For you or someone you know
Hello, We hope the following information will be useful to you or, failing that, to someone you know. Did you know that there is public financial aid for business development for which you may be eligible? To help you, we organise: information meetings on business development and on public subsidies, and themed workshops to make certain stages of your sales even more effective. To find out more: if the links you received do not work, you can reach the information on subsidies, information meetings and workshops via the site www.optivente.com. Do not hesitate to contact us. All the best in your activities. Regards, Thierry CRAYE, Manager, OptiVente, 01 46 89 07 32. You are receiving this e-mail because, unless we are mistaken, you are involved in commercial activities. If this e-mail does not concern you, please accept our apologies; you can unsubscribe from our information mailings: [EMAIL PROTECTED]
Supermicro retailer
Hi all, Does anyone know of a reliable online retailer that sells Supermicro motherboards and ships internationally? Courier shipping is essential. I'm resident in South Africa and would like the minimum amount of hassle and back-and-forth shipping fees, etc. Thanks in advance -- This e-mail and its contents are subject to AfriGIS PTY Limited e-mail disclaimer at http://www.afrigis.co.za/eMailDisclaimer --
Re: SSH client (putty) hangs after name/password login
Hello Frank,

DNS resolving works fine :-) On the outside (internet) the system can resolve the IP address I am coming from via public DNS servers. tcpdump gives me the correct hostname/IP address when the logon happens. The resolv.conf has 2 external DNS servers and 1 internal one for internal resolving. But just to be sure I added my own PC (hostname) into the hosts file... Pinging the name resolves OK... makes no difference. Remember, if I log on locally (from the LOCAL network, that is, not on the console) it works fine.

Also, I changed the SSHD.CONF with the "useDNS NO" parameter. So it will not try to resolve with that parameter active (at least, that's what it does, I think). I have no problem logging in... but after I press ENTER on the password... it freezes... ps -x shows me being logged in, however...

- If this is an MTU issue... then that would not explain that I cannot log on via the tunnel:

MYPC <172.17.21.1> ---> VPNBOX (OBSD3.8) <=Tunnel==> VPNBOX (OBSD3.8) <192.168.80.103>
SSHClient > SSHD

The SSH traffic is then encapsulated into the VPN stream like all other traffic (mainly RDP/ICA). Those other protocols have no problems (and use, I think, much bigger packets than SSH).

-----Original message-----
From: Frank Bax [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 6 February 2007 15:56
To: misc@openbsd.org
Subject: Re: SSH client (putty) hangs after name/password login

At 09:03 AM 2/6/07, forums wrote:
>I get the logon prompt, give my name+password and then the SSH just
>sits there...
>Nothing happens anymore...(after a while it times out)

http://openbsd.org/faq/faq8.html#RevDNS
Re: SSH client (putty) hangs after name/password login
Hello Dag,

"nohup kill -HUP pid-of-sshd-listener-process should get it for you or if you are really (justifiably) paranoid a little temporary cron that will restart sshd if not running, or in five minutes."

OK, I will first set this up on a test machine... thing is, as logging on from the local LAN gives no problem... will it show anything... OK, we won't know if I don't trace... :-)

-----Original message-----
From: Dag Richards [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 6 February 2007 17:06
To: misc@openbsd.org
Subject: Re: SSH client (putty) hangs after name/password login

Brian A. Seklecki wrote:
>> Hello Brian,
>>
>> Not quite sure what you mean with pstree... don't know the command and
>> no 'man pstree' on my 3.8 system..?
>
> It's in the psmisc/ package
>
>> Note that I have no problems logging into the system while on the local
>> network (doing this via a PC that I remotely manage). When I do a SSH
>> session (via the VPN tunnel) on the INSIDE
>> of the OBSD box, I get the same problem (using the same account).
>
> Okay I must be asleep again. I thought we eliminated pf(4) as the
> problem. Technically if you can negotiate a 3-way handshake and
> establish the TCP socket, MTU should be a non-issue.
>
> What about "netstat -s". Anything suspicious (grep -i drop) for
> sections esp: tcp: ip: icmp: etherip:
>
> If you have access via the LAN, what about tcpdump(8) on the tun(4)
> interface?
>
>> is
>> not the case locally
>
>
>> Problem here is that this system is 900Km away... if I would stop the
>> SSHD (so I could
>
> Normally I'd say to you "Oh you're fine with pkill -HUP sshd"; but
> that's because I'm accustomed to out-of-band management like DRAC and
> mgetty >:}

nohup kill -HUP pid-of-sshd-listener-process should get it for you or if
you are really (justifiably) paranoid a little temporary cron that will
restart sshd if not running, or in five minutes.

>
> ~BAS
>
>> restart it with debug options) I will not be able to reach it anymore
>> :-(
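The MTU question in this thread is left open. A completed TCP handshake does not rule MTU out: SYN and ACK segments are tiny, so they cross a tunnel that silently drops full-size packets, and the session then stalls on the first large segment the server sends after authentication, which is exactly the symptom described. The script below is an added example, not something posted in the thread: it binary-searches the largest ICMP payload that gets through with the Don't Fragment bit set, which quickly tells you whether a tunnel is swallowing large packets. It assumes OpenBSD ping(8) flags (-D for DF, -s for payload size, -w for the wait timeout); adjust ping_df for other ping implementations.

```shell
#!/bin/sh
# Added example (not from the thread): find the path MTU towards HOST by
# binary search over ICMP echo payload sizes sent with DF set.
#
#   probe_pmtu HOST LOW HIGH PROBE
#
# PROBE is a command run as "PROBE HOST SIZE" that exits 0 when a SIZE-byte
# payload with DF set gets an answer.  ping_df is the real probe; tests can
# substitute a fake one.  LOW/HIGH bound the payload sizes to try.

# OpenBSD ping: -D sets DF, -s payload bytes, -c count, -w seconds to wait
# (assumed flags; Linux iputils uses "-M do" instead of -D).
ping_df() {
    ping -c 1 -w 2 -D -s "$2" "$1" >/dev/null 2>&1
}

# Prints the path MTU (payload + 20 bytes IP + 8 bytes ICMP) and returns 0;
# returns 1 without output when even LOW does not get through.
probe_pmtu() {
    host=$1; lo=$2; hi=$3; probe=$4

    "$probe" "$host" "$lo" || return 1          # path broken even at LOW
    if "$probe" "$host" "$hi"; then             # HIGH already fits
        echo $((hi + 28)); return 0
    fi

    # Invariant: lo passes, hi fails.  Narrow until they are adjacent.
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid
        else
            hi=$mid
        fi
    done
    echo $((lo + 28))
}

# Stand-alone use:  sh pmtu.sh 192.168.80.103   (needs the real network)
# 1472 is the largest payload that fits an untouched 1500-byte Ethernet MTU.
if [ $# -eq 1 ]; then
    probe_pmtu "$1" 500 1472 ping_df || echo "no reply even at 500 bytes" >&2
fi
```

Run it from the client towards the far end of the tunnel: a result noticeably below 1500 with no ICMP "need to fragment" messages visible in tcpdump(8) on the tunnel interface is a PMTU blackhole, and the usual fix is to lower the MTU on the tunnel interface (or clamp TCP MSS in pf) rather than to touch sshd.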
Re: missing isakmpd.fifo
Hi Dag, On Thu, 01.02.2007 at 08:37:01 -0800, Dag Richards <[EMAIL PROTECTED]> wrote: > locations. Yesterday I needed to add a tunnel, there was no > /var/run/isakmpd.fifo ... odd says I. isakmpd had been running since mid > > The fifo was recreated, I could use it to control isakmpd. OK. > > Today I look for isakmpd.fifo, it has disappeared again. > and nothing I do not expect to see. I am not running out of disk space > ... anybody seen this before? please check again using -i in order to find out whether you have enough disk space. Best, --Toni++
Re: remove sendmail/install postfix
Hi, On Sat, 03.02.2007 at 21:26:36 +0100, Andreas Maus <[EMAIL PROTECTED]> wrote: > But the mailwraper provides a more generic way for > OpenBSD to use mail without dealing much about > the uses mail system. (sendmail,postfix,exim,qmail, ...) this is probably correct (or that's what it was created for), but I have yet to overcome my inertia against implementing this, for marginal benefit. Best, --Toni++
Re: remove sendmail/install postfix
* Toni Mueller <[EMAIL PROTECTED]> [2007-02-07 11:55]: > On Sat, 03.02.2007 at 21:26:36 +0100, Andreas Maus <[EMAIL PROTECTED]> wrote: > > But the mailwraper provides a more generic way for > > OpenBSD to use mail without dealing much about > > the uses mail system. (sendmail,postfix,exim,qmail, ...) > > this is probably correct (or that's what it was created for), but I > have yet to overcome my inertia against implementing this, for marginal > benefit. well then you keep making up more (useless) work for yourself, while everybody else enjoys the elegance of mailwrapper. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
login.conf
Hello, I'd like to adjust the default limits for an account via login.conf(5) and adding the appropriate class entry to the affected account in the password file. Specifically, I want this to configure the resource limits for a MySQL server. Will this work? The man page mumbles something about "login and some other programs" which will make use of the class entry, but I was unable to figure out which programs exactly will obey or ignore these class entries. I could also manually place a number of 'ulimit' statements in the start script but would prefer to do it with login.conf. Btw, I seem to have 368 tables (to forestall the '29 tables' argument)... Any ideas, please? Best, --Toni++
Re: remove sendmail/install postfix
On Wed, 7 Feb 2007 11:49:07 +0100, Toni Mueller wrote: >Hi, > >On Sat, 03.02.2007 at 21:26:36 +0100, Andreas Maus <[EMAIL PROTECTED]> wrote: >> But the mailwraper provides a more generic way for >> OpenBSD to use mail without dealing much about >> the uses mail system. (sendmail,postfix,exim,qmail, ...) > >this is probably correct (or that's what it was created for), but I >have yet to overcome my inertia against implementing this, for marginal >benefit. Hell, that's funny. I installed the postfix package and used the recommended (and supplied) script to make postfix the default mailer. There is one to switch back. Apart from that there was only (IIRC) one manual thing to do: change the queue-runner or something like that. So easy I forget: no pain = no brain (storing horror tales). Trivial for me and I thought that I had a very large inertia to mass ratio as I only weigh in at 66.x kg. 8-)) Anyway jakob@ has (for me) done a fine job of making it painless. R/ From the land "down under": Australia. Do we look from up over?
Dummy Interface In OpenBGPd
Hi, As I read the openbgpd documentation, there is not a single point where in the examples a dummy interface is being used. Is a dummy interface supported in OpenBGP? Regards, Demuel
Re: login.conf
On Wed, Feb 07, 2007 at 12:00:13PM +0100, Toni Mueller wrote:
> Hello,
>
> I'd like to adjust the default limits for an account via login.conf(5)
> and adding the appropriate class entry to the affected account in the
> password file. Specifically, I want this to configure the resource
> limits for a MySQL server. Will this work?
>
> The man page mumbles something about "login and some other programs"
> which will make use of the class entry, but I was unable to figure out
> which programs exactly will obey or ignore these class entries. I could
> also manually place a number of 'ulimit' statements in the start script
> but would prefer to do it with login.conf.

Starting something from rc.local or from a script you can use su(1)'s "-c" to specify the login class. For instance...

# su -c mysql root -c '/usr/local/bin/mysqld_safe >/dev/null'

You will still want to tweak up a my.cnf to use the new limits.

-- 
Darrin Chandler | Phoenix BSD Users Group
[EMAIL PROTECTED] | http://bsd.phoenix.az.us/
http://www.stilyagin.com/darrin/ |
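A class entry to go with Darrin's su(1) line, added here as an illustration rather than taken from the thread or from the openbsdsupport.org page; the class name follows his command, and the limit values are assumptions to be tuned against the server's my.cnf:

```conf
# Added example for /etc/login.conf: a login class for the MySQL server.
# Values are illustrative; "-cur" is the soft limit a process starts with,
# "-max" the hard limit it may raise itself to.  tc=daemon inherits the
# rest from the stock daemon class.
mysql:\
	:datasize-cur=512M:\
	:datasize-max=1024M:\
	:openfiles-cur=2048:\
	:openfiles-max=4096:\
	:maxproc-cur=256:\
	:maxproc-max=512:\
	:stacksize-cur=8M:\
	:tc=daemon:
```

Which programs honour it is the point Toni was unsure about: login classes are applied by setusercontext(3), which login(1), su(1) and sshd call when they set up a session; a start script that simply execs the daemon from rc.local does not, which is why the `su -c mysql` form is needed there. After editing, run `cap_mkdb /etc/login.conf` if /etc/login.conf.db exists on the system (login.conf(5) says the database takes precedence when present), and the class can also be bound to the account itself with `usermod -L mysql _mysql` or by editing the class field with vipw(8).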
Re: Dummy Interface In OpenBGPd
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 12:31]: > As I read the openbgpd documentation, there is not a single point wherein in > the examples a dummy > interface is being used. Is a dummy interface supported in OpenBGP? -vvv :) from bgpd's perspective, an interface is an interface, mostly. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Dummy Interface In OpenBGPd
On 2007/02/07 11:24, [EMAIL PROTECTED] wrote: > As I read the openbgpd documentation, there is not a single point wherein > in the examples a dummy interface is being used. Is a dummy interface > supported in OpenBGP? Do you mean 'loopback interface'? Works just fine (certainly to an alias on lo0, I assume a single address on lo1, lo2 etc would likewise not be a problem).
Re: login.conf
On 2007/02/07 12:00, Toni Mueller wrote: > I'd like to adjust the default limits for an account via login.conf(5) > and adding the appropriate class entry to the affected account in the > password file. Specifically, I want this to configure the resource > limits for a MySQL server. Will this work? Yes, see http://www.openbsdsupport.org/mysql.htm
Re: Dummy Interface In OpenBGPd
Yeah a loopback just like in Quagga or in Cisco. > On 2007/02/07 11:24, [EMAIL PROTECTED] wrote: >> As I read the openbgpd documentation, there is not a single point wherein >> in the examples a dummy interface is being used. Is a dummy interface >> supported in OpenBGP? > > Do you mean 'loopback interface'? Works just fine (certainly to an alias > on lo0, I assume a single address on lo1, lo2 etc would likewise not be a > problem).
Re: Dummy Interface In OpenBGPd
Does that categorically mean there is no way, as of the moment, in openbgp to use a dummy interface just like in Quagga? > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 12:31]: >> As I read the openbgpd documentation, there is not a single point wherein in >> the examples a >> dummy >> interface is being used. Is a dummy interface supported in OpenBGP? > > -vvv :) > > from bgpd's perspective, an interface is an interface, mostly. > > -- > Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] > BS Web Services, http://bsws.de > Full-Service ISP - Secure Hosting, Mail and DNS Services > Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: HTTP URL filtering?
I use mod_security for filtering. Take a look at http://www.modsecurity.org/ You can find it in the ports system under www/mod_security Good luck Andrei GUDIU Xavier Mertens wrote: Hi *, I've a problem with an Apache web server hit by f*cking spammers... I would like to filter some URLs (unused but still used by the bots) *BEFORE* they reach the httpd processes. What could be the best method? pf? something else? Thanks! Xavier
Re: Dummy Interface In OpenBGPd
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 13:14]: > Yeah a loopback just like in Quagga or in Cisco. loopback interfaces are pseudo-interfaces. and as I said, interfaces are just interfaces for bgpd. pseudo or real, there is no real difference. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Dummy Interface In OpenBGPd
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 13:11]: > Does that categorically mean there is no way, as of the moment, in openbgp to > use a dummy > interface just like in Quagga? well, you have to be more explicit. pseudo-interfaces are just interfaces. there is no visible difference for bgpd. you still didn't say what you actually want. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
qlogic QLA4050C or QLA4052C
is there a developer who's interested in writing a driver for that product? It's an iSCSI Host Bus Adapter: http://www.qlogic.com/products/iscsi_products_hba.asp Our Institute would donate the required hardware and I will try to get free programming documentation (though I am not too optimistic with qlogic). Please let me know off list.
-- 
Stephan A. Rickauer
---
Institute of Neuroinformatics, University / ETH Zurich
Winterthurerstrasse 190, CH-8057 Zurich
Tel +41 44 635 30 50, Sec +41 44 635 30 52, Fax +41 44 635 30 53
Web www.ini.unizh.ch
RSA public key: https://www.ini.uzh.ch/~stephan/pubkey.asc
---
Re: Dummy Interface In OpenBGPd
On 2007/02/07 12:07, [EMAIL PROTECTED] wrote: > Does that categorically mean there is no way, as of the moment, in openbgp to > use a dummy > interface just like in Quagga? there categorically *is* a way, set up /32 address on a lo interface, and use that as local-address in bgpd.conf, making sure the other hosts have a way to reach it (e.g. announce the /32 into OSPF). quite useful for i-bgp sessions and it's pretty much the same way you'd do this elsewhere. there is nothing particularly special about the lo* interfaces, just configure them as normal (hostname.lo0, hostname.lo1, etc).
Re: Dummy Interface In OpenBGPd
On Wed, Feb 07, 2007 at 12:07:56PM -, [EMAIL PROTECTED] wrote:
> Does that categorically mean there is no way, as of the moment, in
> openbgp to use a dummy interface just like in Quagga?
>

There are no dummy interfaces. If you like to use a loopback interface create one.

# cat > /etc/hostname.lo1
inet 10.83.66.128 255.255.255.255 NONE
# sh /etc/netstart lo1

That's it. You have a loopback address that can be used in bgpd.

neighbor 10.83.66.164 {
	remote-as 65123
	local-address 10.83.66.128
}

I guess that's what you are looking for. bgpd does not really care about interfaces. Interfaces and their link state are only used to figure out the availability of nexthops.

Btw. for ospfd you can use "interface lo1" to reliably redistribute the loopback address.

-- 
:wq Claudio

> > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 12:31]:
> >> As I read the openbgpd documentation, there is not a single point wherein
> >> in the examples a dummy
> >> interface is being used. Is a dummy interface supported in OpenBGP?
> >
> > -vvv :)
> >
> > from bgpd's perspective, an interface is an interface, mostly.
> >
> > --
> > Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> > BS Web Services, http://bsws.de
> > Full-Service ISP - Secure Hosting, Mail and DNS Services
> > Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: ospfd participating in a stub area
On Tue, Feb 06, 2007 at 11:09:45PM -0500, Nick Davey wrote: > The passive keyword will advertise a network as a stub area, however as > the interface is passive it cannot form a neighbor relationship with any > other router in that area, or on that interface. From the man pages it > would appear there is no way to specify an area as stub however Claudio > or Henning would be able to help you out more than I would. > Stub areas have nothing to do with passive interfaces. A stub area is an area that does not get flooded with AS-external LSA. This is used to allow crappy routers with limited memory into larger networks. Ospfd does currently not support stub areas. We did not consider them important enough to be something that had to be implemented ASAP. Some bits are present but more work is needed and it is on the todo list. -- :wq Claudio > Best Regards, > Nick > > Lars Hansson wrote: > >Nigel Roberts wrote: > >>Is it possible to configure an area in ospfd.conf to be a stub area? > > > >Yes, use the "passive" option. It's in the ospfd.conf man page. > > > > > >--- > >Lars Hansson
Re: ospfd participating in a stub area
On Wednesday 07 February 2007 00:53, Nigel Roberts wrote: > Is it possible to configure an area in ospfd.conf to be a stub area? > > I have an area where all particpating routers (ciscos) are configured > to treat it as a stub ie. > > router ospf 1234 > ... > area 1 stub > ... What exactly is the purpose of this? Is it some cisco trick to save memory or does it have a real purpose? Normally when routers form adjacency the network is not considered a stub network any more, hence it can be used to forward traffic. /Esben
Re: Dummy Interface In OpenBGPd
I have 4 machines running OpenBSD-stable and it used some AS in the 64512-65535 range. Now, two of these machines will be eventually connected to two different AS, say obsd1 to AS 64512 and obsd2 to 64513, while these four machines fall under one AS, say 64513. From my readings in the published article of Claudio Jeker, it appears to me that this setup is for a fully-redundant architecture wherein there could be no single point of failure. I want to experiment with creating dummy interfaces under such topology just like in Quagga. > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 13:11]: >> Does that categorically mean there is no way, as of the moment, in openbgp >> to use a dummy >> interface just like in Quagga? > > well, you have to be more explicity. > pseudo-interfaces are just interfaces. there is no visible difference > for bgpd. > > you still didn't say what you actually want. > > -- > Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] > BS Web Services, http://bsws.de > Full-Service ISP - Secure Hosting, Mail and DNS Services > Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
patch for src/etc/skel/dot.cshrc
Hello. This patch removes the -g option from src/etc/skel/dot.cshrc. The reason I am suggesting this change is that -g "does nothing; [it is] kept for compatibility with older versions of ls" (source: ls(1)); so this option is superfluous on this alias. If it is better opening a problem report, I will do it. But I suppose that someone on this mailing list will probably want to discuss this change. I hope OpenBSD developers will like this patch; if not, feel free to drop it. Cheers, Igor. --- dot.cshrc Wed Feb 16 07:56:57 2005 +++ dot.cshrc Wed Feb 7 13:50:20 2007 @@ -9,7 +9,7 @@ alias jjobs -l alias la ls -a alias lf ls -FA -alias ll ls -lgsA +alias ll ls -lsA alias tset 'set noglob histchars=""; eval `\tset -s \!*`; unset noglob histchars' alias zsuspend
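Review bot: the diff carries no path (`--- dot.cshrc` / `+++ dot.cshrc`), so it only applies with patch(1) run from inside src/etc/skel; regenerating it with `cvs diff -u` from the top of the tree gives headers others can apply with `patch -p0` from /usr/src, which is the form tech@ and sendbug expect. The only justification for the change is the ls(1) sentence quoted in the mail, so say which ls(1) revision it comes from, and check whether the same `ls -lgsA` alias appears in the other dot.cshrc copies under etc (root's, for one) so they are changed in the same diff rather than left to diverge from skel.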
Re: Dummy Interface In OpenBGPd
Can this loopback interface be used as a sort of router-id just like in Quagga? Do I need to add routes for this IP address reachable elsewhere in my network? > On Wed, Feb 07, 2007 at 12:07:56PM -, [EMAIL PROTECTED] wrote: >> Does that categorically mean there is no way, as of the moment, in >> openbgp to use a dummy interface just like in Quagga? >> > > There are no dummy interfaces. If you like to use a loopback interface > create one. > > # cat > /etc/hostname.lo1 > inet 10.83.66.128 255.255.255.255 NONE > # sh /etc/netstart lo1 > > That's it. You have a loopback address that can be used in bgpd. > > neighbor 10.83.66.164 { > remote-as 65123 > local-address 10.83.66.128 > } > > I guess that's what you are looking for. bgpd does not realy care about > interfaces. Interfaces and their link state are only used to figure out > the availability of nexthops. > > Btw. for ospfd you can use "interface lo1" to reliably redistribute the > loopback address. > > -- > :wq Claudio > >> > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 12:31]: >> >> As I read the openbgpd documentation, there is not a single point wherein >> >> in the examples a >> >> dummy >> >> interface is being used. Is a dummy interface supported in OpenBGP? >> > >> > -vvv :) >> > >> > from bgpd's perspective, an interface is an interface, mostly. >> > >> > -- >> > Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] >> > BS Web Services, http://bsws.de >> > Full-Service ISP - Secure Hosting, Mail and DNS Services >> > Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Dummy Interface In OpenBGPd
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 14:08]: > I want to experiment with creating dummy interfaces under such topology just > like in Quagga. this doesn't lead anywhere, really. I don't know what "dummy interfaces .. just like in quagga" are, and, moreover, it is completely unclear what you want to accomplish. you probably just want a loopback interface, but that is a guess. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Dummy Interface In OpenBGPd
What i want to accomplish and wanted to do is to be able to use such an interface when all the NIC on my machines are alloted for BGP. > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 14:08]: >> I want to experiment with creating dummy interfaces under such topology just >> like in Quagga. > > this doesn't lead anywhere, really. > I don't know what "dummy interfaces .. just like in quagga" are, and, > moreover, it is completely unclear what you want to accomplish. > > you probably just want a loopback interface, but that is a guess. > > -- > Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] > BS Web Services, http://bsws.de > Full-Service ISP - Secure Hosting, Mail and DNS Services > Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Dummy Interface In OpenBGPd
On Wed, Feb 07, 2007 at 01:08:31PM -, [EMAIL PROTECTED] wrote: > Can this looback interface be used as a sort of router-id just like in > Quagga? Do I need to add routes for this IP address reachable elsewhere > in my network? Yes the IP needs to be reachable from elsewhere in your network -- unless you don't want to use it and you can use the IP as your router-id -- that's what the router-id keyword is used for (actually you can use almost anything as router-id). -- :wq Claudio
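Putting Claudio's two answers together, as an added example that is not from the thread (addresses and AS numbers are invented): the lo1 address serves as router-id and as the iBGP local-address, and ospfd announces the /32 so the peer has a route to it. The `passive` on lo1 is my choice, so ospfd announces the prefix without trying to form an adjacency over the loopback.

```conf
# /etc/hostname.lo1  (added example; the /32 is an invented address)
inet 10.83.66.128 255.255.255.255 NONE

# /etc/bgpd.conf  (added example; AS and peer address are invented)
AS 65000
router-id 10.83.66.128          # the loopback address doubles as router-id
listen on 10.83.66.128          # accept iBGP sessions on the loopback only

neighbor 10.83.66.164 {
	descr		"ibgp-peer-2"
	remote-as	65000           # same AS: an iBGP session
	local-address	10.83.66.128    # source the TCP session from lo1
}

# /etc/ospfd.conf  (added example)
router-id 10.83.66.128
area 0.0.0.0 {
	interface em0                   # the LAN towards the other routers
	interface lo1 { passive }       # announce 10.83.66.128/32, no hellos on it
}
```

The point of sourcing the session from the loopback is that it survives the loss of any one physical link as long as OSPF still has a path to the /32; if the peer is instead given a physical interface address, the session drops with that link. Restricting `listen on` to the loopback also keeps bgpd's TCP port off the other addresses, which pairs well with a pf rule that only admits port 179 from the known peers.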
rsa remote auth
I am trying to get my openbsd 4.0 box to allow remote ssh logins using an rsa key, i added the key into my ~/.ssh/authorized_keys file, and set permissions on ~/.ssh and ~/.ssh/authorized_keys to 0600 i added the rsa key of itself, for testing, however i can't seem to get an ssh session to authenticate without the password contents of authorized_keys (parts of the key omitted): ssh-rsa .== Anyone know what I'm doing wrong? why it won't authenticate with the rsa key? If any more info is needed please let me know -- -Lawrence -Student ID 1028219 -CCNA
Re: rsa remote auth
On Wed, 7 Feb 2007, Lawrence Horvath wrote: > I am trying to get my openbsd 4.0 box to allow remote ssh logins using > an rsa key, > > i added the key into my ~/.ssh/authorized_keys file, and set > permissions on ~/.ssh and ~/.ssh/authorized_keys to 0600 That'll render .ssh almost useless make that 0700 for the dir. -Otto > > i added the rsa of its self, for testing, however i cant seem to get > an ssh session to authenticate with out the password > > contents of authorized_keys(parts of the key omited): > > ssh-rsa .== > > Anyone know what im doing wrong? why it wont authenticate with the rsa key? > If anymore info is needed please let me know > > -- > -Lawrence > -Student ID 1028219 > -CCNA
Re: rsa remote auth
On 2/7/07, Lawrence Horvath <[EMAIL PROTECTED]> wrote: I am trying to get my openbsd 4.0 box to allow remote ssh logins using an rsa key, i added the key into my ~/.ssh/authorized_keys file, and set permissions on ~/.ssh and ~/.ssh/authorized_keys to 0600 Verify that the user itself is the owner of these files, not root or anyone else. i added the rsa of its self, for testing, however i cant seem to get an ssh session to authenticate with out the password Are there any line breaks in the copied key? 'cat -e ~/.ssh/authorized_keys' might reveal these kind of oopses. Did you place the exact contents of id_{rsa,dsa}.pub and not id_{rsa,dsa}? ssh-rsa .== There's no reason to obfuscate this. Your public key is not sensitive. DS
Re: rsa remote auth
On 2007/02/07 06:49, Lawrence Horvath wrote: > and made sure of the file permissions > ~/.ssh is 0700 > ~/.ssh/authorized_keys is 0600 run sshd -d -p some_port (unless you want to disturb your main daemon on port 22) and watch the screen output while you connect.
Re: rsa remote auth
On 2/7/07, Darren Spruell <[EMAIL PROTECTED]> wrote: On 2/7/07, Lawrence Horvath <[EMAIL PROTECTED]> wrote: > I am trying to get my openbsd 4.0 box to allow remote ssh logins using > an rsa key, > > i added the key into my ~/.ssh/authorized_keys file, and set > permissions on ~/.ssh and ~/.ssh/authorized_keys to 0600 Verify that the user itself is the owner of these files, not root or anyone else. Verified ownership of the file is the user, both owner and group > i added the rsa of its self, for testing, however i cant seem to get > an ssh session to authenticate with out the password Are there any line breaks in the copied key? 'cat -e ~/.ssh/authorized_keys' might reveal these kind of oopses. used the cat -e command, no line breaks Did you place the exact contents of id_{rsa,dsa}.pub and not id_{rsa,dsa}? I did $cd ~/.ssh $cp id_rsa.pub authorized_keys so yes it would be the exact contents > ssh-rsa .== There's no reason to obfuscate this. Your public key is not sensitive. DS and made sure of the file permissions ~/.ssh is 0700 ~/.ssh/authorized_keys is 0600 -- -Lawrence -Student ID 1028219 -CCNA
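Collecting the checks from the replies into one script, as an added example (mine, not posted in the thread): directory and file modes, ownership, and whether every key occupies one line. It avoids stat(1), whose flags differ between BSD and GNU, by reading the mode string from `ls -ld`. The authorized_keys contents used in the usage below are constructed, not the poster's key.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an ~/.ssh directory the
# way the replies suggest.  check_ssh_auth_dir DIR USER prints each problem
# and returns 1 if any was found.  Passing here is necessary, not sufficient:
# sshd's StrictModes also looks at the home directory itself.

# Columns 5-10 of "ls -ld" are the group and other permission bits; for a
# 0700 directory or a 0600 file they must all be "-".
perm_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

check_ssh_auth_dir() {
    dir=$1; user=$2; keys=$dir/authorized_keys; rc=0

    for f in "$dir" "$keys"; do
        [ -e "$f" ] || { echo "missing: $f"; rc=1; continue; }
        perm_ok "$f" || { echo "group/other bits set on $f (want 0700 dir, 0600 file)"; rc=1; }
        [ "$(owner_of "$f")" = "$user" ] || { echo "$f is not owned by $user"; rc=1; }
    done

    # Every non-blank, non-comment line must be one whole key: type, base64
    # blob, optional comment.  A key pasted with a line break in it shows up
    # as a continuation line of bare base64 with no key type in front.
    [ -f "$keys" ] && awk '
        /^[[:space:]]*(#|$)/ { next }
        !/^(ssh-rsa|ssh-dss) [A-Za-z0-9+\/]+=*( .*)?$/ {
            printf "malformed key on line %d: %.40s...\n", NR, $0
            bad = 1
        }
        END { exit bad }' "$keys" || rc=1

    return $rc
}

# Stand-alone use:  sh check_ssh.sh /home/lawrence/.ssh lawrence
if [ $# -eq 2 ]; then
    check_ssh_auth_dir "$1" "$2" && echo "ok"
fi
```

If this passes and the key is still refused, the next step is Stuart's: `sshd -d -p 2222` on the server, then `ssh -v -p 2222 host` from the client; the server-side debug output names the exact check that rejected the key (bad ownership of the home directory, a key type not listed in the offered ones, or the key simply not matching).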
Re: Dummy Interface In OpenBGPd
* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 14:34]: > What i want to accomplish and wanted to do is to be able to use such an > interface when all the NIC > on my machines are alloted for BGP. that is not any clearer. "such an interface"? get rid of that dummy interface terminology, that doesn't exist. "when all interfaces are alloted for BGP"? you probably mean allotted. How are they allotted for BGP? you already have a BGP listener there? Why are you having multiple listeners in the first place? the answer is probably still "create lo1" or similar. But honestly, I am tired of guessing what you actually want to accomplish. I asked 3 times now. Enough is enough. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: login.conf
Hello Stuart, On Wed, 07.02.2007 at 11:39:28 +, Stuart Henderson <[EMAIL PROTECTED]> wrote: > On 2007/02/07 12:00, Toni Mueller wrote: > > I'd like to adjust the default limits for an account via login.conf(5) > > and adding the appropriate class entry to the affected account in the > > password file. Specifically, I want this to configure the resource > > limits for a MySQL server. Will this work? > > Yes, see http://www.openbsdsupport.org/mysql.htm uppp I apparently didn't see that section because I didn't re-read it. If that info is correct, then this "solves" it (hello Daniel!). Thank you for the heads-up. Best, --Toni++
Re: HTTP URL filtering?
Hello Xavier, On Tue, 06.02.2007 at 22:50:36 +0100, Xavier Mertens <[EMAIL PROTECTED]> wrote: > I've a problem with an Apache web server hit by f*cking spammers... > I would like to filter some URLs (unused but still used by the bots) > *BEFORE* they reach the httpd processes. What could be the best > method? pf? something else? I guess that you want to keep the load off your Apache, right? I'd also vote for a lightweight front-end reverse proxy like nginx (already mentioned) or lighttpd to do this. Best, --Toni++
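The front-end arrangement Toni describes, written out in nginx as an added example (mine, not from the thread): the junk paths get a 403 from the proxy and never reach Apache, which now listens only on localhost. The hostname, the backend port and the list of paths are assumptions; substitute the URLs the bots actually hit.

```nginx
# Added example: nginx in front of Apache, answering the bot paths itself.
server {
    listen 80;
    server_name www.example.com;          # assumed hostname

    # Unused paths the bots keep requesting (assumed list).  Answered here,
    # so no httpd process is ever spawned for them.  Case-insensitive match.
    location ~* ^/(trackback|xmlrpc\.php|wp-comments-post\.php)(/|$) {
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;  # Apache moved to localhost (assumption)
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

pf itself cannot see URLs, since it stops at layer 4, but it still has a place here: a `max-src-conn-rate` limit with `overload` into a table on the port 80 pass rule cuts off a source that opens connections faster than a browser would, which is what the spam bots tend to do, and keeps even the proxy from having to answer them.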
AsiaBSDCon 2007 timetable is published
The timetable of AsiaBSDCon 2007 has been published. http://asiabsdcon.org/timetable.html AsiaBSDCon 2007, University of Tokyo, Tokyo, Japan 8 - 11 March, 2007 http://asiabsdcon.org/ AsiaBSDCon is a conference for users and developers on BSD based systems. The conference is for anyone developing, deploying and using systems based on FreeBSD, NetBSD, OpenBSD, DragonFly BSD, Darwin, and MacOS X. AsiaBSDCon is a technical conference and aims to collect the best technical papers and presentations available to ensure that the latest developments in our open source community are shared with the widest possible audience. Please contact [EMAIL PROTECTED] if you have any questions.
Failed installation on HP ProLiant ML110 G4 (with dmesg)
Below is a capture from a serial console during the installation. Note that I've reduced most of the repeated messages a la [last message repeated x times]; otherwise, this would be a 7000 line post.

Aside: how about a 3-wire serial console option that doesn't need DCD driven? My beloved Cisco serial cables don't drive DCD; I had to dig deeply into my big bag o' adapters to find an old-school null modem to do it. But I guess I'll appreciate that feature if I ever need a serial console through a modem. :)

This should also answer a previously posted question on a related failed ProLiant install: "Why axe(4)?" Because it seemed like a good idea at the time to the kernel. It wasn't a user selection. All hardware is HP-supplied with the system; nothing added here. I first tried this with the PS/2 keyboard that came with the unit, but it was unresponsive by the time I got to a prompt, hence the MS Natural Pro plugged in.

If anyone cares, it looks like Ubuntu 6.06LTS will install on it (and the PS/2 keyboard IS responsive under that OS.) I'll go ahead and install that for the hell of it. If anyone wants dmesg from that, let me know.

Either this will work soon, or it's going back; I can't afford to have a science project sitting around. But if any developers want something tried out, let me know and I'll assist as I can. I can also hang it on a public IP if that helps.

OpenBSD/i386 BOOT 2.10
boot>
booting fd0a:/bsd: 4692244+739940=0x52e4c0
entry point at 0x200120*
Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2006 OpenBSD. All rights reserved. http://www.OpenBSD.org

OpenBSD 4.0 (RAMDISK_CD) #39: Sat Sep 16 19:34:26 MDT 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Xeon(R) CPU 3040 @ 1.86GHz ("GenuineIntel" 686-class) 1.87 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16
real mem = 1071788032 (1046668K)
avail mem = 971149312 (948388K)
using 4256 buffers containing 53690368 bytes (52432K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(7b) BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xfd460, SMBIOS rev. 2.4 @ 0xdc010 (47 entries)
bios0: HP ProLiant ML110 G4
pcibios0 at bios0: rev 2.1 @ 0xfd460/0xba0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdee0/256 (14 entries)
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
pcibios0: PCI bus #10 is the last bus
bios0: ROM list: 0xc/0x8000 0xdc000/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel E7230 MCH" rev 0xc0
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01
pci1 at ppb0 bus 2
ppb1 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01
pci2 at ppb1 bus 3
vga1 at pci2 dev 0 function 0 vendor "Matrox", unknown product 0x0522 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
ppb2 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01
pci3 at ppb2 bus 4
bge0 at pci3 dev 0 function 0 "Broadcom BCM5721" rev 0x21, BCM5750 C1 (0x4201): irq 12, address 00:18:fe:79:02:af
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: irq 5
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: irq 11
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: irq 7
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: irq 10
ehci0: timed out waiting for BIOS
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
ppb3 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0xe1
pci4 at ppb3 bus 10
ichpcib0 at pci0 dev 31 function 0 "Intel 82801GB LPC" rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SCSI0 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 "Intel 82801GB SATA" rev 0x01: DMA, channel 0 confi
Sun Fire X2100, GigaBit Fiber?
Hi,

I really want to use one of those Sun Fire X2100, X2100 M2 or X2200 to build a firewall for my network. But my problem is that my network is a fiber connection running Gigabit. It seems that all these boxes have only PCI-E X8 slot(s) for fiber network card(s). My questions are:

1) Sun also sells a fiber gigabit card with X2100 ... (Sun Dual Gigabit Ethernet PCI-E MMF Adapter). But this card is not supported in OpenBSD 4.0. Am I right? Is there a plan to support it in the near future?

2) If I get a M2 box, say, X2100 M2 with two PCI-E X8 slots and get two PCI-E fiber network cards, say, HP NC373F PCI Express Multifunction Gigabit server adapter (1000baseSX) which is supported per openbsd document. Would that work?

Thanks for any inputs.
Steven
Re: HTTP URL filtering?
Hej there,

Xavier Mertens schrieb:
> Hi *,
> I've a problem with an Apache web server hit by f*cking spammers... I would like to filter some URLs (unused but still used by the bots) *BEFORE* they reach the httpd processes. What could be the best method? pf? something else?

I had the same problem with botnets, attacking a specific URL. Even sending out 404 errors didn't help at all. I wouldn't recommend the pf overload feature, as this depends on the number of tcp connections to your webserver. Say you have a webpage with 50 images, this would be 50 connections. Another webpage may only have 2 images, this would lead to only 2 connections.

Here is what I did. Install mod_security for apache. Define rules like those:

    # Maximum request body size we will
    # accept for buffering
    SecRequestBodyAccess On
    #SecRequestBodyLimit 131072

    # Store up to 128 KB in memory
    #SecRequestBodyInMemoryLimit 131072

    # Buffer response bodies of up to
    # 512 KB in length
    SecResponseBodyAccess Off
    SecResponseBodyLimit 524288

    # Debug log
    SecDebugLog /var/log/apache/modsec_debug.log
    SecDebugLogLevel 0

    # The audit engine works independently and
    # can be turned On or Off on the per-server or
    # on the per-directory basis
    #SecAuditEngine Off
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus ^5
    #SecAuditLogParts ABIFHZ
    SecAuditLogParts A
    SecAuditLogType Serial

    # The name of the audit log file
    SecAuditLog /var/log/apache/modsec_audit.log

    # Default action set
    #SecDefaultAction "deny,log,auditlog,status:403"

    # Turn on Rule Engine
    SecRuleEngine On

    # Refuse to accept POST requests that do
    # not specify request body length
    # SecRule REQUEST_METHOD ^POST$ chain
    # SecRule REQUEST_HEADER:Content-Length ^$
    #
    # Metal District Rules
    #SecRule REQUEST_URI "/phpbb2/posting\.php\(.*\)" "deny,phase:1,exec:/root/bin/fill-blacklist.sh"
    #SecRule ARGS /phpbb2/posting.php "deny,phase:1,exec:/root/bin/fill-blacklist.sh"
    SecRule REQUEST_FILENAME /phpbb2/posting.php "deny,phase:1,exec:/root/bin/fill-blacklist.sh"
    SecRule REQUEST_FILENAME /phpBB2/posting.php "deny,phase:1,exec:/root/bin/fill-blacklist.sh"

Anytime someone is accessing /phpbb2/posting.php the script fill-blacklist.sh is run:

    [EMAIL PROTECTED] <~> $ cat /root/bin/fill-blacklist.sh
    #!/bin/sh
    #
    # REMOTE_ADDR is taken from the environment mod_security hands the script;
    # quote it so the address reaches pfctl as exactly one argument.
    sudo pfctl -t www-spammers -T add "${REMOTE_ADDR}"
    echo "${REMOTE_ADDR} added to blacklist"

The ip gets added to the table www-spammers. My pf rules look like that:

    # www-spammers table
    table <www-spammers> persist file "/etc/www-spammers"
    block in quick on $ext_if proto tcp from <www-spammers> to $ext_if port 80

Drawback: I need sudo to use pfctl as the user www (which apache runs under).
Pro: Every bot can access the url exactly one time, afterwards it's blacklisted.

Use expire-table to free the pf table occasionally and of course make sure that you don't block yourself - whitelist ip addresses like your standard gateway, otherwise you may DoS yourself ;)

Of course this is just a hack, but it works in my case. Any suggestions to improve this setup are welcome :)

best regards,
Marian
Re: Failed installation on HP ProLiant ML110 G4 (with dmesg)
On 2007/02/07 12:37, Ron Oliver wrote: > Aside: how about a 3-wire serial console option that doesn't need DCD > driven? I think it's just the bootloader.. > My beloved Cisco serial cables don't drive DCD adapters with DTR-DSR-DCD-CTS connected together work ok for this. > wd0 at pciide1 channel 0 drive 0: > wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors > wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5 > wd0: no disk label > dkcsum: wd0 matches BIOS drive 0x80 ... > No disks found. that's odd...
Re: HTTP URL filtering?
Hi,

Karsten McMinn schrieb:
> On 2/6/07, Xavier Mertens <[EMAIL PROTECTED]> wrote:
> > Hi *,
> > I've a problem with an Apache web server hit by f*cking spammers... I would like to filter some URLs (unused but still used by the bots) *BEFORE* they reach the httpd processes. What could be the best method? pf? something else?
>
> I used snort to filter before httpd to build simple IP address lists to feed into a pf table. It was kinda clunky. Second time around I'd just parse my httpd log files and do the same thing. With apache configured right and a cron running every minute you'll get by with minimal work needed. I'd imagine.

I tried the very same when a webserver of mine was hit by some botnet. Unluckily, cron can only run every minute as the fastest interval and within 1 minute I already had around 1000 connections from different IP addresses. Ergo: A one minute interval didn't help at all..

./Marian
Re: Sun Fire X2100, GigaBit Fiber?
Check out the Intel PRO/1000 PF. While it's not mentioned as supported in amd64, many of its brethren are. It might be worth a try.

http://www.intel.com/network/connectivity/products/pro1000pf_dualport_server_adapter.htm

Chris

On 2/7/07, Steven Xiao <[EMAIL PROTECTED]> wrote:
Re: Failed installation on HP ProLiant ML110 G4 (with dmesg)
> > wd0 at pciide1 channel 0 drive 0: > > wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors > > wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5 > > wd0: no disk label > > dkcsum: wd0 matches BIOS drive 0x80 > ... > > No disks found. > > that's odd... This is caused by the kernel dmesg being flooded with the axe error messages. The OP should try to boot -c, disable axe, and install without axe; this should at least allow the installation to proceed. Miod
BRL-CAD 3D software for OpenBSD
Hello I made a patch so that BRL-CAD compiles on OpenBSD and sent it to the developer and he incorporated it into the official code so now it should compile out of the box on OpenBSD. BRL-CAD is a powerful non-bloatware 3D modeling system being developed by U.S. Army since 1979 and since 2004 released under GPL. It was used for example for design of the M1A1 Abrams tank. Example outputs: http://ronja.twibright.com/3d/ If someone has time to make a package please do it. I tried to read the information about the portage tree but it's too complicated for me to understand - I forget the beginning before I get to the end. The compilation is simple ./configure make make install then it installs into /usr/brlcad and $PATH has to be set. CL<
Re: ospfd participating in a stub area
On Wed, 07 Feb 2007 at 13:57:52 +0100, Esben Norby wrote:
> What exactly is the purpose of this? Is it some cisco trick to save memory or
> does it have a real purpose?

It's not a cisco trick as such, since it's defined in the OSPF RFC along with NSSA (not so stubby areas) and totally stubby areas. It is designed to save CPU and memory resources.

> Normally when routers form adjacency the network is not considered a stub
> network any more, hence it can be used to forward traffic.

Stub areas are not to be confused with stub networks. Stub networks are what is formed when you define an interface as passive. A stub area is what is formed when the area border router for that area no longer floods LSAs for AS-external routes into the area.

Thanks to Claudio for clarifying the situation. It's not a big deal really - I was simply doing some testing with stub areas and wanted to make sure of what was possible.

Regards,
Nigel
net.inet.ip.mforwarding?
Sorry I should know this but I'm sorta green. If I enable net.inet.ip.mforwarding on all my routers, should that allow OS X things like bonjour and iTunes music sharing to work across the bridge?
external usb disk freezing machine
hi there,

here i go again, describing usb problems. i am really not sure now if it is a) my external disk, b) openbsd, c) bios/motherboard/usb port that is giving me the headache... i am trying my luck here, and please find attached a most curious /var/log/messages snippet of one "from reboot till reboot" session. i hope the usb people can make something of it... dmesg gratis included inside :D

so basically what started happening: i plug in the disk, everything dandy, disk goes away every couple of minutes, then reappears; of course making the programs accessing it at the moment very very unhappy. then after a final "ehci_idone:" message it's either silicon heaven (absolute freeze), or reappearing and disappearing again and again. booted it in windows, everything looks fine, no mysterious disappearing tricks. the strange thing is that i have had the disk for 2 weeks now, and it started happening today.

(ps. the 'disklabel=' entries are logger(1) calls from hotplugd attach)
(ps2. are "empty" /bsd messages normal?)

Feb 7 19:31:07 amaaq syslogd: restart
Feb 7 19:31:07 amaaq /bsd: OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
Feb 7 19:31:07 amaaq /bsd: [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
Feb 7 19:31:07 amaaq /bsd: cpu0: Intel(R) Pentium(R) M processor 1.80GHz ("GenuineIntel" 686-class) 1.80 GHz
Feb 7 19:31:07 amaaq /bsd: cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,SBF,EST,TM2
Feb 7 19:31:07 amaaq /bsd: cpu0: Enhanced SpeedStep 1800 MHz (1340 mV): speeds: 1800, 1600, 1400, 1200, 1000, 800, 600 MHz
Feb 7 19:31:07 amaaq /bsd: real mem = 535326720 (522780K)
Feb 7 19:31:07 amaaq /bsd: avail mem = 480366592 (469108K)
Feb 7 19:31:07 amaaq /bsd: using 4256 buffers containing 26869760 bytes (26240K) of memory
Feb 7 19:31:07 amaaq /bsd: mainbus0 (root)
Feb 7 19:31:07 amaaq /bsd: bios0 at mainbus0: AT/286+(8b) BIOS, date 03/23/05, BIOS32 rev. 0 @ 0xfd700, SMBIOS rev. 2.31 @ 0xd6010 (31 entries)
Feb 7 19:31:07 amaaq /bsd: bios0: TOSHIBA Satellite M30X
Feb 7 19:31:07 amaaq /bsd: apm0 at bios0: Power Management spec V1.2
Feb 7 19:31:07 amaaq /bsd: apm0: AC on, battery charge unknown
Feb 7 19:31:07 amaaq /bsd: apm0: flags 30102 dobusy 0 doidle 1
Feb 7 19:31:07 amaaq /bsd: pcibios0 at bios0: rev 2.1 @ 0xfd700/0x900
Feb 7 19:31:07 amaaq /bsd: pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf20/192 (10 entries)
Feb 7 19:31:07 amaaq /bsd: pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371FB ISA" rev 0x00)
Feb 7 19:31:07 amaaq /bsd: pcibios0: PCI bus #3 is the last bus
Feb 7 19:31:07 amaaq /bsd: bios0: ROM list: 0xc/0x1 0xd/0x1000 0xd6000/0x800! 0xe/0x4000!
Feb 7 19:31:07 amaaq /bsd: cpu0 at mainbus0
Feb 7 19:31:07 amaaq /bsd: pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
Feb 7 19:31:07 amaaq /bsd: pchb0 at pci0 dev 0 function 0 "Intel 82852GM Hub-PCI" rev 0x02
Feb 7 19:31:07 amaaq /bsd: "Intel 82852GM Memory" rev 0x02 at pci0 dev 0 function 1 not configured
Feb 7 19:31:07 amaaq /bsd: "Intel 82852GM Configuration" rev 0x02 at pci0 dev 0 function 3 not configured
Feb 7 19:31:07 amaaq /bsd: ppb0 at pci0 dev 1 function 0 "Intel 82852/82855 AGP" rev 0x02
Feb 7 19:31:07 amaaq /bsd: pci1 at ppb0 bus 1
Feb 7 19:31:07 amaaq /bsd: vga1 at pci1 dev 0 function 0 "ATI Radeon Mobility M10 NP" rev 0x00
Feb 7 19:31:07 amaaq /bsd: wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
Feb 7 19:31:07 amaaq /bsd: wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Feb 7 19:31:08 amaaq /bsd: uhci0 at pci0 dev 29 function 0 "Intel 82801DB USB" rev 0x03: irq 10
Feb 7 19:31:08 amaaq /bsd: usb0 at uhci0: USB revision 1.0
Feb 7 19:31:08 amaaq /bsd: uhub0 at usb0
Feb 7 19:31:08 amaaq /bsd: uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
Feb 7 19:31:08 amaaq /bsd: uhub0: 2 ports with 2 removable, self powered
Feb 7 19:31:08 amaaq /bsd: uhci1 at pci0 dev 29 function 1 "Intel 82801DB USB" rev 0x03: irq 5
Feb 7 19:31:08 amaaq /bsd: usb1 at uhci1: USB revision 1.0
Feb 7 19:31:08 amaaq /bsd: uhub1 at usb1
Feb 7 19:31:08 amaaq /bsd: uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
Feb 7 19:31:08 amaaq /bsd: uhub1: 2 ports with 2 removable, self powered
Feb 7 19:31:08 amaaq /bsd: uhci2 at pci0 dev 29 function 2 "Intel 82801DB USB" rev 0x03: irq 4
Feb 7 19:31:08 amaaq /bsd: usb2 at uhci2: USB revision 1.0
Feb 7 19:31:08 amaaq /bsd: uhub2 at usb2
Feb 7 19:31:08 amaaq /bsd: uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
Feb 7 19:31:08 amaaq /bsd: uhub2: 2 ports with 2 removable, self powered
Feb 7 19:31:08 amaaq /bsd: ehci0 at pci0 dev 29 function 7 "Intel 82801DB USB" rev 0x03: irq 11
Feb 7 19:31:08 amaaq /bsd: usb3 at ehci0: USB revision 2.0
Feb 7 19:31:08 amaaq /bsd: uhub3 at usb3
Feb 7 19:31:08 amaaq /bsd: uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
Feb 7 19:31:08 amaaq /bsd: uhub3: 6 ports with 6 removable, self powered
Feb 7 19:31:08 amaaq /
Re: Failed installation on HP ProLiant ML110 G4 (with dmesg)
As stupid-trick-with-install-scripts, one can simply manually enter the disks of interest. At the "Proceed with install?" prompt simply enter

    !export DKDEVS=wd0

You should get the prompt back and be able to proceed normally.

Ken

----- Original Message -----
From: Ron Oliver <[EMAIL PROTECTED]>
To: misc@openbsd.org
Sent: Wednesday, February 7, 2007 12:37:43 PM
Subject: Failed installation on HP ProLiant ML110 G4 (with dmesg)
When will php5-gd-5.1.4-no_x11.tgz be fixed?
It's really hard to install php5-gd-5.1.4-no_x11.tgz on a server without xbase40.tgz...

    astatine[wooh]> sudo pkg_add php5-gd-5.1.4-no_x11.tgz
    Can't install php5-gd-5.1.4-no_x11.tgz: lib not found freetype.13.1
    Even by looking in the dependency tree: gettext-0.14.5p1, jpeg-6bp3, expat-2.0.0, t1lib-5.1.0p0, php5-core-5.1.4p1, libiconv-1.9.2p3, png-1.2.12p0, libxml-2.6.26
    Maybe it's in a dependent package, but not tagged with @lib ? (check with pkg_info -K -L)
    If you are still running 3.6 packages, update them.

I do not want to install Xlibs on my box. When will it be fixed?

Thanks in advance

--
Adam PAPAI
D i g i t a l Influence
http://www.digitalinfluence.hu
E-mail: [EMAIL PROTECTED]
Phone: +36 30 33-55-735 (Hungary)
Phone: +49 176-67264167 (Germany)
Re: net.inet.ip.mforwarding?
Jonathan Whiteman wrote: Sorry I should know this but I'm sorta green. If I enable net.inet.ip.mforwarding on all my routers, should that allow OS X things like bonjour and iTunes music sharing to work across the bridge? Bridge? Are you bridging or routing here? Please tell us more about your network. If you are ethernet bridging, as far as I know that will do nothing. If you are routing, it is a different story, but I'm afraid my knowledge of Bonjour is not good enough to give a definitive answer, but my experiences with certain other multicast based protocols are that it is easier to use ethernet bridge filtering than make routing work with them. AFAIK Apple isn't targeting these services for large networks anyway, they are to ease setting up a home or other small network that is a single broadcast domain. Regards, Jussi Peltola
Re: When will php5-gd-5.1.4-no_x11.tgz be fixed?
On 2007/02/07 21:08, Adam PAPAI wrote: > It's really hard to install php5-gd-5.1.4-no_x11.tgz on a server without > xbase40.tgz... fixed in -current.
Re: dump(8) -> dvd: best practices?
On Tue, Feb 06, 2007 at 07:49:22PM -0500, Josh Grosse wrote: > On Tue, Feb 06, 2007 at 06:24:38PM -0500, I wrote: > > I have completed tests with small files, and am now running a test w/ > > 8GB or so of data. > > It works, using shunt/flyisofs. I will be making offsite backups much much > more than I will be restoring them, and this is fairly easy: > > shunt -c 'dump -0af - /path/to/backups' + > 'flyisofs mbc=2295104 fbc=200 | > growisofs -Z /dev/rcd0c=/dev/fd/0' > > The shunt program prompts to start the dump, and also prompts to start > flyisofs, so one must depress ENTER twice after entering this rather long > command. Note that mbc = media sectors. DVD+RW uses 2,295,104 2048-byte > sectors. Note also that fbc is under 4GB, to avoid any ISO9660 problems. > > The flyisofs program will close when the ISO is full, and shunt will prompt > me to restart it, so I have time to change media and press ENTER again. Looks good. > > I am going to look into amanda, it may solve all my operational issues. It > > could make disaster recovery a little more complex, as it is 3rd party > > software. > > I have looked. 2.4.5 is really for tape only. 2.5.0 has not been ported, > and its introduction mentions optical, but ... it is the same as 2.4.5; you > must write backups to hard drive in CD or DVD sizes, and then burn them > manually. I use AMANDA, and am mostly happy with it - but yes, it's for tapes, and using it for anything else is not a particularly good call. > > Even if I end up going with Amanda, I may still port shunt so that is > > available for others. > > I've started, I should have it done this evening, and will post it on ports@ > when I think it's ready. Nice. Joachim
Re: net.inet.ip.mforwarding?
yes it is bridging not routing, and its a vpn (OpenVPN) bridge to complicate matters just a bit further. a simplified diagram follows. i've used actual device names here and indicated the bridged ones by enclosing them with { }

                 PUBLIC INTERNET
              |                  |
         -----|-----        -----|-----
         |   en0   |        |   dc0   |
         |         |        |         |
         |firewall 2|       |firewall 1|
         |         |        |         |
         |{en1 tun0}|       |{tun1 sis0}|
         -----|-----        -----|-----
              |                  |
      192.168.254.0/24    192.168.248.0/21

normal stuff seems to work across the bridge for the most part however there is a problem with all the apple proprietary services that rely on bonjour/rendevous. there is another separate and somewhat intermittent problem with routing between sub-subnets of the bridged halves of the network but thats a separate discussion i think. see the email i sent to the list on monday subject "vpn bridge misbehavior" for a more complete network diagram and a description of that (probably unrelated?) problem.

and oh yea, i *know* these mac services weren't designed for anything other than small-scale home use. i'm acutely aware of that at this point. (the mac decision was someone else's)

anyway, thanks for your time,
~jon

Jussi Peltola wrote:
> Bridge? Are you bridging or routing here? Please tell us more about your network.
Re: Question about syslog-ng
On Wed, Feb 07, 2007 at 12:34:07AM -0500, jared r r spiegel wrote: > On Tue, Feb 06, 2007 at 08:21:38AM -0600, Phusion wrote: > > When installing syslog-ng on a OpenBSD 4.0 machine should I start the > > daemon in /etc/rc.local or /etc/rc.securelevel? > > taking a peek at /etc/rc, the base syslogd is started unconditionally > before even rc.securelevel is sourced. > > it feels a bit dirty, but looks like the only way to completely perfectly > replace the default syslogd would be to edit /etc/rc in some way or another > ( your rc.local/rc.securelevel syslog-ng startup stanza could kill syslogd, > but below i mention some stuff that syslog-ng would've missed anyway ). > > in /etc/rc v1.295: > > - rc.local is sourced on line 710 > - syslogd is started on line 301 > - rc.conf is sourced on line 206 (and rc.conf tries to source rc.conf.local) > > so if you want to totally drop the default syslogd and use syslog-ng for > local logging on this host: > > - one of the worst possible ways would probably to be to put your actual > startup stanza for syslog-ng in /etc/rc.conf.local which would make it > start before the network and probably make anyone reading this want to > puke a bit. > - actually, no, the worst thing would probably to be to go to line 301 and > replace 'syslogd' with '/usr/local/sbin/syslog-ng', since their arguments > are not the same. > - the "cleanest" way that comes to mind to do a 1-to-1 replacement > without disturbing the current working of things much, if at all, would > be to add a parameter to rc.conf.local for 'syslogd="NO"', then wrap the > current /etc/rc syslogd stanza from line 291 through line 301 in a > conditional that checks for that syslogd parameter being != "NO" similar > to the one for pf(4) right below the syslogd one. 
then add more params > to rc.conf.local for 'syslogng="YES"' ( or _ng if you want, whatever ) and > 'syslogng_flags="whatever args"' and add a conditional startup stanza > for syslog-ng right below the normal syslogd one. > > outside of editing /etc/rc, starting it in rc.local would mean that > the default syslogd would handle anything started after line 301 > up to line 710 -- anything started under 'standard daemons' could be > caught by syslog-ng, but anything before that (most notably all the > stuff after 'initial' and 'network' daemons and a few other things > that syslog) would be under the sole jurisdiction of the base syslogd(8). > > either way, if syslog-ng is going to be used locally, i'd make a check > between whatever your favourite way of determining if something is running > (syslogd) and syslog-ng's .conf to see if they're going to try to fight > over anything. > > given that syslog-ng's source sockets are handled in its .conf and > not on commandline, perhaps also try to sanely handle/duplicate > the current extra socket checks (named/dev/log, empty/dev/log) that > the stock syslogd /etc/rc stanza checks for. > > if syslog-ng is going to be used on this host only as a dumping ground > for incoming remote TCP/UDP log messages (eg, doesn't make any local > unix sockets, only listens to network, and syslogd does also *not* > listen to the network (-u)), leave /etc/rc alone and just do > /etc/rc.local because then it doesn't really matter other than a > few wallclock seconds when this host boots up whether you do > rc.local or rc.securelevel. the fewer things you put in rc.securelevel, > the fewer things you have to accidentally forget about during upgrade > or troubleshooting. Or do as I do, and just run syslog-ng alongside syslogd. Where syslog-ng handles the network stuff, and syslogd dumps stuff via lo0. Sure, it's ugly, but it's easy to set up and works fine. And doesn't have quite as interesting a failure mode as the alternative. Joachim
Re: HTTP URL filtering?
Marian Hettwer wrote:
> I tried the very same when a webserver of mine was hit by some botnet. Unluckily, cron can only run every minute as the fastest interval, and within 1 minute I already had around 1000 connections from different IP addresses. Ergo: a one minute interval didn't help at all..

I had, and from time to time still have, attacks like this, and put together a series of effective measures to take care of this. Some I explained and put together on misc@ under the title "Feedback wanted on gethttpd graylisting ideas included", so you can search marc for: http://marc.theaimsgroup.com/?t=11578471381&r=1&w=2

I also posted a few more things, but it is possible to control that. I added many more things as well, and here, if you have URLs not in use, what you can do is actually very simple and effective right away as well, using PF and a redirect, depending on whether the connections are from a source that will follow the redirect or not.

What I did, for example, for sources that do not follow the redirect, or follow the standard: if you connect to, let's say, a URL a.b.c/test.html, and that test.html is a huge page that many bots actually love to attack to make you waste bandwidth and put your server to a crawl, what I did is simply to have that page send a redirect right away and then close the connection. So any valid user that accesses that page will be redirected to the valid page, and the bot will simply have its connection closed. So yes, you still process all the connections, but the handling from the server is pretty small, just a few bytes.

Also, that same connection is logged into an SQL server that I query from cron and add to PF each minute. Yes, I need to handle all the connections for that minute like you said, but the traffic is very minimal, and before you know it the source is blocked. Then I also built my scripts to refresh the blocked IPs with a timeout, meaning that I wanted to be nice, and the source IPs were blocked for an incremental time each time they were processed. So if the source goes away and was from a valid proxy, from AOL for example, I wasn't going to lose the traffic forever, but only for the time of the attack. And in the end, all the connections that were following the redirect were processed normally. That's because DDoS bot attacks so far call URLs via GET and don't check for the return code, so they were never going to the redirect's new location and were blocked later on.

Now for crawlers that follow bad URLs or attack bad URLs, you can here as well put a redirect to a different port. Like a.b.c/follow.html would redirect to a.b.c:81/follow.html, and then you simply use PF to add right away all sources trying to connect to tcp/81 to your table and be done with them. That's also quick and simple to do as well.

Anyway, those are just some ideas that are fast, efficient and proved to work very well, thank you. I have more in place as well, but if you do just these you will see light at the end of the tunnel.

Best,

Daniel
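The cron-side logic Daniel describes, written out as an added example (this is not Daniel's script): one minute of constructed log lines is classified by the two signals in the post (decoy page fetched without following its redirect, or any hit on the trap port), and each offender is put into a pf table for a block time that doubles on every repeat and lapses afterwards. The log format, the path names, the pf table name "bots" and the durations are assumptions.

```python
"""Added example, not Daniel's actual scripts: classify one minute of
web-server log lines as the post describes and keep pf table entries whose
block time grows on every repeat offence and lapses afterwards."""
from collections import defaultdict
from datetime import datetime, timedelta

DECOY_PATH = "/test.html"   # heavy page replaced by an immediate redirect
REAL_PATH = "/real.html"    # where that redirect points (hypothetical name)
TRAP_PORT = 81              # bad URLs are redirected here; any hit is abuse
PF_TABLE = "bots"           # hypothetical pf table name
BASE_BLOCK = timedelta(minutes=5)
MAX_BLOCK = timedelta(hours=6)


def parse_line(line):
    """Hypothetical minimal log format: 'SRC_IP DST_PORT METHOD PATH'."""
    ip, port, _method, path = line.split()
    return ip, int(port), path


def find_offenders(lines):
    """A source is abusive if it touched the trap port, or fetched the decoy
    without ever following the redirect (bots GET the URL and ignore the
    return code, as the post notes)."""
    fetched_decoy, followed, trap = set(), set(), set()
    for ip, port, path in map(parse_line, lines):
        if port == TRAP_PORT:
            trap.add(ip)
        elif path == DECOY_PATH:
            fetched_decoy.add(ip)
        elif path == REAL_PATH:
            followed.add(ip)
    return trap | (fetched_decoy - followed)


class BlockList:
    """Per-source block state; emits the pfctl commands the cron job would run."""

    def __init__(self):
        self.strikes = defaultdict(int)   # ip -> times blocked so far
        self.expires = {}                 # ip -> when the current block lapses

    def block_duration(self, ip):
        # doubles per strike, capped so a shared proxy is not lost forever
        return min(BASE_BLOCK * 2 ** self.strikes[ip], MAX_BLOCK)

    def update(self, offenders, now):
        cmds = []
        for ip, exp in list(self.expires.items()):   # release lapsed blocks
            if exp <= now:
                del self.expires[ip]
                cmds.append(f"pfctl -t {PF_TABLE} -T delete {ip}")
        for ip in sorted(offenders):
            if ip in self.expires:                   # still blocked
                continue
            self.expires[ip] = now + self.block_duration(ip)
            self.strikes[ip] += 1
            cmds.append(f"pfctl -t {PF_TABLE} -T add {ip}")
        return cmds


# Constructed sample of one minute's log; addresses are documentation ranges.
SAMPLE_LOG = [
    "203.0.113.7 80 GET /test.html",     # decoy hit, never follows redirect
    "203.0.113.7 80 GET /test.html",
    "198.51.100.2 80 GET /test.html",    # legitimate: follows the redirect
    "198.51.100.2 80 GET /real.html",
    "192.0.2.9 81 GET /follow.html",     # walked straight into the trap port
]


def run_example():
    """Two cron runs: the first block, then a repeat offence six minutes later.
    Returns both command lists and the second, longer block time."""
    blocks = BlockList()
    t0 = datetime(2007, 2, 7, 12, 0)
    first = blocks.update(find_offenders(SAMPLE_LOG), t0)
    t1 = t0 + timedelta(minutes=6)
    second = blocks.update({"203.0.113.7"}, t1)
    return first, second, blocks.expires["203.0.113.7"] - t1


if __name__ == "__main__":
    for cmd in run_example()[0] + run_example()[1]:
        print(cmd)
```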
Re: login.conf
Toni Mueller wrote:
> uppp I apparently didn't see that section because I didn't re-read it. If that info is correct, then this "solves" it (hello Daniel!).

Yes, that information is correct, and if done to the letter you get it to do as you wish. Been tested and used for many years on pretty darn busy servers without a hiccup!
Inquiries about OpenBSD's wifi implementation
Hi

I'm looking for information about various implementations of wifi in operating systems. Mainly because I want to assist Syllable operating system developers [syllable.org] (though I may not be able to undertake such a feat, but the lack of developers forced me *hint hint*). And I've been told that the most consistent wifi implementation is OpenBSD's, so I'm asking here:

o) How segregated is the wifi implementation from the kernel (module or built in)?
o) Is there anything related to the wifi implementation beside [/src/sys/net80211/]?
o) Who is the most knowledgeable about the implementation? (just in case something is really obscure and can't be solved by code diving, I won't spam him, honest)
o) Are there any extra documents that may help me?
Re: net.inet.ip.mforwarding?
On Wed, Feb 07, 2007 at 01:04:59PM -0800, Jonathan Whiteman wrote:
> yes it is bridging not routing, and its a vpn (OpenVPN) bridge to
> complicate matters just a bit further. a simplified diagram
> follows. i've used actual device names here and indicated the
> bridged ones by enclosing them with { }
>
>                  PUBLIC INTERNET
>                  |            |
>             -----|-----  -----|-----
>            | en0       || dc0       |
>            |           ||           |
>            | firewall 2|| firewall 1|
>            |           ||           |
>            | {en1 tun0}|| {tun1 sis0}|
>             -----|-----  -----|-----
>                  |            |
>        192.168.254.0/24   192.168.248.0/21
>

This is not a correct bridging setup. Bridging means that you are using the same network on both sides of the bridge. This may also explain other issues you have. Hosts on 192.168.254/24 can not reach 192.168.248.1 without an additional route.

AFAIK Apple's bonjour service is multicast, includes the network address and mask and has a TTL of 1. So multicast routing will not help. This is especially true for the iTunes sharing.

--
:wq Claudio
Re: rsa remote auth
On Wed, Feb 07, 2007 at 06:49:59AM -0800, Lawrence Horvath wrote:
[...]
> and made sure of the file permissions
> ~/.ssh is 0700
> ~/.ssh/authorized_keys is 0600

Also make sure your home dir is not group or world writable. If that's not it then take a look at the server-side debug output as Stuart suggested upthread.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Re: missing isakmpd.fifo
Toni Mueller wrote:
> Hi Dag,
>
> On Thu, 01.02.2007 at 08:37:01 -0800, Dag Richards <[EMAIL PROTECTED]> wrote:
>> locations. Yesterday I needed to add a tunnel, there was no /var/run/isakmpd.fifo ... odd says I. isakmpd had been running since mid
>> The fifo was recreated, I could use it to control isakmpd. OK. Today I look for isakmpd.fifo, it has disappeared again.
>> and nothing I do not expect to see. I am not running out of disk space ... anybody seen this before?
>
> please check again using -i in order to find out whether you have enough disk space.
>
> Best,
> --Toni++

hsdcert0:root:/root #df -i
Filesystem  1K-blocks     Used     Avail Capacity  iused   ifree %iused  Mounted on
/dev/sd0a     4126462    35180   3884960     1%     2204  533602    0%   /
/dev/sd0e     1030302       44    978744     0%       16  144238    0%   /home
/dev/sd0d     1030302        2    978786     0%        1  144253    0%   /tmp
/dev/sd0f    10318830   391228   9411662     4%    13887 1305023    1%   /usr
/dev/sd0g    16423486  1080606  14521706     7%     3564 2077842    0%   /var

Nope, plenty of inodes too.
Re: net.inet.ip.mforwarding?
Thank you both for your responses. I have made this diagram clearer because I sort of *am* using the same subnet on both sides of the bridge... or at least that was my intent, but obviously the address ranges have to be separate on both sides of the bridge even though the netmasks need to be the same. Perhaps with this further clarification one of you might be able to explain to me what exactly I've done wrong here:

          |------ PUBLIC INTERNET ------|
          |                             |
     -----|------                  -----|------
    | en0        |                | dc0        |
    |            |                |            |
    | firewall 2 |                | firewall 1 |
    |            |                |            |
    | {en1 tun0} |----------------| {tun1 sis0}|
     -----|------                  -----|------
          |                             |
ip:        192.168.254.1          192.168.250.1
subnet:    255.255.248.0          255.255.248.0
network:   192.168.248.0          192.168.248.0
broadcast: 192.168.255.255        192.168.255.255

So, sis0 (192.168.250.1) is the primary gateway (and dns server actually) for all clients behind both firewalls. The subnet mask given to all clients as well as the physical devices sis0 on firewall 1 and en1 on firewall 2 is the same as well: 255.255.248.0. Tun1 on firewall 1 (the openvpn server) does not have any ip address however I *have* configured the openvpn server to hand out 192.168.254.1 ONLY to the client on firewall 2, so en1 and tun0 on firewall 2 both are configured with the same ip address and subnet mask... it seemed like I needed this for the actual bridge of en1 and tun0 to behave but I won't claim that means I did it correctly in the first place.

Thanks again in advance for everyone's time,
~jon
Re: Failed installation on HP ProLiant ML110 G4 (with dmesg)
On 2/7/07, Miod Vallat <[EMAIL PROTECTED]> wrote:
> > wd0 at pciide1 channel 0 drive 0:
> > wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
> > wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
> > wd0: no disk label
> > dkcsum: wd0 matches BIOS drive 0x80
> ...
> > No disks found.
>
> This is caused by the kernel dmesg being flooded with the axe error
> messages. The OP should try to boot -c, disable axe, and install without
> axe; this should at least allow the installation to proceed.
>
> Miod

Your command is my wish. The install proceeded normally after that. Thanks for the save, Miod!

Forgot to mention LONG wait after "Entry point at 0x200120". Also long wait after "pckbc0 at isa0 port 0x60/5" and "wskbd0 at pckbd0: console keyboard, using wsdisplay0". The waits occurred even after disabling axe.

Rebooting (didn't disable axe) yields, after many axe0 messages:

ifmedia_match: multiple match for 0x20/0xfeff, selected instance 0
uvm_fault(0xd0767d20, 0x0, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at usbd_probe_and_attach+0x242:  movzbl 0x2(%eax),%eax
ddb>

I have to leave for an appointment right now, but will be back (hopefully!) in an hour or so. I can disable axe in boot_config; I'll have no need for that device. But do you anticipate any other related issues before I put this into production? Would you (or some other developer) like access to the system when I get back? I can leave it at your disposal for a few days (and type as needed) if it will help the cause. I also have a 3Ware 8006-2LP and a pair of SATA disks to install in it (for a RAID-1 configuration) as well once the base system is stable, if that's of interest to anyone.

Thanks again,
--
Ron Oliver
Re: net.inet.ip.mforwarding?
Sorry, just for the sake of correctness: em0 and em1 are the devices on firewall 2, not en0 and en1... that's a typo.
Re: Dummy Interface In OpenBGPd
The thing is, after I created /etc/hostname.lo1 as stated and I am trying to ping it from other devices within that network, it is not reachable. I put network 10.83.66.128/32 in my /etc/bgpd.conf but still I can only ping this interface from the host it is put in but not from the other host. Some hints? Should I manually add a route to it in the kernel routing table?

> On Wed, Feb 07, 2007 at 12:07:56PM -, [EMAIL PROTECTED] wrote:
>> Does that categorically mean there is no way, as of the moment, in
>> openbgp to use a dummy interface just like in Quagga?
>
> There are no dummy interfaces. If you like to use a loopback interface
> create one.
>
> # cat > /etc/hostname.lo1
> inet 10.83.66.128 255.255.255.255 NONE
> # sh /etc/netstart lo1
>
> That's it. You have a loopback address that can be used in bgpd.
>
> neighbor 10.83.66.164 {
>         remote-as 65123
>         local-address 10.83.66.128
> }
>
> I guess that's what you are looking for. bgpd does not really care about
> interfaces. Interfaces and their link state are only used to figure out
> the availability of nexthops.
>
> Btw. for ospfd you can use "interface lo1" to reliably redistribute the
> loopback address.
>
> --
> :wq Claudio
>
>> > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-02-07 12:31]:
>> >> As I read the openbgpd documentation, there is not a single point wherein
>> >> in the examples a dummy interface is being used. Is a dummy interface
>> >> supported in OpenBGP?
>> >
>> > -vvv :)
>> >
>> > from bgpd's perspective, an interface is an interface, mostly.
>> >
>> > --
>> > Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
>> > BS Web Services, http://bsws.de
>> > Full-Service ISP - Secure Hosting, Mail and DNS Services
>> > Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: net.inet.ip.mforwarding?
As far as I can see, for the broadcast protocols to work you need to use the same subnet in both ends. The way I set a similar system up some time ago was as follows:

            |-------- Public Network --------|
            |                                |
   ---------|-----------           ----------|-----------
  | eth0 (w.x.y.z)       |       | eth0 (a.b.c.d)       |
  |                      |       |                      |
  | gw.site1.company.com |       | gw.site2.company.com |
  |                      |       |                      |
  | br0 { eth1 tap0 }    |       | br0 { eth1 tap0 }    |
   ---------|-----------           ----------|-----------
            |                                |
       10.74.2.0/24                     10.74.2.0/24
  Subnet of Redmond boxes,          Small remote subnet,
  DHCP server, etc.                 client Redmond boxes

The important part here is that both sides are on the same subnet. Note that OpenVPN isn't really configured with any IP addresses at all (except the peer's) since it operates on the Ethernet level. Redmond broadcasts to 10.74.2.255 will go over the bridge, as will DHCP requests, since they are both also Ethernet broadcasts.

Some firewalling was also involved, but since it was done using the ethX OS I'd rather forget all about it... And yes, I've since gotten rid of both Redmond and the ethX OS, and also bridging, since the need disappeared with the Redmonds, so I might have forgotten things along the way.

--
Jussi Peltola
Re: net.inet.ip.mforwarding?
On Wed, Feb 07, 2007 at 02:46:57PM -0800, Jonathan Whiteman wrote:
> Thank you both for your responses. I have made this diagram
> clearer because I sort of *am* using the same subnet on both
> sides of the bridge... or at least that was my intent, but
> obviously the address ranges have to be separate on both sides
> of the bridge even though the netmasks need to be the same.

There mustn't be duplicate addresses, of course, but the client machines on both sides need to use the same subnet mask and have addresses in the same subnet.

> Tun1 on firewall 1 (the openvpn server) does not
> have any ip address however I *have* configured the
> openvpn server to hand out 192.168.254.1 ONLY to the client
> on firewall 2, so en1 and tun0 on firewall 2 both are
> configured with the same ip address and subnet mask...
> it seemed like I needed this for the actual bridge of en1 and
> tun0 to behave but I won't claim that means I did it correctly
> in the first place.

Bridging should work without any addresses specified at all. Try changing the hostname.if config to "up" instead of an IP address unless you need an IP address to manage the machine. Having the same IP on two interfaces bridged together might work but isn't very logical. In any case since it is bridging, the addresses shouldn't matter...

You might also want to change the setup so that the clients behind firewall 2 use firewall 2's address as the default gateway, so you don't connect to the rest of the world through the VPN (unless that is what you want for some reason). Even then only en1 should be configured with an IP address and the tun should just be left "link0 up".

I doubt the bridge functionality depends on the addresses, it must be something else. You might want to try broadcast pinging in one network, preferably from a machine that is not the firewall, and using tcpdump to see where the packets disappear (adding "log" to the default block rule helps).
Please help with routing
Hi all

I have troubles with routing between my VPN servers (using openvpn and tun pseudo-devices) in 3 offices.

Problem desc: I can't ping hosts in the 192.168.1.0/24 network in office3 (pings don't go to 10.1.0.1 and 192.168.2.0/24 -> 192.168.1.0/24). Ping probes work fine between the other internal networks to 192.168.2.0/24. When I run "tcpdump -i tun2" (interface to office1) on the router in office2 and "ping 192.168.1.1", I see ping requests to 192.168.1.1 in the tcpdump output, but no ping reply.

===
office1 <-> office2 <-> office3

10.1.0.1 <--> 10.1.0.2 -+- 10.8.0.1 <-> 10.8.0.2
   |                    |                   |
192.168.1.0/24   192.168.197.0/24    192.168.2.0/24
###

Office1

rl1: inet 192.168.1.254 netmask 0xff00 broadcast 192.168.1.255
        description: Internal interface
tun0: inet 10.1.0.1 --> 10.1.0.2 netmask 0x
        description: office2 interface

# netstat -rn -f inet
Routing tables

Internet:
Destination      Gateway     Flags  Refs  Use   Netif Expire
10.1.0.2         10.1.0.1    UH     2     237   tun0
192.168.1        link#2      UC     0     0     rl1
192.168.2        10.1.0.2    UGS    0     9     tun0
192.168.197      10.1.0.2    UGS    0     1     tun0

Office2

rl1: inet 192.168.197.1 netmask 0xff00 broadcast 192.168.197.255
        description: Internal interface
tun1: inet 10.8.0.1 --> 10.8.0.2 netmask 0x
        description: office1 interface
tun2: inet 10.1.0.2 --> 10.1.0.1 netmask 0x
        description: office2 interface

# netstat -rn -f inet
Routing tables

Internet:
Destination      Gateway     Flags  Refs  Use   Mtu  Interface
10.1.0.1         10.1.0.2    UH     1     0     -    tun2
10.8.0.2         10.8.0.1    UH     2     1796  -    tun1
192.168.1/24     10.1.0.1    UGS    1     165   -    tun2
192.168.2/24     10.8.0.2    UGS    0     10    -    tun1

Office3

rl1: inet 192.168.2.254 netmask 0xff00 broadcast 192.168.2.255
        description: Internal interface
tun1: inet 10.8.0.2 --> 10.8.0.1 netmask 0x
        description: office2 interface

netstat -rn -f inet
Routing tables

Internet:
Destination      Gateway            Flags  Refs  Use   Mtu  Interface
default          10.8.0.1           UGS    2     9489  -    tun1
10.8.0.1         10.8.0.2           UH     3     2059  -    tun1
192.168.2/24     link#2             UC     1     0     -    rl1
192.168.2.1      0:13:d4:d1:3f:f1   UHLc   0     9     -    rl1
===

Lots of thanks. I'm waiting for your answers!
Re: Dummy Interface In OpenBGPd
On 2007/02/07 22:54, [EMAIL PROTECTED] wrote:
> Some hints? Should I manually add a route to it in the kernel routing table?

If you're going to use static routes, you might as well use an address on a normal interface... it's only worth configuring BGP on a loopback address if you have an IGP to redistribute that address into.

(interesting. this prompted me to read lo(4) and learn it has a link1 flag, well you learn something new every day..!)
Re: Please help with routing
> Office3
>
> rl1: inet 192.168.2.254 netmask 0xff00 broadcast 192.168.2.255
>         description: Internal interface
> tun1: inet 10.8.0.2 --> 10.8.0.1 netmask 0x
>         description: office2 interface
>
> netstat -rn -f inet
> Routing tables
>
> Internet:
> Destination      Gateway            Flags  Refs  Use   Mtu  Interface
> default          10.8.0.1           UGS    2     9489  -    tun1
> 10.8.0.1         10.8.0.2           UH     3     2059  -    tun1
> 192.168.2/24     link#2             UC     1     0     -    rl1
> 192.168.2.1      0:13:d4:d1:3f:f1   UHLc   0     9     -    rl1

You lack routes here. Add 192.168.197.0/24 with gateway 10.8.0.1 and 192.168.1.0/24 with gateway 10.8.0.1. The default route through the VPN looks like a routing loop (the VPN packets cannot go through the VPN). Either that or you omitted some of the routing table.
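A way to check tables like the one quoted above for exactly the two problems named in the reply, added here as an example (it is not code from the thread): it parses netstat -rn -f inet output, including OpenBSD's classful shorthand for destinations such as "192.168.1", does a longest-prefix lookup, lists the remote networks that would only match the default route, and tests whether the VPN peer's public address would itself be sent into the tunnel. The peer's public address is a placeholder, and the interface is assumed to be the last column.

```python
"""Added example: longest-prefix route lookup over netstat -rn output,
used to spot missing static routes and a default route that points into
the VPN that is supposed to carry it."""
import ipaddress


def parse_dest(dest):
    """Turn a netstat -rn Destination value into an ip_network. Handles
    'default', 'a.b.c/24', plain hosts, and the classful shorthand OpenBSD
    prints for /8, /16 and /24 networks ('192.168.1' is 192.168.1.0/24)."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if not plen:
        plen = "32" if len(octets) == 4 else str(8 * len(octets))
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def parse_table(text):
    """Return (network, gateway, interface) triples; header and banner lines
    are skipped because their first field is not an address."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            net = parse_dest(fields[0])
        except ValueError:
            continue
        routes.append((net, fields[1], fields[-1]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, the way the forwarding path chooses a route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifc in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifc)
    return best


def missing_routes(routes, remote_nets):
    """Remote networks that would only be reached through the default route."""
    out = []
    for cidr in remote_nets:
        hit = lookup(routes, ipaddress.ip_network(cidr)[1])
        if hit is None or hit[0].prefixlen == 0:
            out.append(cidr)
    return out


def vpn_carries_itself(routes, peer_public_ip, tun_iface):
    """True when the route to the VPN peer's public address points into the
    tunnel, so the encapsulated packets could never leave the box."""
    hit = lookup(routes, peer_public_ip)
    return hit is not None and hit[2] == tun_iface


# Office3's table as quoted in the thread (blank Mtu column kept as '-').
OFFICE3 = """\
Destination        Gateway            Flags  Refs  Use   Mtu  Interface
default            10.8.0.1           UGS    2     9489  -    tun1
10.8.0.1           10.8.0.2           UH     3     2059  -    tun1
192.168.2/24       link#2             UC     1     0     -    rl1
192.168.2.1        0:13:d4:d1:3f:f1   UHLc   0     9     -    rl1
"""
# The same table with the two routes the reply says to add.
OFFICE3_FIXED = OFFICE3 + """\
192.168.197/24     10.8.0.1           UGS    0     0     -    tun1
192.168.1/24       10.8.0.1           UGS    0     0     -    tun1
"""
REMOTE = ["192.168.1.0/24", "192.168.197.0/24"]
PEER_PUBLIC = "203.0.113.10"   # placeholder for office2's real Internet address

if __name__ == "__main__":
    print("missing before fix:", missing_routes(parse_table(OFFICE3), REMOTE))
    print("missing after fix: ", missing_routes(parse_table(OFFICE3_FIXED), REMOTE))
    print("default route into tunnel:",
          vpn_carries_itself(parse_table(OFFICE3), PEER_PUBLIC, "tun1"))
```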
Re: rsa remote auth
Ahh ok, there we go. It was a permissions issue on ~/; I had read and write set for group, changed it to 0700, it's now working.

On 2/7/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2007/02/07 06:49, Lawrence Horvath wrote:
> > and made sure of the file permissions
> > ~/.ssh is 0700
> > ~/.ssh/authorized_keys is 0600
>
> run sshd -d -p some_port (unless you want to disturb your main daemon on
> port 22) and watch the screen output while you connect.

--
-Lawrence
-Student ID 1028219
-CCNA
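The check that caught Lawrence out, as an added example (not from the thread): sshd with StrictModes (the default) ignores authorized_keys if the home directory, ~/.ssh or the file itself is group- or world-writable or not owned by the user or root. The function below applies those checks to a home directory, and demo() rebuilds the situation in a temporary directory (a constructed user name) with the home at 0770, then after chmod 0700.

```python
"""Added example: the ownership and write-permission checks sshd's
StrictModes applies along the path to ~/.ssh/authorized_keys."""
import os
import stat
import tempfile


def _check_path(path, owner_uid, problems):
    """One object: must exist, be owned by the user (or root) and not be
    group- or world-writable, as sshd's secure_filename() requires."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        problems.append(f"{path}: missing")
        return
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid not in (owner_uid, 0):
        problems.append(f"{path}: owned by uid {st.st_uid}, not {owner_uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: group or world writable (mode {mode:04o})")


def check_authorized_keys(home):
    """Return the reasons sshd would ignore ~/.ssh/authorized_keys under this
    home directory; an empty list means the files pass the StrictModes checks."""
    problems = []
    owner_uid = os.stat(home).st_uid
    ssh_dir = os.path.join(home, ".ssh")
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        _check_path(path, owner_uid, problems)
    return problems


def demo():
    """Recreate the thread's situation in a temporary directory: .ssh is 0700
    and authorized_keys 0600 as Lawrence had them, but the home directory is
    group-writable. Returns the problems before and after chmod 0700 on it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "lawrence")      # constructed user name
        ssh_dir = os.path.join(home, ".ssh")
        os.makedirs(ssh_dir)
        keys = os.path.join(ssh_dir, "authorized_keys")
        open(keys, "w").close()
        os.chmod(ssh_dir, 0o700)
        os.chmod(keys, 0o600)
        os.chmod(home, 0o770)                     # read and write for group
        before = check_authorized_keys(home)
        os.chmod(home, 0o700)                     # the fix from the thread
        after = check_authorized_keys(home)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("group-writable home:", before)
    print("after chmod 0700:   ", after)
```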
Master ${SKIPDIR} manifest (fwd)
Here's an initial attempt:
http://people.collaborativefusion.com/~seklecki/bsd-appliance/obsd_mkconf_subsys_prune_skipdir.txt

And w/o comments:
http://people.collaborativefusion.com/~seklecki/bsd-appliance/obsd_mkconf_subsys_prune_skipdir_nc.txt

This initial (and far from comprehensive) attempt reduces build sizes:

# du -hs /usr/obj/ /usr/destdir /usr/releasedir/
475M    /usr/obj/
243M    /usr/destdir
104M    /usr/releasedir/

(Down from the usual 850m+ obj/, etc.)

~BAS

-- Forwarded message --
Date: Mon, 5 Feb 2007 01:06:07 -0500 (EST)
From: Brian A. Seklecki <[EMAIL PROTECTED]>
To: misc@openbsd.org
Subject: Master ${SKIPDIR} manifest

Is anyone maintaining a ${SKIPDIR} manifest? A master list of source directories, organized logically by subsystem? Something to match the variety of make.conf(5)/mk.conf(5) knobs in other systems?

l8*

-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/
Fn problem
a. In ksh without X, in emacs, when I press Fn, it becomes F(n-1).

b. And the meta is esc, how to map it to alt? When esc is mapped to meta, I have to release it first before typing the next key of the binding keys. But I would like it to work only while pressing.

In X, everything is ok, but the default font is not good. I'm new to unix, and don't know how to customize.

--
ibm t30, obsd 4.0, emacs22
Re: Decent 2d performance with ATI FireGL 5200?
On Wed, Feb 07, 2007 at 12:07:16AM -0500, Allan Wind wrote:
> Is there a way to get decent 2d performance with an ATI FireGL 5200?

No, it's based on the Radeon X1600; it has no 2D acceleration core at all, and of course ATI does not release the documentation to write drivers for the 3D bits. See: http://dri.freedesktop.org/wiki/ATIRadeon

"All radeons have open source 2D support. Note that R500 series chips (X1300, X1800 etc) do not have a Radeon 2D core, so are only supported by the vesa driver (no acceleration)."

> VESA in 1920x1200 is too slow for me.
> The ati or radeon drivers give me "(EE) No devices detected.", and the
> driver list in /var/log/Xorg.0.log does not show the card.
> fglrx is not an option either, right?

Hell no, and never will be, unless ATI were to give the source to X.org under the right license.

> Porting seems under way for
> FreeBSD (http://www.fglrx-freebsd.com/index.php), but I am not sure if
> that helps me.

Not unless you use FreeBSD; they like blobs, we don't.

> /Allan