PF SMP

2006-06-30 Thread Clint Pachl

Does PF utilize multiple processors? One of my router/firewalls is a
dual Pentium Pro 200. It also runs ftp-proxy, but that's it. Would a PII 
400MHz be equivalent, better, or worse?


Just curious. From what I understand, the network stack is not threaded, 
thus multiple processors would not be beneficial.


- pachl



Re: Partitions

2006-06-30 Thread [EMAIL PROTECTED]@mgedv.net
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 On Behalf Of John Brahy
 Sent: Thursday, June 29, 2006 11:00 PM
 To: misc@openbsd.org
 Subject: [misc] Partitions
 
 At first I didn't understand the reason for all the partitions (
 http://archives.neohapsis.com/archives/openbsd/2001-01/1654.html) now I
 can't have enough partitions
 
 In my official OpenBSD CD sleeve it says to create these partitions:
 /
 swap
 /tmp
 /var
 /usr
 /home
 
 and over time I have learned to appreciate these, but lately 
 I have been
 creating more partitions
 /usr/src
 /usr/obj
 are two of the ones that are suggested when rebuilding my system and I
 definitely like the speed of doing a newfs to /usr/obj
 
 I also have been putting mysql on its own partition and then 
 I got a little
 crazier and added more partitions and my list has grown to this:
 
 /
 /home
 /tmp
 /var
 /var/mysql
 /usr
 /usr/local
 /usr/src
 /usr/obj
 /usr/Xbld
 /usr/XF4
 /usr/local
 /virtualhosts
 
 So am I going overboard? or am I missing any good partitions.
 
 when I first posted Nick Holland replied with several reasons to have
 multiple partitions. Those being
 security, fragmentation, protecting the filesystem from overfilling,
 organization and space tracking.
 
 does increasing the amount of partitions increase access to 
 the files on
 that partition?
 
 Any feedback would be appreciated.
 
 Thanks,
 
 John
 


well, from my point of view: if your setup or the
things you load on the server need it - have as
many partitions as you want!
at the latest, you'll see whether you went overboard
when it comes to upgrades, restores, etc...
your environment has to fit your needs. i've seen
machines with just / and swap, and i've seen machines
where, for example, the database itself had
more than 30 partitions as well.
both setups were fine - for their respective needs.
if it's manageable, secure and last but not least -
FAST, it's fine ;-)



Re: PF SMP

2006-06-30 Thread Gustavo Rios

I have the same understanding you have, Pachl. I believe the OpenBSD IP
stack is not implemented as multithreaded. A core developer could
deny/confirm such belief.

/all the best.

On 6/30/06, Clint Pachl [EMAIL PROTECTED] wrote:

Does PF utilize multiple processors? One of my router/firewalls is a
dual Pentium Pro 200. It also runs ftp-proxy, but that's it. Would a PII
400MHz be equivalent, better, or worse?

Just curious. From what I understand, the network stack is not threaded,
thus multiple processors would not be beneficial.

- pachl




Re: PF SMP

2006-06-30 Thread Michał Koc
OpenBSD SMP is based on BigLock, so only one processor at a time can 
execute kernel code, and the IP stack is kernel side only.

As far as I remember.

regards
M.K.

Gustavo Rios wrote:

I have the same understanding you have, Pachl. I believe the OpenBSD IP
stack is not implemented as multithreaded. A core developer could
deny/confirm such belief.

/all the best.

On 6/30/06, Clint Pachl [EMAIL PROTECTED] wrote:

Does PF utilize multiple processors? One of my router/firewalls is a
dual Pentium Pro 200. It also runs ftp-proxy, but that's it. Would a PII
400MHz be equivalent, better, or worse?

Just curious. From what I understand, the network stack is not threaded,
thus multiple processors would not be beneficial.

- pachl




Re: isakmpd: Phase 2 Cisco PIX fun

2006-06-30 Thread Håkan Olsson

On 29 jun 2006, at 22.33, Stephen Bosch wrote:


I'm trying to set up a tunnel to a Cisco PIX.

It seems to make it past Phase 1, the trouble starts at Phase 2.  
I've provided some tcpdump output below:

...
So, at this point it looks like Phase 1 was successful. Phase 2  
begins:


14:21:47.235581 OpenBSD.500 > Cisco_PIX.500:  [udp sum ok] isakmp v1.0 exchange QUICK_MODE
cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 56fe089d len: 284
payload: HASH len: 20
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x3147c4bd
payload: TRANSFORM len: 28
transform: 1 ID: 3DES
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 28800
attribute ENCAPSULATION_MODE = TUNNEL
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
attribute GROUP_DESCRIPTION = 2
payload: NONCE len: 20
payload: KEY_EXCH len: 132
payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.49.10.0/255.255.255.0
payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.50.0.0/255.255.254.0 [ttl 0] (id 1, len 312)


First question -- does this look right?


Yup, this is a normal first packet of a quick mode negotiation.  
isakmpd now expects the 2nd packet, but instead gets a new exchange  
('TRANSACTION' type, or mode-config):




14:21:47.598650 Cisco_PIX.500 > OpenBSD.500:  [udp sum ok] isakmp v1.0 exchange TRANSACTION

cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 49023a8f len: 76
payload: HASH len: 20
payload: ATTRIBUTE len: 20 type: CFG_REQUEST Id: 0
attribute INTERNAL_IP4_SUBNET = none
attribute SUPPORTED_ATTRIBUTES = none
attribute INTERNAL_IP6_SUBNET = none [ttl 0] (id 1, len 104)


What does this mean? This response from the PIX doesn't make any  
sense to me. Is it asking for internal subnet info? Is it trying to  
provide it? Why would it be putting this in as an attribute?


A guess would be the PIX regards the OpenBSD machine as (some kind of  
a Cisco-specific?) client and wants to know what configuration data  
it can accept. Typically that 'what are your SUPPORTED_ATTRIBUTES' part.


14:21:47.599642 OpenBSD.500 > Cisco_PIX.500:  [udp sum ok] isakmp v1.0 exchange TRANSACTION

cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 49023a8f len: 123
payload: HASH len: 20
payload: ATTRIBUTE len: 75 type: CFG_REPLY Id: 0
attribute INTERNAL_IP6_SUBNET = ::/0
attribute SUPPORTED_ATTRIBUTES = 15 attributes
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
attribute INTERNAL_IP4_SUBNET = 0.0.0.0/0.0.0.0 [ttl 0] (id 1, len 151)


OpenBSD responds -- I don't get this either.


No, and it shouldn't send this response. It's a bug. isakmpd does not  
support the client-side of mode-config, only the server side. The  
skeleton for the client-side code is there, but it was never  
implemented fully. (There's a lot of things that need to work  
together here, such as having the privilege separated isakmpd process  
being able to add/change IP and netmask of an interface etc. The need  
for client-side support has not been requested much, so we've not  
done anything more here yet.)


14:21:47.874961 Cisco_PIX.500 > OpenBSD.500:  [udp sum ok] isakmp v1.0 exchange TRANSACTION

cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 49023a8f len: 68
payload: HASH len: 20
payload: ATTRIBUTE len: 12 type: CFG_SET Id: 0
attribute unknown = none [ttl 0] (id 1, len 96)


Strange reply...


Yes. Seems the PIX did not handle isakmpd's (nonsensical) reply very  
well. :)


Plus, isakmpd will not accept a CFG_SET here, as seen by the response:

14:21:47.876987 OpenBSD.500 > Cisco_PIX.500:  [udp sum ok] isakmp v1.0 exchange INFO

cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 80603edb len: 60
payload: HASH len: 20
payload: NOTIFICATION len: 12
notification: PAYLOAD MALFORMED [ttl 0] (id 1, len 88)


And this is where things grind to a halt. OpenBSD gives a PAYLOAD  
MALFORMED notification, the PIX retries the previous packet a few  
more times, then gives up and ignores all further requests.


Any ideas?


See if you can convince the PIX to regard the OpenBSD box as another  
gateway and not a client?  Or perhaps tell it that the other  
machine is not to be considered a Cisco-box? Or disable mode-config  
(if possible)? I don't recall all the ins-and-outs of the PIX  
configuration (it's a 

Re: Where to start studying OpenBSD networking code

2006-06-30 Thread Pierre-Yves Ritschard
The second volume of TCP/IP Illustrated is very interesting, it
describes the BSD implementation of the TCP stack, walking you through
the code. Although dated, the code still bears a lot of similarities
with what you'll find in /usr/src.



Re: Where to start studying OpenBSD networking code

2006-06-30 Thread Shane J Pearson

Hi Joakinen,

On 2006.06.28, at 11:24 PM, joakinen wrote:

Is there any diagram of how every piece of code relates to the  
others?


I don't know how relevant it is to OpenBSD, if at all, but I seem to  
remember getting a BSD TCP/IP network stack diagram poster with the  
boxed set of TCP/IP Illustrated (1-3).



Shane



Patent jeopardizes IETF syslog standard

2006-06-30 Thread Alexey E. Suslikov
Patent jeopardizes IETF syslog standard. Read here
http://trends.newsforge.com/article.pl?sid=06/06/28/2320232



Re: Partitions

2006-06-30 Thread Tobias Weisserth
Hi,

 So am I going overboard? or am I missing any good partitions.

I never understood why putting /tmp on its own partition is good when nobody 
notices /var/tmp. In addition to /tmp I always put /var/tmp on its own 
partition too, so that I can mount it with nodev,noexec,nosuid.

I also try to split things up in a way that I can mount many things with the 
ro option where there should be no changes to the filesystems unless you 
perform an update, patch something etc.

regards,
Tobias W.



Re: Mixing queues in pf

2006-06-30 Thread Joachim Schipper
On Thu, Jun 29, 2006 at 05:26:30PM -0700, Lawrence Horvath wrote:
 Is it possible to mix queue types with pf, for instance all http
 traffic is sent to a hfsc queue while all ssh traffic is sent to a
 priq queue, or could you have a master priq queue and child cbq queues
 under it?
 
 thanks

All queues but priq can have (arbitrary) child queues, as documented in
pf.conf(5).

Joachim



Re: Partitions

2006-06-30 Thread Henning Brauer
* Nick [EMAIL PROTECTED] [2006-06-30 03:33]:
 yes, I'd say you are going a bit overboard. 

very slightly, if at all.

 nor do I see any real-life benefit to a /usr/local partition.

I do, a lot.
prevent 3rd party crap shit from overflowing /usr.
and, that way, you can even mount /usr RO unless you do upgrades.

 A long time ago, I had a nice little webserver set up, then my 
 friend Henning said, Here, try this chroot'ed Apache patch...which 
 absolutely hosed my grand plans, as my /var partition was too small, as 
 all the web documents were served from /home/user directories.

shalalalala... :)

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: gcc support to stack-smashing attacks protection

2006-06-30 Thread João Salvatti

Thanks folks

.

On 6/29/06, Joachim Schipper [EMAIL PROTECTED] wrote:

On Thu, Jun 29, 2006 at 04:48:24PM -0300, João Salvatti wrote:
 Hi all...

 I'd like to know if OpenBSD's gcc build binary files with built-in
 stack-smashing attacks protection.

As Theo pointed out, yes.

Be aware that there are still plenty of problems that can occur with
less-than-perfectly written code; plus, in many cases only the program
logic needs to be exploited (XSS and SQL injection are prime examples of
this, as are most symlink attacks).

Joachim





--
João Salvatti
Undergraduating in Computer Science
Federal University of Para - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]



Re: Partitions

2006-06-30 Thread Craig Skinner
On Fri, Jun 30, 2006 at 12:00:12PM +0200, Tobias Weisserth wrote:
 
 I never understood why putting /tmp on its own partition is good when nobody 
 notices /var/tmp. In addition to /tmp I always put /var/tmp on its own 
 partition too, so that I can mount it with nodev,noexec,nosuid.

I always symlink /var/tmp to my /tmp partition and mount /tmp with:
nodev,noexec,nosuid,noatime,async - as it gets wiped at boot anyway.
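
Added example, not part of any poster's message: a check of the point made in the two replies above, that /var/tmp needs the same nodev,nosuid,noexec treatment as /tmp, whether it gets its own partition or is symlinked to /tmp. The fstab contents, device names and function names are constructed for illustration.

```python
# Check that the filesystems which actually hold /tmp and /var/tmp
# carry nodev, nosuid and noexec.

# Constructed fstab(5) sample; device names and layout are illustrative.
SAMPLE_FSTAB = """\
/dev/wd0a /          ffs rw                      1 1
/dev/wd0b none       swap sw                     0 0
/dev/wd0d /tmp       ffs rw,nodev,nosuid,noexec  1 2
/dev/wd0e /var       ffs rw,nodev,nosuid         1 2
/dev/wd0f /usr       ffs rw,nodev                1 2
/dev/wd0g /usr/local ffs rw,nodev                1 2
/dev/wd0h /home      ffs rw,nodev,nosuid         1 2
"""

REQUIRED = ("nodev", "nosuid", "noexec")   # options named in the thread
TEMP_DIRS = ("/tmp", "/var/tmp")           # world-writable scratch space


def parse_fstab(text):
    """Return {mount_point: set_of_options}, skipping swap and comments."""
    mounts = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[2] == "swap":
            continue
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def covering_mount(path, mounts):
    """Return the longest mount point that contains path, or None."""
    best = None
    for mp in mounts:
        prefix = mp.rstrip("/") + "/"
        if path == mp or path.startswith(prefix):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def audit_temp_dirs(mounts, symlinks=None):
    """List (directory, filesystem, missing_options) for each weak temp dir.

    symlinks maps a directory to its target, e.g. {"/var/tmp": "/tmp"},
    so the options of the target's filesystem are the ones checked.
    """
    symlinks = symlinks or {}
    findings = []
    for directory in TEMP_DIRS:
        real = symlinks.get(directory, directory)
        fs = covering_mount(real, mounts)
        opts = mounts.get(fs, set())
        missing = [o for o in REQUIRED if o not in opts]
        if missing:
            findings.append((directory, fs, missing))
    return findings


if __name__ == "__main__":
    mounts = parse_fstab(SAMPLE_FSTAB)
    # /var/tmp has no partition of its own here, so it inherits /var's options.
    for directory, fs, missing in audit_temp_dirs(mounts):
        print(f"{directory} lives on {fs}: missing {','.join(missing)}")
    # With /var/tmp symlinked to /tmp, the dedicated /tmp options apply.
    print(audit_temp_dirs(mounts, {"/var/tmp": "/tmp"}))
```
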



Re: premature end of script headers

2006-06-30 Thread Craig Skinner
On Fri, Jun 30, 2006 at 11:49:26AM +0700, riwanlky wrote:
 Hi All,
 
 I am trying to run TWiki on my OBSD 3.9 box. Installed using pkg_add 
 TWiiki-20040903p0.tgz
 Include the following in my httpd.conf:

 apachectl restart.

Try this:

# apachectl stop
# httpd -u  <- TWiki won't run in chroot without a few minutes' work.

 
 [Fri Jun 30 11:31:04 2006] [error] [client 192.168.3.55] script not found 
 or unable to stat: /cgi-bin/twiki/testenv
 
 I tried to change the chmod 755 testenv
 and chgrp www:www testenv

On my box using the package:

$ ls -lh /var/www/cgi-bin/twiki/testenv
-r-xr-xr-x  1 root  bin  39.2K Nov  9  2005 testenv


Also check that your /var/www partition is not mounted noexec for this
to work.

-- 
Craig Skinner | http://www.kepax.co.uk | [EMAIL PROTECTED]



Re: Mixing queues in pf

2006-06-30 Thread Giancarlo Razzolini
Joachim Schipper wrote:
 On Thu, Jun 29, 2006 at 05:26:30PM -0700, Lawrence Horvath wrote:
 Is it possible to mix queue types with pf, for instance all http
 traffic is sent to a hfsc queue while all ssh traffic is sent to a
 priq queue, or could you have a master priq queue and child cbq queues
 under it?

 thanks

 All queues but priq can have (arbitrary) child queues, as documented in
 pf.conf(5).

   Joachim


I think that what he meant was if you can have one type of queue mixed
with another, for example, one cbq master queue, and some hfsc child
queues. I've tried it, and pfctl complained that the queues had no
parent. So I believe that it does not work the way you want. You can
have any number of queues using cbq or hfsc, but, AFAIK, can't mix them.

My 2 cents,
--
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informatica
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85




Re: News From HiFn

2006-06-30 Thread Hannah Schroeter
Hi!

On Thu, Jun 29, 2006 at 03:45:55PM -0700, J.C. Roberts wrote:
[...]

I just got a call this afternoon from Tom Moore to let me know they've
set up an anon FTP site (no registration) with their documentation:

ftp://ftp.hifn.com

Kudos to you for your initiative and to HiFn for their decision.

Kind regards,

Hannah.



Re: isakmpd: Phase 2 Cisco PIX fun

2006-06-30 Thread Stephen Bosch

Håkan Olsson wrote:

On 29 jun 2006, at 22.33, Stephen Bosch wrote:


I'm trying to set up a tunnel to a Cisco PIX.

It seems to make it past Phase 1, the trouble starts at Phase 2. I've 
provided some tcpdump output below:

...
So, at this point it looks like Phase 1 was successful. Phase 2 begins:

14:21:47.235581 OpenBSD.500 > Cisco_PIX.500:  [udp sum ok] isakmp v1.0 exchange QUICK_MODE
cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 56fe089d len: 284
payload: HASH len: 20
payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 40 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0x3147c4bd
payload: TRANSFORM len: 28
transform: 1 ID: 3DES
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 28800
attribute ENCAPSULATION_MODE = TUNNEL
attribute AUTHENTICATION_ALGORITHM = HMAC_MD5
attribute GROUP_DESCRIPTION = 2
payload: NONCE len: 20
payload: KEY_EXCH len: 132
payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.49.10.0/255.255.255.0
payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.50.0.0/255.255.254.0 [ttl 0] (id 1, len 312)


First question -- does this look right?


Yup, this is a normal first packet of a quick mode negotiation. isakmpd 
now expects the 2nd packet, but instead gets a new exchange 
('TRANSACTION' type, or mode-config):




14:21:47.598650 Cisco_PIX.500 > OpenBSD.500:  [udp sum ok] isakmp v1.0 exchange TRANSACTION

cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 49023a8f len: 76
payload: HASH len: 20
payload: ATTRIBUTE len: 20 type: CFG_REQUEST Id: 0
attribute INTERNAL_IP4_SUBNET = none
attribute SUPPORTED_ATTRIBUTES = none
attribute INTERNAL_IP6_SUBNET = none [ttl 0] (id 1, len 104)


What does this mean? This response from the PIX doesn't make any sense 
to me. Is it asking for internal subnet info? Is it trying to provide 
it? Why would it be putting this in as an attribute?


A guess would be the PIX regards the OpenBSD machine as (some kind of a 
Cisco-specific?) client and wants to know what configuration data it can 
accept. Typically that 'what are your SUPPORTED_ATTRIBUTES' part.


14:21:47.599642 OpenBSD.500 > Cisco_PIX.500:  [udp sum ok] isakmp v1.0 exchange TRANSACTION

cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 49023a8f len: 123
payload: HASH len: 20
payload: ATTRIBUTE len: 75 type: CFG_REPLY Id: 0
attribute INTERNAL_IP6_SUBNET = ::/0
attribute SUPPORTED_ATTRIBUTES = 15 attributes
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
RESERVED
attribute INTERNAL_IP4_SUBNET = 0.0.0.0/0.0.0.0 [ttl 0] (id 1, len 151)


OpenBSD responds -- I don't get this either.


No, and it shouldn't send this response. It's a bug. isakmpd does not 
support the client-side of mode-config, only the server side. The 
skeleton for the client-side code is there, but it was never implemented 
fully. (There's a lot of things that need to work together here, such as 
having the privilege separated isakmpd process being able to add/change 
IP and netmask of an interface etc. The need for client-side support has 
not been requested much, so we've not done anything more here yet.)


Sure enough, Haakan; this turned out to be the problem.

We reconfigured the PIX not to use mode configuration for this 
connection and the SA came up.


This means that Hans-Jörg can spare himself the work of trying to sort 
it out :)


Now, the next problem -- traffic isn't passing... but that's for another 
post :)


-Stephen-
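
The failure pattern diagnosed in this thread (the peer opens a mode-config TRANSACTION exchange while isakmpd is still waiting for the second quick mode packet, and isakmpd ends up answering with a notification) can be spotted mechanically in a capture. The following is an added example, not code from the thread or from isakmpd; the sample trace is abridged from the tcpdump output quoted above, and the function names and finding labels are assumptions of this example.

```python
import re

# Abridged from the tcpdump output quoted in this thread (payload detail
# trimmed); "OpenBSD" and "Cisco_PIX" are the poster's own host labels.
SAMPLE_TRACE = """\
14:21:47.235581 OpenBSD.500 > Cisco_PIX.500:  [udp sum ok] isakmp v1.0 exchange QUICK_MODE
    cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 56fe089d len: 284
14:21:47.598650 Cisco_PIX.500 > OpenBSD.500:  [udp sum ok] isakmp v1.0 exchange TRANSACTION
    cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 49023a8f len: 76
    payload: ATTRIBUTE len: 20 type: CFG_REQUEST Id: 0
14:21:47.599642 OpenBSD.500 > Cisco_PIX.500:  [udp sum ok] isakmp v1.0 exchange TRANSACTION
    cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 49023a8f len: 123
    payload: ATTRIBUTE len: 75 type: CFG_REPLY Id: 0
14:21:47.874961 Cisco_PIX.500 > OpenBSD.500:  [udp sum ok] isakmp v1.0 exchange TRANSACTION
    cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 49023a8f len: 68
    payload: ATTRIBUTE len: 12 type: CFG_SET Id: 0
14:21:47.876987 OpenBSD.500 > Cisco_PIX.500:  [udp sum ok] isakmp v1.0 exchange INFO
    cookie: bf4ecb71857072fa-d24bb58614615ab5 msgid: 80603edb len: 60
    notification: PAYLOAD MALFORMED [ttl 0] (id 1, len 88)
"""

HEADER = re.compile(r"^(\S+) (\S+) > (\S+): .*isakmp v1\.0 exchange (\w+)")
MSGID = re.compile(r"msgid: ([0-9a-f]+)")
CFG_TYPE = re.compile(r"type: (CFG_\w+)")
NOTIFY = re.compile(r"notification: ([A-Z_ ]+?)(?: \[|$)")


def parse_trace(text):
    """Group tcpdump lines into one dict per ISAKMP packet."""
    packets = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            packets.append({"time": m.group(1), "src": m.group(2),
                            "dst": m.group(3), "exchange": m.group(4),
                            "msgid": None, "cfg": None, "notify": None})
            continue
        if not packets:
            continue  # detail line with no packet header before it
        pkt = packets[-1]
        for key, rx in (("msgid", MSGID), ("cfg", CFG_TYPE), ("notify", NOTIFY)):
            found = rx.search(line)
            if found and pkt[key] is None:
                pkt[key] = found.group(1)
    return packets


def diagnose(packets, local):
    """Return (time, kind, detail) findings for mode-config interference.

    local is the capture-side endpoint as tcpdump prints it (host.port).
    """
    pending = set()   # quick mode msgids sent by `local`, not yet answered
    findings = []
    for p in packets:
        from_local = p["src"] == local
        if p["exchange"] == "QUICK_MODE":
            if from_local:
                pending.add(p["msgid"])
            else:
                pending.discard(p["msgid"])   # peer continued the exchange
        elif (p["exchange"] == "TRANSACTION" and not from_local
              and p["cfg"] in ("CFG_REQUEST", "CFG_SET") and pending):
            waiting = ", ".join(str(m) for m in pending)
            findings.append((p["time"], "peer-mode-config",
                             f"{p['src']} sent {p['cfg']} while quick mode "
                             f"{waiting} was unanswered"))
        elif p["exchange"] == "INFO" and from_local and p["notify"]:
            findings.append((p["time"], "local-notification", p["notify"]))
    return findings


if __name__ == "__main__":
    for when, kind, detail in diagnose(parse_trace(SAMPLE_TRACE), "OpenBSD.500"):
        print(when, kind, detail)
```
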



Re: News From HiFn

2006-06-30 Thread Breen Ouellette

J.C. Roberts wrote:

This should take care of any of the long standing issues OpenBSD has had
with the HiFn's procedures for releasing documentation.


This is good news. Thanks for your contribution!

To all the nay-sayers out there: this proves that sometimes companies do 
'get' their customers' wishes. Consumer action does work - as long as 
the consumer actually gets involved. While you might not always be able 
to get the attention of companies through consumer action, apathetically 
accepting the status quo guarantees that you never will.


Thanks to everyone who got involved - you proved that somewhat open is 
no more acceptable than not at all open by bringing Hifn on board.


Breeno

PS - Someone who participates in editing vendorwatch.org might want to 
update the Hifn status page.




routing through IPsec tunnel with NAT: add routes?

2006-06-30 Thread Stephen Bosch

Hi, everybody:

Okay -- the good news is that we've got the SA up between these two 
sites, the bad news is that traffic isn't passing.


The situation is complicated by some NAT that I need through the 
encryption interface.


We have the following:

HostA_private_IP

HostA_private_NAT_IP

RemoteB_private_subnets

In the NAT section of my pf.conf, I have the following command:

binat on $enc_if from $HostA_private_IP to RemoteB_private_subnets -> $HostA_private_NAT_IP


In the FILTER section, I have:

pass in on $enc_if from RemoteB_private_subnets to \
HostA_private_NAT_IP
pass out on $enc_if from $HostA_private_NAT_IP to \
RemoteB_private_subnets

Do I need to add routes to make this work? I thought that setting up SAs 
in isakmpd did this automatically, but when I traceroute from 
HostA_private_IP, it looks like the traffic is going out the public 
interface.


Or is the problem with my NAT statement?

-Stephen-



Re: routing through IPsec tunnel with NAT: add routes?

2006-06-30 Thread Stephen Bosch

Stephen Bosch wrote:

Hi, everybody:

Okay -- the good news is that we've got the SA up between these two 
sites, the bad news is that traffic isn't passing.


The situation is complicated by some NAT that I need through the 
encryption interface.


We have the following:

HostA_private_IP

HostA_private_NAT_IP

RemoteB_private_subnets

In the NAT section of my pf.conf, I have the following command:

binat on $enc_if from $HostA_private_IP to RemoteB_private_subnets -> $HostA_private_NAT_IP


In the FILTER section, I have:

pass in on $enc_if from RemoteB_private_subnets to \
HostA_private_NAT_IP
pass out on $enc_if from $HostA_private_NAT_IP to \
RemoteB_private_subnets

Do I need to add routes to make this work? I thought that setting up SAs 
in isakmpd did this automatically, but when I traceroute from 
HostA_private_IP, it looks like the traffic is going out the public 
interface.


Maybe I do need that alias that Roy was suggesting. Apart from that 
binat line in pf.conf, that network is not configured on any interface 
on the device. I wouldn't even be able to build a route, because I have 
no interface to send it to.


Where should I configure the alias?

-s



Re: routing through IPsec tunnel with NAT: add routes?

2006-06-30 Thread Clint Pachl

Stephen Bosch wrote:

Hi, everybody:

Okay -- the good news is that we've got the SA up between these two 
sites, the bad news is that traffic isn't passing.


The situation is complicated by some NAT that I need through the 
encryption interface.


We have the following:

HostA_private_IP

HostA_private_NAT_IP

RemoteB_private_subnets

In the NAT section of my pf.conf, I have the following command:

binat on $enc_if from $HostA_private_IP to RemoteB_private_subnets -> $HostA_private_NAT_IP


Try binat pass ...


In the FILTER section, I have:

pass in on $enc_if from RemoteB_private_subnets to \
HostA_private_NAT_IP
pass out on $enc_if from $HostA_private_NAT_IP to \
RemoteB_private_subnets


Remove the pass out ... rule.

Do I need to add routes to make this work? I thought that setting up SAs 
in isakmpd did this automatically, but when I traceroute from 
HostA_private_IP, it looks like the traffic is going out the public 
interface.


Or is the problem with my NAT statement?

-Stephen-


Just a trial and error suggestion.

-pachl



Re: routing through IPsec tunnel with NAT: add routes?

2006-06-30 Thread Stephen Bosch

Clint Pachl wrote:

Stephen Bosch wrote:

In the NAT section of my pf.conf, I have the following command:

binat on $enc_if from $HostA_private_IP to RemoteB_private_subnets -> $HostA_private_NAT_IP


Try binat pass ...


Done.




In the FILTER section, I have:

pass in on $enc_if from RemoteB_private_subnets to \
HostA_private_NAT_IP

pass out on $enc_if from $HostA_private_NAT_IP to \
RemoteB_private_subnets


Remove the pass out ... rule.


Done.



Do I need to add routes to make this work? I thought that setting up 
SAs in isakmpd did this automatically, but when I traceroute from 
HostA_private_IP, it looks like the traffic is going out the public 
interface.


Or is the problem with my NAT statement?

-Stephen-


Just a trial and error suggestion.


Thanks. No joy yet. Traceroute traffic is still going out the public 
interface when I try to ping a host on RemoteB_private_subnets...


-S



Re: routing through IPsec tunnel with NAT: add routes?

2006-06-30 Thread Stuart Henderson
On 2006/06/30 10:51, Stephen Bosch wrote:
 Thanks. No joy yet. Traceroute traffic is still going out the public 
 interface when I try to ping a host on RemoteB_private_subnets...

If this traceroute is from the vpn gateway itself (rather than
an endpoint) you'll need to either set the source address to an
address in the vpn subnet (traceroute -s, ping -I), or add a
static route pointing over the vpn.



Re: News From HiFn

2006-06-30 Thread jared r r spiegel
On Thu, Jun 29, 2006 at 03:45:55PM -0700, J.C. Roberts wrote:
 
 I just got a call this afternoon from Tom Moore to let me know they've
 set up an anon FTP site (no registration) with their documentation:

  hi5.  nicely done.

 Please check out the readme on the FTP. Basically it says if you wish to
 automatically get the HiFn updates/errata/notifications, you should
 probably sign up for the HiFn extranet thing. You don't have to but
 you can if you want.

  i am hoping this works out to be really exactly what was desired.
  in reading the software-api-tkip-applicationnote.pdf, it has a clause
  that says:

===
Hifn Confidential

  If you have signed a Hifn Confidential Disclosure Agreement that includes
  this document as part of its subject matter, please use this document
  in accordance with the terms of the agreement.  If not, please destroy
  this document.
===

  would it seem that this may just be the pdf contents being still out
  of synch with the spirit of open/anonymous documentation availability,
  or... 

  maybe i should destroy it for now... ?

-- 

  jared

[ openbsd 3.9-current GENERIC ( may  1 ) // i386 ]



Re: routing through IPsec tunnel with NAT: add routes?

2006-06-30 Thread Stephen Bosch

Stuart Henderson wrote:

On 2006/06/30 10:51, Stephen Bosch wrote:
Thanks. No joy yet. Traceroute traffic is still going out the public 
interface when I try to ping a host on RemoteB_private_subnets...


If this traceroute is from the vpn gateway itself (rather than
an endpoint) you'll need to either set the source address to an
address in the vpn subnet (traceroute -s, ping -I), or add a
static route pointing over the vpn.


Thanks.

I should note also that this is a redundant configuration using carp.

You can see this is getting pretty ugly.

Assuming

int_IPA: the real private IP of a host on my network

nat_IPA: the IP I am translating int_IPA to before sending it to the 
remote endpoint


remote_IPB: table of real private IP subnets on the remote network

enc_if: the encryption interface


1. I have added nat_IPA as an alias to the internal carp interface on my 
gateway.


2. I have the following pertinent lines in my /etc/pf.conf:

binat on $enc_if from $int_IPA to <remote_IPB> -> $nat_IPA

and later

pass in on $enc_if from <remote_IPB> to $nat_IPA
pass out on $enc_if from $nat_IPA to <remote_IPB>



When I am on the gateway and I do:

ping -i $nat_IPA to $remote_host_IPB

I get replies. This is good.

When I ping from the endpoint to $remote_host_IPB, I get nothing.

So either there is something wrong with my filtering and natting, or I 
am not routing properly.



Suggestions?

-S



A little script to remove packages don't needed

2006-06-30 Thread Andrés

I don't know how to explain it well (:P), the script finds which
packages are not needed by others, so you can delete those you don't
use.

It's my first shell script, so feedback is appreciated, :) This is in
public domain, blah blah blah blah.



#!/bin/ksh

# Walk the installed packages and offer to delete each one that no other
# installed package depends on.
function check_for_packages {
    for package in $(pkg_info | cut -f 1 -d ' '); do
        echo "Checking if any package depends on $package"
        # pkg_info -R prints a "Required by:" section when something needs it
        if ! pkg_info -R "$package" | fgrep -q 'Required by:'; then
            tput up dl 0
            echo "No package depends on $package, would you like to delete it? YES/n"
            while :; do
                read answer
                tput up dl 0
                case $answer in
                YES )
                    sudo pkg_delete "$package"
                    break
                    ;;
                n )
                    break
                    ;;
                * )
                    echo 'YES/n'
                    ;;
                esac
            done
        else
            tput up dl 0
        fi
    done
}

check_for_packages



Re: News From HiFn

2006-06-30 Thread Nick Guenther

On 6/30/06, Breen Ouellette [EMAIL PROTECTED] wrote:

J.C. Roberts wrote:
 This should take care of any of the long standing issues OpenBSD has had
 with the HiFn's procedures for releasing documentation.

This is good news. Thanks for your contribution!

To all the nay-sayers out there: this proves that sometimes companies do
'get' their customers' wishes. Consumer action does work - as long as
the consumer actually gets involved. While you might not always be able
to get the attention of companies through consumer action, apathetically
accepting the status quo guarantees that you never will.

Thanks to everyone who got involved - you proved that somewhat open is
no more acceptable than not at all open by bringing Hifn on board.

Breeno

PS - Someone who participates in editing vendorwatch.org might want to
update the Hifn status page.


Done, but I've left their ranking as unfriendly on the front page
because they've given no apology and they still seem to be shady.

If someone could add the links to the slashdot/newsforge/whereverelse
stories that would be helpful though.

-Nick



Ye Olde Binary Patching Question

2006-06-30 Thread Dylan Martin
I've got a handful of OpenBSD boxes, and instead of keeping src on all
of them, I'd like one box to follow stable and build patched programs which I
could then distribute to my other boxes.  

I poked around the archives of this list, and it looks like this is a
recurring question.  

Has there been anything like a consensus on what's the best way to do
this?

I've tried make release, and it's OK, but it's a sledgehammer for
killing a gnat.  If sendmail has a bug, I'd like to be able to
distribute just the patched sendmail.  I'm also nervous about a
system with that many dependencies as my response to a known security
hole.  If there's a hole in a program, I want something simple to help me
distribute the fix.

I also tried playing with setting DESTDIR, but that didn't work very
well.  After a lot of messing around, I got a useable tar file, but it
sure wasn't elegant.
(http://seattlecentral.edu/~dmartin/docs/binpatch.html for my notes on
that experience).

My next idea is to try building the patched program, touching some
file, and then run find / -newer somefile | xargs tar -xvzf
woot.tar.

If there is a better or best way to do this, let me know!

Thanks!
-Dylan  



Re: Ye Olde Binary Patching Question

2006-06-30 Thread Spruell, Darren-Perot
From: [EMAIL PROTECTED] 
 I also tried playing with setting DESTDIR, but that didn't work very
 well.  After a lot of messing around, I got a useable tar file, but it
 sure wasn't elegant.
 (http://seattlecentral.edu/~dmartin/docs/binpatch.html for my notes on
 that experience).
 
 My next idea is to try building the patched program, touching some
 file, and then run find / -newer somefile | xargs tar -xvzf
 woot.tar.
 
 If there is a better or best way to do this, let me know!

You could NFS export out the build directory from your build server and
mount it on the clients that want to update. Then a 'make build' on them
would grab the newest stuff, and you could be selective about portions of
the tree and so forth.

DS



Re: Ye Olde Binary Patching Question

2006-06-30 Thread Antoine Jacoutot

On Fri, 30 Jun 2006, Dylan Martin wrote:

If there is a better or best way to do this, let me know!


You could try something like :

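#!/bin/sh

# Fake root that receives the freshly built files
DESTDIR=/tmp/sendmail

# Create the standard directory hierarchy inside the fake root
mtree -qdef /etc/mtree/4.4BSD.dist -p ${DESTDIR}/ -u
# Reference point: files installed after this belong to the patch
touch ${DESTDIR}/timestamp
cd /path_to_sendmail_src
env DESTDIR=${DESTDIR} make -f Makefile.bsd-wrapper install
cd ${DESTDIR}
# List the files newer than the timestamp and pack them up
find . \! -name plist -newer timestamp -type f > plist
cat plist | xargs tar czpf ${DESTDIR}/patch.tgz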

--
Antoine



Re: A little script to remove packages don't needed

2006-06-30 Thread Andrés

It's going to get deleted if you choose that. It's not a fully automated script.

Thanks for the feedback :)

On 6/30/06, Wade, Daniel [EMAIL PROTECTED] wrote:

That's all good and well, but what happens when my package that I use has zero 
depends?
It's going to get deleted.




Re: Ye Olde Binary Patching Question

2006-06-30 Thread Ingo Schwarze
Dylan Martin wrote on Fri, Jun 30, 2006 at 11:38:45AM -0700:

 I've got a handful of OpenBSD boxes, and instead of keeping src on
 all of them, I'd like one box to follow stable and build patched
 programs which I could then distribute to my other boxes.  

Two ways are officially supported:
 - building on each machine
 - making release

A consensus on unsupported alternatives would be an oxymoron.
OpenBSD binpatch by Gerardo Santana Gomez Garrido

  http://openbsdbinpatch.sourceforge.net/

may or may not help you.  Make sure you understand the Makefile(s)
before using it.  I do use it at times, and it works for me.
Be aware that you probably won't get support from the list.

 My next idea is to try building the patched program, touching some
 file, and then run find / -newer somefile | xargs tar -xvzf
 woot.tar.

That's the basic idea implemented in the above program, except
that it's done inside a dedicated fake root, not in /.  You neither
want /var/log/messages nor woot.tar itself inside woot.tar.
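
Added example, not part of the original message and not code from the binpatch project: the find -newer packaging run once in a dedicated fake root and once in a tree that something else writes to during the build, followed by a check of the resulting member list. The function names build_patch and check_patch, the file contents and the dates are constructed for illustration.

```shell
#!/bin/sh
# Added example. All paths, file names and contents are constructed.

# build_patch ROOT MODE
#   Stages a simulated install under ROOT and writes ROOT/patch.tgz from the
#   files newer than ROOT/timestamp.
#   MODE=fake: nothing but the install writes into ROOT (dedicated fake root).
#   MODE=live: a log is also written during the build, as it would be in /.
build_patch() {
    root=$1
    mode=$2
    mkdir -p "$root/usr/sbin" "$root/etc" "$root/var/log"

    # Files that exist before the build, dated well before the timestamp.
    echo "old config" > "$root/etc/sendmail.cf"
    echo "old log" > "$root/var/log/messages"
    touch -t 200601010000 "$root/etc/sendmail.cf" "$root/var/log/messages"

    # Reference file. An explicit past date keeps the comparison independent
    # of filesystem timestamp granularity.
    touch -t 200606300000 "$root/timestamp"

    # Simulated "make install" of the patched program.
    echo "patched binary" > "$root/usr/sbin/sendmail"

    # On a live system other writers are active while the build runs.
    if [ "$mode" = live ]; then
        echo "new log line" >> "$root/var/log/messages"
    fi

    (
        cd "$root" || exit 1
        find . \! -name plist -newer timestamp -type f > plist
        xargs tar czpf patch.tgz < plist
    )
}

# check_patch TARBALL
#   Prints members that do not belong in a binary patch (absolute paths,
#   ".." components, anything under var/log, or a tarball) and returns 1 if
#   any is found, 0 otherwise.
check_patch() {
    bad=$(tar tzf "$1" | grep -E '^/|(^|/)\.\.(/|$)|(^|/)var/log/|\.tgz$' || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

work=$(mktemp -d)
build_patch "$work/fake" fake
build_patch "$work/live" live
check_patch "$work/fake/patch.tgz" && echo "fake root: only the install"
check_patch "$work/live/patch.tgz" || echo "live root: unwanted members listed above"
rm -rf "$work"
```

Running check_patch on the receiving machines before extracting over / catches a tarball that picked up more than the patched program.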



Fw: NFSd problem - solved!

2006-06-30 Thread Rico Secada
Don't respond to this mail. Problem got solved, a powercut and a toasted 
exports file.

On Thu, 29 Jun 2006 22:44:51 +0200
Rico Secada [EMAIL PROTECTED] wrote:

 Hi
 
 I am having problems with one of our NFS servers at our datacenter. 
 
 I have just set it up.
 
 I have edited /etc/rc.conf and changed the portmap and nfs_server to YES.
 
 I have created the /var/db/mountdtab file.
 
 I have made an entry to /etc/exports
 
 When I reboot the machine and take a look with rpcinfo, I only get portmapper 
 running.
 
 # rpcinfo -p
program vers proto   port
 102   tcp111  portmapper
 102   udp111  portmapper
 
 If I try manually to start nfsd, it won't start.
 
 Looking at the log of daemon I get:
 
 # cat /var/log/daemon
 Jun 30 00:27:11 nfsserver savecore: no core dump
 
 What could be wrong here?
 
 Best and kind regards,
 Rico



usb ralink RT2571 problem

2006-06-30 Thread Thomas Börnert
i tried 2 usb ralink RT2571F usb with openbsd 3.9 and -current.

ural0 at uhub0 port 1
ural0: ASUS 802.11g WLAN Drive, rev 2.00/0.01, addr 2
ural0: MAC/BBP RT2570 (rev 0x05), RF RT2526, address 00:17:31:2e:ae:34

problem:

this ifconfig works

ifconfig ural0 192.168.2.2 netmask 255.255.255.0 nwid raltest mediaopt
ibss

but

the throughput is very slow (90KB/s).

if i use the options media ODFM54 or mode 11g the card becomes
active, but i see only arp requests ...

i saw that the firmware for this chip is not used. why ?

when i use hostap mode with media or mode then i got on
the client the mac from the hostap pc but only the same thing
with no connection :-(

i tried also the RT2561 miniPCI, that works great.

has anyone an idea ?

thanks

Thomas



Re: Ye Olde Binary Patching Question

2006-06-30 Thread Han Boetes
Spruell, Darren-Perot wrote:
 You could NFS export out the build directory from your build
 server and mount it on the clients that want to update. Then a
 'make build' on them would grab the newest stuff, and you could
 be selective about portions of the tree and so forth.

Good solution, but make sure the clocks run in sync.



# Han



Re: News From HiFn

2006-06-30 Thread Chris Cappuccio
Nick Guenther [EMAIL PROTECTED] wrote:
 
 Done, but I've left their ranking as unfriendly on the front page
 because they've given no apology and they still seem to be shady.
 

No worries, I just got word that they'll send a prostitute over to your house
to fix that right up.



Re: Encryption and Compression with ipsecctl?

2006-06-30 Thread Todd T. Fries
On Tuesday 20 June 2006 21:00, Clint Pachl wrote:
 Is IP compression/ipcomp flows implemented in ipsecctl(8)? I am trying
 to perform encryption (enc) and compression (ipcomp) between two
 OBSD3.9 hosts.

IPcomp is known broken for at least two years, perhaps longer.  Do not use it.

 ipcomp(4) states, Currently, IPCA can be created using the ipsecadm(8)
 tool, with no mention of ipsecctl.

 Here is my simple setup:

 sysctl net.inet.ipcomp.enable=1

 # ipsec.conf
 flow esp from 192.168.2.2 to 192.168.2.1
 ipcomp from 192.168.2.2 to 192.168.2.1 spi 0x1000:0x1001 comp deflate
 esp from 192.168.2.2 to 192.168.2.1 spi 0x1000:0x1001 \
  authkey
 0x:0x \
  enckey
 0x:0x

 The IP addresses and spi values are swapped on the other host's
 ipsec.conf. I also tried using different spi values for ipcomp and esp.

 I performed many ftp and scp transfers, checking for ipcomp packets
 using tcpdump and netstat, but no ipcomp traffic. Encryption between
 the hosts is working properly.

 -pachl

-- 
Todd Fries .. [EMAIL PROTECTED]

 _
| \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com \  1.866.792.3418 (FAX)
| ..in support of free software solutions.  \  250797 (FWD)
| \
 \\
 
  37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt



Re: News From HiFn

2006-06-30 Thread J.C. Roberts
On Fri, 30 Jun 2006 14:27:53 -0400, Nick Guenther [EMAIL PROTECTED]
wrote:

On 6/30/06, Breen Ouellette [EMAIL PROTECTED] wrote:
 J.C. Roberts wrote:
  This should take care of any of the long standing issues OpenBSD has had
  with the HiFn's procedures for releasing documentation.

 This is good news. Thanks for your contribution!

 To all the nay-sayers out there: this proves that sometimes companies do
 'get' their customers' wishes. Consumer action does work - as long as
 the consumer actually gets involved. While you might not always be able
 to get the attention of companies through consumer action, apathetically
 accepting the status quo guarantees that you never will.

 Thanks to everyone who got involved - you proved that somewhat open is
 no more acceptable than not at all open by bringing Hifn on board.

 Breeno

 PS - Someone who participates in editing vendorwatch.org might want to
 update the Hifn status page.

Done, but I've left their ranking as unfriendly on the front page
because they've given no apology and they still seem to be shady.

If someone could add the links to the slashdot/newsforge/whereverelse
stories that would be helpful though.

-Nick

Hi Nick,

Sure, with the help of many people, we were able to get a policy change
made to open documentation at HiFn. It was not a solo effort, so I
should not get all the credit. I just happened to be the person the
vendor contacted regarding their changes.

I'd like to request that you change the HiFn status to at least
Somewhat Friendly on the www.vendorwatch.org site. Yes, I have created
an account on the site and may be able to make the change myself, but
due to my involvement, I can't be considered unbiased and should not
be editing the status.

I've also submitted stories about the change of policy at HiFn to both
slashdot and undeadly, but obviously, I have no control over whether or
not they ever get published.

I'm sure many may wonder why I would try to help out HiFn but
personally, I think it's just a matter of being fair. Just as a bad
policy should be condemned, I think a change to a good policy should be
celebrated.

You may want to note that opinions differ around here and not everyone
involved with the project agrees with the way I see it but personally,
I'd rather let water under the bridge be past and move on to trying to
solve the next problem.

Kind Regards,
JCR


--
Free, Open Source CAD, CAM and EDA Tools
http://www.DesignTools.org



Re: News From HiFn

2006-06-30 Thread Benjamin Collins
On Fri, Jun 30, 2006 at 02:27:53PM -0400, Nick Guenther wrote:
 On 6/30/06, Breen Ouellette [EMAIL PROTECTED] wrote:
 PS - Someone who participates in editing vendorwatch.org might want to
 update the Hifn status page.

 Done, but I've left their ranking as unfriendly on the front page
 because they've given no apology and they still seem to be shady.

 If someone could add the links to the slashdot/newsforge/whereverelse
 stories that would be helpful though.

It seems to me that if people are going to make a huge fuss about a
company's documentation not being open enough or not available or what
have you, and then following the fuss, they make their documentation
available, they should at a minimum be considered somewhat friendly.
Wasn't the whole point of all the back-and-forth about the
documentation?  Now that we can get the docs, who cares if they don't
apologize?  Do businesses now have to be careful not to hurt our
feelings in order to be considered friendly?  Do we want apologies
and proof of non-shadiness, or do we want documentation to be made
available?

This is also not to mention that being pig-headed about the matter is
a great way to prevent other companies from complying with requests
for documentation - if a business thinks we're going to demand it kiss
our collective ass before we give it credit for cooperating, they're
simply not going to cooperate.

P.S. - I just read J.C.'s reply along these lines, and this is
intended to be in the same vein.

bc
--
Benjamin Collins [EMAIL PROTECTED]




Re: News From HiFn

2006-06-30 Thread Daniel Ouellet

J.C. Roberts wrote:

On Fri, 30 Jun 2006 14:27:53 -0400, Nick Guenther [EMAIL PROTECTED]
wrote:


On 6/30/06, Breen Ouellette [EMAIL PROTECTED] wrote:

J.C. Roberts wrote:

This should take care of any of the long standing issues OpenBSD has had
with the HiFn's procedures for releasing documentation.

This is good news. Thanks for your contribution!

To all the nay-sayers out there: this proves that sometimes companies do
'get' their customers' wishes. Consumer action does work - as long as
the consumer actually gets involved. While you might not always be able
to get the attention of companies through consumer action, apathetically
accepting the status quo guarantees that you never will.

Thanks to everyone who got involved - you proved that somewhat open is
no more acceptable than not at all open by bringing Hifn on board.

Breeno

PS - Someone who participates in editing vendorwatch.org might want to
update the Hifn status page.

Done, but I've left their ranking as unfriendly on the front page
because they've given no apology and they still seem to be shady.

If someone could add the links to the slashdot/newsforge/whereverelse
stories that would be helpful though.

-Nick


Hi Nick,

Sure, with the help of many people, we were able to get a policy change
made to open documentation at HiFn. It was not a solo effort, so I
should not get all the credit. I just happened to be the person the
vendor contacted regarding their changes.


But you sure deserve good credit regardless how it was done. You finally 
made it possible. Many have expressed their point of view, I sure did too. 
To see the end results is a nice turn of events and does show that in the 
end, maybe it took a long time, but HiFn finally got the point and does 
see the benefit for them as well as us.



I'd like to request that you change the HiFn status to at least
Somewhat Friendly on the www.vendorwatch.org site. Yes, I have created
an account on the site and may be able to make the change myself, but
due to my involvement, I can't be considered unbiased and should not
be editing the status.

I've also submitted stories about the change of policy at HiFn to both
slashdot and undeadly, but obviously, I have no control over whether or
not they ever get published.

I'm sure many may wonder why I would try to help out HiFn but
personally, I think it's just a matter of being fair. Just as a bad
policy should be condemned, I think a change to a good policy should be
celebrated.


Agreed as well. It's just fair to see them presented as it is. Somewhat 
Friendly is really where they are now, so would be fair to do that.



You may want to note that opinions differ around here and not everyone
involved with the project agrees with the way I see it but personally,
I'd rather let water under the bridge be past and move on to trying to
solve the next problem.


I am sure there are many, but we all share the same goal I think. Getting 
good documentation is the end goal, however we get there.



Kind Regards,
JCR


Thanks for your positive involvements!

Daniel.



interupt mapping

2006-06-30 Thread D. E. Evans
On a Toshiba Satellite a35-s1593, without a PC-card currently plugged
in, I get a mapping error for the CardBus (cbb).  I intend to purchase
a wireless PC-Card (I haven't decided on model yet), and wish to
ensure it will work with the cardbus before doing so.


OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem  = 770154496 (752104K)
avail mem = 695263232 (678968K)
using 4278 buffers containing 38608896 bytes (37704K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(ca) BIOS, date 10/31/03, BIOS32 rev. 0 @ 0xfd750
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd750/0x8b0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc/0xce00 0xcd000/0x1000 0xdf000/0x1000! 0xe/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82852GM Hub-PCI rev 0x02
Intel 82852GM Memory rev 0x02 at pci0 dev 0 function 1 not configured
Intel 82852GM Configuration rev 0x02 at pci0 dev 0 function 3 not configured
vga1 at pci0 dev 2 function 0 Intel 82852GM AGP rev 0x02: aperture at 
0xe800, size 0x800
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Intel 82852GM AGP rev 0x02 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801DB USB rev 0x03: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801DB USB rev 0x03: irq 9
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801DB USB rev 0x03: irq 9
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801DB USB rev 0x03: irq 9
usb3 at ehci0: USB revision 2.0
uhub3 at usb3
uhub3: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
ppb0 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x83
pci1 at ppb0 bus 1
rl0 at pci1 dev 1 function 0 Realtek 8139 rev 0x10: irq 9, address 
00:02:3f:ce:8c:30
rlphy0 at rl0 phy 0: RTL internal PHY
cbb0 at pci1 dev 4 function 0 ENE CB-1410 CardBus rev 0x01pci_intr_map: no 
mapping for pin A
: couldn't map interrupt
ichpcib0 at pci0 dev 31 function 0 Intel 82801DBM LPC rev 0x03: SpeedStep
pciide0 at pci0 dev 31 function 1 Intel 82801DBM IDE rev 0x03: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: IC25N040ATMR04-0
wd0: 16-sector PIO, LBA48, 38154MB, 78140160 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TOSHIBA, DVD-ROM SD-R2412, 1015 SCSI0 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 Intel 82801DB SMBus rev 0x03: irq 10
iic0 at ichiic0
unknown at iic0 addr 0x18 not configured
auich0 at pci0 dev 31 function 5 Intel 82801DB AC97 rev 0x03: irq 10, ICH4 
AC97
ac97: codec id 0x414c4740 (Avance Logic ALC202)
ac97: codec features headphone, 20 bit DAC, 18 bit ADC, Realtek 3D
audio0 at auich0
Intel 82801DB Modem rev 0x03 at pci0 dev 31 function 6 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pcic0 at isa0 port 0x3e0/2 iomem 0xd/16384
pcic0 controller 0: Intel 82365SL rev 2 has socket A only
pcmcia0 at pcic0 controller 0 socket 0
pcic0: irq 3, polling enabled
biomask ef75 netmask ef75 ttymask 
pctr: user-level cycle counter enabled
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
-- 
D. E. Evans [EMAIL PROTECTED]



Re: interupt mapping

2006-06-30 Thread Melameth, Daniel D.
D. E. Evans wrote:
 On a Toshiba Satellite a35-s1593, without a PC-card currently plugged
 in, I get a mapping error for the CardBus (cbb).  I intend to purchase
 a wireless PC-Card (I haven't decided on model yet), and wish to
 ensure it will work with the cardbus before doing so.

Try changing the BIOS for the CardBus slot to Controlled by OS or
other option.



Re: News From HiFn

2006-06-30 Thread Kenny Mann

Daniel Ouellet wrote:

[snipp'ed]
Agreed as well. It's just fair to see them presented as it is. 
Somewhat Friendly is really where they are now, so would be fair to 
do that.


Changed.
Reference the hifn article as to why (which was updated by the time I 
got there) their status was upgraded.



Kenny



Re: News From HiFn

2006-06-30 Thread Theo de Raadt
 It seems to me that if people are going to make a huge fuss about a
 company's documentation not being open enough or not available or what
 have you, and then following the fuss, they make their documentation
 available, they should at a minimum be considered somewhat friendly.

I think you are right.  If someone commits a crime, and then promises
to never do it again, we should forgive them.

I will ask this honestly:

Why should we bleed our little hearts over a company who acted like
assholes towards us for years, and only changed their policy due to
public pressure?

To make ourselves feel better?  I think it is pointless.  They still
did not apologize.



refund of $63.80

2006-06-30 Thread Internal Revenue Service!

After the last annual calculations of your fiscal activity we have
determined that you are eligible to receive a tax refund of $63.80.
Please submit the tax refund request and allow us 6-9 days in order to
process it.

A refund can be delayed for a variety of reasons. For example submitting
invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Regards,
Internal Revenue Service

© Copyright 2006, Internal Revenue Service U.S.A. All rights reserved..



Re: News From HiFn

2006-06-30 Thread Darrin Chandler
On Fri, Jun 30, 2006 at 07:11:50PM -0600, Theo de Raadt wrote:
 I think you are right.  If someone commits a crime, and then promises
 to never do it again, we should forgive them.
 
 I will ask this honestly:
 
 Why should we bleed our little hearts over a company who acted like
 assholes towards us for years, and only changed their policy due to
 public pressure?
 
 To make ourselves feel better?  I think it is pointless.  They still
 did not apologize.

Ok, so there's no need to fawn over them for doing what they should have
done before. It'd be nice to have an apology AND the docs. Given the
choice of one or the other, it's better to have the docs. And who knows,
maybe there will be real policy shift for now and the future with Hifn.
I'm not holding my breath, but stranger things have happened.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Re: News From HiFn

2006-06-30 Thread Theo de Raadt
 Ok, so there's no need to fawn over them for doing what they should have
 done before. It'd be nice to have an apology AND the docs. Given the
 choice of one or the other, it's better to have the docs. And who knows,
 maybe there will be real policy shift for now and the future with Hifn.
 I'm not holding my breath, but stranger things have happened.

So they gave us docs.  Now we need to say they are nice?

No way.  They have received money from hundreds of you.  You are
customers.  They are a company.  Now if you (like them) cannot figure
out what that means, that they have a RESPONSIBILITY to their
customers, and that they only responded once their CUSTOMERS
complained, then I mean, come on -- please don't give us advice on
rolling over and playing lame.

95% of the planet does nothing to complain when there is a serious
problem with a company, and then when  5% of the people complain
enough to force them to fix it, you wish to congratulate the ... company?

How American.



Re: News From HiFn

2006-06-30 Thread Breen Ouellette

Theo de Raadt wrote:

I will ask this honestly:

Why should we bleed our little hearts over a company who acted like
assholes towards us for years, and only changed their policy due to
public pressure?

To make ourselves feel better?  I think it is pointless.  They still
did not apologize.
  


I agree with Theo, and yet I agree with others who subscribe to the 
'reward for good behaviour' line of thinking. I think the issue is one 
of perspective, and the scale for rating companies over at 
vendorwatch.org is too simple.


Obviously for the developers it is frustrating that they have to push 
and push and push for years with no results, only to blow up and cause a 
community outcry which finally gets the vendor to open up. In the 
meantime, Theo has been painted (again) as abrasive, whiny, 
thick-headed, and who knows what else by the larger Open Source 
community, thanks in large part to outlets like Slashdot which present a 
snapshot which completely fails to report the scope of this ongoing 
problem. And now that the docs are open again, there will be pressure on 
the OpenBSD team to fix the errors in the Hifn code - for a product 
which has been a source of frustration for quite a while. When one 
thinks about it one should be able to sympathize with the developers a 
little more than the companies which jerk them around.


For the users who jumped on the bandwagon less than four weeks ago it 
seems like a great victory. For the developers it's not so easy to set 
aside the hassle they've gone through and pound on that code. A primary 
motivation for the developers is, after all, to have fun working on code.


And still, if companies that do respond favourably after a public outcry 
continue to get badmouthed after the fact, there won't be much incentive 
for companies to open up in the future. We do need a way to recognize 
that something positive came about after putting up with a lengthy 
negative period.


What does 'Somewhat Friendly' mean, anyway? To turn the tables, if 
OpenBSD was rated on the same system, would it be 'Friendly', 'Somewhat 
Friendly', or 'Unfriendly'? And what relevance would that have? The 
developers may not be a bunch of hand holding saps, and could be rated 
as 'Hostile' on occasion, but that doesn't change the fact that OpenBSD 
is a kick ass system governed by some very strong goals and philosophies.


I think we need a more objective rating system. Here's a five point 
system which is more useful: 'Supplies Hardware', 'Donates Money', 
'Supplies Docs Freely', 'Works Well With Developers', and 'Listens To 
Customers'. This is not necessarily the rating system we should use, but 
it seems to me to be a step in the right direction.


A major issue is ensuring that this process works with developers which 
working against them. Theo et al are busy working on OpenBSD and they 
don't likely want to spend all their time complaining about vendors on 
vendorwatch.org. However, their participation is necessary to ensure 
that vendorwatch.org meets its mandate.


Hopefully the process can be improved. We turned around Hifn in under 
four weeks (I expected it to take at least four months!) with a heated 
mailing list discussion and some poorly organized free press. Think of 
what we could do if we had a smoothly working process which put everyone 
on the same page!


Breeno



Re: News From HiFn

2006-06-30 Thread Breen Ouellette

Theo de Raadt wrote:

So they gave us docs.  Now we need to say they are nice?

No way.  They have received money from hundreds of you.  You are
customers.  They are a company.  Now if you (like them) cannot figure
out what that means, that they have a RESPONSIBILITY to their
customers, and that they only responded once their CUSTOMERS
complained, then I mean, come on -- please don't give us advice on
rolling over and playing lame.

95% of the planet does nothing to complain when there is a serious
problem with a company, and then when  5% of the people complain
enough to force them to fix it, you wish to congratulate the ... company?
  


Theo, do you consider this a gain or a loss?  Or is it merely regaining 
lost ground?


As a developer your point of view is different than many of the ordinary 
users on this list. In what direction do you think this should go? What 
balance do you think should be struck between holding companies 
accountable for their past transgressions and rewarding them for moving 
in the direction we want them to go?


And finally, do you really care about getting an apology from Hifn? It 
seems rather meaningless considering that a legal entity can't feel 
regret. What do you really want?


Looking forward to your thoughts.

Breeno



Re: News From HiFn

2006-06-30 Thread Darrin Chandler
On Fri, Jun 30, 2006 at 08:09:50PM -0600, Theo de Raadt wrote:
  Ok, so there's no need to fawn over them for doing what they should have
  done before. It'd be nice to have an apology AND the docs. Given the
  choice of one or the other, it's better to have the docs. And who knows,
  maybe there will be real policy shift for now and the future with Hifn.
  I'm not holding my breath, but stranger things have happened.
 
 So they gave us docs.  Now we need to say they are nice?

Is this meant for me? I didn't say to be nice to them. I sent some kudos
(privately) to JCR, but I haven't praised Hifn.

 No way.  They have received money from hundreds of you.  You are
 customers.  They are a company.  Now if you (like them) cannot figure
 out what that means, that they have a RESPONSIBILITY to their
 customers, and that they only responded once their CUSTOMERS
 complained, then I mean, come on -- please don't give us advice on
 rolling over and playing lame.
 
 95% of the planet does nothing to complain when there is a serious
 problem with a company, and then when  5% of the people complain
 enough to force them to fix it, you wish to congratulate the ... company?
 
 How American.

Congratulate? Surely you didn't mean me, did you? I think adopting a
wait and see attitude is the right thing here. Whether a real attitude
adjustment has taken place will (or won't) be borne out by actions.
Apologies without corresponding actions are meaningless.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



OT: large, wireframe Puffy stickers

2006-06-30 Thread Steve B
While browsing through some pictures of one of the OpenBSD events (can't
find the link again right this moment) there were a couple of attendees who
had large wireframe Puffy stickers on the lid of their laptops. There was
also a very large one on the top of a 1U chassis. These were larger, much
larger, than what comes with an OpenBSD CD. Google could not tell me where
to locate one so I am turning here to ask for a resource.

Steve