Re: Lifecycle question

2005-09-06 Thread Siju George
On 9/5/05, Giedrius Rekaius [EMAIL PROTECTED] wrote: On Mon, 05 Sep 2005 15:52:50 +0300, Stephan A. Rickauer [EMAIL PROTECTED] wrote: I am already in love with it, since I plan to use it as a HA-firewall using carp and pfsync. Problem here is just that it looks as if I had to reinstall

Re: Lifecycle question

2005-09-06 Thread Abraham Al-Saleh
On 9/5/05, Stephan A. Rickauer [EMAIL PROTECTED] wrote: Ramiro Aceves wrote: I like and use both systems. But if you are concerned about easy upgrading, I would recommend Debian GNU/Linux (no flamewars please ;-) ). It is a very stable system that is upgraded slowly, about 2 years

Re: Lifecycle question

2005-09-06 Thread Stephan A. Rickauer
Abraham Al-Saleh wrote: I am already in love with it, since I plan to use it as a HA-firewall using carp and pfsync. Problem here is just that it looks as if I had to reinstall it all year ... If that's the case, then you just take one down, upgrade it, bring it back online, take the other

Re: Lifecycle question

2005-09-06 Thread Niclas Sodergard
On 9/6/05, Stephan A. Rickauer [EMAIL PROTECTED] wrote: Not to mention that upgrades with other OS's are even painful _with_ HA setup ... As an Institute we have limited resources in terms of personal AND money. Therefore, I am forced to rethink any strategy twice. Thanks to all comments -

Re: Lifecycle question

2005-09-06 Thread Stephan A. Rickauer
Nick Holland wrote: There are a lot of measures to how the upgrade process works out. Here are SOME: 1) Frequency (i.e., how often do you need to do upgrades) 2) Difficulty (how much human work is involved) 3) Urgency (when an upgrade is needed, how important is it that it is done

Re: Lifecycle question

2005-09-06 Thread Stephan A. Rickauer
Tobias Weingartner wrote: This is a systems management issue. It all depends on how you manage your systems. Compartmentalizing change, change management, etc. I Exactly. can recommend talking to Fritz Zaucker (tell him I sent ya). He's at ETHZ as well (in EE I think). His team,

tcpdump/pflog - rule numbering

2005-09-06 Thread Stephan A. Rickauer
My 'tcpdump -n -e -i pflog0' generates lines like these: 11:22:12.538707 rule 267/(match) block in on em0: 172.16.2.97.32790 225.4.5.6.6001: udp 341 [ttl 1] I am now trying to find out, what 'rule 267' should be and found posts regarding 'pfctl -s rules'. My problem is, that rule number

Re: Lifecycle question

2005-09-06 Thread knitti
On 9/6/05, Stephan A. Rickauer [EMAIL PROTECTED] wrote: The reason why I bother this list is that I am impressed of OpenBSD from the technical point of view. I like its consistency and purity. But in business environments or comparable organizations where money is an issue, one needs to think

Re: Jose Nazario's dmesg explained for OpenBSD

2005-09-06 Thread Hans-Joerg Hoexer
On Tue, Sep 06, 2005 at 12:25:23AM -0500, Andrew Daugherity wrote: === a) biomask e74d netmask ff4d ttymask ffef ... these are the interrupt masks (on i386) for the levels IPL_BIO, IPL_NET and IPL_TTY after autoconfiguration has finished. They will be modified again when clock and rtc are

Re: tcpdump/pflog - rule numbering

2005-09-06 Thread Andreas Kahari
I have a scrub all fragment reassemble showing up on the first line of pfctl -s rules. The rules are numbered from 0 (zero). Therefore I need to add 2 to the line number of the pfctl output to get the right rule. The log entry Sep 04 21:45:56.156323 rule 8/(match) pass in on fxp0:

Re: tcpdump/pflog - rule numbering

2005-09-06 Thread Stephan A. Rickauer
Andreas Kahari wrote: I have a scrub all fragment reassemble showing up on the first line of pfctl -s rules. The rules are numbered from 0 (zero). Therefore I need to add 2 to the line number of the pfctl output to get the right rule. Thanks Andreas, that explanation fixes my problem as

Re: tcpdump/pflog - rule numbering

2005-09-06 Thread Stuart Henderson
--On 06 September 2005 11:29 +0200, Stephan A. Rickauer wrote: I am now trying to find out, what 'rule 267' should be and found posts regarding 'pfctl -s rules'. My problem is, that rule number 267 has absolutely nothing to do with the line logged above. # pfctl -sr -vv

Re: tcpdump/pflog - rule numbering

2005-09-06 Thread Stephan A. Rickauer
Stuart Henderson wrote: # pfctl -sr -vv Cool! -- Stephan A. Rickauer Institut für Neuroinformatik Universität / ETH Zürich Winterthurerstrasse 190 CH-8057 Zürich Tel: +41 44 635 30 50 Sek: +41 44 635 30 52 Fax: +41 44 635 30 53

Re: Lifecycle question

2005-09-06 Thread Stuart Henderson
--On 06 September 2005 10:16 +0200, Stephan A. Rickauer wrote: There is one thing I still don't understand. What effort is it to deliver patches (not backports) longer than just a few months - given that the overall amount of patches per release is low with OpenBSD anyway... let's say you have

Re: Lifecycle question

2005-09-06 Thread Igor Grabin
On Tue, Sep 06, 2005 at 11:00:34AM +0100, Stuart Henderson wrote: There doesn't have to be so much difference, actually. With OpenBSD an upgrade is usually pretty straightforward. The main part of the process (boot from bsd.rd, run the 'upgrade' process) can equally be used for patches and

Re: Lifecycle question

2005-09-06 Thread Marc Espie
--On 06 September 2005 10:16 +0200, Stephan A. Rickauer wrote: There is one thing I still don't understand. What effort is it to deliver patches (not backports) longer than just a few months - given that the overall amount of patches per release is low with OpenBSD anyway... let's say you have

Re: Lifecycle question

2005-09-06 Thread Nick Holland
Stephan A. Rickauer wrote: Nick Holland wrote: ... Yes, OpenBSD had new releases every six months, and only supports a previous release with patches for one past release, so your frequency is going to be higher. So, at the outside, you are looking at an upgrade Ok, that is the key issue

Re: update /etc/changelist as part of package install?

2005-09-06 Thread MikeyG
Ingo Schwarze wrote: By the way, in case you are looking for serious intrusion detection, you should not rely on /etc/security anyway, but install (and maintain!) some real intrusion detection system. Yours, Ingo Agreed. Even storing hashes off site it wouldn't be difficult to get around

Active Swap space

2005-09-06 Thread João Salvatti
Hi all, I have an OpenBSD system acting as a firewall. When I use the top command I see that the swap space is not being used. I'd like to know if the swap space is only enabled when the system needs it or if it's enabled just when the system comes up. Thanks -- João Salvatti Undergraduating in

Re: Active Swap space

2005-09-06 Thread Stuart Henderson
--On 06 September 2005 09:36 -0300, João Salvatti wrote: I have an OpenBSD system acting as a firewall. When I use the top command I see that the swap space is not being used. Typically, one would hope that a firewall doesn't have to swap... I'd like to know if the swap space is only

Re: Active Swap space

2005-09-06 Thread Andreas Kahari
It is enabled at all times but on OpenBSD, it is not used until needed. See also swapctl -l and swapctl(8). Andreas On 06/09/05, João Salvatti [EMAIL PROTECTED] wrote: Hi all, I have an OpenBSD system acting as a firewall. When I use the top command I see that the swap space is not being

sendmail and clamd

2005-09-06 Thread Cristian Del Carlo
Hi list, i am planning to use openbsd as mail server with sendmail and clamd as antivirus on intel machine. What can i use to connect sendmail and clamd? I know that there are several methods : milter, amavis etc... Thanks, Cristian Del Carlo

Snort-Inline with OpenBSD

2005-09-06 Thread Florian
Hello community I tried to install Snort_Inline on my OpenBSD-firewall. But in the ports-collection only snort is implemented. When I try to compile / configure the sources from www.snort.org with --enable-inline I get an error that a libipq.h is missing. It's a file for iptables under linux. Now

Re: sendmail and clamd

2005-09-06 Thread marc
Cristian Del Carlo wrote: Hi list, i am planning to use openbsd as mail server with sendmail and clamd as antivirus on intel machine. What can i use to connect sendmail and clamd? smtp-vilter, which is in ports. I know that there are several methods : milter, amavis etc... Thanks,

Re: sendmail and clamd

2005-09-06 Thread Stephan A. Rickauer
Cristian Del Carlo wrote: What can i use to connect sendmail and clamd? We use clamsmtp on linux. Don't know whether it is available for OpenBSD... Anyway: http://memberwebs.com/nielsen/software/clamsmtp/ -- Stephan A. Rickauer Institut für Neuroinformatik

Re: sendmail and clamd

2005-09-06 Thread Stuart Henderson
--On 06 September 2005 15:13 +0200, Cristian Del Carlo wrote: i am planning to use openbsd as mail server with sendmail and clamd as antivirus on intel machine. What can i use to connect sendmail and clamd? /usr/ports/mail/smtp-vilter works nicely, but if users should normally receive most

Re: Snort-Inline with OpenBSD

2005-09-06 Thread Gleydson Soares
Now my question: Is there any way to install snort with inline functionality ?? I don't know, snort inline needs the netfilter API. You can use snortsam. - http://www.snortsam.net

bgpctl

2005-09-06 Thread tony sarendal
I've started to test bgpd to see if I can use it for a future project. Are there any plans to make bgpctl show communities, originator-id and cluster-list ? Any plans of adding route-refresh to bgpctl ? Something like bgpctl nei peer clear (in|out) ? Although I miss a few features it is really

Re: sendmail and clamd

2005-09-06 Thread Alexander Bochmann
...on Tue, Sep 06, 2005 at 03:13:01PM +0200, Cristian Del Carlo wrote: i am planning to use openbsd as mail server with sendmail and clamd as antivirus on intel machine. What can i use to connect sendmail and clamd? I know that there are several methods : milter, amavis etc... Depends

Re: Snort-Inline with OpenBSD

2005-09-06 Thread Murali Raju
There is no support for PF. If you need in-line function for an IPS, you can take a look at a FreeBSD/snort_inline/IPFW/divert socket solution: http://freebsd.rogness.net/snort_inline/ The snort_inline code primarily supports Linux netfilter/libpq. Also note that snort2pf is considered Active

(3.6) httpd - Too many open files - problem

2005-09-06 Thread Peter Huncar
Hi. I'm using OpenBSD (3.6 now) as my web/dns/mail/whatever server for a couple of years. I was very satisfied until a couple of days ago I noticed, that my web server is not working. I restarted apache, everything was ok then, but after some time the same happened. I got many many lines like

Re: sendmail and clamd

2005-09-06 Thread Juan J.
On Tue, 06-09-2005 at 15:13 +0200, Cristian Del Carlo wrote: Hi list, i am planning to use openbsd as mail server with sendmail and clamd as antivirus on intel machine. What can i use to connect sendmail and clamd? I know that there are several methods : milter, amavis etc... Thanks,

Re: Lifecycle question

2005-09-06 Thread Moritz Grimm
Stephan A. Rickauer wrote: Nick Holland wrote: There are a lot of measures to how the upgrade process works out. Here are SOME: 1) Frequency (i.e., how often do you need to do upgrades) 2) Difficulty (how much human work is involved) 3) Urgency (when an upgrade is needed, how important

Re: Snort-Inline with OpenBSD

2005-09-06 Thread Florian
The problem is, that the firewall MUST run with OpenBSD !! Thanks for answers

Re: sendmail and clamd

2005-09-06 Thread Cristian Del Carlo
Ok, thanks a lot, it seems quite simple to configure. I don't know about the configuration of sendmail. What do I need to have in sendmail.cf to work with smtp-vilter? Thanks, cristian On Sep 06, 2005 03:34 PM, Stuart Henderson [EMAIL PROTECTED] wrote: --On 06 September 2005 15:13 +0200,

Re: sendmail and clamd

2005-09-06 Thread Vlad Ciubotariu
Search google for openbsd vilter. Then follow the cached link at the top of the results. The tutorial describes pretty much what you want. Also tells you how to generate a new sendmail.cf. Also, update your /etc/rc* files to have sendmail use the new config file. vlad On Tue, Sep 06, 2005 at

Re: [OT]: good home switch?

2005-09-06 Thread L. V. Lammert
On Sun, 4 Sep 2005, Shawn K. Quinn wrote: On Sun, 2005-09-04 at 13:57 +0200, [EMAIL PROTECTED] wrote: p.s. Forget about D-Link! I recommend to stay far far away of these crap. I am using a D-Link switch and it has performed acceptably so far. Their wireless access points might be another

Re: Lifecycle question

2005-09-06 Thread Theo de Raadt
The reason why I bother this list is that I am impressed of OpenBSD from the technical point of view. I like its consistency and purity. But in business environments or comparable organizations where money is an issue, one needs to think about system management very carefully, since it

Re: Lifecycle question

2005-09-06 Thread Steve Williams
Stephan A. Rickauer wrote: Tobias Weingartner wrote: This is a systems management issue. It all depends on how you manage your systems. Compartmentalizing change, change management, etc. I Exactly. can recommend talking to Fritz Zaucker (tell him I sent ya). He's at ETHZ as well

Re: Lifecycle question

2005-09-06 Thread Will H. Backman
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Theo de Raadt Sent: Tuesday, September 06, 2005 11:43 AM To: Stephan A. Rickauer Cc: misc@openbsd.org Subject: Re: Lifecycle question The reason why I bother this list is that I am impressed of

Re: bgpctl

2005-09-06 Thread Karl Austin
tony sarendal wrote: I've started to test bgpd to see if I can use it for a future project. Are there any plans to make bgpctl show communities, originator-id and cluster-list ? Any plans of adding route-refresh to bgpctl ? Something like bgpctl nei peer clear (in|out) ? Although I miss a few

OpenBSD 3.8-beta MP Panic

2005-09-06 Thread Mike Tancsa
I thought I would give the latest Beta a try on a 4WAY PIII. The USB is supposed to be disabled in the BIOS as there are no physical USB connectors even on this box. It's a Dell 6350 ---Mike OpenBSD/i386 BOOT 2.10 boot booting hd0a:/bsd: 4846336+944176 [52+249696+230995]=0x5fb28c

Multiple IP's on single NIC using DHCP

2005-09-06 Thread r . noor
In short, I'm looking for a way to obtain multiple IP addresses via DHCP on a single NIC. For a more elaborate explanation, see below. I'm working on a router / firewall in a somewhat arcane network setup. The situation is as follows: I live in a student dorm with a fairly large local 100 Mbit

Re: Lifecycle question

2005-09-06 Thread Brandon Mercer
Will H. Backman wrote: -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Theo de Raadt Sent: Tuesday, September 06, 2005 11:43 AM To: Stephan A. Rickauer Cc: misc@openbsd.org Subject: Re: Lifecycle question The reason why I bother this list

Re: bgpctl

2005-09-06 Thread Joe .
Agreed! Soft-reset would be awesome and more functionality from bgpctl wouldn't hurt. As is though I like the output style from bgpctl since it keeps things concise. Regards, Joe On 9/6/05, Karl Austin [EMAIL PROTECTED] wrote: tony sarendal wrote: I've started to test bgpd to see if I can

Re: sendmail and clamd

2005-09-06 Thread poncenby
Cristian Del Carlo wrote: Hi list, i am planning to use openbsd as mail server with sendmail and clamd as antivirus on intel machine. use qmail (http://cr.yp.to/qmail.html) as the MTA - not sendmail. What can i use to connect sendmail and clamd? I know that there are several methods :

USB flash disk stopped working after 3.7

2005-09-06 Thread Sebastiaan Indesteege
Hello list, I just noticed that my USB flash memory stick stopped working after 3.7 (it's been a while since I last used it). Whereas it used to work perfectly, any attempt to access (e.g. read the disklabel, mount, dd, ...) the disk now just hangs the machine. So I traced back the commit which

Re: bgpctl

2005-09-06 Thread tony sarendal
On 06/09/05, Karl Austin [EMAIL PROTECTED] wrote: tony sarendal wrote: I've started to test bgpd to see if I can use it for a future project. Are there any plans to make bgpctl show communities, originator-id and cluster-list ? Any plans of adding route-refresh to bgpctl ? Something like

Re: (3.6) httpd - Too many open files - problem

2005-09-06 Thread Han Boetes
Peter Huncar wrote: I'm using OpenBSD (3.6 now) as my web/dns/mail/whatever server for a couple of years. I was very satisfied until a couple of days ago I noticed, that my web server is not working. I restarted apache, everything was ok then, but after some time the same happened. I got many

Re: bgpctl

2005-09-06 Thread Karl Austin
tony sarendal wrote: On 06/09/05, Karl Austin [EMAIL PROTECTED] wrote: You've read my mind, that was going to be my next question if my issue about having multiple communities per route was addressed (I tried -current and it doesn't work). Soft reset, and more route information from bgpctl

Re: OpenBSD 3.8-beta Alpha panic with pppoe SOS!

2005-09-06 Thread Roger Neth Jr
Hello List, I reinstalled 3.8-beta on the alpha with just the required sets and the hostname.pppoe0 and ppp.conf files with the amap_wipeout panic still occurring. I tried UKC disable amap and pkg_delete -F amap-5.1.tgz and amap-4.5.tgz without any success. Any ideas on solving this is much

Re: sendmail and clamd

2005-09-06 Thread marc
Alexander Bochmann wrote: I'm successfully using smtp-vilter as milter for clamav, but I haven't followed the latest development on OpenBSD pthreads, and people used to say that there's problems with the thread implementation (search the archives for specifics) - so going with milters might

Re: sendmail and clamd

2005-09-06 Thread Rogier Krieger
On 9/6/05, Cristian Del Carlo [EMAIL PROTECTED] wrote: What can i use to connect sendmail and clamd? Perhaps, if only for hints, you may want to take a look at MailDroid that came across the list some time ago. It connects the in-base sendmail to clamav through smtp-vilter from ports. You'll

routing question

2005-09-06 Thread John Brooks
My office network has an adsl connection with a single static ip as follows: 209.145.160.141/24 (gw 209.145.160.1) I requested additional ip's from my provider and they gave me 8 addresses at: 207.246.198.216/29 They are routing all 8 of these new addresses down my adsl 'pipe'. On my

Re: routing question

2005-09-06 Thread Todd Boyer
On Tuesday, September 06, John Brooks wrote: (209.145.160.141) OBSD #1 - \ Switch DSL Modem ISP(209.145.160.1) / OBSD #2 - (207.246.198.220) I was expecting that 207.246.198.217 would have been set up as

Re: routing question

2005-09-06 Thread Rod.. Whitworth
On Tue, 6 Sep 2005 15:25:29 -0500, John Brooks wrote: My office network has an adsl connection with a single static ip as follows: 209.145.160.141/24 (gw 209.145.160.1) I requested additional ip's from my provider and they gave me 8 addresses at: 207.246.198.216/29 They are routing

Re: netstat - how to show PID

2005-09-06 Thread Jason McIntyre
On Tue, Aug 30, 2005 at 03:41:14PM +0200, Simon Dassow wrote: On Tue, Aug 30, 2005 at 03:30:01PM +0200, Miroslav Kubik wrote: Is there a way how to show PID which belongs to the socket by netstat command? I searched man pages but I haven't found any useful switch for my need. I searched

adding a partition, fdisk, disklabel, and other fun

2005-09-06 Thread Kelly Martin
I gotta ask for help or I'm gonna hose my multi-boot system. I've got an A6 primary partition with various /usr and /var style partitions within. Pretty standard, but I ran out of disk space. I added a second primary A6 partition in the freespace of the same disk using fdisk, but cannot figure

Updated: Trouble connecting to OBSD VPN (isakmpd on 3.7 generic) from an XP (sp1) client using ipseccmd.exe (more data)

2005-09-06 Thread Ben
Still getting the same errors as below: 131529.495890 Plcy 40 check_policy: adding authorizer [passphrase:password] 131529.495915 Plcy 40 check_policy: adding authorizer [passphrase-md5-hex:5f4dcc3b5aa765d61d8327deb882cf99] 131529.495927 Plcy 40 check_policy: adding authorizer

Dell m70 and HP nc6230 experiences?

2005-09-06 Thread Aaron Glenn
Does anyone on the list have any comments or caveats on using OpenBSD as a primary OS on either the Dell Precision m70 or Hewlett Packard nc6230 notebooks? Google turns up nothing interesting on either. regards, aaron.glenn

WLAN Device problem

2005-09-06 Thread Sam Ficher
Hello I have the following problem, i have a CNet CWP-854 Ralink Wireless-G PCI Adapter i have configured it on OpenBSD 3.8 Beta after some attempts i was able to get a status to ACTIVE, however it seems that there is no connection available, ping any clients on the same network fails same goes

Re: adding a partition, fdisk, disklabel, and other fun

2005-09-06 Thread Ted Unangst
On Tue, 6 Sep 2005, Kelly Martin wrote: I've got an A6 primary partition with various /usr and /var style partitions within. Pretty standard, but I ran out of disk space. I added a second primary A6 partition in the freespace of the same disk using fdisk, but don't do this. Can someone walk

Re: Lifecycle question

2005-09-06 Thread Uwe Dippel
On Mon, 05 Sep 2005 15:35:19 +0200, Stephan A. Rickauer wrote: Well, I am thinking of using OpenBSD for our firewalls. Those I do want to upgrade regularly. Not because of features, but because of patches. You will be rewarded by this choice; I am sure ! And still, I cannot understand the

Re: routing question

2005-09-06 Thread John Brooks
On Tuesday, September 06, John Brooks wrote: (209.145.160.141) OBSD #1 - \ Switch DSL Modem ISP(209.145.160.1) / OBSD #2 - (207.246.198.220) I was expecting that 207.246.198.217 would have been

Re: routing question

2005-09-06 Thread John Brooks
On Tue, 6 Sep 2005 15:25:29 -0500, John Brooks wrote: My office network has an adsl connection with a single static ip as follows: 209.145.160.141/24 (gw 209.145.160.1) I requested additional ip's from my provider and they gave me 8 addresses at: 207.246.198.216/29 They

Re: sendmail and clamd

2005-09-06 Thread [EMAIL PROTECTED]
poncenby wrote: use qmail (http://cr.yp.to/qmail.html) as the MTA - not sendmail. Aaaag!!! At the risk of starting a flame-fest, do yourself a favour, ignore this advice and stay away from qmail. The license issue alone should make you stop and think first. It is about