Re: ISAKMPD dies during phase 1

2006-09-15 Thread Jacob Yocom-Piatt
 Original message 
Date: Thu, 14 Sep 2006 22:24:09 -0400
From: Craig Shue [EMAIL PROTECTED]  
Subject: ISAKMPD dies during phase 1  
To: misc@openbsd.org

Greetings,

I am attempting to have two OpenBSD boxes communicate via IPSec. I have
configured them to use ISAKMPD to negotiate the connection, using PSK.
Unfortunately, isakmpd on one of the boxes dies in phase 1's
negotiation. For both machines, I am using OpenBSD 3.8 on an i386
architecture.

I have recompiled the kernel and userland from source on the machine
experiencing isakmp death. I am wanting to modify the isakmp source to
log some additional information. However, because of the abnormal
termination, I moved my modified code out of the way, updated via CVS,
and did the make obj && make depend && make && make install steps.
Even then, it still dies.


first, if possible, upgrade to 3.9. it takes ~20 minutes per machine. second,
check out http://www.securityfocus.com/infocus/1859 and see if you can get it
working.

there is a reason that using isakmpd.conf is becoming obsolete: it is very much
error prone and annoying to debug.



Restore your account !

2006-09-15 Thread Chase

Dear Chase Customer,

 For the User Agreement, Section 9, we may immediately issue a warning,
temporarily suspend, indefinitely suspend or terminate your membership
and refuse to provide our services to you if we believe that your actions
may cause financial loss or legal liability for you, our users or us.


Our terms and conditions you agreed to state that your service must
always be under your control or those you designate all times. We
have noticed some unusual activity related to your service that
indicates that other parties may have access and or control of your
information's in your service.


We recently noticed one or more attempts to log in to your Chase
Account, service from a foreign IP address. If you recently accessed
your service while traveling, the unusual log in attempts may have
been initiated by you. However, if you did not initiate the logins,
please visit Chase homepage as soon as possible to restore your
account status.


The log in attempt was made from:
ISP host : user-0cdf2ni.cable.mindspring.com

To restore your account status click the link below:

https://www.chase.com/cgi-bin/webscr?cmd=login-run

Have questions? Our online help screens provide answers to many
frequently
asked questions. You can also click the Customer Center tab then go to
the
Contact Us page to find a list of helpful numbers to call.

Please do not reply to this automatically generated e-mail.

We know you have a choice of banks. Thanks for choosing ours.

Sincerely,
Online Banking Team

Lisa M Hall
E-mail Customer Service Representative

Account is owned by Chase Manhattan Bank USA, N.A. and may
be serviced by its affiliates.


©2006 JPMorgan Chase & Co.




Re: ftp-proxy

2006-09-15 Thread Camiel Dobbelaar
On Thu, 14 Sep 2006, Steve Welham wrote:
 I agree with you and I think the man page is missing a line - at least
 for passive mode which is all that I tested (running ftp-proxy with no
 options) . It does appear that 2 translation rules are added for PASV -
 an rdr and a nat:

 It looks like that rdr rule is added in order to achieve the port
 rewriting noted in the code comments:
 * 3)  Source and destination ports are rewritten to minimize
 * port collisions, to aid security (some systems pick weak
 * ports) or to satisfy RFC requirements (source port 20).
 
 I think this is explained when you consider the 4 rules together, so for
 my test:
 
 1) Inbound translation:
 Packet: 192.168.0.10 to A.B.C.D:57239
 Action: rdr matches and packet becomes 192.168.0.10 to A.B.C.D:26703
 
 2) Inbound filter:
 Packet: 192.168.0.10 to A.B.C.D:26703
 Action: Matches first filter rule.
 
 3) Outbound translation... matches the NAT rule
 
 4) Outbound filter... matches the 2nd filter rule
 
 HTH, my understanding is a lot clearer if this is all correct. Hopefully
 someone else can confirm.

Yes, all correct.
 
The rules in the manpage are very much simplified, to clarify what the 
proxy does.  Listing the exact rules with the port rewriting would make 
them a lot more complicated (i.e. not suitable for a manpage).


--
Cam



webbased authpf ?

2006-09-15 Thread Frans Haarman

Is there something which does Authpf-like things, only via a website?
So the user authenticates on the website, then the firewall rules
are loaded!

Another idea I have is to simply have users authenticate, then they
can download a ssh key with which they can login.



trouble with extended partitions in latest snapshot

2006-09-15 Thread Adi

latest snapshot doesn't see the last two partitions on my disk.
neither 3.9, linux or freebsd have any problem with that.

Does anyone know what's going on ?

Thanks a lot.

(see below the output from disklabel -d, as seen on the snapshot
from September 1st and on 3.9)


disklabel.40:
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: IBM-DTLA-307015
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 30003120
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#        size   offset  fstype [fsize bsize  cpg]
  c:  30003120        0  unused      0     0   # Cyl     0 - 29764
  i:   4339377       63   MSDOS                # Cyl     0*-  4304
  j:   4732560  4339440 unknown                # Cyl  4305 -  8999
  k:   1118880  9072000 unknown                # Cyl  9000 - 10109
  l:   9896039 10201338  ext2fs                # Cyl 10120*- 19937*
  m:   1895544 20097378 unknown                # Cyl 19937*- 21818*


disklabel.39:
# /dev/rwd0c:
type: ESDI
disk: ESDI/IDE disk
label: IBM-DTLA-307015
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 16
sectors/cylinder: 1008
cylinders: 16383
total sectors: 30003120
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0   # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0

16 partitions:
#        size   offset  fstype [fsize bsize  cpg]
  c:  30003120        0  unused      0     0   # Cyl     0 - 29764
  i:   4339377       63   MSDOS                # Cyl     0*-  4304
  j:   4732560  4339440 unknown                # Cyl  4305 -  8999
  k:   1118880  9072000 unknown                # Cyl  9000 - 10109
  l:   9896039 10201338  ext2fs                # Cyl 10120*- 19937*
  m:   1895544 20097378 unknown                # Cyl 19937*- 21818*
  n:   5879790 21992985  ext2fs                # Cyl 21818*- 27651*
  o:   2120516 27872838  ext2fs                # Cyl 27651*- 29755*



Re: Necessary Files?

2006-09-15 Thread Gernot Poerner

On 9/15/06, Ray [EMAIL PROTECTED] wrote:

I plan to configure a device to boot from a CF card, but to reduce writes to
the CF, run /tmp, /var and /dev from a memory (mfs) drive.

When prepping the device, I copy the contents of the /var directory to another
directory path.  When 'swap mfs' in the fstab file mounts the mfs drive, the
contents of that directory are copied there.

However, when I copy files to the new directory with the command:
cp -rp /var /mfstmp/var

I get
cp: /var/cron/tabs/.sock: Operation not supported
cp: /var/empty/dev/log: Operation not supported

Are there any ugly problems that may come about later without these socks or
file?



I am doing similar things, but I use

find /var | cpio -o -Hustar | gzip -9 > varXX.tgz

I don't have this problem. You can leave out the gzip part, too.



Re: trouble with extended partitions in latest snapshot

2006-09-15 Thread Otto Moerbeek
On Fri, 15 Sep 2006, Adi wrote:

 latest snapshot doesn't see the last two partitions on my disk.
 neither 3.9, linux or freebsd have any problem with that.
 
 Does anyone know what's going on ?

Can you try to revert sys/arch/i386/i386/disksubr.c to rev 1.53 and see
if the problem goes away?

-Otto
 
 Thanks a lot.
 
 (see below the output from disklabel -d, as seen on the snapshot
 from September 1st and on 3.9)
 
 
 disklabel.40:
 # /dev/rwd0c:
 type: ESDI
 disk: ESDI/IDE disk
 label: IBM-DTLA-307015
 flags:
 bytes/sector: 512
 sectors/track: 63
 tracks/cylinder: 16
 sectors/cylinder: 1008
 cylinders: 16383
 total sectors: 30003120
 rpm: 3600
 interleave: 1
 trackskew: 0
 cylinderskew: 0
 headswitch: 0   # microseconds
 track-to-track seek: 0  # microseconds
 drivedata: 0
 
 16 partitions:
 #        size   offset  fstype [fsize bsize  cpg]
   c:  30003120        0  unused      0     0   # Cyl     0 - 29764
   i:   4339377       63   MSDOS                # Cyl     0*-  4304
   j:   4732560  4339440 unknown                # Cyl  4305 -  8999
   k:   1118880  9072000 unknown                # Cyl  9000 - 10109
   l:   9896039 10201338  ext2fs                # Cyl 10120*- 19937*
   m:   1895544 20097378 unknown                # Cyl 19937*- 21818*
 
 
 disklabel.39:
 # /dev/rwd0c:
 type: ESDI
 disk: ESDI/IDE disk
 label: IBM-DTLA-307015
 flags:
 bytes/sector: 512
 sectors/track: 63
 tracks/cylinder: 16
 sectors/cylinder: 1008
 cylinders: 16383
 total sectors: 30003120
 rpm: 3600
 interleave: 1
 trackskew: 0
 cylinderskew: 0
 headswitch: 0   # microseconds
 track-to-track seek: 0  # microseconds
 drivedata: 0
 
 16 partitions:
 #        size   offset  fstype [fsize bsize  cpg]
   c:  30003120        0  unused      0     0   # Cyl     0 - 29764
   i:   4339377       63   MSDOS                # Cyl     0*-  4304
   j:   4732560  4339440 unknown                # Cyl  4305 -  8999
   k:   1118880  9072000 unknown                # Cyl  9000 - 10109
   l:   9896039 10201338  ext2fs                # Cyl 10120*- 19937*
   m:   1895544 20097378 unknown                # Cyl 19937*- 21818*
   n:   5879790 21992985  ext2fs                # Cyl 21818*- 27651*
   o:   2120516 27872838  ext2fs                # Cyl 27651*- 29755*



Re: bioctl(8) and ami(4)

2006-09-15 Thread Rogier Krieger

On 9/15/06, Darrin Chandler [EMAIL PROTECTED] wrote:

[...] mostly I'm looking for a cluestick about bioctl.


AFAIK, this has to do with bugs in the 3.9 bioctl that were fixed in
-current a while ago. The following two threads came up in the
archives:

LSI MegaRaid non-hotspare
http://marc.theaimsgroup.com/?t=11481358623&r=1&w=2

Unable to set Hot Spare on MegaRAID 300-8x
http://marc.theaimsgroup.com/?t=11516052231&r=1&w=2

Hope these help,

Rogier

--
If you don't know where you're going, any road will get you there.



Re: bioctl(8) and ami(4)

2006-09-15 Thread Henning Brauer
* Rogier Krieger [EMAIL PROTECTED] [2006-09-15 12:04]:
 On 9/15/06, Darrin Chandler [EMAIL PROTECTED] wrote:
 [...] mostly I'm looking for a cluestick about bioctl.
 
 AFAIK, this has to do with bugs in the 3.9 bioctl that were fixed in
 -current a while ago. The following two threads came up in the
 archives:

not completely fixed. only seems to apply to disks that have been part 
of the array before tho.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



trunk(4) with gif(4) interfaces

2006-09-15 Thread Matthias Bertschy

Hello,

I would like to use a round robin aggregation of 2 (or more) gif(4) 
interfaces.


For example:
# ifconfig gif0 create
# ifconfig gif0 tunnel 10.16.10.14 10.16.10.12
# ifconfig gif0 10.9.1.1 netmask 255.255.255.255 10.9.2.1
# ifconfig gif0 mtu 1500 up
#
# ifconfig gif1 create
# ifconfig gif1 tunnel 10.16.10.100 10.16.10.12
# ifconfig gif1 10.9.1.2 netmask 255.255.255.255 10.9.2.2
# ifconfig gif1 mtu 1500 up
#
# ifconfig trunk0 trunkport gif0 trunkport gif1 192.168.1.1 netmask 255.255.255.0

ifconfig: SIOCSTRUNKPORT: Protocol not supported

Well, it looks like this functionality isn't implemented yet with gif(4) 
driver...

Would it be possible to implement it?

I know pf(4) can also do load balancing, but I find this way less 
intuitive as the resulting interface cannot be monitored as easily as a 
trunk(4).


Thanks for your help.

Matthias Bertschy

OpenBSD 3.9 on i386 unpatched

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
   groups: lo
   inet 127.0.0.1 netmask 0xff00
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:01:02:1c:c6:7b
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet 10.16.10.100 netmask 0x broadcast 10.16.255.255
   inet6 fe80::201:2ff:fe1c:c67b%xl0 prefixlen 64 scopeid 0x1
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:0d:61:3f:37:d1
   groups: egress
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet6 fe80::20d:61ff:fe3f:37d1%rl0 prefixlen 64 scopeid 0x2
   inet 10.16.10.14 netmask 0x broadcast 10.16.10.255
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 1460
enc0: flags=0<> mtu 1536
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
   groups: gif
   physical address inet 10.16.10.14 --> 10.16.10.12
   inet6 fe80::201:2ff:fe1c:c67b%gif0 ->  prefixlen 64 scopeid 0x7
   inet 10.9.1.1 --> 10.9.2.1 netmask 0x
gif1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
   groups: gif
   physical address inet 10.16.10.100 --> 10.16.10.12
   inet6 fe80::201:2ff:fe1c:c67b%gif1 ->  prefixlen 64 scopeid 0x8
   inet 10.9.1.2 --> 10.9.2.2 netmask 0x
trunk0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:00:00:00:00:00
   trunk: trunkproto roundrobin
   groups: trunk
   media: Ethernet autoselect
   status: no carrier

# dmesg
OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm)  (AuthenticAMD 686-class, 256KB L2 cache) 1.12 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
cpu0: AMD Powernow: TS
real mem  = 234397696 (228904K)
avail mem = 206905344 (202056K)
using 2886 buffers containing 11821056 bytes (11544K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(a2) BIOS, date 10/01/04, BIOS32 rev. 0 @ 0xfb660
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xdda4
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdcd0/208 (11 entries)
pcibios0: PCI Exclusive IRQs: 5 10 11
pcibios0: PCI Interrupt Router at 000:17:0 (VIA VT82C596A ISA rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x7e00 0xc8000/0x800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 VIA VT8378 PCI rev 0x00
ppb0 at pci0 dev 1 function 0 VIA VT8377 PCI-PCI rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 VIA VT8378 VGA rev 0x01: aperture at 0xd800, size 0x1000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
xl0 at pci0 dev 9 function 0 3Com 3c905C 100Base-TX rev 0x78: irq 10, address 00:01:02:1c:c6:7b
bmtphy0 at xl0 phy 24: Broadcom 3C905C internal PHY, rev. 7
pciide0 at pci0 dev 15 function 0 VIA VT6420 SATA rev 0x80: DMA
pciide0: using irq 11 for native-PCI interrupt
pciide1 at pci0 dev 15 function 1 VIA VT82C571 IDE rev 0x06: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide1 channel 0 drive 0: SAMSUNG SP0802N
wd0: 16-sector PIO, LBA48, 76350MB, 156365903 sectors
atapiscsi0 at pciide1 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TOSHIBA, DVD-ROM SD-M1912, TM00 SCSI0 5/cdrom removable
wd0(pciide1:0:0): using PIO mode 4, DMA mode 2
cd0(pciide1:0:1): using PIO mode 4, DMA mode 2
pciide1: channel 1 disabled (no drives)
uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x81: irq 5
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 VIA VT83C572 USB rev 0x81: irq 5
usb1 at 

Re: Necessary Files?

2006-09-15 Thread Joachim Schipper
On Thu, Sep 14, 2006 at 10:46:30PM +, Ray wrote:
 I plan to configure a device to boot from a CF card, but to reduce writes to 
 the CF, run /tmp, /var and /dev from a memory (mfs) drive.
 
 When prepping the device, I copy the contents of the /var directory to another 
 directory path.  When 'swap mfs' in the fstab file mounts the mfs drive, the 
 contents of that directory are copied there.
 
 However, when I copy files to the new directory with the command:
 cp -rp /var /mfstmp/var
 
 I get
 cp: /var/cron/tabs/.sock: Operation not supported
 cp: /var/empty/dev/log: Operation not supported
 
 Are there any ugly problems that may come about later without these socks or 
 file?

Certainly, daemons chrooted in /var/empty won't be able to use syslog
and there will be something wrong with cron (maybe the notification to
re-read changed crontabs?).

Joachim



Re: trunk(4) with gif(4) interfaces

2006-09-15 Thread Jason McIntyre
On Fri, Sep 15, 2006 at 12:01:20PM +0200, Matthias Bertschy wrote:
 
 I would like to use a round robin aggregation of 2 (or more) gif(4) 
 interfaces.
 

trunk.4:
The trunk interface allows aggregation of multiple network
interfaces as one virtual trunk interface.

if trunk(4) can handle other types of ifs besides network interfaces,
the man page is wrong. i've never tried, but network interface seems
pretty clear...

jmc



Re: webbased authpf ?

2006-09-15 Thread Joachim Schipper
On Fri, Sep 15, 2006 at 10:27:29AM +0200, Frans Haarman wrote:
 Is there something which does Authpf-like things, only via a website?
 So the user authenticates on the website, then the firewall rules
 are loaded!
 
 Another idea I have is to simply have users authenticate, then they
 can download a ssh key with which they can login.

It shouldn't be that hard to hack the authpf source to do what you want;
the downside is mostly in the fact that this is a lot of trust to place
in a web site...

The other option is comparatively easy, if you avoid the many pitfalls
(notably, the key shouldn't be reachable from the web site, of course,
but should probably not even be readable for scripts on the web site;
use a s(u|g)id program to check credentials and read the key if they are
correct).

Joachim



Re: webbased authpf ?

2006-09-15 Thread viq

On 9/15/06, Joachim Schipper [EMAIL PROTECTED] wrote:

On Fri, Sep 15, 2006 at 10:27:29AM +0200, Frans Haarman wrote:
 Is there something which does Authpf-like things, only via a website?
 So the user authenticates on the website, then the firewall rules
 are loaded!

 Another idea I have is to simply have users authenticate, then they
 can download a ssh key with which they can login.

It shouldn't be that hard to hack the authpf source to do what you want;
the downside is mostly in the fact that this is a lot of trust to place
in a web site...

The other option is comparatively easy, if you avoid the many pitfalls
(notably, the key shouldn't be reachable from the web site, of course,
but should probably not even be readable for scripts on the web site;
use a s(u|g)id program to check credentials and read the key if they are
correct).


Maybe instead of having the ever-valid ssh key available through web
have a script generate a single S/Key password for user, invalidating
the last one in case it was not used yet?


Joachim





--
viq
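viq's single-use password idea, as an added Python example (not code from the thread or from OpenBSD's skey(1)): an S/Key-style hash chain using the RFC 2289 MD5 fold, a verifier that stores only the next expected hash and consumes each password on use, and an issuer that burns an outstanding unused password before handing out the next one. The passphrase, seed and the Verifier/Issuer classes are this example's own constructions.

```python
import hashlib
import secrets

def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold 128 bits to 64 as RFC 2289 does for MD5:
    XOR the first eight digest bytes with the last eight."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Password number `count` in the chain: fold(seed || passphrase), then
    folded hashing `count` more times.  The seed is case-folded as skey(1) does."""
    key = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(count):
        key = fold_md5(key)
    return key

class Verifier:
    """Server side, the role /etc/skey plays: keeps only the hash of the next
    expected password (password count n+1), never the passphrase, so a copied
    record does not yield a usable password."""
    def __init__(self, passphrase: str, seed: str, n: int = 99):
        self.seed = seed
        self.n = n                                  # count expected next
        self.last = otp(passphrase, seed, n + 1)    # its hash

    def challenge(self) -> str:
        return f"otp-md5 {self.n} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        """Accept iff hashing the candidate once gives the stored value, then
        step the chain down so the same password is never accepted again."""
        if self.n < 0 or not secrets.compare_digest(fold_md5(candidate), self.last):
            return False
        self.last = candidate
        self.n -= 1
        return True

class Issuer:
    """The script viq describes: holds the passphrase (the trust placed in the
    web side that Joachim warns about), hands out one password at a time and
    burns an outstanding unused one before issuing the next."""
    def __init__(self, passphrase: str, seed: str, verifier: Verifier):
        self.passphrase, self.seed, self.v = passphrase, seed, verifier
        self.outstanding = None

    def issue(self) -> bytes:
        if self.outstanding is not None:
            # Consuming the unused password on the verifier is exactly what
            # invalidates it; if the user already used it this is a no-op.
            self.v.verify(self.outstanding)
        if self.v.n < 0:
            raise RuntimeError("chain exhausted; re-initialise with a new seed")
        self.outstanding = otp(self.passphrase, self.seed, self.v.n)
        return self.outstanding

if __name__ == "__main__":
    # Constructed demo values (hypothetical passphrase and seed).
    v = Verifier("correct horse battery", "ob1234", n=5)
    i = Issuer("correct horse battery", "ob1234", v)
    first = i.issue()
    print(v.challenge(), first.hex().upper())
    print("login:", v.verify(first), "replay:", v.verify(first))
```

The issuer is the only component that must hold the secret; the verifier record can live on the firewall host and is useless to anyone who copies it.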



Re: bioctl(8) and ami(4)

2006-09-15 Thread Darrin Chandler
On Fri, Sep 15, 2006 at 11:59:43AM +0200, Rogier Krieger wrote:
 On 9/15/06, Darrin Chandler [EMAIL PROTECTED] wrote:
 [...] mostly I'm looking for a cluestick about bioctl.
 
 AFAIK, this has to do with bugs in the 3.9 bioctl that were fixed in
 -current a while ago. The following two threads came up in the
 archives:
 
 LSI MegaRaid non-hotspare
 http://marc.theaimsgroup.com/?t=11481358623&r=1&w=2
 
 Unable to set Hot Spare on MegaRAID 300-8x
 http://marc.theaimsgroup.com/?t=11516052231&r=1&w=2
 
 Hope these help,

Thanks!

As to Henning's reply, this disk was indeed already part of the array.

-- 
Darrin Chandler|  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |



Re: webbased authpf ?

2006-09-15 Thread Bibby Michael
  Frans Haarman wrote:

 Is there something which does Authpf-like things, only via a website?
 So the user authenticates on the website, then the firewall rules
 are loaded!

 Another idea I have is to simply have users authenticate, then they
 can download a ssh key with which they can login.

Hello, this is what I planned to do several days ago:

* Provide a web interface and/or GUI application to allow clients to connect to
the authpf server;

Write cgi scripts with Python for the web interface and Python+wxPython for the GUI
application.

About the GUI application, it only provides a window and a system tray icon:
- The window:
   * Provides three input areas:
username/password/authpf-server-address(IP/hostname);
   * Minimize/Close to system tray;
- System tray:
   * Shows the connection status simply;
   * Pops up a menu on right click, allowing the user to stop the connection;


This is just a plan.
I'm learning Python and am not a professional programmer; I will start to code
about one month later (looking for work now), and the code may be dirty and
insecure.

I know this is a simple program, maybe somebody can finish it in one day,
but maybe one month for me :)

This is my plan(Chinese):
http://www.bsdlife.org/wiki/index.php/Bibby%27s_Todo_List



Re: Rotate many Apache logfiles

2006-09-15 Thread Nico Meijer
Hi Mackan,

 What is the preferred way of rotating Apache's logfiles?

My preferred way is to use just one access_log and error_log. I've heard
good things about cronolog from ports too.

 I have many virtual domains, each with its own access and error logfile.
 I'm using CustomLog, not TransferLog.  Apache is chrooted.

I use:
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog logs/access_log combined

%v = virtual host

I rotate the logs and then use Apache's own split-logfile:

/usr/bin/zcat /var/www/logs/access_log.0.gz
| /path/to/split-logfile

You need to change the path to perl on the first line of split-logfile. I
happen to keep this modified version in my $PATH.

[Watch out for my mail client wrapping long lines, btw]

QED for me... Nico
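The split step Nico describes, as an added Python example (not split-logfile itself and not code from the thread): it reads lines written by the LogFormat above, keys them on the leading %v field, and rejects any vhost value that is not a plain hostname before that value becomes part of an output file name. The sample log lines and the demo() output directory are constructed.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed lines in the format Nico's LogFormat writes, vhost (%v) first:
#   "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
SAMPLE_LOG = """\
www.example.com 192.0.2.10 - - [15/Sep/2006:14:57:01 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
mail.example.com 192.0.2.11 - - [15/Sep/2006:14:57:02 +0200] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
www.example.com 198.51.100.7 - - [15/Sep/2006:14:57:03 +0200] "POST /cgi-bin/x HTTP/1.0" 404 220 "-" "curl/7.15"
not/a/hostname 203.0.113.5 - - [15/Sep/2006:14:57:04 +0200] "GET / HTTP/1.1" 200 512 "-" "-"
"""

# %v is the ServerName of the vhost Apache matched, not the raw Host header,
# so it should always be a plain hostname; the check keeps a malformed line
# (or a misconfigured vhost) from steering the output path anyway.
VHOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]{0,252}[a-z0-9])?$", re.IGNORECASE)

def split_lines(lines):
    """Group log lines by vhost.  Returns ({vhost: [line minus %v]}, [rejected]).
    What is kept per vhost is the ordinary combined format again, so the
    per-vhost files stay readable by any log analyser."""
    per_host, rejected = defaultdict(list), []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        vhost, sep, rest = line.partition(" ")
        if not sep or not VHOST_RE.match(vhost):
            rejected.append(line)
            continue
        per_host[vhost.lower()].append(rest)
    return dict(per_host), rejected

def write_split(lines, outdir):
    """Append each vhost's lines to <outdir>/<vhost>-access_log."""
    per_host, rejected = split_lines(lines)
    os.makedirs(outdir, exist_ok=True)
    for vhost, entries in per_host.items():
        with open(os.path.join(outdir, vhost + "-access_log"), "a") as fh:
            fh.write("\n".join(entries) + "\n")
    return sorted(per_host), rejected

def demo(outdir=None):
    """Split the constructed sample into a temp dir; returns (vhosts, rejected, dir)."""
    outdir = outdir or tempfile.mkdtemp(prefix="vhostlogs-")
    hosts, rejected = write_split(SAMPLE_LOG.splitlines(True), outdir)
    return hosts, rejected, outdir

def count_lines(path):
    with open(path) as fh:
        return sum(1 for _ in fh)

if __name__ == "__main__":
    hosts, rejected, d = demo()
    print("wrote", hosts, "to", d, "rejected", len(rejected))
```

In production the lines would come from the rotated access_log.0.gz on stdin, as in Nico's zcat pipeline, and the rejected lines deserve a look rather than silent loss.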



Re: Rotate many Apache logfiles

2006-09-15 Thread Scott Plumlee

Mackan wrote:

Hi!

What is the preferred way of rotating Apache's logfiles?

I have many virtual domains, each with its own access and error logfile.
I'm using CustomLog, not TransferLog.  Apache is chrooted.

Adding every logfile to /etc/newsyslog.conf is one way, but hard to
maintain.  Is Apache's own rotatelogs program the way to go?


Mackan



Savelogs, if it's available, is a nice method, at least on FreeBSD. 
It's not in the ports or packages list for i386 on OpenBSD 3.9, but it's 
a perl script, so I would think it's doable.




Re: trouble with extended partitions in latest snapshot

2006-09-15 Thread Adi

that was supposed to go to the list, sorry.

Adi

On 9/15/06, Adi [EMAIL PROTECTED] wrote:

 Can you try to revert sys/arch/i386/i386/disksubr.c to rev 1.53 and see
 if the problem goes away?

yes, that fixes it.

Adi




Re: trunk(4) with gif(4) interfaces

2006-09-15 Thread Matthias Bertschy

Jason McIntyre wrote:

On Fri, Sep 15, 2006 at 12:01:20PM +0200, Matthias Bertschy wrote:
  
I would like to use a round robin aggregation of 2 (or more) gif(4) 
interfaces.


trunk.4:
The trunk interface allows aggregation of multiple network
interfaces as one virtual trunk interface.

if trunk(4) can handle other types of ifs besides network interfaces,
the man page is wrong. i've never tried, but network interface seems
pretty clear...

jmc

You must be right.

But anyway, having a possibility to trunk(4) with virtual interfaces 
might be very useful to load balance/fail over multiple VPN links or tunnels.
I would definitely find good uses of it.

Is it hard to implement a pseudo device like trunk(4) working with 
virtual interfaces?


Thanks.
Matthias



Re: Rotate many Apache logfiles

2006-09-15 Thread Hans van Leeuwen
On Friday 15 September 2006 14:57, you wrote:
 Hi!

 What is the preferred way of rotating Apache's logfiles?

 I have many virtual domains, each with its own access and error logfile.
 I'm using CustomLog, not TransferLog.  Apache is chrooted.

 Adding every logfile to /etc/newsyslog.conf is one way, but hard to
 maintain.  Is Apache's own rotatelogs program the way to go?

I prefer to use cronolog.
It's in ports.


Hans



Re: trunk(4) with gif(4) interfaces

2006-09-15 Thread Jason McIntyre
On Fri, Sep 15, 2006 at 03:50:17PM +0200, Matthias Bertschy wrote:
 
 if trunk(4) can handle other types of ifs besides network interfaces,
 the man page is wrong. i've never tried, but network interface seems
 pretty clear...
 
 jmc
 You must be right.
 
 But anyway, having a possibility to trunk(4) with virtual interfaces 
 might be very useful to load
 balance/fail over multiple VPN links or tunnels.
 I would definitely find good uses of it.
 
 Is it hard to implement a pseudo device like trunk(4) working with 
 virtual interfaces?
 

actually i'm quite likely wrong (as usual). i'm not sure whether
network interfaces covers pseudo-ifs like gif, pppoe, ...reyk?

as to how to implement these things, i'm not even gonna attempt an
answer.

jmc



Re: [OpenBSD] webbased authpf ?

2006-09-15 Thread MH
On Fri, Sep 15, 2006 at 10:27:29AM +0200, Frans Haarman wrote:
 Is there something which does Authpf-like things, only via a website?
 So the user authenticates on the website, then the firewall rules
 are loaded!
 
 Another idea I have is to simply have users authenticate, then they
 can download a ssh key with which they can login.


Hi Frans,

I am currently working on a fw setup and need to be able to use authpf but 
not everyone will have an ssh client available. I have been testing java 
ssh clients.  There are a few out there.  The setup is very simple and 
it provides browser based authentication.  However, the licensing can be 
a problem for many because they are not open source and may even allow 
only limited non-commercial use.


Hope this helps,
Mike



Re: webbased authpf ?

2006-09-15 Thread Jacob Yocom-Piatt
 Original message 
Date: Fri, 15 Sep 2006 14:21:22 +0200
From: viq [EMAIL PROTECTED]  
Subject: Re: webbased authpf ?  
To: misc@openbsd.org

On 9/15/06, Joachim Schipper [EMAIL PROTECTED] wrote:
 On Fri, Sep 15, 2006 at 10:27:29AM +0200, Frans Haarman wrote:
  Is there something which does Authpf-like things, only via a website?
  So the user authenticates on the website, then the firewall rules
  are loaded!
 
  Another idea I have is to simply have users authenticate, then they
  can download a ssh key with which they can login.

 It shouldn't be that hard to hack the authpf source to do what you want;
 the downside is mostly in the fact that this is a lot of trust to place
 in a web site...

 The other option is comparatively easy, if you avoid the many pitfalls
 (notably, the key shouldn't be reachable from the web site, of course,
 but should probably not even be readable for scripts on the web site;
 use a s(u|g)id program to check credentials and read the key if they are
 correct).

Maybe instead of having the ever-valid ssh key available through web
have a script generate a single S/Key password for user, invalidating
the last one in case it was not used yet?


when i used to have access to HPC clusters for running simulations, a similar
method to what the OP suggested was used for authentication: provide a
login/password over the web to get their firewall to open up a port for you to
ssh into for 8 hours at a time. the only problem i foresee with what you suggest is
that apache would likely have to break its default chroot to run a script to
update authpf files in /etc/authpf. if there is a way around breaking the
chroot, such as having authpf look for its config files in a different location
that is accessible to apache (e.g. /var/www/etc/authpf), that could work but i
cannot speak from experience.

viq, i like the idea of using s/key passwords, although i'm not sure if it will
suffer from the same chroot problems as what i mentioned above.

cheers,
jake

 Joachim




-- 
viq



Re: 3 gateways...

2006-09-15 Thread Raja Subramanian

On 9/15/06, Josh [EMAIL PROTECTED] wrote:

How do I know which one to reply to?


You can use packet tagging in layer 2 and layer 3 to
solve this.  See Tagging Ethernet Frames section in:
   http://www.openbsd.org/faq/pf/tagging.html

In brconfig, use the MAC IDs of your gateways to tag
packets.  Then use the tags in pf.conf pass rules.

- Raja



Re: fsck hangs

2006-09-15 Thread Han Boetes
Pedro Martelletto wrote:
 On Wed, Sep 13, 2006 at 10:46:17PM +0200, Han Boetes wrote:
   24912 fsck_ffs GIO   fd 4 wrote 32 bytes
 \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
   24912 fsck_ffs RET   write 16384/0x4000
   24912 fsck_ffs CALL  munmap(0x861e3000,0x4000)
   24912 fsck_ffs RET   munmap 0
   24912 fsck_ffs CALL  munmap(0x7fb46000,0x1000)
   24912 fsck_ffs RET   munmap 0
   24912 fsck_ffs CALL  munmap(0x7c747000,0x4000)
   24912 fsck_ffs RET   munmap 0
   24912 fsck_ffs CALL  close(0x3)
   24912 fsck_ffs RET   close 0
   24912 fsck_ffs CALL  close(0x4)
   24912 fsck_ffs RET   close 0
   24912 fsck_ffs CALL  exit(0xc)
 
  Is this what you are looking for?

 Yes, thanks. Is there any 'lseek' before this write?

This is the first lseek before that write,

 24912 fsck_ffs GIO   fd 4 wrote 16 bytes
   \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
 24912 fsck_ffs RET   write 8192/0x2000
 24912 fsck_ffs CALL  lseek(0x4,0,0x29,0,0)
 24912 fsck_ffs RET   lseek 2686976/0x29
 24912 fsck_ffs CALL  write(0x4,0x8ad6d000,0x4000)
 24912 fsck_ffs GIO   fd 4 wrote 4088 bytes



# Han



ELECOM UCAM-N1C30SV2 ?

2006-09-15 Thread vladas

Hi all.

I have got ELECOM UCAM-N1C30SV2 usb web camera.
It gets recognized as:

ugen0 at uhub1 port 2
ugen0: Z-Star Corp. PC Camera, rev 1.10/1.00, addr 2

But the power led on it shows no action after plugging the camera in.


Would be really thankful if anybody would share any insight or
ideas on whether it's possible to get this thing working under OpenBSD. And if
it's impossible, maybe some other model is working already?



OpenBSD 4.0 (GENERIC) #1104: Fri Sep  1 11:54:27 MDT 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz (GenuineIntel 686-class) 3.02 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16
cpu0: EST: strange msr value 0x0f2d0f2d
real mem  = 1073246208 (1048092K)
avail mem = 971055104 (948296K)
using 4256 buffers containing 53764096 bytes (52504K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(33) BIOS, date 01/04/06, BIOS32 rev. 0 @
0xfb290, SMBIOS rev. 2.3 @ 0xf0100 (39 entries)
bios0: Gigabyte Technology Co., Ltd. 8I945G
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 3.0 @ 0xf/0xd974
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfd860/256 (14 entries)
pcibios0: PCI Exclusive IRQs: 5 9 10 11 12
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801GH LPC rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0xf200
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 82945GP rev 0x02
ppb0 at pci0 dev 1 function 0 Intel 82945GP PCIE rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 NVIDIA GeForce 6600 rev 0xa2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x01: irq 5
azalia0: host: High Definition Audio rev. 1.0
azalia0: codec: Realtek ALC882 (rev. 1.1), HDA version 1.0
audio0 at azalia0
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 2 Intel 82801GB PCIE rev 0x01
pci3 at ppb2 bus 3
bge0 at pci3 dev 0 function 0 Broadcom BCM5789 rev 0x11, BCM5750 B1
(0x4101): irq 12, address 00:14:85:f3:2a:2e
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: irq 9
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: irq 12
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: irq 5
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: irq 9
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: Intel EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
ppb3 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0xe1
pci4 at ppb3 bus 4
pciide0 at pci4 dev 6 function 0 ITExpress IT8212F rev 0x13: DMA,
channel 0 wired to native-PCI, channel 1 wired to native-PCI
pciide0: using irq 10 for native-PCI interrupt
ichpcib0 at pci0 dev 31 function 0 Intel 82801GB LPC rev 0x01: PM disabled
pciide1 at pci0 dev 31 function 2 Intel 82801GB SATA rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide1 channel 0 drive 0: SAMSUNG SP2004C
wd0: 16-sector PIO, LBA48, 190782MB, 390721968 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide1 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: HL-DT-ST, DVDRAM GSA-H10A, JL02 SCSI0
5/cdrom removable
cd0(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 2
ichiic0 at pci0 dev 31 function 3 Intel 82801GB SMBus rev 0x01: irq 11
iic0 at ichiic0
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x290/8: IT87
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ff65 netmask ff65 ttymask ffe7
pctr: user-level cycle counter enabled
uhub5 at uhub2 

Re: Necessary Files?

2006-09-15 Thread Chris Kuethe

On 9/15/06, Joachim Schipper [EMAIL PROTECTED] wrote:

Certainly, daemons chrooted in /var/empty won't be able to use syslog
and there will be something wrong with cron (maybe the notification to
re-read changed crontabs?).


Bunk!

Syslogd will create extra/alternate sockets when it starts up,
provided that you tell it to do so with -a. And cron will create its
notification socket. Both of these behaviours can be found by a quick
grep in the source, and the syslogd manpage explicitly mentions the
use of -a to put log sockets in chroot jails.

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?
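To make the point about syslogd -a concrete, here is an added example (my own, not from Chris's post or the OpenBSD source). syslogd started with, say, syslogd_flags="-a /var/www/dev/log" in /etc/rc.conf.local binds an extra AF_UNIX datagram socket at that path, so a daemon whose chroot is /var/www still finds a /dev/log. The script models both halves in userland: a temporary directory stands in for the jail, the "bind" side does what syslogd does for each -a path, and the "send" side does what syslog(3) does. It first shows the failure a jailed daemon sees with no socket there, then the message arriving once the socket exists; the directory and tag names are constructed for the example.

```python
import os
import shutil
import socket
import tempfile

# Facility/severity codes as in <sys/syslog.h>
LOG_DAEMON = 3
LOG_WARNING = 4


def bind_log_socket(path):
    """What syslogd does for each -a path: bind a SOCK_DGRAM socket there."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(path)
    os.chmod(path, 0o666)  # anyone in the jail may write, as with /dev/log
    return srv


def send_syslog(path, facility, severity, tag, msg):
    """What syslog(3) does: write '<PRI>tag: msg' to the log socket.
    With no socket at `path` this raises, which is exactly the situation
    of a daemon chrooted into a directory that has no /dev/log."""
    pri = facility * 8 + severity
    data = "<%d>%s: %s" % (pri, tag, msg)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        cli.sendto(data.encode(), path)
    finally:
        cli.close()


def parse_syslog(datagram):
    """Split '<PRI>tag: msg' back into (facility, severity, tag, msg)."""
    text = datagram.decode(errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing PRI field")
    pri, rest = text[1:].split(">", 1)
    pri = int(pri)
    tag, _, msg = rest.partition(": ")
    return pri // 8, pri % 8, tag, msg


def demo():
    """Returns (lost, parsed): whether the first message was lost for want
    of a socket, and the parsed second message once one was bound."""
    jail = tempfile.mkdtemp(prefix="www-jail-")  # constructed stand-in for /var/www
    sock_path = os.path.join(jail, "dev", "log")
    try:
        # 1) no -a socket: the jailed daemon cannot log at all
        try:
            send_syslog(sock_path, LOG_DAEMON, LOG_WARNING, "httpd", "no socket")
            lost = False
        except (FileNotFoundError, ConnectionRefusedError):
            lost = True
        # 2) syslogd -a <jail>/dev/log equivalent: the message arrives
        srv = bind_log_socket(sock_path)
        send_syslog(sock_path, LOG_DAEMON, LOG_WARNING, "httpd", "chroot ok")
        parsed = parse_syslog(srv.recv(2048))
        srv.close()
    finally:
        shutil.rmtree(jail, ignore_errors=True)
    return lost, parsed


if __name__ == "__main__":
    print(demo())
```

The ordering matters for the same reason Joachim raised below: the -a socket is created when syslogd starts, so a /var that is replaced after boot takes the socket away again, and nothing in the jail will notice except by its messages silently going nowhere.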



Re: Rotate many Apache logfiles

2006-09-15 Thread Andrew Dalgleish
On Fri, Sep 15, 2006 at 02:57:57PM +0200, Mackan wrote:
 Hi!
 
 What is the preferred way of rotating Apache's logfiles?
 
 I have many virtual domains, each with its own access and error logfile.
 I'm using CustomLog, not TransferLog.  Apache is chrooted.
 
 Adding every logfile to /etc/newsyslog.conf is one way, but hard to
 maintain.  Is Apache's own rotatelogs program the way to go?

I use newsyslog.

With make and m4, nothing is hard to maintain.


Regards,
Andrew Dalgleish



Re: trunk(4) with gif(4) interfaces

2006-09-15 Thread Claudio Jeker
On Fri, Sep 15, 2006 at 02:58:12PM +0100, Jason McIntyre wrote:
 On Fri, Sep 15, 2006 at 03:50:17PM +0200, Matthias Bertschy wrote:
  
  if trunk(4) can handle other types of ifs besides network interfaces,
  the man page is wrong. i've never tried, but network interface seems
  pretty clear...
  
  jmc
  You must be right.
  
  But anyway, having a possibility to trunk(4) with virtual interfaces 
  might be very useful to load
  balance/fail over multiple VPN links or tunnels.
  I would definitely find good uses of it.
  
  Is it hard to implement a pseudo device like trunk(4) working with 
  virtual interfaces?
  
 
 actually i'm quite likely wrong (as usual). i'm not sure whether
 network interfaces covers pseudo-ifs like gif, pppoe, ...reyk?
 
 as to how to implement these things, i'm not even gonna attempt an
 answer.
 

trunk(4) works only over ethernet devices (more precisely IEEE802 based
interfaces). This includes wireless devices but neither of gif, gre or
pppoe. tun(4) in layer 2 mode works while a normal tun(4) will not.

-- 
:wq Claudio



implementing an aggregating pseudo-device for virtual interfaces ?

2006-09-15 Thread Matthias Bertschy

Hello,

From my previous post, it looks like trunk(4) cannot be used for 
software based pseudo-devices.


Would it be possible to implement such a tool that works for tun, gif, 
gre, pppoe, ...

The features would be load balancing and fail over with virtual interfaces.

Thanks.
Matthias Bertschy



Re: trunk(4) with gif(4) interfaces

2006-09-15 Thread Jason McIntyre
On Fri, Sep 15, 2006 at 06:01:07PM +0200, Claudio Jeker wrote:
 
 trunk(4) works only over ethernet devices (more precisely IEEE802 based
 interfaces). This includes wireless devices but neither of gif, gre or
 pppoe. tun(4) in layer 2 mode works while a normal tun(4) will not.
 

hmm, so i think we need to word that opening sentence a bit better...
jmc



Re: implementing an aggregating pseudo-device for virtual interfaces ?

2006-09-15 Thread Claudio Jeker
On Fri, Sep 15, 2006 at 06:22:05PM +0200, Matthias Bertschy wrote:
 Hello,
 
 From my previous post, it looks like trunk(4) cannot be used for 
 software based pseudo-devices.
 
 Would it be possible to implement such a tool that works for tun, gif, 
 gre, pppoe, ...
 The features would be load balancing and fail over with virtual interfaces.
 

I see no need for this. We have multipath support that already does load
balancing. The fail over part is a bit more tricky since gif, gre and tun
have no link-state. For sppp(4) based interfaces it would be possible to
do fail-over via a ifstated triggered script. Later on the routing table
will track link-state by itself but this code is not yet written.

-- 
:wq Claudio



Re: webbased authpf ?

2006-09-15 Thread Joachim Schipper
On Fri, Sep 15, 2006 at 09:18:09AM -0500, Jacob Yocom-Piatt wrote:
  Original message 
 Date: Fri, 15 Sep 2006 14:21:22 +0200
 From: viq [EMAIL PROTECTED]  
 Subject: Re: webbased authpf ?  
 To: misc@openbsd.org
 
 On 9/15/06, Joachim Schipper [EMAIL PROTECTED] wrote:
  On Fri, Sep 15, 2006 at 10:27:29AM +0200, Frans Haarman wrote:
   Is there someting which does Authpf like things, only via a website
   ? So the users authenticates on the website, then the firewall rules
   are loaded!
 
 when i used to have access to HPC clusters for running simulations, a similar
 method to what the OP suggested was used for authentication: provide a
 login/password over the web to get their firewall to open up a port for you to
 ssh into for 8 hours at a time. the only problem i foresee with what you suggest 
 is
 that apache would likely have to break its default chroot to run a script to
 update authpf files in /etc/authpf. if there is a way around breaking the
 chroot, such as having authpf look for its config files in a different 
 location
 that is accessible to apache (e.g. /var/www/etc/authpf), that could work but i
 cannot speak from experience.

It would probably be best to let a daemon or cronjob outside the chroot
read it; a socket or even a simple pipe in the chroot is sufficient to
signal a daemon, or even send the whole IP address.

Of course, this does result in a two-part script, but the separation is
likely to be a good thing from a security standpoint.

Joachim



Re: Rotate many Apache logfiles

2006-09-15 Thread Mackan

On 15 sep 2006, at 18.57, Garance A Drosihn wrote:


At 2:57 PM +0200 9/15/06, Mackan wrote:

Hi!

What is the preferred way of rotating Apache's logfiles?

I have many virtual domains, each with its own access and error  
logfile.

I'm using CustomLog, not TransferLog.  Apache is chrooted.

Adding every logfile to /etc/newsyslog.conf is one way, but hard to
maintain.  Is Apache's own rotatelogs program the way to go?


Fwiw, the version of newsyslog in FreeBSD supports pattern-matching
on the logfile names.  However, it may not have some features that
are in the version of newsyslog that comes with OpenBSD.


Ok.


If you don't want to pull that in, then maybe setup a separate
newsyslog.conf file (and a second cronjob for it).  That way it should
be easier to use a shell script to create the appropriate entries for
that conf file, without worrying that you're going to clobber any of
the standard system entries.


This is exactly what I plan to do.  I don't want to bring in too many
ports and 3rd party stuff.

Thank you, and all other nice ppl on the list, for your replies.

Mackan



Re: Necessary Files?

2006-09-15 Thread Joachim Schipper
On Fri, Sep 15, 2006 at 09:01:12AM -0600, Chris Kuethe wrote:
 On 9/15/06, Joachim Schipper [EMAIL PROTECTED] wrote:
 Certainly, daemons chrooted in /var/empty won't be able to use syslog
 and there will be something wrong with cron (maybe the notification to
 re-read changed crontabs?).
 
 Bunk!
 
 Syslogd will create extra/alternate sockets when it starts up,
 provided that you tell it to do so with -a. And cron will create its
 notification socket. Both of these behaviours can be found by a quick
 grep in the source, and the syslogd manpage explicitly mentions the
 use of -a to put log sockets in chroot jails.

That depends on setup, but I believe that you are right and I
misunderstood.

If the mfs on /var is mounted before syslogd and crond start up, you are
of course, right - and I believe this is what we should be talking
about. In this case, disregard my post.

I was thinking of the case where one starts the system, and only then
changes /var. In this case, problems with syslogd and crond would arise.
However, in retrospect, this would not be a very sensible thing to do.

Sorry for the noise!

Joachim



Re: Necessary Files?

2006-09-15 Thread Ray
Chris Kuethe chris.kuethe at gmail.com writes:

 
 On 9/15/06, Joachim Schipper j.schipper at math.uu.nl wrote:
  Certainly, daemons chrooted in /var/empty won't be able to use syslog
  and there will be something wrong with cron (maybe the notification to
  re-read changed crontabs?).
 
 Bunk!
 
 Syslogd will create extra/alternate sockets when it starts up,
 provided that you tell it to do so with -a. And cron will create its
 notification socket. Both of these behaviours can be found by a quick
 grep in the source, and the syslogd manpage explicitly mentions the
 use of -a to put log sockets in chroot jails.
 
 CK
 


Thanks all for your help - CK is right, I deleted the files in question from 
my original /var directory to be sure, upon reboot the files are rebuilt 
automatically and are there when browsing /var - sorry I jumped to conclusions 
and didn't look at that sooner.  As it stands I think I'm okay...



Re: webbased authpf ?

2006-09-15 Thread Jeff Quast

On 9/15/06, Joachim Schipper [EMAIL PROTECTED] wrote:

It would probably be best to let a daemon or cronjob outside the chroot
read it; a socket or even a simple pipe in the chroot is sufficient to
signal a daemon, or even send the whole IP address.

Of course, this does result in a two-part script, but the separation is
likely to be a good thing from a security standpoint.

   Joachim


This design is mentioned a lot. I understand it, and it would probably
be the best solution.

Does anybody have a simple two-bin C app that communicates over a pipe
that functions for this purpose? I suppose I could pull out my richard
stevens AUP...

I see this recommended a lot. So somebody had to actually sit down and
do this at some point. Care to share?



swap mfs in fstab boot warning

2006-09-15 Thread Ray
I'm using fstab to create /var /tmp and /dev in mfs using swap in fstab to 
save writes to the CF card in our device.

/etc/fstab
---
/dev/wd0a /ffs rw,noatime 1 1
swap /var mfs rw,-P=/template/var,-s=65535,noexec,nosuid,nodev 0 0
swap /dev mfs rw,-P=/template/dev,-s=1200,-i=128,noexec,nosuid 0 0
---

[
/tmp is linked one time during setup with:
ln -s /var/tmp /tmp
]

snippet of boot with warning:
---
Automatic boot in progress: starting file system checks.
/dev/rwd0a: files system is clean; not checking
Warning: inode blocks/cyl group (132) = data blocks (63) in last
 cylinder group.  This implies 1022 sector(s) cannot be allocated.
setting tty flags
---

I think this may be normal, but I'm concerned I haven't configured the size 
values in fstab correctly and I'm wasting space in RAM - 

or perhaps my entire fstab config may cause more ugly problems that I 
haven't run into yet?

I know these are noob questions, but I researched the best I can and just need 
to make sure my fstab and linking /tmp to /var/tmp is correct...  thanks,

Ray



Re: Low priority or real coders

2006-09-15 Thread Chris Cappuccio
It's pretty funny that it's taken this long for another religious
discussion on text editors to pop up on misc.  With all the faith,
I would have expected it more often.  

My faith in the non-Improved vi is reinforced every time I see
someone using vim with color syntax highlighting.  Highlighting
makes source code impossible to read for someone who isn't used 
to it.  I'm really perplexed about how people think that having
each line of source code in six different colors somehow makes
things clearer.

Paul Irofti [EMAIL PROTECTED] wrote:
 I use both on a daily basis, but I'll use vim every time I get the 
 chance because it's simply faster than vi when it comes to editing. 

-- 
Do you even send e-mails?
I told you, I'm from the Wild West. I write by hand. -- Chuck Norris



Re: Low priority or real coders

2006-09-15 Thread Chris Cappuccio
Nick Holland [EMAIL PROTECTED] wrote:
 
 Take the time to learn real vi.  You might just like it.  vi is on every
 Unix machine...it's like notepad in windows or edlin in MSDOS, you need to

Nah, it's ed that's like edlin



Re: Low priority or real coders

2006-09-15 Thread matthew . garman
On Thu, Sep 14, 2006 at 07:16:24AM -0400, Nick Holland wrote:
 $ ldd /usr/local/bin/vim /usr/bin/vi
 /usr/local/bin/vim:
 StartEnd  Type Open Ref GrpRef Name
   exe  10   0  /usr/local/bin/vim
 02be4000 22bf7000 rlib 01   0  /usr/lib/libcurses.so.10.0
 00801000 208dd000 rlib 01   0  /usr/local/lib/libiconv.so.4.0
 044fd000 24501000 rlib 01   0  /usr/local/lib/libintl.so.3.0
 01af5000 21b26000 rlib 01   0  /usr/lib/libc.so.39.3
 09814000 09814000 rtld 01   0  /usr/libexec/ld.so
 ...
 $ ls -l /usr/local/lib/libiconv.so.4.0 /usr/local/lib/libintl.so.3.0
 -r--r--r--  1 root  bin  1005395 Jan 14  2006 /usr/local/lib/libiconv.so.4.0
 -r--r--r--  1 root  bin39135 May  7 14:10 /usr/local/lib/libintl.so.3.0

To be fair, you *can* build vim without internationalization
support, which would make the libraries used by vim the same as vi.

Or, you could make the argument that vi does NOT support
internationalization.

Although, on my linux box, I can make your point even better:

$ ldd `which vim`
libncurses.so.5 = /lib/libncurses.so.5 (0x2abc7000)
libgpm.so.1 = /lib/libgpm.so.1 (0x2ad22000)
libperl.so.1 = /usr/lib/libperl.so.1 (0x2ae28000)
libutil.so.1 = /lib/libutil.so.1 (0x2b048000)
libc.so.6 = /lib/libc.so.6 (0x2b14b000)
libpthread.so.0 = /lib/libpthread.so.0 (0x2b376000)
libm.so.6 = /lib/libm.so.6 (0x2b48d000)
libdl.so.2 = /lib/libdl.so.2 (0x2b5e2000)
libnsl.so.1 = /lib/libnsl.so.1 (0x2b6e6000)
libcrypt.so.1 = /lib/libcrypt.so.1 (0x2b7fd000)
/lib64/ld-linux-x86-64.so.2 (0x2aaab000)
$ ls -lah `which vim`
-rwxr-xr-x 1 root root 2.6M Sep 12 01:57 /usr/bin/vim*

Oink oink!

Matt



You have just received a postcard

2006-09-15 Thread Postcard notification system.
Hello friend !
You have just received a postcard from someone who cares about you!

This is a part of the message:
Hi there! It has been a long time since I haven't heard about you!
I've just found out about this service from Claire, a friend of mine who
also told me that...
If you'd like to see the rest of the message click here to receive your
animated postcard!

===
Thank you for using www.yourpostcard.com 's services !!!
Please take this opportunity to let your friends hear about us by sending
them a postcard from our collection !
==



Re: Rotate many Apache logfiles

2006-09-15 Thread Garance A Drosihn

At 2:57 PM +0200 9/15/06, Mackan wrote:

Hi!

What is the preferred way of rotating Apache's logfiles?

I have many virtual domains, each with its own access and error logfile.
I'm using CustomLog, not TransferLog.  Apache is chrooted.

Adding every logfile to /etc/newsyslog.conf is one way, but hard to
maintain.  Is Apache's own rotatelogs program the way to go?


Fwiw, the version of newsyslog in FreeBSD supports pattern-matching
on the logfile names.  However, it may not have some features that
are in the version of newsyslog that comes with OpenBSD.

If you don't want to pull that in, then maybe setup a separate
newsyslog.conf file (and a second cronjob for it).  That way it should
be easier to use a shell script to create the appropriate entries for
that conf file, without worrying that you're going to clobber any of
the standard system entries.

--
Garance Alistair Drosehn=   [EMAIL PROTECTED]
Senior Systems Programmer   or  [EMAIL PROTECTED]
Rensselaer Polytechnic Instituteor  [EMAIL PROTECTED]
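Both Andrew's "make and m4" remark and Garance's suggestion of a separate conf file plus a cronjob come down to the same thing: generate the entries rather than hand-edit them. Here is an added example of such a generator (mine, not anything from the thread or from OpenBSD). It assumes each vhost logs to /var/www/logs/<vhost>/access_log and error_log, that Apache's pid file is /var/www/logs/httpd.pid, and that signal 30 (SIGUSR1 on OpenBSD) makes httpd reopen its logs; the vhost names are constructed. The paths are host paths, because newsyslog runs outside the chroot. The one check worth keeping is the name filter: a vhost name that ends up in a whitespace-separated config file is one space or slash away from rewriting some other entry, so anything that is not a plain hostname is refused.

```python
import re

LOG_ROOT = "/var/www/logs"                 # assumed log location under the chroot
PID_FILE = "/var/www/logs/httpd.pid"       # assumed; adjust to your httpd.conf
REOPEN_SIGNAL = 30                         # SIGUSR1 on OpenBSD: graceful restart

# a label is 1-63 chars of [a-z0-9-] not starting/ending with '-'
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
VHOST_RE = re.compile(r"^%s(?:\.%s)*$" % (_LABEL, _LABEL))


def newsyslog_entry(path, count=4, size="*", when="$W0", flags="Z"):
    """One newsyslog.conf(5) line:
    logfile mode count size when flags pid_file signal
    (owner:group omitted, so the file keeps root:wheel)."""
    return "%s\t644 %d %s %s %s %s %d" % (
        path, count, size, when, flags, PID_FILE, REOPEN_SIGNAL)


def generate(vhosts):
    """Return the text of a complete, separate newsyslog.conf for vhost logs."""
    lines = ["# generated from the vhost list; do not edit by hand"]
    for vhost in sorted(set(vhosts)):
        if not VHOST_RE.match(vhost):
            # refuse whitespace, '/', '..', quotes: they would become fields
            raise ValueError("refusing suspicious vhost name %r" % vhost)
        for log in ("access_log", "error_log"):
            lines.append(newsyslog_entry("%s/%s/%s" % (LOG_ROOT, vhost, log)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed vhost list; in practice read it from wherever the
    # VirtualHost blocks are generated from
    print(generate(["www.example.org", "example.com"]), end="")
```

Write the output to something like /etc/newsyslog-vhosts.conf and run it from a second cron entry with newsyslog -f /etc/newsyslog-vhosts.conf, so the stock /etc/newsyslog.conf is never touched by the generator.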



Re: webbased authpf ?

2006-09-15 Thread Victor Camacho

Jeff Quast wrote:

On 9/15/06, Joachim Schipper [EMAIL PROTECTED] wrote:

It would probably be best to let a daemon or cronjob outside the chroot
read it; a socket or even a simple pipe in the chroot is sufficient to
signal a daemon, or even send the whole IP address.

Of course, this does result in a two-part script, but the separation is
likely to be a good thing from a security standpoint.

   Joachim


This design is mentioned a lot. I understand it, and it would probably
be the best solution.

Does anybody have a simple two-bin C app that communicates over a pipe
that functions for this purpose? I suppose I could pull out my richard
stevens AUP...

I see this recommended a lot. So somebody had to actually sit down and
do this at some point. Care to share?




I have two perl scripts that I used to implement wireless Internet access.
There are a few holes but it is a work in progress. My next step is to 
change it to allow users that do not have ssh, access to our network. 
Some airports only allow port 80 so I need to deal with that.


The way the scripts work:
PF redirects all users that are not in the goodip table to a default web 
page.
They are asked for a user name and password. When they hit enter, the 
first script handles the input.
The perl script checks the user name and password and if it is correct 
it sends the IP address over a socket to the access server script that 
then adds the ip to the goodip table. If the user then enters a new web 
page then they are directed because PF will now have them in the good ip 
table.


Things that need to be fixed or considered.
Consider using authpf.
I did not add perl to the Apache chroot. When this is done, will the 
socket still work?

I have user name and password in the perl script. This is not secure.
I have to write a script to clean the goodip table every so often.
Web page does not always show proper information. I redirect the first 
hit, but when they hit home, their cache shows the login page.

I am new to perl.

If you are interested, let me know and I will e-mail or post the code 
(very small scripts).


Victor Camacho
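For Jeff's request for a "two-bin app that communicates over a pipe" and Victor's open question of whether the socket keeps working once the CGI is inside the chroot, here is an added example of Joachim's split (my own; it is neither Victor's scripts nor authpf). The privileged half runs as root outside the jail and binds a unix datagram socket inside it, so the CGI, chrooted to /var/www, sees it as /var/run/pfauth.sock while the daemon sees /var/www/var/run/pfauth.sock. The CGI only ever sends "add <ip>"; the daemon validates the address, runs pfctl with an argv list so no shell is involved, and deletes the entry again after a TTL, which covers the "clean the goodip table every so often" item on Victor's list. Socket path, table name and TTL are assumptions for the example, as is the choice of uid www for the writer.

```python
import ipaddress
import os
import socket
import subprocess
import time

SOCK_PATH = "/var/www/var/run/pfauth.sock"   # the CGI sees /var/run/pfauth.sock
TABLE = "goodip"                             # pf table the rules key on
TTL = 8 * 3600                               # seconds of access per login


def parse_request(datagram):
    """Accept exactly 'add <ipv4-or-ipv6>'; everything else is refused."""
    try:
        parts = datagram.decode("ascii").split()
    except UnicodeDecodeError:
        return None
    if len(parts) != 2 or parts[0] != "add":
        return None
    try:
        ip = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    if ip.is_multicast or ip.is_unspecified or ip.is_loopback:
        return None
    return str(ip)                           # normalised text form


def pfctl_argv(action, ip):
    """argv for pfctl(8): a list, so no shell ever interprets the address."""
    return ["pfctl", "-t", TABLE, "-T", action, ip]


class Gate:
    """Privileged side. run/clock are injectable so the logic is testable."""

    def __init__(self, run=subprocess.run, clock=time.time):
        self.run, self.clock = run, clock
        self.granted = {}                    # ip -> expiry time

    def handle(self, datagram):
        ip = parse_request(datagram)
        if ip is None:
            return False                     # log and drop, nothing else
        self.run(pfctl_argv("add", ip), check=True)
        self.granted[ip] = self.clock() + TTL
        return True

    def expire(self):
        """Remove every grant whose TTL has run out; returns the addresses."""
        now = self.clock()
        dead = sorted(ip for ip, t in self.granted.items() if t <= now)
        for ip in dead:
            self.run(pfctl_argv("delete", ip), check=True)
            del self.granted[ip]
        return dead


def notify(ip, path="/var/run/pfauth.sock"):
    """Unprivileged side: what the CGI does after the password checks out."""
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        cli.sendto(("add %s" % ip).encode("ascii"), path)
    finally:
        cli.close()


def serve(path=SOCK_PATH):
    """Daemon main loop; run as root, outside the chroot."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(path)
    os.chmod(path, 0o622)                    # www may write; nobody else reads
    srv.settimeout(60)
    gate = Gate()
    while True:
        try:
            gate.handle(srv.recv(256))
        except socket.timeout:
            pass
        gate.expire()


if __name__ == "__main__":
    serve()
```

Because the message is a datagram and the daemon never echoes anything back, nothing inside the jail learns whether pf was touched; the CGI should redirect the user after sending and let the next page load prove it. The password check itself stays on the web side, which is also where it should not live in the script source, as Victor notes.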



Re: webbased authpf ?

2006-09-15 Thread Bryan Irvine

On 9/15/06, Frans Haarman [EMAIL PROTECTED] wrote:

Is there someting which does Authpf like things, only via a website
? So the users authenticates on the website, then the firewall rules
are loaded!


Just make a table and write up some script that add to the table.

Something like nocat would probably be what you are looking for.  Maybe
nocat would work? I've never used it so I don't know.

--Bryan



carp weirdness

2006-09-15 Thread Tom Bombadil
Greetings all... This was probably discussed before, but I couldn't
really find anything in the archives.

1) We have a carp0 interface with a few aliases in it, and carp works
fine between master (SERVER-A) and backup (SERVER-B)... until...

2) ... we plumb another new alias into SERVER-B's carp0. Then the
status of carp0 on SERVER-B goes from BACKUP to MASTER, even though the
advskew on SERVER-A is lower (0) than SERVER-B's advskew (127).

3) Now, we have both servers saying carp0 is MASTER, and some
connectivity problems going on, and this in the logs:
Sep 15 04:00:02 fw1 /bsd: carp0: incorrect hash

4) We haven't tested it, but it seems that if we have added the alias to
SERVER-A first, the problem would still happen, because the hash would
be different as well.

Question: whats the best way to add an alias to carp, and avoid this
problem?

I know we can switch shells very fast and execute the ifconfig command
in both servers a second or two apart, but I guess most ppl would agree
this is not an elegant solution.

We are running 3.9-stable


Thank you very much ;)



Re: carp weirdness

2006-09-15 Thread Henning Brauer
* Tom Bombadil [EMAIL PROTECTED] [2006-09-15 21:57]:
 Greetings all... This was probably discussed before, but I couldn't
 really find anything in the archives.
 
 1) We have a carp0 interface with a few aliases in it, and carp works
 fine between master (SERVER-A) and backup (SERVER-B)... until...
 
 2) ... we plumb another new alias into SERVER-B's carp0. Then the
 status of carp0 on SERVER-B goes from BACKUP to MASTER, even though the
 advskew on SERVER-A is lower (0) than SERVER-B's advskew (127).

this does not work. the aliases on both machines need to be the same, 
they're all part of the hash.

 3) Now, we have both servers saying carp0 is MASTER, and some

of course, since the hashes are different now; they're technically not 
the same carp group any more.

 4) We haven't tested it, but it seems that if we have added the alias to
 SERVER-A first, the problem would still happen, because the hash would
 be different as well.
 
 Question: whats the best way to add an alias to carp, and avoid this
 problem?

you need to add them at the same time (there is a very short window; do 
it in parallel, for the value of parallel you can reach).
one technique is to take down the slave's carp interface, add the alias 
on the master, add the alias on the slave, take the slave's carp 
interface up again.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg  Amsterdam



Re: carp weirdness

2006-09-15 Thread Marco Pfatschbacher
On Fri, Sep 15, 2006 at 12:49:20PM -0700, Tom Bombadil wrote:
 Greetings all... This was probably discussed before, but I couldn't
 really find anything in the archives.
 
 1) We have a carp0 interface with a few aliases in it, and carp works
 fine between master (SERVER-A) and backup (SERVER-B)... until...
 
 2) ... we plumb another new alias into SERVER-B's carp0. Then the
 status of carp0 on SERVER-B goes from BACKUP to MASTER, even though the
 advskew on SERVER-A is lower (0) than SERVER-B's advskew (127).

carp only accepts advertisements if the configuration (hash) is identical.
 
 3) Now, we have both servers saying carp0 is MASTER, and some
 connectivity problems going on, and this in the logs:
 Sep 15 04:00:02 fw1 /bsd: carp0: incorrect hash

of course. both hosts use the same MAC and IP address.
 
 4) We haven't tested it, but it seems that if we have added the alias to
 SERVER-A first, the problem would still happen, because the hash would
 be different as well.
 
 Question: whats the best way to add an alias to carp, and avoid this
 problem?

ifconfig down the carp on the backup, add the alias on the backup,
add the alias on the master, ifconfig up the backup.



Re: mbuf leak with rl

2006-09-15 Thread Matthew R. Dempsky
On Thu, Sep 14, 2006 at 10:38:35AM -0500, Karle, Chris wrote:
 If you're using a rl* can you take a look at your mbuf usage (netstat -m)?

On my OpenBSD 3.9 firewall, sis0 is connected to my internal network,
and rl0 is connected to my cable modem.

$ netstat -m
2546 mbufs in use:
2525 mbufs allocated to data
5 mbufs allocated to packet headers
16 mbufs allocated to socket names and addresses
630/648/6144 mbuf clusters in use (current/peak/max)
1952 Kbytes allocated to network (97% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines

$ dmesg | grep -e GENERIC -e rl -e sis
OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
sis0 at pci0 dev 4 function 0 SiS 900 10/100BaseTX rev 0x91: irq 11, address 
00:14:2a:b7:c9:17
rlphy0 at sis0 phy 9: RTL8201L 10/100 PHY, rev. 1
rl0 at pci0 dev 11 function 0 Accton MPX 5030/5038 rev 0x10: irq 11, address 
00:e0:29:58:9b:eb
rlphy1 at rl0 phy 0: RTL internal PHY
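A single netstat -m snapshot like the one above cannot show a leak; what shows it is the cluster count climbing sample after sample with the peak tracking the current value, meaning nothing is ever handed back. Here is an added example (mine, not from the thread) that parses the output Matthew posted and two constructed later readings of the same box, and flags that pattern. The thresholds are arbitrary starting points, not values from the page.

```python
import re

# Sample 1 is the netstat -m output quoted in the thread; samples 2 and 3
# are constructed to show what a leaking box would print an hour apart.
SAMPLE_1 = """2546 mbufs in use:
2525 mbufs allocated to data
5 mbufs allocated to packet headers
16 mbufs allocated to socket names and addresses
630/648/6144 mbuf clusters in use (current/peak/max)
1952 Kbytes allocated to network (97% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""
SAMPLE_2 = SAMPLE_1.replace("2546 mbufs", "3101 mbufs").replace(
    "630/648/6144", "1210/1210/6144")
SAMPLE_3 = SAMPLE_1.replace("2546 mbufs", "3800 mbufs").replace(
    "630/648/6144", "1795/1795/6144")

MBUFS_RE = re.compile(r"^(\d+) mbufs in use", re.M)
CLUSTERS_RE = re.compile(r"^(\d+)/(\d+)/(\d+) mbuf clusters in use", re.M)
DENIED_RE = re.compile(r"^(\d+) requests for memory denied", re.M)


def parse_netstat_m(text):
    """Pull the counters that matter out of one netstat -m run."""
    m, c, d = MBUFS_RE.search(text), CLUSTERS_RE.search(text), DENIED_RE.search(text)
    if not (m and c and d):
        raise ValueError("unrecognised netstat -m output")
    cur, peak, mx = (int(x) for x in c.groups())
    return {"mbufs": int(m.group(1)), "clusters": cur, "peak": peak,
            "max": mx, "denied": int(d.group(1))}


def headroom(text):
    """Clusters left before allocations start being denied."""
    s = parse_netstat_m(text)
    return s["max"] - s["clusters"]


def leak_suspected(samples, min_growth=100):
    """True when, across at least three readings, clusters in use rise by
    min_growth or more every interval and each reading is itself the new
    peak, i.e. the curve only ever goes up."""
    stats = [parse_netstat_m(s) for s in samples]
    if len(stats) < 3:
        return False
    for prev, cur in zip(stats, stats[1:]):
        if cur["clusters"] - prev["clusters"] < min_growth:
            return False
        if cur["clusters"] != cur["peak"]:
            return False
    return True


if __name__ == "__main__":
    print("headroom now:", headroom(SAMPLE_1))
    print("leak suspected:", leak_suspected([SAMPLE_1, SAMPLE_2, SAMPLE_3]))
```

Run it from cron against saved netstat -m output and the "requests for memory denied" counter becoming non-zero is the point at which the box starts dropping packets, so alert well before headroom reaches it.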



USB Serial Converter

2006-09-15 Thread Fred Crowson

Hi misc@,

I have just bought a usb to serial converter which is recognized as:

uftdi0 at uhub0 port 2
uftdi0: FTDI FT232R USB UART, rev 2.00/6.00, addr 2
ucom0 at uftdi0 portno 1

However when I try to connect using cu I don't get any output:

zaurus:fred /home/fred cu -l /dev/cuaU0 -s19200
Connected
~
[EOT]

Is this chip likely to be supported by uftdi? or am I missing something 
more obvious?


Thanks

Fred

My full dmesg can be found here:
http://www.crowsons.net/puters/dmesg_zaurus.php
or as a text file here:
http://www.crowsons.net/puters/txt/dmesg_z40s.txt

--
OpenBSD on the Zaurus C3200
http://www.crowsons.net/puters/zaurus.php



Launching the Internet

2006-09-15 Thread dilbert
My question is simple- I'm a relative newbie at BSD so please bear with me. 
I'm trying to launch the internet; so I open a terminal and go percent sign
'Internet' at the prompt

ie: %internet

and it doesn't work. What gives??!! 

Also percent sign 'Print' doesn't work and neither does percent sign
'word processor'

How would I launch the internet, the word processor and print a document?

any help would be appreciated

-James
-- 
View this message in context: 
http://www.nabble.com/Launching-the-Internet-tf2280267.html#a6334298
Sent from the openbsd user - misc forum at Nabble.com.



Re: Launching the Internet

2006-09-15 Thread djgoku

On 9/15/06, dilbert [EMAIL PROTECTED] wrote:

My question is simple- I'm a relative newbie at BSD so please bear with me.
I'm trying to launch the internet; so I open a terminal and go percent sign
'Internet' at the prompt

ie: %internet

and it doesn't work. What gives??!!


if you are at a terminal try this:

lynx google.com


Also percent sign 'Print' doesn't work and neither does percent sign
'word processor'


You might want to install abiword for a word processor. Not sure on
printing since I have never printed anything from a OpenBSD machine.



Re: Launching the Internet

2006-09-15 Thread Paul Irofti
 Launching the Internet

rolf! omg! lmao! Oh man, thanks.. I haven't laughed so hard for weeks 
now... ahahahahahha thank you!



Re: Launching the Internet

2006-09-15 Thread Joachim Schipper
On Fri, Sep 15, 2006 at 03:32:58PM -0700, dilbert wrote:
 My question is simple- I'm a relative newbie at BSD so please bear with me. 
 I'm trying to launch the internet; so I open a terminal and go percent sign
 'Internet' at the prompt
 
 ie: %internet
 
 and it doesn't work. What gives??!! 
 
 Also percent sign 'Print' doesn't work and neither does percent sign
 'word processor'
 
 How would I launch the internet, the word processor and print a document?
 
 any help would be appreciated

Is this supposed to be a joke? Or are you trying to troll? I don't
believe someone could know what a terminal is, much less open one, and
still talk about 'launching the internet' (and fail to do so, too!).

Better luck next time...

Joachim



Re: 3 gateways...

2006-09-15 Thread Bryan Irvine

On 9/14/06, Josh [EMAIL PROTECTED] wrote:

Gidday...

Here is a rangi network topology:



   __INTERNET__
  | | |
GW1 GW2 GW3
  | | |
  |___SWITCH__|
|
|
 SERVER


Ok, so GW2 is SERVER's default gateway. I need to port forward incoming
port 80 internet traffic to SERVER on ALL gateways, eg, from 3 separate
network connections.

How do I make it so that SERVER knows how to route back to the correct
gateway? ( Note: there is no more room for any more network cards ).


You didn't mention whether SERVER is an OBSD box so I'll assume it's a
mix of other things as well.

So, I'd probably look at doing this on the gateway boxes themselves.
Basically you'd have to make the GW mask the original source somehow.
Such as nat the entire internet, or by using a proxy or some such
thing. That way SERVER thinks it's just responding to GW.

I think I read somewhere that 4.0 is going to have better support for
this kind of thing... or maybe I just dreamed it?

--Bryan
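What Bryan describes ("make the GW mask the original source") is a plain pf.conf job on each gateway: rdr the inbound port 80 to SERVER, and nat it on the inside leg so SERVER sees the gateway's own inside address as the client and answers back through the gateway the request came in on, regardless of its default route. Here is an added example in the pf syntax of the 3.9/4.0 era (mine, not from the thread); interface names and addresses are assumed.

```pf
# on each of GW1, GW2, GW3; names and addresses are assumed for the example
ext_if = "fxp0"                 # this gateway's uplink
int_if = "fxp1"                 # this gateway's leg on the shared switch
server = "192.168.1.10"         # SERVER

# inbound port 80 on this gateway's public address goes to SERVER
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $server

# rewrite the client address to this gateway's inside address, so SERVER's
# replies return through *this* gateway instead of its default route (GW2)
nat on $int_if proto tcp from any to $server port 80 -> ($int_if)

# rdr happens before filtering, so filter on the translated address
pass in on $ext_if proto tcp from any to $server port 80 keep state
pass out on $int_if proto tcp from any to $server port 80 keep state
```

The cost is that SERVER's access logs show the gateway address for every port-80 client; if the real address matters, the alternative Bryan mentions, a proxy on the gateway that adds it as a header, is the way to get it back.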



Re: USB Serial Converter

2006-09-15 Thread Antoine Jacoutot

Fred Crowson wrote:

However when I try to connect using cu I don't get any output:

zaurus:fred /home/fred cu -l /dev/cuaU0 -s19200


Just a stupid idea, but shouldn't you use ttyU0 instead of cuaU0?

--
Antoine



Re: Launching the Internet

2006-09-15 Thread Antoine Jacoutot

dilbert wrote:
My question is simple- I'm a relative newbie at BSD so please bear with me. 
I'm trying to launch the internet; so I open a terminal and go percent sign

'Internet' at the prompt

ie: %internet

and it doesn't work. What gives??!! 


Man this is the best message ever!!!
Thank you for the good laugh!

--
Antoine



Re: Launching the Internet

2006-09-15 Thread Robert C Wittig

dilbert wrote:
My question is simple- I'm a relative newbie at BSD so please bear with me. 
I'm trying to launch the internet; so I open a terminal and go percent sign

'Internet' at the prompt

ie: %internet

and it doesn't work. What gives??!! 


Also percent sign 'Print' doesn't work and neither does percent sign
'word processor'

How would I launch the internet, the word processor and print a document?

any help would be appreciated


Heh!

This has *got* to be a troll.g

Not biting.


--
-wittig http://www.robertwittig.com/
.   http://robertwittig.net/



Re: Launching the Internet

2006-09-15 Thread Guilherme
Are you trying from a console or you got a graphical interface?

On 9/15/06, Joachim Schipper [EMAIL PROTECTED] wrote:

 On Fri, Sep 15, 2006 at 03:32:58PM -0700, dilbert wrote:
  My question is simple- I'm a relative newbie at BSD so please bear with
 me.
  I'm trying to launch the internet; so I open a terminal and go percent
 sign
  'Internet' at the prompt
 
  ie: %internet
 
  and it doesn't work. What gives??!!
 
  Also percent sign 'Print' doesn't work and neither does percent sign
  'word processor'
 
  How would I launch the internet, the word processor and print a
 document?
 
  any help would be appreciated

 Is this supposed to be a joke? Or are you trying to troll? I don't
 believe someone could know what a terminal is, much less open one, and
 still talk about 'launching the internet' (and fail to do so, too!).

 Better luck next time...

 Joachim



Re: Low priority or real coders

2006-09-15 Thread Philip Guenther

On 9/15/06, steve szmidt [EMAIL PROTECTED] wrote:
...

It is funny too because many people are set in their ways and don't
want to learn something new. Some are proud to have mastered
something and don't want to join the masses who, by using some
new tool, can do it faster and maybe better than the old method.


Or maybe they aren't faster.  Or maybe that depends on the person and
the environment that they're working in.  You do understand that many
of us have used multiple editors seriously over the years and have
settled on what we use based on personal experience?  Oops, sorry,
that must be my 'pride' talking, thinking I might disagree with the
masses.



I see doctors who spend ten years learning something. The last
thing they want to hear is that their knowledge is now obsolete.
Which is always the risk in any high tech industry like ours.


Yeah, it's a risk if you work under a manager more interested in
buzzwords than results.  'scuse me while I use 20 year old technology
to get something done.


Philip Guenther

The trouble with doing something right the first time is that nobody
appreciates how difficult it was.
-- Walt West



Re: Launching the Internet

2006-09-15 Thread Ralph Young

Paul Irofti wrote:

Launching the Internet



rolf! omg! lmao! Oh man, thanks.. I haven't laughed so hard for weeks 
now... ahahahahahha thank you!


  

It MIGHT be Al Gore... you know, the guy that invented the internet.



Re: Launching the Internet

2006-09-15 Thread bofh
On 9/15/06, Ralph Young [EMAIL PROTECTED] wrote:

 Paul Irofti wrote:
  Launching the Internet
 
 
  rolf! omg! lmao! Oh man, thanks.. I haven't laughed so hard for weeks
  now... ahahahahahha thank you!
 
 
 It MIGHT be Al Gore... you know, the guy that invented the internet.

 People should at least try to get the story straight instead of taking
lines from spin people.