    Nov 08 18:19:33.344608 2c:f0:5d:73:f8:c4 01:00:5e:00:01:02 0800 73: 172.16.1.2.50665 > 239.0.1.2.20480: udp 31
    Nov 08 18:19:34.358455 2c:f0:5d:73:f8:c4 01:00:5e:00:01:02 0800 73: 172.16.1.2.50665 > 239.0.1.2.20480: udp 31

But at the receiver side (em2) there are no multicast packets transmitted by em1. After a while I saw only one packet, an IGMP report with TTL 1:

    multicast_test# tcpdump -nettti em2 host 239.0.1.2
    tcpdump: listening on em2, link-type EN10MB
    Nov 08 18:21:12.994258 2c:f0:5d:73:f8:c3 01:00:5e:00:01:02 0800 60: 172.16.55.2 >
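Two things in the posted configuration are worth checking before suspecting the kernel, and the added example below (this editor's, not from the thread) does the first of them in code. mrouted.conf(5) defines a boundary as a range of group addresses that will not be forwarded across the phyint it is attached to; the post's "name STD 239.0.0.0/16" used as "boundary STD" on both phyints covers the test group 239.0.1.2, so that group is exactly what the boundary stops. The script checks a group against one or more boundary ranges, then prints a configuration for the same interfaces that scopes only 239.255.0.0/16 (the local-scope range of RFC 2365, named LOCAL here as this example's choice) so the test group can cross between em1 and em2; the threshold is left at its default of 1 because the sender's TTL is not known from the thread. The second thing is not in the code: /etc/sysctl.conf takes bare name=value lines, so the "sysctl " prefix written into it by the post's echo commands is not part of that file's format.

```sh
#!/bin/sh
# Added example (not from the thread): check a multicast group against
# mrouted boundary ranges and print an mrouted.conf whose boundary does not
# cover the test group. Addresses are the thread's; the boundary name LOCAL
# and its range are this example's choice.

# ip_to_int A.B.C.D: print the address as an unsigned 32-bit integer.
ip_to_int() {
    echo "$1" | {
        IFS=. read -r o1 o2 o3 o4
        echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    }
}

# in_prefix ADDR NET/LEN: succeed when ADDR lies inside NET/LEN.
in_prefix() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# forwardable GROUP RANGE...: succeed when GROUP is outside every boundary
# RANGE given, i.e. when a phyint carrying those boundaries would forward it.
forwardable() {
    group=$1
    shift
    for range in "$@"; do
        if in_prefix "$group" "$range"; then
            return 1
        fi
    done
    return 0
}

# print_mrouted_conf: configuration for the post's phyints that scopes only
# 239.255.0.0/16, so 239.0.1.2 is forwarded between em1 and em2. threshold
# stays at its default (1) since the sender's TTL is unknown.
print_mrouted_conf() {
    cat <<'EOF'
name LOCAL 239.255.0.0/16
pruning on
phyint 172.16.1.1 boundary LOCAL altnet 172.16.0.0/16
phyint 172.16.55.1 boundary LOCAL altnet 172.16.0.0/16
phyint 10.10.12.81 disable
EOF
}

# Stand-alone run: the verdict for the post's group under both boundaries.
for range in 239.0.0.0/16 239.255.0.0/16; do
    if forwardable 239.0.1.2 "$range"; then
        echo "239.0.1.2 is forwarded with boundary $range"
    else
        echo "239.0.1.2 is dropped by boundary $range"
    fi
done
```

Run it as is to see the verdicts, or redirect print_mrouted_conf into /etc/mrouted.conf and restart mrouted; a group that in_prefix places inside a boundary range will never show up in the Out-Vifs column for that phyint, whatever the rest of the setup looks like.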
Patch for www:upgrade66
16 Oct 2019 19:15:14 - @@ -627,8 +627,13 @@ ike dynamic esp transport proto udp from psk mekmitasdigoat +<<<<<<< faq17.html +Once the IKEv1 tunnel is up and running, the L2TP tunnel need to be configured. +OpenBSD doesn't provide an L2TP client by default, so installing +=== Once the IKEv1 tunnel is up and running, the L2TP tunnel needs to be configured. OpenBSD doesn't provide an L2TP client by default, so installing +>>>>>>> 1.5 xl2tpd is required. Index: faq/upgrade66.html === RCS file: /cvs/www/faq/upgrade66.html,v retrieving revision 1.10 diff -u -p -r1.10 upgrade66.html --- faq/upgrade66.html 16 Oct 2019 17:48:16 - 1.10 +++ faq/upgrade66.html 16 Oct 2019 19:15:14 - @@ -36,10 +36,10 @@ local system first. Start by performing the pre-upgrade steps. Next, boot from the install kernel, bsd.rd: -use bootable install media, or place the -6.6 version of bsd.rd in the root of your filesystem and +use bootable install media, or place the +6.6 version of bsd.rd in the root of your filesystem and instruct the boot loader to boot this kernel. -Once this kernel is booted, choose the (U)pgrade option and +Once this kernel is booted, choose the (U)pgrade option and follow the prompts. @@ -136,7 +136,7 @@ any post-release fixes. acme-client(1). https://man.openbsd.org/OpenBSD-6.6/acme-client.1;>acme-client(1) - has been updated to implement the recently published RFC8555. Users + has been updated to implement the recently published RFC8555. Users must change the api url in https://man.openbsd.org/OpenBSD-6.6/acme-client.5;> /etc/acme-client.conf from @@ -286,7 +286,7 @@ any post-release fixes. Remove files associated with client use of the X Font Service: rm -f /usr/X11R6/lib/pkgconfig/libfs.pc \ -/usr/X11R6/include/X11/fonts/FSlib.h +/usr/X11R6/include/X11/fonts/FSlib.h; rm -rf /usr/X11R6/share/doc/libFS -- ~ " Fully Basic System Distinguish Life! " ~ " Libre as a BSD " +=<<< Stephane HUC as PengouinBSD or CIOTBSD b...@stephane-huc.net
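Review bot: the faq17.html hunk at @@ -627 adds unresolved CVS conflict markers (`<<<<<<< faq17.html`, `===`, `>>>>>>> 1.5`) as new lines, so applying it would publish the markers in the page. The two sides of the conflict differ only in line wrapping and "need" versus "needs"; keep the 1.5 wording ("the L2TP tunnel needs to be configured"), drop the three marker lines, and regenerate the diff against the current revision before sending it again.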
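Review bot: in the upgrade66.html hunk at @@ -36, every removed line and its replacement read identically as shown here, so the change must be whitespace only (trailing blanks or a tab/space swap). Say so in the log message, and a `cvs diff -u -b` against the tree would confirm that nothing other than whitespace moved.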
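Review bot: the @@ -136 hunk likewise shows a removed and an added line that read the same ("has been updated to implement the recently published RFC8555. Users"), so this too is whitespace only; fine to commit with the other whitespace fixes, but worth one word in the log so it is not mistaken for a content change.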
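Review bot: in the @@ -286 hunk the added `;` after `/usr/X11R6/include/X11/fonts/FSlib.h` is redundant if `rm -rf /usr/X11R6/share/doc/libFS` stays on its own line, since the line break already terminates the first `rm -f`; as the patch appears here (run together, so the breaks are not visible) it is unclear whether the intent is to join the two commands on one line. State in the log which it is, and check that the rendered page still shows the backslash continuation on the `libfs.pc \` line followed by the FSlib.h path and, separately, the `rm -rf` command.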
Re: Postscript printer recommendations
On 7/16/19 11:03 AM, Jonathan Drews wrote:
> On Tue, Jul 16, 2019 at 10:36:03AM -0700, BSD user wrote:
> > On 7/16/19 4:13 AM, Jonathan Drews wrote:
> > > On Tue, Jul 16, 2019 at 08:06:20AM +, Roderick wrote:
> > >
> > > At this point, I am going to look for another printer that is more
> > > OpenBSD friendly. My Desjet 6940 is pretty old and the cartridges
> > > cost a lot (> USD $120.00)
> > >
> > > Kind regards,
> > > Jonathan
> >
> > I may just be a luddite, but after wasting multiple days messing
> > around with cups, ghostscript, hplip et al, I decided it was just
> > easier to print everything via postscript.
> >
> > . . .
> >
> > This solution doesn't offer the convenience of automagically
> > converting arbitrary file formats to PCL or whatever the printer
> > format of the day is, but it works for me without having to add a
> > ridiculous number of packages and configs.
>
> Thanks Roderick: I got to this instruction in the CUPS Readme:
>
>     *** WARNING ***
>     ulpt(4) needs to be disabled in the kernel (see config(8)) or the
>     printer will not be available to libusb.
>
> I read the manpage for config(8) and I can't seem to find the appropriate
> configuration file in /usr/src/sys/arch/amd64/compile. I'll have to read
> up on compiling the kernel and modifying its configuration file. Once
> again thanks for all the generous help from you guys.
>
> Regards,
> Jonathan

I think you can temporarily disable ulpt via ukc, but I can't confirm as I'm currently travelling. As sthen@ said (IIRC) earlier in the thread, if your printer has networking (ethernet or wifi) support, it's usually easiest to just print over the network as it saves having to mess with kernel configs and device node permissions. Because I don't trust printers and their ancient firmware and "cloud" features, I threw my printer on an isolated VLAN with a firewall rule set in my router to block any outgoing internet traffic from the printer.

Cheers
Re: Postscript printer recommendations
On 7/16/19 4:13 AM, Jonathan Drews wrote:
> On Tue, Jul 16, 2019 at 08:06:20AM +, Roderick wrote:
>
> At this point, I am going to look for another printer that is more
> OpenBSD friendly. My Desjet 6940 is pretty old and the cartridges cost
> a lot (> USD $120.00)
>
> Kind regards,
> Jonathan

I may just be a luddite, but after wasting multiple days messing around with cups, ghostscript, hplip et al, I decided it was just easier to print everything via postscript.

My printing "workflow" is quite rudimentary, but it has yet to fail me. I set up a simple lpd server on my desktop pointing to my Brother printer, from which I can print raw .txt, pdf or postscript files directly via lpr/lpd. If I find myself needing to print a file that isn't in one of these formats, I simply convert them to that format manually. If I need to print a .doc or .odt file, I just open them in LibreOffice and export them to pdf, which can then be printed via lpr. (As an aside, LibreOffice supports rendering pages to postscript and printing them directly as it seems to detect my lpd setup and offers "Generic Printer" as an option, allowing me to print directly from within LibreOffice.)

This solution doesn't offer the convenience of automagically converting arbitrary file formats to PCL or whatever the printer format of the day is, but it works for me without having to add a ridiculous number of packages and configs.
Re: Moving from Bird to OpenBGPD
On 7/14/19 11:24 PM, Claudio Jeker wrote:
> On Sun, Jul 14, 2019 at 07:28:29PM -0700, BSD user wrote:
> > On 7/14/19 12:52 AM, Denis Fondras wrote:
> > > On Sat, Jul 13, 2019 at 09:44:28PM -0700, BSD user wrote:
> > > > Hello,
> > > >
> > > > My apologies for sending this email multiple times. I was so
> > > > mortified by Tutanota's awful text formatting that I created a new
> > > > mail account that supported IMAP so that I could load it up in
> > > > Thunderbird with text only mode enabled. Once again, my apologies
> > > > for my rookie mistake choosing Tutanota for use on an international
> > > > mailing list such as this one. I hope you guys will give me one
> > > > more chance. My (hopefully) unmangled message is below.
> > >
> > > You did not include which version you are running, I'll assume this
> > > is 6.5. It seems you do not have any filter, OpenBGPD denies
> > > everything by default.
> >
> > Thanks for the reply Denis. You were right, I was missing my allow
> > rules. After setting "allow from any AS 64515" and "allow to any"
> > rules, everything started working. I was able to get IPv6 working as
> > well without a hitch.
> >
> > Are there any other filter rules I should be setting to secure my BGP
> > deployment? I'm on a private ASN assigned to me by Vultr. This is my
> > first foray into BGP land, so any advice or tips would be much
> > appreciated.
>
> Ideally you want to limit the filters to only announce what you really
> need to announce to prevent leaking of prefixes because of a
> misconfiguration. Also what is Vultr sending you via BGP? Depending on
> that you may be able to limit the input as well.
> I guess in this simple setup it does not matter to have simple allow
> filters since this bgpd instance is not connected to the default free
> zone and so there is less risk of leaking or receiving leaked routes.
> In general if your BGP setup has more than one external neighbor you
> need to take care of your filters to make sure that you don't leak
> updates from one neighbor to the other.

Thanks for the reply Claudio!

You were right, my "allow from" rule was unnecessary, Vultr doesn't appear to be sending me anything. I managed to get my "allow to" rule tightened up to look like this:

    allow to any prefix {xxx.xxx.xxx.141/32 2001:::::/64}

I tried tightening the rule down further to restrict to Vultr's upstream AS and IP addresses like so:

    allow to 169.254.169.254 AS 64515 prefix 140.82.0.141/32

Unfortunately the rule doesn't work properly as my prefixes immediately become unpingable after loading that rule. I'm probably missing something obvious. Any suggestions on how to tighten down the rule further?

My final question is concerning assigning prefixes to interfaces. Is it best practice to assign the addresses to something like the 'lo1' loopback interface, or should assigning it as an alias on an egress interface suffice? I tried and they both seem to work.

Thanks
Re: Moving from Bird to OpenBGPD
On 7/14/19 12:38 PM, Rudy Baker wrote:
> It's sad how hostile this mailing list is that you need to beg
> forgiveness for using a different email client because you may have
> triggered some of these people.

I'm not too concerned. I'm grateful for the fact that the OpenBSD community has high standards. Upon reading my message on marc.info, I myself was irritated by the poor formatting. I appreciate that Ingo contacted me privately and informed me that tutanota was mangling my mail. Upon realizing this, I rectified the issue, as it's a matter of etiquette: I'm already asking strangers to take time out of their day to assist me, the least I can do is make it easy for them to understand my request.
Re: Moving from Bird to OpenBGPD
On 7/14/19 12:52 AM, Denis Fondras wrote:
> On Sat, Jul 13, 2019 at 09:44:28PM -0700, BSD user wrote:
> > Hello,
> >
> > My apologies for sending this email multiple times. I was so mortified
> > by Tutanota's awful text formatting that I created a new mail account
> > that supported IMAP so that I could load it up in Thunderbird with text
> > only mode enabled. Once again, my apologies for my rookie mistake
> > choosing Tutanota for use on an international mailing list such as
> > this one. I hope you guys will give me one more chance. My (hopefully)
> > unmangled message is below.
>
> You did not include which version you are running, I'll assume this is
> 6.5. It seems you do not have any filter, OpenBGPD denies everything by
> default.

Thanks for the reply Denis. You were right, I was missing my allow rules. After setting "allow from any AS 64515" and "allow to any" rules, everything started working. I was able to get IPv6 working as well without a hitch.

Are there any other filter rules I should be setting to secure my BGP deployment? I'm on a private ASN assigned to me by Vultr. This is my first foray into BGP land, so any advice or tips would be much appreciated.

Cheers
Moving from Bird to OpenBGPD
Hello,

My apologies for sending this email multiple times. I was so mortified by Tutanota's awful text formatting that I created a new mail account that supported IMAP so that I could load it up in Thunderbird with text only mode enabled. Once again, my apologies for my rookie mistake choosing Tutanota for use on an international mailing list such as this one. I hope you guys will give me one more chance. My (hopefully) unmangled message is below.

--

Hello,

I’m having some trouble configuring OpenBGPD to replace my Bird deployment. I’m trying to set up redundant web infrastructure for a few websites I host with Vultr. To do so, I followed this guide: https://www.vultr.com/docs/high-availability-on-vultr-with-floating-ip-and-bgp

It works flawlessly with Bird running on OpenBSD, but I obviously prefer to run utilities from the base system wherever possible. I’ve spent more time than I’d like to admit trying to get this setup working on OpenBGPD. The only thing I did differently from the above guide was use lo1 rather than a dummy interface, as dummy interfaces appear to be a linuxism as per this mailing list thread I found: http://openbsd-archive.7691.n7.nabble.com/Dummy-Interface-In-OpenBGPd-td34009.html

Basically, all I’m trying to do is port my Bird config over to OpenBGPD. At this point I’m just banging my head against a wall. I’ve spent several days googling, reading man pages and trying different configs. I must be missing something basic, and it’s likely something obvious I’m missing, as I am by no means a BGP expert.

My bird config looks like this:

    log "/var/log/bird" all;
    router id xxx.xxx.224.9;

    protocol device {
        scan time 60;
    }

    protocol direct {
        interface "lo1";
    }

    protocol bgp vultr {
        local as 65xxx;
        source address xxx.xxx.224.9;
        import none;
        export all;
        graceful restart on;
        next hop self;
        multihop 2;
        neighbor 169.254.169.254 as 64515;
        password "xx";
    }

My attempt at a bgpd.conf looks like this:

    # Global Configuration
    AS 65xxx
    router-id xxx.xxx.224.9

    # Our Address Space
    network xxx.xxx.0.141/32
    network inet connected

    # IPv4 Peers
    neighbor 169.254.169.254 {
        remote-as 64515
        tcp md5sig password xx
        set nexthop self
        multihop 2
        descr Vultr
        local-address xxx.xxx.224.9
        announce IPv4 unicast
    }

Any assistance you fine folks could provide to help me get this working would be hugely appreciated. I've also attached my config files to eliminate any chance of them being mangled. Thanks so much for your time.
Re: alternative method for "gtar --delete"
Aaron,

Thank you for putting me down this path. A few flags aside, this is the solution I was looking for. BTW, OpenBSD's man pages are a cut above the rest; and I'd like to thank everyone involved in the project for such an awesome OS.

All the best,
Keith Larsen
CPS Coatings

On Mon, 21 Nov 2016 13:26:29 +1100
Aaron Mason <simplersolut...@gmail.com> wrote:

> Your best bet is to generate a list and use it to build your archive -
> save a bit of effort and create your omit list:
>
> # cd /site1/omit
> # find . > /tmp/siteXX-omit.lst
>
> Then use this list to filter out any unwanted files from /share
> and /append:
>
> # cd /share
> # find . | grep -v -f /tmp/siteXX-omit.lst | xargs tar -czpvf /site1/siteXX.tgz
> # cd /append
> # find . | grep -v -f /tmp/siteXX-omit.lst | xargs tar -rzpvf /site1/siteXX.tgz
>
> Then, for cleanliness' sake:
>
> # rm /tmp/siteXX-omit.lst
>
> Hope this helps
>
> On Sat, Nov 19, 2016 at 3:44 AM, BSD <b...@cpscoatings.net> wrote:
> > On Fri, 18 Nov 2016 14:07:45 +1100
> > Aaron Mason <simplersolut...@gmail.com> wrote:
> >
> >> It's a bit long winded, but here's a possibility:
> >>
> >> # cd /
> >> # tar zcpvf siteXX.tgz /share/* /siteX/*
> >>
> >> # tar ztf siteXX.tgz | grep '^/share' | xargs rm -f
> >>
> >> Though I'm not entirely sure what you mean by "on a per site
> >> basis" in this context, can you elaborate please, especially if
> >> the above solution is not what you need.
> >>
> >> On Fri, Nov 18, 2016 at 10:20 AM, BSD <b...@cpscoatings.net>
> >> wrote:
> >> > Does misc@ have an alternative method for "gtar --delete"?
> >
> > Sorry for any vagueness! I don't wish to delete any files
> > from /share, but have a subset of /share in siteXX.tgz. Also should
> > have mentioned that /share, /append, and /omit cannot be in the
> > path because siteXX.tgz is plopped on / during an install.
> >
> > What I have so far is to first create an archive using files
> > in /share.
> >
> > # cd /share
> > # tar -cpvf /site1/siteXX.tgz *
> >
> > Then I append to that archive using files in /site1/append.
> >
> > # cd /site1/append/
> > # tar -rpvf /site1/siteXX.tgz *
> >
> > Next is where I am stuck. Removing files from the archive that are
> > FROM /share that are not wanted in /site1/siteXX.tgz. I planned to
> > have an empty file of the same name in /site1/omit for each file to
> > delete from the archive.
> >
> > # cd /site1/omit/
> > # tar --delete /site1/siteXX.tgz *
> >
> > invalid flag
> >
> > Or perhaps I need to have a list of the files that gets appended and
> > redacted before ever creating the archive.
> >
> > Hope this picture got clearer...
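The list-then-archive approach settled on above works, and the added example below (this editor's, not Aaron's or Keith's own commands) writes it out with the two details a practitioner would tighten. First, "grep -v -f" treats each omit entry as an unanchored regular expression: "./etc/pf.conf" would also drop "./etc/pf.conf.orig", and the "." line that "find ." prints first matches every line, so the shared set would come out empty; exact fixed-string matching (grep -x -F) avoids both. Second, "xargs tar -c" re-creates the archive for every batch of arguments once the list is long, so the list is handed to tar as a file instead. Directory roles are the thread's; the function names, the fixture, and the assumption that the omit tree mirrors the layout of /share (omit/etc/pf.conf names share/etc/pf.conf) are this example's. "tar -I FILE" is OpenBSD tar(1) syntax for reading member names from a file (GNU tar spells it -T), so build_archive is meant for the OpenBSD box while the list-building functions run anywhere.

```sh
#!/bin/sh
# Added example (not Aaron's or Keith's commands): build a per-site file
# list from share minus omit plus append, then hand it to tar(1).
# Assumption: the omit tree mirrors share's layout. Names containing
# newlines cannot be carried by a one-per-line list.

# list_files DIR: relative paths of the regular files and symlinks under
# DIR, one per line, sorted; prints nothing when DIR does not exist.
list_files() {
    [ -d "$1" ] || return 0
    ( cd "$1" && find . \( -type f -o -type l \) | LC_ALL=C sort )
}

# filter_omitted OMITLIST: drop input lines equal to a line of OMITLIST.
# Exact fixed-string matching; an empty list passes everything through,
# and "no line selected" (grep status 1) is not treated as an error.
filter_omitted() {
    if [ -s "$1" ]; then
        grep -v -x -F -f "$1" || [ $? -eq 1 ]
    else
        cat
    fi
}

# select_files SHARE APPEND OMIT: print the paths to archive, the shared
# files (minus those named under OMIT) first, then the site-specific ones.
select_files() {
    omitlist=$(mktemp) || return 1
    list_files "$3" > "$omitlist"
    list_files "$1" | filter_omitted "$omitlist"
    list_files "$2"
    rm -f "$omitlist"
}

# build_archive ARCHIVE SHARE APPEND OMIT: write the gzip'ed archive. Two
# tar passes are needed because the two groups of files live under
# different roots, and appending only works on an uncompressed archive,
# so gzip runs last. tar -I FILE is OpenBSD tar(1) syntax.
build_archive() {
    archive=$1 share=$2 append=$3 omit=$4
    omitlist=$(mktemp) && sharelist=$(mktemp) && appendlist=$(mktemp) &&
    plain=$(mktemp) || return 1
    list_files "$omit" > "$omitlist"
    list_files "$share" | filter_omitted "$omitlist" > "$sharelist"
    list_files "$append" > "$appendlist"
    ( cd "$share" && tar -cpf "$plain" -I "$sharelist" ) &&
    ( cd "$append" && tar -rpf "$plain" -I "$appendlist" ) &&
    gzip -c "$plain" > "$archive"
    status=$?
    rm -f "$omitlist" "$sharelist" "$appendlist" "$plain"
    return $status
}

# make_fixture: a throwaway tree using the file names from the thread
# (constructed sample, not a real system); prints its path.
make_fixture() {
    root=$(mktemp -d) || return 1
    fonts=usr/X11R6/lib/X11/fonts/TTF/Collection
    mkdir -p "$root/share/etc" "$root/share/$fonts" "$root/site1/append" \
             "$root/site1/omit/etc" "$root/site1/omit/$fonts"
    for f in share/etc/pf.conf share/etc/pf.conf.orig share/etc/vi.exrc \
             "share/$fonts/big.ttc" site1/append/install.conf \
             site1/omit/etc/pf.conf "site1/omit/$fonts/big.ttc"; do
        : > "$root/$f"
    done
    echo "$root"
}

# Stand-alone run: show what would go into site1's archive.
root=$(make_fixture)
echo "members for site1:"
select_files "$root/share" "$root/site1/append" "$root/site1/omit"
rm -rf "$root"
```

On the real tree the call is build_archive /site1/siteXX.tgz /share /site1/append /site1/omit; the member names stay relative (./etc/pf.conf), which is what makes the archive safe to unpack on / during the install.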
Re: alternative method for "gtar --delete"
On Fri, 18 Nov 2016 14:07:45 +1100
Aaron Mason <simplersolut...@gmail.com> wrote:

> It's a bit long winded, but here's a possibility:
>
> # cd /
> # tar zcpvf siteXX.tgz /share/* /siteX/*
>
> # tar ztf siteXX.tgz | grep '^/share' | xargs rm -f
>
> Though I'm not entirely sure what you mean by "on a per site basis" in
> this context, can you elaborate please, especially if the above
> solution is not what you need.
>
> On Fri, Nov 18, 2016 at 10:20 AM, BSD <b...@cpscoatings.net> wrote:
> > Does misc@ have an alternative method for "gtar --delete"?

Sorry for any vagueness! I don't wish to delete any files from /share, but have a subset of /share in siteXX.tgz. Also should have mentioned that /share, /append, and /omit cannot be in the path because siteXX.tgz is plopped on / during an install.

What I have so far is to first create an archive using files in /share.

    # cd /share
    # tar -cpvf /site1/siteXX.tgz *

Then I append to that archive using files in /site1/append.

    # cd /site1/append/
    # tar -rpvf /site1/siteXX.tgz *

Next is where I am stuck. Removing files from the archive that are FROM /share that are not wanted in /site1/siteXX.tgz. I planned to have an empty file of the same name in /site1/omit for each file to delete from the archive.

    # cd /site1/omit/
    # tar --delete /site1/siteXX.tgz *

    invalid flag

Or perhaps I need to have a list of the files that gets appended and redacted before ever creating the archive.

Hope this picture got clearer...
alternative method for "gtar --delete"
Does misc@ have an alternative method for "gtar --delete"? I'm making siteXX.tgz's for multiple sites. There is a directory that is shared between all sites. Then, each site may have a directory of files to append to the archive. I'd also like to be able to remove files from the yet to be zipped archive that come from the shared directory on a per site basis. Just looking to stay within base if possible.

Example files:

    /share/etc/pf.conf
    /share/etc/vi.exrc
    /share/usr/X11R6/lib/X11/fonts/TTF/Collection/...
    /site1/append/install.conf
    /site1/omit/X11R6/lib/X11/fonts/TTF/Collection/...

Any advice on my methods or scheme in general would be appreciated!

All the best,
Keith Larsen
CPS Coatings
Re: SPARC minimum hardware specification
On Thu, 16 Jul 2015 21:09:30 +0300 Mihai Popescu mih...@gmail.com wrote:
> Hello,
>
> I never used a SPARC machine but I recall there are some people on the
> list doing this. What are the minimum requirements for a decent SPARC
> machine? I mean by that a machine which is able to run OpenBSD as a
> desktop. I am currently using a Pentium 4 3.2GHz with 2 GB DDR and it
> barely meets my needs. Tell me please the CPU or the machine name, I
> will search the prices :-).
>
> Thanks

Hello Misc,

As a new user, I find myself in the same position as the OP: very interested in non-Intel products. But there seems to be a vacuum of information around this topic. (Which tells me I'm on the right track.) No operating system can protect itself from its own hardware. So how does one protect one's family in these hostile and trying times and what-not?

The replies to the OP seem discouraging. If not Oracle, and not Fujitsu, then what? If not a sparc desktop, then what about a sparc router? A RISC anything?? I have yet to achieve that warm fuzzy feeling, and I fear that it is not within my reach.

Long live Puffy!

All the best,
Keith Larsen
CPS Coatings
318-222-6100
Re: Thinkpad x220i hangs after a few days of uptime
Well, thanks for your replies so far. I am currently trying to repeat the problem but it didn't happen the last four days (apmd is running).

@Ville Valkonen: what applications do you use? I have quite a few big ones (chrome, firefox, xombrero, eclipse, java). I suspect that one of those programs is causing the trouble (they have coredumps quite often), so I close the programs when I don't need them.

Is there a way to activate enhanced/deeper logging functionality?

On 12/18/13, Ville Valkonen weezeld...@gmail.com wrote:
> On 17 December 2013 14:10, Christian Weisgerber na...@mips.inka.de wrote:
> > Stuart Henderson s...@spacehopper.org wrote:
> > > > i am using a Thinkpad x220i and I have a weird problem. Most of
> > > > the time, i just put my notebook into suspend mode (zzz), so, I do
> > > > not often reboot. After 4 or 5 days, my notebook suddenly stops
> > > > and I can't do anything except pressing the power button for 4 or
> > > > 5 seconds and reboot.
> > >
> > > Try disabling apmd, it is known to cause hangs on some systems.
> >
> > Which seems odd because my X230 suffers those hangs only when it is
> > sitting there idling, but not when it is flat out busy or during
> > interactive use.
> > --
> > Christian "naddy" Weisgerber na...@mips.inka.de
>
> Hello Christian,
>
> X230i here and running smoothly. Out of curiosity, do you have the
> latest bios updates?
>
> $ uptime
> 2:06PM up 8 days, 13:08, 5 users, load averages: 0.25, 0.33, 0.36
>
> ..and still going strong. This includes several cycles of suspend
> resume.
>
> Regards,
> Ville Valkonen
Upstream error: Nginx, slowcgi, and perl/cgi support.
Hello everyone. I'm having trouble setting up cgi/perl support for Nginx on OpenBSD 5.3. I get 502 Bad Gateway in the browser when I type /cgi-bin/test.cgi, which is a simple Hello World cgi file; it doesn't work with my setup. The error.log says:

  [error] 29912#0: *6 upstream prematurely closed FastCGI stdout while reading response header from upstream, server: localhost, request: "GET /cgi-bin/test.cgi HTTP/1.1", upstream: "fastcgi://unix:/run/slowcgi.sock:"

  # pwd
  /var/www/htdocs/cgi-bin
  # cat test.cgi
  #!/usr/bin/perl
  print "Content-type: text/html\n\n";
  print "<html><body>Hello, world.</body></html>";

Both the cgi-bin folder and the test.cgi file have appropriate chmod settings for executing. Slowcgi is running (I follow the 5.3-stable branch, but I downloaded the Makefile, slowcgi.8 and slowcgi.c files and compiled it):

  www 20010 0.0 0.1 636 1104 ?? Is 8:58PM 0:01.11 ./slowcgi

The socket is also there:

  # ls -al /var/www/run/slowcgi.sock
  srw-rw 1 www www 0 Jul 8 20:58 /var/www/run/slowcgi.sock

Thinking of chroot(), I have even tried adding a copy of the perl binary to:

  # ls -l /var/www/usr/bin/
  -rwxr-xr-x 1 root daemon 10725 Jul 9 19:15 perl

And my nginx.conf:

  server {
      listen 192.168.1.4:80;
      server_name localhost local.web.ns;
      root /var/www/htdocs;

      location ~ ^/cgi-bin/.*\.cgi$ {
          root /var/www/htdocs;
          gzip off;
          fastcgi_pass unix:/run/slowcgi.sock;
          fastcgi_index index.cgi;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param SCRIPT_NAME $fastcgi_script_name;
          fastcgi_param QUERY_STRING $query_string;
          fastcgi_param REQUEST_METHOD $request_method;
          fastcgi_param CONTENT_TYPE $content_type;
          fastcgi_param CONTENT_LENGTH $content_length;
          fastcgi_param GATEWAY_INTERFACE CGI/1.1;
          fastcgi_param SERVER_SOFTWARE nginx;
          fastcgi_param SCRIPT_NAME $fastcgi_script_name;
          fastcgi_param REQUEST_URI $request_uri;
          fastcgi_param DOCUMENT_URI $document_uri;
          fastcgi_param DOCUMENT_ROOT $document_root;
          fastcgi_param SERVER_PROTOCOL $server_protocol;
          fastcgi_param REMOTE_ADDR $remote_addr;
          fastcgi_param REMOTE_PORT $remote_port;
          fastcgi_param SERVER_ADDR $server_addr;
          fastcgi_param SERVER_PORT $server_port;
          fastcgi_param SERVER_NAME $server_name;
      }
  }
  }

What would be the problem that I don't get the right output in the browser with Nginx from any .cgi files? Thanks.
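Two checks worth running before blaming nginx, as an added example (not code from the post, nor from the nginx or slowcgi projects): the first confirms that the script's interpreter exists and is executable at the same path inside the chroot directory given as the first argument (slowcgi runs chrooted, so "#!/usr/bin/perl" resolves to /var/www/usr/bin/perl; a dynamically linked interpreter additionally needs the libraries ldd(1) lists copied under the chroot, which this check does not cover), the second runs the script and verifies that its stdout starts with CGI header lines terminated by an empty line, because a script that dies before printing any header is exactly what nginx logs as "upstream prematurely closed FastCGI stdout while reading response header". Paths are arguments; the /var/www layout from the post is only the default to try.

```sh
#!/bin/sh
# Added example, not code from the original post. Two checks for a CGI script
# that slowcgi(8) will execute on nginx's behalf; paths are arguments, so the
# checks run against any directory laid out like the poster's /var/www.
#
# check_cgi_interp CHROOT SCRIPT
#   Reads SCRIPT's "#!" line and verifies that the interpreter exists and is
#   executable at the same path inside CHROOT. slowcgi runs inside the
#   chroot (/var/www), so "#!/usr/bin/perl" means /var/www/usr/bin/perl.
#   A dynamically linked interpreter also needs the shared libraries that
#   ldd(1) lists copied under CHROOT; that is not checked here.
check_cgi_interp() {
    _chroot=$1 _script=$2
    _line=$(head -n 1 "$_script")
    case $_line in
        '#!'*) ;;
        *) echo "$_script: no #! line"; return 1 ;;
    esac
    # drop "#!", leading blanks and interpreter arguments such as -w
    _interp=$(printf '%s' "${_line#??}" | sed 's/^ *//; s/ .*//')
    if [ ! -x "$_chroot$_interp" ]; then
        echo "$_script: $_interp is not executable under $_chroot"
        return 1
    fi
    echo "$_script: interpreter $_interp present in chroot"
}

# check_cgi_output SCRIPT
#   Runs SCRIPT and inspects what it writes to stdout, which is what slowcgi
#   forwards to nginx: one or more "Name: value" header lines followed by an
#   empty line. A script that exits before printing any header (for example
#   because its interpreter failed to start inside the chroot) is what nginx
#   reports as "upstream prematurely closed FastCGI stdout while reading
#   response header". Exit status 0 when the headers are well formed.
check_cgi_output() {
    "$1" 2>/dev/null | awk '
        blank { next }                                  # body: not inspected
        $0 == "" { if (NR == 1) bad = "empty first line"; blank = 1; next }
        $0 !~ /^[A-Za-z][A-Za-z0-9-]*:/ { bad = "not a header line: " $0 }
        END {
            if (NR == 0) bad = "no output at all (interpreter failed?)"
            else if (!blank && bad == "") bad = "headers not terminated by an empty line"
            if (bad != "") { print bad; exit 1 }
            print "headers look valid"
        }'
}

# Usage: cgicheck.sh CHROOT SCRIPT, e.g. cgicheck.sh /var/www /var/www/htdocs/cgi-bin/test.cgi
if [ $# -eq 2 ]; then
    check_cgi_interp "$1" "$2" && check_cgi_output "$2"
fi
```

The second check runs the script outside the chroot, so it validates the script's own output format; to reproduce what slowcgi sees, run the same script under chroot(8) with the chroot directory as root.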
[patch] Huawei E1750 support
Hi, I got E1750 with O2 and noticed it's not working with -current. Here is the little patch, that should do the trick. Without this patch, device shows up as a sdX (just the flash part of device, and /dev/cuaU0 is not set up) Cheers, Jurij Index: dev/usb/umsm.c === RCS file: /cvs/src/sys/dev/usb/umsm.c,v retrieving revision 1.77 diff -u -p -r1.77 umsm.c --- dev/usb/umsm.c 8 Jul 2011 23:10:31 - 1.77 +++ dev/usb/umsm.c 20 Jul 2011 17:22:33 - @@ -140,6 +140,7 @@ static const struct umsm_type umsm_devs[ {{ USB_VENDOR_HUAWEI, USB_PRODUCT_HUAWEI_Mobile }, DEV_HUAWEI}, {{ USB_VENDOR_HUAWEI, USB_PRODUCT_HUAWEI_K3765_INIT }, DEV_UMASS5}, {{ USB_VENDOR_HUAWEI, USB_PRODUCT_HUAWEI_K3765 }, 0}, + {{ USB_VENDOR_HUAWEI, USB_PRODUCT_HUAWEI_E1750 }, DEV_UMASS5}, {{ USB_VENDOR_HUAWEI, USB_PRODUCT_HUAWEI_E1752 }, 0}, {{ USB_VENDOR_HYUNDAI, USB_PRODUCT_HYUNDAI_UM175 }, 0}, Index: dev/usb/usbdevs === RCS file: /cvs/src/sys/dev/usb/usbdevs,v retrieving revision 1.548 diff -u -p -r1.548 usbdevs --- dev/usb/usbdevs 8 Jul 2011 23:09:06 - 1.548 +++ dev/usb/usbdevs 20 Jul 2011 17:22:34 - @@ -1963,6 +1963,7 @@ product HUAWEI E220 0x1003 HUAWEI Mobil product HUAWEI Mobile 0x1008 HUAWEI Mobile Modem product HUAWEI E1800x140c HUAWEI Mobile E180 product HUAWEI E5100x1411 HUAWEI Mobile E510 +product HUAWEI E1750 0x1406 HUAWEI Mobile Modem product HUAWEI E1752 0x1417 HUAWEI Mobile Modem product HUAWEI E1820x1429 HUAWEI Mobile Modem product HUAWEI E1610x1446 HUAWEI Mobile Modem Index: dev/usb/usbdevs.h === RCS file: /cvs/src/sys/dev/usb/usbdevs.h,v retrieving revision 1.558 diff -u -p -r1.558 usbdevs.h --- dev/usb/usbdevs.h 8 Jul 2011 23:09:28 - 1.558 +++ dev/usb/usbdevs.h 20 Jul 2011 17:22:34 - 
@@ -1970,6 +1970,7 @@ #defineUSB_PRODUCT_HUAWEI_Mobile 0x1008 /* HUAWEI Mobile Modem */ #defineUSB_PRODUCT_HUAWEI_E180 0x140c /* HUAWEI Mobile E180 */ #defineUSB_PRODUCT_HUAWEI_E510 0x1411 /* HUAWEI Mobile E510 */ +#defineUSB_PRODUCT_HUAWEI_E17500x1406 /* HUAWEI Mobile Modem */ #defineUSB_PRODUCT_HUAWEI_E17520x1417 /* HUAWEI Mobile Modem */ #defineUSB_PRODUCT_HUAWEI_E182 0x1429 /* HUAWEI Mobile Modem */ #defineUSB_PRODUCT_HUAWEI_E161 0x1446 /* HUAWEI Mobile Modem */ Index: dev/usb/usbdevs_data.h === RCS file: /cvs/src/sys/dev/usb/usbdevs_data.h,v retrieving revision 1.552 diff -u -p -r1.552 usbdevs_data.h --- dev/usb/usbdevs_data.h 8 Jul 2011 23:09:28 - 1.552 +++ dev/usb/usbdevs_data.h 20 Jul 2011 17:22:36 - @@ -4010,6 +4010,10 @@ const struct usb_known_product usb_known HUAWEI Mobile E510, }, { + USB_VENDOR_HUAWEI, USB_PRODUCT_HUAWEI_E1750, + HUAWEI Mobile Modem, + }, + { USB_VENDOR_HUAWEI, USB_PRODUCT_HUAWEI_E1752, HUAWEI Mobile Modem, },
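Review bot: the umsm.c hunk marks the E1750 as DEV_UMASS5 while the adjacent E1752 entry is 0, and neither the hunk nor the cover note ("should do the trick") says why this device needs the mass-storage mode switch; the commit message should state it, since the "shows up as sdX" symptom in the cover note is the only hint given and the before/after dmesg in the follow-up is what actually supports the choice.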
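Review bot: in the usbdevs hunk the new line `product HUAWEI E1750 0x1406 HUAWEI Mobile Modem` is placed after E510 (0x1411) and before E1752 (0x1417), but the surrounding entries (E180 0x140c, E510 0x1411, E1752 0x1417, E182 0x1429, E161 0x1446) are kept in ascending product-id order, so 0x1406 belongs before the E180 line.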
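Review bot: the usbdevs.h hunk hand-edits a generated file; usbdevs.h is produced from usbdevs (its own header says it is automatically generated and must not be edited) and is regenerated by the committer, so this hunk should be dropped from the submission, where it only adds noise and goes stale with every other id change, which the hunk header's revision number (1.558) already illustrates.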
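Review bot: the same applies to the usbdevs_data.h hunk: usbdevs_data.h is generated from usbdevs together with usbdevs.h, and its new `{ USB_VENDOR_HUAWEI, USB_PRODUCT_HUAWEI_E1750, ... }` entry simply mirrors the usbdevs placement, including the out-of-order position between E510 and E1752; regenerating after fixing the usbdevs ordering takes care of both files.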
Re[2]: [patch] Huawei E1750 support
On 20 July 2011, 23:00, David Coppa <dco...@gmail.com> wrote:
> On Wed, Jul 20, 2011 at 8:34 PM, bsd user <bsd.u...@mail.ru> wrote:
>> Hi, I got E1750 with O2 and noticed it's not working with -current. Here is the little patch, that should do the trick.
>> Without this patch, device shows up as a sdX (just the flash part of device, and /dev/cuaU0 is not set up)
>> Cheers, Jurij
>
> Please, can you provide us a dmesg with your patch applied?

I've snipped dmesg from unimportant things (hope that's not a problem)

dmesg before patching:
---
umsm0 at uhub0 port 3 configuration 1 interface 0 "HUAWEI Technology HUAWEI Mobile" rev 2.00/0.00 addr 2
umsm1 at uhub0 port 3 configuration 1 interface 1 "HUAWEI Technologies HUAWEI Mobile Modem" rev 2.00/0.00 addr 2
umsm0 detached
umsm1 detached
umass0 at uhub0 port 3 configuration 1 interface 3 "HUAWEI Technology HUAWEI Mobile" rev 2.00/0.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd2 at scsibus2 targ 1 lun 0: <HUAWEI, SD Storage, 2.31> SCSI2 0/direct removable
ugen0 at uhub0 port 3 configuration 1 "HUAWEI Technology HUAWEI Mobile" rev 2.00/0.00 addr 2
--

and dmesg after patching:
--
umsm0 at uhub0 port 3 configuration 1 interface 0 "HUAWEI Technology HUAWEI Mobile" rev 2.00/0.00 addr 2
umsm1 at uhub0 port 3 configuration 1 interface 1 "HUAWEI Technologies HUAWEI Mobile Modem" rev 2.00/0.00 addr 2
umsm0 detached
umsm1 detached
umsm0 at uhub0 port 3 configuration 1 interface 0 "HUAWEI Technology HUAWEI Mobile" rev 2.00/0.00 addr 2
ucom0 at umsm0
umsm1 at uhub0 port 3 configuration 1 interface 1 "HUAWEI Technology HUAWEI Mobile" rev 2.00/0.00 addr 2
ucom1 at umsm1
umsm2 at uhub0 port 3 configuration 1 interface 2 "HUAWEI Technology HUAWEI Mobile" rev 2.00/0.00 addr 2
ucom2 at umsm2
umsm3 at uhub0 port 3 configuration 1 interface 3 "HUAWEI Technology HUAWEI Mobile" rev 2.00/0.00 addr 2
--

> Is the device working with ppp?

Yes, it's working with ppp as /dev/cuaU0

> ciao,
> David

Cheers, Jurij
Re: Vmail perm
On 04/08/11 05:00, Gianluca D'Auri Muscelli wrote:
> Hi, i cant read my /var/vmail/mysitre.org/gdrm perms vmail vmail Siti mutt i can read email but i can't send: permission denied Anyone say why??? Tks vvm o#? Da iPhone

I can not find the part of the email where you describe your system and how it is openbsd related. It could very well be my MUA's fault.

-luis
Re: bandwidth problem
On 03/16/11 12:30, R0me0 *** wrote:
> Hello misc,
> I have a network with wireless and bridge mode on the APs. I put IP addresses on both sides and ping normally. On the left side I have a notebook with Windows Vista and an smb share, and on the right side another notebook with the same configuration. When I try to copy a file over smb, the speed is 10MB/s, it is very fast; I copied files of 50mb, 500 and 2gb. Really, it is very fast. This test I do on both sides.
>
> But now begin my problems. On both sides I have an OpenBSD 4.8 i386. If I set on both sides "ifconfig iface media 100baseTX mediaopt full-duplex", my speed goes down dramatically, the download of the same file is +/- 25kb/s, but if I set "ifconfig iface media autoselect" the speed is 1,8mb/s.
>
> The problem is the speed, I'm rebelled! As the fu* of windows is 10x faster than my OpenBSD box! I cannot believe this! What is occurring? I replaced my ethernet on both sides, but I cannot get the same speed as in the test. I tried many configurations with IFCONFIG media, with and without pf enabled, and the same thing.
>
> BOX 1 (offboard ethernet):
> # dmesg | grep ste0
> ste0 at pci3 dev 1 function 0 "Sundance ST201" rev 0x31: apic 2 int 16 (irq 10), address aa:bb:cc:dd:ee:ff
> ukphy0 at ste0 phy 0: Generic IEEE 802.3u media interface, rev. 0: OUI 0x0090c3, model 0x0018
>
> BOX 2 (offboard ethernet):
> # dmesg | grep ste1
> ste1 at pci0 dev 9 function 0 "Sundance ST201" rev 0x31: irq 11, address gg:hh:ii:jj:ll:kk
> ukphy1 at ste1 phy 0: Generic IEEE 802.3u media interface, rev. 0: OUI 0x0090c3, model 0x0018
>
> The test that I did with OpenBSD was:
> Box 1: apachectl start
> Box 2: wget http://ip_address/instal48-i386.iso
> Tried too: scp ... on both sides, the speed is the same.
>
> Please, can someone indicate the right direction to resolve this?
>
> Regards,
> Guilherme Hakme

The list is going to ask you for some of these points: http://www.openbsd.org/report.html

-luis
Re: network bandwith with em(4)
On 02/22/11 11:19, Mark Nipper wrote:
> On 22 Feb 2011, Patrick Lamaiziere wrote:
>> The problem is that we don't get more than ~320 Mbits/s of bandwidth between the internal networks and internet (gigabit).
>
> Have you already looked at:
> ---
> https://calomel.org/network_performance.html

Henning Brauer has some very interesting thoughts about the content of that particular page. Recent changes in the network stack make those sysctl settings useless.

-luis
Re: set nano as deafult when editing crontab
On 12/23/10 15:48, Orestes Leal R. wrote:
> I want to edit the crontab with nano but by default vi is invoked when I do 'crontab -e'

What is wrong with mg?

-luis
Re: FBI And OpenBSD...
On 12/15/10 16:17, Randy Wrench wrote:
> http://www.phoronix.com/scan.php?page=news_item&px=ODkxMw
>
> Government organizations, whether they be from the United States, the European Union, or anywhere else for that matter, contributing to open-source projects is not new. Heck, Security Enhanced Linux (SELinux) in the mainline kernel can largely be attributed to the United States' National Security Agency (NSA). More organizations contributing to open-source isn't bad -- government or not -- when it's mutually beneficial work with good intentions. However, there are new allegations being made today about OpenBSD's networking stack, in particular its IPsec code. The FBI allegedly paid OpenBSD developers to insert back-doors into the code-base...
>
> The above url carried an article which is disturbing to say the least... Anyone know more about this???

How about /. and the rest of the world? Theo forwarded the original email hours ago.

-luis
Re: Broadcom BCM4322 wifi support?
On 09/09/10 19:28, James Hozier wrote:
> Since Broadcom has released their sources for drivers, will I be able to get support for my BCM4322 wireless card for OpenBSD? The BCM4322 chipset ID was removed from bwi(4) a while back:
> http://marc.info/?l=openbsd-cvs&m=122116715708453&w=2
>
> It would be so awesome if it was supported now so that I don't have to spend money on a wireless card. I've been using a wireless router as my wireless card (putting it in bridge mode from my modem/wireless router and connecting my bridge to my laptop via ethernet cable) and it's a hassle lugging it around.

Code is not proper hardware documentation. Another factor to consider is the availability of the firmware to be distributed under real open conditions. So this announcement could really mean nothing to openbsd. The wifi hardware devs will know better than me though.

-luis
Ports problem
Hi all! I have an IBM Thinkpad R50e. I installed OpenBSD, configured X, installed fluxbox and other applications with pkg_add, but when I try to install unrar (it's not in pkg_add) using the ports, the compilation fails. I tried to compile other ports and it fails again. I downloaded the ports from the ftp (ports.tar.gz) and using cvs, but I can't compile the ports. I get this error: http://pastebin.com/mm1tp9za

A friend told me that I need to install the perl module Build.pm using:

  perl -MCPAN -e 'shell'
  install Build

but when I do it I get another error: YAML not installed... http://pastebin.com/Dfbn6Myx

I tried to install YAML and got another error again... When I install YAML and try to install Build again I get the first error. I don't know what to do. Maybe you can help me. Thank you very much.

This is my dmesg: http://pastebin.com/zJ45BciQ
Which netbook for OpenBSD
Hi. I'm planning to buy a netbook and I wonder which one is the best choice for running OpenBSD? Any suggestion? Thanks -- Rafal Brodewicz
Re: Why I Love Open Source - NSA helped with Windows 7 development
On Fri, Nov 20, 2009 at 3:19 AM, patrick keshishian <pkesh...@gmail.com> wrote:
> On Thu, Nov 19, 2009 at 11:40 PM, Felipe Alfaro Solana <felipe.alf...@gmail.com> wrote:
>> On Fri, Nov 20, 2009 at 12:43 AM, Obiozor Okeke <obiozorok...@yahoo.com> wrote:
>>> From Network World: NSA helped with Windows 7 development
>>> Privacy expert voices 'backdoor' concerns, security researchers dismiss idea
>>> By Gregg Keizer, Computerworld, 11/18/2009
>>
>> Why would NSA need backdoors when they have a front-door via DHS, national security and things like that?
>
> Same reason there exist unconstitutional congressional acts/bills that allow for secret torture prisons, detention of persons without due process, complete bypassing of fourth and sixth amendments, voiding of the Posse Comitatus Act, etc. etc. ... naive voters like you are the reason we are in this shithole right now.
> --patrick

The NSA's mandate is to protect American computer systems from attack. It's perfectly reasonable to believe their contributions are honest and legitimate. Note that the NSA's work on DES, which was rumored to have been backdoored by them, actually proved to strengthen it against differential cryptanalysis.
Re: Authpf and more than 992 users
On Thu, Nov 19, 2009 at 7:43 PM, Aaron Mason <simplersolut...@gmail.com> wrote:
> On Thu, Nov 19, 2009 at 7:57 PM, Joachim Schipper <joac...@joachimschipper.nl> wrote:
>> On Wed, Nov 18, 2009 at 12:55:03PM -0700, Bob Beck wrote:
>>> 2009/11/18 Janusz Gumkowski <janusz.gumkow...@am.torun.pl>:
>>>> Is it at all possible to have more than 992 simultaneous authpf users?
>>>
>>> Yes, use more than one machine.
>>>
>>>> Digging out an old post of mine, still not having any real solution but a couple of ugly hacks instead, trying to get rid of them finally. To the point: is allocating a pty for authpf logins really necessary?
>>>
>>> Yes.
>>>
>>>> What side-effects can I expect if I disable it?
>>>
>>> Probably bad things.
>>
>> Wouldn't it be possible to crank the number of ptys? I'm by no means an expert, but src/sys/kern/tty_pty.c does have some interesting-looking #defines. (Of course, you'd also have to patch libutil and who knows what else...)
>>
>> Joachim
>
> You'd be better off getting a second machine and CARPing them together rather than mess with the kernel. You'd also be far more likely to get support than if you modified the kernel (in which case you'd get little or none I'm sure). You'd also get a degree of redundancy if one machine bails.
>
> HTH
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse

Throwing more hardware at it can't be the real solution, not when the problem is an arbitrary system constant, and especially since the number of ptys has little to do with how many users an authpf system can support.
Re: Package dependencies size estimate script
Jan Stary wrote:
> dir=/var/db/pkg/$pkg

Since you use the above mechanism to read the package list, your script only works for already installed packages.

Srikant.
Re: Package dependencies size estimate script
Jan Stary wrote:
> cat /var/db/pkg/$PACKAGE/+REQUIRING | xargs pkg_info -s

That's just the first level of dependencies. What about the dependencies of the dependencies, and so on? It is a tree structure. Recursion is needed if you want to know the 'real collateral damage' :)

Srikant.
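The recursion asked for above, as an added example (not the script from the thread): a POSIX sh function that walks +REQUIRING transitively from a package database directory (assumed to be /var/db/pkg on a real system, or any directory with the same name/+REQUIRING layout), prints each dependent package once, and stops on cycles. The package names and database used in the test are constructed.

```sh
#!/bin/sh
# Added example, not the script from the thread: transitive closure of
# +REQUIRING. The first argument is the package database directory
# (/var/db/pkg on a real system; any directory with the same
# <pkgname>/+REQUIRING layout works, which is what makes this testable
# without installed packages).
#
# Usage: pkg_requiring_closure /var/db/pkg <pkgname>
#        pkg_requiring_closure /var/db/pkg foo-1.0 | xargs pkg_info -s
# Prints every package that directly or indirectly requires <pkgname>, one
# per line, sorted, each listed once even if reached by several paths.
pkg_requiring_closure() {
    _seen=$2                      # word list of visited packages, root first
    _walk "$1" "$2"
    printf '%s\n' $_seen | sed 1d | sort      # everything but the root itself
}

# _walk DB PKG: depth-first over DB/PKG/+REQUIRING, appending unseen names
# to the global _seen. Checking _seen before descending is what makes the
# walk terminate on a dependency cycle.
_walk() {
    [ -r "$1/$2/+REQUIRING" ] || return 0     # leaf: nothing requires it
    while IFS= read -r _dep; do
        [ -n "$_dep" ] || continue
        case " $_seen " in
            *" $_dep "*) continue ;;          # already visited
        esac
        _seen="$_seen $_dep"
        _walk "$1" "$_dep"
    done < "$1/$2/+REQUIRING"
}

if [ $# -eq 2 ]; then
    pkg_requiring_closure "$1" "$2"
fi
```

Piping the output into `xargs pkg_info -s`, as in the quoted one-liner, then sizes the whole subtree rather than its first level.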
machdep.allowaperture=1 setting is safer?
Hello All

I have an Intel Core2Duo desktop (dmesg attached below) running fully patched i386 4.6 GENERIC.MP. xdriinfo and glxinfo output doesn't change whether machdep.allowaperture is set to 1 or 2. And X is fully functional/stable in both cases as it has been for the past 6 months (with 4.5-stable too). xf86(4) seemed to suggest 1 is better security-wise than 2, and that led me to try this setting. glxgears gives the same 247 fps for both settings. In this light, is it more secure to use 1 than 2 and am I missing some functionality of my hardware in the process? Could someone please clarify.

Yours
Srikant.

OpenBSD 4.6 (GENERIC.MP) #1: Thu Oct 29 09:04:24 IST 2009
    root@:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz ("GenuineIntel" 686-class) 3.02 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
real mem = 3747770368 (3574MB)
avail mem = 3639156736 (3470MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 05/22/09, BIOS32 rev. 0 @ 0xf0010, SMBIOS rev. 2.5 @ 0xf06b0 (49 entries)
bios0: vendor American Megatrends Inc. version "0411" date 05/22/2009
bios0: ASUSTeK Computer INC. P5KPL-AM/PS
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC MCFG OEMB HPET GSCI
acpi0: wakeup devices P0P2(S4) P0P1(S4) PS2K(S4) PS2M(S4) UAR1(S4) UAR2(S4) MC97(S4) P0P4(S4) P0P5(S4) P0P6(S4) P0P7(S4) P0P8(S4) P0P9(S4) USB0(S4) USB1(S4) USB2(S4) USB3(S4) EUSB(S4) SLPB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 334MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz ("GenuineIntel" 686-class) 3.02 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 3 (P0P1)
acpiprt2 at acpi0: bus 2 (P0P4)
acpiprt3 at acpi0: bus 1 (P0P5)
acpiprt4 at acpi0: bus -1 (P0P6)
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
bios0: ROM list: 0xc/0xb400!
cpu0: Enhanced SpeedStep 3011 MHz: speeds: 2997, 1998 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82G33 Host" rev 0x10
vga1 at pci0 dev 2 function 0 "Intel 82G33 Video" rev 0x10
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xe000, size 0x1000
inteldrm0 at vga1: apic 2 int 16 (irq 10)
drm0 at inteldrm0
azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x01: apic 2 int 16 (irq 10)
azalia0: codecs: Realtek ALC662
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: apic 2 int 16 (irq 10)
pci1 at ppb0 bus 2
ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x01: apic 2 int 17 (irq 11)
pci2 at ppb1 bus 1
re0 at pci2 dev 0 function 0 "Realtek 8168" rev 0x02: RTL8168C/8111C (0x3c00), apic 2 int 17 (irq 11), address 00:24:8c:e9:45:fd
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 2 int 23 (irq 5)
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: apic 2 int 19 (irq 10)
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: apic 2 int 18 (irq 11)
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: apic 2 int 16 (irq 10)
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 2 int 23 (irq 5)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci3 at ppb2 bus 3
vr0 at pci3 dev 0 function 0 "VIA VT6105 RhineIII" rev 0x8b: apic 2 int 19 (irq 10), address 00:21:91:8d:e8:be
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 9: OUI 0x004063, model 0x0034
ichpcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 "Intel 82801GB SATA" rev 0x01: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 2 int 19 (irq 10) for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: <ST3500418AS>
wd0: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x01: apic 2 int 19 (irq 10)
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 2GB DDR2
Re: machdep.allowaperture=1 setting is safer?
> BTW, does anyone know if any other (X?) programs require '2', and in which cases? mplayer?

I have been running mplayer, xine and openarena without any problems with value 1 for more than 6 months.

Yours
Srikant.
Re: Defending OpenBSD Performance
On 14.09-20:43, Nick Holland wrote:
[ ... ]
> Speed matters. Almost as much as some things, and nowhere near as much as others.

beautifully specific and vague, i'd challenge anyone to sum up benchmarking better. if that's not a quote, it is now; i'm writing it down and sticking it to my wall.

[ ... ]
> Practically speaking, the people who need the performance at the edge of what OpenBSD can deliver usually are too busy to argue benchmarks.

careful, that could be seen as an admission ;-)
Re: OpenBSD server with samba and openldap
On Thu, May 14, 2009 at 11:11 AM, Pedro Almeida <palme...@securenetworks.pt> wrote:
> This was probably true at the time this document was written, but hopefully things change over time. Please take a look at ypldap(8). I think it solves the problem you refer to. There are some small issues, but I bet they are being worked on, and you'll find a workaround for them meanwhile. ;)
>
> Best regards,
> Pedro

Thanks to everyone that replied (both public and in private), pointing me in the right direction. I'll have a look at ypldap.

/bsdnuub
OpenBSD server with samba and openldap
Dear misc@ readers,

I'm planning to set up an OpenBSD 4.5 based server serving a local network with Windows XP based client computers. There's no mention of this in the OpenBSD faq, but I found a nice guide that seems to be pretty recent and up-to-date:
http://www.kernel-panic.it/openbsd/pdc/pdc4.html

On this page, there's something that bothers me:

> Please note that, though Samba account information will be stored in LDAP, smbd(8) will still obtain the user's UNIX account information via the standard C library calls, such as getpwnam() (see documentation); unfortunately, OpenBSD's standard C libraries don't support LDAP, thus forcing us to define Samba users also as local Unix accounts. This means a little more work for the system administrator, who will need to define users twice, but won't affect the overall system security since Unix users won't need to be able to logon to the system.

Now, I'm thinking that this problem maybe can be solved with this:
http://openbsd.rutgers.edu/bsdauth/ + http://openports.se/sysutils/login_ldap ?

Anyone else already done this in a better/smarter way? Thanks for your time!

/bsdnuub
Re: Samsung HD License Issue
On 04.05-08:17, Jochem Kossen wrote:
[ ... ]
>> today i bought a Samsung Laptop Drive, 160GB, Model Number is HM160HC. It came in an anti-static plastic bag together with a little leaflet. Usually i don't read those, but today i did, and came across the following paragraph:
>>
>> "Hybrid Disk Drive products are licensed for use only on devices that deploy the Windows VISTA Operating System as their principal operating System. If you or any other party install(s) an operating system on the computing device that is not Windows Vista, the use of this Hybrid Disk Drive may require an additional license from Microsoft. For further information, please contact Microsoft."
[ ... ]
> It appeared more people were confused by the text, and both Microsoft and Samsung have explained that the terms mean that if you use a different operating system than Windows with this drive, you need to get the appropriate license to use said different operating system. If you want to use an operating system owned by Microsoft with it, you have to get a license from them; if the operating system is not owned by Microsoft, you don't need to get a license from Microsoft.

this is a legal two-step and i recommend that you refuse to be satisfied with the clarification by Samsung and Microsoft and contact the appropriate consumer bodies within your jurisdictions to have this matter lodged with them (assuming the drive is sold under those terms within your country).
Re: BSD User Group in Spain | Grupo de Usuarios de BSD en Espanya.
Hi, I'm from Asturias (north of Spain). I'm a newbie on OpenBSD, but I have a friend who helps me (debug...@gmail). Still, I'd like to participate. Greetings
Re: Donations (was, sadly, European orders)
On 02.04-09:49, Alf Schlichting wrote:
[ ... ]
> as far as i am concerned (and most likely the majority of OpenBSD users) there is no need for you to justify yourself (or any other developer) in public. The product (OpenBSD) speaks for itself.

+1
Re: ssh tunneling
On 01.04-17:21, Jay Jesus Amorin wrote:
[ ... ]
> I have a firewall rule that allows ssh from computer-1 to computer-2 and denies ssh from computer-2 to computer-1. is it possible to a tunnel
>
>   ssh myu...@computer-2 'svn update svn+ssh://u...@computer-1/svn/data /home/myuser'
>
> and use the same tunnel when 'svn update svn+ssh://u...@computer-1/svn/data /home/myuser' is invoked going to computer-1 from computer-2 through ssh, when ssh is not allowed from computer-2 to computer-1.

not sure i understand precisely what you're intending here but you can open a remote tunnel via the connection 'computer-1' to 'computer-2', which would allow 'computer-2' to connect through a localhost connection, via the tunnel, back to 'computer-1'. look up '-R' instead of '-L' in the man page.
Re: pppoe server
On 08.03-11:13, Lo?=?VAI DC!niel wrote:
[ ... ]
> I wish to experiment with setting up a PPPoE server (AC) on OpenBSD 4.4. Although I've read the pppoe(8) man page and googled around, it is not clear to me how to set up such a configuration.

man sppp
load balanced carp and local routes
Greetings list.

I have a set of four load-balanced carp servers. Here are their hostname.carp files:

box1: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth carpnodes 1:0,2:100,3:100,4:100
box2: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth carpnodes 1:100,2:0,3:100,4:100
box3: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth carpnodes 1:100,2:100,3:0,4:100
box4: inet 10.104.72.0 255.255.224.0 NONE carpdev em0 balancing ip-stealth carpnodes 1:100,2:100,3:100,4:0

We notice that the first box (or whichever box holds vhid 1, advskew 0) has the following route:

10.104.72.0   10.104.72.0   UH 04 - carp0

Thus when box1 pings the carp IP, it responds to itself and none of the other carp hosts sees the traffic. This behavior is expected, and useful to us. The other three boxes however do not have this route, possessing instead a route for the carp IP that points to em0:

10.104.72.0   00:00:5e:00:01:01   UHLc127000 - em0

When one of the other three boxes attempts to ping the carp IP, all four boxes see the traffic and none of them responds. This behaviour is neither expected, nor useful to us.

So my question is, what is carp thinking in this configuration? Am I wrong to expect that all four load balanced carp hosts should contain a local route to the carpdev for a shared carp IP? Why would vhid1,advskew0 be different than the other three?

Thanks in advance.

--dave josephsen
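The four hostname.carp lines above are the kind of configuration that drifts when nodes are edited by hand, so as an added example (not part of the post) here is a small sh/awk linter for a balanced CARP group: it takes one hostname.carp file per node (file names are arbitrary; the contents in the test are constructed from the post's box1..box4 lines) and checks two invariants, that every vhid is listed on every node and that exactly one node uses advskew 0 for each vhid. It does not answer the routing question in the post; it only rules out the two carpnodes mistakes that are easiest to make.

```sh
#!/bin/sh
# Added example, not part of the original post: sanity-check the carpnodes
# specifications of a load-balanced CARP group. Pass one hostname.carp file
# per node (any file names; the post's box1..box4 contents are the model).
#
# For every vhid seen in the group it checks that
#   1. the vhid is listed on every node (a node that omits a vhid never
#      takes that share of the load), and
#   2. exactly one node uses advskew 0 for it (one preferred master per vhid).
# Lines without a "carpnodes" keyword (comments, !route lines) are skipped.
# Exit status 0 if consistent, 1 otherwise; each problem is printed.
carp_balance_check() {
    awk '
    FNR == 1 { nodes++ }                        # one node per file
    {
        spec = ""
        for (i = 1; i < NF; i++)
            if ($i == "carpnodes") spec = $(i + 1)
        if (spec == "") next
        n = split(spec, pairs, ",")
        for (j = 1; j <= n; j++) {
            split(pairs[j], kv, ":")            # "vhid:advskew"
            vhid = kv[1]; skew = kv[2] + 0
            listed[vhid]++
            if (skew == 0) masters[vhid]++
        }
    }
    END {
        for (v in listed) {
            if (listed[v] != nodes) {
                printf "vhid %s: listed on %d of %d nodes\n", v, listed[v], nodes
                bad = 1
            }
            if (masters[v] + 0 != 1) {
                printf "vhid %s: %d nodes with advskew 0, want exactly 1\n", v, masters[v] + 0
                bad = 1
            }
        }
        exit bad + 0
    }' "$@"
}

# Usage: carp_balance_check box1.carp box2.carp box3.carp box4.carp
if [ $# -gt 0 ]; then
    carp_balance_check "$@"
fi
```

Run it with the hostname.carp files collected from all nodes of the group; a clean run prints nothing and exits 0.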
Re: Limit number of login sessions
On 24.09-09:48, Maximo Pech wrote:
> Well I guess I will have to resolve this by coding something. What do you think about this:
[ ... ]

would you not be better to use ALTQ to limit the bandwidth available to each user? then if they share their password they're only sharing their own use? if not then i'd suggest you create a BSD auth module for processing the login sessions and add a 'login-max' capability.
Re: UPDATE: mozilla-firefox-3.0
On 17.07-10:26, Jason Dixon wrote:
[ ... ]
> I don't have any customers that use Java for client-side image rendering, so I can't speak as to how it would compare. I suspect that Java wouldn't be as efficient as flash for passing instructions to the client, but that's just a hunch.

performance of image rendering ??? passing instructions ??? that's as meaningful as the banana flavoured lube. ;-)

java is a language, flash is a solution. many would like to see an open alternative to flash but since flash is not microsoft i think it's below most radars. it's also, as many here have noted, 99.9% meaningless junk; and i'm 100% confident that any flash application could be re-implemented in Java, should needs, must.

personally, i avoid flash as a retard filter; remove it and lots of sh1t suddenly disappears.

p.s: java's image rendering is perfectly performant (assuming you accept java as an overhead in the first place ... of course, flashplayer is just as bad)
Re: timezone issue
On 10.04-11:06, Jordi Espasa Clofent wrote:
[ ... ]
> [EMAIL PROTECTED] [~] [10:59:59] $ date -u
> Thu Apr 10 09:00:01 UTC 2008

presumably the prompt is showing local time which is UTC +2 (+1 for CET and +1 for summer time). so all is well. as for the sysmon output you'll probably find (but i don't know) that it's deliberately working in UTC.
cvs comparisons [ot]
been setting up a repository of various development stuff and finding subversion to be horrifically slow and very hard on resources. struggling to find actual comparisons with CVS (lots of opinions and statements about SVN tagging and branching being better) but hoping someone here could help with links or experiences. currently switching back to CVS but hopeful of something quantitative for future reference.
Re: IPSec tunnel problem
On 01.03-00:39, Alexey Vatchenko wrote:
[ ... ]
> No, i don't use same network address for two networks.

then you need to alter your settings to specify the actual networks that you're using. for example, you could define the remote network to be 192.168.123.123/32 and then route everything for 192.168.0.0/16 through the tunnel. if you define a home network (like 192.168.123.0/24) then you'll need the bypass rule to avoid routing that through the tunnel. the fact that the tunnel end point moves is irrelevant but you will need to define a local network alias within the home network (i.e. 192.168.123.123 or something) so that the system knows to route that traffic through the tunnel. for routing you only need to define a route to the office gw system (e.g. 192.168.111.111) for the entire 192.168/16 space. note, if your networks don't overlap (i.e. 192.168.123/24 and 192.168.111/24) then you won't need the bypass rule.
vpn client configuration
Hi, I'm trying to connect Checkpoint VPN-1 using OpenBSD 3.8. Basic set up is as follows: Host-A - Gateway-A -- - Gateway-B - Host-B Gateway-A: OpenBSD3.8 Gateway-B: Checkpoint VPN1 Aim: Establish connection to Host-B from Host-A. I've no control on Gateway-B and Host-B. First of all, I'm able to connect Gateway-B from Gateway-A. Configuration files that I've used are as follows: === isakmpd.conf [Phase 1] IP-OF-GATEWAY-B=peer-machineB [Phase 2] Connections=VPN-A-B # ISAKMP phase 1 peers (from [Phase 1]) [peer-machineB] Phase= 1 Transport= udp Address=IP-OF-GATEWAY-B Configuration= Default-main-mode Authentication= PRESHAREDKEY # IPSEC phase 2 connections (from [Phase 2]) [VPN-A-B] Phase= 2 ISAKMP-peer=peer-machineB Configuration= Default-quick-mode Local-ID= machineA-internal-network Remote-ID= machineB-internal-network # ID sections (as used in [VPN-A-B]) [machineA-internal-network] ID-type=IPV4_ADDR Address= IP-OF-HOST-A [machineB-internal-network] ID-type=IPV4_ADDR Address=IP-OF-HOST-B # Main and Quick Mode descriptions (as used by peers and connections) [Default-main-mode] DOI=IPSEC EXCHANGE_TYPE= ID_PROT Transforms= 3DES-SHA [Default-quick-mode] DOI=IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-ESP-3DES-SHA-SUITE === === isakmpd.policy Keynote-version: 2 Authorizer: POLICY Conditions: app_domain == IPsec policy esp_present == yes esp_enc_alg != null - true; === Using these files, when I run isakmpd (isakmpd -d -DA=90) I can successfully connect to GATEWAY-B. 
tcpdump output is as follows:

===
tcpdump: listening on em0, link-type EN10MB
14:44:40.315165 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 202: IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 07c9dbce8da4a5b1-> msgid: len: 160
    payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
            payload: TRANSFORM len: 32
                transform: 0 ID: ISAKMP
                    attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                    attribute HASH_ALGORITHM = SHA
                    attribute AUTHENTICATION_METHOD = PRE_SHARED
                    attribute GROUP_DESCRIPTION = MODP_1024
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 3600
    payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
    payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
    payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
    payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 25076, len 188)
14:44:40.333719 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 122: IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: len: 80
    payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
            payload: TRANSFORM len: 32
                transform: 1 ID: ISAKMP
                    attribute ENCRYPTION_ALGORITHM = 3DES_CBC
                    attribute HASH_ALGORITHM = SHA
                    attribute AUTHENTICATION_METHOD = PRE_SHARED
                    attribute GROUP_DESCRIPTION = MODP_1024
                    attribute LIFE_TYPE = SECONDS
                    attribute LIFE_DURATION = 3600 (DF) (ttl 53, id 3115, len 108)
14:44:40.356321 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 222: IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: len: 180
    payload: KEY_EXCH len: 132
    payload: NONCE len: 20 (ttl 64, id 1228, len 208)
14:44:40.376569 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 226: IP-OF-GATEWAY-B.500 > IP-OF-GATEWAY-A.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
    cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: len: 184
    payload: KEY_EXCH len: 132
    payload: NONCE len: 24 (DF) (ttl 53, id 3116, len 212)
14:44:40.396111 0:4:23:a7:f0:d3 0:4:23:c1:4c:57 0800 134: IP-OF-GATEWAY-A.500 > IP-OF-GATEWAY-B.500: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
    cookie: 07c9dbce8da4a5b1->b4278095f145b1b6 msgid: len: 92 (ttl 64, id 23041, len 120)
14:44:40.617927 0:4:23:c1:4c:57 0:4:23:a7:f0:d3 0800 110:
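A configuration like the one above is held together by tags that name other sections (the peer under [Phase 1], Configuration, ISAKMP-peer, Local-ID and Remote-ID), and a typo in any of them leaves isakmpd with nothing to negotiate. The following lint is an added example, not part of the post and not isakmpd's own code: it reads an isakmpd.conf-style file with the standard library and reports dangling references and mismatched Phase or EXCHANGE_TYPE tags. The sample file is a constructed copy of the post's layout with its placeholder addresses.

```python
"""Cross-reference lint for an isakmpd.conf(5)-style file (added example)."""
import configparser

# Constructed sample in the layout of the post; placeholder addresses kept.
SAMPLE_CONF = """
[Phase 1]
IP-OF-GATEWAY-B=peer-machineB

[Phase 2]
Connections=VPN-A-B

[peer-machineB]
Phase=1
Transport=udp
Address=IP-OF-GATEWAY-B
Configuration=Default-main-mode
Authentication=PRESHAREDKEY

[VPN-A-B]
Phase=2
ISAKMP-peer=peer-machineB
Configuration=Default-quick-mode
Local-ID=machineA-internal-network
Remote-ID=machineB-internal-network

[machineA-internal-network]
ID-type=IPV4_ADDR
Address=IP-OF-HOST-A

[machineB-internal-network]
ID-type=IPV4_ADDR
Address=IP-OF-HOST-B

[Default-main-mode]
DOI=IPSEC
EXCHANGE_TYPE=ID_PROT
Transforms=3DES-SHA

[Default-quick-mode]
DOI=IPSEC
EXCHANGE_TYPE=QUICK_MODE
Suites=QM-ESP-3DES-SHA-SUITE
"""


def load_conf(text):
    """Parse isakmpd.conf syntax: INI-like sections, '=' separated, case-sensitive tags."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep tag case exactly as written
    cp.read_string(text)
    return cp


def _list(value):
    """Comma-separated list tag (Connections=, Transforms=, Suites=)."""
    return [v.strip() for v in value.split(",") if v.strip()]


def lint(cp):
    """Return a list of dangling references and mismatches; an empty list means consistent."""
    problems = []

    def get(section, tag):
        if not cp.has_section(section):
            problems.append(f"missing section [{section}]")
            return None
        if not cp.has_option(section, tag):
            problems.append(f"[{section}] has no {tag}")
            return None
        return cp.get(section, tag).strip()

    def check_mode(section, exchange, list_tag):
        kind = get(section, "EXCHANGE_TYPE")
        if kind is not None and kind != exchange:
            problems.append(f"[{section}] EXCHANGE_TYPE should be {exchange}")
        if get(section, list_tag) == "":
            problems.append(f"[{section}] {list_tag} is empty")

    # Phase 1: every value under [Phase 1] names a peer section.
    peers = {}
    for addr, peer in (cp.items("Phase 1") if cp.has_section("Phase 1") else []):
        peers[peer] = addr
        phase = get(peer, "Phase")
        if phase is not None and phase != "1":
            problems.append(f"[{peer}] must be Phase=1")
        address = get(peer, "Address")
        if addr != "Default" and address is not None and address != addr:
            problems.append(f"[{peer}] Address {address} differs from Phase 1 key {addr}")
        get(peer, "Authentication")
        mode = get(peer, "Configuration")
        if mode:
            check_mode(mode, "ID_PROT", "Transforms")
    if not peers:
        problems.append("no peers listed in [Phase 1]")

    # Phase 2: each connection needs a known peer, a quick-mode section and two ID sections.
    conns = _list(get("Phase 2", "Connections") or "")
    if not conns:
        problems.append("no connections listed in [Phase 2]")
    for conn in conns:
        phase = get(conn, "Phase")
        if phase is not None and phase != "2":
            problems.append(f"[{conn}] must be Phase=2")
        peer = get(conn, "ISAKMP-peer")
        if peer and peer not in peers:
            problems.append(f"[{conn}] ISAKMP-peer {peer} is not listed in [Phase 1]")
        mode = get(conn, "Configuration")
        if mode:
            check_mode(mode, "QUICK_MODE", "Suites")
        for side in ("Local-ID", "Remote-ID"):
            ident = get(conn, side)
            if not ident:
                continue
            id_type = get(ident, "ID-type")
            if id_type is None:
                continue  # missing section or tag already reported
            needed = ("Network", "Netmask") if id_type.endswith("_SUBNET") else ("Address",)
            for tag in needed:
                get(ident, tag)
    return problems


if __name__ == "__main__":
    for line in lint(load_conf(SAMPLE_CONF)) or ["ok"]:
        print(line)
```

Run it against a real file with `lint(load_conf(open("/etc/isakmpd/isakmpd.conf").read()))`; it only checks that the sections reference each other consistently, not that the peer will accept the proposed transforms.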
Re: 4.2 patchset for PR#5563/#5704
On 17.01-22:14, [EMAIL PROTECTED] wrote: need an education here. created a patchset for this problem and i'm about to test that against 4.2 GENERIC and have a couple of questions 1. are the results generally intersting? should i post them somewhere (assuming tests go right) assuming above is yes 2. had to manually add the line from r1.94 to 'mbuf.h' to skip the other changes in r1.93. is there a cvs way to do that or should it be manual and i assume there's nothing for me relevant to branching etc as that is only relevant to the repository/commiter, right? 3. m_gethdr duplicates the new m_inithdr code which seems ... not great ... would it be better to (a) call the m_inithdr function from m_gethdr (b) change it to a macro (c) change the m_inithdr to inline and call it from m_gethdr (no idea whether the function would get inlined anyway). i guess the answer to '1' in no but i'm posting this for anyone who may find it useful. it's working nicely for me. comments welcome. nb: this should patch against 4.2 Index: sys/sys/mbuf.h === RCS file: /cvs/src/sys/sys/mbuf.h,v retrieving revision 1.92 diff -r1.92 mbuf.h 220a221,254 * mbuf initialisation macros: * *MINITDATA(struct mbuf *m, int type, u_short flags, caddr_t data) * initialize mbuf internal data (pulled in by MINIT and MINITHDR) * *MINIT(struct mbuf *m, int type) * initialize an mbuf * *MINITHDR(struct mbuf *m, int type) * initialize mbuf with packet header */ #define MINITDATA(m, type, flags, data) \ (m)-m_type = (type); \ (m)-m_flags = (flags); \ (m)-m_data = (data); \ (m)-m_next = (struct mbuf *)NULL; \ (m)-m_nextpkt = (struct mbuf *)NULL #define MINIT(m, type) \ MINITDATA((m), (type), 0, (m)-m_dat); #define MINITHDR(m, type) \ MINITDATA((m), (type), M_PKTHDR, (m)-m_pktdat); \ (m)-m_pkthdr.rcvif = NULL; \ SLIST_INIT((m)-m_pkthdr.tags); \ (m)-m_pkthdr.csum_flags = 0; \ (m)-m_pkthdr.pf.hdr = NULL; \ (m)-m_pkthdr.pf.rtableid = 0; \ (m)-m_pkthdr.pf.qid = 0; \ (m)-m_pkthdr.pf.tag = 0; \ (m)-m_pkthdr.pf.flags = 0; \ 
(m)-m_pkthdr.pf.routed = 0 /* Index: sys/kern/uipc_mbuf.c === RCS file: /cvs/src/sys/kern/uipc_mbuf.c,v retrieving revision 1.85 diff -r1.85 uipc_mbuf.c 167d166 m-m_type = type; 169,172c168 m-m_next = (struct mbuf *)NULL; m-m_nextpkt = (struct mbuf *)NULL; m-m_data = m-m_dat; m-m_flags = 0; --- MINIT(m, type); 187d182 m-m_type = type; 189,201c184 m-m_next = (struct mbuf *)NULL; m-m_nextpkt = (struct mbuf *)NULL; m-m_data = m-m_pktdat; m-m_flags = M_PKTHDR; m-m_pkthdr.rcvif = NULL; SLIST_INIT(m-m_pkthdr.tags); m-m_pkthdr.csum_flags = 0; m-m_pkthdr.pf.hdr = NULL; m-m_pkthdr.pf.rtableid = 0; m-m_pkthdr.pf.qid = 0; m-m_pkthdr.pf.tag = 0; m-m_pkthdr.pf.flags = 0; m-m_pkthdr.pf.routed = 0; --- MINITHDR(m, type); Index: sys/dev/ic/elink3.c === RCS file: /cvs/src/sys/dev/ic/elink3.c,v retrieving revision 1.69 diff -r1.69 elink3.c 1390c1390 /* Convert one of our saved mbuf's. */ --- /* Convert one of our saved mbuf's ... */ 1392,1395c1392,1393 m-m_data = m-m_pktdat; m-m_flags = M_PKTHDR; m_tag_init(m); m-m_pkthdr.csum_flags = 0; --- /* ... and reset the buffer info */ MINITHDR(m, m-m_type);
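Review bot: in the mbuf.h hunk (220a221,254) MINITDATA and MINITHDR expand to several bare statements with no do { ... } while (0) wrapper, and the MINIT definition carries its own trailing semicolon after the MINITDATA call, so `MINIT(m, type);` at the uipc_mbuf.c call sites yields an empty statement and any later use under an unbraced if/else would execute only the first assignment. Suggest wrapping each macro body in do { ... } while (0) and dropping the semicolons inside the definitions. Also, as listed here the `/*` that should open the "mbuf initialisation macros" comment appears after the last MINITHDR line, so check that the header as actually applied has the comment delimiters in the right place.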
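Review bot: the elink3.c hunk (1392,1395c1392,1393) is not a pure refactor: the four lines it replaces only reset m_data, m_flags, the tag list and csum_flags, while MINITHDR(m, m->m_type) additionally sets m_next and m_nextpkt to NULL and clears m_pkthdr.rcvif and the pf fields. That is only safe if the driver's saved mbufs are never chained and rcvif is assigned again afterwards; either state that in the commit message or keep the narrower reset here. Separately, the cover note says m_gethdr duplicates the new m_inithdr, yet the patch leaves m_inithdr untouched while adding an overlapping MINITHDR; pick one initialiser rather than shipping both.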
4.2 patchset for PR#5563
need an education here. created a patchset for this problem and i'm about to test that against 4.2 GENERIC and have a couple of questions

1. are the results generally interesting? should i post them somewhere (assuming tests go right)

assuming above is yes

2. had to manually add the line from r1.94 to 'mbuf.h' to skip the other changes in r1.93. is there a cvs way to do that or should it be manual and i assume there's nothing for me relevant to branching etc as that is only relevant to the repository/committer, right?

3. m_gethdr duplicates the new m_inithdr code which seems ... not great ... would it be better to (a) call the m_inithdr function from m_gethdr (b) change it to a macro (c) change the m_inithdr to inline and call it from m_gethdr (no idea whether the function would get inlined anyway).

and finally, how do i create a patchset? is it simply a concat of the individual file patches?
Re: no 4.2-stable package updates??
On 12.12-16:25, [EMAIL PROTECTED] wrote:
> I tried using pkgsrc-2007Q3 but it sucks. Updating userland in production environment with pkgsrc on a non-NetBSD platform is a nightmare.

i'm working on this. will post when significant progress has been made. in my opinion having a working pkgsrc tree is better for everyone, doesn't mean we can't have an openbsd branch (so to speak) but unifying our efforts with others in this field will have benefits.
Re: HUAWEI not recognized properly (3 modem)
On 11.12-16:11, Stuart Henderson wrote:
> On 2007/12/11 16:13, Markus Bergkvist wrote:
> > I borrowed a HUAWEI modem just to see how it is recognized. With umass enabled it is recognized as a CD. Disabling umass and it is found as ugen. From this thread http://marc.info/?l=openbsd-misc&m=118468178731619&w=2 I figured it should have been recognized as ubsa. Any suggestions?
>
> I was wrong with ubsa, it looks like it should actually be umsm, but the device needs poking with a USB command before it switches off the umass-based Windows driver CD, and turns on the other interfaces (the AT-compatible modem-like interface, and the control interface). I'm not aware of it being supported yet.

with my version of this device it *appears* to timeout to the modem interface if it is inserted during boot. i won't go into the reasons as to why i believe that, suffice to say they're thin in evidence but it'd suggest you try forcing a rescan of the device after a couple of minutes (assuming the umass interface hasn't been tickled, activating it).
pf max-src-conn states
two questions relating to the above

1. trying to use 'max-src-conn 1' to limit service to one connection per host (with overload table) but when i disconnect and reconnect i get blocked. should this state expire when correctly closed, allowing a second connection, or is the timeout needed?

2. is source-track required for the above? i can't decipher the relationship. current confusion is does source-track turn 'max' into a per-IP match or simply allow the per-IP functions to operate?

nb: not sure the service is closing the connection correctly which may be causing the timeout issue.
Re: PPD vs printer driver question
On 10.11-17:01, Predrag Punosevac wrote:
> [ ... ]
> PPD files are post script description files that act as drivers for post script printers. This seems clear to me.

no. they simply describe the functions available on the printer. this allows the interface to display those printer options to you. for PS compatible printers this is enough, you select the options and the document, with the selected options, is passed along to the printer. for non-PS printers the options are passed to the backend processor which produces the relevant commands for that printer.

with CUPS you'll (most likely) have ghostscript as a backend processor. this comes with support for a good range of printer backends (e.g. PCL) as well as being easily extensible with vendor processors (like the hpijs processor from HP).

with lpd and apsfilter you process the incoming text or latex file into postscript. this works fine if the printer supports PS. if not then you'll pipe that postscript onto ghostscript which will then process the PS into the native printer language (e.g. PCL).
Re: Printing with apsfilter
On 11.11-06:51, Girish Venkatachalam wrote:
> [ ... ]
> Now I only know what you people seem to be saying about PPD files and drivers. I have never used CUPS either. However, long ago I read that postscript is a PCL - printer command language. And most printers these days support printing using postscript and the LPD daemon which listens at TCP port 515.

PCL is a printer control language. PS is a stack based programming language with graphics primitives for drawing. it may also be classed as a PDL (page description language).

i would guess that you are assuming that most printers can process PS because most unix print services use ghostscript to process these files into a native printer language. in fact most printers cannot process PS because implementing a PS processor is quite expensive (requires significant processing and memory) compared to control protocols (like PCL), although PS has other advantages.

this pre-processing is supported by cups and lpr but installation is generally simpler with cups (due to greater vendor attention). cups also has better integration with the new ghostscript processing structure, which allows more feedback from the print processor. this is particularly useful when using control languages (or host based raster processing) instead of PDLs. the lpr protocol also has some fundamental issues in its design (much like FTP does).

in short, i'd suggest you use cups unless you have a specific reason not to.
Re: OpenBSD kernel janitors
On 31.10-08:40, Theo de Raadt wrote:
> [ ... ]
> Yeah, right.
> [ ... ]

I don't understand. Is newbies learning new things a waste to you? Do you think they won't really learn anything unless the patch is approved? Or will the patches not be subject to peer review? Or are you worried at who would pass for peer review getting overwhelmed by a huge volume of poor quality patches?

and i would suggest that the severe and prevalent attitude toward the possibility of poor patches or under-educated actions is the most significant barrier to encouraging new/young developers.
Re: OpenBSD kernel janitors
On 31.10-08:20, Theo de Raadt wrote:
> [ ... ]
> They don't need a list. They could already have started coding. Yet we see how few people actually do start coding. Instead, they choose to write in english...

on the counter-side we appear to have people who can code but are unable to communicate productively otherwise. surely there must be _some_ merit to creating a list of lower level development tasks (as dictated by those with experience to judge) to encourage people to enter the development cycle. of course, there will be a large attrition rate, most people like the idea but can't stick the learning curve. others may be intelligent and able but less confident and just need pointing in the right direction. obviously the intention should be to try and capture the latter without losing energy on the former.
Hoststated check https; what am I missing?
Greetings list,

Long story short, we're moving from some alteon AD3's to openbsd, and in support of that effort I've constructed a small testing environment including two carp'd openbsd boxes running hoststated, and a single webserver sitting behind them.

The problem is that I can't seem to get hoststated to recognize via check https digest that the webserver is up and running. Check http works for the non-ssl side of the site, and changing the ssl check to check https code yields an operational ssl rdr. Since the webserver runs a small healthcheck jsp which outputs simply healthy, I'd like to use the digest method if possible.

I'm generating the digest with:

wget -O - https://172.16.51.31/healthcheck/tomcatok.jsp \
    --no-check-certificate | sha1

I'm wondering how sensitive hoststated is to the certificate (might check https digest fail because the server certificate and the name I'm asking for don't match?), or could it be that hoststated computes the https digest before the html output is decrypted?

Thanks in advance for your help. Configs pasted below.

hoststated.conf:

# Macros
#
extern_addr=192.168.26.53
intern_addr=172.16.51.31

table generic_vhosts {
    real port http
    check http /healthcheck/tomcatok.jsp digest 187ddb23c590d6b7e576313b135e7201099cf726
    host $intern_addr
}

table ssl_box {
    real port https
    check https /dbghealth/tomcatok.jsp code 200
    #check https /healthcheck/tomcatok.jsp digest 187ddb23c590d6b7e576313b135e7201099cf726
    host $intern_addr
}

service generic_http {
    virtual host $extern_addr port http interface fxp3
    tag HOSTSTATED
    sticky-address
    table generic_vhosts
}

service ssl {
    virtual host $extern_addr port https interface fxp3
    tag HOSTSTATED
    sticky-address
    table ssl_box
}

-dave josephsen
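The two check styles in the config above differ in what they look at: `code` compares the status line, `digest` compares a hash of the page. The following is an added example, not code from the post or from hoststated: it evaluates a constructed HTTP response the way a body-hashing checker would, assuming the checker hashes only the bytes after the header block (which is also what the `wget -O - ... | sha1` pipeline in the post hashes, since wget writes only the body to stdout), and lists the body variants that usually explain a digest mismatch, such as a trailing newline. The response bytes and the `healthy` body are constructed for the example.

```python
"""Evaluate HTTP health-check responses the way a body-hashing checker would (added example)."""
import hashlib

# Constructed response, as a checker sees it once TLS has been stripped (not from the post).
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"healthy\n"
)


def split_response(raw):
    """Return (status code, headers, body); the body is everything after the blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of header block")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    length = headers.get("content-length")
    if length is not None and int(length) != len(body):
        raise ValueError(f"Content-Length {length} but body has {len(body)} bytes")
    return status, headers, body


def sha1_hex(data):
    """Hex SHA1, the same value the sha1(1) pipeline in the post prints."""
    return hashlib.sha1(data).hexdigest()


def check_code(raw, expected):
    """Like `check ... code N`: only the status line matters."""
    return split_response(raw)[0] == expected


def check_digest(raw, expected_hex):
    """Like `check ... digest D`: SHA1 over the body bytes only, headers excluded."""
    return sha1_hex(split_response(raw)[2]) == expected_hex


def explain_mismatch(raw, expected_hex):
    """Which body variant (if any) matches the configured digest."""
    body = split_response(raw)[2]
    variants = {
        "as served": body,
        "without trailing newline": body.rstrip(b"\r\n"),
        "crlf line endings": body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n"),
    }
    return {name: sha1_hex(data) == expected_hex for name, data in variants.items()}


if __name__ == "__main__":
    expected = sha1_hex(b"healthy\n")  # what `wget -O - ... | sha1` prints for this body
    print("code 200:", check_code(RAW_RESPONSE, 200))
    print("digest  :", check_digest(RAW_RESPONSE, expected))
    # A digest taken over "healthy" without the newline fails, and the report says why.
    print(explain_mismatch(RAW_RESPONSE, sha1_hex(b"healthy")))
```

To compare against a live server, feed `split_response` the raw bytes of the reply captured from the same address and Host header the checker uses; a different virtual host or a different path returns a different body and therefore a different digest, even when both answer 200.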
Re: To whom can I direct email for artwork use permission pls?
On 02.10-09:56, Marcus Andree wrote:
> Theo is the copyright holder of the CD directory structure used by the install CDs. If someone wanna sell a CD (or DVD) legally, s/he will have to:
> - get a written permission from Theo or
> - code an entirely new installation procedure

i find this all rather sad and mis-guided, the software is freely available to those who wish to use it. we should also endeavour to make it as widely available as possible. the artwork is another question for theo (assuming he's the owner of that), i mean, openbsd is his brand and what he does there is his business.

it is also not possible to limit use of the directory structure with copyright. you would need to alter the license to include a clause around installation media and distribution or release the install scripts and programs under a different license; of course such a clause would be almost directly contradictory to current license. i.e. some stupid trick around CD directory structure is directly contradictory to the principles encapsulated in our licensing.

paying for it requires a choice, no matter what tricks we put in place around CDs. surely we can simply trust and encourage contributions particularly when people intend to profit. and if the original poster reads this you may read that as, whatever the actual outcome, if you make a profit please ensure you give something back. and oh, yeah, try to encourage the users to do the same once they get the CD home (though i have to confess, i haven't made a donation since i upgraded my gateway to 4.1 ... i have an excuse !!! and it was only last week. and i will)
Re: OpenBSD sticker considered cool by a layman
On 02.10-15:43, Åke Nordin wrote:
> [ ... ]
> http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565
> Cool link... Information about an article about privacy, and for downloading it you need javascript and whatever more... (I didn't manage to get the full text). Not to mention no download unless registration.

just for the record i managed without any trouble. and i don't think it required javascript either.
Re: To whom can I direct email for artwork use permission pls?
On 02.10-11:46, Bob Beck wrote:
> > (though i have to confess, i haven't made a donation since i upgraded my gateway to 4.1 ... i have an excuse !!! and it was only last week. and i will)
>
> And this is exactly the problem. Look, you guys can quibble all you want about awww, we should be able to make our own distros Yes, you can.

no, this is a problem. and there's no question that it's important but the relevant discussion was above your cut. even less to the point, i contribute more than the cost of a CD set without the overhead (but then its value is greater to me than it may be to others). encouraging people to purchase CD sets is great (bit like a suggested donation at a museum) but more important is iterating to people the value of the software and that it is their *responsibility* to reflect that value in their contributions; whatever form that contribution takes.
Re: OpenBSD sticker considered cool by a layman
On 30.09-10:03, Anton Karpov wrote:
> [ ... ]
> The same here. I have wireframe puffy on the back of my car. VERY attractive:

of course, if you were _really_ security conscious you would have cropped the license plate no ;-)
Re: Loading PF after pppoe
On 27.09-08:59, Amit Finkler wrote:
> I now use the in-kernel pppoe and pf, but on boot pf loads itself before the networking is up. How does one cause the networking to be up before the pf rules?

i tend to load a basic ruleset during boot and then either overwrite it or update it with alternative configurations / anchors as part of '/etc/hostname.if' configurations.
Re: The Atheros story in much fewer words
> but it allows some users to not have the freedoms you claim to defend.

think you'll struggle to find people here who claim to defend freedom. personally, i'm a believer and practitioner, i leave the defending to the mis-guided and the hypocrites.
Re: OBSD's perspective on SELinux
On 24.09-10:25, Jason Dixon wrote:
> [ ... ]
> What I'm trying to say is that all the services I listed before make their own little SELinux layer with appropriate policy built into them. Better than SELinux though is that the monitor is enabled by default and generally can't be turned off. Even more interesting is that this policy enforcement is portable to other unix like operating systems, it's not restricted to the OpenBSD kernel. What makes this so effective is that it's built-in by the people who understand it best, the developers. Not some Jr. Sysadmin tasked with standing up a new Linux server and trying to write his own SELinux policy from scratch.

little sad to see such slating of extended security feature sets by such a security conscious group. policy cannot be defined or implemented in the application. it must be enforced by the kernel to be meaningful. this, of course, does not preclude privilege separation within an application but that is good application programming not secure policy. SELinux's policy features are a superset of standard Unix. I was unaware of 'systrace' in openbsd but have found these poor and cumbersome previously but will certainly review it.

i agree completely with the general tack of opinion here, there is very little that cannot be done with conscious administration and intelligent use of available features. it's a little like ACLs, it's definitely a security feature but getting real value add from it is rare (particularly when you take into account the overhead of these features) and whether it increases or decreases overall security is a serious question too. in many instances (on various trusted operating systems and policy systems, not just selinux) i have seen the most appalling policies simply because administrators became significantly frustrated that they simply opened stuff until the application worked.
Re: OBSD's perspective on SELinux
On 24.09-11:49, Can E. Acar wrote:
> [ ... ]
> The guy can be some stupid binary software with an if(uid!=root) bail();
> People running arbitrary binary software requiring root on their systems deserve what they get. You can not work around this stupidity by ANY policy.

that is not the case and is, in fact, the entire point of defining policy. to define what the applications on the system can and cannot do, irrespective of how stupid they (or their programmer), or how malicious they (or their programmer) is / was.
Re: OBSD's perspective on SELinux
On 24.09-13:48, Darren Spruell wrote:
> [ ... ]
> Oh, that sounds like a recipe for success.
> - Run _arbitrary_ _binary_ application on system. Intend to use policy wrapper to restrict to allowed operations.

exactly, if the application cannot run within the defined policies it will not be allowed to run, this is precisely the assurance that some businesses look for. it is, in fact, a process that helps identify poor applications. whether the system is opened up or not depends on the business.

> The intentions are great and look good on paper. The reality is a bit different, as others have pointed out.

indeed, i am one of them. and probably as painfully aware of it as any. that is not the point, writing them off wholesale is folly, and suggesting the same can be achieved with current toolsets available is just plain wrong.
Re: OBSD's perspective on SELinux
On 24.09-14:28, Luke Bakken wrote:
> [ ... ]
> Intelligent sysadmins know every setuid binary on their system. Unintelligent ones get owned.

you'll forgive me if this does not sound intelligent to me. a conscientious sysadmin looks at the requirements and picks the best tools to match. in the vast majority of cases best results can be achieved with simplicity and an intelligent use of basic tools. complex policy systems have diminishing returns but there is no question that they bring additional tools to the toolkit.
Re: OpenBSD firewalls as virtual machine ?
On 22.09-02:06, Luca Corti wrote:
> [ ... ]
> > > We are talking about OpenBSD here, and support for VRF is not there.
> >
> > That may change faster than you expect
>
> This is great news. If the implementation will allow assigning interfaces to different VRFs it would solve the virtual router/firewall setup without the need for OS virtualization.

i have a feeling that the funds currently available for your virtualisation project would improve the quality and delivery of these requirements.
Re: OBSD's perspective on SELinux
On 22.09-16:21, Douglas A. Tutty wrote:
> [ ... ]
> exercise for the reader: find somebody using SELinux. ask them to describe their policy over the phone. then repeat it back to them. did you get it right?
> [ ... ]
> In other words, since debian packages, by policy, must just work on install (come with a reasonable default setup), (except for a few things like the Shorewall firewall builder that installs to a disabled state that prints a warning), once Debian decides on a SELinux policy, all the thousands of packages have to be set up to detect the SELinux policy on the box at the time and integrate themselves into it.

i would be willing to bet this will never happen, particularly in a community like debian's. if, by some miracle, it does i'd make a further bet that they'll have to roll back the decision because their users will be crippled. basically, good programming practices get you a lot more for a lot less than wide ethos changes. having said that the extended feature set of selinux can solve issues that unix systems are not able to.

in short, stick to openbsd. if you need selinux you'll know it ... then you'll go find another product that's not such a nightmare ... actually, nearly all of them are but that's another story.