Securing an OpenBSD AP (or bridge, dunno)

2006-01-15 Thread Bruno Carnazzi
   Hi all,

I use an OpenBSD/i386 3.8 as a gateway for routing my residential ADSL
access. I'm going to use a USB dongle (this is my last external port
available :( to provide some Wifi access for some laptops (mainly my
Powerbook). I'd like it to be secured enough. So, here are some questions
about this:

* What's the best supported wifi chipset (USB-available) (ural vs wi vs atu ?)
* What's the best linking method : routing (AP) or bridging ? I
think in AP mode, filtering could be easier (of course, a filtering
wifi bridge is also possible) ? Is bridging more CPU-friendly (no nat)
? (It's only a PII-233 that already shares a 2Mbps with an in-kernel
PPPoE on 2 PCMCIA cards - lots of interrupts !)
* Wireless security : I'd like to use MAC@ filtering (it should be ok)
and a ciphering technology for privacy. I know OpenBSD doesn't yet
support WPA. What are some good alternatives (in L2 or L3) ? WEP is not
a solution. Is it possible to use IPSec in transport mode to protect
this traffic or something else (OpenVPN ?)
* Do I forget something ? :)

Thank you,

Best regards,

Bruno.



Re: anoncvs prompts for password

2006-01-15 Thread Ramiro Aceves
oh, forgot to say that I wish to track -current

Thanks
Ramiro

On 1/15/06, Ramiro Aceves [EMAIL PROTECTED] wrote:
 Hello OpenBSD friends.

 I have been googling around and I am not able to solve this problem.
 I am going to tell you the exact procedure for you to tell me whether
 I am doing something wrong.

 My system was OpenBSD 3.8-stable. I cvs checkout'ed src, ports, XF4 and www
 from [EMAIL PROTECTED]:/cvs, but using my Debian GNU/Linux
 at University, where we have a very high speed Internet connection.
 I tar'ed and gzip'ed the sources in four different *tar.gz files. I saved
 them on a CDROM and went home...

 I arrived home, and unpacked them into /usr/, compiled the kernel, the
 userland and XF4 with success.

 Two days later, I wanted to cvs up the source from my OpenBSD box, and
 was stuck at the cvs prompt, when it asks me for a password:
 Script started on Sun Jan 15 11:20:34 2006
 # cd /usr
 # export CVSROOT=[EMAIL PROTECTED]:/cvs
 # cvs up -Pd
 [EMAIL PROTECTED]'s password:
 Permission denied, please try again.
 [EMAIL PROTECTED]'s password: cvs [update aborted]: received
 interr

 # exit

 Script done on Sun Jan 15 11:21:28 2006

 I have searched in the FAQ with no clues.

 Thanks in advance for your help

 Ramiro



anoncvs prompts for password

2006-01-15 Thread Ramiro Aceves
Hello OpenBSD friends.

I have been googling around and I am not able to solve this problem.
I am going to tell you the exact procedure for you to tell me whether
I am doing something wrong.

My system was OpenBSD 3.8-stable. I cvs checkout'ed src, ports, XF4 and www
from [EMAIL PROTECTED]:/cvs, but using my Debian GNU/Linux
at University, where we have a very high speed Internet connection.
I tar'ed and gzip'ed the sources in four different *tar.gz files. I saved
them on a CDROM and went home...

I arrived home, and unpacked them into /usr/, compiled the kernel, the
userland and XF4 with success.

Two days later, I wanted to cvs up the source from my OpenBSD box, and
was stuck at the cvs prompt, when it asks me for a password:
Script started on Sun Jan 15 11:20:34 2006
# cd /usr
# export CVSROOT=[EMAIL PROTECTED]:/cvs
# cvs up -Pd
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password: cvs [update aborted]: received interr

# exit

Script done on Sun Jan 15 11:21:28 2006

I have searched in the FAQ with no clues.

Thanks in advance for your help

Ramiro



Re: Securing an OpenBSD AP (or bridge, dunno)

2006-01-15 Thread Jonathan Gray
On Sun, Jan 15, 2006 at 12:10:13PM +0400, Bruno Carnazzi wrote:
Hi all,
 
 I use an OpenBSD/i386 3.8 as a gateway for routing my residential ADSL
 access. I'm going to use a USB dongle (this is my last external port
 available :( to provide some Wifi access for some laptops (mainly my
 Powerbook). I'd like it to be secured enough. So, here are some questions
 about this:
 
 * What's the best supported wifi chipset (USB-available) (ural vs wi vs atu ?)
 * What's the best linking method : routing (AP) or bridging ? I
 think in AP mode, filtering could be easier (of course, a filtering
 wifi bridge is also possible) ? Is bridging more CPU-friendly (no nat)
 ? (It's only a PII-233 that already shares a 2Mbps with an in-kernel
 PPPoE on 2 PCMCIA cards - lots of interrupts !)

ural is the only one that works in hostap mode.  You will need
USB2 to get full speeds out of it which your PII won't have onboard.

 * Wireless security : I'd like to use MAC@ filtering (it should be ok)
 and a ciphering technology for privacy. I know OpenBSD doesn't yet
 support WPA. What are some good alternatives (in L2 or L3) ? WEP is not
 a solution. Is it possible to use IPSec in transport mode to protect
 this traffic or something else (OpenVPN ?)

You need to specify what you want.  Access control based on MAC addresses
is stupid and can be easily worked around, if you just want
access control that isn't retarded you should look at authpf.



Re: anoncvs prompts for password

2006-01-15 Thread steven mestdagh
On Sun, Jan 15, 2006 at 01:40:23AM -0800, Ramiro Aceves wrote:
  # cvs up -Pd
  [EMAIL PROTECTED]'s password:
  Permission denied, please try again.
  [EMAIL PROTECTED]'s password: cvs [update aborted]: received
  interr

yes, i'm seeing the same.  Wim?




Re: anoncvs prompts for password

2006-01-15 Thread Jasper Lievisse Adriaanse
On Sun, 15 Jan 2006 01:40:23 -0800
Ramiro Aceves [EMAIL PROTECTED] wrote:

 oh, forgot to say that I wish to track -current

 Thanks
 Ramiro

 On 1/15/06, Ramiro Aceves [EMAIL PROTECTED] wrote:
  Hello OpenBSD friends.
 
  I have been googling around and I am not able to solve this problem.
  I am going to tell you the exact procedure for you to tell me whether
  I am doing something wrong.
 
  My system was OpenBSD 3.8-stable. I cvs checkout'ed src, ports, XF4 and
www
  from [EMAIL PROTECTED]:/cvs, but using my Debian GNU/Linux
  at University, where we have a very high speed Internet connection.
  I tar'ed and gzip'ed the sources in four different *tar.gz files. I saved
  them on a CDROM and went home...
 
  I arrived home, and unpacked them into /usr/, compiled the kernel, the
  userland and XF4 with success.
 
  Two days later, I wanted to cvs up the source from my OpenBSD box, and
  was stuck at the cvs prompt, when it asks me for a password:
  Script started on Sun Jan 15 11:20:34 2006
  # cd /usr
  # export CVSROOT=[EMAIL PROTECTED]:/cvs
  # cvs up -Pd
  [EMAIL PROTECTED]'s password:
  Permission denied, please try again.
  [EMAIL PROTECTED]'s password: cvs [update aborted]: received
  interr
 
  # exit
 
  Script done on Sun Jan 15 11:21:28 2006
 
  I have searched in the FAQ with no clues.
 
  Thanks in advance for your help
 
  Ramiro

I had that problem too with that mirror. I changed mirror, and forgot about
it...

Cheers,
Jasper


--
Security is decided by quality -- Theo de Raadt




Re: anoncvs prompts for password

2006-01-15 Thread Ramiro Aceves
Jasper Lievisse Adriaanse wrote:
 On Sun, 15 Jan 2006 01:40:23 -0800
 Ramiro Aceves [EMAIL PROTECTED] wrote:
 
 
oh, forgot to say that I wish to track -current

Thanks
Ramiro

On 1/15/06, Ramiro Aceves [EMAIL PROTECTED] wrote:

Hello OpenBSD friends.

I have been googling around and I am not able to solve this problem.
I am going to tell you the exact procedure for you to tell me whether
I am doing something wrong.

My system was OpenBSD 3.8-stable. I cvs checkout'ed src, ports, XF4 and www
from [EMAIL PROTECTED]:/cvs, but using my Debian GNU/Linux
at University, where we have a very high speed Internet connection.
I tar'ed and gzip'ed the sources in four different *tar.gz files. I saved
them on a CDROM and went home...

I arrived home, and unpacked them into /usr/, compiled the kernel, the
userland and XF4 with success.

Two days later, I wanted to cvs up the source from my OpenBSD box, and
was stuck at the cvs prompt, when it asks me for a password:
Script started on Sun Jan 15 11:20:34 2006
# cd /usr
# export CVSROOT=[EMAIL PROTECTED]:/cvs
# cvs up -Pd
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password: cvs [update aborted]: received
interr

# exit

Script done on Sun Jan 15 11:21:28 2006

I have searched in the FAQ with no clues.

Thanks in advance for your help

Ramiro

 I had that problem too with that mirror. I changed mirror, and forgot about
 it...
 
 Cheers,
 Jasper
 
 

Hello Jasper, thanks for your fast answer. I think that last night I
tried with another main mirror and got the same result. I am going to
try again to see what happens.

Thanks for your help
Ramiro.



Re: 3Ware Escalade 7506-8 IDE RAID controller support under OpenBSD 3.8

2006-01-15 Thread Greg
This is for my home network and RAID cards are a big ticket item around here
so unfortunately getting the LSI MegaRAID controller is not an option at
this point ... but yeah - I wish I could trade my card in - even the nice
little web interface they use to monitor it can't be installed on my box.  I
have already emailed their support.

Greg

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Jim Razmus
Sent: Saturday, January 14, 2006 10:36 AM
To: misc@openbsd.org
Subject: Re: 3Ware Escalade 7506-8 IDE RAID controller support under OpenBSD
3.8

* Greg [EMAIL PROTECTED] [060114 02:34]:
 I have a 3Ware Escalade 7506-8 IDE RAID controller that is currently 
 running on Suse 9.3 in a RAID 5 array and I am trying to see if I can 
 use it with OpenBSD 3.8.  I know from the OpenBSD Hardware 
 Compatibility web page that the twe driver supports the following :  
 3ware Escalade 3W-5x00 and 3W-6x00 series (twe) .  However I was 
 wondering if anyone has any experience using this card under OpenBSD 3.8 .
 
 From Googling I saw a post from someone here
 (http://screamingelectron.org/forum/showthread.php?mode=hybridt=1955) 
 that they got a similar card to work under OpenBSD 3.6.  However they 
 only state that Tada! Just thought I'd post an info update. The 3Ware 
 7506-4 raid card is supported in OpenBSD 3.6 using the aforementioned twe
driver!.
 
 I am not sure what is meant by supported .  So. Is anyone using this 
 card under OpenBSD 3.8 and if so what support is available ?  i.e. Can 
 you only use the RAID array without any means of detecting a 
 failure/rebuilding or are there any management tools available to you 
 ?  From what I have seen in the recent posts all of the OpenBSD RAID 
 work (pretty impressive !) is for other cards/drivers.  Is this 
 correct ?  I am not looking for anything fancy, just the ability to 
 detect a drive failure, the ability to know the status of the hard drives,
and to rebuild a degraded array.
 
 
 TIA,
 
 Greg
 
 

Replace it with an LSI MegaRAID controller and don't look back.  3Ware is on
the same boat with Adaptec.  They will not share the documentation the
developers need to fully support their controllers.  man bioctl to read what
fully supported means.

Jim




Re: mssql.so

2006-01-15 Thread Joachim Schipper
On Sat, Jan 14, 2006 at 10:51:25PM -0200, Ricardo Lucas wrote:
 I've read the freetds.org help but I can't figure out what to do!!!
 Someone can help me?!

How about pkg_add freetds-0.63-msdblib, as Rosen Iliev pointed you to?
If and only if that doesn't work, you can try compiling from source.

Joachim



Re: for those following -current

2006-01-15 Thread Marc Espie
On Sat, Jan 14, 2006 at 09:36:50PM -0600, Joe Szedula wrote:
 I just tried:
 
  # cd /usr/src/gnu/usr.bin/gcc
  # make -f Makefile.bsd-wrapper obj
  # make -f Makefile.bsd-wrapper depend
  # make -f Makefile.bsd-wrapper
  # make -f Makefile.bsd-wrapper install
 
 from http://www.openbsd.org/faq/current.html; and got this:
 
 # make -f Makefile.bsd-wrapper
 ...snip...
 rm -f SYSCALLS.c tmp-SYSCALLS.s
 sed -e s/TARGET_GETGROUPS_T/gid_t/  
 /usr/src/gnu/usr.bin/gcc/gcc/sys-types.h 
 /usr/src/gnu/usr.bin/gcc/gcc/sys-protos.h  SYSCALLS.c
 ./xgcc -B./ -B/usr/amd64-unknown-openbsd3.8/bin/ -isystem 
 /usr/amd64-unknown-openbsd3.8/include -isystem 
 /usr/amd64-unknown-openbsd3.8/sys-include -DIN_GCC   -W -Wall 
 -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -isystem 
 ./include -I. -I. -I/usr/src/gnu/usr.bin/gcc/gcc 
 -I/usr/src/gnu/usr.bin/gcc/gcc/.  -I/usr/src/gnu/usr.bin/gcc/gcc/config 
 -I/usr/src/gnu/usr.bin/gcc/gcc/../include  -aux-info SYSCALLS.c.X -S -o 
 tmp-SYSCALLS.s SYSCALLS.c
 SYSCALLS.c:241: warning: function declaration isn't a prototype
 ...snip...
 SYSCALLS.c:1593: warning: function declaration isn't a prototype
 rm -f SYSCALLS.c tmp-SYSCALLS.s
 #

Before you embark on a -current build, it's much better to first
PRACTICE with -stable, and learn to use your tools.

For instance, you have script(1), which is fairly handy to save a full
build log.

So that you can compare with what you do in current, and notice anything
that is truly abnormal.

If you would have followed such a procedure, you would have noticed the
exact same warnings in -stable...

Asking people on a public list if they see the same problems, and duh,
I wonder whether they're really problems or not, is not a really robust
development practice...



Re: 3.8 perl patch 001 issue - more complete description

2006-01-15 Thread Joachim Schipper
On Sun, Jan 15, 2006 at 12:01:52AM -0600, Josh Caster wrote:
 cd /usr/src/gnu/usr.bin/perl/obj  exec make
... 
   Making Encode (dynamic)
 make: don't know how to make config.  Stop in 
 /usr/src/gnu/usr.bin/perl/obj/ext/Encode.
 make config failed, continuing anyway...
 make: don't know how to make all. Stop in 
 /usr/src/gnu/usr.bin/perl/obj/ext/Encode
 *** Error code 2
 
 Stop in /usr/src/gnu/usr.bin/perl/obj (line 584 of makefile).
...
 I have tried this patch on the src.tar.gz and also on a cvs checkout.  I 
 cannot even get this make to work on a -stable release of the source.

What are you running? -release, -stable or -current?

Joachim



Ata over Ethernet, any plans?

2006-01-15 Thread Stephan Leemburg

Are there any plans for implementing an ATA over Ethernet driver?
--
Stephan



Re: anoncvs prompts for password

2006-01-15 Thread Wim Vandeputte
Hi,

yes, it's correct that I've removed both the anoncvs and openssh access
to the machine as it needs to be upgraded.

This will probably happen next time I get to Vienna, so around May.

In the mean time I will remove the entry from the website to avoid
confusion.

Sorry guys, but it's just too busy around here to deal with this...

-- 
   =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=   
https://kd85.com/notforsale.html
 --


On Sun, Jan 15, 2006 at 11:03:27AM +0100, steven mestdagh wrote:
 On Sun, Jan 15, 2006 at 01:40:23AM -0800, Ramiro Aceves wrote:
   # cvs up -Pd
   [EMAIL PROTECTED]'s password:
   Permission denied, please try again.
   [EMAIL PROTECTED]'s password: cvs [update aborted]: received
   interr
 
 yes, i'm seeing the same.  Wim?
 



Re: Panic during reboot on 3.8 -current #579

2006-01-15 Thread Paulo Rodriguez

Hello Daniel,

I considered that entry as well, but the system worked fine with this 
partitioning under 3.8 -release. If the issue was one of ROM addressing 
the hdd, I'd expect it would occur under 3.8 -release as well... 
Besides, the machine boots fine. I'm therefore inclined to think that it 
must be something else. Of course I could be wrong, wouldn't be the 
first time. :)

Thanks for the pointer though.

Daniel Ouellet wrote:
This may not be the right answer for you, but looking at your stuff. I 
see that you use AMD processor, great, but your boot partition is way 
out at the end of the drive. This may or may not apply to you, I am not 
a guru BIOS guy for AMD stuff.


http://openbsd.org/faq/faq14.html#LargeDrive

Maybe you hit a problem when your system tries to access the kernel.

Obviously this may have nothing at all to do with your problem, but I 
just offer it in consideration when you do your setup. You have three 
drives available to you in your box, maybe a different one might be 
better for you. Just a thought.


If I am mistaken, I apologize.

Daniel




Re: Audio problem - cannot play from 2 sources in the same time

2006-01-15 Thread Marcin Wilk

At 21:57 2006-01-14, you wrote:

On Sat, Jan 14, 2006 at 09:15:54PM +0100, Marcin Wilk wrote:
 Hello!

 At first, here are some LOG files that may help:
 dmesg: http://nicram.sytes.net/openbsd/dmesg.txt
 audioctl -a: http://nicram.sytes.net/openbsd/audioctl.txt
 mixerctl -a: http://nicram.sytes.net/openbsd/mixerctl.txt

 My system is OpenBSD release 3.8 with generic kernel on AMD64
 platform (AMD Sempron 2500+ 64bit).
 Sound card that i got is Creative Labs SoundBlaster PCI 128 (4
 speakers version on CT588 chipset).

 The problem is that when I play music with Mplayer (on KDE using
 GMPlayer) it works fine, to the moment when KDE plays some system
 sound (when a warning window appears or something).
 If it happens, then Mplayer can't play audio files & presents an error
 window: http://nicram.sytes.net/openbsd/maplayer2.png ([AO SUN]
 Can't open audio device /dev/audio, Device busy - nosound.).
 If I wait some time (30-60 seconds) then it may play again
 without problems.
 Ahh about mplayer.. Every time I start gmplayer or when I open
 anything this message appears:
 http://nicram.sytes.net/openbsd/mplayer-start.png .

 Another nice thing is with XMMS. When I set it to use the SUN audio
 driver then the same problem as with Mplayer appears.
 But sometimes I may solve it.. by setting XMMS to use the eSound driver.
 But sometimes it doesn't help, but makes XMMS freeze like that for many
 minutes: http://nicram.sytes.net/openbsd/xmms-freeze.png .

 I have made a ps auxw save when it is frozen:
 http://nicram.sytes.net/openbsd/xmms-freeze.txt .

 Other info that may help:
 Using standard installation. KDE & all other software is installed
 from packages from official FTP.

 I think that there is no full-duplex support for this sound card on
 OpenBSD. If I'm right the question is: will it be done some day? or
 is there no chance for that? (I understand that it's not important
 for this OS).

 Best Regards
 Marcin Wilk


I might be wrong, but it seems to be normal behaviour. It is not
possible (as far as i know) that more than one application opens the
audio device.
To handle this, there are several audio daemons that provide access from
more than one application to a single soundcard (and mix them).  Some
commonly used ones are artsd on KDE and esd (I prefer this one, because
it's small and does not use so much cpu).  Gnome has its own I guess.
I bet if you do a pkill artsd, the problems with mplayer and xmms are
gone (artsd frees the sound device after a specific amount of time, that
is your 30-60 seconds).

A better solution is to configure mplayer, xmms and other apps to use
arts (Kde apps do this by default). There is a plugin available for
xmms.  mplayer can also be configured, see its manpage...

Tobias


Ahm. Thank you for the explanation.
I will use arts or something then.

Best Regards
Marcin Wilk



Re: Securing an OpenBSD AP (or bridge, dunno)

2006-01-15 Thread Bruno Carnazzi
You're right, MAC@ is easily spoofable. I've found this and it looks to
be what I want :
http://software.newsforge.com/print.pl?sid=05/11/21/175249

It combines L3 isolation before authentication, L2 advantages (same
LAN) after authentication (L2 OpenVPN tunnel + bridge with wired LAN),
and a good level of security : authentication through authpf and
strong ciphering through OpenVPN.

Hope it helps,

Best regards,

Bruno.

On 1/15/06, Jonathan Gray [EMAIL PROTECTED] wrote:
 On Sun, Jan 15, 2006 at 12:10:13PM +0400, Bruno Carnazzi wrote:
 Hi all,
 
  I use an OpenBSD/i386 3.8 as a gateway for routing my residential ADSL
  access. I'm going to use a USB dongle (this is my last external port
  available :( to provide some Wifi access for some laptops (mainly my
  Powerbook). I'd like it to be secured enough. So, here are some questions
  about this:
 
  * What's the best supported wifi chipset (USB-available) (ural vs wi vs atu 
  ?)
  * What's the best linking method : routing (AP) or bridging ? I
  think in AP mode, filtering could be easier (of course, a filtering
  wifi bridge is also possible) ? Is bridging more CPU-friendly (no nat)
  ? (It's only a PII-233 that already shares a 2Mbps with an in-kernel
  PPPoE on 2 PCMCIA cards - lots of interrupts !)

 ural is the only one that works in hostap mode.  You will need
 USB2 to get full speeds out of it which your PII won't have onboard.

  * Wireless security : I'd like to use MAC@ filtering (it should be ok)
  and a ciphering technology for privacy. I know OpenBSD doesn't yet
  support WPA. What are some good alternatives (in L2 or L3) ? WEP is not
  a solution. Is it possible to use IPSec in transport mode to protect
  this traffic or something else (OpenVPN ?)

 You need to specify what you want.  Access control based on MAC addresses
 is stupid and can be easily worked around, if you just want
 access control that isn't retarded you should look at authpf.



Re: anoncvs prompts for password

2006-01-15 Thread Ramiro Aceves
Two days later, I wanted to cvs up the source from my OpenBSD box, and
was stuck at the cvs prompt, when it asks me for a password:
Script started on Sun Jan 15 11:20:34 2006
# cd /usr
# export CVSROOT=[EMAIL PROTECTED]:/cvs
# cvs up -Pd
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password: cvs [update aborted]: received
interr

# exit

Script done on Sun Jan 15 11:21:28 2006

I have searched in the FAQ with no clues.

Thanks in advance for your help

Ramiro

 
 


I have investigated it further, and:

When yesterday I tried another mirror, changing CVSROOT env variable, I
assumed that cvs up -Pd will pick the new mirror. But it picks instead
the mirror that is on the /usr/src/CVS directory, so in order to use the
new mirror, I needed to use the -d$CVSROOT parameter.

Thanks all

Ramiro.



Re: anoncvs prompts for password

2006-01-15 Thread Ramiro Aceves
Wim Vandeputte wrote:
 Hi,
 
 yes, it's correct that I've removed both the anoncvs and openssh access
 to the machine as it needs to be upgraded.
 
 This will probably happen next time I get to Vienna, so around May.
 
 In the mean time I will remove the entry from the website to avoid
 confusion.
 
 Sorry guys, but it's just too busy around here to deal with this...
 

Ok thanks for the information. Yes, I have changed to another server and
it works fine.

Thank you guys.

Enjoy compiling!

Ramiro.



Re: anoncvs prompts for password

2006-01-15 Thread Gerardo Santana Gómez Garrido
2006/1/15, Ramiro Aceves [EMAIL PROTECTED]:
 Two days later, I wanted to cvs up the source from my OpenBSD box, and
 was stuck at the cvs prompt, when it asks me for a password:
 Script started on Sun Jan 15 11:20:34 2006
 # cd /usr
 # export CVSROOT=[EMAIL PROTECTED]:/cvs
 # cvs up -Pd
 [EMAIL PROTECTED]'s password:
 Permission denied, please try again.
 [EMAIL PROTECTED]'s password: cvs [update aborted]: received
 interr
 
 # exit
 
 Script done on Sun Jan 15 11:21:28 2006
 
 I have searched in the FAQ with no clues.
 
 Thanks in advance for your help
 
 Ramiro
 
 
 


 I have investigated it further, and:

 When yesterday I tried another mirror, changing CVSROOT env variable, I
 assumed that cvs up -Pd will pick the new mirror. But it picks instead
 the mirror that is on the /usr/src/CVS directory, so in order to use the
 new mirror, I needed to use the -d$CVSROOT parameter.

Alternatively you can change CVS/Root in each directory:

find . -name Root -exec perl -i -pe 's,.*,[EMAIL PROTECTED]:/cvs,' {} \;

--
Gerardo Santana
Between individuals, as between nations, respect for the rights of
others is peace - Don Benito Juarez
http://santanatechnotes.blogspot.com/
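
Added example, not part of any post in this thread: a checked-out tree records its repository in a CVS/Root file in every directory, and cvs up reads that file rather than $CVSROOT, which is the behaviour Ramiro found. The script audits which roots a tree records and repoints only the matching CVS/Root files; the mirror names and the helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and repoint the repository recorded in CVS/Root.
# All three roots below are constructed placeholders, not real mirrors.
OLD_ROOT='anoncvs@old-mirror.example.org:/cvs'
NEW_ROOT='anoncvs@new-mirror.example.org:/cvs'
OTHER_ROOT='anoncvs@other-mirror.example.org:/cvs'

# list_roots TREE
# Print "<count> <root>" for every distinct root recorded under TREE.
# More than one line means the tree mixes repositories.
list_roots() {
    find "$1" -type f -path '*/CVS/Root' -exec cat {} + |
        sort | uniq -c | awk '{ print $1, $2 }'
}

# repoint_roots TREE OLD NEW
# Rewrite CVS/Root files whose content is exactly OLD so they hold NEW.
# Files recording any other root are left alone, as is any file that is
# merely named "Root" outside a CVS directory. Prints the number changed.
# (Paths containing newlines are not handled.)
repoint_roots() {
    find "$1" -type f -path '*/CVS/Root' | {
        n=0
        while IFS= read -r f; do
            if [ "$(cat "$f")" = "$2" ]; then
                printf '%s\n' "$3" > "$f"
                n=$((n + 1))
            fi
        done
        echo "$n"
    }
}

# make_sample_tree
# Build a constructed checkout layout in a temp dir and print its path:
# two directories on OLD_ROOT, one on OTHER_ROOT, and one decoy file
# named Root that is not CVS metadata.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/src/CVS" "$d/src/bin/CVS" "$d/ports/CVS" "$d/src/doc"
    printf '%s\n' "$OLD_ROOT"   > "$d/src/CVS/Root"
    printf '%s\n' "$OLD_ROOT"   > "$d/src/bin/CVS/Root"
    printf '%s\n' "$OTHER_ROOT" > "$d/ports/CVS/Root"
    printf 'decoy\n'            > "$d/src/doc/Root"
    printf '%s\n' "$d"
}

# Demonstration on the constructed tree.
demo_tree=$(make_sample_tree)
echo "roots before:"; list_roots "$demo_tree"
echo "files changed: $(repoint_roots "$demo_tree" "$OLD_ROOT" "$NEW_ROOT")"
echo "roots after:";  list_roots "$demo_tree"
rm -rf "$demo_tree"
```

Running list_roots first shows whether a tree was checked out from more than one server before anything is rewritten.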



Re: mssql.so

2006-01-15 Thread Ricardo Lucas
I've installed the pkg freetds-0.63-msdblib.tgz but did not find the
mssql.so, any hint?!

2006/1/15, Joachim Schipper [EMAIL PROTECTED]:

 On Sat, Jan 14, 2006 at 10:51:25PM -0200, Ricardo Lucas wrote:
  I've read the freetds.org help but I can't figure out what to do!!!
  Someone can help me?!

 How about pkg_add freetds-0.63-msdblib, as Rosen Iliev pointed you to?
 If and only if that doesn't work, you can try compiling from source.

Joachim




--
Abragos
Ricardo Lucas

We have to stop been egoist and think more on ourselves.



Re: anoncvs prompts for password

2006-01-15 Thread Joachim Schipper
On Sun, Jan 15, 2006 at 02:52:37PM +0100, Ramiro Aceves wrote:
 I have investigated it further, and:
 
 When yesterday I tried another mirror, changing CVSROOT env variable, I
 assumed that cvs up -Pd will pick the new mirror. But it picks instead
 the mirror that is on the /usr/src/CVS directory, so in order to use the
 new mirror, I needed to use the -d$CVSROOT parameter.

There is a reason why the FAQ tells you to specify the -d option
explicitly, and this reason is itself in the FAQ... ;-)

Joachim



Re: Temperature

2006-01-15 Thread Stuart Henderson
On 2006/01/15 13:05, Ricardo Lucas wrote:
 anyone knows a program that monitoring the cpu temperature
 and hard disk temperature

sysctl(8) (hw.sensors tree) is the natural place for this information,
you can be alerted if it exceeds parameters with sensorsd(8). Sensors
for many motherboards and SCSI safte(4) enclosures are monitored here.

SMART-capable ATA drives can be monitored with atactl(8), but you will
probably need further processing to get actual temperatures.

 rotation?!

hard disk rotation - don't think so.
fan rotation - hw.sensors again.



PF load balancing

2006-01-15 Thread MegadetH \(crazyJM\)
Hi all, I have a problem (very simple) with PF and load balancing.
I tried to read (of course) the FM and the rest of the PF documentation, to
look for Inet resources about it, to write to the PF list, etc etc; the next step
would be to write to the developers team or to read the sources (the last is
always good but ..). I have a firewall with 4 network cards: 2 outside,
inside and DMZ. In the DMZ I have the mail server, and on the firewall
machine I have a Squid proxy running. The 2 outside cards are going to 2
different routers. I'd like to do outside load balancing of all the
traffic in a simple round-robin way, but when I try the line: pass in on
$int_if route-to {$ext_if1 $ext_gw1 .. etc etc the RDRs to the DMZ don't
work, and the traffic of this machine (Squid) is not balanced.. if I try
the same line but with the pass out on $ext_if1... it doesn't work
either.. any ideas??

Greetings

JM  



Re: pf-question: blocking nmap and dropping the IP of the src-host to a table?

2006-01-15 Thread NetNeanderthal
On 1/14/06, Daniel Ouellet [EMAIL PROTECTED] wrote:
 I didn't spend too much time on this one, but I think the above should
 give you an idea as to how to go about it. Might work just as is if you
 add the ports you want to protect inside your LAN, or may need some
 minor changes, but it is sure very close to what you might need I think.

(Sorry, Daniel, my first reply didn't hit the list.)

I don't disagree with the approach, though I am not certain it will
solve the NMAP issue unless NMAP completes the 3-way handshake.

Default nmap behaviour (as observed executed with root privileges)
will send a syn packet, which is returned by OpenBSD with an ack..
then either nmap or the host O/S on the far side returns a RST packet.
 No handshake, no connection.

I ran nmap several times against four open ports (nc -k -l 25 (et al)
listening) with this rule, here's what my state table shows:

nmap.source.ip - 0.0.0.0 ( states 4, connections 0, rate 0.0/60s )
nmap.source.ip - 0.0.0.0 ( states 4, connections 0, rate 0.0/60s )
nmap.source.ip - 0.0.0.0 ( states 4, connections 0, rate 0.0/60s )
nmap.source.ip - 0.0.0.0 ( states 4, connections 0, rate 0.0/60s )

I'm not sure that will ever trigger an overload to a table.

Documentation can be found at
http://www.openbsd.org/faq/pf/filter.html#stateopts.  I'm interested
in hearing solutions from others as well.



ssh to computer with variable ip address

2006-01-15 Thread Dave Feustel
I now have a working ssh connection to a computer on
my subnet by using the (hardwired) ip address in the 
known_hosts file. How can ssh be used to connect to a 
computer with a (variable) dhcp-assigned ip address, 
given that the ip address can change at any time?

Thanks,
Dave Feustel
-- 
Lose, v., experience a loss, get rid of, lose the weight
Loose, adj., not tight, let go, free, loose clothing



Re: Panic during reboot on 3.8 -current #579

2006-01-15 Thread Paulo Rodriguez
Thanks to Tom Cosgrove for his kind assistance. Removing the 
card/disabling ath in kernel did indeed solve the problem.

Cheers,

P

Paulo Rodriguez wrote:


# reboot
syncing disks... done
uvm_fault(0xd7be8370, 0x0, 0, 1) - e
fatal page fault in supervisor mode
trap type 6 code 0 eip d0178b5b cs 8 eflags 10286 cr2 bac cpl b0
panic: trap type 6, code=0, pc=d0178b5b

dumping to dev 1101, offset 0
dump error 19

REBOOTS AUTOMATICALLY


...


# reboot
/etc/rc.shutdown in progress...
/etc/rc.shutdown complete.
syncing disks... done
uvm_fault(0xd7cfadc0, 0x0, 0, 1) - e
kernel: page fault trap, code=0
Stopped at  ath_stop+0xe:   movl0xbac(%esi),%edi
ddb trace
ath_stop(d1797030,0,0,15) at ath_stop+0xe
dohooks(d05a49c0,1,e9695ef0,d0346e4c) at dohooks+0x5e
boot(0,0,43c9aab6,0,d05a3e18) at boot+0x55
sys_reboot(d7cf5e14,e9695f68,e9695f58,,2d) at sys_reboot+0x26
syscall() at syscall+0x2ea
--- syscall (number 55) ---
0x1c000995:
ddb ps
   PID   PPID   PGRP    UID  S     FLAGS  WAIT       COMMAND
*21161      1  21161      0  7    0x4006             reboot
    15      0      0      0  3  0x100204  crypto_wa  crypto
    14      0      0      0  3  0x100204  aiodoned   aiodoned
    13      0      0      0  3  0x100204  syncer     update
    12      0      0      0  3  0x100204  cleaner    cleaner
    11      0      0      0  3  0x100204  reaper     reaper
    10      0      0      0  3  0x100204  pgdaemon   pagedaemon
     9      0      0      0  3  0x100204  pftm       pfpurge
     8      0      0      0  3  0x100204  usbevt     usb2
     7      0      0      0  3  0x100204  usbevt     usb1
     6      0      0      0  3  0x100204  usbtsk     usbtask
     5      0      0      0  3  0x100204  usbevt     usb0
     4      0      0      0  3  0x100204  timeout    sensors
     3      0      0      0  3  0x100204  apmev      apm0
     2      0      0      0  3  0x100204  kmalloc    kmthread
     1      0      1      0  3    0x4084  wait       init
     0     -1      0      0  3   0x80204  scheduler  swapper
ddb show registers
ds  0x10
es  0x10
fs  0x58
gs  0x10
edi  0x1
esi0
ebp   0xe9695ea0
ebx   0xd1797030end+0x1108280
edx   0xd176fde0end+0x10e1030
ecx   0xe9695cd0
eax   0xd05a49c0shutdownhook_list
eip   0xd019bf16ath_stop+0xe
cs   0x8
eflags   0x10292
esp   0xe9695e7c
ss0xe9690010
ath_stop+0xe:   movl0xbac(%esi),%edi
ddb

Kind regards,

Paulo




Re: ssh to computer with variable ip address

2006-01-15 Thread Peter Philipp
On Sun, Jan 15, 2006 at 11:45:35AM -0500, Dave Feustel wrote:
 I now have a working ssh connection to a computer on
 my subnet by using the (hardwired) ip address in the 
 known_hosts file. How can ssh be used to connect to a 
 computer with a (variable) dhcp-assigned ip address, 
 given that the ip address can change at any time?

I do this although not on a LAN with DHCP addressing but on the Internet on
several computers registering to a self-made lookup service.  On a LAN with
DHCP you may be able to configure Dynamic DNS to identify what hosts have 
what IP address.  You should take care of the StrictHostKeyChecking which 
will complain that a known host will have a different Public Host Key.  
You'll get those "this could mean a man-in-middle attack" type messages which 
you'll have to ignore and possibly edit the .ssh/known_hosts to get rid of
any entries there.  Also you won't really know for sure what host is what
so it's probably safer to resort to rsa/dsa key authentication as password
authentication should be avoided since the host behind an IP could be a
malicious host with purpose to gobble up passwords.

Cheers,

-peter



Re: ssh to computer with variable ip address

2006-01-15 Thread Rogier Krieger
On 1/15/06, Dave Feustel [EMAIL PROTECTED] wrote:
 How can ssh be used to connect to a computer with a (variable)
 dhcp-assigned ip address, given that the ip address can change
 at any time?

Your problem is not with SSH.

Although I cannot say whether your situation will allow for it, try
obtaining a fixed hostname to connect to. You may want to look into
the dynamic DNS updates facilitated through ISC's dhcpd (from ports)
and BIND and start from there. The BIND ARM and port's documents
should provide enough information.

You may not need ISC dhcpd. That is, if the in-base dhcpd also
contains the dynamic update features. Last time I checked [1], it
didn't. I do not know why they are not implemented; possibly because
their use isn't too widespread to make it worthwhile to code.

If the dynamic DNS above is not applicable to your situation, you may
want to look into dynamic DNS clients e.g. dyndns.org [2], although I
cannot vouch for their service.

Cheers,

Rogier

References:
1. MARC - 'ddns dhcp' in openbsd-misc
http://marc.theaimsgroup.com/?l=openbsd-miscm=110353569711035w=2
2. DynDNS - Dynamic DNS
http://www.dyndns.com/services/dns/dyndns/

--
If you don't know where you're going, any road will get you there.



Re: ssh to computer with variable ip address

2006-01-15 Thread Dave Feustel
On Sunday 15 January 2006 12:14, Peter Philipp wrote:
 On Sun, Jan 15, 2006 at 11:45:35AM -0500, Dave Feustel wrote:
  I now have a working ssh connection to a computer on
  my subnet by using the (hardwired) ip address in the 
  known_hosts file. How can ssh be used to connect to a 
  computer with a (variable) dhcp-assigned ip address, 
  given that the ip address can change at any time?
 
 I do this although not on a LAN with DHCP addressing but on the Internet on
 several computers registering to a self-made lookup service.  On a LAN with
 DHCP you may be able to configure Dynamic DNS to identify what hosts have 
 what IP address.  You should take care of the StrictHostKeyChecking which 
 will complain that a known host will have a different Public Host Key.  
 You'll get those "this could mean a man-in-middle attack" type messages which 
 you'll have to ignore and possibly edit the .ssh/known_hosts to get rid of
 any entries there.  Also you won't really know for sure what host is what
 so it's probably safer to resort to rsa/dsa key authentication as password
 authentication should be avoided since the host behind an IP could be a
 malicious host with purpose to gobble up passwords.
 
 Cheers,
 
 -peter

Thanks, Peter!

I got this working internally by using the ip address of the internal ethernet
adaptor.
I have in the past just posted dhcp-assigned ip addresses of http servers on
my public website where they could be used as indirect addressing.

-- 
Lose, v., experience a loss, get rid of, lose the weight
Loose, adj., not tight, let go, free, loose clothing



Re: mssql.so

2006-01-15 Thread Joachim Schipper
On Sun, Jan 15, 2006 at 01:03:19PM -0200, Ricardo Lucas wrote:
 I've installed the pkg freetds-0.63-msdblib.tgz but did not found the
 mssql.so, any hint?!

See http://marc.theaimsgroup.com/?l=openbsd-miscm=113725804214600w=2
for where to look next, or
http://marc.theaimsgroup.com/?l=openbsd-miscm=113729912930316w=2 for
an easier solution to your problem.

Joachim



Re: mssql.so

2006-01-15 Thread Fred Crowson

Ricardo Lucas wrote:

I've installed the pkg freetds-0.63-msdblib.tgz but did not found the
mssql.so, any hint?!

2006/1/15, Joachim Schipper [EMAIL PROTECTED]:


On Sat, Jan 14, 2006 at 10:51:25PM -0200, Ricardo Lucas wrote:


I've read the freetds.org help but I can't figure out what to do!!!
Someone can help me?!




You've already been given two good hints - but a search of MARC would 
have also produced:


http://marc.theaimsgroup.com/?l=openbsd-miscw=2r=1s=mssql.soq=t

HTH

Fred
--
http://www.bristolshotokan.org.uk/



Re: Temperature

2006-01-15 Thread Pete Vickers

Hi,

While we're on this subject, what about adding something like   
sysctl -w | grep hw.sensor to /etc/daily ? I'd consider the output  
of such to be as useful as the status of disk space etc.


/Pete


On 15. jan. 2006, at 16.25, Stuart Henderson wrote:


On 2006/01/15 13:05, Ricardo Lucas wrote:

anyone knows a program that monitoring the cpu temperature
and hard disk temperature


sysctl(8) (hw.sensors tree) is the natural place for this information,
you can be alerted if it exceeds parameters with sensorsd(8). Sensors
for many motherboards and SCSI safte(4) enclosures are monitored here.

SMART-capable ATA drives can be monitored with atactl(8), but you will
probably need further processing to get actual temperatures.


rotation?!


hard disk rotation - don't think so.
fan rotation - hw.sensors again.




OT: wrt OpenBSD, what's a good laptop

2006-01-15 Thread Julesg
I want aircard support of course (which lets out DELL and a few other 
manufacturers.)

So what's the best?  Why?

BTW:  I suspect, but have zero affirming data, that SSH2 has been cracked.  I 
had numerous security incidents on another laptop (not running Obsd,) so I 
don't know if the problem was Fbsd or SSH, though the Fbsd OS was re-installed 
several times and security oriented folks tightened down Fbsd for me (out of 
the box, it's a joke!)

Now I'm getting into laptops again and want to make the right choices!  Which 
means Obsd first and foremost, so I ask:  which laptop??

--jg



Re: ssh to computer with variable ip address

2006-01-15 Thread tony sarendal
Do you have a ssh server with static ip address anywhere ?
If so, make the client with dynamic ip address log into your server at
startup and make a port forward back to the ssh port on the client.

Very handy trick when you need to manage boxes sitting behind
others nat'ing firewalls.

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   I couldn't help it, it's my nature =-



df -h stats for same file systems display different results on AMD64 than on i386

2006-01-15 Thread Daniel Ouellet
Here is something I can't put my hands around too well and I don't really 
understand why that is, other than maybe the fize of each mount point 
not process properly on AMD64, but that's just an idea. See lower below 
for why I think it might be the case. In any case, I would welcome a 
logical explication why that might be however.


I mirror a mount point for three servers, one AMD64 and two i386. Then I 
do df -h for each one, but I get way different results when I do it on 
AMD64, or when I do it on i386, but I can't understand why.


When I do the df -i however, I do get the same amount of inode, so there 
is the same amount of files. I even use rsync to make a perfect mirror 
of them and still I get way different results.


AMD64 give me 4.6GB as the i386 gives me 8.1GB. The funny part is that 
the AMD64 should give me more as the file system include a bit more stuff


AMD64 mount point file system is for /var/www as the mirror one is for 
/var/www/sites and the amd does include all of sites files.


However if I log in with WinSCP and do the calculate stuff on both 
server to the location


/var/www/sites, I do get the same results.

dev.
52584 files, 2799 folders
location /var/www
7,685 MB (8,059,054,473)

www2
52584 files, 2799 folders
location /var/www
7,683 MB (8,056,394,923)

The difference in size is the logs files that are process not in sync of 
each others, but locally on each one.


I can't explain this one.

This is really weird.

I thought to delete the file system and recreate it with the additional 
mount to to see, but the results should be good as it is now as the 
/var/www/sites is inside the /var/www one on the AMD64.


i386 display:
# df -h
Filesystem SizeUsed   Avail Capacity  Mounted on
/dev/wd0a  247M   27.8M206M12%/
/dev/wd0h  4.6G3.2M4.3G 0%/home
/dev/wd0d  495M1.0K470M 0%/tmp
/dev/wd0g  4.4G206M3.9G 5%/usr
/dev/wd0e 12.6G745M   11.2G 6%/var
/dev/wd1b  7.8G2.0K7.4G 0%/var/mysql
/dev/wd0f  991M1.1M940M 0%/var/qmail
/dev/wd1a 19.7G8.1G   10.6G43%/var/www/sites


AMD64 display:
www1# df -h
Filesystem SizeUsed   Avail Capacity  Mounted on
/dev/wd0a  251M   40.5M198M17%/
/dev/wd0h 1024M   54.0K972M 0%/home
/dev/wd0d 1006M2.0K956M 0%/tmp
/dev/wd0g  4.9G304M4.4G 6%/usr
/dev/wd0e 24.6G4.6G   18.7G20%/var
/dev/wd0f 1006M1.5M955M 0%/var/qmail


I also thought about files still open, but I rebooted the system to be 
safe and still the same results.


May be the disklabel is not seen right, or calculate right on AMD64. I 
am not sure I understand this right, but if the file system use fsize of 
 2048 on AMD64 and display almost 1/2 the size of the i386 that use 
fsize of 1024, may be that's just the part of the fsize that is missing 
in the calculation.


So, far I couldn't come up with a different explication.

www1# disklabel wd0
# Inside MBR partition 3: type A6 start 63 size 78156162
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: Maxtor 6E040L0
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 78165360
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
# sizeoffset  fstype [fsize bsize  cpg]
  a:52409763  4.2BSD   2048 16384  328 # Cyl 0*-   519
  b:   8388576524160swap   # Cyl   520 -  8841
  c:  78165360 0  unused  0 0  # Cyl 0 - 77544
  d:   2097648   8912736  4.2BSD   2048 16384  328 # Cyl  8842 - 10922
  e:  52429104  11010384  4.2BSD   2048 16384  328 # Cyl 10923 - 62935
  f:   2097648  63439488  4.2BSD   2048 16384  328 # Cyl 62936 - 65016
  g:  10486224  65537136  4.2BSD   2048 16384  328 # Cyl 65017 - 75419
  h:   2132865  76023360  4.2BSD   2048 16384  328 # Cyl 75420 - 77535*



oppose to i386:
# disklabel wd0
# Inside MBR partition 3: type A6 start 63 size 58621122
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: QUANTUM FIREBALL
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 58633344
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
# sizeoffset  fstype [fsize bsize  cpg]
  a:52409763  4.2BSD   1024  8192   86 # Cyl 0*-   519
  b:   8388576524160swap   # Cyl   520 -  8841
  c:  58633344 0  unused  0 0  # Cyl 0 - 58167
  d:   1048320   8912736  4.2BSD   1024  8192   86 # Cyl 

Re: anoncvs prompts for password

2006-01-15 Thread Ramiro Aceves
Joachim Schipper wrote:
 On Sun, Jan 15, 2006 at 02:52:37PM +0100, Ramiro Aceves wrote:
 
I have investigated it further, and:

When yesterday I tried another mirror, changing CVROOT env variable, I
assumed that cvs up -Pd will pick the new mirror. But it picks instead
the mirror that is on the /usr/src/CVS directory, so in order to use the
new mirror, I needed to use the -d$CVROOT parameter.
 
 
 There is a reason why the FAQ tells you to specify the -d option
 explicitly, and this reason is itself in the FAQ... ;-)
 
   Joachim
 
 

Oh yes, that was my mistake. I should have followed the FAQ instead of
making my own assumptions.

Thanks for your help.
Ramiro.



Re: Temperature

2006-01-15 Thread Rogier Krieger
On 1/15/06, Pete Vickers [EMAIL PROTECTED] wrote:
 While we're on this subject, what about adding something like 
 sysctl -w | grep hw.sensor to /etc/daily ? I'd consider the output
 of such to be as useful as the status of disk space etc.

If you're concerned about temperature readings and fan speeds, you may
want to use sensorsd(8) and sensorsd.conf(5) instead. It can serve as
a trap to warn you, e.g. in case of a fan failure.

Cheers,

Rogier

--
If you don't know where you're going, any road will get you there.



Re: anoncvs prompts for password

2006-01-15 Thread Ramiro Aceves
When yesterday I tried another mirror, changing CVROOT env variable, I
assumed that cvs up -Pd will pick the new mirror. But it picks instead
the mirror that is on the /usr/src/CVS directory, so in order to use the
new mirror, I needed to use the -d$CVROOT parameter.
 
 
 Alternatively you can change CVS/Root in each directory:
 
 find . -name Root -exec perl -i -pe
 's,.*,[EMAIL PROTECTED]:/cvs,' {} \;
 
 --

Thank you Gerardo for the tip!

Ramiro



Re: df -h stats for same file systems display different results on AMD64 than on i386

2006-01-15 Thread Otto Moerbeek
On Sun, 15 Jan 2006, Daniel Ouellet wrote:

[snip lots of talk by a confused person]

 16 partitions:
 # sizeoffset  fstype [fsize bsize  cpg]
   a:52409763  4.2BSD   2048 16384  328 # Cyl 0*-   519
   b:   8388576524160swap   # Cyl   520 -  8841
   c:  78165360 0  unused  0 0  # Cyl 0 - 77544
   d:   2097648   8912736  4.2BSD   2048 16384  328 # Cyl  8842 - 10922
   e:  52429104  11010384  4.2BSD   2048 16384  328 # Cyl 10923 - 62935
   f:   2097648  63439488  4.2BSD   2048 16384  328 # Cyl 62936 - 65016
   g:  10486224  65537136  4.2BSD   2048 16384  328 # Cyl 65017 - 75419
   h:   2132865  76023360  4.2BSD   2048 16384  328 # Cyl 75420 -
 77535*

 16 partitions:
 # sizeoffset  fstype [fsize bsize  cpg]
   a:52409763  4.2BSD   1024  8192   86 # Cyl 0*-   519
   b:   8388576524160swap   # Cyl   520 -  8841
   c:  58633344 0  unused  0 0  # Cyl 0 - 58167
   d:   1048320   8912736  4.2BSD   1024  8192   86 # Cyl  8842 -  9881
   e:  27263376   9961056  4.2BSD   1024  8192   86 # Cyl  9882 - 36928
   f:   2097648  37224432  4.2BSD   1024  8192   86 # Cyl 36929 - 39009
   g:   9436896  39322080  4.2BSD   1024  8192   86 # Cyl 39010 - 48371
   h:   9874368  48758976  4.2BSD   1024  8192   86 # Cyl 48372 - 58167

Since the bsize and fsize differ, it is expected that the used kbytes of the
file systems differ. Also, the inode table size will not be the same.

You're comparing apples and oranges.

BTW, you don't say which version(s) you are running. That's bad, since
some bugs were fixed in the -h display. Run df without -h to see the
real numbers.

To check if the inode/block/fragment free numbers add up, you could
use dumpfs, but that is a hell of a lot of work. 

-Otto



Re: df -h stats for same file systems display different results on AMD64 than on i386

2006-01-15 Thread Daniel Ouellet

Otto Moerbeek wrote:

On Sun, 15 Jan 2006, Daniel Ouellet wrote:

[snip lots of talk by a confused person]


16 partitions:
# sizeoffset  fstype [fsize bsize  cpg]
  a:52409763  4.2BSD   2048 16384  328 # Cyl 0*-   519
  b:   8388576524160swap   # Cyl   520 -  8841
  c:  78165360 0  unused  0 0  # Cyl 0 - 77544
  d:   2097648   8912736  4.2BSD   2048 16384  328 # Cyl  8842 - 10922
  e:  52429104  11010384  4.2BSD   2048 16384  328 # Cyl 10923 - 62935
  f:   2097648  63439488  4.2BSD   2048 16384  328 # Cyl 62936 - 65016
  g:  10486224  65537136  4.2BSD   2048 16384  328 # Cyl 65017 - 75419
  h:   2132865  76023360  4.2BSD   2048 16384  328 # Cyl 75420 -
77535*



16 partitions:
# sizeoffset  fstype [fsize bsize  cpg]
  a:52409763  4.2BSD   1024  8192   86 # Cyl 0*-   519
  b:   8388576524160swap   # Cyl   520 -  8841
  c:  58633344 0  unused  0 0  # Cyl 0 - 58167
  d:   1048320   8912736  4.2BSD   1024  8192   86 # Cyl  8842 -  9881
  e:  27263376   9961056  4.2BSD   1024  8192   86 # Cyl  9882 - 36928
  f:   2097648  37224432  4.2BSD   1024  8192   86 # Cyl 36929 - 39009
  g:   9436896  39322080  4.2BSD   1024  8192   86 # Cyl 39010 - 48371
  h:   9874368  48758976  4.2BSD   1024  8192   86 # Cyl 48372 - 58167


Since the bsize and fsize differ, it is expected that the used kbytes of the
file systems differ. Also, the inode table size will not be the same.


Not sure that I would agree fully with that, but I defer to your 
judgment. Yes there will and should be a difference in usage, as if you 
have lots of small files, you are wasting more space if your fsize is 
bigger, unless I don't understand that part. Would it mean that the df 
-h would take the number of inodes in use * the fsize to display the 
results for humans then?



You're comparing apples and oranges.


I don't disagree to some extent as you know better, but I still try to 
understand it however. Shouldn't the df -h display the same results 
however to human? I am not arguing, but rather try to understand it. If 
it is design to be human converted, why a human would need to know or 
consider the file size in use then to compare the results?



BTW, you don't say which version(s) you are running. That's bad, since
some bugs were fixed in the -h display. Run df without -h to see the
real numbers.


All run 3.8. Sorry about that.

the 4.6GB have 4870062 * 1024 = 4,986,943,488
www1# df
Filesystem  1K-blocks  Used Avail Capacity  Mounted on
/dev/wd0a  256814 4146420251017%/
/dev/wd0h 104815854995698 0%/home
/dev/wd0d 1030550 2979022 0%/tmp
/dev/wd0g 5159638310910   4590748 6%/usr
/dev/wd0e25799860   4870062  1963980620%/var
/dev/wd0f 1030550  1546977478 0%/var/qmail


the 8.1GB have 15967148 * 512 = 8,175,179,776
# df
Filesystem  512-blocks  Used Avail Capacity  Mounted on
/dev/wd0a   513628 6558842236013%/
/dev/wd0h  186162852   1768496 0%/home
/dev/wd0d  2061100 4   1958044 0%/tmp
/dev/wd0g  9904156424544   8984408 5%/usr
/dev/wd0e 33022236   1537612  29833516 5%/var
/dev/wd1b 16412252   1937920  1365372012%/var/mysql
/dev/wd0f  2061100 4   1958044 0%/var/qmail
/dev/wd1a 41280348  15967148  2324918441%/var/www/sites

The funny part is that the first above /var include more files then the 
/var/www/sites below and still display less space in use.



To check if the inode/block/fragment free numbers add up, you could
use dumpfs, but that is a hell of a lot of work. 


-Otto



It's not a huge deal and the systems work well, I am just puzzled by the 
results and want to understand it, that's all.




Mixed internal network traffic, bridge+NAT separated to multiple ISPs, help?

2006-01-15 Thread yary
I've struggled for a couple days configuring an OpenBSD
router/firewall and would like some help from the experts.

Short version: There's an internal network with voice-over-IP phones
and PCs. The phones have publicly routable addresses, and for them,
the OpenBSD router should act like an addressless bridge. The router
also assigns PCs private addresses via DHCP, and gives them access
to the big bad internet via pf's NAT. I can get the bridge to work for
the phones, I can get the NAT to work for the PCs, but not both at the
same time reliably. If you've done this please tell me how.

Longer version:

VOIP Phones (public 20.0.0.x/24)
mixed with
Office PCs (private 192.168.1.x/24)
  |||
  \V/
   HW switch
   |
   $int_if OpenBSD router (192.168.1.1)
|   +--- $ext_if for PCs ISP (configured via dhclient)
+--- $voip_if for Phone ISP (either no addy or 20.0.0.225, route to 20.0.0.1)

The OpenBSD router has 3 NICs- $int_if faces the single internal
switch that all the VOIP phones and office PCs connect to. $voip_if
faces an ISP that's assigned us public IPs for all the phones, and we
can use one of those for $voip_if itself. $ext_if faces another ISP,
and gets its address, gateway, and DNS servers via DHCP.

The VOIP phones have publicly routable addresses, all assigned from
the 20.0.0.0/24 CIDR block. The office PCs get their addresses via
DHCP from the OpenBSD router in the private 192.168.1.0/24 network.

All the VOIP traffic is to flow through the OpenBSD router, between
$voip_if and $int_if. All other external traffic is to travel over
$ext_if. The router itself needs to be ssh'able, serve DHCP to the
internal network, and provide other services later.

Plugging the VOIP ISP directly into our internal switch works, but
then we're bypassing our OpenBSD router for that traffic. We want to
tweak that traffic later, after the basic setup works, so bypassing is
not an option.


Tried so far:

A. http://www.openbsd.org/faq/pf/pools.html looked promising. I set up
pf so that 20.0.0.0/24 route-to ($voip_if 200.0.0.1) and !20.0.0.0/24
route-to ($ext_if 44.33.22.1), with a nat on $ext_if from
192.168.1.0/24 -> ($ext_if)

This worked great for all the PCs, they could see the outside world
just fine. But the phones got no traffic at all. tcpdump -i $int_if
net 20.0.0.0/24 showed no traffic. My guess is that the OpenBSD box
didn't advertise that $int_if was a route for that traffic. And why
should it? $int_if has the address 192.168.1.1, that's not on the
20.0.0.0/24 net.

a smaller problem- how to specify what remote host to route-to in
pf-conf when the interface is configured via DHCP? ($ext_if) will
resolve to a changing interface address, but there's no way I can find
to symbolically use that interface's remote router. I had to look up its
address in /var/db/dhclient.leases.$ext_if and hard-code that
(44.33.22.1 in our example). If our upstream ISP decides to change
what network it assigns to us, then the router on the other end
changes, and the route-to breaks

B. Add a bridge for the phone traffic. ifconfig bridge0 create;
brconfig bridge0 add $int_if add $voip_if up - created
/etc/bridgename.bridge0 to do just that at boot. Added rules to
pf.conf so only 20.0.0.0/24 traffic would flow through $voip_if. Keep
the route-to for the PC traffic so it keeps going to $ext_if.

With the bridge the phones work great! Can call out, can receive
incoming calls. And the PCs work too!  For a while... when the phones
are unused, everything is great. But pick up a phone, and some of PCs
lose all connections. They can't even get responses to ping
192.168.1.1 And hanging up/disconnecting the phones after doesn't
fix the problem. I can't predict which PCs will lose connections or
when, it seems random. Some PCs continue to work!

tcpdump shows some 192.168.1.x traffic leaking onto bridge0. Even
traffic for ping 192.168.1.1 sometimes shows up on bridge0.

I tried changing pf.conf to have just the required NAT and pass all,
loaded that with pfctl -F all -f pf.conf, that didn't fix it.

In an act of desperation tried to add a rule to pf.conf by IP address on
bridge0 itself, but pfctl -vs rules showed that it never matched. I
know that brconfig can add rules at the bridge level to filter on MAC
address, but that seems difficult to maintain when adding/swapping
phones regularly.

I tried adding a 200.0.0.x address as an alias to $int_if, which
didn't seem to make any difference.

I'm lost. I suspect my difficulties stem from my lack of route(8)
knowledge. A co-worker is building another OpenBSD box with 4 NICs, so
there can be one internal NIC for VOIP traffic, and another for the
office PCs. While that seems conceptually cleaner, all the traffic
will be going through the same HW switch- and I foresee similar issues.
 If we could make all the phones go to one switch, connect that to one
internal NIC, and all the PCs go to another switch, and into the
second internal NIC, then this 

Re: ssh to computer with variable ip address

2006-01-15 Thread Stuart Henderson
On 2006/01/15 20:55, tony sarendal wrote:
 Do you have a ssh server with static ip address anywhere ?
 If so, make the client with dynamic ip address log into your server at
 startup and make a port forward back to the ssh port on the client.
 
 Very handy trick when you need to manage boxes sitting behind
 others nat'ing firewalls.

autossh (in ports) can help with this.

An alternative is to connect them in a VPN. You can make do with
just dynamic addresses at both sides if you are prepared to trust some
'dynamic dns' provider (openvpn can be set to make a new DNS query each
time a connection times-out).

Another alternative is to run IPv6 to some tunnel-broker that supports
dynamic clients (e.g. sixxs in Europe).



Re: Mixed internal network traffic, bridge+NAT separated to multiple ISPs, help?

2006-01-15 Thread Stuart Henderson
On 2006/01/15 13:59, yary wrote:
 a smaller problem- how to specify what remote host to route-to in
 pf-conf when the interface is configured via DHCP?

You don't.., use the normal routing table for this instead.

  If we could make all the phones go to one switch, connect that to one
 internal NIC, and all the PCs go to another switch, and into the
 second internal NIC, then this would be easy. I think. But we don't
 have the space or the hardware.

You could run vlans, if your switch supports them. That's probably
the cleanest way.



Re: anoncvs prompts for password

2006-01-15 Thread Gerardo Santana Gómez Garrido
2006/1/15, Ramiro Aceves [EMAIL PROTECTED]:
 
 When yesterday I tried another mirror, changing CVROOT env variable, I
 assumed that cvs up -Pd will pick the new mirror. But it picks instead
 the mirror that is on the /usr/src/CVS directory, so in order to use the
 new mirror, I needed to use the -d$CVROOT parameter.
 
 
  Alternatively you can change CVS/Root in each directory:
 
  find . -name Root -exec perl -i -pe
  's,.*,[EMAIL PROTECTED]:/cvs,' {} \;
 
  --

 Thank you Gerardo for the tip!

I'm not happy with spawning perl each time a file is found, though.
That looks more like a job for sed, not perl.

I recalled there was a patch for sed to add in-place editing and
wondered what happened to it. I thought it was committed.

I just found the thread:

http://marc.theaimsgroup.com/?l=openbsd-techm=112831218022633w=2

I hope it can be reconsidered.

--
Gerardo Santana
Between individuals, as between nations, respect for the rights of
others is peace - Don Benito Juarez
http://santanatechnotes.blogspot.com/
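
The point made in this thread, that `cvs up` follows the server recorded in each CVS/Root file rather than the environment, as an added shell example (not code from the thread): it first lists which servers a checked-out tree actually points at, then rewrites only the files that differ, without starting an interpreter per file. The mirror names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Mirror names are placeholders.

# cvs_roots DIR
# Print every distinct CVS/Root value under DIR with the number of
# directories using it, e.g. "812 anoncvs@mirror-a.example.org:/cvs".
# More than one line means the tree would talk to more than one server.
cvs_roots() {
    find "$1" -type f -path '*/CVS/Root' -exec cat {} + |
        sort | uniq -c | awk '{ print $1, $2 }'
}

# set_cvs_root DIR NEWROOT
# Point every CVS/Root under DIR at NEWROOT and print how many files were
# changed. Only files named Root inside a CVS directory are touched, and
# files that are already correct are left alone. find batches the paths,
# so one sh handles many files.
set_cvs_root() {
    find "$1" -type f -path '*/CVS/Root' -exec sh -c '
        new=$1; shift; n=0
        for f in "$@"; do
            if [ "$(cat "$f")" != "$new" ]; then
                printf "%s\n" "$new" > "$f"
                n=$((n + 1))
            fi
        done
        echo "$n"' sh "$2" {} + | awk '{ s += $1 } END { print s + 0 }'
}

# Usage: sh cvsroot.sh audit /usr/src
#        sh cvsroot.sh set /usr/src anoncvs@mirror-b.example.org:/cvs
case "${1:-}" in
    audit) cvs_roots "$2" ;;
    set)   set_cvs_root "$2" "$3" ;;
esac
```
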



Re: ssh to computer with variable ip address

2006-01-15 Thread tony sarendal
On 15/01/06, Stuart Henderson [EMAIL PROTECTED] wrote:

 On 2006/01/15 20:55, tony sarendal wrote:
  Do you have a ssh server with static ip address anywhere ?
  If so, make the client with dynamic ip address log into your server at
  startup and make a port forward back to the ssh port on the client.
 
  Very handy trick when you need to manage boxes sitting behind
  others nat'ing firewalls.

 autossh (in ports) can help with this.


My while-true-do loop hasn't failed me yet, never looked for a port since
a few line shell script does the trick reliably.

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   I couldn't help it, it's my nature =-
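
For the two ideas raised in this thread, identifying a machine whose address keeps changing and having it dial out with a reverse port forward, here is an added shell example (not code from any poster): the host key is filed under a stable alias, so a changed address is harmless while a changed key still stops the connection. The aliases, port, account names and key blobs are constructed placeholders; `pinned_key_status` is a hypothetical helper that only reads plain-text known_hosts entries.

```shell
#!/bin/sh
# Added example, not from the thread. Aliases, ports, addresses and key
# blobs are constructed placeholders.

# Constructed known_hosts content: keys are filed under stable aliases,
# not under whatever address DHCP handed out. Blobs are dummies.
sample_known_hosts() {
    cat <<'EOF'
# pinned once, over a trusted path
laptop-dave ssh-rsa AAAAconstructedKEY1
fileserver,192.0.2.10 ssh-rsa AAAAconstructedKEY2
EOF
}

# pinned_key_status FILE ALIAS KEYTYPE KEYBLOB
# Prints "match", "MISMATCH" (the alias is pinned to a different key) or
# "unknown" (the alias is not pinned at all). Hashed names (|1|...) and
# @marker lines are skipped. A key type that is not pinned for a known
# alias counts as MISMATCH, which is deliberately strict.
pinned_key_status() {
    awk -v want="$2" -v ktype="$3" -v blob="$4" '
        /^[ \t]*[#@|]/ || NF < 3 { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                if (names[i] != want) continue
                seen = 1
                if ($2 == ktype && $3 == blob) ok = 1
            }
        }
        END {
            if (ok) print "match"
            else if (seen) print "MISMATCH"
            else print "unknown"
        }' "$1"
}

# ssh_pinned_opts ALIAS
# Client options that make ssh look the host key up under ALIAS instead of
# the address typed on the command line, refuse unknown or changed keys,
# and never offer a password to whatever answers at that address.
ssh_pinned_opts() {
    printf '%s\n' "-o HostKeyAlias=$1 -o CheckHostIP=no -o StrictHostKeyChecking=yes -o PasswordAuthentication=no"
}

# keep_tunnel USER@STATICHOST PORT
# Runs on the machine with the dynamic address: dial out to the host with
# the static address and expose the local sshd on its loopback PORT.
# Reconnects after a drop; a dead link is noticed by the keepalives.
keep_tunnel() {
    while true; do
        ssh -N -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
            -R "127.0.0.1:$2:127.0.0.1:22" "$1"
        sleep 10
    done
}

# On the static host, reach the laptop through the forwarded port:
#   ssh -p 2222 $(ssh_pinned_opts laptop-dave) dave@127.0.0.1
# Several tunnelled machines all appear as 127.0.0.1 there; the alias keeps
# their keys apart in known_hosts.

if [ "${1:-}" = "demo" ]; then
    kh=$(mktemp) && sample_known_hosts > "$kh"
    pinned_key_status "$kh" laptop-dave ssh-rsa AAAAconstructedKEY1
    rm -f "$kh"
fi
```
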



Re: OT: wrt OpenBSD, what's a good laptop

2006-01-15 Thread Joachim Schipper
On Sun, Jan 15, 2006 at 02:08:28PM -0600, Julesg wrote:
 I want aircard support of course (which lets out DELL and a few other
 manufacturers.)
 
 So what's the best?  Why?
 
 BTW:  I suspect, but have zero affirming data, that SSH2 has been
 cracked.  I had numerous security incidents on another laptop (not
 running Obsd,) so I don't know if the problem was Fbsd or SSH, though
 the Fbsd OS was re-installed several times and security oriented folks
 tightened down Fbsd for me (out of the box, it's a joke!)
 
 Now I'm getting into laptops again and want to make the right
 choices!  Which means Obsd first and foremost, so I ask:  which
 laptop??

FreeBSD isn't that bad, security-wise. I don't know who you are, but I
feel pretty confident in saying that *if* someone broke SSH2, he'd have
better things to do than mess with you. Not to mention being so good at
messing with you that you'd likely never notice.

At the moment, I know of one attack that may work against sshd, which is
simply guessing passwords. In fact, it is the one attack often seen in
the wild.

Of course, this can be solved adequately by either choosing strong
passwords or just disabling password authentication altogether, which is
a pretty good idea all things considered.
However, this is not an attack against ssh, per se - after all, sshd
does what it should do. And, in fact, this problem is not up to the
OpenSSH people to solve, either - just choose good passwords.

I have heard good things about the IBM Thinkpad line; quite a few people
use these with OpenBSD. So you might look into one of these - I don't
know too much about laptops, though, so I'll let other, more
laptop-savvy misc@ posters answer that one for you.

Joachim



Re: OT: wrt OpenBSD, what's a good laptop

2006-01-15 Thread Greg Thomas
On 1/15/06, Julesg [EMAIL PROTECTED] wrote:
 I want aircard support of course (which lets out DELL and a few other 
 manufacturers.)


OpenBSD has drivers for AirCards?  If so, that's really cool.  Or do
you mean 802.11/WiFi?

If you mean WiFi OpenBSD has tons of 802.11b/g drivers now.  The Intel
card in my Dell works fine but if I were to buy a new laptop it would
be a Lenovo.

Greg



Openbsd 3.8, sun ultra 30, install problems

2006-01-15 Thread Josh
Hello...

I'm trying to install openbsd 3.8 onto a sun ultra 30. The box has a scsi
cdrom and a scsi hdd, and no floppy drive. I am using a cdrom burned
with the small cd38.iso image to try and install with.

When I boot the cdrom, it says:

ok boot cdrom
Boot device: /pci/@1f,4000/[EMAIL PROTECTED]/[EMAIL PROTECTED],0:f  File and 
args:
OpenBSD IEEE 1275 Bootblock 1.1
..

And that is where it stops. The same thing happens with netbsd as well,
and I can't seem to install solaris.

Here is what it says at the top of the OpenBoot thing:

Sun Ultra 30 UPA/PCI (UltraSPARC-II 248MHz), Keyboard Present
OpenBoot 3.9, 768 MB memory installed, Serial #10216936
Ethernet address 8:0:20:9b:e5:e8, Host ID: 809be5e8.

Any ideas?

Thanks,
Josh



Re: OT: wrt OpenBSD, what's a good laptop

2006-01-15 Thread Chris Kuethe
On 1/15/06, Greg Thomas [EMAIL PROTECTED] wrote:
 On 1/15/06, Julesg [EMAIL PROTECTED] wrote:
  I want aircard support of course (which lets out DELL and a few other 
  manufacturers.)
 

 OpenBSD has drivers for AirCards?  If so, that's really cool.  Or do
 you mean 802.11/WiFi?

 If you mean WiFi OpenBSD has tons of 802.11b/g drivers now.  The Intel
 card in my Dell works fine but if I were to buy a new laptop it would
 be a Lenovo.

I like my IBM/Lenovo Thinkpad T41. I also had good results with my IBM x30.
The x30 had a prism2.5 wireless card, my T41 came with an iwi(4), but
I replaced it with an ath(4). The iwi speaks 802.11g, whereas my ath
doesn't speak a/g but the ath doesn't lock up every few hours like the
iwi...

Here's what the Lenovo 802.11 a/b/g combo card looks like:

ath0 at pci2 dev 2 function 0 Atheros AR5212 (IBM MiniPCI) rev 0x01: irq 11
ath0: AR5213 5.6 phy 4.1 rf5111 1.7 rf2111 2.3, WOR1W, address 00:05:4e:4f:23:c4

If you do choose a lenovo laptop, have a look at misc/tpwireless in ports... :)

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?



Re: Temperature

2006-01-15 Thread Damien Miller
On Sun, 15 Jan 2006, Ricardo Lucas wrote:

 Hello misc,
 anyone knows a program that monitoring the cpu temperature and hard disk
 temperature and rotation?!

There has been a lot of hardware monitoring work that has been happening
in -current recently. Grab a snapshot and try it out - the results will
be under sysctl hw.sensors, for example:

hw.sensors.0=admtm0, Internal, temp, 39.00 degC / 102.20 degF
hw.sensors.1=admtm0, External, temp, 32.00 degC / 89.60 degF
hw.sensors.2=admtm0, 2.5 V, volts_dc, 2.50 V
hw.sensors.3=admtm0, Vccp, volts_dc, 0.00 V
hw.sensors.4=admtm0, 3.3 V, volts_dc, 3.32 V
hw.sensors.5=admtm0, 5 V, volts_dc, 4.97 V
hw.sensors.6=admtm0, 12 V, volts_dc, 12.00 V
hw.sensors.7=admtm0, Vcc, volts_dc, 3.37 V

It is trivial to use mrtg or similar to chart these.

-d



Re: 3Ware Escalade 7506-8 IDE RAID controller support under OpenBSD 3.8

2006-01-15 Thread L. V. Lammert
On Sat, 14 Jan 2006, Greg wrote:

 This for my home network and RAID cards are a big ticket item around here
 so unfortunately getting the LSI MegaRAID controller is not an option at
 this point ... but yeah - I wish I could trade my card in - even the nice
 little web interface they use to monitor it can't be installed on my box.  I
 have already emailed their support.

 Greg

We have systems running 3Ware controllers  twe, .. and they work just
fine. Obviously, it's just a disk controller to OBSD.

Lee



Re: Openbsd 3.8, sun ultra 30, install problems

2006-01-15 Thread Nick Holland
Josh wrote:
 Hello...
 
 I'm trying to install openbsd 3.8 onto a sun ultra 30. The box has a scsi
 cdrom and a scsi hdd, and no floppy drive. I am using a cdrom burned
 with the small cd38.iso image to try and install with.
 
 When I boot the cdrom, it says:
 
 ok boot cdrom
 Boot device: /pci/@1f,4000/[EMAIL PROTECTED]/[EMAIL PROTECTED],0:f  File and 
 args:
 OpenBSD IEEE 1275 Bootblock 1.1
 ..
 
 And that is where it stops. The same thing happens with netbsd as well,
 and I can't seem to install solaris.
 
 Here is what it says at the top of the OpenBoot thing:
 
 Sun Ultra 30 UPA/PCI (UltraSPARC-II 248MHz), Keyboard Present
 OpenBoot 3.9, 768 MB memory installed, Serial #10216936
 Ethernet address 8:0:20:9b:e5:e8, Host ID: 809be5e8.
 
 Any ideas?

Sounds like a broken computer or a bad CDROM drive.  Potentially, a
bad CDR you made.  I've also seen some machines that refuse to read
certain brands of CDR media.

Nick.



Re: OT: wrt OpenBSD, what's a good laptop

2006-01-15 Thread William Kranec
On Sun, Jan 15, 2006 at 02:08:28PM -0600, Julesg wrote:
 I want aircard support of course (which lets out DELL and a few other 
 manufacturers.)
 
 So what's the best?  Why?

I don't know what the best is per se, but I have a Toshiba Satellite series 
notebook which I think is awesome, and works fine under 3.8.  Built in wireless 
is supported by iwi.

HTH,

Bill



Re: OT: wrt OpenBSD, what's a good laptop

2006-01-15 Thread STeve Andre'
On Monday 16 January 2006 05:05, William Kranec wrote:
 On Sun, Jan 15, 2006 at 02:08:28PM -0600, Julesg wrote:
  I want aircard support of course (which lets out DELL and a few other
  manufacturers.)
 
  So what's the best?  Why?

 I don't know what the best is per se, but I have a Toshiba Satellite series
 notebook which I think is awesome, and works fine under 3.8.  Built in
 wireless is supported by iwi.

 HTH,

 Bill

I strongly prefer ThinkPads.  The recent changeover from IBM to Lenovo
doesn't seem to have changed things a lot.  I think all hardware has
slipped in terms of quality the last few years, but from what I've seen
lately of the insides of other laptops (Dell, Sony, HP), I think ThinkPads
are the best built.  My four year old A31p is still a great machine, and
has three spindles; three disks in a laptop is cool. ;-)

--STeve Andre'



Re: postfix w/ encrypted virtual mailboxes: delivery failure file too large

2006-01-15 Thread dick
based on my previous posts about trouble with svnd encryption having not
garnered any replies (see
http://marc.theaimsgroup.com/?l=openbsd-misc&m=113717720822507&w=2 ), i'm going
to rephrase my questions.

- what methods, if any, can be used to reliably encrypt my virtual mailboxes so
that they are secure against physical theft of the machines? this seems to be a
very useful thing to do since many corporate mailservers have sensitive data on 
them

- is there any useful information in the reply i got on the postfix-users
mailing list: 

Looks like the svnd driver applies the per-process file size limit not only
to the files created, but also to the containing volume. This means that svnd
used over ordinary files is not suitable.

i cannot grok this reply even though i have read the vnd and vnconfig manual
pages. is there any truth to this statement? should i look at the source for the
vnd driver to understand more?

- are there any additional utilities anyone can recommend i use to further
investigate why the setup i described in the previous posts (mounting an
encrypted svnd device at /var/vmail and having postfix deliver to mailboxes
inside of /var/vmail) is not working?

in a best-case scenario, i would like to be able to use the svnd encryption
provided with the base openbsd system. failing that, it would be nice to know
why svnd is not appropriate for this particular application and what some
possible alternatives are.

cheers,
jake



Re: OT: wrt OpenBSD, what's a good laptop

2006-01-15 Thread Greg Thomas
On 1/15/06, Chris Kuethe [EMAIL PROTECTED] wrote:
 On 1/15/06, Greg Thomas [EMAIL PROTECTED] wrote:
  On 1/15/06, Julesg [EMAIL PROTECTED] wrote:
   I want aircard support of course (which lets out DELL and a few other 
   manufacturers.)
  
 
  OpenBSD has drivers for AirCards?  If so, that's really cool.  Or do
  you mean 802.11/WiFi?
 
  If you mean WiFi OpenBSD has tons of 802.11b/g drivers now.  The Intel
  card in my Dell works fine but if I were to buy a new laptop it would
  be a Lenovo.

 I like my IBM/Lenovo Thinkpad T41. I also had good results with my IBM x30.
 The x30 had a prism2.5 wireless card, my T41 came with an iwi(4), but
 I replaced it with an ath(4). The iwi speaks 802.11g, whereas my ath
 doesn't speak a/g but the ath doesn't lock up every few hours like the
 iwi...


I've got a Dell Latitude D600 which works pretty well with OpenBSD
including its Intel 2200b/g but I haven't followed support for ACPI
since I've been using this old 700Mhz IBM T20 instead works just
great.

Greg



Linux/Unix Vulnerabilities Outnumber Windows' 3 To 1

2006-01-15 Thread Siju George
http://www.securitypipeline.com/175801169?CID=rssfeed_pl_scp

--Siju



Re: 3.8 perl patch 001 issue - more complete description

2006-01-15 Thread Josh Caster

On Sun, Jan 15, 2006 at 12:21:29PM -0600, Josh Caster wrote:

I am running release 3.8. It does not appear that the line endings is a 
problem because I have gotten the patch from several sources including 
the 3.8.tar.gz. I've tried updating to the patch release where the 
patches have already been applied and I still cannot get this make to 
complete.

Thanks,
 



Strange. This usually happens when you do something you shouldn't -
mixing -stable and -current, or somesuch.

Can you try again with a new src.tar.gz and a new patch, and record
everything? ('script' is good for this kind of thing.)

Joachim

I ran a cvs -q get -rOPENBSD_3_8_BASE -P src
once that completed i ran patch.sh which contained the following lines:
make -f Makefile.bsd-wrapper obj
make -f Makefile.bsd-wrapper depend
make -f Makefile.bsd-wrapper

# ./patch.sh 1>out 2>err
out:


usr/src/gnu/usr.bin/perl/obj -> /usr/obj/gnu/usr.bin/perl
cd /usr/src/gnu/usr.bin/perl/obj && exec make
LD_LIBRARY_PATH=/usr/src/gnu/usr.bin/perl/obj ./miniperl -Ilib configpm 
configpm.tmp
sh mv-if-diff configpm.tmp lib/Config.pm
File lib/Config.pm not changed.
AutoSplitting perl library
LD_LIBRARY_PATH=/usr/src/gnu/usr.bin/perl/obj ./miniperl -Ilib -e 'use 
AutoSplit;  autosplit_lib_modules(@ARGV)' lib/*.pm
LD_LIBRARY_PATH=/usr/src/gnu/usr.bin/perl/obj ./miniperl -Ilib -e 'use 
AutoSplit;  autosplit_lib_modules(@ARGV)' lib/*/*.pm
make lib/re.pm
`lib/re.pm' is up to date.

Making DynaLoader (static_pic)
LD_LIBRARY_PATH=/usr/src/gnu/usr.bin/perl/obj cc -o perl  -Wl,-E 
-Wl,-R/usr/libdata/perl5/i386-openbsd/5.8.6/CORE perlmain.o 
lib/auto/DynaLoader/DynaLoader.a  -L. -lperl `cat ext.libs` -lm -lutil -lc
cd x2p; LD_LIBRARY_PATH=/usr/src/gnu/usr.bin/perl/obj make s2p
`s2p' is up to date.

Making utilities

Making x2p stuff


Making B (dynamic)

Making ByteLoader (dynamic)

Making Cwd (dynamic)

Making DB_File (dynamic)

Making Data::Dumper (dynamic)

Making Devel::DProf (dynamic)

Making Devel::PPPort (dynamic)

Making Devel::Peek (dynamic)

Making Digest::MD5 (dynamic)

Making Encode (dynamic)
make config failed, continuing anyway...
*** Error code 2

Stop in /usr/src/gnu/usr.bin/perl/obj (line 584 of makefile).
*** Error code 1

Stop in /usr/src/gnu/usr.bin/perl (line 578 of 
/usr/src/gnu/usr.bin/perl/Makefile.bsd-wrapper).


and the err file:
./libperl.so.10.0: warning: vsprintf() is often misused, please use vsnprintf()
./libperl.so.10.0: warning: strcpy() is almost always misused, please use 
strlcpy()
./libperl.so.10.0: warning: sprintf() is often misused, please use snprintf()
lib/auto/DynaLoader/DynaLoader.a(DynaLoader.o)(.text+0x2cc): In function 
`XS_DynaLoader_dl_load_file':
: warning: strcat() is almost always misused, please use strlcat()
make: don't know how to make config. Stop in 
/usr/src/gnu/usr.bin/perl/obj/ext/Encode.
make: don't know how to make all. Stop in 
/usr/src/gnu/usr.bin/perl/obj/ext/Encode.


Thanks for any help.
Josh



Re: Linux/Unix Vulnerabilities Outnumber Windows' 3 To 1

2006-01-15 Thread STeve Andre'
On Monday 16 January 2006 05:49, Siju George wrote:
 http://www.securitypipeline.com/175801169?CID=rssfeed_pl_scp

 --Siju

This isn't news, and whenever one tries to put numbers on these
things, it's always skewed.  It also doesn't have much to do with
OpenBSD...

--STeve Andre'



Re: postfix w/ encrypted virtual mailboxes: delivery failure file too large

2006-01-15 Thread Tobias Ulmer
On Sun, Jan 15, 2006 at 10:20:09PM -0600, [EMAIL PROTECTED] wrote:
 based on my previous posts about trouble with svnd encryption having not
 garnered any replies (see
 http://marc.theaimsgroup.com/?l=openbsd-misc&m=113717720822507&w=2 ), i'm 
 going
 to rephrase my questions.
 
 - what methods, if any, can be used to reliably encrypt my virtual mailboxes 
 so
 that they are secure against physical theft of the machines? this seems to be 
 a
 very useful thing to do since many corporate mailservers have sensitive data 
 on them
 
 - is there any useful information in the reply i got on the postfix-users
 mailing list: 
 
 Looks like the svnd driver applies the per-process file size limit not only
 to the files created, but also to the containing volume. This means that 
 svnd
 used over ordinary files is not suitable.
 
 i cannot grok this reply even though i have read the vnd and vnconfig manual
 pages. is there any truth to this statement? should i look at the source for 
 the
 vnd driver to understand more?
 - are there any additional utilities anyone can recommend i use to further
 investigate why the setup i described in the previous posts (mounting an
 encrypted svnd device at /var/vmail and having postfix deliver to mailboxes
 inside of /var/vmail) is not working?
 
 in a best-case scenario, i would like to be able to use the svnd encryption
 provided with the base openbsd system. failing that, it would be nice to know
 why svnd is not appropriate for this particular application and what some
 possible alternatives are.
 
 cheers,
 jake
 


Things I would try (in no particular order)

Newfs the vnd device. Make sure you have no quota or user limits in 
place, because it complains about EDQUOT or EFBIG - errno(3)

Try to move your /var/spool/mail on the same disk. Postfix uses lots 
of linking operations that may fail if these things are on different 
partitions.

Configure virtual so that it uses another delivery agent, for example 
maildrop.

Look into src/virtual/maildrop.c with a debugger and find out where 
exactly it breaks.
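
The EFBIG case mentioned in the reply above, as an added example (not code from the thread, from Postfix or from OpenBSD): a process whose soft RLIMIT_FSIZE is lowered gets EFBIG, "File too large", from write(2) once the file reaches the limit. The helper name, the temp path and the sizes are assumptions chosen for illustration; it shows the per-process limit only and does not exercise svnd.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Hypothetical helper: write `total` bytes to a temp file while the soft
 * RLIMIT_FSIZE is `limit` bytes. Returns 0 or the errno of the failed
 * write(2); *written receives the bytes that did reach the file. */
int write_under_fsize_limit(rlim_t limit, size_t total, size_t *written)
{
    struct rlimit old, lim;
    char path[] = "/tmp/fsize-demo.XXXXXX";  /* constructed path */
    char buf[512];
    int fd, err = 0;

    *written = 0;
    if (getrlimit(RLIMIT_FSIZE, &old) == -1)
        return errno;
    signal(SIGXFSZ, SIG_IGN);  /* default action would kill the process */
    lim = old;
    lim.rlim_cur = limit;      /* soft limit only, so it can be restored */
    if (setrlimit(RLIMIT_FSIZE, &lim) == -1)
        return errno;
    if ((fd = mkstemp(path)) == -1) {
        err = errno;
    } else {
        memset(buf, 'x', sizeof(buf));
        while (*written < total) {
            size_t want = total - *written;
            if (want > sizeof(buf))
                want = sizeof(buf);
            ssize_t n = write(fd, buf, want);
            if (n == -1) { err = errno; break; }
            *written += (size_t)n;  /* short writes are retried by the loop */
        }
        close(fd);
        unlink(path);
    }
    setrlimit(RLIMIT_FSIZE, &old);  /* put the original limit back */
    return err;
}

int main(void)
{
    size_t n;
    int err = write_under_fsize_limit(4096, 8192, &n);
    printf("wrote %zu bytes: %s\n", n, err ? strerror(err) : "ok");
    return 0;
}
```

Running `ulimit -f` in the shell that starts the daemon shows the inherited limit in 512-byte blocks.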



Re: Linux/Unix Vulnerabilities Outnumber Windows' 3 To 1

2006-01-15 Thread Tobias Ulmer
On Mon, Jan 16, 2006 at 11:19:01AM +0530, Siju George wrote:
 http://www.securitypipeline.com/175801169?CID=rssfeed_pl_scp
 
 --Siju
 

Get the facts ;)
http://www.osvdb.org/blog/?p=79

Comparing apples with oranges normally results in cheese :p

Tobias