mp setperf splipi
I was very curious about the implementation so I've read it.

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/arch/i386/i386/mp_setperf.c?rev=1.2content-type=text/x-cvsweb-markup

well I was wondering why is it necessary the splipi when before we are at IPL_HIGH?

...
	s = splipi();
	ul_setperf(mp_setperflevel);
	splx(s);
...

thanks,
--
giovanni
named lookup failures through pf fw
i seem to be having a dns/fw issues that i can't figure out. basically, wifi clients can't lookup dns successfully unless the entry is already cached on the openbsd 4.0 box first.

this has just started after introducing a new firewall config but i have _no_ idea what the difference between a fresh vs cached lookup should be from the client side! this is surely a misunderstanding on my part. can you see what i'm missing?

what's there:

openbsd 4.0 dns servers 10.0.0.11 & 12
openbsd 4.1 firewall
    sis2 -> internet, 121.73.27.x
    sis1/2 bridged -> 10.0.0.11 & 12 via crossover
    ath0 -> wifi 172.16.x.x dhcp for clients

dhcp side: the clients (macos, windows, whatever) receive a dhcp address & can access services such as email on the 10.x network, and anything on the internet via IP address.

but when a name lookup is done from 172. to the 10. dns servers, the request goes through to the 10. dns server just fine - which then replies with a 'not found' type error. running the same lookup again on the 10. dns server directly works. then re-running the same query from the client side retrieves the new cached version correctly.

presumably the fw rules are ok as traffic is passing each time. but what am i missing? i've not changed the dns servers since 3.9, but there is a new pfSense firewall in between.

pf.conf & named.conf follow the dns trace.

en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        tunnel inet  -->
        inet 172.16.0.10 netmask 0xffffff00 broadcast 172.16.0.255
        ether 00:19:e3:0f:1a:6b
        media: autoselect status: active
        supported media: autoselect
        vlan: 0 parent interface: none
        bond interfaces: none

non-cached from client:
May 17 07:19:52.391667 172.16.0.10.49319 > 10.0.0.11.53: [udp sum ok] 21247+ A? www.novell.com. (32) (ttl 63, id 17885, len 60)

return to client:
May 17 07:19:52.392233 10.0.0.11.53 > 172.16.0.10.49319: 21247- 0/13/13 (451) (ttl 64, id 20192, len 479)

non-cached from dns server:
May 17 07:20:08.675725 10.0.0.2.40578 > 203.96.152.4.53: [udp sum ok] 13112+ [1au] A? www.novell.com. (43) (ttl 64, id 6400, len 71)

reply from dns forwarder:
May 17 07:20:08.686623 203.96.152.4.53 > 10.0.0.2.40578: 13112 1/3/3 www.novell.com. A 130.57.5.25 (162) (DF) (ttl 124, id 11878, len 190)

cached from client:
May 17 07:20:13.695183 172.16.0.10.49320 > 10.0.0.11.53: [udp sum ok] 50027+ A? www.novell.com. (32) (ttl 63, id 17961, len 60)

cached reply from dns server:
May 17 07:20:13.695563 10.0.0.11.53 > 172.16.0.10.49320: 50027- 1/3/2 www.novell.com. A 130.57.5.25 (151) (ttl 64, id 18118, len 179)

pf.conf
===
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macro definitions

# interfaces
ext_if = "sis2"
wii_if = "ath0"
dmz_if = "{ sis0 sis1 bridge0 }"
int_if = "{ sis0 sis1 bridge0 ath0 }"

# networks
ext_nw = "{ 121.73.27.0/24 }"
wii_nw = "{ 172.16.0.0/24 }"
dmz_nw = "{ 10.0.0.0/24 }"
int_nw = "{ 10.0.0.0/24 172.16.0.0/24 }"

# dmz hosts
dmz_web = "10.0.0.20"
dmz_mail = "10.0.0.21"
dmz_ssh = "10.0.0.31"

# port groups
mail_ports = "{ imap, imaps, smtp }"
web_ports = "{ http, https }"

# tables
table <spamd-white> persist
table <internal_net> persist {10.0.0.0/24, 172.16.0.0/24}

# options
set skip on lo
set require-order yes
set block-policy drop
set optimization normal
set loginterface none
set loginterface ath0

# normalisation
scrub in all
scrub out all

# translation & redirection
nat on $ext_if inet proto {icmp, tcp, udp} \
    from !($ext_if) -> ($ext_if:0)
rdr pass on $ext_if inet proto tcp \
    from any to $ext_nw port $web_ports -> $dmz_web
rdr pass on $ext_if inet proto tcp \
    from any to $ext_nw port $mail_ports -> $dmz_mail
rdr pass on $ext_if inet proto tcp \
    from any to $ext_nw port ssh -> $dmz_ssh

# filtering
block in all
block out log all
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
# block
Re: named lookup failures through pf fw
On Thu, 17 May 2007 [EMAIL PROTECTED] wrote:

> i seem to be having a dns/fw issues that i can't figure out. basically,
> wifi clients can't lookup dns successfully unless the entry is already
> cached on the openbsd 4.0 box first.

I guess you have to add the wifi network in the acl clients list in named.conf.

-moj

> this has just started after introducing a new firewall config but i have
> _no_ idea what the difference between a fresh vs cached lookup should be
> from the client side! this is surely a misunderstanding on my part. can
> you see what i'm missing?
> [...]
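The replies in the trace above can be classified mechanically, which is handy when checking a resolver from the client side after a firewall or named.conf change. The following is an added example written for this page, not code from the thread. It parses tcpdump's one-line DNS summaries and relies on two facts about that format: the `+` after a query id means the client asked for recursion (RD), and a `-` after a response id means the server did not set RA (recursion available). The sample lines are the three replies from the thread, with the `>` between endpoints restored where the archive copy dropped it. A reply with RA clear, zero answers and a non-empty authority section is a referral handed to a client the server will not recurse for; that is exactly the `0/13/13` reply above, which the client's resolver then reports as a failed lookup.

```python
import re

# Constructed sample: the three replies from the thread's tcpdump trace
# (the archive copy lost the '>' between endpoints; it is restored here).
SAMPLE_TRACE = """\
May 17 07:19:52.392233 10.0.0.11.53 > 172.16.0.10.49319: 21247- 0/13/13 (451) (ttl 64, id 20192, len 479)
May 17 07:20:08.686623 203.96.152.4.53 > 10.0.0.2.40578: 13112 1/3/3 www.novell.com. A 130.57.5.25 (162) (DF) (ttl 124, id 11878, len 190)
May 17 07:20:13.695563 10.0.0.11.53 > 172.16.0.10.49320: 50027- 1/3/2 www.novell.com. A 130.57.5.25 (151) (ttl 64, id 18118, len 179)
"""

# tcpdump DNS response summary: "<id><flags> [<rcode>] <an>/<ns>/<ar>".
# flags: '*' authoritative answer, '-' recursion NOT available, '|' truncated.
RESPONSE = re.compile(
    r"^(?P<ts>\w+ +\d+ [\d:.]+) (?P<server>[\d.]+)\.53 > (?P<client>[\d.]+)\.(?P<cport>\d+): "
    r"(?P<id>\d+)(?P<flags>[*\-|$]*)(?: (?P<rcode>[A-Za-z]+))? (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)"
)


def parse_response(line):
    """Return a dict describing one tcpdump DNS reply line, or None if it is not one."""
    m = RESPONSE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "server": d["server"],
        "client": d["client"],
        "id": int(d["id"]),
        "ra": "-" not in d["flags"],   # did the server offer recursion to this client?
        "aa": "*" in d["flags"],
        "rcode": d["rcode"] or "NoError",
        "answers": int(d["an"]),
        "authority": int(d["ns"]),
        "additional": int(d["ar"]),
    }


def classify(r):
    """Label a parsed reply from the client's point of view."""
    if r["rcode"] != "NoError":
        return r["rcode"].lower()
    if not r["ra"] and r["answers"] == 0 and r["authority"] > 0:
        # No answer, only a referral (typically the root NS list): the server
        # refused to recurse for this client and handed back what it knows.
        return "recursion-refused"
    if not r["ra"] and r["answers"] > 0:
        # Answered from cache, yet RA is still clear: the client is outside the
        # recursion ACL and will only ever see names someone else resolved.
        return "cache-only"
    return "answered"


def analyse(trace):
    """Parse every reply line in a tcpdump trace and attach a verdict to each."""
    results = []
    for line in trace.splitlines():
        r = parse_response(line)
        if r:
            r["verdict"] = classify(r)
            results.append(r)
    return results


def clients_refused_recursion(trace):
    """Client addresses that received at least one recursion-refused reply."""
    return sorted({r["client"] for r in analyse(trace) if r["verdict"] == "recursion-refused"})


if __name__ == "__main__":
    for r in analyse(SAMPLE_TRACE):
        print(f'{r["ts"]} {r["server"]} -> {r["client"]}: id {r["id"]} '
              f'{r["answers"]}/{r["authority"]}/{r["additional"]} RA={r["ra"]} => {r["verdict"]}')
    print("clients refused recursion:", clients_refused_recursion(SAMPLE_TRACE))
```

Run against a live capture with `tcpdump -n -i ath0 udp port 53 | python3 dnsreply.py` after adapting the `__main__` block to read stdin; any client listed by `clients_refused_recursion` is one the server's recursion ACL does not cover, which in this thread was the 172.16.0.0/24 wifi network missing from the `clients` acl in named.conf.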
Re: named lookup failures through pf fw [RESOLVED]
On Thu, May 17, 2007 at 10:42:46AM +0200, Mats O Jansson wrote:
> On Thu, 17 May 2007 [EMAIL PROTECTED] wrote:
>> i seem to be having a dns/fw issues that i can't figure out. basically,
>> wifi clients can't lookup dns successfully unless the entry is already
>> cached on the openbsd 4.0 box first.
>
> I guess you have to add the wifi network in the acl clients list in named.conf.
>
> -moj

thanks Mats, sorted!

a+
scorch
Re: openBSD as a 802.11b/g AP
Hi,

Darrin Chandler schrieb:
> I've done hostap with ath in b mode with no problems. One thing you might
> try is specifying explicitly instead of using autoselect. I *might* have
> done that when I set it up, but I'm not at all sure...

This worked for me with the old ath card:

inet 192.168.180.1 255.255.255.192 NONE \
        media autoselect mode 11b mediaopt hostap \
        nwid wrap chan 7 -nwflag hidenwid \
        nwkey 0xXX \
        up

Btw, my CM9 ath card replaced an old 11b wi card and gave an old notebook 11g mode too as client. =)

Michael
FAQ - Why good firewalls lose in the market
http://www.schneier.com/crypto-gram-0705.html#1 Kind regards Siju
Re: Failing to get [EMAIL PROTECTED] in X
On Sat, 12 May 2007 12:59:09 -0700 Michael Oliver [EMAIL PROTECTED] wrote: On 5/12/07, Alex Holst [EMAIL PROTECTED] wrote: Quoting Tobias Weingartner [EMAIL PROTECTED]: xdpyinfo | grep dim tori$ xdpyinfo | grep dim dimensions:1680x1050 pixels (474x303 millimeters) And my current xorg.conf with what I believe are correct HorizSync and VertRefresh: http://a.mongers.org/x/xorg.conf This config outputs [EMAIL PROTECTED] -- I prefer the dark of the night, after midnight and before four-thirty, when it's more bare, more hollow. http://a.mongers.org I had a similar problem a few weeks back. It turned out that the 'nv' driver didn't support wide screen resolutions. However, I installed the 'nvidia' drivers and it worked out just fine. Perhaps this problem is similar. you installed the nvidia driver on openbsd, how? i assume you talk about a linux distribution or some other BSD which supports nvidia binaries.
Sheldeez Commercials
Many of you are aware that Sheldeez has done an extensive television advertising campaign all over the United States. Many of you have also asked for copies of the commercials to forward to friends and family. In the interest of bandwidth and e-mail storage space we have opened a page with buzznet to post our commercials, photos of styles, photos of stylists etc. This site is for our salon and on-line customers alike. Please visit, check out the videos, drop us a line, whatever you'd like. We look forward to hearing from and/or seeing you soon. Please share with anyone who may find it useful.

http://sheldeez.buzznet.com/user/video/play/

Check back to see updates of photos, blogs, and how to videos.

Sheldeez Management

https://webcart.net/securehost/sheldeez.com/webcart11/nl_unsubscribe.php?ln=en&EMAIL=misc%40openbsd.org&SRC=aah2
Click here to unsubscribe
GRE or gif keepalive
Hey Everybody, Do you know if GRE or gif is having a keepalive option? I searched with google and the archives and I didn't find anything like that. The problem that I have is as I run GRE over IPSec and I would like to know when the IPSec tunnel is down with the help of GRE interface which it should go down if there is sort of a keepalive mechanism. -- Alex
Re: Monitoring with labels
On Wed, 16 May 2007, Darren Spruell wrote: I suppose that the collector would also need to support sflow? DS if you wanted to collect sflow data :-) diana Past hissy-fits are a predictor of future hissy-fits. Diana Eichert(12 May 2007)
Re: GRE or gif keepalive
On 2007/05/17 13:46, Alex Berdan wrote: Do you know if GRE or gif is having a keepalive option? Not directly, but you can add one using ospfd(8) or ifstated(8).
Re: new openbsd 4.0 server, panic on ufsdirhash
On Wed, May 16, 2007 at 07:44:14PM -0700, John Mendenhall wrote:
> Well, I posted the dmesg at the beginning of this thread.

Sorry, I'd forgotten it was in your first post. :(

>> Use UKC (boot -c), and the verbose command. See boot_config(8).
>
> Is this supported when booting from cd? I can only boot from the cd
> right now. Once it starts copying data, it crashes in the comp set.

Yes, you can use this technique when booting from CD. On i386, at the boot prompt, type in -c and press the Enter key. The kernel will load, but before doing any hardware discovery will issue a UKC prompt. If you type verbose and press Enter, then type quit and press Enter, you will get more detailed kernel probe output.
Re: Chaos Computer Camp 2007. Anyone going?
Felix kept on twisting my arm so hard about it that he finally managed to convince me to go. I have always wanted to go there anyway. I'll stock up on my meds and if I'm in good enough shape, I'll join the merry gang. Look for me somewhere in the BSD village. -- Jacek Artymiak devGuide.net
ac97: codec not read on Dell Latitude LS (4.1)
Hello,

I am running 4.1 on a Dell Latitude LS laptop (full dmesg at bottom). The machine uses the (undocumented, man neo) Neomagic MagicMedia 256AV audio chip:

neo0 at pci1 dev 0 function 1 "Neomagic MagicMedia 256AV" rev 0x20
1:0:1 10c8:8005 pin B clink 0x01 irq 10 stage 0
WARNING: preserving irq 10
pci_intr_route_link: route PIRQ 0x01 -> IRQ 10 preserved BIOS setting : irq 10
ac97: codec id not read
audio0 at neo0

I can't seem to get the audio chip working. The /dev/audio et al. are there, but I can't play anything. Doing cat file.au > /dev/audio takes forever with even a small au file, and while running, does not respond to ^C (only dies like a minute after that).

What exactly is the WARNING about? What does "ac97: codec id not read" mean? Are these two related?

Thanks a lot
Jan

This is the full dmesg. The 'LATITUDE' config (I know) is GENERIC with *VERBOSE added.

OpenBSD 4.1-stable (LATITUDE) #4: Tue May 8 11:59:14 CEST 2007
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/LATITUDE
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 399 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE
real mem = 133722112 (130588K)
avail mem = 118636544 (115856K)
using 1663 buffers containing 6811648 bytes (6652K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 03/17/00, BIOS32 rev. 0 @ 0xfd7b0, SMBIOS rev. 2.3 @ 0xdc010 (23 entries)
bios0: Dell Computer Inc. Atlas
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC on, battery charge high
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd7b0/0x850
pcibios0: config mechanism [1][x], special cycles [x][x], last bus 1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf50/144 (7 entries)
PIR Entry 0:
	Bus: 0  Device: 7
		INTA: link 0x60 bitmap 0xdef8
		INTB: link 0x61 bitmap 0xdef8
		INTC: link 0x62 bitmap 0xdef8
		INTD: link 0x63 bitmap 0xdef8
PIR Entry 1:
	Bus: 1  Device: 0
		INTA: link 0x60 bitmap 0xdef8
		INTB: link 0x61 bitmap 0xdef8
		INTC: link 0x62 bitmap 0xdef8
		INTD: link 0x63 bitmap 0xdef8
PIR Entry 2:
	Bus: 0  Device: 1
		INTA: link 0x00 bitmap 0xdef8
		INTB: link 0x00 bitmap 0xdef8
		INTC: link 0x00 bitmap 0xdef8
		INTD: link 0x00 bitmap 0xdef8
PIR Entry 3:
	Bus: 1  Device: 0
		INTA: link 0x60 bitmap 0xdef8
		INTB: link 0x61 bitmap 0xdef8
		INTC: link 0x00 bitmap 0xdef8
		INTD: link 0x00 bitmap 0xdef8
PIR Entry 4:
	Bus: 0  Device: 10
		INTA: link 0x60 bitmap 0xdef8
		INTB: link 0x00 bitmap 0xdef8
		INTC: link 0x00 bitmap 0xdef8
		INTD: link 0x00 bitmap 0xdef8
PIR Entry 5:
	Bus: 0  Device: 13
		INTA: link 0x60 bitmap 0xdef8
		INTB: link 0x00 bitmap 0xdef8
		INTC: link 0x00 bitmap 0xdef8
		INTD: link 0x00 bitmap 0xdef8
PIR Entry 6:
	Bus: 0  Device: 16
		INTA: link 0x62 bitmap 0xdef8
		INTB: link 0x00 bitmap 0xdef8
		INTC: link 0x00 bitmap 0xdef8
		INTD: link 0x00 bitmap 0xdef8
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 0x00)
pciintr_link_fixup: PIRQ 0x00 is already connected to IRQ 10
pciintr_link_fixup: PIRQ 0x01 is already connected to IRQ 10
pciintr_link_fixup: PIRQ 0x02 is already connected to IRQ 3
pciintr_link_fixup: PIRQ 0x03 is already connected to IRQ 10
pciintr_link_fixup: piirq 0x0408
000:10:0 104c:ac1e Incorrect secondary bus: primary 0, secondary 0, subordinate 0
PCI bus renumbering needed
PCI bridge 0: primary 0, secondary 1, subordinate 1
PCI bridge 1: primary 0, secondary 2, subordinate 2
pcibios0: PCI bus #2 is the last bus
[System BIOS Setting]-----------------------
  device vendor product
  register space address    size
---------------------------------------------
000:00:0 8086:7190
	10h mem 0xf800 0x0400 [OK]
000:01:0 8086:7191 [OK]
000:07:0 8086:7110 [OK]
000:07:1 8086:7111
	20h port 0xfcd0 0x0010 [OK]
000:07:2 8086:7112
	20h port 0xfce0 0x0020 [OK]
000:07:3 8086:7113 [OK]
000:10:0 104c:ac1e
	10h mem 0x 0x1000 [OK]
000:13:0 10b7:9200
	10h port 0xfc00 0x0080
	14h mem 0xfedfec00 0x0080 [OK]
000:16:0 11c1:0448
	10h mem 0xfedfe800 0x0100
	14h port 0xfcc8 0x0008
	18h port 0xf800 0x0100 [OK]
001:00:0 10c8:0005
	10h mem 0xf600 0x0100
	14h mem 0xfe40 0x0040
	18h mem 0xfeb0 0x0010 [OK]
001:00:1 10c8:8005
Re: GRE or gif keepalive
Thanks Stuart, I heard about this command. I ain't using OSPF for the link state, I use BGP. My GRE interface never goes down when the IPsec goes down. Is this normal? Cosmetic bug?

Thanks,
Rgds,
Alex

On 5/17/07, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2007/05/17 13:46, Alex Berdan wrote:
>> Do you know if GRE or gif is having a keepalive option?
>
> Not directly, but you can add one using ospfd(8) or ifstated(8).

--
Alex
ImageMagick and chroot
Hello,

Has anyone had luck in making ImageMagick work into the www chroot environment? Some web applications need to use the 'convert' system command, so i included it into the /var/www/bin/ directory and also every file that gets mentioned when you run : ldd convert , into it's corresponding directory.

system:/var/www/bin{4}# ldd convert
convert:
        Start    End      Type Open Ref GrpRef Name
                          exe  1    0   0      convert
        04d59000 24d68000 rlib 0    1   0      /usr/local/lib/libWand.so.10.1
        0d077000 2d147000 rlib 0    2   0      /usr/local/lib/libMagick.so.10.1
        05d92000 25dc5000 rlib 0    3   0      /usr/local/lib/libxml2.so.9.0
        00d9     20e6c000 rlib 0    4   0      /usr/local/lib/libiconv.so.4.0
        0b4b9000 2b4c1000 rlib 0    4   0      /usr/lib/libz.so.4.1
        02e0c000 22e1     rlib 0    3   0      /usr/local/lib/libbz2.so.10.3
        0c23c000 2c243000 rlib 0    3   0      /usr/local/lib/libpng.so.4.2
        06a32000 26a38000 rlib 0    3   0      /usr/local/lib/libjpeg.so.62.0
        04b0b000 24b1b000 rlib 0    3   0      /usr/local/lib/libjasper.so.1.0
        032e1000 232e8000 rlib 0    5   0      /usr/lib/libm.so.2.1
        060fb000 2611f000 rlib 0    3   0      /usr/local/lib/libtiff.so.37.3
        0ee7e000 2ee89000 rlib 0    3   0      /usr/local/lib/liblcms.so.1.12
        054f3000 254f9000 rlib 0    3   0      /usr/local/lib/libjbig.so.2.0
        04183000 241b4000 rlib 0    1   0      /usr/lib/libc.so.39.0
        0a2a3000 0a2a3000 rtld 0    1   0      /usr/libexec/ld.so
system:/var/www/bin{5}#

But it still doesn't work. What am i missing? Any suggestions or ideas are welcome.

Marcos
Volume Management
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm quite new to OpenBSD but I'm familiar with *nix systems. I'm currently looking at using OpenBSD to build a nas appliance, however after looking into the packages list I haven't found a Volume Manager, anyone able to point me in the right direction?

Much appreciated.

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGTGOC8B8RxF4jfhQRAhQiAJ9hklDMq3XgdeZ+Qq1ROmybiDye6gCePEUx
FdA79EEmYfe4BNmVvYFjHZE=
=arOW
-----END PGP SIGNATURE-----
Re: ImageMagick and chroot
On Thu, May 17, 2007 at 12:19:42PM -0300, Marcos Laufer wrote:
> Hello,
> Has anyone had luck in making ImageMagick work into the www chroot
> environment? Some web applications need to use the 'convert' system
> command, so i included it into the /var/www/bin/ directory and also
> every file that gets mentioned when you run : ldd convert , into it's
> corresponding directory.
> [...]
> But it still doesn't work. What am i missing? Any suggestions or ideas
> are welcome.
>
> Marcos

You could try manually chrooting into /var/www and running the command by hand to see if it throws any useful warnings. You will need a shell within the chroot while testing tho.

--
James Turner
http://bsdgroup.org
Re: GRE or gif keepalive
On 2007/05/17 17:11, Alex Berdan wrote: I heard about this command. I ain't using OSPF for the link state I use BGP. Well, you could lower your timers then... My GRE interface never goes down when the IPsec goes down. That's normal, gre doesn't know about link state.
Re: Chaos Computer Camp 2007. Anyone going?
Hi, On 17/05/07, Jacek Artymiak [EMAIL PROTECTED] wrote: Felix kept on twisting my arm so hard about it that he finally managed to convince me to go. I have always wanted to go there anyway. I'll stock up on my meds and if I'm in good enough shape, I'll join the merry gang. Look for me somewhere in the BSD village. What do the BSD lot get up to whilst there? Is it a hackathon, or something less formal? I've never done anything as low level as operating systems programming in C, so in a hackathon situation I wouldnt be much use. Ofcourse I am willing to learn :P -- Best Regards Edd --- http://students.dec.bournemouth.ac.uk/ebarrett/
OT: cacti, pfflowd and flowd
Hi all, Has anybody tried to install cacti, pfflowd and flowd on two different servers? OpenBSD with pfflowd and another Unix server with cacti and flowd ... I am trying to do it without luck (the principal problem is how to parse the flowd log file from cacti)... and I can't find any doc about how to do it ... Thanks. -- CL Martinez carlopmart {at} gmail {d0t} com
Re: Chaos Computer Camp 2007. Anyone going?
* Edd Barrett wrote: Hi, On 17/05/07, Jacek Artymiak [EMAIL PROTECTED] wrote: Felix kept on twisting my arm so hard about it that he finally managed to convince me to go. I have always wanted to go there anyway. I'll stock up on my meds and if I'm in good enough shape, I'll join the merry gang. Look for me somewhere in the BSD village. What do the BSD lot get up to whilst there? Is it a hackathon, or something less formal? I've never done anything as low level as operating systems programming in C, so in a hackathon situation I wouldnt be much use. Ofcourse I am willing to learn :P It's more of the can we have your liver, please? style...
Re: GRE or gif keepalive
Thanks anyway! I was curious about the GRE implementation on OpenBSD as in CISCO there are keepalives and I can have SNMP traps in case the IPSec tunnel is down (GRE interface is down). The BGP works just fine and the routes converge exactly as I wanted. Is OpenBSD having any plans with this GRE keepalives? (Unfortunately my environment is not all CISCO)

Thanks,
Alex

On 5/17/07, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2007/05/17 17:11, Alex Berdan wrote:
>> I heard about this command. I ain't using OSPF for the link state I use BGP.
>
> Well, you could lower your timers then...
>
>> My GRE interface never goes down when the IPsec goes down.
>
> That's normal, gre doesn't know about link state.
Re: GRE or gif keepalive
On 2007/05/17 18:02, Alex Berdan wrote:
> I was curious about the GRE implementation on OpenBSD as in CISCO
> there are keepalives

Unfortunately, despite GRE being documented across a number of RFCs, there's no mention of this. Looks like it's probably a cisco-proprietary extension, I couldn't find any docs on packet formats or implementation. Have you come across any?
Re: Chaos Computer Camp 2007. Anyone going?
Erm... On 17/05/07, Marc Balmer [EMAIL PROTECTED] wrote: What do the BSD lot get up to whilst there? Is it a hackathon, or something less formal? It's more of the can we have your liver, please? style... ok. (pauses to think). I don't get it. :P -- Best Regards Edd --- http://students.dec.bournemouth.ac.uk/ebarrett/
Re: Chaos Computer Camp 2007. Anyone going?
On 17/05/07, Jason Dixon [EMAIL PROTECTED] wrote: Alkie-haul Now we're talking! -- Best Regards Edd --- http://students.dec.bournemouth.ac.uk/ebarrett/
Re: Chaos Computer Camp 2007. Anyone going?
Marc Balmer wrote: * Edd Barrett wrote: Hi, On 17/05/07, Jacek Artymiak [EMAIL PROTECTED] wrote: Felix kept on twisting my arm so hard about it that he finally managed to convince me to go. I have always wanted to go there anyway. I'll stock up on my meds and if I'm in good enough shape, I'll join the merry gang. Look for me somewhere in the BSD village. What do the BSD lot get up to whilst there? Is it a hackathon, or something less formal? I've never done anything as low level as operating systems programming in C, so in a hackathon situation I wouldnt be much use. Ofcourse I am willing to learn :P It's more of the can we have your liver, please? style... this is a great idea: fund openbsd via sales of black market organs! a bit of vertical integration couldn't hurt, we'd need a surgeon and facility in south africa http://news.nationalgeographic.com/news/2004/01/0116_040116_EXPLorgantraffic.html then it could be the BSD Liver and Kidney Village. we could even make a liver fall off a truck if anybody's looking ;).
Re: OT: flowcharts
On Tue, May 15, 2007 at 12:01:35PM +0200, [EMAIL PROTECTED] wrote:
> I have an OT question for you guys. Do any of you use flowcharting
> software, and if so what do you use? I am just beginning to explore the
> world of programming and have so far used Microsoft (spit) Visio. I
> tried both Kivio and Dia but they fall short for me. My code choices
> are (due to the course I am attending) limited to JavaScript and
> pseudocode. Any recommendations?

If you _really_ want actual flow-charts, I just use Xfig or a piece of paper.

However, instead of pseudocode, try python. It looks like pseudocode but is actually a very nice programming language with good documentation.

I suppose it depends on your course. If they require a flow-chart, draw one, and find out if they'll accept python for pseudocode.

Doug.
a cd key
Hi; In the past, I read an article which told me of a process in which a cd houses the important system binaries and software and even some settings and is left outside of the machine so that unauthorized users, and even root, cannot access the programs unless the disc is within the system's cdrom drive. Does anyone have any resources which explain and show the process for doing something similar to that which is stated above? Thank you; Bray.
Re: OT: cacti, pfflowd and flowd
On 5/17/07, carlopmart [EMAIL PROTECTED] wrote:
> Hi all,
> Somebody have tried to install cacti, pfflowd and flowd on two different
> servers? OpenBSD with pfflowd and another Unix server with cacti and
> flowd ... I am trying to do it without luck (principal problem is how can
> I do to parse from cacti flowd log file)... and I can't find any doc
> about how to do it ...

Maybe because there isn't one... :)

flowd supports a Python API which should allow you to rip the data out you need. I believe with Cacti you can use external scripts for a datasource.

DS
Re: GRE or gif keepalive
This is a nice feature which can be used in cases where you don't run any dynamic routing protocol over GRE/IPSec tunnel. If you have OpenBSD as VPN concentrator you can have SNMP traps when the tunnel is down and take any action etc.

Here is the CISCO implementation:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cec.html

Hopefully someone will see this and eventually propose an alternate solution or implement keepalives in the distribution.

Rgds,
Alex

On 5/17/07, Stuart Henderson [EMAIL PROTECTED] wrote:
> On 2007/05/17 18:02, Alex Berdan wrote:
>> I was curious about the GRE implementation on OpenBSD as in CISCO
>> there are keepalives
>
> Unfortunately, despite GRE being documented across a number of RFCs,
> there's no mention of this. Looks like it's probably a cisco-
> proprietary extension, I couldn't find any docs on packet formats or
> implementation. Have you come across any?

--
Alex
Re: ImageMagick and chroot
Marcos Laufer wrote:
> Hello,
> Has anyone had luck in making ImageMagick work into the www chroot
> environment?

Yes, run the following script and you are done.

#!/bin/sh

CHROOT=/var/www

# Make dirs
[ ! -d $CHROOT/bin ] && mkdir -p $CHROOT/bin
[ ! -d $CHROOT/usr/local/bin ] && mkdir -p $CHROOT/usr/local/bin
[ ! -d $CHROOT/usr/local/lib ] && mkdir -p $CHROOT/usr/local/lib
[ ! -d $CHROOT/usr/lib ] && mkdir -p $CHROOT/usr/lib
[ ! -d $CHROOT/usr/X11R6/lib ] && mkdir -p $CHROOT/usr/X11R6/lib/
[ ! -d $CHROOT/usr/libexec ] && mkdir -p $CHROOT/usr/libexec
[ ! -d $CHROOT/var/run ] && mkdir -p $CHROOT/var/run

SH=/bin/sh
if [ -x $SH ]; then
	cp -f $SH $CHROOT/$SH
else
	echo "No shit. $SH not found! :)"
fi

# ld.so(1) consults the hints file to locate libraries, so it goes in too
LD_HINTS=/var/run/ld.so.hints
if [ -f $LD_HINTS ]; then
	cp $LD_HINTS $CHROOT/$LD_HINTS
else
	echo "$LD_HINTS not found. Still wondering thou."
fi

CONVERT=$(which convert | awk '{print $1}')
if [ ! -z "$CONVERT" ] && [ -x "$CONVERT" ]; then
	cp -f $CONVERT $CHROOT/$CONVERT
	# copy every shared library ldd(1) reports (type "rlib", 7th column)
	for i in $(ldd $CONVERT | awk '{if ($3 == "rlib") {print $7}}'); do
		if [ -f $i ]; then
			cp -f $i $CHROOT/$i
		fi
	done
else
	echo "convert not found."
	exit 1
fi

COMPOSITE=$(which composite | awk '{print $1}')
if [ ! -z "$COMPOSITE" ] && [ -x "$COMPOSITE" ]; then
	cp -f $COMPOSITE $CHROOT/$COMPOSITE
	for i in $(ldd $COMPOSITE | awk '{if ($3 == "rlib") {print $7}}'); do
		if [ -f $i ]; then
			cp -f $i $CHROOT/$i
		fi
	done
else
	echo "composite not found."
	exit 1
fi

IDENTIFY=$(which identify | awk '{print $1}')
if [ ! -z "$IDENTIFY" ] && [ -x "$IDENTIFY" ]; then
	cp -f $IDENTIFY $CHROOT/$IDENTIFY
	for i in $(ldd $IDENTIFY | awk '{if ($3 == "rlib") {print $7}}'); do
		if [ -f $i ]; then
			cp -f $i $CHROOT/$i
		fi
	done
else
	echo "identify not found."
	exit 1
fi

HTH,
Aiko

--
Aiko Barz [EMAIL PROTECTED]
Web: http://www.haeckser.de
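Before copying anything into /var/www it helps to know exactly which files a binary will need inside the chroot, and afterwards to verify that nothing was missed. The following is an added example written for this page, not a script from the thread or from the ImageMagick project. It parses ldd(1)'s column layout as shown in the thread, takes both the `rlib` entries and the `rtld` entry (the runtime linker, /usr/libexec/ld.so, which the binary cannot start without), adds the ld.so.hints file the thread's script copies, and reports which of those paths have no copy under the chroot. The sample ldd listing is a trimmed, realigned copy of the one posted above; the `present` set in the self-test and the `exists` hook are constructed so the check runs offline.

```python
import os
import sys

# Constructed sample: a trimmed version of the ldd(1) listing posted in the
# thread, with the columns (Start End Type Open Ref GrpRef Name) realigned.
SAMPLE_LDD = """\
convert:
        Start    End      Type Open Ref GrpRef Name
        00000000 00000000 exe  1    0   0      convert
        04d59000 24d68000 rlib 0    1   0      /usr/local/lib/libWand.so.10.1
        0d077000 2d147000 rlib 0    2   0      /usr/local/lib/libMagick.so.10.1
        0b4b9000 2b4c1000 rlib 0    4   0      /usr/lib/libz.so.4.1
        04183000 241b4000 rlib 0    1   0      /usr/lib/libc.so.39.0
        0a2a3000 0a2a3000 rtld 0    1   0      /usr/libexec/ld.so
"""

# Files ld.so wants inside the chroot besides the libraries themselves
# (the thread's script copies the hints file too).
EXTRA_FILES = ("/var/run/ld.so.hints",)


def parse_ldd(text):
    """Return (type, path) for every shared library (rlib) and the runtime linker (rtld)."""
    deps = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 7 and parts[2] in ("rlib", "rtld") and parts[6].startswith("/"):
            deps.append((parts[2], parts[6]))
    return deps


def required_files(binary, ldd_text, extra=EXTRA_FILES):
    """Every absolute path that must exist under the chroot for `binary` to run."""
    files = [binary] + [path for _, path in parse_ldd(ldd_text)] + list(extra)
    seen, out = set(), []          # de-duplicate while keeping order
    for f in files:
        if f not in seen:
            seen.add(f)
            out.append(f)
    return out


def missing_in_chroot(chroot, files, exists=os.path.exists):
    """Paths from `files` (as seen outside the chroot) that have no copy under `chroot`."""
    return [f for f in files if not exists(os.path.join(chroot, f.lstrip("/")))]


if __name__ == "__main__":
    # usage: ldd /usr/local/bin/convert | python3 chroot_check.py /var/www /usr/local/bin/convert
    chroot, binary = sys.argv[1], sys.argv[2]
    needed = required_files(binary, sys.stdin.read())
    for f in missing_in_chroot(chroot, needed):
        print("missing:", os.path.join(chroot, f.lstrip("/")))
```

Pipe the real `ldd` output of each binary you intend to run inside the chroot through the script; an empty report means every library, the linker and the hints file are in place, and anything it lists is what the "still doesn't work" in the original post usually comes down to.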
Re: a cd key
BradenM - Sonoma Computer [EMAIL PROTECTED] writes:
> Hi;
> In the past, I read an article which told me of a process in which a
> cd houses the important system binaries and software and even some
> settings and is left outside of the machine so that unauthorized users,
> and even root, cannot access the programs unless the disc is within the
> system's cdrom drive. Does anyone have any resources which explain and
> show the process for doing something similar to that which is stated
> above?

Erm. What's the problem you're trying to solve? If you remove some binaries and put them on a CD, what prevents someone from just getting those binaries somewhere else and putting them on the machine?

//art
Re: OT: flowcharts
On Thu, 2007-05-17 at 13:02 -0400, Douglas Allan Tutty wrote:
> If you _really_ want actual flow-charts, I just use Xfig or a piece of paper.

Inkscape also has been getting some features useful for flowcharts in recent releases.

Jeff

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Problem with a URL
I am trying to open up this url with firefox on openbsd -current, but there is a problem with accessing the site. Is there a problem with doing the lookups with url's that start with dashes: http://-amaya-.deviantart.com/ Thanks, Brian Yahoo! oneSearch: Finally, mobile search that gives answers, not web links. http://mobile.yahoo.com/mobileweb/onesearch?refer=1ONXIC
Re: Problem with a URL
It's not just starting with a dash, I also cannot open ones that end the host section with a dash (ke-.deviantart.com) On 2007 May 17 (Thu) at 10:46:01 -0700 (-0700), Brian wrote: :I am trying to open up this url with firefox on openbsd -current, but there is :a problem with accessing the site. Is there a problem with doing the lookups :with url's that start with dashes: : :http://-amaya-.deviantart.com/ : :Thanks, : :Brian -- Using TSO is like kicking a dead whale down the beach. -- S. C. Johnson
Re: Problem with a URL
On 5/17/07, Peter Hessler [EMAIL PROTECTED] wrote: It's not just starting with a dash, I also cannot open ones that end the host section with a dash (ke-.deviantart.com) On 2007 May 17 (Thu) at 10:46:01 -0700 (-0700), Brian wrote: :I am trying to open up this url with firefox on openbsd -current, but there is :a problem with accessing the site. Is there a problem with doing the lookups :with url's that start with dashes: : :http://-amaya-.deviantart.com/ RFC962 (and several other places) say that: No blank or space characters are permitted as part of a name. No distinction is made between upper and lower case. The first character must be an alpha character. The last character must not be a minus sign or period. -- Jon
Re: a cd key
On Thu, 17 May 2007 10:40:11 -0700 BradenM - Sonoma Computer [EMAIL PROTECTED] wrote: Hi; In the past, I read an article which told me of a process in which a cd houses the important system binaries and software and even some settings and is left outside of the machine so that unauthorized users, and even root, cannot access the programs unless the disc is within the system's cdrom drive. Does anyone have any resources which explain and show the process for doing something similar to that which is stated above? I've heard about someone wanting to do that with compilers and other development utilities. The logic was that if someone broke in, they could not write a small program, compile, and link it on the spot. But, in reality, if an attacker broke in, they'd be more likely to just copy what they wanted from their own machine. Years ago, I considered putting web pages on a CD or DVD for a Windows NT machine so that in order to deface the page, the attacker would have to get to the configuration files and do a lot more work instead of just replacing a few html files. An added advantage would be that since most attacks traversed directories on the same hard drive, they wouldn't be able to get into any system programs by that method. I never did try it, though. Eric Johnson
ssh and skey
Is there any setting to use to make ssh present a fake skey challenge for nonexistent accounts? It would need to save the challenge for reuse later, otherwise an attacker could try it several times and see if the challenge remains the same. It would be kind of nice if an attacker could not use ssh with skey to determine whether or not an account exists and has been initialized with skey. Here is an example. First, we connect to a machine with use of normal passwords prohibited in the /etc/ssh/sshd_config file.

rum: no such account
whiskey: account exists and skey has been enabled
vodka: account exists, but no skey

$ ssh -l rum:skey 10.1.1.1
Permission denied (publickey,keyboard-interactive).
$ ssh -l whiskey:skey 10.1.1.1
otp-md5 996 trom02893
S/Key Password:
otp-md5 996 trom02893
S/Key Password:
otp-md5 996 trom02893
S/Key Password:
Permission denied (publickey,keyboard-interactive).
$ ssh -l vodka:skey 10.1.1.1
Permission denied (publickey,keyboard-interactive).

Now, another machine with the same accounts set up but with normal passwords permitted in ssh:

$ ssh -l rum:skey 10.1.1.2
rum:[EMAIL PROTECTED]'s password:
Permission denied, please try again.
rum:[EMAIL PROTECTED]'s password:
Permission denied, please try again.
rum:[EMAIL PROTECTED]'s password:
Permission denied (publickey,password,keyboard-interactive).
$ ssh -l whiskey:skey 10.1.1.2
otp-md5 99 monk57993
S/Key Password:
otp-md5 99 monk57993
S/Key Password:
otp-md5 99 monk57993
S/Key Password:
whiskey:[EMAIL PROTECTED]'s password:
Permission denied, please try again.
whiskey:[EMAIL PROTECTED]'s password:
Permission denied, please try again.
whiskey:[EMAIL PROTECTED]'s password:
Permission denied (publickey,password,keyboard-interactive).
$ ssh -l vodka:skey 10.1.1.2
vodka:[EMAIL PROTECTED]'s password:
Permission denied, please try again.
vodka:[EMAIL PROTECTED]'s password:
Permission denied, please try again.
vodka:[EMAIL PROTECTED]'s password:
Permission denied (publickey,password,keyboard-interactive).
Thus, an attacker would know that 10.1.1.1 requires skey and 10.1.1.2 does not, and that an account named whiskey exists and has skey enabled on both computers. About the only thing the attacker would not know is that on the second machine, the vodka account exists and the rum account does not exist. As you can see, it is trivially easy to determine which server requires skey, which doesn't, and which accounts exist and have skey enabled. Obviously, a fake skey challenge would need to be saved so that if the attacker tried again, he would see the same challenge. If he saw wildly different challenges on each try, he would know that it was random. How much use would this knowledge be to an attacker? My impression is that the reason opening the finger daemon to the net is not viewed favorably is that it identifies usernames to potential attackers. If this is wrong, why not open it up again? Of course, we need to make sure that any security holes in the code are fixed. (Note. In the above cases, the FQDN was replaced with a nonroutable IP address.) Eric Johnson
Re: Chaos Computer Camp 2007. Anyone going?
On Thu, May 17, 2007 at 11:51:03AM -0500, Jacob Yocom-Piatt wrote: this is a great idea: fund openbsd via sales of black market organs! a bit of vertical integration couldn't hurt, we'd need a surgeon and facility in south africa Talk is cheap, and every six months people come up with ideas that would be great for the project, but would just take away developer time. If you want to see this happen then go get some organs and come back with money! ;-) -- Darrin Chandler| Phoenix BSD User Group | MetaBUG [EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/ http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: ssh and skey
On Thu, May 17, 2007 at 02:14:55PM -0500, Eric Johnson wrote: Obviously, a fake skey challenge would need to be saved so that if the attacker tried again, he would see the same challenge. Instead of saving the challenge, just regenerate it each time. E.g., hash a 128-bit secret with the username, and then format this as an skey challenge.
Re: ssh and skey
On Thu, May 17, 2007 at 02:47:37PM -0500, Matthew R. Dempsky wrote: Instead of saving the challenge, just regenerate it each time. E.g., hash a 128-bit secret with the username, and then format this as an skey challenge. Oops, nevermind, libskey already does this in skey_fakeprompt.
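As an added example of the scheme Matthew describes (hash a server-side secret with the username and format the result as an S/Key challenge), here is my own illustration, not OpenBSD's libskey or its skey_fakeprompt(). It assumes openssl(1) is available for the HMAC; the secret is a constructed placeholder, and the seed shape copies the four-letter, five-digit prompts shown earlier in the thread.

```shell
#!/bin/sh
# Added example, not OpenBSD's libskey: derive a stable fake S/Key challenge
# from a server-side secret and the username, so a login attempt for a
# nonexistent account sees the same "otp-md5 N seed" prompt every time
# instead of a random one. Uses openssl(1) for HMAC-SHA256 (assumption);
# the default secret below is a constructed placeholder.

SERVER_SECRET="${SERVER_SECRET:-constructed-example-secret-replace-me}"

# Print a deterministic challenge for user $1 in the otp-md5 prompt format.
fake_skey_challenge() {
    user=$1
    # Hex digest of HMAC-SHA256(secret, username); $NF drops the "(stdin)=" label.
    digest=$(printf '%s' "$user" |
        openssl dgst -sha256 -hmac "$SERVER_SECRET" | awk '{print $NF}')
    # Sequence number inside the real S/Key range 1..999.
    seq=$(( 0x$(echo "$digest" | cut -c1-4) % 999 + 1 ))
    # Seed shaped like a real one: four letters then five digits (cf. trom02893).
    letters=$(echo "$digest" | cut -c5-8 | tr '0-9a-f' 'a-p')
    digits=$(( 0x$(echo "$digest" | cut -c9-14) % 100000 ))
    printf 'otp-md5 %d %s%05d\n' "$seq" "$letters" "$digits"
}

# Usage: fake_skey_challenge rum
```

Because the challenge depends only on the secret and the username, repeated attempts against a nonexistent account see the same sequence number and seed, exactly as a real account would, so the prompt alone no longer tells the two apart; the secret has to stay unreadable to the unprivileged side for that to hold.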
Re: Volume Management
In article [EMAIL PROTECTED], Sébastien Colmant wrote: I'm quite new to OpenBSD but I'm familiar with *nix systems. I'm currently looking at using OpenBSD to build a NAS appliance, however after looking into the packages list I haven't found a Volume Manager, anyone able to point me in the right direction? fdisk(8), disklabel(8), bioctl(8), newfs(8), dump(8), restore(8) -- [100~Plax]sb16i0A2172656B63616820636420726568746F6E61207473754A[dZ1!=b]salax
Re: GRE or gif keepalive
On 2007/05/17 18:44, Alex Berdan wrote: This is a nice feature which can be used in cases where you don't run any dynamic routing protocol over GRE/IPSec tunnel. If you have OpenBSD as VPN concentrator you can have SNMP traps when the tunnel is down and take any action etc. Here is the CISCO implementation: http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087cec.html Hopefully someone will see this and eventually purpose a alternate solution or implement keepalives in the distribution. I already found some pages about how to turn it on in IOS, but they don't bother with any implementation details. Thanks to a kind person who contacted me offlist, I now know how the hack works: http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008040a17c.shtml#topic2
Re: a cd key
On Thu, May 17, 2007 at 10:40:11AM -0700, BradenM - Sonoma Computer wrote: Hi; In the past, I read an article which told me of a process in which a cd houses the important system binaries and software and even some settings and is left outside of the machine so that unauthorized users, and even root, cannot access the programs unless the disc is within the system's cdrom drive. Does anyone have any resources which explain and show the process for doing something similar to that which is stated above? Aside from the answers you've already received, I've heard of quite a few people running the entire system from CD for security-sensitive things like firewalls, mostly when using Linux. (The argument is that it is very hard to compromise a machine in a way that survives reboots if you can't write to the system disk.) Of course, this is an OpenBSD list, and I am sure we can all imagine the easy Linux-bashing remark that follows. It's not entirely unjustified, either; if an attacker can compromise your system once, he can compromise it twice. Also, I've found that anything that makes upgrading the system harder, including removing the compiler, is very likely to be a net security loss. Joachim -- TFMotD: dirname (1) - return directory portion of pathname
Re: Problem with a URL
On Thu, May 17, 2007 at 12:03:52PM -0700, Jon Simola wrote: On 5/17/07, Peter Hessler [EMAIL PROTECTED] wrote: It's not just starting with a dash, I also cannot open ones that end the host section with a dash (ke-.deviantart.com) On 2007 May 17 (Thu) at 10:46:01 -0700 (-0700), Brian wrote: :I am trying to open up this url with firefox on openbsd -current, but there is :a problem with accessing the site. Is there a problem with doing the lookups :with url's that start with dashes: : :http://-amaya-.deviantart.com/ RFC962 (and several other places) say that: No blank or space characters are permitted as part of a name. No distinction is made between upper and lower case. The first character must be an alpha character. The last character must not be a minus sign or period. FWIW, it's Firefox, not anything deeper:

$ host -- -amaya-.deviantart.com
-amaya-.deviantart.com has address 69.28.181.43
-amaya-.deviantart.com mail is handled by 0 a.mx.deviantart.com.
$ ping -- -amaya-.deviantart.com
PING -amaya-.deviantart.com (69.28.181.43): 56 data bytes
64 bytes from 69.28.181.43: icmp_seq=0 ttl=48 time=172.842 ms
64 bytes from 69.28.181.43: icmp_seq=1 ttl=48 time=162.626 ms
64 bytes from 69.28.181.43: icmp_seq=2 ttl=48 time=163.964 ms
--- -amaya-.deviantart.com ping statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/std-dev = 162.626/166.477/172.842/4.545 ms

So, you might want to give that artist a warning and/or use a different browser for visiting this site. Links+, from ports, works. Joachim -- TFMotD: cas (4) - Sun Cassini 10/100/Gigabit Ethernet device
Re: Volume Management
On Thu, May 17, 2007 at 04:15:32PM +0200, Sébastien Colmant wrote: I'm quite new to OpenBSD but I'm familiar with *nix systems. I'm currently looking at using OpenBSD to build a NAS appliance, however after looking into the packages list I haven't found a Volume Manager, anyone able to point me in the right direction? Much appreciated. There is no volume manager in OpenBSD. Use a combination of RAID and ccd, if so inclined; 4.2 might feature a new software RAID framework (or not; I've not heard anything official, besides some cvs commits on 'softraid'). Joachim -- TFMotD: motd (5) - message of the day
Re: pf state limits
Wild guess: The limitation is the max value that the variable size of the counter can contain, followed secondly by physical memory. ~BAS On Mon, 5 Mar 2007, Bill Marquette wrote: I know this has come up in the past but I haven't been able to track down a definitive answer (I'm sure there's a reason why), so I'll ask the question again. Given an i386 kernel, assume I can toss as much RAM at the box as needed (I know this isn't the limitation, it's a kernel memory issue), what's the maximum I can set the state table size to? I have a couple of boxes that are running around 200K states with the limit set at 256K. I expect that I will see growth in that state table size as the traffic to the servers behind these machines increases during our peak season. I can tune the tcp.closed parameter a bit on the external rules as 75% of these states are fin_wait_2:fin_wait_2, but before I start messing with that I'd rather increase the state limit some more. I can also try adaptive timeouts on those rules, but I'm more than a little paranoid about having the system dynamically change timeout values. Any suggestions on what the max might be and how I can monitor the system to see where I'm at in relationship to the max (if there's no hard number, I'm guessing the number depends on hardware and other system options that affect kernel memory). --Bill l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/ Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail? ~James Maynard Keenan
Re: PF keep state does'nt like Mandriva2007
Could be sliding windows, selective ack (SACK), MTU/MTU Disc/MSS issues, any of the RFC extensions. Check sysctl on linux v.s. scrub on OpenBSD ~BAS On Mon, 29 Jan 2007, Marco Peereboom wrote: Nobody likes Mandriva. On Sun, Jan 28, 2007 at 07:56:04PM -0800, Reza Muhammad wrote: Dear Lists. I have one bridge PF machine for packet queue and prio, and a few newly installed Mandriva2007 (linux kernel) hosts that could not browse the web (the other protocols work OK) if the keep state rules in the PF machine are activated, but the other hosts (WinXP, BSD, Mac, other Linux) work fine. Why does PF (OpenBSD-3.9) not like Mandriva2007? Please help. Regards, Reza
Re: About pf states
I just ran into this same problem. Trying to accomplish Cisco ASA style reflexive stateful rules(r): - Default block in - Trust no subnets / interface - Pass in rules which ingress/egress an interface pair - Inbound tcp syn on any interface should create reflexive outbound equivalent on the egress interface ~~BAS On Wed, 17 Jan 2007, Brian Candler wrote: On Tue, Jan 16, 2007 at 08:03:52PM +0100, Samuel Mo?ux wrote: With this config, I can't access dmz hosts from lan or internet. The state gets created: all tcp $dmz_ip:25 - 192.168.1.161:19399 CLOSED:SYN_SENT but the response is blocked: Jan 16 19:32:59.627083 rule 0/(match) block in on xl2: $dmz_ip.25 192.168.1.161.19399: [|tcp] (DF) So, there's something I don't understand from pf.conf man page If a packet matches a pass ... keep state rule, the filter creates a state for this connection and automatically lets pass all subsequent packets of that connection. If just someone could show me what's wrong here, and why Someone please correct me if I'm wrong, but I believe that the 'keep state' only applies to the opposite packets through the same interface. For example:

  pkt1 --->  +------------------+  ---> pkt1'
             | ext_if    int_if |
  pkt2 <---  +------------------+  <--- pkt2'

A rule which matches pkt1 inbound on ext_if with keep state will also match pkt2 outbound on ext_if. But I believe you will need another rule to permit pkt1' outbound via int_if. If that rule has keep state then it will also match pkt2' inbound via int_if. If you look at the example at http://www.openbsd.org/faq/pf/example1.html you will see that they deal with this by a global pass out keep state rule. Try adding this to your ruleset after your block in log all If you were to argue that pf.conf(5) is unclear on this point, especially where it says By default, packets coming in and out of any interface can match a state then I would not disagree with you :-) HTH, Brian.
Re: ImageMagick and chroot
Has anyone had luck in making ImageMagick work into the www chroot environment? snip But it still doesn't work. What am i missing? Any suggestions or ideas are welcome. Marcos when I was getting gallery to run under chrooted apache, I got pretty tired of ldd-ing the files, so I've simply extracted package contents into chroot (/var/www): #tar xzvf ~/ImageMagick-6.3.2.1-no_x11.tgz -C /var/www Don't know how wrong that was, but it worked pretty well - in the end I only needed a couple of shared libs that were missing. The script is a cleaner solution, though. By the way, gallery2 works pretty well with the GD php plugin, eliminating the need to use ImageMagick. GD is much slower, though. Maxim
Re: PF set state-policy
On Sun, 16 May 2004, Tim Kornau wrote: On Fri, 14 May 2004 at 14:50 -0400, Roy Morris wrote: I am working with a simple two interface route/pf and block in and out packets on all interfaces. It makes sense that you would have to have a rule to allow the packet in on if-a, but I would have thought the state would carry across to if-b, without having to place another rule that said let the packet out. I have tried the 'set state-policy', although floating is the default and should be passing this along?? Hello Roy, Without your pf.conf this Mail cannot be completely answered but maybe there is a hint that i can give you that might resolve the situation. The state is kept with the default setting of floating Presumably because, with a default block in/out, the traffic ingresses one interface, the state is created, but when it egresses another interface it is re-evaluated ? This is where I always get confused: If the OpenBSD pf(4) stateful firewall is acting as an intermediary forwarding device for a 3-way TCP handshake, shouldn't the re-evaluation of the initial packet (S/SA) matching a pass in rule on an ingress interface punch a hole back out of the original ingress interface, _as well as_ punch a hole *in* and *out* of the egress interface. Come to think of it, that sounds pretty aggressive for keep state, maybe that's my nasty assumption? ~BAS but if your ruleset explicitly denies outgoing packets on the interface then in my understanding these will be dropped. Tim -- Darksun rising over blood red sea
Re: keep state in pf
That seems logical. A little bit of pfctl -s state | egrep [regex] should be revealing. Also pfctl -x loud if you can test during a low-volume timeframe ~BAS On Wed, 9 Jun 2004, Lawren Quigley-Jones wrote: I recently tracked down the cause of a problem we have been having in our building with file transfers that travel out of our OpenBSD firewall and then back in. The tcp transfer would time out if and only if the transfer went cross subnet, and therefore had to pass the firewall twice as it went to the building's router and then back in to the receiving machine. This occurred on both our old 3.3 system and our replacement 3.5 system with the same pf rules and net configuration. It didn't seem to drop all transfers. SMTP transfers with mail attachments would fail every time. Transfers of certain files via FTP and SCP would fail every time and yet most files had no problems. Because most of our traffic isn't cross-subnet, we didn't see enough of the errors to track down exactly what the variables were. In the pf rules, our default action was to pass everything, pass all keep state. The solution was to remove the keep state from this rule. Once removed it read pass all and the time outs stopped occurring. Not surprisingly, the following rules produced the timeouts as well: pass out on $ext_if all keep state pass in on $ext_if all keep state pass out on $int_if all pass in on $int_if all A hypothesis is that because the keep state rules are seeing two transfers with the same session IDs (the transfer as it exits and then the identical transfer as it enters again), at some point during the transfer PF balks at the sequence as if there was an intruding packet trying to hijack the transfer. This is not substantiated at all though. Has anyone else experienced this problem or seen documentation on it? If there is no documentation, I'm going to submit it as a bug. Thanks... -Lawren
Re: Volume Management
I'm familiar with those, my question was regarding a volume manager, not simple disk operations. Something similar to lvm or evms maybe. Tobias Weingartner wrote: In article [EMAIL PROTECTED], Sébastien Colmant wrote: I'm quite new to OpenBSD but I'm familiar with *nix systems. I'm currently looking at using OpenBSD to build a NAS appliance, however after looking into the packages list I haven't found a Volume Manager, anyone able to point me in the right direction? fdisk(8), disklabel(8), bioctl(8), newfs(8), dump(8), restore(8)
Re: ImageMagick and chroot
Hello, The script just worked. Thanks a lot Aiko for that script, and thanks to everybody for the suggestions and help. Now the convert command runs, and I can see the web application shows me an image where it is supposed to be shown, but I still have some errors though, but I guess they are about the programming of this web application. I know that on the old server (Linux) it worked just fine with the code as it is (php5), but maybe it has to be changed because of the chroot, I don't know, I'll try to contact the programmer to let him see it. Thanks, Marcos - Original Message - From: Aiko Barz [EMAIL PROTECTED] To: Marcos Laufer [EMAIL PROTECTED] Cc: misc@openbsd.org Sent: Thursday, May 17, 2007 2:51 PM Subject: Re: ImageMagick and chroot : [EMAIL PROTECTED] Marcos Laufer wrote: Hello , Has anyone had luck in making ImageMagick work into the www chroot environment? Yes, run the following script and you are done. [snip: Aiko's script, quoted in full in the original message above] HTH, Aiko -- Aiko Barz [EMAIL PROTECTED] Web: http://www.haeckser.de
Re: Volume Management
On 5/17/07, Sébastien Colmant [EMAIL PROTECTED] wrote: I'm familiar with those, my question was regarding a volume manager, not simple disk operations. Something similar to lvm or evms maybe use ccdconfig.
Re: SFTP no autocompletion?
Darren Tucker dtucker at zip.com.au writes: On Tue, May 15, 2007 at 12:36:43PM +0200, Paul de Weerd wrote: On Tue, May 15, 2007 at 11:33:27AM +0200, Pieter Verberne wrote: | Hi there, | | does SFTP have no TAB-autocompletion for local/remote files? TAB | doesn't work. It makes transferring files very clumsy. And does SFTP | secure my username and password or only my file transfers by default? SFTP uses ssh and thus secures the entire connection. The sftp(1) client that comes by default with OpenBSD does not do tabcompletion. Feel free to use another client or to write support for it and send a patch ;) Anyone looking into this would probably want to look at what Ben Lindstrom has already done with this: http://www.eviladmin.org/patches/sftp-tab.patch I would just beware of this patch. It works fine for local files, but there are some serious flaws in remote file completion due to the fact that remote-glob() doesn't act like glob() (Read: sftp will crash in some cases). This is a long known bug to me, but I've had very little energy to complete it since I have no real backers nor have had time in the past few years. Just wanted to provide the warning. =-) - Ben
Sun Netra X1 Firewall Throughput?
Can anyone give any information about the Sun Netra X1 being used as a pf firewall? I am specifically looking for throughput information. I am considering using a pair for a theoretical maximum throughput of about 45 Mbps. Can the Netra X1 comfortably handle this with carp(4) and some pf firewalling? I know this is pretty generic but any comments? (In case you are wondering, I would run pfsync on a VLAN on the less used interface.) Thank you. Bryan