[patch] Minor niggle on pfctl

2006-01-30 Thread Dirk-Willem van Gulik
After spending over 30 minutes figuring out why a firewall refused to load
its config (turned out that the PCI card had unwedged itself).

Dw

*** pfctl.c.org Tue Jan 31 07:40:08 2006
--- pfctl.c Tue Jan 31 07:43:27 2006
***
*** 1358,1364 
return (1);
}
if (ioctl(pf->dev, DIOCSETSTATUSIF, &pi)) {
!   warnx("DIOCSETSTATUSIF");
return (1);
}
return (0);
--- 1358,1364 
return (1);
}
if (ioctl(pf->dev, DIOCSETSTATUSIF, &pi)) {
!   warnx("Failed to enable statistics accumulation on iterface 
%s", ifname);
return (1);
}
return (0);
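Review bot: the new warnx() string literal is split across two lines in the hunk ("...on iterface" and then "%s", ifname); unless that is mail wrapping the code will not compile, so the literal should be resent on one line, and "iterface" should read "interface". Since the DIOCSETSTATUSIF ioctl sets errno on failure, warn() rather than warnx() would additionally print the system error text for the failed call, which is the detail the cover note says took 30 minutes to track down. The hunk context also does not show that ifname is in scope in this function, which is worth confirming before the change is applied.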



Re: identd - what am I missing

2005-11-12 Thread Dirk-Willem van Gulik
On Fri, 11 Nov 2005, J.D. Bronson wrote:

> I am running 3.8 and on a single machine with no pf or nat...
>
> I disabled identd in inetd.conf.
> I issued a kill -1 on the identd process.
 ^

identd process or inetd process? After a change in inetd.conf you want to
kill -HUP the latter, inetd. If you see an identd running then you may
either see something spawned by inetd or a standalone identd which is not
run from inetd. In that case you'll need to kill identd and/or remove it
from your rc startup.

Dw.
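The check the reply above describes, as an added example that is not part of the original post: tell an identd spawned by inetd apart from a standalone one by looking at its parent PID. The listing in SAMPLE_PS is constructed for the example, and the `classify_identd` function is an assumed name, not an OpenBSD tool.

```shell
#!/bin/sh
# Added example, not from the original post: tell an inetd-spawned identd apart
# from a standalone one by its parent PID. After editing inetd.conf, the right
# action for the former is `kill -HUP` on inetd; the latter has to be stopped on
# its own and removed from the rc startup. Input is a listing in
# `ps -o pid,ppid,comm` layout; SAMPLE_PS below is constructed, not a real host.

SAMPLE_PS='  PID  PPID COMMAND
    1     0 init
  412     1 inetd
 9001   412 identd
 9002     1 identd'

# classify_identd: read a ps listing on stdin and print one line per identd:
#   "<pid> inetd-spawned"  when its parent is an inetd process
#   "<pid> standalone"     otherwise
classify_identd() {
    awk '
        BEGIN { n = 0 }
        NR == 1 { next }                                    # header line
        $3 == "inetd"  { inetd[$1] = 1 }                    # remember inetd pids
        $3 == "identd" { pid[n] = $1; ppid[n] = $2; n++ }   # remember identd rows
        END {
            for (i = 0; i < n; i++)
                print pid[i], ((ppid[i] in inetd) ? "inetd-spawned" : "standalone")
        }'
}

# Stand-alone demo on the constructed listing. On a live host (assuming a ps
# that accepts these keywords) you would feed real data instead:
#   ps -ax -o pid,ppid,comm | classify_identd
printf '%s\n' "$SAMPLE_PS" | classify_identd
```

In the constructed listing, PID 9001 has inetd (412) as its parent, so a `kill -HUP 412` after editing inetd.conf is all that is needed for it; PID 9002 was started directly under init and has to be dealt with separately.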



Re: Blocking p2p via pf

2005-10-11 Thread Dirk-Willem van Gulik
On Tue, 11 Oct 2005, Jason Dixon wrote:

> On Oct 11, 2005, at 11:15 AM, David Elze wrote:
>
> > Hi,
> >
> > I'm trying to block p2p traffic via pf on OpenBSD 3.x.
> >
> > Unfortunately, all new p2p-clients are able to use dynamic ports or
> > even
> > (ab-)use http-ports etc. so blocking well known p2p-ports is not
> > enough.
>
> http://marc.theaimsgroup.com/?l=openbsd-pf&m=104592911709710&w=2

While auth/socks and accountability are your long-term solution, for
a quick stopgap:

http://www.webweaving.org/kzdetect/

http://wleiden.webweaving.org:8080/svn/node-config/factory/trunk/kzdetect/

may help.

Dw.



Re: USB to RS232

2005-10-07 Thread Dirk-Willem van Gulik
On Fri, 7 Oct 2005, Eric Dillenseger wrote:

> I'll soon buy a soekris, but just realized i have no serial port on my
> laptop (duh!), has someone already tried to use a usb serial adapter?

Check out

ubsa(4)

that has a list.

Dw



Re: Any advice on 'Indemnification'? (US Only, obviously)

2005-09-23 Thread Dirk-Willem van Gulik
On Fri, 23 Sep 2005, L. V. Lammert wrote:

> so WE all know this isn't an issue here, but, unfortunately, the hosting
> company has lawyer(s) asking for similar 'Indemnification' for OBSD before
> they will officially allow OBSD on premises.

We've solved this in the past by running 'FooBSD' and simply indemnifying
this 'inhouse FooBSD' product ourselves.

Dw



Re: skey with apache?

2005-08-10 Thread Dirk-Willem van Gulik
On Wed, 10 Aug 2005, Alexander Farber wrote:

> Or you could try to use a ticket - then you wouldn't need SSL: login
> once using OTP, get a cookie (or hidden form field, or URL) protected by
> MD5 and send that cookie around in the next requests
> http://www.modperl.com/book/chapters/ch6.html#Cookie_Based_Access_Control

You probably want to do that over SSL - or very tightly bind that crypto
cookie to the client IP (and hope that there ain't no NAT) - as otherwise
sniffing and reusing that plaintext cookie sort of defeats the one-time
password semantics.

Dw.



Re: skey with apache?

2005-08-10 Thread Dirk-Willem van Gulik
On Wed, 10 Aug 2005, Didier Wiroth wrote:

> Is it possible to use one time passwords with openbsd's httpd?

The problem is that each HTTP request carries a new password - so in the
general case you would run through a lot of those in short order. What
I've done routinely is have a 'login' on http application level; verify a
one time password there and then issue a string cookie. And then allow
access based on the presence of that cookie (and a check that the
connection is over SSL, etc).

Dw.
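The scheme described in the two replies above (log in once with a one-time password, then issue a cookie that later requests present, honoured only over SSL and tightly bound to the client IP), as an added example that is not code from either post nor from Apache or mod_perl. It uses an HMAC-SHA256 tag instead of the MD5 protection mentioned in the thread; the SECRET, the TTL and every sample value are constructed for the example, and the function names are assumptions.

```python
"""Session cookie issued after a one-time-password login.

Added example, not code from either post or from Apache/mod_perl. It implements
the scheme the thread describes: authenticate once with an OTP, then hand out a
cookie that later requests present instead of a fresh password. The cookie is
bound to the client IP and an expiry and authenticated with an HMAC-SHA256 tag
(an assumption here; the thread only mentions MD5 protection), and it is only
honoured on a TLS connection. SECRET and all sample values are constructed.
"""
import hashlib
import hmac
import time
from typing import Optional

SECRET = b"constructed-example-secret-do-not-reuse"  # assumption: server-side only
TTL_SECONDS = 3600                                     # assumption: one-hour sessions


def _tag(payload: bytes, secret: bytes) -> str:
    """Authentication tag over the cookie payload."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_cookie(user: str, client_ip: str, secret: bytes = SECRET,
                 now: Optional[int] = None) -> str:
    """Called once, right after the OTP check succeeded, for the connecting IP."""
    now = int(time.time()) if now is None else now
    payload = f"{user}|{client_ip}|{now + TTL_SECONDS}"
    return f"{payload}|{_tag(payload.encode(), secret)}"


def verify_cookie(cookie: str, client_ip: str, over_tls: bool,
                  secret: bytes = SECRET, now: Optional[int] = None) -> bool:
    """Accept a request only if all of these hold:
    it arrived over TLS, the tag verifies, the cookie has not expired,
    and the IP baked into the cookie is the IP the request comes from."""
    if not over_tls:                       # a plaintext cookie can be sniffed and replayed
        return False
    parts = cookie.split("|")
    if len(parts) != 4:
        return False
    user, ip, exp_str, tag = parts
    payload = f"{user}|{ip}|{exp_str}".encode()
    if not hmac.compare_digest(tag, _tag(payload, secret)):
        return False                       # forged or tampered
    current = int(time.time()) if now is None else now
    if not exp_str.isdigit() or int(exp_str) <= current:
        return False                       # expired
    return ip == client_ip                 # replay from another host fails here


if __name__ == "__main__":
    cookie = issue_cookie("alice", "192.0.2.10", now=1000)
    print("same client over TLS   :", verify_cookie(cookie, "192.0.2.10", True, now=1500))
    print("replayed from elsewhere:", verify_cookie(cookie, "198.51.100.7", True, now=1500))
    print("over plain HTTP        :", verify_cookie(cookie, "192.0.2.10", False, now=1500))
```

The IP binding is what makes a sniffed cookie useless from another host, but it is only as good as the address: clients behind a shared NAT all present the same IP, which is the caveat the first reply raises, so the TLS requirement stays the primary protection and the binding is a second line. The cookie is authenticated, not encrypted, so the user name and IP in it are readable; what the tag prevents is any change to them, including extending the expiry.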