Re: they say openbsd is not as scalable as others
On 5/29/06, Marian Hettwer [EMAIL PROTECTED] wrote: -BEGIN PGsnip so what is best served? exactly what I said. I've used openbsd to serve just about everything as a service provider. includes stuff like mysql/postgresql, apache, php, perl, mail, squid, pf and on down the line. My opinion was formed after I had worked heavily with solaris, freebsd, * linux, M$, cisco * and lots of other hardware and software. that's just me. On 5/29/06, Raja Subramanian [EMAIL PROTECTED] wrote: So in the end, the freedom wins! well said.
UPS with USB: hidups or newhidups drivers in nut
As far as I understand I need either the hidups or the newhidups driver of nut in order to use the APC Back-UPS XS 1500 (aka BX1500) with a USB interface cable. Unfortunately the 3.9 nut-2.0.0p1 package doesn't come with either of the two drivers. Neither does the current nut-2.0.3 port. I even tried to compile the nut-2.0.3 port with the --with-drivers=newhidups configuration arg added to the Makefile. After a few guess-fixes [1] I finally got stuck with my extremely limited hacking knowledge [2]. A change log over at www.networkupstools.org was teasing me with all the improvements on newhidups and the removal of the experimental status flag. Are the hidups and newhidups only available under Linux? What are my alternatives? Both apc-upsd and upsd look quite old and they don't look like they support USB either. http://www.apcupsd.org/ looks promising. Has that been compiled and used successfully on OpenBSD, maybe even with USB? Thanks for your time, Claus BTW, sorry for the blank mail earlier. [1] changed includes <usb.h> to <dev/usb/usb.h> in files w-nut-2.0.3/nut-2.0.3/drivers/libhid.h and w-nut-2.0.3/nut-2.0.3/drivers/libusb.h [2] It looks like the references to HIDDevice aren't liked even though it's defined as a struct.
=== Building for nut-2.0.3
common/
drivers/
cc -I../include -O2 -pipe -Wall -Wsign-compare -s -c newhidups.c
In file included from newhidups.c:25:
libhid.h:160: error: syntax error before '*' token
libhid.h:170: error: syntax error before '*' token
libhid.h:175: error: syntax error before '*' token
libhid.h:180: error: syntax error before '*' token
libhid.h:185: error: syntax error before '*' token
libhid.h:190: error: syntax error before '*' token
libhid.h:196: error: syntax error before '*' token
In file included from newhidups.h:32,
                 from newhidups.c:26:
libusb.h:41: error: syntax error before '*' token
libusb.h:42: error: syntax error before '*' token
libusb.h:45: error: syntax error before '*' token
libusb.h:46: error: syntax error before '*' token
libusb.h:47: error: syntax error before '*' token
libusb.h:48: error: syntax error before '*' token
In file included from newhidups.c:26:
newhidups.h:36: error: syntax error before '*' token
newhidups.h:36: warning: type defaults to `int' in declaration of `udev'
newhidups.h:36: warning: data definition has no type or storage class
newhidups.c:54: error: syntax error before '*' token
newhidups.c:54: warning: type defaults to `int' in declaration of `udev'
newhidups.c:54: warning: data definition has no type or storage class
*** Error code 1
Stop in /usr/ports/sysutils/nut/w-nut-2.0.3/nut-2.0.3/drivers (line 102 of Makefile).
*** Error code 1
Stop in /usr/ports/sysutils/nut/w-nut-2.0.3/nut-2.0.3 (line 27 of Makefile).
*** Error code 1
Stop in /usr/ports/sysutils/nut (line 1924 of /usr/ports/infrastructure/mk/bsd.port.mk).
Re: cgi with chroot
On Tue, 2006-05-30 at 15:34 -0700, prad wrote: i tried to get a ksh script to work after i copied the ksh into /var/www/bin my understanding is that the chrooted environment doesn't give access to the /bin/ksh program. /var/www/bin/sh is working for me. i tried the same thing with ruby (copied both ruby and erb into /var/www/bin) and got the same thing again. Ruby is working for me too. Check this out:

#!/bin/sh
WWW=/var/www

# Path
[ ! -d $WWW/bin ] && mkdir -p $WWW/bin
[ ! -d $WWW/usr/bin ] && mkdir -p $WWW/usr/bin
[ ! -d $WWW/usr/local/bin ] && mkdir -p $WWW/usr/local/bin
[ ! -d $WWW/usr/local/sbin ] && mkdir -p $WWW/usr/local/sbin
[ ! -d $WWW/usr/local/lib ] && mkdir -p $WWW/usr/local/lib
[ ! -d $WWW/usr/lib ] && mkdir -p $WWW/usr/lib
[ ! -d $WWW/var/run ] && mkdir -p $WWW/var/run

# cp ruby
RUBY=$(which ruby)
cp -f $RUBY $WWW/$RUBY

# cp env
ENV=$(which env)
cp -f $ENV $WWW/$ENV

# Ruby stuff
rsync -va /usr/local/lib/ruby $WWW/usr/local/lib

# cp libs (the "rlib" rows of ldd(1) output; column 7 is the library path)
for LIB in $(ldd $RUBY | awk '{if ($3 == "rlib") {print $7}}'); do
	cp -f $LIB $WWW/$LIB
done

# cp hints
cp -f /var/run/ld.so.hints $WWW/var/run/ld.so.hints

I have got one more script that fixes ImageMagick which is needed by Typo3. Bye, Aiko -- Aiko Barz [EMAIL PROTECTED] Web: http://www.haeckser.de
Re: Static functions in C code
On 5/31/06, Brett Lymn [EMAIL PROTECTED] wrote: On Tue, May 30, 2006 at 04:55:14PM +0300, Denis Doroshenko wrote: why would you even want that (moreover in opensource)? hide for what reason? It's called lexical scoping - it has nothing really to do with security more to do with preventing namespace pollution. Clearly you have never written a library. clearly you're implying too much here. i must admit that i have not used statics since there was nothing in my tiny projects that would need it. i won't argue with you, from "you have never written a library" sounds like it would be fruitless. if you want multiple functions named say do_it in your code to not cause name clashes, then do_it(); i always try to name things the way they are very unlikely to clash with something and yet such names seem to make more sense. i like to debug my problems fast, to see every step, what was called, where and with what parameters. as i said, i didn't hit the need for it.
Re: Recommended window manager for OpenBSD
akonsu wrote: hello has anyone tried evilwm (http://www.6809.org.uk/evilwm/)? is it any good? i am looking for a good simple keyboard controllable WM. i am doing mostly development. thanks konstantin I've been using evilwm for almost a year on my workstation and laptop, and I must say that I'm very satisfied. I used it a couple of months with Debian unstable before moving on to OpenBSD 3.8, and later 3.9. I've made a screenshot available here for limited time: http://www.cs.aau.dk/~mt/evilwm.png I use it in conjunction with Enlightenment's terminal, Eterm, and (at the moment) a nice wallpaper from http://themes.freshmeat.net/projects/opuwa/ Everything you need to know to use evilwm is described in its manual page. Go and try it out - just install the package. My .xsession and Eterm theme file are attached for your convenience. /Martin

Eterm theme file:

Eterm-0.8.10
begin main
  begin color
    foreground white
    background black
    tint 0xff
    shade 0%
    cursor #00
    cursor_text #88
    menu_text white
    scrollbar #3f1c00
    unfocusedscrollbar #77
    pointer white
    video normal
    color 0 rgb:0/0/0
    color 1 rgb:cc/00/00
    color 2 rgb:00/cc/00
    color 3 rgb:cc/cc/00
    color 4 rgb:00/00/cc
    color 5 rgb:cc/00/cc
    color 6 rgb:00/cc/cc
    color 7 rgb:fa/eb/d7
    color 8 rgb:33/33/33
    color 9 rgb:ff/00/00
    color 10 rgb:00/ff/00
    color 11 rgb:ff/ff/00
    color 12 rgb:00/00/ff
    color 13 rgb:ff/00/ff
    color 14 rgb:00/ff/ff
    color 15 rgb:ff/ff/ff
  end color
  begin attributes
    title Eterm-0.8.10
    name Eterm-0.8.10
    iconname Eterm-0.8.10
    scrollbar_type motif
    scrollbar_width 10
    font 0 fixed
    font 1 6x10
    font 2 6x13
    font 3 8x13
    font 4 9x15
  end attributes
  begin pixmaps
    path /usr/local/share/Eterm/pix/
  end pixmaps
  begin toggles
    map_alert 1
    visual_bell 0
    login_shell 1
    scrollbar 0
    menubar 0
    utmp_logging 1
    meta8 0
    iconic 0
    home_on_echo 1
    home_on_input 0
    home_on_refresh 1
    scrollbar_floating 0
    scrollbar_right 1
    scrollbar_popup 0
    borderless 0
    save_under 0
    trans 0
    watch_desktop 0
    no_cursor 0
    menubar_move 0
    pause 0
    xterm_select 0
    select_line 0
    select_trailing_spaces 0
    viewport_mode 0
  end toggles
  begin keyboard
    smallfont_key less
    bigfont_key greater
    app_keypad 0
    app_cursor 0
  end keyboard
  begin misc
    print_pipe lp
    save_lines 1024
    min_anchor_size 0
    border_width 5
    menu Eterm.menu
    term_name xterm-color
    debug 0
  end misc
end main

.xsession:

/usr/X11R6/bin/xset m 0 4
/usr/X11R6/bin/xset s off
/usr/X11R6/bin/xset b off
/usr/X11R6/bin/xset -dpms
/usr/local/bin/Esetroot ~/.wallpaper.png
/usr/local/bin/evilwm -term /usr/local/bin/Eterm
Re: UPS with USB: hidups or newhidups drivers in nut
On 5/31/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: http://www.apcupsd.org/ looks promising. Has that been compiled and used successfully on OpenBSD, maybe even with USB? yes I might even have the same model. Give it a try. It works well.
Re: UPS with USB: hidups or newhidups drivers in nut
On 2006/05/31 08:52, [EMAIL PROTECTED] wrote: As far as I understand I need either the hidups or the newhidups driver of nut in order to use the APC Back-UPS XS 1500 (aka BX1500) with a USB interface cable. [...] Are the hidups and newhidups only available under Linux? Not tested, but NUT is probably looking for /usr/local/include/usb.h from the libusb port/package, not the system /usr/include/dev/usb/usb.h Programs using libusb should be reasonably portable between OS.
Re: dd problem
akonsu wrote: hello, i wanted to create an ISO image of a CDROM, so i ran this command: dd if=/dev/cd0a of=my.iso and i waited and waited for about 30 minutes until i just gave up and pressed ^C. the resulting iso file was much larger than the source disc. try dd if=/dev/rcd0c of=disk.iso bs=32k note the rcd0c instead of cd0a. The 'a' vs. 'c' doesn't (seem to) matter, I just philosophically prefer the 'c' implying entire disk, rather than just one partition. The raw mode of access makes a lot of difference here. I put the bs=32k in there for a bit of additional performance, but it turns out that without the bs= line, it didn't work at all. After a little thought (and testing), I remembered that on most modern platforms, CDROM drives have a 2k block size, so apparently dd has trouble moving 512 bytes at a time out of CDROM drives. I confirmed that bs=2k worked, bs=1k does not, so I might possibly be not totally wrong on that. bs=32k seemed to go about twice as fast as bs=2k. Well, I learned something. :) Nick.
hotspot software
Hello, Does anybody use software for managing hotspot clients and for counting traffic? Thanks, Artyom
Problems trying to log on squirrelmail.
Hi all, After three days facing a lot of problems to install an OpenBSD server with postfix, cyrus and squirrelmail, I could finally log on webmail. But now I'm facing a new problem that I could solve, and it shows as soon as I log in. I've tried everything I found on the Internet, but I didn't succeed. The error message is as follows:

On the left side, where the folders are shown:

ERROR: ERROR: Could not complete request. Query: CREATE INBOX.Sent Reason Given: Permission denied

On the right side, where the messages are placed:

ERROR: ERROR: Could not complete request. Query: SELECT INBOX Reason Given: Mailbox does not exist

Has anyone ever faced this problem? I'd also be thankful if anyone could point me to a set of servers that I could use to build an e-mail server over OpenBSD. -- Joco Salvatti Undergraduating in Computer Science Federal University of Para - UFPA web: http://www.openbsd-pa.org e-mail: [EMAIL PROTECTED]
Re: CGI in C: getenv(CONTENT_LENGTH)
On 5/30/06, vladas [EMAIL PROTECTED] wrote: I am concerned for the cases where URL given by the client side is like 2MB. In my understanding, there is a gap between the server opening a socket for the connection and starting reading in the data from the client until the end of that reading-in when server stores the info about the request in the env variables. So if URL is very big, it would be first transferred to the httpd cache and httpd would determine the CONTENT_LENGTH and would store that info in the env of the httpd, right? The CGI's env. variable CONTENT_LENGTH is set from the client's header (see /usr/src/usr.sbin/httpd/src/main/util_script.c:

else if (!strcasecmp(hdrs[i].key, "Content-length")) {
    ap_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
}

)
Re: CGI in C: getenv(CONTENT_LENGTH)
This is bad because CONTENT_LENGTH could be > sizeof(buff): On 5/30/06, vladas [EMAIL PROTECTED] wrote:

char buff[1];
const char *len1 = getenv("CONTENT_LENGTH");
contentlength = strtol(len1, &endptr, 10);
fread(buff, contentlength, 1, stdin);
Re: Problems trying to log on squirrelmail.
On 2006/05/31 08:41, Joco Salvatti wrote: ERROR: ERROR: Could not complete request. Query: SELECT INBOX Reason Given: Mailbox does not exist Sounds like you didn't create the inbox.

$ telnet xxx 143
Trying xxx...
Connected to xxx.
Escape character is '^]'.
* OK xxx Cyrus IMAP4 v2.2.12 server ready
. login yourusername pass
. OK User logged in
. create INBOX
. OK Completed
. logout
* BYE LOGOUT received
. OK Completed

(or you can use cyradm to connect as a cyrus administrator and issue the command 'cm user.yourusername', or use cyradm to connect as the user and 'cm INBOX'). Has anyone ever faced this problem? I'd also be thankful if anyone could point me a set of servers that I could use to build an e-mail server over OpenBSD. Cyrus can do some useful and unusual things (for example, indexed full-text search of mailboxes, if you configure it to do so), but it is a complex piece of software, and you will need to read the documentation to learn how to carry out admin tasks and use it effectively. If you are simply looking for a decent IMAP server and don't particularly need the features of Cyrus, try Dovecot instead. It's simpler and quite easy to use.
Re: FTP download/CD sales ratio
Ordering from Wim (kd85.org) works great, there is no point in using other resellers than the two alternatives on openbsd.org. /jkm * Henrik Borgh ([EMAIL PROTECTED]) wrote: On 5/4/06, Michael Erdely [EMAIL PROTECTED] wrote: As soon as you see pre-orders are up, order. I did and have had my 3.9 CDs for a couple weeks now. For me, not wanting to build all the packages I use, I only wait until release day to download the rest of the packages (from a mirror). Except that not all resellers are equally fast. Neither of the Danish resellers has announced having OpenBSD 3.9, and I'm not sure that they differ from so many other resellers. So I guess that one has to order the CD-ROMs from kd85.com or computershop.ca, to be sure to have them on at least the release day. -- Regards Henrik
Re: CGI in C: getenv(CONTENT_LENGTH)
Alexander, thank you - really - very much for the reply. Shame on me for a slow response. The CGI's env. variable CONTENT_LENGTH is set from the client's header (see /usr/src/usr.sbin/httpd/src/main/util_script.c: Please excuse me for being mistaken in these (as well as the ones in the previous mails) basics. On 31/05/06, Alexander Farber [EMAIL PROTECTED] wrote: This is bad because CONTENT_LENGTH could be > sizeof(buff): So client could cause buff overflow by specifying wrong CONTENT_LENGTH in the custom-crafted headers. In that case, even the apache's 414 Request-URI Too Large could not prevent the problem, right? So the only solution I can figure out is allocate buffer >= than #define DEFAULT_LIMIT_REQUEST_LINE 8190 and to sscanf it to pick up the needed data from the headers sent from client. It seems like reinventing the wheel, really. Of course, I will google on it right away, but how e.g. mod_perl or other cgi's are dealing with it? I missed something obvious, right?
Re: FTP download/CD sales ratio
* Joakim Aronius wrote: Ordering from Wim (kd85.org) works great, there is no point in using other resellers than the two alternatives on openbsd.org. As for Switzerland, we resell it so people can save a bit on freight. So there probably is a point buying from local reseller.
Re: CGI in C: getenv(CONTENT_LENGTH)
Hi, why 8190? IMHO just malloc() a buffer of any length you like (depends on what data len your app would typically receive), then read() into it and if you exceed its sizeof while read() still returns positive values (i.e. not -1 and not 0), realloc() the buffer. On 5/31/06, vladas [EMAIL PROTECTED] wrote: So client could cause buff overflow by specifying wrong CONTENT_LENGTH in the custom-crafted headers. In that case, even the apache's 414 Request-URI Too Large could not prevent the problem, right? So the only solution I can figure out is allocate buffer >= than #define DEFAULT_LIMIT_REQUEST_LINE 8190 and to sscanf it to pick up the needed data from the headers sent from client. It seems like reinventing the wheel, really. Of course, I will google on it right away, but how e.g. mod_perl or other cgi's are dealing with it? Maybe mod_perl and mod_cgi don't malloc() + read() the body, but just pass stdin file descriptor to the user? poka Alex
Re: CGI in C: getenv(CONTENT_LENGTH)
So client could cause buff overflow by specifying wrong CONTENT_LENGTH in the custom-crafted headers. In that case, even the apache's 414 Request-URI Too Large could not prevent the problem, right? Not to waste readers' (if any) time, I will be more detailed: I have meant In that case, even the apache's 414 Request-URI Too Large could not prevent the problem, as buff overflow still could be caused for the headers smaller than 8190 as they would pass httpd check but misinform and would potentially make my cgi.c panic, right? And there is no reliable way to determine the CONTENT_LENGTH inside the httpd from the client input given as headers might vary, right?
Re: CGI in C: getenv(CONTENT_LENGTH)
On 31/05/06, Alexander Farber [EMAIL PROTECTED] wrote: Hi, why 8190? IMHO just malloc() a buffer of any length you like (depends on what data len your app would typically receive), then read() into it and if you exceed its sizeof while read() still returns positive values (i.e. not -1 and not 0), realloc() the buffer. That's nice, laconic. But still, as far as I understand, anything could have come in under this scheme and I still have to figure out what the real content size is (given that I do not trust CONTENT_LENGTH). It's not like a big deal to write some checks, I ask just to make sure I got it right. On 5/31/06, vladas [EMAIL PROTECTED] wrote: So client could cause buff overflow by specifying wrong CONTENT_LENGTH in the custom-crafted headers. In that case, even the apache's 414 Request-URI Too Large could not prevent the problem, right? So the only solution I can figure out is allocate buffer >= than #define DEFAULT_LIMIT_REQUEST_LINE 8190 and to sscanf it to pick up the needed data from the headers sent from client. It seems like reinventing the wheel, really. Of course, I will google on it right away, but how e.g. mod_perl or other cgi's are dealing with it? Maybe mod_perl and mod_cgi don't malloc() + read() the body, but just pass stdin file descriptor to the user? In which case the CONTENT_LENGTH would rely on what? Just on connection socket? (But I say this still without checking what really the mod_perl does, so please feel free to ignore this). poka Alex
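Putting Alexander's two points together (CONTENT_LENGTH may be larger than sizeof(buff), and the body should be read into a malloc()ed buffer in a loop) gives the shape below. This is an added example, not code posted by anyone in the thread: the function names are hypothetical, MAX_BODY is an assumed application limit (the 414 check in httpd covers the request line, not the body, so the body limit has to be the CGI's own), and the request body is constructed and fed through tmpfile() in place of stdin so the program runs offline.

```c
/* Added example, not code from the thread: validate CONTENT_LENGTH before
 * sizing any buffer, and read the body in a loop that stops at the
 * validated length. Function names are hypothetical; MAX_BODY is an
 * assumed application limit and the request body below is constructed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY 65536   /* largest body this application will buffer */

/* Parse the CONTENT_LENGTH string; -1 if missing, non-numeric, negative,
 * too large for a long, or above max. Not used as a size until it passes. */
long parse_content_length(const char *s, long max)
{
    char *end;
    long n;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    n = strtol(s, &end, 10);
    if (errno == ERANGE)            /* value did not fit in a long */
        return -1;
    if (end == s || *end != '\0')   /* no digits, or trailing junk ("12x") */
        return -1;
    if (n < 0 || n > max)
        return -1;
    return n;
}

/* Read exactly len bytes from in into a buffer sized from the validated
 * len. A short read (client sent less than it claimed, or hung up) is
 * reported as an error instead of leaving unfilled bytes in the buffer. */
char *read_body(FILE *in, long len, size_t *out_len)
{
    char *buf;
    size_t got = 0;

    if (in == NULL || len < 0)
        return NULL;
    buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return NULL;
    while (got < (size_t)len) {
        size_t r = fread(buf + got, 1, (size_t)len - got, in);
        if (r == 0)                 /* EOF or error before len bytes */
            break;
        got += r;
    }
    if (got != (size_t)len) {
        free(buf);
        return NULL;
    }
    buf[got] = '\0';
    *out_len = got;
    return buf;
}

/* Parse the header value and read the body in one step; NULL on failure. */
char *read_post_body(FILE *in, const char *content_length, size_t *out_len)
{
    long len = parse_content_length(content_length, MAX_BODY);
    if (len < 0)
        return NULL;
    return read_body(in, len, out_len);
}

/* Stand-in for stdin: a temporary file holding a constructed body. */
FILE *constructed_body(const char *data)
{
    FILE *f = tmpfile();
    if (f != NULL) {
        fwrite(data, 1, strlen(data), f);
        rewind(f);
    }
    return f;
}

/* Self-check helper: 1 if a body claiming claimed_len bytes of data reads
 * back as exactly expected, 0 if the request is rejected or differs. */
int body_matches(const char *data, const char *claimed_len, const char *expected)
{
    size_t n = 0;
    FILE *in = constructed_body(data);
    char *body = read_post_body(in, claimed_len, &n);
    int ok = body != NULL && strcmp(body, expected) == 0;

    free(body);
    if (in != NULL)
        fclose(in);
    return ok;
}

int main(void)
{
    /* CGI header lines end in \r\n, as noted elsewhere in this digest. */
    printf("Content-Type: text/plain\r\n\r\n");
    printf("%s\n", body_matches("name=dave&cmd=open", "18", "name=dave&cmd=open")
                       ? "body accepted" : "bad request");
    printf("%s\n", body_matches("name=dave", "4096", "") ? "?" : "oversized claim rejected");
    return 0;
}
```

The point vladas raised holds: the header is client-controlled, so the number is never trusted as a size until it has been parsed with strtol() and errno checked, bounded by the application's own limit, and the read loop stops at that bound and at EOF. A client that claims more than it sends cannot make the CGI write past the buffer; it only gets a rejected request.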
PF load balance problem
Hello Everybody. I have a small, yet relevant question regarding PF's load balancing features. Today I run PF with load balancing in substitution for Layer 3 load balancer switches, in two types of scenarios, the very first where applications share sessions and the other, where sessions are not shared. My problem is... Here is my environment. Basically the example environment is one server with PF and three Web Servers which do not share their sessions:

table <lb> { 10.0.0.1, 10.0.0.2, 10.0.0.3 }
rdr on xl0 inet proto tcp from any to IP_PUBLICO port 80 -> <lb> round-robin sticky-address
pass in quick log on xl0 proto tcp from any to <lb> port 80 flags S/SA modulate state (src.track 1800)

The sticky-address option makes PF always redirect a connection to a server; it creates an entry in the Source table (source-track, which can be seen with pfctl -vs Source) and while this entry is still alive it forwards every other request from the same IP address to this same Web Server. By default, the entry is alive in Source until the last state is still alive. To raise this value we need to set a new limit to src.track (set timeout src.track); I did this through the rule which allows the connection, as you can see in the mentioned rule. To make it short, PF will load balance connections among the servers on the lb table, and keep the same server for the same client up to 1800 seconds (30 minutes) after the last state was excluded. My problem starts to happen now: Everything above mentioned works perfectly, the issue starts when we have to delete one IP from the load balance table. For example, if the 10.0.0.2 server is down, I need to take it out of the balancing table:

pfctl -t lb -T del 10.0.0.2

In this case, technically load balancing will be kept only among the IPs 10.0.0.1 and 10.0.0.3, which are the only ones that still exist in the lb table.
But the problem is, even when the just deleted 10.0.0.2 server is not in lb anymore, clients' requests/states which were in Source before and that pointed to 10.0.0.2 will still be there, and therefore redirections to 10.0.0.2 will continue to happen until src.track expires (30 minutes in the mentioned situation), or when I do pfctl -F Source. But if I do the second approach, I will flush all my references and sessions for this and all other source-track data in my firewall. Possible solutions I see: The only solution I found was to change the PF source code, where we could: 1) Create something similar to pfctl -k used for states, but a Source version of it. In this case, to delete a server, we would do

pfctl -t lb -T del 10.0.0.2
pfctl -new -flag 10.0.0.2

2) Make sticky-address verify if the IP address is still in the load balancing options (in this case, if it is still in the lb table). This second approach would (maybe) suffer from performance issues, since we are adding a new check before sticky-address handles the request. Anyone has any better option? Does any hacker have available time to do this? Thank you a lot. -- Diego Linke Public Key: http://www.gamk.com.br/gamk.asc
PF load balance problem
Everything above mentioned works perfectly, the issue starts when we have to delete one IP from the load balance table. For example, if the 10.0.0.2 server is down, I need to take it out of the balancing table: pfctl -t lb -T del 10.0.0.2 In this case, technically load balancing will be kept only among the IPs 10.0.0.1 and 10.0.0.3, which are the only ones that still exist in the lb table. But the problem is, even when the just deleted 10.0.0.2 server is not in lb anymore, clients' requests/states which were in Source before and that pointed to 10.0.0.2 will still be there, and therefore redirections to 10.0.0.2 will continue to happen until src.track expires (30 minutes in the mentioned situation), or when I do pfctl -F Source. But if I do the second approach, I will flush all my references and sessions for this and all other source-track data in my firewall. from pfctl(8):

A network prefix length of 0 can be used as a wildcard. To kill all states with the target ``host2'':

# pfctl -k 0.0.0.0/0 -k host2

so why don't you kill all states to the dead pool member right after removing it from the lb table?
Re:
Hi ! Thanks for your message. Note that we have a NEW EMAIL ADDRESS. Please use that one in the future. THANKS ! The new address is: [EMAIL PROTECTED]
Re: dd problem
thanks everybody. 1. how do i determine the correct block size for a device? 2. is the fact that dd does not work without any bs parameter a bug and should be reported? thanks konstantin try dd if=/dev/rcd0c of=disk.iso bs=32k note the rcd0c instead of cd0a. The 'a' vs. 'c' doesn't (seem to) matter, I just philosophically prefer the 'c' implying entire disk, rather than just one partition. The raw mode of access makes a lot of difference here. I put the bs=32k in there for a bit of additional performance, but it turns out that without the bs= line, it didn't work at all. After a little thought (and testing), I remembered that on most modern platforms, CDROM drives have a 2k block size, so apparently dd has trouble moving 512 bytes at a time out of CDROM drives. I confirmed that bs=2k worked, bs=1k does not, so I might possibly be not totally wrong on that. bs=32k seemed to go about twice as fast as bs=2k. Well, I learned something. :) Nick.
Re: PF load balance problem
Alexey, A network prefix length of 0 can be used as a wildcard. To kill all states with the target ``host2'': # pfctl -k 0.0.0.0/0 -k host2 so why don't you kill all states to dead pool member right after removing it from the lb table? This does not work! The problem is that this command erases the STATES, however the SOURCE stays. Thanks -- Diego Linke Public Key: http://www.gamk.com.br/gamk.asc
license for getopt.c?
While wandering through the usr.bin source tree (not to imply that I am qualified to take the journey), I noticed that getopt.c doesn't have a license clause in it. Anyone know who david might be? $OpenBSD: getopt.c,v 1.6 2003/07/10 00:06:51 david Exp $ -- Will
Re: cgi with chroot
On Wed, 31 May 2006 06:58:51 +0200 Marcus Glocker [EMAIL PROTECTED] wrote: On Wed, May 31, 2006 at 12:38:10AM -0400, Adam wrote:

#!/bin/sh
echo "Content-Type: text/html"
echo
echo "I'm sorry Dave, I'm afraid I can't do that."

HTTP headers are terminated by \r\n not \n. Yes, correctly HTTP headers are terminated by \r\n. But most webservers also understand \n in case of a CGI header. And this example generates \n not \r\n: I know that example generates \n instead of \r\n, that's why I said it's wrong. Just because apache will fix your incorrect output, doesn't mean you should go ahead and write CGIs that way and rely on webservers to fix it for you. Not all of them will, and there's no benefit from doing it wrong. Adam
Re: license for getopt.c?
Will H. Backman wrote: While wandering through the usr.bin source tree (not to imply that I am qualified to take the journey), I noticed that getopt.c doesn't have a license clause in it. Anyone know who david might be? david@ = David Krause Cheers, Dries
Re: CGI in C: getenv(CONTENT_LENGTH)
On 31 May 2006 08:21:03 -0700, Randal L. Schwartz merlyn@stonehenge.com wrote: why are you doing CGI in C? you can get the same code written much faster in Perl. And if you need speed, you can migrate that same code to running under mod_perl, and then it'll be FAR faster than forking a separate process for a C program each time. 1. Why in C? To keep it drastically minimal. Yes, in my case, it is worth to take all that time to get the app done in C (no UTF etc). Kernel is in C and I want to learn both of them. Look at this in terms of people who like to hack. 2. Why not Perl? I do love perl. Perl is ok. But I do not like the idea of calling libperl plus dbi stuff with every request as I will have enough overhead with other parts of the app. Perl will be used only for internal pages, the ones used not too often. 3. Why not mod_perl? I do not like idea of debugging in the pool. Standalone does not represent the real life env. I do not want to create some add-on just to test it right. I want to keep it simple as its me who is too stupid for the right way to debug. Besides, I do not need to have compiler inside my httpd. No way. I am not saying that I do not trust OpenBSD. I do not trust myself in this aspect. 4. Forking FastCGI will solve this if this will be an issue. Before that, I put high hopes into mfs. And if processes are light and fast, they rotate fast too ( or so I believe ). I wrote all this to show respect for the long replies that I get about the topic. Sorry for resources used. Please take no offense, if some of my questions or statements are stupid for you all being experts.
Re: CGI in C: getenv(CONTENT_LENGTH)
On Wed, May 31, 2006 at 02:14:09AM +0900, vladas wrote: Does (the above) really mean that URL more than 8190 bytes would be rejected? Or I am mixing something here? Yes, overly-long URLs will be rejected. Use POST, not GET, in such cases. All recent Apache versions are configured this way, I believe. Joachim
Re: CGI in C: getenv(CONTENT_LENGTH)
Carson Harding, Thank you for the inspiring guide! Thank you for your time. On 01/06/06, Carson Harding [EMAIL PROTECTED] wrote: ... Respectfully.
Re: UPS with USB: hidups or newhidups drivers in nut
On 5/31/2006 4:27 AM, Jeff Quast wrote: On 5/31/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: http://www.apcupsd.org/ looks promising. Has that been compiled and used successfully on OpenBSD, maybe even with USB? yes I might even have the same model. Give it a try. It works well. Jeff, did you need to disable the uhid driver in order to prevent it from grabbing the UPS device as it was stated in apcupsd's documentation [1]? Claus [1] http://www.apcupsd.org/manual/USB_Configuration.html#SECTION000102100
Re: license for getopt.c?
On 5/31/06, Will H. Backman [EMAIL PROTECTED] wrote: While wandering through the usr.bin source tree (not to imply that I am qualified to take the journey), I noticed that getopt.c doesn't have a license clause in it. Anyone know who david might be? $OpenBSD: getopt.c,v 1.6 2003/07/10 00:06:51 david Exp $ it would be helpful if you mentioned *which* getopt.c. the one in libc (before it was deleted) certainly did have a license. i also doubt david wrote the file in question if that's why you're asking.
Re: license for getopt.c?
Ted Unangst wrote: On 5/31/06, Will H. Backman [EMAIL PROTECTED] wrote: While wandering through the usr.bin source tree (not to imply that I am qualified to take the journey), I noticed that getopt.c doesn't have a license clause in it. Anyone know who david might be? $OpenBSD: getopt.c,v 1.6 2003/07/10 00:06:51 david Exp $ it would be helpful if you mentioned *which* getopt.c. the one in libc (before it was deleted) certainly did have a license. i also doubt david wrote the file in question if that's why you're asking. Here is where I found it: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/getopt/
Re: dd problem
1) stat(2), the st_blksize field in the stat struct 2) no, because it's the device, not dd, that's not letting it work. CD-ROMS only want to output 2K of data at a time, so if you request less than that, they just won't do it. Generally though, most devices will output less than st_blksize, but it'll just go damn slow. Jason On 5/31/06, akonsu [EMAIL PROTECTED] wrote: thanks everybody. 1. how do i determine the corect block size for a device? 2. is the fact that dd does not work without any bs parameter a bug and should be reported? thanks konstantin try dd if=/dev/rcd0c of=disk.iso bs=32k note the rcd0c instead of cd0a. The 'a' vs. 'c' doesn't (seem to) matter, I just philosophically prefer the 'c' implying entire disk, rather than just one partition. The raw mode of access makes a lot of difference here. I put the bs=32k in there for a bit of additional performance, but it turns out that without the bs= line, it didn't work at all. After a little thought (and testing), I remembered that on most modern platforms, CDROM drives have a 2k block size, so apparently dd has trouble moving 512 bytes at a time out of CDROM drives. I confirmed that bs=2k worked, bs=1k does not, so I might possibly be not totally wrong on that. bs=32k seemed to go about twice as fast as bs=2k. Well, I learned something. :) Nick.
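Jason's answer names the st_blksize field of stat(2) as the way to find a device's preferred block size, and Nick's dd experiment shows what happens when bs= is smaller than the drive's 2k sector. The program below, added here and not from anyone in the thread, queries st_blksize for a path, rounds a requested block size up to a multiple of it (so dd's default 512 becomes 2048 for a 2k device while 32k stays 32k), and copies with that block size. Helper names are hypothetical, and the copy self-check runs over constructed temporary files rather than a CD-ROM, so it cannot reproduce the raw-device read failure itself.

```c
/* Added example, not from the thread: query the preferred I/O block size
 * with stat(2) as Jason describes, round a requested bs= up to a multiple
 * of it, and copy with that block size. Helper names are hypothetical and
 * the copy below runs on constructed temporary files, not a CD-ROM. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* st_blksize for path, or -1 if stat fails or reports nothing usable. */
long preferred_blksize(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0 || st.st_blksize <= 0)
        return -1;
    return (long)st.st_blksize;
}

/* Round requested up to a multiple of native. For a 2k-sector CD-ROM
 * this turns dd's default 512 into 2048 and leaves 32768 alone. */
long aligned_block_size(long requested, long native)
{
    if (native <= 0)
        return requested;
    if (requested <= 0)
        return native;
    return ((requested + native - 1) / native) * native;
}

/* Copy in to out in blocks of bs bytes; returns bytes copied or -1. */
long copy_with_blocksize(FILE *in, FILE *out, long bs)
{
    char *buf;
    long total = 0;
    size_t r;

    if (in == NULL || out == NULL || bs <= 0)
        return -1;
    buf = malloc((size_t)bs);
    if (buf == NULL)
        return -1;
    while ((r = fread(buf, 1, (size_t)bs, in)) > 0) {
        if (fwrite(buf, 1, r, out) != r) {
            free(buf);
            return -1;
        }
        total += (long)r;
    }
    free(buf);
    return ferror(in) ? -1 : total;
}

/* Self-check: copy nbytes of constructed data through block size bs and
 * return how many bytes landed in the destination (-1 on failure). */
long copy_constructed(long nbytes, long bs)
{
    FILE *src = tmpfile(), *dst = tmpfile();
    long copied = -1, i;

    if (src != NULL && dst != NULL) {
        for (i = 0; i < nbytes; i++)
            fputc('x', src);
        rewind(src);
        copied = copy_with_blocksize(src, dst, bs);
        if (copied >= 0) {           /* cross-check against the destination */
            fseek(dst, 0, SEEK_END);
            if (ftell(dst) != copied)
                copied = -1;
        }
    }
    if (src != NULL) fclose(src);
    if (dst != NULL) fclose(dst);
    return copied;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    long native = preferred_blksize(path);

    printf("%s: st_blksize=%ld, bs=512 rounds to %ld, bs=32k rounds to %ld\n",
           path, native, aligned_block_size(512, native),
           aligned_block_size(32768, native));
    return 0;
}
```

Run it with a device or file path as the first argument to see what the kernel reports for that object; on a regular file st_blksize is the filesystem's preferred transfer size rather than a hard minimum, which is why, as Jason says, undersized reads merely go slowly there but fail outright on a CD-ROM.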
Re: license for getopt.c?
On 5/31/06, Ted Unangst [EMAIL PROTECTED] wrote: On 5/31/06, Will H. Backman [EMAIL PROTECTED] wrote: While wandering through the usr.bin source tree (not to imply that I am qualified to take the journey), I noticed that getopt.c doesn't have a license clause in it. Anyone know who david might be? $OpenBSD: getopt.c,v 1.6 2003/07/10 00:06:51 david Exp $ it would be helpful if you mentioned *which* getopt.c. the one in libc (before it was deleted) certainly did have a license. i also doubt david wrote the file in question if that's why you're asking. Well he mentioned the usr.bin source tree, and there is only one getopt.c file in usr.bin source tree. And he mentioned david because he's the last one to edit the file according to the $OpenBSD$ RCS Id. If I recall correctly, not having a license means full Copyright law is in effect, which means no copying allowed, however getopt.c in /usr/src/usr.bin/getopt/ doesn't seem to have much of anything except a call to getopt(3). Jason
Re: UPS with USB: hidups or newhidups drivers in nut
On 5/31/2006 5:43 AM, Stuart Henderson wrote:
> On 2006/05/31 08:52, [EMAIL PROTECTED] wrote:
> > As far as I understand I need either the hidups or the newhidups driver of nut in order to use the APC Back-UPS XS 1500 (aka BX1500) with a USB interface cable. [...] Are the hidups and newhidups only available under Linux?
>
> Not tested, but NUT is probably looking for /usr/local/include/usb.h from the libusb port/package, not the system /usr/include/dev/usb/usb.h. Programs using libusb should be reasonably portable between OS.

Thanks Stuart. You are right, the libusb-0.1.10ap1 package contains the needed /usr/local/include/usb.h file. I got it all compiled now but I'm already stuck again. The newhidups driver doesn't detect the UPS.

I read somewhere [1] that the uhid device needed to be disabled in order to get the driver to run in FreeBSD. Apcupsd specifically requires that from OpenBSD [2]. Does that really mean that a custom build of OpenBSD is required?

Claus

[1] http://www.mail-archive.com/nut-upsuser@lists.alioth.debian.org/msg00558.html
    http://wiki.botka.homeunix.org/bin/view/Main/NetworkUpsToolsUsb
[2] http://www.apcupsd.org/manual/USB_Configuration.html

Enclosures:
- newhidups debug output
- usbdevs info
- dmesg
- What I did to get nut with newhidups to compile

== newhidups debug output ==

# USB_DEBUG=2 newhidups -u root -DD auto
Network UPS Tools: New USB/HID UPS driver 0.28 (2.0.3)
debug level is '2'
usb_set_debug: Setting debugging level to 2 (on)
usb_os_find_busses: Found /dev/usb0
usb_os_find_busses: Found /dev/usb1
No appropriate HID device found
No matching USB/HID UPS found

== usbdevs info ==

# usbdevs -dv
Controller /dev/usb0:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), VIA(0x1106), rev 1.00
  uhub0
 port 1 powered
 port 2 addr 2: low speed, self powered, config 1, Back-UPS RS 1500 FW:8.g2 .D USB FW:g2(0x0002), American Power Conversion(0x051d), rev 1.06
  uhidev0
Controller /dev/usb1:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), VIA(0x1106), rev 1.00
  uhub1
 port 1 powered
 port 2 powered

== dmesg ==

OpenBSD 3.9 (GENERIC) #617: Thu Mar 2 02:26:48 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) processor (AuthenticAMD 686-class, 256KB L2 cache) 1.40 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem = 536387584 (523816K)
avail mem = 482426880 (471120K)
using 4278 buffers containing 26923008 bytes (26292K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(f1) BIOS, date 07/11/02, BIOS32 rev. 0 @ 0xfb4b0
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf94
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdee0/176 (9 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11 12
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xb000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT8363 Host rev 0x03
ppb0 at pci0 dev 1 function 0 VIA VT8363 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI AIW Radeon rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: ST360021A
wd0: 16-sector PIO, LBA, 57241MB, 117231408 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: MITSUMI, CR-48XCTE, 1.0D SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x16: irq 12
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x16: irq 12
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40
emu0 at pci0 dev 9 function 0 Creative Labs SoundBlaster Live rev 0x07: irq 5
ac97: codec id 0x83847608 (SigmaTel STAC9708/11)
ac97: codec features 18 bit DAC, 18 bit ADC, SigmaTel 3D
audio0 at emu0
Creative Labs PCI Gameport Joystick rev 0x07 at pci0 dev 9 function 1 not configured
bktr0 at pci0 dev 11 function 0 Brooktree BT848 rev 0x11: irq 12
bktr0: Intel Smart Video III/VideoLogic Captivator PCI, no tuner.
sis0 at pci0 dev 13 function 0 NS DP83815 10/100 rev 0x00, DP83816A: irq 11, address 00:09:5b:bc:78:39
nsphyter0 at sis0 phy 0: DP83815
Re: cgi with chroot
On Wed, May 31, 2006 at 12:07:16PM -0400, Adam wrote:
> I know that example generates \n instead of \r\n, that's why I said it's wrong. Just because apache will fix your incorrect output, doesn't mean you should go ahead and write CGIs that way and rely on webservers to fix it for you. Not all of them will, and there's no benefit from doing it wrong.

Well, I wouldn't say that I am doing it wrong, maybe you are just a little bit intolerant;

<snip>
RFC2616, 19.3, Tolerant Applications
...
The line terminator for message-header fields is the sequence CRLF. However, we recommend that applications, when parsing such headers, recognize a single LF as a line terminator and ignore the leading CR.
...
</snip>

The HTTP header termination is an empty message-header field line. In the real world I don't know a single HTTP server which is that intolerant, including my own webserver. My intention was to give somebody some help and not to start an argument with you. And before you start to offend, that <snip> is not a valid HTML tag, I know that by myself ;)

Thread over for me.

Regards,
Marcus

-- 
Marcus Glocker, [EMAIL PROTECTED], http://www.nazgul.ch
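Both sides of the argument above in code, as an added example that is not part of either post: a CGI that emits its headers with the CRLF terminator RFC 2616 requires (so no server has to repair them), beside a header parser that applies the section 19.3 tolerance Marcus quotes (a bare LF ends a line, a preceding CR is ignored) and a strictness check that reports whether a header block would pass a server without that tolerance. The function names are my own; the sample header blocks are constructed for the demonstration.

```c
/* Added example (not from the thread): strict CRLF emission for CGI
 * response headers, plus an RFC 2616 19.3 tolerant header-block parser. */
#include <stdio.h>
#include <string.h>

/* Write "Content-Type: <type>\r\n\r\n" into out. Returns bytes written, or
 * -1 if out is too small. Always CRLF: the correct form for any server. */
int cgi_headers(char *out, size_t outsz, const char *content_type)
{
    int n = snprintf(out, outsz, "Content-Type: %s\r\n\r\n", content_type);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Return the offset of the first body byte, i.e. just past the empty line
 * that terminates the header block, or -1 if no terminator is present.
 * Tolerant parse: a line ends at LF; a CR immediately before the LF is
 * ignored; the block ends at the first line with nothing before its LF. */
int header_block_end(const char *msg, size_t len)
{
    size_t line_start = 0;
    for (size_t i = 0; i < len; i++) {
        if (msg[i] != '\n')
            continue;
        size_t line_len = i - line_start;
        if (line_len > 0 && msg[i - 1] == '\r')   /* ignore the CR */
            line_len--;
        if (line_len == 0)                         /* empty line: headers over */
            return (int)(i + 1);
        line_start = i + 1;
    }
    return -1;
}

/* 1 if every line terminator up to and including the empty line is CRLF
 * (what an intolerant server requires), 0 if any bare LF occurs, -1 if the
 * header block is not terminated at all. */
int headers_strictly_crlf(const char *msg, size_t len)
{
    int end = header_block_end(msg, len);
    if (end < 0)
        return -1;
    for (size_t i = 0; i < (size_t)end; i++)
        if (msg[i] == '\n' && (i == 0 || msg[i - 1] != '\r'))
            return 0;
    return 1;
}

/* Emit text/html headers and locate the body start in what was emitted. */
int demo_body_offset(void)
{
    char buf[128];
    int n = cgi_headers(buf, sizeof buf, "text/html");
    if (n < 0)
        return -1;
    return header_block_end(buf, (size_t)n);
}

int main(void)
{
    char buf[128];
    int n = cgi_headers(buf, sizeof buf, "text/html");
    if (n < 0)
        return 1;
    fwrite(buf, 1, (size_t)n, stdout);          /* what the CGI writes first */
    printf("<html><body>hello</body></html>\n");  /* then the body */
    return 0;
}
```

The parser accepts both "\r\n\r\n" and "\n\n" as the end of the header block, which is exactly the leniency the RFC recommends for parsers; the emitter never relies on it.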
Re: UPS with USB: hidups or newhidups drivers in nut
On 2006/05/31 11:12, Claus wrote: On 5/31/2006 5:43 AM, Stuart Henderson wrote: On 2006/05/31 08:52, [EMAIL PROTECTED] wrote: As far as I understand I need either the hidups or the newhidups driver of nut in order to use the APC Back-UPS XS 1500 (aka BX1500) with a USB interface cable. [...] Are the hidups and newhidups only available under Linux? Not tested, but NUT is probably looking for /usr/local/include/usb.h from the libusb port/package, not the system /usr/include/dev/usb/usb.h Programs using libusb should be reasonably portable between OS. Thanks Stuart. You are right, the libusb-0.1.10ap1 package contains the needed /usr/local/include/usb.h file. I got it all compiled now Good stuff, and thanks for the useful and detailed information you included. but I'm already stuck again. The newhidups driver doesn't detect the UPS. I read somewhere [1] that the uhid device needed to be disabled in order to get the driver to run in FreeBSD. Apcupsd specifically requires that from OpenBSD [2]. Does that really mean that a custom build of OpenBSD is required? Well, it needs a change making to the OS, but I don't see any reason for it to be a custom build, it seems like it's quite suitable to go into the standard OS. uhidev0 at uhub0 port 2 configuration 1 interface 0 uhidev0: American Power Conversion Back-UPS RS 1500 FW:8.g2 .D USB FW:g2, rev 1.10/1.06, addr 2, iclass 3/0 uhidev0: 123 report ids uhid0 at uhidev0 reportid 1: input=0, output=0, feature=1 Fortunately matthieu@ recently made it easy to work with this when he made changes to uhid to accommodate the metageek wi-spy. [1] Please try this 1-line change and rebuild the kernel (just GENERIC, you don't need anything custom); Index: /usr/src/sys/dev/usb/usb_quirks.c === RCS file: /data/cvsroot/OpenBSD/src/sys/dev/usb/usb_quirks.c,v retrieving revision 1.22 diff -u -r1.22 usb_quirks.c --- /usr/src/sys/dev/usb/usb_quirks.c 14 May 2006 12:00:04 - 1.22 +++ /usr/src/sys/dev/usb/usb_quirks.c 31 May 2006 17:33:07 - 
@@ -128,6 +128,7 @@ { USB_VENDOR_NEC, USB_PRODUCT_NEC_PICTY920, ANY, { UQ_BROKEN_BIDIR }}, { USB_VENDOR_NEC, USB_PRODUCT_NEC_PICTY800, ANY, { UQ_BROKEN_BIDIR }}, { USB_VENDOR_METAGEEK, USB_PRODUCT_METAGEEK_WISPY, ANY, { UQ_BAD_HID }}, + { USB_VENDOR_APC, USB_PRODUCT_APC_UPSPRO500, ANY, { UQ_BAD_HID }}, { 0, 0, 0, { 0 } } }; This should prevent the UPS attaching to uhid, instead it should show as ugen in dmesg and be available for apcupsd. [1] (One can see why the wi-spy attaches to uhid since the board is intended for wireless remote keyboard/mouse but someone worked out how to make better use of it - but why this UPS, and the cypress usb-serial, report themselves as being HID is less clear..)
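Review bot: the new quirk line keys on USB_PRODUCT_APC_UPSPRO500, while the usbdevs -dv output earlier in the thread identifies the device as "Back-UPS RS 1500 FW:8.g2 .D USB FW:g2" with product id 0x0002; before relying on this one-liner, confirm in usbdevs that USB_PRODUCT_APC_UPSPRO500 is defined as 0x0002, and consider adding a product entry whose name matches the Back-UPS so dmesg identifies it correctly. Since UQ_BAD_HID keeps the UPS off uhid and leaves it as ugen (as the accompanying text says), the commit message should note that any existing uhid(4) consumer of this device will stop seeing it.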
Re: UPS with USB: hidups or newhidups drivers in nut
Please try this 1-line change and rebuild the kernel here's a more complete diff, bringing across other HID quirks from FreeBSD - a couple of MGE UPS, and a GPS receiver. Index: sys/dev/usb/usb_quirks.c === RCS file: /data/cvsroot/OpenBSD/src/sys/dev/usb/usb_quirks.c,v retrieving revision 1.22 diff -u -r1.22 usb_quirks.c --- sys/dev/usb/usb_quirks.c14 May 2006 12:00:04 - 1.22 +++ sys/dev/usb/usb_quirks.c31 May 2006 17:56:38 - @@ -128,6 +128,11 @@ { USB_VENDOR_NEC, USB_PRODUCT_NEC_PICTY920, ANY, { UQ_BROKEN_BIDIR }}, { USB_VENDOR_NEC, USB_PRODUCT_NEC_PICTY800, ANY, { UQ_BROKEN_BIDIR }}, { USB_VENDOR_METAGEEK, USB_PRODUCT_METAGEEK_WISPY, ANY, { UQ_BAD_HID }}, + { USB_VENDOR_APC, USB_PRODUCT_APC_UPSPRO500, ANY, { UQ_BAD_HID }}, + { USB_VENDOR_DELORME, USB_PRODUCT_DELORME_EARTHMATE, + ANY, { UQ_BAD_HID }}, + { USB_VENDOR_MGE, USB_PRODUCT_MGE_UPS1, ANY, { UQ_BAD_HID }}, + { USB_VENDOR_MGE, USB_PRODUCT_MGE_UPS2, ANY, { UQ_BAD_HID }}, { 0, 0, 0, { 0 } } }; Index: sys/dev/usb/usbdevs === RCS file: /data/cvsroot/OpenBSD/src/sys/dev/usb/usbdevs,v retrieving revision 1.200 diff -u -r1.200 usbdevs --- sys/dev/usb/usbdevs 13 May 2006 20:32:52 - 1.200 +++ sys/dev/usb/usbdevs 31 May 2006 17:55:36 - @@ -89,6 +89,7 @@ vendor DIAMOND20x045a Diamond (Supra) vendor MICROSOFT 0x045e Microsoft vendor PRIMAX 0x0461 Primax Electronics +vendor MGE 0x0463 MGE UPS Systems vendor AMP 0x0464 AMP vendor CHERRY 0x046a Cherry Mikroschalter vendor MEGATRENDS 0x046b American Megatrends 
@@ -1375,6 +1376,10 @@ /* Metricom products */ product METRICOM RICOCHET_GS 0x0001 Ricochet GS + +/* MGE UPS Systems products */ +product MGE UPS1 0x0001 Protection Center 1 UPS +product MGE UPS2 0x Protection Center 2 UPS /* Micro Star International products */ product MSI WLAN 0x1020 WLAN Index: sys/dev/usb/usbdevs.h === RCS file: /data/cvsroot/OpenBSD/src/sys/dev/usb/usbdevs.h,v retrieving revision 1.204 diff -u -r1.204 usbdevs.h --- sys/dev/usb/usbdevs.h 13 May 2006 20:33:32 - 1.204 +++ sys/dev/usb/usbdevs.h 31 May 2006 17:55:55 - @@ -1,4 +1,4 @@ -/* $OpenBSD: usbdevs.h,v 1.204 2006/05/13 20:33:32 matthieu Exp $ */ +/* $OpenBSD$ */ /* * THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. @@ -96,6 +96,7 @@ #defineUSB_VENDOR_DIAMOND2 0x045a /* Diamond (Supra) */ #defineUSB_VENDOR_MICROSOFT0x045e /* Microsoft */ #defineUSB_VENDOR_PRIMAX 0x0461 /* Primax Electronics */ +#defineUSB_VENDOR_MGE 0x0463 /* MGE UPS Systems */ #defineUSB_VENDOR_AMP 0x0464 /* AMP */ #defineUSB_VENDOR_CHERRY 0x046a /* Cherry Mikroschalter */ #defineUSB_VENDOR_MEGATRENDS 0x046b /* American Megatrends */ @@ -1382,6 +1383,10 @@ /* Metricom products */ #defineUSB_PRODUCT_METRICOM_RICOCHET_GS0x0001 /* Ricochet GS */ + +/* MGE UPS Systems products */ +#defineUSB_PRODUCT_MGE_UPS10x0001 /* Protection Center 1 UPS */ +#defineUSB_PRODUCT_MGE_UPS20x /* Protection Center 2 UPS */ /* Micro Star International products */ #defineUSB_PRODUCT_MSI_WLAN0x1020 /* WLAN */ Index: sys/dev/usb/usbdevs_data.h === RCS file: /data/cvsroot/OpenBSD/src/sys/dev/usb/usbdevs_data.h,v retrieving revision 1.204 diff -u -r1.204 usbdevs_data.h --- sys/dev/usb/usbdevs_data.h 13 May 2006 20:33:32 - 1.204 +++ sys/dev/usb/usbdevs_data.h 31 May 2006 17:55:55 - @@ -1,4 +1,4 @@ -/* $OpenBSD: usbdevs_data.h,v 1.204 2006/05/13 20:33:32 matthieu Exp $ */ +/* $OpenBSD$ */ /* * THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT. 
@@ -2355,6 +2355,14 @@ Ricochet GS, }, { + USB_VENDOR_MGE, USB_PRODUCT_MGE_UPS1, + Protection Center 1 UPS, + }, + { + USB_VENDOR_MGE, USB_PRODUCT_MGE_UPS2, + Protection Center 2 UPS, + }, + { USB_VENDOR_MSI, USB_PRODUCT_MSI_WLAN, WLAN, }, @@ -4137,6 +4145,10 @@ { USB_VENDOR_PRIMAX, Primax Electronics, + }, + { + USB_VENDOR_MGE, + MGE UPS Systems, }, { USB_VENDOR_AMP,
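Review bot: the usb_quirks.c hunk references USB_VENDOR_DELORME and USB_PRODUCT_DELORME_EARTHMATE, but the usbdevs hunks in this diff add only the MGE vendor and the two MGE products; check that the DeLorme defines already exist in usbdevs.h, since otherwise usb_quirks.c will not compile after the regenerated headers are in place.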
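Review bot: in the usbdevs hunk the line `+product MGE UPS2 0x Protection Center 2 UPS` carries no product id after `0x`, and the generated usbdevs.h line `USB_PRODUCT_MGE_UPS2 0x` repeats the gap, so the entry as shown cannot have been what the generator consumed; the value needs to be taken from the FreeBSD source these quirks were brought across from before this is committed. UPS1's 0x0001 is complete.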
Re: Recommended window manager for OpenBSD
plan9/larswm. Small, fast, and shuffles windows around so you don't have to. Also very good for folks that prefer the keyboard over the mouse.

On 5/30/06, Sam Chill [EMAIL PROTECTED] wrote:
> On 5/30/06, akonsu [EMAIL PROTECTED] wrote:
> > hello
> > has anyone tried evilwm (http://www.6809.org.uk/evilwm/)? is it any good?
>
> Try it yourself. It's one of the smallest wms I have ever used. It doesn't do much, but it does all it claims well. I've used it in the past when I just wanted a bunch of xterms and I have no complaints.
>
> -Sam
Re: Recommended window manager for OpenBSD
On 5/30/06, akonsu [EMAIL PROTECTED] wrote:
> hello
> has anyone tried evilwm (http://www.6809.org.uk/evilwm/)? is it any good?

> Try it yourself. It's one of the smallest wms I have ever used. It doesn't do much, but it does all it claims well. I've used it in the past when I just wanted a bunch of xterms and I have no complaints.
>
> -Sam

i am using the fvwm, default on OpenBSD. you can try ion3, it is a good choice as well.
http://www.modeemi.fi/~tuomov/ion/

gsoares
Re: ssh attacks
On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote:
> block in on Outsize proto tcp port ssh flags S/SA state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
>
> This does not work. One gets a message that keeping state on a blocked rule makes no sense.

See the example on overload at http://www.openbsd.org/faq/pf/filter.html#stateopts

Basically, you pass and just block everything from <bad_hosts> in a separate rule.

Ciao,
	Kili
Kerberos/OpenLDAP/Samba
Good day,

I am trying to set up a network with OpenBSD 3.9 as core of a single sign-on solution using Kerberos5 authentication, OpenLDAP as the directory service, with Samba serving Windows clients. I followed the steps in info heimdal and can get tickets. I then set up OpenLDAP, added the schemas (including samba.schema) and added the samba-ldap and samba-docs packages for OpenBSD 3.9. I can traverse the ldap directory and see the users organizational unit I had created but a Windows client (XP SP2) is not able to access the Samba Share.

Are there any documents that are specific to OpenBSD that give the various steps required in making this work? If you have any pointers, please let me know. I have read documents related to samba-ldap at Gentoo Linux, FreeBSD and NetBSD that give some details and also tried to follow what was available at openldap.org but it hasn't worked for me yet. In fact the instructions I have followed have made matters worse and left me somewhat confused. So at this point the only thing that I know is working properly is krb5.

If there are no documents that are easy and straightforward to follow, I would like to take a stab at creating one but will need help. If anyone who has had experience in this area is willing to work with me, I will be grateful.

Thanks very much,

Vijay

-- 
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: 204 885 9535, E-Mail: [EMAIL PROTECTED]
Re: ssh attacks
Expect I was not clear. Someone is attacking address 1, address 2, address 3; those addresses are all blocked with respect to ssh, but because he is attacking those addresses, I want to stop an expected attack on address 4. I never want to pass ssh on address 1, address 2 or address 3 ever; I want to use the information that someone was trying to ssh to those addresses to identify the person as an attacker.

-----Original Message-----
From: Matthias Kilian [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 31, 2006 3:02 PM
To: Peter Fraser
Cc: misc@openbsd.org
Subject: Re: ssh attacks

On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote:
> block in on Outsize proto tcp port ssh flags S/SA state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
>
> This does not work. One gets a message that keeping state on a blocked rule makes no sense.

See the example on overload at http://www.openbsd.org/faq/pf/filter.html#stateopts

Basically, you pass and just block everything from <bad_hosts> in a separate rule.

Ciao,
	Kili
Wouldn't It Be Wonderful To WIN EVERY LISTING?
Wouldn't It Make A Difference If You Increased Your Business By 40% Or More This Year?

The testimonials are still flooding in about our new customizable Pre-Listing Package. Here's an excerpt from one I received recently:

"your previous suggestions helped elevate my business in 2005 to the BEST year I've ever experienced in Real Estate (40% increase from 2004). Not to mention the confidence boost and increased number of listings I received from using your pre-listing package (I'm in the midst of implementing your NEW one which blows away your previous one...I'm so excited. I've already successfully used the mini pre listing pkg. Marketing System Solutions, thank you so-o-o-o much." L. Abrams, Coldwell Banker, PA

Click here to learn about our new *KILLER* Pre-Listing package. If you aren't immediately directed to our webpage, please enter the following into the address bar of your Internet browser: www.mssincproducts.com/prelistingpackage.html

Please do not reply to this message; this mailbox is not monitored.

Marketing System Solutions, Inc. P.O. Box 266, Washington, NJ 07882
Re: ssh attacks
On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote:
> Right now someone is trying out each IP address I have with an ssh attack. Only one of those IP addresses is enabled for ssh. I have a (max-src-conn-rate 100/10, overload <bad_guys> flush global) on that address. I would like to know how to get pf to note these other attempts and block the sender. To me the obvious would be
>
> block in on Outsize proto tcp port ssh flags S/SA state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
>
> This does not work. One gets a message that keeping state on a blocked rule makes no sense.

These are the rules I use for this.

block in log quick on $ext_if from <bruteforce> to any
pass in log on $ext_if inet proto tcp from any to ($ext_if) \
	port ssh flags S/SA keep state \
	(max-src-conn 5, max-src-conn-rate 5/60, \
	overload <bruteforce> flush global)

HTH

-- 
Terry
http://tyson.homeunix.org
openvpn bridge ip/netmask
I have
a lan interface
A tun0 interface
Both are bridged with bridge0
Bridge0 is configured by brconfig
I have setup openvpn in bridge mode
But only broadcasts and arp request pass tun0
How do I add an address/ip to bridge0 ?

shadrock

-
Email sent from www.ntlworld.com
Virus-checked using McAfee(R) Software
Visit www.ntlworld.com/security for more information
Re: ssh attacks
On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote:
> Right now someone is trying out each IP address I have with an ssh attack. Only one of those IP addresses is enabled for ssh. I have a (max-src-conn-rate 100/10, overload <bad_guys> flush global) on that address. I would like to know how to get pf to note these other attempts and block the sender. To me the obvious would be
>
> block in on Outsize proto tcp port ssh flags S/SA state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
>
> This does not work. One gets a message that keeping state on a blocked rule makes no sense.

You already have or will get answers to your question. Having gone through this myself I'll propose something else: secure your machines and forget about the ssh scanners.

I blocked these guys by various means and watched what happened for a while. Sometimes there were lots of scans and other times there were only a few per day. But they were all hit and run scans, from IPs all over the place. You're going to fill your tables with IPs that aren't coming back. Pf does a fine job with tables, and my boxes never got slow or low on memory. But why waste resources for nothing? At that point you're really doing the same job as pflog.

I ended up using a table for IPs allowed to ssh, others are blocked.

-- 
Darrin Chandler            | Phoenix BSD Users Group
[EMAIL PROTECTED]          | http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
OT: thanks
My dmesg:

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Samuel 2 (CentaurHauls 686-class) 533 MHz
cpu0: FPU,DE,TSC,MSR,MTRR,PGE,MMX
real mem = 158900224 (155176K)
avail mem = 138125312 (134888K)
using 1965 buffers containing 8048640 bytes (7860K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(30) BIOS, date 03/18/02, BIOS32 rev. 0 @ 0xfb370
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdce4
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdc70/112 (5 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11 12
pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT8231 ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xc000 0xcc000/0x9800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT8601 PCI rev 0x05
ppb0 at pci0 dev 1 function 0 VIA VT82C601 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Trident CyberBlade i1 rev 0x6a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 17 function 0 VIA VT8231 ISA rev 0x10
pciide0 at pci0 dev 17 function 1 VIA VT82C571 IDE rev 0x06: ATA100, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: Maxtor 6B160P0
wd0: 16-sector PIO, LBA48, 156334MB, 320173056 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 17 function 2 VIA VT83C572 USB rev 0x1e: irq 5
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 17 function 3 VIA VT83C572 USB rev 0x1e: irq 5
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 17 function 4 VIA VT8231 PMG rev 0x10
auvia0 at pci0 dev 17 function 5 VIA VT82C686 AC97 rev 0x40: irq 12
auvia0: codec reset timed out
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
ac97: codec id not read
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
auvia0: codec busy
audio0 at auvia0
vr0 at pci0 dev 18 function 0 VIA RhineII-2 rev 0x51: irq 10 address 00:40:63:c1:1d:13
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface
ukphy0: OUI 0x004063, model 0x0032, rev. 5
rl0 at pci0 dev 20 function 0 Realtek 8139 rev 0x10: irq 11 address 00:e0:4c:39:05:0f
rlphy0 at rl0 phy 0: RTL internal phy
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
biomask e36d netmask ef6d ttymask efef
pctr: user-level cycle counter enabled
ugen0 at uhub0 port 1
ugen0: THOMSON Speed Touch 330, rev 1.10/4.00, addr 2
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302

I've been flitting with other operating systems to see if I can make compile times quicker and get fewer "pppoa2[9464]: write_dest: ENOBUFS" errors. so have tried freebsd/ubuntu etc etc and none have performed so well on such poor hardware as openbsd.

just thought I'd mail and say thanks and well done guys!

p.s. is anyone working on reverse engineering the firmware for usb adsl modems? i'd love to do it myself but would take a very long time :)

regards
poncenby
Re: ssh attacks
If these attempts all come from the same source, why not filter that ip at the gateway level. What legit use does this person have on your network on any port, much less ssh?

On Wed, May 31, 2006 at 03:15:34PM -0400, Peter Fraser wrote:
> Expect I was not clear. Someone is attacking address 1, address 2, address 3; those addresses are all blocked with respect to ssh, but because he is attacking those addresses, I want to stop an expected attack on address 4. I never want to pass ssh on address 1, address 2 or address 3 ever; I want to use the information that someone was trying to ssh to those addresses to identify the person as an attacker.
>
> -----Original Message-----
> From: Matthias Kilian [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 31, 2006 3:02 PM
> To: Peter Fraser
> Cc: misc@openbsd.org
> Subject: Re: ssh attacks
>
> On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote:
> > block in on Outsize proto tcp port ssh flags S/SA state (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
> >
> > This does not work. One gets a message that keeping state on a blocked rule makes no sense.
>
> See the example on overload at http://www.openbsd.org/faq/pf/filter.html#stateopts
>
> Basically, you pass and just block everything from <bad_hosts> in a separate rule.
>
> Ciao,
> 	Kili
Re: Problems trying to log on squirrelmail.
Stuart Henderson wrote: [snip] If you are simply looking for a decent IMAP server and don't particularly need the features of Cyrus, try Dovecot instead. It's simpler and quite easy to use. In -current, Postfix (mail/postfix/snapshot/) supports Dovecot SASL: http://wiki.dovecot.org/Sasl /Sigfred
Re: ssh attacks
On Wed, May 31, 2006 at 03:15:34PM -0400, Peter Fraser wrote:
> Expect I was not clear. Someone is attacking address 1, address 2, address 3; those addresses are all blocked with respect to ssh, but because he is attacking those addresses, I want to stop an expected attack on address 4. I never want to pass ssh on address 1, address 2 or address 3 ever; I want to use the information that someone was trying to ssh to those addresses to identify the person as an attacker.

Oh, sorry for not reading exactly. So your problem is that you want to get state for ssh connection attempts to addresses 1, 2 and 3 but at the same time want to block those connections. This isn't possible (no connection - no state).

(QUICK HACK ALERT)

But it may be possible to redirect those connections to some unused port on localhost (i.e. the firewall), let something listen on this port, accept everything but immediately close the connection. Then use a simple pass rule with overload and max-src-conn options to add offending addresses to your table.

Ciao,
	Kili

ps: I didn't test the above, so if it's complete nonsense, feel free to flame me.
Re: data DVD mounting on OpenBSD 3.8
> From [EMAIL PROTECTED] Thu May 25 10:23:13 2006
> Date: Thu, 25 May 2006 09:13:45 +0200
> From: Bachman Kharazmi [EMAIL PROTECTED]
>
> I've not used dvd's with obsd myself, but I assume you've read
> http://www.openbsd.org/faq/faq13.html#playDVD
> AND the link about how to mount DVDs.
> http://www.openbsd.org/cgi-bin/man.cgi?query=mount_cd9660&sektion=8
>
> If the mount doesn't work, reply with error and the commands you ran.

Unfortunately I have read those sources, but they were of no help.

Commands and their output after inserting a kind of data DVD, which mounts on Windows, into the DVD-RW-drive:

verbatim--start--
# whoami
root
# ls -l /mnt/
total 12
drwxrwxrwx 2 root wheel 512 May 12 07:37 CDROM
drwxrwxrwx 2 root wheel 512 Mar 10 03:52 DVDROM
drwxrwxrwx 2 root wheel 512 Feb 27 13:49 M2luFlopi
# mount_cd9660 -e /dev/rcd0c /mnt/DVDROM/
mount_cd9660: /dev/rcd0c on /mnt/DVDROM: Block device required
# ls -l /dev/*dvd*
ls: /dev/*dvd*: No such file or directory
# mount -a /dev/rcd0c /mnt/DVDROM/
mount_ffs: /dev/rcd0c on /mnt/DVDROM: Block device required
# ls -l /dev/*cd0*
brw-r- 1 root operator 16, 0 Feb 27 06:20 /dev/ccd0a
brw-r- 1 root operator 16, 1 Feb 27 06:20 /dev/ccd0b
brw-r- 1 root operator 16, 2 Feb 27 06:20 /dev/ccd0c
brw-r- 1 root operator 16, 3 Feb 27 06:20 /dev/ccd0d
brw-r- 1 root operator 16, 4 Feb 27 06:20 /dev/ccd0e
brw-r- 1 root operator 16, 5 Feb 27 06:20 /dev/ccd0f
brw-r- 1 root operator 16, 6 Feb 27 06:20 /dev/ccd0g
brw-r- 1 root operator 16, 7 Feb 27 06:20 /dev/ccd0h
brw-r- 1 root operator 16, 8 Feb 27 06:20 /dev/ccd0i
brw-r- 1 root operator 16, 9 Feb 27 06:20 /dev/ccd0j
brw-r- 1 root operator 16, 10 Feb 27 06:20 /dev/ccd0k
brw-r- 1 root operator 16, 11 Feb 27 06:20 /dev/ccd0l
brw-r- 1 root operator 16, 12 Feb 27 06:20 /dev/ccd0m
brw-r- 1 root operator 16, 13 Feb 27 06:20 /dev/ccd0n
brw-r- 1 root operator 16, 14 Feb 27 06:20 /dev/ccd0o
brw-r- 1 root operator 16, 15 Feb 27 06:20 /dev/ccd0p
br--rw-rw- 1 root operator 6, 0 Feb 27 06:20 /dev/cd0a
brw--- 1 root operator 6, 2 Apr 9 05:00 /dev/cd0c
brw-r- 1 root operator 7, 0 Feb 27 06:20 /dev/mcd0a
brw-r- 1 root operator 7, 2 Feb 27 06:20 /dev/mcd0c
crw-r- 1 root operator 18, 0 Feb 27 06:20 /dev/rccd0a
crw-r- 1 root operator 18, 1 Feb 27 06:20 /dev/rccd0b
crw-r- 1 root operator 18, 2 Feb 27 06:20 /dev/rccd0c
crw-r- 1 root operator 18, 3 Feb 27 06:20 /dev/rccd0d
crw-r- 1 root operator 18, 4 Feb 27 06:20 /dev/rccd0e
crw-r- 1 root operator 18, 5 Feb 27 06:20 /dev/rccd0f
crw-r- 1 root operator 18, 6 Feb 27 06:20 /dev/rccd0g
crw-r- 1 root operator 18, 7 Feb 27 06:20 /dev/rccd0h
crw-r- 1 root operator 18, 8 Feb 27 06:20 /dev/rccd0i
crw-r- 1 root operator 18, 9 Feb 27 06:20 /dev/rccd0j
crw-r- 1 root operator 18, 10 Feb 27 06:20 /dev/rccd0k
crw-r- 1 root operator 18, 11 Feb 27 06:20 /dev/rccd0l
crw-r- 1 root operator 18, 12 Feb 27 06:20 /dev/rccd0m
crw-r- 1 root operator 18, 13 Feb 27 06:20 /dev/rccd0n
crw-r- 1 root operator 18, 14 Feb 27 06:20 /dev/rccd0o
crw-r- 1 root operator 18, 15 Feb 27 06:20 /dev/rccd0p
-rw-r--r-- 1 root wheel 1024 Apr 9 05:40 /dev/rcd0
crw-r- 1 root operator 15, 0 Feb 27 06:20 /dev/rcd0a
crw-r--r-- 1 root operator 15, 2 Apr 9 05:40 /dev/rcd0c
crw-r- 1 root operator 39, 0 Feb 27 06:20 /dev/rmcd0a
crw-r- 1 root operator 39, 2 Feb 27 06:20 /dev/rmcd0c
# mount_cd9660 -e /dev/rccd0c /mnt/DVDROM/
mount_cd9660: /dev/rccd0c on /mnt/DVDROM: Block device required
# mount_cd9660 -e /dev/cd0c /mnt/DVDROM/
mount_cd9660: /dev/cd0c on /mnt/DVDROM: Invalid argument
# mount_cd9660 -e /dev/mcd0c /mnt/DVDROM/
mount_cd9660: /dev/mcd0c on /mnt/DVDROM: Device not configured
# mount_cd9660 -e /dev/rmcd0c /mnt/DVDROM/
mount_cd9660: /dev/rmcd0c on /mnt/DVDROM: Block device required
# mount_cd9660 -e /dev/ccd0c /mnt/DVDROM/
mount_cd9660: /dev/ccd0c on /mnt/DVDROM: Device not configured
verbatim--end

The type of the writeable DVD is DVD+R.

Regards,
Martin Vahi
Re: data DVD mounting on OpenBSD 3.8
On 2006/05/31 23:14, Martin Vahi wrote:
> mount_cd9660: /dev/rccd0c on /mnt/DVDROM: Block device required
> mount_cd9660: /dev/cd0c on /mnt/DVDROM: Invalid argument
> mount_cd9660: /dev/mcd0c on /mnt/DVDROM: Device not configured
> mount_cd9660: /dev/rmcd0c on /mnt/DVDROM: Block device required
> mount_cd9660: /dev/ccd0c on /mnt/DVDROM: Device not configured

Look at the error messages: the ones for the devices starting with an r (raw devices) say "Block device required". The ones for devices not present on your system say "Device not configured". And there's one different message, for cd0c.

Or, look at cd(4) i.e. 'man 4 cd', ccd(4), mcd(4), and see which you think is most likely.

Hopefully that has got you looking more closely at cd0; what else could you try? Are you mounting the correct partition? Note what cd(4) says about disklabel.
Re: ssh attacks
On Wed, 31 May 2006, Peter Fraser wrote:
> I expect I was not clear. Someone is attacking address 1, address 2, address 3; those addresses are all blocked with respect to ssh, but because he is attacking those addresses, I want to stop an expected attack on address 4. I never want to pass ssh on address 1, address 2 or address 3 ever; I want to use the information that someone was trying to ssh to those addresses to identify the person as an attacker.

Have a look at denyhosts (Google for that). -- A
Nouveaux produits
Dear Sir, Dear Madam, The "Technologie du Futur" shop presents its new products: We have added a range of customised AudioStrobe CDs that target specific needs more precisely. And as always, our cutting-edge products for: accelerated learning, study, hypnosis, unwinding, relaxation, hyperactivity, concentration, memory, growth, healing, addictions (medication, alcohol, drugs...), anxiety. Customised subliminal or self-hypnosis CDs (relaxation, smoking, dieting...). Our brain stimulators, which let you develop your potential to the maximum. Looking forward to hearing from you, best regards. 5/11/2006 9:40:32 Team TDF Access the shop by clicking here
Re: Recommended window manager for OpenBSD
No. Just by looking at the screenshots you can see it doesn't do what Ion does. With Ion, space is managed for you (that is its whole point). The point is stopping that foolish oh-where-am-I-going-to-place-this-window attitude.
Re: openvpn bridge ip/netmask
On 2006/05/31 18:20, [EMAIL PROTECTED] wrote:
> I have a lan interface
> A tun0 interface

You put this into what OpenVPN calls 'tap' mode, didn't you? See tun(4) about layer 2 tunneling mode.

> Both are bridged with bridge0

If the above doesn't help, send your config to misc@ (or the openvpn mailing list), including: hostname.tun0, openvpn config, netstat -rn, pf.conf, brconfig -a, and whatever else you can think of that may be relevant.

> Bridge0 is configured by brconfig
> I have setup openvpn in bridge mode
> But only broadcasts and arp request pass tun0
> How do I add an address/ip to bridge0 ?

It happens automatically (unless you tell it otherwise). See brconfig(8).

fwiw: on OpenBSD 3.9, IPSEC is __very much__ simpler to setup than OpenVPN, and you don't need to keep watching for security fixes.
vpn1411 problem related to software error? (was Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem])
Didier Wiroth wrote:
> I ran the test for almost 20 minutes, there was no problem any more! Regards Didier

Thank you for your report. Here's where I stick my head out farther than I probably should and hope it doesn't get taken off. I checked the hifn code to see if it had changed since 3.9 Release. It hasn't. I took a look at the list of includes and noticed that several files have changed since 3.9 Release. Not being skilled enough to know if this is the right train of thought, I have to ask: is it possible that something was changed before 3.9 Release which broke hifn, and was later (lately) adjusted back to a state which works with hifn? If so, if the cause is not identified now, is there a possibility that hifn could be broken again in the future? The reason I ask is that hifn has a somewhat muddy history of breakage which has often been blamed on hardware. Is the hardware junk or is the problem hard to nail down? Or is this a combination of both - is the previous evidence of junk hardware + hifn problems resulting in a knee-jerk reaction of blaming the hardware by default? Also relevant for mere users like myself (ie not qualified to fix this problem), should we just downgrade to an earlier release or upgrade to current, or is this the sort of thing that would get patched if a problem was indeed identified? Thanks. Breeno
CARP
I finally got CARP _working_ :) I've a problem when I do ifconfig carp1 down on the MASTER host to test if BACKUP takes over the traffic. It does work so far. But the problem is that if I'm streaming Internet radio or am connected to IRC, the radio will stall when I do ifconfig carp1 down on MASTER, and the IRC disconnects and then tries to reconnect, which of course works. I think something is wrong, since it shouldn't affect the traffic flow at all when MASTER is interrupted. I have three interfaces in each host, and my setup looks like this (here is a diff link http://pastebin.com/pastebin.php?diff=749904)

MASTER HOST:
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
hme0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 08:00:20:9e:7c:60
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::a00:20ff:fe9e:7c60%hme0 prefixlen 64 scopeid 0x1
        inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:08:a1:8e:64:70
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.10.100 netmask 0xffffff00 broadcast 192.168.10.255
        inet6 fe80::208:a1ff:fe8e:6470%rl0 prefixlen 64 scopeid 0x2
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:8b:0e:30:02
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.254.254 netmask 0xffffff00 broadcast 192.168.254.255
        inet6 fe80::250:8bff:fe0e:3002%fxp0 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33192
pfsync0: flags=41<UP,RUNNING> mtu 1460
        pfsync: syncdev: fxp0 maxupd: 128
enc0: flags=0<> mtu 1536
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev hme0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev rl0 vhid 2 advbase 1 advskew 0
        groups: carp
        inet 192.168.10.50 netmask 0xffffff00 broadcast 192.168.10.255

# cat /etc/hostname.*
inet 192.168.1.100 255.255.255.0 192.168.1.255 vhid 1 pass foo
inet 192.168.10.50 255.255.255.0 192.168.10.255 vhid 2 pass bar
inet 192.168.254.254 255.255.255.0 NONE
dhcp NONE NONE NONE
up syncif fxp0
inet 192.168.10.100 255.255.255.0 NONE

BACKUP HOST:
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
hme0: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 08:00:20:9c:5d:3a
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::a00:20ff:fe9c:5d3a%hme0 prefixlen 64 scopeid 0x1
        inet 192.168.1.7 netmask 0xffffff00 broadcast 192.168.1.255
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:c0:26:6d:ff:6c
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.10.200 netmask 0xffffff00 broadcast 192.168.10.255
        inet6 fe80::2c0:26ff:fe6d:ff6c%rl0 prefixlen 64 scopeid 0x2
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:8b:0e:7d:7d
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.254.253 netmask 0xffffff00 broadcast 192.168.254.255
        inet6 fe80::250:8bff:fe0e:7d7d%fxp0 prefixlen 64 scopeid 0x3
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33192
pfsync0: flags=41<UP,RUNNING> mtu 1348
        pfsync: syncdev: fxp0 maxupd: 128
enc0: flags=0<> mtu 1536
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev hme0 vhid 1 advbase 1 advskew 50
        groups: carp
        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev rl0 vhid 2 advbase 1 advskew 50
        groups: carp
        inet 192.168.10.50 netmask 0xffffff00 broadcast 192.168.10.255

# cat /etc/hostname.*
inet 192.168.1.100 255.255.255.0 192.168.1.255 vhid 1 advskew 50 pass foo
inet 192.168.10.50 255.255.255.0 192.168.10.255 vhid 2 advskew 50 pass bar
inet 192.168.254.253 255.255.255.0 NONE
dhcp NONE NONE NONE
up syncif fxp0
inet 192.168.10.200 255.255.255.0 NONE

And pf.conf at both hosts is identical:
# cat /etc/pf.conf
set loginterface fxp0
nat on hme0 from rl0:network to any -> hme0
pass in on hme0 all
pass out on hme0 all
pass quick on { fxp0 } proto pfsync keep state
pass on { hme0 rl0 }
Re: cgi with chroot
On Wednesday 31 May 2006 00:20, Aiko Barz wrote:
> Ruby is working for me too. Check this out:

The script is great, Aiko, and has helped my understanding a lot (I'm trying to learn ksh as well and it was nice to see a script like this in action!) (Also thanks to Marcus (and others) for the various tips. Marcus, I will follow through on the scripting as per your suggestions, after I get the embedded Ruby with mod_ruby to work.)

I ran the script and the environment is all set up nicely. Then I went to /usr/local/share/examples/mod_ruby and got the httpd.conf additions (copied below) from there and put them into my httpd.conf file. Then something happens that I don't understand. The RubyRequire apache/ruby-run causes no problems when I start Apache, but when I try RubyRequire apache/eruby-run (which I need, I presume, to run the embedded .rhtml files) I get error messages spewed out:

[Wed May 31 14:13:04 2006] [error] mod_ruby: failed to require apache/eruby-run
[Wed May 31 14:13:04 2006] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Wed May 31 14:13:04 2006] [error] mod_ruby: failed to require apache/eruby-run
[Wed May 31 14:13:04 2006] [error] mod_ruby: error in ruby
[Wed May 31 14:13:04 2006] [error] mod_ruby: error in ruby
[Wed May 31 14:13:04 2006] [error] mod_ruby: /usr/local/lib/ruby/1.8/apache/eruby-run.rb:45:in `require': no such file to load -- eruby (LoadError)

I find this weird because eruby is sitting right beside ruby in the apache folder!!??? Yet it seems that it can't be found. Finally, don't I also need an AddType application/x-httpd-ruby .rhtml?

-- In friendship, prad ... with you on your journey Towards Freedom http://www.towardsfreedom.com (website) Information, Inspiration, Imagination - truly a site for soaring I's

# You should specify the correct path to mod_ruby.so.
LoadModule ruby_module /usr/local/apache/libexec/mod_ruby.so
#note: this needs to be /usr/lib/apache/modules/mod_ruby.so#

# If ClearModuleList is used in your httpd.conf, you should use AddModule
# to activate the ruby module.
# AddModule mod_ruby.c

# If the ruby module is installed, this will be enabled.
<IfModule mod_ruby.c>
  # for Apache::RubyRun
  RubyRequire apache/ruby-run

  # exec files under /ruby as ruby scripts.
  <Location /ruby>
    SetHandler ruby-object
    RubyHandler Apache::RubyRun.instance
    Options +ExecCGI
  </Location>

  # exec *.rbx as ruby scripts.
  <Files *.rbx>
    SetHandler ruby-object
    RubyHandler Apache::RubyRun.instance
  </Files>

  # for Apache::ERubyRun
  # RubyRequire apache/eruby-run

  # handle files under /eruby as eRuby files by eruby.
  # <Location /eruby>
  #   SetHandler ruby-object
  #   RubyHandler Apache::ERubyRun.instance
  # </Location>

  # handle *.rhtml as eruby files.
  # <Files *.rhtml>
  #   SetHandler ruby-object
  #   RubyHandler Apache::ERubyRun.instance
  # </Files>

  # for Apache::ERbRun
  # RubyRequire apache/erb-run

  # handle files under /erb as eRuby files by ERb.
  # <Location /erb>
  #   SetHandler ruby-object
  #   RubyHandler Apache::ERbRun.instance
  # </Location>

  # for debug
  # RubyRequire auto-reload
</IfModule>
other languages support?
Hello, is there a way to install several languages on one system? Say, if I have an English system, is there a way to add Cyrillic to it and switch between the two languages when typing? Thanks for any pointers! konstantin
Re: other languages support?
http://www.openbsd.ru/

2006/6/1, akonsu [EMAIL PROTECTED]:
> Hello, is there a way to install several languages on one system? Say, if I have an English system, is there a way to add Cyrillic to it and switch between the two languages when typing? Thanks for any pointers! konstantin
Re: CARP
On 2006/05/31 23:21, Bachman Kharazmi wrote: # cat /etc/hostname.* inet 192.168.1.100 255.255.255.0 192.168.1.255 vhid 1 pass foo inet 192.168.10.50 255.255.255.0 192.168.10.255 vhid 2 pass bar inet 192.168.254.254 255.255.255.0 NONE dhcp NONE NONE NONE up syncif fxp0 inet 192.168.10.100 255.255.255.0 NONE this doesn't answer your question, but can I recommend this, which I find useful in many situations since it displays the lines from the file prefixed with the filename, so people can tell which line is from which file: $ grep . /etc/hostname.* You can use head/tail to similar effect too, but grep gives more compact output, also particularly good for reading pkg/DESCR of several ports at once.
Re: other languages support?
On Thu, Jun 01, 2006 at 02:26:46AM +0400, Vadim Jukov wrote: http://www.openbsd.ru/ 2006/6/1, akonsu [EMAIL PROTECTED]: is there a way to install several languages on one system? say, if i have an english system, is there a way to add cyrillic to it and switch between the two languages when typing? I find that if I use the Caps Lock key I can enter some simple cyrillic words like PRIVET and even some proper names like CBETA. Of course this doesn't work for all words, but you can spell bedroom in Russian that way. Yes, it's not the perfect answer but it saves mucking with config files and stuff. -- Darrin Chandler| Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/ |
Re: other languages support?
huh? bedroom? is this a joke? 2006/5/31, Darrin Chandler [EMAIL PROTECTED]: I find that if I use the Caps Lock key I can enter some simple cyrillic words like PRIVET and even some proper names like CBETA. Of course this doesn't work for all words, but you can spell bedroom in Russian that way. Yes, it's not the perfect answer but it saves mucking with config files and stuff. -- Darrin Chandler| Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/ |
Re: other languages support?
huh? bedroom? is this a joke? KOMHATA. Not that I'd really consider this multi-language support... :) DS
Re: Your DriverGuide.com Inquiry
Greetings from DriverGuide.com. We're sorry. You replied to a notification-only address that cannot accept incoming e-mail. But that's OK--this automated response will direct you to the right place at DriverGuide.com to answer your question. Many common questions are answered in our FAQ, please visit: http://members.driverguide.com/index.php?action=faq If you have already registered but have not received your membership email, visit: http://members.driverguide.com/ums/index.php?action=rs If you have already registered but forgotten your password, visit: http://members.driverguide.com/ums/index.php?action=fd If you are having trouble with registration, visit: http://members.driverguide.com/index.php?action=feedbackid=27s=1 For all other questions or inquiries, visit: http://members.driverguide.com/index.php?action=feedback Thanks for using DriverGuide.com! Sincerely, DriverGuide team http://www.DriverGuide.com To unsubscribe from DriverGuide, click on this link: http://members.driverguide.com/ums/[EMAIL PROTECTED] P.S. You received this message because DriverGuide.com received a message with the following headers: From: misc@openbsd.org To: [EMAIL PROTECTED] Subject: Important Date: Thu, 1 Jun 2006 06:41:18 +0700
The Unix Haters Handbook
Hi all. I had not before seen this book, but doing some Unix research I found it at http://research.microsoft.com/~daniel/uhh-download.html Loving Unix I found the book hilarious and quite entertaining and still containing some truth. The chapter about the rm command is very funny because everybody has tried that mistake once. Anyway, wanted to share my discovery. I know many knows this book, but perhaps many also don't. Best and kind regards, Rico
Re: UPS with USB: hidups or newhidups drivers in nut
Index: sys/dev/usb/usb_quirks.c === RCS file: /data/cvsroot/OpenBSD/src/sys/dev/usb/usb_quirks.c,v retrieving revision 1.22 diff -u -r1.22 usb_quirks.c --- sys/dev/usb/usb_quirks.c 14 May 2006 12:00:04 - 1.22 +++ sys/dev/usb/usb_quirks.c 31 May 2006 17:56:38 - @@ -128,6 +128,11 @@ { USB_VENDOR_NEC, USB_PRODUCT_NEC_PICTY920, ANY, { UQ_BROKEN_BIDIR }}, { USB_VENDOR_NEC, USB_PRODUCT_NEC_PICTY800, ANY, { UQ_BROKEN_BIDIR }}, { USB_VENDOR_METAGEEK, USB_PRODUCT_METAGEEK_WISPY, ANY, { UQ_BAD_HID }}, + { USB_VENDOR_APC, USB_PRODUCT_APC_UPSPRO500,ANY, { UQ_BAD_HID }}, + { USB_VENDOR_DELORME, USB_PRODUCT_DELORME_EARTHMATE, + ANY, { UQ_BAD_HID }}, + { USB_VENDOR_MGE, USB_PRODUCT_MGE_UPS1, ANY, { UQ_BAD_HID }}, + { USB_VENDOR_MGE, USB_PRODUCT_MGE_UPS2, ANY, { UQ_BAD_HID }}, { 0, 0, 0, { 0 } } }; I think we need a much more compressed do not attach as hid table inside the uhid driver itself, since there are going to mny more than this in the long run. I think hid has it backwards. I will discuss it this evening with dlg and pascoe.
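Review bot: the added rows reference USB_VENDOR_APC, USB_PRODUCT_APC_UPSPRO500, USB_VENDOR_DELORME, USB_PRODUCT_DELORME_EARTHMATE, USB_VENDOR_MGE, USB_PRODUCT_MGE_UPS1 and USB_PRODUCT_MGE_UPS2, none of which this diff defines, so the hunk only compiles if usbdevs.h already carries them; either state that dependency or include the usbdevs regeneration with the patch. On style within the same hunk, `+ { USB_VENDOR_APC, USB_PRODUCT_APC_UPSPRO500,ANY, { UQ_BAD_HID }},` lacks the space after the comma before ANY that the neighbouring entries use, and the DeLorme row is wrapped onto a second line while every other row of the table is a single line. Since the thread is about an APC UPS and only one APC product ID is quirked here, the reporter should check the product ID the kernel prints at attach time against that entry before expecting uhid to skip the device.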
Re: Kernel panic -- Processor State .. PState
Hello, After a large investigation I figured out that some people have problems with OpenBSD on that machine and some don't. The hardware is strictly the same. All hardware tests pass fine. The only difference between the two kinds of machine is the BIOS version installed. The differences between the two BIOSes are:
- The vcore has been updated to +0.1v
- Pstate has been removed
The second release of the BIOS seems to be buggy on OpenBSD. Could someone help me understand this, please? Thx ++ Jerome

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Jerome Loyet
Sent: Tuesday 30 May 2006 23:28
To: misc@openbsd.org
Subject: Re: Kernel panic smashed stack in ufs_makeinode

In fact this is not just a problem with my machine. I bought a dedicated server (www.dedibox.fr). I installed OpenBSD 3.9 on it. Other people did exactly the same and they have the same problem. This is NOT hardware which is malfunctioning. This must be a compatibility problem. Any ideas?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Spruell, Darren-Perot
Sent: Tuesday 30 May 2006 23:06
To: misc@openbsd.org
Subject: Re: Kernel panic smashed stack in ufs_makeinode

From: [EMAIL PROTECTED]
> I got another kernel panic: free: non-malloced addr 0x10 type temp Many programs seg fault with Program terminated with signal 11, Segmentation fault The memory has been tested with memtest86. Any ideas?

I've had memtest86 report good memory when I had a system throwing spurious signal 11s. The fix was swapping out memory in the end. I don't suppose memtest86 is supposed to be able to detect all memory problems, yeah? DS

[demime 1.01d removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]
Re: CARP
On May 31, 2006, at 5:21 PM, Bachman Kharazmi wrote:
> I've a problem when I do ifconfig carp1 down on the MASTER host to test if BACKUP takes over the traffic..

You're not alone. I have a pair of boxes running 3.8/pf/carp/etc. I upgraded them to 3.9 and during the upgrade discovered that if I do 'ifconfig carp0|1 down' then failover does not happen properly. : ( If I do 'ifconfig rl0 down' (rl0 being the physical interface for carp0) then things do fail over as expected. I thought maybe this was an issue with 3.9 so I did a fresh install of 3.8 on both and still the problem persists. I have not bothered with the upgrade to 3.9 again, no time just yet. I know that 3.8 and 3.9 boxes can't keep in sync together. I'm seeing the problem when both boxes are at the same version, either 3.8 or 3.9. I know it worked at one point back in my lab but that was 3.7. When I do fail rl0, state is preserved for connections. I have a VOIP line and had a connection between that and my cell phone going when I failed rl0. The telephone call stayed live. This is all from memory but I recall that when I did fail carp0, connections stopped. I think it was a case of the master node still having carp1 as master, yet the second node had carp0 as master, or something like that where each thought it had half and thus no connections would work. I'm at a loss as to why this might be happening. Annoying issue too. If I wanted to take a host out of the pool of firewalls then I'd take down the carp interface, leaving the physical interfaces up, so access to the box would still work. Now I can't do that. :( -Chad
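Both the original CARP post and Chad's reply describe the same symptom: after `ifconfig carp1 down` on the master, one vhid fails over while the other stays MASTER on the same host, so the two firewalls each own half of the virtual addresses and flows that cross both networks stall. The script below is an added example, not code from either poster or from OpenBSD: it parses ifconfig(8) output in the format shown in the thread and classifies a host as MASTER, BACKUP or SPLIT. The ifconfig samples are constructed for this example, and the INIT state shown for the downed carp1 is an assumption; the classifier only distinguishes MASTER from anything else. The interface names, vhids and addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example: read ifconfig(8) output and report the CARP state of every
# vhid on one host, then classify the host as MASTER, BACKUP, SPLIT (master
# for some vhids but not others) or NONE (no carp interfaces seen).

# Constructed samples in the format shown in the thread, not real output.
# The INIT state for the downed carp1 is an assumption for the sample.
SAMPLE_HEALTHY='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev hme0 vhid 1 advbase 1 advskew 0
        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev rl0 vhid 2 advbase 1 advskew 0
        inet 192.168.10.50 netmask 0xffffff00 broadcast 192.168.10.255'

SAMPLE_AFTER_CARP1_DOWN='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev hme0 vhid 1 advbase 1 advskew 0
        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
carp1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        carp: INIT carpdev rl0 vhid 2 advbase 1 advskew 0
        inet 192.168.10.50 netmask 0xffffff00 broadcast 192.168.10.255'

# carp_states  (reads ifconfig output on stdin)
# Prints one "vhid state carpdev" line per carp interface. Leading
# whitespace on the "carp:" line is ignored by awk's default field splitting.
carp_states() {
    awk '$1 == "carp:" {
            state = $2; vhid = "?"; dev = "?"
            for (i = 3; i <= NF; i++) {
                if ($i == "vhid") vhid = $(i + 1)
                if ($i == "carpdev") dev = $(i + 1)
            }
            print vhid, state, dev
        }'
}

# carp_role  (reads ifconfig output on stdin)
# MASTER if every vhid is MASTER, BACKUP if none is, SPLIT if mixed, NONE if
# there are no carp interfaces. A SPLIT host still answers for one virtual
# address while its peer has taken the other, which is the state the thread
# describes. With sysctl net.inet.carp.preempt=1 a carp interface going down
# demotes the host's other carp interfaces as well, so SPLIT should not persist.
carp_role() {
    carp_states | awk '
        $2 == "MASTER" { m++ }
        $2 != "MASTER" { o++ }
        END {
            if (m > 0 && o > 0) print "SPLIT"
            else if (m > 0) print "MASTER"
            else if (o > 0) print "BACKUP"
            else print "NONE"
        }'
}

# Usage on a live box, run on each firewall after the failover test:
#   ifconfig | carp_role
```

Run it on both hosts after `ifconfig carp1 down`: the expected pair is BACKUP on the host you demoted and MASTER on the peer; SPLIT on either one is the half-failed state Chad describes, and that is the case to fix before looking at pfsync.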
Libpcap library version
I was trying to work with ettercap today, and found out the only version in the ports tree is 0.6.bp3. This version is described as deprecated on the ettercap webpage. I downloaded the most recent version (0.7.3) and tried to install it. When I run the configure script included in it I get the following output:
$ ./configure --with-libpcap=/usr/src/lib/libpcap
...
checking for libpcap... /usr/src/lib/libpcap
checking for pcap_datalink_val_to_description in -lpcap... no
configure: error: Incorrect libpcap version. libpcap >= 0.8.1 required
I was told on the #openbsd irc channel that OpenBSD maintains its own versions of the libraries. Is this just due to an old library version, or am I missing something else? -- There are no stupid questions, but there are a lot of inquisitive idiots.
Re: Kernel panic -- Processor State .. PState
On 2006/06/01 01:55, Jerome Loyet wrote: The only difference between the 2 kind of machine is about the BIOS version installed. The differences between the two BIOS are: - The vcore has been updated to +0.1v - Pstate has been removed The second release of the BIOS seams to be buggy on OpenBSD. Someone could help me to understand on this please ? BIOS sets a lot of parameters on the machine which can cause instability if they're wrong - memory timings, PCI bus settings etc. Seems like you need to report this regression to someone who can fix the BIOS (hardware manufacturer?). I would expect most manufacturers prefer to respond to someone buying 100s or 1000s of boxes than a private individual, so perhaps it would be better if someone at dedibox could contact them.
[Resolved] Help with CUPS and Samsung ML-1710
I have resolved it by configuring the printer in raw mode... and reading carefully the official Samba how-to: Classical Printing, and CUPS Printing ;-)

-- Forwarded message --
From: ip [EMAIL PROTECTED]
Date: May 30, 2006 5:06 PM
Subject: Help with CUPS and Samsung ML-1710
To: misc@openbsd.org

Hello, I've been trying to get my Samsung ML-1710 running under OpenBSD with CUPS. Installation of everything seems to have gone o.k., but I can't print anything... From dmesg I receive:
ulpt0 at uhub1 port 2 configuration 1 interface 0
ulpt0: Samsung Electronics Co., Ltd. Samsung ML-1710 Series, rev 1.10/1.00, addr 2, iclass 7/1
ulpt0: using bi-directional mode
I have configured it via web, Samsung ML-1710 Foomatic/gdi (recommended) Description: Stampante Laser B/N Location: Printer State: idle, accepting jobs. Device URI: usb:/dev/ulpt0 but if I run /usr/local/libexec/cups/backend/usb manually, the prompt shows:
# ./usb
direct usb:/dev/ulpt0 Unknown USB Printer #1
direct usb:/dev/ulpt1 Unknown USB Printer #2
The CUPS error_log file doesn't show errors:
I [30/May/2006:15:18:34 +0200] Started /usr/local/libexec/cups/cgi-bin/printers.cgi (pid=28574)
I [30/May/2006:15:18:35 +0200] Adding start banner page none to job 1.
I [30/May/2006:15:18:35 +0200] Adding end banner page none to job 1.
I [30/May/2006:15:18:35 +0200] Job 1 queued on 'ML1710' by 'root'.
I [30/May/2006:15:18:35 +0200] Started filter /usr/local/libexec/cups/filter/pstops (PID 1194) for job 1.
I [30/May/2006:15:18:35 +0200] Started filter /usr/local/libexec/cups/filter/foomatic-rip (PID 5490) for job 1.
I [30/May/2006:15:18:35 +0200] Started backend /usr/local/libexec/cups/backend/usb (PID 26302) for job 1.
I [30/May/2006:15:18:36 +0200] Started /usr/local/libexec/cups/cgi-bin/printers.cgi (pid=28339)
and also when I try to bypass the spooler mechanism,
# lptest > /dev/ulpt0
it doesn't print :( I hope for your help :) Thanks, -- ip
Re: other languages support?
On Wed, May 31, 2006 at 04:16:12PM -0700, Spruell, Darren-Perot wrote: huh? bedroom? is this a joke? KOMHATA. Not that I'd really consider this multi-language support... :) You surprise me sometimes. ;) -- Darrin Chandler| Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/ |
Re: ssh attacks
This has been asked before, and I tried many of the suggestions given especially with pf (max-src-conn). But the simplest way to stop this, is to change your ssh port. You can do all that tweaking in pf but your logs will still show that someone tried, just that your logs will be smaller. But change the port and you'll see no attempts whatsoever. This is my experience. I agree with what this guy below says. I too ended up only allowing certain IP addresses to ssh into my servers but this is troublesome when you're at a new location and that location has a dynamic address. I ultimately changed the port number and the only inconvenience to me was remembering the new port number. I blocked these guys by various means and watched what happened for a while. Sometimes there were lots of scans and other times there were only a few per day. But they were all hit and run scans, from IPs all over the place. You're going to fill your tables with IPs that aren't coming back. Pf does a fine job with tables, and my boxes never got slow or low on memory. But why waste resources for nothing? At that point you're really doing the same job as pflog. I ended up using a table for IPs allowed to ssh, others are blocked.
Re: [Fwd: 'Corrupted MAC on input' points to vpn1411 problem]
On Tue, May 30, 2006 at 07:49:39AM -0600, Breen Ouellette wrote:
> Thanks for your post. I hope you take it one step further and run that script (and then report your result to this list)! :)

I just run worms(6) or rain(6) in a screen(1) window and then set it to monitor for 30s silence ('^a _'). Reminds me, I think I did see it on 3des as well as aes now that you mention that. But it is not happening as of May 1st current. http://marc.theaimsgroup.com/?l=openbsd-miscm=114349587814641w=2 Don't remember the interval of it happening prior to that. -- jared [ openbsd 3.9-current GENERIC ( may 1 ) // i386 ]
Spamd log question
I can't seem to find an explanation for this in the man pages (excuse my blindness if it is stated), but what does the '(17/16)' indicate in log entries such as this.. Jun 1 00:01:33 guardian spamd[9554]: 209.59.102.252: connected (17/16) Mike
Re: Spamd log question
On Wed, May 31, 2006 at 10:31:18PM -0400, Mike Spenard wrote: I can't seem to find an explanation for this in the man pages (excuse my blindness if it is stated), but what does the '(17/16)' indicate in log entries such as this.. Jun 1 00:01:33 guardian spamd[9554]: 209.59.102.252: connected (17/16) From what I've gathered by watching logs, it's (total conns/blacklist conns) -- Darrin Chandler| Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/ |
Re: Spamd log question
What would the remainder be then if 16 out of 17 are black. Is the remaining 1 a greylist connection? Darrin Chandler wrote: On Wed, May 31, 2006 at 10:31:18PM -0400, Mike Spenard wrote: I can't seem to find an explanation for this in the man pages (excuse my blindness if it is stated), but what does the '(17/16)' indicate in log entries such as this.. Jun 1 00:01:33 guardian spamd[9554]: 209.59.102.252: connected (17/16) From what I've gathered by watching logs, it's (total conns/blacklist conns)
Re: Spamd log question
On Wed, May 31, 2006 at 10:56:40PM -0400, Mike Spenard wrote: What would the remainder be then if 16 out of 17 are black. Is the remaining 1 a greylist connection? Yes, if I'm right (and I think I am.) Grep the logs for 'connected ' and the numbers should make sense. You should see something like: ... connected (11/10), lists: whatever ... connected (12/10) ... connected (13/11), lists: baz ... disconnected after 30 seconds. ... connected (12/11) ... disconnected after 402 seconds. lists: whatever So whenever there's a connect with lists after it both numbers go up, otherwise only the first goes up. Disconnected is analogous, but you don't get the number of connections there. -- Darrin Chandler| Phoenix BSD Users Group [EMAIL PROTECTED] | http://bsd.phoenix.az.us/ http://www.stilyagin.com/ |
Re: ssh attacks
On Wed, May 31, 2006 at 02:54:16PM -0400, Peter Fraser wrote:
> Right now someone is trying out each IP address I have with an ssh attack. Only one of those IP addresses is enabled for ssh. I have a (max-src-conn-rate 100/10, overload bad_guys flush global) on that address. I would like to know how to get pf to note these other attempts and block the sender. To me the obvious would be
> block in on Outsize proto tcp port ssh flags S/SA state (max-src-conn-rate 100/10, overload bad_hosts flush global)
> This does not work. One gets a message that keeping state on a blocked rule makes no sense.

This topic comes up at regular intervals of 6 months on every *nix mailing list I'm on. It will result in everybody screaming for some scripts that analyze log files and block IPs, do firewall tricks, port changes and whatnot. It's stupid (sorry, but it is):
- Attacks are automated.
- Stupid user/password combinations.
- From zombie hosts.
Countermeasures:
- Block the evil guys (here is the big thread about how to do it, and most people successfully DoS themselves or even create security holes)
After the script kiddies have stopped ROTFL:
- Use their botnet with 10k hosts from all over the world.
- Connect only 3 times per bot to one IP.
Gained security = 0%
Leave it just as it is. You don't have anything to fear if you use decent passwords. Otherwise don't offer an ssh service! Remember, there is a chance to hit _the_ password with the first try...
Things that really improve security:
- use key files, disable password auth
- good passwords (here size matters, men :p)
- whitelist known safe networks
I just had to write this down, because it really annoys me :) Please don't take it personally. Have fun, I'm going to sleep a bit now... Tobias
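The three ssh-attack messages in this digest cover the same ground from different angles: a log watcher such as denyhosts, a pf table of offenders fed from sshd failures, and Tobias's point that a botnet making a handful of attempts per source never crosses a per-IP threshold. The script below is an added example, not code from any poster, denyhosts or OpenBSD: a POSIX sh/awk pass over authlog-style sshd lines that counts "Failed password" attempts per source address and prints the pfctl(8) command that would add each offender to the bad_hosts table from Peter's rule. The log lines are constructed for the example, the threshold is a parameter, and nothing is executed against pf; the output is meant to be reviewed first.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source address in authlog-style
# lines and emit pfctl(8) commands for the offenders. Nothing is executed;
# the commands are printed so they can be reviewed before use.

# Constructed sample lines in OpenBSD authlog format (not from the thread).
# 192.0.2.10 hammers the host; 198.51.100.7 and 203.0.113.9 try once each,
# which is the distributed, hit-and-run pattern the thread warns about.
SAMPLE_AUTHLOG='May 31 14:02:11 gw sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
May 31 14:02:13 gw sshd[12345]: Failed password for invalid user admin from 192.0.2.10 port 51235 ssh2
May 31 14:02:15 gw sshd[12346]: Failed password for root from 192.0.2.10 port 51236 ssh2
May 31 14:03:01 gw sshd[12350]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
May 31 14:03:02 gw sshd[12351]: Failed password for invalid user test from 203.0.113.9 port 40002 ssh2
May 31 14:05:00 gw sshd[12360]: Accepted publickey for alice from 192.0.2.55 port 50000 ssh2'

# ssh_offenders THRESHOLD  (reads log lines on stdin)
# Prints, sorted, every source address with at least THRESHOLD failed
# password attempts. Accepted logins and other sshd messages are ignored,
# so a key-only server never contributes an address here.
ssh_offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { n[$(i + 1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' | sort
}

# block_commands  (reads one address per line on stdin)
# Prints the pfctl command that would add each address to the bad_hosts
# table named in the thread. Pipe to sh only after reviewing the output.
block_commands() {
    while read -r ip; do
        printf 'pfctl -t bad_hosts -T add %s\n' "$ip"
    done
}

# Usage: printf '%s\n' "$SAMPLE_AUTHLOG" | ssh_offenders 3 | block_commands
# With threshold 3 only 192.0.2.10 is listed; the two single-attempt
# sources are exactly what a per-IP threshold cannot catch, and lowering
# the threshold to 1 would also catch a legitimate user's one typo.
```

On a live box the input would be `/var/log/authlog` (or `tail -f` of it), and the table needs a matching `block in quick from <bad_hosts>` rule in pf.conf. The sample makes the trade-off visible: at threshold 3 the distributed sources go unflagged, at threshold 1 a single mistyped password is enough to block someone, which is why the thread's advice to rely on key-only authentication and a whitelist table stands regardless of what the counter does.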