Re: spamd

2007-06-05 Thread Marcus Popp
On 2007-06-05T06:43, Edgars Mak?a wrote:
 IP is static and entered commands/text is the same too. No mistakes, i 
 was carefully checking all commands and entered text.
 And as i found most problematic smtp is windows based MailEnable.
 What else i should check?
maybe your spamlogd is the problem. Restart it to be sure.

hth,

Marcus.



Re: ICP90x4RO - ICP SCSI U320 - PCI-X - OpenBSD

2007-02-16 Thread Marcus Popp
On 2007-02-16T17:25, Florian Fuessl wrote:
 Hi,
 
 the new ICP-Vortex ICP90x4RO (ICP SCSI U320 - PCI-X) SCSI-RAID controllers
 do not seem to be supported by the OpenBSD gdt-module.
 
 Are there any workarounds or plans to support the new ICP-Vortex
 RAID-hardware within the next release?
It depends on how fast you can send the card to the devs. ;-)

The ICP cards don't seem to be very common at the dev labs.

so long,

Marcus.



Re: spamd question

2007-01-18 Thread Marcus Popp
On 2007-01-18T11:27, Martin wrote:
 Hello.
 
 I'm using spamd but am noticing that some SPAM is still coming though
 
 It's probably more dev but I don't like posting to the dev/tech lists.  If 
 the 
 ideas/info have merit, then perhaps it can be forwarded to that list.
 
 Can (or does) spamd look at the From:, do a MX/A record dns lookup and 
 compare. it to the sender IP to see if it's valid during the SMTP 
 transaction  ?
that is not so easy. You could easily shoot yourself in the foot.
SPF is very similar but needs some additional dns entries.

hth,

Marcus.



Re: small question regarding snapshots checksums

2007-01-09 Thread Marcus Popp
On 2007-01-09T14:01, Peter Philipp wrote:
...
 At that point (if you look at the timestamp) it's been 4 hours since the 
 OpenBSD main source did a change in the kernel versions and all the other 
 mirrors hadn't picked up the changes.  So there was a checksum mismatch.  I 
 was wondering whether a history file of checksums is a good thing to include 
 on 
 the main ftp site?  That way one can check whether older revisions of 
 binaries are the right checksum?  Otherwise one would not know (and there 
 would be no point of checksums then right?).  

it would be simpler to sign all the tgz with gzsig (1) and verify the
tgz with an official key. Of course this has to be done by the OpenBSD
devs.

so long,

Marcus.



Re: uvm_fault

2007-01-05 Thread Marcus Popp
On 2007-01-05T13:47, Florian Fuessl wrote:
 Hi,
 
 I have problems with an OpenBSD 3.9 GENERIC.MP#0 i386 machine causing
 uvm_fault crashes:
 
 uvm_fault(0xd05cc640, 0xedbe2000, 0, 3) - e
 kernel page fault trap, code=0
 Stopped at memset+0x33:   repe stosl  %es:(%edi)
 
 The system in question is a Fujitsu Siemens Primergy P200 system with five
 network cards, four Intel PRO/1000MT (82546GB) [em0-3] and one Intel 8255x
 [fxp0]. It has an Adaptec 2100S RAID controller and 1.5 GB memory.
 Real memory usage is usually between Memory: Real: 200M/336M.
 
 Any ideas would be great, thanks for your time,

please go to http://www.openbsd.org/report.html and read it.

thanks,

Marcus.



Re: create an ISO based on the running system

2006-12-30 Thread Marcus Popp
On 2006-12-30T19:10, Edy wrote:
 Good Day,
 
 I have setup a box OpenBSD 4.0 with bridge firewall, spamd, snort with 
 mysql + BASE and snort2pf.
 
 I would like to create an ISO image of the box so that I could install 
 the exact setup on any system.
 
 Is there a document which explains on how to achieve this?
go to the faq and look at 4.13 Customizing the install process.

so long,

Marcus.



Re: Squid 2.6 transparent proxy with pf

2006-12-21 Thread Marcus Popp
On 2006-12-21T15:29, Dominik Zalewski wrote:
 On Thursday 21 December 2006 15:04, Peter N. M. Hansteen wrote:
  Dominik Zalewski [EMAIL PROTECTED] writes:
   I have OpenBSD 4.0 firewall and I would like to redirect all outgoing
   http requests to my squid web proxy.
 
  Daniel Hartmeier wrote about this a while back, his article can be found at
  http://www.benzedrine.cx/transquid.html
 
 In this article squid is running on the same machine as OpenBSD firewall. In 
 my case I have squid running on different machine connected to LAN interface. 
 My question is can redirect traffic on $int_if to another machine connected 
 to the same interface? Does this rule is correct ?
 
 rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080
hehe, you must exclude the squid!

hth,

Marcus.



Re: apmd resume + xlock

2006-12-12 Thread Marcus Popp
Hi James,

On 2006-12-12T11:45, James Turner wrote:
 xidle was a great suggestion thanks.  The below script doesn't work 
 either, and for some reason when running apmd in debug mode nothing gets 
 outputted from what I can tell.  For locking the screen before suspend 
 I'll probably just stick with Theo's suggestion and run xlock  zzz, 
 although I would love it to work on lid closer also.

I use this:
$ cat /etc/apm/suspend
#!/bin/ksh
sudo -u username /bin/ksh -c "HOME=/home/username; /usr/X11R6/bin/xlock \
-display :0.0"

It works for me. If I close the lid, OpenBSD gets locked.

hth,

Marcus.



Re: port forwarding

2006-12-04 Thread Marcus Popp
On 2006-12-04T14:50, Bambero wrote:
...
 rdr pass proto tcp from any to any port  -  port 80
...
 What may be wrong ?
nothing. You can't redirect to ports only. You could only redirect to an
IP address/port. Please read the man pages/faq.

hth,

Marcus



Re: Starting PF

2006-11-29 Thread Marcus Popp
On 2006-11-29T13:57, Robert C Wittig wrote:
...
 pf_rules=/etc/pf.conf # specify which file contains your rules
that is not necessary.

...
 I am curious to know why 'pf=YES' added to /etc/rc.conf.local did not 
 start PF automatically on reboot, and what I might do to correct this.
I'm sure that you have done more to your system than you told :-)

verify that your /etc/rc.conf contains:
local_rcconf=/etc/rc.conf.local
[ -f ${local_rcconf} ] && . ${local_rcconf} # Do not edit this line

Furthermore you could test that your rc.conf.local is used by rc (8)
by adding echo 'It works [tm]' to it and rebooting.

hth,

Marcus.



Re: trouble with IPv6 address with pkg_add(1)

2006-11-28 Thread Marcus Popp
On 2006-11-28T19:40, Bruno Carnazzi wrote:
   Hi all,
 
 When using 
 PKG_PATH=ftp://ftp.freenet.de/pub/ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386
 with pkg_add(1), updating package with sudo pkg_add -ui -F update -F
 updatedepends fails, saying no package in PKG_PATH. When using
 PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386,
 everything work fine. As both path includes exactly the same packages,
 I expect there is a trouble with IPv6 address (I go through a IPv4
 NAT-box, and my LAN is IPv4-only) :
I don't think this problem is caused by IPv6.
Have you tried adding a slash, as stated in man 1 pkg_add, to the
PKG_PATH?
like 
PKG_PATH=ftp://ftp.freenet.de/pub/ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/

so long,

Marcus.



Re: trouble with IPv6 address with pkg_add(1)

2006-11-28 Thread Marcus Popp
On 2006-11-28T20:58, Bruno Carnazzi wrote:
...
 I don't think this problem is caused by IPv6.
 Have you tried adding a slash, as stated in man 1 pkg_add, to the
 PKG_PATH?
 
 I'm updating... :)
 
 But I don't think the backslash is the problem, as in second case,
 everything works fine (without backslash)...
very likely these are different ftp-servers (application) with different
configurations = different behavior.

so long,

Marcus.



Re: syslog.conf question: log into a separate file, but not into /var/log/messages

2006-11-24 Thread Marcus Popp
Hi Alexander,

On 2006-11-24T10:50, Alexander Farber wrote:
 Then I've added a second ! and moved those 2 lines to
 the top of /etc/syslog.conf:
 
!!pref
*.*	/var/log/pref
 
 Now no messages at all are written into /var/log/messages :-/
 
 Can anyone please give me a hint?

read man syslog.conf

!!prog causes the subsequent block to abort evaluation when a message
matches, ensuring that only a single set of actions is taken.  !* can be
used to ensure that any ensuing blocks are further evaluated (i.e.
cancelling the effect of a !prog or !!prog).

hth,

Marcus.



spamd-white table empty

2006-11-18 Thread Marcus Popp
Hi,

I have a strange problem, my spamd-white table is empty.

# pfctl -t spamd-white -T show
#

I use these flags to start spamd:
spamd_flags="-b 127.0.0.1 -n 'Mail Daemon'"
spamd_grey=YES

spamdb shows a _lot_ of WHITE entries.

Any help would be really appreciated.

Please reply only to the mailinglist, I've added the ML IP by hand.

so long,

Marcus.

P.S. today compiled:
OpenBSD 4.0-stable (GENERIC) #2: Sat Nov 18 10:19:57 CET 2006



Re: spamd-white table empty - SOLVED

2006-11-18 Thread Marcus Popp
for the archives

On 2006-11-18T14:33, Marcus Popp wrote:
 Hi,
 
 I have a strange problem, my spamd-white table is empty.
there was no spamd: (pf spamd-white update) (spamd) process,
because I had not started spamd with eval, so the spamd_flags variable
was not evaluated.

eval /usr/libexec/spamd ${spamd_flags}

Marcus.
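
Why the missing eval matters, as an added example that is not part of the original post: the flags string carries embedded single quotes, and plain expansion only splits on whitespace. `show_args` is a hypothetical stand-in for /usr/libexec/spamd that reports the arguments it receives.

```shell
#!/bin/sh
# Added illustration, not code from the thread.
# show_args, without_eval and with_eval are hypothetical helper names.

# The value from the original post, as it would appear in rc.conf.local.
spamd_flags="-b 127.0.0.1 -n 'Mail Daemon'"

# Stand-in for the daemon: print argc, then every argv separated by '|'.
show_args() {
    printf '%d' "$#"
    for a in "$@"; do
        printf '|%s' "$a"
    done
    printf '\n'
}

# Plain expansion: the shell only field-splits the value on whitespace.
# The single quotes stay literal, so -n receives "'Mail" and "Daemon'"
# arrives as a stray fifth argument.
without_eval() {
    show_args ${spamd_flags}
}

# eval re-parses the expanded text as shell input, so the single quotes
# group "Mail Daemon" into one argument, as rc(8) does for daemon flags.
# eval executes whatever the variable contains, so the value must only
# ever come from a root-owned file such as rc.conf.local.
with_eval() {
    eval show_args ${spamd_flags}
}

# Stand-alone use:
#   without_eval   # 5|-b|127.0.0.1|-n|'Mail|Daemon'
#   with_eval      # 4|-b|127.0.0.1|-n|Mail Daemon
```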



Re: MIPS based routerboard machines

2006-11-16 Thread Marcus Popp
Hi,

I would support (money|board) a BCM95352E[1] based solution like
the Linksys WRT54GL[2]. The HW is pretty cheap ca. 60 Euros.

so long,

Marcus.

[1] 
http://www.broadcom.com/products/Wireless-LAN/802.11-Wireless-LAN-Solutions/BCM95352E
[2] 
http://www.linksys.com/servlet/Satellite?c=L_Product_C2childpagename=US%2FLayoutcid=1133202177241pagename=Linksys%2FCommon%2FVisitorWrapper



Re: Script to sync pf rules for CARP fws

2006-11-14 Thread Marcus Popp
On 2006-11-14T16:37, C. L. Martinez wrote:
 Hi all,
 
  Somebody knows where I can find a good shell script to sync pf.conf rules
 over a several Openbsd firewalls using CARP?

for HOST in a b c d; do
scp /etc/pf.conf $HOST:/etc/
done

hth,

Marcus.



Re: Script to sync pf rules for CARP fws

2006-11-14 Thread Marcus Popp
On 2006-11-14T18:43, C. L. Martinez wrote:
 Sorry?? Do I need to run pfctl to load rules only on one fw under carp and
 then this rules are sync to the others firewalls ?? If this is ok, then I
 don't read pf's very well ...

no, you have to run pfctl on every machine to activate changes in
your pf.conf. Carp has nothing to do with syncing pf rules.
Pfsync is for syncing the state tables - not rules!

so long,

Marcus.
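
The copy loop and the "run pfctl on every machine" step from the two replies above, combined in an added example that is not part of the original posts: each peer parses the staged file with `pfctl -n` before it replaces the live ruleset, so a syntax error never reaches a running firewall. The host names, the staging path, root SSH access and the `DRY_RUN` switch are assumptions.

```shell
#!/bin/sh
# Added illustration, not code from the thread.
# Assumptions: root ssh/scp access to every peer, staging path STAGE,
# hypothetical host names fw-a and fw-b.

PF_CONF=${PF_CONF:-/etc/pf.conf}
STAGE=${STAGE:-/etc/pf.conf.new}
DRY_RUN=${DRY_RUN:-1}     # 1 = only print the commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Copy, validate, then activate on one peer. Stops at the first failure,
# leaving the peer's running ruleset and /etc/pf.conf untouched.
sync_host() {
    host=$1
    run scp -p "$PF_CONF" "root@$host:$STAGE" || return 1
    # pfctl -n parses the file without loading it.
    if ! run ssh "root@$host" "pfctl -nf $STAGE"; then
        echo "$host: staged ruleset rejected, not loaded" >&2
        return 1
    fi
    run ssh "root@$host" "mv $STAGE $PF_CONF && pfctl -f $PF_CONF"
}

# Validate locally first, then sync every host given as an argument.
# Returns non-zero if any peer could not be updated.
sync_all() {
    run pfctl -nf "$PF_CONF" || return 1
    rc=0
    for host in "$@"; do
        sync_host "$host" || rc=1
    done
    return $rc
}

# Stand-alone use (dry run by default):
#   sync_all fw-a fw-b
```

pfsync still carries only the state table; the ruleset on each peer changes only when `pfctl -f` runs there.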



Re: Error in php5-gd-5.1.4 packages for OpenBSD 4.0

2006-11-09 Thread Marcus Popp
Hi,

there is a special ml for ports@,
further information can be found at http://www.openbsd.org/mail.html.

hth,

Marcus.



Re: 4.0 areca install

2006-11-03 Thread Marcus Popp
On 2006-11-03T15:09, Robert George Ababurko wrote:
 I am just getting back into using OpenBSD. I see that 4.0 has more support
 for the Areca SATA RAID cards, but do not list them in the supported devices
 list.  It just has a note showing 4.0 features.
 
 That said, when installing 4.0 on my machine with an Areca sata raid
 controller (ARC-1110), it is not seeing my areca card.  Am I incorrect in
 assuming that 4.0 should see the card on boot?  OR is there something else I
 need to go through to get the OS installed on a RAID volume ala Areca?
 
 Oh, btw, I am using the CD4.0.iso to install the OS on amd64 arch.

I think a dmesg would help... to help you.

so long,

Marcus.



Re: update automaticly

2006-10-19 Thread Marcus Popp
On 2006-10-19T21:28, sonjaya wrote:
 i have script for update automaticly here:
 # cat /root/update_part1.sh
 #!/bin/csh
 cd /usr/src
 setenv CVS_CLIENT_PORT -1
 setenv CVSROOT [EMAIL PROTECTED]:/cvs
 cvs -d $CVSROOT -q up -rOPENBSD_3_9 -Pd
 date  /root/update_part1.log
 
 when i try run that script get error such like this :
 # sh /root/update_part1.sh
 /root/update_part1.sh[3]: setenv: not found
 /root/update_part1.sh[4]: setenv: not found
 cvs update: CVSROOT -q must be an absolute pathname
 cvs [update aborted]: Bad CVSROOT.
 
 please tell me to fix it .

fix it ;-)

try # /root/update_part1.sh
sh doesn't know setenv

hth,

Marcus.



Re: retrieving bootparams

2006-10-18 Thread Marcus Popp
On 2006-10-18T17:27, Francois Visconte wrote:
 Hello,
 is there any way to retrieve boot params, like /proc/cmdline under linux ?
wrong list.

hth,

Marcus.



Re: retrieving bootparams

2006-10-18 Thread Marcus Popp
On 2006-10-18T15:58, Marcus Popp wrote:
 On 2006-10-18T17:27, Francois Visconte wrote:
  Hello,
  is there any way to retrieve boot params, like /proc/cmdline under linux ?
 wrong list.
aehmm, sorry got you wrong.

so long,

Marcus.



Re: network cards - which one is the best ;

2006-09-04 Thread Marcus Popp
On 2006-09-03T23:16, Bill Marquette wrote:
 On 9/3/06, Ted Unangst [EMAIL PROTECTED] wrote:
 On 9/3/06, Sylwester S. Biernacki [EMAIL PROTECTED] wrote:
I use Intel cards for several years and was happy of them almost all
the time. However, after I've read about them at this list  usenet
for the last few months I had to stand up and throw away all of
them.
 
Theo wrote about em driver in OpenBSD and bad vendor design of Intel
NICs in general. Exactly the opposite I have used Intel server cards
with ~320Mbps traffic (max of old PCI board ;P) and everything worked
as it should.
 
 if they work great for you, why do you care?
 
 Other than Intel, is anyone else making quad port gig cards?  I'm
 always open to playing with other hardware (and am hitting some amount
 of limitations with my current hardware setup anyway) but haven't run
 across any decent quad cards lately.
Silicom makes em-based quad/six port cards.
http://www.silicom.co.il/

hth,

Marcus.



Re: hotplugd

2006-08-24 Thread Marcus Popp
On 2006-08-24T16:56, Bachman Kharazmi wrote:
 I use hotplugd to attach my usbstick. I works well, but I miss a
 detach script which I couldn't find as a example in the manual so I
 wonder if it's necessary. I've tried once to just disconnect the stick
 without umounting the FS manually, and it worked.
 
 messages shows:
 Aug 24 16:24:54 venus /bsd: umass1: SanDisk Corporation Cruzer Micro,
 rev 2.00/0.10, addr 2
 Aug 24 16:24:54 venus /bsd: umass1: using SCSI over Bulk-Only
 Aug 24 16:24:54 venus /bsd: scsibus2 at umass1: 2 targets
 Aug 24 16:24:54 venus /bsd: sd1 at scsibus2 targ 1 lun 0: SanDisk,
 Cruzer Micro, 0.1 SCSI2 0/direct removable
 Aug 24 16:24:55 venus /bsd: sd1: 488MB, 488 cyl, 64 head, 32 sec, 512
 bytes/sec, 1000944 sec total
 Aug 24 16:36:57 venus /bsd: umass1: at uhub3 port 1 (addr 2) disconnected
 Aug 24 16:36:57 venus /bsd: sd1 detached
 Aug 24 16:36:57 venus /bsd: scsibus2 detached
 Aug 24 16:36:57 venus /bsd: umass1 detached
 
 Can it cause any damage on a FS if I remove a usb device that is
 mounted by hotplugd?
Yes it can damage the FS! hotplugd has no chance unmounting (syncing)
the filesystem if you just unplug the stick.

so long,

Marcus.



Re: CARP + individual services ?

2006-08-24 Thread Marcus Popp
Hi ben,

On 2006-08-24T12:00, ben wrote:
 I just spent more time than I would have liked to searching for info
 on providing HA/LB via CARP (and possibly other tools) for individual
 services (such as http) rather than IP addresses. I was surprised to
 find just about nothing on the topic since it seems like something
 people would want to use CARP for.
 
 For example, lets say I have two machines set up as web servers,
 sharing an IP address and load balanced with CARP. The httpd on one
 host dies but it's interface is fine.
CARP doesn't do load balancing; you need pf on a third machine.
man 4 carp and the pf faq

 Doesn't that mean CARP has no effect and approximately half the
 requests going to the virtual host ip address will timeout? That
 sucks.
CARP doesn't provide watchdog services. This topic (service watchdog)
has been discussed recently.

 I'm guessing you can configure ifstated to run curl or something every
 few seconds to monitor the httpd and respond by taking the CARP
 interface down or rig up some hoc shell script to do roughly the same
 thing. Right?
Why not bring the service back up? If you want to cut off the machine
you have to use the third (pf) machine.

hth,

Marcus.



Re: OpenBSD gets a poor score in security.

2006-07-27 Thread Marcus Popp
Hi jlr0i6sg3t,

On 2006-07-27T19:17, [EMAIL PROTECTED] wrote:
 Someone has written an article under Information Security News,
 entitled Linux patch problems: Your distro may vary. As if 
 OpenBSD were a Linux distro.
Ok, that's wrong.

 In this article, he compares response times to vulnerabilities and 
 then
 gives various Linux distros and OpenBSD a score. OpenBSD came 2nd
 last, but get this, Ubuntu, the Linux which had the root password 
 logged to disk in the plain from the installer, complete with a community 
 which did not notice this until almost the next release was out... came 
 first!

so what? They are damn fast in response time of broken 'packages'.
Don't get me wrong, I really like OpenBSD and I use it frequently, but
if I would want an up2date system (including security patches)
I choose (Xu|Ku|U)buntu.
The article is not about the OS, it's about the applications you run.
And it's a fact that OpenBSD is not the fastest delivering
updates for broken packages.
But who cares, you still have a secure OS. ;-)

so long,

Marcus.



Re: RAIDframe, swapping components in a RAID 1 array

2006-05-22 Thread Marcus Popp
Hi Paul,

On 2006-05-22T14:14, Paul Wright wrote:
 Hi all,
 
 I've followed a set of instructions[1] describing a method of
 installing OpenBSD onto a RAID 1 array created with raidctl using only
 2 disks (sd0b + sd1b).  The basic premise is to first install normally
 onto one disk (sd0b) and then created a degraded RAID 1 array using
 the second disk (sd1b) and a fake third disk (sd2b).  After booting
 off the array you then add the original first (sd0b) disk to the array
 and rebuild.
first point: sd0b is not a disk, it's a partition. Second point: normally the 
'b' partition of a disk is used for swapping, so this setup is unusual.
Have you tried the setup with sd0a and sd1a?

hth,

Marcus.



Re: High-Performance Network Cards?

2006-05-19 Thread Marcus Popp
On 2006-05-19T11:51, James Mackinnon wrote:
 Hey everyone
 
 I'm looking at upgrading my Environment to 2 firewalls using carp and such.
 
 I have a bunch of segments (5) internally + the pfsync connection
 
 I do a lot of data transfers on the backend, which would likely be best managed
 with gigabit cards, the front end, will be connected to 2 cisco BGP routers so
 100mb is adequate there as the PVC are set to 10mb per provider on the front
 end of the ciscos
 
 What I am wondering, is in the past, I only purchased Intel Adapters, which I
 prefer to stay with. Do their gigabit adapters work well on OpenBSD 3.9?  or,
 is there a better card available that has multi-network interfaces per card
 that can be segmented and offer quality high performance?
 
 
 Any recommendations on this would be great.

Have a look at silicom[1]. Their cards use em(4) and work well with 3.9.

hth,

Marcus.

[1] http://www.silicom.co.il/



Re: OpenBSD alternative for Bruce Schneier's password safe

2006-05-06 Thread Marcus Popp
On 2006-05-06T14:32, Siju George wrote:
 Hi Tanvir,
 
 Thankyou so much for the info and offer :-)
 
 On 5/6/06, Tanvir Ahmed [EMAIL PROTECTED] wrote:
 On 5/5/06, Siju George [EMAIL PROTECTED] wrote:
  It would be really great if some on can give advice on this topic :-)
 
 You can keep your passwords in plain-text grepable file format and
 encrypt the file using GnuPG. I have written a small shell script
 which takes a server name as a command-line argument, then decrypts
 the password file, shows you the normal user's and root's password
 
 
 actually I donot want the password to be displayed on the console.

maybe xclip (port|package) is the right tool for you.
echo foo | xclip (replace 'echo foo' with your favourite tool)

hth,

Marcus.



Re: bluefish or other web design tools

2006-04-19 Thread Marcus Popp
Hi Jacob,

On 2006-04-19T09:15, Jacob Yocom-Piatt wrote:
...
 any other suggestions for website development software?

have a look at quanta it's a kde web-dev tool.
http://quanta.kdewebdev.org/

hth,

Marcus.



Re: bluefish or other web design tools

2006-04-19 Thread Marcus Popp
On 2006-04-19T14:54, Marcus Popp wrote:
 Hi Jacob,
 
 On 2006-04-19T09:15, Jacob Yocom-Piatt wrote:
 ...
  any other suggestions for website development software?
 
 have a look at quanta it's a kde web-dev tool.
 http://quanta.kdewebdev.org/
 
 hth,
 
 Marcus.

it's in the kdewebdev package.

Marcus



Re: dmesg - MacBook Pro

2006-04-07 Thread Marcus Popp
On 2006-04-07T10:59, Michael Steinfeld wrote:
 If anyone cares here's the dmesg from my MacBook Pro.
 --
 
 OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
 cpu0: Genuine Intel(R) CPU T2500 @ 2.00GHz (GenuineIntel 686-class) 2 GHz
 cpu0: FPU,PSE,TSC,MSR,MCE,CX8,SEP,MTRR,PGE,CMOV,MMX,FXSR,SSE,SSE2,SS,SSE3
 real mem  = 268017664 (261736K)
 avail mem = 237674496 (232104K)

does OpenBSD only support 256 MB of the RAM? You should have 2 GB.

so long,

Marcus.



Re: Spam (solutions) and some other practical issues

2006-03-16 Thread Marcus Popp
Hi,

On 2006-03-16T18:38, Gabriel George POPA wrote:
Thank you Joachim. Now, regarding spamd(8), I knew that I need help 
 from pf. Regarding SpamAssassin: I did pkg_add, I followed
 the instructions on modifying /etc/procmailrc I started spamd (spamc 
 should have been called for every message). Nothing happened.

are you sure that you start /usr/local/bin/spamd and not spamd(8)?

hth,

Marcus.



Re: configure my route table during boot

2005-11-05 Thread Marcus Popp
On 2005-11-04T18:58, netture wrote:
 Hi every one.
 
 im a newbe with OpenBSD,
 
 I just wan to know how to set my route table as i  want during the boot 
 process.
 in fact this is my route table
 
 $ netstat -rn
 ---
 Routing tables
 
 Internet:
 Destination        Gateway            Flags    Refs     Use    Mtu  Interface
 default            192.168.0.1        UGS         0      22      -  em0
 127/8              127.0.0.1          UGRS        0       0  33224  lo0
 127.0.0.1          127.0.0.1          UH          1       0  33224  lo0
 192.168.0/24       link#3             UC          1       0      -  bge0  --- !
 192.168.0.1        link#3             UHLc        1       0      -  bge0  !
 224/4              127.0.0.1          URS         0       0  33224  lo0
 ---
 
 and I would like somthing like this
 
 ---
 Routing tables that i would like
 
 Internet:
 Destination        Gateway            Flags    Refs     Use    Mtu  Interface
 default            192.168.0.1        UGS         0      22      -  em0
 127/8              127.0.0.1          UGRS        0       0  33224  lo0
 127.0.0.1          127.0.0.1          UH          1       0  33224  lo0
 192.168.0/24       link#3             UC          1       0      -  em0  --- !
 192.168.0.1        link#3             UHLc        1       0      -  em0  !
 224/4              127.0.0.1          URS         0       0  33224  lo0
 ---
 
 I'v try to modify (with no succes) the file /etc/hostname.bge0 by adding 
 the following lines
 
 ! /sbin/route change -net 192.168.0/24 -ifp em0
 ! /sbin/route change -host 192.168.0.1 -ifp em0

this has nothing to do with routing! Try reading man 5 hostname.if
You could just 'mv /etc/hostname.bge0 /etc/hostname.em0' and you should
get what you want.

And next time please, don't reply to a running thread with a different 
topic.

hth,

Marcus.



Re: passwd: /sbin/nologin --- not working for me

2005-10-21 Thread Marcus Popp
On 2005-10-21T07:53, morla wrote:
 hello all,
 
 i just made up a second account on my box and wanted to prevent the old 
 one from loging into it, due i want to keep it for email retrival.
 
 when i enter something like
 
  morla:*:1000:1000:morla:/home/morla:/sbin/nologin
 
 into /etc/passwd and a similar entry into /etc/master.passwd shouldn't 
 this keep me out???
 
 please be careful with me, i am relatively new to bsd...

have you used vipw? That's all you need to change settings in,
and only in, the /etc/master.passwd! Otherwise you have to rebuild
the passwd db by hand.
Read VIPW(8) for more information.

hth,

Marcus.



Re: block outgoing smtp (enable only two servers)

2005-06-23 Thread Marcus Popp
Hi,

On 2005-06-23T08:55, Roberto Pereyra wrote:
 Hi
 
 I have a simple question about pf.
 
 I want to block outgoing smtp traficc for all my users. I only pass
 smtp traffic to two smtp server (correo.urdi.com.ar,
 smtp.bourlot.com).
 
 This rule:
 
 block out log quick on $ext_if proto tcp from any to any !{
 correo.urdi.com.ar, smtp.bourlot.com }   port smtp
 
 doesn't work. What am I doing wrong?

maybe you should try:

pass out quick on $ext_if proto tcp from any to { 201.252.250.3, 200.80.42.124 } port smtp keep state
block out log on $ext_if proto tcp from any to any port smtp

hth (but reading pf faq also helps),

Marcus.