Re: want to get a zaurus - anybody in japan willing to help?
http://www.openbsd-support.com/ Not sure if they will be able to help you out but they are in Japan ;) Cheers Ste Jones
Re: OpenBSD's 10th birthday
On 10/18/05, Theo de Raadt [EMAIL PROTECTED] wrote: Now it is really OpenBSD's 10th birthday ;) Happy Birthday to you, Happy Birthday to you, Happy Birthday dear OpenBSD, Happy Birthday to you. Congratz for the last 10 years. Your birthday present should have arrived from PayPal by now :P Cheers Ste Jones
Re: A great article ( found on the OpenBSD site)
another article worth a mention??? Hard-as-nails OpenBSD releases v3.8 http://www.tectonic.co.za/view.php?id=680
Re: routing tables
On 11/15/05, David fire [EMAIL PROTECTED] wrote: Hi, I read the man pages for netstat, route, routed and ifconfig, and all of section 6 of the FAQ, and I can't find where I should put the routing info. Now I am doing route add 198.162.15.0/8 .. route add 10.98.0.0/16 but when I reboot I must put it in again. Where should I put that? Thanks!!! David

man hostname.if and check the "!command-line" section. cheers ste
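A concrete hostname.if(5) layout for what David is asking, added here as an example rather than something from the thread. The interface name, the address and the next-hop gateway are assumptions; the route is one of the two he was adding by hand.

```conf
# /etc/hostname.fxp0 -- added example, not from the thread.
# fxp0, the address and the gateway 192.168.1.1 are assumptions.
inet 192.168.1.10 255.255.255.0
# Lines starting with "!" are handed to sh(1), as root, after the
# interface itself has been configured.
!route add -net 10.98.0.0/16 192.168.1.1
```

Apply it without a reboot with sh /etc/netstart fxp0 and confirm with route -n show. Because the "!" lines are executed as root on every boot, the file should stay owned by root and not be writable by anyone else (the installer creates it mode 640); a hostname.if that an unprivileged user can edit is a root command-execution path.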
Re: VPN: solutions that interoperate with win xp
On 12/19/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Heya, I've been grinding away to get a VPN setup where I can have Win XP clients connect to my OpenBSD firewall and access the network behind it. I have tried a number of things, none of which have yet worked for all my users. I am very much interested in hearing from other admins who have currently working solutions along these lines. I have set up isakmpd between my home and my business location, so I know I am not a complete idiot when it comes to this stuff ;). When I tried to use the native Windows IPsec implementation, both as described in http://openbsd.cz/~pruzicka/vpn.html and through the confusing GUI, I was not able to get anywhere. When I used ipseccmd.exe, it would not give me any useful debugging output and crashed a couple of times while I was trying to set this up. I would very much like to have a setup using the native IPsec in Win XP, but am utterly in the dark as to the Win XP configuration side of things. I have also set up OpenVPN, which works great for me from home, and I have been able to successfully get this working. However, one of the users that connects to my VPN is having problems making OpenVPN and his Kerio firewall play nice, and a working OpenVPN configuration cannot survive a reboot due to Win XP being such a great OS. I am also aware of the Green Bow VPN client that is known to interoperate with isakmpd. I have avoided using this solution since I know it to be a resource hog on Win XP. Anybody else's views on this software would be nice. Anything that you think could help me get a VPN with Win XP talking to my OpenBSD firewall would be awesome. I would love a howto for the Win XP boxes, but a smack with the cluestick is likely all I need. It would be nice for this to NOT use certificates, as I'd like to get a shared secret setup working first, then switch to certs later. Cheers, Jake

Hello, I am looking at doing the same thing. From a conversation I had over the weekend, I think you need to use virtual IDs and run proxy ARP on the internal interface. Hope that helps. Cheers Steve
Re: ssh hangs from Ubunty Feisty 7.04 to OpenBSD
On 4/24/07, Rui Miguel Silva Seabra [EMAIL PROTECTED] wrote: On Tue, 2007-04-24 at 11:32 -0400, Steven Harms wrote: I can verify that ssh between Ubuntu 7.04 and OpenBSD is completely working. Your issue is with your /etc/ssh_config. [EMAIL PROTECTED] I second this verification. Rui

The only problem I had was due to the default UTF-8 character encoding as opposed to ISO-8859-1, but no connection problems to 3.8, 3.9 or 4.0. Cheers Ste
Re: Small office with BSD blueprint
Why is DHCP a bad idea? Rogue DHCP servers, broken clients, possible man-in-the-middle attacks and unauthorised access problems: http://www.networkpenetration.com/dhcp_flaws.html cheers ste
Re: 3.7: weird IP address problem
On 4/24/06, Toni Mueller [EMAIL PROTECTED] wrote: Hello, I have a box that once had two IP addresses on one interface. I deconfigured one of them using ifconfig -alias. Now, when I want to use any (?) program on that box to go over this interface, it wants to use the address which is no longer present. I double-checked to ensure that there is no NAT in the way, and also used all netstat and ifconfig options I know to convince myself that the old address is gone. I also tried to 'ifconfig ifname inet the-one-and-only-address' just in case there would be a different handling of addresses assigned with and without using -alias, but to no avail. What could that be, and why can't I see this address anywhere? I'd rather not reboot only to make a change in IP numbers effective... Best, --Toni++

I've noticed the same thing before with aliases. Downing and upping the interface combined with a route flush (sh /etc/netstart) should fix the problem. I probably wouldn't do this over ssh though. cheers ste
OT: Theo's X commit and homeland security audit
Is Theo the automated code scanner mentioned here? http://news.yahoo.com/s/zd/20060502/tc_zd/177195 In reference to this commit http://www.openbsd.org/cgi-bin/cvsweb/XF4/xc/programs/Xserver/hw/xfree86/common/xf86Init.c.diff?r1=1.13&r2=1.14 seven days before the official patch http://xorg.freedesktop.org/releases/X11R6.9.0/patches/x11r6.9.0-geteuid.diff Just curious. Cheers Ste
Re: Transparent Bridge fail-over?
On 5/4/06, Ken Ebling [EMAIL PROTECTED] wrote: Hello, I'm wondering if any of the changes to CARP in OpenBSD 3.9 allow machines without an IP address to use CARP for fail-over. Thanks, Ken Ebling I think you might be after STP (spanning tree protocol) not CARP Cheers Ste
Re: Transparent Bridge fail-over?
On 5/4/06, Ken Ebling [EMAIL PROTECTED] wrote: On May 4, 2006, at 10:26 AM, Ste Jones wrote: I think you might be after STP (spanning tree protocol) not CARP Cheers Ste Thanks for the advice. I found a document explaining how to set it all up. They do mention that with switches, failover may take a few minutes because of MAC address cache flush time, and that getting smart switches that can flush the cache when they detect an STP change will improve failover time. My stupid question is, can I use hubs instead of switches to reduce failover time? I'm not sure if using a hub would cause any problems, as I've never dealt with STP before. Any insight you could offer would be greatly appreciated. Thanks again, Ken Ebling

I have never set up STP, but if you were to use a hub you are only moving the convergence problem to the devices on the end, be it a router or clients. Instead of a few next-hop MAC updates between a switch and the STP bridges, all the devices would need to update, thus increasing total convergence time. If however you were to use a hub you could look into dropping your ARP cache timeouts or possibly use gratuitous ARP... again, never done it. Cheers Ste
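For the transparent-bridge failover Ken describes, this is an added example (not from the thread) of the bridge configuration on a current OpenBSD release; the member interface names and the timer values are assumptions. On the 3.9-era system in the thread the same keywords went into /etc/bridgename.bridge0 and were applied with brconfig(8), which has since been folded into ifconfig(8). Each member interface needs its own hostname.if containing just "up".

```conf
# /etc/hostname.bridge0 -- added example, not from the thread.
# em0/em1 and the timers are assumptions; the defaults are
# fwddelay 15 and maxage 20 (802.1D), which is where the
# minutes-long failover Ken mentions comes from.
add em0
add em1
stp em0
stp em1
# Faster convergence after a topology change; 802.1D requires
# 2*(hellotime+1) <= maxage <= 2*(fwddelay-1), which 8 satisfies
# with the default hellotime of 2 and fwddelay 5.
fwddelay 5
maxage 8
up
```

ifconfig bridge0 shows each port's STP state (forwarding, blocking, learning). One caveat a practitioner will want: STP believes whatever sends it BPDUs, so any host plugged into those segments can claim the root role with a lower bridge priority and redirect traffic through itself; set priority on the bridges you control and do not extend STP onto ports that face untrusted devices.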
Missing Man Page bio (3)?
Hello, just wondering if there is a missing man page, or if the bio(3) references should be removed from the following pages: SSL_accept.pod, SSL_connect.pod, SSL_do_handshake.pod, SSL_get_fd.pod, SSL_get_rbio.pod, SSL_read.pod, SSL_set_bio.pod, SSL_set_fd.pod, SSL_shutdown.pod, SSL_write.pod. Cheers Ste Jones
Re: is this logically correct ?
On 8/15/06, S t i n g r a y [EMAIL PROTECTED] wrote: Sorry for reposting, but as no one answered, I need to confirm urgently. Here is my first traffic shaping pf.conf file. Although there weren't any syntax mistakes, can you have a look at it and see if there is any logical mistake? Would be very grateful. Regards

intif=epic0
intnet=10.0.0.0/16
extif=fxp0
extad=192.168.0.2/32
chadd=10.0.0.1/32
servers="10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5, 10.0.0.6"
mailserver=10.0.0.2
vip=10.0.0.5
ports="21 22 25 53 80 110 119 123 143 443 554 1755 1863 3389 5000 5001 5050 5100 5190 6667 11999"
allif="{ $extif, intif }"
table <allowedclients> persist file "/etc/allowedclients"
table <blockedclients> persist file "/etc/blockedclients"

scrub in all

altq on $extif cbq bandwidth 500Kb queue { def, msn, www, https, smtp, ssh, ftp }
queue ftp bandwidth 10% cbq(borrow red)
queue www bandwidth 30% cbq(borrow red)
queue https bandwidth 30% cbq(borrow red)
queue ssh bandwidth 10% cbq(borrow red)
queue def bandwidth 10% cbq(default borrow red)
queue smtp bandwidth 10% cbq

nat on $extif inet proto { tcp, udp } from <allowedclients> to any port { $ports } -> $extad
rdr on $intif proto tcp from <allowedclients> to any port 80 -> $chadd port 8080
rdr on $extif proto tcp from any to $extad port 25 -> $mailserver port 25
rdr on $extif proto tcp from any to $extad port 80 -> $mailserver port 80

pass out on $extif inet proto { tcp, udp } from <allowedclients> to any port { $ports }
pass in on extif proto tcp from <allowedclients> to any port msn queue msn
pass in on extif proto tcp from <allowedclients> to any port ssh queue ssh
pass in on extif proto tcp from <allowedclients> to any port www queue https
pass in on extif proto tcp from <allowedclients> to any port www queue www
pass in on extif proto tcp from <allowedclients> to any port smtp queue smtp
pass in on extif proto tcp from <allowedclients> to any port ftp queue ftp
pass out on extif inet proto udp from any to <allowedclients> port msn queue msn
pass out on extif inet proto udp from any to <allowedclients> port ssh queue ssh
pass out on extif inet proto udp from any to <allowedclients> port www queue https
pass out on extif inet proto udp from any to <allowedclients> port www queue www
pass out on extif inet proto udp from any to <allowedclients> port smtp queue smtp
pass out on extif inet proto udp from any to <allowedclients> port ftp queue ftp

Stingray

Shouldn't allif={$extif, intif} be allif={$extif, $intif}? If you want to verify the queues, install pftop (in the ports) and check the Queue View when you have a bit of traffic to see if they are being added to the correct one. cheers ste
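The macro fix Ste points at, shown in a small ALTQ fragment of my own: this is an added example, not Stingray's file, written in the pre-5.5 altq/cbq syntax the thread uses (OpenBSD 5.5 replaced ALTQ with the queue/bandwidth syntax). The interface names, the network and the 500Kb figure are assumptions; the macro-inside-a-macro form is the one pf.conf(5) documents. It defines every child queue the parent names, quotes macros that contain spaces, and puts the queue keyword on the rule that creates the state on the shaped interface.

```conf
# Added example, not the poster's pf.conf. Names and numbers are assumptions.
int_if  = "epic0"
ext_if  = "fxp0"
int_net = "10.0.0.0/16"
# The bug in the thread: "{ $extif, intif }" expands to a literal "intif".
# pf.conf(5) builds a macro from other macros like this:
all_if  = "{" $ext_if $int_if "}"
table <allowedclients> persist file "/etc/allowedclients"

# Every queue named in the parent's list must be defined, and exactly
# one of them carries "default".
altq on $ext_if cbq bandwidth 500Kb queue { def, www, ssh }
queue def bandwidth 40% cbq(default borrow red)
queue www bandwidth 40% cbq(borrow red)
queue ssh bandwidth 20% cbq(borrow red)

# The queue is chosen by the rule that creates the state; tagging it on
# the pass out rule on $ext_if keeps the assignment on the shaped interface.
pass out on $ext_if proto tcp from <allowedclients> to any port 80 queue www
pass out on $ext_if proto tcp from <allowedclients> to any port 22 queue ssh
pass out on $ext_if proto tcp from <allowedclients> to any queue def
```

pfctl -nf /etc/pf.conf parses the file without loading it, which catches a queue that is listed in the parent but never defined or a macro that does not expand. Once loaded, pfctl -vsq and pftop's queue view show which queue live traffic actually lands in, as Ste suggests.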
Re: Forum-Software, good and secure, on OpenBSD systems?
On 9/12/06, Michael Schmidt [EMAIL PROTECTED] wrote: Hello, which experiences or what knowledge are/is available concerning good and secure forum software known to run under OpenBSD? I am interested in feedback on this.

I have been using punbb (punbb.org) for the last few months without much stress... seems quite good, with no complaints so far. Hope that helps. Cheers Ste
Re: figuring out the local IP address of an interface
Is there a way to portably make this work across Linux, FreeBSD, NetBSD and OpenBSD? If I remember correctly you can possibly do it with libdnet http://libdnet.sourceforge.net/ Cheers Ste
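A portable answer as an added example, not code from the thread or from libdnet: getifaddrs(3) is available on Linux, FreeBSD, NetBSD and OpenBSD and returns the per-interface address list directly, which is the same information libdnet wraps. The loopback name used in main() ("lo" on Linux, "lo0" on the BSDs) is the only assumed input; the function takes any interface name.

```c
/* Added example, not code from the thread: getifaddrs(3) exists on Linux,
 * FreeBSD, NetBSD and OpenBSD.  Interface names in main() are assumptions.
 * Build: cc -o localaddr localaddr.c */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <ifaddrs.h>

/* Write the first IPv4 address configured on ifname into buf (at least
 * INET_ADDRSTRLEN bytes).  Returns 0 on success, -1 if the interface has
 * no IPv4 address or getifaddrs() fails. */
int local_addr_of(const char *ifname, char *buf, size_t len)
{
    struct ifaddrs *ifap, *ifa;
    int rc = -1;

    if (getifaddrs(&ifap) == -1)
        return -1;
    for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
        /* ifa_addr can be NULL (an interface with no address yet), and
         * the BSDs also list AF_LINK entries, so filter on the family
         * before touching the sockaddr. */
        if (ifa->ifa_addr == NULL || ifa->ifa_addr->sa_family != AF_INET)
            continue;
        if (strcmp(ifa->ifa_name, ifname) != 0)
            continue;
        const struct sockaddr_in *sin =
            (const struct sockaddr_in *)ifa->ifa_addr;
        if (inet_ntop(AF_INET, &sin->sin_addr, buf, (socklen_t)len) != NULL)
            rc = 0;
        break;
    }
    freeifaddrs(ifap);
    return rc;
}

/* Number of IPv4 addresses across all interfaces; -1 if getifaddrs() fails. */
int count_ipv4_addrs(void)
{
    struct ifaddrs *ifap, *ifa;
    int n = 0;

    if (getifaddrs(&ifap) == -1)
        return -1;
    for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next)
        if (ifa->ifa_addr != NULL && ifa->ifa_addr->sa_family == AF_INET)
            n++;
    freeifaddrs(ifap);
    return n;
}

int main(int argc, char **argv)
{
    /* Loopback name is an assumption; pass the interface as argv[1]. */
#ifdef __linux__
    const char *ifname = argc > 1 ? argv[1] : "lo";
#else
    const char *ifname = argc > 1 ? argv[1] : "lo0";
#endif
    char buf[INET_ADDRSTRLEN];

    if (local_addr_of(ifname, buf, sizeof buf) == 0)
        printf("%s: %s\n", ifname, buf);
    else
        printf("%s: no IPv4 address\n", ifname);
    printf("%d IPv4 address(es) on this host\n", count_ipv4_addrs());
    return 0;
}
```

The NULL check on ifa_addr is the part people forget: a point-to-point or tunnel interface that has been created but not yet addressed will otherwise crash the walk, and on the BSDs the first entry for each interface is usually its AF_LINK record, not an IP address.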
Re: dns working but problem w etherape
Thanks, good point. But it does not make any difference. No doubt the problem is in etherape, as I can do manual queries just fine.

From my post on openbsd-newbies a few days ago: I had the same problem a year or so ago, with etherape and the lack of DNS http://marc.theaimsgroup.com/?l=openbsd-misc&m=111465469331179&w=2 To get around it you can find a patch here for 0.91 http://www.networkpenetration.com/downloads.html Basically it adds a -D switch so you can specify the DNS server. Be warned though, it's a CPU hog and it fragged a machine of mine after a few weeks of constant running. Cheers Ste
Re: imp, apache chroot, mini_sendmail, does not really sendmail
On 11/30/06, dreamwvr [EMAIL PROTECTED] wrote: On Tue, Nov 28, 2006 at 04:38:28AM +0100, Alexander Hall wrote: dreamwvr wrote: Hello, if using the imp port in chroot with mini_sendmail can you input? chroot -u www /var/www echo test | mini_sendmail -v -p25 address works just fine. However IMP is unable to really send mails. You are only chrooting your echo here. Try something like echo test | sudo chroot -u www /var/www mini_sendmail ... Yeah, duh, brain fart. That would help, yes. :) IMP in chroot definitely is interesting. Still no sendmail from chrooted IMP. So there is something else IMP likes to see to exec mini_sendmail.

Did you copy sh into the chroot? cheers ste
Re: php mail() function fails
On 1/12/07, Henning Brauer [EMAIL PROTECTED] wrote: * Joachim Schipper [EMAIL PROTECTED] [2007-01-12 15:50]: On Fri, Jan 12, 2007 at 12:30:32PM +0100, Henning Brauer wrote: * Lars Hansson [EMAIL PROTECTED] [2007-01-12 08:20]: On Friday 12 January 2007 13:04, noob lenoobie wrote: My problem is the following: I'm unable to send mail from PHP. The PHP mail() function will not work in chroot (unless you install the chroot flavour of the mini-sendmail package). Err... unless you make mail work inside the chroot. And since mini_sendmail is a piece of shit, I recommend femail, but I might be biased :) I'm curious - why do you feel mini_sendmail is 'a piece of shit'? I've never given much thought to it, but it has worked well for a couple of years now, and femail doesn't seem to do things very differently. Well, it's a bit that I looked at mini_sendmail's code, but it was horrid. Second, it does not nearly implement RFC282{1,2} correctly. The parser is horribly incomplete and broken. I'll have to admit that mini_sendmail's website sucks, but at least the man page doesn't misspell 'environment' (at least in the DESCRIPTION on http://unduli.bsws.de/femail/femail.8.html). ;-) Oh well

Just out of interest, does femail need a sh in the chroot like mini_sendmail?
Re: What's up with my pf.conf?
On 2/14/07, mal content [EMAIL PROTECTED] wrote: To clarify: I can connect from any 192.168.2.* IP to a temporary machine in the 192.168.1.* network (the empty network between the hardware router and the OpenBSD box), so packets appear to be forwarded correctly. If I try to connect to an external IP, however, the packets don't seem to go anywhere. I have, on a few occasions, seen responses from openbsd.org to packets sent earlier which are then blocked by pf (correctly, as they are no longer associated with any connection). I have connected a machine to the 192.168.1.* network to sniff packets with Wireshark and see absolutely nothing go through when a machine at 192.168.2.5 attempts to 'nc' to openbsd.org:80. Watching pf logs with tcpdump shows that pf certainly believes it has forwarded packets to the external IP address. ... In the old days, we'd have opened the switch with bolt cutters and set fire to the building on the way out. MC

What does `route show` say, and is the default gateway correct? Cheers Ste
Re: Could Hiawatha replace Apache as in base HTTP server if it's license changed?
On Dec 7, 2007 4:15 PM, Daniel Ouellet [EMAIL PROTECTED] wrote: Ste Jones wrote: Just to say lighttpd appears to be BSD licensed http://trac.lighttpd.net/trac/browser/trunk/COPYING Between appears to be and being, there is a difference. Right from the home page, http://www.lighttpd.net/ fifth line: And best of all it's Open Source licensed under the revised BSD license. has been there for a very long time and the link to the license itself is still dead. I keep looking for it and still not good. Between appears and being, there is a long way. Just FYI. Best, Daniel

I emailed Jan, the lead developer of lighttpd, to see what he said about the license. His answer is below. I would like to say that I have been running lighttpd in production for the last few months without too many hiccups. Vhosts, priv sep + chrooting are all there, as well as FastCGI binding for those wanting to run PHP, Ruby etc... But hey, I am not an OpenBSD developer and can't comment on the security of lighttpd's code, but I think most people would agree it would be better to have a maintained piece of BSD software as opposed to a fairly stagnant bit of GPL. The only downside of lighttpd that I have come across is that it doesn't support .htaccess files, thus rules have to be added to its config file. Cheers Ste

-- Forwarded message --
From: Jan Kneschke [EMAIL PROTECTED]
Date: Dec 7, 2007 5:10 PM
Subject: Re: lighttpd license
To: Ste Jones [EMAIL PROTECTED]
It is this at http://trac.lighttpd.net/trac/browser/trunk/COPYING It should be the normal, nowadays BSD license: http://opensource.org/licenses/bsd-license.php cheers, Jan
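The chroot and privilege-separation settings Ste refers to, as an added example of a lighttpd.conf fragment. This is not lighttpd's shipped configuration and not from the thread; the user, group, paths and port are assumptions.

```conf
# lighttpd.conf fragment -- added example; user, group, paths and port are assumptions.
server.modules       = ( "mod_access" )
server.port          = 80
# Started as root so it can bind port 80, lighttpd then chroots and drops
# to the unprivileged user/group below; both settings are needed together.
server.chroot        = "/var/www"
server.username      = "www"
server.groupname     = "www"
# document-root is resolved after the chroot, so it is relative to /var/www
# (i.e. /var/www/htdocs on the host).
server.document-root = "/htdocs"
index-file.names     = ( "index.html" )
# There is no .htaccess support; per-path rules live here instead.
url.access-deny      = ( "~", ".inc", ".htaccess" )
```

lighttpd -t -f /etc/lighttpd.conf checks the file before a restart. After start-up the worker should show as www in ps, and anything it serves or executes must be reachable under /var/www, so a FastCGI backend such as PHP has to listen on a socket inside the chroot or on a TCP port rather than on a host path.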
Re: Could Hiawatha replace Apache as in base HTTP server if it's license changed?
On Dec 7, 2007 7:32 PM, Andris [EMAIL PROTECTED] wrote: On Dec 7, 2007 3:57 PM, Ste Jones [EMAIL PROTECTED] wrote: But hey, I am not an OpenBSD developer and can't comment on the security of lighttpd's code, but I think most people would agree it would be better to have a maintained piece of BSD software as opposed to a fairly stagnant bit of GPL. Please note that Apache (in base) is not GPL; this is the license: http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/httpd/LICENSE?rev=1.5&content-type=text/plain Greetings.

Oops, my bad