Re: Bug Hunting 101 - Finding The Alpha Bug

2005-12-22 Thread J.C. Roberts
On Wed, 21 Dec 2005 12:13:54 -0800, J.C. Roberts [EMAIL PROTECTED]
wrote:

I found something interesting, namely a (more than once)
reported bug that looks very similar to The alpha bug. The primary
difference is you get cpu_switch_queuescan rather than cpu_switch in
the trace output.

2003-10-01 21:40:00
http://marc.theaimsgroup.com/?l=openbsd-alpha&m=106504464724168&w=2

2003-08-03 12:00:14
http://marc.theaimsgroup.com/?l=openbsd-alpha&m=105999853009839&w=2

There is also another report that is vague but since it is missing the
needed trace information, there's no way to tell if it's related.
2003-05-13 22:13:50
http://marc.theaimsgroup.com/?l=openbsd-bugs&m=105286536018393&w=2


Yes, the two bugs, one which shows cpu_switch in the trace output and
the other that shows cpu_switch_queuescan in the trace output, are
definitely related. 

I managed to reproduce the cpu_switch_queuescan output originally
reported from OpenBSD 3.3 while compiling 3.8-STABLE tonight.

The only change in the source files is that I enabled the

  #makeoptions DEBUG=-g

line in /src/sys/conf/GENERIC file. I'm going to try flipping this back
and forth a few times to see if it really is the deciding factor for
which output the bug displays.

JCR



Re: Access CD as user using cdrtools

2005-12-22 Thread Jacob Meuser
On Wed, Dec 21, 2005 at 10:26:38PM -0700, Ludwig Mises wrote:
 It seems that only root can access /dev/rcd0c when using tools such as
 cdrdao, cdda2wav and cdparanoia, even when the user is in the operator
 group:
 
 $ cdparanoia -v -d /dev/rcd0c -B
 
 Checking /dev/rcd0c for cdrom...
 Testing /dev/rcd0c for SCSI interface
 generic device: /dev/rcd0c
 ioctl device: /dev/rcd0c
 Could not open generic SCSI device /dev/rcd0c: Permission 
 denied
 Testing /dev/rcd0c for SCSI interface
 
 uid=1000(lm) gid=1000(lm) groups=1000(lm), 0(wheel), 5(operator)
 
 I get similar results with cdda2wav and cdrdao.  Oddly enough, cdio
 works just fine for this user.  Even changing the permissions on
 /dev/rcd0c to 644 didn't change anything and  I still get errors
 indicating that I have no permission, yet clearly the account is in
 the correct group:
 
 $ ls -l /dev/rcd0c
 crw-r-  1 root  operator   15,   2 Dec 15 21:32 /dev/rcd0c

operator group has only read permission.

 Is it possible to read /dev/rcd0c as a user in the operator group
 using cdda2wav or other cdrtools?  I would rather not have to use su
 or sudo just to read a CD.  And I see nothing special about cdio (i.e.
 no SUID) to make it work differently.
 

cdio opens the CD device O_RDONLY.

the cdrtools all use libscg bits to make the actual open(2), and
it only opens the device with O_RDWR.  cdrecord needs to be able
to write to the device, obviously, but the other cdrtools shouldn't
need to.  changing this appears non-trivial.  maybe ask Joerg to
add a O_RDONLY option for opening the CD device in future cdrtools
versions on the cdwrite@other.debian.org mailing list?

cdrdao and cdparanoia are not part of the cdrtools.  cdrdao needs
to be able to write to the drive.  cdparanoia shouldn't need to
though.  the patch below for the audio/cdparanoia port opens the
device O_RDONLY, and apparently does not change cdparanoia's
behaviour.  let me know how that works for you (and anyone else).

-- 
[EMAIL PROTECTED]


Index: patches/patch-interface_scan_devices_c
===
RCS file: /cvs/ports/audio/cdparanoia/patches/patch-interface_scan_devices_c,v
retrieving revision 1.3
diff -u -r1.3 patch-interface_scan_devices_c
--- patches/patch-interface_scan_devices_c  16 Sep 2002 13:35:52 -  
1.3
+++ patches/patch-interface_scan_devices_c  22 Dec 2005 08:55:48 -
@@ -176,6 +176,15 @@
}

idmessage(messagedest,messages,\t\tgeneric device: %s,generic_device);
+@@ -535,7 +579,7 @@ cdrom_drive *cdda_identify_scsi(const ch
+   }
+ 
+   if(ioctl_device)i_fd=open(ioctl_device,O_RDONLY|O_NONBLOCK);
+-  g_fd=open(generic_device,O_RDWR);
++  g_fd=open(generic_device,O_RDONLY);
+   
+   if(ioctl_device  i_fd==-1)
+ idperror(messagedest,messages,\t\tCould not open SCSI cdrom device 
 @@ -556,6 +600,7 @@ cdrom_drive *cdda_identify_scsi(const ch
  
  type=(int)(i_st.st_rdev8);
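
Review bot: The added g_fd=open(generic_device,O_RDONLY); line in cdda_identify_scsi() drops write access for every caller, not only for users in the operator group, so any command sent through g_fd that the kernel accepts only on a writable descriptor would now fail even for root. Trying O_RDWR first and retrying with O_RDONLY when open() fails with EACCES would keep the old behaviour wherever it already worked. A one-line comment in the port patch saying why the open mode differs from upstream would also help whoever updates the port next.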



Re: pf and two ADSL links

2005-12-22 Thread Craig Skinner
On Thu, Dec 22, 2005 at 03:11:57AM +, pedro la peu wrote:
  I work for an ISP
 
 It shows. Disagree off-list please. 
 

If you insult someone on list, expect the same back, on list, you coward.



Re: OpenBSD 3.8 PPPoE Broadband Connection Howto

2005-12-22 Thread stefan hoffmann

hi Siju,

Siju George wrote:

so the DSL Router is working and the username and password is correct.
What could be the problem?


If it is a DSL _router_ you just have to setup a normal network, PPPoE 
is handled by the router.


If it is a DSL _modem_ you have to setup PPPoE.


mfG
-- stefan --



pf anchor problem (not working as expected)

2005-12-22 Thread Didier Wiroth
Hi,

I would like to load/unload an emule anchor when needed.
Unfortunately it does not work as expected as port tcp 4662 traffic coming back
to my router is still blocked.
Dec 22 13:05:36.720276 rule 2/(match) block in on pppoe0: 80.239.200.108.34965 
158.64.125.147.4662: [|tcp] (DF)
Dec 22 13:05:37.330539 rule 2/(match) block in on pppoe0: 212.112.238.82.13114 
158.64.125.147.4662: [|tcp] (DF)
Dec 22 13:05:39.720729 rule 2/(match) block in on pppoe0: 80.239.200.108.34965 
158.64.125.147.4662: [|tcp] (DF)
Dec 22 13:05:40.330485 rule 2/(match) block in on pppoe0: 212.112.238.82.13114 
158.64.125.147.4662: [|tcp] (DF)

Maybe I misunderstood the anchors manual, but I honestly don't know what is
wrong.
I would really appreciate it if you can help me on this issue.

Why is the traffic still blocked via this rule block log (all) all, shouldn't
it pass through as the anchor rules allow the traffic?

Here is my pf.conf:
# VARIABLES SECTION #
int_if="sis0"
ext_if="pppoe0"
localnet="172.16.43.0/24"
outftp="53000:53450"

icmp_types="echoreq"
icmp_types = "echoreq"

# TABLES SECTION #
table <friends> {x,y}
table <hostile> persist

# OPTIONS SECTION #
set block-policy drop
set loginterface $ext_if

# SCRUBBING SECTION #
scrub in on $ext_if all
scrub out on $ext_if max-mss 1440

# NAT SECTION #
nat on $ext_if from $localnet to any -> ($ext_if) static-port

# REDIRECTION #
rdr on $int_if proto tcp from !$ext_if to !$localnet port ftp \
-> 127.0.0.1 port ftp-proxy
rdr on $int_if proto tcp from $localnet to $int_if port ssh \
-> $int_if port 8022

rdr-anchor "authpf/*"
rdr-anchor emule

#pass quick all
block quick from <hostile>
block quick inet6 all
block log (all) all

#loopback and internal interface are ok
pass quick on lo0 all
pass quick on $int_if all

# EXTERNAL INTERFACE #
pass out on $ext_if inet proto tcp from ($ext_if) to any \
flags S/SA modulate state
pass out on $ext_if inet proto udp from ($ext_if) to any \
keep state
pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
port > 1023 user proxy modulate state label ftpproxy
pass on $ext_if inet proto icmp icmp-type $icmp_types keep state
anchor emule
anchor "authpf/*"

END OF PF RULE

Here is my emule anchor (/etc/emule.pf):
ext_if = "pppoe0"
MuleIP = "172.16.43.10"
localnet = "172.16.43.0/24"
InMuleTCP = "{ 4661, 4662 }"
InMuleUDP = "{ 4665, 4672 }"

rdr on $ext_if proto tcp from !$localnet to any port 4661:4662 -> $MuleIP port 4661:*
rdr on $ext_if proto udp from !$localnet to any port 4665 -> $MuleIP port 4665
rdr on $ext_if proto udp from !$localnet to any port 4672 -> $MuleIP port 4672

pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $InMuleTCP \
flags S/SA keep state label eMuleTCP
pass in quick on $ext_if inet proto udp from any to ($ext_if) port $InMuleUDP \
keep state label eMuleUDP

END OF EMULE ANCHOR

The anchor is loaded when I need it via:
pfctl -v -a emule -f /etc/emule.pf
and unloaded
pfctl -v -a emule -Fa -sn && pfctl -v -a emule -Fa -sr

THX A LOT FOR HELPING



Re: pf anchor problem (not working as expected)

2005-12-22 Thread Abel Talaverón Estevez
On Thursday, 22 December 2005 13:37, you wrote:
 Hi,

 I would like to load/unload an emule anchor when needed.
 Unfortunately it does not work as expected as port tcp 4662 traffic coming
 back to my router is still blocked.
 Dec 22 13:05:36.720276 rule 2/(match) block in on pppoe0:
 80.239.200.108.34965  158.64.125.147.4662: [|tcp] (DF)
 Dec 22 13:05:37.330539 rule 2/(match) block in on pppoe0:
 212.112.238.82.13114  158.64.125.147.4662: [|tcp] (DF)
 Dec 22 13:05:39.720729 rule 2/(match) block in on pppoe0:
 80.239.200.108.34965  158.64.125.147.4662: [|tcp] (DF)
 Dec 22 13:05:40.330485 rule 2/(match) block in on pppoe0:
 212.112.238.82.13114  158.64.125.147.4662: [|tcp] (DF)

 May be I misunderstood the anchors manual, but I honestly don't know what
 is wrong. I would really appreciate if you can help me on this issue.

 Why is the traffic still blocked via this rule block log (all) all,
 shouldn't it pass through as the anchor rules allow the traffic?

 Here is my pf.conf:
 # VARIABLES SECTION #
 int_if=sis0
 ext_if=pppoe0
 localnet=172.16.43.0/24
 outftp=53000:53450

 icmp_types=echoreq
 icmp_types = echoreq

 # TABLES SECTION #
 table friends {x,y}
 table hostile persist

 # OPTIONS SECTION #
 set block-policy drop
 set loginterface $ext_if

 # SCRUBBING SECTION #
 scrub in on $ext_if all
 scrub out on $ext_if max-mss 1440

 # NAT SECTION #
 nat on $ext_if from $localnet to any - ($ext_if) static-port

 # REDIRECTION #
 rdr on $int_if proto tcp from !$ext_if to !$localnet port ftp \
 - 127.0.0.1 port ftp-proxy
 rdr on $int_if proto tcp from $localnet to $int_if port ssh \
 - $int_if port 8022

 rdr-anchor authpf/*
 rdr-anchor emule


This rdr-anchor is ok

 #pass quick all
 block quick from hostile
 block quick inet6 all

but here you are blocking the emule traffic
You should put here this:
anchor emule
anchor authpf/*

and not below

 block log (all) all

 #loopback and internal interface are ok
 pass quick on lo0 all
 pass quick on $int_if all

  EXTERNAL INTERFACE 
 pass out on $ext_if inet proto tcp from ($ext_if) to any \
 flags S/SA modulate state
 pass out on $ext_if inet proto udp from ($ext_if) to any \
 keep state
 pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
 port  1023 user proxy modulate state label ftpproxy
 pass on $ext_if inet proto icmp icmp-type $icmp_types keep state
 anchor emule
 anchor authpf/*

 END OF PF RULE

 Here is my emule anchor (/etc/emule.pf):
 ext_if = pppoe0
 MuleIP= 172.16.43.10
 localnet= 172.16.43.0/24
 InMuleTCP = { 4661, 4662 }
 InMuleUDP = { 4665, 4672 }

 rdr on $ext_if proto tcp from !$localnet to any port 4661:4662 - $MuleIP
 port 4661:*
 rdr on $ext_if proto udp from !$localnet to any port 4665 - $MuleIP port
 4665 rdr on $ext_if proto udp from !$localnet to any port 4672 - $MuleIP
 port 4672

 pass in quick on $ext_if inet proto tcp from any to ($ext_if) port
 $InMuleTCP\ flags S/SA keep state label eMuleTCP
 pass in quick on $ext_if inet proto udp from any to ($ext_if) port
 $InMuleUDP\ keep state label eMuleUDP

 END OF EMULE ANCHOR

 The anchor is loaded when I need it via:
 pfctl -v -a emule -f /etc/emule.pf
 and unloaded
 pfctl -v -a emule -Fa -sn  pfctl -v -a emule -Fa -sr

 THX A LOT FOR HELPING

-- 
Abel Talaverón Estevez
Senior Telecommunications Engineer
Project Analyst

OpenWired
Caballero 87 - Bajos
08029 - Barcelona
Tel. 93 495 0990
Fax. 93 419 4591

Openwired
Alejandro Villegas,29
28043 - MADRID - SPAIN
Telephone: 91 300 51 09
Fax:  91 300 28 13
http://www.openwired.com



how to disable remote root login

2005-12-22 Thread David fire
hi
i was looking how to disable remote root login but i cant find it
some tip?

thanks
David



Re: how to disable remote root login

2005-12-22 Thread Bernd Schoeller
On Thu, Dec 22, 2005 at 10:35:12AM -0300, David fire wrote:
 hi
 i was looking how to disable remote root login but i cant find it
 some tip?

man sshd_config

Look for PermitRootLogin

Bernd

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]



Re: how to disable remote root login

2005-12-22 Thread Ryan Fox
David fire wrote:

hi
i was looking how to disable remote root login but i cant find it
some tip?
  

http://www.google.com/search?q=disable+root+login+ssh

Behold the power of the internets.

Ryan

[demime 1.01d removed an attachment of type APPLICATION/DEFANGED which had a 
name of rfox.16492DEFANGED-vcf]



[no subject]

2005-12-22 Thread Didier Wiroth
Thx a lot for replying.
Hmm, I'm a bit lost now ...

Why do I have to move the anchor before the block statement?

Actually (without moving) the anchor authpf works well and no traffic is 
blocked.
Having a look here:
http://www.openbsd.org/faq/pf/authpf.html the anchor is at the bottom too, of 
the pf.conf file.

Coming back to my pf.conf.
I have block log (all) all and at the end of the file I have anchor emule.

As far as I understood the rules are checked from top to bottom and last match 
wins.
(Assuming the emule anchor is loaded)
Traffic comes in on port 4662 at the pppoe0 interface:
1) it MATCHES block log (all) all
2) it checks the other rules ... NO MATCH ...
3) finally comes to the loaded anchor emule
that has the following rule
pass in quick on $ext_if inet proto tcp from any to ($ext_if) \
port $InMuleTCP flags S/SA keep state label eMuleTCP
4) the rule from the anchor is the LAST MATCHED rule and traffic (port4662) 
should pass through ...

Hmm ... am I completely wrong and did I misunderstand how pf works?
Here is snip from the pf manual:
For each packet processed by the packet filter, the filter rules are
evaluated in sequential order, from first to last.  The last matching
rule decides what action is taken.

thx a lot
didier

This rdr-anchor is ok

 #pass quick all
 block quick from hostile
 block quick inet6 all

but here you are blocking the emule traffic You should put here this:
   anchor emule
   anchor authpf/*

and not below

[demime 1.01d removed an attachment of type APPLICATION/DEFANGED which had a 
name of didier.wiroth.3955DEFANGED-vcf]
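
The evaluation order described in this message, as an added example that is not part of the original post and not pf's own code: a simplified Python model of last-match evaluation with quick and an anchor call, using the filter rules from the posted pf.conf. The function names, the EXT_ADDR value (assumed to be the pppoe0 address seen in the log lines) and the sample packets are constructed for illustration; translation and state are not modelled.

```python
# Simplified model of pf filter-rule evaluation (added example, not pf code).
# Translation (nat/rdr) and state tracking are deliberately left out.

SYN, ACK = 0x02, 0x10


def rule(action, label, quick=False, direction=None, iface=None, af=None,
         proto=None, src_table=None, dst=None, dport=None, syn_only=False):
    """One filter rule; a field left as None matches any packet."""
    return dict(action=action, label=label, quick=quick, direction=direction,
                iface=iface, af=af, proto=proto, src_table=src_table,
                dst=dst, dport=dport, syn_only=syn_only)


def anchor(name):
    """Anchor call: evaluate whatever rules are currently loaded under name."""
    return {"anchor": name}


def matches(r, pkt):
    for field in ("direction", "iface", "af", "proto", "dst"):
        if r[field] is not None and r[field] != pkt[field]:
            return False
    if r["src_table"] is not None and pkt["src"] not in r["src_table"]:
        return False
    if r["dport"] is not None and pkt["dport"] not in r["dport"]:
        return False
    # "flags S/SA": of SYN and ACK, only SYN may be set.
    if r["syn_only"] and (pkt["flags"] & (SYN | ACK)) != SYN:
        return False
    return True


def _walk(rules, anchors, pkt, verdict):
    """Return (verdict, stopped); stopped is True once a quick rule matched."""
    for r in rules:
        if "anchor" in r:
            loaded = anchors.get(r["anchor"], [])   # empty when nothing is loaded
            verdict, stopped = _walk(loaded, anchors, pkt, verdict)
            if stopped:
                return verdict, True
        elif matches(r, pkt):
            verdict = (r["action"], r["label"])     # last match so far
            if r["quick"]:
                return verdict, True                # quick ends evaluation
    return verdict, False


def evaluate(main, anchors, pkt):
    """Return (action, label) of the rule that decides the packet."""
    # With no matching rule at all, pf passes the packet.
    verdict, _ = _walk(main, anchors, pkt, ("pass", "implicit default"))
    return verdict


EXT_ADDR = "158.64.125.147"  # assumption: pppoe0 address, taken from the log lines

# Filter rules of the posted pf.conf, in order (udp, ftp and icmp rules omitted).
MAIN = [
    rule("block", "block quick from hostile", quick=True, src_table=frozenset()),
    rule("block", "block quick inet6 all", quick=True, af="inet6"),
    rule("block", "block log (all) all"),
    rule("pass", "pass quick on lo0", quick=True, iface="lo0"),
    rule("pass", "pass quick on $int_if", quick=True, iface="sis0"),
    rule("pass", "pass out tcp", direction="out", iface="pppoe0", af="inet",
         proto="tcp", syn_only=True),
    anchor("emule"),
]

# Filter rules from the posted /etc/emule.pf.
EMULE = [
    rule("pass", "eMuleTCP", quick=True, direction="in", iface="pppoe0",
         af="inet", proto="tcp", dst=EXT_ADDR, dport={4661, 4662}, syn_only=True),
    rule("pass", "eMuleUDP", quick=True, direction="in", iface="pppoe0",
         af="inet", proto="udp", dst=EXT_ADDR, dport={4665, 4672}),
]


def packet(**overrides):
    """Constructed inbound packet modelled on the first log line."""
    pkt = dict(direction="in", iface="pppoe0", af="inet", proto="tcp",
               src="80.239.200.108", dst=EXT_ADDR, dport=4662, flags=SYN)
    pkt.update(overrides)
    return pkt


if __name__ == "__main__":
    print("anchor loaded, SYN:    ", evaluate(MAIN, {"emule": EMULE}, packet()))
    print("anchor empty, SYN:     ", evaluate(MAIN, {}, packet()))
    print("anchor loaded, non-SYN:", evaluate(MAIN, {"emule": EMULE}, packet(flags=ACK)))
```

In this model a SYN to port 4662 is decided by the anchor's quick pass rule, while the same packet with the anchor empty, or a packet that is not an initial SYN and has no state, falls back to block log (all) all.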



Re: C Compiler cannot create executable

2005-12-22 Thread Moritz Grimm

Reza Muhammad wrote:

C Compiler cannot create executable ?
what does it mean ? 


It can mean a lot of things, and since this looks like a message from a 
configure script, it might be the same issue that happened to me once. 
Check your environment variables -- for example, a 
CPPFLAGS=/usr/local/include could cause this (should be 
-I/usr/local/include). Typos like that happen ...


Clues for what the actual problem is can usually be found in the 
respective config.log file.



Moritz



Re: Greylisting google's gmail servers

2005-12-22 Thread Moritz Grimm

Nick Ryan wrote:

We have a problem getting mail from gmail through spamd. Google's gmail
public mail service use a large number of smtp servers. The first time


In addition to that, they also appear to be retrying either too fast or 
too slow ... *sigh*



rdr pass on $EXT_IF inet proto tcp from <spamd-mywhite> to any port 25 -> 127.0.0.1 port smtp   <== add this line
rdr pass on $EXT_IF inet proto tcp from <spamd> to any port 25 -> 127.0.0.1 port 8025
rdr pass on $EXT_IF inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025


Instead, I suggest to use a ``no rdr'' line after rdr'ing those in the 
blacklists to spamd.



/root/whitelist.txt:
216.239.32.0/19  #gmail servers


From my point of view on the Internet, gmail uses uproxy.gmail.com to 
send mail ... which happens to be in a different network than this (it's 
 all IPs of 66.249.92.192/28, i.e. from their 66.249.64.0/19 netblock.)



Moritz



OpenBSD is popular as a VM image

2005-12-22 Thread Will H. Backman
Just an update on the popularity of the OpenBSD 3.8 VM image:
Since it was posted on Dec 19 (4 days ago), apache logs have shown 2826
hits on the file with just over 277 gigs of traffic created by those
downloads.
Not bad for only a few days.
--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org



Re: low priority, pf rule set debugging

2005-12-22 Thread Peter N. M. Hansteen
Joachim Schipper [EMAIL PROTECTED] writes:

 I like to macro pretty much every variable that is used in more than one
 place (i.e., hostnames, ports, etc; hostnames are especially likely to
 be re-re-re-...-used). 

That is very good advice. I tend to advocate that myself.

 If you choose good names, it can make stuff easier to understand; and
 typos tend to be far more disastrous (either giving syntax errors or
 breaking a large part of the configuration), which is a good thing as
 you can then fix it immediately.

This also is very true. There is no silver bullet, but keeping your rule
set readable will help prevent a lot of headaches.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers The Usenet Bard, Twice-forwarded tales



Re: low priority, pf rule set debugging

2005-12-22 Thread David fire
hi
these days i was doing that, debugging the firewall
i do this
i put log in each rule i want to debug
then i pfctl -f /etc/pf.conf
then
pfctl -s rules > /home/david/rules.txt

then

tcpdump -n -e -ttt -i pflog0 <filter option>
you can look in the PF pdf for all the filter options

now try each rule and you will see what happened in the tcpdump output

good luck
David






2005/12/22, Peter N. M. Hansteen [EMAIL PROTECTED]:

 Joachim Schipper [EMAIL PROTECTED] writes:

  I like to macro pretty much every variable that is used in more than one
  place (i.e., hostnames, ports, etc; hostnames are especially likely to
  be re-re-re-...-used).

 That is very good advice. I tend to advocate that myself.

  If you choose good names, it can make stuff easier to understand; and
  typos tend to be far more disastrous (either giving syntax errors or
  breaking a large part of the configuration), which is a good thing as
  you can then fix it immediately.

 This also is very true. There is no silver bullet, but keeping your rule
 set readable will help prevent a lot of headaches.

 --
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://www.blug.linux.no/rfc1149/ http://www.datadok.no/
 http://www.nuug.no/
 First, we kill all the spammers The Usenet Bard, Twice-forwarded tales



Re: OpenBSD is popular as a VM image

2005-12-22 Thread Graham Toal
 Just an update on the popularity of the OpenBSD 3.8 VM image:
 Since it was posted on Dec 19 (4 days ago), apache logs have shown 2826
 hits on the file with just over 277 gigs of traffic created by those
 downloads.
 Not bad for only a few days.

I hope this isn't too OT for this list, but...

do you know if it is possible under VMWare to have the
virtual system be the only one which talks to the real
ether card, while having the hosted PC only communicate
to the net by routing via the VM'd system?

What I'm thinking is that we could set up an OpenBSD
as a personal firewall to a (cough, spit) Windows machine,
and channel all the IP for the Windows machine through
that VM'd OpenBSD system.  Currently I'm using an
extra box under my desk for a BSD firewall but since my
main PC is already running 3 emulated systems as my
development environment (one 'clean' PC for programming,
one Linux for a dev web server, and believe it or not
one emulated Vax/VMS for legacy work) it would be really
nice to throw the OBSD firewall under VMware as well
and have everything in one box!

(incidentally this is one of the nicest development
environments I've had for some time.  VMware is cool,
but having a PC with 3 flat panel displays is pretty
nice too!)


Graham



Re: OpenBSD 3.8 PPPoE Broadband Connection Howto

2005-12-22 Thread Bruno Carnazzi
  Hi,

At home, I have your working target :)
I use an OBSD/i386 3.8 box connected to an ADSL router, but configured
in bridge mode (modem-only). If you use a router, you don't have to
configure PPPoE on your OBSD. If you use a bridge (seems to be your
case), you need to configure PPPoE on your OBSD box, which will
receive a public IP from your ISP. For me, using 'chap' as an
authentication did the trick. I've documented all my adventure at
http://carbonara.kicks-ass.org/doku.php?id=openbsd:pppoerouter (in
French, sorry !)

OpenBSD helped me to understand PPPoE under the hood. In my mind,
it's an excellent (the best ?) teaching platform and a wonderful
production system.

Long life to OpenBSD !!

On 12/21/05, Siju George [EMAIL PROTECTED] wrote:
 Hi all,

 I have a new Broadband Internet connection. It uses PPPoE with a
 username and password to connect to internet.
 I can connect to Internet with Windows 2003 (easy click and configure)
 so the DSL Router is working and the username and password is correct.
 I would like to use OpenBSD 3.8 to connect to Internet with it and not
 Windows 2003.

 I read the man pages and FAQ and did accordingly ( I suppose ) and it
 is not working. Could some one please point out as to what could I
 have done wrong?

 Details of my OpenBSD 3.8 system:

 I have two interfaces rl0 rl1

 rl0 has the PPPoE connection and rl1 is connected to the LAN Switch.

 # ifconfig -a
 lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 33224
 groups: lo
 inet 127.0.0.1 netmask 0xff00
 inet6 ::1 prefixlen 128
 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
 rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
 lladdr 00:50:fc:7d:4e:50
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active
 inet6 fe80::250:fcff:fe7d:4e50%rl0 prefixlen 64 scopeid 0x1
 rl1: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500
 lladdr 00:08:a1:7b:bf:52
 media: Ethernet autoselect (100baseTX full-duplex)
 status: active
 inet 172.17.1.1 netmask 0xfff0 broadcast 172.31.255.255
 inet6 fe80::208:a1ff:fe7b:bf52%rl1 prefixlen 64 scopeid 0x2
 pflog0: flags=141UP,RUNNING,PROMISC mtu 33224
 pfsync0: flags=0 mtu 1348
 enc0: flags=0 mtu 1536
 pppoe0: flags=a851UP,POINTOPOINT,RUNNING,SIMPLEX,LINK1,MULTICAST mtu 1492
 dev: rl0 state: session
 sid: 0x10f1 PADI retries: 1 PADR retries: 0 time: 00:00:06
 groups: pppoe egress
 inet 0.0.0.0 -- 0.0.0.1 netmask 0x
 inet6 fe80::250:fcff:fe7d:4e50%pppoe0 -  prefixlen 64 scopeid 0x7

 # cat /etc/sysctl.conf |grep inet.ip.forwarding
 net.inet.ip.forwarding=1# 1=Permit forwarding (routing) of packets
 #
 # cat /etc/mygate
 cat: /etc/mygate: No such file or directory
 #
 # cat /etc/hostname.rl0
 up
 #
 # cat /etc/hostname.rl1
 inet 172.17.1.1 255.240.0.0 NONE
 #
 # cat /etc/hostname.pppoe0
 pppoedev rl0
 !/sbin/ifconfig rl0 up
 !/usr/sbin/spppcontrol \$if myauthproto=pap [EMAIL PROTECTED]
 myauthkey=zz
 !/sbin/ifconfig \$if inet 0.0.0.0 0.0.0.1 netmask 0x
 !/sbin/route add default 0.0.0.1
 link1 up
 #
 # cat /etc/pf.conf
 pass all
 #

 route show commands hangs for a long time :-(

 # route flush
 default  0.0.0.1  done
 loopback localhostdone
 172.16.1.0   00:11:95:c0:c7:33done
 BASE-ADDRESS.MCAST.N localhostdone
 ::/128   localhost.broadband. done
 ::/128   localhost.broadband. done
 ::127.0.0.0/128  localhost.broadband. done
 ::224.0.0.0/128  localhost.broadband. done
 ::255.0.0.0/128  localhost.broadband. done
 :::0.0.0.0/128   localhost.broadband. done
 2002::/128   localhost.broadband. done
 2002:7f00::/128  localhost.broadband. done
 2002:e000::/128  localhost.broadband. done
 2002:ff00::/128  localhost.broadband. done
 fe80::/128   localhost.broadband. done
 fe80::250:fcff:fe7d: 00:50:fc:7d:4e:50done
 fe80::208:a1ff:fe7b: 00:08:a1:7b:bf:52done
 fe80::1%lo0  link#6   done
 fe80::250:fcff:fe7d: link#7   done
 fec0::/128   localhost.broadband. done
 #
 # sh /etc/netstart
 spppcontrol: SIOCSIFGENERIC(SPPPIOSDEFS): Device busy
 add net default: gateway 0.0.0.1
 #

 What could be the problem?

 How do I debug this?

 Thankyou so much :-)

 kind regards

 Siju



Re: OpenBSD is popular as a VM image

2005-12-22 Thread Jason Crawford
On 12/22/05, Graham Toal [EMAIL PROTECTED] wrote:
  Just an update on the popularity of the OpenBSD 3.8 VM image:
  Since it was posted on Dec 19 (4 days ago), apache logs have shown 2826
  hits on the file with just over 277 gigs of traffic created by those
  downloads.
  Not bad for only a few days.

 I hope this isn't too OT for this list, but...

 do you know if it is possible under VMWare to have the
 virtual system be the only one which talks to the real
 ether card, while having the hosted PC only communicate
 to the net by routing via the VM'd system?

 What I'm thinking is that we could set up an OpenBSD
 as a personal firewall to a (cough, spit) Windows machine,
 and channel all the IP for the Windows machine through
 that VM'd OpenBSD system.  Currently I'm using an
 extra box under my desk for a BSD firewall but since my
 main PC is already running 3 emulated systems as my
 development environment (one 'clean' PC for programming,
 one Linux for a dev web server, and believe it or not
 one emulated Vax/VMS for legacy work) it would be really
 nice to throw the OBSD firewall under VMware as well
 and have everything in one box!

 (incidentally this is one of the nicest development
 environments I've had for some time.  VMware is cool,
 but having a PC with 3 flat panel displays is pretty
 nice too!)

I have a very similar setup going on, but not with that VMware player
or whatever it is. I have my host machine with 3 network cards in it,
only 1 of which has an IP on the host machine, the other two network
cards are ip-less for the host, but virtuals use them with IPs, and
the hosted machine routes through one of the virtual machines to
actually get out to the Internet. I won't go into any further details
on-list, as this is pretty OT, so email me privately if you need
further explanation.

Jason



New email address added to your Downey Savings account

2005-12-22 Thread [EMAIL PROTECTED]
Downey Savings - Welcome To A Friendlier Easier Way Of Banking

You have added [EMAIL PROTECTED] as a new email address for your
Downey Online Banking.

If you did not authorize this change or if you need assistance with your
account, please contact Downey Savings customer service at:

https://www.downeysavingsonlinebanking.com/onlineserv/HB/Signon.cgi

Thank you for using Downey Savings!
The Downey Savings Team

Please do not reply to this e-mail. Mail sent to this address cannot be
answered. For assistance, log in to your Downey Savings account and
choose the Help link in the header of any page.

--

Downey Savings Email ID PP694182



crypto disk

2005-12-22 Thread Ed White
Quoting from: http://www.onlamp.com/lpt/a/6384


The biggest drawback of svnd is its lack of security in the general use case. 
It is vulnerable to an offline dictionary attack. That is, you can generate a 
database mapping known ciphertext blocks on the disk back into pass phrases 
that can be accessed in O(1) without even being in possession of the disk. 
What's even worse is that the same database will work on any svnd disk. It is 
possible--and perhaps even likely--that large agencies such as the NSA have 
constructed such a database and can crack a majority of the svnds in the 
world in less than a second. The way that one prevents an offline dictionary 
attack is to use a salt in conjunction with the pass phrase, and this is what 
I did when I wrote CGD by using PKCS#5 PBKDF2. Offline dictionary attacks 
have been well-known since at least the '70s, and salting the pass phrase has 
been standard practice for over 30 years.

OpenBSD's solution only supports Blowfish, whereas I wanted to ensure that CGD 
had the flexibility to support a small range of ciphers. This is important 
for a number of reasons, but mainly we want to provide our users with the 
ability to make cost-versus-risk decisions. Blowfish is fast, but probably 
less secure than AES. In some situations, users will decide that speed is 
more important than security, and in others the reverse will be true. Also, 
if security issues are discovered in one cipher that we support, then users 
can change their CGDs to use one of the other ciphers without needing to 
upgrade to a new version of the operating system. Blowfish also has a 
cipherblock size of 64 bits, which for sufficiently large disks might be 
small enough to allow some level of structural analysis.


Is there any chance to see Ted Unangst's port imported?
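
The salting argument in the quoted article, shown as an added example (not code from the article, from svnd or from CGD): a precomputed table built for a pass-phrase-only key derivation works against every disk, while a table built for PBKDF2 is only good for the one salt it was computed with. The unsalted derivation, the keyed stand-in for block encryption, the wordlist and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed data: a tiny wordlist and a plaintext block assumed to be
# predictable on every freshly formatted disk (for example a filesystem header).
WORDLIST = ["letmein", "puffy", "correct horse", "blowfish"]
KNOWN_BLOCK = b"\x00" * 16


def unsalted_kdf(passphrase, salt=None):
    # Hypothetical stand-in for any derivation that depends on the pass phrase
    # only; the salt argument is accepted and ignored.
    return hashlib.sha256(passphrase.encode()).digest()


def salted_kdf(passphrase, salt, iterations=2000):
    # PKCS#5 PBKDF2: the per-disk salt is mixed into every derived key.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt,
                               iterations, dklen=32)


def first_block(key):
    # Stand-in for "ciphertext of the known block under this key". A keyed,
    # deterministic function is all the argument needs; no real cipher is used.
    return hmac.new(key, KNOWN_BLOCK, hashlib.sha256).digest()


def make_disk(passphrase, kdf, salt=None):
    """What is visible on a disk at rest: the salt (if any) and one block."""
    return {"salt": salt, "block": first_block(kdf(passphrase, salt))}


def build_table(kdf, salt=None):
    """Precompute ciphertext block -> pass phrase for the whole wordlist."""
    return {first_block(kdf(word, salt)): word for word in WORDLIST}


def lookup(table, disk):
    """O(1) lookup of a disk's block in a precomputed table."""
    return table.get(disk["block"])


def demo():
    salt_a, salt_b = b"\x01" * 16, b"\x02" * 16   # constructed per-disk salts

    # Unsalted: one table, built without seeing any disk, opens all of them.
    generic = build_table(unsalted_kdf)
    weak_1 = make_disk("puffy", unsalted_kdf)
    weak_2 = make_disk("blowfish", unsalted_kdf)

    # Salted: the same pass phrase gives unrelated blocks on two disks, so a
    # table has to be rebuilt for each disk after its salt is known.
    strong_a = make_disk("puffy", salted_kdf, salt_a)
    strong_b = make_disk("puffy", salted_kdf, salt_b)
    table_a = build_table(salted_kdf, salt_a)

    return {
        "generic_hits": [lookup(generic, weak_1), lookup(generic, weak_2)],
        "generic_vs_salted": lookup(generic, strong_a),
        "table_a_on_a": lookup(table_a, strong_a),
        "table_a_on_b": lookup(table_a, strong_b),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```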



Re: OpenBSD is popular as a VM image

2005-12-22 Thread francisco

On Thu, 22 Dec 2005, Graham Toal wrote:


Just an update on the popularity of the OpenBSD 3.8 VM image:
Since it was posted on Dec 19 (4 days ago), apache logs have shown 2826
hits on the file with just over 277 gigs of traffic created by those
downloads.
Not bad for only a few days.


I hope this isn't too OT for this list, but...

do you know if it is possible under VMWare to have the
virtual system be the only one which talks to the real
ether card, while having the hosted PC only communicate
to the net by routing via the VM'd system?

What I'm thinking is that we could set up an OpenBSD
as a personal firewall to a (cough, spit) Windows machine,
and channel all the IP for the Windows machine through
that VM'd OpenBSD system.


Was doing something similar a while back -
http://www.blackant.net/other/docs/howto-win-obsd-pf.php

Some issues with it, check out -
http://www.undeadly.org/cgi?action=article&sid=20020818020316


The December 2005 issue of ;login: has an article about this topic as 
well, it helps that VMware usb device support has grown -

http://www.usenix.org/publications/login/2005-12/index.html

The Virtual Firewall project mentioned in the article -
http://www.cs.drexel.edu/~vp/VirtualFirewall/


Coincidentally, the same ;login: issue has an article "Linux vs. OpenBSD:
A Firewall Performance Test" where they test RedHat 7.3 (2.4 kernel) and
OpenBSD 3.3.  It's anyone's guess why they would print an article about 2 
unsupported OS's that are over 2 years old each.


-f
http://www.blackant.net/



Unable to build Gateway route

2005-12-22 Thread martin
Hello.

I've been running other firewalls on this IP address with the same
settings in the past, but am having problems setting up the Gateway
with OpenBSD 3.8.  It comes back with  no route to host and when I do
a netstat -rn, the Gateway is missing even though /etc/mygate exists.

IP - 209.216.76.1
Netmask - 255.255.255.252
GW - 209.216.77.6

Any clues to what is going on ?



Re: Unable to build Gateway route

2005-12-22 Thread Jason Crawford
On 12/22/05, martin [EMAIL PROTECTED] wrote:
 Hello.

 I've been running other firewalls on this IP address with the same
 settings in the past, but am having problems setting up the Gateway
 with OpenBSD 3.8.  It comes back with  no route to host and when I do
 a netstat -rn, the Gateway is missing even though /etc/mygate exists.

 IP - 209.216.76.1
 Netmask - 255.255.255.252
 GW - 209.216.77.6

Either a typo in your netmask, or a typo in your gateway, since your
gateway IP does not belong to the current netmask you assigned to your
external IP. I have a feeling it's a typo in the netmask as that's a
very very small one.

Jason



Re: Unable to build Gateway route

2005-12-22 Thread Chris Smith
On Thursday 22 December 2005 13:12, you wrote:
  It comes back with  no route to host and when I do
 a netstat -rn, the Gateway is missing even though /etc/mygate exists.

 IP - 209.216.76.1
 Netmask - 255.255.255.252
 GW - 209.216.77.6

How do you get to the gateway? It isn't on the subnet. Your netmask 
creates a network address of 209.216.76.0 with only 2 hosts 
209.216.76.1 and 209.216.76.2.

Change the IP address of the host to 209.216.76.5, or use a gateway 
address of 209.216.76.2, or an alternative netmask that will provide 
you with a larger subnet allowing your current IP to get to the current 
gateway, such as 255.255.255.248.

Chris



Re: Unable to build Gateway route

2005-12-22 Thread martin
--- Jason Crawford [EMAIL PROTECTED] wrote:


  IP - 209.216.76.1
  Netmask - 255.255.255.252
  GW - 209.216.77.6
 
 Either a typo in your netmask, or a typo in your gateway, since your
 gateway IP does not belong to the current netmask you assigned to
 your
 external IP. I have a feeling it's a typo in the netmask as that's a
 very very small one.
 
 Jason


Jason.

The figures are correct (I wondered about the unusual GW when I first
rx'd it but they said it was correct).  The thing is, I've had this
connection for a couple of years and have run a  number of firewalls
with no issue with these ie. Linux Router Project, Freesco and others I
have tested.  It is running now with a commercial firewall with no
problems.

Can I force it to accept the gateway IP ?

Regards...Martin



Re: Unable to build Gateway route

2005-12-22 Thread Will H. Backman

martin wrote:

 --- Jason Crawford [EMAIL PROTECTED] wrote:

   IP - 209.216.76.1
   Netmask - 255.255.255.252
   GW - 209.216.77.6

  Either a typo in your netmask, or a typo in your gateway, since your
  gateway IP does not belong to the current netmask you assigned to
  your
  external IP. I have a feeling it's a typo in the netmask as that's a
  very very small one.

  Jason

 Jason.

 The figures are correct (I wondered about the unusual GW when I first
 rx'd it but they said it was correct).  The thing is, I've had this
 connection for a couple of years and have run a  number of firewalls
 with no issue with these ie. Linux Router Project, Freesco and others I
 have tested.  It is running now with a commercial firewall with no
 problems.

 Can I force it to accept the gateway IP ?

 Regards...Martin


That setup just doesn't make sense.  Have you double and triple checked it?
It is hard to believe that it would work with anything.  If it has, then 
there are really big problems with everything else.




Re: Unable to build Gateway route

2005-12-22 Thread Jason Crawford
On 12/22/05, martin [EMAIL PROTECTED] wrote:


 --- Jason Crawford [EMAIL PROTECTED] wrote:


   IP - 209.216.76.1
   Netmask - 255.255.255.252
   GW - 209.216.77.6
  
  Either a typo in your netmask, or a typo in your gateway, since your
  gateway IP does not belong to the current netmask you assigned to
  your
  external IP. I have a feeling it's a typo in the netmask as that's a
  very very small one.
 
  Jason


 Jason.

 The figures are correct (I wondered about the unusual GW when I first
 rx'd it but they said it was correct).  The thing is, I've had this
 connection for a couple of years and have run a  number of firewalls
 with no issue with these ie. Linux Router Project, Freesco and others I
 have tested.  It is running now with a commercial firewall with no
 problems.

 Can I force it to accept the gateway IP ?

 Regards...Martin

Unless they don't follow IPv4 specs properly, with those exact
numbers, none of them should work. 209.216.76.1 is nowhere near
209.216.77.6 so the netmask of 255.255.255.252 will not let you talk
to 209.216.77.6 without another route. My guess, 255.255.252.0 is the
netmask you want, as that would include both IPs. Or maybe you
mistyped the 3rd set, and they should both be 76 or 77, although
you'll still have to change the netmask to something like
255.255.255.240. Whether other OS's worked or not is irrelevant, the
current WILL NOT WORK with an OS that follows the IPv4 spec PROPERLY.
If your ISP is indeed handing this info to you, then they are complete
morons, as it WILL NOT WORK.

Jason
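
The subnet membership test the replies above apply by hand, as an added example (not code from any poster in this thread). The function names are hypothetical, and it goes slightly beyond the thread by also computing the narrowest netmask that would put the host and the gateway on one subnet.

```python
import ipaddress


def on_link(host_ip, netmask, gateway):
    """True if the gateway lies inside the subnet configured on the interface."""
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    return ipaddress.ip_address(gateway) in iface.network


def usable_hosts(host_ip, netmask):
    """Host addresses of the interface's subnet (network/broadcast excluded)."""
    net = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    return [str(h) for h in net.hosts()]


def smallest_common_netmask(host_ip, gateway):
    """Narrowest (prefix length, netmask) that holds both addresses as hosts."""
    a = ipaddress.IPv4Address(host_ip)
    b = ipaddress.IPv4Address(gateway)
    # The highest differing bit decides how many leading bits the two share.
    prefix = 32 - (int(a) ^ int(b)).bit_length()
    while prefix > 0:
        net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
        reserved = (net.network_address, net.broadcast_address)
        # Widen if either address would be the network or broadcast address.
        if a not in reserved and b not in reserved:
            break
        prefix -= 1
    net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    return net.prefixlen, str(net.netmask)


if __name__ == "__main__":
    # Values quoted in the thread.
    ip, mask, gw = "209.216.76.1", "255.255.255.252", "209.216.77.6"
    print("gateway on-link with", mask, ":", on_link(ip, mask, gw))
    print("hosts in that subnet:", usable_hosts(ip, mask))
    print("with 255.255.252.0:", on_link(ip, "255.255.252.0", gw))
    print("narrowest common netmask:", smallest_common_netmask(ip, gw))
```

With the posted values the gateway is off-link, which is why the default route from /etc/mygate cannot be installed without a wider netmask or an additional route to the gateway.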



Re: Unable to build Gateway route

2005-12-22 Thread Chris Smith
On Thursday 22 December 2005 14:46, Chris Smith wrote:
 GW - 209.216.77.6

Oops...I read that as 209.216.76.6 and not 209.216.77.6, so your netmask 
would have to be different than what I suggested.

Do you have another network device?

The gateway address is usually the address that your system uses to get 
to all places not on your local subnet (excluding more specific 
routing rules). It's clear you can't get there with your current device 
set up with that IP/mask.

Chris



Re: Unable to build Gateway route

2005-12-22 Thread Bryan Irvine
On 12/22/05, martin [EMAIL PROTECTED] wrote:
 --- Jason Crawford [EMAIL PROTECTED] wrote:


   IP - 209.216.76.1
   Netmask - 255.255.255.252
   GW - 209.216.77.6
  
  Either a typo in your netmask, or a typo in your gateway, since your
  gateway IP does not belong to the current netmask you assigned to
  your
  external IP. I have a feeling it's a typo in the netmask as that's a
  very very small one.
 
  Jason


 Jason.

 The figures are correct (I wondered about the unusual GW when I first
 rx'd it but they said it was correct).  The thing is, I've had this
 connection for a couple of years and have run a  number of firewalls
 with no issue with these ie. Linux Router Project, Freesco and others I
 have tested.  It is running now with a commercial firewall with no
 problems.

I really really doubt it. The point of the router is to route 2 or more
networks together.  How on earth can you route 2 networks together
when there isn't a router for your network? In other words: your
network needs a gateway on your segment in order to find its way to
what you are telling us is your gateway.

I don't see how *anything* would work with those, and would go so far
as to say that anything that would work with those is broken.

--Bryan



Re: Unable to build Gateway route

2005-12-22 Thread Greg Thomas
On 12/22/05, martin [EMAIL PROTECTED] wrote:
 --- Jason Crawford [EMAIL PROTECTED] wrote:


   IP - 209.216.76.1
   Netmask - 255.255.255.252
   GW - 209.216.77.6
  
  Either a typo in your netmask, or a typo in your gateway, since your
  gateway IP does not belong to the current netmask you assigned to
  your
  external IP. I have a feeling it's a typo in the netmask as that's a
  very very small one.
 
  Jason


 Jason.

 The figures are correct (I wondered about the unusual GW when I first
 rx'd it but they said it was correct).  The thing is, I've had this
 connection for a couple of years and have run a  number of firewalls
 with no issue with these ie. Linux Router Project, Freesco and others I
 have tested.  It is running now with a commercial firewall with no
 problems.

We'll have to take your word for that but with the limited info you
have provided this is very non-standard.  Who's the provider?  Are you
sure you're missing any info?


 Can I force it to accept the gateway IP ?


With that netmask for basic IP routing those two IPs are on different subnets.

Greg



Weird Issue with FTP and pf(8)

2005-12-22 Thread eric
Here's something strange. I'm trying to connect from a pf gateway to an ftp
server and it's failing in a very specific manner. Going through the pf
gateway works fine using passive mode, but from the gateway itself using
ftp(1) doesn't seem to work.

Observe:

$ ftp ftp.example.org

[ login as anonymous ]

ftp> ls
229 Entering Extended Passive Mode (|||62283|)
435 Can't build data connection: No such file or directory.
ftp> ls
229 Entering Extended Passive Mode (|||50641|)
150 Opening ASCII mode data connection for '/bin/ls'.
total 16
drwxr-xr-x  10 1000  1000  512 Nov 15 15:10 OpenBSD
226 Transfer complete.

Why would I be getting a failed LIST the first time? This is very
reproducible: basically every second time a dir or ls will work.

Here's my pf from the host connecting to the FTP server. (The machine these
rules are from is 3.8-STABLE.)


##

blah = 10.18.209.66

binat  on $ext_if from 192.168.217.244 to any -> $blah
nat   on $ext_if from any to any -> ($ext_if)
rdr   on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
scrub out all no-df random-id max-mss 1440 fragment reassemble
scrub in all no-df min-ttl 2 fragment reassemble
block return log all label any-block-log
block drop log from <idiots> to any
block drop in log on ! em0 inet from 10.18.209.0/24 to any label em0-antispoof
block drop in log on ! em0 inet from 10.18.209.48 to any label em0-antispoof
block drop in log on em0 inet6 from fe80::20d:56ff:fefa:3b8f to any label 
em0-antispoof
block drop in log inet from 10.18.209.79 to any label any-antispoof
block drop in log inet from 10.18.209.48 to any label any-antispoof
block drop in log on ! rl0 inet from 192.168.217.240/28 to any label 
rl0-antispoof
block drop in log inet from 192.168.217.241 to any label any-antispoof
block drop in log on rl0 inet6 from fe80::240:f4ff:fe71:8305 to any label 
rl0-antispoof
pass out quick proto tcp from any port = ssh to any flags S/SA modulate state 
queue(ssh_dfl, ssh_pri)
pass out quick inet proto tcp from any port = 3128 to any flags A/A keep state 
queue http
pass in on em0 inet proto tcp from any port = ftp-data to (em0) user = 71 flags 
S/SA keep state label ftpproxy
pass out quick proto tcp from any port = www to any flags A/A keep state queue 
httplo
pass out quick proto tcp from any port = https to any flags S/SA modulate state 
queue http
pass out quick proto tcp from any port = smtp to any flags S/SA modulate state 
queue smtp
pass out quick proto tcp from any port = domain to any flags S/SA modulate 
state queue dns_tcp
pass out quick proto tcp from any to any port = domain keep state queue dns_tcp
pass out quick proto udp from any to any port = domain keep state queue dns_udp
pass out quick proto udp from any to any port = ntp keep state queue dns_ntp
pass out quick proto tcp all modulate state queue(tcp_dfl, tcp_pri)
pass out quick proto udp all keep state queue udp
pass out quick inet proto icmp all keep state queue icmp
pass out quick inet6 proto ipv6-icmp all keep state queue icmp
pass out quick all queue default
block return-rst log proto tcp all flags /S queue default
block return-rst log proto tcp all flags A/A queue default
pass in on rl0 inet proto udp from any to any port = bootps keep state label 
rl0-bootps-in
pass in on rl0 inet proto udp from 192.168.217.240/28 to 192.168.217.241 port = 
domain keep state label rl0-domain-udp-in
pass in on rl0 inet proto tcp from 192.168.217.240/28 to 192.168.217.241 port = 
domain modulate state label rl0-domain-tcp-in
pass in on rl0 inet proto udp from 192.168.217.240/28 to 192.168.217.241 port = 
ntp keep state label rl0-ntp-in
pass in inet6 proto ipv6-icmp all icmp6-type toobig
pass in inet6 proto ipv6-icmp all icmp6-type paramprob
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in log on rl0 inet6 proto ipv6-icmp all icmp6-type routersol
pass in log on rl0 inet6 proto ipv6-icmp all icmp6-type routeradv
pass in log inet6 proto ipv6-icmp all icmp6-type echoreq keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in proto tcp from any to any port = auth modulate state label 
any-identd-in
pass in proto tcp from any to any port = smtp modulate state label any-smtp-in
pass in quick inet proto tcp from 192.168.217.240/28 to ! 192.168.217.241 flags 
S/SA modulate state
pass in quick inet proto tcp from 192.168.217.240/28 to ! 192.168.217.241 keep 
state
pass in quick inet proto udp from 192.168.217.240/28 to ! 192.168.217.241 keep 
state
pass in quick inet from 192.168.217.240/28 to ! 192.168.217.240/28 keep state
pass in quick inet proto tcp from 192.168.217.240/28 to 192.168.217.241 port = 
ssh modulate state



Re: Unable to build Gateway route

2005-12-22 Thread Vijay Sankar
Are you using PPPoE for connecting to your ISP? 

I don't want to waste your time with suggestions about PPPoE-related
troubleshooting if that is not appropriate. I mention this because the only
comparable routing entries that I have seen (to what you describe in your
email) is with tun devices. It will be very helpful to have additional
information.

Here is an example from one of the OBSD firewalls here that uses PPPoE:

$ uptime
 2:56PM  up 183 days, 23:44, 2 users, load averages: 0.07, 0.08, 0.08

$ netstat -nrf inet
Routing tables

Internet:
Destination    Gateway        Flags Refs Use    Mtu    Interface
default        205.200.28.28  UGS 2 13884207   1400   tun0
127.0.0.1      127.0.0.1      UH  0   260868  33224   lo0
205.200.28.28  206.45.64.231  UH  10   1400   tun0

$ ifconfig -a 

tun0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1400
inet 206.45.64.231 --> 205.200.28.28 netmask 0x

Other than some set up like this, I cannot see how 209.216.77.6 can be the
default gateway for an interface with the IP address 209.216.76.1.

Vijay

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
martin
Sent: December 22, 2005 12:13 PM
To: misc@openbsd.org
Subject: Unable to build Gateway route

Hello.

I've been running other firewalls on this IP address with the same
settings in the past, but am having problems setting up the Gateway
with OpenBSD 3.8. It comes back with no route to host and when I do
a netstat -rn, the Gateway is missing even though /etc/mygate exists.

IP - 209.216.76.1
Netmask - 255.255.255.252
GW - 209.216.77.6

Any clues to what is going on ?



Re: DSL Internet Connection Question

2005-12-22 Thread Robert C Wittig
Hello Robert,

Wednesday, December 21, 2005, 4:20:28 PM, you wrote:

RCW Would adding the line:

RCW supercede domain-name-servers dns.IP.address.1 dns.IP.address.2;

RCW ...do the job of hardcoding:

RCW nameserver dns.IP.address.1
RCW nameserver dns.IP.address.2

RCW ...into the 'resolv.conf' file?

Answering my own question...

the syntax and corrected spelling that works for this, is:

supersede domain-name-servers dns.IP.address.1, dns.IP.address.2;

Works great... but still does not address why a kludge is needed,
which I now will get to work figuring out.


TU You should however check, why you get wrong values from your
TU router.

I have given this some thought... since the same value...
192.168.1.254 which is the internal IP value on the modem/router, is
the same value that is passed to Red Hat, and Windows, and works for
them, I do not think the value is 'wrong'... and since it also works
with OpenBSD, but with about a 60 second delay (like something times
out, and then defaults to a secondary (else) behaviour, which does
work...

...I suspect that I have something else set wrong, for when I
installed the operating system, and when I eventually, using trial and
error, on one thing at a time, get lucky and change the right
variable, I will be able to remove the hard-coded DNS IP's from
dhclient.conf, and things will run smoothly.

At least now, I can use the machine with Internet access, while I
figure out the right configuration.

-wittig http://www.robertwittig.com/
.



Genesys Logic USB2.0 Hub keyboard and keyboard.repeat.deln

2005-12-22 Thread Oliver Fuchs
Hello,
I used to change the behavior of my keyboard with 
/etc/wsconsctl.conf:
keyboard.repeat.del1=200        # change keyboard repeat/delay
keyboard.repeat.deln=40
Now I plugged it to usb (see dmesg) - but from then on I am not able
to change the behavior anymore with wsconsctl. I am not sure but is
wsconsctl not able to change the settings of
keyboard.repeat.del1 and keyboard.repeat.deln
for USB keyboards?

Here is my dmesg:
OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class, 128KB L2 cache) 898 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem  = 267952128 (261672K)
avail mem = 237613056 (232044K)
using 3296 buffers containing 13500416 bytes (13184K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(bb) BIOS, date 08/13/01, BIOS32 rev. 0 @ 0xfb460
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xb8e0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdd00/144 (7 entries)
pcibios0: PCI Exclusive IRQs: 10 11
pcibios0: PCI Interrupt Router at 000:07:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xa000 0xcc000/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT82C691 PCI rev 0xc4
ppb0 at pci0 dev 1 function 0 VIA VT82C598 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 Nvidia Vanta rev 0x11
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 7 function 0 VIA VT82C686 ISA rev 0x40
pciide0 at pci0 dev 7 function 1 VIA VT82C571 IDE rev 0x06: ATA100, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: ST340015A
wd0: 16-sector PIO, LBA, 38166MB, 78165360 sectors
wd1 at pciide0 channel 0 drive 1: WDC WD800BB-00DAA3
wd1: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
wd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, DV-516E, 2.01 SCSI0 5/cdrom removable
atapiscsi1 at pciide0 channel 1 drive 1
scsibus1 at atapiscsi1: 2 targets
cd1 at scsibus1 targ 0 lun 0: MITSUMI, CR-48X8TE, 1.1B SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
cd1(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 7 function 2 VIA VT83C572 USB rev 0x16: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 7 function 3 VIA VT83C572 USB rev 0x16: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
viaenv0 at pci0 dev 7 function 4 VIA VT82C686 SMBus rev 0x40
rl0 at pci0 dev 15 function 0 Realtek 8139 rev 0x10: irq 11 address 
00:40:f4:63:c0:f5
rlphy0 at rl0 phy 0: RTL internal phy
cmpci0 at pci0 dev 17 function 0 C-Media Electronics CMI8738/C3DX Audio rev 
0x10: irq 10
audio0 at cmpci0
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask f765 netmask ff65 ttymask ffe7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
uhub2 at uhub0 port 1
uhub2: Genesys Logic USB2.0 Hub, rev 2.00/6.0b, addr 2
uhub2: 4 ports with 4 removable, self powered
uhidev0 at uhub0 port 2 configuration 1 interface 0
uhidev0: Logitech USB Receiver, rev 1.10/21.00, addr 3, iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub0 port 2 configuration 1 interface 1
uhidev1: Logitech USB Receiver, rev 1.10/21.00, addr 3, iclass 3/1
uhidev1: 4 report ids
ums0 at uhidev1 reportid 1: 16 buttons and Z dir.
wsmouse0 at ums0 mux 0
uhid0 at uhidev1 reportid 2: input=2, output=0, feature=0
uhid1 at uhidev1 reportid 3: input=1, output=0, feature=0
uhid2 at uhidev1 reportid 4: input=3, output=0, feature=0
wd0: no disk label
dkcsum: wd0 matches BIOS drive 0x80
dkcsum: wd1 matches BIOS drive 0x81
root on wd1a
rootdev=0x10 rrootdev=0x310 rawdev=0x312

Oliver
-- 
... don't touch the bang bang fruit



BerkeleyDB on 3.8

2005-12-22 Thread J.D. Bronson

How can I tell what version the BDB is that comes within OpenBSD 3.8?

thanks

-JD



Re: BerkeleyDB on 3.8

2005-12-22 Thread steven mestdagh
On Thu, Dec 22, 2005 at 05:10:56PM -0600, J.D. Bronson wrote:
 How can I tell what version the BDB is that comes within OpenBSD 3.8?

see FAQ 15.2.3.

-- 
steven

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm



Re: BerkeleyDB on 3.8

2005-12-22 Thread Ted Unangst
On 12/22/05, steven mestdagh [EMAIL PROTECTED] wrote:
 On Thu, Dec 22, 2005 at 05:10:56PM -0600, J.D. Bronson wrote:
  How can I tell what version the BDB is that comes within OpenBSD 3.8?

look in cvs.  the answer is 1.85 plus some of 1.86 plus some other patches.

 see FAQ 15.2.3.

not so useful for the libraries that are shipped in base.



Re: BerkeleyDB on 3.8

2005-12-22 Thread J.D. Bronson

At 05:32 PM 12/22/2005, Ted Unangst wrote:

On 12/22/05, steven mestdagh [EMAIL PROTECTED] wrote:
 On Thu, Dec 22, 2005 at 05:10:56PM -0600, J.D. Bronson wrote:
  How can I tell what version the BDB is that comes within OpenBSD 3.8?

look in cvs.  the answer is 1.85 plus some of 1.86 plus some other patches.

 see FAQ 15.2.3.

not so useful for the libraries that are shipped in base.


I was looking at that FAQ and was wondering what I was missing.

Thanks to all of you who responded. I had a guess it was 1.x and 
that's fine. It works for me.




Re: BerkeleyDB on 3.8

2005-12-22 Thread Jason Crawford
On 12/22/05, J.D. Bronson [EMAIL PROTECTED] wrote:
 How can I tell what version the BDB is that comes within OpenBSD 3.8?

 thanks

Check out http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/db/ to
see the one included with OpenBSD, and /usr/ports/databases/db/ for
other versions.

Jason



erratic networking problem

2005-12-22 Thread Han Boetes
Hi,

This problem has been bugging me for month now. It started
happening a month after 3.8 got tagged. At least, that's when I
started noticing it. So it might be anything. But I suspect the
OpenBSD side the most since returning to an older Linux release on
the client from a liveCD didn't fix the problem. The OpenBSD
server doesn't have a CD-drive.

OpenBSD server - linux client
Both rtl8169 gigabit networkcards

Uploading to the server goes with 11Mbytes/s, the speedlimit of
the ide harddrives, but the downloading goes with erratic
speeds. 1Mbyte/s at best, 100Kbyte/s most of the time, sometimes
no more than 20Kbytes/s

So I started examining and found a lot of fragmentation. So I
resolved that first by turning down the packetsize to 1024 for
nfs.

I disabled and enabled scrubbing, it didn't make a difference
either

I also tried disabling the pf firewall completely. No difference
either.

And I disabled net.ipv4.tcp_ecn on both machines. Still the same.

I wonder if anyone has the magical solution.


`sudo tcpdump -pnettti re0 not port ssh' output while nfs file transfer:

Dec 23 02:09:30.155481 0:8:a1:3c:34:7a 0:8:a1:3c:34:79 0800 186: 172.16.11.3.1022 > 172.16.11.1.2049: xid 0xfdc03144 144 read [|nfs] (DF)
Dec 23 02:09:30.155515 0:8:a1:3c:34:7a 0:8:a1:3c:34:79 0800 186: 172.16.11.3.1022 > 172.16.11.1.2049: xid 0xfec03144 144 read [|nfs] (DF)
Dec 23 02:09:30.155545 0:8:a1:3c:34:7a 0:8:a1:3c:34:79 0800 186: 172.16.11.3.1022 > 172.16.11.1.2049: xid 0xffc03144 144 read [|nfs] (DF)
Dec 23 02:09:30.155766 0:8:a1:3c:34:79 0:8:a1:3c:34:7a 0800 1194: 172.16.11.1.2049 > 172.16.11.3.1022: xid 0xfdc03144 reply ok 1152 read
Dec 23 02:09:30.155896 0:8:a1:3c:34:79 0:8:a1:3c:34:7a 0800 1194: 172.16.11.1.2049 > 172.16.11.3.1022: xid 0xfec03144 reply ok 1152 read

BTW : without -p (promiscuous) mode the connection gets killed in a matter of 
seconds.

~% ping -s 8000 172.16.11.3
PING 172.16.11.3 (172.16.11.3): 8000 data bytes
8008 bytes from 172.16.11.3: icmp_seq=0 ttl=64 time=0.819 ms
8008 bytes from 172.16.11.3: icmp_seq=1 ttl=64 time=0.745 ms
8008 bytes from 172.16.11.3: icmp_seq=2 ttl=64 time=0.756 ms
8008 bytes from 172.16.11.3: icmp_seq=3 ttl=64 time=0.737 ms
8008 bytes from 172.16.11.3: icmp_seq=5 ttl=64 time=0.770 ms
8008 bytes from 172.16.11.3: icmp_seq=6 ttl=64 time=0.751 ms
8008 bytes from 172.16.11.3: icmp_seq=8 ttl=64 time=0.770 ms
8008 bytes from 172.16.11.3: icmp_seq=9 ttl=64 time=0.746 ms
8008 bytes from 172.16.11.3: icmp_seq=10 ttl=64 time=0.755 ms
8008 bytes from 172.16.11.3: icmp_seq=11 ttl=64 time=0.749 ms
8008 bytes from 172.16.11.3: icmp_seq=12 ttl=64 time=0.769 ms
8008 bytes from 172.16.11.3: icmp_seq=13 ttl=64 time=0.756 ms

There is lots of packetloss, also very high pingtimes were
reported.


`sudo tcpdump -pnettti re0 not port ssh' output while doing `ping -s 8000 
172.16.11.3' 
Dec 23 02:14:14.629981 0:8:a1:3c:34:79 0:8:a1:3c:34:7a 0800 1514: 172.16.11.1 > 172.16.11.3: icmp: echo request (frag 36405:[EMAIL PROTECTED])
Dec 23 02:14:14.629990 0:8:a1:3c:34:79 0:8:a1:3c:34:7a 0800 1514: 172.16.11.1 > 172.16.11.3: (frag 36405:[EMAIL PROTECTED])
Dec 23 02:14:14.629995 0:8:a1:3c:34:79 0:8:a1:3c:34:7a 0800 1514: 172.16.11.1 > 172.16.11.3: (frag 36405:[EMAIL PROTECTED])
Dec 23 02:14:14.630001 0:8:a1:3c:34:79 0:8:a1:3c:34:7a 0800 1514: 172.16.11.1 > 172.16.11.3: (frag 36405:[EMAIL PROTECTED])
Dec 23 02:14:14.630008 0:8:a1:3c:34:79 0:8:a1:3c:34:7a 0800 1514: 172.16.11.1 > 172.16.11.3: (frag 36405:[EMAIL PROTECTED])
Dec 23 02:14:14.630013 0:8:a1:3c:34:79 0:8:a1:3c:34:7a 0800 642: 172.16.11.1 > 172.16.11.3: (frag 36405:[EMAIL PROTECTED])
Dec 23 02:14:14.630272 0:8:a1:3c:34:7a 0:8:a1:3c:34:79 0800 1514: 172.16.11.3 > 172.16.11.1: icmp: echo reply (frag 64957:[EMAIL PROTECTED])

I also examined irq conflicts. I removed the usb2 hub which
conflicted with the nic on the openbsd machine. It didn't seem to
matter much.

Here is the ifconfig output from the Linux machine, which shows there are no 
network errors or conflicts:

eth0  Link encap:Ethernet  HWaddr 00:08:A1:3C:34:7A  
  inet addr:172.16.11.3  Bcast:172.16.11.255  Mask:255.255.255.0
  UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:526113 errors:0 dropped:0 overruns:0 frame:0
  TX packets:551835 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000 
  RX bytes:406518025 (387.6 Mb)  TX bytes:322415079 (307.4 Mb)
  Interrupt:10 Base address:0x2f00 

And here is the OpenBSD output:

re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:08:a1:3c:34:79
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 172.16.11.1 netmask 0xff00 broadcast 172.16.11.255
inet6 fe80::208:a1ff:fe3c:3479%re0 prefixlen 64 scopeid 0x1

And here is the dmesg:

OpenBSD 3.8-current (GENERIC) #319: Fri Dec 16 15:31:29 MST 

Re: OpenBSD 3.8 PPPoE Broadband Connection Howto

2005-12-22 Thread J.C. Roberts
On Wed, 21 Dec 2005 19:27:12 +0530, Siju George [EMAIL PROTECTED]
wrote:

 Details of the exact kind of service package you have from your provider
 and occasionally info on the DSL hardware you're using are needed to
 figure out how things should be set up on your end.


Its a ADSL Router from HUAWEI
Model No. WA1003A
Has both option for LAN and wireless.
Internet connection comes by a telephone cable.

It may have seemed strange for me to ask for this info but in many
cases, including yours, it can make things real simple...

This modem/router you have actually has a http based administration
console built into the device and through the admin console you can
configure the device itself to do your PPPoE for you. This means you can
just use dhcp for your external interface and not run pppoe on your
openbsd box.

Details for accessing the web admin console on the device and setting up
the pppoe are probably in the quick-start guide.
http://www.huawei.com/products/terminal/pdf/view.do?f=360ctype=0

Also you mentioned wireless so are you *sure* about the part number
you posted. There is a WA1003A-RU model number as well that
specifically mentions wireless.

I also stumbled across some info for setting the VPI/VCI values but they
may or may not apply to your telco/provider/country. If the defaults
don't work, you may need to ask your provider for the correct values.
http://www.vinuthomas.com/Forums/viewtopic/p=26302.html

jcr



Re: Weird Issue with FTP and pf(8)

2005-12-22 Thread Constantine A. Murenin
On 22/12/05, eric [EMAIL PROTECTED] wrote:
 Here's something strange. I'm trying to connect from a pf gateway to an ftp
 server and it's failing in a very specific manner. Going through the pf
 gateway works fine using passive mode, but from the gateway itself using
 ftp(1) doesn't seem to work.

 Observe:

 $ ftp ftp.example.org

 [ login as anonymous ]

 ftp> ls
 229 Entering Extended Passive Mode (|||62283|)
 435 Can't build data connection: No such file or directory.
 ftp> ls
 229 Entering Extended Passive Mode (|||50641|)
 150 Opening ASCII mode data connection for '/bin/ls'.
 total 16
 drwxr-xr-x  10 1000  1000  512 Nov 15 15:10 OpenBSD
 226 Transfer complete.

 Why would I be getting a failed LIST the first time? This is very
 reproducible: basically every second time a dir or ls will work.

 Here's my pf from the host connecting to the FTP server. (The machine these
 rules are from is 3.8-STABLE.)


 ##

 blah = 10.18.209.66

 binat  on $ext_if from 192.168.217.244 to any -> $blah
 nat   on $ext_if from any to any -> ($ext_if)
 rdr   on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
 scrub out all no-df random-id max-mss 1440 fragment reassemble
 scrub in all no-df min-ttl 2 fragment reassemble
 block return log all label any-block-log
 block drop log from <idiots> to any
 block drop in log on ! em0 inet from 10.18.209.0/24 to any label 
 em0-antispoof
 block drop in log on ! em0 inet from 10.18.209.48 to any label em0-antispoof
 block drop in log on em0 inet6 from fe80::20d:56ff:fefa:3b8f to any label 
 em0-antispoof
 block drop in log inet from 10.18.209.79 to any label any-antispoof
 block drop in log inet from 10.18.209.48 to any label any-antispoof
 block drop in log on ! rl0 inet from 192.168.217.240/28 to any label 
 rl0-antispoof
 block drop in log inet from 192.168.217.241 to any label any-antispoof
 block drop in log on rl0 inet6 from fe80::240:f4ff:fe71:8305 to any label 
 rl0-antispoof
 pass out quick proto tcp from any port = ssh to any flags S/SA modulate state 
 queue(ssh_dfl, ssh_pri)
 pass out quick inet proto tcp from any port = 3128 to any flags A/A keep 
 state queue http
 pass in on em0 inet proto tcp from any port = ftp-data to (em0) user = 71 
 flags S/SA keep state label ftpproxy
 pass out quick proto tcp from any port = www to any flags A/A keep state 
 queue httplo
 pass out quick proto tcp from any port = https to any flags S/SA modulate 
 state queue http
 pass out quick proto tcp from any port = smtp to any flags S/SA modulate 
 state queue smtp
 pass out quick proto tcp from any port = domain to any flags S/SA modulate 
 state queue dns_tcp
 pass out quick proto tcp from any to any port = domain keep state queue 
 dns_tcp
 pass out quick proto udp from any to any port = domain keep state queue 
 dns_udp
 pass out quick proto udp from any to any port = ntp keep state queue dns_ntp
 pass out quick proto tcp all modulate state queue(tcp_dfl, tcp_pri)
 pass out quick proto udp all keep state queue udp
 pass out quick inet proto icmp all keep state queue icmp
 pass out quick inet6 proto ipv6-icmp all keep state queue icmp
 pass out quick all queue default
 block return-rst log proto tcp all flags /S queue default
 block return-rst log proto tcp all flags A/A queue default
 pass in on rl0 inet proto udp from any to any port = bootps keep state label 
 rl0-bootps-in
 pass in on rl0 inet proto udp from 192.168.217.240/28 to 192.168.217.241 port 
 = domain keep state label rl0-domain-udp-in
 pass in on rl0 inet proto tcp from 192.168.217.240/28 to 192.168.217.241 port 
 = domain modulate state label rl0-domain-tcp-in
 pass in on rl0 inet proto udp from 192.168.217.240/28 to 192.168.217.241 port 
 = ntp keep state label rl0-ntp-in
 pass in inet6 proto ipv6-icmp all icmp6-type toobig
 pass in inet6 proto ipv6-icmp all icmp6-type paramprob
 pass in inet6 proto ipv6-icmp all icmp6-type routeradv
 pass in inet6 proto ipv6-icmp all icmp6-type neighbrsol
 pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
 pass in log on rl0 inet6 proto ipv6-icmp all icmp6-type routersol
 pass in log on rl0 inet6 proto ipv6-icmp all icmp6-type routeradv
 pass in log inet6 proto ipv6-icmp all icmp6-type echoreq keep state
 pass in inet proto icmp all icmp-type echoreq keep state
 pass in proto tcp from any to any port = auth modulate state label 
 any-identd-in
 pass in proto tcp from any to any port = smtp modulate state label 
 any-smtp-in
 pass in quick inet proto tcp from 192.168.217.240/28 to ! 192.168.217.241 
 flags S/SA modulate state
 pass in quick inet proto tcp from 192.168.217.240/28 to ! 192.168.217.241 
 keep state
 pass in quick inet proto udp from 192.168.217.240/28 to ! 192.168.217.241 
 keep state
 pass in quick inet from 192.168.217.240/28 to ! 192.168.217.240/28 keep state
 pass in quick inet proto tcp from 192.168.217.240/28 to 192.168.217.241 port 
 = ssh modulate state

Try changing

rdr   on $wire_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

to


Re: erratic networking problem

2005-12-22 Thread Han Boetes
I just tried installing OpenBSD on an old hd in the client PC and
exactly the same stuff happens.

And the suggestions made in this message also don't help a bit.

http://archives.neohapsis.com/archives/openbsd/2005-10/1663.html



# Han



Re: erratic networking problem

2005-12-22 Thread Ted Unangst
On 12/22/05, Han Boetes [EMAIL PROTECTED] wrote:
 This problem has been bugging me for months now. It started
 happening a month after 3.8 got tagged. At least, that's when I
 started noticing it. So it might be anything. But I suspect the
 OpenBSD side the most since returning to an older Linux release on
 the client from a liveCD didn't fix the problem. The OpenBSD
 server doesn't have a CD-drive.

 OpenBSD server - Linux client
 Both rtl8169 gigabit network cards

 Uploading to the server goes with 11Mbytes/s, the speed limit of
 the IDE hard drives, but the downloading goes with erratic
 speeds. 1Mbyte/s at best, 100Kbyte/s most of the time, sometimes
 no more than 20Kbytes/s

and if you use a different protocol (ftp, http)?  anything unusual in
netstat -s?


