Re: IP change trouble
On Mon, Jan 22, 2007 at 09:22:27PM -0500, Nick Holland wrote:
> Wrap your lines, please...
>
> Paul Irofti wrote:
> > I have changed one of my workstation's IP with:
> >
> > $ sudo ifconfig vr0 inet 192.168.1.64
> >
> > Afterwards some applications (trn, rtorrent, gaim) acknowledged the
> > change and worked on the fly. Others, such as irssi, worked on a
> > random basis (i.e. restarting it would lead to connecting or not to
> > the servers). Firefox, mutt, snownews, lynx didn't even bother.
> >
> > I did modify the /etc/hostname.vr0 and /etc/hosts files before
> > executing the command.
> >
> > I couldn't find any solution to this. Is it something I'm missing?
> > I felt pretty dumb having to reboot my machine in order to solve
> > this.
>
> Why's that?
>
> Ok, sure, we laugh ourselves silly about everything we do in Windows
> requiring a reboot, however, it is easy to forget, sometimes (in fact,
> often!) one really SHOULD reboot a machine.

Don't worry I'm not an uptime maniac, it means nothing to me. I just
had something compiling and didn't want to reboot.

> I've seen this happen way too often, and done it a few times myself:
> 1) Make changes "on the fly"
> 2) Change config files
> 3) ...do nothing...for months...
> 4) reboot the server
> 5) Find out the changes done in step 2 were done improperly...or
> forgotten to be done.
> 6) Spend way too long trying to restore proper operation, as you no
> longer recall the "what" or the "
>
> If you reconfigure a machine, you need to reboot it to make sure you
> didn't fat-finger something in the process, and make sure it comes up
> on its own, even if you aren't doing that right this moment.

I agree.

> Yeah, that hurts your "uptime". That's ok, uptime is only significant
> to people who come from a Windows background anyway...virtually every
> other OS (including MSDOS) ran from when you start them to when you
> shut them down (or until an app crashed 'em)...and proper maintenance
> requires shutting them down from time to time.
>
> The actual answer to your question as asked would require much more
> information about what you did and what actually happened, but I think
> your question is wrong, so this is the answer I'm giving you. Can
> you reconfig things on the fly? In theory, yes. Should you? No, at
> least if you aren't reading the script files to understand how it all
> works together, and even then, schedule that reboot SOON so you can
> check for fat-fingering...
>
> Nick.

I just edited those files and ran that command. Nothing more, nothing
less. It was a simple IP change operation.
Re: IP change trouble
On Tue, Jan 23, 2007 at 12:05:56AM +0200, Paul Irofti wrote:
> I have changed one of my workstation's IP with:
>
> $ sudo ifconfig vr0 inet 192.168.1.64
>
> Afterwards some applications (trn, rtorrent, gaim) acknowledged the
> change and worked on the fly. Others, such as irssi, worked on a random
> basis (i.e. restarting it would lead to connecting or not to the
> servers). Firefox, mutt, snownews, lynx didn't even bother.
>
> I did modify the /etc/hostname.vr0 and /etc/hosts files before executing
> the command.
>
> I couldn't find any solution to this. Is it something I'm missing? I
> felt pretty dumb having to reboot my machine in order to solve this.
>
> OpenBSD 4.0-current (GENERIC) #810: Tue Jan 9 11:36:49 MST 2007
> [EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
>

Changing the IP address of an interface while running needs some
consideration.

a) check that the interface was correctly configured
b) check your routing table and reenter the routes that depend on vr0
   when you change the IP of an interface the routing table often does
   not realize this change -- trust me you don't want to know why.
c) restart all applications which were listening on the old IP address
   bind, ntpd and many other UDP daemons fall in this category.
d) restart all applications with open tcp session that used vr0
   tcp sessions are sticky

A good way to reconfigure your network is to "route -n flush" and
"sh /etc/netstart". This works in many cases and if it fails it is often
the easiest to reboot your system because it is faster than figuring out
what the hell went wrong.

-- 
:wq Claudio
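A small helper for step b) of the procedure above, added here as an example and not part of the thread: it reads the routing table as printed by "netstat -rn -f inet", lists the routes that go out a given interface, and turns the gateway routes among them into "route add" commands you can review and re-enter after the flush. The column layout (Destination, Gateway, Flags, ..., Interface last) is assumed from OpenBSD 4.x netstat; only the first three and the last column are used. The sample output embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): which routes depend on an
# interface, and the "route add" commands needed to re-enter the gateway
# routes among them after "route -n flush && sh /etc/netstart".
# Assumed column layout of "netstat -rn -f inet" on OpenBSD 4.x:
#   Destination  Gateway  Flags  Refs  Use  Mtu  Interface
# Only columns 1-3 and the last column are used, so an extra column such
# as the later "Prio" does not matter.

# sample_netstat: constructed netstat -rn output for the example.  On a
# live box pipe the real "netstat -rn -f inet" into the functions instead.
sample_netstat() {
cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            192.168.1.1        UGS         3     1024      -   vr0
127/8              127.0.0.1          UGRS        0        0  33224   lo0
127.0.0.1          127.0.0.1          UH          1        0  33224   lo0
10.10.0/24         192.168.1.254      UGS         0       12      -   vr0
192.168.1/24       link#1             UC          2        0      -   vr0
192.168.1.1        00:11:22:33:44:55  UHLc        1      500      -   vr0
224/4              127.0.0.1          URS         0        0  33224   lo0
EOF
}

# routes_via IFACE: print "destination gateway flags" for every route whose
# interface column is IFACE (header and "Routing tables"/"Internet:" lines
# never have IFACE in the last column, so they fall out on their own).
routes_via() {
    awk -v ifn="$1" 'NF >= 7 && $NF == ifn && $1 != "Destination" { print $1, $2, $3 }'
}

# readd_cmds IFACE: emit a "route add" command for each gateway route (flag G)
# on IFACE that is not an ARP/link-layer entry (flag L) or a cloned route
# (flag c); the kernel and netstart recreate those on their own.  Review the
# output before running it: the default route comes from /etc/mygate and is
# normally re-added by netstart already.
readd_cmds() {
    routes_via "$1" | awk '
        index($3, "G") && !index($3, "L") && !index($3, "c") {
            printf "route add -inet %s %s\n", $1, $2
        }'
}

# Demonstration over the constructed sample:
echo "# routes depending on vr0:"
sample_netstat | routes_via vr0
echo "# commands to re-enter after the flush:"
sample_netstat | readd_cmds vr0
```

On a real host the last two pipelines become `netstat -rn -f inet | readd_cmds vr0 > /tmp/routes.sh`, run before the flush so that the commands can be replayed afterwards.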
Re: ipcomp
On Tue, Jan 23, 2007 at 01:04:51PM +1100, Richard Thornton wrote: > > Just trying to ascertain if ipcomp(4) is fully integrated with > ipsecctl(8), if it is can someone detail the ipsec.conf(5) config to > use it, also does it support RFC2394 IP Payload Compression Using > DEFLATE? > i believe it is not, and if it is some kind ipsec developer will correct me. jmc
altq hfsc
I was looking at the pf.conf(5) page for my altq/hfsc config and had some trouble understanding the exact workings of hfsc queues, the pf.conf man page has limited info on their workings. Also when i was looking at pf(4) it noted altq(9) which didn't seem to exist, is that an old listing in the pf(4) man page or is my man folder missing something? Is there a better recommended resource for hfsc?

-- 
-Lawrence
-Student ID 1028219
-CCNA
Re: altq hfsc
On Tue, Jan 23, 2007 at 12:04:17AM -0800, Lawrence Horvath wrote:
> I was looking at the pf.conf(5) page for my altq/hfsc config and had
> some trouble understanding the exact workings of hfsc queues, the
> pf.conf man page has limited info on their workings. Also when i was
> looking at pf(4) it noted altq(9) which didn't seem to exist, is that
> an old listing in the pf(4) man page or is my man folder missing
> something?
>

there certainly is an altq(9) page - you can check on the web interface.

jmc
Re: setting up a memory file system
> My main question is the device it uses. The man page has the > device /dev/sd0b. This needs to be set up somewhere. Still, I see > that people use "swap" in its place instead. Swap is the b partition in a generic kernel (and most other kernels, too). Use of "swap" in fstab just simplifies things. You don't have to know that the partition is sd0b or wd0b or some other device or some combination of devices in case swapon is used. // marc
Re: setting up a memory file system
On 1/22/07, Peter Matulis <[EMAIL PROTECTED]> wrote:
> On Tuesday, January 23, 2007 00:04, Greg Thomas wrote:
> > On 1/22/07, Peter Matulis <[EMAIL PROTECTED]> wrote:
> > > I am having difficulty finding documentation on how to set up a
> > > memory file system from beginning to end. I keep reading about
> > > /tmp and swap and docs that presume certain steps have been
> > > accomplished (disklabel).
> > >
> > > I want to set up /var/blah as mfs. What are the basic steps?
> >
> > Is this a trick question? Or does your question have more to it like
> > populating /var/blah?
> >
> > If it's simply a question of mounting /var/blah as mfs the sample in
> > the fstab manpage is pretty good, substitute /var/blah for /tmp in
> > the sample and adjust the size accordingly.
>
> My main question is the device it uses. The man page has the
> device /dev/sd0b. This needs to be set up somewhere. Still, I see
> that people use "swap" in its place instead.

Unless I'm misunderstanding your question /dev/sd0b (or /dev/wd0b) is
swap, and it gets setup by default during one's installation.

Greg
Re: Using isakmpd to build a bridge
On Mon, Jan 22, 2007 at 07:34:13PM -0500, stan wrote: > > Well, It Works For Me [TM]. Actually, our office network is divided into > > several subnets, and the Windows fileserver is on another subnet in a remote > > data centre, several IP hops away, and it all still works. > > > > Locating a machine by name ("Network Neighbourhood") requires either a WINS > > server or dynamic DNS, but you've realised that. Mount by IP address should > > just work. > > Can you clarify what you mean by dynamic DNS in this context? Ah, for that you would need a Windows expert, and that's not me :-) However my rough understanding is that Windows clients make dynamic DNS updates to their 'local' DNS server (that is, Microsoft are assuming that your DNS cache is also authoritative for your own domain - which is probably true if you use Windows domain controllers which are also configured to be DNS servers) Machines register their hostname in this way, so that when you do a lookup on another machine for //foo/subdir then 'foo' can be resolved via DNS. I don't know how this gives you the 'Network neighborhood' browsing capability. Regards, Brian.
Re: setting up a memory file system
* Marco S Hyman <[EMAIL PROTECTED]> [2007-01-23 09:57]: > > My main question is the device it uses. The man page has the > > device /dev/sd0b. This needs to be set up somewhere. Still, I see > > that people use "swap" in its place instead. > > Swap is the b partition in a generic kernel (and most other kernels, > too). Use of "swap" in fstab just simplifies things. You don't have > to know that the partition is sd0b or wd0b or some other device or some > combination of devices in case swapon is used. and you don't actually need a [s|w]d0b or any swap partition for that matter -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Firewall, high interrupt load, is this a driver problem (dc) ?
Hey Henning,

Henning Brauer wrote:
> * Ronnie Garcia <[EMAIL PROTECTED]> [2007-01-22 21:10]:
> > I'm graphing a lot of kernel/pf variables with cacti, and i'm clearly
> > seeing the box maxing at 15k interrupts/s.
>
> that is not necessarily a problem.
>
> > I'm raising 15k interrupts/s when the box is routing approx 13k pps and
> > then the CPU is at 50-55%.
>
> at 13k pps you definitely want good nics which have proper interrupt
> mitigation. most gigE NICs fall into that category; sk, msk and em fall
> definitely into that category.

Thanks for your detailed reply.

I guess that you are using (or used) obsd routers/firewalls at BS Web
Services. They might also handle a high packets rate.

May i ask what kind of hardware you are using ? Motherboard, CPU, NIC,
PCI type ?

I'm considering buying new hardware for these firewalls, and i'd like
them to handle a bunch of pps ;)

Regards,

-- 
Ronnie Garcia
Directeur ovea
Tel : +33 4 6767
Gsm : +33 6 29500295
http://www.ovea.com
Re: IBM ServeRAID
On Mon, Jan 22, 2007 at 08:36:34PM -0600, Damian Wiest wrote: > On Mon, Jan 22, 2007 at 08:57:58PM -0500, Nick Holland wrote: > > Peter Matulis wrote: > > > Hi. I would like to install OpenBSD 4.0 on an IBM eServer (xSeries 220) > > > that contains a ServeRAID SCSI controller. I see that in OpenBSD > > > Current a driver has been added (ips). Does that mean I cannot install > > > OpenBSD 4.0 and have access to the controller on this machine? Any > > > comments welcome. > > > > > > Thanks in advance, > > > > > > Peter > > > > yep. > > New drivers are never back-ported. > > > > See FAQ 5 for more info on the OpenBSD development process... > > > > Keep in mind: whatever your hesitation is about installing -current on > > your machine is pretty completely negated by the fact that 4.0 won't > > work. (though, admittedly, you can't beat the stability and security > > of a non-functioning system. :) > > > > Nick. > > I'm guessing that it's not worth the time and potential problems of > attempting to recompile a 4.0 kernel with the new driver or just running > a current kernel with an old userland? The first is difficult, the latter unlikely to work. I don't really see the point, either - if you exercise a bit of care [1], -current is very stable. You could temporarily insert another RAID card and/or wait for 4.1, too. Depending on what you need, this might or might not work. Joachim [1] Don't update in the middle of a hackathon, and don't be too quick to update after major filesystem changes - which will be soon.
Re: Do you virtualize w/OpenBSD as host?
On Mon, Jan 22, 2007 at 10:53:18PM -0600, bofh wrote: > On 1/22/07, Joachim Schipper <[EMAIL PROTECTED]> wrote: > >Finally, while OpenBSD does not run many virtualization environments, it > >does run *in* most virtualization environments. At least VMWare should > >work, and Xen is being developed [1]. > > > >Joachim > > > >[1] Or might be ready, or might be abandoned - I'm afraid I'm not > >certain here. > > I thought making xen run in dom0 was one of the summer of code google was > doing? Yes, that's the case. But I'm not sure what the project status is right now - I haven't heard anything in a while. Joachim
Re: Do you virtualize w/OpenBSD as host?
On Mon, Jan 22, 2007 at 04:56:25PM -0800, yary wrote: > On 22/01/07, Joachim Schipper <[EMAIL PROTECTED]> wrote: > >On Mon, Jan 22, 2007 at 12:42:03PM -0800, yary wrote: > >For real virtual stuff, qemu works well - although not exactly swiftly. > >It's usable for testing, but don't try to run it in production. > > > >If you can handle being a little less virtual, chroot + systrace allows > >you to build specialized mini-systems with good security and > >performance. This can be rather useful for running, for instance, > >several disconnected daemons on a single server; OTOH, it's completely > >useless if you are trying to do kernel development work. So it depends > >on what you are trying to do; however, since very few of those > >virtualization systems will allow you to run a different kernel from the > >one you are running on the host, this is not that big a loss. > > > >Finally, while OpenBSD does not run many virtualization environments, it > >does run *in* most virtualization environments. At least VMWare should > >work, and Xen is being developed [1]. > > > > Joachim > > > >[1] Or might be ready, or might be abandoned - I'm afraid I'm not > >certain here. > > I have two uses in mind, one is trying out/debugging network > scenarios, the other is creating a virutal machine where a couple > trusted users can set up some network services (webserver, svn > repository) separate from my own. The first pretty much requires some > kind of virutalization, and the second is much easier with it, AFAIK. qemu is useful for the first case; sysjail (which is a systrace wrapper) might be useful for the second, as pointed out. > For now, I don't have any pressing network problems, and I'm just > going to set up a separate machine from surplus hardware for my > friends. Would like to have some VM stuff to play with so have the > experience if/when I need it (plus, it seems "fun"), prefer to stay > within OpenBSD, easier on my brain. Good idea. Joachim
Re: OpenBSD on software raid
doc Hyde wrote:
> Can anyone help me please?
> Thank you.

Google can...

http://www.eclectica.ca/howto/openbsd-software-raid-howto.php

These are the steps you are most likely to have missed:

# raidctl -a /dev/sd0d raid0
# raidctl -vF component0 raid0
# raidctl -vP raid0

Reboot after the last step, and you're good to go.

/Thomas
-- 
We're sysadmins, to us, data is protocol overhead.
Re: Using isakmpd to build a bridge
On Tue, Jan 23, 2007 at 08:54:51AM +, Brian Candler wrote: > On Mon, Jan 22, 2007 at 07:34:13PM -0500, stan wrote: > > > Well, It Works For Me [TM]. Actually, our office network is divided into > > > several subnets, and the Windows fileserver is on another subnet in a > > > remote > > > data centre, several IP hops away, and it all still works. > > > > > > Locating a machine by name ("Network Neighbourhood") requires either a > > > WINS > > > server or dynamic DNS, but you've realised that. Mount by IP address > > > should > > > just work. > > > > Can you clarify what you mean by dynamic DNS in this context? > > Ah, for that you would need a Windows expert, and that's not me :-) > > However my rough understanding is that Windows clients make dynamic DNS > updates to their 'local' DNS server (that is, Microsoft are assuming that > your DNS cache is also authoritative for your own domain - which is probably > true if you use Windows domain controllers which are also configured to be > DNS servers) > > Machines register their hostname in this way, so that when you do a lookup > on another machine for //foo/subdir then 'foo' can be resolved via DNS. > > I don't know how this gives you the 'Network neighborhood' browsing > capability. IIRC - but I'm not sure I do - you can configure Windows to do lookups in any combination of ways: netbios, possibly over TCP/IP, which is the classical solution; a WINS server, which is like a DNS server but not entirely[1]; the lmhosts file, which is like /etc/hosts but only for Windows networking; and DNS lookups. The first two give you browsing capability, or at least should; the rest don't, but still allow you to configure shares by name instead of by IP address. ISTR that netbios and lmhosts are enabled by default, and that the other two must be explicitly enabled; also, the option to update dynamic DNS must be explicitly enabled. 
Note that you can always hardcode IP addresses; this isn't the best possible practice, but it does work. Joachim
Re: IBM ServeRAID
On 2007/01/23 11:14, Joachim Schipper wrote: > [1] Don't update in the middle of a hackathon, and don't be too quick to > update after major filesystem changes - which will be soon. You could always wait a couple of days between downloading and installing if you want to increase the chance of someone else finding any problems first...same applies to all software updates.
Re: SVN question
On Tue, Jan 23, 2007 at 01:48:18AM -0500, Jean-Daniel Beaubien wrote: > Hi everyone, > > Firstly, I know my question is a bit off-topic for this list...but I > don't exactly trust the subversion mailing list to give me an > objective view if subversion is safe or not. > > Basically I'd like to know what people think about having a svn > repository on a web host like dreamhost.com > (http://wiki.dreamhost.com/index.php/Svn). > > Is it safe if using svn+ssh? Or is it just basically a big no-no? I've been using exactly that setup for a couple of years now; I can't recall any vulnerabilities in that time. Still, it depends on who you give access. SSH is pretty good at keeping the bad people out, provided you use public keys and/or sensible passwords. On a public-access server, I'd certainly look into ways of getting it to chroot (which isn't all that difficult; force SSH logins to use a particular suid wrapper program, or chroot the whole sshd, or ...). However, there is no *other* source code control system I'd recommend over Subversion in this regard. GNU CVS has been trouble-free for a couple of years, but so has Subversion - and the GNU CVS code seems to be rather messy. OpenCVS isn't really ready for prime-time yet, and very new - so it's good to toy around with, but if being as secure as possible is your goal... In fact, this applies to most source code control I know of - while all have their disadvantages, vulnerabilities seem to be rare. So I don't think security is a major deciding factor in choosing Subversion over some other system, or vice versa. However, I'm inclined to say that the setup *is* important, on a web host. I use Subversion for this exact purpose, using a single web site; but if you are using multiple web sites, it might be a good idea to have one uid per repository. This also allows people to write their own hooks, which can be terribly useful. Finally, bad passwords and SSH are a rather annoying combination. 
You can force them to use Subversion and only Subversion after login, and I'd recommend you do so. Joachim
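The "force them to use Subversion and only Subversion after login" setup above is normally done with a forced command in authorized_keys. The helper below is an added example, not code from the thread: it prints a restricted key line for a user (svnserve in tunnel mode, plus the no-* options so the key cannot get a shell, a pty or forwarding) and checks an existing authorized_keys file for key lines that lack those restrictions. It assumes OpenSSH's authorized_keys syntax, the svnserve(8) options -t, -r and --tunnel-user, and a hypothetical repository root of /var/svn; the key material in the demonstration is constructed and not a real key.

```shell
#!/bin/sh
# Added example (not from the original thread): restrict SSH keys to
# Subversion only.  Every key line in the shared account's
# ~/.ssh/authorized_keys gets a forced command (svnserve -t) plus the
# usual no-* options, so the key reaches the repositories and nothing else.
# Assumptions: OpenSSH authorized_keys syntax; svnserve(8) options -t, -r
# and --tunnel-user; repository root /var/svn is a hypothetical path.

SVN_ROOT=${SVN_ROOT:-/var/svn}

# svn_key_line USER PUBKEY...: print one restricted authorized_keys line.
# --tunnel-user records USER as the commit author even though every key
# logs in as the same Unix account; -r confines svnserve to SVN_ROOT.
svn_key_line() {
    user=$1; shift
    printf 'command="svnserve -t -r %s --tunnel-user=%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$SVN_ROOT" "$user" "$*"
}

# svn_key_check FILE: exit 0 if every key line in FILE carries the forced
# svnserve command and all four restrictions; otherwise print the offending
# line numbers and exit 1.  Suitable for a nightly cron job on the account.
svn_key_check() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        !/command="svnserve -t/ || !/no-port-forwarding/ || !/no-agent-forwarding/ ||
        !/no-X11-forwarding/ || !/no-pty/ {
            print FILENAME ":" NR ": key without full svnserve restriction"
            bad = 1
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Demonstration with a constructed (not real) public key:
KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexamplekeymaterial alice@laptop'
svn_key_line alice "$KEY"
```

Append the printed line to the shared account's authorized_keys; a user whose key carries it can run "svn co svn+ssh://host/repo" but gets no interactive login, which is the property you want on a public web host.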
Framebuffer in OpenBSD
Hello! I would like to port OpenBSD to the MS Xbox (old one). The Kernel already boots until main() in kern/init_main.c . (I can control this with the front LED of the Xbox). The next thing I would like to do is to write a kind of framebuffer driver so that I can get output on the TV. I have the sourcecode for the framebuffer driver of FreeBSD and Linux, but I don't know how to integrate it in OpenBSD. I read that OpenBSD has no framebuffer at all. How could I get output from the Kernel? The Xbox has no serial port... just USB and Ethernet. Markus Ritzer
High Load - t/s
I have a OpenBSD 3.9 server with courier imapd-ssl running. The load on
the server is heavy from transactions on the disk where I store the
emails. I'm using a Adaptec 2010S SCSI RAID card. I have tried and
tweaked the courier imap server the best I can without any luck.

From iostat:

      tty            cd0             fd0             sd0             sd1           cpu
 tin tout  KB/t t/s  MB/s  KB/t t/s  MB/s  KB/t t/s  MB/s  KB/t t/s  MB/s  us ni sy in  id
   0    1  0.00   0  0.00  0.00   0  0.00 50.72   4  0.19  9.92  16  0.15   1  0  0  0  99
   0  268  0.00   0  0.00  0.00   0  0.00  0.00   0  0.00 14.51 144  2.04   0  0  1  0  99
   0   89  0.00   0  0.00  0.00   0  0.00  0.00   0  0.00 14.10 143  1.97   1  0  0  0  99
   0   89  0.00   0  0.00  0.00   0  0.00  0.00   0  0.00 12.40 139  1.68   0  0  2  0  98
   0   89  0.00   0  0.00  0.00   0  0.00  0.00   0  0.00 11.40 146  1.62   1  0  1  0  98
   0   89  0.00   0  0.00  0.00   0  0.00  0.00   0  0.00 12.03 140  1.64   0  0  0  1  99
   0   89  0.00   0  0.00  0.00   0  0.00  0.00   0  0.00 10.97 141  1.51   0  0  0  0 100

The sd1 disk has 140 t/s. CPU-load is nothing.

w:
12:35PM up 46 days, 6:15, 1 user, load averages: 7.11, 5.46, 3.09

Any ideas?

Regards
Jonas
Re: High Load - t/s
Jonas Thambert wrote: > 12:35PM up 46 days, 6:15, 1 user, load averages: 7.11, 5.46, 3.09 > > > Any ideas? What's the actual problem? high load average in itself is not necessarily a problem. --- Lars Hansson
Re: Do you virtualize w/OpenBSD as host?
On 23 Jan 2007, at 05:22, Jason George wrote: On 1/22/07, Joachim Schipper <[EMAIL PROTECTED]> wrote: Finally, while OpenBSD does not run many virtualization environments, it does run *in* most virtualization environments. At least VMWare should work, and Xen is being developed [1]. Joachim [1] Or might be ready, or might be abandoned - I'm afraid I'm not certain here. I thought making xen run in dom0 was one of the summer of code google was doing? Maybe if we ask nicely, Anil will provide us with an update? Everyone together now... Anil and Christoph, stuck in a tree... Anil and Christoph, both very busy :-) Not forgotten, but it'll be a month at least before I can get to it again. If anyone feels brave and wants to fix the lockup bug that is stopping it from being self-hosting, go for it... -anil
Re: Framebuffer in OpenBSD
On Tue, Jan 23, 2007 at 12:07:50PM +0100, Markus Ritzer wrote: > Hello! > > I would like to port OpenBSD to the MS Xbox (old one). The Kernel already > boots until main() in kern/init_main.c . (I can control this with the front > LED of the Xbox). The next thing I would like to do is to write a kind of > framebuffer driver so that I can get output on the TV. I have the sourcecode > for the framebuffer driver of FreeBSD and Linux, but I don't know how to > integrate it in OpenBSD. > > I read that OpenBSD has no framebuffer at all. openbsd has a lot of framebuffers. look at arch/sparc64/dev/fb.c as a start. > > > How could I get output from the Kernel? > > > The Xbox has no serial port... just USB and Ethernet. > > > > Markus Ritzer -- Alexander Yurchenko
Re: Framebuffer in OpenBSD
> I would like to port OpenBSD to the MS Xbox (old one). The Kernel already
> boots until main() in kern/init_main.c . (I can control this with the front
> LED of the Xbox). The next thing I would like to do is to write a kind of
> framebuffer driver so that I can get output on the TV. I have the sourcecode
> for the framebuffer driver of FreeBSD and Linux, but I don't know how to
> integrate it in OpenBSD.

You might want to have a look at NetBSD which recently got some xbox support
(although I don't see the point on running on such a machine).

> I read that OpenBSD has no framebuffer at all.

This is an overbroad generalization of ``the i386 and amd64 ports of OpenBSD
run the frame buffer in text mode''. Actually, -CURRENT has code to drive
the main display in graphics mode if it is VESA 2 compliant (vesafb). You
might want to build on top of it as well.

Miod
Re: High Load - t/s
> What's the actual problem? high load average in itself is not > necessarily a problem. > > --- > Lars Hansson > The problem is the t/s on the sd1 device where I have the email-storage. Have less than 10 accounts and clients on a Xeon 3.0 Ghz server with 1 Gb RAM. I have tried to see why I have so many t/s on the disk but I can not figure it out. The disks are SCSI-disks 15 000 rpm. /Jonas
Re: Firewall, high interrupt load, is this a driver problem (dc) ?
Here are useful details from Henning (thanks!)

-------- Original Message --------
Subject: Re: Firewall, high interrupt load, is this a driver problem (dc) ?
Date: Tue, 23 Jan 2007 11:42:22 +0100
From: Henning Brauer <[EMAIL PROTECTED]>
To: Ronnie Garcia <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>

* Ronnie Garcia <[EMAIL PROTECTED]> [2007-01-23 11:19]:
> Hey Henning,
>
> Henning Brauer wrote:
> >* Ronnie Garcia <[EMAIL PROTECTED]> [2007-01-22 21:10]:
> >>I'm graphing a lot of kernel/pf variables with cacti, and i'm clearly
> >>seeing the box maxing at 15k interrupts/s.
> >
> >that is not necessarily a problem.
> >
> >>I'm raising 15k interrupts/s when the box is routing approx 13k pps and
> >>then the CPU is at 50-55%.
> >
> >at 13k pps you definitely want good nics which have proper interrupt
> >mitigation. most gigE NICs fall into that category; sk, msk and em fall
> >definitely into that category.
>
> Thanks for your detailed reply.
>
> I guess that you are using (or used) obsd routers/firewalls at BS Web
> Services. They might also handle a high packets rate.

yup

> May i ask what kind of hardware you are using ? Motherboard, CPU, NIC,
> PCI type ?

varying.

> I'm considering buying new hardware for these firewalls, and i'd like
> them to handle a bunch of pps ;)

the install with the highest forwarding rate I know of uses a Supermicro
X6DH8-XB, a 3.2 GHz Xeon and a bunch of em(4). I have seen it doing 750
MBit/s of real-world traffic at approx 150k pps. With a full routing
table (~205k entries) and a GENERIC kernel it was running at roughly
80..90% CPU load; the slightly optimized for the task kernel I have in
place there now gives quite some extra headroom. Also, I expect
sk/msk(4) to perform better than em(4), but that has yet to be proven in
real-world conditions.
-- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Backing up /var/db/spamdb
Hi everyone, I realize that there's probably not much value in keeping backups of /var/db/spamdb, since entries have a relatively short lifetime, but it would be nice to be able to drop an existing spamdb onto another machine; or to keep last night's backup in case a spamd/firewall fails and needs to be brought back up quickly. I am content to just let spamd start over from scratch, but users do notice the delay while spamd rebuilds the whitelist. Don't you just love that glazed eyes look when they hear the answer to the question "Is there something wrong with email?" Anything to avoid the users! ;^) I didn't see anything about doing backups of spamdb in the man pages, but I'm guessing you can't just rip it out while spamd is running. Any pointers here? I figure I should shutdown spamd and copy the database-- unless there's something else I can do while the program is running. Thanks, Dan
Re: Idea for additionnal funding
I could be wrong, but the original question said nothing about
"non-profit". The way i read the first question was simply as: why can't
OpenBSD (a for-profit entity) do advertising, via a search page for
google (a for-profit entity, as far as i know), and get paid for it.
Nothing non-profit required, simply an advertising deal between 2
for-profit companies.

This would not require any "inconsistencies" either, as both companies
are for-profit. So in much the same way that we pay OpenBSD for CD
sets, Google would be paying OpenBSD for searches. Am I wrong
somewhere in that?

On 1/22/07, Martin Schröder <[EMAIL PROTECTED]> wrote:
> 2007/1/21, L. V. Lammert <[EMAIL PROTECTED]>:
> > Actually, I talked to Theo about this last year, as we currently operate
> > a non-profit that is underutilized. The problem is that since OBSD is NOT
> > a non-profit, a 'regular' corp cannot transfer funds without a TON of
> > justification paperwork (especially internationally) - our attorney said
> > it was definately not worth the legal expense involved and would almos
> > certainly invite an IRS audit (at more expense).
>
> That's why the OpenBSD Enterprise Bundle exists:
> http://www.dixongroup.net/?q=openbsd
>
> Best
> Martin

-- 
-Lawrence
-Student ID 1028219
-CCNA
NIDS + web interface
have had a few occurrences of the "windows machine getting trojaned" lately and need to setup NIDS to watch for such nastiness. in the past i setup snort + ACID and found the process to be quite tedious since i spent an inordinate amount of time setting it up. based on posts made on misc@ and elsewhere, i'm wary of the security implications of running snort. i am interested in hearing opinions on the following: - snort + BASE - prelude-IDS - bro-IDS - (how tedious it is)/(if it's possible) to setup a web interface for the above IDS solutions - openIDS; this is based on openbsd 3.7-release, AFAICT - snort-inline or similar as IPS - systrace-ing such a solution whichever solution i go with, i need to install 2 sets of 2 sensors each, so i'll try my hand at making a ready-to-roll solution along the lines of http://www.openbsdsupport.org/usenix-usebsd-nids.pdf . i can make the install image available, unless someone has already done this and is willing to offer it up ;) cheers, jake
Re: Backing up /var/db/spamdb
Daniel Barowy wrote: Hi everyone, I realize that there's probably not much value in keeping backups of /var/db/spamdb, since entries have a relatively short lifetime, but it would be nice to be able to drop an existing spamdb onto another machine; or to keep last night's backup in case a spamd/firewall fails and needs to be brought back up quickly. I am content to just let spamd daniel, i have learned the hard way that you should be making incremental backups of all of your machines every night. a decent backup solution should take care of this. my advice is "try it!" testing is simple enough: scp /var/db/spamdb to another machine, run spamdb and see if your IPs are preserved. there something wrong with email?" Anything to avoid the users! ;^) lol! tech-clueless ppl complaining about stuff is hard on my ears too. i should get hazard pay for that crap cheers, jake
Re: IBM ServeRAID
On Tue, Jan 23, 2007 at 10:48:20AM +, Stuart Henderson wrote: > On 2007/01/23 11:14, Joachim Schipper wrote: > > [1] Don't update in the middle of a hackathon, and don't be too quick to > > update after major filesystem changes - which will be soon. > > You could always wait a couple of days between downloading and > installing if you want to increase the chance of someone else finding > any problems first...same applies to all software updates. Exactly. Filesystem bugs might be more painful to recover from, though. Joachim
Re: IP change trouble
On Tue, Jan 23, 2007 at 10:02:38AM -0500, Eric Furman wrote:
> On Tue, 23 Jan 2007 00:05:56 +0200, "Paul Irofti" <[EMAIL PROTECTED]>
> said:
> > I have changed one of my workstation's IP with:
> >
> > $ sudo ifconfig vr0 inet 192.168.1.64
> >
>
> OK, I'll ask a dumb question and I apologize if this seems too obvious.
> Did you first bring the interface 'down', before changing the IP
> address? And then bring it back 'up', afterwards? Changing the IP
> address on the fly can result in a number of unexpected things
> happening.

Heh, that must've been it. Reading your message I realized I don't
remember marking it as down before issuing the command. I remember
doing a bunch of ups and downs afterwards, but not before.

Thanks, I think that explains it. I've done this multiple times and
never had any trouble until last night. I was sure there was something
dumb I did (-:
Re: Do you virtualize w/OpenBSD as host?
On 1/23/07, Anil Madhavapeddy <[EMAIL PROTECTED]> wrote: Anil and Christoph, stuck in a tree... Anil and Christoph, both very busy :-) Heh. Not forgotten, but it'll be a month at least before I can get to it again. If anyone feels brave and wants to fix the lockup bug that is stopping it from being self-hosting, go for it... Are you toying with me? Are you seriously suggesting that nerdvana is around the corner, and that I might be able to host xen stuff under an openbsd dom0? Anil and Christoph! Anil and Christoph! Anil and Christoph! 8-)
Re: Idea for additionnal funding
You're missing the point. OpenBSD is not a non-for-profit organization. OpenBSD is not a for-profit organization. OpenBSD, for all intents and purposes, is Theo de Raadt. This has implications. Period.

There is work being done to put into place appropriate legal entities. This is essentially a large exercise in paperwork for accounting and audit compliance. We're on it. This stuff doesn't happen overnight.

Now let's leave it at that...

> I could be wrong, but the original question said nothing about
> "non-profit"; the way I read the first question was simply: why can't
> OpenBSD (a for-profit entity) do advertising, via a search page for
> google (a for-profit entity, as far as I know), and get paid for it.
> Nothing non-profit required, simply an advertising deal between 2
> for-profit companies.
>
> This would not require any "inconsistencies" either, as both companies
> are for-profit. So in much the same way that we pay OpenBSD for CD
> sets, Google would be paying OpenBSD for searches. Am I wrong
> somewhere in that?
>
> On 1/22/07, Martin Schröder <[EMAIL PROTECTED]> wrote:
>> 2007/1/21, L. V. Lammert <[EMAIL PROTECTED]>:
>> > Actually, I talked to Theo about this last year, as we currently operate
>> > a non-profit that is underutilized. The problem is that since OBSD is NOT
>> > a non-profit, a 'regular' corp cannot transfer funds without a TON of
>> > justification paperwork (especially internationally) - our attorney said
>> > it was definitely not worth the legal expense involved and would almos
>> > certainly invite an IRS audit (at more expense).
>>
>> That's why the OpenBSD Enterprise Bundle exists:
>> http://www.dixongroup.net/?q=openbsd
>>
>> Best
>> Martin
altq with hfsc
I'm trying to implement hfsc altq on a firewall I have running. I currently have the linkshare option working properly with only the bandwidth assigned to the queue, not a full service curve. I would like to implement upperlimit; however, I don't quite understand how the delay works. I understand how to write it, I know the correct syntax, but how does the queue know that the service curve is over and it should reset, so to speak?

Say I have the following:

queue 68.10_out bandwidth 20Kb priority 2 qlimit 100 hfsc ( linkshare 200Kb upperlimit (1000Kb 5000 500Kb))

The upperlimit allows the queue to "spike" up to 1Mb for 5 seconds, then cuts it back down to 500Kb, but at what point does it say "OK, the spike is over" and reset the queue so as to allow it to spike again if needed? Please let me know if that was not clear.

I understand using linkshare in hfsc is roughly equivalent to setting a bandwidth and using borrow in cbq, correct? Also, doesn't the bandwidth directive conflict with the upperlimit?

--
-Lawrence
-Student ID 1028219
-CCNA
[OT] Old books to good home
We were cleaning out our old library and I came across some particularly esoteric volumes. I thought they might be of interest to some developers. Please reply off-list if you'd like any of these.

VAX Vector Processing Handbook, Second Edition (Digital, 1990)
PowerPC Microprocessor Family: The Programming Environments for 32-Bit Microprocessors (Motorola, 1997)
PowerQUICC MPC860 User's Manual (Motorola, 1998)
Ingenuity in Mathematics, Ross Honsberger (Yale University, 1970)
UNIX System V Release 4, Understanding ELF Object Files and Debugging Tools (USL, 1994)

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Re: Backing up /var/db/spamdb
Jacob Yocom-Piatt wrote:
> daniel,
>
> i have learned the hard way that you should be making incremental backups of all of your machines every night. a decent backup solution should take care of this.
>
> my advice is "try it!" testing is simple enough: scp /var/db/spamdb to another machine, run spamdb and see if your IPs are preserved.

Hi Jake,

The only thing about just copying the file-- I don't want to catch the database in some intermediate state. I understand that spamd uses Berkeley DB, and I'm guessing that it is able to recover from errors, but I honestly don't know since I've never used Berkeley DB for anything myself. For now, I'll take your advice and just scp the file to another machine.

I do incremental backups for the machines that count. For me, a firewall is not one of them, since with the exception of the spamdb file, there is no important information stored on it. I keep system configuration files for these kinds of machines elsewhere so that we can quickly put together replacements if they fail. That's good enough for me, and less work than making sure that a couple dozen incremental backups are actually running correctly every night.

Dan
multiple external links not working ..
Well, thanks to everyone who helped me come close to using multiple external links for internet, but it's still not working.

My scenario is that I have 2 ISP connections. The main internet connection is the powerful one, which I only want to use for specific protocols that I have defined in a macro called ports; the rest is supposed to go to my 2nd internet connection, which is a weak & cheap connection basically there to allow p2p applications access.

Main internet is ext_if1 (xl0)
slow internet is ext_if2 (xl2)
LAN is int_if (xl1)

Now the problem is that whenever I apply my pf.conf file, all the traffic goes to the 2nd slow internet connection.

my pf.conf file:

lan_net = "10.0.0.0/16"
int_if = "xl1"
ext_if1 = "xl0"
ext_if2 = "xl2"
ext_gw1 = "192.168.0.1"
ext_gw2 = "203.81.235.1"
chadd = "10.0.0.1"
ports = " 22 25 53 80 110 119 123 143 443 465 554 900 995 1755 1863"
table persist file "/etc/allowedclients"

nat on $ext_if1 inet proto {tcp, udp } from to any port \
    { $ports } -> ($ext_if1)
nat on $ext_if2 inet proto {tcp, udp } from to any \
    -> ($ext_if2)

rdr on $int_if proto tcp from to any port 80 -> $chadd port 8080

pass out log on $int_if from any to $lan_net

pass in log quick on $int_if from $lan_net to $int_if
pass in log on $int_if route-to { ($ext_if2 $ext_gw2) } from \
    $lan_net to any flags S/SA keep state
pass in log on $int_if route-to { ($ext_if1 $ext_gw1) } inet proto tcp from \
    $lan_net to any port {$ports} flags S/SA keep state

pass out log on $ext_if2 proto tcp from any to any flags S/SA modulate state
pass out log on $ext_if2 proto { udp, icmp } from any to any keep state
pass out log on $ext_if1 proto tcp from any to any flags S/SA modulate state
pass out log on $ext_if1 proto { udp, icmp } from any to any keep state

pass out log on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any
pass out log on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any

this is what happens:

bash-3.1# tcpdump -nettipflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG
1169566778.398818 rule 18/(match) pass out on xl2: 203.81.235.185.5698 > 8.7.232.215.80: [|tcp] (DF)
1169566778.553623 rule 18/(match) pass out on xl2: 203.81.235.185.13550 > 66.249.91.83.80: [|tcp] (DF)
1169566779.005110 rule 18/(match) pass out on xl2: 203.81.235.185.16245 > 209.0.144.87.80: [|tcp] (DF)
1169566779.102642 rule 1/(match) pass in on xl1: 10.0.2.41.1601 > 10.0.0.1.8080: [|tcp] (DF)
1169566779.105302 rule 18/(match) pass out on xl2: 203.81.235.185.5672 > 216.143.70.77.80: [|tcp]
1169566779.167718 rule 1/(match) pass in on xl1: 10.0.1.24.2402 > 10.0.0.1.8080: [|tcp] (DF)
1169566779.170640 rule 18/(match) pass out on xl2: 203.81.235.185.11598 > 64.40.101.40.80: [|tcp] (DF)
1169566779.457058 rule 2/(match) pass in on xl1: 10.0.2.7.2328 > 125.23.47.31.3460: [|tcp] (DF)
1169566779.457112 rule 21/(match) pass out on xl0: 10.0.2.7.2328 > 125.23.47.31.3460: [|tcp] (DF)
1169566779.615288 rule 18/(match) pass out on xl2: 203.81.235.185.33595 > 209.0.144.88.80: [|tcp] (DF)
1169566779.700708 rule 18/(match) pass out on xl2: 203.81.235.185.42575 > 72.14.209.85.80: [|tcp] (DF)
1169566779.994302 rule 1/(match) pass in on xl1: 10.0.2.8.4265 > 10.0.0.1.8080: [|tcp] (DF)
1169566780.005425 rule 18/(match) pass out on xl2: 203.81.235.185.31337 > 72.14.209.86.80: [|tcp] (DF)
1169566780.174899 rule 18/(match) pass out on xl2: 203.81.235.185.27385 > 8.2.96.67.80: [|tcp] (DF)
1169566780.475037 rule 2/(match) pass in on xl1: 10.0.1.19.138 > 10.0.255.255.138: udp 201
1169566780.475089 rule 22/(match) pass out on xl0: 10.0.1.19.138 > 10.0.255.255.138: udp 201
1169566780.652249 rule 18/(match) pass out on xl2: 203.81.235.185.44777 > 8.7.232.215.80: [|tcp] (DF)
1169566780.884663 rule 1/(match) pass in on xl1: 10.0.2.8.4266 > 10.0.0.1.8080: [|tcp] (DF)
1169566780.889225 rule 18/(match) pass out on xl2: 203.81.235.185.44736 > 72.14.217.189.80: [|tcp] (DF)
1169566780.920559 rule 2/(match) pass in on xl1: 10.0.3.6.3273 > 64.182.172.11.8585: [|tcp] (DF)
1169566780.920608 rule 21/(match) pass out on xl0: 10.0.3.6.3273 > 64.182.172.11.8585: [|tcp] (DF)
1169566780.927934 rule 18/(match) pass out on xl2: 203.81.235.185.2945 > 66.249.91.18.80: [|tcp] (DF)
1169566781.046297 rule 2/(match) pass in on xl1: 10.0.1.11.137 > 10.0.255.255.137: udp 50
1169566781.046351 rule 22/(match) pass out on xl0: 10.0.1.11.137 > 10.0.255.255.137: udp 50
1169566781.141521 rule 18/(match) pass out on xl2: 203.81.235.185.6110 > 209.0.144.87.80: [|tcp] (DF)
1169566781.389933 rule 2/(match) pass in on xl1: 10.0.4.19.137 > 10.0.255.255.137: udp 68
1169566781.390009 rule 22/(match) pass out on xl0: 10.0.4.19.137 > 10.0.255.255.137: udp 68
1169566781.505436 rule 18/(match) pass out on xl2: 203.81.235.185.12893 > 66.249.91.19.80: [|tcp] (DF)
1169566781.634241 rule 18/(match) pass out on xl2: 203.81.235.185.3396 > 209.0.144.88.80: [|tcp] (DF)
1169566782.052176 rule 1/(match)
apache security
what i would like to achieve is that on a shared host if bad guys (tm) break into one site they can't get to other sites.

is this possible? i've been looking at su-exec but it is for cgi scripts only :/, what other options are there?

AFAIK chroot is not the correct answer to my question as it protects the rest of the system from being exploited if one of the sites gets cracked but it can't protect one site from another...

--
almir
Re: Backing up /var/db/spamdb
On Tue, 23 Jan 2007, Dan Barowy wrote:
> Jacob Yocom-Piatt wrote:
> >
> > daniel,
> >
> > i have learned the hard way that you should be making incremental backups of
> > all of your machines every night. a decent backup solution should take care
> > of this.
> >
> > my advice is "try it!" testing is simple enough: scp /var/db/spamdb to
> > another machine, run spamdb and see if your IPs are preserved.
> >
> Hi Jake,
>
> The only thing about just copying the file-- I don't want to catch the
> database in some intermediate state. I understand that spamd uses Berkeley
> DB, and I'm guessing that it is able to recover from errors, but I honestly
> don't know since I've never used Berkeley DB for anything myself. For now,
> I'll take your advice and just scp the file to another machine.
>
> I do incremental backups for the machines that count. For me, a firewall is
> not one of them, since with the exception of the spamdb file, there is no
> important information stored on it. I keep system configuration files for
> these kinds of machines elsewhere so that we can quickly put together
> replacements if they fail. That's good enough for me, and less work than
> making sure that a couple dozen incremental backups are actually running
> correctly every night.

A simple and stupid method would be to use spamdb(8) to dump the DB. It does proper locking. Drawback is that some script massage would be needed to restore the db.

Also, be aware that the db format is not arch-independent. So e.g. transferring a db between a i386 and sparc64 would not work.

-Otto
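The "script massage" Otto mentions, as an added example that is not from either poster: a dump taken with plain `spamdb` is a text file (so it also sidesteps the i386/sparc64 format problem), and the function below turns it back into the `spamdb -a` / `spamdb -T -a` / `spamdb -t -a` commands that rebuild the whitelist, trapped and spamtrap entries on a replacement box. The sample dump is constructed for this example.

```shell
# Added example, not from the thread: rebuild a spamd database from a
# spamdb(8) text dump.  Record layout follows what spamdb(8) prints:
#   WHITE|ip|||first|pass|expire|block|pass
#   TRAPPED|ip|||first|pass|expire|block|pass
#   SPAMTRAP|address|||...
#   GREY|ip|from|to|first|pass|expire|block|pass
# The sample below is constructed; it is not a dump from the poster's firewall.
SAMPLE_DUMP='WHITE|192.0.2.10|||1169500000|1169500300|1172092300|1|4
GREY|198.51.100.7|<a@example.net>|<b@example.org>|1169560000|1169561500|1169574400|2|0
TRAPPED|203.0.113.9|||1169550000|1169550000|1169636400|0|0
SPAMTRAP|trap@example.org|||0|0|0|0|0'

# Read a dump on stdin and emit one spamdb command per restorable record.
# WHITE entries come back with "spamdb -a", TRAPPED hosts with "spamdb -T -a",
# spamtrap addresses with "spamdb -t -a".  GREY records are in-flight
# greylist state that spamdb(8) offers no option to re-insert; they are
# counted and skipped, and those senders are simply greylisted afresh.
spamdb_restore_cmds() {
    awk -F'|' '
        $1 == "WHITE"    { print "spamdb -a " $2 }
        $1 == "TRAPPED"  { print "spamdb -T -a " $2 }
        $1 == "SPAMTRAP" { print "spamdb -t -a " $2 }
        $1 == "GREY"     { skipped++ }
        END { if (skipped) print "# skipped " skipped " GREY record(s)" }'
}

# Number of records a restore would re-create; a backup job can compare this
# against the previous night to catch an empty or truncated dump early.
spamdb_restorable_count() {
    awk -F'|' '$1 == "WHITE" || $1 == "TRAPPED" || $1 == "SPAMTRAP" { n++ }
               END { print n + 0 }'
}

# On the live firewall the backup side is just:   spamdb > /backup/spamdb.dump
# and the restore on the replacement:   spamdb_restore_cmds < spamdb.dump | sh
printf '%s\n' "$SAMPLE_DUMP" | spamdb_restore_cmds
printf '%s\n' "$SAMPLE_DUMP" | spamdb_restorable_count
```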
authpf shell at startup
Hi everyone,

I apologize, as this may be more of a MacOS question than an OpenBSD one...

We are using authpf for authenticating remote users. Works great, and I haven't had any trouble at all writing frontends for Windows clients-- I just use AutoIt to hide all of the details of opening up an SSH session in PuTTY and establishing a tunnel to the gateway.

The problem is, I can't seem to replicate the same functionality in the MacOS. If, for instance, I try to wrap up an SSH session in an AppleScript, I get the error "Psuedo-terminal will not be allocated because stdin is not a terminal." I understand why this happens but I can't think of a way to fix it. Searching the web for instances of this error gives me pointers to use the -T switch for ssh ("Disable pseudo-tty allocation."), which solves the error, but appears to cause ssh to connect only momentarily and then disconnect. Obviously, in order to get something useful out of authpf, I need that connection to stick around for awhile.

It may be easier (for me) just to suck it up and have my Mac users open up a Terminal window and type in 'ssh foo', but being graphic designers, most of these people are deathly afraid of computers.

Dan
Re: authpf shell at startup
Daniel Barowy wrote:
> The Rogue Fugu wrote:
> > You can make it run a shell script using this procedure:
> > 1) Create a directory called MyApp.app
> > 2) Create a directory within MyApp.app called Contents
> > 3) Create a directory within Contents called MacOS
> > 4) Place your shell script within the MacOS directory and call it MyApp
> >
> > mac os will recognize it as an application.

Oops. Sorry-- did not mean to CC the list on this. Ignore.
Re: amavisd-new under OpenBSD 4.0
Thanks for the input everyone, I've been considering my alternatives and I guess I'll just buck up and learn to use ports. (And a few other things...) I looked over dspam, and while they have a really impressive web-site and their goals seem very laudable, and even in-line with the system I'd originally envisioned, I don't think I'm ready for a full solution yet. Instead, I'm going to follow Mr. Roberts' advice and try out a base system with spamd and greylisting. In the mean time, while such a system is keeping my few users afloat, I'll see if I can come up with something more tailored to our situation. Again, thanks for all the wonderful insight and advice from all responders. I'm glad you guys are here to turn to when I get really stuck on something. -Bob
Re: apache security
On 1/23/07, Almir Karic <[EMAIL PROTECTED]> wrote: what i would like to achieve is that on a shared host if bad guys (tm) break into one site they can't get to other sites. "break in" has more than one meaning, and you might have different answers for different scenarios. is this possible? i've been looking at su-exec but it is for cgi scripts only :/, what other options there are? If you want isolation, given that "breaking in" can have multiple meanings, perhaps an option to look at is jailing each site. FreeBSD supports pretty reliable isolation of your web server into individual jails on the box. sysjail would be an alternative to look at for OpenBSD. DS
Re: multiple external links not working ..
Hi,

I'm using two external interfaces myself, and I believe I had the same problem you describe in your message. I bet when you do:

netstat -rnf inet | grep default

you will see that your (ext_if2 ext_gw2) comes on top. Thus, my theory is that the kernel is preferring your second external interface due to your routing table (i.e. the order of your default routes).

Since I don't know how to handle this in pf.conf for connections originating from my firewall, such as an http proxy running on the firewall, just as in your case too (otherwise route-to and reply-to work fine), I change my routing table in rc files. Specifically, I rearrange the order of my default routes to have my first external interface/gateway on top:

route add default -ifp ext_if1 -mpath ext_gw1
route add default -ifp ext_if2 -mpath ext_gw2

Accordingly, I removed the similar shell commands in hostname.if(5) files.

Hope this helps,

On Tue, 2007-01-23 at 08:36 -0800, S t i n g r a y wrote:
> Well thanks to everyone who help me coming close to using multiple external
> links for internet.
> but its still not working, my scenario is that i have 2 ISP's connection now
> the main internet connection is the powerful one which i only want to use
> for specific protocols which i have defined in a macro called ports now
> rest is supposed to goto to my 2nd internet connection which is a weak &
> cheap connection basically there to allow p2p applications access.
> Main internet is ext_if1 (xl0)
> slow internet is ext_if2 (xl2)
> LAN is int_if (xl1)
> now the problem is that when ever i apply my pf.conf file all the traffic
> goes to 2nd slow internet connection.
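The reply above pins the symptom on connections that originate on the firewall itself (the proxy that port-80 traffic is rdr'd to) and therefore follow the first default route instead of the route-to rules on the internal interface. Added example, not code from either poster: a shell/awk summariser for pflog output that makes that pattern measurable, by counting outbound records per interface and destination port and counting how many of them are sourced from the firewall's own address. The sample records are a handful copied from the original post; the xl2 address 203.81.235.185 is read from them.

```shell
# Added example, not from the thread: summarise where outbound flows in a
# pflog capture actually left, so "everything goes out xl2" becomes a number.
# The sample records are copied from the original post (a constructed subset).
SAMPLE_PFLOG='1169566778.398818 rule 18/(match) pass out on xl2: 203.81.235.185.5698 > 8.7.232.215.80: [|tcp] (DF)
1169566779.102642 rule 1/(match) pass in on xl1: 10.0.2.41.1601 > 10.0.0.1.8080: [|tcp] (DF)
1169566779.105302 rule 18/(match) pass out on xl2: 203.81.235.185.5672 > 216.143.70.77.80: [|tcp]
1169566779.457058 rule 2/(match) pass in on xl1: 10.0.2.7.2328 > 125.23.47.31.3460: [|tcp] (DF)
1169566779.457112 rule 21/(match) pass out on xl0: 10.0.2.7.2328 > 125.23.47.31.3460: [|tcp] (DF)
1169566780.475089 rule 22/(match) pass out on xl0: 10.0.1.19.138 > 10.0.255.255.138: udp 201
1169566780.652249 rule 18/(match) pass out on xl2: 203.81.235.185.44777 > 8.7.232.215.80: [|tcp] (DF)'

# Print "iface dport count" for every "pass out" record, sorted.  In the
# tcpdump pflog format used in the post, field 7 is the interface (with a
# trailing colon) and field 10 is the destination as host.port.
egress_by_iface_port() {
    awk '$4 == "pass" && $5 == "out" {
            iface = $7; sub(/:$/, "", iface)
            dst = $10; sub(/:$/, "", dst)
            n = split(dst, a, "."); port = a[n]
            count[iface " " port]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Count outbound records whose source host is the firewall itself ($1).
# Such flows were not forwarded on behalf of a LAN client: a daemon on the
# firewall opened them (here the proxy that port 80 is rdr'd to), so the
# route-to rules on the internal interface never saw them and the kernel
# picked whichever default route sits first in the routing table.
egress_from_host() {
    awk -v fw="$1" '$4 == "pass" && $5 == "out" {
            n = split($8, s, ".")
            host = s[1] "." s[2] "." s[3] "." s[4]
            if (host == fw) hits++
        }
        END { print hits + 0 }'
}

# On the firewall this would be fed by:  tcpdump -n -e -tt -i pflog0
# Here the constructed sample stands in for the live capture.
printf '%s\n' "$SAMPLE_PFLOG" | egress_by_iface_port
printf '%s\n' "$SAMPLE_PFLOG" | egress_from_host 203.81.235.185
```

Every port-80 flow in the sample leaves on xl2 and is sourced from the firewall's own address, while the directly forwarded LAN flows (10.0.2.7 and the broadcast UDP) leave on xl0, which is the split the reply above describes.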
Re: apache security
I had an idea but not sure if it's possible: section off and chroot each site into a folder of its own. Not sure if that's possible, to chroot each site to a diff dir or not; I think apache only allows you to chroot the process.

Maybe use permissions, diff user on each site, chmod to disallow writing from other users?

Just some thoughts I had, not sure if they are valid.

On 1/23/07, Almir Karic <[EMAIL PROTECTED]> wrote:
> what i would like to achieve is that on a shared host if bad guys (tm) break into one site they can't get to other sites.
>
> is this possible? i've been looking at su-exec but it is for cgi scripts only :/, what other options there are?
>
> AFAIK chroot is not the correct answer to my question as it protects the rest of the system from being exploited if one of the sites gets cracked but it can't protect one site from another...
>
> --
> almir

--
-Lawrence
-Student ID 1028219
-CCNA
Re: apache security
> Maybe use permissions, diff user on each site, chmod to disallow writing from other users?

that would solve the problem, but i have no idea how to achieve it, and google doesn't seem to like me :/. any hints?

--
almir
Re: apache security
Almir Karic wrote: what i would like to achieve is that on a shared host if bad guys (tm) break into one site they can't get to other sites. is this possible? i've been looking at su-exec but it is for cgi scripts only :/, what other options there are? AFAIK chroot is not the correct answer to my question as it protects the rest of the system from being exploited if one of the sites gets cracked but it can't protect one site from another... use a systrace-d shell, stsh. kind of a pain to get all the systrace policies in place, but very effective at achieving what you're after. cheers, jake
Re: uvm_fault
I have a similar problem. I would suspect it's my hdd or possibly RAM, because this only happens when I am trying to recompile the kernel, or install something from the ports tree. It panics with this error.

Jan 23 14:54:08 router /bsd: uvm_fault(0xd0767d20, 0x0, 0, 1) -> e
Jan 23 14:54:08 router /bsd: kernel: page fault trap, code=0
Jan 23 14:54:08 router /bsd: Stopped at pmap_page_remove_86+0x114: movl 0(%eax,%edx,4),%eax
Jan 23 14:54:08 router /bsd: ddb>

I have a core dump, but no real way to analyze it. This is very frustrating. System is an AMD Athlon 750, two NICs, 128MB RAM. Very basic system that I'm using for firewalling my home network. Running at 4.0 -stable, I've applied all patches in the errata section, but I can't recompile the kernel! I've had no indications of hdd or RAM failure, however. If anyone has any suggestions, please help.

Thank you,
Dale

From: [EMAIL PROTECTED] on behalf of Florian Fuessl
Sent: Fri 1/5/2007 7:47 AM
To: misc@openbsd.org
Subject: uvm_fault

Hi,

I have problems with an OpenBSD 3.9 GENERIC.MP#0 i386 machine causing uvm_fault crashes:

uvm_fault(0xd05cc640, 0xedbe2000, 0, 3) -> e
kernel page fault trap, code=0
Stopped at memset+0x33: repe stosl %es:(%edi)

The system in question is a Fujitsu Siemens Primergy P200 system with five network cards, four Intel PRO/1000MT (82546GB) [em0-3] and one Intel 8255x [fxp0]. It has an Adaptec 2100S RAID controller and 1.5 GB memory. Real memory usage is usually between "Memory: Real: 200M/336M".

Any ideas would be great, thanks for your time,
- Florian
Re: apache security
On Tue, Jan 23, 2007 at 05:44:38PM +0100, Almir Karic wrote:
> what i would like to achieve is that on a shared host if bad guys (tm)
> break into one site they can't get to other sites.
>
> is this possible? i've been looking at su-exec but it is for cgi
> scripts only :/, what other options there are?
>
> AFAIK chroot is not the correct answer to my question as it protects
> the rest of the system from being exploited if one of the sites gets
> cracked but it can't protect one site from another...

The simple solution is to not allow the web server to write anywhere but /tmp. There are other solutions to this problem, including suexec, but the above is surprisingly easy to pull off.

Joachim
VPN
I've checked and I've checked and I've checked. Please help!

I have an OpenBSD 4.0 firewall on a public network, let's say 1.2.3.4. It serves as a firewall/NAT box for an internal network, 192.168.1.0/24.

There's a server located behind that box, say, 192.168.1.100. I need to create a VPN to that server. (No, simply using a ssh tunnel won't work for various reasons!)

Is it possible to create a VPN from an outside Windows XP Pro machine to our private network using IPSEC? I've read the man pages and they all say how to create a VPN between two OpenBSD boxes. Fine, but that's not what I need. There was a page on openbsd.cz that's not there anymore.

Please, please help!

Never miss an email again! Yahoo! Toolbar alerts you the instant new Mail arrives. http://tools.search.yahoo.com/toolbar/features/mail/
Re: VPN
I am in the same scenario to be honest, just haven't really started digging that deep. If someone can provide this information we'd be GREATLY appreciative!

From: [EMAIL PROTECTED] on behalf of stupidmail4me
Sent: Tue 1/23/2007 3:06 PM
To: misc@openbsd.org
Subject: VPN

I've checked and I've checked and I've checked. Please help!

I have an OpenBSD 4.0 firewall on a public network, let's say 1.2.3.4. It serves as a firewall/NAT box for an internal network, 192.168.1.0/24.

There's a server located behind that box, say, 192.168.1.100. I need to create a VPN to that server. (No, simply using a ssh tunnel won't work for various reasons!)

Is it possible to create a VPN from an outside Windows XP Pro machine to our private network using IPSEC? I've read the man pages and they all say how to create a VPN between two OpenBSD boxes. Fine, but that's not what I need. There was a page on openbsd.cz that's not there anymore.

Please, please help!
Re: VPN
On 1/23/07, stupidmail4me <[EMAIL PROTECTED]> wrote:
> I've checked and I've checked and I've checked. Please help!
>
> I have an OpenBSD 4.0 firewall on a public network, let's say 1.2.3.4. It serves as a firewall/NAT box for an internal network, 192.168.1.0/24.
>
> There's a server located behind that box, say, 192.168.1.100. I need to create a VPN to that server. (No, simply using a ssh tunnel won't work for various reasons!)
>
> Is it possible to create a VPN from an outside Windows XP Pro machine to our private network using IPSEC? I've read the man pages and they all say how to create a VPN between two OpenBSD boxes. Fine, but that's not what I need. There was a page on openbsd.cz that's not there anymore.
>
> Please, please help!

You mean, how to set up IPSec on windows? 1 second on google found me: http://www.microsoft.com/technet/network/ipsec/default.mspx

Have fun
-Nick
Re: VPN
I tried setting up a VPN between WinXP and a little Linksys VPN router and the WinXP VPN capabilities were really horrible (the config tools too). So I found this program called SSH Sentinel which worked right away for me. But I repeat, I was connecting to a Linksys VPN Router, not OpenBSD so YMMV.

Simply enter 'SSHSentinel1.3.2.2.exe' in google and you should find quite a few links to download it. That version was free, but the company stopped releasing it to make more money or something so it's not the latest, but it worked very well for me.

Jd

On 1/23/07, stupidmail4me <[EMAIL PROTECTED]> wrote:
> I've checked and I've checked and I've checked. Please help!
>
> I have an OpenBSD 4.0 firewall on a public network, let's say 1.2.3.4. It serves as a firewall/NAT box for an internal network, 192.168.1.0/24.
>
> There's a server located behind that box, say, 192.168.1.100. I need to create a VPN to that server. (No, simply using a ssh tunnel won't work for various reasons!)
>
> Is it possible to create a VPN from an outside Windows XP Pro machine to our private network using IPSEC? I've read the man pages and they all say how to create a VPN between two OpenBSD boxes. Fine, but that's not what I need. There was a page on openbsd.cz that's not there anymore.
>
> Please, please help!
Re: VPN
test wrote:
> I am in the same scenario to be honest, just haven't really started digging that deep. If someone can provide this information we'd be GREATLY appreciative!

this has been beaten to death, please search the archives.

> I've checked and I've checked and I've checked. Please help!
>
> I have an OpenBSD 4.0 firewall on a public network, let's say 1.2.3.4. It serves as a firewall/NAT box for an internal network, 192.168.1.0/24.
>
> There's a server located behind that box, say, 192.168.1.100. I need to create a VPN to that server. (No, simply using a ssh tunnel won't work for various reasons!)
>
> Is it possible to create a VPN from an outside Windows XP Pro machine to our private network using IPSEC? I've read the man pages and they all say how to create a VPN between two OpenBSD boxes. Fine, but that's not what I need. There was a page on openbsd.cz that's not there anymore.
>
> Please, please help!
Re: VPN
Hi,

I used the following documentation to figure this type of vpn out the first time. It was my starting point.

http://www.cs.umd.edu/~mvanopst/xp2obsd.pdf

It talks about using Certificate Authentication but much of the doc can be skipped if you want to use shared key auth instead. The windows vpn client took me a bit to wrap my head around (more so than the obsd side of it) but I found this doc explained it pretty well. Thegreenbow also worked well for us as a client side winxp vpn app.

What the doc didn't explain to me was how to config the firewall for the ipsec/isakmpd vpn. To figure out that part I did lots of:

tcpdump -e -vvv -i pflog0

And I can't forget the multiple readings of "man ipsec" and all the further man pages in ipsec's "SEE ALSO" section.

Hope that all helps you some... It's what got me up and working. Wasn't the easiest thing I've ever done on a 'puter but sure felt good when I saw that first valid connection =)

Cheers,
Chris

On Tuesday 23 January 2007 12:06, stupidmail4me wrote:
> I've checked and I've checked and I've checked. Please
> help!
>
> I have an OpenBSD 4.0 firewall on a public network,
> let's say 1.2.3.4. It serves as a firewall/NAT box for
> an internal network, 192.168.1.0/24.
>
> There's a server located behind that box, say,
> 192.168.1.100. I need to create a VPN to that server.
> (No, simply using a ssh tunnel won't work for various
> reasons!)
>
> Is it possible to create a VPN from an outside Windows
> XP Pro machine to our private network using IPSEC?
> I've read the man pages and they all say how to create
> a VPN between two OpenBSD boxes. Fine, but that's not
> what I need. There was a page on openbsd.cz that's not
> there anymore.
>
> Please, please help!

--
Number 41 Media Corporation
First Floor - 612 View Street
Victoria BC V8W 1J5
T 250.414.0410 F 250.414.0411
number41media.com
Re: VPN
On Jan 23, 2007, at 4:52 PM, Jean-Daniel Beaubien wrote: I tried setting up a VPN between WinXP and a litle Linksys VPN router and the WinXP VPN capabilities were really horrible (the config tools too). So I found this program called SSH Sentinel which worked right away for me. But I repeat, I was connecting to a Linksys VPN Router, not OpenBSD so YMMV. Simply enter 'SSHSentinel1.3.2.2.exe' in google and you should find quite a few links to download it. That version was free, but the company stopped releasing it to make more money or something so it's not the latest, but it worked very well for me. To be historically accurate, SSH Sentinel was purchased by SafeNet. SafeNet already had their own line of VPN client software (SoftRemote), so Sentinel was discontinued. http://www.ssh.com/company/news/article/484/ -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net
Re: VPN
Think the other way around. I'd like to be able to configure my OpenBSD firewall to also act as a "VPN Gateway", so I can connect to that from XP Pro remotely using the external IP, so I can access resources inside my network. I used to use a Server 2003 box sitting inside the network, but have since turned that box into a FC5 workstation.

I'd looked all over for a way to do that but can't seem to make it work.

From: [EMAIL PROTECTED] on behalf of Nick Guenther
Sent: Tue 1/23/2007 4:51 PM
To: OpenBSD-Misc
Subject: Re: VPN

On 1/23/07, stupidmail4me <[EMAIL PROTECTED]> wrote:
> I've checked and I've checked and I've checked. Please
> help!
>
> I have an OpenBSD 4.0 firewall on a public network,
> let's say 1.2.3.4. It serves as a firewall/NAT box for
> an internal network, 192.168.1.0/24.
>
> There's a server located behind that box, say,
> 192.168.1.100. I need to create a VPN to that server.
> (No, simply using a ssh tunnel won't work for various
> reasons!)
>
> Is it possible to create a VPN from an outside Windows
> XP Pro machine to our private network using IPSEC?
> I've read the man pages and they all say how to create
> a VPN between two OpenBSD boxes. Fine, but that's not
> what I need. There was a page on openbsd.cz that's not
> there anymore.
>
> Please, please help!

You mean, how to set up IPSec on windows? 1 second on google found me: http://www.microsoft.com/technet/network/ipsec/default.mspx

Have fun
-Nick
Re: authpf shell at startup
On Tue, Jan 23, 2007 at 01:48:36PM -0500, Daniel Barowy wrote:
> Daniel Barowy wrote:
> > The Rogue Fugu wrote:
> > > You can make it run a shell script using this procedure:
> > > 1) Create a directory called MyApp.app
> > > 2) Create a directory within MyApp.app called Contents
> > > 3) Create a directory within Contents called MacOS
> > > 4) Place your shell script within the MacOS directory and call it MyApp
> > >
> > > mac os will recognize it as an application.
> > >
> Oops. Sorry-- did not mean to CC the list on this. Ignore.

No apologies necessary. It was very entertaining to see how you do a 'chmod +x' on MacOS.
Re: VPN
stupidmail4me wrote:
> I've checked and I've checked and I've checked. Please help!
>
> I have an OpenBSD 4.0 firewall on a public network, let's say 1.2.3.4. It serves as a firewall/NAT box for an internal network, 192.168.1.0/24.
>
> There's a server located behind that box, say, 192.168.1.100. I need to create a VPN to that server. (No, simply using a ssh tunnel won't work for various reasons!)
>
> Is it possible to create a VPN from an outside Windows XP Pro machine to our private network using IPSEC? I've read the man pages and they all say how to create a VPN between two OpenBSD boxes. Fine, but that's not what I need. There was a page on openbsd.cz that's not there anymore.

http://openvpn.net/
http://www.openbsd.org/faq/pf/rdr.html

I love OpenVPN.

Matt
Re: VPN
On 4:12 pm 01/23/07 "test" <[EMAIL PROTECTED]> wrote:
> Think the other way around. I'd like to be able to configure my
> OpenBSD firewall to also act as a "VPN Gateway", so I can connect to
> that from XP Pro remotely using the external IP, so I can access
> resources inside my network. I used to use a Server 2003 box sitting
> inside the network, but have since turned that box into a FC5
> workstation.
>
> I'd looked all over for a way to do that but can't seem to make it
> work.

I found Poptop on OpenBSD to be a good solution. It is most probably not as secure/configurable as IPSec but if you just like to use default Windows XP tools and access resources inside the corporate network from the Internet etc. it may be worth looking into. At a client site, I set up IPSec, OpenVPN, and Poptop and the admins there prefer poptop due to the lower overhead in configuring XP. It is in the packages as well so very easy to set up and test.

Vijay

> From: [EMAIL PROTECTED] on behalf of Nick Guenther
> Sent: Tue 1/23/2007 4:51 PM
> To: OpenBSD-Misc
> Subject: Re: VPN
>
> On 1/23/07, stupidmail4me <[EMAIL PROTECTED]> wrote:
> > I've checked and I've checked and I've checked. Please
> > help!
> >
> > I have an OpenBSD 4.0 firewall on a public network,
> > let's say 1.2.3.4. It serves as a firewall/NAT box for
> > an internal network, 192.168.1.0/24.
> >
> > There's a server located behind that box, say,
> > 192.168.1.100. I need to create a VPN to that server.
> > (No, simply using a ssh tunnel won't work for various
> > reasons!)
> >
> > Is it possible to create a VPN from an outside Windows
> > XP Pro machine to our private network using IPSEC?
> > I've read the man pages and they all say how to create
> > a VPN between two OpenBSD boxes. Fine, but that's not
> > what I need. There was a page on openbsd.cz that's not
> > there anymore.
> >
> > Please, please help!
>
> You mean, how to set up IPSec on windows? 1 second on google found me:
> http://www.microsoft.com/technet/network/ipsec/default.mspx
>
> Have fun
>
> -Nick

Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone +1 (204) 885-9535, E-Mail: [EMAIL PROTECTED]
sendmail: "forcing" relaying
i need to force a remote host with sendmail to relay all outbound SMTP through a local postfix, instead of delivering it itself. the config is as follows:

host w/ postfix ---VPN--- host w/ sendmail
a.k.a. posthost           a.k.a. sendhost

when email is sent to mydomain.com, a domain of mine, from sendhost, it ends up at posthost since posthost is the mailserver for mydomain.com. however, when email is sent to a remote domain, say hotmail.com, it is sent directly from sendhost to hotmail.com without routing through posthost.

i need to force sendhost to relay outbound mail through posthost instead of sending it to hotmail.com itself.

clues appreciated.

cheers,
jake
Re: sendmail: "forcing" relaying
Jacob Yocom-Piatt wrote:
> i need to force a remote host with sendmail to relay all outbound SMTP through a local postfix, instead of delivering it itself. the config is as follows:
>
> host w/ postfix ---VPN--- host w/ sendmail
> a.k.a. posthost           a.k.a. sendhost
>
> when email is sent to mydomain.com, a domain of mine, from sendhost, it ends up at posthost since posthost is the mailserver for mydomain.com. however, when email is sent to a remote domain, say hotmail.com, it is sent directly from sendhost to hotmail.com without routing through posthost.
>
> i need to force sendhost to relay outbound mail through posthost instead of sending it to hotmail.com itself.
>
> clues appreciated.

i have been informed offlist by a kindly individual that the sendmail option to use is SMART_HOST.

cheers,
jake
Re: authpf shell at startup
On 1/23/07, Mark Zimmerman <[EMAIL PROTECTED]> wrote:
> On Tue, Jan 23, 2007 at 01:48:36PM -0500, Daniel Barowy wrote:
> > Daniel Barowy wrote:
> > > The Rogue Fugu wrote:
> > > > You can make it run a shell script using this procedure:
> > > > 1) Create a directory called MyApp.app
> > > > 2) Create a directory within MyApp.app called Contents
> > > > 3) Create a directory within Contents called MacOS
> > > > 4) Place your shell script within the MacOS directory and call it MyApp
> > > >
> > > > mac os will recognize it as an application.
> > > >
> > Oops. Sorry-- did not mean to CC the list on this. Ignore.
>
> No apologies necessary. It was very entertaining to see how you do a 'chmod +x' on MacOS.

I figure you're just poking fun at MacOS but chmod +x on OS X is chmod +x. It looks like the above just makes an application bundle so one can double-click on it from the GUI.

Greg
Re: Low power barebone: MSI Axis 700 Lite with fanless VIA C7 1GHz
Constantine A. Murenin wrote:
> Hi,
>
> Anyone tried subj?
>
> http://www.newegg.com/Product/Product.asp?Item=N82E16856167012
> http://www.msicomputer.com/product/p_spec.asp?model=Axis_700_Lite
>
> It looks pretty-pretty nice, and goes for a very reasonable price -- about 202,32 USD delivered for a complete barebone -- it includes case, PSU, mini-ITX motherboard and a fanless VIA C7 1GHz CPU. It even has two serial ports and accepts one full-size PCI card!
>
> If anyone has any experience with this system, a dmesg and `sysctl hw.sensors` along with some acoustical descriptions would be really neat. (I suspect that this candy may have a non-controllable fan in the PSU, which would mean that it may not be 100% quiet in a living room / bedroom setting.)
>
> Cheers,
> Constantine.

With the hard drive, cdrom, and nic (re0) in the pci slot it draws 25watts, 21watts without. The PSU Fan is typical noise wise. It did not want to boot from a USB thumb drive.

sysctl hw.sensors
hw.sensors.0=lm0, VCore A, 2.00 V DC
hw.sensors.1=lm0, VCore B, 3.79 V DC
hw.sensors.2=lm0, +3.3V, 3.26 V DC
hw.sensors.3=lm0, +5V, 5.48 V DC
hw.sensors.4=lm0, +12V, 12.29 V DC
hw.sensors.5=lm0, -12V, -12.86 V DC
hw.sensors.6=lm0, -5V, -4.88 V DC
hw.sensors.7=lm0, Temp1, 36.00 degC

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Esther processor 1000MHz ("CentaurHauls" 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3,EST,TM2
cpu0: unknown Enhanced SpeedStep CPU, msr 0x08100a1308000a13
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 1000 MHz (1004 mV): speeds: 1000, 800 MHz
cpu0: RNG AES AES-CTR SHA1 SHA256 RSA
real mem = 468217856 (457244K)
avail mem = 419028992 (409208K)
using 4256 buffers containing 23515136 bytes (22964K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(db) BIOS, date 10/31/06, BIOS32 rev. 0 @ 0xf92c0, SMBIOS rev. 2.3 @ 0xf0800 (33 entries)
bios0: MICRO-STAR INTERNATIONAL CO., LTD MS-7199
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xbdd4
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfbd50/128 (6 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 6 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT8237 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xfe00
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA CN700 Host" rev 0x00
pchb1 at pci0 dev 0 function 1 "VIA CN700 Host" rev 0x00
pchb2 at pci0 dev 0 function 2 "VIA CN700 Host" rev 0x00
pchb3 at pci0 dev 0 function 3 "VIA PT890 Host" rev 0x00
pchb4 at pci0 dev 0 function 4 "VIA CN700 Host" rev 0x00
pchb5 at pci0 dev 0 function 7 "VIA CN700 Host" rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA VT8377 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "VIA S3 Unichrome PRO IGP" rev 0x01: aperture at 0xf400, size 0x1000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pciide0 at pci0 dev 15 function 0 "VIA VT6420 SATA" rev 0x80: DMA
pciide0: using irq 11 for native-PCI interrupt
pciide1 at pci0 dev 15 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide1 channel 0 drive 0:
wd0: 16-sector PIO, LBA, 19536MB, 40010544 sectors
atapiscsi0 at pciide1 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 4
cd0(pciide1:0:1): using PIO mode 4, DMA mode 2
pciide1: channel 1 ignored (disabled)
uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x81: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x81: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x81: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 16 function 3 "VIA VT83C572 USB" rev 0x81: irq 11
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 16 function 4 "VIA VT6202 USB" rev 0x86: irq 5
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: VIA EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
viapm0 at pci0 dev 17 function 0 "VIA VT8237 ISA" rev 0x
Re: authpf shell at startup
It also allows the app to be started on login. A shell script on its own won't start up when added to startup items, best case it opens the default text editor.

Greg Thomas wrote:
> On 1/23/07, Mark Zimmerman <[EMAIL PROTECTED]> wrote:
> > On Tue, Jan 23, 2007 at 01:48:36PM -0500, Daniel Barowy wrote:
> > > Daniel Barowy wrote:
> > > > The Rogue Fugu wrote:
> > > > > You can make it run a shell script using this procedure:
> > > > > 1) Create a directory called MyApp.app
> > > > > 2) Create a directory within MyApp.app called Contents
> > > > > 3) Create a directory within Contents called MacOS
> > > > > 4) Place your shell script within the MacOS directory and call it MyApp
> > > > >
> > > > > mac os will recognize it as an application.
> > > > >
> > > Oops. Sorry-- did not mean to CC the list on this. Ignore.
> >
> > No apologies necessary. It was very entertaining to see how you do a 'chmod +x' on MacOS.
>
> I figure you're just poking fun at MacOS but chmod +x on OS X is chmod +x. It looks like the above just makes an application bundle so one can double-click on it from the GUI.
>
> Greg

--
Joel Goguen
Bachelor of Computer Science III
University of New Brunswick
http://iapetus.dyndns.org/
Re: apache security
Almir Karic wrote:
> what i would like to achieve is that on a shared host if bad guys (tm)
> break into one site they can't get to other sites.

if "get to"=look at, this is probably pointless. Unless it is an authentication-protected site, the information is usually spread around by various browser "tool bars" and spyware and is probably more public than the "secretive" site owner thinks.

> is this possible? i've been looking at su-exec but it is for cgi
> scripts only :/, what other options there are?
>
> AFAIK chroot is not the correct answer to my question as it protects
> the rest of the system from being exploited if one of the sites gets
> cracked but it can't protect one site from another...

BY DEFAULT... chroot not only protects the rest of the system, but also protects the website(s) itself.

http://www.openbsd.org/faq/faq10.html#httpdchroot

". . . the starting configuration of the OpenBSD chroot(2)ed Apache is where the user the httpd(8) program is running as can not run any programs, can not alter any files, and can not assume another user's identity."

IF you maintain that rule, your system is pretty darned secure, as even if someone knocks over httpd, all they can do is LOOK at other sites, they can't deface them.

Nick.
Re: apache security
On Tue, Jan 23, 2007 at 05:44:38PM +0100, Almir Karic wrote:
> is this possible? i've been looking at su-exec but it is for
> cgi scripts only :/, what other options there are?

If you can run the app(s) with FastCGI (most PHP stuff I have tried does), another option is to use suexec wrapper for dynamic FastCGI processes. If you configure the FastCGI processes to die quickly, and you have many low volume sites, it is not a big RAM hit.

m
PlayStation 3
I do apologize in advance if this is not appropriate discussion for this list, but I've been having problems with my PS3 sitting behind my OpenBSD 4.0 machine with pf using nat.

Until I do some more "reverse engineering" (in a sense) on how this retarded PS3 actually works on a network, I won't bother asking any technical questions about why something may or may not be working.

Rather, my question is, have any of you successfully configured pf to allow your PS3 to join hosted games more than 0.1 percent of the time? If you feel this is unfit for discussion on misc@, feel free to just email me directly. Thanks!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of stupidmail4me
Sent: Tuesday, January 23, 2007 12:06 PM
To: misc@openbsd.org
Subject: VPN

I've checked and I've checked and I've checked. Please help!

I have an OpenBSD 4.0 firewall on a public network, let's say 1.2.3.4. It serves as a firewall/NAT box for an internal network, 192.168.1.0/24.

There's a server located behind that box, say, 192.168.1.100. I need to create a VPN to that server. (No, simply using a ssh tunnel won't work for various reasons!)

Is it possible to create a VPN from an outside Windows XP Pro machine to our private network using IPSEC? I've read the man pages and they all say how to create a VPN between two OpenBSD boxes. Fine, but that's not what I need. There was a page on openbsd.cz that's not there anymore.

Please, please help!
set obsd 3.9 as dns server
Dear all,

I have obsd 3.9 and I want to set it up as the DNS name server for my public IP and my domain. I tried to follow the steps on openbsdsupport.org, but until now I always get errors like "lame server" etc. So where can I get a good tutorial about setting up obsd as a name server for my public IP and my domain?

-sonjaya-
http://sicute.blogspot.com
Re: PlayStation 3
Abraham Rolick wrote:
> I do apologize in advance if this is not appropriate discussion for this
> list, but I've been having problems with my PS3 sitting behind my
> OpenBSD 4.0 machine with pf using nat.
>
> Until I do some more "reverse engineering" (in a sense) on how this
> retarded PS3 actually works on a network, I won't bother asking any
> technical questions about why something may or may not be working.
>
> Rather, my question is, have any of you successfully configured pf to
> allow your PS3 to join hosted games more than 0.1 percent of the time?
> If you feel this is unfit for discussion on misc@, feel free to just
> email me directly. Thanks!

The key in getting it to work is "UPNP", thus something like:

http://upnp.sourceforge.net/
http://linux-igd.sourceforge.net/

Most 'normal' NAT's nowadays support it, most Windows boxes use it etc, thus most homes have it and it enables the opening of ports on the NAT box so that they get forwarded to the internal box that requests it.

See amongst others:
http://forums.linksys.com/linksys/board/message?board.id=Wireless_Routers&message.id=18300

As most parts of the world can't even get PS3's: enjoy it ;)

Greets,
Jeroen
Re: PlayStation 3
On Tue, Jan 23, 2007 at 05:06:20PM -0800, Abraham Rolick wrote:
>
> Rather, my question is, have any of you successfully configured pf to
> allow your PS3 to join hosted games more than 0.1 percent of the time?
> If you feel this is unfit for discussion on misc@, feel free to just
> email me directly. Thanks!

if the ps3 games are like the ps2 games i poked with, ensure to use 'static-port' on the nat rules applicable to the outgoing traffic for the game.
Re: set obsd 3.9 as dns server
On 1/23/07, sonjaya <[EMAIL PROTECTED]> wrote:
> Dear all,
>
> I have obsd 3.9 and I want to set it up as the DNS name server for my public IP and my domain. I tried to follow the steps on openbsdsupport.org, but until now I always get errors like "lame server" etc. So where can I get a good tutorial about setting up obsd as a name server for my public IP and my domain?

Tutorials aren't a big thing here. OpenBSD ships with the BIND DNS server software. Read up:

http://www.isc.org/index.pl?/sw/bind/

DS
Re: PlayStation 3
On Wed, 24 Jan 2007, Jeroen Massar wrote:
> The key in getting it to work is "UPNP", thus something like:
>
> http://upnp.sourceforge.net/
> http://linux-igd.sourceforge.net/

a more OpenBSDish implementation seems to be http://miniupnp.free.fr/

NB. I have never used it, or any form of uPNP (nor would I)
atactl smartstatus to email other than cron user
Using cron and atactl to email smartstatus errors to an email address other than cron user:

-

I was playing with the suggestion in the man page for atactl and smart status. After using rc.local to make sure smart is enabled, something like

echo -n 'wd0: '
/sbin/atactl wd0 smartenable
/sbin/atactl wd0 smartstatus

Now to put something in crontab to hourly check for errors, per suggestion of man page for atactl I could use:

0 * * * * /sbin/atactl /dev/wd0c smartstatus >/dev/null

And the error will email to root, or, if the variable [EMAIL PROTECTED] is set, all error messages from cron will go there :(

I can see where I might want some tasks to email standard error messages to other than the cron user or MAILTO, like sending an email to a pager or other alert email box. Thus the question, how to edit cron task to send normal output to null but email error messages...

Handling outputs: if I remember, and a quick google found a page that seems to confirm, http://ibmdocs.ncep.noaa.gov/userman/cron.html suggests 1> should be standard and 2> should be errors, so we should be able to do something like

0 * * * * /sbin/atactl /dev/wd0c smartstatus 1>/dev/null 2>mail -s "wd0 ERRORS on serverXYZ" [EMAIL PROTECTED]

Other than using up your pager allotment, does anyone see a problem doing it this way? Please correct. If a server is not raid, and using cheaper ide/sata drives, this might be a useful way to be urgently notified of a hard drive that may fail.

-

cheers
Re: atactl smartstatus to email other than cron user
Here's an example that will help you solve your problem:

((echo true; echo false >&2) >/dev/null ) 2>&1 | less

# Han
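The redirection question above and Han's one-liner, worked through as an added example (not code from the thread): the atactl and mail commands are replaced by constructed stand-ins so it runs offline, and the recipient pager@example.org and the subject line are assumed placeholders. It also shows what the `2>mail -s "..." addr` form from the question actually does.

```shell
#!/bin/sh
# Added example, not code from the thread. Mails ONLY the stderr of an hourly
# SMART check, i.e. the crontab line shape
#   0 * * * * /sbin/atactl wd0 smartstatus 2>&1 >/dev/null | mail -s "wd0 ERRORS on serverXYZ" pager@example.org
# Recipient and subject are constructed placeholders.

# Constructed stand-in for '/sbin/atactl wd0 smartstatus': a status line on
# stdout, and an error line on stderr only when called with "fail".
fake_smartstatus() {
    echo "wd0: SMART status: enabled, no errors"
    if [ "$1" = "fail" ]; then
        echo "wd0: SMART status: FAILED, reallocated sector count exceeded" >&2
    fi
}

# Constructed stand-in for 'mail -s subject recipient': prints what it would
# send instead of sending. It deliberately sends nothing for an empty body:
# a real mail(1) fed an empty pipe still sends an (empty) message every hour,
# so in production add the same guard or key on the exit status instead.
fake_mail() {
    body=$(cat)
    [ -n "$body" ] || return 0
    printf 'To: %s\nSubject: %s\n%s\n' "$2" "$1" "$body"
}

# Correct form. '2>&1' first points stderr at the pipe, then '>/dev/null'
# discards stdout only, so the mailer receives just the error text.
smart_errors_to_mail() {
    fake_smartstatus "$1" 2>&1 >/dev/null |
        fake_mail "wd0 ERRORS on serverXYZ" "pager@example.org"
}

# Reversed order, a common slip: '>/dev/null 2>&1' sends stderr to /dev/null
# too, so the mailer never sees the failure.
reversed_order() {
    fake_smartstatus "$1" >/dev/null 2>&1 |
        fake_mail "wd0 ERRORS on serverXYZ" "pager@example.org"
}

# The form from the question, '2>mail -s "..." addr': the shell treats 'mail'
# as a FILE to redirect stderr into and passes '-s', the subject and the
# address as extra arguments to the command. Nothing is mailed; the error
# lands in ./mail. Runs in a scratch directory and prints that file.
question_form() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && fake_smartstatus "$1" 1>/dev/null 2>mail -s "wd0 ERRORS on serverXYZ" pager@example.org )
    cat "$dir/mail"
    rm -rf "$dir"
}

smart_errors_to_mail fail
```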
Re: atactl smartstatus to email other than cron user
On Wed, 24 Jan 2007, Paul Pruett wrote:
> Using cron and atactl to email smartstatus errors
> to an email address other than cron user:
...

I use the following script to help with cron stuff, it can do what you want.

-d

---
#!/bin/sh
# Helper for cron(8) to send mail only if command terminates abnormally.
# Also allows you to specify a different recipient.

usage() {
	echo "Usage: cronmail.sh [-h] [-r recipient] command [args...]" 1>&2
	exit 1
}

args=`getopt hr: $*`
[ $? -ne 0 ] && usage
set -- $args
for o ; do
	case "$o" in
	-h) usage;;
	-r) RECIPIENT=$2; shift; shift;;
	--) shift; break;;
	esac
done

# Need at least one argument (command)
[ -z "$1" ] && usage

# Explicit Xs in the template keep this working across mktemp(1) flavours.
OUTTMP=`mktemp -t cronmail.out.XXXXXXXXXX`
if [ $? -ne 0 ]; then
	# Fall back to executing the command with unredirected output
	exec "$@"
fi

# Capture stdout and stderr together; they are only delivered on failure.
"$@" >$OUTTMP 2>&1
RC=$?
if [ $RC -ne 0 ]; then
	if [ -z "$RECIPIENT" ]; then
		# No -r given: emit the output so cron(8) mails the cron user as usual
		cat $OUTTMP
	else
		mail -s "Failed cron command $1" $RECIPIENT < $OUTTMP
	fi
fi
rm $OUTTMP
exit $RC
Re: OpenBSD on software raid
On 1/23/07 1:13 AM, Thomas Alexander Frederiksen wrote:
> doc Hyde skrev:
>
>> Can anyone help me please?
>> Thank you.
>
> Google can...
>
> http://www.eclectica.ca/howto/openbsd-software-raid-howto.php
>
> These are the steps you are most likely to have missed:
>
> # raidctl -a /dev/sd0d raid0
> # raidctl -vF component0 raid0
> # raidctl -vP raid0
>
> Reboot after the last step, and you're good to go.

I built a Sparc64 RAIDframe system with SCSI disks, making these few changes from Marcus Redivo's howto:

1. Change "wd" to "sd" to reference scsi disks. For example, sd0a, sd1d, and so on.

2. There is no fdisk for sparc64, and the installboot procedure is a little different; see the boot_sparc64 and installboot manpages. Here are the commands I used for Marcus' section on making the second disk bootable:

# newfs /dev/rsd1a
# mount /dev/sd1a /mnt
# cp /bsd /mnt/bsd
# cp /usr/mdec/ofwboot /mnt/ofwboot
# /usr/mdec/installboot /usr/mdec/bootblk /dev/rsd1c

And, while not sparc64-specific, I made a couple of other minor changes:

3. Under "Make a RAID-Capable Kernel" I applied all relevant patches to the source tree before building the new kernel. No point in going through that exercise twice...

4. Under "Second Disk Setup," I sped up newfs setup with a for loop:

# for i in a d e f g; do newfs raid0${i}; done

dn
Re: amavisd-new under OpenBSD 4.0
> "Bob" == Bob Eby <[EMAIL PROTECTED]> writes:

Bob> Instead, I'm going to follow Mr. Roberts' advice and try out a base
Bob> system with spamd and greylisting. In the mean time, while such a
Bob> system is keeping my few users afloat, I'll see if I can come up with
Bob> something more tailored to our situation.

If you have a spare IP address or two, you can also consider low-MX and high-MX traps. I've been using a high-MX trap for two years, and it eliminates about half of my spam. I just recently learned about low-MX traps, and am anxious to try that as well.

Basically, you need to turn off the mailer on your A record, and point your lowest MX value at that same IP. Spammers will try to deliver here, and fail. Legitimate mailers will roll over to...

Have a mid-range MX pointing at your actual mailer on a *different* IP. Ideally, this should be the same machine, so that you get consistent results with the following...

Have a hi-range MX pointing at a different IP *with a mailer listening*. This mailer should return 450 for all mail, but also block that IP for an hour or so from reaching either your actual mailer IP or your hi-range MX ip again (temporary blacklist using PF, preferably on a separate ingress machine if you can).

These "lightning rods" attract the spammers, while allowing normal RFC-compliant mail to get through.

Like I said, I've been VERY happy with my high-MX trap for over two years.

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
2 gateway in OBSD 4.0
Dear All,

Is there any possible way to use 2 gateways in and out without using a routing protocol such as bgp/ospf? Because I have two connections to the Internet. Basic diagram:

            |--gw01--|
 internet --|        |-- obsd 4.0 --- LAN
            |--gw02--|

- 2 public IPs
- 1 server obsd 4.0 with 3 network cards
- 2 gw boxes

I plan obsd 4.0 for:
1. ns server which has 2 public IPs from 2 ISPs

The question I want to ask: how to set 2 gw without having bgp/ospf access?

-sonjaya-
Re: 2 gateway in OBSD 4.0
On 1/23/07, sonjaya <[EMAIL PROTECTED]> wrote:
> Dear All,
>
> Is there any possible way to use 2 gateways in and out without using a routing protocol such as bgp/ospf? Because I have two connections to the Internet. Basic diagram:
>
>             |--gw01--|
>  internet --|        |-- obsd 4.0 --- LAN
>             |--gw02--|
>
> - 2 public IPs
> - 1 server obsd 4.0 with 3 network cards
> - 2 gw boxes
>
> I plan obsd 4.0 for:
> 1. ns server which has 2 public IPs from 2 ISPs
>
> The question I want to ask: how to set 2 gw without having bgp/ospf access?

I'm surprised no one has asked this question before. Oh, wait, oh, yeah, someone just discussed that scenario this week.

http://www.openbsd.org/faq/pf/pools.html#outgoing

Greg