Re: PF and CLamAV Integration - how to do it?

2009-03-19 Thread Tim Donahue
Protocol Six Consulting wrote:
 Hi,
 
 I was wondering if anyone here knows how to integrate the PF firewall
 with ClamAV.
 
 I am planning on putting into production an OpenBSD firewall and would
 like to do virus scanning at the network perimeter.
 I am definitely interested in scanning email traffic, but also possibly
 Web and IRC (and any other traffic types that makes sense) for a group
 of 25 people.

For email, I used to run Postfix on my firewall.  Postfix would scan the
mail using amavisd-new (which scanned the mail with SpamAssassin and
ClamAV) and would pass the clean mail to our internal Exchange server.
Here is a good guide on how to configure this sort of relay.

http://flakshack.com/anti-spam/wiki/index.php

 Unfortunately I've not seen any real discussion or howtos for this type
 of integration.
 I've also looked in the PF FAQ pages and in the archives of Openbsd-misc
 or Openbsd-PF.
 Finally, the BookOfPF (which I like a lot!!) doesn't seem to touch on
 this topic either.
 
 I suspect my mental picture of how PF and ClamAV work together may be
 flawed or incomplete.
 I guess I'm assuming there is a way to have PF pass information directly
 to ClamAV, but perhaps some middle-ware glue is necessary.

You would need some sort of proxy to reassemble the files to scan with
ClamAV.  PF can transparently pass traffic to squid, which I believe can
use ClamAV for scanning.  I found this email on how to configure PF to pass
the traffic to squid.

http://marc.info/?l=squid-users&m=120938897115089&w=2


Tim Donahue



Re: openbsd in virtualization

2009-03-19 Thread Tim Donahue
sonjaya wrote:
 Yes, that is my point: if I use OBSD as a guest OS it will reduce the
 benefit of OBSD.
 
 So now only two candidates:
 - XEN
 - qemu
 - vmware server (price is high)
 - virtualbox SUN
 
 Maybe I will try those candidates.
 
 Thank's for all sharing :)
 

I run OpenBSD under VMware Server and ESXi. (Both are free)  It is
fairly stable and the performance isn't bad.  I would recommend you use
the Other Linux (64-bit) profile so you can get access to the e1000
virtual NIC.

I could not get OpenBSD 4.4 or 4.5-beta to run under XenServer, it would
install and start booting but would lock up during the boot.  If anyone
knows how to solve this, I would love to hear what you did.

Tim



Re: openbsd in virtualization

2009-03-19 Thread Tim Donahue
Mike wrote:
 Installing 60 physical servers to give the students something to play
 with is not fun :(

 
 
 I am interested in a similar situation; how did you achieve the 60 VMs?
 
 BTW, how many VMs can I set up using a fast/souped-up laptop in an
 @home environment, which would be something that one would set up in a
 work environment?
 
 thanks
 

I would use a couple of Dell 2950's with 8/16GB of RAM and some big
disks.  Running ESXi or one of the other supported systems by these
tools, you can use something like MLN[1], oVirt[2], or OpenQRM[3] to
manage deploying Lab environments with standardized images.  VMware
and Citrix XenServer also have pay-for-play Lab management tools for
their respective systems.

On your laptop you can have as many VM's as you have disk space for.
The limiting factor to how many you can have running will probably be
how much memory you are limited to in your laptop.

[1] - http://mln.sourceforge.net/
[2] - http://ovirt.org/
[3] - http://openqrm.com/

Tim Donahue



Re: openbsd in virtualization

2009-03-19 Thread Tim Donahue
dt...@drizzle.com wrote:
 Tim Donahue wrote:
 
 I run OpenBSD under VMware Server and ESXi. (Both are free)  It is
 fairly stable and the performance isn't bad.  I would recommend you use
 the Other Linux (64-bit) profile so you can get access to the e1000
 virtual NIC.
 
 In an earlier thread, I noted that I had severe performance problems
 when running OpenBSD using the Other Linux (64-bit) profile. Have you
 not encountered this?  If not, would you mind posting the .vmx file and
 a dmesg from the guest?
 
 Thank you ... -d
 

I don't have the VM image around any more, but I don't remember any
unexpected performance problems.  The VM was acting as a firewall/DHCP
server to a virtual switch on the ESXi system so it wasn't very heavily
loaded.

I thought I had used the 'Other Linux (64-bit)' profile when I built it,
but it could have been the 'Other (64-bit)' profile.  I do have a couple
questions.  Was it ESX that you had the performance problems with and
what kind of work load were you running on the system?

Tim Donahue



Re: Unfortunate dot was ... missing

2009-02-24 Thread Tim Donahue
Jean-Francois wrote:
 All,
 
 I just forgot the dot!! in the 'rm -r ./dev', so I have no /dev anymore
 on my server box.
 Can one tell me if it is possible to back up the system without a fresh
 install?
 This is an i386 4.4 OpenBSD. Could one eventually send me, one way or
 another, the full /dev in case this option actually works?
 
 Thanks
 JF
 

Assuming that you haven't rebooted the box yet, you have a terminal
open, and you either have a copy of the /dev/MAKEDEV script or have the
source on the system, you should be able to recover without much trouble.

All the device nodes in /dev are created with the MAKEDEV script.  To
recreate them, all you need to do is copy the MAKEDEV script back into
the /dev directory and run the following command.

# sh MAKEDEV all

Tim Donahue



Re: wireless barcode scanners

2008-06-23 Thread Tim Donahue

Quoting Jacob Yocom-Piatt [EMAIL PROTECTED]:


does anyone on list know if wireless (e.g. bluetooth) barcode scanners
can or do work with openbsd? couldn't find much information about it
after searching.

the application is inventory tracking, etc, where several users would
concurrently scan and have barcodes register with a single machine. if
the devices simply spit out the barcodes over bluetooth, i expect there
is a way to achieve this.



I don't have one to test with OpenBSD, but how about the Symbol P470  
scanner?  It is cordless and according to the description, it talks  
back to a base station that acts as a keyboard wedge.


--
Tim Donahue


This message was sent using IMP, the Internet Messaging Program.



Re: wireless barcode scanners

2008-06-23 Thread Tim Donahue

Unless I am mistaken, Jake is looking for a barcode scanner.  These
are typically not SCSI devices (none that I know of are, at least),
they are typically Serial, PS/2, or USB HID devices.  All they do is
translate the barcode scanned into ASCII for processing by some
application.  Some newer scanners use Bluetooth, but there are also
cordless scanners that talk to a base station that translates the
wireless signal into serial, PS/2 or USB input.

I can say with 100% certainty (I have one in front of me, ATM) that
the Symbol LS1203 works with no problems with OpenBSD.  Here is what
dmesg reports when I attach the scanner.

uhidev1 at uhub4 port 1 configuration 1 interface 0 "Symbol
Technologies, Inc, 2002 Symbol Bar Code Scanner" rev 2.00/2.01 addr 2
uhidev1: iclass 3/1
ukbd1 at uhidev1: 8 modifier keys, 6 key codes, country code 33
wskbd2 at ukbd1 mux 1
wskbd2: connecting to wsdisplay0

As you can see, there is no SCSI black magic or any proprietary voodoo
going on here.  The scanner is simply detected as a USB keyboard, and
acts just like one in my day to day use of it.

Tim Donahue

Quoting Predrag Punosevac [EMAIL PROTECTED]:


Jacob Yocom-Piatt wrote:

Dear Jacob,

That is a very interesting question. I was always wondering myself if
it is possible to use those bar code scanners with OpenBSD.

Anyhow, this is what I found.

Obviously bar code scanners work completely differently than
Image scanners which are supported by sane-backends

http://www.sane-project.org/old-archive/2001-06/0111.html

The second thing I found is that they are not very hard to hack,
as they are essentially simple SCSI devices.  Somebody started a
project in 2000
http://sourceforge.net/projects/uscan/

but never finished. It looks like people have been sued over those
drivers as it looks to me that those scanners are very lucrative
proprietary market.

Finally, it looks like there might be a very simple hardware solution for you

http://www.readerware.com/rwbarcodespec.html

Look at the bottom of the page. There is a bunch of scanners that
should just work with OpenBSD. How? It looks to me that when you scan
the bar code this bar code gets memorized by the device and you can
mount device memory as SCSI drive or download via the network.

Sort of like USB memory stick or Digital camera.
I have not looked things very carefully so I might be very wrong.
I am really curious if you really get those things to work with Open.

Please keep me posted.

Most Kind Regards,
Predrag


does anyone on list know if wireless (e.g. bluetooth) barcode
scanners can or do work with openbsd? couldn't find much
information about it after searching.

the application is inventory tracking, etc, where several users
would concurrently scan and have barcodes register with a single
machine. if the devices simply spit out the barcodes over
bluetooth, i expect there is a way to achieve this.

cheers,
jake




--
Tim Donahue





Re: pass pasword to ssh

2008-06-19 Thread Tim Donahue

Quoting Richard Storm [EMAIL PROTECTED]:


I am writing a script that would ssh to a switch and dump the configuration to a file.


FYI, there may be a more effective way than writing your own script.   
Check out RANCID.  It will manage just about any device from just  
about any vendor and manage the configs and changes through CVS.  This  
of course gives you a nice revision history when things go wrong.



1) Since it is a switch, I have no way to make use of public key
authentication, because I have no way to store a pubkey on the switch.


You may want to check with your vendor, many switches/routers can be  
logged into with a public key now.



2) Since I'm using dedicated box for backups, I don't need to hide
password from ps.


What is the cleanest way to pass password to ssh?


RANCID uses expect scripts to do the logins.

--
Tim Donahue





Re: how long does pftop track state?

2008-06-12 Thread Tim Donahue

Quoting David Newman [EMAIL PROTECTED]:


Looking for info on seeing near-real-time or real-time info on TCP
connection states using pftop.

A 4.3-release box has pf rules that allow Windows Remote Desktop
connections from a handful of sources.

pftop shows entries something like the following:

PR  DIR SRC             DEST            STATE  AGE    EXP    PKTS   BYTES
tcp I   666.1.2.3:2048  666.4.5.6:3389  4:4    32387  57663  40930  10M
tcp O   666.1.2.3:2048  666.4.5.6:3389  4:4    32397  57653  40930  10M

Problem is, this RDC session ended more than two hours ago.

The pftop(8) manpage says the EXP column means there are more than
40,000 seconds left until these entries expire.

Is there some better way of monitoring current TCP connection states?



Perhaps the connection didn't close cleanly?  You can use `pfctl -ss
-v` to show all the states and their ages, etc.



ps. Tangential, but where can I learn more about the STATE column
above? I don't see anything in the manpage about the meaning of 4:4
but perhaps I missed it.


It seems to be the numerical representation of the state's status in
pf's state table, i.e.  4:4 == ESTABLISHED:ESTABLISHED.  Grab putty or
something and maximize the window to see the descriptive versions.

--
Tim Donahue


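An added example (mine, not from the thread) that decodes pftop's numeric STATE column with pf's TCP state numbering and flags ESTABLISHED states older than a threshold, which is the pattern in the listing above. The sample lines are constructed to mirror the post's columns (PR DIR SRC DEST STATE AGE EXP PKTS BYTES) with AGE and EXP in seconds as the post shows them; `pfctl -ss -v` prints a different layout and is not parsed here.

```python
"""Decode pftop's numeric STATE column and flag long-lived TCP states."""
import re

# TCP states by number, as in OpenBSD's netinet/tcp_fsm.h (TCPS_*); pf
# keeps each side's state in this numbering, and pftop prints the numbers
# when the terminal is too narrow for the names.
TCP_STATES = {
    0: "CLOSED", 1: "LISTEN", 2: "SYN_SENT", 3: "SYN_RECEIVED",
    4: "ESTABLISHED", 5: "CLOSE_WAIT", 6: "FIN_WAIT_1", 7: "CLOSING",
    8: "LAST_ACK", 9: "FIN_WAIT_2", 10: "TIME_WAIT",
}

# Constructed sample in the post's column order; documentation-range addresses.
SAMPLE_PFTOP = """\
PR  DIR SRC               DEST                STATE  AGE    EXP    PKTS   BYTES
tcp I   192.0.2.3:2048    198.51.100.6:3389   4:4    32387  57663  40930  10M
tcp O   192.0.2.3:2048    198.51.100.6:3389   4:4    32397  57653  40930  10M
tcp I   192.0.2.9:51000   198.51.100.6:3389   4:4    120    86280  800    640K
tcp I   192.0.2.7:4444    198.51.100.6:22     9:5    30     60     12     1K
"""

LINE_RE = re.compile(
    r"^tcp\s+([IO])\s+(\S+)\s+(\S+)\s+(\d+):(\d+)\s+(\d+)\s+(\d+)")


def decode_state(pair):
    """'4:4' -> 'ESTABLISHED:ESTABLISHED' (source side : destination side)."""
    a, b = (int(x) for x in pair.split(":"))
    return "%s:%s" % (TCP_STATES.get(a, "?"), TCP_STATES.get(b, "?"))


def parse_pftop(text):
    """Parse the tcp rows of a pftop listing into dicts; other rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        direction, src, dst, s1, s2, age, exp = m.groups()
        entries.append({
            "dir": direction, "src": src, "dst": dst,
            "state": decode_state(s1 + ":" + s2),
            "age": int(age), "expires": int(exp),
        })
    return entries


def stale_established(entries, max_age=7200):
    """ESTABLISHED:ESTABLISHED states older than max_age seconds.

    pf only moves a TCP state on when it sees the FIN/RST exchange; a
    session that died without one sits in the table until the
    tcp.established timeout (86400 s by default) runs out, which is the
    symptom in the post."""
    return [e for e in entries
            if e["state"] == "ESTABLISHED:ESTABLISHED" and e["age"] > max_age]


if __name__ == "__main__":
    for e in stale_established(parse_pftop(SAMPLE_PFTOP)):
        print("%s %s -> %s %s age=%ds expires in %ds"
              % (e["dir"], e["src"], e["dst"], e["state"], e["age"], e["expires"]))
```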



Re: remove any unwanted devices from the kernel.

2008-06-06 Thread Tim Donahue
On 6/6/08 6:52 AM, Geoff Steckel [EMAIL PROTECTED] wrote:

 Sometimes it matters to be small and sometimes fast.  That is a decision
 made by the kernel hacker.  Joe user does not make these decisions
 because he/she does not understand the overall impact.
 
 As someone else who writes code for this fine os would say: removing
 drivers is pure masturbation.
 
 
 I suggest that there are reasonable cases where a non-core-team
 person would correctly want to remove unused drivers.

Reasonable, maybe, corner cases, more likely than not.

 For systems which must boot very quickly, removing unused drivers
 whose probe routines cause significant timeouts can make a big
 difference. Sometimes timeouts are the only way to check for an
 I/O device behind a blind interface. For instance, checking
 a floppy drive's seek time is a significant wait.

This sounds like a corner case; how many times is this going to have an
effect on Joe User?
 
 For systems which are intended to run with little memory or which
 are straining at architectural limits, 100K here and 100K there
 can make quite a big difference in what applications can run.
 Many drivers are over 150K when linked.  When a megabyte or two
 counts, removing 10 drivers could make a big difference.

This is not the type of project that Joe User is going to be working on.  It
is the type of project that is going to go into the hands (hopefully) of a
programmer or systems engineer who has the knowledge to do the diagnostics
when something goes wrong building this system.  This sounds like another
corner case to me.
 
 If the kernel code is well structured, the following must be true:
 
 Removing a driver which is essential to normal operation must
 cause the kernel compile or link stage to fail.

It does, at least in my experience.  I was that young and stupid person who
believed it was a badge of honor to run a custom kernel, now I believe it is
a badge of honor to get your system functioning with the least effort
expended, which is one of the reasons I have come to enjoy running OpenBSD.

 
 As an aside, I've been wondering what the heck named is doing to
 initialize itself. It does many thousands of disk accesses for no
 visible benefit and takes a very long time to do them.
 

I have never noticed a problem with this, and my DNS servers aren't exactly
on top end hardware.  In fact, they are on 300MHz machines that were rescued
from the dumpster... If it is something that annoys you, why don't you do
some profiling of the startup routine and see what you can optimize?

Tim



Re: zombies - solved

2008-03-12 Thread Tim Donahue

Quoting Jonathan Weiss [EMAIL PROTECTED]:


bofh wrote:

On Wed, Mar 12, 2008 at 11:58 AM, Theo de Raadt [EMAIL PROTECTED]
wrote:


A fork does not seem like a good return on investment, so v 1.3.29 will
probably go away sooner than later once the Apache Foundation drops
maintenance on the 1.3 series.


I'm just curious what is in 2.x that you need, that is unavailable in 1.3?


mod_proxy_balancer



Ok, you have a need for Apache 2.x.  That does not mean that the  
Apache server in the base install needs to be updated.


http://www.openbsd.org/cgi-bin/cvsweb/ports/www/apache-httpd/

--
Tim Donahue





Re: OpenBSD and Mysql+Sun

2008-02-27 Thread Tim Donahue

Quoting Gustavo Polillo [EMAIL PROTECTED]:


Sun + MySQL.. Will the MySQL database be portable in the next OpenBSD
versions? How does the OpenBSD team look at this?




OpenBSD has had a MySQL port for nearly 9 years now.*  I would imagine  
that nothing will change in that respect, and from everything that I  
have read about the Sun-MySQL deal it will be business as usual for  
MySQL, just with lots more cash lying around.




*http://www.openbsd.org/cgi-bin/cvsweb/ports/databases/mysql/Makefile?rev=1.1&content-type=text/x-cvsweb-markup

--
Tim Donahue





Re: OT: Can an SSH alternative to WebDav be use on OpenBSD

2008-01-25 Thread Tim Donahue

Quoting L. V. Lammert [EMAIL PROTECTED]:


On Fri, 25 Jan 2008, Frank Bax wrote:


Boris Goldberg wrote:
 Hello Daniel,

   I believe it should be possible to set up samba-over-ssh. I mean samba
 listening on localhost only on the server and putty
 (www.chiark.greenend.org.uk/~sgtatham/putty/) with port forwarding on
 clients.
   You can also use samba-over-ipsec. IPSec is not less secure than ssh and
 gives you more flexibility.



Has anyone figured out how to save PuTTY tunnel settings (whether for
samba or anything else); so that they can be easily dropped onto
multiple systems without having to do manual setup on each one?


Have not tried tunnel settings, but I DO know that you can copy any
session configurations by exporting the registry keys.

Lee



I can confirm that the port forwarding settings are stored in the
registry.  It is easy enough to write a quick script to add those
registry entries into the reg. of a new computer.  Look in the PuTTY
FAQ, I think there is an example of how to do it in there.

--
Tim Donahue





Re: Apache box behind Openbsd

2008-01-08 Thread Tim Donahue

Quoting Sewan [EMAIL PROTECTED]:


Hi,

I have an apache-php website running on Windows Server 2003 port 80. I have
correct rdr rules pointing to my web server; I can view the website inside my
LAN, but I can't view the page outside of my network. I've checked all dns/ip
settings, everything's fine but the problem continues. I've read on some forums
that apache doesn't recognize rdr rules from openbsd, so how can I publish
my site? Thanks...



You have a filter rule too?  Something like:

pass in on $ext_if proto tcp to ($ext_if) port 80

The forums are wrong, I have several apache servers behind PF  
firewalls with no issues.  If this doesn't work, please post a dmesg  
and your pf ruleset so that we actually have the information we need  
to help you out.


--
Tim Donahue





Re: Problem with VLANs

2007-08-02 Thread Tim Donahue
Redirected as this is a misc@ question not a tech@ question.

On Thu, 2007-08-02 at 11:48 +0930, Hugo van Niekerk wrote:
 Hey Everybody
 
 I'm running OpenBSD 3.9. At startup during vlan initialization I get
 an error that the vlan initiated with a nonstandard mtu of 1946
 (parent pcn1). Of course I understand that a vlan header has to be
 sent and that provision has to be made for this. I've done a lot of
 searching on the web around this and everything is pointing to the
 fact that the network driver does not support / has not been set for
 a larger mtu. This is where I get stuck. There is a component
 SIOCIFMTU that reports that the mtu value I use is incorrect for a
 specific interface when I try to increase the mtu from the command
 line using ifconfig. This component, according to my research, sets
 the mtu value automatically at startup based on the information that
 is fed to it by the network card driver. Anything above what is set
 at startup would be invalid. Can anybody please give me some advice
 as to where I can find more resources that I can research to resolve
 this problem, or point me in the right direction. I would really
 appreciate this! Also, I've been looking for a guide or good book /
 resource around configuring vlans on OpenBSD; I thought maybe I made
 a mistake in the hostname.if and pf.conf files. Again any assistance
 here will be greatly appreciated.
 
 regards
 
 Hugo
 

If your interface is initializing with an MTU of 1496 then the card that
you are using is not capable of supporting an MTU over 1500, which is
required by the 802.1q spec to do VLAN tagging.  A full size ethernet
frame with the 802.1q encapsulation is actually 1504 bytes.

This is not a configuration issue, unless you have specified a smaller
packet size.  There is no configuration needed: if the card is capable
of doing vlan trunking with the full packet size, it will; otherwise it
will automatically decrease the MTU to allow for the 4 byte header that
will be added.

Unfortunately not all the ethernet cards/drivers are able to support
this over-sized packet.  To check which drivers are capable of
supporting it you can grep for IFCAP_VLAN_MTU in
the /usr/src/sys/dev/pci/if_driver.c files.  I personally have had the
best luck with the fxp, sis, and em drivers when I am doing vlan
trunking.

Tim Donahue



Re: Firefox/Iceweasel in OpenBSD

2006-10-12 Thread Tim Donahue
On Thu, 12 Oct 2006 12:32:08 +0200
RedShift [EMAIL PROTECTED] wrote:

 David Sampson wrote:
  Due to the recent flair over the use of the Firefox logo, the GNU
  camp has decided to fork the entire project, into IceWeasel.  The
  idea here is that they can't use the FF logo freely, so of course
  they must fork it.  I just want to know how this is going to affect
  the OpenBSD camp, if at all.  
  
  David Sampson
  
  
  
 
 Actually I quickly read the license file included with the source 
 distribution of firefox, and found no reason why the logo/name can't
 be used in custom builds. I'm no license expert, but does anyone have
 a clue how mozilla decided that builds other than those from mozilla
 can't use the name/logo?
 
 Imho that was a pretty stupid decision by the mozilla team, things
 like names and logos are one of the most important aspects in
 marketing. It would be foolish to wreck it.
 
 Finally, how do the mozilla developers feel about this? Do they agree 
 with this management decision?
 
 Glenn
 


This is a trademark issue and from what I hear the Mozilla guys guard
their trademarks vigorously.  This probably stems from the fact that
they have been bitten 1 or 2 times in the past with trademark issues
and don't want to go through that again.

Tim Donahue



Re: Opinion of MySQL 5.xx on OpenBSD 3.9...

2006-09-07 Thread Tim Donahue
Make sure that you have your 'open-files-limit' parameter set to a sane
value in your my.cnf.  If you don't have anything set for that limit
the default is extremely low (so low that using views tended to not
work on my dev box).  I have been using open-files-limit = 8192,
however YMMV.

Tim Donahue

On Thu, 7 Sep 2006 12:09:09 +0200
Toni Mueller [EMAIL PROTECTED] wrote:

 Hello,
 
 On Thu, 22.06.2006 at 12:49:22 +0200, Henning Brauer lists-
 [EMAIL PROTECTED] wrote:
  I haven't seen stability problems with mysql on OpenBSD in a long
  time. not even on sparc64.
 
 then you are very lucky, imho.
 
 On a variety of OpenBSD boxes, and with a variety of MySQL versions, I
 experience random crashes or, mostly, hangs where the server does not
 respond anymore, but also doesn't crash. In such cases, a violent kill
 and a restart of the MySQL server is required to get going again. This
 is from 3.7 to 3.9 with MySQL versions from 4.0.x to 5.0.x (from
 ports), all on several i386 machines with different (PC-) hardware,
 with _low_ traffic and _ample_ resources (enough to hold all databases
 in RAM).
 
 When pushed, I see like 10 (15?) queries a second, but on average, I
 see less than 1 query every two seconds.
 
  Unless you're really pushing the limits, performance is not much of
  a problem either. with really extreme load, our threading library 
  shows why we wanna go for rthreads. for the vast majority of uses
  out there, you will not see a difference.
 
 I very much hope to see a significant difference (or otherwise, more
 apps that don't depend as much on MySQL).
 
 
 Best,
 --Toni++



Re: Code beautifiers, anyone?

2006-08-24 Thread Tim Donahue
I have used tidy (for html) and perltidy to clean up messy/generated
code in the past.  Both are extremely customizable in the format they
output code.

Tim Donahue

On Thu, 24 Aug 2006 14:59:31 +0200
Kyrre Nygerd [EMAIL PROTECTED] wrote:

 Hello people,
 
 I'm looking for the best ways to create a line of code beautification 
 (reformatting) scripts -- one for C, one for Ruby, one for Bash and 
 one for web development languages like XHTML, XML, CSS, PHP and Ajax. 
 Whether as frontline warriors or household maids, they would ensure 
 proper indentation, linebreaks, spaces, tabs and so forth.
 
 Can anybody help me?
 
 My studies of architectural science have taught me to pay extreme care 
 to the correction of details, and I now wish to apply these teachings 
 to all my code. I find myself always reformatting whatever my 
 associates give me. Not that they're bad programmers, they just care 
 more about the code itself rather than its structure, and I dare not 
 argue with that. When their code is messy, however, my heart feels 
 messy and I can't get any sleep.
 
 I wish to be in full control of my code beautifiers. That is, I wish 
 to have them as simple and meaningful as possible. Give me an easy 
 Bash over a complex Ruby any day.
 
 There's a lot of messed up tools out there. Companies with flashy 
 websites just doing this for the money. So apart from the bullshit, 
 I've managed to spot out the Ruby Beautifier and GNU Indent as two 
 worthy code beautifiers. However I get the feeling they are more 
 complex than they ought to be, and if less is more, my search will 
 have to continue.
 
 All the best,
 Kyrre



Re: VPN help needed: OpenBSD in the corporate environment instead of Linux

2006-07-28 Thread Tim Donahue
On Fri, 28 Jul 2006 06:30:13 -0700 (PDT)
jeraklo [EMAIL PROTECTED] wrote:

  Alternately, for a more shiny, more
  firewall-friendly, but less
  efficient protocol and not quite as secure an
  implemenation, try
  OpenVPN. It runs on Windows, Mac OS X, and (most?)
  POSIX-compliant
  systems that have tap/tun devices.
 
 OK but do OpenVPN connections survive NAT ? It is
 possible for some client addresses to be private and
 then translated through NAT to reach the internet.

OpenVPN is an SSL VPN and should have no problems traversing NAT.  I
used it at a former employer and it worked great for my laptop.

Tim Donahue



Re: OT: Notebook explosion (DELL)

2006-06-22 Thread Tim Donahue
Ahh... Looks like a fully functional DMI (Detonate Machine Interface)
has arrived at last... Wonder how that would work out as a LART.

Tim Donahue

On Wed, 21 Jun 2006 21:20:31 +0200 (CEST)
[EMAIL PROTECTED] wrote:

 Because I know some people here own DELL Notebooks:
 
 It happened that such a notebook exploded.
 The little story is available at The Inquirer
 
 http://www.theinquirer.net/?article=32550
 
 Would be very bad if such stuff happened while you've got your Notebook on
 your knees or so...
 
 Kind regards,
 Sebastian



Re: nice and convenient way to check latest current src changes?

2006-05-30 Thread Tim Donahue
Or even simpler... from my crontab:

cd /usr/src && cvs -q update -PAd -rOPENBSD_3_9 2>&1 | mail -s "CVS update `date +\%Y-\%m-\%d`" your_address_here

I run this at 6:04am each day so it is completed before I get into work.

You could add a check to see if there is any output from the cvs command 
before sending the mail, but I like to see the output so I'm sure the 
job was actually processed.

On Tue, 30 May 2006 13:55:10 -0400
Peter Blair [EMAIL PROTECTED] wrote:

 Here's a quick perl script to extract the html:
 
 #!/usr/bin/perl
 #
 # cvs_dates.pl -- print the date and marc message id of each post in the listing
 
 use strict;
 use warnings;
 
 while (<STDIN>)
 {
     my ($line) = $_;
     chomp($line);
     # a date, then 28 characters of layout, then the numeric message id
     if ($line =~ /(\d{4}-\d{2}-\d{2}).{28}(\d{10,20})/)
     {
         my ($d) = $1;
         my ($id) = $2;
 
         print $d, " ", $id, "\n";
     }
 }
 
 And just do something like:
 
 wget -q -O -
 'http://marc.theaimsgroup.com/?l=openbsd-cvs&r=1&b=200605&w=2' | perl
 cvs_dates.pl
 
 On 5/29/06, Didier Wiroth [EMAIL PROTECTED] wrote:
  Hello,
 
  To follow the current source changes I usually check the following
  website:
  http://marc.theaimsgroup.com/?l=openbsd-cvs&r=1&b=200605&w=2 This
  isn't very handy as you have to click every message to view the log
  message and the files that were changed.
 
  1) Is there a nice way to see current source changes?
  (If possible, I would prefer NOT to subscribe to another new
  mailing list!)
 
  2) Is there a nice and fast method to check the latest changes
  with the cvs command?
 
  Thank you very much
  Didier



Re: PHP vs Mason vs Ruby vs JSP/Tomcat

2006-05-26 Thread Tim Donahue
On Fri, 26 May 2006 10:40:02 +0200
Marc Espie [EMAIL PROTECTED] wrote:
 The main issue with perl modules is that there are so many of them.
 Most of CPAN is trivial to port over to OpenBSD, but is it worth it ?
 Most of it probably isn't...
 
Porting all of CPAN is probably not necessary, and the way it is
currently being done seems to work.  If your port depends on a module,
then it should be in the ports tree as well, but all of CPAN...  

In my experience, since stuff in CPAN generally Just Works(TM) on
OpenBSD and is as simple as `perl -MCPAN -e 'install Module'`, I
really can't see any compelling reasons for everything to be put into
the ports tree.  

Tim Donahue



Re: build a kernel

2006-05-03 Thread Tim Donahue
On Wednesday 03 May 2006 07:15, holger glaess wrote:
 hi

 after a rebuild of the gcc compiler with this instruction
 http://openbsd.org/faq/faq5.html#NewCompiler

 a kernel build and a make build will be successful.

 thanks to all for help.
 holger


Building upgrades between versions is not supported.  Please upgrade with an 
install disk/bsd.rd then update to -stable.

Tim Donahue



Re: BSD-licensed Camellia 128-bit block cipher

2006-04-20 Thread Tim Donahue
On Thursday 20 April 2006 07:45, Dimitry Andric wrote:
 Alexey E. Suslikov wrote:
  Camellia was certified as the IETF standard cipher (Proposed
  Standard) for SSL/TLS cipher suites (RFC4132) and IPsec (RFC4312).
 
  Source:
  https://info.isl.ntt.co.jp/crypt/eng/camellia/source_s.html

 Hmm, isn't the notice on that page incompatible with the BSD license?

 Any product equipped with Camellia encryption algorithm (including the
 open sources) is a controlled product regulated under the Japanese
 Foreign Exchange and Foreign Trade Law, though the algorithm is public.
 When you plan to export or take this product out of Japan, or provide
 any juridical person having its main office in Japan, concerning
 property or business of such a juridical person which is located
 overseas, please obtain a permission, as required by the Law and related
 regulations, from the Japanese Government.

No, just like you can produce a BSD-licensed AES implementation in the US, but 
it would still be subject to US Export Laws.

Tim Donahue



Re: a little success in vnc over openvpn

2006-04-14 Thread Tim Donahue
On Friday 14 April 2006 07:45, OS rider wrote:
 Hi all, my name is takesima, a Japanese.
 I can manipulate a windows 2000 machine (whose address is 192.168.1.222)
 via internet.

 The point is "rdr on tun0 inet proto tcp from any to 10.4.0.2 ->
 192.168.1.22" in pf.conf and "vncviewer 10.4.0.2".

 I wrote details in the last part of http://nakajin.dyndns.org/pikara.html .
 This is my first trial, then there may be mistakes, so please point them
 out.

 regards

Perhaps this is easier than using a redirect statement in pf.conf. 

Set `sysctl -w net.inet.ip.forwarding=1` on both servers if it not already 
set.

vncviewer 192.168.1.122

Tim Donahue



Re: why /dev/rwd0c instead of /dev/wd0c?

2006-04-14 Thread Tim Donahue
On Friday 14 April 2006 10:56, Joco Salvatti wrote:
 Hi all,

 When I run 'disklabel wd0', it returns:

 # /dev/rwd0c:

 My question is: why /dev/rwd0c instead of /dev/wd0c?

 Thanks..


From `man disklabel`:
     disk    Specify the disk to operate on.  It can be specified either by
             its full pathname or an abbreviated disk form.  In its
             abbreviated form, the path to the device, the `r' denoting raw
             device, and the slice, can all be omitted.  For example, the
             first IDE disk can be specified as either /dev/rwd0c, /dev/wd0c,
             or wd0.


Tim Donahue



OSPF problems with Vlan interfaces

2006-04-12 Thread Tim Donahue
I am having problems getting ospfd to work with 802.1q vlans.  I have 2 
existing ospfd servers that are working correctly with physical interfaces in 
each network they are taking part in.  I recently built a new box on which 
I'm trying to use vlans, as it only has 2 interfaces and I want it to talk to 
3 different networks.  When I start `ospfd -d` to see why no networks ever 
get populated into the FIB I get the following errors.  Is there anything I can 
do to resolve this problem?

Tim Donahue

recv_dd_description: invalid MTU 1500 sent by neighbor ID 10.4.64.3, expected 
1496
if_fsm: event WAITTIMER resulted in action NOTHING and changing state for 
interface vlan33 from DROTHER to DROTHER
recv_dd_description: invalid MTU 1500 sent by neighbor ID 10.4.64.1, expected 
1496


# ifconfig 
de0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:c0:f0:16:f0:5e
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet6 fe80::2c0:f0ff:fe16:f05e%de0 prefixlen 64 scopeid 0x2
vlan33: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1496
lladdr 00:c0:f0:16:f0:5e
vlan: 33 priority: 0 parent interface: de0
groups: vlan
inet6 fe80::2c0:f0ff:fe16:f05e%vlan33 prefixlen 64 scopeid 0xf
inet 10.4.64.4 netmask 0xff00 broadcast 10.4.64.255
vlan35: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1496
lladdr 00:c0:f0:16:f0:5e
vlan: 35 priority: 0 parent interface: de0
groups: vlan
inet6 fe80::2c0:f0ff:fe16:f05e%vlan35 prefixlen 64 scopeid 0x10
inet 10.2.8.1 netmask 0xff00 broadcast 10.2.8.255



# cat /etc/ospfd.conf

# $OpenBSD: ospfd.conf,v 1.2 2005/02/06 20:07:09 norby Exp $

# macros
password=secret

# global configuration
router-id 10.4.64.4
fib-update yes
# spf-delay 1
# spf-holdtime 5
redistribute none

# auth-key $password
# auth-type simple
# hello-interval 10
# metric 10
# retransmit-interval 5
# router-dead-time 40
# router-priority 1
# transmit-delay 1

# areas
area 1 {
interface vlan33 {
auth-type none
}
}


# cat /etc/pf.conf

#   $OpenBSD: pf.conf,v 1.29 2005/08/23 02:52:58 henning Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

set skip on { lo }

scrub in

block in log
pass out keep state

antispoof quick for { lo }

pass in on de0 from any to any
pass in on vlan33 from any to any
pass in on vlan35 from any to any



Re: OSPF problems with Vlan interfaces

2006-04-12 Thread Tim Donahue
On Wednesday 12 April 2006 15:38, Jason Ackley wrote:
 Tim Donahue wrote:
  recv_dd_description: invalid MTU 1500 sent by neighbor ID 10.4.64.3,
  expected 1496

   This is your problem. Your physical interface driver
   doesn't understand frames that are 'slightly' larger
   than 1500 (baby giant).  Frames are increased by
   4 bytes when they have 802.1q tags prepended to them.

[snip]
   If you are unsure, you can grep around for
   'IFCAP_VLAN_MTU' in the driver source code.

   Most fxp/bge/nge/em/sk cards should be good. Some
   vr/rl will work as well.

   What is the other interface on the box?

It's an xl card, so I'll need to see if we have any other cards around.

   You could reduce the MTU on the other routers, but
   that is a hack. Get a real card/driver and you will
   be set.

This would just be a pain in the rear as time goes on.

Thanks for the pointer.  
Tim Donahue
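The diagnosis in this thread (vlan interfaces stuck at MTU 1496 because the parent driver cannot carry the 4 extra bytes of an 802.1q tag, so ospfd rejects Database Description packets from neighbours that advertise 1500) can be checked mechanically. The script below is an added example, not something from the thread or from ospfd; it assumes the `ifconfig` and `ospfd -d` output formats quoted above, and the sample text it parses is constructed from those quotes rather than captured from a real box.

```shell
#!/bin/sh
# Added example (not from the thread): find vlan interfaces whose MTU is
# below 1500 and pair that with the DD MTU mismatches ospfd -d reports.
# Both samples are constructed from the output quoted in the thread.

SAMPLE_IFCONFIG='de0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:c0:f0:16:f0:5e
vlan33: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1496
        vlan: 33 priority: 0 parent interface: de0
        inet 10.4.64.4
vlan35: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1496
        vlan: 35 priority: 0 parent interface: de0
        inet 10.2.8.1'

SAMPLE_OSPFD_LOG='recv_dd_description: invalid MTU 1500 sent by neighbor ID 10.4.64.3, expected 1496
if_fsm: event WAITTIMER resulted in action NOTHING and changing state for interface vlan33 from DROTHER to DROTHER
recv_dd_description: invalid MTU 1500 sent by neighbor ID 10.4.64.1, expected 1496'

# Reads ifconfig text on stdin and prints "ifname mtu parent" for every
# vlan interface whose MTU is below the 1500 its OSPF neighbours expect.
# The interface header line carries the MTU; the "parent interface:" line
# that follows identifies the driver that cannot do baby giants.
undersized_vlans() {
    awk '
        /^[a-z]+[0-9]+: / { split($1, a, ":"); ifname = a[1]; mtu = $NF }
        /parent interface:/ && mtu + 0 < 1500 { print ifname, mtu, $NF }
    '
}

# Reads ospfd -d output on stdin and prints "neighbor their_mtu our_mtu"
# for each rejected Database Description packet.
dd_mtu_mismatches() {
    awk '/recv_dd_description: invalid MTU/ {
        nb = $9; sub(/,$/, "", nb)
        print nb, $4, $NF
    }'
}

# Usage: run both checks over the constructed samples.
printf '%s\n' "$SAMPLE_IFCONFIG" | undersized_vlans | while read -r ifn mtu parent; do
    echo "$ifn has mtu $mtu: parent $parent is not carrying full-size tagged frames"
done
printf '%s\n' "$SAMPLE_OSPFD_LOG" | dd_mtu_mismatches | while read -r nb theirs ours; do
    echo "neighbor $nb advertises MTU $theirs, we expect $ours: adjacency will not form"
done
```

On a live router the same functions take `ifconfig | undersized_vlans` and a saved `ospfd -d` log; an empty result from the first check after swapping in a card whose driver sets `IFCAP_VLAN_MTU` is the quickest confirmation that the vlan interfaces came up at 1500.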



Re: Recommendations for an OpenBSD-based Backup Solution

2006-03-20 Thread Tim Donahue
On Monday 20 March 2006 18:36, Joachim Schipper wrote:
 On Mon, Mar 20, 2006 at 10:37:42AM -0800, Donald J. Ankney wrote:
  I threw together a Perl script that uses tar and external firewire
  drives. Tar has flags that will let it backup over SMB (for the windows
  boxes) and one can always do use scp (via certificates) piped through
  tar for remote linux/BSD boxes. I've been using this solution across
  several platforms (all servers) for a year now, and it has worked well.

 Amavisd has a very good algorithm for balancing backups. It is, sadly,
 otherwise a bit of a pain to get going.

 That said, it's very solid, and can even print pretty reports.

   Joachim


Which amavisd are you referring to? Do you have a link to the website for us?  
The 2 amavisds that I could find on Google (amavisd and amavisd-new) are 
both email filtering programs and don't have anything to do with backups for 
servers (though amavisd-new does run quite happily on backup MX servers).

Tim Donahue



Re: hardening openbsd firewall

2006-03-08 Thread Tim Donahue
On Tuesday 07 March 2006 23:42, Peter wrote:
 Hi.  I've set up several firewalls with OpenBSD but I have yet to go to
 any extremes regarding hardening.  So far I have updated the source
 (stable), recompiled the system  kernel, removed the source code,
 turned off inetd, and set up a tight pf.conf.  I have been reading up
 on an interesting strategy of removing tons of executables, storing
 them on a cd, and setting up symlinks to the cd mount point so they can
 be accessed when needed.


Of course now when you have a problem and need your diagnostic tools, or for 
that matter if you need to apply a security patch, you are going to have lots of 
fun updating the system.  

Restrict connections to the localhost to only absolutely necessary services, 
restrict sshd access (and use ssh-keygen to create keypairs), and of course 
only give access to the console to trusted persons.  Doing this, as well as 
keeping up to date on the security patches, will keep your system's risk to a 
minimum.  

Don't forget that if someone is good enough to gain access to your system, 
odds are they are smart enough to copy the code and compiler that they need 
to completely root the system.

Tim Donahue
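The first piece of advice above, restricting which services accept connections at all, is easy to audit. The script below is an added example, not something from the thread; it assumes the `netstat -an -f inet` output layout (local address in the fourth column, state in the last) and the sample text it reads is constructed, not captured from any real host.

```shell
#!/bin/sh
# Added example (not from the thread): list sockets that accept traffic
# from other hosts, i.e. anything not bound to the loopback address.
# Input is netstat -an -f inet style text on stdin; the sample below is
# constructed for the demonstration.

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.80                   *.*                    LISTEN
tcp          0      0  10.0.0.2.22            10.0.0.50.41234        ESTABLISHED
udp          0      0  127.0.0.1.53           *.*
udp          0      0  *.514                  *.*'

# TCP listeners reachable from beyond the host: state LISTEN and a local
# address that is not 127.0.0.1.
exposed_listeners() {
    awk '$1 == "tcp" && $NF == "LISTEN" && $4 !~ /^127\.0\.0\.1\./ { print $4 }'
}

# UDP has no LISTEN state in netstat output, so an unconnected socket
# (foreign address *.*) on a non-loopback address is the equivalent check.
exposed_udp_sockets() {
    awk '$1 == "udp" && $5 == "*.*" && $4 !~ /^127\.0\.0\.1\./ { print $4 }'
}

# Usage: anything printed here is a service to justify or to shut off.
echo "TCP listeners open to the network:"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
echo "UDP sockets open to the network:"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_udp_sockets
```

Against the constructed sample this reports `*.22` and `*.80` for TCP and `*.514` for UDP, while the loopback-only SMTP and DNS sockets are left alone; on a real firewall feed it `netstat -an -f inet | exposed_listeners` and compare the result with what pf.conf is meant to let in.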



Re: OpenBSD has bad security

2006-03-06 Thread Tim Donahue
On Monday 06 March 2006 13:37, Bryan Brake wrote:
 Bryan Irvine wrote:
  For a laugh go here.
 
  http://wideopenbsd.org/

 How much does it cost to register a domain these
 days?  Is it registered to Dave Feustel?  The

whois wideopenbsd.org reveals:
Tech Name: Registration Private

Which I believe invalidates the whole idea of having a whois service so we can 
contact the domain administrators... I mean if Google and MS both have whois 
contacts listed, why should people be allowed to keep their information 
private, but I digress.  

I don't think that your comment about Dave owning the domain was called for.  
Dave is not the owner of the domain; in fact, see his question the first 
time this was posted way back in 2004:
http://marc.theaimsgroup.com/?l=openbsd-misc&m=109974430125648&w=2

 author of the site appears to go above and beyond
 to spread FUD...  I mean, he uses HTML and even
 has an image.

 <sarcasm>I think he's serious folks</sarcasm>

My cynical side definitely agrees with this.



Re: Traffic analysis on a per service basis

2006-03-02 Thread Tim Donahue
You could take a look at pfflowd, flow-tools, flowd, and tcpflow. These are 
all in the ports tree.  

Tim Donahue

On Thursday 02 March 2006 11:16, David Elze wrote:
 Hi,

 I just searched the net for hours but didn't find a reasonable solution.
 My intention is to get traffic graphs, like the ones in mrtg for
 interfaces but for specific services (that is one for ftp, one for http
 and so on).

 First idea was to use mrtg/snmp that I already use for simple
 interface-based traffic monitoring. But net-snmp has no MIB that
 presents a service-based differentiation as far as I found out.

 So the second idea was to use pflog-capabilities, but is there any tool
 out there that generates images out of pf-logs? I just found pfstat
 which seems not to be able to work with distinct services.

 In the end, I tried to find all-in-one solutions, found some
 rrdtool-related stuff but unfortunately, I did not find a not to complex
 solution for my problem.

 Maybe someone can point me in the right direction or just tell me a hint
 for a good rtfm? Thanks a lot for any tip...

 Oh, almost forgot: It should work on OpenBSD :-)

 CU
   David

 --
 David Elze Tel:(+49)(0)441 - 36116410
 [EMAIL PROTECTED]  Fax:(+49)(0)441 - 36116419
 http://www.bytemine.net/   PGP/GPG:  5F83FEA2
 bytemine  -  Entwicklungsmanufaktur fuer innovative Loesungen

 [demime 1.01d removed an attachment of type application/pgp-signature which
 had a name of signature.asc]



Re: /etc and partitions

2006-02-27 Thread Tim Donahue
Speaking from experience, I put /etc on a separate partition once; it only took 2 
hours to recover it, but it was a lesson well learned... There are several 
files located in the /etc/ directory that need to be immediately available 
upon boot.  These include /etc/fstab and /etc/rc*.

Tim Donahue

On Monday 27 February 2006 13:37, Michael Schmidt wrote:
 Hello,

 version: 3.8
 architecture: i386

 I have seen that /etc cannot be located on a separated partition.
 Why can it be not on an extra partition?

 Have a nice day
 Michael



Re: boot.conf

2006-02-24 Thread Tim Donahue
Booting off of the cd38.iso, mounting your / partition and removing 
your /etc/boot.conf is the first way that comes to mind.  

You could also work some magic with the boot prompt that you get from booting 
off the CD.  Something like boot -s hd0a:/bsd should do it, and I'm sure I 
could find a half dozen other ways to do it if I really wanted in.

In other words, just adding boot to your boot.conf does not really add any 
security.  It does make your life more difficult when you actually need to 
access single user mode, but without physical security, nothing is secure.

Tim Donahue

On Friday 24 February 2006 08:53, Michael Schmidt wrote:
 Hello,

 I would like to run an OpenBSD machine where I want that the boot prompt
 disappears, reason is that I do not want others having access to the
 boot prompt.
 In case you put a boot into boot.conf or set timeout to zero then you
 do not have the opportunity to boot in single user when it may be
 necessary.

 Are there ways to circumvent the latter?

 Have a nice day
 Michael



Re: xargs PF or BPF

2006-02-13 Thread Tim Donahue
On Monday 13 February 2006 17:13, Stuart Henderson wrote:
 On 2006/02/13 16:53, Jason Crawford wrote:
  On 2/13/06, Matthias Kilian [EMAIL PROTECTED] wrote:
   On Mon, Feb 13, 2006 at 02:03:27PM -0700, Diana Eichert wrote:
find /usr/src -name *.[c|h] -exec grep 'bpf.h' /dev/null {} \;

 it's in quotes, this is handled by find, not the shell.

   (b) pipeing to xargs(1) may be faster.
 
  why?


As done by find -exec, correct?
 grep foo 1 2 3 4 5 6 7 ...

 vs.


As done by xargs?
 grep foo 1
 grep foo 2
 grep foo 3
 ...

Wouldn't -exec be faster for a small list, as it is a single invocation of 
grep vs. multiple invocations of grep for xargs?  

IIRC, the reason xargs exists is to get around limits posed by the number of 
args an application like rm or grep can take when passed a large list of 
arguments, like, say, a recursive find for old files in your spam 
quarantine :-).  

Tim Donahue
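The thread never pins down how many times grep actually gets started by each form, so here is an added example (not from the thread) that measures it. It builds a scratch tree of five constructed `.c` files and a small wrapper script, `grep_counted`, that appends a line to a counter file and then hands off to the real grep; both the wrapper and the file names are assumptions of this demonstration. The `/dev/null` argument is the same trick as in the original command, forcing grep to prefix matches with the file name.

```shell
#!/bin/sh
# Added example (not from the thread): count how many grep processes are
# started by `find -exec ... {} \;` versus `find | xargs` over a small
# constructed tree. grep_counted is a wrapper assumed for this demo.

# Create a scratch directory holding five .c files plus a wrapper that
# records one line per invocation before running the real grep.
setup_workdir() {
    d=$(mktemp -d) || exit 1
    for i in 1 2 3 4 5; do
        printf '#include "bpf.h"\n' > "$d/file$i.c"
    done
    cat > "$d/grep_counted" <<'EOF'
#!/bin/sh
echo invoked >> "$COUNT_FILE"
exec grep "$@"
EOF
    echo "$d"
}

# Usage: count_invocations exec|xargs
# Prints the number of times grep was started for the chosen form.
count_invocations() {
    dir=$(setup_workdir)
    COUNT_FILE="$dir/count"
    export COUNT_FILE
    : > "$COUNT_FILE"
    case $1 in
        exec)
            # \; terminates the command: one grep per matching file
            find "$dir" -name '*.c' -exec sh "$dir/grep_counted" -l 'bpf.h' /dev/null {} \; >/dev/null
            ;;
        xargs)
            # names are packed onto as few command lines as the arg limit allows
            find "$dir" -name '*.c' -print | xargs sh "$dir/grep_counted" -l 'bpf.h' /dev/null >/dev/null
            ;;
        *)
            echo "usage: count_invocations exec|xargs" >&2
            rm -rf "$dir"
            return 2
            ;;
    esac
    wc -l < "$COUNT_FILE" | tr -d ' '
    rm -rf "$dir"
}

echo "find -exec ... \\; started grep $(count_invocations exec) times"
echo "find | xargs    started grep $(count_invocations xargs) times"
```

With five files the `\;` form starts grep five times and the xargs form once; only when the list outgrows the kernel's argument-length limit does xargs split it into several invocations. POSIX find also accepts `-exec ... {} +`, which batches arguments the same way xargs does without the pipe. Note that the plain `xargs` form shown here breaks on file names containing whitespace, which is why `find -print0 | xargs -0` or `-exec ... {} +` is the safer habit.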



Re: OpenBSD hardware router

2006-02-02 Thread Tim Donahue
On Thursday 02 February 2006 15:54, Darrin Chandler wrote:
 Kenny Mann wrote:
  I'm looking for something that which I can slap OpenBSD 3.8 on and use
  it as a router.
  This will be used for a house (~ 4 people) and I'm looking for

 You could look at www.soekris.com. They're underpowered, but it should
 be able to handle home router/firewall duties.

Underpowered?  I think that is a really relative term.  Underpowered for 
datamining a 1 TB database?  Yeah, it probably is; however, from my experience 
I could saturate a 1.5 Mb SDSL or T-1 link using an IPSEC VPN between a 
Soekris 4501 and a 1GHz Dell POS.  If all you are looking to do is run a 
firewall for a DSL/Cable connection at home, the 4501 is likely overpowered.  

Tim Donahue



Re: 3.7 CDs

2005-05-02 Thread Tim Donahue
On Sun, 2005-05-01 at 20:25 +0200, Christoph Machon wrote:
 On Sunday, 01.05.2005, 06:35 -0400, Todd Boyer wrote:
 
  On Saturday, April 30, Theo de Raadt wrote:  
  
   Something else... today I had a chance to checkout a new 
   wireframe puffy tshirt.  The texture of them is incredible, 
   blind people will appreciate the shirts a lot, heck they are 
   just plain sexy.  We should have made a wireframe blowfish 
   tshirt a very very long time ago.
  
  Makes a plain sexy desktop too
  http://www.autumntech.com/bsdstuff/puffy-desktop.jpg
 
 Hmm...very interesting. OpenBSD logo on the windows machine ?!
 The pauper fish ;) 
 --
 Whoever gives up freedom to gain security will in the end lose both.
 [ Benjamin Franklin ]
 
 [demime 1.01d removed an attachment of type image/png which had a name of 
 smiley-4.png]
 

Here is the original English version:

The man who trades freedom for security does not deserve nor will he
ever receive either. 
-Benjamin Franklin