Re: ftps?

2012-11-29 Thread Joakim Aronius
* Stuart Henderson (s...@spacehopper.org) wrote:
 On 2012-11-28, Chris Smith obsd_m...@chrissmith.org wrote:
  Also wonder why anyone in their right mind would use FTPS!?
 
 Because they can just hack it on top of their crusty old ftp server
 software, whereas using sftp would need much bigger changes?
 
I'm working on a project where we have lots of boxes with X.509 certificates 
which we want to use to secure all types of protocols. As sftp does not support 
X.509 certs we will probably have to do ftps..

Cheers,
/Joakim



Re: spammers getting less stupid?

2012-11-07 Thread Joakim Aronius
(It seems like some of my mail does not go through to misc@, perhaps some of my 
ISP's outgoing mailservers are blacklisted..?)

* Peter N. M. Hansteen (pe...@bsdly.net) wrote:
 
 http://undeadly.org/cgi?action=article&sid=20120604050025 and references
 therein show a 'works for me' example config (although the first ruleset
 block should really be discarded in favor of the second one, a true
 brainfart if there ever was one), with some further field notes to be
 found over at my blag.
 

Interesting, will check that. I automated my trapping using greyscanner to 
automatically catch all mail servers sending to addresses with numbers in them. 
Then I don't need to update spamdb manually. Sometimes I see mailservers 
attempting delivery to both legit and non-legit addresses in one connection and 
this will then catch that mailserver.

I.e. in greyscanner.conf (use with caution..):
@GOOD = (
qr'^[A-Za-z\.\+]+@mydomain.(com|se)$'i,
);

$COMPREHENSIVE = 1; 

The main risk I see (as I am paranoid) is that a malicious person could use a 
bouncing mail to make my mailserver trap a legit mail server that I do not yet 
have as whitelisted.

BR
/Joakim



Re: spammers getting less stupid?

2012-11-04 Thread Joakim Aronius
* Kurt Mosiejczuk (kurt-openbsd-m...@se.rit.edu) wrote:
 Jan Stary wrote:
 
 Strangely, the only occurrence of 2.139.201.210 in the last month's
 maillog is just this; that's half an hour after it got WHITE.
 What happened at Mon Oct 29 14:49:24 CET 2012 that made it WHITE?
 
 Anyway, it seems (some) spambots got less demented and actually do
 resend, getting themselves whitelisted - thus working themselves
 around the whole premise of greylisting.
 
 Are people seeing something similar?
 
 I'm seeing it.  I recently tweaked my greyscanner settings to pick
 up some spammers getting through who shouldn't (they were staying
 just under the threshold for further scrutiny).  But I've still been
 getting a couple a day, and they only just got themselves
 whitelisted.  So, you are not alone...
 
 --Kurt
 

Hi, 

I see it too. I also use greyscanner to catch spammers and I see a lot of spam 
to random numbers and letters@mydomains. So I trap all hosts sending to 
addresses with numbers in them (as I don't have any legit accounts with 
numbers). This catches almost all spam. But I also see some backscatter from 
legit mail servers sending delivery failure notifications to mails where my 
domains were used as sender. This then results in me blocking these legit 
servers in case they were not already whitelisted (not good..). Strangely 
enough it seems like I also get delivery failure notifications from nodes on 
e.g. xDSL networks, not sure if it's 'real' mail servers or bot nodes, some of 
these retry delivery according to RFC. Needs looking into..

/Joakim
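An added example, not code from this thread, of the trap policy described in this post and in the 2012-11-07 reply above: a sh/awk script that reads spamd(8) log lines and lists the hosts that sent to a recipient whose local part contains a digit, but sets aside connections with an empty sender (a bounce), which is exactly the backscatter case where auto-trapping would blacklist a legitimate mail server. The log lines, hosts and domain names are constructed; the "(GREY) host: <from> -> <to>" line layout is the one spamd writes.

```shell
#!/bin/sh
# Added example (not from the thread): split spamd(8) GREY log lines into
# hosts to trap and hosts to review first. Policy from the thread: no legit
# local part contains a digit, so a recipient like a8c9@mydomain is bait.
# Twist: an empty sender (<>) means a bounce, and trapping its source can
# blacklist a legitimate server that is only returning backscatter, so those
# go on a review list instead of straight into spamdb.
#
# SAMPLE_LOG is constructed; hosts are RFC 5737 documentation addresses.
SAMPLE_LOG='Oct 16 21:38:33 gw spamd[14216]: 198.51.100.23: connected (2/0)
Oct 16 21:38:44 gw spamd[14216]: (GREY) 198.51.100.23: <skeptic@example.net> -> <a8c9@mydomain.com>
Oct 16 21:38:44 gw spamd[14216]: 198.51.100.23: disconnected after 11 seconds.
Oct 16 21:40:01 gw spamd[14216]: (GREY) 192.0.2.10: <> -> <bob42@mydomain.com>
Oct 16 21:41:07 gw spamd[14216]: (GREY) 203.0.113.5: <alice@example.org> -> <joakim@mydomain.com>
Oct 16 21:42:15 gw spamd[14216]: (GREY) 203.0.113.9: <x@example.com> -> <zz19@mydomain.se>
Oct 16 21:42:15 gw spamd[14216]: (GREY) 203.0.113.9: <x@example.com> -> <info@mydomain.se>'

# Read log lines on stdin; print "trap|review <host> <recipient>" per hit.
# Field layout: $6 "(GREY)", $7 "host:", $8 "<from>", $9 "->", $10 "<to>".
classify_grey() {
    awk '
    $6 == "(GREY)" {
        host = $7; sub(/:$/, "", host)
        from = $8; to = $10
        gsub(/[<>]/, "", from); gsub(/[<>]/, "", to)
        local = to; sub(/@.*/, "", local)
        if (local !~ /[0-9]/) next          # looks like a real mailbox
        if (from == "") print "review", host, to
        else            print "trap", host, to
    }'
}

# Unique hosts of one class ("trap" or "review"), log lines on stdin.
hosts_of()     { classify_grey | awk -v c="$1" '$1 == c { print $2 }' | sort -u; }
trap_hosts()   { hosts_of trap; }
review_hosts() { hosts_of review; }
```

Run it as `trap_hosts < /var/log/spamd`; each host it prints is a candidate for `spamdb -a -t <host>`, while the output of `review_hosts` is for a human to look at (the 203.0.113.9 case shows that a host delivering to one bait address and one real address in the same connection is still trapped, as the post describes).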



Re: Syslog to remote server and local file

2012-11-02 Thread Joakim Aronius
* Andy Bradford (amb-open...@bradfords.org) wrote:
 Thus said Joakim Aronius on Thu, 01 Nov 2012 17:54:28 BST:
 
  !!spamd
  daemon.err;daemon.warn;daemon.info  /var/log/spamd
  daemon.err;daemon.warn;daemon.info  @logserver
 
 A careful reading of man syslog.conf would seem to indicate that you can
 do something like:
 
 !spamd
 daemon.err;daemon.warn;daemon.info  /var/log/spamd
 !!spamd
 daemon.err;daemon.warn;daemon.info  @logserver

Indeed, thanks a lot Andy.

/Joakim



Syslog to remote server and local file

2012-11-01 Thread Joakim Aronius
Hi,

A quick question on syslog to remote servers.. I would like to log my spamd 
logs locally and to a remote server, first I tried to add a second row to 
syslog.conf pointing at the logserver:

!!spamd
daemon.err;daemon.warn;daemon.info  /var/log/spamd
daemon.err;daemon.warn;daemon.info  @logserver
daemon.debug  /dev/null
!*

This does not work as the '!!spamd' makes syslog exit after the first match. 
Changing the first row to '!spamd' does make the logs go to both locations but 
will also make the log record go into /var/log/daemon as it matches those 
statements.

And it seems like it is not possible to have multiple recipients of log records 
(except when sending log info to multiple logged on users according to the man 
page) so this does not work.

!!spamd
daemon.err;daemon.warn;daemon.info  /var/log/spamd,@logserver
daemon.debug  /dev/null
!*

How shall I do this?

BR
/Joakim



Re: spamd and greyscanner help needed..

2012-10-17 Thread Joakim Aronius
* Boudewijn Dijkstra (sp4mtr4p.boudew...@indes.com) wrote:
 On Tue, 16 Oct 2012 22:01:54 +0200 Joakim Aronius
 joa...@aronius.com wrote:
 
 Any ideas on what I am doing wrong?
 
 I would guess that there is a mistake in your pf.conf.

Yep. I had added a 'log' keyword to the redirect rule for spamd (incoming 25 -> 
8025) to get some 'observability'... Spamlogd caught that log entry and 
immediately whitelisted the sender.. It's a bit unfortunate that it is then not 
possible to log the rdrs but I can live with that. 

Thx
/Joakim



Re: spamd and greyscanner help needed..

2012-10-17 Thread Joakim Aronius
* Otto Moerbeek (o...@drijf.net) wrote:
 On 17 Oct 2012 at 09:16 Joakim Aronius joa...@aronius.com wrote the
 following:
  Yep. I had added a 'log' keyword to the redirect rule for spamd (incoming 25
 -> 8025) to get some 'observability'... Spamlogd caught that log entry and
 immediately whitelisted the sender.. It's a bit unfortunate that it is then not
 possible to log the rdrs but I can live with that.
 
 
 To avoid this problem, use another pflog interface for spamlogd. See the man
 page for details.


Good point, thanks! Will look into that.
/J



spamd and greyscanner help needed..

2012-10-16 Thread Joakim Aronius
Hi all,

I need someone to hit me with a clue-by-four..

I'm trying to set up spamd and greyscanner to trap a flood of incoming spam. Now 
running with default settings for spamd and with recommended pf.conf rules. 
Can't get it to work properly..

joakim@heimdall$ uname -rsv
OpenBSD 5.1 GENERIC#160
joakim@heimdall$ grep spam /etc/rc.conf.local
spamd_flags="-v -h mail.aronius.se"

Example: 
joakim@heimdall$ grep 81.172.0.62 /var/log/spamd
Oct 16 21:38:33 heimdall spamd[14216]: 81.172.0.62: connected (2/0)
Oct 16 21:38:44 heimdall spamd[14216]: (GREY) 81.172.0.62: skeptic...@yahoo.nl -> a8c9...@aronius.com
Oct 16 21:38:44 heimdall spamd[14216]: 81.172.0.62: disconnected after 11 seconds.

Hosts are _immediately_ listed as both WHITE and GREY:
joakim@heimdall$ spamdb |grep 81.172.0.62
WHITE|81.172.0.62|||1350416314|1350416314|1353526714|1|0
GREY|81.172.0.62|81.172.0.62.dyn.user.ono.com|skeptic...@yahoo.nl|a8c9...@aronius.com|1350416324|1350430724|1350430724|1|0

Looking at the WHITE record it has the same time for 'first' and 'pass'
joakim@heimdall$ date -r 1350416314
Tue Oct 16 21:38:34 CEST 2012

Is it not first supposed to be GREY until the sender tries again after 
'passtime' but before 'greyexp' and then is added as WHITE?

As the sender is now whitelisted 'greyscanner' will not touch it so I assume 
that the above is the root problem..

Any ideas on what I am doing wrong?

Thanks,
/joakim



Re: problem setting inet6 route

2012-09-01 Thread Joakim Aronius
* Remi Locherer (remi.loche...@relo.ch) wrote:
 On Fri, Aug 31, 2012 at 09:01:44PM +0200, Joakim Aronius wrote:
  * Remi Locherer (remi.loche...@relo.ch) wrote:
   Hi
   
   I rented a server from Hetzner where I installed OpenBSD 5.1. Hetzner also
   provides IPv6 but somehow with a strange setup. I got something like the 
   following from them:
   
   Gateway Address: 2001:db8:1:1110::1/64
   Subnet I can use: 2001:db8:1:/64
  
  You could begin with actually getting real IPv6 addresses. 2001:DB8::/32 is 
  a reserved prefix for use in documentation. 
  http://tools.ietf.org/html/rfc3849
  
 
 Do you really think that these addresses are the ones I got from the
 provider?

Well, with that kind of question and mistyped address I figured you did not 
have a clue, maybe I was wrong, my bad. 
But I do not believe in keeping IP addresses secret, it doesn't help. 
Good luck with IPv6!
/J



Re: problem setting inet6 route

2012-08-31 Thread Joakim Aronius
* Remi Locherer (remi.loche...@relo.ch) wrote:
 Hi
 
 I rented a server from Hetzner where I installed OpenBSD 5.1. Hetzner also
 provides IPv6 but somehow with a strange setup. I got something like the 
 following from them:
 
 Gateway Address: 2001:db8:1:1110::1/64
 Subnet I can use: 2001:db8:1:/64

You could begin with actually getting real IPv6 addresses. 2001:DB8::/32 is a 
reserved prefix for use in documentation. http://tools.ietf.org/html/rfc3849

Cheers,
/Joakim



Re: Quad-Gigabit 1U mini-itx board recommendations?

2011-08-30 Thread Joakim Aronius
I have used Soekris for a few years and am very happy with them. They have a 
new board that will start shipping soon: http://soekris.com/net6501.htm

/J



Re: spamd in blacklist mode 4.8 not working?

2011-05-25 Thread Joakim Aronius
* Ivo Chutkin (open...@bgone.net) wrote:
 from pf.conf:
 
 pass in log on $ext300 proto tcp from <spamd> to any port smtp
 rdr-to 127.0.0.1 port spamd
 
 pass in log on $ext300 proto tcp from <spamd-black> to any port smtp
 rdr-to 127.0.0.1 port spamd


Hard to tell as you only show parts of the config. It could be a problem 
related to the changes to pf between 4.6 and 4.7. You should probably take a 
look at the current spamd(8) man page and update your pf rules for spamd 
according to the example. And you need to check the pf logs to see what is 
actually happening.

Regards,
/Joakim



Re: opensmtp

2011-03-10 Thread Joakim Aronius
* Hugo Osvaldo Barrera (h...@osvaldobarrera.com.ar) wrote:
 
 I've used it on my personal e-mail server since December, and it's
 worked just fine, no issues, crashed, nothing unusual.

Me too, I switched to smtpd when I replaced my mailserver a little while ago. 
After using OpenBSD/sendmail for 10 years I just love using smtpd instead. 
Thanks Gilles!

Cheers,
/Joakim
Ps. and remember to buy CDs/donate, the OpenBSD team is doing a great job.



Re: nat static-port option

2011-02-04 Thread Joakim Aronius
* Ted Unangst (ted.unan...@gmail.com) wrote:
 On Wed, Feb 2, 2011 at 11:23 AM, Martin Schröder mar...@oneiros.de wrote:
  2011/2/2 Henning Brauer lists-open...@bsws.de:
  who sez that your made up isp has to hand out network-wide unique IPs
  to his customers?
 
  AFAIK Comcast already has 2^24 customers.
 
 And they seem to be doing just fine.  What's the problem again?

..don't want to fuel a flame war here but I heard that ATT is using 40 
instances of 10/8, which indicates that big operators need to bend themselves 
backwards to get their stuff together. 

And T-Mobile US is about to launch an IPv6 only + NAT64 mobile service, will be 
interesting to see how that plays out..

Cheers,
/Joakim



Re: nat static-port option

2011-02-04 Thread Joakim Aronius
* Joakim Aronius (joa...@aronius.com) wrote:
 
 ..don't want to fuel a flame war here but I heard that ATT is using 40 
 instances of 10/8, which indicates that big operators need to bend themselves 
 backwards to get their stuff together. 

Need to correct myself there, should be Verizon Wireless, not ATT.
https://sites.google.com/site/ipv6implementors/2010/agenda/14_Parker_VerizonWireless.pdf?attredirects=0
https://sites.google.com/site/ipv6implementors/2010/agenda

Cheers,
/Joakim



Re: nat static-port option

2011-02-04 Thread Joakim Aronius
* Martin Schröder (mar...@oneiros.de) wrote:
 Carrier grade NAT is less bullshit than ipv6. :-)

Arbor networks just released their new 'Worldwide Infrastructure Report' which
was interesting. In particular the rising threat of DDOS and the use of
stateful network gear in mobile networks, such as DPI and NAT...

The complexities of IPv6, as eloquently expressed by Henning, will surely
result in some interesting security issues..

http://www.arbornetworks.com/en/arbor-networks-sixth-annual-worldwide-infrastructure-security-report.html

Now I think we shall let this thread come to rest as this is a bit off
topic. (and before someone resorts to name calling, I was almost called 'IPv6
fanboy' at one point).

Have a nice weekend :)
/Joakim



Re: Donations

2010-12-06 Thread Joakim Aronius
* L. V. Lammert (l...@omnitec.net) wrote:
 Have you ever tried to read the TOS? Any such organization with unlimited
 legal resources can do whatever they wish - as long as it's not contrary to
 the current legal winds, they will get away with it.

In a legal sense yes. In a business sense, hopefully not, if enough people take 
their money elsewhere. I terminated my PP account yesterday.

/Joakim



Re: HP Proliant NEO N36L

2010-11-24 Thread Joakim Aronius
* Stuart Henderson (s...@spacehopper.org) wrote:
 On 2010-11-23, Joakim Aronius joa...@aronius.com wrote:
  Hi,
 
  This looks like a nice, small and cheap server: 
  HP ProLiant AMD Athlon II NEO N36L
  http://www.newegg.com/Product/Product.aspx?Item=N82E16859105905
 
  However, there seems to be some HP stuff in there which I'm not sure is 
  supported.
 
 FreeBSD dmesg here:
 
 http://www23.atwiki.jp/dragonkiller?cmd=upload&act=open&pageid=239&file=proliant-microserver_freenas0.7.2-dmesg.txt
 
 From this I would make educated guesses that the ethernet
 should be ok, raid probably won't work in raid mode but should
 be ok in ahci mode. But as to whether ACPI will work, you can't
 really make a guess ...


Ok, that is probably good enough, thanks a lot!

Cheers,
/Joakim 



HP Proliant NEO N36L

2010-11-23 Thread Joakim Aronius
Hi,

This looks like a nice, small and cheap server: 
HP ProLiant AMD Athlon II NEO N36L
http://www.newegg.com/Product/Product.aspx?Item=N82E16859105905

However, there seems to be some HP stuff in there which I'm not sure is supported.

Ethernet Controller
Embedded NC107i PCI Express Gigabit Ethernet Server Adapter 
(Seems like this is a bge(4) according to this(?) 
http://old.nabble.com/HP-DL120-G6-with-OpenBSD--tt28315871.html#a28315871 )

Storage Controller
Embedded SATA Controller with Embedded RAID (0, 1) 


Has anyone tried OpenBSD on one of these? Any DMESG available?

In general, are the HP Proliant boxes good with OpenBSD?

Regards,
/Joakim



Re: Activating ip6.forwarding and accept_rtadv at the same time

2010-09-09 Thread Joakim Aronius
* Martin Pelikan (martin.peli...@gmail.com) wrote:
 2010/9/7, Claudio Jeker cje...@diehard.n-r-g.com:
  As soon as you split a /64 into something smaller you left IPv6 land and
  entered something that looks like IPv6 but isn't. Sure it is possible but
  by doing it you make every IPv6 disciple scream in agony (which is
  probably a good thing anyway).

 I don't understand that agonizing part. I've heard of companies with
 so stupid network policies (read: corporate environment) that DHCP6
 with one /112 per department and sequentially assigned addresses
 against people's MAC addresses is like a spit in the ocean. Most
 people that would make it scream use some automated system for keeping
 track of their machines anyway.

Why use smaller subnets than /64? Just keep it simple and go for /64s
everywhere, it's even quite common to use /64s on point-to-point links.
The only reason is that net ops are used to IPv4 and try to conserve IP
addresses. In the end they will have an unnecessarily complicated network to
handle.

  What is wrong with arp?

ND does a lot more than ARP. (..which, in itself, makes it more complex.)

  These two things are partially responsible for the failure of IPv6.

 Failure? I don't know about America, but here in central Europe it
 finally seems to be deploying well. And wait for China. (yes, I know
 it's more like intranet, but they probably don't want to separate too
 much)

IPv6 is getting more and more attention, in the US too. So after a decade+ of
'IPv6 will happen soon' it seems like things finally start to happen.. and it
will surely be painful :)

Cheers,
/Joakim



Re: pf rdr to multiple machines in the subnet

2010-02-10 Thread Joakim Aronius
* Jean-Francois (jfsimon1...@gmail.com) wrote:
 Is it possible to use the rule given by Stuart Henderson as follows ?
 rdr pass on $ext_if proto tcp to port 1024:65535 -> 10.0.1/24


Depending on what you want to accomplish. With the above rule the incoming 
traffic to e.g. port 1024 will be forwarded to _one_ of the hosts in your 
network. Personally I cannot see any use for this.

1. read the pf.conf man page
2. If you want help, describe the problem you are trying to solve.

/jkm



Re: pf rdr to multiple machines in the subnet

2010-02-08 Thread Joakim Aronius
* Jean-François SIMON (jfsimon1...@gmail.com) wrote:
 2010/2/7 Bret S. Lambert bret.lamb...@gmail.com
 
  No, you'd have to do a separate rdr line for each backend host.
 

 Would a rule like this one work (2 lines).
  rdr pass on $ext_if proto tcp from any to any port 1024:65535 -> 10.0.1.32
  rdr pass on $ext_if proto tcp from any to any port 1024:65535 -> 10.0.1.33

You can't redirect one port to multiple machines, your options are:
1) redirect different ports to different machines, e.g.:
rdr pass on $ext_if proto tcp from any to any port 1024:5000 -> 10.0.1.32
rdr pass on $ext_if proto tcp from any to any port 5001:65535 -> 10.0.1.33

2) get more external IP addresses.

/jkm



Re: way to help: laptops and weekly

2010-01-29 Thread Joakim Aronius
* Ingo Schwarze (schwa...@usta.de) wrote:
 situation, so i consider tedu@'s question unanswered.  I'm not even sure
 there is a good solution at all: Jan Stary and Jonathan Thornburg have
 presented strong arguments indicating that "run it manually at the time
 you want it" might be the best answer.

What about a new script that runs daily/weekly/monthly as needed to make it a 
bit simpler. The user would then not have to keep track of which script to run. 
This script could be called manually or the user could add it to cron or a 
shutdown script as it suits the user/machine. 

..just my $.02
/jkm



Re: way to help: laptops and weekly

2010-01-25 Thread Joakim Aronius
* Steve Shockley (steve.shock...@shockley.net) wrote:
 On 1/24/2010 2:48 PM, Ted Unangst wrote:
 Cron runs the weekly update script every Saturday at 3:30am.  If you
 use a laptop or other desktop, your computer probably isn't on then.
 So the locate and whatis databases never get updated unless you run it
 by hand.
 
 Perhaps run a script via cron occasionally, maybe every six hours
 where six hours corresponds to 3:30.  If /var/log/weekly.out is more
 than, or exactly, a week old, run weekly.  if /var/log/weekly.out is
 less than a week old, only run /var/log/weekly if it's 3:30am on
 Saturday.

+1. Cron jobs could be run more frequently IMHO, e.g. every 2-3 hrs, as cron is 
cheap and to make this work on infrequently used machines.

/jkm
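As an added example (not code from this thread or from OpenBSD), here is the catch-up wrapper that this post and the 2010-01-29 one above sketch: a single script, run from cron every few hours, that runs daily/weekly/monthly only when the corresponding output file is missing or older than the job's interval, so a laptop that is off at Saturday 03:30 still gets its locate and whatis databases refreshed. The script name, the cron line and the STAMP_DIR variable are assumptions; the stamp files are the /var/log/{daily,weekly,monthly}.out files that OpenBSD's root crontab already writes.

```shell
#!/bin/sh
# Added example (not from the thread): run /etc/daily, /etc/weekly and
# /etc/monthly when they are due rather than at a fixed hour. "Due" is
# decided from the age of the output file each job writes, so a machine
# that is usually off at the scheduled time catches up the next time it is on.
#
# Assumed crontab entry (every three hours):
#   0 */3 * * * /usr/local/sbin/periodic-catchup run

STAMP_DIR=${STAMP_DIR:-/var/log}   # daily.out, weekly.out, monthly.out live here

# Is job $1 due, given an interval of $2 days? True when its output file is
# missing or at least $2 days old. POSIX find: -mtime +N matches files whose
# age in whole days exceeds N, hence +$((days - 1)).
job_due() {
    stamp="$STAMP_DIR/$1.out"
    [ -e "$stamp" ] || return 0
    [ -n "$(find "$stamp" -mtime +"$(($2 - 1))" -print)" ]
}

# Run script $3 (default /etc/$1) if job $1 is due, capturing its output in
# the stamp file so the next check sees a fresh mtime. Returns 1 if not due.
run_if_due() {
    name=$1; days=$2; script=${3:-/etc/$1}
    job_due "$name" "$days" || return 1
    sh "$script" >"$STAMP_DIR/$name.out" 2>&1
}

# One pass over the three standard jobs; "not due" is not an error here.
main() {
    run_if_due daily 1 || :
    run_if_due weekly 7 || :
    run_if_due monthly 30 || :
}

if [ "${1:-}" = run ]; then main; fi
```

Because the decision is made from file age, the same script can also be called from a shutdown hook or by hand, as the earlier post suggests, without running a job twice in one interval.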



Re: Parental filter

2010-01-18 Thread Joakim Aronius
For the ad-part I use bind with config file from this place: 
'http://pgl.yoyo.org/adservers/'

Good enough for me so far. (I will probably need to increase my security 
posture as my kids get a little older..)

Cheers,
/Joakim



Re: Backup disk over USB good idea??

2010-01-11 Thread Joakim Aronius
Hi,

An update for the internet archive..
The USB controller died on me (had to remove the PCI card to boot the machine) 
so the earlier problems were probably related to that.

Cheers,
/Joakim

/var/log/messages:
Jan  5 04:21:49 maya /bsd: ehci0: unrecoverable error, controller halted
Jan  5 04:21:49 maya /bsd: ehci0: blocking intrs 0x10
Jan  5 04:21:49 maya /bsd: uhci0: host controller process error
Jan  5 04:21:49 maya /bsd: uhci0: host controller halted
Jan  5 04:21:49 maya /bsd: sd0 detached
Jan  5 04:21:49 maya /bsd: scsibus0 detached
Jan  5 04:21:49 maya /bsd: umass0 detached
Jan  5 04:21:49 maya /bsd: uhci1: host system error
Jan  5 04:21:49 maya /bsd: uhci1: host controller process error
Jan  5 04:21:49 maya /bsd: uhci1: host controller halted
Jan  5 04:21:49 maya /bsd: uhci_freex: xfer=0xd0f36500 not busy, 0x4f4e5155
Jan  5 04:21:49 maya /bsd: uhci_freex: xfer=0xd0f36700 not busy, 0x4f4e5155
Jan  5 04:22:00 maya /bsd: ehci_sync_hc: tsleep() = 35
Jan  5 04:22:15 maya last message repeated 2 times
Jan  5 04:22:17 maya /bsd: ehci_idone: ex=0xd0f7b700 is done!
Jan  5 04:22:20 maya last message repeated 3 times
Jan  5 04:22:20 maya /bsd: ehci_sync_hc: tsleep() = 35
Jan  5 04:22:20 maya /bsd: ehci_idone: ex=0xd0f7b700 is done!
Jan  5 04:22:30 maya /bsd: ehci_sync_hc: tsleep() = 35
Jan  5 04:22:32 maya /bsd: ehci_idone: ex=0xd0f7b700 is done!
Jan  5 04:22:35 maya last message repeated 3 times
Jan  5 04:22:35 maya /bsd: ehci_sync_hc: tsleep() = 35
Jan  5 04:22:35 maya /bsd: ehci_idone: ex=0xd0f7b700 is done!
Jan  5 04:22:36 maya /bsd: ehci0: port reset timeout
Jan  5 04:22:36 maya /bsd: ehci_freex: xfer=0xd0f7b700 not busy, 0x4f4e5155
Jan  5 04:22:46 maya /bsd: ehci_sync_hc: tsleep() = 35
Jan  5 04:22:47 maya /bsd: ehci_idone: ex=0xd0f7b800 is done!
Jan  5 04:22:50 maya last message repeated 3 times
Jan  5 04:22:51 maya /bsd: ehci_sync_hc: tsleep() = 35
Jan  5 04:22:51 maya /bsd: ehci_idone: ex=0xd0f7b800 is done!
Jan  5 04:23:01 maya /bsd: ehci_sync_hc: tsleep() = 35
Jan  5 04:23:03 maya /bsd: ehci_idone: ex=0xd0f7b800 is done!
Jan  5 04:23:06 maya last message repeated 3 times
Jan  5 04:23:06 maya /bsd: ehci_sync_hc: tsleep() = 35
Jan  5 04:23:06 maya /bsd: ehci_idone: ex=0xd0f7b800 is done!
Jan  5 04:23:16 maya /bsd: ehci_sync_hc: tsleep() = 35
Jan  5 04:23:18 maya /bsd: ehci_idone: ex=0xd0f7b800 is done!
Jan  5 04:23:21 maya last message repeated 3 times
Jan  5 04:23:21 maya /bsd: ehci_sync_hc: tsleep() = 35
Jan  5 04:23:21 maya /bsd: ehci_idone: ex=0xd0f7b800 is done!



Re: Backup disk over USB good idea??

2009-12-17 Thread Joakim Aronius
* Jon Simola (jsim...@gmail.com) wrote:
 On Thu, Dec 17, 2009 at 9:31 AM, Mauro Rezzonico l...@ch23.org wrote:
  Mount under /usr/backup, or /var/backup, or /tmp/backup or whatever!
 
 And/Or wrap the backup script with something that checks for the mount.

Thanks, I will do both and throw in a mail notification when the disk is 
unavailable. (mounting under / was pretty stupid :)

Cheers,
/Joakim



Backup disk over USB good idea??

2009-12-16 Thread Joakim Aronius
Hi,

I have an old home server which ran out of disk space so I added a big disk 
over USB which I use for backup (mounted on /backup). Problem is that it has 
happened a few times that the USB controller has crapped out resulting in the 
disk being dismounted and the backup filling up /. I then have to reboot to be 
able to access the disk again (fsck/mount).

Is this due to my ancient HW, crappy USB controller card, or are USB-mounted 
disks just less stable? 

/jkm

/var/log/messages:
Dec 17 03:12:17 maya /bsd: ehci0: unrecoverable error, controller halted
Dec 17 03:12:17 maya /bsd: ehci0: blocking intrs 0x10
Dec 17 03:12:17 maya /bsd: sd0 detached
Dec 17 03:12:17 maya /bsd: scsibus0 detached
Dec 17 03:12:17 maya /bsd: umass0 detached
Dec 17 03:12:23 maya /bsd: ehci_idone: ex=0xd0f7b700 is done!
Dec 17 03:12:56 maya last message repeated 6 times
Dec 17 03:12:56 maya /bsd: uhub0: device problem, disabling port 1

joa...@maya$ sudo fsck /dev/sd0a
Password:
Can't open /dev/rsd0a: Device not configured


OpenBSD 4.6-stable (GENERIC) #0: Sun Nov 29 21:19:21 CET 2009
r...@maya.aronius.com:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class) 799 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 267743232 (255MB)
avail mem = 250073088 (238MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 02/22/00, BIOS32 rev. 0 @ 0xfda74, SMBIOS rev. 2.3 @ 0xf0ea0 (58 entries)
bios0: vendor Intel Corp. version VC82010A.10A.0024.P03.0002221044 date 02/22/2000
bios0: Dell Computer Corporation XPS800
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3230/208 (11 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82820 Host rev 0x03
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xf800, size 0x400
ppb0 at pci0 dev 1 function 0 Intel 82820 AGP rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Rage Pro rev 0x5c
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 30 function 0 Intel 82801AA Hub-to-PCI rev 0x02
pci2 at ppb1 bus 2
uhci0 at pci2 dev 9 function 0 VIA VT83C572 USB rev 0x61: irq 11
uhci1 at pci2 dev 9 function 1 VIA VT83C572 USB rev 0x61: irq 9
ehci0 at pci2 dev 9 function 2 VIA VT6202 USB rev 0x63: irq 10
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 VIA EHCI root hub rev 2.00/1.00 addr 1
fxp0 at pci2 dev 10 function 0 Intel 8255x rev 0x08, i82559: irq 9, address 00:02:b3:25:72:b2
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 VIA UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 VIA UHCI root hub rev 1.00/1.00 addr 1
ichpcib0 at pci0 dev 31 function 0 Intel 82801AA LPC rev 0x02: 24-bit timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 Intel 82801AA IDE rev 0x02: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: IC35L060AVV207-0
wd0: 16-sector PIO, LBA48, 58644MB, 120103200 sectors
wd1 at pciide0 channel 0 drive 1: ST3120026A
wd1: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
wd2 at pciide0 channel 1 drive 0: ST3120026A
wd2: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
wd3 at pciide0 channel 1 drive 1: ST3320620A
wd3: 16-sector PIO, LBA48, 305245MB, 625142448 sectors
wd2(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
wd3(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
uhci2 at pci0 dev 31 function 2 Intel 82801AA USB rev 0x02: irq 10
ichiic0 at pci0 dev 31 function 3 Intel 82801AA SMBus rev 0x02: irq 11
iic0 at ichiic0
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
biomask ff6d netmask ff6d ttymask 
mtrr: Pentium Pro MTRR support
umass0 at uhub0 port 1 configuration 1 interface 0 Western Digital External HDD rev 2.00/1.75 addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0: WD, 10EAVS External, 1.75 
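The mount check and mail notification that the 2009-12-17 reply above suggests, written out as an added example rather than code from the thread: the wrapper refuses to copy anything unless the backup directory is really a mount point, so a USB disk that the controller has dropped (as in the messages quoted in this post) leaves an empty directory on the root filesystem instead of a backup that fills /. The paths, the BACKUP_MAILTO variable and the cp stand-in for the real backup command are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a backup wrapper that only runs when
# the target is a mounted filesystem. If the USB controller drops the disk,
# /var/backup turns into a plain directory on / and a blind copy would fill
# the root filesystem; this wrapper notices, notifies and stops instead.

# Mount point of the filesystem that holds $1 (df -P is POSIX; column 6).
fs_mountpoint() {
    df -P "$1" | awk 'NR == 2 { print $6 }'
}

# True when $1 is itself a mount point, i.e. a filesystem is mounted on it.
is_mountpoint() {
    dir=$(cd -- "$1" 2>/dev/null && pwd -P) || return 1
    [ "$(fs_mountpoint "$dir")" = "$dir" ]
}

# Notify the admin: mail(1) to $BACKUP_MAILTO when set (assumed variable),
# otherwise stderr, which cron mails to root anyway.
notify_admin() {
    subject=$1; body=$2
    if [ -n "${BACKUP_MAILTO:-}" ]; then
        printf '%s\n' "$body" | mail -s "$subject" "$BACKUP_MAILTO"
    else
        printf '%s: %s\n' "$subject" "$body" >&2
    fi
}

# Copy $1 into $2 only when $2 is a mount point.
# Returns 0 on success, 1 when the disk is missing (after notifying),
# 2 when the copy itself fails.
run_backup() {
    src=$1; dest=$2
    if ! is_mountpoint "$dest"; then
        notify_admin "backup skipped on $(uname -n)" \
            "$dest is not a mount point; check the USB disk, then fsck and mount it"
        return 1
    fi
    # Stand-in for the real backup command (dump, rsync, ...).
    cp -Rp -- "$src/." "$dest/" || return 2
}
```

Mounting under /var/backup rather than /backup, as the reply also suggests, keeps the check meaningful: the directory exists either way, but only passes is_mountpoint while the disk is actually there.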

Re: pf and fragmented IPv6 packets

2009-12-14 Thread Joakim Aronius
* Todd T. Fries (t...@fries.net) wrote:
 Must is there, granted.  For IPSec tunnels encapsulating IPv6 inside IPv4,
 there are tricky problems that were looked at during n2k9 but not solved
 that prevent the proper icmp6 too big message from being sent with the
 proper source address to match the VPN config so it might make it back
 to the proper system.  Without this, MTU is not reduced, and fail is the
 result if using tunnel mode with IPSec encapsulating IPv6, only if this
 is traffic from a client behind a VPN gateway.  For the gateways themselves,
 they generate the properly sized packets.
 

Hi Todd,

Host1--(net1)--GW1==(tunnel)==GW2--(net2)--Host2

If Host1 sends an IPv6 packet to Host2 with an MTU too big for the GW1-GW2 
tunnel then the GW1 should send an ICMP packet too big to Host1. I assume that 
the ICMP packet should use GW1 and Host1 unicast addresses on net1 as source 
and destination, i.e. the MTU would then be related to traffic going through 
the gateway... But this would then not handle GW1 having multiple tunnels with 
different MTU.. Should the source address of the ICMPv6 message then be the GW1 
tunnel internal endpoint IP?

Does it matter if it's an IPsec or a gif tunnel, as used by Sixxs (I guess 
not..)?

thanks,
/Joakim
Ps.. and I also have problem reaching the sitic.se site using IPv6 (Sixxs 
tunnel)..



Re: pf and fragmented IPv6 packets

2009-12-11 Thread Joakim Aronius
* Stuart Henderson (s...@spacehopper.org) wrote:
 On 2009-12-10, Jonas Thambert jonas.thamb...@sitic.se wrote:
  Like a month ago we got a complaint from a user that our website
  was unreachable over IPv6. We have 2x Native Ipv6 transits. The user
  had bought IPv6 from an ISP that uses tunneling to deliver it
  to the organization. After some packet traces we found out that the
  problem was in PF and that it doesn't seem to handle fragmented IPv6
  packets.
  
  Sure enough, from the man page of pf.conf:
  
  Currently, only IPv4 fragments are supported and IPv6 fragments are
   blocked unconditionally.
  
  The problem is that some of Sweden's largest ISPs use tunneling for IPv6
  to their customers so we can't just say, ditch em. Teredo seems to work 
  fine.
  
  Is there a workaround or plans to implement support for this in pf?
 
 the workaround is to reduce the MTU, or for TCP you can use scrub max-mss
 (1220 is a safe value to clamp MSS to; this equates to MTU 1280, which all
 IPv6 hosts are required to handle).

Could someone please hit me with a clue stick if I am wrong here... If there is 
a tunnel reducing the MTU then the tunnel endpoint should send an ICMPv6 packet 
too big to the sender. My assumption is that the host then shall reduce the 
MTU, i.e. putting less stuff in each packet, not that the host should create 
big packets and then fragment them. 
 
/Joakim



Re: pf and fragmented IPv6 packets

2009-12-11 Thread Joakim Aronius
* Stuart Henderson (s...@spacehopper.org) wrote:
 On 2009/12/11 14:14, Joakim Aronius wrote:
  Could someone please hit me with a clue stick if I am wrong here...
  If there is tunnel reducing the MTU then the tunnel endpoint should
  send an ICMPv6 packet too big to the sender.
 
 You can't rely on should.

Ok, granted, I was a bit sloppy with words there, the RFC says must for the 
ICMP message. But reading up a bit on how the source host shall handle the 
situation it turns out that you can do pretty much as you like...

RFC 2460:
   In order to send a packet larger than a path's MTU, a node may use
   the IPv6 Fragment header to fragment the packet at the source and
   have it reassembled at the destination(s).  However, the use of such
   fragmentation is discouraged in any application that is able to
   adjust its packets to fit the measured path MTU (i.e., down to 1280
   octets).

Cheers,
/Joakim



Re: Packets to IPsec blackholed ?

2009-12-04 Thread Joakim Aronius
* BARDOU Pierre (bardo...@mipih.fr) wrote:
 Hello,
 
 I had a working ipsec tunnel this morning :
 Dec 04 09:30:35.086117 rule 375/(match) pass in on vlan100: 10.80.2.135.4685 > 10.96.37.1.23: S 2120140262:2120140262(0) win 64512 mss 1460,nop,nop,sackOK (DF)
 Dec 04 09:30:35.086154 rule 28/(match) pass out on enc0: 10.80.2.135.4685 > 10.96.37.1.23: S 2120140262:2120140262(0) win 64512 mss 1460,nop,nop,sackOK
 
 At noon I rebooted my gateway, and now packets get lost in the wild (no
 pass out nor block out):
 Dec 04 13:55:35.054695 rule 375/(match) pass in on vlan100: 10.80.2.135.3265
  10.96.37.1.23: S 2811095018:2811095018(0) win 64512 mss
 1460,nop,nop,sackOK (DF)
 
 But my tunnel is still up according to ipsecctl -sa.
 
 I have other tunnels who work like a charm.
 
 Anyone could tell me out to get my packets back on the right way ?

you might have lost a route

/j




 
 TYVM
 
 -- 
 Cordialement,
  
 Pierre BARDOU
 CSIM - Bureau 012
  
 
 
 
 12 rue Michel Labrousse
 BP93668
 F-31036 Toulouse CEDEX 1
  
 Til : 05 67 69 71 84
 Fax : 05 34 61 51 00
 Mail : bardo...@mipih.fr
 
 [demime 1.01d removed an attachment of type application/x-pkcs7-signature 
 which had a name of smime.p7s]



Re: Stopped at pf_test_rule+0xa87

2009-12-02 Thread Joakim Aronius
* Henning Brauer (lists-open...@bsws.de) wrote:
 * Joakim Aronius joa...@aronius.com [2009-12-01 15:54]:
  * Henning Brauer (lists-open...@bsws.de) wrote:
   * Alastair Johnson att...@googlemail.com [2009-12-01 12:00]:
Got the following error on 2 identical firewalls last night:

uvm_fault(0xd0891180, 0x0 0, 3) -> e
kernel: page fault trap, code=0
Stopped at pf_test_rule+0xa87:   movl  %ecx,0x4(%eax)

OpenBSD 4.6 installed from the ISO /OpenBSD/4.6/i386/install46.iso
   please get the latest stable. this really looks like an issue i fixed
   after release.
  Any indication on who this could affect is appreciated. I.e. how do I know 
  if I need to upgrade to latest stable? 
 
 sigh. if you use pf you'll want to. if you use OpenBSD you want to.
 heck, you want to follow -stable right?
Yes, and I am. I misread your original reply and thought you recommended going 
to -current to fix this. Sorry for the noise.

Cheers,
/J



Re: Stopped at pf_test_rule+0xa87

2009-12-01 Thread Joakim Aronius
* Henning Brauer (lists-open...@bsws.de) wrote:
 * Alastair Johnson att...@googlemail.com [2009-12-01 12:00]:
  Got the following error on 2 identical firewalls last night:
  
  uvm_fault(0xd0891180, 0x0 0, 3) -> e
  kernel: page fault trap, code=0
  Stopped at pf_test_rule+0xa87:   movl  %ecx,0x4(%eax)
  
  OpenBSD 4.6 installed from the ISO /OpenBSD/4.6/i386/install46.iso
 
 please get the latest stable. this really looks like an issue i fixed
 after release.

Hi,

Any indication on who this could affect is appreciated. I.e. how do I know if I 
need to upgrade to latest stable? 

Cheers,
/Joakim 
 
 -- 
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting



Re: Interface order and ipv6 routes

2009-10-22 Thread Joakim Aronius
* Stuart Henderson (s...@spacehopper.org) wrote:
 On 2009-10-18, Mats Erik Andersson ynglinga...@yahoo.se wrote:
  I face a tricky problem when OpenBSD 4.4 initiates interfaces
  with ipv6 addresses. My setting is a router supposed to route
  ipv6 traffic __without__ tunneling:
 
rl0:   exterior interface with static stateful ipv6-adress
 
fxp0:  first interior interface with static, stateful ipv6-address
xl0:   second interior interface with static, stateful ipv6-address.
 
  They are all assigned a static inet6 alias in their hostname.if files,
  the addresses being assign from my ipv6 net of length 64.
 
 you're putting addresses from one single subnet onto multiple interfaces.
 just as with ipv4, this is a problem.
 
 ipv6 is designed so that subnets are /64.
 if you're running multiple v6 subnets you should have more than a /64.
 
 your provider /should/ (but might not) accommodate this request and
 give you a /48 or /56 or something..
 
 if this is really not possible, you will be in for a messy setup,
 probably including bridging. I'd go for a tunnel to a saner provider
 rather than do that...

Yes. HE probably does a similar setup to Sixxs, where you are first allocated a 
/64 which is for the tunnel only. When it is up and running you can request a 
/48 which you use at your site (with /64s as internal subnets). In the case of 
Sixxs they also block all addresses from your tunnel /64 except for your tunnel 
endpoint (::2), so the rest of the addresses cannot be used; this might also be 
the case for HE.

Cheers,
/J



Re: autowhitelister for spamd needs testing

2009-04-23 Thread Joakim Aronius
Yeah, this is useful for manually maintaining a list of domains for which you 
want to check SPF records and update the whitelist, i.e. domains such as 
hotmail.com and google.com which fulfill the following requirements:
a) use round-robin sending mailservers
b) are somewhat trusted

I do this with scripts today (including one from you Daniel :)

/J

* Daniel Ouellet (dan...@presscom.net) wrote:
 Dave Anderson wrote:
 On Wed, 22 Apr 2009, jared r r spiegel wrote:

 On Thu, Apr 23, 2009 at 12:30:28AM +, Stuart Henderson wrote:

 I see a tiny little problem with this method... sometimes people send
 spam from domains whose DNS they control.
  +1

  i think part of the success i experience using SPF as a means to create
  whitelists is in the fact that i maintain the list of domains i fancy
  whitelisting.  unfortunately, it would be trivial for someone to take
  advantage of an spf-based automatic whitelist to slip right on thru
  spamd(8).

  it's a pisser.

 What might make sense is to alter the script to generate a list of
 canditates for whitelisting, but only apply any of them after they are
 manually approved.

 Or maybe allow a list that the script could check against to make the 
 changes, which would achieve the user's intended results and at the same 
 time eliminate the possibility of one domain adding its own records if 
 that's not restricted.

 Like you could create a google.com in the list and that would allow 
 connections from google to be automatically added via the SPF records, 
 but no others would unless you manually add their name to the allow auto 
 extension of the SPF name list.

 Just a thought, not sure it's the best idea, but that's one way to keep  
 it automatic like intended to be use.

 Daniel
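The manually maintained SPF whitelist discussed above (check the SPF records of hand-picked, somewhat trusted round-robin senders, never of arbitrary domains), as an added example that is not part of the thread and not any poster's script: it expands only operator-approved domains, follows include/redirect within the RFC 7208 lookup limit, refuses records that would whitelist everyone, and emits candidates for review rather than applying them. DNS is replaced by a constructed in-memory table, so every domain name and address below is invented test data.

```python
"""Expand the SPF records of hand-approved domains into address ranges that
can be reviewed before they are added to a spamd whitelist.

Constructed example: DNS is replaced by an in-memory table so the script runs
offline; the domains and records below are invented test data."""
import ipaddress

# Stand-in for TXT lookups (constructed, hypothetical records).
FAKE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.com -all"],
    "_spf.example.com": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "example.net": ["v=spf1 redirect=_spf.example.com"],
    "loop.test": ["v=spf1 include:loop.test -all"],   # include cycle
    "mx.test": ["v=spf1 mx a -all"],                   # needs live A/MX lookups
    "open.test": ["v=spf1 +all"],                      # would whitelist the world
    "plain.test": ["some unrelated txt record"],       # no SPF record at all
}

MAX_LOOKUPS = 10   # RFC 7208 limit on DNS-querying terms per evaluation


class SpfError(Exception):
    pass


def lookup_txt(domain):
    """Swap in a real resolver (e.g. dnspython) to run this against live DNS."""
    return FAKE_TXT.get(domain, [])


def spf_record(domain):
    recs = [r for r in lookup_txt(domain) if r.lower().split()[:1] == ["v=spf1"]]
    if len(recs) != 1:
        raise SpfError(f"{domain}: expected one SPF record, found {len(recs)}")
    return recs[0]


def expand_spf(domain, path=(), budget=None):
    """Return (networks, unresolved) for domain's SPF record.

    networks   - ip_network objects from ip4:/ip6: terms with a pass qualifier,
                 following include: and redirect= recursively
    unresolved - terms (a, mx, ptr, exists) that need live DNS, as 'term@domain'
    Only pass-qualified terms count: '-', '~' and '?' never designate senders
    the domain vouches for, so they must not end up in a whitelist."""
    if domain in path:
        raise SpfError(f"{domain}: include/redirect loop via {' -> '.join(path)}")
    budget = {"left": MAX_LOOKUPS} if budget is None else budget
    networks, unresolved, redirect = set(), [], None

    def follow(target):
        budget["left"] -= 1
        if budget["left"] < 0:
            raise SpfError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups")
        nets, unres = expand_spf(target, path + (domain,), budget)
        networks.update(nets)
        unresolved.extend(unres)

    for term in spf_record(domain).split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if "=" in term:              # other modifiers (exp=, ...) carry no senders
            continue
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if qualifier != "+":
            continue
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            networks.add(ipaddress.ip_network(arg, strict=False))
        elif name == "include":
            follow(arg)
        elif name == "all":          # '+all' or bare 'all': the record trusts everyone
            raise SpfError(f"{domain}: +all would whitelist every host, refusing")
        else:
            unresolved.append(f"{mech}@{domain}")
    if redirect is not None:
        follow(redirect)
    return networks, unresolved


def whitelist_candidates(approved_domains):
    """Expand only domains an operator approved by hand: a sender's own SPF
    record must never be enough to get it whitelisted, because spammers
    control the DNS of the domains they send from.
    Returns ({domain: [cidr strings]}, [warnings]) for manual review."""
    candidates, warnings = {}, []
    for domain in sorted(set(approved_domains)):
        try:
            nets, unresolved = expand_spf(domain)
        except (SpfError, ValueError) as err:     # ValueError: malformed ip4:/ip6:
            warnings.append(str(err))
            continue
        ordered = sorted(nets, key=lambda n: (n.version, n))
        candidates[domain] = [str(n) for n in ordered]
        warnings.extend(f"{domain}: cannot expand '{u}' offline" for u in unresolved)
    return candidates, warnings


if __name__ == "__main__":
    cands, warns = whitelist_candidates(FAKE_TXT)     # approve all constructed domains
    for dom, nets in cands.items():
        print(dom, *nets)
    for w in warns:
        print("WARNING:", w)
```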



Re: Multiple layers of NAT

2009-04-22 Thread Joakim Aronius
* Michiel van Baak (mich...@vanbaak.info) wrote:
 On 09:06, Wed 22 Apr 09, Janne Johansson wrote:
  Lars Nooden wrote:
  Alexander Hall wrote:
  Lars Nooden wrote:
  Sometimes I have to set up a LAN inside a pre-existing NAT'd LAN and
  traffic from the inner LAN (B) does not make it to the Internet or even
  to final, external interface (4).
 
  I've searched around a bit and see there is something wrong (in general)
  with double NAT
 
  I don't know where you got that info from, but as long as each NAT is set  
  up correctly, there isn't any difference in being NATed once or five 
  times.
 
 I have seen trouble with 'double nat' too many times in the voip world
 to even bother with it anymore.

..and for some protocols you need ALGs in every NAT.
/jkm

 
 Ok, most of the times one of the nat devices was a DSL modem, and their
 implementation is,. interesting.
 
 
  In -> Out is the same, and as long as you set each NAT up right with the  
  forwards, Out -> In will be as good/bad as one NAT.
 
 
 -- 
 
 Michiel van Baak
 mich...@vanbaak.eu
 http://michiel.vanbaak.eu
 GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x71C946BD
 
 Why is it drug addicts and computer aficionados are both called users?



Re: Way to tell ftpd to log IP of remote host?

2009-04-21 Thread Joakim Aronius
Thanks!
/J

* Ingo Schwarze (schwa...@usta.de) wrote:
 Hi Mark,
 
 Mark Bucciarelli wrote on Fri, Mar 13, 2009 at 08:17:23AM -0500:
 
  Mar 13 08:52:01 crosscutmedia ftpd[1728]:
connection from pool-68-239-27-14.bos.east.verizon.net [68.239.27.14]
  Mar 13 08:52:09 crosscutmedia ftpd[4218]:
FTP LOGIN FROM pool-68-239-27-14.bos.east.verizon.net as google
  
  But now you have given me another reason not to upgrade.  ;P
 
 Huh, what?
 When you are upgrading your system, you are *not* doing me a favor.
 When you are *not* keeping your system up to date, you are doing
 the bad guys and gals a favor.  =;c)
 
 Besides, see
   http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ftpd/ftpd.c
 
 I just committed the feature, it will be in the next -current
 snapshot and in 4.6-release.  So, don't forget ordering the 4.6 CDs
 this autumn and doing the upgrade after November 1st.
 
 Also, upgrading to 4.5-stable and applying the source code patch
 ftpd.c rev 1.186 is safe.
 
 Yours,
   Ingo



Re: [landisk] a question for other users

2007-05-01 Thread Joakim Aronius
* Diana Eichert ([EMAIL PROTECTED]) wrote:
 I realize the landisk platform wasn't added until 4.1 and 4.1 is not yet 
 officially released on the ftp site, but I haven't seen much from other 
 users.  It wasn't that hard to download a miniroot, dd it to the landisk 
 hard drive, cvs src with OPENBSD_4_1 tag and build a release.
 
 Are there many of y'all out there?  It's a pretty cool platform to run DNS 
 servers, spamd traps and various other things on.
 
 I have a question for the developers.  Is there away to have the box 
 restart automagically after power loss?  Maybe it's a setting for the ROM 
 monitor on the box?  I don't know 'cause I've never actually run one of my 
 Plextors with the stuff it came with.  If I've missed something obvious 
 please feel free to hit me with a giant clue stick.
 
 diana

Hi Diana,

I just got mine (PX-EH16). There are settings for 'Wake on lan' and 'power save 
mode' but none resembling restart after power loss. 

I also got a cell phone USB cable but I have NO clue whatsoever as to where I 
should attach it... You referred to 'solder Rx/Tx/Gnd to the pins at the front 
of the board'; I don't seem to have any unused pins on the board. The board is 
marked CN7 in the front with a row of five holes. Any ideas?

Cheers,
/Joakim



Re: firefox 1.5.0.6 for openbsd

2006-08-04 Thread Joakim Aronius
kern.osrelease seems more appropriate.

Cheers,
/jkm
  
* Will Maier ([EMAIL PROTECTED]) wrote:
 On Thu, Aug 03, 2006 at 12:11:08PM -0400, David T Harris wrote:
  The easiest way to install firefox on OpenBSD or any other package
  (that is available from OpenBSD) is to download the package from
  the OpenBSD website (or a mirror) or the ftp mirrors.
 
 No, the easiest way is like so:
 
 $ man pkg_add
 [...]
 
 $ ftp ftp://ftp.openbsd.org/pub/OpenBSD/ftplist
 [choose a mirror]
 $ export PKG_PATH=ftp://your.mirror.com/pub/OpenBSD/$(sysctl -n 
 kern.version)/packages/$(machine)/
 $ sudo pkg_add -i your-package
 
 -- 
 
 o--{ Will Maier }--o
 | web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
 *--[ BSD Unix: Live Free or Die ]--*



Re: ssh attacks

2006-06-01 Thread Joakim Aronius
Why?

You say that you block SSH on 1, 2, 3 and then that you want to do something MORE 
on 4? You probably already have 'block all' and then allow ssh on one of your 
boxes, that's it.

Maybe you want an IDS system or an SSH tarpit, but this is not the job for pf. 
Tobias Ulmer made some good points in his mail, including 'this is stupid'.

Cheers,
/jkm

* Peter Fraser ([EMAIL PROTECTED]) wrote:
 Expect I was not clear.
 
 Someone is attacking address 1, address 2, address 3, those
 address are all blocked with respect to ssh. , but because he
 is attacking those addresses, I want to stop an expected attack
 on address 4. I never want to pass ssh on address 1, address 2
 or address 3 ever, I want to use the information that someone
 was trying to ssh to those address to identify person as
 an attacker.
 
 
 -Original Message-
 From: Matthias Kilian [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, May 31, 2006 3:02 PM
 To: Peter Fraser
 Cc: misc@openbsd.org
 Subject: Re: ssh attacks
 
 On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote:
  block in on Outsize proto tcp port ssh flags S/SA 
   state (max-src-conn-rate 100/10, overload bad_hosts flush global)
  
  This does not work. One gets a message that keeping state on
  a blocked run makes no sense.
 
 See the example on overload at
 http://www.openbsd.org/faq/pf/filter.html#stateopts
 
 Basically, you pass and just block verything from bad_hosts in a
 separate rule.
 
 Ciao,
   Kili



Re: FTP download/CD sales ratio

2006-05-31 Thread Joakim Aronius
Ordering from Wim (kd85.org) works great, there is no point in using other 
resellers than the two alternatives on openbsd.org. 

/jkm
 
* Henrik Borgh ([EMAIL PROTECTED]) wrote:
 On 5/4/06, Michael Erdely [EMAIL PROTECTED] wrote:
 As soon as you see pre-orders are up, order.  I did
 and have had my 3.9 CDs for a couple weeks now.  For me, not wanting to
 build all the packages I use, I only wait until release day to download
 the rest of the packages (from a mirror).
 
 Except that not all resellers are eqully fast. Neither of the danish
 resellers has announced having OpenBSD 3.9, and i'm not sure that they
 differs from so many other resellers.
 So i guess that one have to order the CD-ROM's from kd85.com or
 computershop.ca, to be sure to have them, on at least the release day.
 
 -- 
 Regards
 Henrik



Re: ftp-proxy isssues

2006-05-11 Thread Joakim Aronius
Hi,

Your complete pf.conf and the relevant pf log entries would be helpful. I had 
the same problem after upgrading to 3.9. It turned out to be an old antispoof rule 
in my (then) too messy pf.conf which blocked incoming traffic on the external 
interface with a destination address on the internal NATed network. It seems like 
the current ftp-proxy setup translates the destination IP to the internal network 
and then it passes the external interface again. Following the PF FAQ should 
solve the problem, so check your other rules too.

Cheers,
/Joakim

* [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
 -Camiel Dobbelaar [EMAIL PROTECTED] wrote: -
 
 
 To: [EMAIL PROTECTED]
 From: Camiel Dobbelaar [EMAIL PROTECTED]
 Date: 05/11/2006 07:33AM
 cc: misc@openbsd.org
 Subject: Re: ftp-proxy isssues
 
 
 
 On Thu, 11 May 2006, [EMAIL PROTECTED] wrote:
  rdr on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
 
 CYou need this.
 
  pass in on $ext_if inet proto tcp from any \
to $ext_if port 55000 >< 57000 user proxy \
flags S/SA keep state
 
 CYou don't need this anymore.
 
 Ah, okay, how come i don't need this anymore, i must be missing and not
 understanding the matters properly.
 
  How can i transform all this into the anchor stuff?
  All rules within one anchor?? Since bracets aren't used in any example,
 how
  do i know which rules are in an anchor and which aren't?
  How to fit the pass in in the anchor?
 
 CYou just put the three anchors in pf.conf, literally:
 Cnat-anchor ftp-proxy/*
 Crdr-anchor ftp-proxy/*
 Canchor ftp-proxy/*
 
 CIt's the proxy's job to load rules in them, on the fly.
 
  I don't need a pass out rule, since this is implicitly the case by the
  floating policy and pass out statement i wouldnt need a anchor
  ftp-proxy/* statement at all
 
 CThe manpage explicitly says that all anchors are mandatory.
 
  this is how i understand it, seperate connections, not natting or
  redirecting connections, because that wouldn't be proxying at all.
  Or maybe it's not proxyied, i just don't know.
 
 CIt proxies the control connection, but not the data connections.
 
 CSince you know about the anchors and therefore that ftp-proxy has
 Cchanged
 CI must ask: which documentation did you follow and what was unclear?
 CMaybe that needs fixing.
 
 The page that triggered me was this one:
 
 http://www.openbsd.org/39.html
 ftp-proxy has been rewritten, and a tftp version, tftp-proxy, has been
 added
 
 Then i clicked to this link:
 
 http://www.openbsd.org/cgi-bin/man.cgi?query=ftp-proxysektion=8
 
 The man page of ftp-proxy.
 Unclear from the man page was that i don't need the pass in's anymore as
 you mentioned before, i still don't understand why.
 I also clicked on the pf.conf man page:
 
 http://www.openbsd.org/cgi-bin/man.cgi?query=pf.confsektion=5arch=apropos=0manpath=OpenBSD+Current
 
 
 In the anchor section i saw this:
 
 ext_if = kue0
block on $ext_if all
anchor spam
pass out on $ext_if all keep state
pass in on $ext_if proto tcp from any \
  to $ext_if port smtp keep state
 
 Okay, but then, which rules fall under the anchor section spam and which
 don't, it would be more clear like this:
 
 ext_if = kue0
block on $ext_if all
anchor spam {
pass out on $ext_if all keep state
pass in on $ext_if proto tcp from any \
  to $ext_if port smtp keep state }
 
 That way i'd know that both two pass rules belongs to the anchor spam, but
 in the example i cannot conclude that.
 
 Also in the same man page from pf.conf i read this:
 
 # NO RDR
  no rdr on $int_if proto { tcp, udp } from any to $server port 80
  no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
  rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \
port 80
 
 This longer example uses both a NAT and a redirection.  The external
 interface has the address 157.161.48.183.  On localhost, we are running
 ftp-proxy(8), waiting for FTP sessions to be redirected to it.  The three
 mandatory anchors for ftp-proxy(8) are omitted from this example; see the
 ftp-proxy(8) manpage.
 
 Forgive the layout, i know it's a mess
 Here the three mandatory anchors are also mentioned, but i thought that the
 examples would lead to an error in my case because with the last anchor i
 would have no pass rule like this from the ftp-proxy man page:
 
 anchor ftp-proxy/*
pass out proto tcp from $proxy to any port 21 keep state
 
 I thought that with an anchor i would also need a rule attached to it.
 Regards,
 
 Reinoud.
 
 -- 
 Cam



Re: Wireless NIC for soekris 4801

2006-04-21 Thread Joakim Aronius
Hi,

Note that the PCI slot is 3.3V only; most WiFi PCI cards I have looked at are 
5V. My guess is that you have to go with MiniPCI (but I might be wrong). 

Cheers,
/Joakim

* Lasse Bach ([EMAIL PROTECTED]) wrote:
 Hi all,
 
 I wrote a message about OpenBSD hardware recommendations some time ago.
 As I said I was going to buy a wireless NIC for an OpenBSD box.
 Well, the box is a soekris 4801 which is going to act as an wireless router.
 
 
 Does anyone have any HW recommendations on that and should it be PCI or 
 MiniPCI?
 
 
 Thanks in advance
 
 
Lasse Bach



Re: upgrade halted

2006-04-19 Thread Joakim Aronius
* Joachim Schipper ([EMAIL PROTECTED]) wrote:
 On Wed, Apr 19, 2006 at 04:22:06PM +0200, Jasper Bal wrote:
  Any hints? Did I do something wrong? Is there a fix? Or do I have to 
  travel 400 km?
 
 Is sendmail listening to incoming connections? If so, you might have a
 chance to exploit it to gain (more/root) access. I can't help you here,
 but securityfocus.com does claim to have a PoC:
 http://www.securityfocus.com/bid/17192/info. No idea if it works,
 though, and OpenBSD's security enhancements are unlikely to be very
 helpful here. Of course, that's sort of the point...

Yeah, I think we all would be better off running a less secure OS. Then we could 
hack it when we screw up like this. I bet you got this tip from some Linux forum 
(couldn't help that :)

Almost everyone that has used remote/headless machines for some time has 
locked themselves out for stupid reasons: upgrade, changing pf rules etc. (been 
there :P) It really helps having two machines sharing a serial cable when 
something like this happens..

I would say that all suggestions so far in this thread are examples of actions 
that a secure OS should prevent.

Good luck anyway, hope it works out.

/Joakim

 
 The one other security problem is only useful if you can get scp to try
 to work with strange filenames, and that's not very likely, is it?
 
 Since you have syslog access (further upthread - via FTP, I presume),
 what does the system say when you try to log in as root (over FTP? over
 SSH?)?
 
   Joachim



Re: Going nuts with wireless (ath(4) in this case)

2006-04-01 Thread Joakim Aronius
Hi,

I couldn't find any decent ath based cards either so I got a couple of ral 
instead. Works ok on 3.8 except that hostap hangs the box sometimes (bummer) but 
that seems to be fixed in 3.9. Ralink also seems to be one of few decent 
companies that release documentation. I don't buy anything from DLink and I 
stay away from Netgear for wireless stuff.

Cheers,
/Joakim

* Moritz Grimm ([EMAIL PROTECTED]) wrote:
 Hello,
 
 
 today, I wasted tons of money (from my perspective) ... First, I bought 
 a D-Link DWL-G650. Turns out it was revision C with an AR5213 on it ... 
 the driver complained about the RF radio not being supported. After lots 
 of whining in the store, I got to replace it with a Netgear WG511T. 
 Before breaking any seals of the packaging, I called Netgear tech 
 support to ask for what they built into this card, with s/n 
 foo-blah-bar. Turns out they couldn't tell, really, so I asked whether 
 there are any different revisions of that card, i.e. whether it ever 
 changed. They say no, it's been always the same and I figured that was 
 good enough. Oh well, I thought wrong. Same AR5213, same unsupported RF 
 radio. ARGH! No way I'm going to be able to get this one replaced, with 
 broken seals in the package.
 
 It seems that it's virtually impossible to get a working/supported 
 wireless card these days ... damn those vendors who change hardware 
 without notice, and damn Netgear for lying to me. :-(( And not to 
 mention that useless, new wireless bridge that is doing nothing ... at 
 least it has 3 shiny blue LEDs.
 
 Now I figured, what the hell; let's try and make it supported. My 
 wishful thinking and simply cranking the supported revisions of ath(4) 
 allowed the driver to attach, but that's as far as it goes. I can mess 
 around with ifconfig, setting any channel other than 6 isn't possible 
 and I'm getting this should not happen-errors.
 
 Since I was too stupid to save the kernel output earlier, it's now 
 garbled ... impressive, how stuff in memory survives power-cycles in 
 dmesg (all the numbers are okay, otherwise I wouldn't bother pasting this:)
 
 A4heros C/mmunications, In\M-c., AR5001--, Wireless LAN 
 Reference Card
 : irq 11
 ath0: AR5213 7.9 phy 4.5 rf2112a 5.6 FCC2A*, address 00:0f:b5:ef:5e:a0
 ath0: device timeowt
 ar5k_ar5212_nic_wakeup: failed to resume |he AR5212 (acain)
 avh0: Unable to reset h\M-ardware; hal status 3671035180
 ath0: device timeowt
 [...]
 
 :-)
 
 My experimentation did some weird stuff to OpenBSD, which is why I'm 
 running a sane kernel again.
 
 Anyways, I'm obviously not getting anywhere, and driver hacking still is 
 a closed book to me. However, I'm quite interested in learning more, or 
 at least try and help someone who's further down this road by testing 
 patches etc. In case I'm alone with this, I'd highly appreciate some 
 pointers on how to get started. I don't remember, was Atheros a nice or 
 an evil company? How can I get the information I need to get this to work?
 
 Thanks for your time,
 
 
 Moritz



Re: iwlist scan equivalent command under OpenBSD

2006-02-17 Thread Joakim Aronius
Also note the difference between ifconfig -M run with user and superuser 
permissions; sudo ifconfig -M <if> is what you want.

/jkm

* Nikolai N. Fetissov ([EMAIL PROTECTED]) wrote:
 On Thu, February 16, 2006 11:17 am, Ramiro Aceves wrote:
  Hi OpenBSD fans.
 
  I have been googling around and have not been able to solve this
  question. ?How can one discover what wireless networks are available
  under OpenBSD?
  I am used to the iwlist scan eth0 under Linux, and I hate to halt
  OpenBSD and boot Linux only to discover the networks, then come back
  and start OpenBSD again to continue the configuration. What is the
  OpenBSD equivalent to Linux iwlist?
 
  Anyway, my Intel 2200 card is recogniced very well under OpenBSD with
  iwi driver.
 
  Thank you very much in advance.
 
  Ramiro.
 
 
 ifconfig -M
 
 see ifconfig(8)
 -- 
  nikolai



Re: Ralink - device timeout

2006-01-23 Thread Joakim Aronius
Hi Anders,

From your dmesg:
pcibios0 at bios0: rev 2.1 @ 0xfd7a0/0x860

From RAL(4)
CAVEATS
 PCI ral adapters seem to strictly require a system supporting PCI 2.2 or
 greater and will likely not work in systems based on older revisions of
 the PCI specification.

/jkm

* Anders Normann ([EMAIL PROTECTED]) wrote:
 For about a month now I have been trying to get my Ralink PCI card 
 working under OpenBSD - I have had it working under FreeBSD, but could 
 not get my wireless mouse working there. I a last effort to figure out 
 why Ralink isn't working on my Fujitsu-Siemens Amilo L7300 laptop I have 
 to ask the list: How can I get the card working?
 
 Have Googled and the only answer I find is: This should not happen 
 when searching for my error message: ral0:device timeout
 
 I enclose dmesg and ifconfig ral0.
 
 Ifconfig ral0: ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> 
 mtu 1500
lladdr 00:14:a5:0b:85:2b
media: IEEE802.11 autoselect (DS1 mode 11g)
status: no network
ieee80211: nwid myhome nwkey 0xmystring 100dBm
inet 192.168.2.10 netmask 0xff00 broadcast 192.168.2.255
inet6 fe80::214:a5ff:fe0b:852b%ral0 prefixlen 64 scopeid 0x1
 
 dmesg:
 OpenBSD 3.9-beta (GENERIC) #0: Sun Jan 22 20:31:54 CET 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Intel(R) Celeron(R) M processor 1.50GHz (GenuineIntel 686-class) 
 1.50 GHz
 cpu0: 
 FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF
 real mem  = 468230144 (457256K)
 avail mem = 420065280 (410220K)
 using 4278 buffers containing 23515136 bytes (22964K) of memory
 mainbus0 (root)
 bios0 at mainbus0: AT/286+(a9) BIOS, date 05/06/05, BIOS32 rev. 0 @ 0xfd7a0
 pcibios0 at bios0: rev 2.1 @ 0xfd7a0/0x860
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf50/144 (7 entries)
 pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT82C596A ISA rev 0x00)
 pcibios0: PCI bus #2 is the last bus
 bios0: ROM list: 0xc/0xf400 0xd/0x8000!
 cpu0 at mainbus0
 pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
 pchb0 at pci0 dev 0 function 0 VIA PM800 AGP rev 0x00
 pchb1 at pci0 dev 0 function 1 VIA PM800 Errors rev 0x00
 pchb2 at pci0 dev 0 function 2 VIA PM800 Host rev 0x00
 pchb3 at pci0 dev 0 function 3 VIA PM800 DRAM rev 0x00
 pchb4 at pci0 dev 0 function 4 VIA PM800 PMC rev 0x00
 pchb5 at pci0 dev 0 function 7 VIA PM800 PCI rev 0x00
 ppb0 at pci0 dev 1 function 0 VIA VT8377 PCI-PCI rev 0x00
 pci1 at ppb0 bus 1
 vga1 at pci1 dev 0 function 0 VIA PM800 Unichrome S3 rev 0x02: 
 aperture at 0xf000, size 0x1000
 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 ral0 at pci0 dev 6 function 0 Ralink RT2560 rev 0x01: irq 11, address 
 00:14:a5:0b:85:2b
 ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
 cbb0 at pci0 dev 12 function 0 ENE CB-1410 CardBus rev 0x01: irq 10
 uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x80: irq 7
 usb0 at uhci0: USB revision 1.0
 uhub0 at usb0
 uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
 uhub0: 2 ports with 2 removable, self powered
 uhci1 at pci0 dev 16 function 1 VIA VT83C572 USB rev 0x80: irq 10
 usb1 at uhci1: USB revision 1.0
 uhub1 at usb1
 uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
 uhub1: 2 ports with 2 removable, self powered
 ehci0 at pci0 dev 16 function 3 VIA VT6202 USB rev 0x82: irq 11
 usb2 at ehci0: USB revision 2.0
 uhub2 at usb2
 uhub2: VIA EHCI root hub, rev 2.00/1.00, addr 1
 uhub2: 4 ports with 4 removable, self powered
 viapm0 at pci0 dev 17 function 0 VIA VT8235 ISA rev 0x00
 iic0 at viapm0
 pciide0 at pci0 dev 17 function 1 VIA VT82C571 IDE rev 0x06: ATA133, 
 channel 0 configured to compatibility, channel 1 configured to compatibility
 wd0 at pciide0 channel 0 drive 0: ST9808210A
 wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
 wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
 atapiscsi0 at pciide0 channel 1 drive 0
 scsibus0 at atapiscsi0: 2 targets
 cd0 at scsibus0 targ 0 lun 0: _NEC, DVD+-RW ND-6650A, 1.42 SCSI0 
 5/cdrom removable
 cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
 auvia0 at pci0 dev 17 function 5 VIA VT8233 AC97 rev 0x50: irq 11
 ac97: codec id 0x414c4760 (Avance Logic ALC655)
 audio0 at auvia0
 VIA VT82C686 Modem rev 0x80 at pci0 dev 17 function 6 not configured
 vr0 at pci0 dev 18 function 0 VIA RhineII-2 rev 0x74: irq 7, address 
 00:40:ca:d3:ff:43
 ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 10: OUI 
 0x0a, model 0x4063
 cardslot0 at cbb0 slot 0 flags 0
 cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0x40
 pcmcia0 at cardslot0
 isa0 at mainbus0
 isadma0 at isa0
 pckbc0 at isa0 port 0x60/5
 pckbd0 at pckbc0 (kbd slot)
 pckbc0: using irq 1 for kbd slot
 wskbd0 at pckbd0: console keyboard, using wsdisplay0
 pms0 at pckbc0 (aux slot)
 pckbc0: using irq 12 for aux slot
 wsmouse0 at pms0 mux 0
 pcppi0 at isa0 port 0x61
 midi0 at pcppi0: PC speaker
 

Re: Ralink - device timeout

2006-01-23 Thread Joakim Aronius
* Jonathan Gray ([EMAIL PROTECTED]) wrote:
 On Mon, Jan 23, 2006 at 12:36:46PM +0100, Joakim Aronius wrote:
  Hi Anders,
  
  From your dmesg:
  pcibios0 at bios0: rev 2.1 @ 0xfd7a0/0x860
  
  From RAL(4)
  CAVEATS
   PCI ral adapters seem to strictly require a system supporting PCI 2.2 
  or
   greater and will likely not work in systems based on older revisions of
   the PCI specification.
  
  /jkm
 
 I keep saying this no one listens.
 The pcibios string does _not_ indicate PCI 2.2 compliance or not.
 If you have a system that can't deal with the 3V PCI 2.2+ cards
 and you put a ral in it, it will not post.

Oh. And how does one know if the system can handle 3V PCI 2.2+ cards? Any hint 
in the dmesg or do I need to dig up the mobo manual?

/jkm



Re: Ralink - device timeout

2006-01-23 Thread Joakim Aronius
I had the same problem, worked on it for a while, was pointed at the Caveats 
section of the man page and gave up. I just found the mobo documentation at 
Dell and my system should support PCI 2.2, so I guess it should have worked.. As 
I remember the interface seemed to be up but it was not possible to send any 
traffic. I returned my card so I can't do any further testing.

/jkm

* Anders Normann ([EMAIL PROTECTED]) wrote:
 Joakim Aronius skrev:
 Hi Anders,
 
 From your dmesg:
 pcibios0 at bios0: rev 2.1 @ 0xfd7a0/0x860
 
 From RAL(4)
 CAVEATS
  PCI ral adapters seem to strictly require a system supporting PCI 2.2 
  or
  greater and will likely not work in systems based on older revisions 
  of
  the PCI specification.
 
 /jkm
   
 Yes have seen that, but ont the other hand, this card works under 
 FreeBSD and Windows so fail to see that this is the reason unless the 
 RAL driver has been used in a different way in OpenBSD than in FreeBSD. 
 That may be the case as the procedures for making it work are different.
 
 I do want to have a BSD alternative to Windows, but am at a loss as to 
 reach the goal. Is it easier to get my mouse working under FreeBSD than 
 the Ralink card under OpenBSD?
 * Anders Normann ([EMAIL PROTECTED]) wrote:
   
 For about a month now I have been trying to get my Ralink PCI card 
 working under OpenBSD - I have had it working under FreeBSD, but could 
 not get my wireless mouse working there. I a last effort to figure out 
 why Ralink isn't working on my Fujitsu-Siemens Amilo L7300 laptop I have 
 to ask the list: How can I get the card working?



Re: redirecting domain names

2006-01-22 Thread Joakim Aronius
Hi,

I use DNS to solve this too. Got my list from http://pgl.yoyo.org/adservers/ 
which can generate config files in a bunch of different formats. Works great.

Cheers,
/jkm

* Nick Holland ([EMAIL PROTECTED]) wrote:
 Stuart Henderson wrote:
  On 2006/01/22 12:39, Peter Fraser wrote:
  Rather than going to each machine an installing
  this hosts file in \windows\system32\drivers\etc
  I would rather have my firewall block these
  names instead.
  
  Please note the blocking has to be done on the name,
  not the ip address.
  
  You'll need to use a web proxy for this.
 
 
 You COULD use a proxy for this (actually, it would have to be a more
 general proxy, not just web), but you can do this in simpler ways, too
 (which I would argue are at least as effective in real life as the
 more technically perfect proxy system).  Just set up a poisoned DNS
 resolver to mangle resolution of any domain or subdomain you don't want
 people going to, which is what you are doing in a machine-by-machine
 basis with a hosts file:
 
   http://www.holland-consulting.net/tech/imblock.html
 
 I'm very fond of this idea of DNS mangling, both to eliminate things I
 find personally annoying, plus as an aid for managing other people's
 computers.  See the Disadvantages section in that article for a list
 of limitations and disclaimers.
 
 Nick.
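An added example, not code from either post above or from Nick's article: it converts a blocklist in hosts-file format (one of the formats pgl.yoyo.org offers) into unbound(8) local-zone statements, so one resolver answers for the blocked names instead of every machine carrying its own hosts file. The sample hosts text, the function names, the sink address and the choice of unbound as the resolver are my assumptions.

```python
"""Convert a hosts-format blocklist into unbound(8) local-zone/local-data
lines so the resolver sinkholes the listed names (and their subdomains).
Constructed example: the sample list and function names are assumptions."""
import re
import ipaddress

# "ADDR NAME [NAME...] [# comment]"; the lazy names group stops before a comment.
HOSTS_LINE = re.compile(r"^\s*(?P<addr>\S+)\s+(?P<names>[^#]+?)\s*(#.*)?$")

# Names every hosts file carries and which must never be sinkholed.
SKIP = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


def parse_hosts_blocklist(text):
    """Return the sorted, de-duplicated hostnames from hosts-format text."""
    names = set()
    for line in text.splitlines():
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue  # comment or junk, not a hosts entry
        for name in m.group("names").split():
            name = name.lower().rstrip(".")
            if name and name not in SKIP:
                names.add(name)
    return sorted(names)


def unbound_local_zones(names, sink="0.0.0.0"):
    """Lines for the 'server:' section of unbound.conf. A 'redirect' zone
    answers for the name and every subdomain, so ads.example.net also
    covers cdn.ads.example.net, which a hosts file cannot do."""
    out = []
    for name in names:
        out.append('local-zone: "%s" redirect' % name)
        out.append('local-data: "%s A %s"' % (name, sink))
    return out


# Constructed sample in hosts format (not a real list).
SAMPLE_HOSTS = """\
# constructed blocklist
127.0.0.1 localhost
::1       localhost ip6-localhost
127.0.0.1 ads.example.net
127.0.0.1 tracker.example.org  # counts page views
127.0.0.1 ADS.example.net
"""

if __name__ == "__main__":
    for line in unbound_local_zones(parse_hosts_blocklist(SAMPLE_HOSTS)):
        print(line)
```

Feed the output into the `server:` section of unbound.conf and reload; clients that bypass the resolver by using their own DNS server or a hosts-format override still get through, which is the same limitation Nick's article lists under Disadvantages.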



Re: Apache logs filled with remote exploit trials

2006-01-16 Thread Joakim Aronius
Hi,

Implemented these rewrite rules a while ago (think someone on this list 
suggested it):

<IfModule mod_rewrite.c>
  RewriteEngine on
#  RewriteLog logs/rewrite.log
#  RewriteLogLevel 1
  # RedirectMatch is provided by mod_alias, not mod_rewrite; the IfModule
  # guard above only checks that mod_rewrite is loaded.
  RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)root.exe(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/FormMail(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/Formmail(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/cgi-bin(.*)$ http://www.dhs.gov
  RedirectMatch permanent (.*)\/xmlrpc(.*)$ http://www.dhs.gov
</IfModule>

Takes care of almost all of the crap.. Now and then something new pops up, such 
as xmlrpc.

Cheers,
/jkm

* Didier Wiroth ([EMAIL PROTECTED]) wrote:
 Hello,
 
 My apache logs are filled with these kinds of attacks:
 [Sun Jan 15 20:53:19 2006] [error] [client 69.60.121.159] File does not
 exist: /htdocs/drupal/xmlrpc.php
 [Sun Jan 15 20:53:20 2006] [error] [client 69.60.121.159] File does not
 exist: /htdocs/phpgroupware/xmlrpc.php
 [Sun Jan 15 20:53:21 2006] [error] [client 69.60.121.159] File does not
 exist: /htdocs/wordpress/xmlrpc.php
 [Sun Jan 15 20:53:22 2006] [error] [client 69.60.121.159] File does not
 exist: /htdocs/xmlrpc.php
 [Sun Jan 15 20:53:23 2006] [error] [client 69.60.121.159] File does not
 exist: /htdocs/xmlrpc/xmlrpc.php
 [Sun Jan 15 20:53:24 2006] [error] [client 69.60.121.159] File does not
 exist: /htdocs/xmlsrv/xmlrpc.php
 
 How do you handle these kinds of attacks?
 
 How or what do I have to use to dynamically block client IPs that try
 these types of attacks?
 
 Thank you very much
 Didier



Re: theo (fwd)

2005-12-01 Thread Joakim Aronius
Second that.

Just ignore personal mails sent to misc@, theo is perfectly capable of 
answering mails, if he wishes to.

Let's try to keep the signal to noise ratio on a decent level, keep OT mails 
off-list.

Cheers,
/jkm
 
* Kevin R ([EMAIL PROTECTED]) wrote:
 [snip]
  The only thing that spoils OpenBSD is ...
 
 This is a good example of a thread unnecessarily getting out of control.
 How about everyone following a few simple guidelines:
 
 1. Read the entire FAQ before posting
 
 2. If a message is poorly posted for reasons like:
  - you should have read the FAQ before posting
  - no, we don't and probably never will support your old hardware
  - you forgot to include a dmesg and proper diagnostics, etc...
 Then a simple one line reply indicating this would suffice.
 
 3. Respect each other's knowledge or lack thereof
 Google can't help you if you don't know what you're looking for and end up
 with 1000's of sites that don't match your problem. 
 
 It takes far more effort to whine and complain about a post than to provide
 simple feedback on what they could/should have done.  At the very least,
 remind them to re-read http://www.openbsd.org/mail.html
 
 A newbie to the list won't understand the nuances of a poorly written post -
 but if he's treated with respect he may buy CDs and tell all his friends.
 
 If you can't say anything nice... don't say anything at all.



Re: OpenBSD's 10th birthday

2005-10-18 Thread Joakim Aronius
 Congrats from Mongolia.

and Happy birthday from Sweden!

Cheers,
/Joakim



Re: is there a way to block sshd trolling?

2005-09-27 Thread Joakim Aronius
I second that. Blocking ssh access from Linux hosts removes 95% of these 
attacks. Simple and effective.

# Passive OS fingerprinting only works on TCP SYN packets, so the rule is
# restricted to tcp (ssh is tcp-only anyway); the label must be quoted.
block drop in log quick on $ext_if proto tcp from any os Linux to any \
    port ssh label "Block ssh from Linux hosts"

/jkm

* Nick Ryan ([EMAIL PROTECTED]) wrote:
 You could use pf to block linux ssh access.
 
 block in log quick on $EXT_IF inet proto tcp from any os Linux to port \
 22 label "Blocked Linux ssh access"
 
 That'll reduce it quite a lot.
 
 
 
 John Marten wrote:
 
 You know what i mean? Every day I get some script kiddie, or adult
 trying to guess usernames or passwords.
 I've installed the newest version of SSH, so i'm covered there. But I
 still get a dozen or 2 of the
 sshd Invalid user somename from ###.##.##.###
 input_userauth_request: ivalid user somename
 Failed password for invalid user somename
 Recieved disconnect from ###.##.##.###
 Someone told me to add a 'block in quick on $net inet proto {tcp,udp}
 from ###.##.##.### to any flags S/SA'
 entry in my pf.conf file. But if I had do that for every hacker my
 pf.conf would be huge!
 There's got to be a better way, and I'm open to suggestions.
 
 
 John F. Marten III
 
 Information Technology Specialist
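An added example, not code from any post in this thread or in the Apache thread above: it answers Didier's question about blocking sources dynamically for both kinds of noise. It parses the Apache error_log lines he quoted and sshd "Invalid user" lines like John's, counts probes per source address, and prints the pfctl commands that load repeat offenders into a pf table. It assumes pf.conf carries `table <scanners> persist` and a rule referencing the table; the table name, the threshold, the sshd sample lines and the addresses 192.0.2.10 and 198.51.100.5 are constructed.

```python
"""Count scanner probes per source address from Apache error_log and sshd
log lines, and emit pfctl commands for the sources at or over a threshold.
Constructed example; assumes pf.conf has 'table <scanners> persist' and
something like 'block in quick from <scanners>'."""
import re
from collections import Counter

# Apache error_log line in the form quoted in the Apache thread.
APACHE_RE = re.compile(
    r"^\[[^\]]+\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"File does not exist: (?P<path>\S+)$")
# sshd line in the form quoted in this thread ("Invalid user NAME from ADDR").
SSHD_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")

# Path fragments from the RedirectMatch list in the Apache thread. Matching is
# case-insensitive, so one entry covers msadc/MSADC and FormMail/Formmail.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"cmd\.exe", r"root\.exe", r"/_vti_bin/", r"/scripts/\.\.",
    r"/_mem_bin/", r"/msadc/", r"/c/winnt/", r"/d/winnt/",
    r"/x90/", r"/formmail", r"/xmlrpc",
)]


def classify(line):
    """Return (source_ip, kind) for a probe line, or None for anything else.
    kind is 'web' for a scanner path in the Apache log, 'ssh' for an sshd guess."""
    m = APACHE_RE.match(line)
    if m:
        if any(p.search(m.group("path")) for p in PROBE_PATTERNS):
            return m.group("ip"), "web"
        return None  # an ordinary 404 is not evidence of scanning
    m = SSHD_RE.search(line)
    if m:
        return m.group("ip"), "ssh"
    return None


def count_probes(lines):
    """Counter keyed by (ip, kind)."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit is not None:
            counts[hit] += 1
    return counts


def pf_table_commands(counts, threshold, table="scanners"):
    """pfctl commands for every source whose probes, web and ssh combined,
    reach the threshold. Returned, not executed, so the caller decides."""
    per_ip = Counter()
    for (ip, _kind), n in counts.items():
        per_ip[ip] += n
    offenders = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return ["pfctl -t %s -T add %s" % (table, ip) for ip in offenders]


# Constructed sample: the six lines Didier quoted (rejoined onto one line
# each), one legitimate 404 from 198.51.100.5, three sshd guesses from 192.0.2.10.
SAMPLE_LINES = [
    "[Sun Jan 15 20:53:19 2006] [error] [client 69.60.121.159] File does not exist: /htdocs/drupal/xmlrpc.php",
    "[Sun Jan 15 20:53:20 2006] [error] [client 69.60.121.159] File does not exist: /htdocs/phpgroupware/xmlrpc.php",
    "[Sun Jan 15 20:53:21 2006] [error] [client 69.60.121.159] File does not exist: /htdocs/wordpress/xmlrpc.php",
    "[Sun Jan 15 20:53:22 2006] [error] [client 69.60.121.159] File does not exist: /htdocs/xmlrpc.php",
    "[Sun Jan 15 20:53:23 2006] [error] [client 69.60.121.159] File does not exist: /htdocs/xmlrpc/xmlrpc.php",
    "[Sun Jan 15 20:53:24 2006] [error] [client 69.60.121.159] File does not exist: /htdocs/xmlsrv/xmlrpc.php",
    "[Sun Jan 15 20:54:00 2006] [error] [client 198.51.100.5] File does not exist: /htdocs/favicon.ico",
    "Jan 15 21:00:01 gw sshd[4242]: Invalid user admin from 192.0.2.10",
    "Jan 15 21:00:02 gw sshd[4243]: Invalid user test from 192.0.2.10",
    "Jan 15 21:00:03 gw sshd[4244]: Invalid user oracle from 192.0.2.10",
]

if __name__ == "__main__":
    for cmd in pf_table_commands(count_probes(SAMPLE_LINES), threshold=3):
        print(cmd)
```

Run it from cron or a log tail and pipe the output to sh once you are happy with the threshold; a table entry is cheaper than a rule per host, which is the pf.conf bloat John was worried about, and a mistaken entry is removed with `pfctl -t scanners -T delete`.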



Re: WLAN Device problem

2005-09-07 Thread Joakim Aronius
Hi, 

Post a dmesg.

I had a similar problem with ral when I tried to use it in a box with pcibios 
2.1 

From ral(4):
CAVEATS
 PCI ral adapters seem to strictly require a system supporting PCI 2.2 or
 greater and will likely not work in systems based on older revisions of
 the PCI specification.

/J

* Sam Ficher ([EMAIL PROTECTED]) wrote:
 Hello
  I have the following problem, I have a CNet CWP-854 Ralink Wireless-G PCI
 Adapter. I have configured it on OpenBSD 3.8 Beta; after some attempts I was
 able to get a status of ACTIVE, however it seems that there is no connection
 available, pinging any clients on the same network fails, same goes for the
 gateway too. I can't seem to understand what is wrong, I have tried other
 people's help, they have said probably the chip is not supported.
  Best Regards,
 Sam