Collision with dbus-daemon-launch-helper and latest snapshot/packages
Hello all,

I updated to the latest snapshot (dmesg below) and when trying to update my packages to the latest from ftp.eu.openbsd.org, I get:

quirks-2.61 signed on 2015-04-05T21:43:07Z
Collision in dbus-daemon-launch-helper-1.8.16: the following files already exist
        /usr/local/libexec/dbus-daemon-launch-helper (dbus-1.8.16v0 and dbus-daemon-launch-helper-1.8.16)
Can't install avahi-0.6.31p15-0.6.31p17: can't resolve dbus-daemon-launch-helper-1.8.16
Can't install polkit-0.112p7-0.112p8: can't resolve dbus-daemon-launch-helper-1.8.16
Can't install consolekit-0.4.6p12-0.4.6p14: can't resolve dbus-daemon-launch-helper-1.8.16
Can't install geoclue2-2.1.10p1-2.1.10p2: can't resolve dbus-daemon-launch-helper-1.8.16
Can't install upower-0.99.2p0-0.99.2p6: can't resolve dbus-daemon-launch-helper-1.8.16
Couldn't find updates for avahi-0.6.31p15, consolekit-0.4.6p12, geoclue2-2.1.10p1, polkit-0.112p7, upower-0.99.2p0

I can't remove dbus without removing most of my GUI packages, so I'm not sure how to proceed from here. Below is my dmesg and list of manually installed packages, then list of all packages installed.

[...]
Re: Collision with dbus-daemon-launch-helper and latest snapshot/packages
Thanks for the quick response. Glad to know my system isn't randomly busted.

On Tue, Apr 7, 2015 at 10:29 AM, Marc Espie es...@nerim.net wrote:
> On Tue, Apr 07, 2015 at 09:59:08AM -0400, Jason Crawford wrote:
> > Hello all,
> >
> > I updated to the latest snapshot (dmesg below) and when trying to update my packages to the latest from ftp.eu.openbsd.org, I get:
> >
> > quirks-2.61 signed on 2015-04-05T21:43:07Z
> > Collision in dbus-daemon-launch-helper-1.8.16: the following files already exist
> >         /usr/local/libexec/dbus-daemon-launch-helper (dbus-1.8.16v0 and dbus-daemon-launch-helper-1.8.16)
>
> Bad timing. Wait for dbus-daemon-launch-helper-1.8.16p0, which will probably show up in a day or two on your favorite mirror.
>
> ajacoutot@ made a slight mistake in his first commit to separate dbus into two packages. The mistake has been fixed, but a set of broken packages was shipped.
Re: OpenBSD as a Mailserver
I've done latest openbsd stable with dovecot and postfix with postgres back end and roundcube for web interface. OpenSMTPd has some SQL support but I haven't tried it.

On Mar 25, 2015 9:01 AM, Markus Rosjat ros...@ghweb.de wrote:
> Hi there,
>
> what's the usual setup these days for mailserver?
>
> I have an old machine and like to jump into the future :)
>
> old setup:
> OpenBSD 4.2
> Courier
> Sendmail
> LDAP
>
> I would like to keep LDAP because I may want to migrate my mailboxes.
>
> thanks for the advice
>
> Regards
>
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
> http://www.ghweb.de
> fon: +49 351 8107220    fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed!
> Before you print it, think about your responsibility and commitment to the ENVIRONMENT
Re: Software for time management calendar
I use redmine for project management and that includes a calendar and time tracking system.

On Mar 22, 2015 1:44 PM, Lampshade lampsh...@poczta.fm wrote:
> What software do you use for this purpose?
Re: Secure Secure Shell
Stop cross posting. Stop posting articles from people who don't know what they're talking about. Or possibly just stop posting.

On Tue, Jan 6, 2015 at 9:33 AM, whoami toask whoamito...@safe-mail.net wrote:
> https://stribika.github.io/2015/01/04/secure-secure-shell.html
>
> Is the default config for SSHD secure enough? Or are the different distros' modifications the ones that make it not the best regarding security?
>
> Thanks.
Re: kernel panic from sys/dev/acpi/dsdt.c rev1.210 change
I can also confirm that newest snapshot works now.

On Thu, Jun 26, 2014 at 7:45 AM, Nils R m...@hxgn.net wrote:
> Works now with the latest snapshot (dsdt.c rev. 1.211), thanks!
Re: kernel panic from sys/dev/acpi/dsdt.c rev1.210 change
I know on my laptop no acpi meant doesn't work. My saving grace is I always keep a kernel from the previous snapshot I tried as obsd. So if bsd doesn't work, I just boot from that. Do you have an older snapshot kernel you can tell tech support to boot into?

On Thu, Jun 26, 2014 at 7:36 PM, Scott Vanderbilt li...@datagenic.com wrote:
> Having done a little man page reading on boot-time configuration, I learned about the existence of ukc. I'm wondering whether something like
>
> ukc disable acpi0
>
> might circumvent the kernel panic and allow the boot to successfully complete. I'm hoping that since this is a server, ACPI is non-essential.
>
> Just grasping at straws in an effort to get this machine up and running again.
>
> Thanks.
>
> On 6/26/2014 4:21 PM, Scott Vanderbilt wrote:
> > I have this exact same kernel panic. Unfortunately, it's occurring on a host at a remote co-lo.
> >
> > Does anyone know a way that I can get the on-site tech to suppress the assertion by way of some boot-time configuration? Then at least I can get this machine up and running so I can immediately upgrade to the latest snapshot, which apparently fixes this issue.
> >
> > Thanks.
> >
> > On 6/25/2014 8:05 AM, Jason Crawford wrote:
> > > My system panics from the KASSERT() call at line 2269 after dsdt.c was updated to 1.210. All I have is the basic panic message and the dmesg from the last known working snapshot kernel. I tried to get more information but my USB keyboard does not work in the kernel debugger, and my on-board keyboard no longer works at all (I use the laptop as a desktop now). I typed up everything I could see of that panic message by hand. Any patches that need to be tested I will be glad to try out. Here's the panic message and dmesg output.
> > >
> > > --- panic ---
> > > acpi0 at bios0: rev 2
> > > panic: kernel diagnostic assertion rgn->v_opregion.iobase % sz == 0 failed: file ../../../../dev/acpi/dsdt.c, line 2269
> > > Stopped at Debugger+0x9: leave
> > > panic() at panic+0xfe
> > > __assert() at __assert+0x25
> > > aml_rwgas() at aml_rwgas+0x1fd
> > > aml_rwfield() at aml_rwfield+0x205
> > > aml_eval() at aml_eval+0x1ae
> > > aml_parse() at aml_parse+0x183d
> > > aml_parse() at aml_parse+0x1ff
> > > aml_parse() at aml_parse+0x1ff
> > > aml_parse() at aml_parse+0x1ff
> > > end trace frame: 0x81ef48f0, count: 0
> > > RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
> > > IF RUNNING SMP, USE 'mach ddbcpu #' AND 'trace' ON OTHER PROCESSORS, TOO.
> > > DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
> > >
> > > --- dmesg ---
> > > [...]
kernel panic from sys/dev/acpi/dsdt.c rev1.210 change
My system panics from the KASSERT() call at line 2269 after dsdt.c was updated to 1.210. All I have is the basic panic message and the dmesg from the last known working snapshot kernel. I tried to get more information but my USB keyboard does not work in the kernel debugger, and my on-board keyboard no longer works at all (I use the laptop as a desktop now). I typed up everything I could see of that panic message by hand. Any patches that need to be tested I will be glad to try out. Here's the panic message and dmesg output.

--- panic ---
acpi0 at bios0: rev 2
panic: kernel diagnostic assertion rgn->v_opregion.iobase % sz == 0 failed: file ../../../../dev/acpi/dsdt.c, line 2269
Stopped at Debugger+0x9: leave
panic() at panic+0xfe
__assert() at __assert+0x25
aml_rwgas() at aml_rwgas+0x1fd
aml_rwfield() at aml_rwfield+0x205
aml_eval() at aml_eval+0x1ae
aml_parse() at aml_parse+0x183d
aml_parse() at aml_parse+0x1ff
aml_parse() at aml_parse+0x1ff
aml_parse() at aml_parse+0x1ff
end trace frame: 0x81ef48f0, count: 0
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
IF RUNNING SMP, USE 'mach ddbcpu #' AND 'trace' ON OTHER PROCESSORS, TOO.
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!

--- dmesg ---
[...]
Lost battery and A/C info on March 26 snapshot
Upgrading from March 25 snapshot to March 26 snapshot caused me to lose status on the battery and A/C for my laptop. Dmesgs are below, acpidump from both snapshots are attached. If there's any other needed info please let me know and I'll get that when possible.

[...]
Re: Something similar to Soekris boards, for server applications
On 11/30/11 11:27, Sime Ramov wrote:
> Hello,
>
> I am looking for something in the spirit of Soekris boards, but more suited for server applications, e.g. for hosting Django apps. Current net6501 is maxed out at 2 GB of RAM and 1.6 Ghz *single-core* (two threads) atom.
>
> The reason I am considering Soekris is because dedicated servers are often underused and idling. Few GB of memory, anemic processor and SSD gets one a surprisingly long way, especially with properly chosen stack and caching.
>
> So the general idea is: one Django app = one Soekris board. This is much better than virtualization (bare metal forever) or putting more apps on a big server. Some apps would run great on this, but a more powerful CPU and more memory would be needed for more demanding workloads.
>
> Any recommendations for similar, but a bit more powerful and versatile hardware (think one app = one hardware device)?
>
> Thanks.

Maybe look at this:
http://www.newegg.com/Product/Product.aspx?Item=N82E16816101364

It's cheaper, has twice the RAM, 6 SATA ports, 1.8GHz Atom dual core. Oh, and rackmount case.

-- Jason
Re: Donations
Better add Visa to the list as well
http://www.salon.com/news/feature/2010/12/07/wikileaks_17/

On Sat, Dec 4, 2010 at 10:25 PM, Theo de Raadt dera...@cvs.openbsd.org wrote:
> In the future, if people can show preference for the non-Paypal transaction methods when they donate, we would appreciate that over Paypal.
>
> Since the project's hackathons (and many other things) are very much funded by donations, it is hard for us to fully disassociate completely from Paypal. However we can ask and recommend that people pass less money through them.
>
> If you don't know why I am sending this mail.. you are reading US managed news, and need to be much much more informed
>
> Thanks.
Re: Donations
Which sucks because I was very pro-Swedish women! Damn it all to hell...

On Dec 7, 2010 5:19 PM, Clint Pachl pa...@ecentryx.com wrote:
> Jason Crawford wrote:
> > Better add Visa to the list as well
>
> And Swiss banks and Swedish women. :-)
Re: Stopped at pf_test_rule+0xa87
On Tue, Dec 1, 2009 at 1:25 PM, Brynet bry...@gmail.com wrote:
> Jason Crawford wrote:
> > I subscribe to http://flirble.disruptiveproactivity.com/rss/openbsd_stable_src.rss and that picked up the change to stable in question. That site also offers feeds for changes to ports -stable http://flirble.disruptiveproactivity.com/rss/openbsd_stable_ports.rss
>
> That was the RSS feed I was talking about, it does NOT mention this change at all.
>
> -Bryan.

Then you need a better rss reader, as I am staring at the change right now, sent to me via that exact rss feed. Maybe Google Reader has the elusive crystal ball that so many users here assume the devs have.

-- Jason
Re: Stopped at pf_test_rule+0xa87
I subscribe to http://flirble.disruptiveproactivity.com/rss/openbsd_stable_src.rss and that picked up the change to stable in question. That site also offers feeds for changes to ports -stable http://flirble.disruptiveproactivity.com/rss/openbsd_stable_ports.rss

On Tue, Dec 1, 2009 at 11:49 AM, Brynet bry...@gmail.com wrote:
> Hi,
>
> Here is the change that Henning made to pf in -STABLE, I wasn't even aware of it.
>
> http://marc.info/?l=openbsd-cvs&m=124955744915786&w=2
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c.diff?r1=1.655.4.1;r2=1.655;only_with_tag=OPENBSD_4_6
>
> Would it be possible to track commits to -STABLE? A few RSS feeds exist but none of them appeared to have noticed this one.
>
> Thanks,
>
> @Alastair, you should at least be following errata.
> http://www.openbsd.org/errata46.html
>
> -Bryan.
Re: gcc to 4.1 openbsd
On Mon, Aug 17, 2009 at 5:20 PM, Yamidt Henao yamidthe...@gmail.com wrote:
> Hi, where do I find the gcc version for OpenBSD 4.1?
>
> Best Regards,
>
> Y.H

http://www.openbsd.org/41.html

-- Jason
Re: Parallel build in ports - make -j4
On Sun, Mar 22, 2009 at 2:34 PM, Pedro de Oliveira fa...@rdk.homeip.net wrote:
> Hello,
>
> I was wondering if there's any way to use make -j4 when building ports from source? Any obscure option on mk.conf?
>
> Currently if I run on a port, for example: make -j4 install it just uses one thread on the makefile of the port. Is there any way to pass the -j4 option to make command inside the port?

My guess is you want to use the MAKE_JOBS environment variable. Take a look in bsd.port.mk

-- Jason
Re: Longest Uptime?
On Tue, Oct 28, 2008 at 8:54 PM, new_guy [EMAIL PROTECTED] wrote:
> I know. Longest uptime is silly, macho, pointless stuff... but I ran across an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The only reason it was not an open mail relay is that /var was full.
>
> So, I thought to myself, I bet I could run an OpenBSD box for that amount of time or longer without getting hacked and without doing much to it.
>
> Just wondering what's the longest OpenBSD uptime some folks on misc have seen?
>
> Thanks

Hmm, yeah sure I'll bite. The longest I've seen that I still have a record of (screen shot of the uptime command) was a machine I installed as a firewall for a very important mail server. Please note, I was not in charge of maintaining it, otherwise it would not have reached this uptime, but it was over two years. As far as I could tell (I got onto the box once in a blue moon) it was not hacked, but seeing as all it did was run pf, and only allowed ssh from 2 IP addresses (both I controlled, and were firewalled themselves), that doesn't seem extraordinary. I will type out the uptime/uname command as in the picture:

$ uptime
10:54AM up 745 days, 22:36, 0 users, load averages: 0.13, 0.09, 0.08
$ uname -a
OpenBSD bassfishing 3.1 GENERIC#0 i386
$

As far as uptimes I don't have records of, a friend of mine has worked on old systems that weren't rebooted because they were afraid it would not boot back up again. One of them pre-internet, I believe it did some financial stuff. However, no proof there.

-- Jason
Re: Update release 3.8 on AMD64 with a “fix” for the recent “DNS cache poisoning” vulnerability?
On Wed, Jul 30, 2008 at 2:43 PM, skogzort [EMAIL PROTECTED] wrote:
> Hello,
>
> I'm trying to protect our DNS server from the vulnerability referred to in: CVE-2008-1447 and US-Cert Vulnerability Note VU#800113. I see that there is a patch for BIND in 4.2 and 4.3 that addresses this vulnerability, but not for 3.8.
>
> I have inherited an Open BSD DNS server that provides external DNS for our web server and serves NTP for our infrastructure. I don't know UNIX or Open BSD. I'm reading through the Open BSD website and asking questions on the mailing lists to try and get an overview of what I need to do to upgrade/update/patch this server.
>
> It was suggested to me that I may have to "manually merge the patch", but I can't find any instructions for that. I know that if I could upgrade our release to 4.2 or 4.3 then I could follow the instructions in the patch itself, but I wonder if that would be more work and potential for mistakes than necessary. I was also told to use "ports", but I read that using ports was only for people who have experience with Open BSD and beginners were not allowed to ask questions in mailing lists about using ports.
>
> What do you think: manually merge the patch, upgrade to 4.2 or 4.3 and apply, or use ports? My inexperience is a factor, I am looking for the shortest steps (so there will be less chance for error) that will still allow for a quick revert, should the "fix" fail.
>
> Thanks again to everyone who helped with my last question and who may help with this. I really appreciate your time and opinions.
>
> Kyle

The shortest step that is officially supported by OpenBSD would be upgrade to 4.3, then recompile /usr/src/usr.sbin/bind after patching/cvs'ing the source code. It might be possible to backport the patches, but that is not something for the inexperienced/lighthearted.

-- Jason
Re: How can the bootprompt be removed from the bootloader on an amd64 system?
On Wed, Jul 2, 2008 at 6:36 PM, Jon [EMAIL PROTECTED] wrote:
> I would like the bootloader to accept no user input and do nothing but load the kernel.

man boot.conf
look for timeout
Re: ssh_config, chroot, or user rights to restrict user access?
On Wed, Feb 20, 2008 at 2:02 PM, LeRoy, Ted [EMAIL PROTECTED] wrote:
> I'm taking a class on system security. We're in teams and we have to allow attacking teams ssh access to our devices. I'd like to limit the user account access for the other groups, permitting them a shell and a few commands, but no ability to browse the box or do things like cat or cp /etc/passwd.
>
> I'm running OpenBSD 4.2 on the server they'll be attacking. I'm an OpenBSD noob. Learning under fire.
>
> If someone can help me figure out whether using ssh_config, chroot, or just using permissions will be the easiest, most effective way to go about it, and how to proceed, it will be much appreciated. Alternatives would be great too.

The easiest way is to upgrade to -current, as openssh in -current has the ChrootDirectory option in sshd_config now. Look at:
http://undeadly.org/cgi?action=article&sid=20080220110039&mode=expanded&count=5
for more details.
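For the ChrootDirectory route suggested in the reply above: sshd only accepts the chroot when every component of the path is a root-owned directory that is not writable by group or others. The following is an added example, not part of the thread: a commented sshd_config fragment plus a POSIX sh audit of a candidate jail path. The group name `attackers`, the path `/var/jail` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: group "attackers",
# jail path /var/jail, and the helper functions below.
#
# sshd_config fragment this script supports:
#
#   Match Group attackers
#       ChrootDirectory /var/jail
#       AllowTcpForwarding no
#       X11Forwarding no
#
# sshd(8) refuses the session unless every component of the ChrootDirectory
# path is a directory owned by root and not writable by group or others.
# For an interactive shell the jail also needs the shell binary, its
# libraries and basic /dev nodes copied in; this script does not do that.

# check_component DIR [UID]: verify one path component.
# UID defaults to 0; another value is only useful for unprivileged testing.
check_component() {
    cc_dir=$1
    cc_uid=${2:-0}
    if [ ! -d "$cc_dir" ]; then
        echo "FAIL $cc_dir: not a directory"
        return 1
    fi
    # "ls -ldn" prints "<mode> <links> <uid> <gid> ..." with numeric ids.
    cc_info=$(ls -ldn -- "$cc_dir" | awk '{ print $1 " " $3 }')
    cc_mode=${cc_info% *}
    cc_owner=${cc_info#* }
    cc_rc=0
    if [ "$cc_owner" != "$cc_uid" ]; then
        echo "FAIL $cc_dir: owned by uid $cc_owner, expected $cc_uid"
        cc_rc=1
    fi
    # Character 6 of the mode string is group write, character 9 other write.
    case $cc_mode in
        ?????w*|????????w*)
            echo "FAIL $cc_dir: group- or world-writable ($cc_mode)"
            cc_rc=1
            ;;
    esac
    if [ "$cc_rc" -eq 0 ]; then
        echo "ok   $cc_dir"
    fi
    return "$cc_rc"
}

# audit_chroot PATH [UID]: check "/" and every component down to PATH.
# Returns 0 only if all components pass, 2 if PATH is not absolute.
audit_chroot() {
    ac_path=$1
    ac_uid=${2:-0}
    case $ac_path in
        /*) ;;
        *)
            echo "FAIL $ac_path: ChrootDirectory must be an absolute path"
            return 2
            ;;
    esac
    ac_rc=0
    check_component / "$ac_uid" || ac_rc=1
    # Split the path on "/" into positional parameters, globbing disabled.
    ac_ifs=$IFS
    IFS=/
    set -f
    set -- $ac_path
    set +f
    IFS=$ac_ifs
    ac_cur=
    for ac_part in "$@"; do
        [ -n "$ac_part" ] || continue
        ac_cur=$ac_cur/$ac_part
        check_component "$ac_cur" "$ac_uid" || ac_rc=1
    done
    return "$ac_rc"
}

# Run the audit when invoked with a path, e.g.: sh audit_chroot.sh /var/jail
if [ $# -gt 0 ]; then
    audit_chroot "$1"
fi
```

A jail under /tmp or inside a user's home directory fails this audit at the parent component, which is the usual reason sshd rejects a chroot.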
Re: How to specify 256bit AES keys in Automatic Keying mode for ipsecctl
On Feb 7, 2008 11:09 AM, Christian Weisgerber [EMAIL PROTECTED] wrote:
> Jason Crawford [EMAIL PROTECTED] wrote:
> > While I was reading through the man pages for ipsec.conf and ipsecctl, I noticed that for automatic keying there is no way to specify any type of key size. I was wondering if anyone knows of a way to do that, because I am very interested in setting up strong crypto ipsec tunnels using AES with 256bit keys,
>
> You currently can't do this. Somebody sent a patch for isakmpd to tech@ as a first step towards adding AES-192 and AES-256 support in ipsecctl, but that hasn't been picked up yet.

The person who posted that patch has gotten back to me in private. I currently do not have a test bed for this, but I will see what I can do in the future as I would love to see this committed.
How to specify 256bit AES keys in Automatic Keying mode for ipsecctl
Hello Misc, While I was reading through the man pages for ipsec.conf and ipsecctl, I noticed that for automatic keying there is no way to specify any type of key size. I was wondering if anyone knows of a way to do that, because I am very interested in setting up strong crypto ipsec tunnels using AES with 256bit keys, and ipsec.conf says AES only uses 128bit keys. I'm sure it can be done in Manual Keying mode, as I've used blowfish up to 448bit keys in manual mode, however I would really like to use Automatic Keying mode in a future installation I am planning.
Re: wireless support with OpenBSD vmware guest
On 6/18/07, Juan Miscaro [EMAIL PROTECTED] wrote: Hi gang, I would like to run VMware on Linux and use OpenBSD as a VM to act as my Internet gateway (pf, postfix, spamfilter). I will have another Linux VM or two that will act as fileserver and lan services. I would like to provide internet access to my lan using wireless protocols. Is this possible? That is, will I be able to use a wireless network card with an OpenBSD VM? Juan As long as you only use USB Wireless cards, I see no reason why you couldn't do this, as you can hand off USB devices directly to vmware (I've used USB stuff in VMware all the time). However, I DON'T think you should set up your network this way, as you've basically ruined any real security. But, it should be possible. Jason
Re: cvsync broken?
On 5/10/07, Claus Assmann [EMAIL PROTECTED] wrote: On Thu, May 10, 2007, Hannah Schroeter wrote: Just trying to cvsync my stuff. And it wants to remove quite much: hostname cvsync.de.openbsd.org same problem with anoncvs1.usa.openbsd.org and anoncvs3.usa.openbsd.org I talked with Todd Miller about this (anoncvs3 specifically) and he said it is a problem with the upstream mirror that appears to be fixed now (my cvsup server doesn't delete stuff anymore). Jason
Re: rmoption INET6
On 3/28/07, John Brahy [EMAIL PROTECTED] wrote: So if I use GENERIC and then disable ipv6 is that a safe thing to do? In light of the recent security issue and since I don't use ipv6 I thought it would make the system more secure, but I definitely don't want to make it unstable. If you follow stable, your system will be patched and no longer vulnerable. If you REALLY want to disable IPv6, enable pf, and put: block in quick inet6 That was even recommended as the workaround for the latest IPv6 issue, and would fix any future issues. Jason
Re: Daylight savings fix with OpenNTPD
If you set /etc/localtime to /usr/share/zoneinfo/US/Eastern, it'll automatically switch between EST and EDT. On 3/21/07, Dan Farrell [EMAIL PROTECTED] wrote: I'm using the EST timezone (as reported in 'date') and yet I'm still an hour behind... much like you... NTPD is running and syncing up with pool.ntp.org. And in looking further Bob's right (as usual)... I'm not using the correct timezone setting. I had to change that to the 'correct' EST setting... zic -I EST5EDT Perhaps you need to do something similar? I got this from- http://archives.neohapsis.com/archives/openbsd/2005-08/0756.html danno -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bob Beck Sent: Tuesday, March 20, 2007 3:44 PM To: Bray Mailloux Cc: misc@openbsd.org Subject: Re: Daylight savings fix with OpenNTPD * Bray Mailloux [EMAIL PROTECTED] [2007-03-20 13:33]: Has a patch been issued? Yes. see the errata page It might just be the time servers, but date is reporting 11:04:31 when it is 12:05. It ain't the time servers they report in UCT. Your timezone is wrong -Bob
Re: Groklaw artical about the BSD license
On 1/16/07, Vim Visual [EMAIL PROTECTED] wrote: yes, the article is somehow misleading... at this point I would like to ask another question here, in misc; namely... how do you feel/ what do you think of big companies making profit out of o'bsd or whatever bsd variant and not giving anything back for that? Think of, for instance, the MacOSX case... How would you feel like if o'bsd had another kind of license, for instance a GPLv3 one? just curious... License flame war program initiatingNOW seriously, please read the archives, especially these two: http://marc.theaimsgroup.com/?l=openbsd-cvs&m=99118909527873&w=2 http://marc.theaimsgroup.com/?l=openbsd-tech&m=110809672612810&w=2 Jason
Re: {ftp3,anoncvs3}.usa.openbsd.org outage?
I talked with Todd earlier today, hard disk failure, he's currently working on getting everything back up. On 11/14/06, Ben Calvert [EMAIL PROTECTED] wrote: plier.ucar.edu ( {ftp3,anoncvs3}.usa.openbsd.org ) has been down for the last several days. Does anyone know if this is a permanent or temporary outage? scanning the anoncvs mirror list at http://www.openbsd.org/anoncvs.html#CVSROOT i notice that at least one other mirror is pulling from anoncvs3.usa, Thanks, ben - I think what we need to do is convince people who live in the lands they live in to build the nations. George W. Bush October 11, 2000 Presidential Debate -- Winston-Salem, North Carolina.
Re: Fwd: Oldest Server you run
On 10/13/06, DoN. Nichols [EMAIL PROTECTED] wrote: On 2006/10/12 at 05:04:10PM -0400, Jason Crawford wrote: And I meant to send this to the whole list A nuisance, having the From: set to the individual poster, not the list, isn't it? [ ... ] Oldest machine I had running (until I moved to an apartment that can't accommodate more than a couple machines) was a sparc station2 at 40MHz and 32MB ram with two 512MB hard drives. Didn't have an onboard nic, Huh? I thought that the SS-2 had an AUI connector, so all you need is an external transceiver, not a NIC. I've used them with Thicknet, Thinnet, and 10BaseT at various times. Yes you are right. It's been a little while since I've pulled that machine out, but all it needed was an external transceiver. Hopefully I'll be able to dust it off at some point in the near future and see if it runs 4.0 well. but I put one on it and it was my DNS server just fine with OpenBSD up to 3.7 or so until I moved, and as far as I know it should still work. I also run a friend's firewall on a p166 machine with 64MB of ram. The oldest one which I am still running (at present) is an old Sun LX -- running an older Solaris, but a planned changeover to OpenBSD. Intended function is DNS server. Enjoy, DoN. -- Email: [EMAIL PROTECTED] | Voice (all times): (703) 938-4564 (too) near Washington D.C. | http://www.d-and-d.com/dnichols/DoN.html --- Black Holes are where God is dividing by zero ---
Fwd: Oldest Server you run
And I meant to send this to the whole list -- Forwarded message -- From: Jason Crawford [EMAIL PROTECTED] Date: Oct 12, 2006 5:03 PM Subject: Re: Oldest Server you run To: Falk Husemann [EMAIL PROTECTED] On 10/12/06, Falk Husemann [EMAIL PROTECTED] wrote: Hello List! We're trying to put an old server to good use again and would like to know what's exactly the oldest machine running OpenBSD? As machine we defined something with processor, ram, network, hard disk and a connection to the internet. So no Newton or toaster (at least not if there's no disk being toasted). Thank you in advance, Falk Oldest machine I had running (until I moved to an apartment that can't accommodate more than a couple machines) was a sparc station2 at 40MHz and 32MB ram with two 512MB hard drives. Didn't have an onboard nic, but I put one on it and it was my DNS server just fine with OpenBSD up to 3.7 or so until I moved, and as far as I know it should still work. I also run a friend's firewall on a p166 machine with 64MB of ram. Jason
Re: dd problem
1) stat(2), the st_blksize field in the stat struct 2) no, because it's the device, not dd, that's not letting it work. CD-ROMS only want to output 2K of data at a time, so if you request less than that, they just won't do it. Generally though, most devices will output less than st_blksize, but it'll just go damn slow. Jason On 5/31/06, akonsu [EMAIL PROTECTED] wrote: thanks everybody. 1. how do i determine the correct block size for a device? 2. is the fact that dd does not work without any bs parameter a bug and should be reported? thanks konstantin try dd if=/dev/rcd0c of=disk.iso bs=32k note the rcd0c instead of cd0a. The 'a' vs. 'c' doesn't (seem to) matter, I just philosophically prefer the 'c' implying entire disk, rather than just one partition. The raw mode of access makes a lot of difference here. I put the bs=32k in there for a bit of additional performance, but it turns out that without the bs= line, it didn't work at all. After a little thought (and testing), I remembered that on most modern platforms, CDROM drives have a 2k block size, so apparently dd has trouble moving 512 bytes at a time out of CDROM drives. I confirmed that bs=2k worked, bs=1k does not, so I might possibly be not totally wrong on that. bs=32k seemed to go about twice as fast as bs=2k. Well, I learned something. :) Nick.
Re: license for getopt.c?
On 5/31/06, Ted Unangst [EMAIL PROTECTED] wrote: On 5/31/06, Will H. Backman [EMAIL PROTECTED] wrote: While wandering through the usr.bin source tree (not to imply that I am qualified to take the journey), I noticed that getopt.c doesn't have a license clause in it. Anyone know who david might be? $OpenBSD: getopt.c,v 1.6 2003/07/10 00:06:51 david Exp $ it would be helpful if you mentioned *which* getopt.c. the one in libc (before it was deleted) certainly did have a license. i also doubt david wrote the file in question if that's why you're asking. Well he mentioned the usr.bin source tree, and there is only one getopt.c file in usr.bin source tree. And he mentioned david because he's the last one to edit the file according to the $OpenBSD$ RCS Id. If I recall correctly, not having a license means full Copyright law is in effect, which means no copying allowed, however getopt.c in /usr/src/usr.bin/getopt/ doesn't seem to have much of anything except a call to getopt(3). Jason
Re: keeping spamd's whitelist over a rebuild
On 5/26/06, Craig Hammond [EMAIL PROTECTED] wrote: I am wanting to upgrade a 3.8 system to 3.9 I normally do this by backing up any data I need and doing a clean install. It's mainly the whitelisted entries I want to keep over the rebuild. I figured out to extract them by going: spamdb | grep WHITE | cut -d '|' -f 2 > ~/spamd-white But I can't figure out how to load it back in. spamdb -a only lets you load one IP at a time. Can I just grab a copy of /var/db/spamd, and then restore it on the new system, or would that break something. Why not just save the /var/db/spamd file on another computer, and copy it back over before you start spamd on a fresh install? That's the db file that stores your white/grey list. Jason
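Added example (not part of the original thread): a shell sketch of the text export/reload route the question describes, re-adding one address per spamdb -a call. It assumes spamdb's dump is pipe-separated with the entry type in field 1 and the address in field 2, which is what the cut command in the question relies on; the sample dump, the function names and the SPAMDB override variable are constructed for this example.

```shell
#!/bin/sh
# Added example: carry spamd's WHITE entries across a reinstall as text.
# Assumption: one pipe-separated record per line, type in field 1 and
# address in field 2 (the layout the cut command in the question uses).

SPAMDB=${SPAMDB:-spamdb}   # overridable so the logic can be tried without spamd

# Constructed sample dump (documentation address ranges only).
sample_dump() {
cat <<'EOF'
WHITE|192.0.2.10|||1148600000|1148601800|1151711800|2|5
GREY|198.51.100.7|<WHITE@example.org>|<user@example.net>|1148650000|1148664400|1148664400|1|0
WHITE|203.0.113.44|||1148610000|1148611800|1151721800|1|12
WHITE|not-an-address|||0|0|0|0|0
TRAPPED|198.51.100.99|1148700000
EOF
}

# Print the address of every WHITE record read from stdin.
# Field 1 is compared exactly, so a GREY record whose sender merely contains
# the text "WHITE" is not promoted, which "grep WHITE" would do.
extract_white() {
    awk -F'|' '$1 == "WHITE" { print $2 }'
}

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1          # safe to split: only digits and dots remain here
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|????*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read addresses from stdin and re-add each one with its own "spamdb -a"
# call. Lines that are not valid addresses are reported and skipped, since
# the file is being fed to a command run as root. Prints the number added.
reload_white() {
    added=0
    while IFS= read -r addr; do
        if valid_ipv4 "$addr"; then
            "$SPAMDB" -a "$addr" </dev/null && added=$((added + 1))
        else
            echo "skipping invalid entry: $addr" >&2
        fi
    done
    echo "$added"
}

# Old system:  spamdb | extract_white > ~/spamd-white
# New system:  reload_white < ~/spamd-white
```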
Re: Static functions in C code
On 5/26/06, Diego Giagio [EMAIL PROTECTED] wrote: On 5/25/06, Ted Unangst [EMAIL PROTECTED] wrote: how many parse_config functions do you think spamd needs? It was an example. The point is: is there a reason for not using static on functions with internal linkage? There's at least one reason to use static: name clashes. And Marco was explaining why he (and probably other OpenBSD devs) don't use static: name clashes. static makes things more difficult to debug, and having 50 different static functions named the same thing could get pretty confusing in large projects.
Re: clamav-0.88.2
On 5/26/06, Peter Fraser [EMAIL PROTECTED] wrote: 3.8 had clamav-088.2 and 3.9 only has clamav-088 Is there going to be (soon) an update to the 3.9 packages for clamav ? According to http://www.openbsd.org/pkg-stable.html 3.9 does have clamav-0.88.2 in its packages. And my spam/virus email filter runs 3.9-stable with clamav-0.88.2. Check the site next time. Jason
Re: clamav-0.88.2
It's on cvs, I don't think they update the src and ports tar files on the ftp site with stable cvs updates. Jason On 5/26/06, Peter Fraser [EMAIL PROTECTED] wrote: I just pulled down ftp.openbsd.org/pub/OpenBSD/3.9/ports.tar.gz and it too contains only clamav-0.88 not clamav-0.88.2 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Fraser Sent: Friday, May 26, 2006 2:57 PM To: misc@openbsd.org Subject: Re: clamav-0.88.2 I did check, I still have the output of my screen I did an ftp to ftp.openbsd.org/pub/OpenBSD/3.0/packages/i386 And clamav-0.88.2 is still not listed there. Clicking the clamav-0.88.2.tgz. i386 in www.openbsd.org/pkg-statble.html in firefox give 550 Failed to change director I suppose that someone, no me has a caching proxy, that giving me trouble if other people can find the package -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Crawford Sent: Friday, May 26, 2006 2:41 PM To: Peter Fraser Cc: misc@openbsd.org Subject: Re: clamav-0.88.2 On 5/26/06, Peter Fraser [EMAIL PROTECTED] wrote: 3.8 had clamav-088.2 and 3.9 only has clamav-088 Is there going to be (soon) an update to the 3.9 packages for clamav ? According to http://www.openbsd.org/pkg-stable.html 3.9 does have clamav-0.88.2 in its packages. And my spam/virus email filter runs 3.9-stable with clamav-0.88.2. Check the site next time. Jason
Re: clamav-0.88.2
Well it appears that stable packages haven't been completely updated on the ftp sites. I would then suggest you grab the stable ports tree and install via that method. This may not always be easy, but in the case of a virus scanner, you probably want it to be updated as quick as possible. I always try to have a build machine on any site that I run OpenBSD on if possible (or my house if nowhere else), so I can build stable releases for src and ports, and push it to a local ftp server to do local ftp upgrades, makes my life a lot easier. Jason On 5/26/06, Peter Fraser [EMAIL PROTECTED] wrote: I did check, I still have the output of my screen I did an ftp to ftp.openbsd.org/pub/OpenBSD/3.0/packages/i386 And clamav-0.88.2 is still not listed there. Clicking the clamav-0.88.2.tgz. i386 in www.openbsd.org/pkg-statble.html in firefox give 550 Failed to change director I suppose that someone, no me has a caching proxy, that giving me trouble if other people can find the package -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Crawford Sent: Friday, May 26, 2006 2:41 PM To: Peter Fraser Cc: misc@openbsd.org Subject: Re: clamav-0.88.2 On 5/26/06, Peter Fraser [EMAIL PROTECTED] wrote: 3.8 had clamav-088.2 and 3.9 only has clamav-088 Is there going to be (soon) an update to the 3.9 packages for clamav ? According to http://www.openbsd.org/pkg-stable.html 3.9 does have clamav-0.88.2 in its packages. And my spam/virus email filter runs 3.9-stable with clamav-0.88.2. Check the site next time. Jason
Re: altq pf and interface group
On 5/18/06, holger glaess [EMAIL PROTECTED] wrote: hi i try to use an interface group name together with altq in my firewall config . example ifconfig bge0 group wan_if altq on wan_if cbq bandwidth 100Mb queue { std, www, ssh, admin } if i try to activate this i got a syntax error from pfctl. if i do the interface as macro and the altq line like this altq on $wan_if cbq bandwidth 100Mb queue { std, www, ssh, admin } everything works perfect. all other kinds rules works perfect with the interface group name ( rules , rdr , nat ) it is a bug ? Unless things have changed that I haven't noticed (and I try to follow pf development closely), no altq is not supported on interface groups. Here is the thread where I asked the same question back in August 2005, and Henning provided the answer: http://marc.theaimsgroup.com/?t=11242975202&r=1&w=2&n=4
Re: Laptop recommendations
On 5/11/06, rjn [EMAIL PROTECTED] wrote: Hi all, I'm looking into getting a new laptop (I start college in the fall). In particular, I'm looking for something OpenBSD compatible. I considering either a Lenovo Thinkpad or the MacBook Pro. From what I've seen you can only boot the macbook pro if you have windows installed. I'm wondering if anybody has experience with the new Lenovo models and the macbook pro? Thanks, RJ The official page for compatible laptops can be found here: http://www.openbsd.org/i386-laptop.html
Re: Anyone Interested in Programmable AMD Coprocessors?
On 4/23/06, Falk Husemann [EMAIL PROTECTED] wrote: I (maybe like you) just read the corresponding article on TheRegister (http://www.theregister.co.uk/2006/04/21/drc_fpga_module/). I'd bet it wont make it to mainstream if compilers don't support it. What do you think? I think FPGA's are about to hit mainstream. Take a look at the CELL processor (and PS3). That processor is f'ing sweet, and you can already buy IBM servers with it in there. Basically, it's a Power5 based CPU that controls 8 FPGA's, and is extremely fast, 4.0GHz is about 256GFLOPS. Jason
Re: anoncvs + OPENBSD_3_9_BASE
On 3/23/06, Bob Bostwick (Lists) [EMAIL PROTECTED] wrote: Is that why /snapshots/packages/i386/ is not available? I'm probably going to get yelled at for asking this, but I really don't know the answer. I just upgraded to -current, if I can't use /snapshots/packages/i386/ for installing packages, where should I install from? Yes I ordered a 3.9 CD, but would like to use this system before the release. Do I have to re-install 3.8? Yes I am installing what I can from /usr/ports/xxx (yes I updated that too) but some things I want are not in there... This has been beaten to death in other threads. The developers are busy making sure that OpenBSD 3.9 is going to be released on schedule, and don't really have that much time to spend on snapshots (right now). If you really want to follow current, try getting the current ports tree and compiling the packages yourself until the packages dir is back in the snapshots dir. Jason
Re: IDS solution
On 3/21/06, Hutger H. [EMAIL PROTECTED] wrote: Hi folks, I've been looking for a consolidated IDS solution that I can deploy in my network. Snort is really a good option but currently it seems that they are charging for updates, is that true? I'd like to find out a free of charge Linux, or BSD, solution that can work as good as snort works and, rather with some successful deployment cases. Any ideas? Well as far as charging for updates goes, that's only for rulesets I believe. Basically, the rules that you get with the snort tar ball are all you get, if you want updates to them you gotta pay. But later versions of snort are free, so upgrading from 2.4.3 to 2.4.4 is free, just not the extra snort rules. And even then, only the SourceFire VRT Certified Rules cost money (for subscriptions and redistribution rights I believe), a community driven rule group is still free, however they don't Guarantee the rules. If I were you, I'd stick with snort, you'll be hard pressed to find a free NIDS that is as robust, and I speak from experience, as I've setup some pretty damn large and complex snort deployments for my work in the past. Jason
SGI's
I am soon going to be getting an Octane with dual R12000SC CPUs. I was wondering how well OpenBSD would work on this computer (I am pretty sure there isn't SMP support on the SGI stuff yet) and how much help is needed in getting the SGI port to work even better. Jason
Re: SGI's
On 3/11/06, Roger Neth Jr [EMAIL PROTECTED] wrote: On 3/11/06, Jason Crawford [EMAIL PROTECTED] wrote: I am soon going to be getting an Octane with dual R12000SC CPUs. I was wondering how well OpenBSD would work on this computer (I am pretty sure there isn't SMP support on the SGI stuff yet) and how much help is needed in getting the SGI port to work even better. Jason Hello, I setup an SGI 02 with 3.8 last year and runs without a problem. The only problem I had was understanding the SGI boot methods and partitions. Once I understood that no problem. As far as I know there isn't any X yet and I connect serially. I think X is being worked on. Serial would be best for me, the SGI monitor I have is like 21+ inches. I am pretty excited about trying this out, mips is one of the archs I don't have much experience with yet (some basic IRIX admin before, but that's it), so when I found one I thought I'd add it to my already somewhat large personal collection of different archs. I just wish I had a second one I could donate to the OpenBSD guys (SMP support would kick ass). Jason
Re: SGI's
On 3/11/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: On Sat, 11 Mar 2006 11:51:24 -0500, Jason Crawford [EMAIL PROTECTED] wrote: I am soon going to be getting an Octane with dual R12000SC CPUs. I was wondering how well OpenBSD would work on this computer (I am pretty sure there isn't SMP support on the SGI stuff yet) and how much help is needed in getting the SGI port to work even better. Jason Hi Jason, Octane support is a planned project but currently there is no support for Octane as far as I know. The only currently supported model is the SGI O2. The little blue toaster O2 systems are a lot of fun and amazingly quick when they have lots of RAM. When you stuff them full of RAM, they just scream, moreso than any other arch I've used. I've got a few O2 systems over here but I haven't touched them for months and haven't used them with OpenBSD since 3.6/3.7. Even with the earlier OpenBSD releases, once you get past the SGI-isms, they work very well. Well on the OpenBSD sgi page, it says that the R12000 CPUs are supported. Is it some other piece of hardware like disk controller or something that prevents OpenBSD from running on an Octane? Jason
Re: Sun Ultra 1 and Ultra 5
On 3/3/06, Gustavo Rios [EMAIL PROTECTED] wrote: Hey folks, i have a sun workstation in hand and had never had a previous experience with sun hardware before. I would like redirect console to serial port. These machine are very old, and hardware documentation has been lost. It has a serial port, doesn't it? I was trying to get X working, but no luck. Does anybody have openbsd 3.8 running on such hardware? Could you send your xorg.conf file? I've run OpenBSD on both, however never with X so I can't help you there, sorry. But as far as getting serial console to work, all you have to do is make sure that a keyboard and monitor are NOT plugged into the back, and a null-modem cable plugged into the serial port A, and when you boot the box, it'll just work. The great thing about sun boxes is the serial support, it Just Works. Jason
Re: Sun Ultra 1 and Ultra 5
On 3/3/06, Matthew Weigel [EMAIL PROTECTED] wrote: Jason Crawford wrote: there, sorry. But as far as getting serial console to work, all you have to do is make sure that a keyboard and monitor are NOT plugged Actually, just the keyboard has to be unplugged. :-) Cool since I sold my U5 and I don't have a Sun monitor for my U1, I could never confirm whether the monitor had to be plugged in or not, but I figured better safe than sorry. Thanks for confirming. Jason
Re: PF or BPF
On 2/13/06, Dave Feustel [EMAIL PROTECTED] wrote: On Monday 13 February 2006 13:51, dereck wrote: This is getting ridiculous! The guy said he was under attack.(!) What is the point of a _misc_ list anyway? He's not clogging the dev list! The responses here are totally out of line. Haven't any of you guys EVER had a desperate situation before? Dereck, Thanks for the support. However, my situation is not desperate. By refusing to answer a question to which he indicated he had an answer, Ted has left all of us hanging as to whether he *really* knows what the differences are between the capabilities of pf and bpf. *I* could certainly not testify that Ted actually knows the answer to that question as he claims to. :-) If he can code rthreads, I think it's pretty safe to say he understands the differences between bpf and pf, those seem like some really inflammatory remarks to me. If you bother to take some time to read the manuals instead of expecting to be spoon fed the information on the mailing list, then you'll learn a lot more, as well as not get flamed by others on the list. Ted has much better things to do (like make rthreads kick even more ass) than to answer silly questions by a user who is too lazy to read. (BTW, I had read the bpf man page and, frankly, I couldn't make any sense out of it on first reading. I started getting a better idea of bpf by the time I started reading the freebsd bpf man page, but then I started wondering why bother with bpf? How do I even use it?. It must have a useful purpose or it wouldn't be in OpenBSD.) You cannot learn all there is to know about bpf and how to effectively use it in 10 minutes, so you, personally, do NOT need to use bpf at all. It's what the other utilities like pf and tcpdump use to do what they do. The utilities are nice user friendly wrappers to the bpf interfaces, and someone with your experience (lack thereof?) should probably not be touching bpf directly. bpf is very powerful and very useful, but you really need to understand a lot more than what you have grasped so far to use bpf effectively. Jason
Re: PF or BPF
On 2/13/06, Dave Feustel [EMAIL PROTECTED] wrote: On Monday 13 February 2006 14:52, Jason Crawford wrote: You cannot learn all there is to know about bpf and how to effectively use it in 10 minutes, so you, personally, do NOT need to use bpf at all. It's what the other utilities like pf and tcpdump use to do what they do. The utilities are nice user friendly wrappers to the bpf interfaces, and someone with your experience (lack thereof?) should probably not be touching bpf directly. bpf is very powerful and very useful, but you really need to understand a lot more than what you have grasped so far to use bpf effectively. Well, one thing is for certain, the caustic responders to this thread aren't psychic. So let's try a r e a l s i m p l e q u e s t i o n : What OpenBSD programs use bpf. Please don't try to figure out why I am asking the question. Just answer it or go do something else that won't upset you. You're right, none of the responders are psychic, which is why if you don't include some information, the responses may be inaccurate. Reading the man page (and some unix common sense) will easily answer that for you. 1) you have all the source code 2) the man page says what exact include file bpf has for its ioctl interface and 3) you can use find and/or grep to search text files. It's really not hard, just try to actually think. While you may get upset about this kind of stuff, I have much better and more important things to worry about. Trust me, nothing on an internet mailing list is that important to me. Jason
Re: PF or BPF
On 2/13/06, Matthias Kilian [EMAIL PROTECTED] wrote: On Mon, Feb 13, 2006 at 02:03:27PM -0700, Diana Eichert wrote: find /usr/src -name *.[c|h] -exec grep 'bpf.h' /dev/null {} \; ^(a) ^(b) (a) I doubt there are any file names ending in a pipe symbol in /usr/src. man ksh (b) piping to xargs(1) may be faster. why? Jason
Re: PF or BPF
On 2/13/06, Stuart Henderson [EMAIL PROTECTED] wrote: On 2006/02/13 16:53, Jason Crawford wrote: On 2/13/06, Matthias Kilian [EMAIL PROTECTED] wrote: On Mon, Feb 13, 2006 at 02:03:27PM -0700, Diana Eichert wrote: find /usr/src -name *.[c|h] -exec grep 'bpf.h' /dev/null {} \; ^(a) ^(b) (a) I doubt there are any file names ending in a pipe symbol in /usr/src. man ksh it's in quotes, this is handled by find, not the shell. Right, my mistake. (b) piping to xargs(1) may be faster. why? grep foo 1 2 3 4 5 6 7 ... vs. grep foo 1 grep foo 2 grep foo 3 grep foo 4 grep foo 5 grep foo 6 grep foo 7 Well in the case of /usr/src, I think you must MIGHT hit the maximum argument length for the shell by using xargs, unless you did it inside of each directory in /usr/src. That and well, explaining xargs to Dave will end up leading to another 20+ mail thread Jason
Re: PF or BPF
On 2/13/06, Stuart Henderson [EMAIL PROTECTED] wrote: On 2006/02/13 17:28, Jason Crawford wrote: Well in the case of /usr/src, I think you must MIGHT hit the maximum argument length for the shell by using xargs I haven't seen xargs do the wrong thing here. Embedded spaces annoy, but that's what -print0 (to find) and -0 (to xargs) are for. I almost always use xargs here, to the extent I have to look up how to do a 'find -exec' most times that I want to use it. I guess I'm used to older behavior I've seen on other non-OpenBSD systems. Thanks for the corrections from everyone. Like someone has previously stated, you learn something new from some of these threads that were previously thought useless. That and well, explaining xargs to Dave will end up leading to another 20+ mail thread I think an actual utility that doesn't need programming skills to experiment with it might be easier than explaining Berkeley Packet Filter vs. Packet Filter. I know most of us know what BPF is, but googling around from a beginner's point of view I'm still not quite sure how I learnt about it. There's a paper at http://www.tcpdump.org/papers/bpf-usenix93.pdf (section 2, 'the network tap', for example) but I know I haven't read that before. Learning xargs and find (not to mention regular expressions, shell syntax - for/while/..., and so on) are probably more useful to general sysadmin tasks than learning what BPF is, though.. (even learning how to use tcpdump is probably more generally useful than learning about BPF - and let's pre-empt one possible path down that avenue: root being able to see certain passwords with 'tcpdump -s1500 -X' is not a security hole, it's just a demonstration of why some protocols should be buried). He couldn't even figure out how to find the applications that use bpf, so I think figuring out all the features in a utility might be out of his grasp... Jason
Re: xargs PF or BPF
On 2/13/06, Andrew Pinski [EMAIL PROTECTED] wrote: On Feb 13, 2006, at 9:24 PM, Damien Miller wrote: Because that will fail when there are too many arguments, and will probably break on filenames with spaces (use xargs -0 for these). Why not use -exec in find? find . -type f -name ttt -exec rm {} \; Because as stated many times on this list already (originally to correct me), that will execute rm for each file, while piping to xargs will only run rm once xargs stops getting input, or when it hits max command line length, in which case it will execute another rm based on input from the pipe. Jason
Re: xargs PF or BPF
On 2/13/06, Andrew Pinski [EMAIL PROTECTED] wrote: On Feb 13, 2006, at 9:53 PM, Jason Crawford wrote: On 2/13/06, Andrew Pinski [EMAIL PROTECTED] wrote: On Feb 13, 2006, at 9:24 PM, Damien Miller wrote: Because that will fail when there are too many arguments, and will probably break on filenames with spaces (use xargs -0 for these). Why not use -exec in find? find . -type f -name ttt -exec rm {} \; Because as stated many times on this list already (originally to correct me), that will execute rm for each file, while piping to xargs will only run rm once xargs stops getting input, or when it hits max command line length, in which case it will execute another rm based on input from the pipe. Time to write your own program in C instead if the time to invoke rm is taking too much time. No point, xargs does what I need it to do, and is much more efficient than having find execute rm itself. The fewer times you call execve(2) the better. Jason
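Added example (not part of the original thread): the find/xargs points made across the "PF or BPF" and "xargs" messages, run against a small constructed tree. It counts how many commands each form starts and shows what happens to a file name containing a space; the tree layout and function names are made up for the example, and the POSIX "-exec ... {} +" form is included as a batched variant the thread does not mention.

```shell
#!/bin/sh
# Added example: find -exec versus xargs on a constructed tree that
# contains a file name with a space in it.

# Create the tree and print its path (caller removes it).
make_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/sys/net" "$dir/usr.sbin/tcp dump"
    printf '#include <net/bpf.h>\n' > "$dir/sys/net/bpf.c"
    printf '#include <net/bpf.h>\n' > "$dir/usr.sbin/tcp dump/tcp dump.c"
    printf 'int unrelated;\n'       > "$dir/sys/net/other.h"
    echo "$dir"
}

# "-exec cmd {} \;" starts one command per matching file.
# The pattern is quoted so find, not the shell, expands it.
count_exec_each() {
    find "$1" -type f -name '*.[ch]' -exec sh -c 'echo run' sh {} \; |
        wc -l | tr -d ' '
}

# "-exec cmd {} +" lets find batch the names into as few commands as fit.
count_exec_plus() {
    find "$1" -type f -name '*.[ch]' -exec sh -c 'echo run' sh {} + |
        wc -l | tr -d ' '
}

# find -print0 | xargs -0 batches as well, passing names NUL-delimited.
count_xargs0() {
    find "$1" -type f -name '*.[ch]' -print0 |
        xargs -0 sh -c 'echo run' sh | wc -l | tr -d ' '
}

# Files that include bpf.h; NUL delimiters keep "tcp dump.c" one argument.
match_safe() {
    find "$1" -type f -name '*.[ch]' -print0 |
        xargs -0 grep -l 'bpf\.h' /dev/null | wc -l | tr -d ' '
}

# Same search without -print0/-0: xargs splits on blanks, the name with a
# space becomes several arguments grep cannot open, and that match is lost.
match_unsafe() {
    find "$1" -type f -name '*.[ch]' |
        xargs grep -l 'bpf\.h' /dev/null 2>/dev/null | wc -l | tr -d ' '
}

# Usage:
#   t=$(make_tree)
#   count_exec_each "$t"; count_exec_plus "$t"; count_xargs0 "$t"
#   match_safe "$t"; match_unsafe "$t"
#   rm -rf "$t"
```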
Re: The Apache Question
On 2/7/06, Marcin Wilk [EMAIL PROTECTED] wrote: Why change that It is apache, but with some patches. But still it is apache (changing name may be bad for future coders, that would like to make some plugin for OpenBSD http server, before they will start to make it, they will have to learn, that httpd in OBSD is just apache 1.3). Besides I don't understand why so many people would like to change current web server, when it's working fine well it is enough secure? Is there any really nice argument besides the digit ? I think no, so, why people always ask that I think the biggest argument for changing the web server is the fact that the Apache in tree doesn't do IPv6, and Apache 2.x does. And, btw, if you look at early 2.0 releases, you'll see they are still under the Apache 1.1 License or whatever 1.3 was under. The incompatible Apache license wasn't put in until after a few 2.x releases. At 22:11 2006-02-07, you wrote: Wouldn't it be better then to start a spinoff project (openhttpd or something comes to mind) instead of still calling it apache httpd 1.3? Stuart Henderson wrote: On 2006/02/07 21:23, RedShift wrote: I've noticed OpenBSD still uses Apache httpd 1.3. Well, not exactly. Diff the source trees and you'll see it's not quite the same thing...
Re: The Apache Question
On 2/8/06, Jason Crawford [EMAIL PROTECTED] wrote: On 2/7/06, Marcin Wilk [EMAIL PROTECTED] wrote: Why change that? It is apache, but with some patches. But still it is apache (changing name may be bad for future coders, that would like to make some plugin for OpenBSD http server, before they will start to make it, they will have to learn, that httpd in OBSD is just apache 1.3). Besides I don't understand why so many people would like to change current web server, when it's working fine well it is enough secure? Is there any really nice argument besides the digit? I think no, so, why people always ask that? I think the biggest argument for changing the web server is the fact that the Apache in tree doesn't do IPv6, and Apache 2.x does. And, btw, if you look at early 2.0 releases, you'll see they are still under the Apache 1.1 License or whatever 1.3 was under. The incompatible Apache license wasn't put in until after a few 2.x releases. Sorry to reply to myself, but I was curious as to how far along 2.0.x was still the Apache 1.1 License, so I checked out older versions of source from: http://archive.apache.org/dist/httpd/ And I have found that 2.0.48 is the last version with the Apache 1.1 License (compatible with OpenBSD) and that 2.0.49 is the first version with the Apache 2.0 License (incompatible with OpenBSD). So if anyone is truly interested in Apache 2.0.x, it looks like as far as the license is concerned, it's doable if 2.0.48 is used. At 22:11 2006-02-07, you wrote: Wouldn't it be better then to start a spinoff project (openhttpd or something comes to mind) instead of still calling it apache httpd 1.3? Stuart Henderson wrote: On 2006/02/07 21:23, RedShift wrote: I've noticed OpenBSD still uses Apache httpd 1.3. Well, not exactly. Diff the source trees and you'll see it's not quite the same thing...
Re: view available inodes on partition
On 1/25/06, Matthew Closson [EMAIL PROTECTED] wrote: Hello, Is there a way to view how many inodes are still available on a partition. I'm decompressing a ton of small files onto a 60Gb onto my /dev/wd1a. And I'm not really concerned about running out of space, but possibly out of inodes, I just used the default parameters creating the filesystem, which is ffs. Thanks, man 1 df
Re: CVSync servers not syncing?
On 1/20/06, Alexander Farber [EMAIL PROTECTED] wrote: Maybe because they are tagging it 3.9? Unless they decided to suddenly change how they release OpenBSD, they most certainly are not. 3.9 has JUST moved to beta yesterday (or 2 days ago, I forget) and trust me, you don't want to tag early beta code as release. Jason
Re: patch management on larger install bases
On 1/9/06, Russell Fulton [EMAIL PROTECTED] wrote: I am just starting to upgrade all my obsd boxes to 3.8. I have a copy of the official CDs -- I know the ISOs are copyright but is there a way of burning an updated set so I don't have to patch each system individually? Alternately, with the kernel I'm guessing I can replace /bsd (and /bsd.rd) using the little shuffle recommended in the upgrade docs. Which perl files need replacing? How do others who manage several boxes apply patches like the recent ones? This has been beaten to death on the archives. But I'll be nice and give you a hint: man 8 release I'm sure you can figure it out from there, especially while searching the archives. Jason
Re: OpenBSD is popular as a VM image
On 12/22/05, Graham Toal [EMAIL PROTECTED] wrote: Just an update on the popularity of the OpenBSD 3.8 VM image: Since it was posted on Dec 19 (4 days ago), apache logs have shown 2826 hits on the file with just over 277 gigs of traffic created by those downloads. Not bad for only a few days. I hope this isn't too OT for this list, but... do you know if it is possible under VMWare to have the virtual system be the only one which talks to the real ether card, while having the hosted PC only communicate to the net by routing via the VM'd system? What I'm thinking is that we could set up an OpenBSD as a personal firewall to a (cough, spit) Windows machine, and channel all the IP for the Windows machine through that VM'd OpenBSD system. Currently I'm using an extra box under my desk for a BSD firewall but since my main PC is already running 3 emulated systems as my development environment (one 'clean' PC for programming, one Linux for a dev web server, and believe it or not one emulated Vax/VMS for legacy work) it would be really nice to throw the OBSD firewall under VMware as well and have everything in one box! (incidentally this is one of the nicest development environments I've had for some time. VMware is cool, but having a PC with 3 flat panel displays is pretty nice too!) I have a very similar setup going on, but not with that VMware player or whatever it is. I have my host machine with 3 network cards in it, only 1 of which has an IP on the host machine, the other two network cards are ip-less for the host, but virtuals use them with IPs, and the hosted machine routes through one of the virtual machines to actually get out to the Internet. I won't go into any further details on-list, as this is pretty OT, so email me privately if you need further explanation. Jason
Re: Unable to build Gateway route
On 12/22/05, martin [EMAIL PROTECTED] wrote: Hello. I've been running other firewalls on this IP address with the same settings in the past, but am having problems setting up the Gateway with OpenBSD 3.8. It comes back with no route to host and when I do a netstat -rn, the Gateway is missing even though /etc/mygate exists. IP - 209.216.76.1 Netmask - 255.255.255.252 GW - 209.216.77.6 Either a typo in your netmask, or a typo in your gateway, since your gateway IP does not belong to the current netmask you assigned to your external IP. I have a feeling it's a typo in the netmask as that's a very very small one. Jason
Re: Unable to build Gateway route
On 12/22/05, martin [EMAIL PROTECTED] wrote: --- Jason Crawford [EMAIL PROTECTED] wrote: IP - 209.216.76.1 Netmask - 255.255.255.252 GW - 209.216.77.6 Either a typo in your netmask, or a typo in your gateway, since your gateway IP does not belong to the current netmask you assigned to your external IP. I have a feeling it's a typo in the netmask as that's a very very small one. Jason Jason. The figures are correct (I wondered about the unusual GW when I first rx'd it but they said it was correct). The thing is, I've had this connection for a couple of years and have run a number of firewalls with no issue with these ie. Linux Router Project, Freesco and others I have tested. It is running now with a commercial firewall with no problems. Can I force it to accept the gateway IP ? Regards...Martin Unless they don't follow IPv4 specs properly, with those exact numbers, none of them should work. 209.216.76.1 is nowhere near 209.216.77.6 so the netmask of 255.255.255.252 will not let you talk to 209.216.77.6 without another route. My guess, 255.255.252.0 is the netmask you want, as that would include both IPs. Or maybe you mistyped the 3rd set, and they should both be 76 or 77, although you'll still have to change the netmask to something like 255.255.255.240. Whether other OS's worked or not is irrelevant, the current WILL NOT WORK with an OS that follows the IPv4 spec PROPERLY. If your ISP is indeed handing this info to you, then they are complete morons, as it WILL NOT WORK. Jason
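The on-link test behind these replies, as an added example that is not part of the original messages: it checks whether a gateway falls inside the network given by an address and netmask, using the figures quoted in the thread, and reports the longest prefix the two addresses share. The function names are constructed, and the script assumes the shell does 64-bit arithmetic.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are constructed;
# the addresses are the figures quoted in the messages above.
# Assumption: the shell's arithmetic is at least 64 bits wide.

# Dotted quad -> 32-bit integer. The body runs in a subshell so the IFS and
# globbing changes do not leak. Rejects anything but four octets 0..255.
ip_to_int() (
    IFS=.
    set -f
    set -- $1
    [ $# -eq 4 ] || exit 1
    n=0
    for o in "$@"; do
        case $o in
            # empty, non-digit, leading zero (would parse as octal), too long
            ''|*[!0-9]*|0?*|????*) exit 1 ;;
        esac
        [ "$o" -le 255 ] || exit 1
        n=$(( ($n << 8) | $o ))
    done
    echo "$n"
)

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# on_link IP MASK GATEWAY
# Status 0 when the gateway is in the same network as IP under MASK,
# 1 when it is not, 2 when an argument does not parse.
on_link() {
    ip=$(ip_to_int "$1") && mask=$(ip_to_int "$2") && gw=$(ip_to_int "$3") || return 2
    [ $(( $ip & $mask )) -eq $(( $gw & $mask )) ]
}

# Longest prefix length under which both addresses share one network.
common_prefix() {
    a=$(ip_to_int "$1") && b=$(ip_to_int "$2") || return 2
    p=32
    while [ "$p" -gt 0 ]; do
        m=$(( (4294967295 << (32 - $p)) & 4294967295 ))
        if [ $(( $a & $m )) -eq $(( $b & $m )) ]; then
            break
        fi
        p=$(( $p - 1 ))
    done
    echo "$p"
}

# Prefix length -> dotted-quad netmask.
prefix_to_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0.0.0.0
    else
        int_to_ip $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

report() {
    if on_link "$1" "$2" "$3"; then
        echo "$3 is on-link for $1 mask $2"
    else
        echo "$3 is NOT on-link for $1 mask $2"
    fi
}

report 209.216.76.1 255.255.255.252 209.216.77.6
report 209.216.76.1 255.255.252.0   209.216.77.6
report 209.216.76.1 255.255.255.240 209.216.76.6
p=$(common_prefix 209.216.76.1 209.216.77.6)
echo "longest shared prefix: /$p ($(prefix_to_mask "$p"))"
```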
Re: BerkeleyDB on 3.8
On 12/22/05, J.D. Bronson [EMAIL PROTECTED] wrote: How can I tell what version the BDB is that comes within OpenBSD 3.8? thanks Check out http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/db/ to see the one included with OpenBSD, and /usr/ports/databases/db/ for other versions. Jason
Re: How can I switch the terminal?
On 12/19/05, openbsd shen [EMAIL PROTECTED] wrote: How to switch the terminal in OpenBSD, it looks is not Alt+F[1-7] likes Linux. http://www.openbsd.org/faq/faq7.html#SwitchConsole Try reading the damn documentation first. Also try reading http://www.openbsd.org/mail.html as well, thoroughly since you didn't do it right the first time, you would have to have read it to get on this mailing list. Btw, CTRL+ALT+F[1-7] worked on Linux before just Alt+F[1-7] did. Jason
Re: Hardware RNG speed
On 12/19/05, Michael Alexander Hamburg [EMAIL PROTECTED] wrote: Hello to the list, I'm working on a cryptography project, and one of the things the project requires is a moderately high-bandwidth source of truly random numbers. To accomplish this, I set up OpenBSD on a board with a (Soekris) Hifn 7955 accelerator card, but the rate I'm getting by reading out of /dev/srandom is pretty low (200B/s). However, this has to be coming from the card, because the machine has no other reasonable source of entropy other than the network: no hard drive, no keyboard, etc. Now, unless the card's specs are deceptive, its random number generator must support a higher rate than this: it claims 70 1024-bit Diffie-Hellman key exchanges per second, and each such key exchange requires a full 1024-bit random number, which comes out to 8.8kB/s. The minimum data rate for my application is about 1k/s, and I would strongly prefer not to use a PRNG. Is there a more direct way to query the RNG? random(4) claims that the RNG is not mapped directly to a device (/dev/random is not currently implemented), but rather that it periodically refreshes the system entropy pool. Is there a way to force this to occur more often, or to transfer more data? Or do the numbers lie, and I'm getting all the data I can? Thanks for your time, Mike Hamburg P.S. I'm looking at different sources of random numbers, and cost and integration are important factors. Would an AMD Geode LX or VIA C3 or C7 processor's on-board RNG provide a significantly higher data rate than a Soekris card, at a comparable quality? What about taking a cord that's plugged into the sound card port and microphone port, and reading in from the microphone? I've heard that is a pretty good source of randomness (all that annoying feedback), although I may be completely wrong, feel free to correct me if I am. Jason
Re: stuck on upgrading from 3.7 to 3.8 - Exception handling flag day
On 16 Dec 2005 14:41:38 -0800, Randal L. Schwartz merlyn@stonehenge.com wrote: Theo == Theo de Raadt [EMAIL PROTECTED] writes: Theo If you get stuck doing an upgrade build, please do a standard upgrade Theo or reinstall. Theo We have never promised that such builds will work perfectly, nor can we Theo dedicate 3-4 developers full-time to making sure they do. Which is Theo pretty much what it would take. I understand that. However, I'm hoping that someone else reading this mailing list will have tried the paragraph given in the FAQ, and either succeeded with a workaround, or discovered the futility as well. I'm upgrading a remote box, so a standard upgrade is not an option, nor is a reinstall. There was no warning in the FAQ that the information was definitely broken. It must have worked for *someone* or it wouldn't have been put in the FAQ, I presume. First off, I fail to see how extracting the install sets via ssh can't be done, as that's mentioned in the FAQ as one upgrade method. Second, the source upgrade stuff has worked for people in the past, but they usually know enough about the system to actually fix something if it breaks. A source upgrade probably has less of a chance of working as extracting the install sets via ssh as mentioned in the FAQ, so you're running a risk either way. My suggestion, get the box shipped back to you or ship out a new hard drive with the new install on it, and all the other data copied over. Since OpenBSD is compiled to work on all i386 boxes, it shouldn't really matter which box you install it on, as long as you properly set the network config how it should be on the remote box. Jason
Re: dd performance
I think the very first thing you should change is use the raw device in OpenBSD (/dev/rsd0c) and that should speed things up a bit. Jason On 12/15/05, chefren [EMAIL PROTECTED] wrote: Wiping identical 18GB SCSI disks on same Dell 1750 machine: OpenBSD 3.8: dd if=/dev/zero of=/dev/sd0c bs=1024k 6MB/s Linux 2.4: dd if=/dev/zero of=/dev/sda bs=1024k 53MB/S Any clue about the difference? Of course I'm also interested in different ways to do this but the difference is what puzzles me. +++chefren
Re: Just confirming: no way to do a pf rdr based on hostname?
On 12/12/05, Peter Landry [EMAIL PROTECTED] wrote: Hi All, We're migrating an old Microsoft ISA Server system to OpenBSD pf. First off, before I ask any questions, kudos to everyone -- Installing OpenBSD 3.8 was a very pleasant, painless experience for someone who's never used it before. Setting up pf/nat was also extraordinarily easy. The docs are great. Welcome, glad to hear you enjoyed it so far. That aside, the only thing that I haven't been able to migrate yet is ISA's ability to redirect web requests coming in on the same IP to different machines based on the host name. IE- www.a.com (IP 123.123.0.1) gets redirected to the internal IP 192.168.0.1 while www.b.com (also IP 123.123.0.1) gets redirected to the internal IP 192.168.0.2. This is application level filtering and such, pf doesn't do that. I haven't found anything in the docs, and all the list archive questions I've found were specific to ipnat, not pf. I'm thinking that I can't do it. In that case, my options seem to be 1) use different external IP's for each website, and redirect to different internal servers based on IP 2) redirect all web traffic to the legacy ISA system, which will then redirect based on hostname. I'm hesitant to use up all our IPs for option 1, but I'm thinking option 2 is even worse... Are there any options I haven't thought of? I would suggest looking at squid for reverse proxying. It's transparent, and you can have pf redirect all port 80 traffic to squid, which will then decide where to route the http request based on what site they asked for. This would also help protect your web servers from various attacks (but not all) since they wouldn't be talking directly with your web server, as well as squid being in a chroot and running as an unprivileged user. You could also setup squid to do caching which would reduce the load on your web server if need be. Good luck, Jason
Re: removing old files - /usr grows with each release
On 12/11/05, Andreas Bartelt [EMAIL PROTECTED] wrote: Hi all, according to http://www.openbsd.org/faq/faq4.html#SpaceNeeded 250 MB for /usr is sufficient, in case X isn't installed on an OpenBSD system. My /usr partition (located on a 512 MB CompactFlash drive) recently has reached its limits after living through multiple releases (3.4 - 3.8). du -h: ... /dev/wd0e 359M 311M 30.3M 91% /usr folders in my /usr partition: bin 19.9M games 1.4M include 16.8M lib 100M libdata 76.8M libexec 2.6M lkm 2.0K local 10.8M mdec 220K obj - /home/obj ports - /home/ports sbin 15.9M share 62.6M src - /home/src My goal is to safely remove all files from older releases, which aren't needed anymore. At least in /usr/lib, there seem to be some directories, which exclusively contain files from older releases, namely /usr/lib/gcc-lib/i386-unknown-openbsd[release number]. Is it safe to remove them after upgrading to a newer release? The content of /usr/libdata seems to be growing with each release, too. Which directories/files may be removed from /usr without risking too much? Is it better to wipe /usr and do a complete reinstall of all /usr content from a fresh OpenBSD system? You might want to try something like having find search / and show any files with a creation or modification time that would be before 3.8 release files, and redirecting the output to a file. I think that would be one way to at least get started, but any files needed for 3.8 would have been created or modified at the same time as specified in the installation sets. Or you could do a mix of creating a 3.8 file list via the installation sets and the find output, making sure that none of the files in your 3.8 file list are listed in the find output, then starting to remove. I would strongly suggest though, that you test them on another system that you purposefully install older versions and upgrade on before doing it on your production system. 
The best option though, if possible, is a reformat and reinstall, as you run no risk of breaking dependencies and only use space needed. Jason
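One way to carry out the cross-check suggested in this reply, as an added example that is not part of the original message: list the files that are not newer than a reference file, then drop every path that appears in a list of the release's own files. The function names, the scratch tree, its timestamps and the list file are constructed; building the real list from the install sets (for instance with `tar tzf`) is an assumption about how you would produce it.

```shell
#!/bin/sh
# Added example, not code from the thread. Names, tree and timestamps are
# constructed. Paths are handled line by line, so file names containing
# newlines are not supported.

# stale_candidates ROOT REF LIST
#   ROOT  directory to scan (stays on one filesystem: -xdev)
#   REF   file whose mtime marks the release; files newer than it are skipped
#   LIST  text file of paths shipped by the release, one per line, in the
#         "./usr/bin/ls" form relative to ROOT
# Prints files that are not newer than REF and are absent from LIST.
stale_candidates() {
    root=$1 ref=$2 list=$3
    case $ref in
        /*) ;;
        *) ref=$PWD/$ref ;;        # find runs after cd, so make REF absolute
    esac
    tmp=$(mktemp) || return 1
    LC_ALL=C sort -u "$list" > "$tmp"
    (cd "$root" && find . -xdev -type f ! -newer "$ref") \
        | LC_ALL=C sort \
        | LC_ALL=C comm -23 - "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed scratch tree standing in for an upgraded system.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/root/usr/lib/gcc-lib/old" "$t/root/usr/bin"
    # Left over from an earlier release: old and not in the release list.
    : > "$t/root/usr/lib/gcc-lib/old/specs"
    touch -t 200411010000 "$t/root/usr/lib/gcc-lib/old/specs"
    # Shipped by the current release: older than REF but present in the list.
    : > "$t/root/usr/bin/ls"
    touch -t 200509100000 "$t/root/usr/bin/ls"
    # Added locally after the upgrade: newer than REF.
    : > "$t/root/usr/bin/newtool"
    touch -t 200601010000 "$t/root/usr/bin/newtool"
    # Reference timestamp and release file list.
    : > "$t/ref"
    touch -t 200511010000 "$t/ref"
    printf '%s\n' './usr/bin/ls' > "$t/sets.list"
    printf '%s\n' "$t"
}

demo() {
    t=$(make_demo_tree) || return 1
    echo "review before removing anything:"
    stale_candidates "$t/root" "$t/ref" "$t/sets.list"
    rm -rf "$t"
}
demo
```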
Re: Why Perl (a request to the developer sof the Ports-System)
On 12/2/05, Jimmy Scott [EMAIL PROTECTED] wrote: On Fri, Dec 02, 2005 at 06:14:18PM +0100, Sebastian Rother wrote: I scripted with pdksh all the time long for now. Now I'm interested into learning another Scripting-Language. I can't decide between Perl and Python. Perl has a lot modules but it's GPLed. Python on the other hand is under a BSD-compatible License and has less modules. http://www.perl.com/download.csp#srclic It is NOT gpl'ed. According to this: http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/perl/README?rev=1.8content-type=text/x-cvsweb-markup it is GPL'd. I would like to know some facts why Perl is in the base system on a BSD even Python is a BSD-licensed alternative. Does it have some advantages I don't know? I read a lot papers about both languages. Also CS-related Papers but I can't decide. I advise to try both, Python is nice in its syntax and it's harder to misuse, I mean, there are a LOT of Perl programmers out there that do their best to make their program unreadable, to say it softly. The downside about Perl (in my opinion) is the whole you can do it in more than one way and you can do it on a single line spirit. Definitely try both, as no one can really tell you which language is better for your situation except...you. And if you try both, you'll definitely learn more than if you only tried one. There are always downsides and upsides to any language, and the best way to judge which fits your situation the most is just to dive in and get dirty. snip Jason
Re: Why Perl (a request to the developer sof the Ports-System)
On 12/2/05, Miod Vallat [EMAIL PROTECTED] wrote: http://www.perl.com/download.csp#srclic It is NOT gpl'ed. According to this: http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/perl/README?rev=1.8content-type=text/x-cvsweb-markup it is GPL'd. According to this very same file, it is not. It is dual-licensed, which is VERY different from being GPL only. I didn't say GPL ONLY, I was just pointing out that it's wrong to say it's GPL'd. And the fact that it's in the gnu directory of OpenBSD would suggest to people that OpenBSD seems to choose the GPL license for distributing perl. Jason
Re: cvsup of OpenBSD-src is old
On 12/1/05, Jeremy C. Reed [EMAIL PROTECTED] wrote: I am trying to get the latest OpenBSD HEAD (-current) of the CVS repository (RCS ,v files) using cvsup. But it is old. My retrieved CVSROOT/ChangeLog goes up to 2005/05/03 23:12:53 CVSROOT/config and CVSROOT/options has: tag=OpenBSD umask=002 dlimit=49152 Have tried cvsup.jp.OpenBSD.org and cvsup.de.openbsd.org. cvsup config is: *default host=cvsup.de.openbsd.org *default base=/usr *default prefix=/archive/OpenBSD-CVS *default release=cvs *default delete use-rel-suffix *default compress #OpenBSD-all OpenBSD-src Unless I'm mistaken, OpenBSD-src means the actual source code, not the CVS repository. You want to use OpenBSD-all which will mirror the CVS repository (the whole thing, not just src). #OpenBSD-www #OpenBSD-ports #OpenBSD-x11 #OpenBSD-xf4 How or where can I get the latest? I have looked at http://www.openbsd.org/cvsup.html and a few examples and docs from the mirrors. Note that I am not using the OpenBSD-provided cvsup client. I am not doing this on OpenBSD. Please carbon-copy me on replies. Once you change OpenBSD-src to OpenBSD-all, it should work just fine (but get the 2.5GB CVS repository as a whole). jason
Re: cvsup of OpenBSD-src is old
On 12/1/05, Jason Crawford [EMAIL PROTECTED] wrote: On 12/1/05, Jeremy C. Reed [EMAIL PROTECTED] wrote: I am trying to get the latest OpenBSD HEAD (-current) of the CVS repository (RCS ,v files) using cvsup. But it is old. My retrieved CVSROOT/ChangeLog goes up to 2005/05/03 23:12:53 CVSROOT/config and CVSROOT/options has: tag=OpenBSD umask=002 dlimit=49152 Have tried cvsup.jp.OpenBSD.org and cvsup.de.openbsd.org. cvsup config is: *default host=cvsup.de.openbsd.org *default base=/usr *default prefix=/archive/OpenBSD-CVS *default release=cvs *default delete use-rel-suffix *default compress #OpenBSD-all OpenBSD-src Unless I'm mistaken, OpenBSD-src means the actual source code, not the CVS repository. You want to use OpenBSD-all which will mirror the CVS repository (the whole thing, not just src). Oops, I am mistaken, silly little tag keyword changes quite a bit. I guess it's been a while since I've used anything other than OpenBSD-all with cvsup #OpenBSD-www #OpenBSD-ports #OpenBSD-x11 #OpenBSD-xf4 How or where can I get the latest? I have looked at http://www.openbsd.org/cvsup.html and a few examples and docs from the mirrors. Note that I am not using the OpenBSD-provided cvsup client. I am not doing this on OpenBSD. Please carbon-copy me on replies. Once you change OpenBSD-src to OpenBSD-all, it should work just fine (but get the 2.5GB CVS repository as a whole). jason
Re: Telnet daemon retired in 3.8 ?
telnetd was completely removed from the source tree around the end of May, soon after 3.7 was released. As far as an alternative, why does sshd not work? There are ssh daemons for almost all other operating systems, unless maybe you're using OpenVMS or Plan9 (although I think there is at least one for those as well, just not OpenSSH). On 11/7/05, Matthew S Elmore [EMAIL PROTECTED] wrote: I cannot appear to locate a telnet daemon in 3.8 installs now. It appears to have silently disappeared between 3.7 and 3.8. I see no mention of this in the release notes or after a cursory search of the mailing lists. It's possible it is mentioned somewhere and I am missing it. I understand the advantages of ssh over telnet, but telnet is still heavily used in many environments. Is it merely hiding somewhere or can someone recommend an alternative for me? Regards, Matt
Re: Telnet daemon retired in 3.8 ?
Well, the parent poster asked for an alternative, so I said sshd. If he wanted telnetd, then he wouldn't ask for an alternative, very simple. And you act as if I had anything to do with telnetd being removed. I have nothing to do about anything OpenBSD does, short of maybe helping to fix a bug or two I might happen to find. You don't like telnetd being gone, use another OS or just use an alternative, like the parent poster asked about in his first email (sshd). On 11/7/05, Ioan Nemes [EMAIL PROTECTED] wrote: It in not the question of sshd works or, not! In large environments, where you have a large number of legacy hardware (like Apollo 700, HP 3000, HP 7000, Solaris 2.5.1 etc., etc.), and the purpose of a UNIX box is other than to run a firewall, a webserver, mail-server, or MySQL, plus you have thousand + users, and clients (internal/external on different client platforms), yes it is bad not have telnetd running. Matthew is quite right, telnet is live and will be for very long time. It was a bad choice to be removed from the source tree. You reduce your options. Above, I am not arguing pro/contra telnetd, or sshd! Ioan Jason Crawford [EMAIL PROTECTED] 08/11/2005 11:55:55 am telnetd was completely removed from the source tree around the end of may, soon after 3.7 was released. As far as an alternative, why does sshd not work? There are ssh daemons for almost all other operating systems, unless maybe you're using OpenVMS or Plan9 (although I think there is at least one for those as well, just not OpenSSH). On 11/7/05, Matthew S Elmore [EMAIL PROTECTED] wrote: I cannot appear to locate a telnet daemon in 3.8 installs now. It appears to have silently disappeared between 3.7 and 3.8. I see no mention of this in the release notes or after a cursory search of the mailing lists. It's possible it is mentioned somewhere and I am missing it. I understand the advantages of ssh over telnet, but telnet is still heavily used in many environments. 
Is it merely hiding somewhere or can someone recommend an alternative for me? Regards, Matt
Re: pf and altq group interface ...
Unless things have changed since I last asked this same question, interface groups don't work in altq. Next time search the archives. Jason On 10/10/05, Karl-Heinz Wild [EMAIL PROTECTED] wrote: maybe i've missed something. ifconfig rl0 group wan_if pf.conf: - altq on wan_if cbq bandwidth 100Mb queue { http ssh } produce an error when loading the ruleset. but every other rules like - pass in on wan_if proto tcp to port ssh keep state queue ssh will be accepted. isn't that a bit confusing? Karl-Heinz
Re: 3.6 - 3.7 make build problem
I ran into the same issue myself, as I have a server with the aac raid card, and no way to upgrade from 3.6 to 3.7 (I'm running 3.8-release on it now). Reading the archives and various upgrade faq's on OpenBSD's website, I found a method that worked for me, but no guarantees for anyone else. First, I made sure my 3.6 source was fully up to date with the OPENBSD_3_6 tag, then I compiled gcc3 from the openbsd 3.6 sources, which involved me changing around the bsd.own.mk file in /usr/share/mk to remove i386 from the list of gcc2 archs. You run through the new compiler faq, which is compiling gcc3 twice, first to get a workable gcc3 compiler from gcc2, then to recompile gcc3 with gcc3 you just did. Next I ran through the entire make build in 3.6 using the gcc3 compile, the change to bsd.own.mk automatically makes it compile the right version of everything to use the gcc3 compiler. It failed for me on texinfo (or something in the gnu directory), but I just ran through the rest of the make build process by hand. Then I installed all the binaries, having to do the parts after gnu by hand since the one app failed, so now I was running 3.6 with gcc3 binaries. Next I moved /usr/src to /usr/src.old and grabbed OpenBSD 3.7 source into /usr/src (also move /usr/obj to /usr/obj.old and a new /usr/obj for 3.7 source). Then I compiled the new gcc3 compiler in 3.7 (later version) twice like the faq says for new compilers, and then compiled the 3.7 kernel with aac support, rebooted, and recompiled my system. One part that I was unclear about was whether I tried to recompile some parts of 3.7 before rebooting into the kernel, or whether i rebooted into the kernel before compiling the system, which could make a big difference. I can do some more research if you wish, but again this is a completely unsupported method of upgrade, and I don't guarantee that this will work for anyone other than myself. 
The process of upgrading source from 3.7 to 3.8 was much easier than 3.6 to 3.7, mostly because there wasn't a huge compiler change. On 9/29/05, eric [EMAIL PROTECTED] wrote: [ Note: I don't like doing this. I would rather use a snapshot and ] [ just get -current, but I have the Adaptec bullshit on this machine ] [ and need a kernel that support aac(4). ] I'm going from 3.6 to 3.7, and just trying to get the fscking adaptec controller working. Following information found in release(8), I wind up with this: 1. Reboot new GENERIC.MP kernel. Works fine. 2. Clean up /usr/obj/* 3. I have to upgrade my compiler. # gcc -v Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd3.6/2.95.3/specs gcc version 2.95.3 20010125 (prerelease, propolice) Alas, /usr/obj/gnu/egcs/gcc/ isn't found on this machine. Do I need to rebuild all my 3.6-STABLE sources first? Then upgrade the 2.x compile, then move to 3.x? If I follow instructions in the FAQ and try and compile gcc 3.x, I get this far. # rm -r /usr/obj/gnu/usr.bin/gcc/* # cd /usr/src/gnu/usr.bin/gcc # make -f Makefile.bsd-wrapper clean # make -f Makefile.bsd-wrapper obj # make -f Makefile.bsd-wrapper depend # make -f Makefile.bsd-wrapper [snip] /usr/src/gnu/usr.bin/gcc/gcc/unwind-dw2-fde-glibc.c:139: error: `PT_LOOS' undeclared (first use in this function) /usr/src/gnu/usr.bin/gcc/gcc/unwind-dw2-fde-glibc.c:139: error: (Each undeclared identifier is reported only once /usr/src/gnu/usr.bin/gcc/gcc/unwind-dw2-fde-glibc.c:139: error: for each function it appears in.) /usr/src/gnu/usr.bin/gcc/gcc/unwind-dw2-fde-glibc.c: In function `_Unwind_Find_FDE': /usr/src/gnu/usr.bin/gcc/gcc/unwind-dw2-fde-glibc.c:283: warning: implicit declaration of function `dl_iterate_phdr' *** Error code 1 Stop in /usr/src/gnu/usr.bin/gcc/obj (line 208 of libgcc.mk). *** Error code 1 Stop in /usr/src/gnu/usr.bin/gcc/obj (line 2160 of Makefile). *** Error code 1 Stop in /usr/src/gnu/usr.bin/gcc (line 84 of /usr/src/gnu/usr.bin/gcc/Makefile.bsd-wrapper). 
# Thanks for hitting me with a cluestick. MANTRA: don't buy adaptec. don't buy adaptec. don't buy adaptec.
Re: 3.6 - 3.7 make build problem
Well the compiler issue was pretty simple for me, follow the compiler upgrade faq here: http://www.openbsd.org/faq/faq5.html#NewCompiler But make sure you first compile gcc 3 from 3.6 source code (by adding i386 to the gcc3 list in bsd.own.mk file in /usr/share/mk) and then recompile 3.6 source code completely. Then recompile the gcc 3 compiler using 3.7 source code, and recompile the 3.7 source from there (3.7 uses gcc 3 by default for i386). This following thread from April helped me out as well: http://marc.theaimsgroup.com/?t=11141833565r=1w=2 On 9/29/05, eric [EMAIL PROTECTED] wrote: On Thu, 2005-09-29 at 13:40:36 -0400, Jason Crawford proclaimed... I ran into the same issue myself, as I have a server with the aac raid card, and no way to upgrade from 3.6 to 3.7 (I'm running 3.8-release on it now). Reading the archives and various upgrade faq's on OpenBSD's website, I found a method that worked for me, but no guarantees for anyone else. First, I made sure my 3.6 source was fully up to date with the OPENBSD_3_6 tag, then I compiled gcc3 from the openbsd 3.6 sources, which involved me changing around the bsd.own.mk file in /usr/share/mk to remove i386 from the list of gcc2 archs. You run through the new compiler faq, which is compiling gcc3 twice, first to get a workable gcc3 compiler from gcc2, then to recompile gcc3 with gcc3 you just did. Next I ran through the entire make build in 3.6 using the gcc3 compile, the change to bsd.own.mk automatically makes it compile the right version of everything to use the gcc3 compiler. It failed for me on texinfo (or something in the gnu directory), but I just ran through the rest of the make build process by hand. Then I installed all the binaries, having to do the parts after gnu by hand since the one app failed, so now I was running 3.6 with gcc3 binaries. Next I moved /usr/src to /usr/src.old and grabbed OpenBSD 3.7 source into /usr/src (also move /usr/obj to /usr/obj.old and a new /usr/obj for 3.7 source). 
Then I compiled the new gcc3 compiler in 3.7 (later version) twice like the faq says for new compilers, and then compiled the 3.7 kernel with aac support, rebooted, and recompiled my system. One part that I was unclear about was whether I tried to recompile some parts of 3.7 before rebooting into the kernel, or whether i rebooted into the kernel before compiling the system, which could make a big difference. I can do some more research if you wish, but again this is a completely unsupported method of upgrade, and I don't guarantee that this will work for anyone other than myself. The process of upgrading source from 3.7 to 3.8 was much easier than 3.6 to 3.7, mostly because there wasn't a huge compiler change. If you can let me know if there was anything else I'd appreciate it. I just need to get over the compiler hump. No support is expected, by the way. Thanks a bunch. - Eric
Re: question about OPENBSD_3_8_BASE
I believe this has been discussed many times on the list, however here is a basic rundown:

OPENBSD_X_Y_BASE is the code that appears on the CD, it's a sticky tag of the release code that doesn't change.

OPENBSD_X_Y is the stable branch that is based off of the previous tag, and is mostly just security and reliability fixes, and not program upgrades (except openssh). This branch is maintained until 1 month after the 2nd release after the X.Y release.

If you want the code from the CD, use OPENBSD_X_Y_BASE, if you want the stable code for X.Y release, with security/reliability fixes, use OPENBSD_X_Y. Please search the archives/read the website for more info.

Jason

On 9/28/05, Didier Wiroth [EMAIL PROTECTED] wrote: Hi, I have a few questions regarding TAGs, especially for a new ones. When a X_Y_BASE TAG is issued for example OPENBSD_3_8_BASE, does that mean the sources are not changing anymore or are there still changes? How do you know when the code is fixed and will be the same as on the cd. When the code doesn't change anymore, is it published on a specific mailing list or is it possible to use a cvs command (I'm not very familiar with cvs actually) to find out? Many thx Didier
Re: Dell PowerEdge 2650
On 9/20/05, John Brahy [EMAIL PROTECTED] wrote:

I've got two poweredge 2650's w/ PERC 3/di raid cards and I've tried OpenBSD 3.7, 3.6 and 3.5. I've found that the aac in 3.7 is completely unstable, the aac in 3.6 would have problems after an hour or so of heavy use. BUT, 3.5 seems to be stable but now I'm stuck on a version of an os that is about to become unsupported.

aac support in 3.8 seems to be much better than 3.7 in my experience, however I still suggest better hardware if possible.

I think the only long term solution is to change hardware. I have been considering Sun's trade in offer. I haven't found it on Sun's site but it is mentioned here (http://www.theinquirer.net/?article=26143) I have a friend that's a Sun dealer www.acsacs.com and they said they honor it. I don't believe they sell online. Does anyone know if OpenBSD likes this hardware? It's really Adaptec's fault. Those fuckers won't give up the source so the OpenBSD developers can't provide a good driver for their hardware. My company will not purchase any more servers from Dell as long as they continue to use Adaptec cards.

First off, we never asked for source from adaptec, we were only asking for documentation to make the driver more stable, and write management utilities. However they only provide documentation if you sign an NDA, which is unacceptable for any free software. Second, all the PERC4 cards Dell uses are no longer Adaptec, but LSI Logic (unless they've changed again recently), which is fully supported in OpenBSD, including completely open management utilities.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jan Johansson Sent: Tuesday, September 20, 2005 8:14 AM To: Ryan Rothert Cc: misc@openbsd.org Subject: Re: Dell PowerEdge 2650

Ryan Rothert [EMAIL PROTECTED] wrote:

3.6 will install on it. I believe the aac driver still exists but is disabled by default. You could install 3.6, recompile the kernel with aac support enabled then upgrade.
This is bad advice. The aac driver was disabled because it was broken and could not be fixed because there was no documentation. Using aac is like playing Russian Roulette with your data.
Re: Crash in recent snapshot of current.
On 8/25/05, Jason Crawford [EMAIL PROTECTED] wrote: On 8/25/05, Jason Crawford [EMAIL PROTECTED] wrote:

I updated my cvs tree today, and recompiled GENERIC with today's source, and now the system crashes on boot, telling me that it cannot read the disk label, but a GENERIC from two days ago can read the disk label just fine. Here is the working dmesg from GENERIC of two days ago, and dmesg from GENERIC from today with the trace and ps output. Any other information that's needed, please ask, I'm not sure what else to include, but this stuff is always asked for. snip dmesgs

A little more info, as I downloaded the August 24 snapshot, to see if my source tree had somehow gotten corrupted. I got an error message while in the bsd.rd kernel, that both fdisk and disklabel reported: DIOCGDINFO: Input/output error I'm not sure what that means exactly, but I'm sure that info would help in figuring out the problem.

Even more information, I found the exact code that causes the crash. It is whatever code that was committed between revision 1.86 and 1.87 of sd.c inside /usr/src/sys/scsi that is the culprit. I compiled the most recent kernel except sd.c being revision 1.86, and it works. I changed sd.c to revision 1.87 and the system crashes with the error message reported in my first mail. I really hope that there is a developer out there who will figure out why this is causing the crash, because I can't see an obvious reason from the code. Here is the exact diff for r1.86 to r1.87:

Index: sd.c === RCS file: /cvs/src/sys/scsi/sd.c,v retrieving revision 1.86 retrieving revision 1.87 diff -u -r1.86 -r1.87 --- sd.c21 Aug 2005 16:25:52 - 1.86 +++ sd.c23 Aug 2005 23:31:04 - 1.87 @@ -1,4 +1,4 @@ -/* $OpenBSD: sd.c,v 1.86 2005/08/21 16:25:52 krw Exp $ */ +/* $OpenBSD: sd.c,v 1.87 2005/08/23 23:31:04 krw Exp $ */ /* $NetBSD: sd.c,v 1.111 1997/04/02 02:29:41 mycroft Exp $ */ /*- 
@@ -216,10 +216,9 @@ scsi_autoconf | SCSI_IGNORE_ILLEGAL_REQUEST | SCSI_IGNORE_MEDIA_CHANGE | SCSI_SILENT); - /* Try to start the unit if it wasn't ready. */ - if (error == EIO) - error = scsi_start(sc_link, SSS_START, - SCSI_IGNORE_ILLEGAL_REQUEST | SCSI_IGNORE_MEDIA_CHANGE); + /* Spin up the unit ready or not. */ + error = scsi_start(sc_link, SSS_START, scsi_autoconf | SCSI_SILENT | + SCSI_IGNORE_ILLEGAL_REQUEST | SCSI_IGNORE_MEDIA_CHANGE); if (error) result = SDGP_RESULT_OFFLINE; @@ -386,11 +385,10 @@ (part == RAW_PART fmt == S_IFCHR) ? SCSI_SILENT : 0 | SCSI_IGNORE_ILLEGAL_REQUEST | SCSI_IGNORE_MEDIA_CHANGE); - /* Try to start the unit if it wasn't ready. */ - if (error == EIO) - error = scsi_start(sc_link, SSS_START, - SCSI_IGNORE_ILLEGAL_REQUEST | - SCSI_IGNORE_MEDIA_CHANGE); + /* Spin up the unit, ready or not. */ + error = scsi_start(sc_link, SSS_START, + (part == RAW_PART fmt == S_IFCHR) ? SCSI_SILENT : 0 | + SCSI_IGNORE_ILLEGAL_REQUEST | SCSI_IGNORE_MEDIA_CHANGE); if (error) { if (part == RAW_PART fmt == S_IFCHR) {
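Review bot: In the @@ -216 hunk the new unconditional `error = scsi_start(...)` overwrites the result of the preceding call, so any failure of the start command now sets `result = SDGP_RESULT_OFFLINE`, including on a unit that did not need starting. The removed code only issued the start when `error == EIO`. If spinning up unconditionally is intended, keep the earlier result and treat a failed start as fatal only when the unit was not already ready; that is also the first thing to check against the "cannot read the disk label" regression reported for r1.87 in this message.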
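Review bot: In the @@ -386 hunk the flags argument of the added scsi_start() call is written as `(...) ? SCSI_SILENT : 0 | SCSI_IGNORE_ILLEGAL_REQUEST | SCSI_IGNORE_MEDIA_CHANGE`, and `?:` binds more loosely than `|`, so when the condition is true only SCSI_SILENT is passed and both IGNORE flags are dropped. Parenthesise the conditional, `((...) ? SCSI_SILENT : 0) | SCSI_IGNORE_ILLEGAL_REQUEST | SCSI_IGNORE_MEDIA_CHANGE`, and make the same change in the context line just above it, which carries the same expression.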
Re: How to configure bind to work under OpenBSD 3.7
Put: named_flags= in /etc/rc.conf.local and bind will work. Edit files in /var/named/ directory to suit your needs as well, but the above line in /etc/rc.conf.local will start named on boot, and it will just work. Read /etc/rc.conf to see how to start other daemons, but put changes into /etc/rc.conf.local

Jason

On 8/25/05, Joco Salvatti [EMAIL PROTECTED] wrote:

HI all, I'd like to know where I could find information about how to configure bind to work under OpenBSD 3.7. I've already made a search in the net, but the available documents are vacant. I've already looked at FAQ files, but I also couldn't find a thing. Thanks.

-- Joco Salvatti Undergraduating in Computer Science Federal University of Para - UFPA web: http://salvatti.expert.com.br e-mail: [EMAIL PROTECTED]
Crash in recent snapshot of current.
I updated my cvs tree today, and recompiled GENERIC with today's source, and now the system crashes on boot, telling me that it cannot read the disk label, but a GENERIC from two days ago can read the disk label just fine. Here is the working dmesg from GENERIC of two days ago, and dmesg from GENERIC from today with the trace and ps output. Any other information that's needed, please ask, I'm not sure what else to include, but this stuff is always asked for.
Re: /usr/share/pf/ suggestion
On 8/24/05, Bryan Irvine [EMAIL PROTECTED] wrote:

I personally like to 'pass keep state' with a 'scrub all' rule. This at least gives me some interesting statistics to poke at when I'm bored. Plus, I can firewall who gets to ssh into my machine. Another good use is {max-src-states ##} for webservers and the like. I have a webserver that would crash at 9am every morning when a few bots (2 in particular) would crawl the site. They are poorly configured and open roughly 120 simultaneous connections. They were very low bandwidth, but there went all available connections. To quote Theo it's Horse-shit to say you don't need to filter single hosts.

I left out a lot of my reasoning for feeling the way I do in my first mail about not needing a packet filter on single hosts, and it's more a personal preference, not telling everyone that you're all idiots for wanting to. If your web server crashes because it has 240 connections open (I'm assuming 120 per bot) then there seems to be something else wrong with it, and shouldn't be ignored by just throwing up pf. It was more that for me, if I throw up pf to protect a single host, I tend to get lazy in the administration of it, and start ignoring things that should really be looked at (like applications opening up random ports, in reference to an earlier KDE post). I really don't think that a desktop environment should be opening up anything at all, and so I'd rather just not run it instead of run a desktop environment that I have no idea what it's doing on the network.

If anyone is interested any further as to why I feel the way I do, email me privately, since this is getting way off topic and doesn't belong on the openbsd-misc mailing list anyways.

Jason
Re: /usr/share/pf/ suggestion
On 8/23/05, Will H. Backman [EMAIL PROTECTED] wrote:

-Original Message- From: j knight [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 23, 2005 4:47 PM To: Will H. Backman Subject: Re: /usr/share/pf/ suggestion

--- Quoting Will H. Backman on 2005/08/23 at 14:59 -0400:

Would it be useful to add an example pf rule set for just a simple host? All of the examples assume a router.

This would be more useful in the faq. Please send what you've written. :-)

.joel

# pf rules for a stand alone machine.
#Change external interface to match yours
ext_if=xl0
scrub in all
block in all
pass out keep state
pass quick on lo all

First off, it should be, set skip on lo0 (or lo, but by default there's only one lo interface anyways). Secondly, it seems pretty pointless to setup pf on a single host. Instead of worrying about the firewall, which takes up more memory and cpu and all that, just shut off services that you don't need and be done with it. If the attacker can hurt your OpenBSD machine, then your firewall is vulnerable as well, and it won't protect any applications that need open ports listening. Turning off services is always much better than turning on services (pf) if you need protection. And the way OpenBSD is setup by default, nothing is listening except a couple inetd services (which I always turn off), and sshd if you said y in install, that's it.

Jason
Re: /usr/share/pf/ suggestion
On 8/23/05, Stuart Henderson [EMAIL PROTECTED] wrote:

--On 23 August 2005 17:25 -0400, Jason Crawford wrote:

Secondly, it seems pretty pointless to setup pf on a single host.

It has its uses - spamd, for one...

Which is already covered in the spamd man page and doesn't need another entry in the FAQ.
Re: /usr/share/pf/ suggestion
On 8/23/05, Theo de Raadt [EMAIL PROTECTED] wrote:

Secondly, it seems pretty pointless to setup pf on a single host.

That is the most ridiculous thing I've heard all day. Lots of people run servers and must block them, on the same machine. Probably every single one of us.

I'm not sure I understand what you mean. If you're going to run a server, what's the point of blocking it? Might as well turn it off.

Instead of worrying about the firewall, which takes up more memory and cpu and all that, just shut off services that you don't need and be done with it. If the attacker can hurt your OpenBSD machine, then your firewall is vulnerable as well, and it won't protect any applications that need open ports listening. Turning off services is always much better than turning on services (pf) if you need protection. And the way OpenBSD is setup by default, nothing is listening except a couple inetd services (which I always turn off), and sshd if you said y in install, that's it.

Anyone who says I only need to block packets in my firewall has got it all wrong.

I never said that. PF isn't the only way to block packets, like TCP wrappers or ACL's within the server itself. It seems that adding another layer to the mix takes up more CPU and RAM than needed, since most servers have some sort of ACL list for acceptable hosts, and tcp wrappers does a good job too.

Jason
Re: /usr/share/pf/ suggestion
On 8/23/05, Theo de Raadt [EMAIL PROTECTED] wrote:

That is the most ridiculous thing I've heard all day. Lots of people run servers and must block them, on the same machine. Probably every single one of us.

I'm not sure I understand what you mean. If you're going to run a server, what's the point of blocking it? Might as well turn it off.

My laptops filter port 6000 and up, thank you very much. I will not stop running X. You must just plain not understand what you are saying. Your statements are beyond ridiculous. You are saying If you need to filter it, you should not be running it.

X doesn't have to listen on TCP 6000, you can setup a unix socket, and it's no longer reachable from the network, and you still have full functionality (I know, I do just that). There's more than one way to do anything. If something needs to only be locally accessible, only have it listen locally, or use unix sockets instead of tcp/udp sockets completely.

Jason
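Both sides of this thread depend on knowing what is actually reachable from the network: a service bound only to loopback needs no filter rule, a wildcard-bound one does (or should be turned off). The following is an added example, not part of any post in the thread: a shell function that reads BSD-style `netstat -an` output and lists the sockets bound to non-loopback addresses. The sample input is constructed, and treating TCP 6000-6063 as the X11 display range is an assumption of this example.

```shell
#!/bin/sh
# Constructed sample in the layout of BSD `netstat -an`
# (local address printed as address.port, separated by the last dot).
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  192.0.2.10.22          198.51.100.7.51514     ESTABLISHED
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  127.0.0.1.587          *.*                    LISTEN
tcp          0      0  *.6000                 *.*                    LISTEN
tcp          0      0  192.0.2.10.80          *.*                    LISTEN
tcp6         0      0  ::1.587                *.*                    LISTEN
tcp6         0      0  *.22                   *.*                    LISTEN
udp          0      0  *.514                  *.*
udp          0      0  127.0.0.1.123          *.*
EOF
}

# network_listeners: read `netstat -an` text on stdin and print
# "proto address port" for every listening TCP socket and every
# unconnected UDP socket that is NOT bound to loopback.
network_listeners() {
    awk '
    $1 !~ /^(tcp|udp)/             { next }  # banner, column header, other families
    $1 ~ /^tcp/ && $NF != "LISTEN" { next }  # TCP: keep listening sockets only
    $1 ~ /^udp/ && $5 != "*.*"     { next }  # UDP: keep unconnected sockets only
    {
        la = $4
        if (!match(la, /\.[^.]*$/)) next     # no port separator: skip the line
        addr = substr(la, 1, RSTART - 1)     # "*" means bound to every address
        port = substr(la, RSTART + 1)
        if (addr == "::1" || addr ~ /^127\./) next   # loopback only: not exposed
        print $1, addr, port
    }'
}

# x11_tcp_exposed: succeed (exit 0) if an X server TCP port is reachable
# from the network. 6000-6063 is this example's assumed display range.
x11_tcp_exposed() {
    network_listeners |
        awk '$1 ~ /^tcp/ && $3 >= 6000 && $3 <= 6063 { found = 1 }
             END { exit !found }'
}

# Demo on the constructed sample; on a live host use: netstat -an | network_listeners
sample_netstat | network_listeners
if sample_netstat | x11_tcp_exposed; then
    echo "X11 is listening on TCP: bind it to a unix socket or filter it"
fi
```

Every line the first function prints is a service that either needs a filter rule or should be reconfigured to listen locally; an empty result is the situation described in the last message above.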
Re: How to patch a physically weak system recommended use of sudo?
On 8/18/05, Tim [EMAIL PROTECTED] wrote:

Hello

1. I have an old computer that is slow and has little memory. But I want to keep it updated with patches. I can't compile these patches on the system but I could do it on another faster system. But how can I later apply the compiled patches to the weak system?

I would suggest getting a fast machine to build whatever version of OpenBSD you're running, then make a release(8) of that version. I implement this in any networks I run multiple OpenBSD installations and it works quite well. After I build the release, I then put it on an ftp server and I can mass upgrade/install OpenBSD machines in a very short period of time.

2. A lot of you seem to use sudo instead of su - when you want to do something that requires privileges. Why is this? What settings are you using for sudo?

This has been discussed a lot in the past, and I'm sure you can find plenty in the archives about it. I know I could ramble on and on about the advantages and disadvantages of both su and sudo, it's more a matter of which tool you feel most comfortable with, know best, and the type of usage and administration the system in question requires.

Jason
Re: How to patch a physically weak system recommended use of sudo?
On 8/18/05, Scott Plumlee [EMAIL PROTECTED] wrote: Nick Holland wrote: Tim wrote:

Hello

1. I have an old computer that is slow and has little memory. But I want to keep it updated with patches. I can't compile these patches on the system but I could do it on another faster system. But how can I later apply the compiled patches to the weak system?

In addition to the previously mentioned release(8) process (also documented here: http://www.openbsd.org/faq/faq5.html#Release), there is another thing you could do: run snapshots. They will have all the security and reliability updates (before they are in -stable, in fact), but also feature updates.

2. A lot of you seem to use sudo instead of su - when you want to do something that requires privileges. Why is this? What settings are you using for sudo?

Took me a while to get interested in sudo, which is unfortunate. Way cool program. When I set up an OpenBSD system, one of the first things I do is create a personal user for myself, put myself in the wheel group, configure sudo to let wheel users do anything, log in as that user, and disable root logins. Completely disable. This does a few things...

Is your preferred method for doing so to remove the root user, or set the shell to nologin, or something else? I like the idea, but I'd rather not shoot myself in the foot doing it.

Disabling root locally is extremely dangerous in my opinion. Just disable any remote root logins, but keep root locally accessible. If the attacker has local access, not being able to login as root doesn't do much.

Jason
interface groups and altq
Do interface groups support altq? It would appear that they do not, but I might have a borked kernel/pfctl utility, so wanted to ask the list to make sure. When I try to put altq on an interface group, I get the following when parsing my pf.conf:

$ sudo pfctl -f /etc/pf.conf -n
pfctl: SIOCGIFDATA: Device not configured
$

However if I change the altq line to use the actual interface, it works:

$ sudo pfctl -f /etc/pf.conf -n
$

here is my pf.conf and dmesg, although the simple answer will probably be either, yes or no.

### MACROS ###
ext_if=egress
int_if=intnet
ext_ip=( $ext_if )
int_ip=( $int_if )
kyle=172.17.101.7/32
terrance=172.17.101.1/32
kenny=192.168.17.5/32
tweak=192.168.17.62/32
craig=192.168.17.61/32
wendy=192.168.17.60/32
table high_hosts { $kyle, $kenny }
table low_hosts { $tweak, $craig, $wendy }
ext_net=$ext_if:network
int_net=$int_if:network
unpriv== 1024

### OPTIONS ###
set limit states 2
set optimization aggressive
set block-policy drop
set skip on lo0

### TRAFFIC NORMALIZATION ###
scrub in all no-df random-id fragment reassemble

### QUEUEING ###
# external interface queue list
#altq on $ext_if priq queue { std_ext, high_ext, low_ext }
#queue std_ext on $ext_if priq( default, red )
#queue high_ext on $ext_if priority 10 priq( red )
#queue low_ext on $ext_if priority 0 priq( red )
# internal interface queue list
altq on le2 priq queue { std_int, high_int, low_int }
queue std_int on le2 priq( default, red )
queue high_int on le2 priority 10 priq( red )
queue low_int on le2 priority 0 priq( red )

### TRANSLATION ###

### PACKET FILTERING ###
block in log all
block out log all
pass in quick on $ext_if inet proto tcp from high_hosts port $unpriv to $ext_ip port ssh flags S/FSRPA modulate state queue high_ext
pass in quick on $ext_if inet proto tcp from low_hosts port $unpriv to $ext_ip port ssh flags S/FSRPA modulate state queue low_ext
pass in quick on $ext_if inet proto tcp from any port $unpriv to $ext_ip port ssh flags S/FSRPA modulate state queue
std_ext
pass in quick on $int_if inet proto tcp from high_hosts port $unpriv to $int_ip port ssh flags S/FSRPA modulate state queue high_int
pass in quick on $int_if inet proto tcp from low_hosts port $unpriv to $int_ip port ssh flags S/FSRPA modulate state queue low_int
pass out quick on $ext_if inet proto udp from $ext_ip to $kyle port ntp modulate state queue high_ext
pass out quick on $ext_if inet proto udp from $ext_ip to $terrance port domain modulate state queue high_ext
pass out quick on $ext_if inet proto tcp from $ext_ip port $unpriv to anoncvs_hosts port 5999 flags S/FSRPA modulate state queue high_ext
pass out quick on $ext_if inet proto tcp from $ext_ip port $unpriv to any port www flags S/FSRPA modulate state queue std_ext
Re: GMT / BST Question
Well, I know when I set /etc/localtime to /usr/share/zoneinfo/US/Eastern, it automatically compensates for daylight savings time, so I imagine if you set /etc/localtime to /usr/share/zoneinfo/GB it would do the same, unless I'm completely misunderstanding how the time zone files work (or that GB is Great Britain).

Jason

On 8/17/05, Gerald Davies [EMAIL PROTECTED] wrote:

hi all, i've noticed my obsd box hasn't altered its time (BST). I'm linked using: ln -fs /usr/share/zoneinfo/GMT /etc/localtime and i'm using the uk pool of ntp servers. but that's an hour behind. Is there a recommended way to get this to BST (I've noticed the date -dst option and the kernel options, but I've not used them). ideally, i would like it to automatically adjust itself when BST ends, etc. apologies if i've missed something and thanks in advance.

cheers, g
Re: interface groups and altq
On 8/17/05, Henning Brauer [EMAIL PROTECTED] wrote: * Jason Crawford [EMAIL PROTECTED] [2005-08-17 18:47]:

Do interface groups support altq?

in the sense of queuing on interface groups, no, not really.

Is this a work in progress? Planned but after 3.8? Or is this not possible?

Thanks, Jason
Re: hifn crypto acc.
On 7/30/05, Theo de Raadt [EMAIL PROTECTED] wrote:

Hifn has a new crypto card out since may, HIPP 7855 HXL, does anyone know if this is supported? Regards, Fredrik Widlund http://www.hifn.com/products/HIPP7855HXLboard.html

I got tired of talking to hifn. We keep saying make all your docs available, and people will write code. They keep giving the docs only to specific people we mention, after many many emails. The process is mind-numbingly dull. I have no personal interest in helping hifn at all anymore. What we have working right now is fine. If they want to sell future chips, let them open their docs completely. Feel free to forward this mail to them. They keep mailing me, at various levels of their company, but I won't reply to anything more from them except fully open docs.

So what would a good alternative be for crypto accel cards?

Jason
Re: segfaults in OpenBSD 3.7
On 7/28/05, Sharad Birmiwal [EMAIL PROTECTED] wrote:

hi all i'm new to OpenBSD. i've worked on linux but wanted to try OpenBSD for a test firewall and file server that i have to build. i'm using a Pentium-1 (133 Mhz) box with 16 MB ram. i downloaded the iso file and all the packages for version 3.7. during installation, in the last step when it creates the devices in /dev, the process seg faulted. i still continued and tried booting the system and it didn't work.

There is a note somewhere on the OpenBSD website about installing on machines with little ram. Basically, you need to drop to a shell, manually enable swap, then go back to the installation process you were at, and then have it make the device nodes.

so i booted from the CD again and found the MAKEDEV script. i ran './MAKEDEV all' and it segfaulted again. so i manually created all the nodes as './MAKEDEV ramdisk', 'std', 'local' etc. and then the system seemed to work. what could be the reason for this because when i install any package with pkg_add, it always segfaults. could they be related? thing is i'm here now. another problem that has come up is that i had moved this server to a new location (several hundreds of kilometer away) and now the system crashes to a ddb prompt usually within 30 minutes of booting. any ideas? i can make out it's to debug the system? could it be a problem with the ram or hdd? i can't make out anything from the message. the error says there was some problem doing a mov instruction. any advice?? is there something else i should add? thanks sharad birmiwal india

Your problems are all starting from the fact that you have very little ram. To solve pretty much everything, install AT LEAST 32MB ram (I'd go with 96MB or more) and then install from scratch.

Jason
Re: Can't make 3.7-stable release (tries to exceed capacity of /dev/svnd0a?)
On 7/11/05, Chris [EMAIL PROTECTED] wrote: On Mon, 11 Jul 2005, Adam Fabian wrote:

I've tried building an OpenBSD release from the 3.7-stable branch a few times in the last few days, on two different i386 machines, and both stopped in the same place. I'm following release(8) closely and not trying to reuse /usr/obj, and dealing with new, clean, complete, consistent checkouts of the code. The failure comes on step 4, (make and validate the system release) during the make release command in /usr/src/etc. Here's a log of the failure. It seems to be working on RAMDISKC:

Ummm - maybe I don't understand but, how can you make a RELEASE from

You aren't understanding. Read the release(8) manpage, it'll explain. It is fully supported.

STABLE? Isn't STABLE following the patch branch? And RELEASE is just that - what's on the CD? If i'm correct - then you can't do that. If I'm correct, think of it this way: RELEASE = what you buy. STABLE = is what you follow for security patches CURRENT = is what you run as a developer. It's kinda like a Beta of the next RELEASE.

Basically, you take the stable source branch, and build a CD release from that source. the release branch is what's on the cds, but building a release is just making a CD that's like the CD release, but from different sources if you so choose. The problem the OP is having was caused by one of the stable patches to the 3.7 kernel, making it just too big to fit on a floppy, which has been talked about in at least one previous thread.

Jason
Re: Release/version/patch management question
On 7/7/05, Markus Wernig [EMAIL PROTECTED] wrote:

Hello all! After some years of other unices, I finally got a chance to have a go at a very interesting project with openbsd (redundant hot failover ipsec gateway + firewall). Everything works just fine up to now, but when I tried to determine how to further manage (update, patch) the boxes, I stumbled about some questions that neither google nor openbsd.org nor various searchable archives could solve or I was not capable of understanding. Maybe somebody here more literate than me can help me out with some pointers. Systems were installed with 3.7 from /pub/OpenBSD/3.7/i386/floppy37.fs and ftp set files (bsd, bsd.rd, base, etc, comp, misc, man). Then added sys.tar.gz and src.tar.gz to /usr/src. I want to follow the -stable branch.

1) With the above install lots of software came onto my disk that I do not want nor need (named, httpd, inetd ...). How can I get rid of those in a consistent way, since they don't show in pkg_info?

Everything (excluding X) doesn't take up more than 250MB. It's hard to find a drive smaller than 20GB, so I think httpd, named, and inetd really aren't that big of a problem. If they aren't running (they aren't by default) then all they do is take up some disk space, that's it. Leave the base system alone, you'll only screw up a perfectly working system.

2) I assume that the answer to the following question is yes, but I'd like to double-check: Is there really no way to upgrade a single package/program to a recent version in a consistent way?

The packages for the base system are, base37.tgz, etc37.tgz etc... but there is a consistent way to upgrade.

3) At the time I installed the systems, openssl.org was at version 0.98. Openbsd 3.7 still came with openssl 0.97d. What about the various issues/bugs that have been raised against the openssl versions since 0.97d (ASN parsing etc.)? Do I just have to wait for 3.8 to have them fixed or have the fixes been backported and are already included in 3.7-stable? Or were they just not severe enough to be considered for patching? I've cvs up'd and recompiled the whole system just now and openssl remains at 0.97d.

Are there any features in OpenSSL 0.98 that you need that aren't in the one installed on your OpenBSD system? If not, there isn't much point in upgrading. The OpenBSD guys will fix any security problems that are in the version included in OpenBSD 3.7, but the whole point of the stable branch is that it's stable (as in unchanging).

4) Are patched binary packages released if there is a patch to the source? If yes, do those packages carry the same version numbers as the original one or do they have new ones?

The OpenBSD guys don't release official patched binaries, but there are easy ways around that. One method that I do, having so many OpenBSD installations, is have one machine with source code, recompile with the stable patches (http://www.openbsd.org/faq/faq5.html#Bld), then make my own release (http://www.openbsd.org/faq/faq5.html#Release), put it on a local ftp server, and ftp upgrade all my machines at appropriate times, depending on when they can go down.

You see: The openbsd software management concept is rather arcane to me. Would somebody shed a little light for a lost soul? Hints? Pointers? Howtos?

How about read the faq (http://www.openbsd.org/faq/index.html), and start reading the very well written man pages

Jason
Re: DOS Attacks?
Come on, seriously. Do you expect any type of useful help with a plea that consists of:

Things stopped working! Some important network info (which I won't include) didn't seem to show anything wrong! help!

Do YOU think you could help someone that gave you so little information? You even mention a time when it usually happens, but NO logs at all. Seriously, we need more information.

Jason

On 6/30/05, Dave Beckstrom [EMAIL PROTECTED] wrote:
> I've been fighting a problem with my openbsd firewall for a few days now. The system is a 1 ghz Pentium processor with 512 meg of ram. It's running as a transparent bridged firewall doing nothing but packet filtering.
>
> The problem I run into is that it will suddenly stop processing and my internet connection drops. I'll have a ping running against an external site and the firewall might stop processing packets for 2 or 3 minutes and then it starts working again. Then it may run for 20 minutes and stop working for 5 minutes. It may run 8 or 10 hours without any problems and then suddenly it gets flakey for an hour or two where I have to keep rebooting to keep it processing.
>
> The system ran for a year prior with no such problems. I have tried installing OBSD 3.4, OBSD 3.6 and OBSD 3.7 (which I'm currently running on). It has done it on all 3 versions of OBSD. I even built a new, temporary, firewall on a completely different machine and the same thing happened. It doesn't seem to be a hardware problem.
>
> The firewall sits behind a CISCO 2610 router which means a 10 meg Ethernet connection coming into the firewall. If I remove the firewall I can watch the pings and they never miss a beat. It is definitely the firewall that stops processing packets.
>
> Netstat -m shows plenty of available clusters (66% in use at peak). The packet filter table shows 600 packets per second around the time that it fails. CPU usage is very low with plenty of ram available.
>
> Has anyone heard anything about any worms or DOS attacks happening which might account for this? The problems predominantly happen late evening or in the middle of the night.
>
> Thanks,
> Dave
Re: DOS Attacks?
On 6/30/05, Dave Beckstrom [EMAIL PROTECTED] wrote:
> Jason,
>
> Uh...your inexperience is showing. :) The title of the post is DOS

My inexperience is showing? Bad assumption on your part.

> attacks? My question was, Has anyone heard anything about any worms or DOS attacks happening which might account for this?

There is NO WAY that anyone could tell whether or not this is a DOS attack WITHOUT LOGS. And you say MY inexperience is showing? Saying, hey my system doesn't work!! really doesn't tell us whether you are receiving a DOS attack or not. And whether or not someone heard of a DOS attack doesn't matter. Read the security forums if you are really interested in knowing this, as someone always posts it there. Even if we did hear of one, that doesn't mean this is what's happening to your system. Assuming it's a DOS attack based on someone hearing that there is a possible DOS is really really bad to do.

> Of course I expect useful information such as confirmation that someone else is experiencing attacks that result in similar symptoms on the server or perhaps there was a security bulletin released for OBSD that I have missed. There was a bulletin just released for FreeBSD's TCP stack which talked about an exposure to DOS attacks that could cause TCP to stop working.

If TCP stopped working, then you'd be able to ICMP PING now wouldn't you, since ICMP has nothing to do with TCP. Again, are you sure you didn't mean your inexperience is showing? Maybe you meant the IP stack, but that's very very different. Treating the two as the same is stupid.

> Seems reasonable to inquire about OBSD when I'm having a problem that sounds like it might possibly be related, doesn't it?

Don't expect any type of good response when your question consists of, hey, my system stops working, could it be for this reason? Sure it could be a DOS attack. Hell, it could be thousands of reasons. No one will give you an intelligent answer without proper information.

Since you don't seem interested in getting my help what-so-ever, good luck, I'm sure your lack of information will get you an answer real quick. Actually, here I'll answer you: Yes it could be a DOS attack. Glad I could be of help.

Jason
Re: DOS Attacks?
On 6/30/05, Dave Beckstrom [EMAIL PROTECTED] wrote:
> Eric,
>
> I haven't posted that information because we haven't ascertained yet that the problem lies with my system.

Well considering that this doesn't appear to be happening to ANYONE ELSE, I'd say that's good enough reason for you to AT LEAST provide network traffic logs of the times when the system crashes.

> The first rule of troubleshooting, when something has worked flawlessly for a long time, is to ask yourself what changed? My system ran a year without a hiccup. Suddenly this problem starts and nothing has changed in my configuration. I more or less assumed there was probably some kind of DOS attack happening.

Assumption without any type of basis is VERY BAD. An experienced person would know this, and either provided network traffic logs to show why he/she made the assumption, or would have included all the information necessary for others to come to this assumption (or show why it's wrong).

> The reason I tried a few versions of BSD as a solution is because I can install a version and have it running in about 30 minutes. There was a very good chance that something in one version might be different enough than another version that it might take care of the problem without a lot of research and debugging. I also tried some changes to my packet filter but later discovered that I could turn packet filtering off and the problem still happened. So it's not the ruleset. However, if it's a DOS issue adding a rule might solve the problem too.
>
> So before I spend any more time trying to fix something which might not be broken I wanted to find out if anyone had heard anything or experienced anything which might confirm the problem is originating outside my network. Make sense?

No one has asked you to fix anything, just to provide them with necessary information to debug a seemingly core issue. If this is indeed a DOS on the IP stack of OpenBSD, it's very core, and should be addressed as quickly as possible. Too bad you haven't given anyone enough information to help out.

> I once spent 2 days trying to fix a windows server and I was so intent on fixing it that I never looked around elsewhere. Turns out a worm was

This is why you need to look at ALL THE INFORMATION before deciding what the issue is. Too bad we can't do this. You must not want this issue solved.

> attacking SQL servers and a patch from Microsoft that took 5 minutes to apply fixed it. How did I hear about the worm? A friend called me. Had I been smart and started with the simple things first, like a question or reading about current security issues, I'd not have wasted those two days.
>
> If everyone else is good and there are no bulletins or similar problems happening elsewhere and the problem starts looking like my system I will continue working on it. I just thought it wise to poke my head out of the box for a minute and look around. :)

I VERY strongly suggest reading (or re-reading) http://www.openbsd.org/mail.html and especially the part about INCLUDING IMPORTANT INFORMATION. The OpenBSD mailing list webpage even says that it's better to include too much information than too little.

Please don't flame me offlist either, as it really accomplishes nothing, except annoying me.