Re: License Violation - ksh
On Mon, Dec 03, 2007 at 01:37:53PM -0700, Bob Beck wrote:
> * Marco Peereboom [EMAIL PROTECTED] [2007-12-03 06:19]:
> > No harm done just stupidity perpetuated. Kind of like fox news.
>
> Dunno about no harm done there marco - Saying fox news doesn't do any harm is like saying Joseph Goebbels didn't do any harm - only perpetuated stupidity.. perpetuated stupidity can be damn harmful.

I call Godwin's law! (specially because you're most unfortunately diminishing Goebbels' evil actions with that comparison).

Rui

-- 
Hail Eris! Today is Pungenday, the 46th day of The Aftermath in the YOLD 3173
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant, | but it is very important that you do it -- Gandhi
+ So let's do it...?
Re: VPN Concentrator
Joseph C. Bender wrote:
> Scott Learmonth wrote:
> > And Khalid - sorry to hijack your thread. Most of my road warriors are going to be on macs and too cheap to purchase VPN Tracker. Any successes I have I'll certainly share.
>
> There's always OpenVPN. GUI via Tunnelblick http://www.tunnelblick.net/

For Mac users I'd recommend IPSecuritas, a free GUI frontend to the racoon daemon that comes with Mac OS X.
Re: Routing between spokes - recent best practices?
On Dec 4, 2007, at 12:14 AM, visc wrote:
> So, my question is this - what are the current best practices for setting up a hub and spoke topology using OpenBSD, allowing for traffic to securely flow from Branch to Branch on occasion without using a full mesh topology. If it's at all possible... (network description below)

At this point IMHO branch-to-branch is avoided not for security reasons but for administrative reasons. It is a pain in the ass to configure each branch to establish a VPN to any other branch. It's easy to tell each branch router "if you want to talk to BRANCHX, talk to CENTRALOFFICE first." If you have more than a handful of branches it is very annoying to tell each router "if you want to talk to BRANCHA, talk to A; if you want to talk to BRANCHB, talk to B;" etc.

The primary advantage of the star or branch-to-central topology was the difficulty of someone putting a man-in-the-middle of a leased line. But now leased lines are expensive. VPNs and direct Internet connections are cheap so it makes much more sense to put in the pain-in-the-ass effort to connect everyone in your Intranet via VPNs/IPSEC and get rid of your leased lines. If you only have enough budget to move a few this year you analyze which few cross-talk the most and configure them for mesh and leave the rest as star.

This is not true if you asked an auditor, however. It is much easier to put a network sensor down in a star topology and get most of the network traffic than it is for a mesh network. If you want to be able to buy one device and know for sure that everyone is going through it you probably need a star topology and a heavy hand on the branch routers.

-- 
Freedom, truth, love, beauty.
John Rodenbiker
Re: Bernstein puts qmail in public domain
* Tom Bombadil [EMAIL PROTECTED] [2007-12-04 03:00]:
> > exim is an insecure piece of shit that makes old sendmail look good. besides, it is not free.
>
> Curiosity here since we are exim users... what makes it insecure?

rotten design and bad implementation, to begin with?

> Should we be really worried about running it?

yes.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Could Hiawatha replace Apache as in base HTTP server if it's license changed?
On Dec 3, 2007 10:53 PM, Damien Miller [EMAIL PROTECTED] wrote:
> Secondly, I don't think anyone in OpenBSD would display as much hubris as this claim on the Hiawatha home page:
>
>   "Hiawatha's source code is free of security-bugs."

Heh, OK.
seems like packet is lost between pf and interface
Hallo!

I am observing a seemingly perplexing problem on an OpenBSD 4.1 firewall. Some dns queries work from behind the firewall towards the internet and others don't. For example, a query which has a big response of TXT data doesn't work.

The firewall has internal interface em1 attached to subnet 10.0.1 (actual numbers are public but are here substituted) and outer interface em3, and the working rules are (among many others)

  pass in log (all, to pflog1) quick on em1 inet from 10.0.1.89 to 192.168.1.241 flags S/SA keep state
  pass out log (all, to pflog1) quick on em3 inet from 10.0.1.89 to 192.168.1.241 flags S/SA keep state
  ...
  scrub in on em3 all fragment reassemble
  scrub out on em3 all random-id fragment reassemble

  # pfctl -sa | grep frag | grep -v scrub
    fragment                        25318          0.0/s
    frag                        30s
    frags        hard limit     5000

Since I can see my packets all right in the pflog1 log, I am sure the right rules are working, for example on the inner interface (appropriate entries exist for the outer interface also)

  Dec 04 09:48:20.152350 rule 8/(match) pass in on em1: 10.0.1.89.32817 > 192.168.1.241.53: [|domain] (DF)
  Dec 04 09:48:20.153173 rule 8/(match) pass out on em1: 192.168.1.241.53 > 10.0.1.89.32817: [|domain]
  Dec 04 09:48:24.170777 rule 8/(match) pass in on em1: 10.0.1.89.32817 > 192.168.1.241.53: [|domain] (DF)
  Dec 04 09:48:24.171379 rule 8/(match) pass out on em1: 192.168.1.241.53 > 10.0.1.89.32817: [|domain]
  Dec 04 09:48:26.186794 rule 8/(match) pass in on em1: 10.0.1.89.32817 > 192.168.1.241.53: [|domain] (DF)
  Dec 04 09:48:26.187317 rule 8/(match) pass out on em1: 192.168.1.241.53 > 10.0.1.89.32817: [|domain]

On the other hand, listening on the outer interface with tcpdump I see queries and replies, but on the inner interface I do not see the replies anymore

  09:48:20.152335 10.0.1.89.32817 > 192.168.1.241.53: 21147+% [1au] TXT? domeen.ee. (54) (DF)
  09:48:24.170758 10.0.1.89.32817 > 192.168.1.241.53: 10788+% [1au] TXT? domeen.ee. (54) (DF)
  09:48:26.186778 10.0.1.89.32817 > 192.168.1.241.53: 25954+% [1au] KEY? domeen.ee. (54) (DF)
  09:48:26.187321 192.168.1.241.53 > 10.0.1.89.32817: 25954* 0/4/2 (645) (DF)

If someone could explain to me where to look or what to tune to regain those packets which seem to be lost somewhere between pf and the interface.

Best regards,

Imre
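The capture above is read by eye: three queries, one reply. As an added example that is not part of Imre's post, the POSIX sh/awk script below does that pairing mechanically for one interface's tcpdump output, matching each DNS query to its reply by transaction ID and listing the queries that never got one, with the reply size shown for those that did so oversized answers stand out. The sample lines are constructed from the post's own capture (same substituted addresses). Run it over a capture from em3 and again over one from em1: a query answered in the first and unanswered in the second localizes the loss to the firewall, which is exactly the symptom being described.

```sh
#!/bin/sh
# Added example, not code from the original post: match DNS queries to their
# replies in tcpdump output from one interface and list what went unanswered.

# Constructed sample, modelled on the capture in the post (same addresses):
# two TXT queries that never get a reply and one KEY query that does.
SAMPLE_CAPTURE='09:48:20.152335 10.0.1.89.32817 > 192.168.1.241.53: 21147+% [1au] TXT? domeen.ee. (54) (DF)
09:48:24.170758 10.0.1.89.32817 > 192.168.1.241.53: 10788+% [1au] TXT? domeen.ee. (54) (DF)
09:48:26.186778 10.0.1.89.32817 > 192.168.1.241.53: 25954+% [1au] KEY? domeen.ee. (54) (DF)
09:48:26.187321 192.168.1.241.53 > 10.0.1.89.32817: 25954* 0/4/2 (645) (DF)'

# dns_summary: reads tcpdump lines on stdin and prints one line per query:
#   <id> <qtype> <qname> <reply bytes or NOREPLY>
# A query is a line whose destination (field 4, with trailing ":") ends in .53;
# a reply is a line whose source (field 2) ends in .53. Both carry the 16-bit
# transaction ID as field 5, with flag suffixes such as "+%" or "*".
dns_summary() {
    awk '
        function txid(s) { sub(/[^0-9].*$/, "", s); return s }   # "21147+%" -> "21147"
        $4 ~ /\.53:$/ {
            id = txid($5)
            if (!(id in seen)) { seen[id] = 1; order[++n] = id }
            # the qtype is the first field ending in "?", the name follows it
            for (i = 6; i <= NF; i++)
                if ($i ~ /\?$/) { qtype[id] = $i; qname[id] = $(i + 1); break }
            next
        }
        $2 ~ /\.53$/ {
            id = txid($5)
            # reply length is the last parenthesised number, "(645)" -> "645"
            len = ""
            for (i = NF; i >= 5; i--)
                if ($i ~ /^\([0-9]+\)$/) { len = $i; break }
            gsub(/[()]/, "", len)
            reply[id] = len
        }
        END {
            for (i = 1; i <= n; i++) {
                id = order[i]
                r = (id in reply) ? reply[id] : "NOREPLY"
                printf "%s %s %s %s\n", id, qtype[id], qname[id], r
            }
        }'
}

# unanswered_queries: only the queries that never received a reply.
unanswered_queries() {
    dns_summary | awk '$4 == "NOREPLY" { print $1, $2, $3 }'
}

# Run over the constructed sample when executed directly; feed it
# "tcpdump -n -i em1 port 53" output (or a saved capture) in real use.
printf '%s\n' "$SAMPLE_CAPTURE" | unanswered_queries
```

Only the transaction ID is used for matching, so the script is indifferent to whether the reply came back truncated, fragmented or over TCP; it simply records whether anything with that ID was seen from port 53 on the interface in question.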
Replacement functionality if systrace is to be removed.
Hi there,

I was speaking to someone at OpenCON about the fundamental systrace flaw regarding processes forking in order to bypass the checks. The general impression I was given was that systrace is to be removed at some point. If this is the case, will there be a similar tool available?

I ask because I find USE_SYSTRACE (/etc/mk.conf) essential for the TeXLive port. It writes all over the place during the build.

Thanks

-- 
Best Regards
Edd
---
http://students.dec.bournemouth.ac.uk/ebarrett
Re: ibgp
On Mon, Dec 03, 2007 at 01:00:37PM -0800, Tom Bombadil wrote:
> Greetings...
>
> We are trying to use a couple routers with carp and uplinks with 2 different providers. One router as master and another one slave. The slave getting all the routes from the master using IBGP. The problem is that when I bring the interface of the master down to test if the failover works, the slave deletes all the routes it got from the master. Is there any way of retaining those IBGP routes for some time after the tcp connection is severed, or until the slave server (now master) can connect to the external peers and get the routes from them?
>
> Or... if anybody has any other hint for a more resilient setup, I'd be glad to hear.

Currently it is not possible to keep routing infos around after a session died. If a session dies bgpd must remove all the routing records from that session or bad things happen. If people are interested to sponsor some work to allow seamless carp/bgp failover I know a way to abuse the Graceful Restart Mechanism for BGP of RFC4724 to allow that.

-- 
:wq Claudio
Re: This list: CC and TO fields
On Mon, 3 Dec 2007, xSAPPYx wrote:
> On Dec 3, 2007 5:04 AM, ropers [EMAIL PROTECTED] wrote:
> > On 03/12/2007, L [EMAIL PROTECTED] wrote:
> > > I can't find the 'reply only to group' feature in my mail client yet.. but I just started using this email client recently. It is Mozilla Thunderbird.
> >
> > Reply to all.
>
> Alpine is another good one for lists. http://www.washington.edu/alpine/

But since it replaced pine the UTF-8 support is broken for me, and the arrow navigation is improved. But I did not have time to look into that. But I can agree that it is indeed very fine for reading mailing lists.

Best regards
Markus
Re: pfctl - show port numbers
hmm, on Mon, Dec 03, 2007 at 02:24:05PM -0500, MikeM said that
> toggle between symbols and numbers (e.g., -n for netstat or tcpdump) it may be helpful as well. That's the main reason why I originally thought

+1

one man's worthless feature is other man's best friend. please put it in...

-f
-- 
every silver lining has a cloud.
Re: This list: CC and TO fields
On Tue, 4 Dec 2007, Markus Hennecke wrote:
> But since it replaced pine the UTF-8 support is broken for me, and the arrow

UTF-8 works fine here.

-- 
Antoine
Re: Routing between spokes - recent best practices?
On 12/4/07, John Rodenbiker [EMAIL PROTECTED] wrote:
> On Dec 4, 2007, at 12:14 AM, visc wrote:
> > So, my question is this - what are the current best practices for setting up a hub and spoke topology using OpenBSD, allowing for traffic to securely flow from Branch to Branch on occasion without using a full mesh topology. If it's at all possible... (network description below)
>
> At this point IMHO branch-to-branch is avoided not for security reasons but for administrative reasons. It is a pain in the ass to configure each branch to establish a VPN to any other branch. It's easy to tell each branch router "if you want to talk to BRANCHX, talk to CENTRALOFFICE first."

GRE/IPIP inside IPsec and dynamic routing.

/Tony

> If you have more than a handful of branches it is very annoying to tell each router "if you want to talk to BRANCHA, talk to A; if you want to talk to BRANCHB, talk to B;" etc.
>
> The primary advantage of the star or branch-to-central topology was the difficulty of someone putting a man-in-the-middle of a leased line. But now leased lines are expensive. VPNs and direct Internet connections are cheap so it makes much more sense to put in the pain-in-the-ass effort to connect everyone in your Intranet via VPNs/IPSEC and get rid of your leased lines. If you only have enough budget to move a few this year you analyze which few cross-talk the most and configure them for mesh and leave the rest as star.
>
> This is not true if you asked an auditor, however. It is much easier to put a network sensor down in a star topology and get most of the network traffic than it is for a mesh network. If you want to be able to buy one device and know for sure that everyone is going through it you probably need a star topology and a heavy hand on the branch routers.
>
> -- 
> Freedom, truth, love, beauty.
> John Rodenbiker
Re: Replacement functionality if systrace is to be removed.
On Tue, 4 Dec 2007, Edd Barrett wrote:
> I ask because I find USE_SYSTRACE (/etc/mk.conf) essential for the TeXLive port. It writes all over the place during the build.

Better fix the port then.

-- 
Antoine
Re: Replacement functionality if systrace is to be removed.
Hi,

On 04/12/2007, Antoine Jacoutot [EMAIL PROTECTED] wrote:
> Better fix the port then.

I think you misunderstood. The port is fixed, but only because systrace allowed me to cut the build short when the build offended.

-- 
Best Regards
Edd
---
http://students.dec.bournemouth.ac.uk/ebarrett
Re: Replacement functionality if systrace is to be removed.
On Tue, 4 Dec 2007, Edd Barrett wrote:
> On 04/12/2007, Antoine Jacoutot [EMAIL PROTECTED] wrote:
> > Better fix the port then.
>
> I think you misunderstood. The port is fixed, but only because systrace allowed me to cut the build short when the build offended.

Ah ok yes, I did misunderstand. Well this is the use for USE_SYSTRACE in ports indeed.

-- 
Antoine
Re: Routing between spokes - recent best practices?
On 12/4/07, Tony Sarendal [EMAIL PROTECTED] wrote:
> On 12/4/07, John Rodenbiker [EMAIL PROTECTED] wrote:
> > On Dec 4, 2007, at 12:14 AM, visc wrote:
> > > So, my question is this - what are the current best practices for setting up a hub and spoke topology using OpenBSD, allowing for traffic to securely flow from Branch to Branch on occasion without using a full mesh topology. If it's at all possible... (network description below)
> >
> > At this point IMHO branch-to-branch is avoided not for security reasons but for administrative reasons. It is a pain in the ass to configure each branch to establish a VPN to any other branch. It's easy to tell each branch router "if you want to talk to BRANCHX, talk to CENTRALOFFICE first."
>
> GRE/IPIP inside IPsec and dynamic routing.

Or just a management tool to create configs and push it out.

/Tony
/Again
ftp-proxy feature request
I have a multiple ISP router/firewall running 4.2. To make FTP work properly over both gateways, I found and applied the following patch to ftp-proxy **see link below** and it's working great (apparently pftpx is very similar to ftp-proxy).

Without this fix, my second ftp-proxy process (for ISP2) allows the incoming data connection but incorrectly tries to respond over the firewall's default gateway (ISP1). This fix adds a reply-to argument to the dynamic inbound rule and makes everything work. I believe it also adds route-to when using passive FTP. I have an explicit pf route-to rule to handle the initial outbound FTP connection coming from the ftp-proxy.

Is there any chance that this feature could be added to the OpenBSD code? Or is there some other way to properly route FTP over multiple gateways with the existing ftp-proxy? Seems like something that others may find to be useful.

http://cvstrac.pfsense.com/dirview?d=tools/pfPorts/pftpx-routeto/files;

Thanks,
Bryan
Info gpio Support on alix - pcengines ...
Hi.

Marc Balmer gave me info about adding gpio support for the new alix boards produced by pcengines. I hope someone is interested in ... I'll sum it up ...

1. add to GENERIC config

     gpio*    at gscpcib?
     glxpcib* at pci?          # AMD CS5536 PCI-ISA bridge
     gpio*    at glxpcib?

2. booting the new kernel, dmesg shows then

     gpio0 at glxpcib0: 32 pins
     pciide0 at pci0 dev 15 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility

3. after making the device with

     MAKEDEV gpio0

4. initializing the gpio for led 1 = 6; led 2 = 25 and led 3 = 27 with

     gpioctl -c [led] out iout

5. then - to set or reset the leds use

     gpioctl [led] 1 || 0 || 2

for the rest rtfm - gpioctl.

This configuration works for me. Please correct me if something is wrong or could be done better.

- Karl-Heinz
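As an added example (not Karl-Heinz's commands and not from pcengines or OpenBSD documentation), here is a small sh wrapper around steps 4 and 5 above. It maps the three LED numbers from the post to the pins given there (6, 25, 27), refuses anything else so a typo cannot drive an arbitrary GPIO pin, translates on/off/toggle to the 1/0/2 gpioctl expects, and only then calls the tool. The device path /dev/gpio0, the placement of the device argument before -c, and the GPIOCTL override used for a dry run are assumptions; check them against gpioctl(8) on the target system before relying on them.

```sh
#!/bin/sh
# Added example, not from the original post: guarded gpioctl(8) wrapper for the
# ALIX LEDs. Pin numbers are the post's; the device path and the exact gpioctl
# argument order are assumptions to verify against gpioctl(8).

GPIO_DEV=${GPIO_DEV:-/dev/gpio0}
GPIOCTL=${GPIOCTL:-gpioctl}   # set GPIOCTL=echo for a dry run that only prints the commands

# led_pin <led>: map LED number (1..3) to its GPIO pin; fails for anything else
led_pin() {
    case $1 in
        1) echo 6 ;;
        2) echo 25 ;;
        3) echo 27 ;;
        *) return 1 ;;
    esac
}

# led_state_code <on|off|toggle|1|0|2>: the numeric argument gpioctl takes
led_state_code() {
    case $1 in
        on|1)     echo 1 ;;
        off|0)    echo 0 ;;
        toggle|2) echo 2 ;;
        *)        return 1 ;;
    esac
}

# led_init <led>: configure the LED pin as an inverted output (step 4 of the post)
led_init() {
    pin=$(led_pin "$1") || { echo "led_init: unknown LED '$1'" >&2; return 1; }
    "$GPIOCTL" "$GPIO_DEV" -c "$pin" out iout
}

# led_set <led> <on|off|toggle>: drive the LED (step 5 of the post)
led_set() {
    pin=$(led_pin "$1")         || { echo "led_set: unknown LED '$1'" >&2; return 1; }
    code=$(led_state_code "$2") || { echo "led_set: unknown state '$2'" >&2; return 1; }
    "$GPIOCTL" "$GPIO_DEV" "$pin" "$code"
}

# Usage (after MAKEDEV gpio0, as root):
#   led_init 1 && led_set 1 on
#   led_set 2 toggle
```

Validating the LED and state arguments before touching the device is the whole point of the wrapper: gpioctl itself will happily act on any pin number it is given.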
Re: Bernstein puts qmail in public domain
On Tue, Dec 04, 2007 at 10:04:54AM +0100, Henning Brauer wrote:
> * Tom Bombadil [EMAIL PROTECTED] [2007-12-04 03:00]:
> > > exim is an insecure piece of shit that makes old sendmail look good. besides, it is not free.
> >
> > Curiosity here since we are exim users... what makes it insecure?
>
> rotten design and bad implementation, to begin with?

Could you be slightly more specific?

> > Should we be really worried about running it?
>
> yes.
>
> -- 
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Bernstein puts qmail in public domain
On Tue, Dec 04, 2007 at 10:16:27AM -0500, Douglas A. Tutty wrote:
> Could you be slightly more specific?

perhaps checking vulnerabilities reported compared to other products. see also how frequent the fixes are, since some bug fixes can also improve security (some bugs can be used as security holes and openbsd did teach us that many bug fixes that have not been fixed somewhere else can become security problems later, sometimes even months later).

i'm not saying anything about exim in the matter, i am not competent on this domain. just some clues and trying not to talk out of my ass (is that theo's flamethrower i see in the corner ? I'm outta here!)

-- 
unzip ; strip ; touch ; grep ; find ; finger ; mount ; fsck ; more ; yes ; fsck ; umount ; sleep
/var/log/messages permissions in 4.2
I'm noticing that the messages log seems to be world readable in 4.2 e.g.

  -rw-r--r--  1 root  wheel  1801 Dec  4 17:51 messages

What's up with that? Shouldn't it be set to 640? If not what is the rationale for 644?

-Lars
Re: seems like packet is lost between pf and interface
Imre Oolberg wrote:
> Hallo!
>
> I am observing a seemingly perplexing problem on an OpenBSD 4.1 firewall. Some dns queries work from behind the firewall towards the internet and others don't. For example, a query which has a big response of TXT data doesn't work.
>
> If someone could explain to me where to look or what to tune to regain those packets which seem to be lost somewhere between pf and the interface.

how about providing a bit more information? such as more of pf.conf than just 2 lines; there's nothing mentioned about dns there.

my guess based on the information you've not provided is that you're only passing UDP DNS not TCP DNS appropriately.

cheers,
scorch
Re: ftp-proxy feature request
Bryan S. Leaman wrote:
> I have a multiple ISP router/firewall running 4.2. To make FTP work properly over both gateways, I found and applied the following patch to ftp-proxy **see link below** and it's working great (apparently pftpx is very similar to ftp-proxy).
>
> Without this fix, my second ftp-proxy process (for ISP2) allows the incoming data connection but incorrectly tries to respond over the firewall's default gateway (ISP1). This fix adds a reply-to argument to the dynamic inbound rule and makes everything work. I believe it also adds route-to when using passive FTP. I have an explicit pf route-to rule to handle the initial outbound FTP connection coming from the ftp-proxy.
>
> Is there any chance that this feature could be added to the OpenBSD code? Or is there some other way to properly route FTP over multiple gateways with the existing ftp-proxy? Seems like something that others may find to be useful.

I think I helped create part of that route-to diff, but I don't think it belongs in base ftp-proxy. A userland daemon should not control routing like that. Maybe the new 'tag' option can be used for this? (or else the tag option needs work ;-) )

-- 
Cam
Re: pfctl - show port numbers
On 14:45:41 Dec 04, frantisek holop wrote:
> +1
>
> one man's worthless feature is other man's best friend. please put it in...

No use shouting yourself hoarse over this. If it is a no, it is a no. I later realized that nobody can satisfy everyone's needs and it is impossible to ever get total buy-in on anything. We have to respect the developer's decisions.

And I myself am quite convinced that it is not worthwhile to add this.

No offense meant.

-Girish
Re: pfctl - show port numbers
hmm, on Tue, Dec 04, 2007 at 09:47:17PM +0530, Girish Venkatachalam said that
> On 14:45:41 Dec 04, frantisek holop wrote:
> > +1
> >
> > one man's worthless feature is other man's best friend. please put it in...
>
> No use shouting yourself hoarse over this.

shouting? are you serious?

> If it is a no, it is a no. I later realized that nobody can satisfy everyone's needs and it is impossible to ever get total buy-in on anything. We have to respect the developer's decisions.

Henning has not used the word no, yet. he might sleep on it and commit it tomorrow. or never, i dont know. but if people don't tell him that it can be useful, he'll never know, because it is useless to him. and when it comes up 4 years from now he'll say, oh, it's trivial but no one told me it's useful. things like this happen all the time, decisions may change based on new info.

and last but not least, it is in line with the other network tools (so i hope Henning will have a good night's sleep) and as an added bonus, patch was attached.

-f

ps. maybe some day some people on this list will stop defending the devs as if they couldn't speak for themselves (they can) or couldn't shout at those pesky lusers themselves (oh hell, they can).

-- 
i plan to live forever or die trying.
Re: RTL8185 wireless support?
On Sat, Dec 01, 2007 at 08:41:48AM -0500, Frank Bax wrote:
> Jonathan Gray wrote:
> > On Fri, Nov 30, 2007 at 11:42:53PM -0500, Frank Bax wrote:
> > > TP-LINK 802.11g/b pci cards (model TL-WN353G) are on sale; so I got one. Chipset is marked RTL8185L. I found a reference to RTL8185 in CVS, but I'm not clear on what the Sep5 comments for if_rtw_pci.c are saying? It either says:
> > > a) RTL8185 was supported, but now only if RTW_DEBUG is set?
> > > b) RTL8185 was supported with RTW_DEBUG, but now??
> >
> > RTL8185 support was started but could not be finished due to lack of information on the radios.
>
> Would contributing a device help? Or is it vendor docs you need?

Documentation, the initial bits in CVS were done with the hardware we already have.
Re: pfctl - show port numbers
* frantisek holop [EMAIL PROTECTED] [2007-12-04 18:15]:
> > If it is a no, it is a no. I later realized that nobody can satisfy everyone's needs and it is impossible to ever get total buy-in on anything. We have to respect the developer's decisions.
>
> Henning has not used the word no, yet. he might sleep on it and commit it tomorrow. or never, i dont know. but if people don't tell him that it can be useful, he'll never know, because it is useless to him. and when it comes up 4 years from now he'll say, oh, it's trivial but no one told me it's useful. things like this happen all the time, decisions may change based on new info.

while that is entirely true, I really don't see much of a point here. actually, if I were to implement these parts now I'd make it print port numbers only and not names - we don't print hostnames either. but - it has been that way for more than 6 years. I don't see a good reason to change it now. And I certainly don't want to add YAO (Yet Another Option) for that. That said, I am not the only developer in that area, and my word is certainly not the end of all wisdom.

> and last but not least, it is in line with the other network tools (so i hope Henning will have a good night's sleep) and as an added bonus, patch was attached.

the patch was fine, technically, yes.

> ps. maybe some day some people on this list will stop defending the devs as if they couldn't speak for themselves (they can) or couldn't shout at those pesky lusers themselves (oh hell, they can).

yup. wanna try the shouting part? :) (nah, no reason to here)

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: pfctl - show port numbers
> while that is entirely true, I really don't see much of a point here. actually, if I were to implement these parts now I'd make it print port numbers only and not names - we don't print hostnames either. but - it has been that way for more than 6 years. I don't see a good reason to change it now. And I certainly don't want to add YAO (Yet Another Option) for that. That said, I am not the only developer in that area, and my word is certainly not the end of all wisdom.

Personally, I think if I were starting from square one, I'd do port numbers, not service names, but that's not the way it's been for many years and even though my preference would be numbers my loathing for yet another option far outweighs this preference. So, I'd prefer not to see a knob for this. The change does not warrant the churn.

-Bob
pf: antispoofing and LANs
Hello,

From reading the documentation, I couldn't quite tell where the antispoofing rule should fall in a pf ruleset. Is this syntax correct? I thought I'd be able to access another LAN machine freely via ssh (I've already tested that ssh does work without a firewall), but I cannot.

  table <lan> { 192.168.0.0/24 }
  block all
  antispoof for $ext_if
  pass in quick on $ext_if from <lan> to $ext_if
  pass out quick on $ext_if from $ext_if to <lan>

Thanks,
DM

-- 
Be aware. Stay present. Speak honestly.
Re: /var/log/messages permissions in 4.2
On 04/12/2007, Lars Noodin [EMAIL PROTECTED] wrote:
> I'm noticing that the messages log seems to be world readable in 4.2 e.g.
>
>   -rw-r--r--  1 root  wheel  1801 Dec  4 17:51 messages
>
> What's up with that? Shouldn't it be set to 640? If not what is the rationale for 644?

It has been like this for a very long time, since 2002-11 and OpenBSD 3.3.

http://www.openbsd.org/cgi-bin/cvsweb/src/etc/newsyslog.conf#rev1.20

Cheers,
Constantine.
Re: /var/log/messages permissions in 4.2
On 04/12/2007, Constantine A. Murenin [EMAIL PROTECTED] wrote:
> On 04/12/2007, Lars Noodin [EMAIL PROTECTED] wrote:
> > I'm noticing that the messages log seems to be world readable in 4.2 e.g.
> >
> >   -rw-r--r--  1 root  wheel  1801 Dec  4 17:51 messages
> >
> > What's up with that? Shouldn't it be set to 640? If not what is the rationale for 644?
>
> It has been like this for a very long time, since 2002-11 and OpenBSD 3.3.
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/etc/newsyslog.conf#rev1.20

Actually, it was always rotated with 644 permissions, starting with NetBSD dated 1993.

What would be the rationale for 640? ;)

C.
netstat freezes
Hi misc,

I noticed way back with 3.8 that netstat would sometimes hang on me for a very long time (over two minutes) before spitting out the Active Internet Connections list; once it shows that though, it shows the rest of the lists in an instant. I thought it was just a fluke so I ignored it. But now I've seen it on other systems too, so I'm wondering what's up. Has anyone else seen this behaviour? I've searched the archives with "netstat hang" and "netstat freeze" and found nothing.

-Nick
PKI VPN
Hi,

I am planning (I do not know when) to use a PKI to manage the keys of a VPN router.

I followed the last discussion a little: IPsec may be used without (too much) trouble on recent Windows and MacOS clients (in addition to OpenBSD clients). No (strong) need for pptp or L2TP.

The keys are managed by isakmp, and I would like to use a PKI to manage the keys. Then to migrate the keys to the VPN servers (file or LDAP ?).

At first glance, I consider OpenCA and IDX-PKI. But PKI are complex tools and before I do some nasty things or I lose too much time trying to set up one, I would like to know which PKI you have used and why?

Cordialement,
Jean-Girard Pailloncy
Re: VPN Concentrator
On 1 Dec 2007, at 05:37, visc wrote:
> On 30-Nov-07, at 2:13 AM, Khalid Schofield wrote:
> > Hi,
> >
> > I'd like to make a VPN Concentrator using openbsd. I want users to be able to authenticate using usernames and passwords and to either nat the users or give them an ip from our main dhcp server via a bridge. If I have say a mac user at home wanting to connect into my network using the built in mac os client how should I set up the vpn server? Will it auth using usernames and passwords or is certificates only simple way to authenticate to the vpn server? How would I know which is better to use for this application out of PPTP or IPsec? Any and all input welcome.
> >
> > Khalid
>
> I'm embarking down the same path for what it's worth, but I'm actually doing it to eventually get rid of my Cisco 3005. My main structure though is ipsec between static fixed devices/locations and I don't need to worry about supporting PPTP or L2TP over IPSEC, or supplying addresses- yet.
>
> I think Brian A. Seklecki's response:
>
> `That's a tall order. In Cisco-land a VPNC3000k will run you $5k plus SMARTNet. You'll need isakmpd(8) policies. You'll need dhclient-server relay support. You'll need XAuth authentication (Possibly via PAM). You'll need IPSEC NAT-T. Maybe tie it all together with LDAP and PKI.'
>
> Kind of hit the nail on the head of my worries as well.

I knew it wouldn't be a 5 minute job but it's going to be worth it.

> I'm busy enough now making a secure network between offices using an OpenBSD box as the hub, but when I need to start adapting for Road Warriors things may get tricky.

Well I'm sure we can chat on here and get a good idea of how to embark on the project. The OpenBSD kernel has support for the hardware crypto cards :P

> For example, your Mac user at home, assuming Tiger's built in client

I use the standard mac client with my m0n0wall firewall's vpn service at home.

> (I'm not clear on Leopard's new VPN protocols), can only use PPTP or L2TP over IPSEC. I don't know if it's even possible to support all protocols easily on an OpenBSD concentrator, so I plan to push my Road Warriors into using clients such as VPN Tracker or The Greenbow client, though open source alternatives would be preferable. In my perfect world it would be isakmp/ipsec only for me and to hell with clients. Too bad that can't always happen...

Standardizing on one client is a good idea and the technical users will find a way to get it working with whatever they want.

> So, anyway, lots of ramble for little benefit, but at least I know somebody else is doing it...

Indeed! I'm glad to hear from someone else who thinks this idea isn't mad!
Re: VPN Concentrator
So how can i get an encrypted vpn service with username and password auth instead of certificates? We kind of skimmed over those bits.

On 1 Dec 2007, at 06:44, Scott Learmonth wrote:
> On 30-Nov-07, at 9:57 PM, Jason Dixon wrote:
> > On Dec 1, 2007, at 12:37 AM, visc wrote:
> > > On 30-Nov-07, at 2:13 AM, Khalid Schofield wrote:
> > > > Hi,
> > > >
> > > > I'd like to make a VPN Concentrator using openbsd. I want users to be able to authenticate using usernames and passwords and to either nat the users or give them an ip from our main dhcp server via a bridge. If I have say a mac user at home wanting to connect into my network using the built in mac os client how should I set up the vpn server? Will it auth using usernames and passwords or is certificates only simple way to authenticate to the vpn server? How would I know which is better to use for this application out of PPTP or IPsec? Any and all input welcome.
> > > >
> > > > Khalid
> > >
> > > I'm embarking down the same path for what it's worth, but I'm actually doing it to eventually get rid of my Cisco 3005. My main structure though is ipsec between static fixed devices/locations and I don't need to worry about supporting PPTP or L2TP over IPSEC, or supplying addresses- yet.
> > >
> > > I think Brian A. Seklecki's response:
> > >
> > > `That's a tall order. In Cisco-land a VPNC3000k will run you $5k plus SMARTNet. You'll need isakmpd(8) policies. You'll need dhclient-server relay support. You'll need XAuth authentication (Possibly via PAM). You'll need IPSEC NAT-T. Maybe tie it all together with LDAP and PKI.'
> > >
> > > Kind of hit the nail on the head of my worries as well. I'm busy enough now making a secure network between offices using an OpenBSD box as the hub, but when I need to start adapting for Road Warriors things may get tricky.
> > >
> > > For example, your Mac user at home, assuming Tiger's built in client (I'm not clear on Leopard's new VPN protocols), can only use PPTP or L2TP over IPSEC. I don't know if it's even possible to support all protocols easily on an OpenBSD concentrator, so I plan to push my Road Warriors into using clients such as VPN Tracker or The Greenbow client, though open source alternatives would be preferable. In my perfect world it would be isakmp/ipsec only for me and to hell with clients. Too bad that can't always happen...
> >
> > I haven't been following this thread, but I saw your post and thought I'd add some bits for you to consider. First, you mention that Mac OS X only supports PPTP or L2TP over IPSec. This is not true. I've used OpenVPN (via tunnelblick) and the Cisco VPN client. OpenBSD has solutions that will support both of those clients. Would it be nice to have XAUTH support? Sure, but don't hold your breath.
> >
> > ---
> > Jason Dixon
> > DixonGroup Consulting
> > http://www.dixongroup.net
>
> Thanks, it's good to know not to get too excited about XAUTH. This is all new territory for me. I was only referring to the built-in osx client via Internet Connect.app. Though the Cisco VPN client is actually what is driving my desire to move away from Cisco. My support contracts have run out with Cisco, and I'm too much of a paranoid soul to use Cisco clients I find via other means. Yet incompatibility has once again struck me.
>
> And Khalid - sorry to hijack your thread. Most of my road warriors are going to be on macs and too cheap to purchase VPN Tracker. Any successes I have I'll certainly share.

no probs

Cheers
Re: netstat freezes
On Tue, Dec 04, 2007 at 03:05:31PM -0500, Nick Guenther wrote: Hi misc, I noticed way back with 3.8 that netstat would sometimes hang on me for a very long time (over two minutes) before spitting out the Active Internet Connections list; once it shows that though, it shows the rest of the lists in an instant. I thought it was just a fluke so I ignored it. But now I've seen it on other systems too, so I'm wondering what's up. Has anyone else seen this behaviour? I've searched the archives with 'netstat hang' and 'netstat freeze' and found nothing. What are the actual options you pass to netstat? You know that netstat does DNS lookups by default? Those can cause some massive delays if something does not resolve. -- :wq Claudio
Re: VPN Concentrator
On 2007/12/04 21:17, Khalid Schofield wrote: So how can i get an encrypted vpn service with username and password auth instead of certificates? We kind of skimmed over those bits. is authpf any good for you?
Re: PKI VPN
On 2007/12/04 21:48, Jean-Girard Pailloncy wrote: The keys are managed by isakmp, and I would like to use a PKI to manage the keys. Then migrate the keys to the VPN servers (file or LDAP?). I think you're missing part of the puzzle. For the client OS you're talking about, I think you're looking at using X509 certificates; this doesn't involve copying keys. Generate the keys directly on the machines that will use them; then generate a CSR to send to the CA, which returns a signed certificate. All endpoints (client and server equally) have their private key, their individual certificate signed by the CA, and the CA's own certificate. There's no need to go copying all the certs all over the place. Private keys stay private; there's no need for any machine to have a copy, other than the single endpoint directly using it. Please take a look at the section SETTING UP AN IKE PUBLIC KEY INFRASTRUCTURE (PKI) in isakmpd(8) if you haven't already. I think many people find a little bit of scripting is enough to tie things together.
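The key/CSR/certificate flow described in the reply above, as an added shell example that is not from the thread or from OpenBSD itself. It uses openssl(1) (assumed to be installed) to stand up a throwaway CA and issue each endpoint a certificate from its CSR, so that the only things that ever move are the CSR out to the CA and the signed certificate back. The PKI_DIR layout, the endpoint names, the certificate lifetimes and the function names are assumptions made for the illustration; where isakmpd(8) expects the resulting files is left to the man page section referred to above.

```sh
#!/bin/sh
# Added example, not the project's own tooling. Assumes openssl(1) is present.
# Layout (assumed): $PKI_DIR/ca holds the CA; $PKI_DIR/<name> holds one endpoint.
set -e

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Run once, on the CA host only. The CA private key never leaves this directory.
pki_init_ca() {
    mkdir -p "$PKI_DIR/ca"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$PKI_DIR/ca/ca.key" -out "$PKI_DIR/ca/ca.crt" \
        -subj "/CN=example-vpn-ca" 2>/dev/null
    chmod 600 "$PKI_DIR/ca/ca.key"
}

# Run on each endpoint: the key is generated here and stays here; only the
# CSR (which contains the public key, not the private one) goes to the CA.
pki_endpoint_csr() {
    name="$1"
    mkdir -p "$PKI_DIR/$name"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$PKI_DIR/$name/private.key" \
        -out "$PKI_DIR/$name/request.csr" \
        -subj "/CN=$name" 2>/dev/null
    chmod 600 "$PKI_DIR/$name/private.key"
}

# Run on the CA host: sign the CSR and hand back only the certificate.
pki_ca_sign() {
    name="$1"
    openssl x509 -req -days 365 -in "$PKI_DIR/$name/request.csr" \
        -CA "$PKI_DIR/ca/ca.crt" -CAkey "$PKI_DIR/ca/ca.key" -CAcreateserial \
        -out "$PKI_DIR/$name/cert.crt" 2>/dev/null
}

# What any endpoint does with a peer's certificate: check it chains to the
# shared CA. Returns non-zero for a certificate issued by anyone else.
pki_verify() {
    name="$1"
    openssl verify -CAfile "$PKI_DIR/ca/ca.crt" "$PKI_DIR/$name/cert.crt" \
        >/dev/null 2>&1
}

# The complete set of files an endpoint needs: its own key, its own signed
# certificate and the CA certificate. The CA private key must not be there.
pki_endpoint_files() {
    name="$1"
    cp "$PKI_DIR/ca/ca.crt" "$PKI_DIR/$name/ca.crt"
    [ -f "$PKI_DIR/$name/private.key" ] && [ -f "$PKI_DIR/$name/cert.crt" ] \
        && [ -f "$PKI_DIR/$name/ca.crt" ] && [ ! -f "$PKI_DIR/$name/ca.key" ]
}

# Demo run: a hub and one branch, both enrolled the same way.
pki_init_ca
for ep in hub branch-a; do
    pki_endpoint_csr "$ep"
    pki_ca_sign "$ep"
    pki_endpoint_files "$ep"
    pki_verify "$ep" && echo "$ep: certificate chains to the CA"
done
echo "PKI at $PKI_DIR"
```

Only `pki_ca_sign` touches the CA key, and only `pki_endpoint_csr` touches an endpoint key; in a real deployment those two run on different machines and the CSR/certificate pair is what crosses between them.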
Re: netstat freezes
try using the -n switch, if that works, something is not resolving properly.
Access to a remote Oracle database
Hi, I'm using freetds from my OpenBSD machine to connect to a MS SQL Server and it works like a charm. Now I need to access an Oracle server but it seems that the TDS protocol is not supported by Oracle databases; they use their own protocol named TNS and there is no freetns available. I investigated whether I could use ODBC, but it seems (afaik) that ODBC needs a specific driver for each database and I do not know if there is such a driver for OpenBSD. Perhaps someone knows... a) if with freetds it is possible to connect to Oracle (perhaps activating some tds listener in the database) b) if ODBC is usable in OpenBSD to talk to Oracle. I'm using OpenBSD on a sparc machine at the moment (Sun Netra T1), but I can use a x86 machine as well. Any comments appreciated. -- Joaquin Herrero
Re: netstat freezes
On 12/4/07, Claudio Jeker [EMAIL PROTECTED] wrote: On Tue, Dec 04, 2007 at 03:05:31PM -0500, Nick Guenther wrote: Hi misc, I noticed way back with 3.8 that netstat would sometimes hang on me for a very long time (over two minutes) before spitting out the Active Internet Connections list; once it shows that though, it shows the rest of the lists in an instant. I thought it was just a fluke so I ignored it. But now I've seen it on other systems too, so I'm wondering what's up. Has anyone else seen this behaviour? I've searched the archives with 'netstat hang' and 'netstat freeze' and found nothing. What are the actual options you pass to netstat? You know that netstat does DNS lookups by default? Those can cause some massive delays if something does not resolve. Oh, of course. Haha, I'm so silly, I let myself get bit by DNS. Oh well, at least it's in the archives for the next fool. -Nick
Re: /var/log/messages permissions in 4.2
What would be the rationale for 640? ;) Well according to cvs log: it can be easily changed if you like it another way. millert, So I guess one rationale might be as simple as because ;) -B
Re: pfctl - show port numbers
On 18:08:13 Dec 04, frantisek holop wrote: shouting? are you serious? I am rarely if ever serious. ;) -Girish
Re: Access to a remote Oracle database
On 12/4/07, Joaquin Herrero [EMAIL PROTECTED] wrote: Hi, I'm using freetds from my OpenBSD machine to connect to a MS SQL Server and it works like a charm. Now I need to access an Oracle server but it seems that the TDS protocol is not supported by Oracle databases; they use their own protocol named TNS and there is no freetns available. I investigated whether I could use ODBC, but it seems (afaik) that ODBC needs a specific driver for each database and I do not know if there is such a driver for OpenBSD. Perhaps someone knows... a) if with freetds it is possible to connect to Oracle (perhaps activating some tds listener in the database) b) if ODBC is usable in OpenBSD to talk to Oracle. I'm using OpenBSD on a sparc machine at the moment (Sun Netra T1), but I can use a x86 machine as well. Any comments appreciated. Some quick googling shows http://www.bsdforums.org/forums/archive/index.php/t-23706.html http://archives.neohapsis.com/archives/openbsd/2001-07/2129.html It looks like there's no BSD-specific oracle client, but that you may be able to use a binary blob linux client under linux emulation to make it work (but that it'll be kind of lame). You might be able to run another database as a wrapper around the oracle one? e.g. see http://www.sqlmag.com/Article/ArticleID/22264/sql_server_22264.html ? -Nick
Re: pfctl - show port numbers
On 11:06:09 Dec 04, Bob Beck wrote: Personally, I think if I were starting from square one, I'd do port numbers, not service names, but that's not the way it's been for many years and even though my preference would be numbers my loathing for yet another option far outweighs this preference. I personally feel service names are better. I can better relate when I see pptp, http or ftp instead of 1723, 80 or 21. Again this is dependent on personal preference and is really inconsequential. I feel it is important that any product/software does not change its behavior once it gets entrenched in the market. Moreover it is yet another option as Henning correctly said. We don't want to be linux? Do we? ;) So, I'd prefer not to see a knob for this. The change does not warrant the churn. Quite right. Have a nice day! -Girish
Re: pfctl - show port numbers
*seriously* unsupported:

$ perl -pe 's,etc/services,etc/sXrvices,' < /sbin/pfctl > ~/bin/pfctl-no-service-names

your foot is : : : V this way bang
Re: pfctl - show port numbers
Quoting Stuart Henderson [EMAIL PROTECTED]: *seriously* unsupported: $ perl -pe 's,etc/services,etc/sXrvices,' < /sbin/pfctl > ~/bin/pfctl-no-service-names your foot is : : : V this way bang

A longer winded version (same idea - Perl ... and no prizes for my code)

use warnings;
use strict;

# Get the rules
my $pfctl_rules = `pfctl -s rules`;

# Get the known services
open(SERVICES, "<", "/etc/services") or die "cannot open /etc/services: $!";
my (@services) = <SERVICES>;
close(SERVICES);

# Pull out the TCP and UDP services as name -> port. Ports can have five
# digits, and anchoring on the name skips comment lines.
my %services;
foreach my $service (@services) {
    if ($service =~ /^(\S+)\s+([0-9]{1,5})\/(?:tcp|udp)/) {
        my $service_name = $1;
        my $service_port = $2;
        $services{$service_name} = $service_port;
    }
}

# Now go through the rules - if we find "port = name" and the name is known
# then translate, otherwise just print the pfctl line as is
foreach my $pfctl_rule (split /\n/, $pfctl_rules) {
    if ($pfctl_rule =~ /^(.*?port = )(\S+)(.*)$/ && exists $services{$2}) {
        print "$1$2($services{$2})$3\n";
    } else {
        print "$pfctl_rule\n";
    }
}

Sample (manually altered, obviously):

# perl pfrules.pl
block drop log all
pass out quick on XXX1 inet proto tcp from (XXX1) to NNN.NNN.NNN.NNN port = ssh(22) flags S/SA keep state
pass proto udp from any to any port = domain(53) keep state
pass in log on XXX0 inet proto tcp from any to 127.0.0.1 port = 8021 flags S/SA keep state
pass in on XXX0 inet proto tcp from any to NNN.NNN.NNN.NNN port = www(80) flags S/SA keep state
pass in on XXX0 inet proto tcp from any to NNN.NNN.NNN.NNN port = https(443) flags S/SA keep state
Re: pfctl - show port numbers
On 23:44:31 Dec 04, Stuart Henderson wrote: *seriously* unsupported: $ perl -pe 's,etc/services,etc/sXrvices,' < /sbin/pfctl > ~/bin/pfctl-no-service-names your foot is : : : V this way bang Wow ;) I never imagined one could get so devious with programming. Ha ha Human cleverness can do some really cool things. ;) -Girish
Re: pfctl - show port numbers
On 13:22:23 Dec 05, [EMAIL PROTECTED] wrote: A longer winded version (same idea - Perl ... and no prizes for my code)

use warnings;
use strict;

# Get the rules
my $pfctl_rules = `pfctl -s rules`;

# Get the known services
open(SERVICES, "<", "/etc/services") or die "cannot open /etc/services: $!";
my (@services) = <SERVICES>;
close(SERVICES);

# Pull out the TCP and UDP services as name -> port. Ports can have five
# digits, and anchoring on the name skips comment lines.
my %services;
foreach my $service (@services) {
    if ($service =~ /^(\S+)\s+([0-9]{1,5})\/(?:tcp|udp)/) {
        my $service_name = $1;
        my $service_port = $2;
        $services{$service_name} = $service_port;
    }
}

# Now go through the rules - if we find "port = name" and the name is known
# then translate, otherwise just print the pfctl line as is
foreach my $pfctl_rule (split /\n/, $pfctl_rules) {
    if ($pfctl_rule =~ /^(.*?port = )(\S+)(.*)$/ && exists $services{$2}) {
        print "$1$2($services{$2})$3\n";
    } else {
        print "$pfctl_rule\n";
    }
}

Sample (manually altered, obviously):

# perl pfrules.pl
block drop log all
pass out quick on XXX1 inet proto tcp from (XXX1) to NNN.NNN.NNN.NNN port = ssh(22) flags S/SA keep state
pass proto udp from any to any port = domain(53) keep state
pass in log on XXX0 inet proto tcp from any to 127.0.0.1 port = 8021 flags S/SA keep state
pass in on XXX0 inet proto tcp from any to NNN.NNN.NNN.NNN port = www(80) flags S/SA keep state
pass in on XXX0 inet proto tcp from any to NNN.NNN.NNN.NNN port = https(443) flags S/SA keep state

If I had done this in my patch, probably it would have got accepted. ;) Even now it could be done of course. Just that I thought the options way. If there is enough coffee for me in the list, I would do it. ;) -Girish
Re: License Violation - ksh
Pedro de Oliveira wrote: Hello, Someone on IRC just posted this link http://www.delilinux.de/oksh/ , seems like someone ported OpenBSD ksh to Linux and licensed it under GPLv3. Isn't this a license violation? The ksh in OpenBSD is the pdksh (Public Domain). Slap a license on it if you like, it matters not. -- View this message in context: http://www.nabble.com/License-Violation---ksh-tf4932920.html#a14163439 Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: netstat freezes
On Tue, 4 Dec 2007 16:59:51 -0500 Nick Guenther [EMAIL PROTECTED] wrote: On 12/4/07, Claudio Jeker [EMAIL PROTECTED] wrote: On Tue, Dec 04, 2007 at 03:05:31PM -0500, Nick Guenther wrote: Hi misc, I noticed way back with 3.8 that netstat would sometimes hang on me for a very long time (over two minutes) before spitting out the Active Internet Connections list; once it shows that though, it shows the rest of the lists in an instant. I thought it was just a fluke so I ignored it. But now I've seen it on other systems too, so I'm wondering what's up. Has anyone else seen this behaviour? I've searched the archives with 'netstat hang' and 'netstat freeze' and found nothing. What are the actual options you pass to netstat? You know that netstat does DNS lookups by default? Those can cause some massive delays if something does not resolve. Oh, of course. Haha, I'm so silly, I let myself get bit by DNS. Oh well, at least it's in the archives for the next fool. -Nick Stoopid questions have a purpose, too ;-) Dhu
Re: pfctl - show port numbers
On 06:12:09 Dec 05, Girish Venkatachalam wrote: If there is enough coffee for me in the list, I would do it. ;) This diff should satisfy everyone. -Girish Index: pfctl_parser.c === RCS file: /cvs/src/sbin/pfctl/pfctl_parser.c,v retrieving revision 1.235 diff -u -r1.235 pfctl_parser.c --- pfctl_parser.c 2007/10/15 02:16:35 1.235 +++ pfctl_parser.c 2007/12/05 01:27:21 @@ -295,6 +295,7 @@ void print_port(u_int8_t op, u_int16_t p1, u_int16_t p2, const char *proto) { - char a1[6], a2[6]; + char a1[6], a2[6], srvport1[1024], srvport2[1024]; struct servent *s; - s = getservbyport(p1, proto); p1 = ntohs(p1); - p2 = ntohs(p2); snprintf(a1, sizeof(a1), %u, p1); + + if (s != NULL) + snprintf(srvport1,sizeof(srvport1), %s(%s), s-s_name, a1); + else + strlcpy(srvport1, a1, sizeof(srvport1)); + + p2 = ntohs(p2); snprintf(a2, sizeof(a2), %u, p2); + s = getservbyport(p2, proto); + if (s != NULL) + snprintf(srvport2,sizeof(srvport2), %s(%s), s-s_name, a1); + else + strlcpy(srvport2, a2, sizeof(srvport2)); + printf( port); - if (s != NULL (op == PF_OP_EQ || op == PF_OP_NE)) - print_op(op, s-s_name, a2); - else - print_op(op, a1, a2); + print_op(op, srvport1, srvport2); }
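Review bot: `s` is read uninitialized in the first `if (s != NULL)` of this hunk: the line `s = getservbyport(p1, proto);` is deleted but the NULL test that follows `snprintf(a1, ...)` is kept, so srvport1 is built from whatever happens to be in `s`; put the p1 lookup back before `p1 = ntohs(p1)`, as it was. Three more things in the same hunk: the srvport2 snprintf passes `a1` where it should pass `a2`, so for a two-port rule the second port prints its own name next to the first port's number; `getservbyport(p2, proto)` is called after `p2 = ntohs(p2)`, whereas the original looked p1 up before converting, i.e. in the network byte order getservbyport expects, so the p2 lookup will miss on little-endian hosts; and dropping the `op == PF_OP_EQ || op == PF_OP_NE` condition changes the printed form of every port expression, ranges included, to name(number), which is a wider behaviour change than the name-versus-number question the thread was discussing. The 1024-byte srvport buffers are also far larger than a service name plus a five-digit port needs.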
Re: OpenBSD version / build question
375, 410, 468: Are these build numbers? Yes. So, the current stable kernel is 0? OpenBSD amdthunder.home.local 4.2 GENERIC#0 i386 OpenBSD black.cirt.vt.edu 4.2 GENERIC#0 i386 -- View this message in context: http://www.nabble.com/OpenBSD-version---build-question-tf4923181.html#a14163491 Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: Access to a remote Oracle database
* Joaquin Herrero [EMAIL PROTECTED] [071204 17:27]: Hi, I'm using freetds from my OpenBSD machine to connect to a MS SQL Server and it works like a charm. Now I need to access an Oracle server but it seems that the TDS protocol is not supported by Oracle databases; they use their own protocol named TNS and there is no freetns available. I investigated whether I could use ODBC, but it seems (afaik) that ODBC needs a specific driver for each database and I do not know if there is such a driver for OpenBSD. Perhaps someone knows... a) if with freetds it is possible to connect to Oracle (perhaps activating some tds listener in the database) b) if ODBC is usable in OpenBSD to talk to Oracle. I'm using OpenBSD on a sparc machine at the moment (Sun Netra T1), but I can use a x86 machine as well. Any comments appreciated. -- Joaquin Herrero Oracle is really tight lipped about their application protocol. You're not likely to find a FreeTNS implementation. If you do, please let me know. If you're using Perl, you could use DBD::Proxy to get to an Oracle supported platform that has the Oracle client installed and then connect to the database host. Yes, it's a bit ridiculous, but that's Oracle... Jim
Re: OpenBSD version / build question
On Dec 4, 2007 5:41 PM, new_guy [EMAIL PROTECTED] wrote: 375, 410, 468: Are these build numbers? Yes. So, the current stable kernel is 0? Just on your system. The -release kernel as compiled by [EMAIL PROTECTED] is his build #375. Once you start compiling your own kernels you may build them more often than others. OpenBSD amdthunder.home.local 4.2 GENERIC#0 i386 OpenBSD black.cirt.vt.edu 4.2 GENERIC#0 i386 -- Ticketmaster and Ticketweb suck, but everyone knows that: http://ticketmastersucks.org http://lodesertprotosites.org Dethink to survive - Mclusky
Code signing in OpenBSD
I've searched OpenBSD.org and google for source code signing practices in OpenBSD, nothing obvious stands out. I've probably overlooked it. Just curious about this... is the process described someplace? -- View this message in context: http://www.nabble.com/Code-signing-in-OpenBSD-tf4947207.html#a14164451 Sent from the openbsd user - misc mailing list archive at Nabble.com.
Compliments and Knob Question
Hello, I just plugged some USB devices into my old 133Mhz laptop with OpenBSD on it and they magically work. These devices would not work and/or had problems on Winblows with the laptop.. yet on the desktop the USB devices worked fine. So as I say.. compliments, and thanks. Question about buttons and knobs.. What exactly is a knob? I ask because on a Door, a knob is very useful for getting the door open.. if the door didn't have a knob I'd have to stick my finger or a credit card into the latch area and get it open. Is a knob an extra feature that doesn't really add anything much better, but is just there for the sake of being trendy? Is a knob a wrapper in some cases? For example is IFUP/IFDOWN a knob? Is a symlink a knob since that is essentially an extra directory that isn't necessarily needed since you could just be simple and use the actual file instead.. I think some 'wrappers' are useful so I hope all wrappers are not knobs.. I think maybe I have the definition of a knob wrong. Having two knobs on a door is stupid, unless one knob is for a really short person who is 1 foot tall and the other knob is for the 5 foot person. I know I'm being a knob asking what a knob is, but I seriously want to know exactly what a knob or button is. Yes I googled it and basically all I found was a knob is when someone implements something that doesn't seem to be the best solution or the knob doesn't really add any extra enhancement. But on a door, a knob is quite needed.. so.. flamebaits aside.. I'd like technical knob discussion please. As an API author I try to reduce complexity.. but sometimes making wrappers around an API might add a knob around it to make it simpler. For example the CP command is just a knob for copy.. Regards, L505 Knob Student
Important at Christmas
Hello, good morning. I am writing to you again to let you know that some spaces have opened up in Cancun for this Christmas; you can see more details at http://www.yuppieviajes.com/cancun. You can also call me at 01 800 123 3153 or 01 800 555 0505, or if you would prefer that I call you, let me know which number I can reach you at. Thank you very much in advance for your time and attention. Kind regards, Liliana Itza 01 800 123 3153
Re: ftp-proxy feature request
On Dec 4, 2007 9:34 PM, Camiel Dobbelaar [EMAIL PROTECTED] wrote: I think I helped create part of that route-to diff, but I don't think it belongs in base ftp-proxy. A userland daemon should not control routing like that. Maybe the new 'tag' option can be used for this? (or else the tag option needs work ;-) ) Thanks a lot Camiel :-) Could you please explain in a bit more detail how to make the tag option work? Kind Regards Siju
Re: netstat freezes
I noticed way back with 3.8 that netstat would sometimes hang on me for a very long time (over two minutes) before spitting out the Active Internet Connections list; once it shows that though, it shows the rest of the lists in an instant. I thought it was just a fluke so I ignored it. But now I've seen it on other systems too, so I'm wondering what's up. Has anyone else seen this behaviour? I've searched the archives with 'netstat hang' and 'netstat freeze' and found nothing. What are the actual options you pass to netstat? You know that netstat does DNS lookups by default? Those can cause some massive delays if something does not resolve. Oh, of course. Haha, I'm so silly, I let myself get bit by DNS. Oh well, at least it's in the archives for the next fool. -Nick Stoopid questions have a purpose, too ;-) Dhu Probably patronizing most.. but.. A small boost in startup time is noticed when a static IP is used.. however not too much to make a worthwhile difference. If you ever happen to unplug your network and boot the computer, which I do sometimes since I don't want my network connected for security reasons unless I'm using the network.. sometimes you can wonder why it takes longer to boot up; it is usually because of DHCP getting tripped up wondering why it can't find the DHCP server, and this can hang the computer for a few seconds/half-minutes.
A question about pecl install fileinfo
While trying to install fileinfo # pecl install fileinfo I get the following error. downloading Fileinfo-1.0.4.tgz ... Starting to download Fileinfo-1.0.4.tgz (5,835 bytes) .done: 5,835 bytes 3 source files, building running: phpize Configuring for: PHP Api Version: 20041225 Zend Module Api No: 20060613 Zend Extension Api No: 220060519 Cannot find autoconf. Please check your autoconf installation and the $PHP_AUTOCONF environment variable is set correctly and then rerun this script. ERROR: `phpize' failed I have tried quite a few things but nothing has worked. How can I install fileinfo? Please let me know if you have any ideas on how to do this. Thanks very much, Vijay
Re: Compliments and Knob Question
On 4-Dec-07, at 10:24 PM, L wrote: Hello, I just plugged some USB devices into my old 133Mhz laptop with OpenBSD on it and they magically work. These devices would not work and/or had problems on Winblows with the laptop.. yet on the desktop the USB devices worked fine. So as I say.. compliments, and thanks. Question about buttons and knobs.. What exactly is a knob? I ask because on a Door, a knob is very useful for getting the door open.. if the door didn't have a knob I'd have to stick my finger or a credit card into the latch area and get it open. Is a knob an extra feature that doesn't really add anything much better, but is just there for the sake of being trendy? Is a knob a wrapper in some cases? For example is IFUP/IFDOWN a knob? Is a symlink a knob since that is essentially an extra directory that isn't necessarily needed since you could just be simple and use the actual file instead.. I think some 'wrappers' are useful so I hope all wrappers are not knobs.. I think maybe I have the definition of a knob wrong. Having two knobs on a door is stupid, unless one knob is for a really short person who is 1 foot tall and the other knob is for the 5 foot person. I know I'm being a knob asking what a knob is, but I seriously want to know exactly what a knob or button is. Yes I googled it and basically all I found was a knob is when someone implements something that doesn't seem to be the best solution or the knob doesn't really add any extra enhancement. But on a door, a knob is quite needed.. so.. flamebaits aside.. I'd like technical knob discussion please. As an API author I try to reduce complexity.. but sometimes making wrappers around an API might add a knob around it to make it simpler. For example the CP command is just a knob for copy.. Regards, L505 Knob Student That thing on the door is a handle. 
A knob would let you adjust how far the door opens, how much it resists being opened, whether or not it shuts itself (and how quickly) and how far you have to turn the handle to get it to start opening. Clearly most doors work just fine without knobs.
Re: Compliments and Knob Question
Question about buttons and knobs.. What exactly is a knob? At least here is Australia, knob is slang for: 1. Penis 2. an idiot or a person who does stupid things. That guy is a knob
Re: Compliments and Knob Question
That thing on the door is a handle. A knob would let you adjust how far the door opens, how much it resists being opened, whether or not it shuts itself (and how quickly) and how far you have to turn the handle to get it to start opening. Clearly most doors work just fine without knobs. Tech knob discussion, how about a nice boring dictionary answer. 1 a*:* a rounded protuberance *:* lump b*:* a small rounded ornament or handle 2*:* a rounded usually isolated hill or mountain This seems that a knob doesn't have to be useful. Brian
Re: Code signing in OpenBSD
On Dec 5, 2007 11:16 AM, new_guy [EMAIL PROTECTED] wrote: I've searched OpenBSD.org and google for source code signing practices in OpenBSD, nothing obvious stands out. I've probably overlooked it. Just curious about this... is the process described someplace? No. OpenBSD doesn't sign code. --- Lars Hansson
Re: Compliments and Knob Question
On 5/12/2007, at 4:24 PM, L wrote: Question about buttons and knobs.. What exactly is a knob? [cut] it simpler. For example the CP command is just a knob for copy.. My understanding of knob is an option or a switch. I guess the meaning is like a music console - all those knobs you can turn to fiddle with sound. So you start off with command X that moves bytes from A to B. So the user does ... X A B ... and his bytes are moved. Then dev. a adds an option - a knob. X [a] A B Then dev. b adds his option X [a|b] A B Then devs c, d, e etc. And someone adds the -quiet knob, the -verbose knob. And obviously if you run -quiet you would ignore -verbose? Or the other way round? X [a|b|c|d|e|f] A B By now the code starts to have a lot of conditionals: if a and b but not c do this otherwise if f do that Code gets messy - harder to follow - bugs creep in (potentially security related.) When you want to add feature Z - which ones of all those knobs/options should it handle? In what way? Was it REALLY worth adding all those options for a couple of people here or there (who could have piped output / used a Perl script / whatever?) Usually not. I guess it would be the same for an API - you start with a simple entry point and end up with a lot of entry points, or having a whole heap of options in every entry point. My 2c ...
Re: Compliments and Knob Question
On 5/12/2007, at 7:09 PM, Richard Toohey wrote: On 5/12/2007, at 4:24 PM, L wrote: Question about buttons and knobs.. What exactly is a knob? [cut] it simpler. For example the CP command is just a knob for copy.. My understanding of knob is an option or a switch. I guess the meaning is like a music console - all those knobs you can turn to fiddle with sound. Like this stuff ... http://digitalmedia.oreilly.com/2005/01/26/synthedit1_0105.html Lots and lots and LOTS of knobs all to fiddle with sound.
Re: OpenBSD version / build question
On Tue, Dec 04, 2007 at 05:41:28PM -0800, new_guy wrote: 375, 410, 468: Are these build numbers? Yes. So, the current stable kernel is 0? OpenBSD amdthunder.home.local 4.2 GENERIC#0 i386 OpenBSD black.cirt.vt.edu 4.2 GENERIC#0 i386 When you build a kernel, a new vers.c file is created by running /usr/src/sys/conf/newvers.sh. That script is also responsible for creating a version file that increments every time you build a kernel in the same directory. You too could have a high build number if you were never to delete the kernel build directory (by default instruction /usr/src/sys/arch/$(machine)/compile/GENERIC) or were careful about keeping the version file. -- Hugo Villeneuve [EMAIL PROTECTED] http://EINTR.net/