Pour vous ou votre entourage

[OptiVente]

Bonjour  
 
Nous espirons que l'information suivante pourra vous jtre utile, ou ` difaut 
aider une personne de votre entourage?
Savez-vous qu'il existe des aides financihres publiques, pour votre 
diveloppement commercial pour lesquelles vous jtes peut-jtre iligible?
Pour vous aider nous organisons :
Des riunions dinformation pour votre diveloppement commercial, et pour des 
subventions publiques
Des ateliers thimatiques pour jtre encore plus efficace sur certaines itapes de 
vos ventes : Pour en savoir plus
Si les liens regus ne fonctionnent pas, vous acchderez aux informations sur les 
subventions, riunions d'informations et ateliers par le site www.optivente.com.

N'hisitez pas ` nous contacter. Bonne continuation dans vos activitis.

Cordialement

Thierry CRAYE
Girant OptiVente
01 46 89 07 32

Vous recevez ce mail, car sauf erreur de notre part vous jtes impliqui dans des 
actions commerciales. Si ce mail ne vous concerne pas, veuillez nous en 
excuser, vous pouvez vous disisncrire de nos envois d'informations: [EMAIL 
PROTECTED]

Supermicro retailer

[Francois Slabbert]

Hi all,

Does anyone know of a reliable online retailer that sells Supermicro
motherboards and ships internationally, courrier shipping is essential. I'm
resident in South Africa and would like the minimum amount of hassle and
back and forth shipping fees, etc, etc.

Thanks in advance


--
This e-mail and its contents are subject to AfriGIS PTY Limited
e-mail disclaimer at
http://www.afrigis.co.za/eMailDisclaimer
--

Re: SSH client (putty) hangs after name/password login

[forums]

Hello Frank,

DNS resolving works fine :-) 

On the outside (internet) the system can resolve
the ip address I am coming from via public DNS servers. 

TCPDUMP gives me the correct hostname/ipaddress when the logon happens.

The resolv.conf has 2 external DNS servers and 1 Internal one for internal
resolving.

But just to be sure I added my own PC (hostname) into the hosts. file...
Ping the name and he resolves ok...

makes no differanceremember, if I logon locally (from the LOCAL network
that is, not on the console) it works fine. Also, I changed the SSHD.CONF
with the "useDNS NO" parameter.
So, it will not try to resolve with that parameter active (at least, thats
what it does I think).

I have no problem logging in...but after I pressed ENTER on the
password...it freezes...

PS -X shows me being logged in however...

-

If this is a MTU issue...then that would not explain that I cannot logon via
the Tunnel :

MYPC <172.17.21.1> ---> VPNBOX (OBSD3.8) <=Tunnel==> VPNBOX
(OBSD3.8) <192.168.80.103>
SSHClient
>
SSHD

The SSH traffic is then encapsulated into the VPN stream like all other
traffic (mainly RDP/ICA)
Those other protocols have no problems (and use, i think, much bigger
packets then SSH).


-Oorspronkelijk bericht-
Van: Frank Bax [mailto:[EMAIL PROTECTED] 
Verzonden: dinsdag 6 februari 2007 15:56
Aan: misc@openbsd.org
Onderwerp: Re: SSH client (putty) hangs after name/password login

At 09:03 AM 2/6/07, forums wrote:
>I get the logon prompt, give my name+password and then the SSH just 
>sits there...
>Nothing happens anymore...(after a while it times out)


http://openbsd.org/faq/faq8.html#RevDNS

Re: SSH client (putty) hangs after name/password login

[forums]

Hello Dag,

"
nohup kill -HUP pid-of-sshd-listener-process
should get it for you
or if you are really (justifiably) paranoid a little temporary cron that
will restart sshd if not running, or in five minutes.
"

Ok, i will first set this up on a test machine...

thing is, as logging on from the local LAN gives no problem...will it show
anything...
ok, we wont know if i dont trace...:-)



-Oorspronkelijk bericht-
Van: Dag Richards [mailto:[EMAIL PROTECTED] 
Verzonden: dinsdag 6 februari 2007 17:06
Aan: misc@openbsd.org
Onderwerp: Re: SSH client (putty) hangs after name/password login

Brian A. Seklecki wrote:
>> Hello Brian,
>>
>> Not quite sure what you mean with pstree...don't know the command and 
>> no 'man pstree' on my 3.8 system..?
> 
> It's in the psmisc/ package
> 
>> Note that I no problems logging into the system while on the local 
>> network (doing this via a PC that I remotely manage). When I do a SSH 
>> session (via the VPN
>> tunnel) on the INSIDE
>> of the OBSD box, I get the same problem(using the same account).
> 
> Okay I must be asleep again.  I thought we eliminated pf(4) as the 
> problem.  Technically if you can negotiate a 3-way handshake and 
> establish the TCP socket, MTU should be a non-issue.
> 
> What about "netstat -s".  Anything suspicious (grep -i drop) for 
> sections esp: tcp: ip: icmp: etherip:
> 
> If you have access via the LAN, what about tcpdump(8) on the tun(4) 
> interface?
> 
>> is
>> not the case locaclly
> 
> 
>> Problem here is that this system is 900Km away...if I would stop the 
>> SSHD (so i could
> 
> Normally I'd say to you "Oh you're fine with pkill -HUP sshd"; but 
> that's because I'm accustomed to out-of-band management like DRAC and 
> mgetty >:}

nohup kill -HUP pid-of-sshd-listener-process
should get it for you
or if you are really (justifiably) paranoid a little temporary cron that
will restart sshd if not running, or in five minutes.


> 
> ~BAS
> 
>> restart it with debug options) I will not be able to reach it anymore
>> :-(

Re: missing isakmpd.fifo

[Toni Mueller]

Hi Dag,

On Thu, 01.02.2007 at 08:37:01 -0800, Dag Richards <[EMAIL PROTECTED]> wrote:
> locations. Yesterday I needed to add a tunnel, there was no 
> /var/run/isakmpd.fifo ... odd says I. isakmpd had been running since mid 
> 
> The fifo was recreated, I could use it to control isakmpd. OK.
> 
> Today I look for isakmpd.fifo, it has disappeared again.

> and nothing I do not expect to see.  I am not running out of disk space 
> ... anybody seen this before?

please check again using -i in order to find out whether you have
enough disk space.


Best,
--Toni++

Re: remove sendmail/install postfix

[Toni Mueller]

Hi,

On Sat, 03.02.2007 at 21:26:36 +0100, Andreas Maus <[EMAIL PROTECTED]> wrote:
> But the mailwraper provides a more generic way for
> OpenBSD to use mail without dealing much about
> the uses mail system. (sendmail,postfix,exim,qmail, ...)

this is probably correct (or that's what it was created for), but I
have yet to overcome my inertia against implementing this, for marginal
benefit.


Best,
--Toni++

Re: remove sendmail/install postfix

[Henning Brauer]

* Toni Mueller <[EMAIL PROTECTED]> [2007-02-07 11:55]:
> On Sat, 03.02.2007 at 21:26:36 +0100, Andreas Maus <[EMAIL PROTECTED]> wrote:
> > But the mailwraper provides a more generic way for
> > OpenBSD to use mail without dealing much about
> > the uses mail system. (sendmail,postfix,exim,qmail, ...)
> 
> this is probably correct (or that's what it was created for), but I
> have yet to overcome my inertia against implementing this, for marginal
> benefit.

well then you keep making up more (useless) work for you, while 
everybody else enjoys the elegance of mailwrapper.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

login.conf

[Toni Mueller]

Hello,

I'd like to adjust the default limits for an account via login.conf(5)
and adding the appropriate class entry to the affected account in the
password file. Specifically, I want this to configure the resource
limits for a MySQL server. Will this work?

The man page mumbles something about "login and some other programs"
which will make use of the class entry, but I was unable to figure out
which programs exactly will obey or ignore these class entries. I could
also manually place a number of 'ulimit' statements in the start script
but would prefer to do it with login.conf.

Btw, I seem to have 368 tables (to forestall the '29 tables'
argument)...

Any ideas, please?


Best,
--Toni++

Re: remove sendmail/install postfix

[RW]

On Wed, 7 Feb 2007 11:49:07 +0100, Toni Mueller wrote:

>Hi,
>
>On Sat, 03.02.2007 at 21:26:36 +0100, Andreas Maus <[EMAIL PROTECTED]> wrote:
>> But the mailwraper provides a more generic way for
>> OpenBSD to use mail without dealing much about
>> the uses mail system. (sendmail,postfix,exim,qmail, ...)
>
>this is probably correct (or that's what it was created for), but I
>have yet to overcome my inertia against implementing this, for marginal
>benefit.

Hell, that's funny. I installed the postfix package and used the
recommended (and supplied) script to make postfix the default mailer.
There is one to switch back.

Apart from that there was only (IIRC) one manual thing to do: change
the queue-runner or something like that. So easy I forget: no pain = no
brain (storing horror tales).

Trivial for me and I thought that I had a very large inertia to mass
ratio as I only weigh in at 66.x kg. 8-))

Anyway jakob@ has (for me) done a fine job of making it painless.

R/

>From the land "down under": Australia.
Do we look  from up over?

Dummy Interface In OpenBGPd

[demuel]

Hi,

As I read the openbgpd documentation, there is not a single point wherein in 
the examples a dummy
interface is being used. Is a dummy interface supported in OpenBGP?

Regards,
Demuel

Re: login.conf

[Darrin Chandler]

On Wed, Feb 07, 2007 at 12:00:13PM +0100, Toni Mueller wrote:
> Hello,
> 
> I'd like to adjust the default limits for an account via login.conf(5)
> and adding the appropriate class entry to the affected account in the
> password file. Specifically, I want this to configure the resource
> limits for a MySQL server. Will this work?
> 
> The man page mumbles something about "login and some other programs"
> which will make use of the class entry, but I was unable to figure out
> which programs exactly will obey or ignore these class entries. I could
> also manually place a number of 'ulimit' statements in the start script
> but would prefer to do it with login.conf.

Starting something from rc.local or from a script you can use su(1)'s
"-c" to specify the login class. For instance...

# su -c mysql root -c '/usr/local/bin/mysqld_safe>/dev/null'

You will still want to tweak up a my.cnf to use the new limits.

-- 
Darrin Chandler   |  Phoenix BSD Users Group
[EMAIL PROTECTED]  |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/darrin/  |

Re: Dummy Interface In OpenBGPd

[Henning Brauer]

* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 12:31]:
> As I read the openbgpd documentation, there is not a single point wherein in 
> the examples a dummy
> interface is being used. Is a dummy interface supported in OpenBGP?

-vvv :)

from bgpd's perspective, an interface is an interface, mostly.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Re: Dummy Interface In OpenBGPd

[Stuart Henderson]

On 2007/02/07 11:24, [EMAIL PROTECTED] wrote:
> As I read the openbgpd documentation, there is not a single point wherein
> in the examples a dummy interface is being used. Is a dummy interface
> supported in OpenBGP?

Do you mean 'loopback interface'? Works just fine (certainly to an alias
on lo0, I assume a single address on lo1, lo2 etc would likewise not be a
problem).

Re: login.conf

[Stuart Henderson]

On 2007/02/07 12:00, Toni Mueller wrote:
> I'd like to adjust the default limits for an account via login.conf(5)
> and adding the appropriate class entry to the affected account in the
> password file. Specifically, I want this to configure the resource
> limits for a MySQL server. Will this work?

Yes, see http://www.openbsdsupport.org/mysql.htm

Re: Dummy Interface In OpenBGPd

[demuel]

Yeah a loopback just like in Quagga or in Cisco.

> On 2007/02/07 11:24, [EMAIL PROTECTED] wrote:
>> As I read the openbgpd documentation, there is not a single point wherein
>> in the examples a dummy interface is being used. Is a dummy interface
>> supported in OpenBGP?
>
> Do you mean 'loopback interface'? Works just fine (certainly to an alias
> on lo0, I assume a single address on lo1, lo2 etc would likewise not be a
> problem).

Re: Dummy Interface In OpenBGPd

[demuel]

Does that categorically mean there is no way, as of the moment, in openbgp to 
use a dummy
interface just like in Quagga?

> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 12:31]:
>> As I read the openbgpd documentation, there is not a single point wherein in 
>> the examples a
>> dummy
>> interface is being used. Is a dummy interface supported in OpenBGP?
>
> -vvv :)
>
> from bgpd's perspective, an interface is an interface, mostly.
>
> --
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Re: HTTP URL filtering?

[Andrei GUDIU]

I use mod_security for filtering. Take a look at http://www.modsecurity.org/

You can find it in the ports system undes www/mod_security

Good luck

Andrei GUDIU

Xavier Mertens wrote:


Hi *,

I've a problem with an Apache web server hit by f*cking spammers...
I would like to filter some URLs (unused but still used by the bots) *BEFORE* 
they reach the httpd processes. What could be the best method? pf? something 
else?

Thanks!


Xavier

Re: Dummy Interface In OpenBGPd

[Henning Brauer]

* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 13:14]:
> Yeah a loopback just like in Quagga or in Cisco.

loopback interfaces are pseudo-interfaces.
and as I said, interfaces are just interfaces for bgpd. pseudo or real, 
there is no real difference.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Re: Dummy Interface In OpenBGPd

[Henning Brauer]

* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 13:11]:
> Does that categorically mean there is no way, as of the moment, in openbgp to 
> use a dummy
> interface just like in Quagga?

well, you have to be more explicity.
pseudo-interfaces are just interfaces. there is no visible difference 
for bgpd.

you still didn't say what you actually want.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

qlogic QLA4050C or QLA4052C

[Stephan A. Rickauer]

is there a developer who's interested in writing a driver for that
product? It's an iSCSI Host Bus Adapter:

  http://www.qlogic.com/products/iscsi_products_hba.asp

Our Institute would donate the required hardware and I will try to get
Free Programming Documentation (though I am not too optimistic with qlogic).

Please let me know off list.

-- 

 Stephan A. Rickauer

 ---
 Institute of Neuroinformatics Tel  +41 44 635 30 50
 University / ETH Zurich   Sec  +41 44 635 30 52
 Winterthurerstrasse 190   Fax  +41 44 635 30 53
 CH-8057 ZurichWeb  www.ini.unizh.ch

 RSA public key:  https://www.ini.uzh.ch/~stephan/pubkey.asc
 ---

Re: Dummy Interface In OpenBGPd

[Stuart Henderson]

On 2007/02/07 12:07, [EMAIL PROTECTED] wrote:
> Does that categorically mean there is no way, as of the moment, in openbgp to 
> use a dummy
> interface just like in Quagga?

there categorically *is* a way, set up /32 address on a lo interface,
and use that as local-address in bgpd.conf, making sure the other hosts
have a way to reach it (e.g. announce the /32 into OSPF). quite useful
for i-bgp sessions and it's pretty much the same way you'd do this
elsewhere.

there is nothing particularly special about the lo* interfaces,
just configure them as normal (hostname.lo0, hostname.lo1, etc).

Re: Dummy Interface In OpenBGPd

[Claudio Jeker]

On Wed, Feb 07, 2007 at 12:07:56PM -, [EMAIL PROTECTED] wrote:
> Does that categorically mean there is no way, as of the moment, in
> openbgp to use a dummy interface just like in Quagga?
> 

There are no dummy interfaces. If you like to use a loopback interface
create one.

# cat > /etc/hostname.lo1 
inet 10.83.66.128 255.255.255.255 NONE
# sh /etc/netstart lo1

That's it. You have a loopback address that can be used in bgpd.

neighbor 10.83.66.164 {
remote-as 65123
local-address 10.83.66.128
}

I guess that's what you are looking for. bgpd does not realy care about
interfaces. Interfaces and their link state are only used to figure out
the availability of nexthops.

Btw. for ospfd you can use "interface lo1" to reliably redistribute the
loopback address.

-- 
:wq Claudio

> > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 12:31]:
> >> As I read the openbgpd documentation, there is not a single point wherein 
> >> in the examples a
> >> dummy
> >> interface is being used. Is a dummy interface supported in OpenBGP?
> >
> > -vvv :)
> >
> > from bgpd's perspective, an interface is an interface, mostly.
> >
> > --
> > Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> > BS Web Services, http://bsws.de
> > Full-Service ISP - Secure Hosting, Mail and DNS Services
> > Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Re: ospfd participating in a stub area

[Claudio Jeker]

On Tue, Feb 06, 2007 at 11:09:45PM -0500, Nick Davey wrote:
> The passive keyword will advertise a network as a stub area, however as 
> the interface is passive it cannot form a neighbor relationship with any 
> other router in that area, or on that interface. From the man pages it 
> would appear there is no way to specify an area as stub however Claudio 
> or Henning would be able to help you out more than I would.
> 

Stub areas have nothing to do with passive interfaces. A stub area is an
area that does not get flooded with AS-external LSA. This is used to allow
crappy routers with limited memory into larger networks.

Ospfd does currently not support stub areas. We did not consider them
important enough to be something that had to be implemented ASAP.
Some bits are present but more work is needed and it is on the todo list.

-- 
:wq Claudio

> Best Regards,
> Nick
> 
> Lars Hansson wrote:
> >Nigel Roberts wrote:
> >>Is it possible to configure an area in ospfd.conf to be a stub area?
> >
> >Yes, use the "passive" option. It's in the ospfd.conf man page.
> >
> >
> >---
> >Lars Hansson

Re: ospfd participating in a stub area

[Esben Norby]

On Wednesday 07 February 2007 00:53, Nigel Roberts wrote:
> Is it possible to configure an area in ospfd.conf to be a stub area?
>
> I have an area where all particpating routers (ciscos) are configured
> to treat it as a stub ie.
>
> router ospf 1234
> ...
>   area 1 stub
> ...

What excactly is the purpose of this? Is it some cisco trick to save memory or 
does it have a real purpose?

Normaly when routers form adjacency the network is not considered a stub 
network any more, hence it can be used to forward traffic.

/Esben

Re: Dummy Interface In OpenBGPd

[demuel]

I have 4 machines running OpenBSD-stable and it used some AS in the 64512-65535 
range. Now, two of
these machines will be eventually connected to two different AS, say obsd1 to 
AS 64512 and obsd2
to 64513, while these four machines fall under one AS, say 64513.

>From my readings in the published article of Claudio Jekker, it appears to me 
>that this setup is
for a fully-redundant architecture wherein there could be no single point of 
failure.

I want to experiment with creating dummy interfaces under such topology just 
like in Quagga.


> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 13:11]:
>> Does that categorically mean there is no way, as of the moment, in openbgp 
>> to use a dummy
>> interface just like in Quagga?
>
> well, you have to be more explicity.
> pseudo-interfaces are just interfaces. there is no visible difference
> for bgpd.
>
> you still didn't say what you actually want.
>
> --
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

patch for src/etc/skel/dot.cshrc

[Igor Sobrado]

Hello.

This patch removes the -g option from src/etc/skel/dot.cshrc.

The reason I am suggesting this change is that -g "does nothing;
[it is] kept for compatibility with older versions of ls" (source: ls(1));
so this option is superfluous on this alias.

If it is better opening a problem report, I will do it.  But I suppose
that someone on this mailing list will probably want to discuss this
change.

I hope OpenBSD developers will like this patch; if not, feel free
to drop it.

Cheers,
Igor.

--- dot.cshrc   Wed Feb 16 07:56:57 2005
+++ dot.cshrc   Wed Feb  7 13:50:20 2007
@@ -9,7 +9,7 @@
 alias jjobs -l
 alias la   ls -a
 alias lf   ls -FA
-alias ll   ls -lgsA
+alias ll   ls -lsA
 alias tset 'set noglob histchars=""; eval `\tset -s \!*`; unset noglob 
histchars'
 alias zsuspend

Re: Dummy Interface In OpenBGPd

[demuel]

Can this looback interface be used as a sort of router-id just like in Quagga? 
Do I need to add
routes for this IP address reachable elsewhere in my network?

> On Wed, Feb 07, 2007 at 12:07:56PM -, [EMAIL PROTECTED] wrote:
>> Does that categorically mean there is no way, as of the moment, in
>> openbgp to use a dummy interface just like in Quagga?
>>
>
> There are no dummy interfaces. If you like to use a loopback interface
> create one.
>
> # cat > /etc/hostname.lo1
> inet 10.83.66.128 255.255.255.255 NONE
> # sh /etc/netstart lo1
>
> That's it. You have a loopback address that can be used in bgpd.
>
> neighbor 10.83.66.164 {
>   remote-as 65123
>   local-address 10.83.66.128
> }
>
> I guess that's what you are looking for. bgpd does not realy care about
> interfaces. Interfaces and their link state are only used to figure out
> the availability of nexthops.
>
> Btw. for ospfd you can use "interface lo1" to reliably redistribute the
> loopback address.
>
> --
> :wq Claudio
>
>> > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 12:31]:
>> >> As I read the openbgpd documentation, there is not a single point wherein 
>> >> in the examples a
>> >> dummy
>> >> interface is being used. Is a dummy interface supported in OpenBGP?
>> >
>> > -vvv :)
>> >
>> > from bgpd's perspective, an interface is an interface, mostly.
>> >
>> > --
>> > Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
>> > BS Web Services, http://bsws.de
>> > Full-Service ISP - Secure Hosting, Mail and DNS Services
>> > Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Re: Dummy Interface In OpenBGPd

[Henning Brauer]

* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 14:08]:
> I want to experiment with creating dummy interfaces under such topology just 
> like in Quagga.

this doesn't lead anywhere, really.
I don't know what "dummy interfaces .. just like in quagga" are, and, 
moreover, it is completely unclear what you want to accomplish.

you probably just want a loopback interface, but that is a guess.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Re: Dummy Interface In OpenBGPd

[demuel]

What i want to accomplish and wanted to do is to be able to use such an 
interface when all the NIC
on my machines are alloted for BGP.

> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 14:08]:
>> I want to experiment with creating dummy interfaces under such topology just 
>> like in Quagga.
>
> this doesn't lead anywhere, really.
> I don't know what "dummy interfaces .. just like in quagga" are, and,
> moreover, it is completely unclear what you want to accomplish.
>
> you probably just want a loopback interface, but that is a guess.
>
> --
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Re: Dummy Interface In OpenBGPd

[Claudio Jeker]

On Wed, Feb 07, 2007 at 01:08:31PM -, [EMAIL PROTECTED] wrote:
> Can this looback interface be used as a sort of router-id just like in
> Quagga? Do I need to add routes for this IP address reachable elsewhere
> in my network?

Yes the IP needs to be reachable from elsewhere in your network -- unless
you don't want to use it and you can use the IP as your router-id --
that's what the router-id keyword is used for (actually you can use almost
anything as router-id). 

-- 
:wq Claudio

rsa remote auth

[Lawrence Horvath]

I am trying to get my openbsd 4.0 box to allow remote ssh logins using
an rsa key,

i added the key into my ~/.ssh/authorized_keys file, and set
permissions on ~/.ssh and ~/.ssh/authorized_keys to 0600

i added the rsa of its self, for testing, however i cant seem to get
an ssh session to authenticate with out the password

contents of authorized_keys(parts of the key omited):

ssh-rsa .==

Anyone know what im doing wrong? why it wont authenticate with the rsa key?
If anymore info is needed please let me know

--
-Lawrence
-Student ID 1028219
-CCNA

Re: rsa remote auth

[Otto Moerbeek]

On Wed, 7 Feb 2007, Lawrence Horvath wrote:

> I am trying to get my openbsd 4.0 box to allow remote ssh logins using
> an rsa key,
> 
> i added the key into my ~/.ssh/authorized_keys file, and set
> permissions on ~/.ssh and ~/.ssh/authorized_keys to 0600

That'll render .ssh almost useless make that 0700 for the dir.

-Otto
> 
> i added the rsa of its self, for testing, however i cant seem to get
> an ssh session to authenticate with out the password
> 
> contents of authorized_keys(parts of the key omited):
> 
> ssh-rsa .==
> 
> Anyone know what im doing wrong? why it wont authenticate with the rsa key?
> If anymore info is needed please let me know
> 
> -- 
> -Lawrence
> -Student ID 1028219
> -CCNA

Re: rsa remote auth

[Darren Spruell]

On 2/7/07, Lawrence Horvath <[EMAIL PROTECTED]> wrote:

I am trying to get my openbsd 4.0 box to allow remote ssh logins using
an rsa key,

i added the key into my ~/.ssh/authorized_keys file, and set
permissions on ~/.ssh and ~/.ssh/authorized_keys to 0600


Verify that the user itself is the owner of these files, not root or
anyone else.


i added the rsa of its self, for testing, however i cant seem to get
an ssh session to authenticate with out the password


Are there any line breaks in the copied key? 'cat -e
~/.ssh/authorized_keys' might reveal these kind of oopses.

Did you place the exact contents of id_{rsa,dsa}.pub and not id_{rsa,dsa}?


ssh-rsa .==


There's no reason to obfuscate this. Your public key is not sensitive.

DS

Re: rsa remote auth

[Stuart Henderson]

On 2007/02/07 06:49, Lawrence Horvath wrote:
> and made sure of the file permissions
> ~/.ssh is 0700
> ~/.ssh/authorized_keys is 0600

run sshd -d -p some_port (unless you want to disturb your main daemon
on port 22) and watch the screen output while you connect.

Re: rsa remote auth

[Lawrence Horvath]

On 2/7/07, Darren Spruell <[EMAIL PROTECTED]> wrote:

On 2/7/07, Lawrence Horvath <[EMAIL PROTECTED]> wrote:
> I am trying to get my openbsd 4.0 box to allow remote ssh logins using
> an rsa key,
>
> i added the key into my ~/.ssh/authorized_keys file, and set
> permissions on ~/.ssh and ~/.ssh/authorized_keys to 0600

Verify that the user itself is the owner of these files, not root or
anyone else.


Verified ownership of the file is the user, both owner and group



> i added the rsa of its self, for testing, however i cant seem to get
> an ssh session to authenticate with out the password

Are there any line breaks in the copied key? 'cat -e
~/.ssh/authorized_keys' might reveal these kind of oopses.


used the cat -e command, no line breaks



Did you place the exact contents of id_{rsa,dsa}.pub and not id_{rsa,dsa}?


I did
$cd ~/.ssh
$cp id_rsa.pub authorized_keys

so yes it would be the exact contents



> ssh-rsa .==

There's no reason to obfuscate this. Your public key is not sensitive.

DS



and made sure of the file permissions
~/.ssh is 0700
~/.ssh/authorized_keys is 0600


--
-Lawrence
-Student ID 1028219
-CCNA

Re: Dummy Interface In OpenBGPd

[Henning Brauer]

* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 14:34]:
> What i want to accomplish and wanted to do is to be able to use such an 
> interface when all the NIC
> on my machines are alloted for BGP.

that is not any clearer.
"such an interface"? get rid of that dummy interface terminology, that 
doesn't exist.
"when all interfaces are alloted for BGP"? you probably mean allotted. 
How are they allotted for BGP? you already have a BGP listener there? 
Why are you haveing multiple listeners in teh first place?
the answer is probably still "create lo1" or similiar. But honestly, I 
am tired of guessing what you actually want to accomplish. I asked 3 
times now. Enough is enough.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Re: login.conf

[Toni Mueller]

Hello Stuart,

On Wed, 07.02.2007 at 11:39:28 +, Stuart Henderson <[EMAIL PROTECTED]> 
wrote:
> On 2007/02/07 12:00, Toni Mueller wrote:
> > I'd like to adjust the default limits for an account via login.conf(5)
> > and adding the appropriate class entry to the affected account in the
> > password file. Specifically, I want this to configure the resource
> > limits for a MySQL server. Will this work?
> 
> Yes, see http://www.openbsdsupport.org/mysql.htm

uppp I apparently didn't see that section because I didn't
re-read it. If that info is correct, then this "solves" it (hello
Daniel!).

Thank you for the heads-up.


Best,
--Toni++

Re: HTTP URL filtering?

[Toni Mueller]

Hello Xavier,

On Tue, 06.02.2007 at 22:50:36 +0100, Xavier Mertens <[EMAIL PROTECTED]> wrote:
> I've a problem with an Apache web server hit by f*cking spammers...
> I would like to filter some URLs (unused but still used by the bots)
> *BEFORE* they reach the httpd processes. What could be the best
> method? pf? something else?

I guess that you want to keep the load off your Apache, right?

I'd also vote for a lightweight front-end reverse proxy like nginx
(already mentioned) or lighttpd to do this.



Best,
--Toni++

AsiaBSDCon 2007 timetable is published

[Masao Uebayashi]

The timetable of AsiaBSDCon 2007 has been published.  

http://asiabsdcon.org/timetable.html

AsiaBSDCon 2007, University of Tokyo, Tokyo, Japan
8 - 11 March, 2007
http://asiabsdcon.org/

AsiaBSDCon is a conference for users and developers on BSD based systems.
The conference is for anyone developing, deploying and using systems based
on FreeBSD, NetBSD, OpenBSD, DragonFly BSD, Darwin, and MacOS X.
AsiaBSDCon is a technical conference and aims to collect the best technical
papers and presentations available to ensure that the latest developments
in our open source community are shared with the widest possible audience.

Please contact [EMAIL PROTECTED] if you have any questions.

Failed installation on HP ProLiant ML110 G4 (with dmesg)

[Ron Oliver]

Below is a capture from a serial console during the installation.
Note that I've reduced most of the repeated messages a la [last
message repeated x times]; otherwise, this would be a 7000 line post.

Aside: how about a 3-wire serial console option that doesn't need DCD
driven?  My beloved Cisco serial cables don't drive DCD; I had to dig
deeply into my big bag o' adapters to find an old-school null modem to
do it.  But I guess I'll appreciate that feature if I ever need a
serial console through a modem. :)

This should also answer a previously posted question on a related
failed ProLiant install: "Why axe(4)?"  Because it seemed like a good
idea at the time to the kernel.  It wasn't a user selection.  All
hardware is HP-supplied with the system; nothing added here.

I first tried this with the PS/2 keyboard that came with the unit, but
it was unresponsive by the time I got to a prompt, hence the MS
Natural Pro plugged in.

If anyone cares, it looks like Ubuntu 6.06LTS will install on it (and
the PS/2 keyboard IS responsive under that OS.)  I'll go ahead and
install that for the hell of it.  If anyone wants dmesg from that, let
me know.

Either this will work soon, or it's going back; I can't afford to have
a science project sitting around.  But if any developers want
something tried out, let me know and I'll assist as I can.  I can also
hang it on a public IP if that helps.


OpenBSD/i386 BOOT 2.10

boot>
booting fd0a:/bsd: 4692244+739940=0x52e4c0
entry point at 0x200120*
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.0 (RAMDISK_CD) #39: Sat Sep 16 19:34:26 MDT 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Xeon(R) CPU 3040 @ 1.86GHz ("GenuineIntel" 686-class) 1.87 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CF
LUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX
16
real mem  = 1071788032 (1046668K)
avail mem = 971149312 (948388K)
using 4256 buffers containing 53690368 bytes (52432K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(7b) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xfd460,
SMB
IOS rev. 2.4 @ 0xdc010 (47 entries)
bios0: HP ProLiant ML110 G4
pcibios0 at bios0: rev 2.1 @ 0xfd460/0xba0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdee0/256 (14 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #10 is the last bus
bios0: ROM list: 0xc/0x8000 0xdc000/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7230 MCH" rev 0xc0
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01
pci1 at ppb0 bus 2
ppb1 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01
pci2 at ppb1 bus 3
vga1 at pci2 dev 0 function 0 vendor "Matrox", unknown product 0x0522 rev
0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
ppb2 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01
pci3 at ppb2 bus 4
bge0 at pci3 dev 0 function 0 "Broadcom BCM5721" rev 0x21, BCM5750 C1
(0x4201):
irq 12, address 00:18:fe:79:02:af
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: irq 5
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: irq 7
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: irq 10
ehci0: timed out waiting for BIOS
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
ppb3 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0xe1
pci4 at ppb3 bus 10
ichpcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, channel 0
c
onfigured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  SCSI0 5/cdrom
r
emovable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 "Intel 82801GB SATA" rev 0x01: DMA, channel
0
confi

Sun Fire X2100, GigaBit Fiber?

[Steven Xiao]

Hi,

  I really want to use one of those Sun Fire X2100, X2100 M2 or X2200 to
build a firewall for my network. But my problem is that my network is a
fiber connection running Gigabit. It seems that all these boxes have only
PCI-E X8 slot(s) for fiber network card(s).

  My questions are:

  1) Sun also sells a fiber gigabit card with X2100 ... (Sun Dual Gigabit
Ethernet PCI-E MMF Adapter). But this card is not supported in OpenBSD
4.0. Am I right? Is there a plan to support it in the near futher?

  2) If I get a M2 box, say, X2100 M2 with two PCI-E X8 slots and get two
PCI-E fiber network cards, say, HP NC373F PCI Express Multifunction
Gigabit server adapter (1000baseSX) which is supported per openbsd
document. Would that work?

  Thanks for any inputs.

  Steven

Re: HTTP URL filtering?

[Marian Hettwer]

Hej there,

Xavier Mertens schrieb:

Hi *,

I've a problem with an Apache web server hit by f*cking spammers...
I would like to filter some URLs (unused but still used by the bots) *BEFORE* 
they reach the httpd processes. What could be the best method? pf? something 
else?

I had the same problem with botnets, attacking a specific URL. Even 
sending out 404 errors didn't help at all.
I wouldn't recommend the pf overload feature, as this depends on the 
number of tcp connections to your webserver.
Say you have a webpage with 50 images, this would be 50 connections. 
Another webpage may only have 2 images, this would lead to only 2 
connections.

Here is what I did.
Install mod_security for apache.
Define rules like those:


# Maximum request body size we will
# accept for buffering
SecRequestBodyAccess On
#SecRequestBodyLimit 131072
# Store up to 128 KB in memory
#SecRequestBodyInMemoryLimit 131072

# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyAccess Off
SecResponseBodyLimit 524288

# Debug log
SecDebugLog /var/log/apache/modsec_debug.log
SecDebugLogLevel 0

# The audit engine works independently and
# can be turned On of Off on the per-server or
# on the per-directory basis
#SecAuditEngine Off
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
#SecAuditLogParts ABIFHZ
SecAuditLogParts A
SecAuditLogType Serial

# The name of the audit log file
SecAuditLog /var/log/apache/modsec_audit.log

# Default action set
#SecDefaultAction "deny,log,auditlog,status:403"

# Turn on Rule Engine
SecRuleEngine On

# Refuse to accept POST requests that do
# not specify request body length
# SecRule REQUEST_METHOD ^POST$ chain
# SecRule REQUEST_HEADER:Content-Length ^$
#
# Metal District Rules
#SecRule REQUEST_URI "/phpbb2/posting\.php\(.*\)" 
"deny,phase:1,exec:/root/bin/fill-blacklist.sh"
#SecRule ARGS /phpbb2/posting.php 
"deny,phase:1,exec:/root/bin/fill-blacklist.sh"
SecRule REQUEST_FILENAME /phpbb2/posting.php 
"deny,phase:1,exec:/root/bin/fill-blacklist.sh"
SecRule REQUEST_FILENAME /phpBB2/posting.php 
"deny,phase:1,exec:/root/bin/fill-blacklist.sh"




Anytime someone is accessing /phpbb2/posting.php the script 
fill-blacklist.sh is run:


([EMAIL PROTECTED] <~> $ cat /root/bin/fill-blacklist.sh
#!/bin/sh
#
sudo pfctl -T add -t www-spammers $(echo ${REMOTE_ADDR})
echo "${REMOTE_ADDR} added to blacklist"

The ip gets added to the table www-spammers.
My pf rules look like that:
# www-spammers table
table  persist file "/etc/www-spammers"
block in quick on $ext_if proto tcp from  to $ext_if port 80

Drawback: I need sudo to use pfctl as the user www (which apache runs 
under).
Pro: Every bot can access the url exactly one time, afterwards its 
blacklisted.
Use expire-table to free the pf table occassionally and of course make 
sure that you don't block yourself - whitelist ip addresses like your 
standard gateway, otherwise you may DoS yourself ;)


Of course this is just a hack, but it works in my case.
Any suggestions to improve this setup are welcome :)

best regards,
Marian

Re: Failed installation on HP ProLiant ML110 G4 (with dmesg)

[Stuart Henderson]

On 2007/02/07 12:37, Ron Oliver wrote:
> Aside: how about a 3-wire serial console option that doesn't need DCD
> driven?

I think it's just the bootloader..

> My beloved Cisco serial cables don't drive DCD

adapters with DTR-DSR-DCD-CTS connected together work ok for this.

> wd0 at pciide1 channel 0 drive 0: 
> wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
> wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
> wd0: no disk label
> dkcsum: wd0 matches BIOS drive 0x80
...
> No disks found.

that's odd...

Re: HTTP URL filtering?

[Marian Hettwer]

Hi,

Karsten McMinn schrieb:

On 2/6/07, Xavier Mertens <[EMAIL PROTECTED]> wrote:

Hi *,

I've a problem with an Apache web server hit by f*cking spammers...
I would like to filter some URLs (unused but still used by the bots)
*BEFORE* they reach the httpd processes. What could be the
best method? pf? something else?


I used snort to filter before httpd to build simple IP address lists
to feed into a pf table. It was kinda clunky. Second time
around I'd just parse my httpd log files and do the same thing.
With apache configured right and a cron running every minute
you'll get by with minimal work needed. I'd imagine.

I tried the very same when a webserver of mine was hitted by some 
botnet. Unluckily, cron can only ran every minute as the fastest 
interval and within 1 minute I already had around 1000 connections from 
different IP addresses.

Ergo: A one minute interval didn't help at all..

./Marian

Re: Sun Fire X2100, GigaBit Fiber?

[Christopher Snell]

Check out the Intel PRO/1000 PF.  While it's not mentioned as
supported in amd64, many of its brethren are.  It might be worth a
try.

http://www.intel.com/network/connectivity/products/pro1000pf_dualport_server_adapter.htm

Chris


On 2/7/07, Steven Xiao <[EMAIL PROTECTED]> wrote:

Hi,

  I really want to use one of those Sun Fire X2100, X2100 M2 or X2200 to
build a firewall for my network. But my problem is that my network is a
fiber connection running Gigabit. It seems that all these boxes have only
PCI-E X8 slot(s) for fiber network card(s).

  My questions are:

  1) Sun also sells a fiber gigabit card with X2100 ... (Sun Dual Gigabit
Ethernet PCI-E MMF Adapter). But this card is not supported in OpenBSD
4.0. Am I right? Is there a plan to support it in the near futher?

  2) If I get a M2 box, say, X2100 M2 with two PCI-E X8 slots and get two
PCI-E fiber network cards, say, HP NC373F PCI Express Multifunction
Gigabit server adapter (1000baseSX) which is supported per openbsd
document. Would that work?

  Thanks for any inputs.

  Steven

Re: Failed installation on HP ProLiant ML110 G4 (with dmesg)

[Miod Vallat]

> > wd0 at pciide1 channel 0 drive 0: 
> > wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
> > wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
> > wd0: no disk label
> > dkcsum: wd0 matches BIOS drive 0x80
> ...
> > No disks found.
> 
> that's odd...

This is caused by the kernel dmesg being flooded with the axe error
messages.

The OP should try to boot -c, disable axe, and install without axe; this
should at least allow the installation to proceed.

Miod

BRL-CAD 3D software for OpenBSD

[Karel Kulhavy]

Hello

I made a patch so that BRL-CAD compiles on OpenBSD and sent it to the developer
and he incorporated it into the official code so now it should compile out of
the box on OpenBSD. BRL-CAD is a powerful non-bloatware 3D modeling system
being developed by U.S. Army since 1979 and since 2004 released under GPL.  It
was used for example for design of the M1A1 Abrams tank. Example outputs:

http://ronja.twibright.com/3d/

If someone has time to make a package please do it. I tried to read the
information about the portage tree but it's too complicated for me to
understand - I forget the beginning before I get to the end.

The compilation is simple ./configure make make install then it installs into
/usr/brlcad and $PATH has to be set.

CL<

Airtist Telecharger vos MP3 sans DRM a partir de 0,2�

[Airtist.com]

Email in english :
Si vous avez des difficultees pour visualiser cette page , cliquez ici

Tilichargez vos musiques en mp3 sans DRM
Rejoignez vos artistes dans la communauti!

Bonjour,
Airtist est le nouveau site Internet communautaire de tilichargement
musical.
Sur Airtist vous pouvez dicouvrir et tilicharger de la musique et
rejoindre la communauti d'internautes et d'artistes:
http://www.airtist.com

Avec Airtist tilichargez vos musiques en mp3 sans DRM
Accidez ` une communauti musicale avec des artistes indipendants de tous
styles musicaux et de tous pays, tilichargez vos musiques avec 2 modes:
Payant ` prix variable ditermini par l'artiste (` partir de 0,20euro le
titre)
Gratuit et Ligal ` base d'annonces publicitaires (bienttt disponible)
Liberti des titres que vous tilichargez, compatibles avec tous les
lecteurs et baladeurs mp3.

Rejoignez vos artistes dans la communauti
Criez une page web personnelle Airtist:
Blog, albums photos, votes, commentaires, messagerie, riseaux d'amis,
musiques, concours, etc.

Solidariti avec les associations
A chaque tilichargement d'une musique 1 centime est reversi `
l'association ou œuvre caritatives de ton choix comme Sol en Si,
Fondation Nicolas Hulot, Restos du Coeur etc.

Tu es artiste ou tu fais parti d'un groupe ?
Tu fais de la musique et tu souhaites la distribuer sur Airtist et jtre
payi?
Inscription artiste

Airtist.com c'est plus de 5000 musiques ` tilicharger dans tous les
styles musicaux, artistes connus, indipendants et autoproduits et de tous
pays.

Vous pouvez tilicharger les albums de Henri Salvador, Anaos, Bloc Party,
Nosfell, Yann Tiersen & Shannon Wright, Higelin et de centaines d'autres
artistes connus et indipendants de la schne montante frangaise et
internationale.

Airtist est une plateforme de tilichargement ligale en partenariat avec
la SACEM.

Pour vous desabonner de cette liste, cliquez sur desinscription

powered by eoxiamail v 2.10.4;

Re: ospfd participating in a stub area

[Nigel Roberts]

On Wed, 07 Feb 2007 at 13:57:52 +0100, Esben Norby wrote:

> What excactly is the purpose of this? Is it some cisco trick to save memory 
> or 
> does it have a real purpose?

It's not a cisco trick as such, since it's defined in the OSPF RFC
along with NSSA (not so stubby areas) and totally stubby areas. It is
designed to save CPU and memory resources.

> Normaly when routers form adjacency the network is not considered a stub 
> network any more, hence it can be used to forward traffic.

Stub areas are not to be confused with stub networks. Stub networks
are what is formed when you define an interface as passive. A stub
area is what is formed when the area border router for that area no
longer floods LSAs for AS-external routes into the area.

Thanks to Claudio for clarifying the situation. It's not a big deal
really - I was simply doing some testing with stub areas and wanted to
make sure of what was possible.

Regards,
Nigel

net.inet.ip.mforwarding?

[Jonathan Whiteman]

Sorry I should know this but I'm sorta green.  If I enable
net.inet.ip.mforwarding on all my routers, should that allow
OS X things like bonjour and iTunes music sharing to work
across the bridge?

external usb disk freezing machine

[frantisek holop]

hi there,

here i go again, describing usb problems.  i am really not sure now
if it is a) my external disk, b) openbsd, c) bios/motherboard/usb port
that is giving me the headache...

i am trying my luck here, and please find attached a most curious
/var/log/messages snippet of one "from reboot till reboot" session.
i hope the usb people can make something of it...  dmesg gratis
included inside :D

so basically what started happening: i plug in the disk, everything
dandy, disk goes away every couple of minutes, then reappers; of
course making the programs accessing it at the moment very very
unhappy.  then after a final "ehci_idone:" message it's either
silicon heaven (absolute freeze), or reappearing and disappearing
again and again.  booted it in windows, everything looks fine,
no mysterious disappearing tricks.  the strange is, that i have
the disk for 2 weeks now, and it started happening today.


(ps. the 'disklabel=' entries are logger(1) calls from hotplugd attach)
(ps2. are "empty" /bsd messages normal?)

Feb  7 19:31:07 amaaq syslogd: restart
Feb  7 19:31:07 amaaq /bsd: OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 
MDT 2006
Feb  7 19:31:07 amaaq /bsd: [EMAIL 
PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
Feb  7 19:31:07 amaaq /bsd: cpu0: Intel(R) Pentium(R) M processor 1.80GHz 
("GenuineIntel" 686-class) 1.80 GHz
Feb  7 19:31:07 amaaq /bsd: cpu0: 
FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2
Feb  7 19:31:07 amaaq /bsd: cpu0: Enhanced SpeedStep 1800 MHz (1340 mV): 
speeds: 1800, 1600, 1400, 1200, 1000, 800, 600 MHz
Feb  7 19:31:07 amaaq /bsd: real mem  = 535326720 (522780K)
Feb  7 19:31:07 amaaq /bsd: avail mem = 480366592 (469108K)
Feb  7 19:31:07 amaaq /bsd: using 4256 buffers containing 26869760 bytes 
(26240K) of memory
Feb  7 19:31:07 amaaq /bsd: mainbus0 (root)
Feb  7 19:31:07 amaaq /bsd: bios0 at mainbus0: AT/286+(8b) BIOS, date 03/23/05, 
BIOS32 rev. 0 @ 0xfd700, SMBIOS rev. 2.31 @ 0xd6010 (31 entries)
Feb  7 19:31:07 amaaq /bsd: bios0: TOSHIBA Satellite M30X
Feb  7 19:31:07 amaaq /bsd: apm0 at bios0: Power Management spec V1.2
Feb  7 19:31:07 amaaq /bsd: apm0: AC on, battery charge unknown
Feb  7 19:31:07 amaaq /bsd: apm0: flags 30102 dobusy 0 doidle 1
Feb  7 19:31:07 amaaq /bsd: pcibios0 at bios0: rev 2.1 @ 0xfd700/0x900
Feb  7 19:31:07 amaaq /bsd: pcibios0: PCI IRQ Routing Table rev 1.0 @ 
0xfdf20/192 (10 entries)
Feb  7 19:31:07 amaaq /bsd: pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 
82371FB ISA" rev 0x00)
Feb  7 19:31:07 amaaq /bsd: pcibios0: PCI bus #3 is the last bus
Feb  7 19:31:07 amaaq /bsd: bios0: ROM list: 0xc/0x1 0xd/0x1000 
0xd6000/0x800! 0xe/0x4000!
Feb  7 19:31:07 amaaq /bsd: cpu0 at mainbus0
Feb  7 19:31:07 amaaq /bsd: pci0 at mainbus0 bus 0: configuration mode 1 (no 
bios)
Feb  7 19:31:07 amaaq /bsd: pchb0 at pci0 dev 0 function 0 "Intel 82852GM 
Hub-PCI" rev 0x02
Feb  7 19:31:07 amaaq /bsd: "Intel 82852GM Memory" rev 0x02 at pci0 dev 0 
function 1 not configured
Feb  7 19:31:07 amaaq /bsd: "Intel 82852GM Configuration" rev 0x02 at pci0 dev 
0 function 3 not configured
Feb  7 19:31:07 amaaq /bsd: ppb0 at pci0 dev 1 function 0 "Intel 82852/82855 
AGP" rev 0x02
Feb  7 19:31:07 amaaq /bsd: pci1 at ppb0 bus 1
Feb  7 19:31:07 amaaq /bsd: vga1 at pci1 dev 0 function 0 "ATI Radeon Mobility 
M10 NP" rev 0x00
Feb  7 19:31:07 amaaq /bsd: wsdisplay0 at vga1 mux 1: console (80x25, vt100 
emulation)
Feb  7 19:31:07 amaaq /bsd: wsdisplay0: screen 1-5 added (80x25, vt100 
emulation)
Feb  7 19:31:08 amaaq /bsd: uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" 
rev 0x03: irq 10
Feb  7 19:31:08 amaaq /bsd: usb0 at uhci0: USB revision 1.0
Feb  7 19:31:08 amaaq /bsd: uhub0 at usb0
Feb  7 19:31:08 amaaq /bsd: uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
Feb  7 19:31:08 amaaq /bsd: uhub0: 2 ports with 2 removable, self powered
Feb  7 19:31:08 amaaq /bsd: uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" 
rev 0x03: irq 5
Feb  7 19:31:08 amaaq /bsd: usb1 at uhci1: USB revision 1.0
Feb  7 19:31:08 amaaq /bsd: uhub1 at usb1
Feb  7 19:31:08 amaaq /bsd: uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
Feb  7 19:31:08 amaaq /bsd: uhub1: 2 ports with 2 removable, self powered
Feb  7 19:31:08 amaaq /bsd: uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" 
rev 0x03: irq 4
Feb  7 19:31:08 amaaq /bsd: usb2 at uhci2: USB revision 1.0
Feb  7 19:31:08 amaaq /bsd: uhub2 at usb2
Feb  7 19:31:08 amaaq /bsd: uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
Feb  7 19:31:08 amaaq /bsd: uhub2: 2 ports with 2 removable, self powered
Feb  7 19:31:08 amaaq /bsd: ehci0 at pci0 dev 29 function 7 "Intel 82801DB USB" 
rev 0x03: irq 11
Feb  7 19:31:08 amaaq /bsd: usb3 at ehci0: USB revision 2.0
Feb  7 19:31:08 amaaq /bsd: uhub3 at usb3
Feb  7 19:31:08 amaaq /bsd: uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
Feb  7 19:31:08 amaaq /bsd: uhub3: 6 ports with 6 removable, self powered
Feb  7 19:31:08 amaaq /

Re: Failed installation on HP ProLiant ML110 G4 (with dmesg)

[K WESTERBACK]

As stupid-trick-with-install-scripts, one can simply manually enter the disks
of interest.

At the "Proceed with install?' prompt simply enter

!export
DKDEVS=wd0

You should get the prompt back and be able to proceed normally.
 Ken

- Original Message 
From: Ron Oliver <[EMAIL PROTECTED]>
To:
misc@openbsd.org
Sent: Wednesday, February 7, 2007 12:37:43 PM
Subject: Failed
installation on HP ProLiant ML110 G4 (with dmesg)

Below is a capture from a
serial console during the installation.
Note that I've reduced most of the
repeated messages a la [last
message repeated x times]; otherwise, this would
be a 7000 line post.

Aside: how about a 3-wire serial console option that
doesn't need DCD
driven?  My beloved Cisco serial cables don't drive DCD; I
had to dig
deeply into my big bag o' adapters to find an old-school null modem
to
do it.  But I guess I'll appreciate that feature if I ever need a
serial
console through a modem. :)

This should also answer a previously posted
question on a related
failed ProLiant install: "Why axe(4)?"  Because it
seemed like a good
idea at the time to the kernel.  It wasn't a user
selection.  All
hardware is HP-supplied with the system; nothing added here.
I first tried this with the PS/2 keyboard that came with the unit, but
it was
unresponsive by the time I got to a prompt, hence the MS
Natural Pro plugged
in.

If anyone cares, it looks like Ubuntu 6.06LTS will install on it (and
the
PS/2 keyboard IS responsive under that OS.)  I'll go ahead and
install that
for the hell of it.  If anyone wants dmesg from that, let
me know.

Either
this will work soon, or it's going back; I can't afford to have
a science
project sitting around.  But if any developers want
something tried out, let
me know and I'll assist as I can.  I can also
hang it on a public IP if that
helps.

>> OpenBSD/i386 BOOT 2.10
boot>
booting fd0a:/bsd:
4692244+739940=0x52e4c0
entry point at 0x200120*
Copyright (c) 1982, 1986,
1989, 1991, 1993
The Regents of the University of California.  All rights
reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved.
http://www.OpenBSD.org

OpenBSD 4.0 (RAMDISK_CD) #39: Sat Sep 16 19:34:26 MDT
2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Xeon(R) CPU 3040 @ 1.86GHz ("GenuineIntel" 686-class) 1.87 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CF
LUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX
16
real mem  = 1071788032 (1046668K)
avail mem = 971149312 (948388K)
using
4256 buffers containing 53690368 bytes (52432K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(7b) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xfd460,
SMB
IOS rev. 2.4 @ 0xdc010 (47 entries)
bios0: HP ProLiant ML110 G4
pcibios0
at bios0: rev 2.1 @ 0xfd460/0xba0
pcibios0: PCI IRQ Routing Table rev 1.0 @
0xfdee0/256 (14 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel
82371FB ISA" rev 0x00)
pcibios0: PCI bus #10 is the last bus
bios0: ROM list:
0xc/0x8000 0xdc000/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0:
configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7230
MCH" rev 0xc0
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01
pci1 at ppb0 bus 2
ppb1 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01
pci2 at ppb1 bus 3
vga1 at pci2 dev 0 function 0 vendor "Matrox", unknown
product 0x0522 rev
0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100
emulation)
ppb2 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01
pci3 at
ppb2 bus 4
bge0 at pci3 dev 0 function 0 "Broadcom BCM5721" rev 0x21, BCM5750
C1
(0x4201):
irq 12, address 00:18:fe:79:02:af
brgphy0 at bge0 phy 1: BCM5750
10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 "Intel 82801GB
USB" rev 0x01: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0:
Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable,
self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: irq
5
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub,
rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at
pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: irq 11
usb2 at uhci2: USB
revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3
"Intel 82801GB USB" rev 0x01: irq 7
usb3 at uhci3: USB revision 1.0
uhub3 at
usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2
removable, self powered
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB"
rev 0x01: irq 10
ehci0: timed out waiting for BIOS
usb4 at ehci0: USB revision
2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8
ports with 8 removable, self powered
ppb3 at pci0 dev 30 function 0 "Intel
82801BA AGP" rev 0xe1
pci4 at ppb3 bus 10
ichpcib0 at pci0 dev 31 function 0
"Intel 82801GB LPC" rev 0x01: PM disabled
pciide0 at pci0 dev 31 f

When will php5-gd-5.1.4-no_x11.tgz be fixed?

[Adam PAPAI]

It's really hard to install php5-gd-5.1.4-no_x11.tgz on a server without 
xbase40.tgz...


astatine[wooh]> sudo pkg_add php5-gd-5.1.4-no_x11.tgz
Can't install php5-gd-5.1.4-no_x11.tgz: lib not found freetype.13.1
Even by looking in the dependency tree:
gettext-0.14.5p1, jpeg-6bp3, expat-2.0.0, t1lib-5.1.0p0, 
php5-core-5.1.4p1, libiconv-1.9.2p3, png-1.2.12p0, libxml-2.6.26

Maybe it's in a dependent package, but not tagged with @lib ?
(check with pkg_info -K -L)
If you are still running 3.6 packages, update them.

I do not wan't to install Xlibs on my box.

When will it be fixed?

Thanks in advance

--
Adam PAPAI
D i g i t a l Influence
http://www.digitalinfluence.hu
E-mail: [EMAIL PROTECTED]
Phone: +36 30 33-55-735 (Hungary)
Phone: +49 176-67264167 (Germany)

Re: net.inet.ip.mforwarding?

[Jussi Peltola]

Jonathan Whiteman wrote:

Sorry I should know this but I'm sorta green.  If I enable
net.inet.ip.mforwarding on all my routers, should that allow
OS X things like bonjour and iTunes music sharing to work
across the bridge?


Bridge? Are you bridging or routing here? Please tell us more about
your network.

If you are ethernet bridging, as far as I know that will do nothing. If 
you are routing, it is a different story, but I'm afraid my knowledge of 
Bonjour is not good enough to give a definitive answer, but my 
experiences with certain other multicast based protocols are that it is 
easier to use ethernet bridge filtering than make routing work with 
them. AFAIK Apple isn't targeting these services for large networks 
anyway, they are to ease setting up a home or other small network that 
is a single broadcast domain.


Regards,
Jussi Peltola

Re: When will php5-gd-5.1.4-no_x11.tgz be fixed?

[Stuart Henderson]

On 2007/02/07 21:08, Adam PAPAI wrote:
> It's really hard to install php5-gd-5.1.4-no_x11.tgz on a server without 
> xbase40.tgz...

fixed in -current.

Re: dump(8) -> dvd: best practices?

[Joachim Schipper]

On Tue, Feb 06, 2007 at 07:49:22PM -0500, Josh Grosse wrote:
> On Tue, Feb 06, 2007 at 06:24:38PM -0500, I wrote:
> > I have completed tests with small files, and am now running a test w/
> > 8GB or so of data.  
> 
> It works, using shunt/flyisofs.  I will be making offsite backups much much
> more than I will be restoring them, and this is fairly easy:
> 
>   shunt -c 'dump -0af - /path/to/backups' + 
>  'flyisofs mbc=2295104 fbc=200 |
>  growisofs -Z /dev/rcd0c=/dev/fd/0'
> 
> The shunt program prompts to start the dump, and also prompts to start
> flyisofs, so one must depress ENTER twice after entering this rather long
> command.  Note that  mbc = media sectors.  DVD+RW uses 2,295,104 2048-byte 
> sectors.  Note also that fbc is under 4GB, to avoid any ISO9660 problems.
> 
> The flyisofs program will close when the ISO is full, and shunt will prompt
> me to restart it, so I have time to change media and press ENTER again.

Looks good.

> > I am going to look into amanda, it may solve all my operational issues. It 
> > could make disaster recovery a little more complex, as it is 3rd party 
> > software.  
>  
> I have looked.  2.4.5 is really for tape only.  2.5.0 has not been ported,
> and its introduction mentions optical, but ... it is the same as 2.4.5; you
> must write backups to hard drive in CD or DVD sizes, and then burn them 
> manually.

I use AMANDA, and am mostly happy with it - but yes, it's for tapes, and
using it for anything else is not a particularly good call.

> > Even if I end up going with Amanda, I may still port shunt so that is 
> > available for others.
>  
> I've started, I should have it done this evening, and will post it on ports@
> when I think it's ready.

Nice.

Joachim

Re: net.inet.ip.mforwarding?

[Jonathan Whiteman]

yes it is bridging not routing, and its a vpn (OpenVPN) bridge to
complicate matters just a bit further.  a simplified diagram
follows.  i've used actual device names here and indicated the
bridged ones by enclosing them with { }

   PUBLIC INTERNET
  |  |
--|-  ---|-
|en0   |  | dc0   |
|  |  |   |
|firewall 2|  |firewall 1 |
|  |  |   |
|{en1 tun0}{tun1 sis0}|
--|-  -|---
  ||
192.168.254.0/24  192.168.248.0/21


normal stuff seems to work across the bridge for the most part
however there is a problem with all the apple proprietary
services that rely on bonjour/rendevous.

there is another separate and somewhat intermittent problem
with routing between sub-subnets of the bridged halves of the
network but thats a separate discussion i think.  see the email
i sent to the list on monday subject "vpn bridge misbehavior"
for a more complete network diagram and a description of that
(probably unrelated?) problem.

and oh yea, i *know* these mac services weren't designed for
anything other than small-scale home use.  i'm acutely aware of
that at this point.  (the mac decision was someone else's)

anyway, thanks for your time,
~jon


Jussi Peltola wrote:

Jonathan Whiteman wrote:

Sorry I should know this but I'm sorta green.  If I enable
net.inet.ip.mforwarding on all my routers, should that allow
OS X things like bonjour and iTunes music sharing to work
across the bridge?


Bridge? Are you bridging or routing here? Please tell us more about
your network.

If you are ethernet bridging, as far as I know that will do nothing. If 
you are routing, it is a different story, but I'm afraid my knowledge of 
Bonjour is not good enough to give a definitive answer, but my 
experiences with certain other multicast based protocols are that it is 
easier to use ethernet bridge filtering than make routing work with 
them. AFAIK Apple isn't targeting these services for large networks 
anyway, they are to ease setting up a home or other small network that 
is a single broadcast domain.


Regards,
Jussi Peltola

Re: Question about syslog-ng

[Joachim Schipper]

On Wed, Feb 07, 2007 at 12:34:07AM -0500, jared r r spiegel wrote:
> On Tue, Feb 06, 2007 at 08:21:38AM -0600, Phusion wrote:
> > When installing syslog-ng on a OpenBSD 4.0 machine should I start the
> > daemon in /etc/rc.local or /etc/rc.securelevel?
> 
>   taking a peek at /etc/rc, the base syslogd is started unconditionally
>   before even rc.securelevel is sourced.
> 
>   it feels a bit dirty, but looks like the only way to completely perfectly
>   replace the default syslogd would be to edit /etc/rc in some way or another
>   ( your rc.local/rc.securelevel syslog-ng startup stanza could kill syslogd,
> but below i mention some stuff that syslog-ng would've missed anyway ).
> 
>   in /etc/rc v1.295:
> 
> - rc.local is sourced on line 710
> - syslogd is started on line 301
> - rc.conf is sourced on line 206 (and rc.conf tries to source rc.conf.local)
> 
>   so if you want to totally drop the default syslogd and use syslog-ng for
>   local logging on this host:
> 
> - one of the worst possible ways would probably to be to put your actual
>   startup stanza for syslog-ng in /etc/rc.conf.local which would make it
>   start before the network and probably make anyone reading this want to
>   puke a bit.
> - actually, no, the worst thing would probably to be to go to line 301 and
>   replace 'syslogd' with '/usr/local/sbin/syslog-ng', since their arguments
>   are not the same.
> - the "cleanest" way that comes to mind to do a 1-to-1 replacement 
>   without disturbing the current working of things much, if at all, would
>   be to add a parameter to rc.conf.local for 'syslogd="NO"', then wrap the
>   current /etc/rc syslogd stanza from line 291 through line 301 in a
>   conditional that checks for that syslogd parameter being != "NO" similar
>   to the one for pf(4) right below the syslogd one.  then more another params
>   to rc.conf.local for 'syslogng="YES"' ( or _ng if you want, whatever ) and
>   'syslogng_flags="whatever args"' and add a conditional startup stanza
>   for syslog-ng right below the normal syslogd one.
> 
>   outside of editing /etc/rc, starting it in rc.local would mean that
>   the default syslogd would handle anything started after line 301
>   up to line 710 -- anything started under 'standard daemons' could be
>   caught by syslog-ng, but anything before that (most notably all the
>   stuff after 'initial' and 'network' daemons and a few other things
>   that syslog) would be under the sole jurisdiction of the base syslogd(8).
> 
>   either way, if syslog-ng is going to be used locally, i'd make a check
>   between whatever your favourite way of determining if something is running
>   (syslogd) and syslog-ng's .conf to see if they're going to try to fight
>   over anything.
> 
>   given that syslog-ng's source sockets are handled in its .conf and
>   not on commandline, perhaps also try to sanely handle/duplicate
>   the current extra socket checks (named/dev/log, empty/dev/log) that
>   the stock syslogd /etc/rc stanza checks for.
>   
>   if syslog-ng is going to be used on this host only as a dumping ground
>   for incoming remote TCP/UDP log messages (eg, doesn't make any local
>   unix sockets, only listens to network, and syslogd does also *not*
>   listen to the network (-u)), leave /etc/rc alone and just do 
>   /etc/rc.local because then it doesn't really matter other than a
>   few wallclock seconds when this host boots up whether you do
>   rc.local or rc.securelevel. the fewer things you put in rc.securelevel,
>   the fewer things you have to accidentally forget about during upgrade
>   or troubleshooting.

Or do as I do, and just run syslog-ng alongside syslogd. Where syslog-ng
handles the network stuff, and syslogd dumps stuff via lo0.

Sure, it's ugly, but it's easy to set up and works fine. And doesn't
have quite as interesting a failure mode as the alternative.

Joachim

Re: HTTP URL filtering?

[Daniel Ouellet]

Marian Hettwer wrote:
I tried the very same when a webserver of mine was hitted by some 
botnet. Unluckily, cron can only ran every minute as the fastest 
interval and within 1 minute I already had around 1000 connections from 
different IP addresses.

Ergo: A one minute interval didn't help at all..


I had and time to time still have attack like this and put together a 
series of effective measure to take care of this. Some I explain and put 
together on misc@ under the title:


Feedback wanted on gethttpd graylisting ideas included

So you can search marc for:

http://marc.theaimsgroup.com/?t=11578471381&r=1&w=2

I also posted a few more things, but it is possible to control that.

I added many more things as well and here if you have URL not use what 
you can do is actually may be very simple and effective right away as 
well using PF and redirect if the connections are from source that 
either will redirect or not.


What I did for example for source that do not redirect, or follow the 
standard. If you connect to let say a URL


a.b.c/test.html

and that test.html is a huge page that many bots actually love to attack 
to make you waist bandwidth and put your server to a crawl. What I did 
is simply to have that page send a redirect right away and then close 
the connection. So, any valid users that access that page will be 
redirected to the valid page and the bot will simply have it;s 
connection close. So, yes you still process all the connection, but the 
handling from the server is pretty small. Just a few bytes. Also, that 
same connection is logs into SQL server that I query from cron and add 
to PF each minutes. Yes I need to handle all the connections for that 
minute like you said, but the traffic is very minimal and before you 
know it, the source is block. Then I also have built my scripts to 
refresh the block IP's with time out, meaning that I wanted to be nice 
and the source IP's where block in incremental time each time they were 
process. So, if the source go away and was from a valid proxy from AOL 
for example, I wasn't going to loose the traffic for ever, but the 
traffic for the time of the attack. And in the end, all the connections 
that were following the redirect were process normally. That's because 
DDoS bot attack so far call URL via GET and doesn't check for the return 
code, so they were never going to the redirect new location and were 
block later on.


Now for crawlers that follow bad URL or attack bad URL, you can here as 
well put redirect to a different port.


Like a.b.c/follow.html would redirect to a.b.c:81/follow.html and then 
you simply use PF to add right away all source trying to connect to 
tcp/81 to your table and be done with them. That's also quick and simple 
to do as well.


Anyway, that's just some idea that are fast efficient and proved to work 
very well thank you.


I have more in place as well, ut if you do just these you will see light 
at the end of the tunnel.


Best,

Daniel

Re: login.conf

[Daniel Ouellet]

Toni Mueller wrote:

uppp I apparently didn't see that section because I didn't
re-read it. If that info is correct, then this "solves" it (hello
Daniel!).


Yes that information is correct and if done to the letter, you get it to 
do as you wish. Been tested and used for many years on pretty darn busy 
servers without a hiccup!

Inquiries about OpenBSD's wifi implementation

[DAAD DAAD]

Hi

I'm looking for information about various implementations of wifi in
operating systems. Mainly because I want to assist Syllable operating
system developers [syllable.org] (though I may not be able to
undertake such a feat, but the lack of developers forced me *hint
hint*)

And I've been told that the most consistent wifi implementation is
OpenBSD's, so I'm asking here:
o) How segregated is the wifi implementation from the kernel (module
or built in)?
o) Is there anything related to the wifi implementation beside
[/src/sys/net80211/]?
o) Who is the most knowledgeable about the implementation? (just in
case something is really obscure and can't be solved by code diving, I
won't spam him, honest)
o) Is there any extra documents that may help me?

Re: net.inet.ip.mforwarding?

[Claudio Jeker]

On Wed, Feb 07, 2007 at 01:04:59PM -0800, Jonathan Whiteman wrote:
> yes it is bridging not routing, and its a vpn (OpenVPN) bridge to
> complicate matters just a bit further.  a simplified diagram
> follows.  i've used actual device names here and indicated the
> bridged ones by enclosing them with { }
> 
>PUBLIC INTERNET
>   |  |
> --|-  ---|-
> |en0   |  | dc0   |
> |  |  |   |
> |firewall 2|  |firewall 1 |
> |  |  |   |
> |{en1 tun0}{tun1 sis0}|
> --|-  -|---
>   ||
> 192.168.254.0/24  192.168.248.0/21
> 

This is not a correct bridging setup. Bridging means that you are using
the same network on both sides of the bridge. This may also explain other
issues you have. Hosts on 192.168.254/24 can not reach 192.168.248.1
without an additional route.

AFAIK Apples bonjour service is multicast, includes the network address
and mask and has a TTL of 1. So multicast routing will not help.
This is especially true for the iTunes sharing.

-- 
:wq Claudio

Re: rsa remote auth

[Darren Tucker]

On Wed, Feb 07, 2007 at 06:49:59AM -0800, Lawrence Horvath wrote:
[...]
> and made sure of the file permissions
> ~/.ssh is 0700
> ~/.ssh/authorized_keys is 0600

Also make sure your home dir is not group or world writable.

If that's not it then take a look at the server-side debug output as
Stuart suggested upthread.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: missing isakmpd.fifo

[Dag Richards]

Toni Mueller wrote:

Hi Dag,

On Thu, 01.02.2007 at 08:37:01 -0800, Dag Richards <[EMAIL PROTECTED]> wrote:
locations. Yesterday I needed to add a tunnel, there was no 
/var/run/isakmpd.fifo ... odd says I. isakmpd had been running since mid 


The fifo was recreated, I could use it to control isakmpd. OK.

Today I look for isakmpd.fifo, it has disappeared again.


and nothing I do not expect to see.  I am not running out of disk space 
... anybody seen this before?


please check again using -i in order to find out whether you have
enough disk space.


Best,
--Toni++



hsdcert0:root:/root #df -i 

Filesystem  1K-blocks  Used Avail Capacity iused   ifree  %iused 
 Mounted on

/dev/sd0a 4126462 35180   3884960 1%2204  533602 0%   /
/dev/sd0e 103030244978744 0%  16  144238 0% 
  /home
/dev/sd0d 1030302 2978786 0%   1  144253 0% 
  /tmp
/dev/sd0f10318830391228   9411662 4%   13887 1305023 1% 
  /usr
/dev/sd0g16423486   1080606  14521706 7%3564 2077842 0% 
  /var



Nope plenty inodes too.

Re: net.inet.ip.mforwarding?

[Jonathan Whiteman]

Thank you both for your responses.  I have made this diagram
clearer because I sort of *am* using the same subnet on both
sides of the bridge... or at least that was my intent, but
obviously the address ranges have to be separate on both sides
of the bridge even though the netmasks need to be the same.

Perhaps with this further clarification one of you might be
able to explain to me what exactly I've done wrong here:


   |--PUBLIC INTERNET --|
   ||
 --|----|-
 |en0   || dc0   |
 |  ||   |
 |firewall 2||firewall 1 |
 |  ||   |
 |{en1 tun0}--{tun1 sis0}|
 |----|---
 ||
ip:   192.168.254.1   192.168.250.1
subnet:   255.255.248.0   255.255.248.0
network:  192.168.248.0   192.168.248.0
broadcast:192.168.255.255 192.168.255.255

So, sis0 (192.168.250.1) is the primary gateway (and dns server
actually) for all clients behind both firewalls.  The subnet
mask given to all clients as well as the physical devices sis0
on firewall 1 and en1 on firewall 2 is the same as well:
255.255.248.0.

Tun1 on firewall 1 (the openvpn server) does not
have any ip address however I *have* configured the
openvpn server to hand out 192.168.254.1 ONLY to the client
on firewall 2, so en1 and tun0 on firewall 2 both are
configured with the same ip address and subnet mask...
it seemed like I needed this for the actual bridge of en1 and
tun0 to behave but I won't claim that means I did it correctly
in the first place.

Thanks again in advance for everyone's time,
~jon

Re: Failed installation on HP ProLiant ML110 G4 (with dmesg)

[Ron Oliver]

On 2/7/07, Miod Vallat <[EMAIL PROTECTED]> wrote:

> > wd0 at pciide1 channel 0 drive 0: 
> > wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
> > wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
> > wd0: no disk label
> > dkcsum: wd0 matches BIOS drive 0x80
> ...
> > No disks found.

This is caused by the kernel dmesg being flooded with the axe error
messages.

The OP should try to boot -c, disable axe, and install without axe; this
should at least allow the installation to proceed.

Miod



Your command is my wish.  The install proceeded normally after that.
Thanks for the save, Miod!

Forgot to mention LONG wait after "Entry point at 0x200120".
Also long wait after "pckbc0 at isa0 port 0x60/5" and
"wskbd0 at pckbd0: console keyboard, using wsdisplay0".
The waits occurred even after disabling axe.

Rebooting (didn't disable axe) yields, after many axe0 messages:
ifmedia_match: multiple match for 0x20/0xfeff, selected instance 0
uvm_fault(0xd0767d20, 0x0, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at   usbd_probe_and_attach+0x242:movzbl  0x2(%eax),%eax
ddb>

I have to leave for an appointment right now, but will be back
(hopefully!) in an hour or so.  I can disable axe in boot_config; I'll
have no need for that device.  But do you anticipate any other related
issues before I put this into production?  Would you (or some other
developer) like access to the system when I get back?  I can leave it
at your disposal for a few days (and type as needed) if it will help
the cause.

I also have a 3Ware 8006-2LP and a pair of SATA disks to install in it
(for a RAID-1 configuration) as well once the base system is stable,
if that's of interest to anyone.

Thanks again,
--
Ron Oliver

Re: net.inet.ip.mforwarding?

[Jonathan Whiteman]

Sorry just for the sake of correctness:

em0 and em1 are the devices on firewall 2, not en0 and en1...
thats a typo.

Jonathan Whiteman wrote:

Thank you both for your responses.  I have made this diagram
clearer because I sort of *am* using the same subnet on both
sides of the bridge... or at least that was my intent, but
obviously the address ranges have to be separate on both sides
of the bridge even though the netmasks need to be the same.

Perhaps with this further clarification one of you might be
able to explain to me what exactly I've done wrong here:


   |--PUBLIC INTERNET --|
   ||
 --|----|-
 |en0   || dc0   |
 |  ||   |
 |firewall 2||firewall 1 |
 |  ||   |
 |{en1 tun0}--{tun1 sis0}|
 |----|---
 ||
ip:   192.168.254.1   192.168.250.1
subnet:   255.255.248.0   255.255.248.0
network:  192.168.248.0   192.168.248.0
broadcast:192.168.255.255 192.168.255.255

So, sis0 (192.168.250.1) is the primary gateway (and dns server
actually) for all clients behind both firewalls.  The subnet
mask given to all clients as well as the physical devices sis0
on firewall 1 and en1 on firewall 2 is the same as well:
255.255.248.0.

Tun1 on firewall 1 (the openvpn server) does not
have any ip address however I *have* configured the
openvpn server to hand out 192.168.254.1 ONLY to the client
on firewall 2, so en1 and tun0 on firewall 2 both are
configured with the same ip address and subnet mask...
it seemed like I needed this for the actual bridge of en1 and
tun0 to behave but I won't claim that means I did it correctly
in the first place.

Thanks again in advance for everyone's time,
~jon

Re: Dummy Interface In OpenBGPd

[demuel]

The thing is, after I creatd /etc/hostname.lo1 as stated and I tring to ping it 
from other devices
within that network, it is not reachable. I put network 10.83.66.128/32 in my 
/etc/bgpd.conf but
still I can only ping this interface from that host it is put in but not from 
the other host.

Some hints? Should I manually add a route to it in the kernel routing table?

> On Wed, Feb 07, 2007 at 12:07:56PM -, [EMAIL PROTECTED] wrote:
>> Does that categorically mean there is no way, as of the moment, in
>> openbgp to use a dummy interface just like in Quagga?
>>
>
> There are no dummy interfaces. If you like to use a loopback interface
> create one.
>
> # cat > /etc/hostname.lo1
> inet 10.83.66.128 255.255.255.255 NONE
> # sh /etc/netstart lo1
>
> That's it. You have a loopback address that can be used in bgpd.
>
> neighbor 10.83.66.164 {
>   remote-as 65123
>   local-address 10.83.66.128
> }
>
> I guess that's what you are looking for. bgpd does not realy care about
> interfaces. Interfaces and their link state are only used to figure out
> the availability of nexthops.
>
> Btw. for ospfd you can use "interface lo1" to reliably redistribute the
> loopback address.
>
> --
> :wq Claudio
>
>> > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 12:31]:
>> >> As I read the openbgpd documentation, there is not a single point wherein 
>> >> in the examples a
>> >> dummy
>> >> interface is being used. Is a dummy interface supported in OpenBGP?
>> >
>> > -vvv :)
>> >
>> > from bgpd's perspective, an interface is an interface, mostly.
>> >
>> > --
>> > Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
>> > BS Web Services, http://bsws.de
>> > Full-Service ISP - Secure Hosting, Mail and DNS Services
>> > Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

Re: net.inet.ip.mforwarding?

[Jussi Peltola]

As far as I can see, for the broadcast protocols to work you need to use
the same subnet in both ends. The way I set a similar system up some
time ago was as follows:

| Public Network ---|
|   |
|---|-|||-|
|eth0 (w.x.y.z)   || eth0 (a.b.c.d)   |
| ||  |
|  gw.site1.company.com   ||  gw.site2.company.com|
| ||  |
|  br0 { eth1 tap0 }  ||  br0 { eth1 tap0 }   |
|-|---||-||
  |  |
 10.74.2.0/24   10.74.2.0/24
 Subnet of Redmond boxesSmall remote subnet 
 DHCP server, etc.  Client Redmond boxes

The important part here is that both sides are on the same subnet.
Note that OpenVPN isn't really configured with any IP addresses at all
(except the peer's) since it operates on the Ethernet level.
Redmond broadcasts to 10.74.2.255 will go over the bridge, as will DHCP
requests, since they are both also Ethernet broadcasts.
Some firewalling was also involved, but since it was done using the
ethX OS I'd rather forget all about it...

And yes, I've since gotten rid of both Redmond and the ethX OS, and also
bridging, since the need disappeared with the Redmonds, so I might have
forgotten things along the way.

-- 
Jussi Peltola

Re: net.inet.ip.mforwarding?

[Jussi Peltola]

On Wed, Feb 07, 2007 at 02:46:57PM -0800, Jonathan Whiteman wrote:
> Thank you both for your responses.  I have made this diagram
> clearer because I sort of *am* using the same subnet on both
> sides of the bridge... or at least that was my intent, but
> obviously the address ranges have to be separate on both sides
> of the bridge even though the netmasks need to be the same.

There mustn't be duplicate addresses, of course, but the client
machines on both sides need to use the same subnet mask and have
addresses in the same subnet.

> Tun1 on firewall 1 (the openvpn server) does not
> have any ip address however I *have* configured the
> openvpn server to hand out 192.168.254.1 ONLY to the client
> on firewall 2, so en1 and tun0 on firewall 2 both are
> configured with the same ip address and subnet mask...
> it seemed like I needed this for the actual bridge of en1 and
> tun0 to behave but I won't claim that means I did it correctly
> in the first place.

Bridging should work without any addresses specified at all.
Try changing the hostname.if config to "up" instead of an IP address
unless you need an IP address to manage the machine. Having the same IP
on two interfaces bridged together might work but isn't very logical.
In any case since it is bridging, the addresses shouldn't matter...

You might also want to change the setup so that the clients behind
firewall 2 use firewall 2's address as the default gateway, so you don't
connect to the rest of the world through the VPN (unless that is what
you want for some reason). Even then only en1 should be configured with
an IP address and the tun should just be left "link0 up". I doubt the
bridge functionality depends on the addresses, it must be something
else.

You might want to try broadcast pinging in one network, preferably
from a machine that is not the firewall and using tcpdump to see
where the packets disappear (adding "log" to the default block
rule helps).

Please help with routing

[eject]

Hi all I have troubles with routing between my VPN servers (using
openvpn and tun pseudo-devices) in 3
offices. Problem desc: I can't ping hosts in 192.168.1.0/24 network in
office3 (pings don't go to 10.1.0.1 and 192.168.2.0/24 -> 192.168.1.0/24).

Ping probes work fine between another internal networks to
192.168.2.0/24.

When run on router in office2 "tcpdump -i tun2" (interface to office1)
and "ping 192.168.1.1" I see ping requests to  ping 192.168.1.1 on
tcpdump output, but no ping reply.

===

office1  <-> office2 <>  office3

##
10.1.0.1 <--> 10.1.0.2 -+- 10.8.0.1 <-> 10.8.0.2
   ||   |
192.168.1.0/24   192.168.197.0/24192.168.2.0/24
###


 Office1
rl1:  inet 192.168.1.254 netmask 0xff00 broadcast 192.168.1.255
  description: Internal interface
tun0: inet 10.1.0.1 --> 10.1.0.2 netmask 0x
  description: office2 interface

# netstat -rn -f inet
Routing tables

Internet:
DestinationGatewayFlagsRefs  Use  Netif Expire
10.1.0.2   10.1.0.1   UH  2  237   tun0
192.168.1  link#2 UC  00rl1
192.168.2  10.1.0.2   UGS 09   tun0
192.168.19710.1.0.2   UGS 01   tun0

 Office2 
rl1:  inet 192.168.197.1 netmask 0xff00 broadcast 192.168.197.255
  description: Internal interface
tun1: inet 10.8.0.1 --> 10.8.0.2 netmask 0x 
  description: office1 interface
tun2: inet 10.1.0.2 --> 10.1.0.1 netmask 0x
  description: office2 interface

# netstat -rn -f inet
Routing tables

Internet:
DestinationGatewayFlagsRefs  UseMtu  Interface
10.1.0.1   10.1.0.2   UH  10  -   tun2
10.8.0.2   10.8.0.1   UH  2 1796  -   tun1
192.168.1/24   10.1.0.1   UGS 1  165  -   tun2
192.168.2/24   10.8.0.2   UGS 0   10  -   tun1

 Office3 

rl1:  inet 192.168.2.254 netmask 0xff00 broadcast 192.168.2.255
  description: Internal interface
tun1: inet 10.8.0.2 --> 10.8.0.1 netmask 0x
  description: office2 interface

netstat -rn -f inet
Routing tables

Internet:
DestinationGatewayFlags Refs UseMtu  Interface
default10.8.0.1   UGS 2 9489  -   tun1
10.8.0.1   10.8.0.2   UH  3 2059  -   tun1
192.168.2/24   link#2 UC  10  -   rl1
192.168.2.10:13:d4:d1:3f:f1   UHLc09  -   rl1

===

Lot of thanks. I waiting for your answers!

Re: Dummy Interface In OpenBGPd

[Stuart Henderson]

On 2007/02/07 22:54, [EMAIL PROTECTED] wrote:
> Some hints? Should I manually add a route to it in the kernel routing table?

If you're going to use static routes, you might as well use an address
on an normal interface... it's only worth configuring BGP on a loopback address
if you have an IGP to redistribute that address into.

(interesting. this prompted me to read lo(4) and learn it has a link1 flag,
well you learn something new every day..!)

Re: Please help with routing

[Jussi Peltola]

>  Office3 
> 
> rl1:  inet 192.168.2.254 netmask 0xff00 broadcast 192.168.2.255
>   description: Internal interface
> tun1: inet 10.8.0.2 --> 10.8.0.1 netmask 0x
>   description: office2 interface
> 
> netstat -rn -f inet
> Routing tables
> 
> Internet:
> DestinationGatewayFlags Refs UseMtu  Interface
> default10.8.0.1   UGS 2 9489  -   tun1
> 10.8.0.1   10.8.0.2   UH  3 2059  -   tun1
> 192.168.2/24   link#2 UC  10  -   rl1
> 192.168.2.10:13:d4:d1:3f:f1   UHLc09  -   rl1

You lack routes here. 
Add 192.168.197.0/24 with gateway 10.8.0.1 and 192.168.1.0/24 with
gateway 10.8.0.1. The default route through the VPN looks like a routing
loop (the VPN packets cannot go through the VPN). Either that or you
omitted some of the routing table.

Re: rsa remote auth

[Lawrence Horvath]

Ahh ok there we go,
It was a permissions issue on ~/ i had read and write set for group,
changed it to 0700, its now working



On 2/7/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:

On 2007/02/07 06:49, Lawrence Horvath wrote:
> and made sure of the file permissions
> ~/.ssh is 0700
> ~/.ssh/authorized_keys is 0600

run sshd -d -p some_port (unless you want to disturb your main daemon
on port 22) and watch the screen output while you connect.





--
-Lawrence
-Student ID 1028219
-CCNA

Master ${SKIPDIR} manifest (fwd)

[Brian A. Seklecki]

Here's an initial attempt:

http://people.collaborativefusion.com/~seklecki/bsd-appliance/obsd_mkconf_subsys_prune_skipdir.txt

And w/o comments:

http://people.collaborativefusion.com/~seklecki/bsd-appliance/obsd_mkconf_subsys_prune_skipdir_nc.txt

This initial (and far from comprehensive) attempt reduces build sizes:

# du -hs /usr/obj/ /usr/destdir /usr/releasedir/
475M/usr/obj/
243M/usr/destdir
104M/usr/releasedir/


(Down from the usual 850m+ obj/, etc.)

~BAS

-- Forwarded message --
Date: Mon, 5 Feb 2007 01:06:07 -0500 (EST)
From: Brian A. Seklecki <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: Master ${SKIPDIR} manifest

Is anyone maintaining a ${SKIPDIR} manifest?  A master list of source 
directories, organized logically by subsystem?  Something to match the variety 
of make.conf(5)/mk.conf(5) knobs in other systems?


l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
   http://www.spiritual-machines.org/

Fn problem

[ronald jiang]

a. In ksh without X, in emacs, when I press Fn, it becomes F(n-1).
b. And the meta is esc, how to map it to alt. When esc mapped to meta, I 
have to release it first before typing the next key of the binding keys. 
But I would like it to work only when pressing.


In X, everything is ok, but the default font is not good. I'm new to unix, 
and don't know how to custumize.


-- ibm t30, obsd 4.0, emacs22

Re: Decent 2d performance with ATI FireGL 5200?

[gklok]

On Wed, Feb 07, 2007 at 12:07:16AM -0500, Allan Wind wrote:
> Is there a way to get decent 2d performance with an ATI FireGL 5200?
No its based on the Radeon X1600, it has no 2D acceleration core at all,
and of course ATI does not release the documentation to write drivers
for the 3D bits.

See:
http://dri.freedesktop.org/wiki/ATIRadeon
"All radeons have open source 2D support. Note that R500 series chips
(X1300, X1800 etc) do not have a Radeon 2D core, so are only supported
by the vesa driver (no acceleration)."

> VESA in 1920x1200 is too slow for me.
> The ati or radeon drivers give me "(EE) No devices detected.", and the
> driver list in /var/log/Xorg.0.log does not show the card.
> fglrx is not an option either, right?  
Hell no, and never will be, unless ATI were to give the source to X.org
under the right license.

>Porting seems under way for
> FreeBSD (http://www.fglrx-freebsd.com/index.php), but I am not sure if
> that helps me.
Not unless you use FreeBSD, they like blobs we dont.

> /Allan