Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-05 Thread Ingo Schwarze
Hi,

talking about setting the record straight...

System Administrator wrote on Sat, Oct 04, 2014 at 11:57:56PM -0400:

 2. Open*BSD* as the name implies, had no decades old Unix code and
 by now has had much of the _original_ BSD code replaced as well.

The ancestors of OpenBSD are, in direct line only:

 * Version 1 ATT UNIX   (Nov. 1971)
 * Version 2 ATT UNIX   (June 1972) based on v1
 * Version 3 ATT UNIX   (Feb. 1973) based on v2
 * Version 4 ATT UNIX   (Nov. 1973) based on v3
 * Version 5 ATT UNIX   (June 1974) based on v4
 * Version 6 ATT UNIX   (May  1975) based on v5
 * PWB/UNIX 1.0  (July 1977) based on v6
 * 1BSD  (Mar. 1978) based on v6
 * Version 7 ATT UNIX   (Jan. 1979) based on v6 and PWB
 * 2BSD  (May  1979) based on v6
 * Version 32v ATT UNIX (May  1979) based on v7
 * 3BSD  (Feb. 1980) based on 32v and 2BSD
 * 4.0BSD(Nov. 1980) based on 3BSD
 * 4.1BSD(June 1981) based on 4.0BSD
 * 4.1aBSD   (May  1982) based on 4.1BSD
 * 4.1cBSD   (Dec. 1982) based on 4.1aBSD
 * 4.2BSD(Sep. 1983) based on 4.1cBSD
 * 4.3BSD(July 1986) based on 4.2BSD
 * 4.3BSD-Tahoe  (June 1988) based on 4.3BSD
 * BSD Net/1 (Mar. 1989) based on 4.3BSD-Tahoe
 * 4.3BSD-Reno   (June 1990) based on Tahoe and Net/1
 * BSD Net/2 (Aug. 1991) based on 4.3BSD-Reno
 * 386BSD 0.0(Mar. 1992) based on Net/2
 * 386BSD 0.1(July 1992) based on 386BSD 0.0
 * NetBSD 0.8(Apr. 1993) based on 386BSD 0.1
 * 4.4BSD(June 1993) based on Reno and Net/2
 * NetBSD 0.9(Aug. 1993) based on NetBSD 0.8
 * 4.4BSD-Lite1  (Apr. 1994) based on 4.4BSD
 * NetBSD 1.0(Oct. 1994) based on NetBSD 0.9 and 4.4BSD-Lite1
 * 4.4BSD-Lite2  (June 1995) based on 4.4BSD-Lite1
 * OpenBSD 1.2   (July 1996) based on NetBSD 1.0
 * OpenBSD 2.0   (Oct. 1996) based on OpenBSD 1.2 and 4.4BSD-Lite2
 
It is true that much of the original BSD code has been replaced.
But looking closely, you will still find decades old code from
almost all BSD releases.  Compare, for example,

  http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/expand/expand.c?annotate=HEAD

to

  http://minnie.tuhs.org/cgi-bin/utree.pl?file=1BSD/s6/expand.c

in particular the main loop.  Yes, much of the code has been amended,
but some parts have remained unchanged for more than 36 years.
According to the Berne Convention, that file still contains text
covered by Bill Joy's Copyright, even though - following U.S.
Copyright law - the Copyright Notice only mentions The Regents.
That is just one of no doubt many examples.

It is even possible that OpenBSD still contains traces of decades 
old ATT UNIX code.  Good candidates for looking are the following 23
files, see http://www.groklaw.net/article.php?story=20041126130302760 :

  sys/kern/init_main.c
  sys/kern/kern_clock.c
  sys/kern/kern_exec.c
  sys/kern/kern_exit.c
  sys/kern/kern_physio.c
  sys/kern/kern_sig.c
  sys/kern/kern_synch.c
  sys/kern/subr_rmap.c
  sys/kern/sys_generic.c
  sys/kern/sys_process.c
  sys/kern/tty.c
  sys/kern/tty_subr.c
  sys/kern/vfs_bio.c
  sys/kern/vfs_syscalls.c
  sys/sys/buf.h
  sys/sys/proc.h
  sys/sys/tty.h
  sys/ufs/dinode.h
  sys/ufs/inode.h
  sys/ufs/ufs_bmap.c
  sys/ufs/ufs_disksubr.c
  sys/ufs/ufs_inode.c
  sys/ufs/ufs_vnops.c

I checked init_main.c, and it still says:

 * (c) UNIX System Laboratories, Inc.
 * All or some portions of this file are derived from material licensed
 * to the University of California by American Telephone and Telegraph
 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
 * the permission of UNIX System Laboratories, Inc.

I'm too lazy now to check whether any of that code *actually* still
remains or if it has *incidentally* all been replaced since.  In
any case, I'm not aware that there ever was any *intentional* effort
to replace ATT UNIX code in these files.  So your claim that none
remains seems somewhat bold to me.  Then again, if any remains, it
is certainly not a large amount.

History is fun (litigation not so much).

Yours,
  Ingo



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-05 Thread Otto Moerbeek
On Sun, Oct 05, 2014 at 11:36:33AM +0200, Ingo Schwarze wrote:


And please keep in mind that the statement old code = bad code is
not true. Old code can be bad or good, just like new code. 

-Otto



Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-05 Thread Matti Karnaattu
 1. OpenBSD is a great example of the difference that having security as
 a primary design and development objective makes, unlike most other
 OSes (including all flavors of linux) which do added security.

Yes, primary objective. Definitely.

It is also a form of added security, because it is based on constantly
iterating and auditing old source and design. It wasn't made with a
cleanroom software development process from the ground up.

Of course, I and probably everyone else here appreciate the real
security which is achieved by correcting the bugs.

 A quick look at [0] demonstrates your utter ignorance of EAL

I know EAL. My point was that ancient insecure stuff can be secured by
auditing, re-engineering and using mitigations. OpenBSD is a prime example.

These methods also apply to running JavaScript.

 It's probably high time to let this utterly degenerated thread die..

I agree. It has served its purpose when Matthew pointed out that sandboxing
is not implemented in Chromium or Firefox.



Re: NAT logging and limits using pf

2014-10-05 Thread Kapetanakis Giannis

On 03/10/14 19:07, Russell Sutherland wrote:

I am trying to determine whether using an OpenBSD system to perform
institutional NAT for our wireless users would be a viable option.

At the present time we are evaluating the A10 Thunder CGN  appliance.

There are a few issues for which I would like to get some input for those
using pf for NAT in large environments (> 10k users)


   *   are there problems with arp cache resources ?
   *   can logging be modified to use radius ? We really need some hooks to
determine who is/was responsible for a given session.

Thanks in advance for any operational experience you may have using pf in a
similar environment.


--
Russell Sutherland  I+TS


We're doing NAT for a few thousand users/PCs without any issue.
I don't think 10k or more users will be a problem either. Just use more 
than one address in nat-to in order to have enough ports for 
translation. You can also use source-hash to ensure that the NAT address is 
the same for a given source IP.


Also check sysctl parameters net.inet.ip.portfirst/net.inet.ip.portlast

In order to determine who is responsible for a given session you 
probably need to use netflows/pflow.

Searching the @misc archive for this will give you enough starting help.

You have to combine it with some kind of user authentication at the 
point where the user is getting the private IP address (802.1x / VPN etc)

Use radius there to log user-private IP match.

good luck

G
ps. Searching for arp cache limits didn't give any results. I think you 
only have to worry about that if the users' network is directly 
connected to your firewall. However, I can't find what the limits are for 
the arp cache/route cache.




Re: npppd ipsec port 500 INVALID_MESSAGE_ID

2014-10-05 Thread Швецов Михаил

Thanks for your guide.
But my trouble is:
1. ISP LAN - I get an IP by dhclient (IP + default route + DNS).
2. I have a global IP, but this is not working. In ifconfig I can't see my 
global IP.

How do I set up /etc/ipsec.conf with dhclient and a global IP?

04.10.2014 18:54, Zhi-Qiang Lei wrote:

On Oct 4, 2014, at 5:51 PM, mishve...@rambler.ru wrote:


I have OpenBSD 5.4 amd64. I install npppd and configure IPSec(l2tp +
password).

LAN 192.168.1.1/255.255.255.0

WAN (ISP NET; connected by MAC address) 10.0.0.1/255.0.0.0

ISP GET ME GLOBAL IP SERVER1-Openbsd - 1.2.3.4

WIN 2003 SERVER2 IP - 9.8.7.6

WIN 2003 SERVER3 IP - 192.168.1.100

When the server boots:

# cat /etc/hostname.em0
inet 192.168.1.1 255.255.255.0

# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255

# cat /etc/hostname.re0
dhcp

# ifconfig re0
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 10.200.81.220 netmask 0xfffff000 broadcast 10.200.95.255

# route show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.200.80.1        UGS        6     1439     -     8 re0
10.200.80/20       link#2             UC         1        0     -     4 re0
10.200.80.1        28:6e:d4:6e:0a:e1  UHLc       1        0     -     4 re0
10.200.81.220      localhost          UGS        0        0 33144     8 lo0
loopback           localhost          UGRS       0        0 33144     8 lo0
localhost          localhost          UH         2       35 33144     4 lo0
192.168.1/24       link#1             UC         2        0     -     4 em0
192.168.1.67       00:1a:13:18:b3:7c  UHLc       0        0     -     4 em0
192.168.1.255      link#1             UHLc       3       43     -     4 em0
BASE-ADDRESS.MCAST localhost          URS        0        0 33144     8 lo0

# cat /etc/resolv.conf
# Generated by re0 dhclient
search smilenet.ru
nameserver 10.0.1.24
nameserver 10.0.1.13

From the LAN I can connect the Windows server 192.168.1.100 to 192.168.1.1.

From the internet I can't connect the Windows server 9.8.7.6 to 1.2.3.4.

# cat /etc/ipsec.conf
ike passive esp transport proto udp from 192.168.1.1 to 192.168.1.100 port 1701 main auth hmac-sha1 enc 3des group modp2048 quick auth hmac-sha1 enc 3des psk pass

ike passive esp transport proto udp from 10.200.81.220 to 9.8.7.6 port 1701 main auth hmac-sha1 enc 3des group modp2048 quick auth hmac-sha1 enc 3des psk pass

ike passive esp transport proto udp from 1.2.3.4 to 9.8.7.6 port 1701 main auth hmac-sha1 enc 3des group modp2048 quick auth hmac-sha1 enc 3des psk pass

# tail /var/log/daemon
isakmpd: message_recv: invalid message id
isakmpd: dropped message from 9.8.7.6 port 500 due to notification type INVALID_MESSAGE_ID

Please help me connect server2 9.8.7.6 to 1.2.3.4


L2TP over IPsec on OpenBSD 5.5 is very easy for me, you may read my guide.

http://siegfried.github.io/unix/openbsd/vpn/ipsec/l2tp/2014/09/29/l2tp-over-ipsec-vpn-on-openbsd-5-5/




relayd url redirection

2014-10-05 Thread Olivier Cherrier
Hi,

Following http://marc.info/?l=openbsd-misc&m=140508090726719&w=2,
I'm trying to implement a similar setup.

relayd(8) is listening on a public IP.
httpd(8) is listening on localhost:80 and apache-httpd-openbsd is
listening on localhost:81.

I would like to handle all traffic with httpd(8) and only UserDir URLs
(/~user) with apache-httpd-openbsd.

I tried :

ext_addr=x.x.x.x
table web_httpd { 127.0.0.1 }
table web_apache { 127.0.0.1 }

http protocol filters {
        return error
        # pass # not needed.

        # tried these forms:
        match request quick path /~* forward to web_apache
        match request quick path /~user/* forward to web_apache

        match request path * forward to web_httpd
}

relay site1 {
        listen on $ext_addr port 80
        protocol filters
        forward to web_httpd check tcp port 80
        forward to web_apache check tcp port 81
}


But it half works. Sometimes it works and sometimes the UserDir traffic
is sent to httpd(8) and the non-UserDir traffic is sent to Apache.

I tried to use a public IP for binding web_apache (still on port
81) but it failed in the exact same way. 
In case there is a problem with the '~' character, I also tried to use
something like /user for the string. But it did the same.


Does anybody have any idea how to get it working ?

Thanks for any hint !
Best.
Olivier

-- 
Olivier Cherrier - Symacx.com
Phone: +352691754777
mailto:o...@symacx.com



Re: NAT logging and limits using pf

2014-10-05 Thread Stuart Henderson
On 2014-10-03, Russell Sutherland russell.sutherl...@utoronto.ca wrote:
 I am trying to determine whether using an OpenBSD system to perform
 institutional NAT for our wireless users would be a viable option.

 At the present time we are evaluating the A10 Thunder CGN  appliance.

 There are a few issues for which I would like to get some input for those
 using pf for NAT in large environments (> 10k users)


   *   are there problems with arp cache resources ?
   *   can logging be modified to use radius ? We really need some hooks to
 determine who is/was responsible for a given session.

 Thanks in advance for any operational experience you may have using pf in a
 similar environment.

Normal PF logging isn't particularly well-suited to CGNAT-type requirements,
in order to record both the internal address and the nat mapping you need
to log both the inbound and outbound packets and piece it together from the
two separate log entries. (pflow doesn't help either as this only records the
untranslated address, rather than both translated+untranslated).

About the best thing I can think of (and this is similar to something done
by commercial systems) is to restrict each individual source address to
using a certain port range (match in from 100.64.0.1 nat-to $nat1 port
1024:2047 etc.etc.) and keep a record of those mappings to confirm
against dhcp logs or some other information.

Obviously this is going to need some tooling to generate the configs -
either statically, or I suppose if you had some hooks into other systems
(802.1x/radius?) you could possibly add these dynamically via an anchor.

In many cases doing this would avoid the need to keep local records
of each individual connection so better for privacy, disk space, and i/o
throughput.
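Stuart's fixed port-block scheme and Giannis' advice to join the NAT record with the authentication side (802.1x/RADIUS or DHCP) are the two halves of answering "who was behind public address X, port Y, at time T". What follows is an added example for this thread, not code from the list, from OpenBSD or from pf: it gives each internal host a fixed block of source ports on one public address, renders that as pf.conf match rules in the form Stuart suggests (I use `match out on $ext_if`, the usual place for nat-to; the interface name, the 100.64.0.0/26 range, the 203.0.113.x pool and the 1024-port block size are all assumptions), and then resolves an abuse report against accounting records whose one-line format is invented here rather than taken from any real radiusd or dhcpd output.

```python
"""Deterministic (port-block) NAT for pf: rule generation and reverse lookup.

Added example for the openbsd-misc NAT logging thread; not OpenBSD's or
pf's own code. Internal range, public pool, block size, interface name
and the accounting log are all constructed for illustration.
"""
import ipaddress
from datetime import datetime

PORT_LO = 1024      # assumption: stay clear of the privileged range
PORT_HI = 65535
BLOCK = 1024        # assumption: translation ports reserved per internal host


def blocks_per_address(block=BLOCK):
    """How many internal hosts one public address can carry at this block size."""
    return (PORT_HI - PORT_LO + 1) // block


def build_mapping(internal_net, nat_pool, block=BLOCK):
    """Assign every host in internal_net a fixed (public_ip, lo, hi) port block.

    The mapping is a pure function of the address plan, so it can be
    regenerated at any time instead of being logged per connection.
    """
    hosts = list(ipaddress.ip_network(internal_net).hosts())
    pool = [str(ipaddress.ip_address(a)) for a in nat_pool]
    per_ip = blocks_per_address(block)
    if len(hosts) > per_ip * len(pool):
        raise ValueError(f"{len(hosts)} hosts do not fit in {len(pool)} public addresses "
                         f"at {per_ip} blocks each")
    mapping = {}
    for i, host in enumerate(hosts):
        lo = PORT_LO + (i % per_ip) * block
        mapping[str(host)] = (pool[i // per_ip], lo, lo + block - 1)
    return mapping


def pf_rules(mapping, ext_if="em0"):
    """Render the mapping as pf.conf match rules, one per internal host."""
    return [
        f"match out on {ext_if} inet from {src} nat-to {pub} port {lo}:{hi}"
        for src, (pub, lo, hi) in mapping.items()
    ]


def internal_for(mapping, pub_ip, port):
    """Reverse lookup: which internal host owns (pub_ip, port)? None if unmapped."""
    for src, (pub, lo, hi) in mapping.items():
        if pub == pub_ip and lo <= port <= hi:
            return src
    return None


# Constructed accounting records in an invented one-line format (not real
# radiusd/dhcpd output): the 802.1x/RADIUS side tells us who held which
# private address, and when that lease/session started and stopped.
ACCT_LOG = """\
2014-10-05T10:11:58 Start user=alice ip=100.64.0.7
2014-10-05T10:12:03 Start user=bob ip=100.64.0.8
2014-10-05T11:40:00 Stop user=alice ip=100.64.0.7
2014-10-05T11:45:10 Start user=carol ip=100.64.0.7
"""


def parse_acct(text):
    """Parse the constructed log into (timestamp, event, user, private_ip) tuples."""
    recs = []
    for line in text.splitlines():
        ts, event, user, ip = line.split()
        recs.append((datetime.fromisoformat(ts), event,
                     user.split("=", 1)[1], ip.split("=", 1)[1]))
    return recs


def user_for(recs, ip, when):
    """Who held private address ip at time when: the last Start not yet closed by a Stop."""
    holder = None
    for ts, event, user, rip in sorted(recs):
        if rip != ip or ts > when:
            continue
        holder = user if event == "Start" else None
    return holder


def attribute(mapping, recs, pub_ip, port, when):
    """Abuse report (public ip, port, time) -> (private ip, user); Nones if unknown."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    src = internal_for(mapping, pub_ip, port)
    if src is None:
        return None, None
    return src, user_for(recs, src, when)


if __name__ == "__main__":
    m = build_mapping("100.64.0.0/26", ["203.0.113.1", "203.0.113.2"])
    print("\n".join(pf_rules(m)[:3]))
    print(attribute(m, parse_acct(ACCT_LOG), "203.0.113.1", 8000, "2014-10-05T11:00:00"))
```

The rendered lines can be loaded into a dedicated anchor (pfctl -a <anchor> -f <file>) and regenerated whenever the address plan changes, which is the static variant of the tooling Stuart describes. Two caveats a practitioner would add: each host is capped at its block size of concurrent translations (1024 here, so 63 hosts per public address), so size the block against measured per-user state counts rather than guessing; and the join is only as good as the clocks, so the NAT gateway, the accounting source and the reporting party all need NTP and a recorded time zone.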



Re: [Bulk] Re: openbsdstore: enable javascript and buy something or gtfo

2014-10-05 Thread Kevin Chadwick
People wrote:

 There are two things which irritate me in computing:
 
 1. The need for security updates
 2. Two pieces of technology which are not compatible with each other.
 
 I'm GLAD that finally we have Javascript. At last, we have a language and
 platform that WORKS universally.

Except it doesn't; server side code is more universal. Any idea how many
noscript users there are, amongst other filters and browsers like
xombrero?

 It is simply wonderful. Best thing after the invention of the WWW.

Wonderful yet the need for security updates irritates you??? If you had
looked into browser vulnerabilities you would see that the *vast*
majority even ones which do not mention that javascript is the issue
can be avoided by disabling javascript or the issue is javascript
related.


 (hey, even PayPal works without JS !)

Shortly before the recent security breaches I thankfully left paypal
partly because they started requiring javascript but mainly because
they were showing a technical lack of security understanding. Are you
saying that they have reverted requiring javascript?

 The thing is that web is more than web sites. It is also full of
 applications and these are totally mixed.

Simple HTML5 features and CSS3 are welcome by me, but even JIT for
performance annoys me. I'd rather they fixed the bugs and memory leaks
and let me use websites in style and confidence. If I want to run an
even more complex app then I would much prefer to do just that and
run the web based dedicated application separately, which any decent
application needs anyway (application or plugin), making it pointless
bloat.



Re: Trying to create softraid crypto part

2014-10-05 Thread STeve Andre'

So the partition has to be RAID, vs 4.2BSD

Onward to my new disk...


--STeve Andre'


Sent with AquaMail for Android
http://www.aqua-mail.com


On October 6, 2014 12:22:25 AM STeve Andre' and...@msu.edu wrote:






Trying to create softraid crypto part

2014-10-05 Thread STeve Andre'

So I am missing something, or being dumb.

sd0j is a 128g piece of disk.  Doing

  bioctl -c C -l /dev/sd0j softraid0

Gives

 softraid0: invalid metadata format

What am I missing?  This is an amd64 snap of
Oct 4th.  The vnconfig way of encryption has worked till I decided to do 
things the new way.


Thanks for clues,  STeve Andre'
