Re: Actual BIND error - Patching OpenBSD 4.3 named ?

2008-07-09 Thread mark reardon
Hi Andreas,

Aren't you dumping on the wrong interface here?
Should it not be your $ext_if where the alleged poisoning will come from?




2008/7/9 Rod Whitworth [EMAIL PROTECTED]:

 On Wed, 9 Jul 2008 11:10:09 +0200, Andreas Maus wrote:

 Hi.
 
 I guess OpenBSD's named is affected by the actual issue:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
 http://www.kb.cert.org/vuls/id/800113
 
 So I hope a patch is in progress ?
 Or is OpenBSD not affected by this issue?
 
 So long,
 
 Andreas.
 --


 # tcpdump -nettti rl0 dst port 53
 tcpdump: listening on rl0, link-type EN10MB
 Jul 09 19:48:27.786683 00:01:80:0f:2b:94 00:00:24:c6:18:85 0800 70:
 192.168.80.4.16284 > 192.168.80.1.53: 57120+ A? pps.com.au. (28)
 Jul 09 19:48:43.690332 00:01:80:0f:2b:94 00:00:24:c6:18:85 0800 67:
 192.168.80.4.1356 > 192.168.80.1.53: 32536+ A? ibm.com. (25)
 Jul 09 19:49:11.013223 00:01:80:0f:2b:94 00:00:24:c6:18:85 0800 69:
 192.168.80.4.14540 > 192.168.80.1.53: 29420+ A? intel.com. (27)
 

 # uname -a
 OpenBSD master.witworx.com 4.3 GENERIC#698 i386

 Guess again.

 Was that so hard to try?

 R/
 ** note replies off-list are not required. If you insist you MUST use
 the reply-to: address.
 The sender address is a tarpit except for the list servers. ***

 Rod/

 A consultant is someone who's called in when someone has painted himself
 into a corner.  He's expected to levitate his client out of that corner.

 -The Sayings of Chairman Morrow. 1984.



Re: Actual BIND error - Patching OpenBSD 4.3 named ?

2008-07-09 Thread mark reardon
doxpara.com reports no issues with unbound FWIW.

Thanks to Stuart for this suggestion during the previous DJBware for ports
thread.

2008/7/9 Stuart Henderson [EMAIL PROTECTED]:

 On 2008-07-09, Steve Tornio [EMAIL PROTECTED] wrote:
  I get a different result using the external interface of my caching
  name server, and mine looks vulnerable.

 named is. the stub resolver isn't.

 mcbride@ pointed out that you can give named some more protection
 by natting outbound udp traffic destined for port 53 (even just on
 the box running the resolver, it doesn't have to be on a firewall
 in front). something like,

 nat on egress proto udp from (self) to any port 53 -> (self)

 there - if you need to tell people you're doing something
 while you wait for a better solution, you have an option.
 check this with tcpdump and requests from multiple NS, the
 doxpara.com checker will not notice this as an improvement.
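
The tcpdump check suggested above, as an added example that is not part of the original thread: it groups outbound port-53 queries from `tcpdump -n` output by source address and labels how the source ports behave. The names `parse_queries`, `classify_ports` and `report` are hypothetical, and the capture is constructed.

```python
import re
from collections import defaultdict

# Matches the "src.port > dst.53: txid" part of a tcpdump -n query line.
QUERY_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.53:\s+(\d+)"
)

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = """\
Jul 09 20:01:02.000001 203.0.113.10.32768 > 198.51.100.1.53: 4121 A? a.example. (27)
Jul 09 20:01:03.000001 203.0.113.10.32768 > 198.51.100.2.53: 9310 A? b.example. (27)
Jul 09 20:01:04.000001 203.0.113.10.32768 > 198.51.100.3.53: 2877 A? c.example. (27)
Jul 09 20:01:05.000001 203.0.113.20.1025 > 198.51.100.1.53: 511 A? a.example. (27)
Jul 09 20:01:06.000001 203.0.113.20.1026 > 198.51.100.2.53: 60233 A? b.example. (27)
Jul 09 20:01:07.000001 203.0.113.20.1027 > 198.51.100.3.53: 18 A? c.example. (27)
Jul 09 20:01:08.000001 203.0.113.30.41873 > 198.51.100.1.53: 7002 A? a.example. (27)
Jul 09 20:01:09.000001 203.0.113.30.2290 > 198.51.100.2.53: 33190 A? b.example. (27)
Jul 09 20:01:10.000001 203.0.113.30.58011 > 198.51.100.3.53: 1264 A? c.example. (27)
"""

def parse_queries(capture):
    """Return {source_ip: [(source_port, txid), ...]} in capture order."""
    by_src = defaultdict(list)
    for src, sport, _dst, txid in QUERY_RE.findall(capture):
        by_src[src].append((int(sport), int(txid)))
    return dict(by_src)

def classify_ports(ports, min_samples=3):
    """Label the source ports one resolver used, in the order seen."""
    if len(ports) < min_samples:
        return "insufficient-data"
    if len(set(ports)) == 1:
        return "fixed"          # every query left from the same port
    steps = {(b - a) % 65536 for a, b in zip(ports, ports[1:])}
    if len(steps) == 1 and next(iter(steps)) <= 16:
        return "sequential"     # constant small increment, easy to predict
    return "varied"             # no obvious pattern in this sample

def report(capture):
    """Map each querying source address to its port-behaviour label."""
    return {src: classify_ports([port for port, _ in queries])
            for src, queries in parse_queries(capture).items()}

if __name__ == "__main__":
    for src, label in report(SAMPLE).items():
        print(src, label)
```

A `varied` label on a handful of queries only rules out the fixed and sequential cases; it does not measure how unpredictable the ports are.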



Re: support for Sun Fire

2007-07-16 Thread mark reardon
Yep - x2100 M2. OpenBSD 4.1. It works brilliantly compared to the Dell it
replaced which was getting to 55+% IO bound.


On 16/07/07, Toni Mueller [EMAIL PROTECTED] wrote:

 Hi Mark,

 On Tue, 29.05.2007 at 14:13:06 +0100, mark reardon [EMAIL PROTECTED] wrote:
  I just got a x2100 M2 from Sun yesterday on a 60 day trial and am having
  trouble setting the MTU on one of the bge NICs. Just some initial findings.
  Not a big problem for me really.

 did you get it to run OpenBSD properly? Which model do you have?


 Best,
 --Toni++



Re: Publishing your spamtraps list, is that a wise move?

2007-07-05 Thread mark reardon
If you have a good whitelist this won't bother you.

Why make it obvious that the addresses are spamtrap ones?
Just hide a comment somewhere on the homepage that only harvesters will see
but not people who browse your web site ( unless they read the html source ).

I have been hit where a spammer has used one of our addresses as a reply_to
address.
No worries. spamd doesn't even break a sweat. The mail doesn't ever hit our
server and the only servers that have the problem are the mail servers that
believe the forged reply to address as they bang their heads trying to
deliver the bounced mails. They should try spamd :-)

g'day

Mark




On 05/07/07, Darrin Chandler [EMAIL PROTECTED] wrote:

 On Thu, Jul 05, 2007 at 11:07:55AM +0200, Peter N. M. Hansteen wrote:
  Now I wonder if it would be a good idea to put that list of spamtrap
  addresses on a web page for the address slurpers to find and use, so I
  can detect spam senders early and either treat them to 24 hours at the
  time in the tar pit or have them move on to the next target.
 
  The only downside to this that I can see is that occasionally somebody
  naive and innocent sending backscatter (bounces of undeliverable spam)
  would be tarpitted for a while.
 
  Does anybody else here have views or relevant experience they want to
  share?

 I thought about this a while back, and I found a weakness. Now, I
 haven't seen this used, but it's trivially possible. Here's the deal:

 You publish spamtrap addresses, and of course you make them easily
 recognizable as such so you don't trap real people. Spammers spend a
 very small amount of effort and harvest spamtrap addresses *on purpose*
 and use them as sender addresses (joe job). The result being, of course,
 that you blacklist significant valid portions of the internet. Am I
 wrong here?

 --
 Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
 [EMAIL PROTECTED]   |  http://phxbug.org/  |
 http://metabug.org/
 http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG
 Federation



Re: need a machine for an itanium port

2007-06-08 Thread mark reardon
ok - I can match Diana with 100 euros so. Cheers.

On 08/06/07, Theo de Raadt [EMAIL PROTECTED] wrote:

   From what I know, I think dlg has not received any real offers
   yet.
 
  Sad, well I'll throw US$100 into the mix if someone wants to co-ordinate
  it.  I don't have any use for Itanium, but I do know that dlg@ has done
  some great work, so I might as well support him in something he wants to
  do.

 From my perspective, I have some hopes that doing work on ia64 will
 lead us to developing security techniques that may affect other
 architectures.  But perhaps no one cares about that anymore...



Re: need a machine for an itanium port

2007-06-08 Thread mark reardon
yep, just donated here too:

Your order currently is:
- EUR 100.00 [DON] DONATION to the OpenBSD Project
- Total: EUR 100.00 + Shipping.
...
...
...

Comments: in response to Theo's call to support Itanium port by dlg@ on the
[EMAIL PROTECTED] list.




On 08/06/07, Bryan Vyhmeister [EMAIL PROTECTED] wrote:

 On Jun 8, 2007, at 1:22 PM, Diana Eichert wrote:

  Dunno what the target amount is but if we can get  20 people
  contributing US/E 100 then there should be enough for an Itanium.
 
  So where are the other 18 or so folks?

 One more just donated $100.

 Bryan



Re: support for Sun Fire

2007-05-29 Thread mark reardon
I just got a x2100 M2 from Sun yesterday on a 60 day trial and am having
trouble setting the MTU on one of the bge NICs. Just some initial findings.
Not a big problem for me really.


On 29/05/07, mufurcz [EMAIL PROTECTED] wrote:

 Greetings,

 Are the Sun Fire X2100 (1 x AMD Opteron,  Model 175, dual core 2.26 MHz CPU)
 servers fully supported?  I am interested in both - good and bad experiences
 with these boxes.  If you don't want to generate noise on this group, please
 e-mail to me personally.

 Thanks,

 mufurcz



Re: support for Sun Fire

2007-05-29 Thread mark reardon
my problem was only setting the mtu  9000 btw. as I said not a biggie ;-)

On 29/05/07, mark reardon [EMAIL PROTECTED] wrote:

 I just got a x2100 M2 from Sun yesterday on a 60 day trial and am having
 trouble setting the MTU on one of the bge NICs. Just some initial findings.
 Not a big problem for me really.


 On 29/05/07, mufurcz [EMAIL PROTECTED] wrote:
 
  Greetings,
 
  Are the Sun Fire X2100 (1 x AMD Opteron,  Model 175, dual core 2.26 MHz CPU)
  servers fully supported?  I am interested in both - good and bad experiences
  with these boxes.  If you don't want to generate noise on this group, please
  e-mail to me personally.
 
  Thanks,
 
  mufurcz



Re: using spamd to block outbound spam

2007-04-13 Thread mark reardon
hogwash might help. I haven't used it in a fair while though.

http://www.securityfocus.com/infocus/1208

On 13/04/07, Paolo Supino [EMAIL PROTECTED] wrote:

 Hi

I have the following problem: I host a group of windows servers that
 run a webapp using IIS6 ASP technology. The webapp was written and is
 maintained by a small private company that develops custom webapps for
 companies. One of the services the webapp does is send out emails
 (nothing amazing until now). The problem is that the webapp isn't
 written securely. The developers keep saying the webapp is secure and
 isn't the problem. Bringing someone from the outside to prove them wrong
 has failed thus far. Showing logs and showing network access also proved
 futile. The webapp is (ab)used by spammers to relay spam emails which
 caused the webapp's IP address to be added to various spam black lists
 :-( I'm sure the ASP is the problem because only HTTP and HTTPS are
 accessible on these servers. The website itself is hidden behind a
 firewall and SMTP port isn't reachable. I'm in the process of replacing
 the current firewall (Microtik's RouterOS, a Linux based OS) with
 OpenBSD and I thought of using spamd to block outgoing spam emails. I've
 started reading about spamd and usage scenarios, but thus far only found
 spamd being used on incoming emails. Did anyone use spamd to block
 outgoing spam emails? Is what I want to do possible (in combination PF)?
 Other solutions will also be appreciated obviously based on OpenBSD :-)





 TIA
 Paolo



pfctl not loading rules - Must enable table loading for optimizations

2007-04-06 Thread mark reardon
Hello,

Trying to load any rules ( even /usr/share/pf/ examples ) I get the error
about enabling table loading for optimizations
and rules get ignored. Anybody able to gently apply a cluestick as to what
table loading it is talking about?

# uname -a
OpenBSD gooner.mynet.net 4.1 GENERIC#10 i386

# pfctl -Rf /etc/pf.conf
pfctl: Must enable table loading for optimizations

# cat /etc/pf.conf
# macros
ext_if=re0
int_if=bge0

tcp_services={ 22, 113 }
icmp_types=echoreq

#comp3=192.168.0.3

# options
set block-policy drop
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor ftp-proxy/*
rdr-anchor ftp-proxy/*

#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr on $ext_if proto tcp from any to any port 80 -> $comp3

# filter rules
block in

pass out

anchor ftp-proxy/*
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services

pass in inet proto icmp all icmp-type $icmp_types

pass quick on $int_if no state

# pfctl -s nat
nat on re0 from ! (re0) to any -> (re0:0)
rdr pass on re0 inet proto tcp from any to (re0:0) port = 64831 ->
10.254.1.40 port 64831
rdr pass on re0 inet proto udp from any to (re0:0) port = 64831 ->
10.254.1.40 port 64831
# pfctl -s rules
scrub in all fragment reassemble
#



Re: use OpenBSD to blacklist phone calls?

2007-03-20 Thread mark reardon
use zapteller() [ page 115 ] and / or anti-girlfriend-logic [ page 104 ] as
documented in the Asterisk - the future of Telephony.

The asterisk book is available online via:

http://www.asteriskdocs.org/modules/tinycontent/index.php?id=11

enjoy.

Mark

On 20/03/07, Paul Pruett [EMAIL PROTECTED] wrote:

 OpenBSD spamd works great for blacklisting IPs,
 and maybe it could be used for our blacklisting
 telephone calls using callerID?

 Even though we are on the 'do not call' registry
 we still get 4-10 calls a day at home, and
 at work it's just phone spam spam spam

 Thinking about adding a modem that recognizes callerID
 to my home openbsd firewall/server to have it also
 monitor the phones and intercept telemarketing
 calls between ring 1 and 2 and if a match then
 give a false fax signal,
 message or just hangup signal.

 Has anyone else setup an openbsd server to hangup
 phone calls by callerid?

 I looked through /usr/ports/comms
 and /usr/ports/telephony I think this could be
 done with the port package asterisk, but it does
 look complex and I wondered if another package
 was more appropriate than a VOIP package?

 I did google some notes for [EMAIL PROTECTED]
 but I did not read that it is
 the same as the port ASTERISK.

 -TIA.



Re: use OpenBSD to blacklist phone calls?

2007-03-20 Thread mark reardon
nice one. thanks.

On 20/03/07, Stuart Henderson [EMAIL PROTECTED] wrote:

 On 2007/03/20 17:25, mark reardon wrote:
  use zapteller() [ page 115 ] and / or anti-girlfriend-logic [ page 104 ] as
  documented in the Asterisk - the future of Telephony.
 
  The asterisk book is available online via:

 it's in ports/packages now - /usr/ports/books/AsteriskTFOT