Re: OpenBGPd SNMP

2015-10-06 Thread Bret Lambert
On Mon, Oct 05, 2015 at 10:34:01AM +, Stuart Henderson wrote:
> On 2015-10-04, Mike Hammett  wrote:
> > Are there any packages out there that expose OpenBGPd or other OpenBSD
> > parameters via SNMP? Would like to check generic health of the system,
> > number of routes, number of peers, number of routes per peer, etc.
> 
> System sensors ("sysctl hw.sensors") are exported by snmpd(8) as
> OPENBSD-SENSORS-MIB, this is non-standard but if you spend a little
> time with the standard ENTITY-SENSOR-MIB and its dependency ENTITY-MIB
> you'll soon understand why. (lm_sensor on linux also uses its own MIB
> for this).
> 
> There's nothing currently public for bgpd. Bret has a WIP diff though.
> 

I'd contacted the author of the original email off-list, but after
much ill-mannered name calling from sthen have mailed the diff
to tech, for those interested in guineaing in the pig fashion.



Re: SNMP on 5.7/5.8

2015-08-09 Thread Bret Lambert
On Sat, Aug 08, 2015 at 08:47:21PM +0300, Kapetanakis Giannis wrote:
 sorry for top post.
 
 I believe I had the problem with both base and netsnmpd versions.

Believe and have verified that are two functionally different
statements. I've only seen evidence that netsnmp, not snmpd from
OpenBSD base, has this issue.

Those who have reported the issue with netsnmp are encouraged to
report that to the netsnmp project in order to hopefully receive
a timely response.

If someone can replicate the issue with software included in the
base OpenBSD distribution, please do so.

 
 On 06/08/15 00:33, Steven Surdock wrote:
 Thanks Stuart.  It is also my understanding that the base snmpd suffers the 
 same issue.
 
 http://marc.info/?l=openbsd-misc&m=143143933919367&w=2
 
 I will try the debug shortly.
 
 -Steve S.
 
 -Original Message-
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of
 Stuart Henderson
 Sent: Wednesday, August 5, 2015 5:58 AM
 To: misc@openbsd.org
 Subject: Re: SNMP on 5.7/5.8
 
 On 2015-08-04, Steven Surdock ssurd...@engineered-net.com wrote:
 The broken SNMP on i386/5.7 is preventing me from upgrading.  I tried
 i386/5.8 but I'm still seeing net-snmpd crash with the following error.
 NET-SNMP version 5.7.3
 Error expanding HCInReceives to 64bits in ipSystemStatsTable.ipv4
 Error expanding HCInDelivers to 64bits in ipSystemStatsTable.ipv4
 Error expanding HCOutRequests to 64bits in ipSystemStatsTable.ipv4
 Oh, I wasn't aware of this, if a port is broken on some arch please let
 the maintainer know rather than hope they notice a report on misc@...
 
 Can you get output with debugging enabled for c64? Should be something
 like snmpd -Dc64 -f -Le
 
 Do you particularly need something from Net-SNMP or could you use snmpd
 from base instead? If it does what you need, the latter is always
 preferable.
 
 Is amd64 the new i386?
 yes.
 
 Would my energy be best spent migrating my default install to amd64?
 Thanks.
 
 that's up to you to decide :)



Re: httpd

2014-11-18 Thread Bret Lambert
On Tue, Nov 18, 2014 at 02:20:40PM +0200, Gregory Edigarov wrote:
 Hi,
 
 While downloading a big file from httpd it eats somewhere from 77 to 100% or
 even 150% cpu.
 Is it normal?
 I've never seen such numbers with nginx.

There was a known issue with that that has been fixed in -current;
if you aren't running -current, you should update and see if the issue
persists.

 
 --
 With best regards,
   Gregory Edigarov



Re: Shadow TCP stacks

2014-10-17 Thread Bret Lambert
On Thu, Oct 16, 2014 at 02:48:22PM +0200, Martin Schröder wrote:
 2014-10-16 13:16 GMT+02:00 Kevin Chadwick ma1l1i...@yahoo.co.uk:
  I still don't see the benefit though but do see added complexity or
  more code to audit.
 
  Reducing DDOS against a visible SSH service maybe? Reduce password
  attempts on your logs allowing them to go after targets that might
  actually use passwords (port change also works there, I find)?
 
 The impossibility to scan for services - which the NSA/GHCQ/... do.

It's a good thing that traffic analysis isn't a thing, then. Otherwise
they'd be able to check if traffic purporting to go to port 80/443
doesn't look like HTTP traffic, or something.



Re: Shadow TCP stacks

2014-10-17 Thread Bret Lambert
On Fri, Oct 17, 2014 at 12:56:48PM +0200, Martin Schröder wrote:
 2014-10-17 10:24 GMT+02:00 Bret Lambert bret.lamb...@gmail.com:
  On Thu, Oct 16, 2014 at 02:48:22PM +0200, Martin Schröder wrote:
  The impossibility to scan for services - which the NSA/GHCQ/... do.
 
  It's a good thing that traffic analysis isn't a thing, then. Otherwise
  they'd be able to check if traffic purporting to go to port 80/443
  doesn't look like HTTP traffic, or something.
 
 That's not the scenario here. The scenario is defense against port scans.
 
 You look like a fool who hasn't read the original paper.
 

Quoting the OP a few emails back:

 The idea is that the existence of this entire 'ultranet' is
 undetectable by even someone snooping all national traffic. So a TCP
 port 80 connection looks to the snooper _exactly_ like an HTTP
 connection handshake. Only the ISN and the source address mark the
 connection as 'ultra' and take it into a back room where it connects
 to the real network.

Just sayin'.



Re: Shadow TCP stacks

2014-10-17 Thread Bret Lambert
On Fri, Oct 17, 2014 at 12:13:55PM -0400, Ian Grant wrote:
 On Fri, Oct 17, 2014 at 4:24 AM, Bret Lambert bret.lamb...@gmail.com wrote:
  On Thu, Oct 16, 2014 at 02:48:22PM +0200, Martin Schröder wrote:
  2014-10-16 13:16 GMT+02:00 Kevin Chadwick ma1l1i...@yahoo.co.uk:
  The impossibility to scan for services - which the NSA/GHCQ/... do.
 
  It's a good thing that traffic analysis isn't a thing, then. Otherwise
  they'd be able to check if traffic purporting to go to port 80/443
  doesn't look like HTTP traffic, or something.
 
 They don't have any clue which traffic to analyze though, so this
 traffic is a needle in a haystack.

Well, if, as Herr Schroeder seems to be implying, this is used to
avoid port scans, I'd look for traffic to/from address:port which
don't show up on scans.

 Also, the VPN could be tunneled
 over HTTP if necessary.

I know of at least one company which sells a product which doesn't
just read headers, but classifies traffic based upon behavior, e.g.,
small request receives large response - bulk transfer, or
series of tiny packets which receive a single, larger response -
interactive session. I assume nation-states have developed similar
capabilities.

The ability to use statistical methods to eavesdrop on encrypted
SIP sessions comes to mind as an example of traffic analysis as a
tool to defeat adversaries who are attempting to secure their
communications.
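The behaviour-based classification described above, as an added example (not code from the thread or from any product it alludes to): the two size-pattern heuristics applied to constructed flow records, plus the check of whether traffic on 80/443 actually has an HTTP-like shape. The Flow record layout, thresholds and addresses are assumptions made for the example.

```python
"""Behavioural flow classification along the lines described in the thread.

Added example; not code from the thread or from any product it alludes to.
Flow records are constructed inline for illustration; in practice they would
come from pflog or a flow exporter (deployment assumption).
"""
from dataclasses import dataclass
from typing import List, Tuple

# Ports where HTTP-shaped traffic is expected (assumption: a web-only egress policy).
WEB_PORTS = {80, 443}


@dataclass
class Flow:
    """One TCP flow; *_pkts hold payload bytes per segment, in order."""
    src: str
    dst: str
    dport: int
    client_pkts: List[int]
    server_pkts: List[int]


def classify(flow: Flow, small: int = 128, large: int = 1400) -> str:
    """Apply the two heuristics quoted in the thread.

    "bulk":        a small request (one or two segments) answered by a large response
    "interactive": a series of tiny client segments answered by a few larger ones
    "unknown":     anything else
    Thresholds are assumptions chosen for the example, not taken from the thread.
    """
    c = [p for p in flow.client_pkts if p > 0]   # drop pure ACKs
    s = [p for p in flow.server_pkts if p > 0]
    if not c or not s:
        return "unknown"
    if len(c) <= 2 and sum(c) < 4 * small and sum(s) >= large:
        return "bulk"
    tiny = sum(1 for p in c if p <= small)
    if (len(c) >= 5 and tiny / len(c) >= 0.8          # mostly keystroke-sized
            and len(s) < len(c)                        # fewer replies than requests
            and max(s) > max(c)):                      # replies are the larger side
        return "interactive"
    return "unknown"


def find_anomalies(flows: List[Flow]) -> List[Tuple[str, str, int, str]]:
    """Return flows on web ports whose shape does not look like HTTP.

    This is the check the thread alludes to: traffic purporting to be HTTP
    but behaving like an interactive session deserves a closer look.
    """
    return [(f.src, f.dst, f.dport, classify(f))
            for f in flows
            if f.dport in WEB_PORTS and classify(f) == "interactive"]


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    # Ordinary HTTPS download: one request, many MSS-sized reply segments.
    Flow("192.0.2.10", "198.51.100.20", 443, [300, 64], [1460] * 40 + [900]),
    # Keystroke-shaped session on 443: tiny requests, occasional larger reply.
    Flow("192.0.2.11", "203.0.113.5", 443, [3, 2, 5, 1, 4, 2, 3, 3], [220, 180]),
    # Same shape on 22, which is what SSH is expected to look like.
    Flow("192.0.2.12", "203.0.113.6", 22, [3, 2, 5, 1, 4, 2, 3, 3], [220, 180]),
    # Upload over HTTP: large client segments, small server reply; neither rule fires.
    Flow("192.0.2.13", "198.51.100.21", 80, [4000, 4000, 4000], [60]),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src}->{f.dst}:{f.dport}  {classify(f)}")
    print("anomalies:", find_anomalies(SAMPLE_FLOWS))
```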



Re: Shadow TCP stacks

2014-10-17 Thread Bret Lambert
On Fri, Oct 17, 2014 at 02:59:26PM -0400, Ian Grant wrote:
 On Fri, Oct 17, 2014 at 2:49 PM, Bret Lambert bret.lamb...@gmail.com wrote:
  Well, if, as Herr Schroeder seems to be implying, this is used to
  avoid port scans, I'd look for traffic to/from address:port which
  don't show up on scans.
 
 That's why I want to hide it behind an ordinary service.

The point being, Herr Schroeder appears to be a man who would become
one of your users, and has apparently missed that step. A manual that
includes an advisory to do so would likely be a good idea.

 
  Also, the VPN could be tunneled
  over HTTP if necessary.
 
  I know of at least one company which sells a product which doesn't
  just read headers, but classifies traffic based upon behavior, e.g.,
  small request receives large response - bulk transfer, or
  series of tiny packets which receive a single, larger response -
  interactive session. I assume nation-states have developed similar
  capabilities.
 
 That's fine. But they have to analyze all the traffic. This is a
 needle in a haystack.

It's a good thing we don't know any nation-states that analyze all
the traffic, then. That would probably be bad.

 
  The ability to use statistical methods to eavesdrop on encrypted
  SIP sessions comes to mind as an example of traffic analysis as a
  tool to defeat adversaries who are attempting to secure their
  communications.
 
 Again, a needle in a haystack.

Assuming that your adversary is going into this blind, and hasn't been
given a list of interesting targets that includes your systems. States
also have access to human intelligence as well.

 
 Please read the OP before refuting stuff on the list. If you want to
 argue, and you aren't sure of your argument, e-mail me off the list.
 Otherwise it just adds to the general level of confusion, which is
 already higher than I'd expected on this list.

Quoting the original email you sent:

 If anyone here has a better idea, or any other useful advice (even if
 it's this has already been done! or It won't work, but please
 explain exactly why.) or pointers

I'm not attempting to refute the validity of what you're attempting,
I'm pointing out things that probably should be taken into consideration
during implementation/deployment, which I think falls under the heading
of useful advice. Whether or not it's useful is a judgement left to the
reader.



Re: Does OpenBSD's wpa_supplicant support PSK?

2014-02-10 Thread Bret Lambert
On Mon, Feb 10, 2014 at 10:20:44PM +0100, Zbigniew wrote:
 2014-02-10 22:00 GMT+01:00, Jeff Goettsch j...@primal.ucdavis.edu:
  I don't know anything about wpa_supplicant, but does
 
   # ifconfig rum0 nwid nwid wpakey wpakey
 
  work?
 
 No, it says it wants passphrase length in range from 8 to 63
 characters, while the PSK-passphrase has 64 characters, unfortunately.

Did you notice the following portion of the ifconfig man page:

 wpakey passphrase | hexkey
 Set the WPA key and enable WPA.  The key can be given using
 either a passphrase or a full length hex key, starting with 0x.

?

 -- 
 regards,
 Z.



Re: Documentation on rc.conf.local lacks important warning

2014-02-09 Thread Bret Lambert
On Sun, Feb 09, 2014 at 08:28:43PM +0200, VaZub wrote:
 Hi all,
 
 There is a small nuisance I've stumbled upon during my first
 experiments with OpenBSD.
 
 Both the man page for rc.conf(8) as well as the official OpenBSD FAQ
 (10.3) suggest to avoid editing /etc/rc.conf directly and instead copy
 it to /etc/rc.conf.local and edit afterwards. Yet it seems both fail
 to mention, that in order to prevent your system from going ballistic
 after doing this, you should also comment out or delete a particular
 line of code in /etc/rc.conf.local, namely this one:
 [ -f /etc/rc.conf.local ] && . /etc/rc.conf.local. Not good,
 especially for those who do follow official instructions and still
 suddenly find themselves with a broken system on their hands for no
 apparent reason.
 
 This might seem like a trivial issue for old-timers, and one is sure
 to find the appropriate solution with a little bit of deeper googling,
 but having short relevant notices in the aforementioned manuals could
 save newcomers some introductory frustration. What do you think? Is
 there anyone among those looking after the official documentation up
 to consider such a suggestion?

You've probably confused rc.conf.local for rc.local, but it's impossible
to tell, given that you've delivered a polemic, and not a description
of what you tried to do, and how it didn't end up as you expected.

 
 Regards,
 Vasyl Zubko



Re: More detailed information about last commands executed than lastcomm

2013-09-16 Thread Bret Lambert
On Mon, Sep 16, 2013 at 07:28:21AM -0400, Jiri B wrote:
  On Mon, Sep 16, 2013 at 11:38:18AM +0200, Wiesław Kielas wrote:
  Dear misc@,
  
  Is there any way to get information about last commands executed on a
  OpenBSD machine? I'm interested in getting the command name along with
  arguments passed to it.
  
  From what I gathered so far, lastcomm can't show command arguments - is
  there any way/other tool which can do that?
 
 Usual unix process accounting does not take care about commands' args.
 Anyway, you probably won't care about what normal users execute, you
 probably want that only for admins/root. Then I would propose to build
 a server with conserve (console server) which would be used as source
 host to ssh/console to destination servers for admins/root. conserve
 can save sessions in text form, you could have a filter and send it via
 syslog/whatever to central logging server.
 
 j.
 

Why make shit more difficult than it need be? From the sudo man page:

sudo also supports logging a command's input and output streams.



Re: More detailed information about last commands executed than lastcomm

2013-09-16 Thread Bret Lambert
On Mon, Sep 16, 2013 at 01:31:58PM +0200, Bret Lambert wrote:
 On Mon, Sep 16, 2013 at 07:28:21AM -0400, Jiri B wrote:
   On Mon, Sep 16, 2013 at 11:38:18AM +0200, Wiesław Kielas wrote:
   Dear misc@,
   
   Is there any way to get information about last commands executed on a
   OpenBSD machine? I'm interested in getting the command name along with
   arguments passed to it.
   
   From what I gathered so far, lastcomm can't show command arguments - is
   there any way/other tool which can do that?
  
  Usual unix process accounting does not take care about commands' args.
  Anyway, you probably won't care about what normal users execute, you
  probably want that only for admins/root. Then I would propose to build
  a server with conserve (console server) which would be used as source
  host to ssh/console to destination servers for admins/root. conserve
  can save sessions in text form, you could have a filter and send it via
  syslog/whatever to central logging server.
  
  j.
  
 
 Why make shit more difficult than it need be? From the sudo man page:
 
 sudo also supports logging a command's input and output streams.

Er, I meant to copy

 sudo can log both successful and unsuccessful attempts

I blame the lack of something in my something system.
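The two sudo features quoted above (attempt logging and session I/O recording) as one sudoers fragment; this is an added example, not configuration from the thread, and the log paths are assumptions:

```sudoers
# /etc/sudoers fragment (added example; paths are assumptions, adjust to taste)

# Every attempt, allowed or denied, goes to syslog and to a flat file,
# so "who ran what, and who was refused" is answered without lastcomm.
Defaults    syslog=authpriv
Defaults    logfile=/var/log/sudo

# Record the terminal input and output of each command, one directory
# per invoking user; inspect later with sudoreplay(8).
Defaults    log_input, log_output
Defaults    iolog_dir=/var/log/sudo-io/%{user}

# Admins get root through sudo, not through a direct root login.
%wheel      ALL=(ALL) ALL
```

Sessions are listed with `sudoreplay -l` and played back with `sudoreplay <id>`; sudoers(5) documents `iolog_dir` and the `%{user}` escape used above.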



Re: More detailed information about last commands executed than lastcomm

2013-09-16 Thread Bret Lambert
On Mon, Sep 16, 2013 at 07:48:14AM -0400, Jiri B wrote:
 On Mon, Sep 16, 2013 at 01:33:33PM +0200, Bret Lambert wrote:
  On Mon, Sep 16, 2013 at 01:31:58PM +0200, Bret Lambert wrote:
   On Mon, Sep 16, 2013 at 07:28:21AM -0400, Jiri B wrote:
Usual unix process accounting does not take care about commands' args.
Anyway, you probably won't care about what normal users execute, you
probably want that only for admins/root. Then I would propose to build
a server with conserve (console server) which would be used as source
host to ssh/console to destination servers for admins/root. conserve
can save sessions in text form, you could have a filter and send it via
syslog/whatever to central logging server.
 
   Why make shit more difficult than it need be? From the sudo man page:
   
   sudo also supports logging a command's input and output streams.
  
  Er, I meant to copy
  
   sudo can log both successful and unsuccessful attempts
  
  I blame the lack of something in my something system.
 
 Yes it would be better to use sudo but some env are setup to allow direct
 login to root :/

And the fact that they can do this via sudo should serve as an impetus
for those admins to stop Doing it Wrong(tm).

I understand that there are exceptions to the best practices that dictate
root-level access through sudo, but the original email that started
this thread seems to indicate that there's a need to keep tabs on some
henchmen/underlings/poorly-trained monkeys. That screams don't give
them direct root logins, to me.



Re: bioctl replacing a failed mirror

2013-09-02 Thread Bret Lambert
On Mon, Sep 02, 2013 at 02:30:23PM +0200, Stefan Sperling wrote:
 On Mon, Sep 02, 2013 at 08:17:27AM -0400, John Hynes wrote:
  On Mon, Sep 2, 2013 at 8:10 AM, Stefan Sperling s...@openbsd.org wrote:
   What commands did you run to copy the disklabel?
  Oh - I did a disklabel sd0 > disklabel.sd2; disklabel -R sd2 disklabel.sd2
 
 Did that change the duid of sd2?
 

If it didn't, it's a bug; from revision 1.163 of disklabel.c:

When restoring a disklabel do not restore the uid. Let the kernel allocate
a new uid instead.



Re: OpenBSD's webpage design

2012-06-28 Thread Bret Lambert
Talk ajax to me, baby.

On Thu, Jun 28, 2012 at 10:31 AM, Marc Espie es...@nerim.net wrote:
 On Wed, Jun 27, 2012 at 03:46:12PM -0700, Chris Cappuccio wrote:
 IIRC, Theo did the current design himself after everyone else failed to come 
 up with something good.

 Well, Theo had some rather fun constraints, like making a web site that works
 with antiquated browsers, like no css.

 If that constraint gets lifted (Theo ? is your browser still stuck in 1990 ?),
 then it would probably be possible to have something that looks the same /
 looks better and less painful to change...



Re: OpenBSD's webpage design

2012-06-27 Thread Bret Lambert
 PHP is like s early 2000s.  When's Python gonna go into base?

You're behind the times; python's been replaced by ruby running on top
of mongodb



Re: Can someone describe these possible long term effects and provide an explicit description of these kernel parameters?

2012-06-14 Thread Bret Lambert
On Thu, Jun 14, 2012 at 8:54 PM, Tristin Davis tristin.co...@gmail.com
wrote:
 Upgrading is simply not an option. It all comes down to having the
 engineering staff, money, and downtime available. Unfortunately, we have
 none of the above right now.  I realize we *need* to upgrade, but right
 now, tuning the kernel is the only option.

So...you're running something so mission-critical that it can't afford
to be down, but haven't made it redundant, which would allow you to
weather both upgrades and acts of god?



Re: spamd-setup fails from cron

2012-05-29 Thread Bret Lambert
 Please avoid 15 minutes past the hour ;-)

sleep $(($RANDOM % 2048)) && /usr/libexec/spamd-setup -d



Re: undeadly

2012-04-24 Thread Bret Lambert
well, I've been gathering responses off-list, and have been putting
together at least two articles. Sorry if the speed is not to your
satisfaction, but major version release time at work is eating me
right now.

/snark

On Tue, Apr 24, 2012 at 10:32 AM, Marc Espie es...@nerim.net wrote:
 Come on guys, the rthreads hackathon in Paris, not newsworthy ?

 Or sqlite in base ?

 Dudes, if you're just sitting on things because of the pending announcement of
 official 5.1, that's stupid. Undeadly isn't exactly thriving, more frequent
 news would be good.



Re: No schizophrenia

2012-01-11 Thread Bret Lambert
On Wed, Jan 11, 2012 at 12:19 AM, John Tate j...@johntate.org wrote:
 Just an idiot, Jan Stary, who turned the sentence 7 years of
 FreeBSD/OpenBSD experience into OpenBSD Guru. I wish I had more time and
 less faith in minds like hers. What an embarrassment... oh dear. She should
 learn to read.

 I'm back, healthy as can be. I had a nice holiday.

 I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD
 GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE
 WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER
 SAID THE WORD GURU I NEVER SAID THE WORD GURU I NEVER SAID THE WORD GURU I
 NEVER SAID THE WORD GURU

The intertruck begs to differ:

I was a Linux hacker since I was 13. I am a bit of a guru[1]

[1] http://marc.info/?l=openbsd-misc&m=132275346807070&w=2



Re: pfsync and ifstated

2011-03-23 Thread Bret Lambert
On Mon, Mar 21, 2011 at 10:27 PM, Kapetanakis Giannis
bil...@edu.physics.uoc.gr wrote:
 Hi,

 I'm testing a new setup of a pair of firewalls (master/backup) using carp,
 pfsync etc.

 Can I use ifstated to monitor virtual interfaces like pfsync0 and enc0?

 I want the master after it reboots (if backup is up) to wait for pfsync0
 interface to come up, get the missing states from backup firewall and only
 then advskew carp. This is because pfsync runs on ipsec, which sometimes
 takes about 2 minutes to become operational (at least on some of my tests).

Are you running sasyncd as well?


 thanx

 Giannis



Re: Removing secondary groups with usermod -G

2011-03-22 Thread Bret Lambert
On Mon, Mar 21, 2011 at 9:45 PM, William Boshuck bos...@math.mcgill.ca wrote:
 On Mon, Mar 21, 2011 at 01:18:41PM -0500, Chris Bennett wrote:

 OpenBSD's form of sed requires you to output to a new file and
 mv that back to original.

 .. or one could use ed, or perl, to change a file in place.

What happens if ed, or perl, corrupts a system file in place?


 -wb



Re: Firewall rules to block unwanted protocolls on given ports

2011-03-19 Thread Bret Lambert
On Sat, Mar 19, 2011 at 2:05 PM, johhny_at_poland77
johhny_at_polan...@zoho.com wrote:
 Does somebody have an idea what kind of iptables/pf rule I must use to
 achieve this?:

 i only want to allow these connections [on the output chain]:

 on port 53 output only allow udp - dns
 on port 80 output only allow tcp - http
 on port 443 output only allow tcp - https
 on port 993 output only allow tcp - imaps
 on port 465 output only allow tcp - smtps
 on port 22 output only allow tcp - ssh
 on port 20-21 output only allow tcp - ftp
 on port 989-990 output only allow tcp - ftps
 on port 1194 output only allow udp - OpenVPN

 So that e.g.: OpenVPN on port 443 would be blocked, because only HTTPS is 
 allowed on port 443 outbound.

 Any ideas? :\



Yes, write some sort of traffic-classification daemon that uses divert
sockets to pass/deny traffic based on what that traffic is. I will
personally check it in to the ports system once you are done and it
has undergone a complete audit.



Re: Choosing a window manager...

2011-03-15 Thread Bret Lambert
On Tue, Mar 15, 2011 at 8:03 PM, Kevin Smith openbsd...@gmail.com wrote:
 I'm deciding between kde, xfce, gnome, and fluxbox (in order of
 preference). Any experiences? Any relevant security issues on any of them?


 What you're asking is akin to:

 Hey everyone, I'm trying to decide between:
  Catholicism, Judaism, Buddhism, and Hinduism.

 What's the best?

Obviously, the answer is Zoroastrianism. Ahura Mazda bless you all.



Re: kernel leaks (was: Re: network bandwith with em(4))

2011-03-10 Thread Bret Lambert
On Fri, Mar 11, 2011 at 12:22 AM, Leen Besselink
open...@consolejunkie.net wrote:
 Hi folks,

 Sorry for hijacking this thread.

 I also have a Dell machine with em(4)'s.

 When I upgraded a machine from 4.3 or 4.4 to 4.7 the kernel is leaking
 memory I've been looking at it ever since. This was just before 4.8 came
 out so it didn't get 4.8.


There have been a number of mbuf leak fixes between 4.8 and 4.9.

Reinstall with 4.9/current and repeat your tests.



Re: is SHA256 file used or not ?

2011-02-08 Thread Bret Lambert
 Maybe some users will eventually
 get a clue gluing together all the answers scattered on this list and FAQ.

http://www.openbsd.org/faq/faq4.html#shamismatch

That entry contains all the relevant details end users should need,
which is we're aware that checksum mismatches happen on snapshots;
it's not dangerous; you need to learn to live with it



Re: nat static-port option

2011-02-04 Thread Bret Lambert
On Fri, Feb 4, 2011 at 2:45 PM, Martin Schröder mar...@oneiros.de wrote:
 2011/2/4 Pete Vickers p...@systemnet.no:
 He doesn't appear to 'have' IPv6...

 DTAG will offer v6 to all its customers later this year.
 It's only the largest telco in Germany. :-)

The US has been offering freedom to the world for a while now.
It's only the largest republic in the world :-)



Re: nat static-port option

2011-02-03 Thread Bret Lambert
On Wed, Feb 2, 2011 at 11:57 PM, Martin Schröder mar...@oneiros.de wrote:
 2011/2/2 Bret S. Lambert bret.lamb...@gmail.com:
 On Wed, Feb 02, 2011 at 10:23:43PM +0100, Martin Schröder wrote:
 Yeah. And there'll never be more than 2^32 IP devices in the world.

 Inorite? I mean, if I can't get an IP for my toaster, I'm just gonna
*die*!

 Currently there are about 2^32.7 living humans; I expect to live long
 enough to see 2^33.3
 Imagine everyone having at least two devices. How many do you have?

Counting my toaster?



Re: nat static-port option

2011-02-03 Thread Bret Lambert
On Thu, Feb 3, 2011 at 2:17 PM, Martin Schröder mar...@oneiros.de wrote:
 2011/2/3 Bret Lambert bret.lamb...@gmail.com:
 Counting my toaster?

 Your toaster has an IP?

yes, and can be viewed at http://www.goldentoasting.com/



Re: Let's talk about HTTPS Everywhere

2011-01-19 Thread Bret Lambert
I think you misspelled gene...@mozilla.org

On Wed, Jan 19, 2011 at 12:29 PM, S Mathias smathias1...@yahoo.com wrote:
 Ok. It's a Firefox Add-on:

 https://www.eff.org/https-everywhere

 Questions:

 1) But: Why can't I find it on the official Firefox Add-ons site?:
 https://addons.mozilla.org/en-US/firefox/

 2) Did anyone audit the HTTPS Everywhere code?

 3) Can someone trust this Add-on? Is it safe to install/use?

 4) If it's so great why isn't it more prevalent?

 What's your opinion? Or answer? :\

 Thanks!



Re: Final Penultimate last Call for Papers for CanSecWest 2011 (deadline Jan. 17th, conf March 9-11)

2011-01-13 Thread Bret Lambert
On Thu, Jan 13, 2011 at 5:02 PM, Randal L. Schwartz
mer...@stonehenge.com wrote:
 Dragos == Dragos Ruiu d...@kyx.net writes:

 Dragos It's been up on the site for a while with a Dec 29 deadline,
 Dragos but this is the real last call for submissions.

 Really?  Then why did you use Penultimate (which means next to last)
 instead of Ultimate in the subject line?

http://en.wikipedia.org/wiki/Humor


 Yours for a more literate education,

 --
 Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
 mer...@stonehenge.com URL:http://www.stonehenge.com/merlyn/
 Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
 See http://methodsandmessages.posterous.com/ for Smalltalk discussion



Re: remove users from group

2010-12-25 Thread Bret Lambert
On Fri, Dec 24, 2010 at 1:56 PM, Henning Brauer lists-open...@bsws.de wrote:
 * Bret Lambert bret.lamb...@gmail.com [2010-12-13 10:32]:
 You're all wrong. We obviously need XML user databases.

 go play with phk, only JSON is web scale.

Talk YAML to me, baby.


 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting



Re: remove users from group

2010-12-13 Thread Bret Lambert
On Mon, Dec 13, 2010 at 10:14 AM, MERIGHI Marcus mcmer-open...@tor.at
wrote:
 h...@stare.cz (Jan Stary), 2010.12.13 (Mon) 09:15 (CET):
 On Dec 13 12:01:58, OpenBSD Geek wrote:
  I have 100 users in groups : clients, and ftp_group
  How can i remove these 100 users from ftp_group ?
  I have already try usermod, but it only add users to group, not remove.
  Is there a way to achieve my task ?
 Sadly, no. These users will be members of these groups forever.
 There's nothing you can do about it. You can only reinstall.

 And do not forget to wipe your hard disk to make sure you have a clean
 re-install!

 Jan, you just brightened my monday morning, thanks!

 On the more serious side and for the OP: how about the unix way of
 combining simple tools to accomplish more complex tasks:
 1) use id(1) to get the groups
 2a) use sed(1) to get rid of the unwanted ones
 2b) use tr(1) to get a newline separated list and grep(1) to get rid of
the unwanted groups.
 3) use tr(1) again to transform the new list to a format suitable for
   usermod(8).
 4) feed ``usermod -G'' the new list.

 OR just ``vi /etc/groups''.



You're all wrong. We obviously need XML user databases.



Re: OpenBSD in Rock Band 3

2010-12-08 Thread Bret Lambert
My guess would be strlcpy() and/or friends, but IIRC that's millert@'s
copyright.

Time to get a lawyer, Todd!

On Tue, Dec 7, 2010 at 11:55 PM, Ted Unangst ted.unan...@gmail.com wrote:
 That's a little strange, because I don't think there is any code
 anywhere copyrighted by OpenBSD.  All the code is copyright by the
 individual contributors.

 On Tue, Dec 7, 2010 at 5:47 PM, Doug Clements dcleme...@gmail.com wrote:
 On Tue, Dec 7, 2010 at 12:09 AM, Jeffrey 'jf' Lim jfs.wo...@gmail.com
wrote:
 :) well, possible to sit through those again? This time, prepare your
 camera. :)

 Here's the best I got:
 http://www.freeimagehosting.net/image.php?5bec65cccf.jpg - SGI
 http://www.freeimagehosting.net/image.php?29f575c27e.jpg - Rijndael/AES
 http://www.freeimagehosting.net/image.php?80e8f1270b.jpg - Mark Borgerding
 http://www.freeimagehosting.net/image.php?7b8ba7a5c6.jpg - Simon Brown
 http://www.freeimagehosting.net/image.php?3bd1000b8f.jpg - RSA/MD5
 http://www.freeimagehosting.net/image.php?be87682cdd.jpg - OpenBSD
 http://www.freeimagehosting.net/image.php?2b516d12eb.jpg - Nvidia

 Not much info there, so it's hard for me to speculate.

 --Doug



Re: nis/ldap/login class

2010-12-08 Thread Bret Lambert
login_ldap (not in base) or ypldap (in base)

On Wed, Dec 8, 2010 at 11:49 AM, Friedrich Locke
friedrich.lo...@gmail.com wrote:
 Dear friends,

 i am running my OBSD server using NIS and i would like to change this for 
 LDAP.
 My doubt is: how is the login class field handle in a scenario defined
 by OpenLDAP?

 Thanks in advance



Re: Advice on learning C as first language

2010-11-24 Thread Bret Lambert
On Wed, Nov 24, 2010 at 3:55 PM, James Hozier guitars...@yahoo.com wrote:
 My first programming language ever was Visual Basic, but I was 11 years old
at the time and it was just a mandatory elective class I had to take to get
credits in order to graduate school, and I didn't even know what a programming
language was back then. I thought I was just writing words on the screen to
make the program do things (we made stuff like tic-tac-toe, shooting a
basketball into a hoop by inputting correct coordinates/arch, etc.) I forgot
everything I learned since then, so I have absolutely no recollection at all
of VB except rem which I recall as being equivalent to a comment in any
other language.

 Later when I began to edit code to make programs do exactly what I wanted, I
basically guessed what all the functions did and how the programs worked to
modify them, and as long as they worked, I really wasn't concerned at all
about how crappy the quality of the code was. So I decided to actually learn a
language and I had heard Python was easy so I started learning Python first.
But before finishing the first chapter I was told by several people that Perl
was much better. Considering their opinion was probably better than mine, I
switched to Perl and picked up a book for Perl beginners but again before I
even learned the print function, I read online that the first programming
language one learns could be crucial to the person's future programming skills
and habits that become ported to other programming languages they learn later
on, and I don't want to develop any bad habits and practices. I've decided to
choose C as my first language, for various
  personal reasons (mostly to audit code for security).

 So, as a newbie with no knowledge in programming at all whatsoever and
wanting to learn C, I bought KR's The C Programming Language (2nd edition) as
per the suggestion on the OpenBSD website. I read the disclaimers in the intro
of the book, and read on anyway. But the book seems to move very fast and does
not elaborate too much on the features of the language, I guess due to the
book not being total-noob-friendly. I can barely follow along and get what's
going on, but have no idea what the terminologies and phrases being used in
the book mean since the book assumes the reader knows basic programming such
as arrays and stuff like that.

 Are there any books that are more noob-friendly that want to learn C as
their first language and explain basic programming terms along the way?



The classic The C Programming Language is good.

After that, learn from good sources; for raw C manipulation, OpenBSD
libc is full of neat tricks.



Re: OT: Disadvantages of using virtual firewalls like OpenBSd

2010-11-23 Thread Bret Lambert
On Tue, Nov 23, 2010 at 1:38 PM, carlopmart carlopm...@gmail.com wrote:
 Hi all,

  First of all, I don't want to start a flame. I would like to know your
 opinion about using virtual firewalls like OpenBSD in virtual infrastructures
 like vmware, kvm, xen, etc.

  Advantages are very clear for me: provisioning, administration tasks, etc.
 But I would like to know the disadvantages. What is your opinion from the
 point of view of security?

Because you're still relying on your host's network stack, you aren't
actually firewalling it.


  Thanks.
 --
 CL Martinez
 carlopmart {at} gmail {d0t} com



Re: Problems with 4.6

2010-04-07 Thread Bret Lambert
On Wed, Apr 7, 2010 at 6:37 PM, Mark Leisher mleis...@math.nmsu.edu wrote:
 On 04/07/2010 09:43 AM, Otto Moerbeek wrote:

 On Wed, Apr 07, 2010 at 09:13:57AM -0600, Mark Leisher wrote:

 I didn't see anything obvious in the archives, so apologies if I
 missed them.

 OpenBSD 4.6, Dell PowerEdge 2600

 Problem 1: Despite the existence of /etc/defaultdomain, the domain
 name is not being set at boot time. The domainname `cat
 /etc/defaultdomain` command is executed, but when the console
 becomes available, the domain name is no longer set. I had to do
 everything in rc.local to get NIS working.


 Strange, I have never had to do that. But you are giving no details,
 so it is not possible to see what you did or did not do to make it not
 work.

 This was on a clean install. The only changes I made when I noticed this
 problem was a new root password, a different port number for sshd, and of
 course the creation of /etc/defaultdomain. And to answer Bret's private
 email, the exit code from the domainname call in /etc/rc is still 0. It
 isn't a permissions issue.

what does running

domainname `stripcom /etc/defaultdomain`

from the command line tell you?




 Problem 2: Using the secure httpd (1.3.something), I am unable to
 make it see the user public_html directories. On an OpenBSD 4.0
 system I have, it works fine, and the 2.2.11 web server package for
 4.6 works fine.

 I suppose the user dirs are outside the chroot. The httpd in base does
 chroot by default.

 I feel dumb! :-) I got so wrapped up in it I missed the obvious. Thanks.
 --
 Mark Leisher



Re: routing and pf at 10Gbps

2010-02-12 Thread Bret Lambert
On Fri, Feb 12, 2010 at 2:52 PM, Diana Eichert deich...@wrench.com wrote:
 On Thu, 11 Feb 2010, Claudio Jeker wrote:

 Henning, I told you, we should not talk about unfinished projects.
 We planned to announce this in exactly 7 weeks. Anyway, too late, the cat
 is out of the bag.
 So Henning and Oga are working at offloading pf into the graphic card
 cores by using the DRI interface. The shader will evaluate the ruleset
 and packets in parallel and use the graphic memory for the state table.
 Additionally if the speed of one card is not enough you can use SLI or
 crossfire to use multiple cards in parallel.

 --
 :wq Claudio

 okay, now you have piqued my interest

 I will sit back and wait for more info

I, too, hope to get news of this shortly after March is over.


 thanks

 diana



Re: GNOBSD-Project introduction

2010-01-25 Thread Bret Lambert
On Mon, Jan 25, 2010 at 2:04 PM, Chris Dukes pak...@pr.neotoma.org wrote:
 On Tue, Jan 19, 2010 at 07:34:24PM +0100, Stefan Rinkes wrote:
 [SNEEP]

 Generally the best day to post these announcements is the first day
 of the fourth month of the year.

But the day these ideas are traditionally developed is on the twentieth
day of the fourth month of the year.


 And if you're into product life cycle management, it's a wonderful day
 for a product to be out of service...
 --
 Chris Dukes



Re: obsd as domU?

2010-01-12 Thread Bret Lambert
On Tue, Jan 12, 2010 at 8:59 AM, Vadkan Jozsef jozsi.avad...@gmail.com wrote:
 Can I run obsd as a xen guest?



http://lmgtfy.com/?q=Can+I+run+obsd+as+a+xen+guest

The internet: you're doing it wrong.



Re: obsd as domU?

2010-01-12 Thread Bret Lambert
On Tue, Jan 12, 2010 at 9:41 AM, Ciprian Dorin, Craciun
ciprian.crac...@gmail.com wrote:

[snipz0rz]

   So I bet that the initial poster expected an (authoritative) answer
 that should have come in the form of advice based on experience or
 at least something useful... (Not lmgtfy, which I'm sure he already
 did, but did not find a good enough answer (as in authoritative)...)

When both of his questions were, verbatim:

OpenBSD as Dom0: Is it possible?

and

Can I run obsd as a xen guest?

it's unclear to me, since he's unwilling to document what he's
found in order to help others to help him, whether or not he's willing
to do the work required in finding those answers to begin with.



Re: Looking for Secure Architectures with OpenBSD pdf.

2009-12-10 Thread Bret Lambert
Awesome; another aggravating, whiny, entitled jackass.

You'll fit right in on the internet; the kool-aid's to the left.

On Thu, Dec 10, 2009 at 2:47 PM, jackwssp q jackw...@gmail.com wrote:
 2 Tomas Bodzar:
 Why are you so ugly? I'm not looking for the pf manual. As you can see above,
 I'm not alone. When I get it, I will share it with everyone on misc@, and you
 may furiously try to stop me.



Re: Why is getaddrinfo breaking POSIX?

2009-12-09 Thread Bret Lambert
On Wed, Dec 9, 2009 at 10:55 AM, Jonathan Schleifer
js-openbsd-m...@webkeks.org wrote:
 Am 08.12.2009 um 15:52 schrieb Bret Lambert:

 The existing resolver code is compleat balls, as oga@ would spell it.
 Frankly, it needs to be dragged behind the chemical sheds and
 quietly suffocated.


 Wouldn't it be possible to at least put a lock around it, so that at least

Yes. You're free to do so. Have fun.

 it does not produce bogus lookups, but does sequential but correct
 lookups instead? This would at least not break POSIX and would be compatible
 with thread-safe implementations, though slower than thread-safe
 implementations. It would already be a big relief for programmers if they
 can just use getaddrinfo and know that they at least get a correct result on
 any OS. ATM, I have to do a whitelist of operating systems that are known to
 have thread-safe implementations and do a lock for the others.

 --
 Jonathan
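The "put a lock around it" approach from the message above, written out as an added example in C. This is my illustration, not code from the thread or from any BSD libc: one process-wide mutex serialises every call to getaddrinfo(3), so concurrent callers get correct results at the cost of doing lookups one at a time. The names locked_getaddrinfo and lookup_numeric are assumptions for this example; the lookup uses AI_NUMERICHOST so it needs no DNS and runs offline.

```c
/*
 * Added example (not from the thread): serialising wrapper around
 * getaddrinfo(3). Correct under concurrency, but lookups are sequential,
 * which is exactly the trade-off discussed above.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* One lock for the whole process; PTHREAD_MUTEX_INITIALIZER needs no setup. */
static pthread_mutex_t resolver_lock = PTHREAD_MUTEX_INITIALIZER;

/* Same contract as getaddrinfo(3); only one caller is inside at a time. */
int
locked_getaddrinfo(const char *node, const char *service,
    const struct addrinfo *hints, struct addrinfo **res)
{
	int error;

	pthread_mutex_lock(&resolver_lock);
	error = getaddrinfo(node, service, hints, res);
	pthread_mutex_unlock(&resolver_lock);
	return error;
}

/*
 * Resolve a numeric IPv4 literal through the wrapper. Writes the first
 * address as text into buf and returns the number of results, or -1 on
 * a lookup error. AI_NUMERICHOST means no resolver traffic at all.
 */
int
lookup_numeric(const char *node, char *buf, size_t buflen)
{
	struct addrinfo hints, *res, *p;
	int n = 0;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_INET;
	hints.ai_socktype = SOCK_STREAM;
	hints.ai_flags = AI_NUMERICHOST;

	if (locked_getaddrinfo(node, "80", &hints, &res) != 0)
		return -1;
	for (p = res; p != NULL; p = p->ai_next) {
		if (n == 0) {
			struct sockaddr_in *sa4 = (struct sockaddr_in *)p->ai_addr;
			inet_ntop(AF_INET, &sa4->sin_addr, buf, buflen);
		}
		n++;
	}
	freeaddrinfo(res);	/* freeaddrinfo only touches the list, no lock needed */
	return n;
}

int
main(void)
{
	char addr[INET_ADDRSTRLEN];
	int n = lookup_numeric("127.0.0.1", addr, sizeof(addr));

	printf("%d result(s), first: %s\n", n, n > 0 ? addr : "(none)");
	return n > 0 ? 0 : 1;
}
```

The lock protects the resolver's shared state for callers that go through the wrapper; code that calls getaddrinfo(3) directly (other libraries in the same process) bypasses it, which is why a real fix has to live in libc rather than in the application.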



Re: Why is getaddrinfo breaking POSIX?

2009-12-09 Thread Bret Lambert
On Wed, Dec 9, 2009 at 10:56 AM, Jonathan Schleifer
js-openbsd-m...@webkeks.org wrote:
 Am 08.12.2009 um 15:41 schrieb Otto Moerbeek:

 Nobody did the work yet. If it's very important to you, consider
 spending effort making it thread safe. I believe netbsd and freebsd
 have thread safe implementations. But actually verifying that is
 pretty hard.

 Yes, the NetBSD implementation is thread-safe since 4.0. For FreeBSD, I
 don't know since which version it is thread-safe, but it's thread-safe in
 recent versions.

 For the verifying part: If the implementation has no side-effects (like
 modifying some global variable that is not per-thread), the implementation
 is thread-safe.

I still don't see a diff attached.


 --
 Jonathan



Re: Why is getaddrinfo breaking POSIX?

2009-12-08 Thread Bret Lambert
On Tue, Dec 8, 2009 at 3:41 PM, Otto Moerbeek o...@drijf.net wrote:
 On Tue, Dec 08, 2009 at 02:44:27PM +0100, Jonathan Schleifer wrote:

 Just wondering: Why is getaddrinfo breaking POSIX by not being
 thread-safe and what is the thread-safe alternative to it? (Please
 don't tell me to use locks, as that would kill the possibility to
 lookup multiple hosts at once).

 I consider it very strange that an OS still has a thread-unsafe
 getaddrinfo in the year 2009, even though POSIX and RFC 2553 both
 require it to be thread-safe. And it makes it especially hard to
 write portable applications, as there is no way to check if
 getaddrinfo is thread-safe in a configure script.

 Nobody did the work yet. If it's very important to you, consider
 spending effort making it thread safe. I believe netbsd and freebsd
 have thread safe implementations. But actually verifying that is
 pretty hard.


The existing resolver code is compleat balls, as oga@ would spell it.
Frankly, it needs to be dragged behind the chemical sheds and
quietly suffocated.

-Otto



Re: Variable ping time

2009-11-24 Thread Bret Lambert
 I start rain(6) on the server, via ssh, and the ping times immediately
 increase to an average of +/- 25ms :

spltty > splnet; man spl for further information



Re: Why I Love Open Source - NSA helped with Windows 7 development

2009-11-20 Thread Bret Lambert
On Fri, Nov 20, 2009 at 9:19 AM, patrick keshishian pkesh...@gmail.com wrote:

 Same reason there exist unconstitutional congressional acts/bills that
 allow for secret torture prisons, detention of persons without due
 process, complete bypassing of fourth and sixth amendments, voiding of
 the Posse Comitatus Act, etc. etc. ... naive voters like you are the
 reason we are in this shithole right now.

You stay classy, misc@



Re: openbsd programming resources?

2009-11-13 Thread Bret Lambert
On Fri, Nov 13, 2009 at 3:35 PM, elias r. obs...@crudp.ath.cx wrote:
 Hey out there!
 I started thinking about improving my C-programming knowledge, especially
 towards OpenBSD (and unix in general) -programming as well as secure
 programming.

 Does anyone have a hint which resources are worth reading (e.g. which books
 about the unix api?)

Read src/lib/libc/


 Hope this isn't worst question ever (yeah, i know internet searches)...
 I'd simply like some advice where to start ..

 greetings,

 elias



Re: openbsd programming resources?

2009-11-13 Thread Bret Lambert
On Fri, Nov 13, 2009 at 4:28 PM, David Gwynne l...@animata.net wrote:

 On 14/11/2009, at 12:56 AM, Bret Lambert wrote:

 On Fri, Nov 13, 2009 at 3:35 PM, elias r. obs...@crudp.ath.cx wrote:
 Hey out there!
 I started thinking about improving my C-programming knowledge, especially
 towards OpenBSD (and unix in general) -programming as well as secure
 programming.

 Does anyone have a hint which resources are worth reading (e.g. which books
 about the unix api?)

 Read src/lib/libc/

 sif, src/sys/

He said Unix API, not implementation ;)



 Hope this isn't worst question ever (yeah, i know internet searches)...
 I'd simply like some advice where to start ..

 greetings,

 elias



Re: Header re-writing and smtpd(8)

2009-10-30 Thread Bret Lambert
 the modules API that isn't written yet ;-)

ponies?



Re: Header re-writing and smtpd(8)

2009-10-30 Thread Bret Lambert
On Fri, Oct 30, 2009 at 10:39 AM, Gilles Chehade gil...@openbsd.org wrote:
 On Fri, Oct 30, 2009 at 10:28:27AM +0100, Bret Lambert wrote:
  the modules API that isn't written yet ;-)

 ponies?


 ponies!

8===D~~


 --
 Gilles Chehade
 freelance developer/sysadmin/consultant

   http://www.poolp.org



Re: mailq: unsupported mode with smtpd

2009-10-26 Thread Bret Lambert
 and by maulq i mean mailq ;-)

but maulq is much more full of awesome and win



Re: Reading kernel limit usage at runtime

2009-10-22 Thread Bret Lambert
On Thu, Oct 22, 2009 at 3:24 PM, stan st...@panix.com wrote:
 I have a machine that has run out of process table entries. One of my
 co-workers asked how one could check for this, and I am afraid that I did
 not know the answer.

 So, how can one read the usage of kernel limits at runtime?

sysctl kern.maxproc is probably what you're after



Re: how to trace a hardcore-bug in OpenBSD-4.5

2009-09-16 Thread Bret Lambert
More of that string leadership we've been warned about...

On Wed, Sep 16, 2009 at 11:40 AM,  paranoid.gand...@googlemail.com wrote:
 On Wed, 16 Sep 2009 02:08:03 -0500
 Marco Peereboom sl...@peereboom.us wrote:

 For everyone's reading pleasure:

 *cut*

 If violence makes you happy you might get satisfied some day.
 And you wonder why the Project gets less and less financial support?

 People like you make people like me not buy CD sets.
 Your code is flawed and your attitude just sucks.
 And you're the best poster child for what OpenBSD and the people behind
 it might become. If people like you go on like this the project will be
 dead soon.


 And now please try to fix your code instead of trying to be somebody you
 can't be. Or focus on the bug report? THAT would be real awesome.


 Kind regards,
 Gandalf



Re: 4.6 will be released on October 1st?

2009-08-18 Thread Bret Lambert
On Tue, Aug 18, 2009 at 8:11 AM, Nice Daemon nicedae...@googlemail.com wrote:
 I don't mind. There's a plethora of free email accounts out there.

And I'm sure you'll touch yourself inappropriately when hitting send
from those too.



Re: How to write drivers?

2008-05-01 Thread Bret Lambert
On Thu, 2008-05-01 at 20:15 +0300, Sviatoslav Chagaev wrote:
 Hello!
 
 I need to write a driver for a primitive device which connects to the LPT 
 port, so I was wondering, are there any manuals/tutorials/HOWTOs/... on this 
 subject?
 
 I could probably just read the source code of OpenBSD and learn from there, 
 but I'm a beginner programmer, so this probably will take much more time and 
 there are no guarantees that I won't miss anything...
 

http://www.openbsd.org/papers/opencon06-drivers/index.html

is a pretty thorough runthrough



Re: OpenBSD kernel janitors

2007-10-31 Thread Bret Lambert
On Wed, 2007-10-31 at 13:41 -0200, Marcus Andree wrote:
snip
 If we had such documentation, even if it isn't kept up-to-date, it would be a
 start point. As I stated in an earlier message, OpenBSD code is very, very

Design and Implementation of the 4.4BSD Operating System



Re: E-mail/calendar suite on OpenBSD (Kerio on OpenBSD)?

2007-08-24 Thread Bret Lambert
On Fri, 2007-08-24 at 15:14 +0200, Nikolaus Hiebaum wrote:
 Hi,
 
 I am currently searching for an e-mail/calendar application which is
 capable of the following:
 - support clients running on Windows machines (Outlook)
 - support clients running on Linux/OpenBSD machines (Evolution)
 - provide Webmail incl. the calendar
 
 One software, which looks like it can do all of that, I found is Kerio
 Mail Server (http://www.kerio.com/kms_home.html). It appears to be capable
 of synchronizing between the various sessions.
 
 My question is whether anyone of you has successfully installed this on
 OpenBSD. It seems to be supported by Linux (Redhat and Suse) and MacOS.
 
 My other question is whether you know of alternatives. Evolution looks
 very nice, but it doesn't have the webmail feature *with* the calendar.
 
 I am really open to suggestions.
 

My personal suggestion? Ask your users why, other than the fact that
Outlook does it, do you need one application to handle both calendaring
and email?

If you can get your users to break out of that (rather idiotic, IMO)
paradigm, an entire world of easier-to-support possibilities opens up
for you.

Just so you don't think I'm being a cocky ass, I asked that question,
and was rewarded with "because I'm the president and I say so". I'm now
in the process of rolling out Scalix.

- Bert

 Thanks,
 Nick



Re: port knocking?

2007-06-25 Thread Bret Lambert
On Mon, 2007-06-25 at 10:48 -0700, John N. Brahy wrote:
 Hi Misc@,
 
 
 
 I was wondering what the general consensus on port knocking in the OpenBSD
 community is. I like the idea of hiding services but I don't like the
 idea of relying on a piece of code that's not part of the OpenBSD core.
 I know when it comes down to it, it's only hiding ports and not actually
 securing anything.
 
 
 
 I am assuming that it's not practiced in the OpenBSD world because there
 are no port knocking ports.
 
 
 
 Anyone not agree with that summation?
 

I can't speak for others, but I don't practice it because there are
better (and developer-supported) ways to keep people out. If you're
paranoid about hiding services, authpf is, in my opinion, superior to
any other solution that I've seen.



Re: Snapshots src/sys tarballs

2007-05-30 Thread Bret Lambert
On Wed, 2007-05-30 at 09:51 -0800, Jimmy Mitchener wrote:
 Is there a reason snapshots do not currently come with a
 src/sys.tar.gz as releases do? I would think this to be quite useful
 for people wishing/requiring building their own kernels, and using
 snapshots, as it would help to minimize damage from kernel/userland
 (and packages) coming out of sync.
 
 I'm sure there's a good reason for them not being included, but I'm
 just curious as to what it is, I was unable to find anything in the
 archives.
 

This has been answered in the past; it comes down to too much work for
too little gain.

You want to live safely, run -stable.

 Jimmy.



Re: extenal storage and backup

2007-05-16 Thread Bret Lambert
On Wed, 2007-05-16 at 10:21 -0400, Jason Dixon wrote:
 On Wed, 16 May 2007 11:10:06 -0300, John Nietzsche [EMAIL PROTECTED] 
 wrote:
  Dear gentleman,
  
  i am searching a dell 1u rack server for usage with openbsd 4.1 as a
  storage (nfs) device.
  
  I wonder which external backup option have you been using since?
 
 Talk about your generic questions.  Do you want a direct-attached SCSI backup 
 drive?  A direct-attached SCSI library w/robot?  A usb drive?  A NetApp SAN 
 with hot snapshots?  Dump-over-ssh to a network server?  What's your budget?  
 What is your restore plan?
 

I prefer base64 encoded printouts, to be rekeyed by interns should the
system fail.



Re: Prevent circumventing dansguardian with pf

2007-05-04 Thread Bret Lambert
On Fri, 2007-05-04 at 07:26 -0600, Open Phugu wrote:
  if you deny icmp, you shall burn in hell
 You may burn in hell, but ICMP can be used to infiltrate and exfiltrate data:
 http://www.cs.uit.no/~daniels/PingTunnel/
 
 

This looks like it's pretty trivially defeated; bzero()'ing the data
portion of the ICMP echo request/response removes the piggybacked data
channel.

For even more fun, you could overwrite the actual data in the covert
channel with a fun message about the Care Bears.

Or, for bonus points, some nice Harry Potter slashfic ;-)

- Bert
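The bzero() countermeasure described above, worked out as an added example in C (mine, not code from the thread or from OpenBSD): for echo request and echo reply the data field after the 8-byte ICMP header is zeroed and the RFC 1071 checksum is recomputed, so the echo still completes but whatever was piggybacked on it is gone. Function names and the sample packet are constructed for this example; a real deployment would apply icmp_scrub_echo to every echo in both directions in the packet path.

```c
/*
 * Added example (not from the thread): strip the data field from ICMP
 * echo messages so they cannot carry a covert payload, then fix the
 * checksum so the echo itself still validates. Works on a raw ICMP
 * message (no IP header) held in a byte buffer.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_ECHOREPLY	0
#define ICMP_ECHO	8
#define ICMP_HDRLEN	8	/* type, code, checksum, id, sequence */

/* RFC 1071 Internet checksum over len bytes; 0 when a filled-in message sums correctly. */
static uint16_t
inet_cksum(const uint8_t *data, size_t len)
{
	uint32_t sum = 0;
	size_t i;

	for (i = 0; i + 1 < len; i += 2)
		sum += ((uint32_t)data[i] << 8) | data[i + 1];
	if (len & 1)
		sum += (uint32_t)data[len - 1] << 8;	/* odd trailing byte */
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);	/* fold carries */
	return (uint16_t)~sum;
}

/* Returns 1 if the checksum field validates over the whole message. */
int
icmp_checksum_ok(const uint8_t *pkt, size_t len)
{
	return len >= ICMP_HDRLEN && inet_cksum(pkt, len) == 0;
}

/*
 * Zero the echo data field and recompute the checksum. Returns how many
 * non-zero data bytes were wiped (a cheap indicator that the echo was
 * carrying something), or -1 if the buffer is too short or not an echo.
 * Other ICMP types (unreachable, time exceeded, ...) are left alone
 * because their data field is the quoted original datagram.
 */
long
icmp_scrub_echo(uint8_t *pkt, size_t len)
{
	long carried = 0;
	uint16_t ck;
	size_t i;

	if (len < ICMP_HDRLEN)
		return -1;
	if (pkt[0] != ICMP_ECHO && pkt[0] != ICMP_ECHOREPLY)
		return -1;
	for (i = ICMP_HDRLEN; i < len; i++)
		carried += pkt[i] != 0;
	memset(pkt + ICMP_HDRLEN, 0, len - ICMP_HDRLEN);
	pkt[2] = 0;		/* checksum field must be zero while summing */
	pkt[3] = 0;
	ck = inet_cksum(pkt, len);
	pkt[2] = ck >> 8;
	pkt[3] = ck & 0xff;
	return carried;
}

/* Constructed echo request carrying an arbitrary payload, with a valid checksum. */
size_t
build_echo(uint8_t *buf, size_t buflen, const char *payload)
{
	size_t plen = strlen(payload);
	size_t len = ICMP_HDRLEN + plen;
	uint16_t ck;

	if (len > buflen)
		return 0;
	memset(buf, 0, ICMP_HDRLEN);
	buf[0] = ICMP_ECHO;
	buf[4] = 0x12;		/* identifier (constructed) */
	buf[5] = 0x34;
	buf[6] = 0x00;		/* sequence number (constructed) */
	buf[7] = 0x01;
	memcpy(buf + ICMP_HDRLEN, payload, plen);
	ck = inet_cksum(buf, len);
	buf[2] = ck >> 8;
	buf[3] = ck & 0xff;
	return len;
}

int
main(void)
{
	uint8_t pkt[64];
	size_t len = build_echo(pkt, sizeof(pkt), "covert data");
	long removed = icmp_scrub_echo(pkt, len);

	printf("wiped %ld carried bytes, checksum now %s\n", removed,
	    icmp_checksum_ok(pkt, len) ? "ok" : "bad");
	return 0;
}
```

Note what this does and does not close: the data field is gone, but the identifier, sequence number, packet size and timing all survive, so a determined tunnel can still signal through those at a much lower rate. Logging the return value of icmp_scrub_echo gives a simple detection signal for echoes that arrive with unusually large non-zero payloads.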



Re: Loading a Second Kernel

2007-04-17 Thread Bret Lambert
On Tue, 2007-04-17 at 14:33 -0400, Jon Steel wrote:
 Hi
 
 I'm trying to find a way to do a sort of very soft reboot. For example I
 want to boot up the computer into a kernel on one drive, and then after
 saying reboot, the computer loads up a kernel from a second drive.
 
 I have gotten this to work with the use of a file to pass information
 between boots, but that is not an ideal solution. What I really want is
 either a way to pass a parameter to the BIOS so that it can pass it to
 boot upon restarting, or a way to reload the boot loader into memory and
 then execute it.
 
 It would even be fine to use another operating system on the first boot.
 So it boots up into say Gentoo, and then when I'm done with that, I want
 to load OpenBSD.
 
 Does anybody have an idea how I can approach this?
 

You could install a bootloader that uses a conf file, and have a script
that edits that and then reboots into your chosen OS.

Of course, down that road may lie much frustration as a badly-written
script can cause you to reboot with a ramdisk or some such and edit by
hand.

 Thanks
 
 Jonathan Steel



Re: Routerboard 532 Bounty

2007-04-11 Thread Bret Lambert
On Wed, 2007-04-11 at 12:05 -0500, Sam Fourman Jr. wrote:
 Well, I would like to see the router board simply because, I would
 like to make a router / switch device to replace a Linksys 54G Router,
 maybe 3 or 4 lan ports and a 1 or 2 MPCI slots, 1 for hardware crypto
 and the other for a wireless device.
 
 if anyone has any ideas or links that would be great.

The proprietor of magicbox.pl, which offers powerpc-based boards, had
offered to ship hardware to any and all interested OpenBSD devs; a few
confused me as the contact point, so it looks like there was some
developer interest in that hardware, but I haven't heard anything since.

This was something like a month, month and a half ago; if any dev who
contacted that vendor could give a quick "it worked"/"he was jerking us
around" response, I'd love to get an update.

Those boards are (unless I'm forgetting) based on the IBM405 chipset;
I'd like to see router boards based on the IBM440EBx (again, I may be
misremembering), which is supposed to have on-proc crypto support. The
only board based on that that I've been able to find in an admittedly
short and half-hearted googling was a 5-port w/linux on flash from AMCC.

- Bert



Re: bcw(4) is gone

2007-04-05 Thread Bret Lambert
On Thu, 2007-04-05 at 13:16 -0600, Diana Eichert wrote:
 and info why here,
 http://thread.gmane.org/gmane.linux.kernel.wireless.general/1558/
 
 

With apologies to everyone for off-color language...

What a bunch of douches.



Re: Saving memory on small machines

2007-03-22 Thread Bret Lambert
On Thu, 2007-03-22 at 11:11 +, David Given wrote:
 I have a machine with 48MB of RAM that I want to use as a server.
 
 The OpenBSD kernel is a bit over 5MB. I assume that gets loaded into memory
 and is not swappable, giving me 43MB left, which isn't a lot.
 
 Is it worth recompiling the kernel to remove support for features I'm not
 using --- IPv6, say, or the Microchannel bus --- on the principle that
 reducing the size of the kernel will give more memory for doing other things,
 and therefore generally speed the system up? Or will not using GENERIC cause
 more problems than it's worth?
 
 And if it is worth recompiling the kernel, can anyone recommend any
 particularly big features it would be worth taking out?

well, you could always compile with the small kernel option (forget the
actual #define that needs to be made, but grep is god's gift to
everybody).



Re: ctrl+alt+del reboot

2007-03-06 Thread Bret Lambert
On Tue, 2007-03-06 at 23:02 +0800, [EMAIL PROTECTED] wrote:
 I know about that sysctl.conf; I will just uncomment
 machdep.kbdreset=1, but it will halt the system, or in rc.shutdown change
 powerdown to YES. But what I want is a reboot, not halt or powerdown.
 

Code for allowing a shutdown on ctrl+alt+delete exists.

Code for rebooting the system exists.

Marrying the two is left as an exercise for the reader.

  [EMAIL PROTECTED] wrote:
  guys what file should i need to edit so that if i'm going to press ctrl
  alt del my box will just reboot?
 
  man sysctl
  man sysctl.conf
 
  ---
  Lars Hansson



OT: parallel programming book recs

2007-03-06 Thread Bret Lambert
Sorry for the OT post, but I wanted to pick the list's hive mind as to
any recommendations for solid, in-depth references for parallel
programming. College-level textbooks would be preferred.

Thanks!

- Bert



Re: fd.o HAL support / OpenBSD alternative for NetworkManager

2007-02-09 Thread Bret Lambert
On Fri, 2007-02-09 at 17:39 +0200, Stefan Parviainen wrote:
 Is there any work going on to get support for the freedesktop.org HAL
 specification (http://wiki.freedesktop.org/wiki/Software_2fhal)? It seems that
 there are quite a few programs that would benefit from this. Is there a 
 technical reason why this hasn't been implemented yet, or is the reason 
 simply lack of developers? I realize that the port would probably be fairly 
 difficult to make.
 
 The reason I'm asking is that on linux I can use this really wonderful 
 program 
 called NetworkManager which manages network connection (Who would have 
 guessed?). Unfortunately it requires fd.o HAL so using it under OpenBSD is 
 currently impossible. Is there any alternative for OpenBSD which supports 
 network roaming and such?
 

Just a thought, but it may have something to do with this:


HAL is licensed to you under your choice of the Academic Free
License version 2.1, or the GNU General Public License version 2.
Both licenses are included here. Some individual source code files 
and/or binaries may be under the GPL only or under the LGPG.

from COPYING, found at http://gitweb.freedesktop.org/?p=hal.git;a=tree,
with (my) emphasis strongly on that last sentence.

- Bret
 --
 Stefan Parviainen



Re: No buffer space available with a lot of queueing

2007-01-31 Thread Bret Lambert
On Wed, 2007-01-31 at 15:46 +0100, Federico Giannici wrote:
 We have a PC with OpenBSD 4.0-stable i386 that we use as a 
 firewall/gateway. It has a lot of HFSC queues.
 
 Today we had a flood of traffic and the outgoing interface started to 
 lose packets.
 
 If I tried to ping through the outgoing interface the "No buffer space 
 available" error occurred.
 
 When the traffic decreased the error disappeared.
 
 What buffer space is it talking about?
 Is there some parameter (kernel, sysctl, ALTQ, etc...) I can increase to 
 avoid this problem?


Running and tuning OpenBSD network servers
in a production environment:

http://www.openbsd.org/papers/tuning-openbsd.ps

may have the info you're looking for.

- Bert

 
 
 Thanks.



semi-OT: trunk usage poll

2007-01-12 Thread Bret Lambert
Good morning-

Some free time and inspiration last night got me to hack together
a shell script for trunk(4) startup. This morning, I realized that
I need to have a better understanding of how people use trunk to
make it usable by and for the masses.

So, if some of the good people of [EMAIL PROTECTED] would be kind enough
to reply to me off-list with their trunk setup commands, I would
be forever grateful.

Thanks.

- Bret



Re: carp for one server?

2007-01-09 Thread Bret Lambert
On Tue, 2007-01-09 at 10:12 -0800, John Brahy wrote:
 I know carp is the way to go to provide address redundancy but I was
 wondering if it's the best way to do it on one server? I've got two
 interfaces and I'd like to only use one public ip address.
 Is carp the way to go or is there a better way?
 

Depending on your setup, trunk(4) in failover mode might be just
as useful.

-Bert

 thanks!



Prospective hardware angels

2006-12-08 Thread Bret Lambert

Good afternoon misc@ -

A gentleman in the UK and I have decided
to pool our resources, and start semi-regularly
trolling want.html for items that we can get for
the devs. I'm able to do something like $50 US
each month (I have no idea how much he's in
for; he keeps talking about quid, which, as
far as I can tell, is some sort of telepathic
space crab).

If there are fellow-travelers who are interested
in going in with us on this, please don't hesitate
to let me know.

Please reply only to my email, so that we don't
clutter the list with chatter.

- Bert



Re: Which tools the OpenBSD developers are using?

2006-11-29 Thread Bret Lambert

Johan P. Lindström wrote:

So far, only NetBSD runs on the AK* architecture.


Yeah, but it only boots single-user, so it don't count.




-- JPL

On 11/29/06, Ioan Nemes [EMAIL PROTECTED] wrote:

That's the problem, you should use an AK45! Much-much cheaper
than the AR-15 (I've been offered one for $US15.00 in Sudan),
and is widely available.

Ioan


 Diana Eichert [EMAIL PROTECTED] 11/29 9:58 am 
I use a soldering iron, dremel tool, sheet metal/plastic nibbler and
solder wick.

diana
PS  Then I load my AR-15 to see if I can shoot any holes in my code.




Re: openbsd on cisco hardware?

2006-11-13 Thread Bret Lambert

Jeffrey C. Ollie wrote:

On Sun, 2006-11-12 at 20:51 -0600, Jacob Yocom-Piatt wrote:

i know this is likely not possible for a number of reasons but i figured i'd
ask: are there or have there been any plans to port openbsd to run on cisco
hardware?


It would only be interesting if you were able to develop drivers for the
various line cards.  Without these it would be pointless.  And I really
doubt that Cisco would be nice enough to open up their developer docs so
that drivers could be written.


Which leads to the obvious question (and one that I've had for a while,
but now seems an opportune time to ask) of whether or not there is
hardware that is custom-made for, or is well-suited to, the task of
routing network traffic. I'm going to admit my near-total ignorance
of the subject, and hope someone with the knowledge is interested
enough to answer.

- Bret



Jeff




MosChip USB to Ethernet/Serial adapters

2006-10-16 Thread Bret Lambert

Any devs in the US/Canada who are going to the upcoming
hardware hackathon, please contact me off-list so that I
can mail these to you for carting to Europe.



Re: OpenBSD and high availability

2006-08-07 Thread Bret Lambert

knitti wrote:

On 8/7/06, Jens Mayer [EMAIL PROTECTED] wrote:
While the networking part can be handled by carp, I'm collecting ideas on how
to keep the local file systems in synch - especially for ftp users and the
mailinglist archives. The synchronization will be done via a dedicated cross
connect cable directly between the boxes.


while I would do it with rsync (I know, depends on what you want to do),
I don't see any reason why ccd'ing two large nfs-exposed files shouldn't
work. But I think this would be more ugly and complicated than rsyncing
every x minutes...

--knitti




der Mouse released something last year that sounds for all the world
like it could be modified for use as a good filesystem failover
mechanism (obviously, this doesn't help the OP /now/):

overview: http://kerneltrap.org/node/5058
download: ftp://ftp.rodents.montreal.qc.ca/mouse/livebackup

Although it's based on a client/server architecture, a bit of
configuring could probably get it to work in a master/slave environment.

- Bret



UltraSparc III possibility in DC

2006-06-09 Thread Bret Lambert

Greetings all -

As I posted at undeadly.org, I'm in the DC area, and willing to pony up some
of my own cash to get jason@ a Blade 1000 [a]. I've already gotten one
solid response,
for a grand total of $200 towards the $450 + $50 shipping. Should I get promises
of the rest of the needed funds, I'll buy it up and deliver when I receive it.

Please contact me at this email off-list, as this email address is not
subscribed.

Thank you.

- Bret

[a] http://tinyurl.com/gtymq



Re: OT: opinion on this opinion...

2006-05-03 Thread Bret Lambert

Ted Unangst wrote:

On 5/2/06, poncenby [EMAIL PROTECTED] wrote:

Taken from http://wiki.noreply.org/noreply/TheOnionRouter/
TorFAQ#ServerAnonymity

FreeBSD 4.x, all versions of OpenBSD, and all versions of NetBSD
have broken gethostbyname_r() implementations that cause Tor's
threads to stomp on each other. So rather than threading on these
platforms, we made Tor fork new processes. This means you need way
more memory to run a Tor server, especially an exit server. If you
want to run a Tor server, we recommend you upgrade to a better OS.


i got a flat tire the other day, so now i have to buy a new car.

if using fork() really makes it use that much more memory than
threading, they've done something terribly weird.




Well, they appear to be claiming Linux as a better OS, so god only
knows what they've done to their server :)



Re: The Apache Question

2006-02-08 Thread Bret Lambert

Felipe Scarel wrote:

Well then, I'll take a look at your suggestion, Joachim, seems reasonable.
Too bad most developers actually *prefer* FTP over ssh, so it's going to be
difficult to convince them. Well, looks like I'll just have to implement...
they'll
get used to it anyway =)

Talking about the Apache2 port, as soon as I get the grasp of porting
software to OpenBSD I'll try to do that, would be quite helpful.

Erm... just a lazy question, but lighttpd has support for DAV?



From http://www.lighttpd.net/documentation/webdav.html:

The WebDAV module is a very minimalistic implementation of RFC 2518.
Minimalistic means that not all operations are implemented yet.

- Bret



Re: WebTools

2005-12-09 Thread Bret Lambert

Ricardo Lucas wrote:

Hello everybody,
that's my doubt: what program can I use to monitor the traffic of my LAN,
and display, web-based, information such as the most visited site
and the PC that most accesses the internet outside my intranet of course, and
things like these.


Good morning -

It seems like running a proxy and generating an HTML page from the logs 
is what you want to do; I haven't had a need to run web proxies, but 
Squid has a number of scripts that seem to do something similar to what 
you want:


http://www.squid-cache.org/Scripts/

The webalizer, squidalizer, and squidsites scripts seem (without looking 
too deeply) to most closely match what you seem to want.


HTH

- Bret Lambert


I had installed MRTG and symon, but they do not fit my necessities.

Thank's for your attention

--
Ricardo Lucas




Re: Bridge with three IFs

2005-11-07 Thread Bret Lambert

http://www.openbsd.org/faq/pf/tagging.html

At the end of that, there's a section titled
"Tagging Ethernet Frames" which tells you how
to do what you want.

- Bert