How to debug IPSec and PF problem

2008-10-29 Thread Mikel Lindsaar
Hi all,

I've got a VPN running between two networks. Works fine for basically
everything and very easy to setup, kudos to the guys that worked on
ipsecctl and isakmpd.

I have one problem though that I am trying to debug.

Network looks like this:

192.168.11.250   # Asterisk1
 |
 |
192.168.11.1     # OpenBSD1 4.3
 |
 | # VPN
 |
192.168.4.1      # OpenBSD2 4.3
 |
 |
192.168.4.250    # Asterisk2

Firstly, I can ssh from any box to any box over the VPN.  This works
fine.  So the basic VPN is functional.

Secondly, 192.168.4.1 has several different routes out of it and a
fairly complex setup in pf.conf and this is what I think I have
misconfigured.

I am trying to setup an IAX2 (port 4569) from asterisk1 to asterisk2.

The traffic is running and I get the traffic flowing from one end to
the other, but return traffic is getting blocked or misrouted.

Tcpdump on 192.168.4.250 eth0 I see the packets from 192.168.11.250
arriving and packets from 192.168.4.250 leaving.

Tcpdump on 192.168.4.1 enc0 I see the packets from 192.168.11.250
arriving and packets from 192.168.4.250 leaving.

Tcpdump on 192.168.11.1 enc0 I only see the 192.168.11.250 packets.

Tcpdump on 192.168.11.250 eth0 I only see the 192.168.11.250 packets.

I have disabled any firewalls on both asterisk boxes, but this makes no change.

Disabling pf on the 192.168.11.1 box makes no change.

I can't disable pf on 192.168.4.1 right now (could schedule a time later)

I believe the problem is somewhere in 192.168.4.1's pf.conf or route table.

Now, I know this email contains no where near all the data needed to
debug this by someone on list, but I want to work it out myself and I
have a few questions.

1) Is the ipsec tunnel just treated like a standard interface by PF?

2) how and when does the ipsec tunnel grab packets to send through the
tunnel?  I can't see any route entries or the like.  I assume it
attaches somehow the same way PF does and intercepts packets.

And probably most importantly:

3) What is the best way to find what rule in PF is matching the IAX
UDP packet stream?  I'm not getting anywhere with eyeballing it.

If I can find how the packet is moving through the stack, I am sure I
can fix the darn thing.

Thanks

Mikel



Re: Longest Uptime?

2008-10-29 Thread Guido Tschakert
new_guy schrieb:
 I know. Longest uptime is silly, macho, pointless stuff... but I ran across
 an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The
 only reason it was not an open mail relay is that /var was full. So, I
 thought to myself, I bet I could run an OpenBSD box for that amount of time
 or longer without getting hacked and without doing much to it. Just
 wondering what's the longest OpenBSD uptime some folks on misc have seen?
 
 Thanks


Hmm,

what about 180-190 days uptime max?
Afaik you need to reboot your OpenBSD when you upgrade in May and
November...

guido



Re: NTFS-3G Stable Read/Write Driver ready to merge on cvs obsd ?

2008-10-29 Thread Artur Grabowski
Heimdall Imbert [EMAIL PROTECTED] writes:

 Hahaha, I wanted to say the same thing but figured that this wouldn't be an
 appropriate venue for a discussion of this nature.  But since someone else
 brought it up, I figure I might as well add my two cents. I currently run
 Debian and Windows XP on my laptop and I use it as a learning tool (because
 I am nowhere near a guru unlike many of the people here!).

LEGO is a learning tool too. So are picture books and dolls.

I don't think that word means what you think it means.

//art



Re: How to debug IPSec and PF problem

2008-10-29 Thread Rod Whitworth
On Wed, 29 Oct 2008 17:01:21 +1100, Mikel Lindsaar wrote:

Hi all,

I've got a VPN running between two networks. Works fine for basically
everything and very easy to setup, kudos to the guys that worked on
ipsecctl and isakmpd.

I have one problem though that I am trying to debug.

Network looks like this:

192.168.11.250   # Asterisk1
 |
 |
192.168.11.1     # OpenBSD1 4.3
 |
 | # VPN
 |
192.168.4.1      # OpenBSD2 4.3
 |
 |
192.168.4.250    # Asterisk2

Firstly, I can ssh from any box to any box over the VPN.  This works
fine.  So the basic VPN is functional.

Secondly, 192.168.4.1 has several different routes out of it and a
fairly complex setup in pf.conf and this is what I think I have
misconfigured.

I am trying to setup an IAX2 (port 4569) from asterisk1 to asterisk2.

The traffic is running and I get the traffic flowing from one end to
the other, but return traffic is getting blocked or misrouted.

Tcpdump on 192.168.4.250 eth0 I see the packets from 192.168.11.250
arriving and packets from 192.168.4.250 leaving.

Tcpdump on 192.168.4.1 enc0 I see the packets from 192.168.11.250
arriving and packets from 192.168.4.250 leaving.

Tcpdump on 192.168.11.1 enc0 I only see the 192.168.11.250 packets.

Tcpdump on 192.168.11.250 eth0 I only see the 192.168.11.250 packets.

I have disabled any firewalls on both asterisk boxes, but this makes no change.

Disabling pf on the 192.168.11.1 box makes no change.

I can't disable pf on 192.168.4.1 right now (could schedule a time later)

I believe the problem is somewhere in 192.168.4.1's pf.conf or route table.

Now, I know this email contains no where near all the data needed to
debug this by someone on list, but I want to work it out myself and I
have a few questions.

1) Is the ipsec tunnel just treated like a standard interface by PF?

2) how and when does the ipsec tunnel grab packets to send through the
tunnel?  I can't see any route entries or the like.  I assume it
attaches somehow the same way PF does and intercepts packets.

And probably most importantly:

3) What is the best way to find what rule in PF is matching the IAX
UDP packet stream?  I'm not getting anywhere with eyeballing it.

If I can find how the packet is moving through the stack, I am sure I
can fix the darn thing.

Thanks

Mikel



By your statement "I can ssh from any box to any box over the VPN" I
understand you to mean from any LAN host at either end to any LAN host
at the other. Is that correct?

If so why would traffic from one LAN host at the 192.168.4. end be any
different to the others? There is nothing magic about asterisk.

I suggest that you traceroute from 192.168.4.250 to the other asterisk
and see just where those packets go. I have a funny feeling they are
heading out to the cloud naked rather than through IPsec. Of course if
that is true there will be no reply after they hit the $ext_if in the
near-end router.

I don't know how you would manage to get this situation without
screwing up the other hosts on the same LAN but then you have not shown
any configurations at all so I have to use my personal ESP which has
less than 6/6 vision.

FYI your inet routing table gives no hint to packets as to which path
to choose involving IPsec. If they don't match your ipsec.conf they
don't go up the tunnel.

If you need more help you need to supply more info.

/R

*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thankyou.

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



Re: Longest Uptime?

2008-10-29 Thread Artur Grabowski
new_guy [EMAIL PROTECTED] writes:

 I know. Longest uptime is silly, macho, pointless stuff... but I ran across
 an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The
 only reason it was not an open mail relay is that /var was full. So, I
 thought to myself, I bet I could run an OpenBSD box for that amount of time
 or longer without getting hacked and without doing much to it. Just
 wondering what's the longest OpenBSD uptime some folks on misc have seen?

 7:52AM  up 6134 days, 16:36, 3 users, load averages: 0.52, 0.47, 0.43

http://www.blahonga.org/~art/diffs/epenis-enlargement.20060210

//art



Re: Longest Uptime?

2008-10-29 Thread Mike Swanson
On Tue, Oct 28, 2008 at 11:45 PM, Guido Tschakert
[EMAIL PROTECTED] wrote:
 Hmm,

 what about 180-190 days uptime max?
 Afaik you need to reboot your OpenBSD when you upgrade in May and
 November...

 guido

Just hope an important kernel update doesn't come by within those six
months.  ;)



Re: How to debug IPSec and PF problem

2008-10-29 Thread Christoph Leser
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On behalf of Rod Whitworth
 Sent: Wednesday, 29 October 2008 07:47
 To: OpenBSD general usage list
 Subject: Re: How to debug IPSec and PF problem


 On Wed, 29 Oct 2008 17:01:21 +1100, Mikel Lindsaar wrote:

 Hi all,
 
 I've got a VPN running between two networks. Works fine for
 basically
 everything and very easy to setup, kudos to the guys that worked on
 ipsecctl and isakmpd.
 
 I have one problem though that I am trying to debug.
 
 Network looks like this:
 
 192.168.11.250   # Asterisk1
  |
  |
 192.168.11.1     # OpenBSD1 4.3
  |
  | # VPN
  |
 192.168.4.1      # OpenBSD2 4.3
  |
  |
 192.168.4.250    # Asterisk2
 
 Firstly, I can ssh from any box to any box over the VPN.  This works
 fine.  So the basic VPN is functional.
 
 Secondly, 192.168.4.1 has several different routes out of it and a
 fairly complex setup in pf.conf and this is what I think I have
 misconfigured.
 
 I am trying to setup an IAX2 (port 4569) from asterisk1 to asterisk2.
 
 The traffic is running and I get the traffic flowing from one end to
 the other, but return traffic is getting blocked or misrouted.
 
 Tcpdump on 192.168.4.250 eth0 I see the packets from 192.168.11.250
 arriving and packets from 192.168.4.250 leaving.
 
 Tcpdump on 192.168.4.1 enc0 I see the packets from 192.168.11.250
 arriving and packets from 192.168.4.250 leaving.
 
 Tcpdump on 192.168.11.1 enc0 I only see the 192.168.11.250 packets.
 
 Tcpdump on 192.168.11.250 eth0 I only see the 192.168.11.250 packets.
 
 I have disabled any firewalls on both asterisk boxes, but
 this makes no
 change.
 
 Disabling pf on the 192.168.11.1 box makes no change.
 
 I can't disable pf on 192.168.4.1 right now (could schedule a time
 later)
 
 I believe the problem is somewhere in 192.168.4.1's pf.conf or route
 table.
 
 Now, I know this email contains no where near all the data needed to
 debug this by someone on list, but I want to work it out
 myself and I
 have a few questions.
 
 1) Is the ipsec tunnel just treated like a standard interface by PF?
 
 2) how and when does the ipsec tunnel grab packets to send
 through the
 tunnel?  I can't see any route entries or the like.  I assume it
 attaches somehow the same way PF does and intercepts packets.
 
 And probably most importantly:
 
 3) What is the best way to find what rule in PF is matching
 the IAX UDP
 packet stream?  I'm not getting anywhere with eyeballing it.
 
 If I can find how the packet is moving through the stack, I
 am sure I
 can fix the darn thing.
 
 Thanks
 
 Mikel
 


 By your statement "I can ssh from any box to any box over the
 VPN" I understand you to mean from any LAN host at either
 end to any LAN host at the other. Is that correct?

 If so why would traffic from one LAN host at the 192.168.4.
 end be any different to the others? There is nothing magic
 about asterisk.

 I suggest that you traceroute from 192.168.4.250 to the other
 asterisk and see just where those packets go. I have a funny
 feeling they are heading out to the cloud naked rather than
 through IPsec. Of course if that is true there will be no
 reply after they hit the $ext_if in the near-end router.

 I don't know how you would manage to get this situation
 without screwing up the other hosts on the same LAN but then
 you have not shown any configurations at all so I have to use
 my personal ESP which has less than 6/6 vision.

 FYI your inet routing table gives no hint to packets as to
 which path to choose involving IPsec. If they don't match
 your ipsec.conf they don't go up the tunnel.

 If you need more help you need to supply more info.

 /R

 *** NOTE *** Please DO NOT CC me. I am subscribed to the
 list. Mail to the sender address that does not originate at
 the list server is tarpitted. The reply-to: address is
 provided for those who feel compelled to reply off list. Thankyou.

 Rod/
 /earth: write failed, file system is full
 cp: /earth/creatures: No space left on device


Hi,

I think

1. netstat -rn -f encap
should show 2 entries for your IPSEC tunnel, one for each direction.

2. tcpdump -lenvvvi pflog0 will show packets being blocked or let pass,
including the number of the rule which was applied (if you have logging
enabled in your pf.conf).

3. tcpdump on the other interfaces of your bsd boxes might help to discover
the missing packets (if, as Rod suspects, they are just routed into the
cloud).

Regards
Christoph
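
Christoph's second point is the direct answer to Mikel's third question. The following Python filter is an added example (not from the thread) that reads `tcpdump -lenvvvi pflog0` output and summarises, for one port, which rule number, action, direction and interface handled each packet; the log lines are constructed to mirror the symptom described above, and the LAN interface name em1 is assumed.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -lenvvvi pflog0" output on the 192.168.4.1 side
# (not captured from the poster's boxes; the em1 LAN interface name is assumed).
# Both the "rule N/(match)" form and the older "rule N/0(match):" form appear.
SAMPLE_PFLOG = """\
Oct 29 17:01:21.103311 rule 12/(match) pass in on enc0: 192.168.11.250.4569 > 192.168.4.250.4569: udp 40
Oct 29 17:01:21.103400 rule 12/(match) pass out on em1: 192.168.11.250.4569 > 192.168.4.250.4569: udp 40
Oct 29 17:01:21.221754 rule 40/(match) block in on em1: 192.168.4.250.4569 > 192.168.11.250.4569: udp 40
Oct 29 17:01:21.221790 rule 40/0(match): block in on em1: 192.168.4.250.4569 > 192.168.11.250.4569: udp 40
Oct 29 17:01:22.000000 rule 7/(match) pass in on em1: 192.168.4.250.55012 > 192.168.11.1.22: S 1:1(0) win 65535
"""

PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?:\d+)?\(match\):? "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_pflog_line(line):
    """Return the rule number, action, direction, interface and 4-tuple of one
    pflog line, or None for lines that are not pflog records."""
    m = PFLOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def rules_for_port(text, port):
    """Count, per (direction, interface, action, rule), the packets of one port's
    stream.  The rule numbers are the @N indices shown by 'pfctl -vvsr'."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is not None and port in (rec["sport"], rec["dport"]):
            counts[(rec["dir"], rec["iface"], rec["action"], rec["rule"])] += 1
    return sorted(key + (n,) for key, n in counts.items())


def blocking_rules(text, port):
    """Just the rule numbers that blocked the stream: the ones to read first."""
    return sorted({rule for _d, _i, action, rule, _n in rules_for_port(text, port)
                   if action == "block"})


if __name__ == "__main__":
    for row in rules_for_port(SAMPLE_PFLOG, 4569):
        print("%-3s %-5s %-5s rule %d: %d packet(s)" % row)
```

Feed it `tcpdump -lenvvvi pflog0 | python3 thisfile.py`-style captured text and the one direction that never reaches enc0 stands out as a block entry with its rule number.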



Re: Capture serial port output to a file

2008-10-29 Thread J.C. Roberts
On Tuesday 28 October 2008, Marc Balmer wrote:
 * Bruce Bauer wrote:
  Problem:
  OpenBSD 4.2 on i386
  Serial port /dev/cua00 connected to the console port on a firewall.
  I need to catch all text output from the serial port to a file.
  The process doing this must survive a loss of network.
  The box is running headless.

 I could suggest you run cu in a screen session.  I have used

 cu ... | tee logfile

 in the past, but there are possibly more elegant solutions


I've never tried using tee(1) but it is more elegant than using the 
default solution provided by tip/cu/remote.

As is often the case, the wanted feature is in base, and has been there 
long enough for most people to both forget about it, and to some 
degree, most people no longer understand the language used to describe 
the features in the man page.

The language used in man tip(1) and man remote(5) is accurate, but the 
problem is you'd need to be ancient to know what the language means. 
The problematic term in the man pages is "script" since it basically 
means "log file".

In remote(5) you'll see an option for "re" which is a string to define 
a path/filename, and an option for "sc", a boolean which tells tip to 
turn on "scripting". The boolean options are turned on by just listing 
them (without the =1 =on =true nonsense).

Here's the default entry for tty00 in /etc/remote

tty00|For hp300,i386,mac68k,macppc,mvmeppc,vax:\
:dv=/dev/tty00:tc=direct:tc=unixhost:


Here's the entry for my tty00 in /etc/remote

tty00|For hp300,i386,mac68k,macppc,mvmeppc,vax:\
:dv=/dev/tty00:tc=direct:sc:re=/home/jcr/tip.txt:tc=unixhost:

If I do a simple 

# tip tty00

And boot the serial connected host, everything shows up on screen just 
like always *BUT* all of the output is also written to the given file.

You might also want to look over the beautify (be), line ending 
and escape sequence stuff in man remote(5) to tweak the text file 
output to your liking.

--
jcr



Re: Longest Uptime?

2008-10-29 Thread Gilles Chehade

new_guy wrote:

I know. Longest uptime is silly, macho, pointless stuff... but I ran across
an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The
only reason it was not an open mail relay is that /var was full. So, I
thought to myself, I bet I could run an OpenBSD box for that amount of time
or longer without getting hacked and without doing much to it. Just
wondering what's the longest OpenBSD uptime some folks on misc have seen?

Thanks
  

It is not the size of your uptime that matters, it is what you do with it.

Gilles



Re: J.C. Roberts [EMAIL PROTECTED] saiz OpenBSD. --We won't miss you.

2008-10-29 Thread Christoph Leser
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On behalf of bofh
 Sent: Tuesday, 28 October 2008 16:13
 To: OpenBSD general usage list
 Subject: Re: J.C. Roberts [EMAIL PROTECTED] saiz 
 OpenBSD. --We won't miss you.


 On Tue, Oct 28, 2008 at 9:55 AM, Kevin Wilcox
 [EMAIL PROTECTED] wrote:
  2008/10/28 Owain Ainsworth [EMAIL PROTECTED]:
  On Tue, Oct 28, 2008 at 05:37:24AM -0700, Neko wrote:
 
  git a life
 
  [EMAIL PROTECTED]:~$git clone a://life
  Initialized empty Git repository in /home/oga/life/.git/
  fatal: I don't handle protocol 'a'
 
  Didn't anyone ever tell you not to run arbitrary commands
 you read on
  a mailing list? grin

 I dunno.  I once typed in :(){ :|: };: that I read on a
 mailing list into my bash shell but it did nothing to my
 openbsd box.  Nor my osx box.  Linux boxes otoh


I tried on linux ( rhel5 ), where it generated lots of

-bash: fork: Resource temporarily unavailable

messages.

After running it once, a single colon on the commandline gave the same effect,
which was the clue to what happened.

On linux bash

:(){ :|: };:

defines a function calling itself recursively in the background

: ()
{
: | : 
}

The last colon then calls this function.

I'm not a shell expert. Is this behaviour expected? I found that I can define
functions '+', '-', '/', '?' etc.



Re: OPENVAS on OpneBSD [was Re: PCI Compliant Vulnerability Scanner]

2008-10-29 Thread Nigel J. Taylor
Simon,

I have nearly completed a port of OpenVAS for OpenBSD. I have it running
but a few things to resolve before submitting to the ports.

Regards

Nigel Taylor

Simon Slaytor wrote:
 Dorian Büttner wrote:
  Looking for openvas?
 http://www.derkeiler.com/Mailing-Lists/securityfocus/pen-test/2005-11/0067.html


 I've been looking at OpenVAS has anyone got it working under OpenBSD?



Re: Using OpenBGPD as a route-server

2008-10-29 Thread Claudio Jeker
On Tue, Oct 28, 2008 at 04:24:02PM +0100, Hans Vosbergen wrote:
 Hi Misc,
 
 I am trying to make OpenBGPD work as a route-server for a little hobby
 project I am working on.
 
 As it's very hard to find configuration examples for this usage on the web i
 have to turn here.
 
 What I am trying to achieve:
 - A route-server acting as a transparent route distributor.
 - Control by neighbours who their prefixes are announced to, based on
 communities.
 
 Making OpenBGP work as a transparent AS was the easy part. However I'm stuck
 in the communities control part.
 
 How it is supposed to work, my route-server has AS1234 in my test
 environment.
 
 If a neighbour announces:
 1. { community 1234:1234 } -- Their prefixes will be announced to EVERY
 other neighbour.
 2. { community 1234:as} -- Their prefixes will ONLY be announced to AS,
 ie: 1234:8943 will only send the prefixes to AS8943.
 3. { community 1234:1234 1234:AS } -- Their prefixes will be announced to
 every other neighbour EXCEPT AS.
 
 I have been able to achieve the first 2 ways the prefix control should work,
 but I can't manage to get the 3rd to work. Before moving to OpenBGPD I
 managed to produce the way I want it to work in Quagga but I simply do not
 want to use that.
 
 Would anyone have an idea on how to make OpenBGPD not announce prefixes to
 specific neighbours if they appear in the 1234:1234 1234:AS list?
 

The route server I set up uses more or less this config:

# global configuration
AS $ASNUM
router-id $IP
transparent-as yes

network $LAN

group RS {
announce all
max-prefix 5000 restart 15
set nexthop no-modify
#   softreconfig in no

neighbor $LAN {
descr RS peer
passive
}
}

# filter out prefixes longer than 24 or shorter than 8 bits
deny from any prefixlen 8 >< 24

# do not accept a default route, multicast and experimental networks
deny from any prefix 0.0.0.0/0
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 127.0.0.0/8 prefixlen >= 8
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4

# we set these communities to identify from where
# it learned a route:
match from any set community $ASNUM:neighbor-as

# 1. Prepend RS $ASNUM to *all* RS-Peers
match from group RS community $ASNUM:65500 set prepend-self 1

# 2. Prepend RS $ASNUM to *selected* RS-Peer N-times
# (N can be 1 to 3)
match to group RS community 65501:neighbor-as set prepend-self 1
match to group RS community 65502:neighbor-as set prepend-self 2
match to group RS community 65503:neighbor-as set prepend-self 3

# 3. Do *not* announce to RS-Peers with AS 
deny to group RS community $ASNUM:neighbor-as

# 4. Do *not* announce to *ANY* RS-Peers
deny to group RS community $ASNUM:65535

# 5. Prepend own announcement by one
match to group RS prefix $LAN set prepend-self 1

Works like a champ without any additional per peer config :)
-- 
:wq Claudio
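
As an added illustration (not bgpd code, nor Claudio's), here is a Python model of how the posted rules decide, per peer, whether a prefix is announced and how often the route server prepends its own AS, with the inbound prefix filters included. It assumes default-allow filters in which the last matching allow/deny rule decides, that `neighbor-as` expands to the AS of the peer being evaluated, that a later `set prepend-self` replaces an earlier one, and the placeholder values 1234 for $ASNUM and 198.51.100.0/24 for $LAN.

```python
import ipaddress

# Model of the route-server policy posted above (added example, not bgpd code).
# Assumed: default-allow filters, last matching allow/deny wins, "match" rules
# only apply their "set" actions, "neighbor-as" expands to the AS of the peer
# being evaluated, and a later "set prepend-self" replaces an earlier one.
RS_AS = 1234                     # stands in for $ASNUM (assumed value)
LAN_PREFIX = "198.51.100.0/24"   # stands in for $LAN (assumed, documentation range)

# "deny from any prefix X prefixlen >= N" rules from the posted config
BOGONS = [("10.0.0.0/8", 8), ("127.0.0.0/8", 8), ("169.254.0.0/16", 16),
          ("172.16.0.0/12", 12), ("192.0.2.0/24", 24), ("192.168.0.0/16", 16),
          ("224.0.0.0/4", 4), ("240.0.0.0/4", 4)]


def inbound_accepted(prefix):
    """Inbound 'deny from any' rules: a prefix survives only if no rule matches.
    'prefixlen 8 >< 24' also covers the default route denied explicitly."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen < 8 or net.prefixlen > 24:
        return False
    for cidr, minlen in BOGONS:
        if net.subnet_of(ipaddress.ip_network(cidr)) and net.prefixlen >= minlen:
            return False
    return True


class Route:
    """A prefix as the RS holds it after the inbound 'match from any' rule."""

    def __init__(self, prefix, learned_from=None, communities=()):
        self.prefix = prefix
        self.learned_from = learned_from        # peer AS, or None for 'network $LAN'
        self.communities = set(communities)     # (high, low) pairs
        if learned_from is not None:
            # match from any set community $ASNUM:neighbor-as
            self.communities.add((RS_AS, learned_from))


def announce_to(route, peer_as):
    """Evaluate the outbound rules for one RS peer.
    Returns (announced, prepend_self_count)."""
    prepend = 0
    # 1. match from group RS community $ASNUM:65500 set prepend-self 1
    if route.learned_from is not None and (RS_AS, 65500) in route.communities:
        prepend = 1
    # 2. match to group RS community 6550N:neighbor-as set prepend-self N
    for n in (1, 2, 3):
        if (65500 + n, peer_as) in route.communities:
            prepend = n
    # 3. deny to group RS community $ASNUM:neighbor-as
    #    (the inbound tag also keeps a route from going back to its origin peer)
    if (RS_AS, peer_as) in route.communities:
        return False, 0
    # 4. deny to group RS community $ASNUM:65535
    if (RS_AS, 65535) in route.communities:
        return False, 0
    # 5. match to group RS prefix $LAN set prepend-self 1
    if route.prefix == LAN_PREFIX:
        prepend = 1
    return True, prepend


def distribute(route, peer_ases):
    """Map every RS peer AS to the decision announce_to() makes for it."""
    return {peer: announce_to(route, peer) for peer in peer_ases}


if __name__ == "__main__":
    # learned from AS100; AS200 is opted out, AS300 asked for two prepends
    r = Route("203.0.113.0/24", learned_from=100,
              communities={(RS_AS, 200), (65502, 300)})
    print(distribute(r, [100, 200, 300]))
```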



Re: file encryption

2008-10-29 Thread Jacob Yocom-Piatt

Paul M wrote:

I'm looking for a way to encrypt backup files for secure storage.

Gpg is an obvious candidate, but I'm wondering if there's anything in 
base, perhaps a creative use of ssh or some other tool, though not 
something liable to break, obviously.


Any thoughts would be much appreciated.

paulm




I am surprised that nobody has pointed you at the manpages for bioctl 
and softraid. Read these and you can see how to use crypto volumes with 
softraid.


AFAICT most of the work done on bioctl and softraid should have made it 
into 4.4, if not you need to run current to get these features.




Re: How to debug IPSec and PF problem

2008-10-29 Thread Mikel Lindsaar
On Wed, Oct 29, 2008 at 8:06 PM, Christoph Leser [EMAIL PROTECTED] wrote:
 On Wed, 29 Oct 2008 17:01:21 +1100, Mikel Lindsaar wrote:
 I've got a VPN running between two networks. Works fine for
 basically
 If so why would traffic from one LAN host at the 192.168.4.
 end be any different to the others? There is nothing magic
 about asterisk.
 3. tcpdump on the other interfaces of your bsd boxes might help to discover
 the missing packets ( if, as Rod suspects, they are just routed into the cloud

OK, turns out the problem was a state entry.

I did pfctl -k 0.0.0.0/0 -k 192.168.11.250 and all was good.

Thanks for your pointers though.

Mikel



Re: J.C. Roberts [EMAIL PROTECTED] saiz OpenBSD. --We won't miss you.

2008-10-29 Thread bofh
On Wed, Oct 29, 2008 at 6:15 AM, Christoph Leser [EMAIL PROTECTED] wrote:
 I'm not a shell expert. Is this behaviour expected?

wiki has a nice article on fork bombs.

-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0feature=related



FFS file system driver for Windows 2000/XP/2003

2008-10-29 Thread Andrés
Hi, guys, I just want to share this link I just found. I haven't tried it
yet, but others may want to try it too. Given the results we get, it
would be a good idea to include the link in the FAQ: How can I access
my OpenBSD file system from Windows directly?

http://ffsdrv.sourceforge.net/

Greetings!



Re: FFS file system driver for Windows 2000/XP/2003

2008-10-29 Thread Vadim Zhukov
On Wednesday 29 October 2008 14:55:58 Andrés wrote:
 Hi, guys, I just want to share this link I just found. I haven't tried it
 yet, but others may want to try it too. Given the results we get, it
 would be a good idea to include the link in the FAQ: How can I access
 my OpenBSD file system from Windows directly?

 http://ffsdrv.sourceforge.net/

Please search archives before posting. This driver (and its bugs) is
known.

And it doesn't work with contemporary OpenBSD FFS realization, AFAIK.

--
  Best wishes,
Vadim Zhukov



Re: Capture serial port output to a file -Solved

2008-10-29 Thread Bruce Bauer
Combining suggestions from several people.
I installed screen
This gives me an interactive screen that doesn't die when I disconnect the 
session.
Then in the screen session: cu -l /dev/cua00 -t | tee /var/log/log.console
I can then kill my ssh connection, connect again and see that the screen and cu 
processes are still running.
I can tail -f /var/log/log.console to see new output from the console
Bonus: I can reconnect to the screen session to issue interactive commands to 
get more debugging info out of the device.

Thanks all


--- [EMAIL PROTECTED] wrote:

From: Nick Holland [EMAIL PROTECTED]
To: misc misc@openbsd.org
Subject: Re: Capture serial port output to a file
Date: Tue, 28 Oct 2008 22:03:58 -0400

Marc Balmer wrote:
 * Bruce Bauer wrote:
 Problem:
 OpenBSD 4.2 on i386
 Serial port /dev/cua00 connected to the console port on a firewall.
 I need to catch all text output from the serial port to a file.
 The process doing this must survive a loss of network.
 The box is running headless.
 
 I could suggest you run cu in a screen session.  I have used
 
 cu ... | tee logfile
 
 in the past, but there are possibly more elegant solutions

Not sure it is more elegant, but I mention it just because I was
happy to find out about it: script(1).

It's in base.

Nick.



Gifts and discounts only until 1 November

2008-10-29 Thread Top Shop
Dear customer,

We remind you that for only 3 more days you can order the following products
with a gift and at a discount:

  * Bun & Thigh Doer at the price of 5.990,00 RSD + GIFT Rina's 90 -
weight-loss guide - order here!

  * Air Climber at the price of 8.990,00 RSD + GIFT Rina's 90 - weight-loss
guide - order here!

  * The Bean at the price of 4290,00 RSD + GIFT Rina's 90 - weight-loss
guide - order here!

  * Sanozen ionizer at the reduced price of: 5990,00 RSD - order here!

Don't miss the October discounts - order now!

Yours,
E-Topshop

You are receiving this e-mail because you voluntarily left your e-mail
address, took part in special promotions or prize games on the site
www.e-topshop.tv

The offer in this e-mail applies exclusively to orders placed via the
Internet or the telephone number 021 489 26 60.

If you no longer wish to receive our electronic messages, click here to
unsubscribe from our e-mailing list.

Studio Moderna d.o.o., Bulevar vojvode Stepe 30, 21000 Novi Sad, Tel: 021
489 29 00, Fax: 021 489 29 08, E-mail: [EMAIL PROTECTED]

If you would no longer like to receive our emails please
unsubscribe by clicking here.



4.4 in germany

2008-10-29 Thread Matthias Pfeifer
 Thank you all for the OpenBSD 4.4 CD set!
 
 Nice Pictures, nice stickers, nice song and great operating system :)



NATing traffic going into the ipsec tunnel

2008-10-29 Thread Vladimir
We need to connect to a vendor's network over VPN however they are 
telling us we need to NAT all the traffic going to their network. They 
also want publicly addressable IPs as the NATed address (go figure). I 
have read extensively and looked at manuals but can't quite get it working.


Setup is as follows:

1.1.1.1 - My network VPN endpoint
1.1.1.100 - My NAT address (I took it off the $ext_if)

2.2.2.1 - Vendor Network VPN endpoint
2.2.2.100 - Vendor NAT address

Vendor is running a TCP service on 2.2.2.100:5000 that I am trying to 
access from my network.


I have set up a VPN tunnel which seems to be in place e.g. doing netstat 
-nr shows this


Encap:
Source        Port  Destination   Port  Proto  SA(Address/Proto/Type/Direction)

2.2.2.100/32  0     1.1.1.100/32  0     0      2.2.2.1/esp/use/in
1.1.1.100/32  0     2.2.2.100/32  0     0      2.2.2.1/esp/require/out


Then per instructions in following document I did

http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

ifconfig lo1 1.1.1.100/32
route add 2.2.2.100/32 1.1.1.100

If I do that I can ping Vendor NAT address from the firewall itself but 
telnetting to port 2.2.2.100:5000 never connects.


Then I added

nat on lo1 from 10.0.8.0/24 to 2.2.2.100 -> 1.1.1.100

If I then try to ping 2.2.2.100 from e.g. 10.0.8.101 I get

From 10.0.8.254 icmp_seq=1 Time to live exceeded

If I try to telnet to 2.2.2.100:5000 I get

# telnet 2.2.2.100 5000
Trying 2.2.2.100...
telnet: connect to address 2.2.2.100: No route to host
telnet: Unable to connect to remote host: No route to host

If I try to sniff on lo1 I get

 tcpdump -vvv -i lo1
tcpdump: listening on lo1, link-type LOOP
13:14:40.279954 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 
4262188680:4262188680(0) win 5840 mss 1460,sackOK,timestamp 883518184 
0,nop,wscale 7 (DF) [tos 0x10] (ttl 63, id 3738, len 60)
13:14:40.279982 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 
4262188680:4262188680(0) win 5840 mss 1460,sackOK,timestamp 883518184 
0,nop,wscale 7 (DF) [tos 0x10] (ttl 62, id 21751, len 60)
13:14:40.279993 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 
4262188680:4262188680(0) win 5840 mss 1460,sackOK,timestamp 883518184 
0,nop,wscale 7 (DF) [tos 0x10] (ttl 61, id 29876, len 60)


I even tried assigning 1.1.1.100 to the enc0 interface, which enables me to 
connect to 2.2.2.100:5000 from the firewall, but nat over enc0 doesn't work.


I would appreciate any help.

Thanks,


Vladimir



Re: Longest Uptime?

2008-10-29 Thread guilherme m. schroeder
Hi,

Uptimes suck. Here's the biggest I've ever seen at the company I work for:

[EMAIL PROTECTED] ~]$ uname -a
SunOS optg998 5.6 Generic_105181-26 sun4u sparc SUNW,UltraSPARC-IIi-cEngine
[EMAIL PROTECTED] ~]$ uptime
  3:40pm  up 2639 day(s), 13:50,  1 user,  load average: 0.08, 0.07, 0.06
[EMAIL PROTECTED] ~]$ date
Wed Oct 29 15:45:24 BRST 2008
[EMAIL PROTECTED] ~]$ psrinfo -v
Status of processor 0 as of: 10/29/08 15:41:07
  Processor has been on-line since 08/08/01 00:50:54.
  The sparc processor operates at 440 MHz,
and has a sparc floating point processor.
[EMAIL PROTECTED] ~]$ dmesg | tail -5
SUNW,hme0: Using External Transceiver
SUNW,hme0: 100 Mbps half-duplex Link Up
dump on /dev/md/dsk/d50 size 2042608K
SUNW,hme0: Using External Transceiver
SUNW,hme0: full-duplex Link Up

OK, it's not OpenBSD, blame me. But what I liked is that this
machine has been working for 2639 days and it still blinks green LEDs. The
hard disk never gave up either. No errors in dmesg.
It's a Netra T1 machine, running our internal DNS server. I think
we'll replace it when it dies ;)

On Wed, Oct 29, 2008 at 7:15 AM, Gilles Chehade [EMAIL PROTECTED] wrote:
 new_guy wrote:

 I know. Longest uptime is silly, macho, pointless stuff... but I ran
 across
 an old SunOS 2.6 box that had been up for 387 days. It had been hacked.
 The
 only reason it was not an open mail relay is that /var was full. So, I
 thought to myself, I bet I could run an OpenBSD box for that amount of
 time
 or longer without getting hacked and without doing much to it. Just
 wondering what's the longest OpenBSD uptime some folks on misc have seen?

 Thanks


 It is not the size of your uptime that matters, it is what you do with it.

 Gilles



Re: Longest Uptime?

2008-10-29 Thread bofh
On Wed, Oct 29, 2008 at 1:49 PM, guilherme m. schroeder
[EMAIL PROTECTED] wrote:
 OK, it's not OpenBSD, blame me. But what I liked is that this
 machine has been working for 2639 days and it still blinks green LEDs. The

We bought 2 machines (together).  Expensive ones.  After putting them
in, my peon walks around looking at them.  One had a green blinking
power led.  All is well.  The other had a red blinking power led.
Peon went nuts looking in the documentation, etc etc.  Diagnostics and
everything seems to indicate the system is working.  Called support
up.  After a while, they finally figured out what was the problem.
The vendor neglected to spec the color of the power led, and had
sourced it from 2 different factories.  So, one factory put in a green
led, and the other put in a red one.

I have since made it my life's mission to tell every single one of
their reps that in a data center, you only want to see green blinking
lights, not red blinking lights.


-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



multiple subnets and gateways on CARP interface

2008-10-29 Thread Mark Nipper
I apologize in advance if this has already been covered.
I searched the mailing lists and didn't see any mention of
exactly this question.

So I have two redundant firewalls using CARP and NAT
with one public subnet on the external interface and one private
subnet on the internal interface.  This is a fairly common setup
and is easy to accomplish with PF of course.

Now, my ISP has allocated a new, public subnet for me.
I'm wanting to add to my existing subnet on the external side.
I've seen only a handful of references to doing this on the
mailing list, and none are very detailed.  Here is my current
setup in /etc/hostname.carp0 (names and passwords changed to
protect the innocent):
---
inet 1.1.1.194 255.255.255.224 1.1.1.223 vhid 1 carpdev bnx0 pass nopasswd
inet alias 1.1.1.195 255.255.255.255
inet alias 1.1.1.198 255.255.255.255
inet alias 1.1.1.199 255.255.255.255
inet alias 1.1.1.204 255.255.255.255

Clearly, I'm not hosting services on every available IP
in this subnet at the moment.  But that's beside the point.
Also, I'm using a default gateway in /etc/mygate of:
---
1.1.1.193

Now, I want to allocate more addresses in this newly
allocated subnet.  So I just use the new subnet and netmask.
But what about other addresses in that new subnet?  Should I
designate them with 255.255.255.255 and the kernel will figure
out which subnet is which?  Like such:
---
inet 1.1.1.194 255.255.255.224 1.1.1.223 vhid 1 carpdev bnx0 pass nopasswd
inet alias 1.1.1.195 255.255.255.255
inet alias 1.1.1.198 255.255.255.255
inet alias 1.1.1.199 255.255.255.255
inet alias 1.1.1.204 255.255.255.255
inet alias 2.2.2.66 255.255.255.192
inet alias 2.2.2.67 255.255.255.255
inet alias 2.2.2.68 255.255.255.255
inet alias 2.2.2.69 255.255.255.255

I also now have essentially two possible default
gateways.  But since my ISP doesn't provide any sort of dynamic
routing, we're just going to assume the first subnet has the
default gateway, as specified above in /etc/mygate.  But I still
need to get the second subnet setup to route to in general, so I
assume I want something like this in my hostname.carp0:
---
!route add -inet 2.2.2.64/26 2.2.2.65

Or do I also need a -host or -interface route setup too?

Now, assuming all of the above is in place as it should
be, will traffic ultimately be coming and going via the proper
IP addresses?  I think I'm over analyzing this last part, but
bear with me a second.  Since my default gateway is going to be
the 1.1.1.193 gateway, will traffic destined for addresses in my
2.2.2.64/26 come from the correct source address?  I have lines
like this in my PF rules at the moment:
---
binat on bnx0 from 192.168.1.80 to any -> 1.1.1.195
rdr on bnx0 proto tcp from any to 1.1.1.195 port www -> 192.168.1.80
.
.
(further down...)
pass in on bnx0 proto tcp from any to 192.168.1.80 port www

So once I add this newly allocated subnet, I assume I
can simply put things like this:
---
binat on bnx0 from 192.168.1.50 to any -> 2.2.2.66
rdr on bnx0 proto tcp from any to 2.2.2.66 port www -> 192.168.1.50
.
.
(further down...)
pass in on bnx0 proto tcp from any to 192.168.1.50 port www

and not only will remote hosts on the public Internet be able to
access a web server running on this internal, private host but
they'll also see any connection attempts or responses from that
private internal host as coming from 2.2.2.66, correct?

The routing part is the most confusing part for me as it
seems to me like traffic will come in correctly from remote
hosts, but as soon as the firewall tries to send back out, it
will end up using the default gateway somehow and things will
get all mucked up.  But like I said, maybe I'm just over
analyzing and it will all just work as it should!

Thanks for reading this far.  I know that's a bunch of
information and I hope I made it all as clear as possible.

-- 
Mark Nipper                 e-contacts:
12345 Lamplight Vlg 818     [EMAIL PROTECTED]
Austin, Texas 78758-2564    http://nipsy.bitgnome.net/
(979)575-3193               AIM/Yahoo: texasnipsy ICQ: 66971617

---begin random quote of the moment---
There's madness in my methods.
 -- random sig seen on /. by Tough Love (215404)
end random quote of the moment
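A consistency check for the setup sketched in the post above, added here as an example and not part of Mark's mail: it parses hostname.carp0, /etc/mygate and the binat/rdr rules (all constructed below from the thread's own addresses, with one deliberately wrong binat target) and reports public addresses PF uses that carp0 does not carry, aliases outside any configured subnet, and gateways that are not on-link.

```python
"""Consistency check for a CARP interface carrying two public subnets.

Added example, not from the original post: parse the hostname.carp0 lines,
the /etc/mygate gateway and the PF translation rules from the thread and
check that they agree. All input is constructed here to mirror that setup.
"""
import ipaddress
import re

# Constructed sample of /etc/hostname.carp0 with both subnets configured
HOSTNAME_CARP0 = """\
inet 1.1.1.194 255.255.255.224 1.1.1.223 vhid 1 carpdev bnx0 pass nopasswd
inet alias 1.1.1.195 255.255.255.255
inet alias 1.1.1.198 255.255.255.255
inet alias 2.2.2.66 255.255.255.192
inet alias 2.2.2.67 255.255.255.255
!route add -inet 2.2.2.64/26 2.2.2.65
"""
MYGATE = "1.1.1.193"

# Constructed sample PF rules; the last one points at an address that
# is NOT configured on carp0, the mistake the check is meant to catch
PF_RULES = """\
binat on bnx0 from 192.168.1.80 to any -> 1.1.1.195
rdr on bnx0 proto tcp from any to 1.1.1.195 port www -> 192.168.1.80
binat on bnx0 from 192.168.1.50 to any -> 2.2.2.66
rdr on bnx0 proto tcp from any to 2.2.2.66 port www -> 192.168.1.50
binat on bnx0 from 192.168.1.51 to any -> 2.2.2.99
"""


def parse_hostname(text):
    """Return (addresses, subnets, routes) from hostname.if(5) lines.

    addresses: every address on the interface (primary and aliases)
    subnets:   networks implied by netmasks shorter than /32
    routes:    (network, gateway) pairs from '!route add' lines
    """
    addresses, subnets, routes = set(), set(), []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "inet":
            # 'inet ADDR MASK [BCAST opts...]' or 'inet alias ADDR MASK'
            i = 2 if parts[1] == "alias" else 1
            addr, mask = parts[i], parts[i + 1]
            addresses.add(ipaddress.ip_address(addr))
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if net.prefixlen < 32:
                subnets.add(net)
        elif parts[:2] == ["!route", "add"]:
            # '!route add -inet NET/LEN GATEWAY'
            routes.append((ipaddress.ip_network(parts[-2], strict=False),
                           ipaddress.ip_address(parts[-1])))
    return addresses, subnets, routes


def pf_public_addresses(text):
    """Collect the external addresses that binat/rdr rules depend on."""
    found = set()
    for line in text.splitlines():
        m = (re.match(r"binat\b.*->\s*(\S+)", line)
             or re.match(r"rdr\b.*?\bto\s+(\S+)", line))
        if m:
            try:
                found.add(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # 'any', a table or a macro, not a literal address
    return found


def check(hostname_text, mygate, pf_text):
    """Return a list of problems; an empty list means the pieces agree."""
    addresses, subnets, routes = parse_hostname(hostname_text)
    problems = []
    # 1. PF can only translate to addresses the CARP interface answers for
    for addr in sorted(pf_public_addresses(pf_text)):
        if addr not in addresses:
            problems.append(f"{addr} used by PF but not configured on carp0")
    # 2. a /32 alias must belong to a subnet the interface actually knows
    for addr in sorted(addresses):
        if not any(addr in net for net in subnets):
            problems.append(f"{addr} lies in no configured subnet")
    # 3. the default gateway and any static-route gateway must be on-link
    gw = ipaddress.ip_address(mygate)
    if not any(gw in net for net in subnets):
        problems.append(f"default gateway {gw} is not on a configured subnet")
    for net, rgw in routes:
        if not any(rgw in s for s in subnets):
            problems.append(f"route to {net} via {rgw}: gateway not on-link")
    return problems


if __name__ == "__main__":
    for p in check(HOSTNAME_CARP0, MYGATE, PF_RULES) or ["no problems found"]:
        print(p)
```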



Re: Looking for EeePC 701

2008-10-29 Thread Marcus Glocker
On Wed, Oct 29, 2008 at 06:45:11AM +0100, Marcus Glocker wrote:

 Hi Folks,
 
 We want to add USB BULK support for UVC devices in our uvideo(4)
 driver.  There are not that many UVC devices around which do
 BULK transfers, but the advantage would be that BULK transfers are
 working a bit more stable than our current ISOC implementation
 and we could do some further testing.
 
 One device which I know for sure that has a built-in BULK cabable
 device is the EeePC 701.  If somebody would be willing to donate
 such a device to me, please contact me off-list.
 
 Thanks.
 
 Regards,
 Marcus

Hi Guys,

We've already got many offers in a very short period and one
device should almost be on the way to me plus an additional device
for one or two more developers.  That's more than enough!

Many thanks for the great and quick support!

Best Regards,
Marcus

-- 
[ Marcus Glocker, [EMAIL PROTECTED], [EMAIL PROTECTED]   ]



Re: Serial ATA RAID ctrl on PCI

2008-10-29 Thread Noah Pugsley
For example:

# bioctl arc0
Volume  Status   Size Device 
 arc0 0 Online  199336448 sd0 RAID6
  0 Online   500107862016 0:0.0   noencl ST3500320AS SD15
  1 Online   500107862016 0:1.0   noencl ST3500630AS 3.AAG
  2 Online   500107862016 0:2.0   noencl ST3500320AS SD15
  3 Online   500107862016 0:3.0   noencl ST3500320AS SD15
  4 Online   500107862016 0:4.0   noencl ST3500320AS SD15
  5 Online   500107862016 0:5.0   noencl ST3500320AS SD15

# sysctl hw.sensors.arc0
hw.sensors.arc0.drive0=online (sd0), OK

From /etc/sensorsd.conf

drive:command=echo "%t failed with status: %s %2 on %x" | mail -s "`hostname` sensorsd CRITICAL \(RAID\) alarm"



Stuart Henderson wrote:
 On 2008-10-28, Don Jackson [EMAIL PROTECTED] wrote:
   
 On Oct 28, 2008, at 3:47 PM, Robert Franklin wrote:

 
 Did you read the man page for arc(4)? It says right there.
   
 I did, and I'm not seeing anything.
 

 ...
  arc supports alarm control and monitoring of volumes configured on the
  controllers via the bio(4) interface and the bioctl(8) utility.
 ...



congrats and update questions

2008-10-29 Thread Kapetanakis Giannis

Hi all,

First I'd like to give my congrats to all OpenBSD dev team.
The last time I used it was back in 2.5 release.

I decided to check it out again when an old alpha came in my hands recently,
which was ideal for running particular services (replacement for an RS6000
that died).
I also installed it today on a newer PA-RISC 8600 (smp is not yet there
but I can live :)


Its simplicity, efficiency, maturity and the logic of the whole project
made another happy sysadm (the rms thread in this list also contributed
to this... omg :))

Well done again! (I needed to say this)

And a few quick questions since I haven't found relevant info online:

a) for how long is each release supported in terms
of security patches (as well as important updates) after a new release
is out?

Does this apply to i386 only or to all the archs?

b) if the userland build (make build in /usr/src) is forced to stop,
how can you continue from the point where it stopped?

c) I chose to follow the -stable release OPENBSD_4_3. What happens
when I update my sources with cvs up? Do I have to rebuild the whole thing
again from scratch, or does it detect the new diffs and
compile/install only those?

Are there any other working options available?
I don't want to make a mess by playing with make args.

regards,

Giannis



Re: congrats and update questions

2008-10-29 Thread Jim Razmus
* Kapetanakis Giannis [EMAIL PROTECTED] [081029 15:32]:
 Hi all,

 First I'd like to give my congrats to all OpenBSD dev team.
 The last time I used it was back in 2.5 release.

 I decided to check it out again when an old alpha came in my hands recently,
 which was ideal for running particular services (replacement for an RS6000
 that died).
 I also installed it today on a newer PA-RISC 8600 (smp is not yet there
 but I can live :)

 Its simplicity, efficiency, maturity and the logic of the whole project
 made another happy sysadm (the rms thread in this list also contributed
 to this... omg :))
 Well done again! (I needed to say this)

 And a few quick questions since I haven't found relevant info online:

 a) for how long is each release supported in terms
 of security patches (as well as important updates) after a new release
 is out?
 Does this apply to i386 only or to all the archs?

Short answer: the two most current releases are supported.

http://www.openbsd.org/faq/faq5.html

Applies to all archs.



 b) if the userland build (make build in /usr/src) is forced to stop,
 how can you continue from the point where it stopped?


make should be able to figure out what's built and what's not.  Try
another make build and see, or go conservatively with make clean,
depend, and build to start from scratch.

 c) I chose to follow the -stable release OPENBSD_4_3. What happens
 when I update my sources with cvs up? Do I have to rebuild the whole thing
 again from scratch, or does it detect the new diffs and
 compile/install only those?

Your question implies some unfamiliarity with the build tools and
process.  I recommend studying FAQ 5 as well as these:

http://www.openbsd.org/faq/current.html
http://www.openbsd.org/stable.html

 Are there any other working options available?

snapshots, as described in FAQ 5.

 I don't want to make a mess by playing with make args.

 regards,

 Giannis


Good luck!

Jim



new home box for secure data storage

2008-10-29 Thread Douglas A. Tutty
I'll be setting up a new box for the house and I want to use OpenBSD for
it, both for its security and since it will be an older box it will run
better than with Debian.

Roles:

main firewall for dialup internet access.
fetchmail and sendmail to ISP smarthost
other simple stuff (have another box for insecure stuff like watching
videos, surfing the net with javascript and flash).


We've moved and now our main security threat is physical security.  We
don't want the data on the computer (i.e. in the /home directories) to
be readable if someone steals the box.

I'm thinking I could go two routes:

1.  encrypt all of /home with an encrypted virtualfs file.  However,
then the data is unencrypted whenever the box is powered on.

2.  I wonder if there's a way to have per-user home directory
encryption so that the user's directory is accessed/unencrypted/mounted
(whatever the semantics) on login and recrypted/unmounted on logout.

Have swap and /tmp encrypted too.  Also, perhaps per-user $TMP
directories if I go with plan 2, above.

I think I want root to be able to mount/access the directories so that
the data can be included in a backup set (which is then piped through
openssl for encryption) on a file-by-file basis rather than just backing
up a filesystem image and risking the whole thing if that image becomes
corrupted.

Ideas?  What do others do to secure /home?  I read on undeadly an idea
of putting the /home filesystem on a removable drive and putting it into
a safe but then you have to have the safe mounted securely.

Doug.



Re: new home box for secure data storage

2008-10-29 Thread Almir Karic
On Wed, Oct 29, 2008 at 04:14:22PM -0400, Douglas A. Tutty wrote:
 I'll be setting up a new box for the house and I want to use OpenBSD for
 it, both for its security and since it will be an older box it will run
 better than with Debian.
 
 Roles:
 
 main firewall for dialup internet access.
 fetchmail and sendmail to ISP smarthost
 other simple stuff (have another box for insecure stuff like watching
   videos, surfing the net with javascript and flash).
 
 
 We've moved and now our main security threat is physical security.  We
 don't want the data on the computer (i.e. in the /home directories) to
 be readable if someone steals the box.

if someone knowledgeable enough has physical access to the running box, you
can't keep the data private.



How to Organize a Results-Oriented Training Area

2008-10-29 Thread Ingrid Gomez
How to Organize a Results-Oriented Training Area

Mexico City - November 6

Last Presentation of the Year!


As the person responsible for the Human Resources or Training area, you are
aware that the failure or consolidation of the company and its projects
depends on the talent of its people; however, given the traditional results
of training, for many executives this work only represents a waste of time
and money, so your challenge must be to ORGANIZE A TRAINING AREA THAT IS
TRULY RESULTS-ORIENTED...

Quality Training de México, through this valuable seminar, will give you the
tools that will turn your training area into a trigger for achieving your
company's strategies and will help you identify the talent needed to do so.
Attend and learn how to direct training efforts to develop that talent, the
different ways of organizing training activities, and the indicators of its
effectiveness, obtaining among other benefits:

. Organize the training area in the most effective way.
. Identify talent needs precisely.
. Identify the training modality suited to the organization and its
objectives.
. Win the commitment and support of the other areas for training.
. Ensure that the investment in training pays off.


-Request a free brochure with the complete information on this seminar

Reply to this e-mail with the following details:
Seminar: How to Organize a Results-Oriented Training Area
Name:
Company:
Position:
Telephone:
City:

Or call us at 01.800.250.10.20 (toll-free)

.

This invitation was sent to: misc@openbsd.org
If you do not want future e-mails, reply nocap



Re: new home box for secure data storage

2008-10-29 Thread Ted Unangst

I think I want root to be able to mount/access the directories so that
the data can be included in a backup set (which is then piped through
openssl for encryption) on a file-by-file basis rather than just backing
up a filesystem image and risking the whole thing if that image becomes
corrupted.


Most of your requests are pretty common and come up frequently enough
you should be able to find the answers, but this part makes me
wonder.  So how does root have the key?  Do you type it in every time
you do a backup or is there a file called dontreadthis in /root?


You could maybe do some tricks with cfs but it's a guaranteed shot in  
the foot.



Ideas?  What do others do to secure /home?


I don't let people steal my computers. 



Re: new home box for secure data storage

2008-10-29 Thread STeve Andre'
On Wednesday 29 October 2008 16:41:36 Almir Karic wrote:
 On Wed, Oct 29, 2008 at 04:14:22PM -0400, Douglas A. Tutty wrote:
  I'll be setting up a new box for the house and I want to use OpenBSD for
  it, both for its security and since it will be an older box it will run
  better than with Debian.
 
  Roles:
 
  main firewall for dialup internet access.
  fetchmail and sendmail to ISP smarthost
  other simple stuff (have another box for insecure stuff like watching
  videos, surfing the net with javascript and flash).
 
 
  We've moved and now our main security threat is physical security.  We
  don't want the data on the computer (i.e. in the /home directories) to
  be readable if someone steals the box.

 if someone knowledgeable enough has physical access to the running box, you
 can't keep the data private.

That's true, but you can make it awfully hard to get the data.  I know
of someone who put his computer in a gun closet, which is a tall metal
cabinet weighing many hundreds of pounds, secured with bolts inside
the case to the cement wall in the basement.  Could you get it?  Sure:
with enough effort and possibly explosives.

You can secure a computer pretty well.  Just think heavy and bolted
to a wall.

--STeve Andre'



Re: PostgreSQL Problems

2008-10-29 Thread Louis V. Lambrecht

Simon Connah wrote:
Sorry if this is the wrong list, I debated whether to post it to ports 
but as it is not a problem with the port itself and is more a user 
problem (i.e I'm being stupid :)) I thought misc was probably more 
appropriate.


Anyway I've been trying to get PostgreSQL setup on my 4.3 box and I'm 
not having much luck at all. I've followed the instructions in 
README.OpenBSD but I think I am missing something very simple here. 
Any help would be greatly appreciated.


Thank you.

It would probably be easier to post a log of all the steps I have 
taken so here it is:


[Sun Oct 26 16:20:48 [EMAIL PROTECTED]:~]sudo su -
[Sun Oct 26 16:20:52 [EMAIL PROTECTED]:~]passwd _postgresql
Changing local password for _postgresql.
New password:
Retype new password:
[Sun Oct 26 16:21:12 [EMAIL PROTECTED]:~]logout
[Sun Oct 26 16:21:16 [EMAIL PROTECTED]:~]su - _postgresql
Password:
$ mkdir /var/postgresql/data
$ initdb -D /var/postgresql/data -U postgres -A md5 -W
The files belonging to this database system will be owned by user 
_postgresql.

This user must also own the server process.

The database cluster will be initialized with locale C.

fixing permissions on existing directory /var/postgresql/data ... ok
creating subdirectories ... ok
selecting default max_connections ... 10
selecting default shared_buffers/max_fsm_pages ... 400kB/2
creating configuration files ... ok
creating template1 database in /var/postgresql/data/base/1 ... FATAL: 
could not create shared memory segment: Cannot allocate memory

DETAIL: Failed system call was shmget(key=1, size=1646592, 03600).
HINT: This error usually means that PostgreSQL's request for a shared 
memory segment exceeded available memory or swap space. To reduce the 
request size (currently 1646592 bytes), reduce PostgreSQL's 
shared_buffers parameter (currently 50) and/or its max_connections 
parameter (currently 10).
The PostgreSQL documentation contains more information about shared 
memory configuration.

child process exited with exit code 1
initdb: removing contents of data directory /var/postgresql/data
$ logout
sh: logout: not found
$ exit
[Sun Oct 26 16:23:32 [EMAIL PROTECTED]:~]sudo shutdown -r now
Shutdown NOW!
shutdown: [pid 30708]
[Sun Oct 26 16:23:44 [EMAIL PROTECTED]:~]
*** FINAL System shutdown message from [EMAIL PROTECTED] ***
System going down IMMEDIATELY



System shutdown time has arrived
Connection to 192.168.1.15 closed by remote host.
Connection to 192.168.1.15 closed.
typhoon:~ simon$ ssh [EMAIL PROTECTED]
ssh: connect to host 192.168.1.15 port 22: Connection refused
typhoon:~ simon$ ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Last login: Sun Oct 26 16:22:14 2008 from typhoon.local
OpenBSD 4.3 (GENERIC) #2: Wed Oct 22 22:43:28 BST 2008

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code. With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

[Sun Oct 26 16:25:14 [EMAIL PROTECTED]:~]top
[Sun Oct 26 16:25:36 [EMAIL PROTECTED]:~]su - _postgresql
Password:
$ initdb -D /var/postgresql/data -U postgres -A md5 -W
The files belonging to this database system will be owned by user 
_postgresql.

This user must also own the server process.

The database cluster will be initialized with locale C.

fixing permissions on existing directory /var/postgresql/data ... ok
creating subdirectories ... ok
selecting default max_connections ... 40
selecting default shared_buffers/max_fsm_pages ... 28MB/179200
creating configuration files ... ok
creating template1 database in /var/postgresql/data/base/1 ... ok
initializing pg_authid ... ok
Enter new superuser password:
Enter it again:
setting password ... ok
initializing dependencies ... ok
creating system views ... ok
loading system objects' descriptions ... ok
creating conversions ... ok
setting privileges on built-in objects ... ok
creating information schema ... ok
vacuuming database template1 ... ok
copying template1 to template0 ... ok
copying template1 to postgres ... ok

Success. You can now start the database server using:

postgres -D /var/postgresql/data
or
pg_ctl -D /var/postgresql/data -l logfile start

$ pg_ctl -D /var/postgresql/data -l logfile start
server starting
$ createuser simon
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) y
Shall the new role be allowed to create more new roles? (y/n) y
Password:
createuser: could not connect to database postgres: FATAL: password 
authentication failed for user _postgresql

$ createuser simon
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) y
Shall the new role be allowed to create more new roles? (y/n) y
Password:
createuser: could not connect to database postgres: 

Management of HP Proliant DL and BL Series

2008-10-29 Thread Mikel Lindsaar
I've got a few (10) HP DL and BL servers running OpenBSD.

These are spread out over several sites and run our firewalls and
monitoring servers.

Trying to find the best way to monitor them for drive, psu failures etc.

Has anyone had any success along this line?

Looking at the various sites, the best option seems to be trying to
get the HP Linux health drivers working to generate traps, but don't
know if trying to do this is pie in the sky.

What tools / options would you recommend?

Mikel



Re: new home box for secure data storage

2008-10-29 Thread Douglas A. Tutty
On Wed, Oct 29, 2008 at 09:41:36PM +0100, Almir Karic wrote:
 On Wed, Oct 29, 2008 at 04:14:22PM -0400, Douglas A. Tutty wrote:
  I'll be setting up a new box for the house and I want to use OpenBSD for
  it, both for its security and since it will be an older box it will run
  better than with Debian.
  
  Roles:
  
  main firewall for dialup internet access.
  fetchmail and sendmail to ISP smarthost
  other simple stuff (have another box for insecure stuff like watching
  videos, surfing the net with javascript and flash).
  
  
  We've moved and now our main security threat is physical security.  We
  don't want the data on the computer (i.e. in the /home directories) to
  be readable if someone steals the box.
 
 if someone knowledgeable enough has physical access to the running box, you
 can't keep the data private.

If the box is running but no users are logged-in, why can't the data be
encrypted and therefore private?  This is my thinking about per-user
home directory/partition encryption.  

Doug.



Re: new home box for secure data storage

2008-10-29 Thread Douglas A. Tutty
On Wed, Oct 29, 2008 at 02:56:53PM -0700, Ted Unangst wrote:
 
 I think I want root to be able to mount/access the directories so that
 the data can be included in a backup set (which is then piped through
 openssl for encryption) on a file-by-file basis rather than just backing
 up a filesystem image and risking the whole thing if that image becomes
 corrupted.
 
 Most of your requests are pretty common and come up frequently enough
 you should be able to find the answers, but this part makes me
 wonder.  So how does root have the key?  Do you type it in every time
 you do a backup or is there a file called dontreadthis in /root?

Let's say the key is in a file.  Let's encrypt that file with openssl and
keep it in /root.  Whoever runs the backup program is asked for the
passphrase to unlock the file.  The backup program then uses that file
to mount the directories to back them up.

 You could maybe do some tricks with cfs but it's a guaranteed shot in  
 the foot.
 
 Ideas?  What do others do to secure /home?
 
 I don't let people steal my computers. 

Of course there's the risk/benefit/cost analysis.  Gun cabinets or safes
bolted to the floor work but are expensive.  I could get the same kind
of deterrence if I installed a big rack-mount 12U server full of a dozen
hard drives (think too heavy for one person to steal, assuming that they
recognized it as a computer in the first place).  Software encryption is
free.

Doug.



Skills for Conducting Effective Meetings

2008-10-29 Thread Ingrid Gomez
Skills for Conducting Effective Meetings Like Never Before!

Mexico City - November 6

Only Presentation of the Year!


Mental block... unproductiveness... wasted time... Does this sound familiar?
If you have sat through a bad meeting, then you have lived through all of the
above. Meetings whose objectives were never defined drag on for hours,
conflict dominates the discussion and halts progress... In the end nothing is
achieved.

These situations turn meetings into an obstacle and a real productivity
problem. But managed correctly, your meetings can promote communication,
generate new ideas, boost morale, set objectives, build teams and much more!!

From drawing up an agenda to handling opposing opinions, this seminar gives
you the solutions you need to bring your meetings to life. Attend and pick up
easy strategies to improve your meetings quickly. You will learn to lead
positive and productive discussions, identify and neutralize the hidden
issues that pull you off topic, quickly mediate conflict and arguments when
the "know-it-alls" erupt, and achieve powerful closings that guarantee
commitment, action and understanding from every participant, including also:

. How to determine whether your meeting is necessary.
. Skills for leading contentious discussions.
. Key aptitudes a facilitator must have to communicate effectively.
. Tips that will help you achieve positive results in your meeting.
. Understanding group dynamics and what causes flare-ups.
. How to identify and neutralize hidden agendas.
. How to develop a good discussion and keep it going.
. Closing strategies and techniques that win commitment and get results.
. Tools and activities that guarantee interesting and memorable meetings.


-Request a free brochure with the complete information on this seminar

Reply to this e-mail with the following details:
Seminar: Skills for Conducting Effective Meetings Like Never Before!
Name:
Company:
Position:
Telephone:
City:

Or call us at 01.800.250.10.20 (toll-free)

.

This invitation was sent to: misc@openbsd.org
If you do not want future e-mails, reply noreu



Re: new home box for secure data storage

2008-10-29 Thread patric conant
I'm confused, the encrypted volume cannot be backed up without a key?

On Wed, Oct 29, 2008 at 8:45 PM, Douglas A. Tutty [EMAIL PROTECTED] wrote:

 On Wed, Oct 29, 2008 at 02:56:53PM -0700, Ted Unangst wrote:
 
  I think I want root to be able to mount/access the directories so that
  the data can be included in a backup set (which is then piped through
  openssl for encryption) on a file-by-file basis rather than just backing
  up a filesystem image and risking the whole thing if that image becomes
  corrupted.
 
  Most of your requests are pretty common and come up frequently enough
  you should be able to find the answers, but this part makes me
  wonder.  So how does root have the key?  Do you type it in every time
  you do a backup or is there a file called dontreadthis in /root?

 Lets say the key is in a file.  Lets encrypt that file with openssl and
 keep it in /root.  Whoever runs the backup program is asked for the
 passphrase to unlock the file.  The backup program then uses that file
 to mount the directories to back them up.

  You could maybe do some tricks with cfs but it's a guaranteed shot in
  the foot.
 
  Ideas?  What do others do to secure /home?
 
  I don't let people steal my computers.

 Of course there's the risk/benefit/cost analysis.  Gun cabinets or safes
 bolted to the floor work but are expensive.  I could get the same kind
 of deterrence if I installed a big rack-mount 12U server full of a dozen
 hard drives (think too heavy for one person to steal, assuming that they
 recognized it as a computer in the first place).  Software encryption is
 free.

 Doug.




-- 
Some software money can't buy. For everything else there's Micros~1.



Re: new home box for secure data storage

2008-10-29 Thread Douglas A. Tutty
On Wed, Oct 29, 2008 at 09:09:20PM -0500, patric conant wrote:
 I'm confused, the encrypted volume cannot be backed up without a key?

Sure, I could backup the encrypted volume.  However, I'd rather back the
data up as an unencrypted directory along with everything else.  

I don't know what's involved in e.g. restoring an accidentally deleted
file from within an encrypted volume.  I guess I'd treat it like a
tarball in that it's a file, mount it somewhere using the usual key and
retrieve the file, mount the user's encrypted volume and copy the file
back where it belongs.

It's likely that it's me that's confused.  Since what I'm contemplating
doesn't seem to be mainstream, I'm assuming that backup and restore
procedures aren't mainstream (e.g. have the kinks worked out) either.
That assumption could be invalid.

Doug.



Corrupted RAIDFrame device

2008-10-29 Thread Paul M

Hi all

I have a simple 2 disk RAID 1 array which has become corrupted by a 
faulty memory module.


If I repeatedly generate an MD5 hash on the same file, I consistently
get 1 of 2 values back, roughly alternating, so I assume that the 2
disks have different versions of the same file and they are accessed
more-or-less alternately. 'raidctl -s' tells me that all is well with
the array.
It appears that the likelihood of corruption is greater with larger
files - approx 1/2 gig are pretty much all corrupt while small files
are pretty much all ok. All this sounds reasonable under the
circumstances.


My idea on recovering as much as possible was to disconnect 1 drive,
copy all the data off, switch to the other drive and do the same, then
run an analysis on the 2 copies - if a file is the same on both copies,
then it's probably ok, if they differ, then one or both will be bad.


So, I did the first copy, but when I swap to the other disk, RAIDFrame 
has remembered that this has 'failed' so will not configure it into the 
set (as I feared it would(nt)).


Does anyone know how I can tell RAIDFrame that the first drive is 
actually ok, or is my reasoning just nonsense anyway?

What would a parity re-write do in this case?

Ironically this computer is in the process of being configured as backup
storage, so while I have the originals of most of the data, there is
some that I don't, and I haven't yet set up the secondary (off site)
backups. And yes I did test the backups were ok, the first ones at 
least. It appears the module failed some time during the process. I 
know, I should have been anal and checked every single one, but it was 
all brand new hardware ...

Actually, that's when failure rates are high.


paulm



Re: Longest Uptime?

2008-10-29 Thread Andres Genovez
2008/10/29 Gilles Chehade [EMAIL PROTECTED]

 new_guy wrote:

 I know. Longest uptime is silly, macho, pointless stuff... but I ran
 across
 an old SunOS 2.6 box that had been up for 387 days. It had been hacked.
 The
 only reason it was not an open mail relay is that /var was full. So, I
 thought to myself, I bet I could run an OpenBSD box for that amount of
 time
 or longer without getting hacked and without doing much to it. Just
 wondering what's the longest OpenBSD uptime some folks on misc have seen?

 Thanks





  It is not the size of your uptime that matters, it is what you do with
 it.

Nice One :)


 Gilles


http://www.crice.org



Re: Capture serial port output to a file

2008-10-29 Thread Sean Kamath

On Oct 29, 2008, at 2:13 AM, J.C. Roberts wrote:


On Tuesday 28 October 2008, Marc Balmer wrote:

* Bruce Bauer wrote:

Problem:
OpenBSD 4.2 on i386
Serial port /dev/cua00 connected to the console port on a firewall.
I need to catch all text output from the serial port to a file.
The process doing this must survive a loss of network.
The box is running headless.


I could suggest you run cu in a screen session.  I have used

cu ... | tee logfile

in the past, but there are possibly more elegant solutions



I've never tried using tee(1) but it is more elegant than using the
default solution provided by tip/cu/remote.


I use 'script'.  It gets EVERYTHING.  You have to do a little
post-processing, but it works very well.


However, if you're saying that you want to capture all output on the
firewall coming in to /dev/cua00, why not just open the device and
read from it?  'tail -f /dev/cua00 > logfile' would do this.  Assuming
that you have the line dedicated to this and don't need to provide any
input.


If you want to use 'cu', you could also investigate the 'record'  
variable. (~s record /path/to/logfile)


Sean