On Tue, 4 Sep 2018 13:16:26 -0400
Daniel Jakots wrote:
> On Tue, 4 Sep 2018 12:05:01 -0500, "Karl O. Pinc"
> wrote:
>
> > Ssh in OpenBSD 6.3 (stable), and I presume 6.2, is vulnerable
> > to username existence checking by remote systems.
>
> It was a
Hi,
Ssh in OpenBSD 6.3 (stable), and I presume 6.2, is vulnerable
to username existence checking by remote systems.
OpenBSD current has a patch.
https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
Demonstration code is found here:
On Tue, 20 Oct 2015 01:08:42 -0600
Devin Reade <g...@gno.org> wrote:
>
>
> > On Oct 19, 2015, at 18:26, Karl O. Pinc <k...@meme.com> wrote:
>
> > But if you write DNS names into your pf.conf
> > file then step 2 can be eliminated. All
>
Hello,
Attached are 3 patches to -current for your
consideration. Apply with:
cd /usr/src
patch -p1 ...
The first, expose-default-pf-rules.patch, lets
the sysadm use the rc(8) constructed default pf
ruleset. This ability was, in a sense,
compromised when 5.8 eliminated the pf_rules
On Mon, 19 Oct 2015 12:47:46 -0600
Theo de Raadt wrote:
> > > The supplied patch allows the rc.conf(8) pf
> > > variable to be set to MINIMAL (in addition to
> > > the current YES and NO). A setting of MINIMAL
> > > loads the rc(8) default pf ruleset and enables
> > >
Well, since there's no attachments,
I am including the patches inline.
On Mon, 19 Oct 2015 10:27:16 -0500
"Karl O. Pinc" <k...@meme.com> wrote:
> Attached are 3 patches to -current for your
> consideration. Apply with:
>
> cd /usr/src
> patch -p1 ...
Hi,
I've an old HP Vectra, with 64MB RAM. When I try to upgrade
from 4.7 to 4.8 the bsd.rd hangs -- the boot
sequence gets as far as softraid0 at root
and then stops. There is no response to
ctrl-alt-del and the system must be power
cycled.
Appended is the output from a serial console
booting
On 11/15/2010 06:35:38 PM, Nick Holland wrote:
On 11/15/10 15:54, Karl O. Pinc wrote:
I've an old HP Vectra, with 64MB RAM. When I try to upgrade
from 4.7 to 4.8 the bsd.rd hangs --
Where should I go from here?
try a snapshot, or do a remote upgrade (which doesn't use bsd.rd).
As I
On 11/12/2010 12:41:41 AM, Vivien MOREAU wrote:
Thursday 11 Nov 2010 23:51 (-0600), Karl O. Pinc wrote :
I just upgraded from 4.7-stable to 4.8-stable
How did you upgrade? Did you follow instructions at
http://www.openbsd.org/faq/upgrade48.html?
Humm. I thought that I used upgrade48.html
Hi,
I just upgraded from 4.7-stable to 4.8-stable
and tried to rebuild the GENERIC i386 kernel
and 'make depend' failed. Figuring that maybe
I'd done something wrong updating the source with
cvs I tried removing /usr/src and replacing it
with the 4.8 tarballs and I had the same
problem.
Here's
On 11/01/2010 10:02:28 AM, Theo de Raadt wrote:
We are pleased to announce the official release of OpenBSD 4.8.
I notice that the Errata link on the OpenBSD home page
gets a 404. Are there no errata?
Thanks for all the great work.
Karl k...@meme.com
Free Software: You don't pay back, you
On 07/23/2009 05:52:38 AM, Henning Brauer wrote:
* hu st hust...@yahoo.com [2009-07-23 12:35]:
AFAIK pf has only a ftp-proxy anchor.
it has userland helpers for the most relevant protocols.
Is there a list of these anywhere? ftp-proxy is the only
one that comes to mind, of those where
Hello,
In order to minimize Internet connectivity downtime
I am looking at obtaining connections from 2 ISPs
and running BGP. However I won't have a publicly
routeable IP block from ARIN. Each ISP will
allocate some of their addresses and the LAN's
rfc1918 addresses will be NATted.
This
On 06/18/2009 01:50:17 PM, Pete Vickers wrote:
On 18. juni. 2009, at 19.45, Karl O. Pinc wrote:
What's the best way to solve this problem?
stop trying to bodge it, and get some PI space.
I'd love but, how can I justify to ARIN a large enough address
block that it won't be dropped
On 06/18/2009 03:49:08 PM, tico wrote:
Karl O. Pinc wrote:
On 06/18/2009 01:50:17 PM, Pete Vickers wrote:
stop trying to bodge it, and get some PI space.
I'd love but, how can I justify to ARIN a large enough address
block that it won't be dropped by BGP administrators?
The only reason
On 06/18/2009 06:01:36 PM, tico wrote:
The number of networks that filter prefixes smaller than /22 don't
appear to be that numerous IMHO, but if they do, your /24 will
still be reachable as they'll see the larger /19 or whatever from
your provider that it's carved out of.
But not from the
On 06/18/2009 05:52:44 PM, Daniel Ouellet wrote:
Hi, here are a few ideas for you.
A few things to think about here depending on what issue you really
try to solve.
First a good ISP after you actually reach them have built redundancy
on their
network, so unless you try a cheap one, then you
On 06/15/2009 06:58:33 AM, Claudio Jeker wrote:
On Sun, Jun 14, 2009 at 11:28:31PM -0500, Karl O. Pinc wrote:
Hi,
It occurs to me that multipath routing
(http://www.openbsd.org/faq/faq6.html#Multipath)
might not play nicely with ftp-proxy on a firewall
because passive ftp sessions could
Hi,
It occurs to me that multipath routing
(http://www.openbsd.org/faq/faq6.html#Multipath)
might not play nicely with ftp-proxy on a firewall
because passive ftp sessions could multiplex the
data and control connections via different ISPs.
My assumption here is that if you're using
multipath
On 02/11/2009 04:55:34 PM, Karl O. Pinc wrote:
On 02/08/2009 08:23:44 PM, Ariane van der Steldt wrote:
On Sun, Feb 01, 2009 at 10:07:49PM -0600, Karl O. Pinc wrote:
I seem to have a problem where 4.4 hangs writing to swap.
Chances are it's fixed in -current.
I just upgraded to a snapshot
On 02/08/2009 08:23:44 PM, Ariane van der Steldt wrote:
On Sun, Feb 01, 2009 at 10:07:49PM -0600, Karl O. Pinc wrote:
I seem to have a problem where 4.4 hangs writing to swap.
Chances are it's fixed in -current.
I just upgraded to a snapshot and the problem seems
to have gone away. Thanks
Hello,
I seem to have a problem where 4.4 hangs writing to swap.
I can run: stress --vm 5 --vm-bytes 5M --vmhang 5 --timeout 1m
under 4.3 but under 4.4 the machine hangs. Here's the background.
I ran nothing but bind (+ cron etc.) on a 586 with 48M of RAM
(machine A, the problem machine).
On 07/14/2008 12:47:40 PM, Karl O. Pinc wrote:
I've an OpenBSD box that's been running postfix for a few
years, strictly as a send-only mta, and every night the
box gets rebooted. Every couple of months postfix does
not come up on reboot.
For the record, it seems the problem has something
Hi,
I've an OpenBSD box that's been running postfix for a few
years, strictly as a send-only mta, and every night the
box gets rebooted. Every couple of months postfix does
not come up on reboot.
All that shows up in the logs is:
snip postfix/postfix-script[3005]: fatal: Postfix integrity
On 11/08/2007 10:54:20 AM, Soner Tari wrote:
On Wed, 2007-11-07 at 13:45 -0500, Steve Shockley wrote:
Try using cdbr as the boot record in no emulation, and put cdboot in
the
root directory of the CD.
I've tried as you suggested,
and
it works
...
For the archives here's a mkisofs command
FYI,
Running OpenBSD 4.0 stable, 32MB RAM, 3 identical
nics.
One symptom of running out of RAM is getting a
panic on boot. The system boots fine with bsd.rd,
but try to boot with the bsd image and you get
(from handwritten notes):
bmtphy1 at dcl phy1; BCM5201 10/100, rev. 2
dc2 at pci0 dev 12
On 07/06/2007 06:46:26 PM, Chris Smith wrote:
I assume the problem is not enough RAM because when I
add more RAM everything works fine.
Repeatable? Sure you've ruled out a seating problem?
Yes, repeatable.
I didn't try to reseat the nic (or the ram), but it worked
fine booting from the
On 07/01/2007 12:53:59 PM, Camiel Dobbelaar wrote:
On Sun, 1 Jul 2007, Karl O. Pinc wrote:
The basic idea is to modify ftp-proxy so it adds binat
rules to its anchors.
You cannot use port in binat rules, so that would not work.
I think this problem can only be fixed in pf itself
On 03/22/2007 03:17:00 PM, Stuart Henderson wrote:
One thing to watch out for with binat: you can't use it with
ftp-proxy(8), since binat is of higher priority than the rdr or
nat rules which are added to the anchor. The workaround there
is to list nat and rdr separately.
I just figured this
On 03/16/2007 02:51:48 AM, Kian Mohageri wrote:
Expectations aside, being condescending is never warranted.
Both
Karl and Martin did just that.
I did not intend to be condescending and apologise if it
was taken that way.
Karl [EMAIL PROTECTED]
Free Software: You don't pay back, you pay
Thanks very much for taking the time to respond.
On 03/16/2007 02:33:28 PM, Kian Mohageri wrote:
I'm not saying that you're unappreciative, just that it seemed that
way.
That is why when I write suggestions, I usually find something to
thank the
person for too, just so they don't feel
On 03/16/2007 02:51:35 PM, Karel Kulhavy wrote:
On Fri, Mar 16, 2007 at 01:26:39PM +, Karl O. Pinc wrote:
It's actually really easy. Follow the first 2 steps in man
release.
Unfortunately these instructions fail with not being clear if I should
use
OPENBSD_4_0_BASE or OPENBSD_4_0
On 03/14/2007 09:13:19 AM, Martin Schrvder wrote:
2007/3/13, Theo de Raadt [EMAIL PROTECTED]:
This means everyone should have our latest patches installed.
Just a reminder: security-announce exists for messages like this. Use
it or delete it.
While the bug is bad, the handling of it is even
On 03/15/2007 10:24:31 PM, Tony Abernethy wrote:
Karl O. Pinc wrote:
On 03/14/2007 09:13:19 AM, Martin Schrvder wrote:
2007/3/13, Theo de Raadt [EMAIL PROTECTED]:
This means everyone should have our latest patches installed.
Just a reminder: security-announce exists for messages like
On 03/15/2007 10:48:49 PM, Ray Percival wrote:
On Mar 15, 2007, at 7:31 PM, Karl O. Pinc wrote:
I rely on having a clear channel for security related
problems.
The only communication problem here is that you don't look
at the information that the project puts out there for you
On 03/15/2007 11:04:49 PM, Jeremy Huiskamp wrote:
That's what I was going to say. If you did things properly,
you would have had this patch applied before you knew that it
was a remote hole.
You have a valid point: any bug is a security problem.
However, the topic is not my management
On 03/15/2007 11:29:22 PM, Theo de Raadt wrote:
I looked for your name on the donations list. I don't see it.
I only buy CDs and stuff occasionally, and generally
invest time in what I hope are productive ways.
How much do I need to donate to keep from having to
waste my time in
On 03/16/2007 12:09:46 AM, Theo de Raadt wrote:
I looked for your name on the donations list. I don't see it.
I only buy CDs and stuff occasionally, and generally
invest time in what I hope are productive ways.
I think you bought one CD.
I think I've bought 4 over the last 5 years.
I
On 03/15/2007 11:55:44 PM, Kian Mohageri wrote:
Security isn't about receiving notifications to your Inbox in a timely
fashion. It is about being proactive yourself. You should be the one
taking measures to secure your systems, and you should be the one
ACTIVELY
LOOKING for problems.
On 03/16/2007 12:40:57 AM, Daniel Ouellet wrote:
And what are the developers doing with their time? They give it to
you and you have the got to complain on top of it!
So next time I shouldn't post when I see a problem?
That'll help, not.
Karl [EMAIL PROTECTED]
Free Software: You don't pay
I apologise to the list for responding to
the flames. I made my point and went beyond
into unproductiveness.
I'm sorry and I'll stop now.
Karl [EMAIL PROTECTED]
Free Software: You don't pay back, you pay forward.
-- Robert A. Heinlein
Hi,
I've applied patch 009_timezone.patch to update
the tzfiles for the US DST change. (OpenBSD 4.0)
Are the libraries clever enough to know that
the files changed or do processes need to
be restarted?
It's simple enough to reboot
the entire box but I'm curious,
and it's aesthetically
Hi,
I was wondering why /usr/local/sbin was not in
the $PATH of the default section of /etc/login.conf.
Since /usr/local/bin is in there I can think of no
reason not to also have /usr/local/sbin.
Regards,
Karl [EMAIL PROTECTED]
Free Software: You don't pay back, you pay forward.
Is the stock fstab documented anywhere? That is,
the fstab that you get if you use the recommended
partitions that the install program sets up for you.
I've been shuffling partitions around and would like
something to compare against with regards to
mounting noexec nosuid etc.
Thanks.
Karl
On 01/01/2007 04:08:49 PM, Ingo Schwarze wrote:
The default is:
- everything except / is nodev
- everything except /sbin /usr /usr/bin /usr/sbin /usr/libexec
/usr/libexec/* /usr/local /usr/local/* /usr/X11R6 /usr/X11R6/bin
is nosuid
- noexec is not used by default
Thanks to
On 12/25/2006 06:25:44 AM, Reyk Floeter wrote:
hi,
On Sun, Dec 24, 2006 at 09:44:46PM +, Karl O. Pinc wrote:
I was just messing about upgrading some boxes from 3.8
and I shut a router down for a while and the bridge
it was plugged into hung. No response to pings and
no response
Hi,
I was just messing about upgrading some boxes from 3.8
and I shut a router down for a while and the bridge
it was plugged into hung. No response to pings and
no response to the keyboard. The only thing I noticed
was that the 3 keyboard lights were all blinking off
and on together at about
On 02/04/2006 01:05:17 AM, veins wrote:
I think you are missing the point, cgd and salting are two different
and
unrelated things. It's not because cgd isn't making it into OpenBSD,
that salting won't make it into svnd. I'd explain, but frankly after a
night at work i'd rather go and sleep
On 01/03/2006 09:45:02 PM, Ted Unangst wrote:
On 1/3/06, kami petersen [EMAIL PROTECTED] wrote:
on a related subject: what's keeping that diff you did to add
salting to
vnconfig from hitting the tree? (or something like it)
i don't believe that the people asking for cgd really even intend
On 01/02/2006 03:31:10 AM, Marco Pfatschbacher wrote:
Although it's rather hypothetical to have two broken switches
at the same time, your assumptions are correct.
The backup will not take over.
It is rather hypothetical, but perhaps not as much as you
might think. I have already, during
On 01/01/2006 11:35:19 AM, Jon Hart wrote:
The BNF seems to indicate that what you are trying to do is legal
syntax-wise. At one point I had an ifstated.conf that did something
similar with a master switch state that was the target of
init-state
-- it would help determine what the correct
On 01/01/2006 03:09:03 PM, Marco Pfatschbacher wrote:
On Sun, Jan 01, 2006 at 12:28:42AM +, Karl O. Pinc wrote:
[...]
Suppose I have 2 firewalls, one failing over to the
other with carp. (net.inet.carp.preempt=1 on
both firewalls.) Each has 3 interfaces, internet,
lan, and dmz. The dmz
Hi,
Sorry, but I just can't seem to get (all of)
net.inet.carp.preempt from the man pages.
I could set this up and test it, but I know that
somebody's done it already and a quick search of
the list archives fails me.
Suppose I have 2 firewalls, one failing over to the
other with carp.
man 5 ifstated.conf says:
The init block is used
to initialise the state and is executed each time the
state is entered.
But this does not seem to be true if you use 'init-state'
to enter the state. Or maybe there's something else
wrong with my config below, or with ifstated when there's
no
On 12/23/2005 05:22:28 AM, Kilaru Sambaiah wrote:
I have a question regarding pf and binat.
I need to protect mail server and web server behind firewall. I am
planning to run
pf with binat rules. I need to do the following:
1) Allow only ssh to firewall
2) Allow 80, 443 from net to web
Hi,
I just did a 3.6 - 3.7 - 3.8 upgrade and
looking through the /etc/security mailing
I see that I don't have /etc/disklabls/
or /etc/isakmpd/. These directories do
not seem to be in etc38.tgz, although they
do show up on a system I did a clean 3.8
install on. (3.8 patched to stable as
of Dec
On 12/23/2005 09:24:09 AM, Jason Crawford wrote:
On 12/23/05, Karl O. Pinc [EMAIL PROTECTED] wrote:
Hi,
I just did a 3.6 - 3.7 - 3.8 upgrade and
looking through the /etc/security mailing
I see that I don't have /etc/disklabls/
or /etc/isakmpd/. These directories do
not seem