Re: 'bgpctl show rib in neighbor $peer' no longer shows unfiltered received routes

2023-05-09 Thread Rogier Krieger
Thanks for the rapid response and proposal.
I'd wanted to test yesterday but had to postpone.

On Mon, May 8, 2023 at 12:18 PM Claudio Jeker  wrote:
> Here is a possible solution where a perfect match aborts the detection
> loop. Now this only works if the labels are in the right order ("in"
> before "invalid").

This is similar to what I had in mind, but shorter than what I'd thought of.
I'll test on -current first and report back. Afterwards, I'll adapt it for
-release (i.e. the equivalent of r1.124 for parser.c [1]).


> I wonder if changing "invalid" to "notvalid" or "noteligible" would be a
> better fix for now...

Personally, I like the flexibility of keyword freedom, given the small
one-time price to pay of sorting.
Sorting may make maintenance a little easier too; at least I've seen
several recent commits elsewhere to that end.

Best regards,

Rogier



'bgpctl show rib in neighbor $peer' no longer shows unfiltered received routes

2023-05-07 Thread Rogier Krieger
While diagnosing an unrelated matter, I find that 'bgpctl show rib'
has difficulty with the 'in' keyword. The 'out' counterpart works as
expected. Looking at bgpctl(8), the following should work (but
doesn't):
$ bgpctl show rib in neighbor $peer
ambiguous argument: in
valid commands/args:

  invalid
  leaked
  in
  out


Note: tested this on a 7.3 (w/ bgpd erratum) release system.
On a 7.2 release system, I don't see this regression (unsurprising, as
bgpctl(8) there doesn't list 'invalid' as a valid 'show rib' option).

I suspect this involves the logic in match_token() from
src/usr.sbin/bgpctl/parser.c. I'll take a stab at providing a patch.
Meanwhile, I'd appreciate any hints and/or a workaround for the meantime.

Thanks in advance,

Rogier
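The ambiguity reported above, and the table-order dependence of the "perfect match aborts the loop" fix discussed in the reply, as an added C example; this is not bgpctl's parser.c, and the keyword tables are constructed from the "valid commands/args" output. The third variant goes beyond the thread: it makes an exact match win regardless of table order.

```c
#include <stdio.h>
#include <string.h>

enum match_result { MATCH_NONE, MATCH_ONE, MATCH_AMBIGUOUS };

/*
 * Constructed keyword tables (not bgpctl's own token table). The first
 * lists the keywords in the order the error output above shows them,
 * i.e. "invalid" before "in"; the second swaps those two.
 */
static const char *const kw_invalid_first[] = { "invalid", "leaked", "in", "out", NULL };
static const char *const kw_in_first[]      = { "in", "invalid", "leaked", "out", NULL };

/* Pure prefix matching: "in" matches both "in" and "invalid", so it is
 * reported as ambiguous regardless of table order (the reported bug). */
enum match_result
match_prefix_only(const char *const *table, const char *word, const char **hit)
{
	size_t len = strlen(word);
	int matches = 0;

	*hit = NULL;
	for (; *table != NULL; table++) {
		if (strncmp(word, *table, len) == 0) {
			matches++;
			*hit = *table;
		}
	}
	if (matches == 0)
		return MATCH_NONE;
	return matches == 1 ? MATCH_ONE : MATCH_AMBIGUOUS;
}

/* Prefix matching where a perfect match stops the loop. Prefix hits seen
 * earlier in the table have already been counted, so "in" is only
 * unambiguous when it precedes "invalid" in the table. */
enum match_result
match_exact_aborts(const char *const *table, const char *word, const char **hit)
{
	size_t len = strlen(word);
	int matches = 0;

	*hit = NULL;
	for (; *table != NULL; table++) {
		if (strncmp(word, *table, len) == 0) {
			matches++;
			*hit = *table;
			if (strcmp(word, *table) == 0)
				break;	/* perfect match: stop looking */
		}
	}
	if (matches == 0)
		return MATCH_NONE;
	return matches == 1 ? MATCH_ONE : MATCH_AMBIGUOUS;
}

/* Order-independent variant: a perfect match anywhere in the table wins;
 * only when there is none does the prefix count decide. */
enum match_result
match_exact_wins(const char *const *table, const char *word, const char **hit)
{
	const char *const *t;

	for (t = table; *t != NULL; t++) {
		if (strcmp(word, *t) == 0) {
			*hit = *t;
			return MATCH_ONE;
		}
	}
	return match_prefix_only(table, word, hit);
}

int
main(void)
{
	static const char *const names[] = { "none", "one", "ambiguous" };
	const char *hit;
	enum match_result r;

	r = match_prefix_only(kw_invalid_first, "in", &hit);
	printf("prefix only,  invalid first: %s\n", names[r]);
	r = match_exact_aborts(kw_invalid_first, "in", &hit);
	printf("exact aborts, invalid first: %s\n", names[r]);
	r = match_exact_aborts(kw_in_first, "in", &hit);
	printf("exact aborts, in first:      %s (%s)\n", names[r], hit);
	r = match_exact_wins(kw_invalid_first, "in", &hit);
	printf("exact wins,   invalid first: %s (%s)\n", names[r], hit);
	return 0;
}
```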



Re: Multiple, simultaneous interfaces using dhclient

2014-07-13 Thread Rogier Krieger
On Sun, Jul 13, 2014 at 10:11 AM, Björn Ketelaars 
bjorn.ketela...@hydroxide.nl wrote:

 It sounds like that your default inet route is overwritten after dhclient
 on vlan1 is issued.


That's not something I'd expect, given that the dhclient instances should
be in separate routing domains.



 Did you have a look at the route table before and after each call of
 dhclient?


That was my initial suspicion and one of my reasons for trying to separate
things into rdomain 1.

I logged routing tables every second or so while manually running dhclient
for vlan1 (instead of via hostname.if).

Before:

# netstat -T0 -nrfinet
Internet:
Destination     Gateway             Flags  Refs      Use    Mtu  Prio  Iface
default         84.245.29.1         UGS       7  1871091      -     8  vlan0
84.245.29/24    link#5              UC        1        0      -     4  vlan0
84.245.29.1     00:30:88:16:ac:fd   UHLc      1        0      -     4  vlan0
127/8           127.0.0.1           UGRS      0        0  33144     8  lo0
127.0.0.1       127.0.0.1           UH       229313       33144     4  lo0
192.168.1.2     00:25:90:33:12:65   UHLc      0       16      -     4  lo0
224/4           127.0.0.1           URS       0        0  33144     8  lo0

# netstat -T1 -nrfinet
Internet:
Destination     Gateway             Flags  Refs      Use    Mtu  Prio  Iface
10.0.52/24      link#15             UC        0        0      -     4  vlan52


# route -T1 exec /sbin/dhclient vlan1

Gives me an IP on vlan1 and routes in rdomain 1, but kills connectivity on
vlan0 after the first DHCPREQUEST goes out on vlan1.


# ps ax | grep dhclient | grep -v grep
23596 ??  Is  0:00.02 dhclient: vlan0 [priv] (dhclient)
27697 ??  Is  0:00.48 dhclient: vlan0 (dhclient)
12813 ??  Ss  0:00.00 dhclient: vlan1 [priv] (dhclient)
10342 p7  Z+  0:00.00 (dhclient)
 7017 p7  S+  0:00.01 dhclient: vlan1 (dhclient)

Note the zombie dhclient in between. I don't know why it's there. A few
seconds later, vlan1 appears to have its address and - I assume - the
zombie is reaped.

# ps ax | grep dhclient | grep -v grep
23596 ??  Is  0:00.02 dhclient: vlan0 [priv] (dhclient)
27697 ??  Is  0:00.48 dhclient: vlan0 (dhclient)
12813 ??  Ss  0:00.01 dhclient: vlan1 [priv] (dhclient)
19415 ??  Ss  0:00.00 dhclient: vlan1 (dhclient)

# netstat -T0 -nrfinet
Internet:
Destination     Gateway             Flags  Refs      Use    Mtu  Prio  Iface
default         84.245.29.1         UGS       7  1871093      -     8  vlan0
84.245.29/24    link#5              UC        1        0      -     4  vlan0
84.245.29.1     00:30:88:16:ac:fd   UHLc      1        0      -     4  vlan0
127/8           127.0.0.1           UGRS      0        0  33144     8  lo0
127.0.0.1       127.0.0.1           UH       229313       33144     4  lo0
192.168.1/24    link#2              UC        1        0      -     4  em1
192.168.1.2     00:25:90:33:12:65   UHLc      0       16      -     4  lo0
224/4           127.0.0.1           URS       0        0  33144     8  lo0

# netstat -T1 -nrfinet
Internet:
Destination     Gateway             Flags  Refs      Use    Mtu  Prio  Iface
default         10.10.12.1          UGS       0        0      -     8  vlan1
10.0.52/24      link#15             UC        0        0      -     4  vlan52
10.10.12/22     link#16             UC        1        0      -     4  vlan1
10.10.12.1      link#16             UHLc      1        0      -     4  vlan1


Forgive me for removing the Routing tables line from the netstat output.

Only after killing all dhclients and re-running dhclient vlan0 do I get my
internet connectivity back.

Regards,

Rogier



Multiple, simultaneous interfaces using dhclient

2014-07-12 Thread Rogier Krieger
Dear list,

as my ISP is migrating to a new network setup, I'm forced to tinker with my
local setup. Unfortunately, I'm struggling to get two interfaces (vlan0,
vlan1) working simultaneously with DHCP.

Separately, they work fine. Together, vlan1 drops my internet connection
(vlan0); the latter won't return until I manually re-issue dhclient vlan0.
Upon lease renewal, the same occurs, lest I kill the dhclient instance for
vlan1.

I wonder if I'm doing something silly. Is having two simultaneous
dhclient instances a supported setup? The second instance is for an IPTV
set-top-box (STB) that I'd like to keep away from my regular LAN, hence the
routing domains.

I've disabled PF while trying to get this working, so as to minimise the
amount of things I can do wrong.

Does anyone have a cluebat for me? Insight greatly appreciated.

Regards,



Background:
It's a FttH link that provides two tagged networks (vlan 34 for IP; vlan 4
for IPTV). The latter provides a private-range address (in 10.10.12.0/22)
for a set-top-box.

For the STB:
- IPTV Traffic is to be NATed to vlan4 (towards the 10.10.12.0/22 and
185.6.48.0/26 ranges)
- Other/Internet traffic (e.g. program guides) needs to travel via the
regular IP uplink (vlan 34) and should be NATed there



# cat /etc/dhclient.conf
supersede host-name fluor;
prepend domain-name-servers 27.0.0.1;

interface vlan1 {
#ignore routers;# vlan1 is in rdomain 1; default route won't hurt us
}


# cat /etc/hostname.em0
description internal
-inet6
up

# cat /etc/hostname.em1
description uplink
-inet6
up

# cat /etc/hostname.vlan0
description ip (uplink)
vlan 34 vlandev em1
dhcp
-inet6

# cat /etc/hostname.vlan1
description tv (uplink)
rdomain 1
group tv
vlan 4 vlandev em1
dhcp
-inet6

# cat /etc/hostname.vlan52
description tv (downlink)
rdomain 1
group tv
vlan 52 vlandev em0
inet 10.0.52.1/24
-inet6




-- 
If you don't know where you're going, any road will get you there.



Re: Documentation on rc.conf.local lacks important warning

2014-02-09 Thread Rogier Krieger
Though I looked on a 5.3 system, rc.conf(8) suggests the following:
It is advisable to leave rc.conf untouched, and instead create and edit a
new rc.conf.local file.

That's rather different from creating a copy. From a brief look at CVS,
it's the same for -current.

Regards,

Rogier


On Sun, Feb 9, 2014 at 7:28 PM, VaZub vasyl.zu...@gmail.com wrote:

 Hi all,

 There is a small nuisance I've stumbled upon during my first
 experiments with OpenBSD.

 Both the man page for rc.conf(8) as well as the official OpenBSD FAQ
 (10.3) suggest to avoid editing /etc/rc.conf directly and instead copy
 it to /etc/rc.conf.local and edit afterwards. Yet it seems both fail
 to mention, that in order to prevent your system from going ballistic
 after doing this, you should also comment out or delete a particular
 line of code in /etc/rc.conf.local, namely this one:
 [ -f /etc/rc.conf.local ] && . /etc/rc.conf.local. Not good,
 especially for those who do follow official instructions and still
 suddenly find themselves with a broken system on their hands for no
 apparent reason.

 This might seem like a trivial issue for old-timers, and one is sure
 to find the appropriate solution with a little bit of deeper googling,
 but having short relevant notices in the aforementioned manuals could
 save newcomers some introductory frustration. What do you think? Is
 there anyone among those looking after the official documentation up
 to consider such a suggestion?

 Regards,
 Vasyl Zubko







Re: Trouble getting ipsec.conf 'tag' working in 5.3

2013-06-11 Thread Rogier Krieger
A kind soul (thank you) suggested I add the following to my ruleset:
pass quick on enc0 proto ipencap

Unfortunately, that does still not allow the inner outbound traffic to pass.


From what I can tell, the original ruleset already let ipencap traffic pass
on enc0. I verified with tcpdump and by separately logging the pass rules.
Had ipencap been the problem, tcpdump on pflog1 would show a match on rule
#11 (instead of the 'tagged PBX' rule #12).

Pinging or UDP traffic to the 172.24.8.0/24 subnet fails, whereas incoming
traffic from the other side is matched to the 'tagged PBX' rule (#12). I've
made sure the tagging in #14 does not occur for traffic to the PBX (I added
its net to the internal table).

I expected ipsec to automagically add the 'PBX' tag to traffic it gets
handed (in this case, from $if_int) when that traffic fits its SAs. I
further expected pf to need no more than a simple 'pass on enc0 tagged PBX'
after that. If I was too optimistic or misunderstood ipsec.conf(5), a
cluebat is more than welcome. If this is something that should work, I'll
try with -current as well.

Regards,

Rogier


# tcpdump -ni pflog0 -s1600 -eee -ttt -v
Jun 11 13:36:47.049079 rule 0/(match) [uid 0, pid 17691] block out on enc0:
192.168.10.101.63617 > 172.24.8.56.5060: [udp sum ok] udp 593 (ttl 63, id
40730, len 621, bad cksum 5a08!)
Jun 11 13:40:03.515813 rule 0/(match) [uid 0, pid 17691] block out on enc0:
192.168.10.102 > 172.24.8.55: icmp: echo request (id:0001 seq:411) (ttl
127, id 23969, len 60, bad cksum 5dc2!)


# tcpdump -ni pflog1 -s1600 -eee -ttt
Jun 11 13:39:28.142858 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request (encap)
Jun 11 13:39:28.142883 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request
Jun 11 13:39:29.149843 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request (encap)
Jun 11 13:39:29.149865 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request
Jun 11 13:39:30.159693 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request (encap)
Jun 11 13:39:30.159715 rule 12/(match) pass in on enc0: 172.24.8.1 > 192.168.10.102: icmp: echo request


# pfctl -sr -vv | grep -e '^@'
@0 block return log all
@1 match out on egress inet all tagged OUT nat-to (egress:0:1) round-robin
@2 pass out on egress from (egress:3) to any flags S/SA
@3 pass out on egress proto udp from (egress:3) to any port = 3740
@4 pass out on egress inet6 from (vlan801:network:1) to any flags S/SA
@5 pass on egress proto udp from any to any port = 500
@6 pass on egress proto udp from any to any port = 4500
@7 pass on egress proto ipv6 all
@8 pass on egress inet proto icmp all
@9 pass on egress inet6 proto ipv6-icmp all
@10 pass on egress proto esp all
@11 pass log (all, to pflog1) on enc0 proto ipencap all
@12 pass log (all, to pflog1) on enc0 all flags S/SA keep state (if-bound)
tagged PBX
@13 pass in on vlan801 proto tcp from (vlan801:network:5) to (vlan801:9)
port = 22 flags S/SA
@14 match in on vlan801 from (vlan801:network:5) to ! internal:7 tag OUT
@15 pass on vlan801 all flags S/SA



Re: Trouble getting ipsec.conf 'tag' working in 5.3

2013-06-11 Thread Rogier Krieger
On Tue, Jun 11, 2013 at 3:26 PM, mxb m...@alumni.chalmers.se wrote:

 Tried to tag pkts on $int_if ? Eg

match in on $if_int from ($if_int:network) to $pbx_net tag PBX


Yes and that works. But shouldn't it already be covered by the 'PBX' tag in
ipsec.conf?
That's what I expected and what I'm trying to figure out.

Thanks for the suggestion, though.

Regards,

Rogier



Trouble getting ipsec.conf 'tag' working in 5.3

2013-06-10 Thread Rogier Krieger
Dear list,

after re-installing a machine with 5.3 (i386), I wanted to tighten up the
filtering rules. To that end, I added a 'block log' rule near the top of my
rules. This appears to be unexpectedly effective.

I'm having trouble with my IPsec VPN to a VoIP PBX. Although my SAs come up
as expected, outbound traffic appears to be blocked on enc0. What bugs me
is that the 'tag' and 'tagged' keywords do not seem to work as I'd expect
from ipsec.conf(5).

I created the SAs with the 'PBX' tag and would like to be so lazy as to
just use:
pass on enc keep state (if-bound) tagged PBX

Surprisingly, I can receive incoming pings from the PBX (172.24.8.0/24)
with this setup, but am unable to ping the address from my own net (
192.128.10.0/24). I get this with the fairly minimal ruleset added below.

Of course, I could add rules listing the address ranges in question, but I
had hoped to use the 'PBX' tag for that instead. Did I misread or
misunderstand ipsec.conf(5) or am I missing something else entirely?

Insight greatly appreciated,

Regards,

Rogier


# tcpdump -eee -ttt -ni pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Jun 10 22:42:39.513643 rule 0/(match) block out on enc0: 192.168.10.102 >
172.24.8.1: icmp: echo request


# cat /etc/pf.conf
if_int=vlan801
pbx_net=172.24.8.0/24
noc_net=172.24.10.0/24
table internal persist { $if_int:network, $pbx_net, $noc_net }

set block-policy return
block log
set skip on { lo sk0 }


# Outbound traffic
match out on egress inet nat-to (egress:0) tagged OUT
pass out on egress from (egress)

# IPv6 tunnel
pass out on egress proto tcp from (egress) to any port 3874 # TIC
pass out on egress proto udp from (egress) to any port 3740 # heartbeat
pass on egress proto ipv6
pass on egress inet  proto icmp
pass on egress inet6 proto icmp6

# IPsec tunnel
pass on egress proto udp from any to any port { isakmp, ipsec-nat-t }
pass on egress proto esp
pass on enc0 keep state (if-bound) tagged PBX

# SSH
pass in on $if_int proto tcp from ($if_int:network) to ($if_int) \
port ssh

# Internal traffic
match in on $if_int from ($if_int:network) to !internal tag OUT
pass on $if_int


# cat /etc/ipsec.conf
id   = b2
gw   = fxp0
gw6  = gif6
net  = 192.168.10.0/24

# PBX access
pbx_id  = weber
pbx_gw  = [removed]
pbx_net = 172.24.8.0/24
ike esp from $net to $pbx_net peer $pbx_gw srcid $id dstid $pbx_id tag PBX


# cat /var/run/dmesg.boot
OpenBSD 5.3 (GENERIC) #50: Tue Mar 12 18:35:23 MDT 2013

Re: em(4) fails to initialize for Intel i350-F2 dual-port fibre NIC

2013-04-29 Thread Rogier Krieger
Apologies for the delayed follow-up; I was unable to test over the weekend.

I plugged in both fibres this afternoon. With the diff, the hardware
appears to be correctly initialized. Both ports properly find their link.
Light testing today shows no surprises.

Any particular things I should test additionally?

Regards,

Rogier



em(4) fails to initialize for Intel i350-F2 dual-port fibre NIC

2013-04-26 Thread Rogier Krieger
Dear list,

after installing a dual-port fibre NIC, it seems the card is recognized,
but fails to initialize. The card in question is an i350-F2. I've upgraded
to the latest snapshot to see if there's any improvement, but alas.

<snip>
em0 at pci8 dev 0 function 0 "Intel I350 Fiber" rev 0x01: msi
em0: Hardware Initialization Failed
em0: Unable to initialize the hardware
em1 at pci8 dev 0 function 1 "Intel I350 Fiber" rev 0x01: msi
em1: Hardware Initialization Failed
em1: Unable to initialize the hardware
</snip>

From commits, I gather the i350 is relatively new. Would anyone have
advice/hints on what steps of the initialisation I should look at, or how I
can generate more debugging output? I tried a verbose boot (boot -c), but
that didn't show more details for these em(4) cards. The box is currently
hooked up for testing, so there are few things to break.

Any insight appreciated. I've added dmesg and pcidump below.


Regards,

Rogier


$ dmesg
OpenBSD 5.3-current (GENERIC.MP) #103: Wed Apr 24 09:33:02 MDT 2013
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Re: em(4) fails to initialize for Intel i350-F2 dual-port fibre NIC

2013-04-26 Thread Rogier Krieger
Hi Jonathan,

thanks for the diff. Currently building a kernel with it and will report
back.

Regards,

Rogier


On Sat, Apr 27, 2013 at 3:24 AM, Jonathan Gray j...@jsg.id.au wrote:

 On Fri, Apr 26, 2013 at 10:51:45PM +0200, Rogier Krieger wrote:
  Dear list,
 
  after installing a dual-port fibre NIC, it seems the card is recognized,
  but fails to initialize. The card in question is an i350-F2. I've upgraded
  to the latest snapshot to see if there's any improvement, but alas.
 
  <snip>
  em0 at pci8 dev 0 function 0 Intel I350 Fiber rev 0x01: msiem0:
 Hardware
  Initialization Failedem0: Unable to initialize the hardware
  em1 at pci8 dev 0 function 1 Intel I350 Fiber rev 0x01: msiem1:
 Hardware
  Initialization Failedem1: Unable to initialize the hardware
  </snip>
 
  From commits, I gather the i350 is relatively new. Would anyone have
  advice/hints on what steps of the initialisation I should look or how I
 can
  generate more debugging output? I tried a verbose boot (boot -c), but
 that
  didn't show more details for these em(4) cards. The box is currently
 hooked
  up for testing, so few things to break.
 
  Any insight appreciated. I've added dmesg and pcidump below.

 It was tested with copper not fibre, perhaps the following
 diff helps.

 Index: if_em_hw.c
 ===
 RCS file: /cvs/src/sys/dev/pci/if_em_hw.c,v
 retrieving revision 1.71
 diff -u -p -r1.71 if_em_hw.c
 --- if_em_hw.c  5 Dec 2012 23:20:20 -   1.71
 +++ if_em_hw.c  27 Apr 2013 01:21:06 -
 @@ -1446,7 +1446,7 @@ em_adjust_serdes_amplitude(struct em_hw
 DEBUGFUNC(em_adjust_serdes_amplitude);

 if (hw-media_type != em_media_type_internal_serdes ||
 -   hw-mac_type == em_82575)
 +   (hw-mac_type = em_82575))
 return E1000_SUCCESS;

 switch (hw-mac_type) {
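Review bot: the widened early return in em_adjust_serdes_amplitude relies on every mac_type at or after em_82575 in the em_mac_type enum being a part that needs no amplitude adjustment; that ordering assumption deserves a one-line comment beside the comparison, and the extra parentheses around the range test are not used for the same test in the @@ -1700 hunk, so one style should be picked. As rendered in this mail the condition reads `(hw-mac_type = em_82575)`; make sure the committed line is a relational comparison and not an assignment, which would silently overwrite hw->mac_type.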
 @@ -1700,10 +1700,10 @@ em_setup_fiber_serdes_link(struct em_hw
  * initialization.
  */
 if (hw-mac_type == em_82571 || hw-mac_type == em_82572 ||
 -   hw-mac_type == em_82575)
 +   hw-mac_type = em_82575)
 E1000_WRITE_REG(hw, SCTL, E1000_DISABLE_SERDES_LOOPBACK);

 -   if (hw-mac_type == em_82575)
 +   if (hw-mac_type = em_82575)
 em_power_up_serdes_link_82575(hw);

 /*
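Review bot: em_power_up_serdes_link_82575 is now called for every mac_type at or after em_82575 rather than for the 82575 alone; its name suggests it was written against that part, so the commit message should record that the I350 fibre ports from this thread were tested with it (the follow-up in this thread reports both ports finding link). Keeping the explicit em_82571/em_82572 checks next to the new range test in the first condition is fine.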
 @@ -1724,7 +1724,7 @@ em_setup_fiber_serdes_link(struct em_hw
 /* Take the link out of reset */
 ctrl = ~(E1000_CTRL_LRST);

 -   if (hw-mac_type == em_82575) {
 +   if (hw-mac_type = em_82575) {
 /* set both sw defined pins on 82575/82576*/
 ctrl |= E1000_CTRL_SWDPIN0 | E1000_CTRL_SWDPIN1;
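Review bot: the comment "set both sw defined pins on 82575/82576" in this hunk is now stale, since the block runs for every mac_type from em_82575 onward, including the I350 under test; update it, or the next reader will assume the pins are only driven on those two parts.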

 @@ -3611,7 +3611,7 @@ em_check_for_link(struct em_hw *hw)
 DEBUGFUNC(em_check_for_link);
 uint16_t speed, duplex;

 -   if (hw-mac_type == em_82575 
 +   if ((hw-mac_type = em_82575) 
 hw-media_type != em_media_type_copper) {
 ret_val = em_get_pcs_speed_and_duplex_82575(hw, speed,
 duplex);
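Review bot: minor style point in em_check_for_link: the range test is parenthesised here, `(hw-mac_type = em_82575)`, but written bare in the @@ -1700 hunk; the file is easier to grep for this condition if all of its occurrences use one form.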
 @@ -3951,7 +3951,8 @@ em_get_speed_and_duplex(struct em_hw *hw
 uint16_t phy_data;
 DEBUGFUNC(em_get_speed_and_duplex);

 -   if (hw-mac_type == em_82575  hw-media_type !=
 em_media_type_copper)
 +   if ((hw-mac_type = em_82575) 
 +   hw-media_type != em_media_type_copper)
 return em_get_pcs_speed_and_duplex_82575(hw, speed,
 duplex);

 if (hw-mac_type = em_82543) {
 @@ -5284,7 +5285,7 @@ em_detect_gig_phy(struct em_hw *hw)

 if ((hw-media_type == em_media_type_internal_serdes ||
 hw-media_type == em_media_type_fiber) 
 -   hw-mac_type == em_82575) {
 +   (hw-mac_type = em_82575)) {
 hw-phy_type = em_phy_undefined;
 return E1000_SUCCESS;
 }
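Review bot: this is the sixth copy of the same "mac_type is 82575 or later" test in the diff; a small inline predicate or macro taking the struct em_hw pointer would keep the threshold in one place, so that the next part added to the enum cannot be missed at one of the call sites.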







Re: Advice on adding com2 to (amd64) GENERIC; enabling easier IPMI SOL with SuperMicro boards

2013-04-06 Thread Rogier Krieger
On Sat, Apr 6, 2013 at 1:35 AM, Ted Unangst t...@tedunangst.com wrote:
 I guess you missed the subsequent put back yesterday. :)

Guilty as charged.


 [...] com2 renumbers any other pci attached com ports from the likes of
puc.

I suppose for those running tools such as conserver, this would mean
changing the config lines that carry the 'baseport' values. In case it's
helpful, I've added the following snippet for faq/current.html to warn
unsuspecting serial users.

Regards,

Rogier



Index: current.html
===
RCS file: /cvs/www/faq/current.html,v
retrieving revision 1.373
diff -u -r1.373 current.html
--- current.html 28 Mar 2013 21:49:08 - 1.373
+++ current.html 6 Apr 2013 09:01:26 -
@@ -54,6 +54,7 @@
 lia href=#201303102013/03/10 - fontconfig update/a
 lia href=#201303112013/03/11 - pf translation counter added/a
 lia href=#201303252013/03/25 - Perl update/a
+lia href=#201304052013/04/05 - amd64 adds com2 and com3 to
GENERIC/a

 !-- New additions go on the bottom, please --
 /ul
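Review bot: the new list item is wrapped over two lines, unlike the neighbouring entries, which each sit on one line; keeping it on one line matches the list's convention and keeps the "New additions go on the bottom" comment easy to spot.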
@@ -562,6 +563,15 @@
 of this being committed and rely on such packages, you might like to wait
 for updated packages to become available to save the trouble of building
 them yourself.
+
+p
+a name=20130405/a
+h32013/04/05 - amd64 adds com2 and com3 to GENERIC/h3
+OpenBSD/amd64 GENERIC and GENERIC.MP kernels now include the com2 (COM3)
+and com3 (disabled by default) devices that were commented out before. This
+may cause the renumbering of serial ports on other devices such as puc(4).
+Users of the conserver port may want to use the 'portbase' and
'devicesubst'
+settings to easily adjust their configuration.

 hr
 a href= index.htmlimg height= 24 width= 24 src=
../images/back.gif border= 0 alt=[back]/a
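Review bot: the heading "amd64 adds com2 and com3 to GENERIC" overstates the change, since the body says com3 is present but disabled by default; say "enables com2" in the heading or spell the disabled state out more plainly. Also, the body names the conserver setting 'portbase' while the covering mail calls it 'baseport'; the two should agree, with conserver.cf(5) as the authority.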



Re: Advice on adding com2 to (amd64) GENERIC; enabling easier IPMI SOL with SuperMicro boards

2013-04-05 Thread Rogier Krieger
Out of curiosity, after seeing the commit and subsequent backing out of
this change, what'd be the expected issues with enabling com2 that require
more thought?

Regards,

Rogier




On Sat, Mar 30, 2013 at 8:01 AM, Ted Unangst t...@tedunangst.com wrote:

 On Sat, Mar 30, 2013 at 02:06, Rogier Krieger wrote:

  The GENERIC kernel config has commented out com2 (at isa0, addr 0x3e8,
  irq 5) and I assume this is not without reason. I've been unable to
  find that reason in source changes, but perhaps someone here knows. On
  i386, it is present.

 I am guessing this is an oversight. i386 runs on the same machines, so
 if com2 were causing trouble it would be disabled there too.







Advice on adding com2 to (amd64) GENERIC; enabling easier IPMI SOL with SuperMicro boards

2013-03-29 Thread Rogier Krieger
Dear list,

in an attempt to save on serial cabling for our machines, I'm trying
to see if IPMI Serial over Lan (SOL) works as advertised.

For our Dell boxes, things seem to work, but our SuperMicro boards
(X7SPA-HF and X8ST3-F) require extra work. The latter seem to insist
on using com2 (i.e. COM3 in BIOS), which isn't present by default in
GENERIC[.MP]. Obviously, adding this creates a bit of hassle and the
risk of the com2 device being unavailable should I ever forget to add
it back after upgrades.

The GENERIC kernel config has commented out com2 (at isa0, addr 0x3e8,
irq 5) and I assume this is not without reason. I've been unable to
find that reason in source changes, but perhaps someone here knows. On
i386, it is present.

In summary, would the following be acceptable?

Regards,

Rogier


Index: GENERIC
===
RCS file: /cvs/src/sys/arch/amd64/conf/GENERIC,v
retrieving revision 1.338
diff -u -r1.338 GENERIC
--- GENERIC 15 Mar 2013 09:10:52 -  1.338
+++ GENERIC 30 Mar 2013 01:04:54 -
@@ -315,7 +315,7 @@

 com0   at isa? port 0x3f8 irq 4# standard PC serial ports
 com1   at isa? port 0x2f8 irq 3
-#com2  at isa? port 0x3e8 irq 5
+com2   at isa? port 0x3e8 irq 5
 #com3  at isa? port 0x2e8 irq 9# (conflicts with some video cards)

 com*   at pcmcia?  # PCMCIA modems/serial ports
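Review bot: enabling com2 at a fixed isa location makes it attach before any PCI serial ports, so com units previously probed via puc(4) get renumbered (the later reply in this thread points this out); the commit message should say so, and users with conserver or getty entries keyed on com device names need a heads-up in faq/current.html.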



Re: smtpd relay

2013-02-26 Thread Rogier Krieger
On Tue, Feb 26, 2013 at 4:39 PM, Zoran Kolic zko...@sbb.rs wrote:
 accept for any relay via my.isp.smtpserver

iirc, smtpd.conf(5) mentions the host being in URL form, e.g.
 smtp://my.isp.smtpserver

At least, it does for my Feb 17th snapshot.

Regards,

Rogier



Re: OpenSMTPd error after upgrading to -current

2013-02-03 Thread Rogier Krieger
On Sun, Feb 3, 2013 at 10:19 PM, Frank Brodbeck f...@gmx.biz wrote:
 /etc/mail/smtpd.conf:12: error: invalid url: smtps+auth://mail.split-brain.de

The description of the relay parameter in smtpd.conf(5) is accurate.
It seems the examples section in smtpd.conf(5) is slightly outdated,
however.

The format for the relay URL changed to include a label for looking up
the credentials. This allows you to select different credentials for
the same host should you need that. This is one of the recent goodies
[1] mentioned in another thread.

Instead of using a hostname in the secrets file, use a label and list
that label in the relay URL. After running makemap, smtpd liked my
configuration again. I've added a sanitised version as an example.

# cat /etc/mail/smtpd.conf
listen on lo0

table aliases db:/etc/mail/aliases.db
table secrets db:/etc/mail/secrets.db

accept for local alias aliases deliver to mbox
accept for any relay via ssl+auth://[label]@[host] auth secrets


# cat /etc/mail/secrets
[label] [user]:[password]


Hope that helps,

Rogier


References:
1. Undeadly - OpenSMTPD: more features, more cleanup, more more
http://undeadly.org/cgi?action=article&sid=20130130081741




Re: ext2fs read errors

2012-12-30 Thread Rogier Krieger
On Sun, Dec 30, 2012 at 12:54 PM, Martijn van Duren
m.vandu...@jonker.nl wrote:
> Jan Stary schreef op zo 30-12-2012 om 12:24 [+0100]:
>> On Dec 30 10:43:00, m.vandu...@jonker.nl wrote:
>>> I'm migrating my data from an ext3 partition [...]
<snip>
> That is correct. And I mounted it mount_ext2fs /dev/wd0i /mnt.

Why would you expect an ext3fs partition to be working properly using
ext2fs tools? The man pages for the tools involved do not mention
ext3fs support or its journal features.

Can you reproduce the issue with an ext2fs filesystem as well?

Regards,

Rogier



Re: ftp/www.openbsd.org downtime today. don't panic

2012-10-12 Thread Rogier Krieger
On Fri, Oct 12, 2012 at 4:08 PM, Bob Beck b...@openbsd.org wrote:
> Please don't panic.

Naturally, this happens on a day one forgets to bring a towel.

Cheers,

Rogier



Re: IPv6, OpenBSD and .. Mac OS X Lion

2012-07-15 Thread Rogier Krieger
Here, it took a few iterations of properly reading the rtadvd.conf(5)
manual, but the various Mac devices over here (OS X v10.6+, iOS v5+)
properly get addresses and DNS servers assigned.

My setup:
Addresses here are assigned over rtadvd(8); DNS information over
DHCPv6. With the recent patch to rtadvd, the latter component could
actually be phased out. I suppose that's easier.


One thing I ran into: correctly set raflags to accurately reflect your
network's situation. For mine, a value of 64 was needed (address:
rtadvd; DNS: DHCPv6). Until I properly set this, my systems (Win7 and
Mac alike) discarded the DHCPv6 info they received. See rtadvd.conf(5)
for the correct values to use.

If you use rtadvd exclusively, you'll need another value for raflags,
of course. See the manual.

Regards,

Rogier



Re: AUTHENTICATION_METHOD = 65001 (unknown)

2012-06-10 Thread Rogier Krieger
On Sun, Jun 10, 2012 at 8:12 PM, Ray Zorthin rayzort...@yahoo.com wrote:
> 2) Do we need to use iked(8) instead of isakmpd(8)?

Instead, you may want to look at npppd and using the L2TP variant
natively available on your iPad. At least, that's how I have an iOS
device connect (v5.1.1 currently, but worked for several earlier
versions as well).

The description in the source tree provides useful hints and required
steps to getting this working. The L2TP traffic is secured through
IPsec.

I have not yet needed to provision iOS devices with this
configuration, but I suspect it can be done similarly to how one would
provision the (Cisco) IPsec VPN client on iOS.

Regards,

Rogier



Re: Recent DELL hardware support

2012-04-05 Thread Rogier Krieger
On Thu, Apr 5, 2012 at 21:02, Kostas Zorbadelos kzo...@otenet.gr wrote:
> The only remaining question is PERC H200 support.

mpii(4) should cover the Dell PERC H200.



Re: how to find dependencies when building a new kernel

2011-11-29 Thread Rogier Krieger
On Tue, Nov 29, 2011 at 11:38, T. Valent tmp...@4ss.de wrote:
> [dmassage] It's not part of the official OpenBSD or the ports tree.

Are you sure it's not in sysutils/dmassage?

It would seem you're trying to build your own stripped-down kernel.
Doing that sort of thing is typically a "you break it, you get to keep
the pieces" activity.

While I do not know the reasons [1] you have for doing so, you may
have better luck solving issues using config(8). If you take that
route, be sure to note down the changes needed so you can repeat the
process at subsequent upgrades.

Regards,

Rogier


1. OpenBSD FAQ #5
http://openbsd.org/faq/faq5.html#Why



Re: DNS Google ?

2011-11-22 Thread Rogier Krieger
Lest I'm mistaken, both serve DNS data, but in different roles.

nsd is for serving authoritative zones, not for resolver work.
unbound is a resolver.

Regards,

Rogier



Re: dhclient, resolv.conf

2011-10-20 Thread Rogier Krieger
On Thu, Oct 20, 2011 at 20:11,  sophia.ort...@googlemail.com wrote:
> But again, I insist on my first question: how do I get dhclient to
> respect my resolv.conf and not touch it?

If you insist on dhclient not touching resolv.conf and do not want to
edit the in-base dhclient-script, you can use the 'script' parameter
described in dhclient.conf(5). As a bonus, you get to maintain your
changes from then on.

I do not see why you prefer editing resolv.conf over dhclient.conf,
though, but I trust you have your reasons.

Regards,

Rogier

-- 
If you don't know where you're going, any road will get you there.



Re: bsd.rd and (automated) upgrading

2011-04-30 Thread Rogier Krieger
On Sat, Apr 30, 2011 at 11:54, David Steiner davidsteiner2...@gmail.com wrote:
> can the upgrade process via bsd.rd be automated?

Yes, see e.g. Yaifo. The link came by earlier this week on the list.
http://sourceforge.net/projects/yaifo/files/yaifo/4.8/yaifo-4.8.tgz/download

Regards,

Rogier



Trying to find mfi(4) cards, am I looking for the LSISAS2108 chip?

2011-03-11 Thread Rogier Krieger
In short: if I'd like to get a RAID5/6 supporting mfi(4) card, what
current LSI/other models would I be looking for? Would that be models
with the LSISAS2108 chip?

The mfi(4) manual states the Dell PERC H700 to be a supported mfi(4)
card. From the Dell documentation, it seems that card holds an
LSISAS2108 chip. Is this the generic LSI chip for this particular
line? If so, what generic cards LSI cards would I be looking for. It
would be nice to have more options than just Dell.

Can anyone confirm the following would be mfi(4):
+ MegaRAID SAS 9260-8i [1]
+ MegaRAID SAS 9280-16i4e [2]
+ SuperMicro AOC-USAS2LP-H8iR [3]

Each of these has product pages listing the 2108 chipset, but I'd
prefer some confirmation before going the 'try by buying' way.


Any insight would be greatly appreciated (including a reality check on
my liking mfi(4) over e.g. mpi(4)).


Regards,

Rogier



References:
1. LSI - MegaRAID SAS 9260-8i
http://www.lsi.com/channel/products/raid_controllers/megaraid_9260-8i/index.html
2. LSI - MegaRAID SAS 9280-16i4e
http://www.lsi.com/channel/products/raid_controllers/megaraid_9280-16i4e/index.html
3. SuperMicro - AOC-USAS2LP-H8iR
http://www.supermicro.com/products/accessories/addon/AOC-USAS2LP-H8iR.cfm



Re: ipfm+openbsd 4.6

2011-01-24 Thread Rogier Krieger
On Mon, Jan 24, 2011 at 01:10, emigrant emig...@gmail.com wrote:
> ipfm don't work well in openbsd 4.6/4.7/4.8,  too much changes in pf?(yes, i
> use pfaltq+hfsc),  any ideas what can i do? go back to 4.5? :)

People here are unlikely to recommend going back in OpenBSD versions.
From the first Google hit on IPFM [1], I get the impression you best
move away from IPFM as it has not been actively developed for
years.

If you're after a simple list of traffic for individual hosts, you may
be able to leverage the 'label' keyword in pf.conf(5), especially if
it's only a few hosts you're trying to get data for. Such as:

# /etc/pf.conf
hostlist = { 127.0.0.1, 192.168.100.15, 192.168.100.30 }
pass from $hostlist label traffic-$srcaddr

# sudo pfctl -vvs labels


Alternatively, look at pflow(4) and a Netflow collector on the other
end to see if that's more to your liking.

Regards,

Rogier

References:
1. Google - 'IPFM'
http://www.google.nl/search?q=ipfm
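As an added example (not part of the post above), the sh/awk helper below turns the per-rule counters printed by pfctl's labels listing into per-host byte totals for rules labelled traffic-$srcaddr as in the pf.conf snippet. The nine-column layout it assumes (label, evaluations, packets, bytes, packets in, bytes in, packets out, bytes out, states) and the sample lines are assumptions/constructed, not taken from a live firewall.

```shell
#!/bin/sh
# Added example (not part of the original post): aggregate the per-rule
# counters of "pfctl -s labels" by host for rules labelled traffic-$srcaddr,
# as in the pf.conf snippet in the post.
# ASSUMPTION: each line of the pfctl output carries nine whitespace-separated
# fields in this order:
#   label evaluations packets bytes packets_in bytes_in packets_out bytes_out states
# The sample below is constructed, not captured from a real firewall.
# A host matched by more than one rule appears more than once (192.168.100.15).
SAMPLE_LABELS='traffic-127.0.0.1 10 40 3200 20 1600 20 1600 2
traffic-192.168.100.15 250 1200 987654 600 123456 600 864198 17
traffic-192.168.100.30 80 300 45000 150 20000 150 25000 5
traffic-192.168.100.15 30 100 12346 50 6000 50 6346 1'

# pf_label_bytes PREFIX [INPUT]: print "host bytes_in bytes_out", one host per
# line, summing every rule whose label starts with PREFIX. Reads INPUT (or the
# constructed sample), so on a real system it can be fed "$(pfctl -s labels)".
pf_label_bytes() {
    prefix=$1
    input=${2:-$SAMPLE_LABELS}
    printf '%s\n' "$input" | awk -v p="$prefix" '
        index($1, p) == 1 && NF >= 8 {
            host = substr($1, length(p) + 1)   # strip the label prefix
            rx[host] += $6                     # bytes in
            tx[host] += $8                     # bytes out
        }
        END { for (h in rx) printf "%s %d %d\n", h, rx[h], tx[h] }
    ' | sort
}

# host_total HOST [INPUT]: bytes in + out for a single host, 0 if it has none.
host_total() {
    pf_label_bytes traffic- "${2:-$SAMPLE_LABELS}" |
        awk -v h="$1" '$1 == h { t = $2 + $3 } END { print t + 0 }'
}

# Stand-alone run: print the per-host table for the constructed sample.
pf_label_bytes traffic-
```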



Re: network configuration problems

2010-06-20 Thread Rogier Krieger
2010/6/19 Jean-François SIMON jfsimon1...@gmail.com:
> # bash /etc/netstart

As others have pointed at, you'll want /bin/sh instead for this case.

When in doubt what to use, review the top line in the script you're
about to execute and use the shell listed there.


> WARNING: /etc/hostname.re0 is insecure, fixing permissions

It fixes the permissions, so seeing correct permissions afterward
means the fix succeeded. See the relevant lines in /etc/netstart if
you want to know more how it does that.

Regards,

Rogier



Re: anyone use these for firewall?

2010-06-15 Thread Rogier Krieger
On Tue, Jun 15, 2010 at 17:58, Chris Smith obsd_m...@chrissmith.org wrote:
> Ran across these Supermicro boxes:
>
> http://www.supermicro.com/products/system/1U/5015/SYS-5015A-PHF.cfm

If I'm not mistaken it's a system that turned up on the list earlier,
including 4.7 dmesg.

http://marc.info/?l=openbsd-misc&m=127078571618143&w=2
http://marc.info/?l=openbsd-misc&m=127050936423288&w=2

Regards,

Rogier

-- 
If you don't know where you're going, any road will get you there.



Re: Stopped at pf_test_rule+0xa87 [again]

2010-03-10 Thread Rogier Krieger
On Tue, Mar 9, 2010 at 22:25, Price, Joe jpr...@ceccontrols.com wrote:
> In summary, it sounds like Henning may have fixed it from this post:
> http://marc.info/?l=openbsd-cvs&m=124955744915786&w=2

From the message you quoted and seeing r1.655.4.1, it seems the fixes
you refer to made it into 4.6-stable. You may want to run 4.6-stable
to fix your problem; see release(8) on how to build that.


> Also, why didn't this make it to an errata reliability fix?

I don't know, but the following could be an explanation. To quote the FAQ [1]:

Note, however, that patches aren't made for new additions to OpenBSD,
and are only done for important reliability fixes or security problems
that should be addressed right away on impacted systems (which is
often NOT all systems, depending on their purpose).


Regards,

Rogier


References
1. OpenBSD FAQ 10
http://www.openbsd.org/faq/faq10.html#Patches



Re: any known working configuration of OpenBGPd and CARP ?

2010-03-07 Thread Rogier Krieger
On Sun, Mar 7, 2010 at 06:00, Илья Шипицин chipits...@gmail.com
wrote:
> from the network point of view, packets will come from the same MAC and
> IP address (because of CARP), so ... if BACKUP will just continue to
> maintain a session, established by MASTER,  nobody will even know, 1
> sec is nothing in terms of BGP

Your "just continue" sounds a bit optimistic. It could also be called
hijacking a session, though you picked a better purpose and much nicer
words for it. It's of course possible, since stuff such as MD5
signatures and IPsec exist to thwart that sort of thing.

Sounds like a cool idea, though.

Regards,

Rogier



Re: nmbd does not listen

2010-03-07 Thread Rogier Krieger
On Sun, Mar 7, 2010 at 14:31, jean-francois jfsimon1...@gmail.com wrote:
> Is there some basic configuration I missed to do ?

As a quick check, did you start both smbd and nmbd components (ps ax
is your friend here) and did you place the necessary lines in
/etc/rc.local as per the message you received upon install? If you
missed that, see pkg_info(1) and its -M option.

Alternatively, review the log files for samba to see what's (not) happening.

Regards,

Rogier



Re: any known working configuration of OpenBGPd and CARP ?

2010-03-06 Thread Rogier Krieger
On Sat, Mar 6, 2010 at 17:26, Илья Шипицин chipits...@gmail.com
wrote:
> no, I want routes exactly to carp.

That sounds odd. Routes are something different than what particular
host responds to frames directed to a specific hardware address.

If I understand the rest of your description correctly, you want only
the master bgpd to have sessions and to somehow distribute its routes
to the backup(s), with the backups starting with that 'state' and
initiate connections to your BGP peers whenever a master goes down. I
doubt that'll work.

In your scenario, if your master goes down, there are no longer any
BGP sessions up with any of your peers. If I'm not mistaken, that will
cause them to withdraw the prefixes you previously advertised from
their tables and no longer forward traffic to you.

When your new master is promoted, it will set up a new session with
your peers. This is probably not the sort of failover you want to see
happening in production.


I suspect that's just one reason why Henning and Claudio made their
suggestions. The N sessions for N CARP members allows for your remote
peers to maintain a path back towards you and for you to have a
working path out. It is very likely the path of least pain and anguish
with smooth failover. Unless of course static routing were an option.
While not sexy, it's simple (fewer moving parts) and still allows you
to use CARP.

Regards,

Rogier



Re: pf: blocklists

2010-03-04 Thread Rogier Krieger
On Thu, Mar 4, 2010 at 14:34, nixlists nixmli...@gmail.com wrote:
> spamd is great, but I need to filter other traffic. I still wonder how
> people manage to download and convert blocklists for loading into pf

If I understand your question and read the spamd-setup(8) man page
correctly, you may want to try your luck with its '-b' option. Or did
I misunderstand your question?

Besides that, if spamd and spamd-setup work for you, you can use the
spamd table in PF to block access to other targets than SMTP. If you
want to use the spamd-setup mechanic but not want the data to end up
in spamd (and the spamd table), look at its sources and rework it a
bit.


> Often there are syntax errors in the lists, sometimes transfers fail.
> IOW it's unreliable, and I have to do it manually.

If you want to increase reliability of a (vanilla or reworked)
spamd-setup succeeding, you can scrape and parse the lists yourself
and distribute them locally. You mentioned that sucks too, though I
do not directly see why, other than perhaps the work involved or stale
list contents (which can be periodically expired as well).

I suspect it's easier to treat the latter reliability concerns as a
separate issue rather than work it into spamd-setup, but that's just a
personal preference, I suppose.

Regards,

Rogier

-- 
If you don't know where you're going, any road will get you there.



Re: Core dumps from daemon processes?

2010-02-24 Thread Rogier Krieger
Would the following be an improvement for the documentation? Feel free
to flame my mdoc(7) skills or lack thereof.

Regards,

Rogier


### Eclipse Workspace Patch 1.0
#P man5
Index: core.5
===
RCS file: /cvs/src/share/man/man5/core.5,v
retrieving revision 1.12
diff -u -r1.12 core.5
--- core.5  31 May 2007 19:19:58 -  1.12
+++ core.5  24 Feb 2010 18:57:21 -
@@ -158,7 +158,16 @@
 .Xr gdb 1 ,
 .Xr pmdb 1 ,
 .Xr setrlimit 2 ,
-.Xr sigaction 2
+.Xr sigaction 2 ,
+.Xr sysctl 3
+.Sh CAVEATS
+Programs with their set-user-ID bit set will not dump core as a security
+precaution. This prevents sensitive information from ending up on disk.
+For debugging programs affected by this, refer to
+.Xr sysctl 3
+for the
+.Li kern.nosuidcoredump
+option for how to deal with this.
 .Sh HISTORY
 A
 .Nm
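Review bot: the added CAVEATS paragraph puts two sentences on one line ("... as a security precaution. This prevents ...") where mdoc(7) source starts each sentence on its own line, and its last sentence reads doubly ("refer to ... for the ... option for how to deal with this"); split the sentences and tighten the ending, e.g. "To debug such a program, see the kern.nosuidcoredump variable in sysctl 3." Marking the variable with .Va rather than .Li would also fit, since .Va is mdoc's macro for variable names.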



Re: RAID1 : offline - online (how to?)

2010-02-21 Thread Rogier Krieger
On Sun, Feb 21, 2010 at 17:51, Jean-Francois jfsimon1...@gmail.com wrote:
> Sorry for so many questions, but the manual may not always
> answer them.

Did you read bioctl(8) and did you try the -R option that man page
mentions? It would seem appropriate for your question.

> How do we make the device become online again ?

From a (brief) look at the manual and bioctl.c, I get the impression
that providing bioctl -R with the failed chunk (sd0, in your case)
should set off a rebuild of your softraid volume (sd2, in your case).
I haven't had time to explore softraid in practice yet, so take my
advice with a grain of salt.


> BTW does the same apply for physical drives instead of usb pens ?

I would expect 'yes', given that your USB pen attaches as an sd(4).
Ripping out a USB pen is not that different from ripping out a regular
drive, only easier.

Regards,

Rogier

-- 
If you don't know where you're going, any road will get you there.



Re: RAID1 : offline - online (how to?)

2010-02-21 Thread Rogier Krieger
On Sun, Feb 21, 2010 at 19:47, Jean-Francois jfsimon1...@gmail.com wrote:
> Seems appropriate in the latest man, but did not appear in my man page. The -R
> isn't available in version 4.4? Any way to proceed?

As far as I know, softraid didn't support rebuilds in 4.4; it was
added later. Judging from the man page differences between releases,
I'd say it was between 4.4 and 4.5.

If you're in for potentially dangerous advice: perhaps rebuilding the
array with a later release is possible. You probably want to check
with a developer first. Assuming you care for the data on the pens,
make a backup before trying anything.

Regards,

Rogier

-- 
If you don't know where you're going, any road will get you there.



Re: RAID1 : offline - online (how to?)

2010-02-21 Thread Rogier Krieger
On Mon, Feb 22, 2010 at 00:03, Jean-Francois jfsimon1...@gmail.com wrote:
> Making the test again on 4.6, now I have "bioctl: BIOCCREATERAID: Invalid
> argument", however on another machine. Am I wrong at any point?

The kernel complains about invalid metadata, so that may well stop you
from rebuilding your 4.4-softraid array on 4.6. If memory serves me,
the format did change in the past. You could try checking old
revisions of current.html to see if that's the case (or have someone
more knowledgeable confirm it).


> Is there any need to compile raid into the kernel as I saw here ?
> http://www.argon18.com/raid_openbsd.html

Unlikely, since it describes RAIDframe: the OpenBSD reality of about
5 to 6 years ago. That document mentions raidctl(8), for instance.


> Following example (same method as I first used)

I presume your example is a copy-paste without editing and you're
still using the USB pens. Given the metadata complaints in dmesg,
zeroing out the underlying drive chunks may help. That said, it's just
guesswork on my part.

Regards,

Rogier



Re: multiple qemu hosts, typo

2010-02-02 Thread Rogier Krieger
On Tue, Feb 2, 2010 at 15:27, Matthias Pfeifer m...@finance-circle.de wrote:
> [...] Then the second:
<snip>
> this gives me a "cannot create /dev/tun0: Device busy"

If I'm not mistaken, you need separate tun(4) devices per qemu
instance. The reason for that lies in the device being ready for
simultaneous use only by a single process.

To quote tun(4):
 Each device has the exclusive open property; it cannot be opened if it is
 already open and in use by another process.

If I misunderstood, feel free to correct me.

Regards,

Rogier



Re: Jan 28 snapshot - em0 disappeared

2010-02-01 Thread Rogier Krieger
On Mon, Feb 1, 2010 at 07:32, Steve Williams
st...@williamsitconsulting.com wrote:
> I have downloaded the current cvs code and compiled it.  It exhibits the
> same problem, missing em0.

It seems to nicely detect the hardware, just not liking its EEPROM
contents and stopping initialisation there. While you should take a
developer's word over mine, I suppose it's not surprising that
ifconfig(8) does not show the hardware.

Seeing a few Google searches seems to indicate it's not necessarily an
OS problem. While some posts mention an Intel utility (IBAUTIL.EXE) to
configure/manage the built-in boot agent, you will probably want to
search for the correct NIC model and see which specific version/tool
you need.

I included a link [1] to the utility a 5 minute cursory search yielded
me. Use at your own risk, since I can't really be sure it's the
correct one.

Regards,

Rogier


References:
1. Intel Boot Agent BIOS
http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=12344&ProdId=2775&lang=eng



Re: Doubt about updating the ports

2009-12-26 Thread Rogier Krieger
On Sat, Dec 26, 2009 at 20:11, Daniel Bareiro daniel-lis...@gmx.net wrote:
> I'm updating OBSD 4.5-stable to OBSD to 4.6-stable and have a doubt when
> updating ports using this [1] procedure.

The instructions you linked describe how to go from 4.6-release to
4.6-stable, not what you are trying to accomplish (unless you've made
a typo).

If indeed you are at 4.5 and want to go to 4.6, save yourself
considerable trouble and some bashing on misc@ (see the archives for
why) and either:
- upgrade via the FAQ instructions [1]
- wipe/reinstall

If you want to go straight to 4.6-stable, get a hold of the -stable
file sets through someone you trust. You can use those to upgrade or
install a 4.6-stable system. If that's not viable, get the -release
sets and follow release(8) to build your own -stable.

Good luck,

Rogier

References:
1. OpenBSD FAQ - Upgrade Guide 4.6
http://www.openbsd.org/faq/upgrade46.html

-- 
If you don't know where you're going, any road will get you there.



Re: Dell Latitude E6400 'sluggish' keyboard response with ACPI enabled

2009-10-04 Thread Rogier Krieger
On Sun, Oct 4, 2009 at 00:14, Marco Peereboom sl...@peereboom.us wrote:
> This fixes it.  I need to come up with a way to get this in the tree
> without breaking IBM T21.

Indeed it does. Where I originally noticed the problem very quickly
after system startup, it now seems to have disappeared. I still see
acpidump segfaulting (but I can't tell whether that's a related issue
or not). Tested on GENERIC.MP built this morning.

dmesg 4.6-current (Oct. 4, amd64)
http://pastebin.com/f605fda4d

acpidump 4.6-current (Oct. 4, amd64)
http://pastebin.com/f45f19d9d
(acpidump still segfaults when run; if desired, I have the core file saved)

If I can be of help testing further, please let me know. Thanks for
the quick response.

Regards,

Rogier



Dell Latitude E6400 'sluggish' keyboard response with ACPI enabled

2009-10-03 Thread Rogier Krieger
While trying out a Dell Latitude E6400, I notice sluggish keyboard
behaviour. This occurs both in 4.5 as well as the Oct. 2 snapshot
(-current). In each case, I use the amd64 snapshots. The issues
disappear when disabling ACPI via UKC.

What I see is the following: some keypresses being 'missed',
occasional repeats of keys pressed (though only once). Additionally, I
sometimes see a briefly non-responsive mousepad in X.

Trying acpidump(8) results in a segfault (and accompanying coredump).
Are others seeing this as well? I included dmesg and acpidump output
at the links below. Other than that, this laptop seems to work fine
(but I wouldn't be surprised if Dell does some undocumented dark magic
in its ACPI somewhere).

Are others seeing this sort of issue as well or does anyone have a
suggestion as to what to try?


dmesg 4.6-current (Oct. 2 snapshot, amd64)
http://pastebin.com/f40be7a33

acpidump 4.6-current (Oct. 2 snapshot, amd64)
http://pastebin.com/f10da9f0c
(acpidump segfaults when run; if desired, I have the core file saved)

Any insight appreciated,

Rogier



Re: mod_mp3 bug or wtf

2009-09-22 Thread Rogier Krieger
On Tue, Sep 22, 2009 at 01:56, Andrej Elizarov vigilan...@gmail.com wrote:
> I found this example:
>
> mkdir /var/www/music
> mkdir -p /var/www/var/www
> cd /var/www/var/www
> ln -s /var/www/music music
>
> But in this case all mp3s must be inside ServerRoot. Not good.

You're essentially offering web content. Arguably, /var/www is a good
place for that sort of information to be confined to.

If you feel you must plug holes into an essentially sane default, you
can try mounting an NFS export containing the desired files somewhere
within /var/www. See exports(5), mount_nfs(8) and others for more
information.

I'm not fully sure whether re-mounting exported data from 'localhost'
is a good thing. I have it running at a few places (mainly due to
earlier poor planning for /var/www/logs).

Hope this helps,

Rogier

-- 
If you don't know where you're going, any road will get you there.



Re: Updates to several OpenBSD hosts

2009-06-23 Thread Rogier Krieger
On Tue, Jun 23, 2009 at 22:27, Urban Hillebrand m...@urban-online.at wrote:
> My apologies for being unclear. Those hosts are all on different
> locations and nets, even belong to different companies.

You could try using tools such as cfengine and/or puppet (both are in
ports) to have them pull in their configuration form a master host.
Preparing the configuration, scripts, install tools and keeping them
under version control might work for your purposes.

Whether it's worth your effort is up to you. I'd recommend to start
simple, to see if you like it. If so, it should free your hands a bit
to improve on the system.

Perhaps a look at infrastructures.org [1] proves helpful; it was for
me. How you want to deploy such a thing with multiple companies etc.
may take some thought/checking their policies.

Hope this helps,

Rogier

References:
1. Infrastructures.org - Best practices in automated systems
administration [...]
http://www.infrastructures.org/



mod_fastcgi and chroot (4.4/amd64)

2009-04-05 Thread Rogier Krieger
While trying to get a test Catalyst rig running on my 4.4 machine, I
am getting bitten by the chroot(2) feature. Running the following
configuration snippet works fine with httpd_flags=-u but yields the
following httpd error while using chroot.

The machine is a vanilla 4.4-release amd64 box, running the fcgi,
mod_fastcgi and p5-Catalyst-* packages. Dmesg included at the end of
this message (in the hope that it won't be munged too much).

Essentially, I'm looking for a cluebat. I have a feeling a /var/www/
may be stripped off once too often.

Insight greatly appreciated,

Rogier


r...@monitor:/var/www# tail -fn 10 logs/cat-test/error_log
<snip>
[Sun Apr  5 14:05:59 2009] [error] [client 172.25.1.150] File does not
exist: /cat-test/cat-test.fcgi/


Using the following configuration (included in otherwise unchanged
httpd.conf) snippet:

r...@monitor:/var/www# cat conf/cat-test.conf
# FastCGI settings
<IfModule mod_fastcgi.c>
FastCgiIpcDir /var/www/run
FastCgiExternalServer /var/www/cat-test/cat-test.fcgi -socket cat-test.sock
</IfModule>


# VirtualHost settings
Listen 172.25.1.150:80
NameVirtualHost 172.25.1.150:80
<VirtualHost 172.25.1.150:80>
#ServerAdmin    webmaster@
ServerName      cat-test.ht-solutions.lan
#ServerAlias    cat-test.ht-network.lan

DocumentRoot    /var/www/cat-test
Alias /          /var/www/cat-test/cat-test.fcgi/
Alias /cat-test/ /var/www/cat-test/cat-test.fcgi/

# Rewrite URLs without trailing slash
#RewriteRule ^/cat-test$ cat-test/ [R]
# Do not expose CVS directories
<LocationMatch /CVS/>
AllowOverride None
Order deny,allow
Deny from all
</LocationMatch>

# Basic logging
ErrorLog  /var/www/logs/cat-test/error_log
CustomLog /var/www/logs/cat-test/access_log combined
</VirtualHost>


r...@monitor:/var/www# ls -al /var/www/run
total 12
drwxrwx---   3 www   www     512 Apr  5 13:59 .
drwxr-xr-x  13 root  daemon  512 Apr  5 13:52 ..
srwxrwxrwx   1 cat   www       0 Apr  5 13:59 cat-test.sock
drwx------   2 www   www     512 Apr  5 10:36 dynamic


r...@monitor:/var/www# cat /var/run/dmesg.boot

Re: mod_fastcgi and chroot (4.4/amd64) [resolved]

2009-04-05 Thread Rogier Krieger
On Sun, Apr 5, 2009 at 16:35, Rogier Krieger rkrie...@gmail.com wrote:
> While trying to get a test Catalyst rig running on my 4.4 machine, I
> am getting bitten by the chroot(2) feature.

While chroot(2) seems to be the issue, the following two things seem
to make it work as desired.

Make /var/www/var/www a symlink to /var/www [1]
# cd /var/www && mkdir var && cd var && ln -s .. www

Alter the location for the FastCgiExternalServer directive to read:
FastCgiExternalServer /cat-test/cat-test.fcgi -socket cat-test.sock

All of a sudden I now get my expected starting page. Ironic and
humbling to see that the thread contains a post of my own as well ;)

Still, insight and comments appreciated.

Rogier

1. MARC - OpenBSD-misc - Joachim Schipper - Re: ruby on rails derailed [...]
http://marc.info/?l=openbsd-misc&m=113492193517773&w=2

-- 
If you don't know where you're going, any road will get you there.



Re: 4.4 sshd didn't start

2008-11-03 Thread Rogier Krieger
On Mon, Nov 3, 2008 at 21:08, Bryan Irvine [EMAIL PROTECTED] wrote:
> Should be in rc.conf.local?

If I'm not mistaken [1], you will only see a change in
/etc/rc.conf.local if you select 'no' for starting sshd by default.


To the OP:

> On Mon, Nov 3, 2008 at 11:28 AM, elflord woods [EMAIL PROTECTED] wrote:
>> and then i add enable_sshd=YES in /etc/rc.local

The flag name should probably be sshd_flags and not enable_sshd. When
in doubt: look at /etc/rc.conf, but be sure to save changes to
/etc/rc.conf.local to survive upgrades, etc.

If you do not see sshd(8) starting upon reboot yet have selected
'yes', you would do best to check your logs and see where the problem
is. Did you change any files relating to sshd?


>> but then it complains that it could not load host key

What message are you getting w.r.t. the host keys? Report what errors
you see instead of letting others guess. If e.g. you are trying to
write to a read-only location, the (logs of the) boot up sequence may
give useful clues.

Regards,

Rogier


References:
1. OpenBSD CVSweb - src/distrib/miniroot/install.sub - r1.436
http://www.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub?rev=1.436

-- 
If you don't know where you're going, any road will get you there.



Re: OpenLDAP

2008-09-08 Thread Rogier Krieger
On Mon, Sep 8, 2008 at 09:58, my mail [EMAIL PROTECTED] wrote:
> so i can use ldap with bdb backends in OpenBSD 4.4 eh?

Take a look at the port's Makefile [1] which apparently will be in
4.4-release. Excerpt below to save you the searching. If you intended
your remark as sarcasm, it's more likely to pollute the archives
rather than help.

.if ${FLAVOR:L:Mbdb}
BROKEN= OpenLDAP 2.3 is incompatible with Berkeley DB 4.6


If you want to use bdb as a backend, you'll likely have to compile
OpenLDAP manually (see Philip Guenther's earlier post [2] in this
thread, for instance). For extra credit: provide diffs to update the
port to deal with 2.4 :)

Cheers,

Rogier


References:
1. OpenBSD CVSweb - ports/databases/openldap/Makefile (r1.85)
http://www.openbsd.org/cgi-bin/cvsweb/ports/databases/openldap/Makefile?rev=1.85&content-type=text/x-cvsweb-markup
2. MARC.info - OpenBSD-misc, 'Re: OpenLDAP' by Philip Guenther (2008/09/03)
http://marc.info/?l=openbsd-miscm=122046507630763w=2




Re: FAQ License?

2008-07-28 Thread Rogier Krieger
If I'm not mistaken, there has already been a thread [1] on this,
including an explanation [2] of the various considerations involved.

1. MARC.info - OpenBSD-misc - Thread 'BSD Documentation License?'
http://marc.info/?t=12061249355&r=1&w=2

2. MARC.info - OpenBSD-misc - Nick Holland - 'Re: BSD Documentation License?'
http://marc.info/?l=openbsd-misc&m=120618838928361&w=2




Re: RAID/Intel Installation Problem

2008-06-19 Thread Rogier Krieger
On Wed, Jun 18, 2008 at 12:39 PM, Kenneth R Westerback
[EMAIL PROTECTED] wrote:
> If this is the device you expect to provide disks, the only obvious
> candidate I see, it is not currently supported in the RAMDISK_CD
> kernel if at all.

From a quick glance at pciide(4), I suppose it should work. That is,
it would work *without* the in-BIOS RAID.

To the OP: for proper RAID support, best refer to mfi(4), ami(4) or
arc(4) if you want bioctl(8) niceness. Maybe softraid(4) will suit
your needs too (but see the caveats listed in the man page; trying it
out is still on my to-do list).

Cheers,

Rogier




Re: Got Cerfiticate how to use it. WAS: Re: OpenSSL On Openbsd help

2008-06-15 Thread Rogier Krieger
On Sun, Jun 15, 2008 at 9:37 AM, Khalid Schofield
[EMAIL PROTECTED] wrote:
> Running openbsd 4.0 and apache 1.3 . I've loads of virtual hosts on
> apache and I'm now running apache from rc.conf.local with:
>  httpd_flads -u -DSSL .

That probably is a typo and in your rc.conf.local it would read
httpd_flags? Besides that, you would probably serve yourself with an
upgrade to the latest and greatest (4.3) and do so before you upgrade
your web apps.


> Now what? I only want server.crt to be used for one of my virtual hosts.

That will cost you a bunch of IP addresses, one for each distinct SSL
virtual host. You could start by not using the _default_:443 virtual
host.

If you want to make sure none of your other virtual hosts accidentally
get served via the https port, place each individual SSL'd virtual
host on a separate IP address. There is not really a way around that.
Virtual hosts work by the information from the Host: $virtual_host
header being available. For SSL connections, the crypto work needs to
be done before you get that information (which requires you to choose
your virtual host already to select keys, certificates, etc.).


> I've tried all sorts but it doesn't seem to work when I try to connect to 443.

Have you tried the usual batch of:
+ properly connected cables
+ apache error log upon startup
+ ps output listing the httpd processes
+ netstat output listing you have a listener to the https port
+ firewall rules (tcpdump and pflog0 can come in very handy)


> Also apachectl restart doesn't ask for the certificate password. But a
> reboot does. apachectl startssl doesn't ask either.

If you're switching to chrooted operation soon, you should probably
use stop/start and not restart just to get into the right habit. If
httpd does surprising things, you will want to read its error log.


> I've decided to comment out the certificates for the time being.

You don't really want to do that, given that the server will not
automagically load the certificates out of thin air. You'll want to
make sure that the server can open the files, etc. Again, such is
usually listed in your httpd's error log. If you see error numbers
that do not directly make sense to you, check with errno(2).

Hopefully this helps tracking down the problem,

Rogier




Re: How to HIDE OpenBSD as user-agent?

2008-04-29 Thread Rogier Krieger
In hopes of preventing your ending up singed and blackened around the edges...

On Tue, Apr 29, 2008 at 2:18 PM, macintoshzoom
[EMAIL PROTECTED] wrote:
> How to HIDE OpenBSD as user-agent?
>
> For security reasons it is sometimes interesting to hide GLOBALLY the
> O.S. you are running on [...]

It is not. As pointed out on these lists countless times now,
attackers will throw everything they have and see what (if anything)
makes it through. They don't care how they break in, all they want is
to use your systems to their ends.

Do everyone a favour and stop believing in security through obscurity.

Cheers,

Rogier




mpi(4) supporting bio(4)/bioctl(8)?

2008-04-17 Thread Rogier Krieger
Dear list,

From the differences in the man pages for ami(4) and mfi(4) vs mpi(4),
I get the impression that the niceties of bio(4) are not available to
mpi devices. Am I correct in thinking that?

I'm somewhat confused on the matter, given that the NYCBsdCon 2006
slides [1] from Marco Peereboom's talk on Bio and sensors would suggest
basic support (p. 28, Supported Hardware) for mpi devices, but browsing
around the CVS, I do not find bio.h included for /sys/dev/ic/mpi.c [2]
(whereas ami.c and mfi.c do include it [3,4]).

If correct, are there plans or ongoing efforts to make the mpi driver
also support bioctl? If not, I know what sort of equipment to avoid on
a bunch of new servers.

Thanks in advance,

Rogier Krieger


References:
1. NYCBSDCon 2006 - Marco Peereboom - Bio and Sensors in OpenBSD
http://www.openbsd.org/papers/bio.pdf
2. OpenBSD CVSweb - /src/sys/dev/ic/mpi.c (rev. 1.92)
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/ic/mpi.c?rev=1.92&content-type=text/x-cvsweb-markup
3. OpenBSD CVSweb - /src/sys/dev/ic/ami.c (rev. 1.186)
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/ic/ami.c?rev=1.186&content-type=text/x-cvsweb-markup
4. OpenBSD CVSweb - /src/sys/dev/ic/mfi.c (rev. 1.80)
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/ic/mfi.c?rev=1.80&content-type=text/x-cvsweb-markup




Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Rogier Krieger
On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
> You don't really need ntpd on all systems. One (timeserver) runs ntpd,
> and others use rdate, called from cron (once a day is usually enough).

While your suggestion would work, it would also entail more work
without adding benefit. Upon install, you get the question of whether
you want to use ntpd. Starting with 4.2, it even asks for a specific
NTP server.

Using ntpd gets you better synchronisation without the need of setting
something up with cron. Rdate will work, but the work developers put
into (further integrating) ntpd makes rdate appear rather ...
outdated.

Cheers,

Rogier




Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Rogier Krieger
On 10/23/07, Chris Kuethe [EMAIL PROTECTED] wrote:
> Rdate provides a single valuable service: the ability to poll a device
> to see what time it thinks it is (ie. probing the health of my time servers).

Good point; I should probably add that to my monitoring setup.

Thanks for the suggestion,

Rogier.




Re: Network Time Synchronization using timed or ntpd or a Combination?

2007-10-23 Thread Rogier Krieger
On 10/23/07, Boris Goldberg [EMAIL PROTECTED] wrote:
> It's always better to don't run a demon if you don't have to. :)

That sort of remark has often started endless debates. :)

For me, trusting rdate to provide time or using ntpd for it is pretty
much the same, but feel free to disagree. There are no risk-free
activities.

In my book, ntpd gets the job done with less administrative work and
it's made by the same people I trust to provide me with a sensible and
secure system.


> Talking about a more work

If using site.tgz this sort of thing is rather a moot point.


> Anyway, for the last five years no version of OBSD (including 4.2) worked for
> me without tuning a kernel, so an extra line in a crontab is nothing. :)

If you haven't already, it might be wise to track the issue and report
it. Most of my things requiring post-install kernel config got fixed
over the next release, so I'm a happy camper.

Cheers,

Rogier




Re: GSSAPI logins into OpenSSH combined with auto-obtaining AFS tokens

2007-07-11 Thread Rogier Krieger

On 7/10/07, Rogier Krieger [EMAIL PROTECTED] wrote:
> If my clients (MIT KfW, SecureCRT) attempt GSSAPI authentication,
> [...] OpenSSH does not obtain any AFS token, forcing me to run
> afslog manually.

Or put such a command in /etc/ssh/sshrc, as hinted at in sshd(8). This
seems to work in that it provides me with tickets/tokens for both the
Kerberos and GSSAPI cases.

The above seems a bit of a workaround, but I can live with that. I'll
see if I can reproduce this on my 4.1 boxes. If so, I'll report back
to the OpenSSH list, since it strikes me as odd that a session would
do different things (whether or not to obtain an AFS token) based on
how the Krb5 TGT was obtained (password verification or transferred by
GSSAPI).

Cheers,

Rogier




GSSAPI logins into OpenSSH combined with auto-obtaining AFS tokens

2007-07-10 Thread Rogier Krieger

Dear list,

While fiddling around to move my home directories onto AFS, I notice a
bit of interesting behaviour. At a first glance, everything seems just
fine. When logging in through the Krb5 mechanism (as defined in
login.conf), OpenSSH nicely obtains an AFS token for me. Use case:
Windows SSH client entering a username/password upon connecting.

The following scenario, however, does not get me AFS tickets in my
shell: obtaining Krb5 credentials on the client and logging into
OpenSSH through GSSAPI. Although logging in seems to have nicely
transfered my Krb5 ticket, OpenSSH does not obtain an AFS token for
me. Running afslog manually fixes this, but I would greatly prefer to
have afslog run automatically.

Browsing the archives, I gather GSSAPI and Kerberos are treated
differently, but I cannot distill a solution from the results. Is
there any? I'm presently thinking of ways to get 'afslog' to run after
the GSSAPI login is completed. Would the 'approve' stanza in
login.conf and a small script work for this purpose?

Reading the manual, I do get the feeling approve wasn't meant for this
sort of thing, but I figured to best ask here for some good advice.
Insight or a good cluebat are most appreciated.

I'm thinking along the lines of:
(in /etc/login.conf)
:approve=/usr/local/bin/auto-afslog:\
:approve-ftp=/usr/local/bin/auto-afslog:\


(for the script)
#!/bin/sh
# Obtain an AFS token for the home volume of the user logging in.
AFSLOG=/usr/bin/afslog
"${AFSLOG}" -p "${HOME}"

For a ${HOME} based in AFS filespace. If ${HOME} were to be outside
AFS file space, I wouldn't mind the login to fail, since that would be
a worthwhile incident to investigate.

Cheers,

Rogier




Re: GSSAPI logins into OpenSSH combined with auto-obtaining AFS tokens

2007-07-10 Thread Rogier Krieger

As someone kind made me realise in an off-list reply, I should have
included my sshd_config on the machine in question. I should further
note that it is a 3.9-stable machine (although I did not spot changes
relating to the OpenSSH behaviour regarding GSSAPI for the versions
included with 4.0/4.1).

The following parameters differ from the stock sshd_config (the
complete file is at the bottom of this message):
KerberosAuthentication yes
KerberosGetAFSToken yes
GSSAPIAuthentication yes
X11Forwarding yes

The above lines allow me to enter a username/password combination to
login (after which OpenSSH properly obtains the AFS tokens for me). As
I said, this bit works nicely.

If my clients (MIT KfW, SecureCRT) attempt GSSAPI authentication,
OpenSSH properly obtains the Krb5 TGT (with the same end time as the
one listed in my MIT KfW) and lets me login. In the GSSAPI case,
however, OpenSSH does not obtain any AFS token, forcing me to run
afslog manually.

Hence my original question: can/should I use login.conf(5)'s 'approve'
stanza and a special script to run the afslog for me to get my AFS
tokens in order for the GSSAPI case?

Cheers,

Rogier


# cat /etc/ssh/sshd_config
#   $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin without-password
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
KerberosAuthentication yes
#KerberosOrLocalPasswd no
KerberosGetAFSToken yes

# GSSAPI options
GSSAPIAuthentication yes
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server




Re: spamd

2007-06-04 Thread Rogier Krieger

On 6/4/07, Edgars Makra [EMAIL PROTECTED] wrote:
> With one such non passable smtp server admin we tested it via phone. He
> said that prompt is very slow (as it should be), then he got 451 Temp
> error. After 5, 15, 30 and 60 minutes he retried, nothing :(

If you tried connecting by manually performing an SMTP conversation,
be sure to connect from a constant IP address and be especially
careful to send exactly the same information for the MAIL FROM and
RCPT TO commands. A simple typo can mess up your test and explain your
problem.

To prevent typing mistakes, you may want to consider scripting a test,
e.g. by using nc(1) and a constant SMTP conversation. Be sure to make
it a proper SMTP conversation, too, given Bob Beck's remark earlier in
this thread.

Hope this helps,

Rogier

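As an added example (not code from the thread), the Python below does what the reply suggests with nc(1), using sockets instead: a scripted, constant SMTP envelope test against a greylisting MTA that stops before DATA, so nothing is ever delivered, and reports the reply codes. The mx.example.test/example.test names, the loopback stand-in server and the addresses are constructed for the demo; a real spamd stutters its banner, so the timeout is deliberately generous.

```python
import socket
import threading
import time


def _read_reply(fp):
    """Read one (possibly multi-line) SMTP reply; return (code, full_text)."""
    lines = []
    while True:
        raw = fp.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":   # "250-x" continues, "250 x" ends
            break
    return int(lines[-1][:3]), "\n".join(lines)


def smtp_probe(host, port, helo, mail_from, rcpt_to, timeout=120.0):
    """Send a fixed HELO / MAIL FROM / RCPT TO envelope and return the transcript.

    A greylister keys on (source address, sender, recipient), so the same
    triple must be sent on every retry.  The probe never sends DATA, so no
    message is delivered.  Each transcript entry is (command, code, text);
    the first entry is the banner, tagged with how long it took to arrive.
    """
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        fp = sock.makefile("rb")
        started = time.monotonic()
        code, text = _read_reply(fp)       # spamd stutters here: expect seconds
        transcript.append(("<banner after %.1fs>" % (time.monotonic() - started),
                           code, text))
        for cmd in ("HELO %s" % helo, "MAIL FROM:<%s>" % mail_from,
                    "RCPT TO:<%s>" % rcpt_to):
            sock.sendall((cmd + "\r\n").encode("ascii"))
            code, text = _read_reply(fp)
            transcript.append((cmd, code, text))
            if code >= 400:                # 4xx deferred, 5xx rejected: stop
                break
        sock.sendall(b"QUIT\r\n")
        try:
            _read_reply(fp)
        except (ConnectionError, OSError):
            pass
    return transcript


def verdict(transcript):
    """'greylisted' if any reply was 4xx, 'rejected' for 5xx, else 'accepted'."""
    worst = max(code for _, code, _ in transcript)
    if worst >= 500:
        return "rejected"
    if worst >= 400:
        return "greylisted"
    return "accepted"


# Constructed stand-in for a greylisting spamd: accepts the envelope up to
# RCPT TO and then defers with a 451, as the remote admin in the thread saw.
_GREYLISTER_REPLIES = {
    b"HELO": b"250 mx.example.test Hello\r\n",
    b"MAIL": b"250 Ok\r\n",
    b"RCPT": b"451 Temporary failure, please try again later.\r\n",
    b"QUIT": b"221 Bye\r\n",
}


def _fake_greylister(listener):
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 mx.example.test ESMTP\r\n")
        for raw in conn.makefile("rb"):
            verb = raw.strip().split(b" ", 1)[0].split(b":", 1)[0].upper()
            conn.sendall(_GREYLISTER_REPLIES.get(verb, b"500 Unknown command\r\n"))
            if verb == b"QUIT":
                break


def demo():
    """Probe the stand-in greylister on a loopback port; return (transcript, verdict)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_fake_greylister, args=(listener,), daemon=True).start()
    try:
        transcript = smtp_probe("127.0.0.1", listener.getsockname()[1],
                                "probe.example.test", "probe@example.test",
                                "postmaster@example.test")
    finally:
        listener.close()
    return transcript, verdict(transcript)


if __name__ == "__main__":
    transcript, result = demo()
    for cmd, code, _ in transcript:
        print("%-40s %d" % (cmd, code))
    print("verdict:", result)
```

Against a real greylister, run the probe from the same source address each time and keep the envelope identical; a second "greylisted" verdict after the passtime has elapsed means the tuple is not being whitelisted and is worth a look in spamdb(8).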



Re: pf.conf settings

2007-05-29 Thread Rogier Krieger

On 5/28/07, Woodchuck [EMAIL PROTECTED] wrote:
> I wonder if this setup will allow you to do dhcp.  Probably during
> boot, (before it takes effect, when the rules in /etc/rc are active),
> but afterwards, not.

Typically, dhclient(8) uses the bpf(4) devices and is not troubled by
PF's ruleset. If I'm not mistaken, this behaviour is hinted at in the
man page.



> This might be an issue.  I dunno how dhcp communicates, don't use it myself.

If you're interested, you may want to see RFC 2131 and RFC 2132. In
short: DHCP uses UDP datagrams to/from ports 67 and 68.

Typically, conversations start with a discovery (broadcast by the
client). An active DHCP server may then provide a lease offer.
Normally, the client requests the address listed in the offer. If all
goes well, the server acknowledges the request.

Cheers,

Rogier

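Added example, not part of the original reply: the discover/offer/request/ack exchange the reply summarises, built and parsed from the RFC 2131 header and RFC 2132 options in Python, in-process and without sockets (ports 67/68 are only mentioned in comments). The MAC address, the 192.0.2.0/24 addresses, the transaction id and the lease time are constructed values.

```python
import ipaddress
import struct

# RFC 2131 fixed header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr[16], sname[64], file[128]; then the
# RFC 2132 magic cookie and type-length-value options.
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC = bytes([99, 130, 83, 99])
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 51, 53, 54
OPT_PAD, OPT_END = 0, 255


def build(op, xid, chaddr, yiaddr, options):
    """Encode one DHCP message; options is a list of (code, raw_value) pairs."""
    header = struct.pack(
        HEADER, op, 1, 6, 0, xid, 0, 0,
        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC + body + bytes([OPT_END])


def parse(packet):
    """Decode a DHCP message into a dict, rejecting truncated or foreign data."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP message (too short or no magic cookie)")
    fields = struct.unpack_from(HEADER, packet)
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        code = packet[i]
        if code == OPT_PAD:                 # single octet, no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return {"op": fields[0], "xid": fields[4],
            "yiaddr": str(ipaddress.IPv4Address(fields[8])),
            "chaddr": fields[11][:fields[2]], "options": options}


def dora(client_mac, server_ip, offered_ip, lease_secs, xid=0x3903F326):
    """Run discover/offer/request/ack in-process (no sockets) and return the
    four parsed messages in order; constructed example, not dhclient/dhcpd."""
    server_id = ipaddress.IPv4Address(server_ip).packed
    lease = struct.pack("!I", lease_secs)
    # 1. client broadcasts DISCOVER (UDP 68 -> 67) with no address of its own
    discover = parse(build(BOOTREQUEST, xid, client_mac, "0.0.0.0",
                           [(OPT_MSG_TYPE, bytes([DISCOVER]))]))
    # 2. server OFFERs an address in yiaddr, echoing xid and chaddr
    offer = parse(build(BOOTREPLY, discover["xid"], discover["chaddr"], offered_ip,
                        [(OPT_MSG_TYPE, bytes([OFFER])), (OPT_SERVER_ID, server_id),
                         (OPT_LEASE_TIME, lease)]))
    if offer["xid"] != xid or offer["chaddr"] != client_mac:
        raise ValueError("offer is not for our transaction")
    # 3. client REQUESTs the offered address and names the server it picked
    request = parse(build(BOOTREQUEST, xid, client_mac, "0.0.0.0",
                          [(OPT_MSG_TYPE, bytes([REQUEST])),
                           (OPT_REQUESTED_IP, ipaddress.IPv4Address(offer["yiaddr"]).packed),
                           (OPT_SERVER_ID, offer["options"][OPT_SERVER_ID])]))
    # 4. server ACKs only a request for the address and server it offered
    if (request["options"][OPT_SERVER_ID] != server_id or
            request["options"][OPT_REQUESTED_IP] != ipaddress.IPv4Address(offered_ip).packed):
        raise ValueError("request names another server or address")
    ack = parse(build(BOOTREPLY, xid, client_mac, offered_ip,
                      [(OPT_MSG_TYPE, bytes([ACK])), (OPT_SERVER_ID, server_id),
                       (OPT_LEASE_TIME, lease)]))
    return [discover, offer, request, ack]


def message_types(messages):
    """Option 53 value of each message: 1=DISCOVER 2=OFFER 3=REQUEST 5=ACK."""
    return [m["options"][OPT_MSG_TYPE][0] for m in messages]


def lease_seconds(message):
    """Lease time (option 51) carried by an OFFER or ACK."""
    return struct.unpack("!I", message["options"][OPT_LEASE_TIME])[0]


if __name__ == "__main__":
    for m in dora(b"\x00\x11\x22\x33\x44\x55", "192.0.2.1", "192.0.2.50", 3600):
        print("op=%d xid=%#x yiaddr=%s type=%d" % (
            m["op"], m["xid"], m["yiaddr"], m["options"][OPT_MSG_TYPE][0]))
```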



FFS panic on 4.0-release and fsck_ffs troubles (SATA drive on SiI3112)

2007-05-08 Thread Rogier Krieger

On an older piece of hardware (PII-300) running 4.0-release running
local storage at my parents', I experience FFS-related panics when
writing files to the secondary HDD [wd1] (connected to a separate SATA
controller [pciide1]).

Since I lacked a console cable, I copied the trace and ps information
by hand. I see the following panic:

start = 0, len = 7547, fs = /storage
panic: ffs_alloccg: map corrupted
Stopped at  Debugger+0x4:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> trace
Debugger(d0716864,1,daf72ae0,1d7b,0) at Debugger+0x4
panic(d06737d6,0,1d7b,d0bc48d4,40) at panic+0x63
ffs_freefile(d0bc4800,d74ea000,ebd0,8,0) at ffs_freefile+0x5b6
ffs1_blkpref(d3cdf4a8,d3de2f2c,0,4000,d3cdf4fc) at ffs1_blkpref+0x843
ffs1_blkpref(d3cdf4a8,17b,0,4000) at ffs1_blkpref+0x7e4
ffs1_blkpref(d3cdf4a8,13a,18c06c8,4000,d03fcba0,20,d3dbd500,0) at
ffs1_blkpref+0x1ec
ffs_alloc(d3cdf4a8,0,18c06c8,4000,d3dbd500,daf72ca4,d0b203c0,d3c79198)
at ffs_alloc+0x116
ffs1_balloc(d3cdf4a8,0,0,4000,d3dbd500,0,daf72ddc,4000) at ffs1_balloc+0x4a4
ffs_write(daf72e08,d3ce0924,30042,d3c73448,d07173c0) at ffs_write+0x240
VOP_WRITE(d3ce0924,daf72e98,1,d3dbd500,d3ce0924,20002,d3c73448,2) at
VOP_WRITE+0x34
vn_write(d3da09a0,d3da09bc,daf72e98,d3dbd500) at vn_write+0x89
dofilewrite(d3c73448,4,d3da09a0,86e3d000,4) at dofilewrite+0x71
sys_write(d3c73448,daf72f68,daf72f58,4,b0) at sys_write+0x47
syscall() at syscall+0x2ea
--- syscall (number 4) ---
0x1c1ba69:
ddb> ps
  PIDPPIDPGRP   UID S   FLAGS   WAITCOMMAND
*26380  17275   17275  070x6rsync
172757353   17275  03 0x408eselect  rsync
 735324867353  03 0x4086pause   ksh
 2486   204262486   10013 0x4086pause   ksh
20246   10313   10313   10013  0x185select  sshd
10313   14793   10313  03 0x4084netio   sshd
 2831   12831  030x40184select  sendmail
10501   1   1  03 0x4084ttyopn  getty
25497   1   25497  03 0x4086ttyin   getty
16601   1   16601  03 0x4086ttyin   getty
13493   1   13493  03 0x4086ttyin   getty
 1360   11360  03 0x4086ttyin   getty
32381   1   32381  03 0x4086ttyin   getty
30314   1   30314  03   0x84select  cron
 8100   18100  03   0x85select  nmbd
30863   22543   22543  03  0x185pause   smbd
22543   1   22543  03  0x185select  smbd
14793   1   14793  03   0x84select  sshd
 7408   17408  03  0x184select  inetd
20959   1   20959 713  0x184kqread  
ftp-proxy
 7102   17102 773  0x184polldhcpd
28523   1   28523  03   0x84pollntpd
16441   1   16441 833  0x184pollntpd
 972636793679 683  0x184select  isakmpd
 3679   13679  03   0x84netio   isakmpd
 148613171317 703  0x184select  named
 1317   11317  03  0x184netio   named
17875   30083   30083 743  0x184bpf pflogd
30083   1   30083  03   0x84netio   pflogd
 8979   28885   28885 732  0x184syslogd
28885   1   28885  03   0x8cnetio   syslogd
18547   1   18547 773  0x184polldhclient
 3186   1   11906  03   0x86polldhclient
   13   0   0  03   0x100204crypto_wa   crypto
   12   0   0  03   0x100204aiodonedaiodoned
   11   0   0  03   0x100204syncer  update
   10   0   0  03   0x100204cleaner cleaner
9   0   0  03   0x100204reaper  reaper
8   0   0  03   0x100204pgdaemon
pagedaemon
7   0   0  03   0x100204pftmpfpurge
6   0   0  03   0x100204wait
wskbd_hotkey
5   0   0  03   0x100204usbtsk  usbtask
4   0   0  03   

Re: Problem: Raid mounting root as read-only, and not from the partition desired...

2007-04-07 Thread Rogier Krieger

On 4/7/07, Merp.com Volunteer [EMAIL PROTECTED] wrote:
> I used the directions from eclectica here:
> http://www.eclectica.ca/howto/openbsd-software-raid-howto.php

To be blunt: you are using old (3.7) instructions that are not from
the OpenBSD project, that involve compiling your own kernel (see the
FAQ on that [1]), that you do not fully follow either. Why do you
expect help on misc@ (instead of contacting the author of your
instructions)?



> My partitioning scheme is a little different, and maybe that's part
> of the problem.
>
> I'm trying to have it setup as:
> /raid0a =  /boot
> /raid0d =  /

Why do you want a separate /boot? If the answer to that question is
"It works that way on my Linux system", alarm bells should go off,
prompting you to read the documentation. If I misinterpreted things
here, please say so.

The 'a' partition is for your root. Using it for /boot (which is a
single file on OpenBSD, not a directory) is bound to get you strange
results. The raidctl(8) manual, for instance, is quite clear on that
(see the -A root option).


Your easiest option would be to acquire a decent RAID card (the
ami(4), mfi(4) or mpi(4) cards come to mind) and perform a regular
install. Granted, doing so costs money and I do not know your budget.
Given your sender address, the choice probably depends on the scarcer
of the two: volunteers or money. If others will need to maintain the
system after you're involved, spending money to save them time later
may be well worth it.

If you want to continue on RAIDframe (which is a fine product, but
requires more skills from you), I suggest you rethink your partition
scheme and make raid0a the root partition. In fact, I would recommend
starting from scratch and with the documentation to figure out a
proper procedure. You're likely to come out with a better
understanding of the system.

Please document your entire setup (and recovery) procedure for
posterity and fellow volunteers to come. They *will* need it at some
point in time. If you are not planning to do documentation, better
rethink the whole effort.

Cheers,

Rogier


References:
1. OpenBSD FAQ - Why do I need a custom kernel?
http://www.openbsd.org/faq/faq5.html#Why



Re: bcw(4) is gone

2007-04-05 Thread Rogier Krieger

On 4/6/07, Andris Delfino [EMAIL PROTECTED] wrote:
> What's wrong? They protect their license. Period.

No one seems to dispute the right of copyright holders to protect their
licence.

That said, there are more ways than one to protect one's licence. It
hardly seems unreasonable to privately contact the developer in
question before going public, as seems to be the custom in many other
suspected licence issues.

Choosing to first send a private message would likely have remedied
any issues, both quickly and with a lot less fallout. Too bad that
that didn't happen.

Rogier



Re: Problems with X11 traffic over ssh in pf.conf

2007-03-23 Thread Rogier Krieger

On 3/23/07, carlopmart [EMAIL PROTECTED] wrote:
> Do I need to open additional ports or protocols??

Not so much additional ports or protocols, but are you sure you
enabled X11 forwarding?

A few suggestions for things to check:
+ in /etc/ssh/sshd_config, did you enable 'X11Forwarding' ?
+ for the ssh client(s), did you choose to enable X11 forwarding?

In ssh, you can use either the -X command line option or use settings
to that effect in your config file (see ssh_config(5) for more info).

Hope this helps,

Rogier




Re: Problems with X11 traffic over ssh in pf.conf

2007-03-23 Thread Rogier Krieger

On 3/23/07, carlopmart [EMAIL PROTECTED] wrote:
> My problem is with pf rules. If I put on pf.conf pass all, all works ok.

Then the easiest debugging feature is doing a tcpdump on pflog0 for
blocked packets. Assuming (without your pf.conf, it's hard to guess)
you use a default block, add a log clause to that line.

Blocked packets will then show up on tcpdump.
$ sudo tcpdump -n -e -vv -ttt -i pflog0

Hope this helps,

Rogier




Re: ldap authentication troubles

2007-02-23 Thread Rogier Krieger

On 2/21/07, Vijay Sankar [EMAIL PROTECTED] wrote:
> On Wednesday 21 February 2007 10:22, Rogier Krieger wrote:
> > Personally, I'm having trouble using login-ldap with my local(host)
> > LDAP server using SSL.
>
> <snip>
>
> ftl2# more /etc/openldap/ldap.conf
>
> <snip>
>
> TLS_CACERT /etc/ssl/certs/ca.crt

The TLS_CACERT setting did the trick for me. Things work just fine
now. Thank you for that pointer. I knew I was missing something :)

Cheers,

Rogier




Re: ldap authentication troubles

2007-02-21 Thread Rogier Krieger

On 2/21/07, L. V. Lammert [EMAIL PROTECTED] wrote:
> PMFJI, but could you clarify that? Requiring local accounts totally
> defeats the purpose of an LDAP server.

Yes, it does. In fact, it is clearly documented in the login-ldap port
materials.

You may get around said local accounts requirement if you can create
an LDAP-NIS gateway that the OpenBSD machine can talk with. At
present, I do not believe one is available for OpenBSD-based systems.



> What apps have you found do NOT work properly with LDAP?

Personally, I'm having trouble using login-ldap with my local(host)
LDAP server using SSL. It refuses to connect and I can't find where
the problem lies. But since the two run on the same server, I manage
to live with unsecured connections.

Cheers,

Rogier




Re: spamd unnecessarily abrasive?

2007-02-20 Thread Rogier Krieger

On 2/20/07, J Moore [EMAIL PROTECTED] wrote:
> I was under the impression that spamd was supposed to politely defer
> connections from unknown/greylisted hosts.

Given the '451' response in the SMTP conversation, it is a relatively
polite and benign way to defer connections. I doubt a sending MTA will
feel too heartbroken over the accompanying text ;)

Humans shouldn't be connecting to port 25 in any case, unless when
they know what they're doing (and know why they're connecting). End
user connections are what the submission port (589) is for.

For port 589, I recommend the administrator set his MTA software to a
warm and friendly greeting, with a stern message upon failed
authentication. That bit, however, falls outside the scope of spamd.

Cheers,

Rogier




Re: spamd unnecessarily abrasive?

2007-02-20 Thread Rogier Krieger

On 2/20/07, Jimmy Mdkeld | Loopia AB [EMAIL PROTECTED] wrote:
> Rogier Krieger wrote:
> > End user connections are what the submission port (589) is for.
>
> # grep submission /etc/services
> submission  587/tcp
> submission  587/udp

As I meant to say, port 587 ;)

Apparently, it is time for my coffee break.

Cheers,

Rogier




Re: pf rules

2007-02-12 Thread Rogier Krieger

On 2/12/07, Artyom Goryainov [EMAIL PROTECTED] wrote:
> block in quick on $ext_if proto tcp from {!$me, !$mynet} to $ext_if  port 80

You will probably want to see the PF FAQ [1] on this, specifically the
section on Lists and Macros. It tells you why you should use tables
for this purpose. The list expands to a set of separate single rules,
for !$me and !$mynet respectively.

To quote from the FAQ:

Beware of constructs like the following, dubbed negated lists, which
are a common mistake:

   pass in on fxp0 from { 10.0.0.0/8, !10.1.2.3 }

While the intended meaning is usually to match any address within
10.0.0.0/8, except for 10.1.2.3, the rule expands to:

   pass in on fxp0 from 10.0.0.0/8
   pass in on fxp0 from !10.1.2.3


References:
1. PF FAQ - Lists and Macros
http://www.openbsd.org/faq/pf/macros.html


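Added illustration, not code from the thread or the PF FAQ: a Python model of the list expansion pf applies to the quoted rule, with constructed values for $me and $mynet, set beside the negated-table semantics the FAQ recommends. It only models the matching logic; it does not load or run pf.

```python
import ipaddress

# Constructed values for the macros in the quoted rule.
ME = "192.0.2.10"
MYNET = "10.0.0.0/8"


def _contains(spec, addr):
    """True if addr falls inside the host or network written as spec."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def expand_negated_list(members):
    """Model pf's list expansion: 'from { !a, !b }' becomes one rule per item,
    i.e. the source specs ['!a', '!b'], each a complete rule of its own."""
    return ["!" + m for m in members]


def blocked_by_expanded_list(members, addr):
    """Does any of the expanded single rules match addr?  The rules are
    evaluated independently, so an address inside 'a' still matches '!b'."""
    return any(not _contains(spec[1:], addr) for spec in expand_negated_list(members))


def blocked_by_negated_table(members, addr):
    """The intended semantics: one rule 'from !<table>' negating the whole
    set, so only an address outside every member matches."""
    return not any(_contains(m, addr) for m in members)


def compare(addrs, members=(ME, MYNET)):
    """Return {addr: (list_form_blocks, table_form_blocks)} for each address."""
    return {a: (blocked_by_expanded_list(members, a),
                blocked_by_negated_table(members, a)) for a in addrs}


if __name__ == "__main__":
    for addr, (lst, tbl) in compare([ME, "10.1.2.3", "198.51.100.7"]).items():
        print("%-15s negated list blocks: %-5s table blocks: %s" % (addr, lst, tbl))
```

The same fix in pf.conf is a table, e.g. `table <ours> { $me, $mynet }` and `block in quick on $ext_if proto tcp from !<ours> to $ext_if port 80`; the model shows why the list form blocks $me and every host in $mynet as well.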



Re: The OACK Project

2007-01-24 Thread Rogier Krieger

On 1/24/07, Jonathan Eifrig [EMAIL PROTECTED] wrote:
> tftpd[]: oack: Permission denied

That may have something to do with *file* permissions. Quoting tftpd(8):

The use of tftp(1) does not require an account or password on the remote
system.  Due to the lack of authentication information, tftpd will allow
only publicly readable files to be accessed.

Are the files you're trying to serve world-readable?

Cheers,

Rogier




Re: ODBC repost...

2007-01-09 Thread Rogier Krieger

On 1/9/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> We would then like to access that data from our
> mainframe via ODBC to retrieve the records.

Since it's not really clear to me what you intend to do, I am assuming
the following:
+ Your mainframe runs a Windows platform
+ Your OpenBSD machine serves as a database server
+ You're going for PostgreSQL on your OpenBSD machine as your database choice

In that case: install the ODBC plugins available from postgresql.org
onto your Windows machine. Set up an ODBC link and retrieve the data
from PostgreSQL through that ODBC link.

You shouldn't need to install an ODBC package onto your OpenBSD
machine: installing on your Windows mainframe should suffice. All
you'd need to install onto your OpenBSD machine is the PostgreSQL
package.

Hope this helps,

Rogier




Re: PHP5 install error

2006-11-29 Thread Rogier Krieger

Just a quick guess.

On 11/30/06, Brendan Grossman [EMAIL PROTECTED] wrote:
> Can't install php5-core-5.1.4p1-hardened because of conflicts
> (php5-core-5.1.4p1)

Try to delete the conflicting package (php5-core) first. You already
seem to have it installed, blocking the installation for your
differently flavoured package.

# pkg_delete php5-core

Then give your original command another try.

Cheers,

Rogier




Re: Building 4.0 problem

2006-11-02 Thread Rogier Krieger

On 11/2/06, Josh [EMAIL PROTECTED] wrote:
> Following the man release page [...]

Could you elaborate on what branch (-release, -stable, -current) and
version you're trying to build 4.0 on? And of course: which 4.0 branch
are you trying to build?

If it's not working, try the regular binary upgrade or snapshots. The
regular bits of documentation (upgrade guide, tracking -current) still
apply, of course.

Cheers,

Rogier




Re: openbsd mobile question?

2006-10-16 Thread Rogier Krieger

This *really* is something you should have looked up in the archives.
Browse those for more information. The archive is your friend.

On 10/16/06, Jay Jesus Amorin [EMAIL PROTECTED] wrote:
> does openbsd 4.0 supports intel ac'97 modem and intel ipw2200 on laptop?

In short: don't expect Winmodems to work and see iwi(4).

Cheers,

Rogier




Re: best hardware platform for openbsd

2006-10-14 Thread Rogier Krieger

On 10/13/06, Toni Mueller [EMAIL PROTECTED] wrote:
> Thanks for pointing me to bioctl - I was unaware about that - but I
> don't offhand see how I could eg. collect SMART status on the drives
> hanging off such a card.

IIRC, you cannot collect the SMART status on individual drives.
Personally, I don't really mind as I'm not a big fan of SMART. Having
seen drives that showed no issues in SMART, right up to the point of
dying, is bound to change one's perspective.



> Since the machines may very well be not in reach, I don't fancy
> beeping or blinking drive enclosures. I need log entries instead.

The logical disk status on ami(4) devices can also be polled through
sensorsd(8). Perhaps I should also have mentioned that bit.

If you want individual drive statistics, I suppose you would want to
parse bioctl(8) output. I also recommend you take a quick look at
sensorsd.conf(5).

The above works for me, but of course your requirements may be different.

Cheers,

Rogier




Re: best hardware plattform for openbsd

2006-10-13 Thread Rogier Krieger

On 10/13/06, Toni Mueller [EMAIL PROTECTED] wrote:

[...] whether I should stick with RAIDframe [...] or if I should go for
hardware RAID instead [...]


Personally, I find using hardware RAID a lot easier. You can stick
with GENERIC kernels and have fewer problems on installing/upgrading.
For me, that's worth the extra cash spent on hardware.



[...] and fly blind (or which ways do I have to monitor the health
status of disks and RAID [...] w/o disrupting normal operation?).


Using bioctl(8), I find that you're far from blind. Stick with the LSI
ami(4) or mfi(4) gear or Areca arc(4) cards if you want to use bioctl.
IIRC, arc(4) made it to the 4.0 release, but I have yet to try out one
of those cards.

Cheers,

Rogier




persistent fsck error on newly newfs'ed filesystem [BLK(S) MISSING IN BIT MAPS]

2006-10-09 Thread Rogier Krieger

On one of my older P2 machines (running 3.9-stable), I seem to have a
very persistent fsck error: BLK(S) MISSING IN BIT MAPS. Regardless
of whether or not I choose to salvage these, I keep getting the error
below.

The error occurs on an unmounted file system. After choosing to
salvage, fsck seems to complete normally. Running it again yields the
same missing blocks message.

Expecting user error, I emptied the drive using dd, ran fdisk -i and
re-created the disklabel using the built-in editor (disklabel -E).
Even on a newly newfs'ed filesystem, the problem persists.

If anyone could shed some light on what is going wrong, I would
greatly appreciate it. Cluebats are equally welcome.

Output for fsck, fdisk, disklabel, /etc/fstab and dmesg are all
included below. If I should provide other info, please let me know.

Cheers,

Rogier



[EMAIL PROTECTED]:/# fsck -fy /backup
** /dev/rwd1e
** File system is already clean
** Last Mounted on
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
BLK(S) MISSING IN BIT MAPS
SALVAGE? yes

1 files, 1 used, 41280687 free (15 frags, 5160084 blocks, 0.0% fragmentation)

* FILE SYSTEM WAS MODIFIED *



[EMAIL PROTECTED]:/# fdisk wd1
Disk: wd1       geometry: 30401/255/63 [488392065 Sectors]
Offset: 0       Signature: 0xAA55
         Starting       Ending       LBA Info:
 #: id    C   H  S -    C   H  S [       start:      size   ]
------------------------------------------------------------------------
 0: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 1: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
 2: 00    0   0  0 -    0   0  0 [           0:           0 ] unused
*3: A6    0   1  1 - 30400 254 63 [          63:   488392002 ] OpenBSD



[EMAIL PROTECTED]:/# disklabel wd1
# Inside MBR partition 3: type A6 start 63 size 488392002
# /dev/rwd1c:
type: ESDI
disk: ESDI/IDE disk
label: ST3250820AS
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 488397168
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#             size        offset  fstype [fsize bsize  cpg]
  a:       1024065            63  4.2BSD   2048 16384  328 # Cyl     0*-  1015
  b:       3973473     484418592    swap                   # Cyl 480574 -484515*
  c:     488397168             0  unused      0     0      # Cyl     0 -484520
  d:       1048320       1024128  4.2BSD   2048 16384   16 # Cyl  1016 -  2055
  e:     167772528       2072448  4.2BSD   2048 16384  328 # Cyl  2056 -168496
  h:     115343424     169844976  4.2BSD   2048 16384   16 # Cyl 168497 -282924
  i:     167772528     285188400  4.2BSD   2048 16384   16 # Cyl 282925 -449365
  j:      10486224     452960928  4.2BSD   2048 16384   16 # Cyl 449366 -459768
  k:      20971440     463447152  4.2BSD   2048 16384   16 # Cyl 459769 -480573



[EMAIL PROTECTED]:/# cat /etc/fstab
# System drive (WD Caviar 6 GByte IDE)
/dev/wd0a / ffs rw 1 1
#/dev/wd0d /altroot ffs xx 0 0
/dev/wd0e /var ffs rw,nodev,nosuid 1 2
/dev/wd0f /var/log ffs rw,nodev,nosuid 1 2
/dev/wd0g /usr ffs rw,nodev 1 2
/dev/wd0h /data ffs rw,nodev,nosuid 1 2
#
# Secondary drive (Seagate 250 GByte S-ATA)
/dev/wd1d /altroot ffs xx 0 0
/dev/wd1e /backup ffs rw,nodev,nosuid 1 2
/dev/wd1h /home ffs rw,nodev,nosuid 1 2
/dev/wd1i /storage ffs rw,nodev,nosuid,noexec 1 2
/dev/wd1j /var/www ffs ro,nodev,nosuid,noexec 1 2
/dev/wd1k /var/squid ffs ro,nodev,nosuid,noexec 1 2



[EMAIL PROTECTED]:/# dmesg
OpenBSD 3.9-stable (GENERIC) #9: Sun Sep  3 17:34:41 CEST 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 301 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 133799936 (130664K)
avail mem = 115363840 (112660K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(c4) BIOS, date 03/22/98, BIOS32 rev. 0 @ 0xfb4f0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xb968
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf10/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371SB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x02
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Rage Pro rev 0x5c
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 Intel 

Re: mount_null replacement?

2006-10-06 Thread Rogier Krieger

On 10/4/06, G 0kita [EMAIL PROTECTED] wrote:

I notice mount_null was dropped as of OpenBSD 3.8, can someone tell
me first of all why this was done [...]


Various comments to the likes of 'turd polishing' can be found in the
misc@ archives. IIRC, the developers gave up on this piece of
functionality as it just wouldn't work reliably. See the archives and
commit logs for a more detailed description.


Specifically I'm looking to have a writable directory mounted read-only in
another location.


As another poster suggested, you can probably get away with local NFS
mounts. Those have worked for me since 3.8, although I never put them
to anything resembling a stress test. YMMV.

Cheers,

Rogier




Re: NIS server

2006-10-03 Thread Rogier Krieger

On 10/3/06, Joachim Schipper [EMAIL PROTECTED] wrote:

[...] note that at least OpenBSD can authenticate
directly against LDAP, using sysutils/login_ldap.


Personally, I suspect the OP has a specific interest in implementing
NIS. Through NIS, OpenBSD can obtain the information it would
otherwise get from the password file (i.e. user entries). IIRC, there
is no alternative 'nsswitch-like' tool available for OpenBSD. If I'm
wrong on this, feel free to correct me (you'd make me happy).

As nice a tool as login_ldap may be, it still requires you to add such
entries, limiting scalability. Unfortunately, I do not know of an
LDAP-based NIS working on OpenBSD, so this probably isn't too much
help to the OP either. Sorry for wasting the bandwidth.

Cheers,

Rogier




Re: OpenBSD Paypal used against User Agreement?

2006-09-30 Thread Rogier Krieger

On 9/30/06, Karel Kulhavy [EMAIL PROTECTED] wrote:

The PayPal service may not be used solely for the purpose of transferring
money from one individual to another without an underlying transaction for the
sale of goods or services.


It's a payment model to allow a twice-yearly (update of) release of
your favourite software to take place. For the specific transaction,
you buy a spot with your name on it on the donations page.

If you're still uncertain, order a few CD's and wrapping (T-shirts).

Cheers,

Rogier




Re: bioctl(8) and ami(4)

2006-09-15 Thread Rogier Krieger

On 9/15/06, Darrin Chandler [EMAIL PROTECTED] wrote:

[...] mostly I'm looking for a cluestick about bioctl.


AFAIK, this has to do with bugs in the 3.9 bioctl that were fixed in
-current a while ago. The following two threads came up in the
archives:

LSI MegaRaid non-hotspare
http://marc.theaimsgroup.com/?t=11481358623&r=1&w=2

Unable to set Hot Spare on MegaRAID 300-8x
http://marc.theaimsgroup.com/?t=11516052231&r=1&w=2

Hope these help,

Rogier




Re: How to update httpd without a compiller

2006-08-23 Thread Rogier Krieger

On 8/23/06, Juha Saarinen [EMAIL PROTECTED] wrote:

On 8/23/06, Nico Meijer [EMAIL PROTECTED] wrote:
 Set up another, non-production, box with 3.9 and build -stable on that.

snip

Seems a slightly cumbersome way to deal with security issues which may
be urgent, but perhaps that's just me?


Building -stable on a suitable host does not take too long, so I
suppose time constraints will not bite you too often.

Regarding your comment on the process being cumbersome: you use the
same update process as you do for your twice-yearly updates. In this
case, you do not even have to update your configuration in /etc.

I find the process rather easy, and it scales relatively well to
accommodate larger numbers of machines.

If you're working with a single machine, perhaps applying patches to
-release is easier than building -stable. I used to do so before I
obtained a build host. The OP will need a compiler for that, though.

An alternative may be binpatch (see the archives), but I haven't tried
that piece of software yet. IIRC, quite a few people are happy with
that, so it may be worth your while.

Cheers,

Rogier




Re: spamd and TLS on port 25

2006-08-10 Thread Rogier Krieger

On 8/10/06, Will H. Backman [EMAIL PROTECTED] wrote:

Am I correct in assuming that spamd and TLS on port 25 don't get along?


Given a mail server (or MUA) that is configured to require TLS on a
port it connects to, it will likely have a problem with any other end
not offering TLS capability. This is hardly spamd-specific.

However, the above is unlikely to be the case. Some sites may attempt
to setup TLS, but IIRC, they only do so if their counterpart
advertises that capability. Note that spamd doesn't advertise that
capability, so there should be no problem.

Capability advertisement takes place after the EHLO stage. I have
never seen any capabilities offered by spamd. It just does what it's
supposed to do (and no more): let valid mail servers through to your
real MTA.

Once the connection passes through to your real MTA, the rules of
engagement for your real MTA apply. By then, spamd is out of the
picture. Upon issuing EHLO to that server, it should return the
supported service extensions.

As a side note: if you intend to let users submit mail, you'd best use
a different port, such as 587 (negotiate STARTTLS) or 465 (TLS by
default). You wouldn't even be dealing with spamd then.

Cheers,

Rogier

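The capability exchange described in this message, as an added example (not code from the original post or from spamd): a Python parser for an EHLO reply that reports which service extensions the far end advertises. Both replies are constructed samples (one plain greeting without extensions, one modelled on a submission MTA), and the live check at the end assumes a reachable host.

```python
"""Parse SMTP EHLO replies and report advertised extensions (RFC 5321 layout)."""
import smtplib

# Constructed sample replies, not captured from real servers.
PLAIN_GREETING = [
    "250 mail.example.invalid hello",   # single final line, no extension keywords
]
MTA_GREETING = [
    "250-mx.example.invalid",
    "250-PIPELINING",
    "250-SIZE 10485760",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN",
    "250 8BITMIME",
]


def parse_ehlo_reply(lines):
    """Return {EXTENSION: [params]} from a successful EHLO reply.

    Continuation lines use '250-', the final line '250 ' (space). The first
    line carries the server's domain and is not an extension. Raises
    ValueError on anything that does not follow that layout.
    """
    if not lines or not all(ln.startswith("250") for ln in lines):
        raise ValueError("not a successful EHLO reply")
    extensions = {}
    for index, line in enumerate(lines):
        sep = line[3:4]
        if sep not in ("-", " ", ""):
            raise ValueError(f"bad reply line: {line!r}")
        is_last = index == len(lines) - 1
        # a '-' line must not be last, and a non-'-' line must be last
        if (sep == "-") == is_last:
            raise ValueError("continuation/final marker does not match position")
        if index == 0:
            continue  # domain line
        words = line[4:].split()
        if not words:
            continue
        extensions[words[0].upper()] = words[1:]
    return extensions


def advertises_starttls(lines):
    """True when the reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_reply(lines)


def live_starttls_check(host, port=25, timeout=10):
    """Same question asked of a live server (assumed reachable); not run here."""
    with smtplib.SMTP(host, port, timeout=timeout) as session:
        session.ehlo()
        return session.has_extn("starttls")
```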



Re: spamd and TLS on port 25

2006-08-10 Thread Rogier Krieger

On 8/10/06, Will H. Backman [EMAIL PROTECTED] wrote:

Because I require TLS and SMTP-AUTH for relaying purposes, I'm in a
bind. My real problem is getting Exchange to do SMTP-TLS on a different
port, so this is really a non-openbsd issue.


Perhaps you'd benefit from a solution of shielding your Exchange with
a more benign MTA (e.g. Postfix, sendmail) and add spamd into the mix
if you desire.

For relaying, all you need is a way to validate the usernames. Using
the Exchange's LDAP repository as a lookup table for Postfix or
exporting valid users and their passwords to a Postfix lookup table
(file), you could get around your Exchange configuration issue.

In the smtp-proxy [1] thread earlier this week, at least two people
pointed to the Book of Postfix that contains an example (yes, this is
somewhat of a déjà vu).

Cheers,

Rogier


References:
1. MARC openbsd-misc archive: Re: smtp proxy
http://marc.theaimsgroup.com/?l=openbsd-misc&m=115512550405839&w=2




Re: spamd and TLS on port 25

2006-08-10 Thread Rogier Krieger

On 8/10/06, Joachim Schipper [EMAIL PROTECTED] wrote:

Note that at least Postfix has an independent greylisting implementation


True and these implementations may even be quite nice. I never felt
much of a need to try it out after having setup spamd.



Both are likely to work with STARTTLS; spamd isn't going to do that.


And spamd shouldn't, either. For submission purposes, the clean
solution is to use an alternate port (as it's a different bit of the
e-mail system).

For user mail submission, I see no real need to use spamd, either.
Tracing (and handling) offending users is relatively simple once
they're authenticated.

Keep a few sanity checks (e.g. no more than X recipients for a message
or no more than 100 messages a minute) for virus detection and/or
quarantine purposes if you please.

Cheers,

Rogier




Re: spamd and TLS on port 25

2006-08-10 Thread Rogier Krieger

On 8/10/06, Joachim Schipper [EMAIL PROTECTED] wrote:

 Keep a few sanity checks (e.g. no more than X recipients for a message
 or no more than 100 messages a minute)

snip


This also helps against compromised boxes - i.e., it limits the damage.
So it's generally a good idea to have some limit.


For those servicing larger networks such as universities' ResNets or
campus networks, using a mandatory smarthost can be an excellent
detection tool to see which users/stations need to end up in a
quarantine.

Granted, the largest customer base for this sort of thing is likely
to be Windows users. A few exception lists (for those capable
administrators running valid mail servers that push a lot of traffic)
should keep the Unix folks happy.



Also, while STARTTLS does have its merits, it's still better suited for
handling MTA authentication than protecting user data [...]


Very true. STARTTLS really only safeguards the credentials exchange.
Once the MTA relays the message, there are no guarantees on
infrastructure security.

Cheers,

Rogier

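An added example (not from either of the two messages above) of the sanity checks they discuss: Python that applies a recipients-per-message and a messages-per-minute threshold to constructed log lines in a hypothetical submission-log format, returning the users a quarantine policy would act on.

```python
"""Flag submitting users that exceed per-message recipient or per-minute limits."""
import re
from collections import defaultdict
from datetime import datetime

MAX_RECIPIENTS = 50     # recipients allowed on a single message
MAX_PER_MINUTE = 100    # messages allowed in any 60-second window
WINDOW_SECONDS = 60

# Constructed sample lines in a hypothetical submission-log format
# ("<date> <time> submission: user=<name> rcpts=<n>"); not a real MTA's format.
LOG_LINES = [
    "2006-08-10 09:00:01 submission: user=alice rcpts=3",
    "2006-08-10 09:00:05 submission: user=bob rcpts=120",
    "2006-08-10 09:00:07 kernel: unrelated noise that the parser must skip",
]
# carol sends two messages per second for 55 seconds: 110 messages inside one minute
for _sec in range(55):
    LOG_LINES += [f"2006-08-10 09:01:{_sec:02d} submission: user=carol rcpts=1"] * 2

LINE_RE = re.compile(r"^(\S+ \S+) submission: user=(\S+) rcpts=(\d+)$")


def parse_log(lines):
    """Return (timestamp, user, recipient_count) tuples for matching lines."""
    records = []
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue
        stamp = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        records.append((stamp, match.group(2), int(match.group(3))))
    return records


def peak_per_window(timestamps, window=WINDOW_SECONDS):
    """Largest number of events falling inside any window-second span."""
    stamps = sorted(timestamps)
    peak = start = 0
    for end, current in enumerate(stamps):
        # slide the window start forward until it lies within `window` seconds
        while (current - stamps[start]).total_seconds() >= window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def find_violations(records, max_rcpts=MAX_RECIPIENTS, max_per_minute=MAX_PER_MINUTE):
    """Map user -> set of violated limits ("recipients", "rate")."""
    per_user = defaultdict(list)
    violations = defaultdict(set)
    for stamp, user, rcpts in records:
        per_user[user].append(stamp)
        if rcpts > max_rcpts:
            violations[user].add("recipients")
    for user, stamps in per_user.items():
        if peak_per_window(stamps) > max_per_minute:
            violations[user].add("rate")
    return dict(violations)
```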



Re: smtp proxy

2006-08-09 Thread Rogier Krieger

From the behaviour you describe, your design takes an effort at
tearing down just about the nicest part of SMTP: its resilience
against network outages.


On 8/9/06, openbsd misc [EMAIL PROTECTED] wrote:

the smtp proxy should not be allowed to queue a message, else the
size of the ramdisk would set the maximum message size.


I wonder what your rationale is behind your intention to have the
proxy function from RAM. It seems to cause more problems than it
solves.



[...] I need a solution that streams the mail after checking the
envelope (smtp session) information.



From a functional point of view, you need a proxy that kills off
unwanted messages and reliably delivers them to your Exchange device.

Shielding an Exchange server from the big bad Internet is good
practice. I can heartily second Rod Whitworth's suggestion and assure
you it works quite well.

Your streaming wish seems to come from your wish not to store data on
a ramdisk. Once again: why have the ramdisk at all?



It should also drop the connection if the exchange server is down.


You could do that and perhaps there are several good reasons for
dropping connectivity. Keep in mind that you're actively shutting down
SMTP-availability for your site with such a measure.

What do you specifically need your Exchange server for that you must
shut down your site in case it is unavailable?

Allowing for your proxy to have an up-to-date table of valid users can
be achieved quite simply without having to sacrifice SMTP-availability
(once again, see the Book of Postfix example for pointers, p. 174 and
onwards).



Without that problem I would take qmail.


Qmail (SMTP) stores its work in progress in /var/qmail/queue. I'll
admit not having checked the QMTP/QMQP sources, but I suspect
qmail-qmtpd or qmail-qmqpd store their work there as well.

It's been a while since I actively administered qmail (and I'm
reluctant to touch our last few remaining qmail setups to find out
more).


Cheers,

Rogier




Re: Alternative superuser aside from root

2006-08-08 Thread Rogier Krieger

On 8/8/06, Tito Mari Francis Escaqo [EMAIL PROTECTED] wrote:

Is it possible to replace root with another username as superuser?


Sure, just change its password entry. That said, I wouldn't recommend
wasting your time on this.



This could make the system very secure because when it comes to
BSD/Unix/Linux, the root is the most coveted user account.


No, it wouldn't make your system any more secure than it was before
the change. I recommend you read the archives to see why your
suggestion isn't too worthwhile.

One reason why s/root/anything/ won't help you much is that its UID is
still 0. In other words: you still have an almighty user on the
system.

The concept of usernames is primarily to make things easier for us
humans. Under the hood, things work in terms of (numeric) UIDs/GIDs.
As a hacker, you'd just go for UID 0.

Cheers,

Rogier

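An added example (not from the original post) of the UID-versus-name point made above: a Python audit over constructed passwd(5)-style entries that lists every UID 0 account whatever it is called, and which of those still have a usable login shell.

```python
"""Audit passwd(5)-style entries: UID 0 is what matters, not the name 'root'."""
from collections import defaultdict

# Constructed sample entries, not copied from a real system.
PASSWD_LINES = [
    "root:*:0:0:Charlie &:/root:/bin/ksh",
    "toor:*:0:0:Bourne-again Superuser:/root:",
    "daemon:*:1:1:The devil himself:/root:/sbin/nologin",
    "admin:*:0:0:Renamed superuser:/root:/sbin/nologin",
    "www:*:67:67:HTTP Server:/var/www:/sbin/nologin",
    "# comment lines and blanks are ignored",
    "",
]

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
NON_LOGIN_SHELLS = ("/sbin/nologin", "/bin/false")


def parse_passwd(lines):
    """Parse colon-separated entries; skip blanks and comments; reject bad lines."""
    entries = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed entry: {line!r}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def superuser_accounts(entries):
    """Every account with UID 0 is a superuser, regardless of its name."""
    return [e["name"] for e in entries if e["uid"] == 0]


def interactive_superusers(entries):
    """UID 0 accounts whose shell permits a login (an empty field means /bin/sh)."""
    return [e["name"] for e in entries
            if e["uid"] == 0 and e["shell"] not in NON_LOGIN_SHELLS]


def duplicate_uids(entries):
    """UIDs shared by more than one account; several UID 0 names is the usual find."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}
```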



Re: watchdogd

2006-08-05 Thread Rogier Krieger

On 8/5/06, Felix Kronlage [EMAIL PROTECTED] wrote:

I think, silent by default with -v for more information seems more
appropriate too.


Would you care to elaborate why you want the default behaviour (notify
on a changed timeout) altered?

The proposed patch by the OP doesn't cause changes for existing users.
Your suggestion does. Are there that many noisy devices? I'm just
curious.

Cheers,

Rogier




Re: OpenBSD's own compiler

2006-07-31 Thread Rogier Krieger

On 7/31/06, R. Tyler Ballance [EMAIL PROTECTED] wrote:

Jeeez, talk about an overreaction to the suggestion. [...] It's not that far
fetched of an idea


Given the times that this question popped up in the archives, Mickey's
reaction isn't too surprising. From the past discussions, I gather
that a change of compiler would be a massive job, regardless of the
compiler changed to.

That said, I'll happily admit that I didn't make a time estimate for the job.



[...] remember a spin-off project that the OpenBSD guys are responsible
that's become the most heavily used SSH code on the planet...


Given the History page on OpenSSH.org [1], licensing terms are likely
to have been a factor as well. To quote:

OpenSSH is a derivative of the original free ssh 1.2.12 release from
Tatu Ylönen. This version was the last one which was free enough for
reuse by our project.



[...] but I'm certain it'd just take a few talented individuals with spare
time to really get it [TeNDRA] going again.


The above does not include the work done on actually obtaining a
compiler desired. Be it from scratch or by working on existing code, I
recommend to be careful whose spare time you volunteer.

Cheers,

Rogier


References:
1. OpenSSH Project History and Credits
http://www.openssh.org/history.html




Re: SATA DVD Support?

2006-07-29 Thread Rogier Krieger

On 7/29/06, J Moore [EMAIL PROTECTED] wrote:

I guess that squelches plans for a SATA HDD as well :(


If by that you mean you expect OpenBSD to not support SATA HDDs, I can
happily assure you you're wrong. OpenBSD supports various SATA
controllers (such as your SiI 3112, the SiI 3114, etc.). I have yet to
encounter a SATA HDD it does not support.

Regarding SATA DVD drives, I have no experience with those (as in: I
have yet to encounter them) so I cannot tell you whether they should
work or not.

Cheers,

Rogier




Re: VPN(8)

2006-07-26 Thread Rogier Krieger

On 7/26/06, Gustavo Rios [EMAIL PROTECTED] wrote:

 # Pass encrypted traffic to/from security gateways
 pass in proto esp from $GATEWAY_B to $GATEWAY_A
 pass out proto esp from $GATEWAY_A to $GATEWAY_B

In the last two line above, if i wanted to specify the interface,
which of enc0 or $ext_if, should i use?


$ext_if, given the following rationale:

Your external interface will see the packets with ESP payload coming
from / going to the other gateway(s). Inbound, these packets require
processing; outbound, they are the result of processing. Your external
interface cannot - unless you do *very* unwise things - see the
internals of those packets; that's what your enc(4) interfaces can
help you with.


From enc(4):

The enc interface allows an administrator to see outgoing packets before
they have been processed by ipsec(4), or incoming packets after they have
been similarly processed, via tcpdump(8).

Cheers,

Rogier




Re: Help to debug Openbsd freezes...

2006-07-26 Thread Rogier Krieger

On 7/24/06, Xavier Mertens [EMAIL PROTECTED] wrote:

It's still running 3.5 (ok, ok, don't shoot, it's an old one but
upgrades are not easy).


As another poster already mentioned: upgrades are an easy and well
documented process. Do your specific circumstances (e.g. problems to
physically access your co-located machines) make upgrades painful?

If so, you should probably solve that problem. If you can't perform
routine work such as upgrades, what do you do when an emergency pops
up?



For two weeks now, the box freezes randomly...


I've encountered such trouble as well. Several times, replacing the
power supply did the trick. You may want to keep those around at the
data centre.

Cheers,

Rogier




Re: stopping robots

2006-07-25 Thread Rogier Krieger

On 7/25/06, prad [EMAIL PROTECTED] wrote:

what is the best way to stop those robots and spiders from getting in?


The sure way to stop robots and spiders is to shut down your web
server. I don't suppose that's the answer you're looking for.

Treat malicious robots as malicious/unwelcome users. For whatever your
definition of malicious, do not expect to be able to easily discern
between regular human users and robots. It's too easy to alter
user-agent strings, etc. to rely on those without precautions (as with
all client-generated input).



.htaccess?


That might help, but not solve your problem discerning between human
and automated clients. Also, the usual problems/threats regarding
credentials will of course apply. Mind you, automated processes
(robots) can also use credentials.

Possibly you can also use CAPTCHA. Various modules (PHP, Perl) exist
that allow to integrate these easily. Whether (or when) robots will be
able to fool these tests is another matter.



robot.txt and apache directives?


Well-behaved robots will adhere to measures such as (x)html meta tags,
robots.txt files, etc. Other robots may not.



find them on the access_log and block with pf?


Using access_log means you're using information gathered from after the fact.



which are good robots and which are bad?


Apart from robots/spiders potentially being an excellent friend,
allowing robots (e.g. Google) may also have undesirable side effects.
Such effects range from out-dated information being displayed to
search engine users to sensitive data being stored on servers outside
your influence. I'm sure there are many more.

I'd recommend you think about your threat model first and use that to
determine which information you deem sensitive and to what lengths you
will go to secure that information.

Cheers,

Rogier




alias addresses with dhclient - exits with buf_read (connection closed)

2006-07-24 Thread Rogier Krieger

When using the alias clause (per dhclient.conf(5)), I encounter a
problem with dhclient: it immediately exits after obtaining a lease.
It does seem to set the requested alias, however.

It exits with the following syslog messages:
Jul 22 16:14:11 sol dhclient[1937]: buf_read (connection closed)
Jul 22 16:14:11 sol dhclient[1937]: exiting.

I would expect dhclient to keep running as it normally does (i.e.
without aliases). Given the manual (and barring configuration errors),
I would expect this functionality to be supported. Is that correct or
are there caveats? I could not find these in the manual/faq/Google.

If I remove the alias clause from the dhclient.conf file (included
below), dhclient works as expected: it obtains a lease, sets the
interface address and keeps running. Adding the alias clause seems to
cause this symptom.


I traced the exit message above to the privsep.c file included with
the dhclient sources. I suspect something causes the connection to the
privileged process to close. I cannot find out what specific condition
causes it to close, though.

In the dhclient(8) and dhclient.conf(5) manuals, I cannot find
information on how to obtain more verbose logging. Suggestions on how
to obtain more information are more than welcome, if anyone has them.
I've seen several threads [1,2] describe this issue, but I failed to
find answers indicating what the underlying problem is.

My dhclient configuration:

# cat /etc/dhclient.conf
# Generic settings
initial-interval 1;
send host-name sol;


# ADSL uplink
interface rl0 {
   # Prepend our own information where needed (DNS)
   prepend domain-name-servers 127.0.0.1;

   # Request other information from the DHCP server
   request host-name, subnet-mask, broadcast-address, routers, domain-name-servers, time-offset;

   # Supersede some information obtained from the DHCP server
   #supersede routers 10.0.0.138;
   #supersede subnet-mask 255.255.255.0;
}

# ADSL modem connection
alias {
  interface rl0;
  fixed-address 10.0.0.10;
  option subnet-mask 255.255.255.255;
}


My system's dmesg:

# cat /var/run/dmesg.boot
OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II (GenuineIntel 686-class, 512KB L2 cache) 301 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 133799936 (130664K)
avail mem = 115367936 (112664K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(c4) BIOS, date 03/22/98, BIOS32 rev. 0 @ 0xfb4f0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xb968
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf10/128 (6 entries)
pcibios0: PCI Exclusive IRQs: 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (Intel 82371SB ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82443BX AGP rev 0x02
ppb0 at pci0 dev 1 function 0 Intel 82443BX AGP rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Rage Pro rev 0x5c
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 Intel 82371AB PIIX4 ISA rev 0x02
pciide0 at pci0 dev 7 function 1 Intel 82371AB IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: WDC AC36400L
wd0: 16-sector PIO, LBA, 6149MB, 12594960 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: E-IDE, CD-ROM 36X/AKU, U10I SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 Intel 82371AB USB rev 0x01: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piixpm0 at pci0 dev 7 function 3 Intel 82371AB Power rev 0x02: polling
iic0 at piixpm0
unknown at iic0 addr 0x28 not configured
rl0 at pci0 dev 9 function 0 Realtek 8139 rev 0x10: irq 11, address 00:e0:4c:3c:5b:0d
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci0 dev 11 function 0 Realtek 8139 rev 0x10: irq 12, address 00:e0:4c:69:ec:31
rlphy1 at rl1 phy 0: RTL internal PHY
pciide1 at pci0 dev 12 function 0 CMD Technology SiI3112 SATA rev 0x02: DMA
pciide1: using irq 10 for native-PCI interrupt
pciide1: port 0: device present, speed: 1.5Gb/s
wd1 at pciide1 channel 0 drive 0: ST3250820AS
wd1: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd1(pciide1:0:0): using BIOS timings, Ultra-DMA mode 6
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot

Re: alias addresses with dhclient - exits with buf_read (connection closed)

2006-07-24 Thread Rogier Krieger

On 7/24/06, Matthias Bertschy [EMAIL PROTECTED] wrote:

I have encountered this problem, and Kenneth helped me with some diffs.


Glad to see you got a follow-up on that thread. I didn't find it in
the archives, though. When can one obtain these diffs?



I have tested them and they work, but I don't know if they are already in CVS...


I'll admit that I haven't checked this with -current. If you could
send me the diffs as well, I'd be happy to verify. I saw several
changes in the sources beyond 3.9-release, but it'd be easier to check
with the diffs around.

Cheers,

Rogier




Re: Why ksh?

2006-07-23 Thread Rogier Krieger

On 7/21/06, Pedro Timóteo [EMAIL PROTECTED] wrote:

In bash, I often type a command, but then think I want to have all the
xterm for this, so I press CTRL-L and then RETURN.


How about the following: press CTRL+A, prepend "clear; " to your
command line and use CTRL+E to return to where you were editing.

Cheers,

Rogier



